• dogs0n@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      6
      ·
      4 days ago

      They explained why they dont pay for audits in a forum post and I agreed with their reasoning, which if I remember correctly was something like:

      If we paid for an audit, there’s no way you’d know we didn’t enable logging, etc, right after the auditors left.


      It really is just a game of trust when it comes down to it and they feel the most trustworthy to me, but if lack of an audit changes your mind that’s okay.

      • Valmond@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        2
        ·
        2 days ago

        That’s just so bad, “we won’t show what we’re doing because it’s tiresome to cover it up” is what I read here.

        • dogs0n@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 day ago

          If you want to look at the thread I was referring to (looked it up): https://airvpn.org/forums/topic/56799-audits/

          I think what they say makes sense. I read it the opposite way: How do I know any service with an audit really is as described the day after the audit concludes?

          Most audits (as far as I’m aware) will tell the company maybe a week in advance that they are coming in to do the audit, so it’a not like surprise visits I don’t think.

          I 100% think it comes down to trust (and some accountability being that their code is open source). Audits feel like a gamed system.

          And being open source is a way of showing what they are doing.

          • Valmond@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            1
            ·
            22 hours ago

            You underestimate how costly it is to run services like that, your network is what it is, and it would be even costlier to change, who’s going to change it all, hired contractors? I mean hired people already have fulltime jobs in the company. Then scrape all the traces that there were logging (amongst other things)?

            It’s not a Hollywood movie where you just “unplug the log machine” and hide it in a drawer.

            • dogs0n@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              1
              ·
              58 minutes ago

              Maybe you are overestimating it.

              I wouldn’t truly know because I’m not a wireguard expert or anything.

              That said, a “log machine” that you describe could just simply be a portable executable with root access on the vpn server machine. With this root access it could probably easily see what network connections are being made and potentially sniff them.

              Maybe I’m wrong though. I don’t think it’d be easy to develop such an executable, but once made it could be portable, probably.

              Unless you are a skilled network engineer/software dev in the field telling me it’s not possible, then sure I shall believe you.

      • dogs0n@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        9
        arrow-down
        1
        ·
        4 days ago

        What of theirs is written in C?

        Eg: You buy a sub and just connect through wireguard. You aren’t touching any AirVPN code (unless you want to use their client, which is not written in C, but you can just use the official wireguard client or any other tool to connect).

        Same goes for any provider as far as I’m aware. Am I wrong?

          • dogs0n@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            1
            ·
            3 days ago

            Maybe I misread your comment, I thought you were talking about AirVPN vs Mullvad.

            Anyways the C code in that repo looks like it’s just libraries they have vendored in, not specifically stuff they are writing (which a lot of apps do, but usually dont include directly in their repos), but I could be wrong didn’t look that hard.

            And you can still always use a different client (I know you can with AirVPN, I assume ivpn is the same).

      • forestbeasts@pawb.social
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        3
        ·
        3 days ago

        Ah yes, because Rust is Holy and everything must be written in it or it’s inherently untrustworthy

        No thank you.

        – Frost