Analysis of Nym VPN and its "guaranteed" privacy

Privacy Guides Community [Unofficial] May 28, 2026

DanielM:

I can’t find any real-world evidence backing up the company’s claims regarding their 5 nodes against high-level adversaries. I don’t want whitepapers or lab results; what I want is proof based on reality

This is a reasonable goal. Let’s see what we can do

DanielM:

If they don’t respond, it’s because they are hiding something.

This is a bold accusation based on no evidence of wrongdoing. I operate on zero-trust: I will assume any service provider could be compromised, but I stop short of baseless accusations

DanielM:

but forgets that high-level adversaries possess undisclosed, covert weapons

FUD. We threat model against evidence-backed threat vectors. Mitigations against undefined, hypothetical threats are not practical

DanielM:

Malicious actors (the NSA, the mafia, etc.) will ignore these rules and infiltrate the network, or are already infiltrated; each will operate according to their own agenda.

Wise. This is zero-trust architecture. Assume bad actors can/will penetrate wherever possible

DanielM:

2 - Advanced patterns detected:

→ Not applicable. It is not fundamental to this service.

Disagree. Traffic analysis is an emerging threat vector. Providers like Mullvad are beginning to design mitigation techniques. I assume the intent here is similar

DanielM:

3 - Emerging dangers:

Two words - Privacy “guaranteed”.

Your argument here just seems to be a pedantic case against the word “guaranteed”. I do ultimately agree with your premise, but don’t feel it’s a meaningful indicator of their actual services

DanielM:

Nodes run by “volunteers”.

DanielM:

Even if the network is difficult for attackers or unfamiliar to them at first, they will learn how it works if it’s something new, and will stealthily counterattack

We’re back to zero-trust architecture. Good stuff. This is almost identical to issues Tor faces - users can maintain anonymity if a node is compromised, but it becomes difficult to do anything if the whole volunteer node network is assumed to be hostile

DanielM:

4 - Deep, multi-level reasoning:

→ Not applicable. It is not worth applying a higher level of analysis to this service

I think this is rehashing the same emerging mitigation techniques as section 2


So far as ‘proof’ goes, it does look as though they’ve been audited a couple times. For example, I found the Cure53 report here. These are probably a good starting point for assessing the tech
