HideMyAss has defended its role in handing over evidence that resulted in the arrest of a suspected LulzSec member last week. UK-based HideMyAss, which offers freebie web proxy and paid-for VPN services, said it handed over potentially incriminating data to the feds only in response to a court order. It had been aware that its …
You have to hand over the data in response to a court order
But what data do you have to keep in the first place?
As long as you discard after the session is completed, which would be the proper way to "Hide Someone's Ass", one would think the Feds would have no leg to stand on.
From what I heard...
They maintain logs for 30 days. Not sure if that is a UK legal requirement or their policy... maybe others who know could chime in?
EC Data Retention Regs
Presumably they would be subject to the EC Data Retention Regulations?
Either they admitted if they did not keep a log, the security services would most likely just infiltrate the company and do it themselves anyway.
The real question here is why would anyone use a service based in a country with some of the most sophisticated spying technologies. And would not waste a second thought on employing those technologies to track down hackers.
--"The real question here is why would anyone use a service based in a country with some of the most sophisticated spying technologies. And would not waste a second thought on employing those technologies to track down hackers."
Because some 'hackers' are dumb kids who think it's cool to be a rebel, and who trust people they've never met who tell them that one or other method of attacking someone or some company is 'safe'?
They could receive an order to start keeping logs for an account as part of a warrant.
What a bunch of idiots
Using a proxy in a country that will co-operate. Use one in some backwater country. The kind that laughs at American court orders.
No one to blame but themselves.
Why would the VPN company have any need to keep this information? If they hadn't, sounds like they'd be on to a winner, and would have got a good story out of it. As it is, burnt!
Being willing to go to jail for your beliefs is fine.
Being willing for someone else to go to jail for your beliefs is not.
Once they got a court order they had a choice of:
2> Try to fight it - very expensive (might be too expensive to be possible without massive contributions), extremely unlikely to succeed.
3> Go to jail
4> Don't keep logs in the first place, and therefore comply fully with the court order by supplying a printout of 'cat /dev/null'
"Don't keep logs"
is another way of saying "don't keep customers" -- when something breaks, how do you expect to fix it if you can't figure out what's gone wrong? And if you can't fix something broken, why should anyone be giving you good money for your services?
data retention laws
They are also obliged by law to keep some logging, 30 days I think
Lulzsec contenders for Darwin 2011
This guy is an amateur IT wannabe who clearly has no clue about the meaning of anonymity.
Additionally, it also shows the Lulzsec crew up for what we know them to be - kids with big mouths and little understanding of how to a) hack and b) obfuscate one's source address.
Security my arse. They don't even understand TCP/IP.
I dunno, I suppose you could hire some competent sysadmins I suppose.
What silly plonking dogmatism
You could give everyone two accounts: one that is logged and one that isn't. You can explain to them that it's only possible to investigate a specific problem in the past if it happened with the logged account. They'll understand.
If your idea of "competent sysadmin" is "nothing he administers ever breaks for any reason, whatsoever, including user ignorance and stupidity", then you're a dribbling moron yourself and not worth anyone's time.
That's a good one! How much experience do you have dealing with users, anyway? A whole week? Two?
Besides, two accounts for everybody is a huge pain in the ass. Not worth the time and effort, much less the additional expense which goes into everybody's bills at the end of the month, when it's much simpler to point out in the T&C that if you do something illegal over my service, then on your own head be it, and that I will under no circumstances imperil myself in your defense. If that means turning over logs in compliance with a subpoena, then so be it; you're not paying me anywhere near enough to go to jail for contempt of court.
My suggestion would be to turn on logging for a specific case when and only when a customer calls/raises an issue. This way the customer will then need to re-create the problem (which you would want to test anyways) and if it can be re-created then you will have THAT session logged but no others. This is also an opportunity to directly inform that customer that the session which will be used for testing will be logged and then fall subject to UK law etc etc.
Still live but for how much longer. A Catch 22 this one. Rat em out and get ddosed and hacked out of business or defy the court order and have all your servers lifted, court appearances and hefty fines.
I'll take A please Bob
Maybe HideMyAss have the rudimentary security measures in place required to defeat the army of script kiddies, and enough bandwidth to weather the LOIC storm for a few days.
They might lose some no-longer-deluded customers though.
Hey, I can understand if Joe Average VPN user doesn't understand this type of situation, but all it took was a little searching and reading (for a friend of course) for me to question if these VPN services were even adequate for Bittorrent use... much less as protection for *really* questionable/illegal activity like breaking into websites.
These companies (unless there is one in Russia that I don't know about ;) have to abide by the laws of the country they operate in and, IIRC, they pretty much all specifically call out in their TOS (how clearly, of course, may be questionable) that they will-not/cannot shield you in the event of a subpoena.
A service like this will also have your credit card on file *and* your source IP so it's not like you can use DHCP or even unsecured home Wifi as a "wasn't me, honest" defense. Caveat emptor!
My personal feeling on the subject is that this type of service - if used right - could shield the user from a lot of (most? - definitely not all) civil types of complaints just by virtue of putting the discovery in another country - but a determined and quick (log retention is usually ~30 days for a service like this) civil pursuer could still find you in the right circumstances... but I can't imagine this would provide any type of protection for a remotely serious hacking incident (which is typically categorized as a criminal violation).
Useful, but only for legitimate needs
These services can be a real godsend for a lot of people, but no, they really aren't very useful for hiding anything illegitimate - they are, in practice, just another ISP who has all of your details.
If you use mobile internet, swap locations a lot, find yourself stuck behind restrictive firewalls when you have a legitimate need for full internet access - these services can be invaluable. Personally, I used one the last time I was moving and had to use the Cricket mobile internet service for a little over a month - it changed it from unbearable to at least tolerable. However, anyone who thinks that they are actually getting real anonymity from them clearly doesn't understand how either the internet or the law works.
Didn't they notice that "heading for the border" in the US always meant Mexico, not Canada? Isn't this the same?
Using a proxy in a western country, and hoping that's good enough to avoid prosecutors in a different western country finding them? They certainly aren't as smart as they think they are.
Anon - because it's an unbreakable cloak of invisibility from the Feds
Currently I am in the Sultanate of Oman (the first Arab country from the east), and I just tried to access the HideMyAss website..... blocked! (Error: "This site has been blocked due to content that is contrary to the laws of the Sultanate. if you believe that the website you are trying to access does not contain any such content, please fill in and submit the form below: "). Although, according to the locals, _all_ proxy sites are blocked and they have been blocked for years.
By the way, I believe that proxy sites (as well as netcafes) are required to store access information for a few months. I believe it was one of those anti-terrorist laws.
Look up "honeypot" an espionage term
A carefully picked VPN service would have no logs to begin with.
The only response they would get is either "fsck off" (if they are based in a place carefully picked) or "oops, we forgot to log our users, thanks for reminding"
What these guys do is basic "honeypot" operation and I wouldn't be surprised a bit if they handed over data to some wealthy (not out of power) dictator as long as their interests were fulfilled. It could be a phone from British govt. or some spy agency, some money at some anonymous bank account etc.
This is the very serious risk of getting VPN service and trusting it blindly. At least these guys/lamers are based in some "democratic" country. In your case (if you were a citizen), you could have been tricked into some honeypot and while swearing at Sultan, your door would be broken at 5 am.
No, "honeypot" is not an espionage term.
You're thinking of "honeytrap". And that's not anything you can set up on a computer...
Route everyone from your wireless and run something like wireshark.
Say "It is an untrackable private network which will protect your privacy"
Enjoy the data from the stupid flies trapped in honeypot.
Better change their name to "ShopYouAss.com"!
Or, more accurately --
It will now be rebranded as "Hide, My Ass"
RE: Or, more accurately --
Or maybe "ReadTheSmallPrint,DumbAss.com"?
Good on 'em.
Serves the hackers right for not reading the T&Cs
Why in hell's name would the company allow themselves to be prosecuted and closed down to cover the ass of some spotty hacker anyway?
They aren't hackers.
They are a bunch of skiddies that don't even understand how TCP/IP works.
That means chances are they are under the age of 25.
We all know that nowadays anyone under the age of 25 cannot be held responsible for their immature actions.
You hear it on the news after a stabbing, "Wahhh wahhh it's not my fault!"
Kids gotta learn consequences. In my day it was called getting a good slap on occasion.
time to change proxy, me thinks.....would like to know what data they keep anyways!
Subject access request
You could always try a subject access request, under s7, Data Protection Act 1998.
Have a day when you make a note of the traffic which you generate when connected to the service, then ask them for a SAR relating to that day.
You may be asked to pay up to £10, but, if they retain information in identifiable form, they should be providing it to you after receipt of payment.
AC says: "time to change proxy, me thinks.....would like to know what data they keep anyways!"
One would think it prudent to assume *all of it* and act accordingly.
Euro data retention directive.
Anybody using a European service and expecting no logging, is just being wilfully ignorant of euro directive 2006/24/EC, or plain stupid.
Hackers should be interested in the law, even when they think they stand above it, it will affect them.
Note that the DRD does not require data to be generated.
The DRD does not require data to be generated; rather, it requires retention of data which are generated as part of providing the service. See s3 of the Data Retention (EC Directive) Regulations 2009: "These Regulations apply to communications data if, or to the extent that, the data are generated or processed in the United Kingdom by public communications providers in the process of supplying the communications services concerned."
If the service had not generated data as part of its operation (i.e. it did not switch on logging functionality), a s10 notice has no effect. By choosing to generate logs, the service provider was effectively choosing to bring itself within the ambit of the data retention regime. (For it to be obliged to retain, it must be served with a s10 notice, though.)
However, since the article talks about a "court order," which is not required for access to stored data under RIPA 2000, it is possible that the disclosure was made under a warrant under s8, PACE 1984 anyway, and so discussion of DRD obligations might be misleading. That being said, if logging / other data generation had not been enabled, there would have been nothing to be discovered under PACE.
(On the DRD point, one might question whether the provision of a VPN service is the provision of a public electronic communications service, but perhaps another story, and not applicable to an order under PACE anyway.)
S4 says that CPs are obligated to retain the data - the data is generated during the actual communication. So surely "retaining" in this sense is the actual act of logging?
ie, the user's actions are generating the data, which is then being retained in logs
Not all in EU are bad..
You can still use CitizenVPN.com, a Danish service that delivers the service out of The Bahamas and therefore does not have to comply with the EU logging. Even if they got subpoenaed by a Bahamas court there wouldn't be any logs to deliver...
But you're otherwise right. Be careful when using an EU or American VPN provider and read the TOS. Generally if a specific VPN provider in the EU doesn't write on their site if they log, then they do log. All American VPN services are not to be trusted.
A policeman friend of mine...
...when I asked how hackers are stupid enough to get caught even though they know Internet traffic is not truly anonymous replied...
"Fingerprint technology has been publicly known for a hundred and thirty years, but some blokes still break into houses without wearing gloves."
That about says it all I think.
I now it appears they know about all my deep, dark fetishes.....
Serves them right
If a court order turns up ordering a VPN to turn over information, they're going to turn it over. No legitimate business is going to risk sanction, fines or whatever because some idiot decides to launch an attack through their service. Next time they should probably pick a VPN which resides somewhere without data retention laws.
The data retention laws only relate to data that you store during the operation of the service.
If you do not 'normally' store any information, then you cannot be compelled to store it and clearly you cannot be compelled to release data that you do not have.
The real question is what data was being stored. If "HideMyAss" was storing anything more than strictly necessary to operate such a service, then they deserve to lose all their customers and go bust.
However, it's clear that any paid-for service is going to need to store billing details which will include at least one way of contacting the user, and unless paid by cash (highly unlikely!) that will include a real name.
So 'the feds' will always be able to subpoena "Data relating to %individual%", and will at least be able to confirm that a given individual paid for the service - though of course that transaction could be fraudulent.
The keyword here is 'store'
What constitutes 'storing'?
If your system needs to temporarily save your IP in a table to keep track of your connection onward, then it's possible that it's subject to the DRD.
If the system bills by usage (time/amount of data/whatever) it must also log that for billing purposes. Suddenly DRD is applicable again.
Well, that really says everything you need to know... using a publicly/commercially available anonymizing service located in a lawful country... hmmm let me think about how that possibly could have gone wrong.
If you run a service like this you have to keep logs... it's the same thing as companies have to follow, ie, attack on company A's network is traced to company B's network. To stop the CEO of company B being slammed in jail, company B has to find who did it - ie pass the buck. The buck passing can be down to a rogue employee or in this case, a user of a service.
It's simple fundamental internet legal 101, remarkable how few seem to grasp it.
BTW, I can't actually imagine why you'd want to use a service like that for anything but illegal stuff... I mean the number of people wearing tinfoil hats has to be quite small surely?
I suspect more likely it's a bit like having a pirate site that says it will honour any copyright take down notices it receives.
There are legitimate uses for services like this one
Suppose a) you spend a lot of time traveling, or otherwise accessing sensitive info across untrusted networks, and b) either your company doesn't provide a VPN, or their VPN is too locked down for your purposes, or you own a business or otherwise aren't nestled under the broad, downy wings of a professional IT staff, i.e., a batch of chain-smoking paranoids responsible for making your computer things work right. (If your IT staff doesn't contain at least one chain-smoker, consider firing them en masse, as they're either completely incompetent or too green to have picked up the habit yet.)
In a case like that, where you're given a pretty stark choice between either not doing what you need to do online, or making your life a target for every snotnose who's ever heard of Firesheep but not yet had it earn him a well-deserved punch in the nose, a paid VPN service can be a lifesaver.
(Yes, if it's called "HideMyAss", there could be a certain reasonable presumption that it's being used for less than entirely lawful purposes, in just the same way that there's a certain reasonable presumption of the innocent having nothing to hide.)
Using an internet to internet VPN service for sensitive business from a dodgy sounding vendor?
I'd sooner take my chances that Starbucks had a rogue employee with a network analyser.
No, the only use for this service is either:
1) Plain illegal
2) Contrary to the rules of the user's network (perhaps as worthy as reading the BBC from some kinda dictatorship run country, but more likely so you can get around your corporate internet access policy to reach sites banned and probably pr0n)
Either way around both uses will be upsetting someone and likely to get you fired/arrested.
BTW a lot of employers will also fireyerass(dot com presumably) for using such services as this ;-)