HideMyAss defends role in LulzSec hack arrest

HideMyAss has defended its role in handing over evidence that resulted in the arrest of a suspected LulzSec member last week. UK-based HideMyAss, which offers freebie web proxy and paid-for VPN services, said it handed over potentially incriminating data to the feds only in response to a court order. It had been aware that its …

COMMENTS

  1. Anonymous Coward

    You have to hand over the data in response to a court order

    But what data do you have to keep in the first place?

    1. maclovinz

      Discarding...

      As long as you discard after the session is completed, which would be the proper way to "Hide Someone's Ass", one would think the Feds would have no leg to stand on.

    2. Anonymous Coward

      From what I heard...

      They maintain logs for 30 days. Not sure if that is a UK legal requirement or their policy... maybe others who know could chime in?

      1. dephormation.org.uk
        Meh

        EC Data Retention Regs

        Presumably they would be subject to the EC Data Retention Regulations?

    3. David 164

      Either they admitted if they did not keep a log, the security services would most likely just infiltrate the company and do it themselves anyway.

      The real question here is why would anyone use a service based in a country with some of the most sophisticated spying technologies. And would not waste a second thought on employing those technologies to track down hackers.

      1. Anonymous Coward

        @david164

        --"The real question here is why would anyone use a service based in a country with some of the most sophisticated spying technologies. And would not waste a second thought on employing those technologies to track down hackers."

        Because some 'hackers' are dumb kids who think it's cool to be a rebel, and who trust people they've never met who tell them that one or other method of attacking someone or some company is 'safe'?

    4. Agarax

      They could receive an order to start keeping logs for an account as part of a warrant.

      1. Wize

        What a bunch of idiots

        Using a proxy in a country that will co-operate. Use one in some backwater country. The kind that laughs at American court orders.

        No one to blame but themselves.

  2. Tom Chiverton 1
    FAIL

    Bizarre

    Why would the VPN company have any need to keep this information? If they hadn't, sounds like they'd be on to a winner, and would have got a good story out of it. As it is, burnt!

  3. Christoph Silver badge

    Being willing to go to jail for your beliefs is fine.

    Being willing for someone else to go to jail for your beliefs is not.

    Once they got a court order they had a choice of:

    1> Comply

    2> Try to fight it - very expensive (might be too expensive to be possible without massive contributions), extremely unlikely to succeed.

    3> Go to jail

    1. Aquilus

      4> Don't keep logs in the first place, and therefore comply fully with the court order by supplying a printout of 'cat /dev/null'

      1. Aaron Em

        "Don't keep logs"

        is another way of saying "don't keep customers" -- when something breaks, how do you expect to fix it if you can't figure out what's gone wrong? And if you can't fix something broken, why should anyone be giving you good money for your services?

        1. Anonymous Coward

          Lulzsec contenders for Darwin 2011

          This guy is an amateur IT wannabe who clearly has no clue about the meaning of anonymity.

          Additionally, it also shows the Lulzsec crew up for what we know them to be - kids with big mouths and little understanding of how to a) hack and b) obfuscate one's source address.

          Security my arse. They don't even understand TCP/IP.

        2. Anonymous Coward

          I dunno, I suppose you could hire some competent sysadmins I suppose.

          1. Aaron Em

            "Competent sysadmins"

            If your idea of "competent sysadmin" is "nothing he administers ever breaks for any reason, whatsoever, including user ignorance and stupidity", then you're a dribbling moron yourself and not worth anyone's time.

        3. Anonymous Coward

          What silly plonking dogmatism

          You could give everyone two accounts: one that is logged and one that isn't. You can explain to them that it's only possible to investigate a specific problem in the past if it happened with the logged account. They'll understand.

          1. Aaron Em

            "They'll understand."

            That's a good one! How much experience do you have dealing with users, anyway? A whole week? Two?

            Besides, two accounts for everybody is a huge pain in the ass. Not worth the time and effort, much less the additional expense which goes into everybody's bills at the end of the month, when it's much simpler to point out in the T&C that if you do something illegal over my service, then on your own head be it, and that I will under no circumstances imperil myself in your defense. If that means turning over logs in compliance with a subpoena, then so be it; you're not paying me anywhere near enough to go to jail for contempt of court.

        4. L1feless

          Well...

          @Aaron Em

          My suggestion would be to turn on logging for a specific case when and only when a customer calls/raises an issue. This way the customer will then need to re-create the problem (which you would want to test anyways) and if it can be re-created then you will have THAT session logged but no others. This is also an opportunity to directly inform that customer that the session which will be used for testing will be logged and then fall subject to UK law etc etc.

      2. James Micallef Silver badge
        Holmes

        data retention laws

        They are also obliged by law to keep some logging, 30 days I think

  4. Matthew Anderson

    Still live but for how much longer. A Catch 22 this one. Rat em out and get ddosed and hacked out of business or defy the court order and have all your servers lifted, court appearances and hefty fines.

    :-/

    1. Anonymous Coward

      I'll take A please Bob

      Maybe HideMyAss have the rudimentary security measures in place required to defeat the army of script kiddies, and enough bandwidth to weather the LOIC storm for a few days.

      They might lose some no-longer-deluded customers though.

      1. Anonymous Coward

        "no-longer-deluded customers"

        Hey, I can understand if Joe Average VPN user doesn't understand this type of situation, but all it took was a little searching and reading (for a friend of course) for me to question if these VPN services were even adequate for Bittorrent use... much less as protection for *really* questionable/illegal activity like breaking into websites.

        These companies (unless there is one in Russia that I don't know about ;) have to abide by the laws of the country they operate in and, IIRC, they pretty much all specifically call out in their TOS (how clearly, of course, may be questionable) that they will-not/cannot shield you in the event of a subpoena.

        A service like this will also have your credit card on file *and* your source IP so it's not like you can use DHCP or even unsecured home Wifi as a "wasn't me, honest" defense. Caveat emptor!

        My personal feeling on the subject is that this type of service - if used right - could shield the user from a lot of (most? - definitely not all) civil types of complaints just by virtue of putting the discovery in another country - but a determined and quick (log retention is usually ~30 days for a service like this) civil pursuer could still find you in the right circumstances... but I can't imagine this would provide any type of protection for a remotely serious hacking incident (which is typically categorized as a criminal violation).

        1. Daniel 4

          Useful, but only for legitimate needs

          These services can be a real godsend for a lot of people, but no, they really aren't very useful for hiding anything illegitimate - they are, in practice, just another ISP who has all of your details.

          If you use mobile internet, swap locations a lot, find yourself stuck behind restrictive firewalls when you have a legitimate need for full internet access - these services can be invaluable. Personally, I used one the last time I was moving and had to use the Cricket mobile internet service for a little over a month - it changed it from unbearable to at least tolerable. However, anyone who thinks that they are actually getting real anonymity from them clearly doesn't understand how either the internet or the law works.

          -d

  5. Anonymous Coward

    Idiots

    Didn't they notice that "heading for the border" in the US always meant Mexico, not Canada? Isn't this the same?

    Using a proxy in a western country, and hoping that's good enough to avoid prosecutors in a different western country finding them? They certainly aren't as smart as they think they are.

    Anon - because it's an unbreakable cloak of invisibility from the Feds

  6. The Fuzzy Wotnot

    Well...

    Better change their name to "ShopYouAss.com"!

    1. Aaron Em

      Or, more accurately --

      "NotGoingToJailForYourAss.com".

      1. Vladimir Plouzhnikov

        No

        It will now be rebranded as "Hide, My Ass"

      2. Matt Bryant Silver badge
        Happy

        RE: Or, more accurately --

        Or maybe "ReadTheSmallPrint,DumbAss.com"?

  7. Anonymous Coward

    Currently I am in the Sultanate of Oman (the first Arab country from the east), and I just tried to access the HideMyAss website..... blocked! (Error: "This site has been blocked due to content that is contrary to the laws of the Sultanate. if you believe that the website you are trying to access does not contain any such content, please fill in and submit the form below: "). Although, according to the locals, _all_ proxy sites are blocked and they have been blocked for years.

    By the way, I believe that proxy sites (as well as netcafes) are required to store access information for a few months. I believe it was one of those anti-terrorist laws.

    1. Ilgaz

      Look up "honeypot", an espionage term

      A carefully picked VPN service would have no logs to begin with.

      The only response they would get is either "fsck off" (if they are based in a place carefully picked) or "oops, we forgot to log our users, thanks for reminding"

      What these guys do is basic "honeypot" operation and I wouldn't be surprised a bit if they handed over data to some wealthy (not out of power) dictator as long as their interests were fulfilled. It could be a phone from British govt. or some spy agency, some money at some anonymous bank account etc.

      This is the very serious risk of getting VPN service and trusting it blindly. At least these guys/lamers are based in some "democratic" country. In your case (if you were a citizen), you could have been tricked into some honeypot and while swearing at Sultan, your door would be broken at 5 am.

      1. Anonymous Coward

        No, "honeypot" is not an espionage term.

        You're thinking of "honeytrap". And that's not anything you can set up on a computer...

        1. Ilgaz

          You can

          Route everyone from your wireless and run something like wireshark.

          Say "It is an untrackable private network which will protect your privacy"

          Enjoy the data from the stupid flies trapped in honeypot.

  8. Anonymous Coward

    Good on 'em.

    Serves the hackers right for not reading the T&Cs

    Why in hell's name would the company allow themselves to be prosecuted and closed down to cover the ass of some spotty hacker anyway?

    1. Agarax

      They aren't hackers.

      They are a bunch of skiddies that don't even understand how TCP/IP works.

    2. jason 7 Silver badge
      Stop

      Spotty Hackers.

      That means chances are they are under the age of 25.

      We all know that nowadays anyone under the age of 25 cannot be held responsible for their immature actions.

      You hear it on the news after a stabbing, "Wahhh wahhh it's not my fault!"

      Kids gotta learn consequences. In my day it was called getting a good slap on occasion.

  9. Anonymous Coward

    mmmmm

    time to change proxy, me thinks.....would like to know what data they keep anyways!

    1. Neil Brown

      Subject access request

      You could always try a subject access request, under s7, Data Protection Act 1998.

      Have a day when you make a note of the traffic which you generate when connected to the service, then ask them for a SAR relating to that day.

      You may be asked to pay up to £10, but, if they retain information in identifiable form, they should be providing it to you after receipt of payment.

    2. 437T
      Paris Hilton

      AC says: "time to change proxy, me thinks.....would like to know what data they keep anyways!"

      One would think it prudent to assume *all of it* and act accordingly.

  10. Anonymous Coward

    Euro data retention directive.

    Anybody using a European service and expecting no logging, is just being wilfully ignorant of euro directive 2006/24/EC, or plain stupid.

    Hackers should be interested in the law, even when they think they stand above it, it will affect them.

    1. Neil Brown

      Note that the DRD does not require data to be generated.

      The DRD does not require data to be generated; rather, it requires retention of data which are generated as part of providing the service. See s3 of the Data Retention (EC Directive) Regulations 2009: "These Regulations apply to communications data if, or to the extent that, the data are generated or processed in the United Kingdom by public communications providers in the process of supplying the communications services concerned."

      If the service had not generated data as part of its operation (i.e. it did not switch on logging functionality), a s10 notice has no effect. By choosing to generate logs, the service provider was effectively choosing to bring itself within the ambit of the data retention regime. (For it to be obliged to retain, it must be served with a s10 notice, though.)

      However, since the article talks about a "court order," which is not required for access to stored data under RIPA 2000, it is possible that the disclosure was made under a warrant under s8, PACE 1984 anyway, and so discussion of DRD obligations might be misleading. That being said, if logging / other data generation had not been enabled, there would have been nothing to be discovered under PACE.

      (On the DRD point, one might question whether the provision of a VPN service is the provision of a public electronic communications service, but perhaps another story, and not applicable to an order under PACE anyway.)

      1. Volvic

        really?

        S4 says that CPs are obligated to retain the data - the data is generated during the actual communication. So surely "retaining" in this sense is the actual act of logging?

        ie, the user's actions are generating the data, which is then being retained in logs

    2. JR555

      Not all in EU are bad..

      You can still use CitizenVPN.com, a Danish service that delivers the service out of The Bahamas and therefore does not have to comply with the EU logging. Even if they got subpoenaed by a Bahamas court there wouldn't be any logs to deliver...

      But you're otherwise right. Be careful when using an EU or American VPN provider and read the TOS. Generally if a specific VPN provider in the EU doesn't write on their site if they log, then they do log. All American VPN services are not to be trusted.

  11. Anonymous Coward

    A policeman friend of mine...

    ...when I asked how hackers are stupid enough to get caught even though they know Internet traffic is not truly anonymous replied...

    "Fingerprint technology has been publicly known for a hundred and thirty years, but some blokes still break into houses without wearing gloves."

    That about says it all I think.

  12. maclovinz
    Devil

    Sooo....

    I now it appears they know about all my deep, dark fetishes.....

    XD

  13. DrXym Silver badge

    Serves them right

    If a court order turns up ordering a VPN to turn over information, they're going to turn it over. No legitimate business is going to risk sanction, fines or whatever because some idiot decides to launch an attack through their service. Next time they should probably pick a VPN which resides somewhere without data retention laws.

    1. Anonymous Coward

      The data retention laws only relate to data that you store during the operation of the service.

      If you do not 'normally' store any information, then you cannot be compelled to store it and clearly you cannot be compelled to release data that you do not have.

      The real question is what data was being stored. If "HideMyAss" was storing anything more than strictly necessary to operate such a service, then they deserve to lose all their customers and go bust.

      However, it's clear that any paid-for service is going to need to store billing details which will include at least one way of contacting the user, and unless paid by cash (highly unlikely!) that will include a real name.

      So 'the feds' will always be able to subpoena "Data relating to %individual%", and will at least be able to confirm that a given individual paid for the service - though of course that transaction could be fraudulent.

      1. Trygve Henriksen

        The keyword here is 'store'

        What constitutes 'storing'?

        If your system needs to temporarily save your IP in a table to keep track of your connection onward, then it's possible that it's subject to the DRD.

        If the system bills by usage (time/amount of data/whatever) it must also log that for billing purposes. Suddenly DRD is applicable again.

  14. Anonymous Coward

    Script kiddz

    Well, that really says everything you need to know... using a publicly/commercially available anonymizing service located in a lawful country... hmmm let me think about how that possibly could have gone wrong.

    If you run a service like this you have to keep logs... it's the same thing as companies have to follow, ie, attack on company A's network is traced to company B's network. To stop the CEO of company B being slammed in jail, company B has to find who did it - ie pass the buck. The buck passing can be down to a rogue employee or in this case, a user of a service.

    It's simple fundamental internet legal 101, remarkable how few seem to grasp it.

    BTW, I can't actually imagine why you'd want to use a service like that for anything but illegal stuff... I mean the number of people wearing tinfoil hats has to be quite small surely?

    I suspect more likely it's a bit like having a pirate site that says it will honour any copyright take down notices it receives.

    1. Aaron Em

      There are legitimate uses for services like this one

      Suppose a) you spend a lot of time traveling, or otherwise accessing sensitive info across untrusted networks, and b) either your company doesn't provide a VPN, or their VPN is too locked down for your purposes, or you own a business or otherwise aren't nestled under the broad, downy wings of a professional IT staff, i.e., a batch of chain-smoking paranoids responsible for making your computer things work right. (If your IT staff doesn't contain at least one chain-smoker, consider firing them en masse, as they're either completely incompetent or too green to have picked up the habit yet.)

      In a case like that, where you're given a pretty stark choice between either not doing what you need to do online, or making your life a target for every snotnose who's ever heard of Firesheep but not yet had it earn him a well-deserved punch in the nose, a paid VPN service can be a lifesaver.

      (Yes, if it's called "HideMyAss", there could be a certain reasonable presumption that it's being used for less than entirely lawful purposes, in just the same way that there's a certain reasonable presumption of the innocent having nothing to hide.)

      1. Anonymous Coward

        C'mon

        Using an internet to internet VPN service for sensitive business from a dodgy sounding vendor?

        I'd sooner take my chances that Starbucks had a rogue employee with a network analyser.

        No, the only use for this service is either:

        1) Plain illegal

        2) Contrary to the rules of the user's network (perhaps as worthy as reading the BBC from some kinda dictatorship run country, but more likely so you can get around your corporate internet access policy to reach sites banned and probably pr0n)

        Either way around both uses will be upsetting someone and likely to get you fired/arrested.

        BTW a lot of employers will also fireyerass(dot com presumably) for using such services as this ;-)

        1. Aaron Em

          "Rogue employee with a network analyzer"

          How delightfully quaint -- you have heard of Firesheep, yes? It doesn't take a smartass with a copy of Wireshark to sniff your session cookie any more; now, thanks to the miracle of open source, even a colored-pencil pusher with a Macbook can screw you just for grins.

          I don't carry any water for HideMyAss, but at least they don't appear to be doing anything but what they said they'd do. All the screaming from the Guy Fawkes crowd is as hilariously misguided, useless, and ignorant as everything else for which Anonymous has ever taken credit, and I for one find it vastly entertaining to watch so many toys fly out of so many prams all at once.

          1. Anonymous Coward

            Ooooooh

            Aaron finds the solution to Firesheep, that must be why those people subscribed to that service, that's it.

            I'd cancel your subscription mate and take a look at Google for freebie alternatives - including not using badly written sites for your "business".

            Mind you, donkeypr0n.com might not listen to your technical solutions to their security problem.

      2. Richard 12 Silver badge

        @Chain smoker

        You're a bit old-fashioned, aren't you?

        Smoking in a server room is frowned upon these days, apparently the tar makes opening an old machine a terrifying prospect. Plus it's illegal throughout the EU.

        IT staff retention is now entirely dependent on how good a coffee machine you have.

        1. Aaron Em

          Who ever said

          anything about smoking in a server room? I'm an asshole, not an idiot. And I don't drink coffee.

  15. Anonymous Coward

    Waaaaah

    Waah, waah, this service does not do what I inexplicably imagined it would do, even though it never actually claimed that it would, waah, waah.

  16. Anonymous Coward

    Crazy

    If your anonymity relies on some guy trying to run a business not voluntarily going to prison for you, a faceless customer, then you're already in trouble.

    Even more so, why the hell would you proxy through an extraditable country with close links in the intelligence and police communities?

    Proxy one should be China. It'll even be cheap as every hospital and school has been hacked to death and has an open proxy somewhere. Proxy two should be in the first world if you're worried about resources geo-killing you.

    (If you're really paranoid [as in willing to run away and hide paranoid], proxy 0 should be your next door neighbour or the local internet cafe to give you vamos time.)

  17. Cameron Colley

    Duh, of course they handed over the logs.

    The rule of thumb is always use a service in a country uncooperative towards the one you're hacking. Though using any service sold in the UK or US to do anything which may be considered illegal anywhere in the world is actually asking for trouble, since they have a habit of introducing laws making it illegal to break anyone else's rules also.

  18. James Gosling

    Not the way I would handle it if I were them

    I would as a business make it my policy to retain the least information possible whilst staying on the right side of the law, I would also make some measure of resistance... not refusing to comply with the law, just not being in any hurry to do so. After all they need to defend their business image by appearing to always side with the right to anonymity or else what do they stand for?

    1. Steven Roper
      Stop

      Not being in any hurry to do so?

      Having witnessed the process of a business being served a court order, I can tell you that you don't really have much choice about it. Although the case I saw was an order to seize hardcopy files and paperwork, the process would likely be similar for computer data.

      In Australia (and I assume the process is probably similar in the UK), what happens is two police officers and a bailiff show up at the front door with a piece of paper signed and sealed by a judge, and inform you that you are required by law to produce the items listed as follows, blah blah blah. If you don't cooperate *immediately*, they start turning the place upside down until they find it. They'll literally bust open locked filing cabinets with crowbars and sledgehammers if it becomes necessary to do so. For computer data, I'd assume they'd simply start removing computers and storage media if you don't hand over the information pronto. Believe me, these guys don't piss around, and they won't stand about listening to your excuses.

      So HideMyAss's staff probably didn't have a whole lot of choice about complying or not, or even taking their time about it. More likely, if they didn't instantly hand over the requested data, they would have been herded into an office while the police started carting stuff out the door. Nobody can reasonably expect anyone in a normal working situation to put up any kind of a fight against something like that.

  19. Anonymous Coward

    shoulda used ctunnel

    I know, it's not a VPN, only a cgi proxy so couldn't have been used for this type of hacking in any case.

    I just wanted to share an excerpt from the response posted by Gabe, the ctunnel admin, to the over-zealous prosecution of the Sarah Palin email hacker, last year, for anyone who didn't see it at the time.

    Quite a stand-up guy - I was, and still am, impressed by his stance (admittedly after the fact).

    "As a result of this trial, I will be changing the logging policy for my proxy websites. Effective immediately, I will only be logging the minimum amount required by law. In the United States, this means nothing at all. For our servers in the UK (currently hosting only ktunnel.com, popular only in Turkey), we will be logging for 48 hours, as that is the relevant required logging period in that jurisdiction. Even in the UK, we will be looking into ways to log less evidence-quality information, so long as what we are logging is within our legal obligations. For the US, where almost all of our proxies are hosted, logging will only take place after-the-fact, to specifically try to log information on people who are repeatedly abusing our systems, and then, only logging what is necessary to stop a specific, repeatedly abusive user. We will no longer be proactively logging the activity of users on our US servers.

    [...]

    As a result of this trial, and the complete lack of perspective and justice being shown by the federal government, I will be stepping up now, in an attempt to meet my moral obligations. As such, I will do whatever it is that I can do, legally, to protect my users, by logging as little as I am legally allowed to log while still keeping my site working properly for everyone who needs to use it. I am genuinely sorry for being an integral part in this trial, something I hope never happens again".

    http://www.freeproxies.org/blog/2010/04/27/sarah-palin-kernell-email-hacking-case-unfair-causes-vtunnel-to-stop-logging-user-activity/

  20. Matt Bryant Silver badge
    Devil

    Obviously....

    The stupidity of using a UK-based commercial proxy to hack a major site is just all part of the Lulz, giving the rest of us a good laugh!

    1. asdf Silver badge
      FAIL

      yeah

      Almost as stupid as running a billion+ dollar business on an internet infrastructure so insecure even this idiot could hack it.

  21. John Latham

    "UK-based HideMyAss"

    I have no donkey to hide and therefore nothing to fear.

  22. Paul RND*1000
    Big Brother

    Their Ts&Cs "no illegal use" clause is almost immaterial; that they store anything at all for long enough to have to reveal it under court order calls the point of using their service into question. You never know when you might suddenly find yourself having "something to hide".

    Law enforcement has proven time and again that it isn't above going on vague fishing expeditions backed by a court order (or local equivalent) and government has proven time and again that it's not above moving the goalposts to suit its own ends. There have been times in not too distant history where, practically overnight, it became a very bad thing indeed to have been opposed to, or even slightly critical of, some political or religious movement while that movement was making its way to power.

    But do note that I stated "almost immaterial". Using a service which states "no illegal use" for something that's illegal when you do it is a pretty stupid move.

    1. Ian Michael Gumby Silver badge
      WTF?

      @Paul RND*1000

      Their T's&C's 'no illegal use' clause is definitely not immaterial. It's a CYA clause which is in place to protect the company from users who want to use the service to commit a crime.

      Here's a legal use of the System.... you want to browse one of your competitor's websites without them being able to trace any of your activities to you or your company.

      Or you're dumb enough to want to put some compromising whistle blowing material on Wikileaks' website and you want to add some additional layers of security.

      (But that's another story...)

      Clearly if you're going to do something which is clearly totally illegal wouldn't you take precautions?

      (Note: I won't say what precautions one could take because that would be a bad idea...)

      You can't blame them for complying with the law. They are a legitimate company providing a legitimate service.

    2. david wilson

      @Paul

      >>"You never know when you might suddenly find yourself having "something to hide"."

      But surely, most of the time, most people *do* know?

  23. Anonymous Coward

    "our countries legal system"

    Everyone's covered the "what did you expect?" angle, but I had to be amused by the above quote. Did they just miss out the apostrophe or did they just incorrectly use the plural instead of the singular possessive? It's a somewhat Freudian commentary on the "special relationship".

  24. asdf Silver badge
    FAIL

    even more embarrassing for Sony

    They can't claim they were hacked by some hostile foreign government entity with nearly unlimited resources. They were hacked by a skiddie who didn't even understand basic practices for covering your tracks.

  25. Anonymous Coward
    Anonymous Coward

    We don't know

    When they were served with the court order do we? Just because the story has come out now after the arrest has no relevance to how long the original investigation part took. Once PSN had identified from their logs where the connection came from one assumes the court order was obtained soon after so I expect the request reached them well within 30 days.

  26. asdf Silver badge
    FAIL

    wtf?

    Who in their right mind would use a service in the UK to hack US mega corps? The UK is the USA lapdog and is owned almost as much by the mega corp as the USA. I guess Estonian servers do have their advantages when they are not spamming me about penis pills.

  27. kellerr13

    Hold your ground

    If you are going to be in the business of hiding people then be in that business and either delete all the data on the fly, or leave the country.

    They did not want to be shut down by the feds. Let's see how they survive when Anonymous shuts them down.

    1. Bango Skank

      Conjunctivitis

      I think you are missing the conjunction in the options list.

      Option #1

      - Piss off the h4x0rs and maybe get hacked badly enough to disrupt business

      - In which case: Declare bankruptcy, claim insurance, open a new company with a new name using the same hardware.

      Option #2

      - Piss off Caesar

      - Your kit gets confiscated, you go to jail, AND you go bankrupt

      Yes, I can definitely see how being hacked is far worse than a few years of porridge and soap-kicking

  28. miknik
    FAIL

    1337 ha><orz @ LulzSec

    I would have hired a bot net, pretty sure bot net operators don't swap logs for court orders.

  29. theSaint707

    A new opinion

    First an individual needs to read a terms of service when they sign up for anything, ESPECIALLY a service claiming to protect their privacy. I do believe that it was a bit BUSH LEAGUE to roll right over, but they are the biggest gorilla in town and probably have Aston Martins to pay for :) . Lastly, when you read that TOS, if there is a mention that they can shut you off for any other reason than NON-PAYMENT then they log enough to pick the needle from the Haystack.

    On the comments that these services are frequented by terrorists and hackers, I would firmly disagree. Any proficient tech can create his own secure alleyway on the 'Net. Furthermore TOR, a good product for what it is but ANTI-P2P, has the perfect setup for pedophiles so why pay for something you can get for free?

    There are other services that gave away FULL free and unfettered accounts to in-country residents Tibet, China, Cuba, Egypt and Iran (almost 10,000) to those individuals. Sometimes these things don't need to be bragged about as you can do more quietly than beating your chest looking for praise.

    Lastly, thinking that your particular Country will protect you from US or any LEA, I would suggest you put down your pipe and get a grip. If you think that your EU Country will resist US pressure or vice versa you're mistaken. The words 'National Security' or 'terrorist' will get you whatever you need.

    I would love to keep this up, but I have a business to run, customers' privacy to protect and DMCA letters to answer!

    Cheers,

    theSaint707

    Father; Blogger; Practicing 'Lattlay Fottfoy'; Recently been dubbed 'HARDCORE'; Active for Freedom, Privacy, Free Speech; Part Time Troll & Redneck Gigalo

    P.S. Beware Companies that appear out of thin AIR

    1. Anonymous Coward
      Anonymous Coward

      >>"Lastly, thinking that your particular Country will protect you from US or any LEA, I would suggest you put down your pipe and get a grip. If you think that your EU Country will resist US pressure or vice versa you're mistaken. The words 'National Security' or 'terrorist' will get you whatever you need."

      Protect?

      Since when was it the job of a country to 'protect' fuckwits who think what they and their internet pseudofriends want to do takes precedence over the law?

  30. Anonymous Coward
    Anonymous Coward

    does this proxy service extend its dmarc to club fed?

    I'm guessing he's also going to want to hide his ass in club fed

  31. raving angry loony

    2 faces

    On the one face, they abhor illegal behaviour.

    On the other face, they provide VPN services so that people from outside the country can pretend to be inside the country in order to bypass copyright restrictions.

    I wonder if they need twice the toothpaste?

  32. Gav76
    Facepalm

    definition

    Surely the whole argument here is the definition of anonymous? I always understood proxies as making your source anonymous to the target server, not the proxy itself. Without enough information to route the traffic back to you the connection is useless.

    Since the proxy has to know who you are, where you are and where you connect to, the assumption that this information isn't going to be logged somewhere is naive at best, stupid at worst.

    And to try and pass the blame on to a 3rd party after doing something illegal is as unlikely as Lamborghini paying your speeding fine after you drive their car too fast.

  33. Anonymous Coward
    Anonymous Coward

    Security experts... ?

    I can't understand why a hacker would use a VPN like hidemyass.com for doing their shit.

    If they were security experts as they pretended, wouldn't they have rooted boxes all around the world which they could use as proxy/vpn/tunnel/whatever? Or even just go to McDonald's, pay with cash and enjoy the free internet.

  34. pjcard
    Devil

    "we are simply complying with our countries legal system"

    That should either be countries' (unlikely), country's or [sic] depending on whether it's a written quote or transcribed.

  35. Anonymous Coward
    Anonymous Coward

    heh

    HMA defends itself using Egypt as example... and they also use Egypt as a location for their VPN services. If Egypt's government had requested info on all the users evading a filter, would they have complied as well? No? What if ordered by a court? You're telling me there isn't an ounce of hypocrisy in divulging your user's information, albeit even if ordered by a court?

    I honestly hope all their customers lose faith in them. They should. Screw HMA, their worthless services, and the dumb ass who got caught. Guess lulzsec wasn't so smart after all.

    1. Gordon 10 Silver badge

      I tend to agree

      There is a whiff of hypocrisy from hma. They will only hide people from countries for whom their host country doesn't have any legislation for.

      I suspect at least one of the Arab Spring countries may have been in this position but too overtaken by events to action it

  36. Anonymous Coward
    Anonymous Coward

    Arse?

    My biggest problem with this is, if it's based in the UK why isn't it called 'hidemyarse.com' - 'hidemyass.com' should be hosted in the US.

    1. The Mole

      Not HideMyDonkey.com?

  37. DaeDaLuS_015
    WTF?

    sigh

    This makes no sense, why care that another useless hacker got caught?

    We all know we wouldn't do anything dubious through the HMA proxy because, well, we aren't idiots. I would think you could assume that anyone like him doing things like that through a UK based proxy service is a complete idiot.

    Now isn't it reasonable to assume that he can form a representation for all HMA users? If he was such a "1337 hax0r" then I reckon most of HMA's users are going to care even less than he did about whether they log information or not.

    I can't really see this affecting HMA's userbase at all and to be honest, I'm glad the little tit got caught, as you all should be!

    Stands to reason..

  38. johnwerneken
    Thumb Up

    Nice El Reg and HideMyAss are honest and law-abiding, unlike a lot of so-called hackers

    A hacker used to mean one who could invent ways of getting something done with a computer, whether a kludge (initially) or a brilliant contribution. Now it simply means someone who uses a computer in ways that are not 'ordinary'. El Reg and HideMyAss are being truthful and consistent on this. Unlike a lot of BS one sees posted by today's hackers about this and many other topics as well, all over the thoroughly polluted internet.
