Slashdot Mirror
HideMyAss.com Doesn't Hide Logs From the FBI
An anonymous reader writes "People use VPN services to hide their identities online, right? And a UK-based service called HideMyAss would seem to fit that bill perfectly. Not so, unfortunately: they have to hand over the logs to the FBI when a UK judge tells them to." Reader wiredmikey points to a story at SecurityWeek, too.
Log this!
But another question is why they kept logs anyway? Are they required to keep logs by law?
If you're expecting to use public VPN servers to "hide your ass" you're doing it wrong.
If you're not competent enough to "hide your own ass" then you really shouldn't be fucking with other people's networks.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
I was hoping something like hidemyass.com would be devoted to the anti-muffin top movement :P
Monstar L
That lulzsec guy is going to get introduced to fuckmyass.com in jail!
HMA is designed to avoid censorship, not mask illegal activities. Although their may be some gray area where using the internet to organize people in political actions may be illegal, the sharing information itself is not illegal, and should not be censored. People that then actually commit cyber crimes or real crimes, will be subject to applicable laws by involved governments, and of course, the governments will take action to find the responsible parties.
I've heard /dev/null is a pretty neat place to store logs. Compression ratio is quite high too - no need to worry about filling disks with uncompressed logs.
It's quite clear that HMA see their service as a way of doing things that are not illegal through a VPN. There's plenty of perfectly legitimate reasons to want to do this, and that's what the service is there for.
It's not there to allow someone to break the law with impunity. So it's not been engineered to be particularly difficult to dig into the logs and figure out who was using the service. So if they get served with a court order saying "Hand over the logs", they have to.
Want something which is a lot harder to be traced? Don't use a commercial VPN service, use something like Tor.
This isn't a story of "HideMyAss selling out". This is a story of "Person uses a service in a way it's not meant to be used and is surprised when it blows up in his face".
Is this really surprising to anyone? There are two ways to hide traffic. The first is illegal and it will cover your tracks because you can use hacked machines without any logging. The second is legal and it is very hard to hide yourself. The only legal way which might actually work is if you bounced through a country with no diplomatic ties to the West but very few of those are even on the internet.
So back to this company. Does it surprise anyone that a company located in the UK of all places would have to give up logs when a judge orders it to? It is that way in almost every Western state. If US law enforcement requested such information I see no reason why a UK court shouldn't grant it (although you'd have to decide on a case by case basis).
at least they wait till a judge tells them to.Too many companies/websites are handing over information if they are asked.
Haha, LulzSec was using hide my ass? Talk about amateurs. Just get some VPN or VPS account from some "We have a long 6 month history" company from India or Italy. Any legitimate business or entity will always give logs to the authorities since they are compelled to by law and in some cases can be held in contempt of court if they refuse. What happened to CloudFlare? They were turning a blind eye even during the whole saga, so were a bunch of other companies. These guys didn't trust Tor but they didn't think to turn their botnets into their own onion network either.
A lot of proxies get around this problem by launching a new site every few days.
I'd like to make a smart comment here but I don't have time, I have a lot of stuff to delete before the feds knock to my door!
lucm, indeed.
Not everyone understands computers, that doesn't mean they're incompetent, wikileaks, openleaks and other needs to help their submitters keep anonymous, and there are better ways to do this, follow my instructions below, and you'll be as safe as you CAN be in this world:
1) First of all, you need to download TAILS
http://tails.boum.org/download/index.de.html
2) Burn this .ISO on a CD
3) Get a second computer
4) Tear out its harddisks
5) Make sure there are NO USB-memory sticks either.
6) Make it boot from the CD only, (enter the bios and set Boot Priority to CDROM)
7) Now you can surf relatively safely, but you're not done yet!
8) When surfing, do NOT surf into familiar places of yours, do NOT use your real name, do NOT search for your real name or even your internet alias, if it's known in combination with your name (if you surfed with it on your computer, google already knows your IP, so forget it!)
TAILS uses TOR, google it if you're truly curious. It can't keep you 100% anonymous but it's the safest "service" out there, and it's only relatively safe if YOUR SURFING HABITS ARE SAFE TOO.
Good luck!
What this world is coming to - is for you and me to decide.
Use a coffee shop connection or any other open/crackable WIFI + tor.
thats what you should use.
Read radical news here
Something we suspected for a long time...
Don't get me wrong, we're truly grateful you stepped in 70 years ago to help save us being conquered by the nazis (even if you did take 2 years to finish your breakfast before getting your spurs on) , but jings, we do seem to have a procession of Prime Ministers whose real dream seems to be made a governor of a USA state...
I use a VPN because i firmly believe that a malicous neighbor on the same cable trunk does not need to know what i am doing or intercept certain connections. I use a VPN because public and free WLANs and Hotels LANs are uncontrolled cesspools. I use a VPN because i dont want every server operator to be able to identify my location to the block-level (and combine it with other techniques to identify me). I use a VPN because i dont trust GSM encryption. I use a VPN because i dont want to be throttled based on IP or content.
If the FBI wants to see the log of my VPN provider, they can. If i would want anonymity i would go to other measures.
Would the same go for anonymouse.org? I have visited my own website through their proxy, and it remains unlogged in (wordpress) WassUp stats. Hidemyass actually shows up though, along with my browser type and screen res. Also, why do more people not consider that these anonymity services are not honey pots?
Laws are like sausages. It's better not to see them being made. - Otto von Bismarck
HMA is primarily used to bypass school/college firewalls
two more words... proxy chaining, one word... TOR
Have your last proxy in a questionable country as well - fckknowswhere-istan
Use a Nic that you can write a mac address to and change it on occasion and have a separate encrypted removable HDD that you swap out and stash when your 'private' activities are over. Boot from a CD or a virtual machine so even if something was uploaded to you it is wiped next boot.
CCTV on the entrances to your house will also help with seeing the Feds coming and you power down.
Also have lots of old spare and unused encrypted HDD around. Go ahead narcs get all forensic on those terra bytes of drives you found - time consuming and plausible deniability about forgetting passwords to the numerous encrypted partitions spread around.
If they can find and prosecute you after all that then you've probably been found by men who stare at goats.
Logging is for thick-necked, dull-witted, arborphobic lumberjacks.
The Admin and the Engineer
Comment removed based on user account deletion
My best guess is legal compliance.
Laws are like sausages. It's better not to see them being made. - Otto von Bismarck
To quote the PRQ "About us" page (http://www.prq.se/?p=company&intl=1).
"The only thing we need to know about you to set up the service is which e-mail address that should receive the invoices. Logging is only done to the minimal extent required for trouble-shooting in case of problems, and thus we do not have any logs whatsoever of data traffic."
I'm not saying PRQ are the only (or even the best) VPN provider that conduct their business in this way, I just want to point out that there are indeed alternatives to the apparently crap-a-delic service HideMyAss is providing. If the UK has seen it fit to force ISPs to keep logs, don't use an ISP that falls under their jurisdiction. Easy as that.
From the court order:
So elite that they were able to hack more than one computer at once! So elite that they used the paid VPN service of a legal UK company under their real names...
Unless you're some kind of super 4Chan, you can't run a business that actively keeps no logs and relies upon -- as your buisness model -- the idea that you can keep people 100% anonymous online no matter what they do. That's just retarded.
Generally speaking, the best you can hope for is, "We will keep you safe from basically anyone who doesn't come knocking with a court order or warrant. Depending on your country, they may not even have that, but they'll definitely have to be law enforcement related."
I mean, really. Would you willingly operate a legitimate business that had, as its business model, the idea that your clients give you a hunk of money and then you give them back an entirely different set of money (minus 15%) in non-sequential bills? Do you think such a business would operate without being investigated by the FBI/CIA/ASIO etc? Who would you think the primary clientele of such a business would be and is it really ethical to protect them?
Somewhat more tin-foil-hatty is the idea that anyone who runs a business that promises to give the finger to the law, doesn't keep any logs and is prepared to go to jail to project your online anonymity... well, to me, that screams that they're a honeypot. Probably paid for directly by the FBI, with 95% of their clientelle being 13 year old 4Chan script kiddies, PirateBay users and other harmless folk who are utterly ignored and left in peace... but that other 5% being pedos (there are *very very* few pedophiles online; don't buy into the panic!), drug runners and organized crime members who are kept under close surveillance.
In short, I would rather use an anonymizing VPN service who spells out exactly what is kept and why, and what level of law enforcement intervention is required. A service I would use would probably have the following terms of service:
1) If you commit any crime, or transmit evidence of any crime, that has a minimum of one year in jail OR do anything *truly* retarded (like Skype-out over the VPN and call the White House legitimately threatening to assassinate the President of the United States) then your arse is grass.
2) If you are DDOSing from behind the VPN service, or sending spam e-mail, or operating any form of spam/volume based attack behind the VPN we'll disconnect you since that typically rapes our already overloaded services. Generally no legal butthole-raping, just a D/C, one day timeout, and an e-mail explaining why. Note rule #1 still applies if you are scamming people.
3) If the cops come with a 100% legal warrant issued by a judge, irrespective of the crime, we'll comply with its order.
I believe that's entirely fair and I know some people will scream for more, but realistically, I think that if your business doesn't basically follow those three rules it's not going to survive... or is a honeypot.
Check out my sci-fi book "Lacuna" at http://goo.gl/MVxX8
Anyone who doesn't want logs/wants them deleted quickly is an evil criminal.
Filthy, filthy copyrapists!
Yes, your ISP, who knows your identity since you have a commercial relationship with them, cannot hide logs of your data from the authorities, because they're a registred business. Whatever shall you do? OH I KNOW! Enter a commercial relationship with someone else who is also a registered business.
To paraphrase the old adage, "if you think, speak, write, publish and don't use Tor, don't be surprised."
Isn't the surest form of protection to not log user activity in the first place?
------ The best brain training is now totally free : )
...to "coverourass.com"?!
A lesson in paranoia, it's all logic:
Do you seriously think you can surf for free, unlimited bandwidth on some service out there in internet land? Sure, they may finance their services with advertising, and that's probably the main idea and intentions with their services to BEGIN WITH, but as with all such services, no one is ABOVE the LAW, and don't think for a minute you'll even be safe under such services.
Sure...your ISP won't see your actions
But the Service you use (eg. Hidemysorryass.dot.com) WILL know your every move, they have to...why? Liability, that's why! No one can truly circumvent their own countrys laws, not even the best of them, the only reason you don't get caught, is because you ain't important enough, if you do the CRIME, you WILL eventually do the TIME.
It's all a giant game of who do you trust (to quote Jack Nicholson) - Who DO YOU TRUST? Some free internet service out there, are you freaking KIDDING me? They WILL COVERTHEIROWNASS.com when the feds come knocking on their doors, they're in it for the money, not to save your ass, that's for sure.
Networks like TOR (google it and learn) works, because it's a giant network of private individuals that lend their computers to forward encrypted chopped packets of information they have no chance of assembling, only that makes sense as you couldn't really assemble this unless you owned the entire network ...or...figured out who where behind the originating address trough mistakes such as leaving your name on a forum, user name + previous IPs with that user name etc... Nevermind that, we're getting too technical, point remains though.
Learn to surf safely first
And then you may use TOR!
What this world is coming to - is for you and me to decide.
I would set up services like HideMyAss and run it in a competent way .... and let my analysts have a look at what people want to hide.
If people are trying to hide something then it is likely to be interesting or embarassing. OK: most of it would be uninteresting from the point of view of a national security agency, but there would probably be an occasional gem from some dumb ass who believes that such a service really does give him the secrecy that he wants.
Actually, there is a ton of things the government will attempt to do to try to get you, even if it is a puny, pariah, poor government. I was helping a few friends of mine who live in a country, where people who laugh at politicians are still beaten up, to publish some funny videos about their top politician. Since I also visit there occasionally, we took full precautions. Private VPN to a foreign country, rather unfriendly to the regime, chained proxies, then TOR, new email addresses and video upload accounts, different chained proxies to access each of those, etc.
Once the videos hit the tubes,some people got mightily pissed off, and started an official, but silent investigation. Imagine my surprise, when two of our e-mail accounts (free, with a large US-based web mail provider) that we used for the services were blocked, and login attempts redirected us to customer support barely a day into the operation. Since the investigation in these countries tends to leak like a sieve, we got info that that particular country was paying someone mid-level in customer support dept. to give them data on customers.
They hit the video upload sites with official requests and apparently tried to hack into one, obtained logs from the ISPs of all online forums that we used to advertise the videos to, had videos deleted and did other funny things. They persisted into this business for about 18 months until they decided to close it down.
Given this much effort about a few videos from a near-third world country, imagine what a really powerful government can do to you, and despair :)
What is the point of services like these storing logs for longer than 24 hours?
If I was running services like these, I would wipe them daily
Well, in addition to legal compliance measures, the guys who maintain the security of the site might want to take the weekend off once in a while. It's pretty damn tough to run any kind of secure network if your memory of all potential intrusion attempts is only 24 hours long.
1. Go buy a cheap USB wireless card (with cash).
2. Disable your wireless card on your laptop.
3. Go to Starbucks or other public Wi-Fi hot spot.
4. Plug in newly purchased wireless card and get on to "the inter tubes"
5. Do what ever nasty sh*t you're going to do.
6. Dispose of newly purchased wireless card.
They can't find you, period.
Relakks is protected by Swedish data security laws, which require a severe crime before anything can be given to authorities. Quote from the FAQ ( https://www.relakks.com/faq/legal/?cid=gb&lang=en ):
RELAKKS Safe Surf enjoys the strongest legal protection possible under Swedish Law because of the service type (pre-paid flat-rate service). This means that RELAKKS do not have to keep an ordinary customer database (to be able handle transactions etc.). This is of importance if forced to hand over information.
If Swedish authorities can prove beyond reasonable doubt that they have a case for demanding subscription information from RELAKKS (they have to be of the opinion that if convicted the user will be imprisoned – fined not enough). .
RELAKKS then have to hand over the subscription information entered by you (but that’s all). RELAKKS do not store any subscribtion information about you except what you entered yourself when signing up for the RELAKKS Safe Surf service.
For Swedish authorities to force RELAKKS to hand over “traffic data” including your RELAKKS IP at a specific point in time, they will have to prove a case with the minimum sentence of two years imprisonment.
Regarding inquires from other parties than Swedish authorities RELAKKS will never hand over any kind of information.
(emphasis mine) "What you entered".. They will not check the information, though I'm not sure if and how long the payment data is stored by the payment processor. Why would you use any other VPN service? The only reason I can come up with is when you need to appear from coming from country X to get around content filtering based on your location. (Ie. something is not sold to say UK, but it is available for USA).
Why do people do illegal shit from their homes. There are thousands of public WiFi connections in any city. Change the MAC on your laptop and then drive somewhere far from your home and park outside a coffee shop, supermarket, hotel, motel, or just about any other business and do your evil business in a way that could never be traced back to you. Do people do that? No, because they're lazy.
Without a VPN:
IOW, an ISP has little incentive to stand-up for user rights, whereas that's a VPN's major selling point.
But if the Egyptian government went through the appropriate channels and got a UK court order, presumably HMA would turn over the logs immediately. Besides, there are a number of censorship-related situations where HMA would apparently pass out user information like cookies at a bake sale regardless of whether a boogedy-boogedy scary middle east country is involved or if it is the US/UK... the wikileaks fiasco would be an obvious example.
Why not at least keep the connections logs for only 2 or 3 days? I would imagine that would still enable them to crack down on abuse while avoiding having to comply with most court orders.
Not EUSia.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
First go to:
http://www.daveproxy.co.uk/
the use that proxy to access UK proxy:
http://docoja.com/blue/
then use that to access Japanese proxy:
http://www.ejapan.eu/blue
then use that access Hidemyass proxy:
http://hidemyass.com/
then go to slashdot and post Anon!
They'll never find you!!
You'd think that a tor-like vpn service would be smart enough to not enable logging, except for errors that they may need to fix, and then not log IP addresses in any case. Then, they can hand over the logs, knowing that no, or little, information will be available.
Sometimes, real fast is almost as good as real-time.
Since the investigation in these countries tends to leak like a sieve, we got info that that particular country was paying someone mid-level in customer support dept. to give them data on customers.
All the corporate privacy/security policies [and, for that matter, government privacy/security LAWS] in the world aren't worth diddly squat in the presence of a determined mole.
I seem to recall that the key element of the plot of Dune involved a traitor at the heart of House Atreides...
PS: Wow, has it been almost 30 YEARS since Dune was released?!?
Yikes!!!
I feel old.
Old. Old. Old. Old. Old.
PPS: Man, you know that Virginia Madsen was a world-class piece of tail if she was as hawt in Sideways (2004) as she had been in Dune [if not even hawter?].
Whew.
Log this!
Your log appears to be a floater.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
This is just what ctunnel.com did when they were hit with subpoenas in that case. Silly to think that a VPN service would be any different in that regard from a plain old web proxying service.
Also, to all the smug fuckers who are saying "Well what do you expect, it's the UK and its stupid laws, this would never happen in the US": it already did. Duh.
It doesn't take a whole lot of thought to arrive at the conclusion that choosing a UK based VPN provider to attack US based sites is a bad idea. What country has a better relationship with the US than the UK? Even if that company "doesn't do logging", do you think that a court order can't change that very, very quickly?
AccountKiller
You are using a narrow definition of privacy, many of the users of this site probably have something else in mind. They are not necessarily morons. Most of these people are probably not trying to hide from government, its more likely they don't want to be tracked for advertising and marketing purposes.
RTFA and you will get your answer.
From corrupt western governments? There are a lot of people in the world that need protection from USA, EU, China, India, Russia and other powers.
How do we protect political activists that have a legitimate need to be protected from western intelligence agencies?
You know that right now the CIA is happily turning over everything they know to the Syrian dictatorship, just like we fully cooperated with the Libyan dictatorship.
Put it in a barn.
Stick Men
The whole point of calling themselves "hide my ass" is that they imply they can't tell anyone who did what when.
So now we know the name "hidemyass" simply means they take money from stupid people.
So basically, someone out there thought that a site like this was actually a legitimate way to shield from any kind of tracking?
And the fact that that someone was wrong is surprising?
They make their points very clear in the linked statement: The service is not intended to provide anonymity or shelter from legal repurcussions; They are there to provide a workaround for those who are being censored, to provide a way of bypassing "Great Firewalls", or simply to prevent your ISP or wireless network from seeing your HTTP requests. There is no expectation of privacy, and nor should there be. The same expectations are true of Tor and other "anonymity" initiatives (though Tor is inherently less open to tracking due to the way packets flow through the Tor network (that is to say, it's very decentralized)).
Sure, services like HMA partially obfuscate the trail, but they aren't bound by any agreement to guarantee your privacy, don't claim to, and ultimately will not.
Screw the rules, I have green hair!
ShowMyAsscom
It is my Constitutional RIGHT to be able to break the law in PRIVATE!
Utilizing the synergization of benchmark e-solutions to pre-workaround action items!
How can these idiots claiming to be "hackers" use this service for illegal activity? All these *chans people make me laugh when they claim to be "Anonymous Hacking on Steroids" They deserve to get their houses raided by the FBI! for being n00bz!