Slashdot Mirror

← Back to Stories (view on slashdot.org)

HideMyAss.com Doesn't Hide Logs From the FBI

Posted by timothy on from the technically-sir-you-were-being-a-donkey dept.

An anonymous reader writes "People use VPN services to hide their identities online, right? And a UK-based service called HideMyAss would seem to fit that bill perfectly. Not so, unfortunately: they have to hand over the logs to the FBI when a UK judge tells them to." Reader wiredmikey points to a story at SecurityWeek, too.

20 of 233 comments (clear)

  1. Who would have thought so.... by Anonymous Coward · · Score: 4, Insightful

    But another question is why they kept logs anyway? Are they required to keep logs by law?

    1. Re:Who would have thought so.... by Runaway1956 · · Score: 5, Insightful

      Now, THAT is the correct question. A server that keeps no logs is a fairly secure server from which to run a VPS. Ditto proxies. When shopping for something of this sort, the important question to ask is, "What logs do you keep, and how long do you retain them?" Every server makes and keeps logs - there is no getting around that. The lifetime of the logs should depend on administrative necessity. Generally, logs should be flushed every 24 hours. Performance logs, security logs, things that pertain to the ongoing health and security of the server should be retained for as long as necessay - sometimes, for months. But every publicly facing server should routinely delete logs that aren't central to the server's main mission. VPS and proxy servers main mission being to protect the anonymity of it's users.

      Shouldn't it be considered a fraud, to advertise they you will protect a user's identity, then maintain logs which can be seized by any government agency that demands them?

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    2. Re:Who would have thought so.... by jhoegl · · Score: 5, Funny

      Ass logs can get pretty big.

      I just dont know if I want to be the one sifting through the logs to find kernels of information.

    3. Re:Who would have thought so.... by migla · · Score: 3, Interesting

      They are based in UK, so they so not retaining logs is illegal. If you want proxy without logs find one based in country without data retention laws. Hint: it is nowhere in EU.

      Judicially, no. But, unless I'm mistaken (and don't base hiding of ass on my level of informedness, please), Sweden is for example not abiding by that EU law yet, incurring ever growing fines in the process.

      My ISP still claims the logs of who had what IP at what point in time are gone in about a week.

      --
      Some of my favourite people are from th US; Vonnegut, Chomsky, Bill Hicks.
    4. Re:Who would have thought so.... by qbast · · Score: 3, Interesting

      The problem is that when it comes to promises of security, fraud is very common and never punished. How exactly do you determine what logs the proxy keeps? By asking them? As you see what is promised and what is actually delivered is usually not the same. For another example look at Dropbox - for a while they claimed that only user has encryption keys and it is impossible for their staff to decrypt anything. Then they changed story to 'staff is not allowed to decrypt'. Hell, even if you find a proxy in bumfuckistan which has no data retention laws, it may be a honeypot.

    5. Re:Who would have thought so.... by Bert64 · · Score: 3, Interesting

      a, not really.. you can easily eliminate potential proxy services by assuming that at minimum they comply with the local data retention laws...

      b, possibly, but who do they claim to "cover your ass" from?

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    6. Re:Who would have thought so.... by qbast · · Score: 3, Informative

      You are right, in UK data retention is voluntary. And here I thought that all members already got pressured to implement EU Directive 2006/24/EC .

    7. Re:Who would have thought so.... by lseltzer · · Score: 3, Informative
      In addition to that, from TFA:

      Why do we log the above^ information? Being able to locate abusive users is imperative for the survival of operating a VPN service, if you can not take action to prevent abuse you risk losing server contracts with the underlying upstream providers that empower your network. Common abuse can be anything from spam to fraud, and more serious cases involve terrorism and child porn. The main type of logging is session logging – this is simply logging when a customer connects and disconnects from the server, this identifies who was connected to X IP address at X time, this is what we do and all we do. Some providers choose not to do session logging and instead try to locate the abusive customer by using the intelligence from the complaint, for example if someone hacks XYZ.com they may monitor traffic to XYZ.com and log which customers have a connection to this website. Ask yourself this: if a provider claims not to do any form of logging, but is able to locate abusive customers, how are they able to do this without any form of logging?

    8. Re:Who would have thought so.... by Zemran · · Score: 3, Interesting

      In the UK, not only do they have to keep the logs for 18 months but practically anyone, including the fire service, can look at them. The British law is the craziest in the world in that regard and anyone stupid enough to use a British proxy/VPN must need their head examined. If you use a Swiss or a Swedish proxy they will not even keep logs, so there is nothing for the FBI to ask the court to make them hand over. If you buy a car you look into which car does the job that you want it to do... So if you get a proxy it is up to you to make sure it will do what you want. If you want to watch British TV or whatever without being told that you cannot because you are not in Britain then OK but for privacy??? MORON!!!

      --
      I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
    9. Re:Who would have thought so.... by iamhassi · · Score: 4, Insightful

      But every publicly facing server should routinely delete logs that aren't central to the server's main mission. VPS and proxy servers main mission being to protect the anonymity of it's users.

      Shouldn't it be considered a fraud, to advertise they you will protect a user's identity, then maintain logs which can be seized by any government agency that demands them?

      reason for keeping logs:
      "16:32 edit: We have had a few queries as to our logging policies. We only log the time you connect and disconnect from our service, we do not log in any shape or form your actual internet traffic.

      21:05 edit: Why do we log the above^ information? Being able to locate abusive users is imperative for the survival of operating a VPN service, if you can not take action to prevent abuse you risk losing server contracts with the underlying upstream providers that empower your network. Common abuse can be anything from spam to fraud, and more serious cases involve terrorism and child porn. The main type of logging is session logging – this is simply logging when a customer connects and disconnects from the server, this identifies who was connected to X IP address at X time, this is what we do and all we do."

      makes sense, they have to protect their other customers and themselves, if someone logs in and does kiddie porn or terrorism and HMA doesn't have the logs they'll lose relationships with the other VPN servers they're using. Govt might even just come in and take what servers they do have and shut down the website if HMA doesn't cooperate.

      Honestly I think lulzsec was stupid for using their credit card on a VPN service for hacking online, if they thought "Let's be safe, I'll just enter my credit card number...." then they're stupid and deserve what they got. Should have gone anonymous (no credit cards, or at least prepaid) and should have gone through several VPNs in other countries.

      Wanna hack anonymously? Buy a used PC, wipe the drive (or install new HD), install OS, use it only for hacking, never put any personal information on it, never check personal email, facebook, forum accounts, bank, credit card, paypal, etc. Create fake email on PC, use fake email to create fake accounts, find free VPNs and go through several of them (at least three). Wipe cookies, temp files, etc after every session. Even better if you buy a used laptop and use wifi at starbucks, mcdonalds, B&N, or open networks from wardriving and switch networks daily.

      --
      my karma will be here long after I'm gone
  2. lol by smash · · Score: 4, Funny

    If you're expecting to use public VPN servers to "hide your ass" you're doing it wrong.

    If you're not competent enough to "hide your own ass" then you really shouldn't be fucking with other people's networks.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    1. Re:lol by smash · · Score: 3, Insightful

      I'm not claiming to have a method. My option is "don't do retarded shit on the internet and expect not to get caught".

      But using someone else's VPN service in a western country is pretty much equivalent to using nothing at all.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  3. So disappointed by the name by antifoidulus · · Score: 5, Funny

    I was hoping something like hidemyass.com would be devoted to the anti-muffin top movement :P

    --
    Monstar L
  4. Just log to the right place... by geogob · · Score: 4, Insightful

    I've heard /dev/null is a pretty neat place to store logs. Compression ratio is quite high too - no need to worry about filling disks with uncompressed logs.

  5. And? This shouldn't be a surprise by jimicus · · Score: 4, Insightful

    It's quite clear that HMA see their service as a way of doing things that are not illegal through a VPN. There's plenty of perfectly legitimate reasons to want to do this, and that's what the service is there for.

    It's not there to allow someone to break the law with impunity. So it's not been engineered to be particularly difficult to dig into the logs and figure out who was using the service. So if they get served with a court order saying "Hand over the logs", they have to.

    Want something which is a lot harder to be traced? Don't use a commercial VPN service, use something like Tor.

    This isn't a story of "HideMyAss selling out". This is a story of "Person uses a service in a way it's not meant to be used and is surprised when it blows up in his face".

  6. This is what you do to truly hide your ASS! by MindPrison · · Score: 5, Informative

    Not everyone understands computers, that doesn't mean they're incompetent, wikileaks, openleaks and other needs to help their submitters keep anonymous, and there are better ways to do this, follow my instructions below, and you'll be as safe as you CAN be in this world:

    1) First of all, you need to download TAILS

    http://tails.boum.org/download/index.de.html

    2) Burn this .ISO on a CD

    3) Get a second computer

    4) Tear out its harddisks

    5) Make sure there are NO USB-memory sticks either.

    6) Make it boot from the CD only, (enter the bios and set Boot Priority to CDROM)

    7) Now you can surf relatively safely, but you're not done yet!

    8) When surfing, do NOT surf into familiar places of yours, do NOT use your real name, do NOT search for your real name or even your internet alias, if it's known in combination with your name (if you surfed with it on your computer, google already knows your IP, so forget it!)

    TAILS uses TOR, google it if you're truly curious. It can't keep you 100% anonymous but it's the safest "service" out there, and it's only relatively safe if YOUR SURFING HABITS ARE SAFE TOO.

    Good luck!

    --
    What this world is coming to - is for you and me to decide.
  7. Anonymouse by E.I.A · · Score: 5, Interesting

    Would the same go for anonymouse.org? I have visited my own website through their proxy, and it remains unlogged in (wordpress) WassUp stats. Hidemyass actually shows up though, along with my browser type and screen res. Also, why do more people not consider that these anonymity services are not honey pots?

    --
    Laws are like sausages. It's better not to see them being made. - Otto von Bismarck
  8. Of course. Duh. by Sasayaki · · Score: 4, Insightful

    Unless you're some kind of super 4Chan, you can't run a business that actively keeps no logs and relies upon -- as your buisness model -- the idea that you can keep people 100% anonymous online no matter what they do. That's just retarded.

    Generally speaking, the best you can hope for is, "We will keep you safe from basically anyone who doesn't come knocking with a court order or warrant. Depending on your country, they may not even have that, but they'll definitely have to be law enforcement related."

    I mean, really. Would you willingly operate a legitimate business that had, as its business model, the idea that your clients give you a hunk of money and then you give them back an entirely different set of money (minus 15%) in non-sequential bills? Do you think such a business would operate without being investigated by the FBI/CIA/ASIO etc? Who would you think the primary clientele of such a business would be and is it really ethical to protect them?

    Somewhat more tin-foil-hatty is the idea that anyone who runs a business that promises to give the finger to the law, doesn't keep any logs and is prepared to go to jail to project your online anonymity... well, to me, that screams that they're a honeypot. Probably paid for directly by the FBI, with 95% of their clientelle being 13 year old 4Chan script kiddies, PirateBay users and other harmless folk who are utterly ignored and left in peace... but that other 5% being pedos (there are *very very* few pedophiles online; don't buy into the panic!), drug runners and organized crime members who are kept under close surveillance.

    In short, I would rather use an anonymizing VPN service who spells out exactly what is kept and why, and what level of law enforcement intervention is required. A service I would use would probably have the following terms of service:

    1) If you commit any crime, or transmit evidence of any crime, that has a minimum of one year in jail OR do anything *truly* retarded (like Skype-out over the VPN and call the White House legitimately threatening to assassinate the President of the United States) then your arse is grass.
    2) If you are DDOSing from behind the VPN service, or sending spam e-mail, or operating any form of spam/volume based attack behind the VPN we'll disconnect you since that typically rapes our already overloaded services. Generally no legal butthole-raping, just a D/C, one day timeout, and an e-mail explaining why. Note rule #1 still applies if you are scamming people.
    3) If the cops come with a 100% legal warrant issued by a judge, irrespective of the crime, we'll comply with its order.

    I believe that's entirely fair and I know some people will scream for more, but realistically, I think that if your business doesn't basically follow those three rules it's not going to survive... or is a honeypot.

    --
    Check out my sci-fi book "Lacuna" at http://goo.gl/MVxX8
  9. Re:Two words... unprotected WIFI by SuricouRaven · · Score: 4, Insightful

    In most cases, changing your MAC is pointless. It doesn't go beyond your segment anyway, and your ISP will be tracking you based on either modem identifier or physical line your connection comes in via.

    The only exception is if you are using a public(/hacked) wireless hotspot, in which case they may be able to use the MAC to track you down (Some OEMs, like Apple, keep the MAC on record and associated with purchaser) or else use it as proof if they already have enough suspicion to sieze your laptop.

  10. Lol indeed by siddesu · · Score: 5, Informative

    Actually, there is a ton of things the government will attempt to do to try to get you, even if it is a puny, pariah, poor government. I was helping a few friends of mine who live in a country, where people who laugh at politicians are still beaten up, to publish some funny videos about their top politician. Since I also visit there occasionally, we took full precautions. Private VPN to a foreign country, rather unfriendly to the regime, chained proxies, then TOR, new email addresses and video upload accounts, different chained proxies to access each of those, etc.

    Once the videos hit the tubes,some people got mightily pissed off, and started an official, but silent investigation. Imagine my surprise, when two of our e-mail accounts (free, with a large US-based web mail provider) that we used for the services were blocked, and login attempts redirected us to customer support barely a day into the operation. Since the investigation in these countries tends to leak like a sieve, we got info that that particular country was paying someone mid-level in customer support dept. to give them data on customers.

    They hit the video upload sites with official requests and apparently tried to hack into one, obtained logs from the ISPs of all online forums that we used to advertise the videos to, had videos deleted and did other funny things. They persisted into this business for about 18 months until they decided to close it down.

    Given this much effort about a few videos from a near-third world country, imagine what a really powerful government can do to you, and despair :)