Slashdot Mirror
Cyberstalking Suspect Arrested After VPN Providers Shared Logs With the FBI (bleepingcomputer.com)
An anonymous reader writes:
"VPN providers often advertise their products as a method of surfing the web anonymously, claiming they never store logs of user activity," writes Bleeping Computer, "but a recent criminal case shows that at least some do store user activity logs." According to the FBI, VPN providers played a key role in identifying an aggressive cyberstalker by providing detailed logs to authorities, even if they claimed in their privacy policies that they don't. The suspect is a 24-year-old man that hacked his roommate, published her private journal, made sexually explicit collages, sent threats to schools in the victim's name, and registered accounts on adult portals, sending men to the victim's house...
FBI agents also obtained Google records on their suspect, according to a 29-page affidavit which, ironically, includes the text of one of his tweets warning people that VPN providers do in fact keep activity logs. "If they can limit your connections or track bandwidth usage, they keep logs."
FBI agents also obtained Google records on their suspect, according to a 29-page affidavit which, ironically, includes the text of one of his tweets warning people that VPN providers do in fact keep activity logs. "If they can limit your connections or track bandwidth usage, they keep logs."
And WANSecurity.
But the take-home lesson here shouldn't be that if you avoid those you're good. The lesson is that in the end, you're taking every provider's word for security. Certainly some are good and some aren't, but there is literally no way for you to be able to tell which ones are good.
That's not the reasoning. Some are surely trustworthy. The underlying problem is that you literally have no way to tell which ones those are.
All a VPN really does is prevent your local ISP provider from monetizing your surfing habits. Which is enough for me.
There NO VPNs beyond the reach of the US spy infrastructure. Those who refuse the private, closed door court room orders are locked up or if they have scruples, just skuddle their products and walk away.
Examples; LavaBit & the original axcrypt
That's all a VPN does for you , which is irrelevant to what Pure VPN says it does for others.
PureVPN operates a self-managed VPN network that currently stands at 750+ Servers in 141 Countries. But is this enough to ensure complete security? That's why PureVPN has launched advanced features to add proactive, preventive and complete security. There are no third-parties involved and NO logs of your activities .
Emphasis mine.
It little behooves the best of us to comment on the rest of us.
Except that, according to TFA, Pure is lying when they say that.
It also forces the security services to actively target you and expend some extra effort to get your data.
In some countries, e.g. the UK, ISPs are required to log and hand over such data pretty much on demand to the police, and of course you have outfits like GCHQ and the NSA doing mass surveillance.
A VPN increases to cost to spy on you from nearly zero to something that will discourage casual snooping and a lot of abuse. It's not perfect but it's a useful line of defence.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Most of the damning info came from a laptop, and all the VPNs did was confirm an IP address for his residence was used to connect to one of their IP addresses during the same time frame "someone" logged into both the victim's e-mail account and the abuser's e-mail account -- both from the same VPN address.
PureVPN lists what data it records and states it cooperates with investigations. The only thing I can find that they gave to investigators that wasn't explicitly stated in the TOS was that they gave the origin IP address for the connection. but... the TOS already says they store the name of the person on the account and connection times and bandwidth anyway, so that's pretty damning to begin with if requested by law enforcement.
Basically, Law Enforcement said:
"Hey we have a laptop with evidence that you have a VPN and have accessed both the victim's and the abuser's e-mail addresses. We just checked with the e-mail services and discovered a login to both from a VPN IP address within a short time period."
And the VPN provider upon court order said:
"That user was logged into our service from their residential IP address during that time and was connected to that same VPN IP address (along with many other users). Here's the amount of time they were on our system and the amount of bandwidth they used."
The VPN didn't rat out what site they went to -- but the sites they went to DID keep IP logs.
In short, the VPN service provided exactly what it said it would record and it just happened to correlate nicely with what the detectives found. It's not proof, but it's strong evidence.
Frankly, I'm a little surprised the victim's e-mail service allowed a connection to a VPN IP to begin with. I'm also surprised this moron thought that just because a VPN doesn't record every site you visit that the sites themselves wouldn't be recording every login and IP address along with cookies that might identify his specific hardware and/or tie into a social media profile or the like.
You could roll your own VPN by purchasing a VPS and routing your traffic through it but even that will only give you a little bit more privacy. At some point the data that you send will have to be decrypted in order to be sent out to the internet at large. Authorities can see the point at which the decryption is taking place and trace it back to that end-point IP address. It is a trivial matter to see who the IP address belongs to. The VPS provider could then be issued a subpoena to get your information. The whole VPN thing is really misunderstood. It's really a way to make it harder for an ISP to grab and monetize your browsing data or even a way to protect your identity on an untrusted network.
Special Agent in Charge of the Federal Bureau of Investigation, Boston Field Division. “This kind of behavior is not a prank, and it isn't harmless. He allegedly scared innocent people, and disrupted their daily lives, because he was blinded by his obsession. No one should feel unsafe in their own home, school, or workplace, and the FBI and our law enforcement partners hope today's arrest will deter others from engaging in similar criminal conduct.”
This jerk has degraded the trustworthiness of ALL bomb threat calls, ALL emergency distress calls. As incidents like this increase, as people figure out better ways to hide their tracks, more people will do such things. In the end the police and emergency services will take time to check veracity and trustworthiness of the caller before responding. False alarms will increase cost for all tax payers. Some stalking victims could actually be raped or violated due to such postings.
This guy is evil, he should be punished so severely others don't even fantasize doing such things.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
VPNs aren't meant to keep people anonymous. They just obscure the origin IP address enough to where an average site may not know for certain who is visiting and law enforcement would have to request account connection details -- time and origin of connection, user name, actual name, length of time of connection, bandwidth usage, etc. Sure, VPNs don't usually record what sites you visit, but the sites themselves keep detailed logs that include the IP address of the VPN used... which in this situation correlates well with the VPN's logs. It's strong evidence, but not proof.
People often don't realize that advertisers love creating profiles of people -- and tracking cookies are great for creating, tracking, and linking profiles so that no matter where one logs in from -- even a VPN -- you can be identified... if only by the user/agent string and hardware you're using to access the web.
This moron logged into the victim's e-mail address and the abuser's email address within moments of each other from the SAME IP address on the VPN. If that VPN shows he logged into their service and was assigned that IP address just before accessing them and logged out shortly after accessing both, that's pretty damning.
PureVPN didn't lie about what it records... but, it didn't have to record much other than the connection info and bandwidth use to correlate strongly with what the investigators already knew from inspecting a laptop and contacting the 2 e-mail services.
Sure you can write disparaging remarks, insult other people anonymously; but the moment you start performing malicious actions causing deliberate targeted harm, that mask can come off mighty fast.
I don't read AC
trust....but verify
have you seen my sig? there are many others like it but none that are the same
VPNs aren't meant to keep people anonymous.
Yes, this is exactly correct. VPNs don't disguise endpoints or decorrelate access times.
Personally, I use a VPN solely so that I don't have to worry quite as much when I'm connecting through WiFi access points that I don't control (open access points, workplace WiFi, etc.).
I'm not even trying to hide from my ISP (since, at some point, my datastream is going to be exposed to an ISP anyway -- at least this way, I know which one I'm exposed to). So, I don't use a third party VPN. I run my own VPN server, and my devices all use that.
Security is always a tradeoff, and others may not find this one acceptable for their situation and preferences. But it works for me.
My favorite definition of "virtual" is one I got in an advertising class talking about meaningless advertising words. Whenever you see "virtual", you can mentally replace it with "not in fact".
Cyberstalking generally isn't something that people who are good at thinking things through and restricting their behaviors accordingly do.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
VPN services are nice if you want to pretend to be in another geographically location, but the claims of security are pure marketing. Incidentally, anybody that cares to find out knows that. And no VPN service that is run commercially can say "no" when the Feds want logs to be recorded and handed to them. Lavabit is an extremely rare exception (and just did anonymous email, not VPN) and it can be seen nicely in their case what happens after such a "no". The CEO is lucky to not end up in prison.
At this time, the only VPN service with actual security is Tor and even there, you anonymity can be compromised by attacks on the client or making mistake while using it. And, of course, a large-scale traffic analysis can break even Tor. The thing with Tor is however, that nobody that can break it will admit so for a mere cyberstalking case. It would have to be something really, really large for anybody to admit that they can compromise Tor itself.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Service providers routinely have incentives to overstate the quality of their product. Perverted incentives, brought to you by capitalism. End even extreme lies can often stay undetected for a long time, see, e.g. the current nice example with diesel cars. In actual reality, at the very least, a careful check of the plausibility of such claims is necessary and almost universally you find the product is nowhere near as good as claimed. This case here is no exception.
Of course, it is quite possible that the VPN provider in question only started keeping logs after being served with a court-order and may only handed records over that concerned this particular user. But court-orders are easy to get for all kinds of things, so any claims of anonymity from a VPN provider basically is "unless you do anything that is illegal or pisses off people powerful enough".
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
This is a good reminder that you shouldn't put much faith in the claims made by service providers.
From PureVPN provider's privacy policy (linked in TFS):
"Our servers automatically record the time at which you connect to any of our servers. From here on forward, we do not keep any records of anything that could associate any specific activity to a specific user. The time when a successful connection is made with our servers is counted as a “connection” and the total bandwidth used during this connection is called “bandwidth”. Connection and bandwidth are kept in record to maintain the quality of our service."
These connection logs are what law enforcement used, in conjunction with information pulled from the creep's work computer and from logs obtained from Google (Gmail) and others.
I'm not feeling the outrage.
#DeleteChrome
Actually, they say "Our servers automatically record the time at which you connect to any of our servers." My guess would hence be that, legally, they do not log, but they do keep records.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I did quote directly from their privacy policy. No idea why you think I missed anything here, this is literally on their site.
If indeed "records" and "logs" are different legally (no idea whether they are), then "no logs of your activities" would not even be a lie. There would just be records of your log-ins and log-outs, but no logs. It is also possible, that the log-in and log-out does not count legally as "activity" within the context of the service. And to make the deception complete, "complete security" is a term without meaning, i.e. it gives you no assurances whatsoever.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
That's not the reasoning. Some are surely trustworthy. The underlying problem is that you literally have no way to tell which ones those are.
The internet is not anonymous. Never has been, never will be unless the fundamental nature off it is changed, which will destroy the internet. The only thing that gives a person any sense of anonymity is the degree of the crime, and how badly they want to find you.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
So he was found out by metadata? This is perhaps a good reason why govt. should require a warrant to get ahold of it.
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
That's true. I use a vpn to help my privacy, but have no expectation that it would help me if i commited a serious crime. If you do, there's a good chance you'll be caught, thankfully.
Yup. Protecting your privacy on line is very sensible. I do what I can also. Where there can be confusion is the concept of of privacy, and anonymity. Some folks get a little confused, thinking that anonymity is privacy. and vice versa.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.