You have to hand over the data in response to a court order
But what data do you have to keep in the first place?
HideMyAss has defended its role in handing over evidence that resulted in the arrest of a suspected LulzSec member last week. UK-based HideMyAss, which offers freebie web proxy and paid-for VPN services, said it handed over potentially incriminating data to the feds only in response to a court order. It had been aware that its …
Either they admitted if they did not keep a log, the security services would most likely just infiltrate the company and do it themselves anyway.
The real question here is why would anyone use a service base in a country with some of the most sophisticated spying technologies. An would not wast a second thought on employing that technologies to track down hackers.
--"The real question here is why would anyone use a service base in a country with some of the most sophisticated spying technologies. An would not wast a second thought on employing that technologies to track down hackers."
Because some 'hackers' are dumb kids who think it's cool to be a rebel, and who trust people they've never met who tell them that one or other method of attacking someone or some company is 'safe'?
Being willing to go to jail for your beliefs is fine.
Being willing for someone else to go to jail for your beliefs is not.
Once they got a court order they had a choice of:
2> Try to fight it - very expensive (might be too expensive to be possible without massive contributions), extremely unlikely to succeed.
3> Go to jail
This guy is an amateur IT wannabe who clearly has no clue about the meaning of anonymity.
Additionally, it also shows the Lulzsec crew up for what we know them to be - kids with big mouths and little understanding of how to a) hack and b) obfuscate one's source address.
Security my arse. They don't even understand TCP/IP.
That's a good one! How much experience do you have dealing with users, anyway? A whole week? Two?
Besides, two accounts for everybody is a huge pain in the ass. Not worth the time and effort, much less the additional expense which goes into everybody's bills at the end of the month, when it's much simpler to point out in the T&C that if you do something illegal over my service, then on your own head be it, and that I will under no circumstances imperil myself in your defense. If that means turning over logs in compliance with a subpoena, then so be it; you're not paying me anywhere near enough to go to jail for contempt of court.
my suggestion would be to turn on logging for a specific case when and only when a customer calls/ raises an issue. This way the customer will then need to re-create the problem (which you would want to test anyways) and if it can be re-created then you will have THAT session logged but no others. This is also an opportunity to directly inform that customer that the session which will be used for testing will be logged and then fall subject to UK law etc etc.
Hey, I can understand if Joe Average VPN user doesn't understand this type of situation, but all it took was a little searching and reading (for a friend of course) for me to question if these VPN services were even adequate for Bittorrent use... much less as protection for *really* questionable/illegal activity like breaking into websites.
These companies (unless there is one in Russia that I don't know about ;) have to abide by the laws of the country they operate in and, IIRC, they pretty much all specifically call out in their TOS (how clearly, of course, may be questionable) that they will-not/cannot shield you in the event of a subpoena.
A service like this will also have your credit card on file *and* your source IP so it's not like you can use DHCP or even unsecured home Wifi as a "wasn't me, honest" defense. Caveat emptor!
My personal feeling on the subject is that this type of service - if used right - could shield the user from a lot of (most? - definitely not all) civil types of complaints just by virtue of putting the discovery in another country - but a determined and quick (log retention is usually ~30 days for a service like this) civil pursuer could still find you in the right circumstances... but I can't imagine this would provide any type of protection for a remotely serious hacking incident (which is typically categorized as a criminal violation).
These services can be a real godsend for a lot of people, but no, they really aren't very useful for hiding anything illegitimate - they are, in practice, just another ISP who has all of your details.
If you use mobile internet, swap locations a lot, find yourself stuck behind restrictive firewalls when you have a legitimate need for full internet access - these services can be invaluable. Personally, I used one the last time I was moving and had to use the Cricket mobile internet service for a little over a month - it changed it from unbearable to at least tolerable. However, anyone who thinks that they are actually getting real anonymity from them clearly doesn't understand how either the internet or the law works.
Didn't they notice that "heading for the border" in the US always meant Mexico, not Canada? Isn't this the same?
Using a proxy in a western country, and hoping that's good enough to avoid prosecutors in a different western country finding them? They certainly aren't as smart as they think they are.
Anon - because it's an unbreakable cloak of invisibility from the Feds
currently I am in Sultanate of Oman (the first Arab country from the east), and I just tried to access the HideMyAss website..... blocked! (Error: "This site has been blocked due to content that is contrary to the laws of the Sultanate. if you believe that the website you are trying to access does not contain any such content, please fill in and submit the form below: "). Although, according to the locals, _all_ proxy sites are blocked and they have been blocked for years.
by the way, I believe that proxy sites (as well as netcafes) are required to store access information for few months. I believe it was one of those anti-terrest laws.
a carefully picked VPN service would have no logs to begin with.
The only response they would get is either "fsck off" (if they are based in a place carefully picked) or "oops, we forgot to log our users, thanks for reminding"
What these guys do is basic "honeypot" operation and I wouldn't be surprised a bit if they handed over data to some wealthy (not out of power) dictator as long as their interests were fulfilled. It could be a phone from British govt. or some spy agency, some money at some anonymous bank account etc.
This is the very serious risk of getting VPN service and trusting it blindly. At least these guys/lamers are based on some "democratic" country. In your case (if you were citizen), you could have been tricked into some honeypot and while swearing at Sultan, your door would be broken at 5 am.
That means chances are they are under the age of 25.
We all know that nowadays anyone under the age of 25 cannot be held responsible for their immature actions.
You hear it on the news after a stabbing, "Wahhh wahhh it's not my fault!"
Kids gotta learn consequences. In my day it was called getting a good slap on occasion.
You could always try a subject access request, under s7, Data Protection Act 1998.
Have a day when you make a note of the traffic which you generate when connected to the service, then ask them for a SAR relating to that day.
You may be asked to pay up to £10, but, if they retain information in identifable form, they should be providing it to you after receipt of payment.
The DRD does not required data to be generated; rather, it requires retention of data which are generated as part of providing the service. See s3 of the Data Retention (EC Directive) Regulations 2009: "These Regulations apply to communications data if, or to the extent that, the data are generated or processed in the United Kingdom by public communications providers in the process of supplying the communications services concerned."
If the service had not generated data as part of its operation (i.e. it did not switch on logging functionality), a s10 notice has no effect. By choosing to generate logs, the service provider was effectively choosing to bring itself within the ambit of the data retention regime. (For it to be obliged to retain, it must be served with a s10 notice, though.)
However, since the article talks about a "court order," which is not required for access to stored data under RIPA 2000, it is possible that the disclosure was made under a warrant under s8, PACE 1984 anyway., and so discussion of DRD obligations might be misleading. That being said, if logging / other data generation had not been enabled, there would have been nothing to be discovered under PACE.
(On the DRD point, one might question whether the provision of a VPN service is the provision of a public electronic communications service, but perhaps another story, and not applicable to an order under PACE anyway.)
You can still use CitizenVPN.com a Danish service that delivers the service out of The Bahamas and therefore do not have to comply with the EU logging. Even if they got subpoenaed by a Bahamas court there wouldn't be any logs to deliver...
But you're otherwise right. Be careful when using a EU or American VPN provider and read the TOS. Generally if a specific VPN provider in the EU don't write on their site if they log, then they do log. All American VPN services are not to be trusted.
...when I asked how hackers are stupid enough to get caught even though they know Internet traffic is not truly anonymous replied...
"Fingerprint technology has been publicly known for a hundred and thirty years, but some blokes still break into houses without wearing gloves."
That about says it all I think.
If a court order turns up ordering a VPN to turn over information, they're going to turn it over. No legitimate business is going to risk sanction, fines or whatever because some idiot decides to launch an attack through their service. Next time they should probably pick a VPN which resides somewhere without data retention laws.
The data retention laws only relate to data that you store during the operation of the service.
If you do not 'normally' store any information, then you cannot be compelled to store it and clearly you cannot be compelled to release data that you do not have.
The real question is what data was being stored. If "HideMyAss" was storing anything more than strictly necessary to operate such a service, then they deserve to lose all their customers and go bust.
However, it's clear that any paid-for service is going to need to store billing details which will include at least one way of contacting the user, and unless paid by cash (highly unlikely!) that will include a real name.
So 'the feds' will always be able to subpoena "Data relating to %individual%", and will at least be able to confirm that a given individual paid for the service - though of course that transaction could be fraudulent.
What constitutes 'storing'?
If your system needs to temporarily save your IP in a table to keep track of your connection onward, then it's possible that it's subject to the DRD.
If the system bills by usage (time/amount of data/whatever) it must also log that for billing purposes. suddenly DRD is applicable again.
Well, that really says everything you need to know... using a publicly/commercially available anonymizing service located in a lawful country... hmmm let me think about how that possibly could have gone wrong.
If you run a service like this you have to keep logs... its the same thing as companies have to follow, ie, attack on company A's network is traced to company B's network. To stop the CEO of company B being slammed in jail, company B has to find who did it - ie pass the buck. The buck passing can be down to a rogue employee or in this case, a user of a service.
Its simple fundamental internet legal 101, remarkable how few seem to grasp it.
BTW, i can't actually imagine why you'd want to use a service like that for anything but illegal stuff... I mean the number of people wearing tinfoil hats has to be quite small surely?
I suspect more likely its a bit like having a pirate site that says it will honour any copyright take down notices it receives.
Suppose a) you spend a lot of time traveling, or otherwise accessing sensitive info across untrusted networks, and b) either your company doesn't provide a VPN, or their VPN is too locked down for your purposes, or you own a business or otherwise aren't nestled under the broad, downy wings of a professional IT staff, i.e., a batch of chain-smoking paranoids responsible for making your computer things work right. (If your IT staff doesn't contain at least one chain-smoker, consider firing them en masse, as they're either completely incompetent or too green to have picked up the habit yet.)
In a case like that, where you're given a pretty stark choice between either not doing what you need to do online, or making your life a target for every snotnose who's ever heard of Firesheep but not yet had it earn him a well-deserved punch in the nose, a paid VPN service can be a lifesaver.
(Yes, if it's called "HideMyAss", there could be a certain reasonable presumption that it's being used for less than entirely lawful purposes, in just the same way that there's a certain reasonable presumption of the innocent having nothing to hide.)
Using an internet to internet VPN service for sensitive business from a dodgy sounding vendor?
I'd sooner take my chances that Starbucks had a rogue employee with a network analyser.
No, the only use for this service is either:
1) Plain illegal
2) Contrary to the rules of the user's network (perhaps as worthy as reading the BBC from some kinda dictatorship run country, but more likely so you can get around your corporate internet access policy to reach sites banned and probably pr0n)
Either way around both uses will be upsetting someone and likely to get you fired/arrested.
BTW a lot of employers will also fireyerass(dot com presumably) for using such services as this ;-)
How delightfully quaint -- you have heard of Firesheep, yes? It doesn't take a smartass with a copy of Wireshark to sniff your session cookie any more; now, thanks to the miracle of open source, even a colored-pencil pusher with a Macbook can screw you just for grins.
I don't carry any water for HideMyAss, but at least they don't appear to be doing anything but what they said they'd do. All the screaming from the Guy Fawkes crowd is as hilariously misguided, useless, and ignorant as everything else for which Anonymous has ever taken credit, and I for one find it vastly entertaining to watch so many toys fly out of so many prams all at once.
Aaron finds the solution to Firesheep, that must be why those people subscribed to that service, thats it.
I'd cancel your subscription mate and take a look at google for freebie alternatives - including not using badly written sites for your "business".
Mind you, donkeypr0n.com might not listen to your technical solutions to their security problem.
You're a bit old-fashioned, aren't you?
Smoking in a server room is frowned upon these days, apparently the tar makes opening an old machine a terrifying prospect. Plus it's illegal throughout the EU.
IT staff retention is now entirely dependent on how good a coffee machine you have.
If your anonymity replies on some guy trying to run a business not voluntarily going to prison for you, a faceless customer, then you're already in trouble.
Even more so, why the hell would you proxy through an extraditable country with close links in the intelligence and police communities?
Proxy one should be China. It'll even be cheap as every hospital and school has been hacked to death and has an open proxy somewhere. Proxy two should be in the first world if you're worried about resources geo-killing you.
(If you're really paranoid [as in willing to run away and hide paranoid], proxy 0 should be your next door neighbour or the local internet cafe to give you vamos time.)
The rule of thumb is always use a service in a country uncooperative towards the one you're hacking. Though using any service sold in the UK or US to do anything which may be considered illegal anywhere in the world is actually asking for trouble, since they have a habit of introducing laws making it illegal to break anyone else's rules also.
I would as a business make it my policy to retain the least information possible whilst staying on the right side of the law, I would also make some measure of resistence... not refusing to comply with the law, just not being in any hurry to do so. After all they need to defend their business image by appearing to always side with the righ to anonimity or else what do they stand for?
Having witnessed the process of a business being served a court order, I can tell you that you don't really have much choice about it. Although the case I saw was an order to seize hardcopy files and paperwork, the process would likely be similar for computer data.
In Australia (and I assume the process is probably similar in the UK), what happens is two police officers and a bailiff show up at the front door with a piece of paper signed and sealed by a judge, and inform you that you are required by law to produce the items listed as follows, blah blah blah. If you don't cooperate *immediately*, they start turning the place upside down until they find it. They'll literally bust open locked filing cabinets with crowbars and sledgehammers if it becomes necessary to do so. For computer data, I'd assume they'd simply start removing computers and storage media if you don't hand over the information pronto. Believe me, these guys don't piss around, and they won't stand about listening to your excuses.
So HideMyAss's staff probably didn't have a whole lot of choice about complying or not, or even taking their time about it. More likely, if they didn't instantly hand over the requested data, they would have been herded into an office while the police started carting stuff out the door. Nobody can reasonably expect anyone in a normal working situation to put up any kind of a fight against something like that.
I know, it's not a VPN, only a cgi proxy so couldn't have been used for this type of hacking in any case.
I just wanted to share an except from the response posted by Gabe, the ctunnel admin, to the over-zealous prosecution of the Sarah Palin email hacker, last year, for anyone who didn't see it at the time.
Quite a stand-up guy - I was, and still am, impressed by his stance (admittedly after the fact).
"As a result of this trial, I will be changing the logging policy for my proxy websites. Effective immediately, I will only be logging the minimum amount required by law. In the United States, this means nothing at all. For our servers in the UK (currently hosting only ktunnel.com, popular only in Turkey), we will be logging for 48 hours, as that is the relevant required logging period in that jurisdiction. Even in the UK, we will be looking into ways to log less evidence-quality information, so long as what we are logging is within our legal obligations. For the US, where almost all of our proxies are hosted, logging will only take place after-the-fact, to specifically try to log information on people who are repeatedly abusing our systems, and then, only logging what is necessary to stop a specific, repeatedly abusive user. We will no longer be proactively logging the activity of users on our US servers.
As a result of this trial, and the complete lack of perspective and justice being shown by the federal government, I will be stepping up now, in an attempt to meet my moral obligations. As such, I will do whatever it is that I can do, legally, to protect my users, by logging as little as I am legally allowed to log while still keeping my site working properly for everyone who needs to use it. I am genuinely sorry for being an integral part in this trial, something I hope never happens again".
Their Ts&Cs "no illegal use" clause is almost immaterial; that they store anything at all for long enough to have to reveal it under court order calls the point of using their service into question. You never know when you might suddenly find yourself having "something to hide".
Law enforcement has proven time and again that it isn't above going on vague fishing expeditions backed by a court order (or local equivalent) and government has proven time and again that it's not above moving the goalposts to suit its own ends. There have been times in not too distant history where, practically overnight, it became a very bad thing indeed to have been opposed to, or even slightly critical of, some political or religious movement while that movement was making its way to power.
But do note that I stated "almost immaterial". Using a service which states "no illegal use" for something that's illegal when you do it is a pretty stupid move.
Their T's&C's 'no illegal use' clause is definitely not immaterial. Its a CYA clause which is in place to protect the company from users who want to use the service to commit a crime.
Here's a legal use of the System.... you want to browse one of your competitor's websites without them being able to trace any of your activities to you or your company.
Or you're dumb enough to want to put some compromising whistle blowing material on Wikileaks' website and you want to add some additional layers of security.
(But that's another story...)
Clearly if you're going to do something which is clearly totally illegal wouldn't you take precautions?
(Note: I won't say what precautions one could take because that would be a bad idea...)
You can't blame them for complying with the law. They are a legitimate company providing a legitimate service.
Everyone's covered the "what did you expect?" angle, but I had to be amused by the above quote. Did they just miss out the apostrophe or did they just incorrectly use the plural instead of the singular possessive? It's a somewhat Freudian commentary on the "special relationship".
When they were served with the court order do we? Just because the story has come out now after the arrest has no relevance to how long the original investigation part took. Once PSN had identified from their log's where the connection came from one assume the court order was obtained soon after so I expect the request reached then well within 30 days.
I think you are missing the conjunction in the options list.
- Piss off the h4x0rs and maybe get hacked badly enough to disrupt business
- In which case: Declare bankruptcy, claim insurance, open a new company with a new name using the same hardware.
- Piss off Caesar
- Your kit gets confiscated, you go to jail, AND you go bankrupt
Yes, I can definitely see how being hacked is far worse than a few years of porridge and soap-kicking
First an individual needs to read a terms of service when they sign up for anything, ESPECIALLY a service claiming to protect their privacy. I do believe that it was a bit BUSH LEAGUE to roll right over, but they are the biggest gorilla in town and probably have Aston Martins to pay for :) . Lastly, when you read that TOS, if there is a mention that they can shut you off for any other reason than NON-PAYMENT then they log enough to pick the needle from the Haystack.
On the comments that these services are frequented by terrorists and hackers, I would firmly disagree. Any proficient tech can create his own secure alleyway on the 'Net. Furthermore TOR, a good product for what it is but ANTI-P2P, has the perfect setup for pedophiles so why pay for something you can get for free?
There are other services that gave away FULL free and unfettered accounts to in-country residents Tibet, China, Cuba, Egypt and Iran (almost 10,000) to those individuals. Sometimes these things don't need to be bragged about as you can do more quietly than beating your chest looking for praise.
Lastly, thinking that your particular Country will protect you from US or any LEA, I would suggest you put down your pipe and get a grip. If you think that your EU Country will resist US pressure or vice versa your mistaken. The words 'National Security' or 'terrorist' will get you whatever you need.
I would love to keep this up, but I have a business to run customers privacy to protect and DMCA letters to answer!
Father; Blogger; Practicing 'Lattlay Fottfoy'; Recently been dubbed 'HARDCORE'; Active for Freedom, Privacy, Free Speech; Part Time Troll & Redneck Gigalo
P.S. Beware Companies that appear out of thin AIR
>>"Lastly, thinking that your particular Country will protect you from US or any LEA, I would suggest you put down your pipe and get a grip. If you think that your EU Country will resist US pressure or vice versa your mistaken. The words 'National Security' or 'terrorist' will get you whatever you need."
Since when was it the job of a country to 'protect' fuckwits who think what they and their internet pseudofriends want to do takes precedence over the law?
Surely the whole argument here is the definition of anonymous? I always understood proxies as making your source anonymous to the target server, not the proxy itself. Without enough information to route the traffic back to you the connection is useless.
Since the proxy has to know who you are, where you are and where you connect to, the assumption that this information isn't going to be logged somewhere is naive at best, stupid at worst.
And to try and pass the blame on to a 3rd party after doing something illegal is as unlikely as Lamborghini paying your speeding fine after you drive their car too fast.
I can't understand why a hacker would use a VPN like hidemyass.com for doing their shit.
If they were security experts as they pretented, woudn't they have rooted boxes all around the world which they could use as proxy/vpn/tunnel/whatever ? Or even just go to mc donalds, pay with cash and enjoy the free internet.
HMA defends itself using Egypt as example.. and they also use Egypt as a location for their VPN services. If Egypt's government had requested info all the users evading a filter, would they have complied as well? No? What if ordered by a court? You're telling me there isn't an ounce of hypocrisy in divulging your user's information, albeit even if ordered by a court?
I honestly hope all their customers lose faith in them. They should. Screw HMA, their worthless services, and the dumb ass who got caught. Guess lulzsec wasn't so smart after all.
This makes no sense, why care that another useless hacker got caught?
We all know we wouldn't do anything dubious through the HMA proxy because, well, we aren't idiots. I would think you could assume that anyone like him doing things like that through a UK based proxy service is a complete idiot.
Now isn't it reasonable to assume that he can form a representation for all HMA users? If he was such a "1337 hax0r" then i reckon most of HMAs users are going to care even less than he did about whether they log information or not.
I can't really see this affecting HMAs userbase at all and to be honest, i'm glad the little tit got caught, as you all should be!
Stands to reason..
A hacker used to mean one who could event ways of getting something done with a computer, whether a kludge (initially) or a brilliand contribution. Now it simply means someone who uses a computer in ways that are not 'ordinary'. El Reg and HideMyAss are being truthful and consistent on this. Unlike a lot of BS one sees posted by todays' hackers about this and many other topics as well, all over the thoroughly poluted internet.