
HideMyAss.com Doesn't Hide Logs From the FBI

timothy posted about 3 years ago | from the technically-sir-you-were-being-a-donkey dept.

Crime 233

An anonymous reader writes "People use VPN services to hide their identities online, right? And a UK-based service called HideMyAss would seem to fit that bill perfectly. Not so, unfortunately: they have to hand over the logs to the FBI when a UK judge tells them to." Reader wiredmikey points to a story at SecurityWeek, too.

233 comments

Log this! (0)

Anonymous Coward | about 3 years ago | (#37506982)

Log this!

Who would have thought so.... (4, Insightful)

Anonymous Coward | about 3 years ago | (#37506986)

But another question is why they kept logs anyway? Are they required to keep logs by law?

Re:Who would have thought so.... (5, Insightful)

Runaway1956 (1322357) | about 3 years ago | (#37507040)

Now, THAT is the correct question. A server that keeps no logs is a fairly secure server from which to run a VPS. Ditto proxies. When shopping for something of this sort, the important question to ask is, "What logs do you keep, and how long do you retain them?" Every server makes and keeps logs - there is no getting around that. The lifetime of the logs should depend on administrative necessity. Generally, logs should be flushed every 24 hours. Performance logs, security logs, things that pertain to the ongoing health and security of the server should be retained for as long as necessary - sometimes, for months. But every publicly facing server should routinely delete logs that aren't central to the server's main mission. VPS and proxy servers' main mission being to protect the anonymity of its users.

Shouldn't it be considered a fraud, to advertise that you will protect a user's identity, then maintain logs which can be seized by any government agency that demands them?

Re:Who would have thought so.... (5, Funny)

jhoegl (638955) | about 3 years ago | (#37507140)

Ass logs can get pretty big.

I just don't know if I want to be the one sifting through the logs to find kernels of information.

Re:Who would have thought so.... (1)

ubrgeek (679399) | about 3 years ago | (#37507464)

I know that was sophomoric humor, but damn it was funny :)

Re:Who would have thought so.... (1)

qbast (1265706) | about 3 years ago | (#37507170)

They are based in UK, so not retaining logs is illegal. If you want proxy without logs find one based in country without data retention laws. Hint: it is nowhere in EU.

Re:Who would have thought so.... (1)

Runaway1956 (1322357) | about 3 years ago | (#37507190)

That sidesteps my point, really. Assuming that you want a proxy server to actually hide you - you need to determine what logs they keep, right?

You also seem to ignore my final question. Shouldn't it be considered fraud, if they promise to "cover your ass", then they hand logs to whichever government agency demands them?

Re:Who would have thought so.... (3, Interesting)

qbast (1265706) | about 3 years ago | (#37507264)

The problem is that when it comes to promises of security, fraud is very common and never punished. How exactly do you determine what logs the proxy keeps? By asking them? As you see what is promised and what is actually delivered is usually not the same. For another example look at Dropbox - for a while they claimed that only user has encryption keys and it is impossible for their staff to decrypt anything. Then they changed story to 'staff is not allowed to decrypt'. Hell, even if you find a proxy in bumfuckistan which has no data retention laws, it may be a honeypot.

Re:Who would have thought so.... (3, Interesting)

Bert64 (520050) | about 3 years ago | (#37507272)

a, not really.. you can easily eliminate potential proxy services by assuming that at minimum they comply with the local data retention laws...

b, possibly, but who do they claim to "cover your ass" from?

Re:Who would have thought so.... (1)

DrgnDancer (137700) | about 3 years ago | (#37507320)

Alternately to (b), what do you expect them to do? Subpoenas and warrants are not optional. You can, right up to the minute the court order comes in, tell government agencies that your policies forbid releasing customer data... after that, your choices are pretty limited (they involve "hand over information" or "go to jail and let them search for it themselves"). If you want true, court order proof, privacy, the onus is on you to find a company that can provide it. Ideally you want a company located in a place where either there are no data retention requirements, or the court cannot compel discovery, conversely you'd like to be able to sue them if they do release your data. I'd venture that finding a country with the proper blend of anarchy and legal system will be challenging.

Re:Who would have thought so.... (3, Interesting)

migla (1099771) | about 3 years ago | (#37507206)

They are based in UK, so not retaining logs is illegal. If you want proxy without logs find one based in country without data retention laws. Hint: it is nowhere in EU.

Judicially, no. But, unless I'm mistaken (and don't base hiding of ass on my level of informedness, please), Sweden is for example not abiding by that EU law yet, incurring ever growing fines in the process.

My ISP still claims the logs of who had what IP at what point in time are gone in about a week.

Re:Who would have thought so.... (1)

Anonymous Coward | about 3 years ago | (#37507228)

They are based in UK, so not retaining logs is illegal.

Not to the best of my knowledge. Certainly when I worked for a medium-ish ISP as a sysadmin we didn't have any structured logging in place, and it's my understanding that logging is only required if the organisation is on the Home Office "Prescribed List". Pretty much only the larger ISP's are on the list: the Home Office doesn't care particularly about the smaller outfits and doesn't have the resources to deal with them all anyway.

Re:Who would have thought so.... (3, Informative)

qbast (1265706) | about 3 years ago | (#37507284)

You are right, in UK data retention is voluntary. And here I thought that all members already got pressured to implement EU Directive 2006/24/EC.

Re:Who would have thought so.... (1)

__Paul__ (1570) | about 3 years ago | (#37507254)

Not retaining logs might be illegal, but is it illegal to not make the logs in the first place?

If it is, does that mean that it's illegal to code software that doesn't do logging at all? (eg, specifically removing the code from squid that does this, or writing one's own proxy and never actually get around to the point of writing the logging part).

Re:Who would have thought so.... (1, Insightful)

AmiMoJo (196126) | about 3 years ago | (#37507260)

Servers in the UK have a legal obligation to keep certain logs, and we are America's bitch. TOR is the only safe option.

Re:Who would have thought so.... (2)

Runaway1956 (1322357) | about 3 years ago | (#37507278)

TOR is only as safe as the government permits it to be. I stated above that the darkweb is subject to MIM attacks. TOR is merely a subset of the darkweb - albeit, less secure than I2P and other protocols.

Re:Who would have thought so.... (0)

Anonymous Coward | about 3 years ago | (#37507330)

Not strictly correct. According to a conversation I had with the Home Office, who are behind the legislation, the requirement currently is to retain logs once you have been requested to do so.

Re:Who would have thought so.... (2)

jonbryce (703250) | about 3 years ago | (#37507148)

Yes, Internet Service Providers are required to keep logs by the Regulation of Investigatory Powers Act.

Re:Who would have thought so.... (3, Informative)

lseltzer (311306) | about 3 years ago | (#37507342)

In addition to that, from TFA:

Why do we log the above^ information? Being able to locate abusive users is imperative for the survival of operating a VPN service, if you can not take action to prevent abuse you risk losing server contracts with the underlying upstream providers that empower your network. Common abuse can be anything from spam to fraud, and more serious cases involve terrorism and child porn. The main type of logging is session logging – this is simply logging when a customer connects and disconnects from the server, this identifies who was connected to X IP address at X time, this is what we do and all we do. Some providers choose not to do session logging and instead try to locate the abusive customer by using the intelligence from the complaint, for example if someone hacks XYZ.com they may monitor traffic to XYZ.com and log which customers have a connection to this website. Ask yourself this: if a provider claims not to do any form of logging, but is able to locate abusive customers, how are they able to do this without any form of logging?
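The session-log lookup described in the quoted passage, as an added example that is not part of the comment above or the provider's own code: the record layout, account names, documentation-range addresses and timestamps are all constructed assumptions. It also shows two things the passage does not: a shared exit IP makes one complaint match several accounts, and a closed session purged by a retention window can no longer be matched.

```python
"""Session-log lookup: which account held exit IP X at time T?

Added illustration. The CSV layout and every sample value are constructed.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample log: account, exit IP, connect time, disconnect time.
# An empty last field means the session is still open.
SAMPLE_LOG = """\
acct-1001,198.51.100.7,2011-09-20T13:00:00+00:00,2011-09-20T15:30:00+00:00
acct-1002,198.51.100.7,2011-09-20T15:45:00+00:00,2011-09-20T18:00:00+00:00
acct-1003,203.0.113.20,2011-09-20T14:00:00+00:00,
acct-1004,203.0.113.20,2011-09-20T16:10:00+01:00,2011-09-20T17:00:00+01:00
"""


@dataclass(frozen=True)
class Session:
    account: str
    exit_ip: str
    connected: datetime               # always stored in UTC
    disconnected: Optional[datetime]  # None while the session is open


def parse_ts(text: str) -> datetime:
    """Parse an ISO 8601 timestamp with an explicit offset, normalised to UTC."""
    ts = datetime.fromisoformat(text)
    if ts.tzinfo is None:
        # A naive timestamp cannot be compared safely against a complaint
        # that was recorded in another time zone.
        raise ValueError(f"timestamp without UTC offset: {text!r}")
    return ts.astimezone(timezone.utc)


def load_sessions(text: str) -> List[Session]:
    """Read the constructed CSV layout into Session records."""
    sessions = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        account, exit_ip, start, end = row
        sessions.append(
            Session(account, exit_ip, parse_ts(start),
                    parse_ts(end) if end else None)
        )
    return sessions


def who_held(sessions: List[Session], exit_ip: str, when: datetime,
             skew: timedelta = timedelta(0)) -> List[str]:
    """Accounts whose session on exit_ip overlaps [when - skew, when + skew].

    skew models clock disagreement between the complainant and the provider.
    More than one account can be returned when an exit IP is shared.
    """
    lo, hi = when - skew, when + skew
    hits = {
        s.account for s in sessions
        if s.exit_ip == exit_ip
        and s.connected <= hi
        and (s.disconnected is None or s.disconnected >= lo)
    }
    return sorted(hits)


def purge(sessions: List[Session], now: datetime,
          retention: timedelta) -> List[Session]:
    """Apply a retention window: drop closed sessions older than the cutoff."""
    cutoff = now - retention
    return [s for s in sessions
            if s.disconnected is None or s.disconnected >= cutoff]


if __name__ == "__main__":
    log = load_sessions(SAMPLE_LOG)
    complaint_time = parse_ts("2011-09-20T14:05:00+00:00")
    print("single match:", who_held(log, "198.51.100.7", complaint_time))
    print("shared IP   :", who_held(log, "203.0.113.20",
                                    parse_ts("2011-09-20T15:30:00+00:00")))
    kept = purge(log, parse_ts("2011-09-21T17:30:00+00:00"),
                 timedelta(hours=24))
    print("after purge :", who_held(kept, "198.51.100.7", complaint_time))
```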

Re:Who would have thought so.... (3, Interesting)

Zemran (3101) | about 3 years ago | (#37507368)

In the UK, not only do they have to keep the logs for 18 months but practically anyone, including the fire service, can look at them. The British law is the craziest in the world in that regard and anyone stupid enough to use a British proxy/VPN must need their head examined. If you use a Swiss or a Swedish proxy they will not even keep logs, so there is nothing for the FBI to ask the court to make them hand over. If you buy a car you look into which car does the job that you want it to do... So if you get a proxy it is up to you to make sure it will do what you want. If you want to watch British TV or whatever without being told that you cannot because you are not in Britain then OK but for privacy??? MORON!!!

Re:Who would have thought so.... (2)

ChumpusRex2003 (726306) | about 3 years ago | (#37507380)

The UK requires (under the Digital Economy Act) that any internet service provider (which the law defines in an exceedingly broad way) keeps logs of all customer connections and retain them for a minimum period of 6 months. They are not required to log the contents of the connection, merely the IP.

This includes an individual or small business offering wi-fi to customers on their premises. Under the DEA, they are an ISP and must keep the relevant logs (which include positive identity of the customer) for the required period. Failure to keep the logs is an offence, and may mean that the operator of the network is personally liable for any offences that were alleged to have been committed.

lol (4, Funny)

smash (1351) | about 3 years ago | (#37506990)

If you're expecting to use public VPN servers to "hide your ass" you're doing it wrong.

If you're not competent enough to "hide your own ass" then you really shouldn't be fucking with other people's networks.

Re:lol (1)

Runaway1956 (1322357) | about 3 years ago | (#37507050)

Perhaps you could write a "How to" for covering your ass, then. There aren't very many ways to hide your ass on the internet, and those that I know of are all subject to a MIM attack. Yes, even the darknet is subject to MIM, if the gubbermint wants to throw enough resources into finding you. So, what do you use?

Re:lol (3, Insightful)

smash (1351) | about 3 years ago | (#37507060)

I'm not claiming to have a method. My option is "don't do retarded shit on the internet and expect not to get caught".

But using someone else's VPN service in a western country is pretty much equivalent to using nothing at all.

Re:lol (1)

Runaway1956 (1322357) | about 3 years ago | (#37507092)

Alright, can't fault your logic there.

Re:lol (1)

SomePgmr (2021234) | about 3 years ago | (#37507096)

I guess that depends on what you're trying to achieve. If it's "I'm going to do something seriously heinous and need to protect myself from huge international investigative bureaus!", then yes, some VPN service in a western country probably isn't going to cut it.

If, on the other hand, you don't want your [employer/service provider/whatever] knowing that you're doing something that's just questionable or embarrassing, it'd probably work just fine... assuming you use it properly.

Re:lol (1)

smash (1351) | about 3 years ago | (#37507158)

Well of course. There's a difference between not getting busted by your employer for doing stuff you shouldn't be doing at work and attacking the US government and multinational corporations, however.

If you want to fuck with the big boys, then you better have your shit in order. Be it some bot-net to hide your tracks with, an account in backpackistan, or whatever.

Renting service of a VPN provider in the UK (who is well known to be the USA's bitch in recent years) to attack megacorps and the US government is just retarded.

But sure, to hide from your boss, go for it.

Re:lol (-1)

Anonymous Coward | about 3 years ago | (#37507154)

Two quotes from the GP:

If you're not competent enough to "hide your own ass" then you really shouldn't be fucking with other people's networks.

I'm not claiming to have a method.

And seeing smash's 4 digit UID you just know he's flamed people for less stupidity.

Re:lol (0)

Anonymous Coward | about 3 years ago | (#37507124)

Honestly, the best option currently is an encrypted onion network. Tor is one of the largest at the moment but with nodes not always changing and high publicity it's become a target of government surveillance. Onion networks are vulnerable to large wholesale traffic analysis, the more connections between nodes you can monitor the higher the risk your connection through the onion network will be susceptible to traffic analysis. It all depends on how paranoid you are and how much you think relevant governments are doing wholesale internet surveillance. These guys apparently had their own botnets, they should have set up their own onion network using them to at least add a layer of obscurity to an already multi-layered security approach which is what you need for an operation which has a short lifespan.

Two words... unprotected WIFI (0)

Anonymous Coward | about 3 years ago | (#37507126)

two more words... proxy chaining, one word... TOR

Have your last proxy in a questionable country as well - fckknowswhere-istan

Use a Nic that you can write a mac address to and change it on occasion and have a separate encrypted removable HDD that you swap out and stash when your 'private' activities are over. Boot from a CD or a virtual machine so even if something was uploaded to you it is wiped next boot.

CCTV on the entrances to your house will also help with seeing the Feds coming and you power down.

Also have lots of old spare and unused encrypted HDD around. Go ahead narcs get all forensic on those terabytes of drives you found - time consuming and plausible deniability about forgetting passwords to the numerous encrypted partitions spread around.

If they can find and prosecute you after all that then you've probably been found by men who stare at goats.

Re:Two words... unprotected WIFI (4, Insightful)

SuricouRaven (1897204) | about 3 years ago | (#37507282)

In most cases, changing your MAC is pointless. It doesn't go beyond your segment anyway, and your ISP will be tracking you based on either modem identifier or physical line your connection comes in via.

The only exception is if you are using a public(/hacked) wireless hotspot, in which case they may be able to use the MAC to track you down (Some OEMs, like Apple, keep the MAC on record and associated with purchaser) or else use it as proof if they already have enough suspicion to seize your laptop.

Re:Two words... unprotected WIFI (0)

Anonymous Coward | about 3 years ago | (#37507340)

In most cases, changing your MAC is pointless.

In and of itself, yes. But it will trigger the DHCP server of most ISPs to hand out a new IP address, which cycles the old one back into the useable pool. Depending on how long your ISP holds records, you might get lucky and the record of you having that address might be purged before anybody comes looking. Don't count on it, however, since those logs are usually kept for at least 3 years in the US.
The accuracy, and actual retention time of those logs is open for debate. Some ISPs do a good job, others are so miserable at it that they routinely cannot identify users once a lease expires and/or will give faulty info to the authorities.

Re:Two words... unprotected WIFI (1)

Anonymous Coward | about 3 years ago | (#37507358)

RE: "In most cases, changing your MAC is pointless" and "The only exception is if you are using a public(/hacked) wireless hotspot"

Did you read the heading of the post you replied to (and hence the subject of your post)? - "Two words unprotected wireless"

The whole presumption of the post was that wifi was used and 'stolen' from a source not linked to the anonymous computer user.

It would be a shame to have everything encrypted and stitched up secure (perhaps even magnetized if time permitted) only to have them match the wireless traffic to the unique MAC address in your laptop that was seized.

So I would say in the context of the post you replied to not pointless at all.

Re:lol (0)

Anonymous Coward | about 3 years ago | (#37507204)

Tor works well enough for this. MITM will not reveal your identity (unless you do something stupid to make the data available to harvest).

Also, MITM is mostly only an issue for tor with unencrypted protocols. Using SSL you are safe from MITM (to the extent you ever are with the mess that certificate authorities and such are), and SSH should be completely safe (as long as you know the server's fingerprint).

Re:lol (2)

SuricouRaven (1897204) | about 3 years ago | (#37507266)

Depends who you want to communicate with. There are a few foilhatters on Freenet who believe various conspiracies are after them - and, in the unlikely event they are actually right, freenet is going to be all but impossible to track someone on. Easier to try to bait your target into a trap by, for example, giving him a unique link to a conventional website and then looking through their logs to see where the request came from.

There are a few low-ranking pirate releasers there too, but as they tend not to do the latest blockbuster stuff I doubt anyone is trying to hunt them down either.

Lol indeed (5, Informative)

siddesu (698447) | about 3 years ago | (#37507354)

Actually, there is a ton of things the government will attempt to do to try to get you, even if it is a puny, pariah, poor government. I was helping a few friends of mine who live in a country, where people who laugh at politicians are still beaten up, to publish some funny videos about their top politician. Since I also visit there occasionally, we took full precautions. Private VPN to a foreign country, rather unfriendly to the regime, chained proxies, then TOR, new email addresses and video upload accounts, different chained proxies to access each of those, etc.

Once the videos hit the tubes, some people got mightily pissed off, and started an official, but silent investigation. Imagine my surprise, when two of our e-mail accounts (free, with a large US-based web mail provider) that we used for the services were blocked, and login attempts redirected us to customer support barely a day into the operation. Since the investigation in these countries tends to leak like a sieve, we got info that that particular country was paying someone mid-level in customer support dept. to give them data on customers.

They hit the video upload sites with official requests and apparently tried to hack into one, obtained logs from the ISPs of all online forums that we used to advertise the videos to, had videos deleted and did other funny things. They persisted into this business for about 18 months until they decided to close it down.

Given this much effort about a few videos from a near-third world country, imagine what a really powerful government can do to you, and despair :)

Re:Lol indeed (0)

Anonymous Coward | about 3 years ago | (#37507414)

Not much they can do if there's no logs, though.

So disappointed by the name (5, Funny)

antifoidulus (807088) | about 3 years ago | (#37506992)

I was hoping something like hidemyass.com would be devoted to the anti-muffin top movement :P

Lulz! (0)

Anonymous Coward | about 3 years ago | (#37507000)

That lulzsec guy is going to get introduced to fuckmyass.com in jail!

Censorship anyone? (2)

miahmiah (1325117) | about 3 years ago | (#37507002)

HMA is designed to avoid censorship, not mask illegal activities. Although there may be some gray area where using the internet to organize people in political actions may be illegal, sharing information itself is not illegal, and should not be censored. People that then actually commit cyber crimes or real crimes, will be subject to applicable laws by involved governments, and of course, the governments will take action to find the responsible parties.

Re:Censorship anyone? (1)

smash (1351) | about 3 years ago | (#37507066)

OK, so given that some censorship worthy information is illegal in some countries, what's to say hidemyass.com won't just bend over for a government other than the US, when presented with law breakage in that particular country?

Re:Censorship anyone? (1)

maxwell demon (590494) | about 3 years ago | (#37507164)

The key part is "when a UK judge tells them to." Which means that the UK judge must be convinced that this request is justified under UK rules. Not perfect (the request can contain any amount of lies, and the judge can fall for them), but at least one more barrier. And if you're really concerned about your security, I guess you'll not do your stuff directly through that VPN, but tunnel another security protocol (e.g. Tor, or a connection to another VPN) through it.

Re:Censorship anyone? (1)

MysteriousPreacher (702266) | about 3 years ago | (#37507432)

Nothing really, other than their assurance that they reject legal requests except those coming via the UK judicial system. With the European Arrest Warrant though this can be problematic. For example, prior to the UK's de-criminalization of blasphemy a member state with a blasphemy law that was not just a relic could see their batshit crazy law enforced in the UK.

Do you have reason to suspect that HMA will abandon their stated policy?

Re:Censorship anyone? (1)

jonbryce (703250) | about 3 years ago | (#37507488)

It doesn't have to be illegal in the UK to get a European Arrest Warrant. Around 25% of all European Arrest Warrants are from Poland on the charge of exceeding your bank account overdraft limit, something which isn't illegal in any part of the UK.

Re:Censorship anyone? (1)

zlogic (892404) | about 3 years ago | (#37507100)

I always thought HMA was a service for using Facebook or any other blocked site at work.

Just log to the right place... (4, Insightful)

geogob (569250) | about 3 years ago | (#37507004)

I've heard /dev/null is a pretty neat place to store logs. Compression ratio is quite high too - no need to worry about filling disks with uncompressed logs.

Re:Just log to the right place... (1)

Runaway1956 (1322357) | about 3 years ago | (#37507054)

I'm looking around my desk, looking for /dev/null. Can't find the damned thing. Not even sure what I'm looking for. Do you have a picture? ;^)

Re:Just log to the right place... (0)

Anonymous Coward | about 3 years ago | (#37507122)

cat /dev/null >> Runaway1956

Might take a while, hope you have a fast connection.

Re:Just log to the right place... (2)

qbast (1265706) | about 3 years ago | (#37507180)

Well, /dev/null is like a gaping black hole. I am sure you can find a relevant picture if you browse slashdot for a little longer.

Re:Just log to the right place... (0)

Anonymous Coward | about 3 years ago | (#37507064)

I think I'm just going to print your comment out, no way I can lay it on so thick from memory alone

Re:Just log to the right place... (0)

Anonymous Coward | about 3 years ago | (#37507090)

You could save his comment in /dev/null too. That way it will be preserved forever.

I'm OK (1)

catmistake (814204) | about 3 years ago | (#37507128)

Logging is for thick-necked, dull-witted, arborphobic lumberjacks.

Re:I'm OK (1)

FrootLoops (1817694) | about 3 years ago | (#37507234)

Wow. I just got through a wild ride visiting very [livejournal.com] strange [youtube.com] places [youtube.com] . Thanks for that.

And? This shouldn't be a surprise (4, Insightful)

jimicus (737525) | about 3 years ago | (#37507016)

It's quite clear that HMA see their service as a way of doing things that are not illegal through a VPN. There's plenty of perfectly legitimate reasons to want to do this, and that's what the service is there for.

It's not there to allow someone to break the law with impunity. So it's not been engineered to be particularly difficult to dig into the logs and figure out who was using the service. So if they get served with a court order saying "Hand over the logs", they have to.

Want something which is a lot harder to be traced? Don't use a commercial VPN service, use something like Tor.

This isn't a story of "HideMyAss selling out". This is a story of "Person uses a service in a way it's not meant to be used and is surprised when it blows up in his face".

Re:And? This shouldn't be a surprise (2)

heypete (60671) | about 3 years ago | (#37507044)

It's quite clear that HMA see their service as a way of doing things that are not illegal through a VPN.

Indeed. I use a similar service for accessing various online services (e.g. Netflix, Pandora, etc.) that are geographically limited to the US (or at least to US+Canada) while I'm in graduate school in Europe. Nothing illegal about that, and I wouldn't be surprised if the VPN provider kept detailed logs.

Re:And? This shouldn't be a surprise (2)

antabus (858998) | about 3 years ago | (#37507186)

Can you link to this? I've been looking for a service like that, and wouldn't mind some recommendations.

Re:And? This shouldn't be a surprise (1)

Anonymous Coward | about 3 years ago | (#37507280)

Just use http://www.unblock-us.com/

Not similar tech wise, but much better than any VPN solution, performance wise

Re:And? This shouldn't be a surprise (1)

Bert64 (520050) | about 3 years ago | (#37507306)

Indeed that's primarily what UK based VPN services are used for, to access things like BBC iPlayer and other such resources.

Re:And? This shouldn't be a surprise (1)

lseltzer (311306) | about 3 years ago | (#37507360)

Hear hear. I'm an HMA Pro subscriber BTW and I'd go so far as to say that I'm glad for them that they could be part of busting these assholes.

Shocker? (1)

Manip (656104) | about 3 years ago | (#37507030)

Is this really surprising to anyone? There are two ways to hide traffic. The first is illegal and it will cover your tracks because you can use hacked machines without any logging. The second is legal and it is very hard to hide yourself. The only legal way which might actually work is if you bounced through a country with no diplomatic ties to the West but very few of those are even on the internet.

So back to this company. Does it surprise anyone that a company located in the UK of all places would have to give up logs when a judge orders it to? It is that way in almost every Western state. If US law enforcement requested such information I see no reason why a UK court shouldn't grant it (although you'd have to decide on a case by case basis).

Re:Shocker? (0)

Anonymous Coward | about 3 years ago | (#37507136)

You could break into machines and disable logging, but that doesn't prevent ISPs from doing so.
Sure, traffic logs are not enough to convict you of anything, but someone out there is going to wonder how come the attacks came from the compromised machine right when you were having a heated exchange on port 22.

Re:Shocker? (0)

Anonymous Coward | about 3 years ago | (#37507352)

You'd need to break into several machines in different countries, preferably countries which do not generally co-operate with the law enforcement agencies of the country you are attacking or the country where you are based. Sure even this isn't infallible, but they will have a hard time tracing you back hop by hop through un-cooperative ISPs...
Also make sure your machine is rootkitted too, gives you plausible deniability that you are just another victim being used as a relay by the unknown hackers.
And of course, don't hack your own country... Your local law enforcement is far more likely to co-operate with local organisations than foreign ones.

The harder you make it, the more serious the offense has to be in order for them to bother.

Also depending on who you hack, most commercial companies won't want any publicity so unless you do something high profile like deface their website, will just want the whole incident brushed under the carpet as public knowledge of a security breach is bad for business. Non commercial targets however, like educational and government targets are less likely to care about loss of business and are more likely to come after you.

Re:Shocker? (1)

SuricouRaven (1897204) | about 3 years ago | (#37507290)

There is a third: Have friends in very high places. This option isn't available to most people, but it's an open secret that there is some amount of international espionage going on with countries trying to blame their hacking efforts on independent hackers who happen to live within their borders.

Re:Shocker? (0)

Anonymous Coward | about 3 years ago | (#37507332)

Yea, the nutty hollywood-esque conspiracy theory is a valid third option. I'll call up my friends at the bureau and make them blame my next crime spree on you for bringing our insidious plan to light.

Re:Shocker? (1)

stonewallred (1465497) | about 3 years ago | (#37507438)

So North Korea could make a fortune running proxy services?

It took a judge (2)

He who knows (1376995) | about 3 years ago | (#37507032)

At least they wait till a judge tells them to. Too many companies/websites are handing over information if they are asked.

Amateurs. (0)

Anonymous Coward | about 3 years ago | (#37507036)

Haha, LulzSec was using hide my ass? Talk about amateurs. Just get some VPN or VPS account from some "We have a long 6 month history" company from India or Italy. Any legitimate business or entity will always give logs to the authorities since they are compelled to by law and in some cases can be held in contempt of court if they refuse. What happened to CloudFlare? They were turning a blind eye even during the whole saga, so were a bunch of other companies. These guys didn't trust Tor but they didn't think to turn their botnets into their own onion network either.

Proxies (1)

Hentes (2461350) | about 3 years ago | (#37507038)

A lot of proxies get around this problem by launching a new site every few days.

Oh no (1)

lucm (889690) | about 3 years ago | (#37507046)

I'd like to make a smart comment here but I don't have time, I have a lot of stuff to delete before the feds knock on my door!

This is what you do to truly hide your ASS! (5, Informative)

MindPrison (864299) | about 3 years ago | (#37507052)

Not everyone understands computers, that doesn't mean they're incompetent, wikileaks, openleaks and other needs to help their submitters keep anonymous, and there are better ways to do this, follow my instructions below, and you'll be as safe as you CAN be in this world:

1) First of all, you need to download TAILS

http://tails.boum.org/download/index.de.html [boum.org]

2) Burn this .ISO on a CD

3) Get a second computer

4) Tear out its hard disks

5) Make sure there are NO USB memory sticks either.

6) Make it boot from the CD only (enter the BIOS and set Boot Priority to CDROM)

7) Now you can surf relatively safely, but you're not done yet!

8) When surfing, do NOT surf into familiar places of yours, do NOT use your real name, do NOT search for your real name or even your internet alias, if it's known in combination with your name (if you surfed with it on your computer, google already knows your IP, so forget it!)

TAILS uses TOR, google it if you're truly curious. It can't keep you 100% anonymous but it's the safest "service" out there, and it's only relatively safe if YOUR SURFING HABITS ARE SAFE TOO.

Good luck!

seriously... (0)

Anonymous Coward | about 3 years ago | (#37507056)

Use a coffee shop connection or any other open/crackable WIFI + tor.

Re:seriously... (1)

SuricouRaven (1897204) | about 3 years ago | (#37507294)

Might want to change your MAC too.

Russian or chinese proxies. (1)

unity100 (970058) | about 3 years ago | (#37507058)

That's what you should use.

Re:Russian or chinese proxies. (1)

Anonymous Coward | about 3 years ago | (#37507074)

Too slow, unreliable and low bandwidth and who knows how many are passive or active MITM honeypots.

USAOwnsOurAss (2)

fantomas (94850) | about 3 years ago | (#37507070)

Something we suspected for a long time...

Don't get me wrong, we're truly grateful you stepped in 70 years ago to help save us being conquered by the Nazis (even if you did take 2 years to finish your breakfast before getting your spurs on), but jings, we do seem to have a procession of Prime Ministers whose real dream seems to be made a governor of a USA state...

Re:USAOwnsOurAss (0)

Anonymous Coward | about 3 years ago | (#37507196)

Eddie, that you?

Re:USAOwnsOurAss (1)

Anonymous Coward | about 3 years ago | (#37507392)

even if you did take 2 years to finish your breakfast before getting your spurs on

That's an incredibly naive view of what really happened back then.

For one thing, back then Americans were almost 100% against foreign involvement after the fiasco that led to WWI. To put it bluntly, we were doing exactly what everybody is bitching at us for not doing today- staying out of their business.

But more importantly, we really did not have the military hardware, troops, etc. to do much at all. Everything from WWI was used up, sold off, or converted to civilian applications, or was already horribly outdated to the point of being useless. We didn't spend 2 years eating our breakfast, we spent 2 years converting our industry to military manufacturing and getting ready for war. And a good bit of that time we were sending a ton of help in the forms of food, medical supplies, and military equipment over to Europe.

Re:USAOwnsOurAss (1)

DrgnDancer (137700) | about 3 years ago | (#37507466)

Oh come on, really? Sure the UK and the US work hard to keep each other happy. We're almost certainly amongst each other's most important allies (Canada is probably more important to us, France more important to you, for geographic reasons; but we're hugely important to each other). I won't deny that the UK has bent over backward to help the US before (and we've done the same), but in this case you're just being a tinfoil hatter. A law enforcement agency of a sovereign nation went to your courts and presented solid evidence that an international crime had been committed partially on your soil. They asked for a warrant to search for information from a company linked to said crime. It doesn't matter if the country in question was the US or Portugal, they'd have gotten the warrant. It's a simple process and it happens daily, probably hourly. International law enforcement cooperation is strong amongst all the western nations.

As long as the action in question is in fact a crime in the UK (it appears to be), and the evidence presented is sufficient (it appears to be), a warrant will be issued.

i dont use a vpn to hide criminal acts (2)

drolli (522659) | about 3 years ago | (#37507088)

I use a VPN because I firmly believe that a malicious neighbor on the same cable trunk does not need to know what I am doing or intercept certain connections. I use a VPN because public and free WLANs and hotel LANs are uncontrolled cesspools. I use a VPN because I don't want every server operator to be able to identify my location to the block level (and combine it with other techniques to identify me). I use a VPN because I don't trust GSM encryption. I use a VPN because I don't want to be throttled based on IP or content.

If the FBI wants to see the log of my VPN provider, they can. If I wanted anonymity I would go to other measures.

Re:i dont use a vpn to hide criminal acts (0)

Anonymous Coward | about 3 years ago | (#37507300)

You are putting way too much faith in your VPN provider if you are that paranoid.

Re:i dont use a vpn to hide criminal acts (0)

Anonymous Coward | about 3 years ago | (#37507386)

Cable internet (DOCSIS) uses encryption so that others on the same segment cannot see your traffic.

Anonymouse (5, Interesting)

E.I.A (2303368) | about 3 years ago | (#37507110)

Would the same go for anonymouse.org? I have visited my own website through their proxy, and it remains unlogged in (wordpress) WassUp stats. Hidemyass actually shows up though, along with my browser type and screen res. Also, why do more people not consider that these anonymity services are not honey pots?

hidemyass.com (1)

mehrotra.akash (1539473) | about 3 years ago | (#37507116)

HMA is primarily used to bypass school/college firewalls

Re:hidemyass.com (0)

Anonymous Coward | about 3 years ago | (#37507192)

and national censorship, including geofiltering by websites. I use the free proxy service to view all those videos geofiltered by Youtube because they have background music and the German RIAA equivalent threatened to sue for fees.

Bear with me here, but... (1)

KuRa_Scvls (932317) | about 3 years ago | (#37507142)

What is the point of services like these storing logs for longer than 24 hours?

If I was running services like these, I would wipe them daily

Re:Bear with me here, but... (1)

E.I.A (2303368) | about 3 years ago | (#37507146)

My best guess is legal compliance.

Re:Bear with me here, but... (0)

Anonymous Coward | about 3 years ago | (#37507434)

What is the point of services like these storing logs for longer than 24 hours?

If I was running services like these, I would wipe them daily

Well, in addition to legal compliance measures, the guys who maintain the security of the site might want to take the weekend off once in a while. It's pretty damn tough to run any kind of secure network if your memory of all potential intrusion attempts is only 24 hours long.

Use a provider in a different jurisdiction (0)

Anonymous Coward | about 3 years ago | (#37507174)

To quote the PRQ "About us" page (http://www.prq.se/?p=company&intl=1).

"The only thing we need to know about you to set up the service is which e-mail address that should receive the invoices. Logging is only done to the minimal extent required for trouble-shooting in case of problems, and thus we do not have any logs whatsoever of data traffic."

I'm not saying PRQ are the only (or even the best) VPN provider that conduct their business in this way, I just want to point out that there are indeed alternatives to the apparently crap-a-delic service HideMyAss is providing. If the UK has seen it fit to force ISPs to keep logs, don't use an ISP that falls under their jurisdiction. Easy as that.

Re:Use a provider in a different jurisdiction (1)

Mister Transistor (259842) | about 3 years ago | (#37507462)

Well, if you had read TFA, they say exactly the same shit on the HideMyAss website. They state they don't log data traffic at all and they only keep logs of when people connect in and out so they can "troubleshoot" any troublesome connections (like illegal activity, spamming or anything else they are ordered to keep track of, no doubt). The only variable is how long they keep them and how easily foreign governments (i.e. the US) can get the info. It sounds like PRQ is just more of the same to me.

Any "legitimate" VPN service is going to be subject to their local laws and very likely to the influence of US gov't interests as well. Not the best place to be doing "anonymous" stuff from, most definitely.

officially 1337 (1)

Anonymous Coward | about 3 years ago | (#37507176)

From the court order [docstoc.com] :

a. "Anonymous" was a collective of computer hackers [...]
b. "Lulz Security," or simply "LulzSec," was a group of elite computers hackers affiliated with Anonymous.

So elite that they were able to hack more than one computer at once! So elite that they used the paid VPN service of a legal UK company under their real names...

Re:officially 1337 (2)

Bert64 (520050) | about 3 years ago | (#37507422)

If you have to admit to having been hacked (and it's hard not to when it's already gone public), it's less shameful to be hacked by an elite group of hackers than a bunch of script kiddies.

All about PR spin.

Of course. Duh. (4, Insightful)

Sasayaki (1096761) | about 3 years ago | (#37507188)

Unless you're some kind of super 4Chan, you can't run a business that actively keeps no logs and relies upon -- as your business model -- the idea that you can keep people 100% anonymous online no matter what they do. That's just retarded.

Generally speaking, the best you can hope for is, "We will keep you safe from basically anyone who doesn't come knocking with a court order or warrant. Depending on your country, they may not even have that, but they'll definitely have to be law enforcement related."

I mean, really. Would you willingly operate a legitimate business that had, as its business model, the idea that your clients give you a hunk of money and then you give them back an entirely different set of money (minus 15%) in non-sequential bills? Do you think such a business would operate without being investigated by the FBI/CIA/ASIO etc? Who would you think the primary clientele of such a business would be and is it really ethical to protect them?

Somewhat more tin-foil-hatty is the idea that anyone who runs a business that promises to give the finger to the law, doesn't keep any logs and is prepared to go to jail to protect your online anonymity... well, to me, that screams that they're a honeypot. Probably paid for directly by the FBI, with 95% of their clientele being 13 year old 4Chan script kiddies, PirateBay users and other harmless folk who are utterly ignored and left in peace... but that other 5% being pedos (there are *very very* few pedophiles online; don't buy into the panic!), drug runners and organized crime members who are kept under close surveillance.

In short, I would rather use an anonymizing VPN service who spells out exactly what is kept and why, and what level of law enforcement intervention is required. A service I would use would probably have the following terms of service:

1) If you commit any crime, or transmit evidence of any crime, that has a minimum of one year in jail OR do anything *truly* retarded (like Skype-out over the VPN and call the White House legitimately threatening to assassinate the President of the United States) then your arse is grass.
2) If you are DDOSing from behind the VPN service, or sending spam e-mail, or operating any form of spam/volume based attack behind the VPN we'll disconnect you since that typically rapes our already overloaded services. Generally no legal butthole-raping, just a D/C, one day timeout, and an e-mail explaining why. Note rule #1 still applies if you are scamming people.
3) If the cops come with a 100% legal warrant issued by a judge, irrespective of the crime, we'll comply with its order.

I believe that's entirely fair and I know some people will scream for more, but realistically, I think that if your business doesn't basically follow those three rules it's not going to survive... or is a honeypot.

Obviously (2)

cheekyjohnson (1873388) | about 3 years ago | (#37507202)

Anyone who doesn't want logs/wants them deleted quickly is an evil criminal.

Idiots (1)

Arancaytar (966377) | about 3 years ago | (#37507232)

Yes, your ISP, who knows your identity since you have a commercial relationship with them, cannot hide logs of your data from the authorities, because they're a registered business. Whatever shall you do? OH I KNOW! Enter a commercial relationship with someone else who is also a registered business.

To paraphrase the old adage, "if you think, speak, write, publish and don't use Tor, don't be surprised."

Re:Idiots (0)

Anonymous Coward | about 3 years ago | (#37507364)

If you think Tor will hide you from any non-trivial investigation you're in for a surprise as well.

why does HideMyAss.com even KEEP logs??? (1)

popo (107611) | about 3 years ago | (#37507242)

Isn't the surest form of protection to not log user activity in the first place?

When did they change domain names... (1)

dyfet (154716) | about 3 years ago | (#37507296)

...to "coverourass.com"?!

Do NOT use webservices, paid or free! (2, Insightful)

MindPrison (864299) | about 3 years ago | (#37507326)

A lesson in paranoia, it's all logic:

Do you seriously think you can surf for free, unlimited bandwidth on some service out there in internet land? Sure, they may finance their services with advertising, and that's probably the main idea and intentions with their services to BEGIN WITH, but as with all such services, no one is ABOVE the LAW, and don't think for a minute you'll even be safe under such services.

Sure...your ISP won't see your actions
But the service you use (e.g. Hidemysorryass.dot.com) WILL know your every move, they have to...why? Liability, that's why! No one can truly circumvent their own country's laws, not even the best of them; the only reason you don't get caught is because you ain't important enough. If you do the CRIME, you WILL eventually do the TIME.

It's all a giant game of who do you trust (to quote Jack Nicholson) - Who DO YOU TRUST? Some free internet service out there, are you freaking KIDDING me? They WILL COVERTHEIROWNASS.com when the feds come knocking on their doors, they're in it for the money, not to save your ass, that's for sure.

Networks like TOR (google it and learn) work, because it's a giant network of private individuals that lend their computers to forward encrypted chopped packets of information they have no chance of assembling, only that makes sense as you couldn't really assemble this unless you owned the entire network ...or...figured out who was behind the originating address through mistakes such as leaving your name on a forum, user name + previous IPs with that user name etc... Never mind that, we're getting too technical, point remains though.

Learn to surf safely first

And then you may use TOR!

If I were MI5/CIA/... (2)

Alain Williams (2972) | about 3 years ago | (#37507348)

I would set up services like HideMyAss and run it in a competent way .... and let my analysts have a look at what people want to hide. If people are trying to hide something then it is likely to be interesting or embarrassing. OK: most of it would be uninteresting from the point of view of a national security agency, but there would probably be an occasional gem from some dumb ass who believes that such a service really does give him the secrecy that he wants.

They can't find you if.... (0)

Anonymous Coward | about 3 years ago | (#37507436)

1. Go buy a cheap USB wireless card (with cash).
2. Disable your wireless card on your laptop.
3. Go to Starbucks or other public Wi-Fi hot spot.
4. Plug in newly purchased wireless card and get on to "the inter tubes"
5. Do what ever nasty sh*t you're going to do.
6. Dispose of newly purchased wireless card.

They can't find you, period.
