Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Crime Privacy The Courts United Kingdom

HideMyAss.com Doesn't Hide Logs From the FBI 233

An anonymous reader writes "People use VPN services to hide their identities online, right? And a UK-based service called HideMyAss would seem to fit that bill perfectly. Not so, unfortunately: they have to hand over the logs to the FBI when a UK judge tells them to." Reader wiredmikey points to a story at SecurityWeek, too.
This discussion has been archived. No new comments can be posted.

HideMyAss.com Doesn't Hide Logs From the FBI

Comments Filter:
  • by Anonymous Coward on Sunday September 25, 2011 @05:08AM (#37506986)

    But another question is why they kept logs anyway? Are they required to keep logs by law?

    • by Runaway1956 ( 1322357 ) on Sunday September 25, 2011 @05:25AM (#37507040) Homepage Journal

      Now, THAT is the correct question. A server that keeps no logs is a fairly secure server from which to run a VPS. Ditto proxies. When shopping for something of this sort, the important question to ask is, "What logs do you keep, and how long do you retain them?" Every server makes and keeps logs - there is no getting around that. The lifetime of the logs should depend on administrative necessity. Generally, logs should be flushed every 24 hours. Performance logs, security logs, things that pertain to the ongoing health and security of the server should be retained for as long as necessay - sometimes, for months. But every publicly facing server should routinely delete logs that aren't central to the server's main mission. VPS and proxy servers main mission being to protect the anonymity of it's users.

      Shouldn't it be considered a fraud, to advertise they you will protect a user's identity, then maintain logs which can be seized by any government agency that demands them?

      • by jhoegl ( 638955 ) on Sunday September 25, 2011 @05:54AM (#37507140)
        Ass logs can get pretty big.

        I just dont know if I want to be the one sifting through the logs to find kernels of information.
      • by qbast ( 1265706 )
        They are based in UK, so they so not retaining logs is illegal. If you want proxy without logs find one based in country without data retention laws. Hint: it is nowhere in EU.
        • That sidesteps my point, really. Assuming that you want a proxy server to actually hide you - you need to determine what logs they keep, right?

          You also seem to ignore my final question. Shouldn't it be considered fraud, if they promise to "cover your ass", then they hand logs to whichever government agency demands them?

          • by qbast ( 1265706 ) on Sunday September 25, 2011 @06:57AM (#37507264)
            The problem is that when it comes to promises of security, fraud is very common and never punished. How exactly do you determine what logs the proxy keeps? By asking them? As you see what is promised and what is actually delivered is usually not the same. For another example look at Dropbox - for a while they claimed that only user has encryption keys and it is impossible for their staff to decrypt anything. Then they changed story to 'staff is not allowed to decrypt'. Hell, even if you find a proxy in bumfuckistan which has no data retention laws, it may be a honeypot.
            • by blueg3 ( 192743 )

              Dropbox - for a while they claimed that only user has encryption keys and it is impossible for their staff to decrypt anything

              Actually, they never claimed that only the user has the encryption keys, and they didn't say "impossible", they said "can't", which is a softer guarantee.

              Just goes to show you when reading security guarantees, "fraud" is not nearly as much a problem as companies being intentionally vague and optimistic, customers reading in to their statements what they want to hear, and everyone having poor reading comprehension and inadequate skepticism.

          • by Bert64 ( 520050 ) <.moc.eeznerif.todhsals. .ta. .treb.> on Sunday September 25, 2011 @07:01AM (#37507272) Homepage

            a, not really.. you can easily eliminate potential proxy services by assuming that at minimum they comply with the local data retention laws...

            b, possibly, but who do they claim to "cover your ass" from?

            • Alternately to (b), what do you expect them to do? Subpenas and warrants are not optional. You can, right up to the minute the court order comes in, tell government agencies that your policies forbid releasing customer data... after that, your choices are pretty limited (they involve "hand over information" or "go to jail and let them search for it themselves"). If you want true, court order proof, privacy, the onus is on you to find a company that can provide it, Ideally you want a company located in a

        • by migla ( 1099771 ) on Sunday September 25, 2011 @06:22AM (#37507206)

          They are based in UK, so they so not retaining logs is illegal. If you want proxy without logs find one based in country without data retention laws. Hint: it is nowhere in EU.

          Judicially, no. But, unless I'm mistaken (and don't base hiding of ass on my level of informedness, please), Sweden is for example not abiding by that EU law yet, incurring ever growing fines in the process.

          My ISP still claims the logs of who had what IP at what point in time are gone in about a week.

        • by __Paul__ ( 1570 )

          Not retaining logs might be illegal, but is it illegal to not make the logs in the first place?

          If it is, does that mean that it's illegal to code software that doesn't do logging at all? (eg, specifically removing the code from squid that does this, or writing one's own proxy and never actually get around to the point of writing the logging part).

      • Re: (Score:2, Insightful)

        by AmiMoJo ( 196126 )

        Servers in the uk have a legal obligation to keep certain logs, and we are America's bitch. TOR is the only safe option.

        • TOR is only as safe as the government permits it to be. I stated above that the darkweb is subject to MIM attacks. TOR is merely a subset of the darkweb - albeit, less secure than I2P and other protocols.

      • by iamhassi ( 659463 ) on Sunday September 25, 2011 @11:46AM (#37508582) Journal

        But every publicly facing server should routinely delete logs that aren't central to the server's main mission. VPS and proxy servers main mission being to protect the anonymity of it's users.

        Shouldn't it be considered a fraud, to advertise they you will protect a user's identity, then maintain logs which can be seized by any government agency that demands them?

        reason for keeping logs: [hidemyass.com]
        "16:32 edit: We have had a few queries as to our logging policies. We only log the time you connect and disconnect from our service, we do not log in any shape or form your actual internet traffic.

        21:05 edit: Why do we log the above^ information? Being able to locate abusive users is imperative for the survival of operating a VPN service, if you can not take action to prevent abuse you risk losing server contracts with the underlying upstream providers that empower your network. Common abuse can be anything from spam to fraud, and more serious cases involve terrorism and child porn. The main type of logging is session logging – this is simply logging when a customer connects and disconnects from the server, this identifies who was connected to X IP address at X time, this is what we do and all we do."


        makes sense, they have to protect their other customers and themselves, if someone logs in and does kiddie porn or terrorism and HMA doesn't have the logs they'll lose relationships with the other VPN servers they're using. Govt might even just come in and take what servers they do have and shut down the website if HMA doesn't cooperate.

        Honestly I think lulzsec was stupid for using their credit card on a VPN service for hacking online, if they thought "Let's be safe, I'll just enter my credit card number...." then they're stupid and deserve what they got. Should have gone anonymous (no credit cards, or at least prepaid) and should have gone through several VPNs in other countries.

        Wanna hack anonymously? Buy a used PC, wipe the drive (or install new HD), install OS, use it only for hacking, never put any personal information on it, never check personal email, facebook, forum accounts, bank, credit card, paypal, etc. Create fake email on PC, use fake email to create fake accounts, find free VPNs [google.com] and go through several of them (at least three). Wipe cookies, temp files, etc after every session. Even better if you buy a used laptop and use wifi at starbucks, mcdonalds, B&N, or open networks from wardriving [wikipedia.org] and switch networks daily.

    • Yes, Internet Service Providers are required to keep laws by the Regulation of Investigatory Powers Act.

      • by lseltzer ( 311306 ) on Sunday September 25, 2011 @07:26AM (#37507342)
        In addition to that, from TFA:

        Why do we log the above^ information? Being able to locate abusive users is imperative for the survival of operating a VPN service, if you can not take action to prevent abuse you risk losing server contracts with the underlying upstream providers that empower your network. Common abuse can be anything from spam to fraud, and more serious cases involve terrorism and child porn. The main type of logging is session logging – this is simply logging when a customer connects and disconnects from the server, this identifies who was connected to X IP address at X time, this is what we do and all we do. Some providers choose not to do session logging and instead try to locate the abusive customer by using the intelligence from the complaint, for example if someone hacks XYZ.com they may monitor traffic to XYZ.com and log which customers have a connection to this website. Ask yourself this: if a provider claims not to do any form of logging, but is able to locate abusive customers, how are they able to do this without any form of logging?

        • by KDR_11k ( 778916 )

          I have to ask what exactly they expect people to use such a service for. How many people need to hide their IP address from servers badly enough to invoke a third party like this when they aren't planning anything nefarious? Without a court order that IP address cannot be matched to a person anyway and people who are just using general caution would likely prefer a service that uses its basic design for reducing your traceability, not the promises of a single third party (after all who's to say that third p

          • I use it mostly as an encrypting proxy so I can use open Wifi and other untrustworthy networks.
          • They say that one reason is to get around geographic blocks, like the iPlayer that only works in the UK. http://en.wikipedia.org/wiki/BBC_iPlayer#Overseas_availability [wikipedia.org] Of course that violates Intellectual Property law, and so it is illegal. Ooops...
          • by MobyDisk ( 75490 )

            Some possibitilies:
            - A celebrity or politician who was gay, or holds an view unpopular in their party.
            - A whistleblower
            - Someone who lives in a country where certain speech is considered terrorism, or books are banned, or certain technology is prohibited.
            - A male who likes Justin Bieber music.

    • by Zemran ( 3101 ) on Sunday September 25, 2011 @07:31AM (#37507368) Homepage Journal

      In the UK, not only do they have to keep the logs for 18 months but practically anyone, including the fire service, can look at them. The British law is the craziest in the world in that regard and anyone stupid enough to use a British proxy/VPN must need their head examined. If you use a Swiss or a Swedish proxy they will not even keep logs, so there is nothing for the FBI to ask the court to make them hand over. If you buy a car you look into which car does the job that you want it to do... So if you get a proxy it is up to you to make sure it will do what you want. If you want to watch British TV or whatever without being told that you cannot because you are not in Britain then OK but for privacy??? MORON!!!

    • The UK requires (under the Digital Economy Act) that any internet service provider (which the law defines in an exceedingly broad way) keeps logs of all customer connections and retain them for a minimum period of 6 months. They are not required to log the contents of the connection, merely the IP.

      This includes an individual or small business offering wi-fi to customers on their premises. Under the DEA, they are an ISP and must keep the relevant logs (which include positive identity of the customer) for the

      • by KDR_11k ( 778916 )

        On the other hand in Germany the courts have ruled that the extended data retention spans are unconstitutional. Of course they have also ruled our federal voting laws to be unconstitutional and the politicians have done nothing about that.

  • lol (Score:5, Funny)

    by smash ( 1351 ) on Sunday September 25, 2011 @05:09AM (#37506990) Homepage Journal

    If you're expecting to use public VPN servers to "hide your ass" you're doing it wrong.

    If you're not competent enough to "hide your own ass" then you really shouldn't be fucking with other people's networks.

    • Perhaps you could write a "How to" for covering your ass, then. There aren't very many ways to hide your ass on the internet, and those that I know of are all subject to a MIM attack. Yes, even the darknet is subject to MIM, if the gubbermint wants to throw enough resources into finding you. So, what do you use?

      • Re:lol (Score:4, Insightful)

        by smash ( 1351 ) on Sunday September 25, 2011 @05:29AM (#37507060) Homepage Journal

        I'm not claiming to have a method. My option is "don't do retarded shit on the internet and expect not to get caught".

        But using someone else's VPN service in a western country is pretty much equivalent to using nothing at all.

        • Alright, can't fault your logic there.

        • I guess that depends on what you're trying to achieve. If it's "I'm going to do something seriously heinous and need to protect myself from huge international investigative bureaus!", then yes, some VPN service in a western country probably isn't going to cut it.

          If, on the other hand, you don't want your [employer/service provider/whatever] knowing that you're doing something that's just questionable or embarrassing, it'd probably work just fine... assuming you use it properly.
          • by smash ( 1351 )

            Well of course. there's a difference between not getting busted by your employer for doing stuff you shouldn't be doing at work and attacking the US government and multinational corporations, however.

            If your want to fuck with the big boys, then you better have your shit in order. Be it some bot-net to hide your tracks with, an account in backpackistan, or whatever.

            Renting service of a VPN provider in the UK (who is well known to be the USA's bitch in recent years) to attack megacorps and the US gover

      • Depends who you want to communicate with. There are a few foilhatters on Freenet who believe various conspiracies are after them - and, in the unlikely event they are actually right, freenet is going to be all but impossible to track someone on. Easier to try to bait your target into a trap by, for example, giving him a unique link to a conventional website and then looking through their logs to see where the request came from.

        There are a few low-ranking pirate releasers there too, but as they tend not to
        • Lol indeed (Score:5, Informative)

          by siddesu ( 698447 ) on Sunday September 25, 2011 @07:27AM (#37507354)

          Actually, there is a ton of things the government will attempt to do to try to get you, even if it is a puny, pariah, poor government. I was helping a few friends of mine who live in a country, where people who laugh at politicians are still beaten up, to publish some funny videos about their top politician. Since I also visit there occasionally, we took full precautions. Private VPN to a foreign country, rather unfriendly to the regime, chained proxies, then TOR, new email addresses and video upload accounts, different chained proxies to access each of those, etc.

          Once the videos hit the tubes,some people got mightily pissed off, and started an official, but silent investigation. Imagine my surprise, when two of our e-mail accounts (free, with a large US-based web mail provider) that we used for the services were blocked, and login attempts redirected us to customer support barely a day into the operation. Since the investigation in these countries tends to leak like a sieve, we got info that that particular country was paying someone mid-level in customer support dept. to give them data on customers.

          They hit the video upload sites with official requests and apparently tried to hack into one, obtained logs from the ISPs of all online forums that we used to advertise the videos to, had videos deleted and did other funny things. They persisted into this business for about 18 months until they decided to close it down.

          Given this much effort about a few videos from a near-third world country, imagine what a really powerful government can do to you, and despair :)

          • I guess that's why you posted as AC. Oh, wait......
          • by AmiMoJo ( 196126 )

            It depends what you expect from Freenet and Tor. On the one hand the powers that be can tell you are using them, but they can't tell what for. Of course sometimes that alone is enough for them to raid you, take your computers, lock you up, render you to some place to be tortured etc. Generally speaking though people in Western Europe are probably reasonably secure because unless those countries generally stick to the law, and make it hard for the US to grab you inside their borders now that rendition has co

      • by KDR_11k ( 778916 )

        How about "only fuck with targets that the intel agencies sniffing in the darknet don't mind seeing fucked with" like targets in countries hostile to the US?

        • by mpe ( 36238 )
          How about "only fuck with targets that the intel agencies sniffing in the darknet don't mind seeing fucked with" like targets in countries hostile to the US?

          Governments can change which countries they do and don't like very rapidly. As well as publically claiming one thing, whilst actually doing something completly different. Even if you could find a country which truely had no friends you'd probably find that various "intelligence agencies" would view you as trespassing on their "turf".
      • They're plenty of sites dedicated to that, it's just that they have strange names like JC Penny and Macy's.

  • by antifoidulus ( 807088 ) on Sunday September 25, 2011 @05:09AM (#37506992) Homepage Journal
    I was hoping something like hidemyass.com would be devoted to the anti-muffin top movement :P
  • HMA is designed to avoid censorship, not mask illegal activities. Although their may be some gray area where using the internet to organize people in political actions may be illegal, the sharing information itself is not illegal, and should not be censored. People that then actually commit cyber crimes or real crimes, will be subject to applicable laws by involved governments, and of course, the governments will take action to find the responsible parties.
    • by smash ( 1351 )
      OK, so given that some censorship worthy information is illegal in some countries, what's to say hidemyass.com won't just bend over for a government other than the US, when presented with law breakage in that particular country?
      • Nothing really, other than their assurance that they reject legal requests except this coming via the UK judicial system. With the European Arrest Warrant though this can be problematic. For example, prior the UK's de-criminalization of blasphemy a member state with a blasphemy law that was not just an relic could see their batshit crazy law enforced in the UK.

        Do you have reason to suspect that HMA will abandon their stated policy?

        • It doesn't have to be illegal in the UK to get a European Arrest Warrant. Around 25% of all European Arrest Warrants are from Poland on the charge of exceeding your bank account overdraft limit, something which isn't illegal in any part of the UK.

    • by zlogic ( 892404 )

      I always thought HMA was a service for using Facebook or any other blocked site at work.

    • by KDR_11k ( 778916 )

      I expect countries with active censorship to simply ban hidemyass.com and be done with it.

    • "HMA is designed to avoid censorship, not mask illegal activities"

      Same shit, different day. The level of protection required is the same, anonymity.

  • by geogob ( 569250 ) on Sunday September 25, 2011 @05:14AM (#37507004)

    I've heard /dev/null is a pretty neat place to store logs. Compression ratio is quite high too - no need to worry about filling disks with uncompressed logs.

  • by jimicus ( 737525 ) on Sunday September 25, 2011 @05:17AM (#37507016)

    It's quite clear that HMA see their service as a way of doing things that are not illegal through a VPN. There's plenty of perfectly legitimate reasons to want to do this, and that's what the service is there for.

    It's not there to allow someone to break the law with impunity. So it's not been engineered to be particularly difficult to dig into the logs and figure out who was using the service. So if they get served with a court order saying "Hand over the logs", they have to.

    Want something which is a lot harder to be traced? Don't use a commercial VPN service, use something like Tor.

    This isn't a story of "HideMyAss selling out". This is a story of "Person uses a service in a way it's not meant to be used and is surprised when it blows up in his face".

    • by heypete ( 60671 )

      It's quite clear that HMA see their service as a way of doing things that are not illegal through a VPN.

      Indeed. I use a similar service for accessing various online services (e.g. Netflix, Pandora, etc.) that are geographically limited to the US (or at least to US+Canada) while I'm in graduate school in Europe. Nothing illegal about that, and I wouldn't be surprised if the VPN provider kept detailed logs.

      • by antabus ( 858998 )
        Can you link to this? I've been looking for a service like that, and wouldn't mind some recommendations.
        • by heypete ( 60671 )

          I've had good luck with StrongVPN [strongvpn.com] and their L2TP/IPSec VPN service.

          I'm in Switzerland and connect to a Washington DC server (low latency from Europe to the US East Coast). The only connectivity problems I've had were related to the spotty wifi environment in the temporary place I'm presently living in (shared wifi between about 30-40 people) until I move into my private, long-term apartment in a week.

          Setup was trivial, and so far connections have been limited only by my local connection speed.

      • by Bert64 ( 520050 )

        Indeed thats primarily what UK based VPN services are used for, to access things like BBC iPlayer and other such resources.

      • by Toy G ( 533867 )

        What you do is clearly a breach of contract between you and the content provider, with more contractual implications up the licensing chain. At worst, it could be argued that you're defrauding the content provider/producer. So, "not illegal"? Maybe, maybe not, it's a grey area. For sites like HideMyAss to state that this sort of usage is fully legal is very self-serving and clearly false.

        Let's be honest, we now know that HMA will fold when the first copyright troll comes knocking with a court order. Their r

        • by mpe ( 36238 )
          What you do is clearly a breach of contract between you and the content provider, with more contractual implications up the licensing chain.

          The only way a contract could possibly exist with a streaming media site would be where a user had to "sign in" somehow.
          If this server was just making a decision based on the IP address it saw then how could such a contractual relationship exist?
    • Hear hear. I'm an HMA Pro subscriber BTW and I'd go so far as to say that I'm glad for them that they could be part of busting these assholes.
  • Is this really surprising to anyone? There are two ways to hide traffic. The first is illegal and it will cover your tracks because you can use hacked machines without any logging. The second is legal and it is very hard to hide yourself. The only legal way which might actually work is if you bounced through a country with no diplomatic ties to the West but very few of those are even on the internet.

    So back to this company. Does it surprise anyone that a company located in the UK of all places would hav
    • There is a third: Have friends in very high places. This option isn't available to most people, but it's an open secret that there is some amount of international espionage going on with countries trying to blame their hacking efforts on independant hackers who happen to live within their borders.
    • So North Korea could make a fortune running proxy services?
  • at least they wait till a judge tells them to.Too many companies/websites are handing over information if they are asked.
  • by lucm ( 889690 )

    I'd like to make a smart comment here but I don't have time, I have a lot of stuff to delete before the feds knock to my door!

  • by MindPrison ( 864299 ) on Sunday September 25, 2011 @05:27AM (#37507052) Journal

    Not everyone understands computers, that doesn't mean they're incompetent, wikileaks, openleaks and other needs to help their submitters keep anonymous, and there are better ways to do this, follow my instructions below, and you'll be as safe as you CAN be in this world:

    1) First of all, you need to download TAILS

    http://tails.boum.org/download/index.de.html [boum.org]

    2) Burn this .ISO on a CD

    3) Get a second computer

    4) Tear out its harddisks

    5) Make sure there are NO USB-memory sticks either.

    6) Make it boot from the CD only, (enter the bios and set Boot Priority to CDROM)

    7) Now you can surf relatively safely, but you're not done yet!

    8) When surfing, do NOT surf into familiar places of yours, do NOT use your real name, do NOT search for your real name or even your internet alias, if it's known in combination with your name (if you surfed with it on your computer, google already knows your IP, so forget it!)

    TAILS uses TOR, google it if you're truly curious. It can't keep you 100% anonymous but it's the safest "service" out there, and it's only relatively safe if YOUR SURFING HABITS ARE SAFE TOO.

    Good luck!

    • and you'll be as safe as you CAN be in this world

      Are you fishing for idiots?

      "Go find an unsecured AP in some other city and/or country" is the first step in getting some anonymity.

      After that, there's a never ending list of precautions you should take, of which your advice is only one part.

  • by fantomas ( 94850 ) on Sunday September 25, 2011 @05:30AM (#37507070)

    Something we suspected for a long time...

    Don't get me wrong, we're truly grateful you stepped in 70 years ago to help save us being conquered by the nazis (even if you did take 2 years to finish your breakfast before getting your spurs on) , but jings, we do seem to have a procession of Prime Ministers whose real dream seems to be made a governor of a USA state...

    • Oh come on, really? Sure the UK and the US work hard to keep each other happy. We're almost certainly amongst each others most important allies (Canada is probably more important to us, France more important to you, for geographic reasons; but we're hugely important to each other). I won't deny that the UK has bent over backward to help the US before (and we've done the same), but in this case you're just being a tinfoil hatter. A law enforcement agency of a sovereign nation went to your courts and pres

    • I think we'd be willing to give you Texas if you promise not to give it back.

  • by drolli ( 522659 ) on Sunday September 25, 2011 @05:38AM (#37507088) Journal

    I use a VPN because i firmly believe that a malicous neighbor on the same cable trunk does not need to know what i am doing or intercept certain connections. I use a VPN because public and free WLANs and Hotels LANs are uncontrolled cesspools. I use a VPN because i dont want every server operator to be able to identify my location to the block-level (and combine it with other techniques to identify me). I use a VPN because i dont trust GSM encryption. I use a VPN because i dont want to be throttled based on IP or content.

    If the FBI wants to see the log of my VPN provider, they can. If i would want anonymity i would go to other measures.

  • Anonymouse (Score:5, Interesting)

    by E.I.A ( 2303368 ) on Sunday September 25, 2011 @05:43AM (#37507110) Homepage Journal
    Would the same go for anonymouse.org? I have visited my own website through their proxy, and it remains unlogged in (wordpress) WassUp stats. Hidemyass actually shows up though, along with my browser type and screen res. Also, why do more people not consider that these anonymity services are not honey pots?
  • HMA is primarily used to bypass school/college firewalls

  • Of course. Duh. (Score:5, Insightful)

    by Sasayaki ( 1096761 ) on Sunday September 25, 2011 @06:17AM (#37507188)

    Unless you're some kind of super 4Chan, you can't run a business that actively keeps no logs and relies upon -- as your buisness model -- the idea that you can keep people 100% anonymous online no matter what they do. That's just retarded.

    Generally speaking, the best you can hope for is, "We will keep you safe from basically anyone who doesn't come knocking with a court order or warrant. Depending on your country, they may not even have that, but they'll definitely have to be law enforcement related."

    I mean, really. Would you willingly operate a legitimate business that had, as its business model, the idea that your clients give you a hunk of money and then you give them back an entirely different set of money (minus 15%) in non-sequential bills? Do you think such a business would operate without being investigated by the FBI/CIA/ASIO etc? Who would you think the primary clientele of such a business would be and is it really ethical to protect them?

    Somewhat more tin-foil-hatty is the idea that anyone who runs a business that promises to give the finger to the law, doesn't keep any logs and is prepared to go to jail to project your online anonymity... well, to me, that screams that they're a honeypot. Probably paid for directly by the FBI, with 95% of their clientelle being 13 year old 4Chan script kiddies, PirateBay users and other harmless folk who are utterly ignored and left in peace... but that other 5% being pedos (there are *very very* few pedophiles online; don't buy into the panic!), drug runners and organized crime members who are kept under close surveillance.

    In short, I would rather use an anonymizing VPN service who spells out exactly what is kept and why, and what level of law enforcement intervention is required. A service I would use would probably have the following terms of service:

    1) If you commit any crime, or transmit evidence of any crime, that has a minimum of one year in jail OR do anything *truly* retarded (like Skype-out over the VPN and call the White House legitimately threatening to assassinate the President of the United States) then your arse is grass.
    2) If you are DDOSing from behind the VPN service, or sending spam e-mail, or operating any form of spam/volume based attack behind the VPN we'll disconnect you since that typically rapes our already overloaded services. Generally no legal butthole-raping, just a D/C, one day timeout, and an e-mail explaining why. Note rule #1 still applies if you are scamming people.
    3) If the cops come with a 100% legal warrant issued by a judge, irrespective of the crime, we'll comply with its order.

    I believe that's entirely fair and I know some people will scream for more, but realistically, I think that if your business doesn't basically follow those three rules it's not going to survive... or is a honeypot.

  • by cheekyjohnson ( 1873388 ) on Sunday September 25, 2011 @06:21AM (#37507202)

    Anyone who doesn't want logs/wants them deleted quickly is an evil criminal.

  • Yes, your ISP, who knows your identity since you have a commercial relationship with them, cannot hide logs of your data from the authorities, because they're a registred business. Whatever shall you do? OH I KNOW! Enter a commercial relationship with someone else who is also a registered business.

    To paraphrase the old adage, "if you think, speak, write, publish and don't use Tor, don't be surprised."

  • Isn't the surest form of protection to not log user activity in the first place?

  • ...to "coverourass.com"?!

  • by MindPrison ( 864299 ) on Sunday September 25, 2011 @07:21AM (#37507326) Journal

    A lesson in paranoia, it's all logic:

    Do you seriously think you can surf for free, unlimited bandwidth on some service out there in internet land? Sure, they may finance their services with advertising, and that's probably the main idea and intentions with their services to BEGIN WITH, but as with all such services, no one is ABOVE the LAW, and don't think for a minute you'll even be safe under such services.

    Sure...your ISP won't see your actions
    But the Service you use (eg. Hidemysorryass.dot.com) WILL know your every move, they have to...why? Liability, that's why! No one can truly circumvent their own countrys laws, not even the best of them, the only reason you don't get caught, is because you ain't important enough, if you do the CRIME, you WILL eventually do the TIME.

    It's all a giant game of who do you trust (to quote Jack Nicholson) - Who DO YOU TRUST? Some free internet service out there, are you freaking KIDDING me? They WILL COVERTHEIROWNASS.com when the feds come knocking on their doors, they're in it for the money, not to save your ass, that's for sure.

    Networks like TOR (google it and learn) works, because it's a giant network of private individuals that lend their computers to forward encrypted chopped packets of information they have no chance of assembling, only that makes sense as you couldn't really assemble this unless you owned the entire network ...or...figured out who where behind the originating address trough mistakes such as leaving your name on a forum, user name + previous IPs with that user name etc... Nevermind that, we're getting too technical, point remains though.

    Learn to surf safely first

    And then you may use TOR!

    • by b4upoo ( 166390 )

      Many crimes go unsolved and even undiscovered. As far as serious crimes are concerned the odds are with the criminal. It is repetition over time, the nature of a crime, and just dumb luck that allow criminals to continue. It is rather like a car thief. You catch him but he may have stolen hundreds of cars over many years and you have him under arrest for stealing one car. He'll get probation unless he has prior convictions.
      The r

  • by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Sunday September 25, 2011 @07:26AM (#37507348) Homepage

    I would set up services like HideMyAss and run it in a competent way .... and let my analysts have a look at what people want to hide. If people are trying to hide something then it is likely to be interesting or embarassing. OK: most of it would be uninteresting from the point of view of a national security agency, but there would probably be an occasional gem from some dumb ass who believes that such a service really does give him the secrecy that he wants.

    • by b4upoo ( 166390 )

      Or you could work as a computer technician and get access to a bunch of materials that enable you to put yourself in a very lucrative position such as buying a chunk of land that is sought by a developer for a large project. It takes money to buy that little piece of raw land right in the middle of your intended mega golf course- resort.

  • by QCompson ( 675963 ) on Sunday September 25, 2011 @09:48AM (#37507912)

    Regarding censorship bypassing, some have stated it is hypocritical for us to claim we do not allow illegal activity, and then claim our service is used in some countries to bypass censorship illegally. Again we follow UK law, there isn’t a law that prohibits the use of Egyptians gaining access to blocked websites such as Twitter, even if there is one in Egypt though there are certainly laws regarding the hacking of government and corporate systems.

    But if the Egyptian government went through the appropriate channels and got a UK court order, presumably HMA would turn over the logs immediately. Besides, there are a number of censorship-related situations where HMA would apparently pass out user information like cookies at a bake sale regardless of whether a boogedy-boogedy scary middle east country is involved or if it is the US/UK... the wikileaks fiasco would be an obvious example.

    Why not at least keep the connections logs for only 2 or 3 days? I would imagine that would still enable them to crack down on abuse while avoiding having to comply with most court orders.

  • You'd think that a tor-like vpn service would be smart enough to not enable logging, except for errors that they may need to fix, and then not log IP addresses in any case. Then, they can hand over the logs, knowing that no, or little, information will be available.

Keep up the good work! But please don't ask me to help.

Working...