Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Crime Privacy

Cyberstalking Suspect Arrested After VPN Providers Shared Logs With the FBI (bleepingcomputer.com) 212

An anonymous reader writes: "VPN providers often advertise their products as a method of surfing the web anonymously, claiming they never store logs of user activity," writes Bleeping Computer, "but a recent criminal case shows that at least some do store user activity logs." According to the FBI, VPN providers played a key role in identifying an aggressive cyberstalker by providing detailed logs to authorities, even if they claimed in their privacy policies that they don't. The suspect is a 24-year-old man that hacked his roommate, published her private journal, made sexually explicit collages, sent threats to schools in the victim's name, and registered accounts on adult portals, sending men to the victim's house...
FBI agents also obtained Google records on their suspect, according to a 29-page affidavit which, ironically, includes the text of one of his tweets warning people that VPN providers do in fact keep activity logs. "If they can limit your connections or track bandwidth usage, they keep logs."
This discussion has been archived. No new comments can be posted.

Cyberstalking Suspect Arrested After VPN Providers Shared Logs With the FBI

Comments Filter:
  • This is a good reminder that you shouldn't put much faith in the claims made by service providers.

    • by gweihir ( 88907 )

      Service providers routinely have incentives to overstate the quality of their product. Perverted incentives, brought to you by capitalism. End even extreme lies can often stay undetected for a long time, see, e.g. the current nice example with diesel cars. In actual reality, at the very least, a careful check of the plausibility of such claims is necessary and almost universally you find the product is nowhere near as good as claimed. This case here is no exception.

      Of course, it is quite possible that the V

      • by TWX ( 665546 )

        Replace "Service providers" with sellers, and it's been accurate since the dawn of humanity.

        Anyone selling has incentive to make as much sales as possible, and that includes immoral or dishonest means if those means do not lead to far less sales. For businesses theoretically operating within the law this is why it's important to have groups like the consumer products safety commission and the federal trade commission, because businesses will go through whatever steps are necessary to protect themselves up-

        • by gweihir ( 88907 )

          I have given up getting exceptions for Internet access via customer laptops (I do IT security consulting). Instead I have an unlimited mobile data-plan and bring my own laptop in addition. This is quite often needed to get the information I need to do my work.

      • by johanw ( 1001493 )

        AND you are stupid enough to use a VPN provider in the same country where you piss off the police.

    • This is a good reminder that you shouldn't put much faith in the claims made by service providers.

      From PureVPN provider's privacy policy (linked in TFS):

      "Our servers automatically record the time at which you connect to any of our servers. From here on forward, we do not keep any records of anything that could associate any specific activity to a specific user. The time when a successful connection is made with our servers is counted as a “connection” and the total bandwidth used during this connection is called “bandwidth”. Connection and bandwidth are kept in record to maintain

      • I'm not feeling the outrage.

        I'm not even upset, let alone outraged.

        • I'm not feeling the outrage.

          I'm not even upset, let alone outraged.

          I'm glad they caught the assole, who is both a criminal, and stupid.

      • by mentil ( 1748130 )

        So he was found out by metadata? This is perhaps a good reason why govt. should require a warrant to get ahold of it.

    • Excellent. I'm glad they nailed him.

      This guy was a major asshole. I hope when he gets out, his terms of parole include "never allowed to touch a computer for any reason."

      • by johanw ( 1001493 )

        Now the detection metghod is ready to bust anyone who is illegally downloading the new Stsr Trek Discovery epuisodes.

  • ... you'll be anonymous, they said.

    I'm bookmarking this article for reference material for the VPN fanbois.

    • All a VPN really does is prevent your local ISP provider from monetizing your surfing habits. Which is enough for me.
      • by CaptainDork ( 3678879 ) on Sunday October 08, 2017 @10:34AM (#55331211)

        That's all a VPN does for you , which is irrelevant to what Pure VPN says it does [purevpn.com] for others.

        PureVPN operates a self-managed VPN network that currently stands at 750+ Servers in 141 Countries. But is this enough to ensure complete security? That's why PureVPN has launched advanced features to add proactive, preventive and complete security. There are no third-parties involved and NO logs of your activities .

        Emphasis mine.

        • Except that, according to TFA, Pure is lying when they say that.

          • Precisely.

            Which leads to the next question: Are other or all VPN providers lying?

            • Indeed. I think it's safe to assume three things: some are lying, some are honest, and we can't really distinguish between the two.

              • Agreed.

                And I would add that people who think they can outsmart other people are not clever enough to do so.

                • people who think they can outsmart other people are not clever enough to do so.

                  Well, they can outsmart some people, but yes. If you really think you're the smartest one in the room, then your comeuppance is only a matter of time -- and usually, not very much time.

                  • Well... even if you genuinely are the smartest person in the room, the second and third smartest people in the room, working together, are smarter than you. Only a few people in the world are ever so much smarter than everyone else as to leave any potential rival in the dust. Those people tend to wind up having elements or units of measurement named after them.

              • by HiThere ( 15173 )

                Well, you can't really assert that any are honest, unless you consider deceptive phrasing honest. There's a small amount of evidence that those which actually are honest are regularly put out of business by government officials.

                So you can rephrase that as: some are lying, some may be honest, and we can't really distinguish between the two. But the honest ones may be an empty set.

            • by qbast ( 1265706 )
              You can't verify their claims in any way so assume they do.
              • Agree.

                I've been at this for over 30 years and I've found that the best way to avoid capture is to refrain from risky behaviour.

                There's a lot that I could do, (as can you), but I know there are people like us who can catch people like us.

      • by AmiMoJo ( 196126 ) on Sunday October 08, 2017 @10:43AM (#55331247) Homepage Journal

        It also forces the security services to actively target you and expend some extra effort to get your data.

        In some countries, e.g. the UK, ISPs are required to log and hand over such data pretty much on demand to the police, and of course you have outfits like GCHQ and the NSA doing mass surveillance.

        A VPN increases to cost to spy on you from nearly zero to something that will discourage casual snooping and a lot of abuse. It's not perfect but it's a useful line of defence.

    • Get a VPN they said ... you'll be anonymous, they said.

      You will be anonymous until the VPN gets a warrant for specific information.

      If you want to be entirely anonymous then you will need to set up proxies using multiple hacked IoT devices in nations that will not cooperate.

      • If you want to be entirely anonymous then you will need to set up proxies using multiple hacked IoT devices in nations that will not cooperate.

        So say you.

        Where do you publish your guarantee, and how do we know you're not outright lying like Pure VPN is?

    • by Ramze ( 640788 )

      VPNs aren't meant to keep people anonymous. They just obscure the origin IP address enough to where an average site may not know for certain who is visiting and law enforcement would have to request account connection details -- time and origin of connection, user name, actual name, length of time of connection, bandwidth usage, etc. Sure, VPNs don't usually record what sites you visit, but the sites themselves keep detailed logs that include the IP address of the VPN used... which in this situation corre

      • by JohnFen ( 1641097 ) on Sunday October 08, 2017 @11:11AM (#55331369)

        VPNs aren't meant to keep people anonymous.

        Yes, this is exactly correct. VPNs don't disguise endpoints or decorrelate access times.

        Personally, I use a VPN solely so that I don't have to worry quite as much when I'm connecting through WiFi access points that I don't control (open access points, workplace WiFi, etc.).

        I'm not even trying to hide from my ISP (since, at some point, my datastream is going to be exposed to an ISP anyway -- at least this way, I know which one I'm exposed to). So, I don't use a third party VPN. I run my own VPN server, and my devices all use that.

        Security is always a tradeoff, and others may not find this one acceptable for their situation and preferences. But it works for me.

      • by hey! ( 33014 )

        Cyberstalking generally isn't something that people who are good at thinking things through and restricting their behaviors accordingly do.

      • VPNs aren't meant to keep people anonymous.

        Really? From their site: [purevpn.com].

        Anonymity: PureVPN replaces your real IP with one of our abundant IPs, allowing you to use the internet freely whilst remaining completely invisible.

        • That's just Pure being deceptive. The point that VPNs aren't designed to keep you anonymous is true regardless of what they say.

          • True. However, the uninformed will jump all over that statement by PureVPN and run with it.

            I think deceptive trade practices should apply, but predict that a lot of sites would be quickly editing their narrative.

      • by HiThere ( 15173 )

        "The moron" believed the promises made on the services web page. There seem to be a lot of people here that accept deceptive phraseology as honest, but it's interesting that many of them post as Anonymous Coward. One might almost think someone has hired a reputation management company.

        That said, I agree with your statements about the design of VPNs. But that's not saying what the company that's selling the service promises. And the promise *could* be essentially correct, if they actually never saved the

  • VPN vendors were PureVPN and WANSecurity.
    He also used a secure email and Tor but no indication that logs or info was pulled from those.

    --For the karma whoring.
    • by gweihir ( 88907 )

      Tor has no logs. This has been tested and verified, also bu diverse law-enforcement agencies, time and again. That does not make Tor absolutely secure, large traffic analysis, insecure user behavior and zero-days in the browser (or failure to update) can still de-anonymize Tor users though. The Tor project has a nice collection of documents on these things.

  • Roll your own (Score:4, Insightful)

    by DaMattster ( 977781 ) on Sunday October 08, 2017 @10:58AM (#55331307)
    You could roll your own VPN by purchasing a VPS and routing your traffic through it but even that will only give you a little bit more privacy. At some point the data that you send will have to be decrypted in order to be sent out to the internet at large. Authorities can see the point at which the decryption is taking place and trace it back to that end-point IP address. It is a trivial matter to see who the IP address belongs to. The VPS provider could then be issued a subpoena to get your information. The whole VPN thing is really misunderstood. It's really a way to make it harder for an ISP to grab and monetize your browsing data or even a way to protect your identity on an untrusted network.
    • by Ayano ( 4882157 )
      The internet is forever, you can't really disappear on the grid as much as one would like to believe. You can hide, but you'll be found in time.

      The best defense is not to do dumb stuff in the first place.
      • The best defense is not to do dumb stuff in the first place.

        That doesn't protect you from other entities doing dumb or abusive stuff, though.

  • by 140Mandak262Jamuna ( 970587 ) on Sunday October 08, 2017 @10:59AM (#55331309) Journal

    Special Agent in Charge of the Federal Bureau of Investigation, Boston Field Division. “This kind of behavior is not a prank, and it isn't harmless. He allegedly scared innocent people, and disrupted their daily lives, because he was blinded by his obsession. No one should feel unsafe in their own home, school, or workplace, and the FBI and our law enforcement partners hope today's arrest will deter others from engaging in similar criminal conduct.”

    This jerk has degraded the trustworthiness of ALL bomb threat calls, ALL emergency distress calls. As incidents like this increase, as people figure out better ways to hide their tracks, more people will do such things. In the end the police and emergency services will take time to check veracity and trustworthiness of the caller before responding. False alarms will increase cost for all tax payers. Some stalking victims could actually be raped or violated due to such postings.

    This guy is evil, he should be punished so severely others don't even fantasize doing such things.

    • Comment removed (Score:4, Insightful)

      by account_deleted ( 4530225 ) on Sunday October 08, 2017 @11:19AM (#55331413)
      Comment removed based on user account deletion
      • Unfortunately, severely punishing somebody for a crime has a negligible effect on discouraging anybody else from committing the same crime. I guarantee that at no point did this person ever think, "I wonder what happened to others who have stalked and harassed people? What's my risk vs. reward ratio here?"

        Then, pray tell, what would have non-negligible deterrent effect?

        Are you claiming people don't fear punishment or getting caught at all?

        • Comment removed based on user account deletion
        • by green1 ( 322787 )

          Studies have shown that the thing that makes people think twice is the perception that they'll be caught, and not the severity of the punishment. From that stand point the publicity around punishing someone helps, but giving them a stiffer sentence does not. (Note I said perception that they'll be caught rather than likelihood of being caught, because the 2 are not really related)

          It also doesn't help that the human mind tends to think in terms of exceptionalism, people always think they're smarter than the

      • Re: (Score:3, Insightful)

        by JohnFen ( 1641097 )

        Citing "deterrence" is very often a thin disguise over the real intent: vengeance.

        • Whats wrong with vengeance? As long as the target of vengeance deserved it, As long as the amount of vengeance is comparable to the amount of affront, I see nothing wrong in vengeance.

          You, of course, retain the right to refrain from vengeance. You have the right not to file charges when you are the victim.

          You also have the right to tell other victims to give up vengeance, not to file charges and practice universal love.

          And they have the right to ask you to go fly a kite.

          • Whats wrong with vengeance?

            A "justice system" is supposed to result in justice. Vengeance isn't justice, it's emotional expression.

    • Have bomb threat calls EVER been considered trustworthy? When I was in college in the '90s, most professors included wording in their syllabuses to the effect that exams would most definitely NOT be cancelled or postponed in the event of a bomb threat; and gave a meeetup point elsewhere on campus where we would be expected to show up and take our exams in the event that a bomb threat was called in for the building in which our exam was scheduled. That would indicate to me that, by that point in time about

  • Sure you can write disparaging remarks, insult other people anonymously; but the moment you start performing malicious actions causing deliberate targeted harm, that mask can come off mighty fast.
  • Something doesn't sound quite right about this. From TFA:

    The logs showed how within the span of minutes the same VPN IP address had logged into Lin's real Gmail address, another Gmail address used for some of the threats, and a Rover.com account Lin created to discover Smith's real phone number.

    Gmail has forced HTTPS since 2014. What are we being asked to believe here?

    • Perhaps that the feds issued a search warrant to get the Gmail logs?

      • That's certainly possible, but it just reinforces my point. If they had the Gmail logs, they wouldn't need anything from PureVPN but the IP address association for the customer's session (which PureVPN's privacy policy by my read doesn't explicitly exclude from logging). Activity logs showing that particular session accessed Gmail, without actual account information, might perhaps reinforce what the Gmail logs already showed, but wouldn't independently show anything.

        And if it wasn't necessary for PureVPN

  • by gweihir ( 88907 ) on Sunday October 08, 2017 @12:13PM (#55331599)

    VPN services are nice if you want to pretend to be in another geographically location, but the claims of security are pure marketing. Incidentally, anybody that cares to find out knows that. And no VPN service that is run commercially can say "no" when the Feds want logs to be recorded and handed to them. Lavabit is an extremely rare exception (and just did anonymous email, not VPN) and it can be seen nicely in their case what happens after such a "no". The CEO is lucky to not end up in prison.

    At this time, the only VPN service with actual security is Tor and even there, you anonymity can be compromised by attacks on the client or making mistake while using it. And, of course, a large-scale traffic analysis can break even Tor. The thing with Tor is however, that nobody that can break it will admit so for a mere cyberstalking case. It would have to be something really, really large for anybody to admit that they can compromise Tor itself.

    • And no VPN service that is run commercially can say "no" when the Feds want logs to be recorded and handed to them.

      Sure they can. By "feds" I'm assuming you one of America's three letter agencies. The reality is that there are many countries in the world who don't play America's bullshit game.

  • does your VPN (website, Tor network, etc) hosts child pornography, Islamic State glorification materials, bomb making manuals?

    If yes, then the website is private.

You know you've landed gear-up when it takes full power to taxi.

Working...