

Lulzsec fiasco - from HideMyAss VPN provider - gapanalysis
http://blog.hidemyass.com/2011/09/23/lulzsec-fiasco/
It is very naive to think that by paying a subscription fee to a VPN service you are free to break the law without any consequences.
======
DeusExMachina
I find it curious that they first state this:

 _"As stated in our terms of service and privacy policy our service is not to
be used for illegal activity, and as a legitimate company we will cooperate
with law enforcement if we receive a court order"_

And then this:

 _"In 2005 we setup HMA primarily as a way to bypass censorship of the world-
wide-web whether this be on a government or a corporate/localized scale."_

If censorship is government driven, it means that the law prohibits you from
seeing some things. If you still do it, you get arrested because you are
breaking the law. This is an illegal activity and they should cooperate with
law enforcement, as stated in the first point.

So, how do they decide what is illegal but permitted and what is not? If they
allow some illegal behavior and not some other, they are actually judging the
morality of an act, and not whether it respects laws.

~~~
blake8086
I came in here to ask exactly that. They explicitly "forbid" illegal activity
and then immediately promote their service as a way of breaking other
countries' laws.

~~~
objclxt
Exactly - I think they're a bit confused in their language. When HMA say:

"our VPN service and VPN services in general are not designed to be used to
commit illegal activity"

...what they actually mean is:

"...not designed to be used to commit illegal activity _in the USA_ "

Clearly one of their main selling points is the ability to circumvent
censorship in countries where that's a problem. For better or for worse,
trying to get around such restrictions can very well be illegal.

Of course, I'm not saying trying to get round oppressive censorship is a bad
thing. Of course it's not - but HMA don't seem to acknowledge the hypocrisy of
on the one hand saying "use our service to get around your government's laws"
whilst on the other saying "but don't do any illegal activity!".

The _real_ reason HMA have that attitude is that being based in the US they
have everything to fear from US government action. This is the same reason
online poker sites actively and aggressively block US players - because
chances are at some point in the future you're going to do business in the US,
and you don't want it coming back to bite you in the ass.

Similarly, why should HMA care about China or Iran getting upset at their
service? But it's much more inconvenient if the FBI starts poking around,
because they're based in the USA (I think).

~~~
hmacom
We are not based in the US, we are a UK company, and operate using UK law
only.

------
toyg
It's quite ironic how he says "Our VPN service and VPN services in general are
not designed to be used to commit illegal activity", and then "there are many
other legitimate uses such as the ability to unblock GEO-restricted websites."

Hello, why do you think most of those sites are geo-restricted? Because of
copyright _laws_. Circumventing those blocks in most cases means you're
breaking those laws -- at the very minimum, you're breaking contractual
obligations that you and the service are supposed to obey under penalty, and
at worst you're committing fraud by claiming you come from a different
country. By caving to the court order without a fight, HMA's owner opened the
gates to every copyright troll under the sun to come knocking for logs, court
order in hand.

I'm the first to admit I've used HMA's webproxy to get around some stupid
company firewall; I knew perfectly well I was breaking company policy and
could have been sanctioned. I clearly relied on HMA not to spill the beans.
It's called HIDE MY ASS, for g*d's sake. Nice to see I was wrong.

A privacy service lives or dies on its reputation, and HMA's reputation is now
gone forever.

~~~
nupark2
_Hello, why do you think most of those sites are geo-restricted? Because of
copyright laws. Circumventing those blocks in most cases means you're breaking
those laws -- at the very minimum, you're breaking contractual obligations
that you and the service are supposed to obey under penalty, and at worst
you're committing fraud by claiming you come from a different country._

Using a different IP address is, _in absolutely no way_ , a mechanism for
claiming that you come from a different country.

If I live on the Canadian border, and get my internet access via long-range
wireless from the US, am I committing "fraud" by presenting a "US" IP address?

~~~
toyg
If it can be proved, beyond reasonable doubt, that you're using that IP on
purpose, with the only aim to bypass such geographical restrictions on content
distribution against the will of content owners... well, it'll be a tough day
in court.

Note that I'm not saying that IP == actual physical person or GeoIP == actual
physical location. A lawyer would have to prove that you were using that
computer, with that specific IP, on that date-time, and you were accessing
that content in full knowledge of the fact that only US-based consumers were
allowed to do that... Which is very difficult, but not impossible. Laws are
always _interpreted_ , at the end of the day.

~~~
kevinpet
Then they'd have to show that spoofing your country was actually illegal, as
opposed to just against their policies. Don't fall into the trap of equating
terms of service with laws.

------
randomaccount4
Throwaway account here.

I've actually done work for the owner of this website, on this particular
service (front end) and another couple of services that he runs (back end). He
is a good guy - I believe people are reading into this a bit too much. In the
end, he is just like us; trying to build a business or businesses. He runs a
few websites that are fairly successful, and I believe he sold one a year or so
ago - good for him. I don't think he means any harm, or is trying to make a
political statement - or be righteous in any way. He is just a guy, trying to
make a buck. Maybe he made a mistake in the way he handled this, maybe he
didn't.

For other people making comments about double standards when he obeys US law,
but is circumventing laws of other countries. The fact is, he is a citizen of
the UK, not the US. Just put yourself in his shoes - You run this website, the
US govt. comes knocking at your door looking for records - what do you do?
Thought so.

It happened. A guy committed a crime in a country with a lot of influence.
Said influence persuaded another guy to hand over records and he complies (or
else face the consequences). Move on.

~~~
thaumaturgy
And if the U.S. decides to assist with some other country's pursuit of a
political dissident? Do you help then, too?

> _You run this website, the US govt. comes knocking at your door looking for
> records - what do you do?_

You truthfully say that you don't have any records to provide, because
responsible privacy services don't log their customers' activities. I think
that's the one part of this situation that I don't understand: why were there
records in the first place?

Regardless, a lot of his customers -- the ones providing half of his revenue
for this business -- are now aware that the service monitors their activities.

~~~
randomaccount4
He states that only two things are recorded - the time you start using the
service, and the time you stop.

I assume the FBI pieced that crime together based on this data. I honestly
don't know much more than that, or what he has been up to in the past 2 years.
I just know him from previously doing work for him, and thought I could give
some insight to who he is and what he's like.

~~~
thaumaturgy
Three things would have to be recorded in that case: the "you" part of the
start & stop times, as well as the times themselves.

I'll take your word for it that he's a decent person. I certainly have no
reason to think otherwise. But that doesn't change that his service is
recording information that it ought not to be.

~~~
TheCapn
I'm sort of interested how you plan to make profit by billing unknown sources
for use of your services...

A _responsible business_ that wishes to comply with tax law and other
important parts of making a living needs to have record of income.

~~~
zizee
The service charges a monthly or yearly fee for unlimited data transfer. They
don't need to log when you actually use the service.

------
nikcub
I was always curious as to what they were doing to hide their identities. I
read the logs, and I am a bit disappointed that the extent of their methods of
hiding themselves were so narrow - involving only VPN providers.

The old way of doing this was to own a series of boxes around the world and
setup your own SOCKS server, ssh forwards etc. You use boxes that are being
used internally at small companies for email or web hosting, meaning that
there aren't any admins on there looking for weird traffic patterns.

You setup a group of servers like that, and chain them together. Symlink all
logs to null, and make sure the first box you jump onto is the most
unsuspecting (and one that you have most control over).

With a group that I was a member of 10+ years ago we would abandon boxes that
had a sysadmin that seemed like he/she knew what they were doing (looking at
history logs) or boxes that had a lot of user activity on them but not a lot
of resources (it only takes one user to wonder why the net connection is slow
for the exploit and you to be found). The best bet was to scan for old ftpd's
running on old kernels.

These were boxes that had been bought and setup for something like email or a
small webpage and then forgotten about (usually setup by external IT). You
patch the exploit so nobody else can get it, install a backdoor, and not do
anything noticeable. We had access to such boxes for _years_ and as far as I
know we were never noticed by anybody.

VPN providers are constantly monitoring for abuse, and when they get a law
enforcement notice they will comply. It is only a matter of time before you
get caught if you are using them. I would suspect that law enforcement found
out which VPN providers were being used some months ago, and set up honeypots
at each one waiting for members of anonymous to reconnect.

------
pavelkaroukin
For some reason I sympathize with this team, but really.. if you are such a
high-profile hacker group, why use a mostly-legitimate-use VPN service when
you can buy:

1) a VPN service hosted in a bot net (i.e. on zombie machines)

2) hosting on a bot net (i.e. one you cannot stop at all, and cannot track)

These "services" are quite possible to buy and they are not really expensive.
The only downside is link speed, which should be pretty slow keeping in mind
that bots are hosted on regular home PCs on adsl/cable internet connections..

~~~
icebraining
At least don't use a VPN on the same jurisdiction! That's a big WTF.

------
morpher
From an edit to the article: "We have had a few queries as to our logging
policies. We only log the time you connect and disconnect from our service, we
do not log in any shape or form your actual internet traffic."

So, the information possibly gained by law enforcement is that "account X was
connected to our proxy service at the time the crime was committed". I don't
know how large their user base is, but it seems unlikely that the above is all
that informative. Unless there are enough "criminal events" to knock the total
"set of users connected during all events" down to a manageable size.

~~~
eatm0rewaffles
We also have no idea what other potential information the source requesting
the information has to correlate it to.
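The narrowing that morpher describes above, and the extra correlation data eatm0rewaffles points to, can be made concrete. The following is an added example, not code from the thread or from HMA: it runs an intersection attack over connect/disconnect records of the kind HMA says it keeps. The session log, the account names and the event timestamps are all constructed for the example; the `slack` parameter is an assumption about how an investigator would absorb clock skew between the VPN's logs and, say, a victim's web-server logs.

```python
# Added example (not from the HN thread or HMA): an "intersection attack" over
# VPN connect/disconnect logs. Each known attacker-activity time yields the set
# of accounts online at that moment; intersecting those sets across several
# events shrinks the candidate pool, even though no traffic was logged.
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

Session = Tuple[str, datetime, Optional[datetime]]

ONE_HOUR = timedelta(hours=1)

# Constructed sample log, one session per line: account, connect, disconnect
# (UTC, ISO-8601). "-" means the session had not ended when the log was pulled.
# Hypothetical data, not real HMA records.
SESSION_LOG = """\
acct_1001 2011-06-20T01:00:00 2011-06-20T03:30:00
acct_1002 2011-06-20T02:00:00 2011-06-20T02:30:00
acct_1003 2011-06-20T02:10:00 2011-06-20T06:00:00
acct_1004 2011-06-20T01:50:00 2011-06-20T02:20:00
acct_1005 2011-06-20T03:00:00 2011-06-20T04:00:00
acct_1006 2011-06-20T00:00:00 2011-06-20T01:00:00
acct_1001 2011-06-21T22:00:00 2011-06-21T23:00:00
acct_1002 2011-06-21T20:00:00 2011-06-21T21:00:00
acct_1003 2011-06-21T22:30:00 2011-06-22T01:00:00
acct_1005 2011-06-21T22:00:00 2011-06-21T23:30:00
acct_1001 2011-06-25T15:00:00 2011-06-25T16:00:00
acct_1003 2011-06-25T13:00:00 2011-06-25T15:00:00
acct_1004 2011-06-25T14:00:00 2011-06-25T14:30:00
acct_1007 2011-06-25T13:50:00 -
"""

# Constructed timestamps at which the investigator believes the attacker was
# active, e.g. taken from a victim's web-server logs (the "other information"
# that gets correlated against the VPN's records).
EVENTS = [
    datetime(2011, 6, 20, 2, 15),
    datetime(2011, 6, 21, 22, 40),
    datetime(2011, 6, 25, 14, 5),
]


def parse_sessions(text: str) -> List[Session]:
    """Parse the whitespace-separated log into (account, start, end) tuples;
    an open session has end=None."""
    sessions: List[Session] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        account, start, end = line.split()
        sessions.append((
            account,
            datetime.fromisoformat(start),
            None if end == "-" else datetime.fromisoformat(end),
        ))
    return sessions


def online_at(sessions: List[Session], t: datetime,
              slack: timedelta = timedelta(0)) -> Set[str]:
    """Accounts with a session covering t. `slack` widens every session on
    both ends so that clock skew between log sources does not drop the real
    culprit from the candidate set (at the cost of more false candidates)."""
    online: Set[str] = set()
    for account, start, end in sessions:
        if start - slack <= t and (end is None or t <= end + slack):
            online.add(account)
    return online


def narrow_candidates(sessions: List[Session], events: List[datetime],
                      slack: timedelta = timedelta(0)) -> List[Set[str]]:
    """Candidate set after each successive event: the intersection of the
    accounts online at every event processed so far."""
    history: List[Set[str]] = []
    candidates: Optional[Set[str]] = None
    for t in events:
        online = online_at(sessions, t, slack)
        candidates = online if candidates is None else candidates & online
        history.append(set(candidates))
    return history


def intersection_attack(sessions: List[Session], events: List[datetime],
                        slack: timedelta = timedelta(0)) -> Set[str]:
    """Final candidate set once all events have been intersected."""
    history = narrow_candidates(sessions, events, slack)
    return history[-1] if history else set()


if __name__ == "__main__":
    sessions = parse_sessions(SESSION_LOG)
    for t, cands in zip(EVENTS, narrow_candidates(sessions, EVENTS)):
        print(f"after event at {t.isoformat()}: "
              f"{len(cands)} candidate(s) {sorted(cands)}")
    print("final:", sorted(intersection_attack(sessions, EVENTS)))
    print("with 1h slack:", sorted(intersection_attack(sessions, EVENTS, ONE_HOUR)))
```

With the constructed data a single event leaves four accounts in play, two events leave two, and three events leave one; adding an hour of slack keeps a second account in the final set, which is the trade-off an investigator faces when the two log sources are not known to share a clock. The point for a "we only log connect and disconnect times" provider is that those two timestamps plus the account identifier are already enough to run this.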

------
hmacom
I've updated the blog post with some edits that may answer some of the
questions here.

-HMA

------
ricksta
Why don't these guys hack from a virtual machine, in Starbucks, then delete
the virtual machine, then never visit the same coffee shop again? How would
they get traced from doing that?

~~~
kevinpet
MAC address, store security tapes, cell phone geo tracking data.

I mean, you're right, face in a huge crowd is potentially more security than
hidden really well, but it's not perfect either.

~~~
hennypenny
MAC addresses are easily changed. You don't have to be in a store, or even
near it, to use its wifi. And you don't have to bring your cell. Or you could
use a throwaway prepaid.

Long story short, no competent hacker would get caught using hidemyass, and
the Feds are once again putting on a dog and pony show.

------
hidethis
He's such a good guy that he prevents anyone from commenting on his blog.

His willingness to play junior deputy for corrupt governments is disturbing.
He says UK court but that's nonsense. He's getting a call and coughing up
everything out of fear. Oh and a couple of his servers are doing mitm on
Gmail. It's been noticed by others and posted in his forum.

------
hidethis
Now the log retention is 30 days? He said 5 on the forum. Nothing but lies. He
received a phone call, nothing from a court. Someone is going to prison for
FIFTEEN YEARS for nothing. It's disgusting.

I wouldn't be surprised if they log EVERYTHING because they mine the traffic.
It's how they under sell other providers.

Boycott this garbage

------
eli
IANAL, but just because your terms say the service may not be used for illegal
things it doesn't mean you can't also be culpable.

If I purchase stolen goods from a thief, I might be breaking the law even if
the thief has signed a contract swearing the goods aren't stolen.

~~~
jemka
That example doesn't really apply since the law is explicit about stolen
property, which this case has nothing to do with.

~~~
eatm0rewaffles
Wait a minute, didn't these guys steal a whole bunch of information?
Downloading a song and stealing credit card numbers seem to be two different
types of theft.

------
redthrowaway
Anyone who can access the site mind posting the article for those of us stuck
behind work proxies? Much obliged.

~~~
blhack
Lulzsec fiasco
Posted on September 23, 2011

We have received concerns by users that our VPN service was utilized by a
member or members of the hacktivist group ‘lulzsec’. Lulzsec have ALLEGEDLY
been responsible for a number of high profile cases such as:

- The hacking of the Sony Playstation network which compromised the names,
  passwords, e-mail addresses, home addresses and dates of birth of thousands
  of people.
- The DDOS attack which knocked the British government's SOCA (Serious
  Organised Crime Agency) and other government websites offline.
- The release of various sensitive and confidential information from companies
  such as AT&T, Viacom, Disney, EMI, NBC Universal, and AOL.
- Gaining access to NATO servers and releasing documents regarding the
  communication and information services (CIS) in Kosovo.
- The defacement of British newspaper websites The Sun & The Times.
- The hacking of 77 law enforcement sheriff websites.

It first came to our attention when leaked IRC chat logs were released; in
these logs participants discussed the various VPN services they use, and it
became apparent that some members were using our service. No action was taken;
after all there was no evidence to suggest wrongdoing and nothing to identify
which accounts with us they were using. At a later date it came as no surprise
to have received a court order asking for information relating to an account
associated with some or all of the above cases. As stated in our terms of
service and privacy policy our service is not to be used for illegal activity,
and as a legitimate company we will cooperate with law enforcement if we
receive a court order (equivalent of a subpoena in the US).

Our VPN service and VPN services in general are not designed to be used to
commit illegal activity. It is very naive to think that by paying a
subscription fee to a VPN service you are free to break the law without any
consequences. This includes certain hardcore privacy services which claim you
will never be identified; these types of services that do not cooperate are
more likely to have their entire VPN network monitored and tapped by law
enforcement, thus affecting all legitimate customers.

We would also like to clear up some misconceptions about what we do and what
we stand for. In 2005 we setup HMA primarily as a way to bypass censorship of
the world-wide-web whether this be on a government or a corporate/localized
scale. We truly believe the world-wide-web should be world-wide and not
censored in any way. A prime example of this would be the Egyptian revolution,
for which our service played a key role for protesters gaining access to
websites such as Twitter which were blocked by the government; we experienced
record traffic during this time. Although our web proxy accounts for a high
percentage of our traffic, our VPN service accounts for nearly all of our
revenue. Our main customer base use our VPN service to ensure their sensitive
web traffic cannot be intercepted on insecure networks, though there are many
other legitimate uses such as the ability to unblock GEO-restricted websites.
Rummage through our review database and you’ll be able to gain a decent
understanding of who uses our service and why.

Edit: We have had a few queries as to our logging policies. We only log the
time you connect and disconnect from our service, we do not log in any shape
or form your actual internet traffic.

------
skeptical
I agree with numerous opinions in here that consider this a fiasco. Many say
that the law must be interpreted in its context (UK) and that the guy behind
the service couldn't do much, etc. But honestly, why put up a service
bragging about fighting the power all the time, specifically pointing out that
it can be used to circumvent censorship, etc., if you're going to give in at
the first trouble. I don't recall them clearly stating that their service was
not meant to provide means to those breaking laws. If they are so loyal to
some country's law, then they should clearly state it, instead of bragging
about how cool they are by rebelling against some other country's law.

I say, if you put a service like this up, stand up for its integrity, or else
don't bother creating it in the first place.

