Security Tool – Server Logs on VPN Accounts: HideMyAss case
Last month it became clear that an alleged Lulzsec member who had carried out attacks on various organizations including Sony and the UK’s Serious Organised Crime Agency, had used an ‘anonymous’ VPN service supplied by HideMyAss. According to documents obtained by TorrentFreak, VPN providers worried by the bad publicity are now considering data sharing to combat ‘fraudsters’.
September 2011 will be a month that VPN provider HideMyAss will want to forget. Dozens of news outlets retold the story that an alleged Lulzsec member, allegedly partly responsible for attacks on Sony, the UK’s Serious Organised Crime Agency, AT&T, Viacom, Disney, EMI, NBC Universal, AOL and NATO, not to mention the newspapers The Sun & The Times, had used their services to remain anonymous.
But his plan failed in the biggest way imaginable. HideMyAss (HMA) keeps logs and, as a UK company, complies when served with a court order to hand over information. After matching timestamps to IP addresses, in the blink of an eye Lulzsec member ‘Recursion’ became 23-year-old Cody Kretsinger from Phoenix. The FBI had their man.
So, for the purposes of illustration, let’s dismiss the notion that the service was used to attack Sony. Let’s pretend it was a dissident, or a government whistleblower, or some other equally vulnerable individual relying on the service to provide anonymity, as advertised. Let’s be absolutely clear – thanks to the myriad of logs kept by HMA, when someone really needs to count on the service, there is no anonymity that a court order can’t destroy.
Many VPN companies argue that they don’t log the sites visited, but that some logs are necessary to make sure that ‘criminals’ can’t abuse their services. But logs don’t discriminate. Quite simply, criminal or not, if a VPN provider logs the external IP addresses it hands out to a user along with a timestamp, subscribers are not anonymous.
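To make the point concrete, here is an added illustration (not code from the article or from HMA) of why an IP-plus-timestamp session log is enough to identify a subscriber: the log records, account names, exit IP addresses and times are all constructed, and the only join needed is "which account held this exit IP at this moment". It also shows the two cases that matter for a privacy assessment: a shared exit IP handed to different accounts back to back, where the answer hinges on timestamp precision and clock skew, and a provider that keeps no such log, where the lookup simply returns nothing.

```python
from datetime import datetime, timedelta

# Constructed sample of the kind of session log the article describes:
# subscriber account, exit IP handed out, session start and end (UTC).
# Note the same exit IP given to two accounts one after the other.
SESSION_LOG = [
    {"account": "user1042", "exit_ip": "203.0.113.17",
     "start": "2011-09-20 21:10:00", "end": "2011-09-20 23:45:00"},
    {"account": "user0877", "exit_ip": "203.0.113.17",
     "start": "2011-09-20 23:48:00", "end": "2011-09-21 02:30:00"},
    {"account": "user3319", "exit_ip": "203.0.113.42",
     "start": "2011-09-20 22:00:00", "end": "2011-09-20 23:00:00"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def resolve_subscriber(log, exit_ip, seen_at, skew=timedelta(0)):
    """Return the sorted accounts whose session covers (exit_ip, seen_at).

    `skew` widens each session by that margin on both sides to model
    clock disagreement between the provider's log and the observer's.
    An empty `log` (a provider that keeps no session records) can never
    yield a match, whatever is observed.
    """
    t = _ts(seen_at)
    hits = {
        entry["account"]
        for entry in log
        if entry["exit_ip"] == exit_ip
        and _ts(entry["start"]) - skew <= t <= _ts(entry["end"]) + skew
    }
    return sorted(hits)


if __name__ == "__main__":
    # Unambiguous: one account held the IP at that time.
    print(resolve_subscriber(SESSION_LOG, "203.0.113.17", "2011-09-20 22:30:00"))
    # Near a hand-over, a 5-minute skew tolerance yields two candidates.
    print(resolve_subscriber(SESSION_LOG, "203.0.113.17", "2011-09-20 23:49:00",
                             skew=timedelta(minutes=5)))
    # No log kept: nothing to match against.
    print(resolve_subscriber([], "203.0.113.17", "2011-09-20 22:30:00"))
```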
But while all VPN providers have a duty to uphold the law and be accountable to the government in the country where they are based, not all of them are required by law to keep logs – so they don’t. But who are they?