Hide My Ass proxy server
In most instances, using a Virtual Private Network (VPN) is sufficient to hide your real identity while online. However, as Cody Kretsinger found out while using just this type of service from the UK-based company Hide My Ass, this might not always be the case.
For the record, I do not condone illegal activities using VPN services, nor on the Internet. So let's look at what happened. In September 2011 the FBI arrested Cody Kretsinger, a 23-year-old Phoenix resident, and charged him with conspiracy and unauthorized impairment of a protected computer, the Sony Pictures website. According to Reuters, Kretsinger pleaded guilty to both charges and could face up to 15 years in prison. “I joined LulzSec, your honor, at which point we gained access to the Sony Pictures website,” Kretsinger, known online as “recursion”, told the judge after entering his guilty plea, as reported by Wire. LulzSec was considered a spinoff of Anonymous, a group of hacker-activists operating worldwide.
Earlier, in March 2011, the FBI had arrested a core member of LulzSec, Hector Xavier Monsegur, also known as “sabu”, who apparently turned into an informant for the FBI. In June, hackers associated with LulzSec, allegedly including Kretsinger, hacked into SonyPictures.com and compromised personal information of more than 1 million users. Sony Pictures had to notify 37,500 users that their personal info might be at risk.
London-based Virtual Private Network provider Hide My Ass (HMA) appears to have played a vital role in Kretsinger’s arrest. A leaked IRC chat log revealed that hackers, including Kretsinger aka “recursion”, boasted about their illegal activities online and used HMA to conceal their identities. Hackers assume fake online identities and go to great lengths to hide their location and other identifiable details for obvious reasons.
It appears that the FBI traced a hack into Sony back to an IP address owned by HMA and promptly got a UK court order demanding logs from HMA, an incident HMA dubbed the “LulzSec Fiasco” in a post on their blog on September 23rd, 2011. When leaked IRC chat logs revealed that some LulzSec members used HMA to conceal their identities, HMA didn’t take any action, they stated on their blog; however, later they made it clear that “Our VPN service and VPN services in general are not designed to be used to commit illegal activity. It is very naive to think that by paying a subscription fee to a VPN service you are free to break the law without any consequences.” They then went on to say that “We would also like to clear up some misconceptions about what we do and what we stand for. In 2005 we setup HMA primarily as a way to bypass censorship of the world-wide-web whether this be on a government or a corporate/localized scale. We truly believe the world-wide-web should be world-wide and not censored in anyway.”
In later edits of this blog post they indicate that they do not log a user’s activity, just the log-on and log-off events; that they do this to identify abusive users; that they complied with UK law; and finally, that there isn’t a UK law prohibiting them from helping Egyptians access social networks such as Twitter, which was blocked by that country’s government.
While I appreciate HMA addressing these issues openly rather than sweeping them under the rug, the incident points to a serious flaw in the system. When you are selling a service that claims to protect a user’s privacy, hence identity, you can’t turn around later and reveal just that to authorities without appearing at least a little insincere.