Lulzsec fiasco - from HideMyAss VPN provider

95 points by gapanalysis, over 13 years ago
It is very naive to think that by paying a subscription fee to a VPN service you are free to break the law without any consequences.

13 comments

DeusExMachina, over 13 years ago
I find it curious that they first state this:

"As stated in our terms of service and privacy policy our service is not to be used for illegal activity, and as a legitimate company we will cooperate with law enforcement if we receive a court order"

And then this:

"In 2005 we setup HMA primarily as a way to bypass censorship of the world-wide-web whether this be on a government or a corporate/localized scale."

If censorship is government driven, it means that the law prohibits you from seeing some things. If you still do it, you get arrested because you are breaking the law. This is an illegal activity and they should cooperate with law enforcement, as stated in the first point.

So, how do they decide what is illegal but permitted and what is not? If they allow some illegal behavior and not some other, they are actually judging the morality of an act, and not whether it respects laws.
toyg, over 13 years ago
It's quite ironic how he says "Our VPN service and VPN services in general are not designed to be used to commit illegal activity", and then "there are many other legitimate uses such as the ability to unblock GEO-restricted websites."

Hello, why do you think most of those sites are geo-restricted? Because of copyright *laws*. Circumventing those blocks in most cases means you're breaking those laws -- at the very minimum, you're breaking contractual obligations that you and the service are supposed to obey under penalty, and at worst you're committing fraud by claiming you come from a different country. By caving to the court order without a fight, HMA's owner opened the gates to every copyright troll under the sun to come knocking for logs, court order in hand.

I'm the first to admit I've used HMA's webproxy to get around some stupid company firewall; I knew perfectly well I was breaking company policy and could have been sanctioned. I clearly relied on HMA not to spill the beans. It's called HIDE MY ASS, for g*d's sake. Nice to see I was wrong.

A privacy service lives or dies on its reputation, and HMA's reputation is now gone forever.
randomaccount4, over 13 years ago
Throwaway account here.

I've actually done work for the owner of this website, on this particular service (front end) and another couple services that he runs (back end). He is a good guy - I believe people are reading into this a bit too much. In the end, he is just like us; trying to build a business/s. He runs a few websites that are fairly successful, and I believe he sold one a year or so ago - good for him. I don't think he means any harm, or is trying to make a political statement - or be righteous in any way. He is just a guy, trying to make a buck. Maybe he made a mistake in the way he handled this, maybe he didn't.

For other people making comments about double standards when he obeys US law, but is circumventing laws of other countries. The fact is, he is a citizen of the UK, not the US. Just put yourself in his shoes - You run this website, the US govt. comes knocking at your door looking for records - what do you do? Thought so.

It happened. A guy committed a crime in a country with a lot of influence. Said influence persuaded another guy to hand over records and he complies (or else face the consequences). Move on.
nikcub, over 13 years ago
I was always curious as to what they were doing to hide their identities. I read the logs, and I am a bit disappointed that the extent of their methods of hiding themselves was so narrow - involving only VPN providers.

The old way of doing this was to own a series of boxes around the world and set up your own SOCKS server, ssh forwards etc. You use boxes that are being used internally at small companies for email or web hosting, meaning that there aren't any admins on there looking for weird traffic patterns.

You set up a group of servers like that, and chain them together. Symlink all logs to null, and make sure the first box you jump onto is the most unsuspecting (and one that you have most control over).

With a group that I was a member of 10+ years ago we would abandon boxes that had a sysadmin that seemed like he knew what he/she was doing (looking at history logs) or boxes that had a lot of user activity on them but not a lot of resources (it only takes one user to wonder why the net connection is slow for the exploit and you to be found). The best bets were to scan for old ftpd's running on old kernels.

These were boxes that had been bought and set up for something like email or a small webpage and then forgotten about (usually set up by external IT). You patch the exploit so nobody else can get it, install a backdoor, and not do anything noticeable. We had access to such boxes for *years* and as far as I know we were never noticed by anybody.

VPN providers are constantly monitoring for abuse, and when they get a law enforcement notice they will comply. It is only a matter of time before you get caught if you are using them. I would suspect that law enforcement found out which VPN providers were being used some months ago, and set up honeypots at each one waiting for members of Anonymous to reconnect.
pavelkaroukin, over 13 years ago
For some reason I sympathize with this team, but really... if you are such a high-profile hacker group, why use a mostly-legitimate-use VPN service when you can buy:

1) VPN service hosted in the bot net (i.e. on zombie machines)

2) hosting on the bot net (i.e. one you can not stop at all, you can not track it)

These "services" are quite possible to buy and they are not really expensive. The only downside is link speed, which should be pretty slow keeping in mind that bots are hosted on regular home PCs on ADSL/cable internet connections.
morpher, over 13 years ago
From an edit to the article: "We have had a few queries as to our logging policies. We only log the time you connect and disconnect from our service, we do not log in any shape or form your actual internet traffic."

So, the information possibly gained by law enforcement is that "account X was connected to our proxy service at the time the crime was committed". I don't know how large their user base is, but it seems unlikely that the above is all that informative. Unless there are enough "criminal events" to knock the total "set of users connected during all events" down to a manageable size.
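The narrowing described in the comment above, as an added example that is not part of the original thread or of HMA's systems: it intersects the sets of accounts connected at each event time, using only connect/disconnect records. The account names, session times and event times are constructed sample data.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample log: (account, connect time, disconnect time).
SESSIONS = [
    ("acct_a", "2011-06-01 10:00", "2011-06-01 12:00"),
    ("acct_a", "2011-06-03 21:00", "2011-06-03 23:00"),
    ("acct_a", "2011-06-07 01:00", "2011-06-07 03:00"),
    ("acct_b", "2011-06-01 09:30", "2011-06-01 11:30"),
    ("acct_b", "2011-06-03 20:00", "2011-06-03 22:00"),
    ("acct_c", "2011-06-01 08:00", "2011-06-01 18:00"),
    ("acct_c", "2011-06-07 02:00", "2011-06-07 02:30"),
    ("acct_d", "2011-06-01 10:45", "2011-06-01 11:15"),
    ("acct_e", "2011-06-01 12:30", "2011-06-01 13:00"),
    ("acct_e", "2011-06-03 21:15", "2011-06-03 21:45"),
    ("acct_e", "2011-06-07 00:00", "2011-06-07 06:00"),
]

# Constructed times of the events being correlated against the log.
EVENTS = ["2011-06-01 11:00", "2011-06-03 21:30", "2011-06-07 02:15"]


def parse(ts):
    return datetime.strptime(ts, FMT)


def connected_at(sessions, when):
    """Return the set of accounts with a session covering `when`."""
    return {
        account
        for account, start, end in sessions
        if parse(start) <= when <= parse(end)
    }


def narrow(sessions, events):
    """Return the candidate list remaining after each successive event."""
    candidates = None
    history = []
    for event in events:
        online = connected_at(sessions, parse(event))
        # Keep only accounts that were online at every event so far.
        candidates = online if candidates is None else candidates & online
        history.append(sorted(candidates))
    return history


if __name__ == "__main__":
    for event, remaining in zip(EVENTS, narrow(SESSIONS, EVENTS)):
        print(event, "->", remaining)
```
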
hmacom, over 13 years ago
I've updated the blog post with some edits that may answer some of the questions here.

-HMA
ricksta, over 13 years ago
Why don't these guys hack from a virtual machine, in Starbucks, then delete the virtual machine, then never visit the same coffee shop again? How would they get traced from doing that?
hidethis, over 13 years ago
He's such a good guy that he prevents anyone from commenting on his blog.

His willingness to play junior deputy for corrupt governments is disturbing. He says UK court but that's nonsense. He's getting a call and coughing up everything out of fear. Oh and a couple of his servers are doing MITM on Gmail. It's been noticed by others and posted in his forum.
hidethis, over 13 years ago
Now the log retention is 30 days? He said 5 on the forum. Nothing but lies. He received a phone call, nothing from a court. Someone is going to prison for FIFTEEN YEARS for nothing. It's disgusting.

I wouldn't be surprised if they log EVERYTHING because they mine the traffic. It's how they undersell other providers.

Boycott this garbage
eli, over 13 years ago
IANAL, but just because your terms say the service may not be used for illegal things it doesn't mean you can't also be culpable.

If I purchase stolen goods from a thief, I might be breaking the law even if the thief has signed a contract swearing the goods aren't stolen.
redthrowaway, over 13 years ago
Anyone who can access the site mind posting the article for those of us stuck behind work proxies? Much obliged.
skeptical, over 13 years ago
I agree with numerous opinions in here that consider this a fiasco. Many say that the law must be interpreted in its context (UK) and that the guy behind the service couldn't do much, etc. But honestly, why put up a service bragging to fight the power all the time, specifically pointing out that it can be used to circumvent censorship, etc. if you're going to give in at the first trouble. I don't recall them clearly stating that their service was not meant to provide means to those breaking laws. If they are so loyal to some country law, then they should clearly state it, instead of bragging how cool they are by rebelling against some other country law.

I say, if you put a service like this up, stand up for its integrity, or else, don't bother creating it in the first place.