The recent LulzSec arrests have highlighted the fact that virtual private network providers are under no obligation to safeguard the privacy of your online communications. Now dissidents must question who they can trust online.
On September 22, Cody Kretsinger was arrested by the FBI for his part in the hack of Sony Pictures Entertainment by LulzSec. The hack had resulted in the personal information of more than 37,500 people who had registered for online promotions being leaked to the public. The hack itself and the reasons behind it have become secondary to this story; it came as part of a campaign against Sony by the Anonymous and LulzSec groups, after Sony pursued PlayStation 3 hackers and in particular George Hotz, aka “GeoHot”.
What made this arrest notable is that the FBI tracked Kretsinger, or “recursion” as he was also known, by obtaining logs of his activity from a proxy service provider called Hide My Ass (HMA). HMA knew from the chat logs published by the Guardian newspaper that LulzSec members had been using their service, but had chosen not to act on it. This changed when they were allegedly served with a court order in the UK.
There is now some expectation that a second LulzSec hacker “Neuron”, who had also admitted to using the HMA service, might be tracked down.
The actions of HMA in handing over logs to the FBI have been a rude awakening for many and have sparked condemnation from commentators on Twitter. It illustrates how many in the hacker community have strong principles that they expect others of “like mind” to hold – it’s just who happens to be in the group of “like minds” at any one time that is the issue.
HMA is a commercial company that markets its services by exploiting the idea that it is supportive of the hacker’s cause – even somewhat cynically trading on their role in aiding Egyptian protesters in circumventing government censorship to access Twitter. To many in the West, including in government and security circles, there is nothing wrong with helping an Egyptian resident to break a law in a country whose government had effectively lost their support. However, the issue is a practical rather than a moral one: it is far less likely that the Egyptian government could obtain a UK court order to persuade a service such as HMA to hand over logs.
Other virtual private network (VPN) providers such as AirVPN have come out to condemn HMA’s actions and question statements issued by them that “all VPN providers keep logs”. AirVPN do not keep logs and accept anonymous payment by Bitcoin. They also question HMA’s motivation in handing over logs. Privacy International has also questioned the actions of a provider that sells itself on the ability to keep your online activity anonymous and untraceable.
In the chatroom logs of several LulzSec hackers there is some discussion about how to stay secure and, in particular, how to use VPN technology to remain unidentified. A VPN connection makes a user’s traffic appear to come from the VPN server rather than from the user’s own network: the client opens an encrypted tunnel to a server run by the provider, which forwards the traffic to its destination under the server’s own IP address. VPN service providers establish servers in multiple countries and allow users to connect to these.
The most common reason for using these services would be to appear as if you are a user in the US, for example, so that you could bypass any restrictions imposed by your local Internet service provider or government. Users range from Chinese residents attempting to access blocked sites such as Facebook, to residents outside the US wanting to watch streaming video only available to US residents.
The issue with VPN services is that, as the HMA/LulzSec episode has highlighted, a provider has no obligation to keep private the details of the communication through its service. Because the tunnel terminates on the provider’s server, the provider sees the user’s real source address alongside every destination visited and the time of each connection, which is exactly what a log records.
Although HMA claimed in this case that they were served a court order, there is no evidence that they received anything other than a request from the FBI. Being UK based, it is unlikely that the FBI would have been able to obtain a UK court order for an activity that occurred in the US. Rather, HMA might have been concerned that their business would have been affected and servers in the US shut down. There is also another possibility: services like HMA are referred to as “Honeypots” – services set up by authorities to masquerade as independent commercial operations.
Given that HMA is a commercial organisation, it was curious that the LulzSec hackers would have used it and other services like it. An alternative to these commercial services is a system called Tor. Tor was originally developed as a project of the US Naval Research Laboratory and received further support from the Electronic Frontier Foundation (EFF) and other donors. Tor works by having the user’s computer wrap its traffic in several layers of encryption, one for each relay on a path through volunteer-run Tor servers (typically three). Each relay strips one layer and learns only which hop the traffic came from and which hop it goes to next; the last relay, the exit, removes the final layer and forwards the traffic to its destination. No single relay, and no observer watching a single point on the path, sees both where the communication originated and where it is going. If the traffic is also encrypted end to end (for example with TLS), the exit cannot read its contents either.
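The contrast between the single VPN hop described above (one server that sees both the user and the destination) and Tor’s layered design is easiest to see in code. The following is an added illustration written for this page, not Tor’s own code: relay names, the destination, the request and the pre-shared relay keys are all constructed, and the cipher is HMAC-SHA256 run in counter mode, a toy stand-in for the AES-CTR keys that Tor negotiates with each relay via a Diffie-Hellman handshake.

```python
"""Toy onion routing: one encryption layer per relay, peeled hop by hop.

Added illustration, not Tor's own code. Tor negotiates a fresh AES-CTR key
with each relay via a Diffie-Hellman handshake; here the relay keys are
assumed to be pre-shared, and the cipher is HMAC-SHA256 run in counter mode
(a toy PRF stream cipher, enough to show how the layers nest).
"""
import hashlib
import hmac
import os

HOP_FIELD = 32  # fixed-width "forward to" field at the front of each layer


def stream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (toy cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def wrap_layer(key, next_hop, body):
    """Client side: encrypt (next_hop || body) under one relay's key."""
    field = next_hop.encode()
    if len(field) > HOP_FIELD:
        raise ValueError("hop name too long for header field")
    nonce = os.urandom(16)
    return nonce + stream_xor(key, nonce, field.ljust(HOP_FIELD, b"\0") + body)


def peel_layer(key, onion):
    """Relay side: remove one layer; learn only the next hop and an opaque blob."""
    nonce, ciphertext = onion[:16], onion[16:]
    plaintext = stream_xor(key, nonce, ciphertext)
    next_hop = plaintext[:HOP_FIELD].rstrip(b"\0").decode()
    return next_hop, plaintext[HOP_FIELD:]


def build_onion(keys, path, dest, payload):
    """Wrap inside-out: the exit's layer goes on first, the guard's last."""
    forward_to = path[1:] + [dest]          # what each relay should send on to
    onion = payload
    for relay, next_hop in reversed(list(zip(path, forward_to))):
        onion = wrap_layer(keys[relay], next_hop, onion)
    return onion


def run_circuit(keys, path, dest, payload):
    """Simulate the relays and record the (previous, next) pair each one sees.

    That pair is everything a relay's log could hold about the flow: with a
    path of length one (a plain VPN) it is (client, destination) in a single
    place; with three relays no single log links the two ends.
    """
    onion = build_onion(keys, path, dest, payload)
    observed = {}
    prev = "client"
    for relay in path:
        next_hop, onion = peel_layer(keys[relay], onion)
        observed[relay] = (prev, next_hop)
        prev = relay
    return observed, onion      # `onion` is now what the last relay delivers


def demo(path=None, end_to_end_key=None):
    """Constructed scenario: relay names, destination and request are made up."""
    path = path or ["guard", "middle", "exit"]
    dest = "example.org:443"
    keys = {r: hashlib.sha256(r.encode()).digest() for r in path}  # assumed pre-shared
    request = b"GET /forum HTTP/1.1\r\nHost: example.org\r\n\r\n"
    if end_to_end_key is not None:
        # "Combined with secure communication": encrypt for the destination
        # itself (standing in for TLS) so even the exit sees only ciphertext.
        nonce = os.urandom(16)
        payload = nonce + stream_xor(end_to_end_key, nonce, request)
    else:
        payload = request
    observed, delivered = run_circuit(keys, path, dest, payload)
    return observed, delivered, request


if __name__ == "__main__":
    for p in (["vpn"], None):
        seen, _, _ = demo(path=p)
        for relay, (prev, nxt) in seen.items():
            print(f"{relay:>7}: from {prev} -> to {nxt}")
```

Running it with `path=["vpn"]` shows the single hop recording `("client", "example.org:443")`, the pairing a provider’s log hands to whoever serves the order; with the three-relay path the guard sees the client but not the destination, the exit sees the destination but not the client, and the middle sees neither. Passing an `end_to_end_key` shows the other half of the caveat: without it the exit delivers the request in the clear.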
Tor does have known weaknesses: an exit relay can read any traffic that is not encrypted end to end, and an adversary able to watch both ends of a connection can correlate timing. Combined with the project’s own browser bundle, which is configured to avoid the application-level leaks (plugins, DNS lookups outside the tunnel) that would otherwise undo the anonymity, it can nonetheless allow users to remain largely anonymous.
The LulzSec hackers apparently avoided Tor because it slows down every interaction on the Internet. Normal download speeds can be 10 times slower whilst using Tor.
The VPN provider AirVPN advises users to always run its VPN service over Tor, so that the provider only ever sees the address of a Tor exit relay rather than the user’s real IP address.
The arrest of Cody Kretsinger has served as an object lesson to the hacker community of the difficulties in remaining anonymous and untraceable on the Internet. More to the point, however, a considerable amount of background information had been leaked to the press in the first place by a former LulzSec group member, “m_nerva”, who was later identified as Marshal Webb from Ohio.
The lesson that the hackers have learned the hard way is also a salutary one for all dissidents, whistle-blowers and activists. In these situations where so much is at stake, no precaution is too great. From now on, a general awareness of tools such as Tor and similar systems (Freenet and JonDonym) will become as fundamental as knowing how to use a browser. In all of this, commercial companies and networks will always act in their own interests. In the end it comes down to a simple, unfortunate fact: it’s hard to trust anyone when your life depends on it.