
SoylentNews is people

posted by CoolHand on Monday October 09 2017, @02:10PM
from the not-as-safe-as-you-think dept.

Submitted via IRC for TheMightyBuzzard

A Massachusetts man was arrested late last week on suspicion of conducting a cyberstalking campaign against a female former roommate, her friends, and family. Court documents reveal that logs, obtained by the FBI from privacy service PureVPN, helped the prosecution. Until now, PureVPN had always maintained it carried no logs - almost.

[...] if one drills down into the PureVPN privacy policy proper, one sees the following:

Our servers automatically record the time at which you connect to any of our servers. From here on forward, we do not keep any records of anything that could associate any specific activity to a specific user. The time when a successful connection is made with our servers is counted as a ‘connection’ and the total bandwidth used during this connection is called ‘bandwidth’. Connection and bandwidth are kept in record to maintain the quality of our service. This helps us understand the flow of traffic to specific servers so we could optimize them better.

This seems to match what the FBI says – almost. While it says it doesn’t log, PureVPN admits to keeping records of when a user connects to the service and for how long. The FBI clearly states that the service also captures the user’s IP address too. In fact, it appears that PureVPN also logged the IP address belonging to another VPN service (WANSecurity) that was allegedly used by Lin to connect to PureVPN.

I think I'll stick with PrivateInternetAccess who've had their lack of logging stand up in court.

Source: https://torrentfreak.com/purevpn-logs-helped-fbi-net-alleged-cyberstalker-171009/



Related Stories

FBI Director Christopher Wray Keeps War on Encryption Alive 61 comments

The new FBI Director Christopher Wray has been repeating the broken rhetoric of the Crypto Wars:

In recent testimony before Congress, the director of the FBI has again highlighted what the government sees as the problem of easy-to-use, on-by-default, strong encryption.

In prepared remarks from last Thursday, FBI Director Christopher Wray said that encryption presents a "significant challenge to conducting lawful court-ordered access," he said, again using the longstanding government moniker "Going Dark."

The statement was just one portion of his testimony about the agency's priorities for the coming year.

The FBI and its parent agency, the Department of Justice, have recently stepped up public rhetoric about the so-called dangers of "Going Dark." In recent months, both Wray and Deputy Attorney General Rod Rosenstein have given numerous public statements about this issue.

Remember to use encryption irresponsibly, and stay salty, my FBI friends.

Previously: FBI Chief Calls for National Talk Over Encryption vs. Safety
Federal Court Rules That the FBI Does Not Have to Disclose Name of iPhone Hacking Vendor
PureVPN Logs Helped FBI Net Alleged Cyberstalker
FBI Failed to Access 7,000 Encrypted Mobile Devices
Great, Now There's "Responsible Encryption"
FBI Bemoans Phone Encryption After Texas Shooting, but Refuses Apple's Help
DOJ: Strong Encryption That We Don't Have Access to is "Unreasonable"



This discussion has been archived. No new comments can be posted.
  • (Score: 3, Insightful) by TheGratefulNet on Monday October 09 2017, @02:34PM (4 children)

    by TheGratefulNet (659) on Monday October 09 2017, @02:34PM (#579277)

    I used to use PIA but they are UK based (from what I can gather) and the UK is about as far from trustable for privacy as you can get!

    also, their software worked for me for many months and then stopped. they could not figure it out and so I gave up.

    even if I got their software to work, I have many doubts about the company.

    --
    "It is now safe to switch off your computer."
    • (Score: 5, Interesting) by hemocyanin on Monday October 09 2017, @02:46PM

      by hemocyanin (186) on Monday October 09 2017, @02:46PM (#579279) Journal

      Anyone can say anything, but this is what PIA says on the topic: https://helpdesk.privateinternetaccess.com/hc/en-us/articles/229705288-Is-Private-Internet-Access-Located-In-A-Fourteen-Eyes-Country- [privateinternetaccess.com]

      Any paranoid scenario possible is probably reasonable to think about when using any VPN provider for nefarious purposes. Lin would probably have been better off using a coffee shop (with no video surveillance) or other person's wifi, though that isn't as straightforward today as open routers/WEP encryption are mostly a thing of the past.

    • (Score: 2) by The Mighty Buzzard on Monday October 09 2017, @03:14PM

      by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Monday October 09 2017, @03:14PM (#579284) Homepage Journal

      US-based. Always have been as far as I know. And if you sign up through non-obvious payment means all you really have to worry about is live capture; they've already proven they'll shut down operations rather than comply with that.

      --
      My rights don't end where your fear begins.
    • (Score: 3, Informative) by number11 on Monday October 09 2017, @03:17PM

      by number11 (1170) Subscriber Badge on Monday October 09 2017, @03:17PM (#579286)

      I used to use PIA but they are UK based (from what I can gather) and the UK is about as far from trustable for privacy as you can get!

      While PIA is owned by a company called "London Trust Media, Inc.", that company appears to be US-based. That may, or may not, make you feel better about them.

    • (Score: 2) by EvilSS on Monday October 09 2017, @05:45PM

      by EvilSS (1456) Subscriber Badge on Monday October 09 2017, @05:45PM (#579332)
      PIA has brushed off requests for logs in the past with the "Sorry, we don't have any" reply to the courts involved.
  • (Score: 0) by Anonymous Coward on Monday October 09 2017, @03:15PM (2 children)

    by Anonymous Coward on Monday October 09 2017, @03:15PM (#579285)

    NotSoPureVPN, suits better.

    • (Score: 2) by frojack on Monday October 09 2017, @08:19PM (1 child)

      by frojack (1554) on Monday October 09 2017, @08:19PM (#579395) Journal

      Why? They followed their stated policy.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 0) by Anonymous Coward on Monday October 09 2017, @09:23PM

        by Anonymous Coward on Monday October 09 2017, @09:23PM (#579437)

        You are right, excuse my insipid comment.

  • (Score: 2, Interesting) by Anonymous Coward on Monday October 09 2017, @03:18PM (6 children)

    by Anonymous Coward on Monday October 09 2017, @03:18PM (#579287)

    Did SoylentNews ever have a warrant canary?

    • (Score: 5, Informative) by The Mighty Buzzard on Monday October 09 2017, @03:44PM (5 children)

      by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Monday October 09 2017, @03:44PM (#579289) Homepage Journal

      Nah. As far as I'm concerned though, consider the site not being nuked from orbit our warrant canary. Even if they did manage live access, they'll get salted and hashed IP addresses that they'll have to build an IPv4 rainbow table for. Beyond that, we only store the salted and hashed IP information for non-admin stuff for a very limited time; two weeks unless I'm mistaken.

      It's worth remembering that court orders are nothing but paper if even one of your admins is willing to serve prison time rather than give up your information. I wouldn't dream of speaking for the rest of the admin team but you lot should be quite familiar with my views on liberty by now and the fact that as a much younger Buzzard, I signed paper and swore an oath to the effect of being willing to get shot at/blown up/etc... for yours.

      Really, I'd worry far more about Linode (our primary VPS provider) giving them access without telling us staff types.

      --
      My rights don't end where your fear begins.
      • (Score: 3, Insightful) by DeathMonkey on Monday October 09 2017, @05:41PM (1 child)

        by DeathMonkey (1380) on Monday October 09 2017, @05:41PM (#579330) Journal

        Well the nice thing about records is that they have to already exist in order to be subpoena-able.

        Create (AND DOCUMENT!) your retention schedule, don't retain anything personally identifiable in the first place, and then follow it! If the man comes knocking, hand over your woefully inadequate logs and be perfectly legal. No dead Buzzards required.
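
The hashing and retention points from the two comments above, as an added example that is not SoylentNews code. It assumes SHA-256, a salt stored beside the log, and day-number timestamps; all function and class names are hypothetical, and the address comes from a documentation range.

```python
import hashlib
import hmac
import ipaddress
import secrets

RETENTION_DAYS = 14  # "two weeks", as stated in the comment above


def salted_hash(ip: str, salt: bytes) -> str:
    """Static-salt scheme (assumed): the salt lives next to the log."""
    return hashlib.sha256(salt + ip.encode()).hexdigest()


def recoverable_by_enumeration(digest: str, salt: bytes, network: str):
    """Check whether a logged digest maps back to an address in `network`.

    Anyone holding both log and salt can run this; IPv4 has only 2**32 inputs.
    """
    for addr in ipaddress.ip_network(network):
        if salted_hash(str(addr), salt) == digest:
            return str(addr)
    return None


class RotatingPseudonymizer:
    """HMAC with a random per-period key that is destroyed on rotation."""

    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.records = []  # (day, pseudonym) pairs; no raw addresses stored

    def log(self, day: int, ip: str) -> str:
        tag = hmac.new(self.key, ip.encode(), hashlib.sha256).hexdigest()
        self.records.append((day, tag))
        return tag

    def rotate(self, today: int) -> None:
        """Apply the retention schedule, then replace (and so forget) the key."""
        self.records = [(d, t) for d, t in self.records
                        if today - d < RETENTION_DAYS]
        self.key = secrets.token_bytes(32)
```

Records that survive a rotation still link visits from the same address within their period, but with the old key gone there is nothing left to enumerate against.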

      • (Score: 0) by Anonymous Coward on Monday October 09 2017, @08:38PM (2 children)

        by Anonymous Coward on Monday October 09 2017, @08:38PM (#579404)

        I take back all the times I said you're a old faggot even if everyone agreed with me.

        You're ok.

        • (Score: 3, Insightful) by The Mighty Buzzard on Monday October 09 2017, @10:36PM (1 child)

          by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Monday October 09 2017, @10:36PM (#579472) Homepage Journal

          Old faggots are like onions. They have layers.

          --
          My rights don't end where your fear begins.
          • (Score: 0) by Anonymous Coward on Tuesday October 10 2017, @04:59AM

            by Anonymous Coward on Tuesday October 10 2017, @04:59AM (#579636)

            ...now I'm visualizing goatse with half an onion dead centre.

            Ugh.

            Did you have to do that?

            My mental eyes are watering.

  • (Score: 3, Interesting) by frojack on Monday October 09 2017, @08:16PM (1 child)

    by frojack (1554) on Monday October 09 2017, @08:16PM (#579393) Journal

    I suspect the perp used the VPN just to perform his nefarious acts, then shut it down and went back to his normal provider.

    So any time he was on PureVPN he was engaged in whatever activity the FBI traced back to PureVPN. Probably he used email or other direct type of contact with the victims that leaves a log somewhere (like right in the headers).

    Match log A with log B and you can build a track even when ONLY connections are tracked, EVEN if Pure never kept outbound logs.

    It's not that hard if you have access to a bunch of logs along the route.

    People who incessantly start nattering about VPNs whenever the privacy issue comes up just totally miss the point. If ALL the traffic goes through the VPN for days on end you MIGHT be able to hide in the deluge, but if you log in, do your nasty, and log out it's a pointless exercise. You've left too many tracks in too many places.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 2) by The Mighty Buzzard on Monday October 09 2017, @10:34PM

      by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Monday October 09 2017, @10:34PM (#579471) Homepage Journal

      Which is why you want to use a busy VPN endpoint. So your traffic gets mixed in with that of as many other people as possible. No logs, no way to tell which person to trace it back to. In theory anyway.

      --
      My rights don't end where your fear begins.
  • (Score: 1) by corey on Tuesday October 10 2017, @01:34AM (2 children)

    by corey (2202) on Tuesday October 10 2017, @01:34AM (#579543)

    I'm all for VPNs (don't do any though) but the tone of TFS seems to focus on the problem with the VPN not being immune to feds. I suppose that's the more interesting part for SN.

    I think in this case, it's good this dude was busted. Well done to the FBI in getting him doing the dodgy shit. He was obviously trying to hide using the VPN.

    I'm always torn between privacy erosion and civil liberties concerns versus busting actual crims for the good of society when it comes to VPNs and encryption debates.

    • (Score: 0) by Anonymous Coward on Tuesday October 10 2017, @05:02AM

      by Anonymous Coward on Tuesday October 10 2017, @05:02AM (#579638)

      Cops should do everything they have technical and legal ability to do to catch crims.

      The technical ability should therefore have legal checks where the containing society encodes its values/needs with respect to privacy and civil liberties.

    • (Score: 0) by Anonymous Coward on Tuesday October 10 2017, @06:07AM

      by Anonymous Coward on Tuesday October 10 2017, @06:07AM (#579663)

      The only good thing about the stalker being caught is that it gave PureVPN users a clue that the service is shit. Everybody should be able to use a VPN with the expectation that the service will not give them up. It should be a dead end for law enforcement, but as long as the services operate in the U.S., they will be forced to give up their users like this.

      We should be having a debate not about VPNs and encryption, but on whether or not we want to pay for an FBI, NSA, CIA, DEA, etc. We should not be paying agencies to stockpile vulnerabilities and target privacy services. If that means a murderer or stalker gets to roam free, then lucky for them.

  • (Score: 2, Insightful) by pipedwho on Tuesday October 10 2017, @08:43AM

    by pipedwho (2032) on Tuesday October 10 2017, @08:43AM (#579700)

    This looks more like the FBI already suspected him and knew who he was from other evidence they'd gathered. He was her roommate after all. They'd also suspected that the cyber-stalking efforts and posts had most likely come from a single person. So once they had this 'other' evidence whatever it may have been (possibly he said something to someone or directly to the woman, or she caught him doing/saying something), the FBI started to correlate his online activity with time stamps on the 'harassment' postings.

    So after tracking his connections from his ISP to his VPN provider, and showing that 'coincidentally' on a few occasions he logged in to the VPN provider during those instances, they'd made a fair correlation that supported their existing evidence. The logs from the VPN provider would have then added further detail and points of interest to this evidence even though it may have only been login/logout times.

    So it's doubtful that the FBI backtracked him through the VPN provider, although that is definitely possible if they'd pored over the logs and noticed that his account logged in and out right before and after each 'incident'. If he did this enough times, the probability of this being a false positive would quickly asymptote towards zero, and certainty becomes pretty much guaranteed. A large amount of circumstantial evidence can be as good or better than a single piece of direct evidence.

    So the moral of the story is that if you're going to use a VPN provider, stay connected, don't just do a fly-by connect/disconnect for any dodgy activities. Although, if the provider isn't big enough, it's still possible that a negative correlation on all other accounts may imply a positive correlation on yours. i.e. even if you stay logged in, if your account is the only one that was logged in during every instance being tracked, it may still point the finger, albeit with less certainty.
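
The log-matching argument made in frojack's and pipedwho's comments, worked through as an added example that is not part of the original thread. It scores connection-only logs (connect time and duration, as in the quoted policy) against event timestamps with a binomial tail; the data is constructed, the account names and functions are hypothetical, and incident times are assumed independent of each account's schedule.

```python
from math import comb

WINDOW = 7 * 24 * 60  # observation window in minutes (one week)

# Constructed sample data, in minutes since the start of the window.
INCIDENTS = [600, 2500, 4000, 6100, 9000]  # timestamps of the tracked events

# Connection-only log: account -> list of (connect_minute, duration_minutes).
SESSIONS = {
    "fly-by":    [(t - 10, 30) for t in INCIDENTS],            # short sessions
    "always-on": [(0, WINDOW)],                                # one long session
    "evenings":  [(d * 1440 + 1080, 240) for d in range(7)],   # 18:00-22:00 daily
}


def hits(sessions, incidents):
    """Count incidents that fall inside any logged session."""
    return sum(any(s <= t < s + d for s, d in sessions) for t in incidents)


def online_fraction(sessions, window=WINDOW):
    """Share of the window the account was connected (non-overlapping sessions)."""
    return sum(d for _, d in sessions) / window


def chance_probability(sessions, incidents, window=WINDOW):
    """P(an unrelated account with this duty cycle covers >= k incidents).

    Binomial tail: n = incidents, p = online fraction, k = observed hits.
    """
    n, k = len(incidents), hits(sessions, incidents)
    p = online_fraction(sessions, window)
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))


def rank(all_sessions=SESSIONS, incidents=INCIDENTS):
    """Accounts ordered from least to most explainable by coincidence."""
    return sorted((chance_probability(s, incidents), hits(s, incidents), name)
                  for name, s in all_sessions.items())


if __name__ == "__main__":
    for prob, k, name in rank():
        print(f"{name:10s} hits={k}/{len(INCIDENTS)}  chance={prob:.2e}")
```

The always-on account also matches every incident but scores 1.0, so timing alone says nothing about it; only ruling out the other accounts would narrow it down, which is the weaker inference described in the last paragraph of the comment.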
