"no logging" EarthVPN caught handing logs to cops

Encouraging best practices in the VPN industry via independent, community-certified verification of clean installers and clean basic service operations. Let's reward the good, and make the bad a little bit less tempting 〰 github repo#cleanVPN
User avatar
Posts: 612
Joined: Sun Dec 16, 2012 6:34 am

"no logging" EarthVPN caught handing logs to cops

Post by Pattern_Juggled » Sat Jan 11, 2014 1:15 pm

{direct link: cryptostorm.ch/nologs_not}

This recently-surfaced report of self-proclaimed "no logging VPN service" EarthVPN - one of a bubbling morass of recently-created, carbon-copy, technically inept entrants into the network security market - outs them as not only keeping logs, but also of providing logs to police. When called out for doing that, EarthVPN publicly denied it, claimed their server was "seized," and then spun up a bullshit story about how "DDoS protection service" magically allowed the datacentre (who they will not identify, which is utterly laughable) to "identify" the customer in question.

Note that the corresponding sea of bloggers and other syncophants who post about the "VPN service" market has studiously ignored this story since last fall. Hats off to School of Privacy and Wipe Your Data for outing this story, so that others can learn from it... even if "journalists" seem constitutionally incapable of noting such examples of fraud, deceit, and technical incompetence in a market that seems to make up a disproportionate share of their advertising revenues of late.

My comment in reply to the story as posted:
It will take only a tiny bit of sleuthing to determine what colo earthvpn was using in Holland about six months ago; this is trivially easy to verify. There's only a few larger datacentres in the city (& surrounding areas, such as Den Haag). Indeed, I can likely guess the one they're using as it's used by many low-end, newcomer "VPN services" looking for cheap capacity.

Why could I hazard such a guess off the top of my head on such a specific topic? Well actually, I was part of the team that first put a "VPN server" in Amsterdam (Den Haag, more specifically :-) for use by customers... in 2007. So I am somewhat familiar with the landscape there, and also with the cancerous growth of technically inept "VPN services" bilking money from unsuspecting customers.

Finally, while I'm tempted to do a more formal write-up elsewhere, let me be crystal clear about something: a claim that "datacentre logs" could be used to "identify a customer" of a legitimate network security service (aka, "VPN service") is complete, total horseshit. Making such a claim either means that "earthvpn" is so ignorant of the fundamentals of network security that they can say this and actually think it's true (which seems unlikely... I mean, that's astonishing ignorance) or that they think they can lie their ass off and nobody will notice because most folks trust other folks to tell the truth, more or less... particularly when they are speaking in a professional capacity on a technical subject.

Whichever the case, it's disgusting.
(yes, I am familiar with theoretical traffic-analysis-based attacks on network anonymity and, no, it is not in the least bit likely that this was deployed in current context - indeed, it's an attack that has yet to be documented in the wild and has not even proved successful in the NSA's extensive & well-funded campaign to subvert Tor's security model... so to imagine that local Dutch cops have perfected such a technique is laughable. Simply put, they placed a call to the morons running "earthvpn" who promptly caved - just like HideMyAss, vtunnel.com, and others in the past who have been publicly exposed for doing this... and there's a hell of alot more who have done it but not yet been outed in public, this I know firsthand - when faced with a little bit of pressure... then, they lied about it to try to blame someone else)

What the lesson learned here says is this: don't "trust" some me-too, technically inept, inexperienced, profit-driven, marketing-heavy "VPN service" to protect you from a damned thing. These newbie cash-grab schemes are all the rage nowadays... but their security is statistically indistinguishable from zero. We've been documenting this drift towards hypeware/scamware, for years... hell, I've been writing detailed technical forensic posts on specific examples myself, for years. One after another. Earlier this week, I worked with Baneki Privacy Labs to expose a "VPN service" that's circulating identical 'private keys' for RSA session validation to every single fucking customer, and posting the keys publicly online... and, at least one other "VPN service" is using identical 'private keys' in their own crypto configuration. No, I am not making this up. It's posted and documented.

You know what? Nobody cares.

No journalists or bloggers follow these debacles. Nobody asks hard questions of these "VPN services" that betray their customers, screw up their tech so badly that it's utterly useless as a "security" tool... or both. The entire model of "scammy me-too 'VPN service' runs ads on scammy 'VPN review' website and gets great reviews from said website, leading to SEO nirvana and tons of sign-ups" has grown roots so deep it seems like nobody's willing to note the emperor's lack of clothes.

Well, the emperor is indeed stark naked.

This is good to know if you're someone who is investing in "VPN service" because they actually need network security and not merely because they want to engage in a charity campaign to support incompetent technologists too lazy or clueless to get a real job doing real tech work that really provides value.

Hats off to schoolofprivacy.eu for publicizing this, and for Wipe Your Data for noting it in the first place. Now, let's see if TorrentFreak's boys jump all over it (like their "report" on the "alien technology" proof crypto snake oil of PIA)- and Ars writes up an expose. Or not. You can guess what my prediction is, for whatever it's worth...

~ pj
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

[list]✨ ✨ ✨[/list]
pj@ðëëþ.bekeybase pgpmit pgpðørkßöt-on-consolegit 'er github

User avatar
Posts: 119
Joined: Mon Dec 17, 2012 2:37 am

"Absolutely no logs" <--- except for, you know, the logs

Post by Graze » Sat Jan 11, 2014 1:18 pm

My avatar is pretty much what I look like. ;) <-- ...actually true, says pj
WebMonkey, Foilhat, cstorm evangelnomitron.
Twitter: @grazestorm.
For any time sensitive help requests, best to email the fine bots in support@cryptostorm.is or via Bitmessage at BM-NBjJaLNBwWiwZeQF5BMLYqarawbgycwJ ;)

User avatar
Posts: 434
Joined: Mon Aug 05, 2013 11:39 am

Re: "no logging" EarthVPN caught handing logs to cops

Post by marzametal » Sat Jan 11, 2014 1:27 pm