This recently-surfaced report of self-proclaimed "no logging VPN service" EarthVPN - one of a bubbling morass of recently-created, carbon-copy, technically inept entrants into the network security market - outs them as not only keeping logs, but also providing logs to police. When called out for doing that, EarthVPN publicly denied it, claimed their server was "seized," and then spun up a bullshit story about how "DDoS protection service" magically allowed the datacentre (who they will not identify, which is utterly laughable) to "identify" the customer in question.
Note that the corresponding sea of bloggers and other sycophants who post about the "VPN service" market has studiously ignored this story since last fall. Hats off to School of Privacy and Wipe Your Data for outing this story, so that others can learn from it... even if "journalists" seem constitutionally incapable of noting such examples of fraud, deceit, and technical incompetence in a market that seems to make up a disproportionate share of their advertising revenues of late.
My comment in reply to the story as posted:
It will take only a tiny bit of sleuthing to determine what colo earthvpn was using in Holland about six months ago; this is trivially easy to verify. There's only a few larger datacentres in the city (& surrounding areas, such as Den Haag). Indeed, I can likely guess the one they're using as it's used by many low-end, newcomer "VPN services" looking for cheap capacity.
Why could I hazard such a guess off the top of my head on such a specific topic? Well actually, I was part of the team that first put a "VPN server" in Amsterdam (Den Haag, more specifically) for use by customers... in 2007. So I am somewhat familiar with the landscape there, and also with the cancerous growth of technically inept "VPN services" bilking money from unsuspecting customers.
Finally, while I'm tempted to do a more formal write-up elsewhere, let me be crystal clear about something: a claim that "datacentre logs" could be used to "identify a customer" of a legitimate network security service (aka, "VPN service") is complete, total horseshit. Making such a claim either means that "earthvpn" is so ignorant of the fundamentals of network security that they can say this and actually think it's true (which seems unlikely... I mean, that's astonishing ignorance) or that they think they can lie their ass off and nobody will notice because most folks trust other folks to tell the truth, more or less... particularly when they are speaking in a professional capacity on a technical subject.
Whichever the case, it's disgusting. (Yes, I am familiar with theoretical traffic-analysis-based attacks on network anonymity and, no, it is not in the least bit likely that this was deployed in the current context - indeed, it's an attack that has yet to be documented in the wild and has not even proved successful in the NSA's extensive & well-funded campaign to subvert Tor's security model... so to imagine that local Dutch cops have perfected such a technique is laughable. Simply put, they placed a call to the morons running "earthvpn" who promptly caved - just like HideMyAss, vtunnel.com, and others in the past who have been publicly exposed for doing this... and there's a hell of a lot more who have done it but not yet been outed in public, this I know firsthand - when faced with a little bit of pressure... then, they lied about it to try to blame someone else.)
What the lesson learned here says is this: don't "trust" some me-too, technically inept, inexperienced, profit-driven, marketing-heavy "VPN service" to protect you from a damned thing. These newbie cash-grab schemes are all the rage nowadays... but their security is statistically indistinguishable from zero. We've been documenting this drift towards hypeware/scamware for years... hell, I've been writing detailed technical forensic posts on specific examples myself, for years. One after another. Earlier this week, I worked with Baneki Privacy Labs to expose a "VPN service" that's circulating identical 'private keys' for RSA session validation to every single fucking customer, and posting the keys publicly online... and, at least one other "VPN service" is using identical 'private keys' in their own crypto configuration. No, I am not making this up. It's posted and documented.
You know what? Nobody cares.
No journalists or bloggers follow these debacles. Nobody asks hard questions of these "VPN services" that betray their customers, screw up their tech so badly that it's utterly useless as a "security" tool... or both. The entire model of "scammy me-too 'VPN service' runs ads on scammy 'VPN review' website and gets great reviews from said website, leading to SEO nirvana and tons of sign-ups" has grown roots so deep it seems like nobody's willing to note the emperor's lack of clothes.
Well, the emperor is indeed stark naked.
This is good to know if you're someone who is investing in "VPN service" because they actually need network security and not merely because they want to engage in a charity campaign to support incompetent technologists too lazy or clueless to get a real job doing real tech work that really provides value.
Hats off to schoolofprivacy.eu for publicizing this, and to Wipe Your Data for noting it in the first place. Now, let's see if TorrentFreak's boys jump all over it (like their "report" on the "alien technology" proof crypto snake oil of PIA) and Ars writes up an expose. Or not. You can guess what my prediction is, for whatever it's worth...
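One concrete check a customer can run against the identical-private-key problem the comment above describes, added here as an example (not code from this post, from Baneki Privacy Labs, or from any provider named): it scans a set of OpenVPN client bundles and flags any inline private key that was issued to more than one customer. The bundle contents, hostnames and customer names are constructed; the key material is not a real key.

```python
"""Audit OpenVPN client bundles (.ovpn) for private keys shared between
customers. Added example; the bundles below are constructed, not real."""
import hashlib
import re
from typing import Dict, List, Optional

# An inline PEM key in an .ovpn file sits between <key> and </key> tags.
_KEY_BLOCK = re.compile(r"<key>\s*(.*?)\s*</key>", re.DOTALL)


def key_fingerprint(bundle_text: str) -> Optional[str]:
    """SHA-256 of the inline private key, or None if the bundle has no
    <key> block (e.g. it references an external file instead)."""
    m = _KEY_BLOCK.search(bundle_text)
    if not m:
        return None
    # Strip all whitespace so a re-wrapped copy of the same key still matches.
    body = "".join(m.group(1).split())
    return hashlib.sha256(body.encode()).hexdigest()


def find_shared_keys(bundles: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each fingerprint found in more than one customer's bundle to the
    customers carrying it. A non-empty result means the 'private' key is not."""
    seen: Dict[str, List[str]] = {}
    for customer, text in bundles.items():
        fp = key_fingerprint(text)
        if fp:
            seen.setdefault(fp, []).append(customer)
    return {fp: who for fp, who in seen.items() if len(who) > 1}


def _bundle(key_lines: str) -> str:
    """Build a minimal constructed .ovpn with an inline key (hostname is fake)."""
    return ("client\nremote vpn.example.invalid 1194\n"
            "<key>\n-----BEGIN PRIVATE KEY-----\n" + key_lines +
            "\n-----END PRIVATE KEY-----\n</key>\n")


# Constructed sample: alice and bob received the same key (bob's copy is
# wrapped differently), carol received a distinct one.
SAMPLE_BUNDLES = {
    "alice": _bundle("MIIEvQIBADANBgkqhkiG9w0BAQEFAASC\nBKcwggSjAgEAAoIBAQC"),
    "bob":   _bundle("MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC"),
    "carol": _bundle("MIIEvgIBADANBgkqhkiG9w0BAQEFAASC\nBKgwggSkAgEAAoIBAQD"),
}

if __name__ == "__main__":
    for fp, who in find_shared_keys(SAMPLE_BUNDLES).items():
        print(f"shared private key {fp[:16]}... issued to: {', '.join(who)}")
```

If the same fingerprint also matches a key posted publicly by the provider, as the comment describes, then anyone holding that file can present the same client identity to the server.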