VPN Provider's No-Logging Claims Tested In FBI Case (torrentfreak.com) 67
An anonymous reader writes from an article published on TorrentFreak: [A] criminal complaint details the FBI's suspicions that 25-year-old Preston McWaters had conveyed "false or misleading information regarding an explosive device." The FBI started digging and in February 2016 two search warrants against Twitter and Facebook required them to turn over information on several accounts. Both did and the criminal complaint makes it clear that the FBI believes that McWaters was behind the accounts and the threats. With McWaters apparently leaving incriminating evidence all over the place (including CCTV at Walmart where he allegedly purchased a pre-paid Tracfone after arriving in his own car), the FBI turned to IP address evidence available elsewhere. "During the course of the investigation, subpoenas and search warrants have been directed to various companies in an attempt to identify the internet protocol (IP) address from where the email messages are being sent," the complaint reads. "All the responses from [email provider] 1&1, Facebook, Twitter, and Tracfone have been traced by IP address back to a company named London Trust Media [doing business as] PrivateInternetAccess.com. A subpoena was sent to London Trust Media and the only information they could provide is that the cluster of IP addresses being used was from the east coast of the United States," the FBI's complain reads. "However, London Trust did provide that they accept payment for their services through credit card with a vendor company of Stripe and/or Amazon. They also accept forms of payment online through PayPal, Bitpay, Bit Coin, Cash You, Ripple, Ok Pay, and Pay Garden."
While McWaters is yet to be found guilty, it's a sad fact that some people will use anonymizing services such as VPNs, pre-paid phones and anonymous email providers to harass others. And thankfully, as this case shows, they'll need to hide a lot more than their IP address to get away with that level of crime.
While McWaters is yet to be found guilty, it's a sad fact that some people will use anonymizing services such as VPNs, pre-paid phones and anonymous email providers to harass others. And thankfully, as this case shows, they'll need to hide a lot more than their IP address to get away with that level of crime.
Re: (Score:1)
It's "over the internet", so it's a whole new thing. We need a whole new set of laws specifically for this, with more significant penalties [of course, we will also charge you under the old laws as well].
Re: (Score:2)
In some places, you can buy a burner phone at a liquor store counter along with a pack of philly blunts (or Skoal) and a five-hour energy drink.
There are Mobil stations that sell burner phones for cash in Chicago.
Re: (Score:2)
If you think about it a second, you'll see why having a security camera at the point of sale does not tell you who is using a phone. Is there a law against me buying a burner phone and giving it to someone else?
Re: (Score:2)
No law against it, however you'll be charged with a dozen different terrorism related crimes until you break.
Re: (Score:2)
No law against it, however you'll be charged with a dozen different terrorism related crimes until you break.
I assumed that the people with something to hide just ask the homeless guy in the alley to go in and buy the phone in return for a few bucks.
Re: (Score:2)
That's not really the point.
Do you remember the case of the student doing terror threats against the university via tor? They did not have any more evidence than he was the only tor user on campus. But they did not need to. They visited him, asked him and he did not resist, but conceded. ...
When somebody already comes to ask you about the things, even when this is not the rubberhose type of interview, you probably will tell, if you're not a full grown criminal prepared to lie to the police / agencies /
Re: (Score:1)
The difference is that a university has 100% domination over its students. There is no legal framework, appeals system, or "right to study" that will allow you to defend yourself against the administration. If the university decides to boot you, for whatever reason, you are out. Period.
Luckily, "real life" is not like that. We have a set of laws to protect people and the right to be regarded as innocent until proven guilty is a very significant part of that. In **EVERY** case the prosecution must make a com
Re: (Score:2)
The main problem is another: The police stands in your door, sounds angry and you admit everything. No need for further investigation, they are witness in court and the decision is only what penalty you will get.
Okay, some people may have a pokerface and be prepared. But most are not.
Re: (Score:2, Insightful)
Maybe it's time for government to protect citizens and regulate corporations instead of the other way around.
Re: (Score:2)
Because corporations do most of the data collection.
Re: (Score:2)
Because corporations do most of the data collection.
Pretty much the only group that's more likely to abuse personal information than your governors.
Re: (Score:2)
but might one day want to be bad.
I don't want to be bad. I just want to negotiate business plans with people and not have some fucking legislator front-running my deals.
Re: (Score:1, Troll)
Liberal democrats ARE bad guys. The only variable is "how bad" they are.
So. PIA passes? (Score:1)
Looks to me like they have nothing for the FBI. No logs, nothing identifying anyone in particular.
This is what they promised.
Re: (Score:2)
If nothing else, this is great marketing for them - assuming it turns out to be true. I'll watch and consider changing/adding them.
Encryption and anonymization is a two edged sword (Score:5, Insightful)
2. It protects criminals' freedom to have their information private and not snooped on by others, or the government.
Can't have one without the other, people. If you give up one, you give up both.
No, that's wrong. (Score:4, Insightful)
You can certainly give up on legitimate uses of encryption, but criminals aren't going to quit using it themselves.
Therefore, the choice is not whether to give up freedom in return for safety, but whether to give up freedom in return for nothing of value at all. Unless you're a totalitarian sociopath, it's an easy choice!
Indeed (Score:5, Insightful)
"And thankfully, as this case shows, they'll need to hide a lot more than their IP address to get away with that level of crime."
Yes, they have to go to a local starbucks.
Re: (Score:2)
Re: (Score:2)
Go inside? Buy something? With a credit card?
Are you crazy? If you go there to commit a crime, you just _walk_ by with a gadget in your pocket.
+1 for PIA (Score:3)
Love their service.
Especially their API, which allows you to script stuff like port forwarding.
Got a nice little cronjob that automates the whole thing.
Highly recommended
Re: (Score:1)
Heck yeah. PIA is awesome. Glad to see that they are keeping their promise! :D
Re:+1 for PIA (Score:4, Interesting)
Just remember to cycle your connection periodically - at least once a day if not longer.
Even if a VPN provider doesn't log, if the authorities are fast enough, they can query who might be on a machine at a particular time and request that information be saved.
All VPN providers will "log" to that extent - they need to know you're logged in after all, so if you're logged into a machine for days at a time, they do have that information available while you're connected. By cycling your connection (disconnect then reconnect), you destroy any record that you were previously on and only have information when you were on now.
Also, don't be an idiot and use a machine as the only person on it. There are actually things called "real time DMCA" where they can deliver DMCA notices to users. But only if they can identify the user - so if you're the only person using a VPN server, makes life easy. Ditto if you use port-forwarding and such since while you're connected, that port is yours and can be accounted for.
The "no logging" part of any VPN means that the moment you disconnect, all trace of your activities as well as the fact you even logged in, are gone. But while you are connected, a temporary "log entry" is created for book-keeping and system upkeep purposes, and those "logs" can be subpoenaed. So cycling often (once a day or so) makes it harder to track you.
Re: (Score:1)
Thanks for the info. I don't use my VPN all the time (in fact it's usually off, like right now), so it shouldn't be a problem. But good to know anyway.
Re: (Score:2)
I'd be extremely careful using a company based in London though. The laws in the UK and the fact that the UK seems very welling to extradite people to the US makes me nervous. That's why many VPN services locate themselves in countries with clearer, more robust laws governing VPN providers. Ideally they should be in a different country to their actual servers too.
To be fair, the Feds seemed to be pretty thorough (Score:5, Informative)
I read the affidavit for a warrant for the guy's arrest.
To summarize : He used PIA, but bought 2 tracfones that he used to make harassing twitter posts. They have surveillance of someone looking like him at the register, his car leaving, bank withdrawals for the exact amount of money used to buy the phones in cash, and 3 separate sets of recordings. Walmart security(who seem to be pretty on the ball, surprisingly) even got a picture of his license plate when he visited a second time.
They also have the phones geolocated when they were used, they checked that he went to the closest walmart to his house, they found 2 chargers in his car for the phones, the username and password for a PIA account listed in his wallet, cell tower locations to his home and work...pretty solid.
I didn't see any of the gaps I normally see when I read about police investigations, it almost sounds like the Feds made sure they had the right man. Really, the only fault I have with the authorities is the hysterical response to bomb threats. Evacuating a building because some random made an anonymous threat? That's no way to run a railroad. Most of the damage he did was because the authorities fucked up.
Re: (Score:2)
And all of that is circumstantial evidence. The thing they don't have is direct evidence that he made the posts.
Re: (Score:2)
The IP of the phone used to make those posts traces to a tracphone that the man is known to have purchased with cash. They know he bought the phone because of the bank withdrawals, the car used, and the walmart video.
So, a twitter acount makes threats. Twitter gives the IP of the computer posting the messages and the phone number of the phone used for the account. Phone number goes to a tracphone. Tracphone bought at walmart, on the same day the man withdrawals the exact amount of cash used to puchase t
Re: (Score:3)
This is the very definition of circumstantial. It's enough to justify further investigation, at best.
You haven't presented evidence that he made those posts with that phone that he was seen purchasing. For all you know, he could have lost it or had it stolen right after leaving Walmart, or lent it to someone, or it might not have even been his phone at all and he's just unlucky. This is why circumstantial evidence isn't nearly sufficient for conviction. Coincidences happen all the time.
If the phones that ma
Re: (Score:2)
This is why circumstantial evidence isn't nearly sufficient for conviction.
You're wrong. If a jury decides that enough circumstantial evidence exists to prove guilt "beyond a reasonable doubt", then that's enough for conviction.
You were probably around during the Hans Reiser [wikipedia.org] trial. No body, but plenty of circumstantial evidence. The prevailing Slashdot mood was defending Reiser, but based on the evidence I figured he was guilty as hell and was glad when he got convicted. It was even sweeter when he took a deal, admitted to the crime, and disclosed the location of the body.
Re: (Score:2)
No, it's not close to direct evidence. It is circumstantial evidence. Words have meaning.
Re:To be fair, the Feds seemed to be pretty thorou (Score:4)
Re: The Feds seemed to be pretty thorough (Score:2)
Airtight circumstantial evidence is indistinguishable from parallel construction.
--
With age comes a modicum of cynicism.
Re: (Score:2)
We know the gov is doing this. How is any charge not immediately suspect? Reasonable doubt would seem to be met....
Re: (Score:2)
The problem is that a judge and/or jury has to (a) understand what parallel construction is, and (b) care.
Re: (Score:2)
I for one would rather be evacuated from a building for a hoax than be left in a building that one time in a thousand it isn't. Whats that old saying? Better an ounce of prevention than pounds of flesh splatted all over the street, or something like that :)
Re: (Score:2)
Evacuation is the leading cause of bomb threats.
Re: (Score:2)
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.
Re:To be fair, the Feds seemed to be pretty thorou (Score:4, Interesting)
The FBI and other police are all well aware of course that serious bombers with actual plans and devices almost never make THREATS.
No, they act. They attack. They detonate their device and then later take credit for it, if at all. They do not phone ahead.
People who phone ahead are making empty threats or they are late for work or out sick and want to be away from their job for the day without penalty. There is a LOT of "hey I don't want to have THAT meeting with my boss today so I'll just phone in a bomb threat and then I won't have to deal with the boss!" bullshit.
Re: (Score:1)
Used to work as a security guard at a local skyscraper years ago. We actually had forms printed for bomb threats. Complete with questions to ask in order of importance. You would be surprised how many people will answer with their name or address when asked.
Re: (Score:2)
What happened to this place (Score:2, Insightful)
I find the tone of the comment at the end odd. While not condoning the actions, I'd figure Slashdot and its readers would be much more interested in the de-anonymysing dimension of the story than the he got what he deserves mentality of that comment.
Re: (Score:2)
mod parent up
Re:Subpeona to a London Company (Score:4, Informative)
London Trust Media is an Indiana corporation [in.gov] with mailing addresses in Los Angeles, CA and Grandville, MI.
Re: (Score:1)
Duh. What part of Team America: World Police don't you understand?
Result (Score:2)
So the FBI can be clever and persistent. Good.
Of course there are some operatives who make them look like knobheads. Why don't law enforcers stick to being the good guys?
Power induces moral blindness and complete WTF
Biased Summary (Score:2)
"Thankfully"? Not only, that it's not neutral, but it's even against freedom. A VPN is there to protect your privacy and freedom of speech. If the cannot protect the guilty, they cannot protect the innocent, either. Read the Tor Projects's summary on why anonymity needs to be universal and why the "bad guys" will always have ways to be anonymous, while the good ones trust software like tor or providers like PIA, i.e. instead of using hacked windows pcs to cloak their origin. So a logging vpn only encourages