Anonymous Owners
We have seen some services claim "We are anonymous too, this protects you because they can't find us to pressure us". First, federal agents set up stings and remain anonymous when they do so. So do criminals. Second, even if it is not a sting or a criminal operation, that anonymity doesn't protect you, it protects them. It protects them from accountability to you. It protects them from any responsibility to you or anyone else.
It doesn't protect you at all. In fact, it is a detriment. They will not fight the system, they are anonymous. They can't even be served, which means the authorities get to act freely, without anyone challenging them and enforcing proper procedure (of course, the jurisdictions in which some of these places host their servers have no legal protections at all anyway; in most of them the authorities can walk in and tap the server without any legal writ, because they don't need one to do so.)
Even if they claim their server's drive is encrypted, that is no protection. The running server has the encryption already opened; it has to, for things to read and write. Crack that server and the encryption means nothing, because it is already open. There are many ways into a machine when you have physical access. Plus, if it's boot-level encryption then the local datacenter has to have the password in case the server crashes.
If not boot level encryption and only file encryption, the key resides on the
server so that it comes back up if it crashes. Even if it was set up without the key being on the server, just
reboot it and wait, the owner will have to log in and enter the password to the encryption for the server to come
fully back up. With an anonymous owner you aren't protected at all, but he/she is protected from any responsibility
to you or anyone else.
With a known owner, you have someone to sue if your information is given out against policy. In our case we are
fully accountable to you. We will make sure every T is crossed and every i is dotted legally should anyone come
after our servers. We'll fight it too. And if we give out your info without a subpoena forcing us to and without
proper legal procedure, you can sue us for that. With an anonymous owner, you have no recourse. No recourse if
they hand out your info to anyone who asks. No recourse if they take your money and don't provide the service.
No recourse if they suddenly vanish.
No Logging
"No Logging! We don't even know what you do while using us." Another big marketing claim.
Think about this: if you used stolen credit cards everywhere for everything you could order, and you spread
viruses, and spammed mail and/or guestbooks, and initiated denial of service attacks against the FBI, and sent
bomb threats to the Secret Service, and tried to hack into the Pentagon, and tried to solicit the young daughters
of FBI agents for sex, or did any of the myriad other things that would cause pressure to stop it, how long
do you think you would stay online? A month? You'd probably be taken offline in less time than that. Privacy services
have the same issue.
Nobody can just allow anything and everything. Everyone has to have some control. Everyone must prevent abuse to
stay online, to keep their internet connections and to stay financially solvent (you'll go broke letting people
pay with stolen credit cards and forged money orders). So, everyone must make sure that their service doesn't become
a haven for thieves and abusers.
How does everyone handle it? Rules and account termination for violating those rules. They tell you so in their
terms of service (don't do this, don't do that, or risk account termination). The mere fact that they can prove you broke
those rules after the fact means they are logging something. They can prove what you did after you did it. Being really
anonymous, without any records, would mean you could send continuous threats to fire missiles at incoming planes to
the FAA and never get caught, nor would they even know which account to terminate for doing it, no matter how hard
they looked.
Besides all this, there are many things on a server that log. Account payment records and updates - everyone has
to log those; what good is a service that doesn't know who paid for what and for how long? Plus server processes
and programs log when they start and stop. Errors are also logged. Error logs are critical to providing a reliable
service and troubleshooting problems. Intrusion detection systems and firewalls log (an unsecured machine cannot
even provide privacy, so they had better have these and their logs). Many things keep logs.
I guess those that claim no logs really mean "No logs...except for these...oh and these...oh and those too...but
they don't really count, what's important is that we don't log your datastream". We really do understand that
they are using the term "no logs" to mean only the data stream. They don't log the data stream and probably
not your IP when using the proxy (it's theirs or 127.0.0.1).
We don't log the datastream either, and your IP in our SSH tunnels accessing the proxies is 127.0.0.1 and comes
out as ours (these are standard setups and nobody is doing something special that others can't), but there are
many other things that log on a system, and to just ignore them all and say "No logs" is lying.
What is in our logs?
We have standard SMTP transaction logs for our e-mail, every service that provides e-mail has these. Ours roll
(overwrite) every five days. A sample of what a standard SMTP transaction log looks like that would have user information
in it is here:
Nov 18 13:25:23 www mta[12345]: AUTH=server, relay=domain.com [127.0.0.1] (may be forged), authid=account, mech=<type of auth>
Nov 18 13:25:23 www mta[12345]: XXXmpe12345: from=<from@domain.com>, size=405, class=0, nrcpts=1, msgid=<messageID>, proto=ESMTP, daemon=TLSMTA, relay=domain.com [127.0.0.1] (may be forged)
Nov 18 13:25:23 www mta[12346]: XXXmpe12345: to=<mail@domain.com>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=12345, relay=receivingmachine.domain.com. [receivingmachineIP], dsn=2.0.0, stat=Sent (iAIIPOAb089975 Message accepted for delivery)
The content of the SMTP log is nothing different from what is already in the header of the message, except for the authenticated
username, which is how we tell which account to terminate if someone decides to try to spam through us or sends
a death threat, etc. (we think that is better than putting that info in the header for all to see).
We also use them for support issues like "I sent/posted/etc this and it never made it". The logs are
needed so we can go look at them to see if the remote server accepted it or not, and if not, why. Without them
the only answer we could give would be "Sorry, can't help you", which isn't very good customer support.
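As an added illustration (not the service's own tooling), the Python script below joins the three kinds of SMTP log lines shown above the way an abuse investigation would: the pid in mta[pid] ties the AUTH line to the from= line, and the queue id ties the from= line to each to= line, so every delivery attempt is attributed to an authenticated account. The sample log, account names, addresses and bounce thresholds are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample log modelled on the sendmail-style lines quoted above (not real traffic).
SAMPLE_LOG = """\
Nov 18 13:25:23 www mta[12345]: AUTH=server, relay=domain.com [127.0.0.1] (may be forged), authid=alice, mech=LOGIN
Nov 18 13:25:23 www mta[12345]: iAIIPNa12345: from=<alice@example.net>, size=405, class=0, nrcpts=1, msgid=<m1@example.net>, proto=ESMTP, daemon=TLSMTA, relay=domain.com [127.0.0.1] (may be forged)
Nov 18 13:25:23 www mta[12346]: iAIIPNa12345: to=<bob@example.org>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=12345, relay=mx.example.org. [192.0.2.10], dsn=2.0.0, stat=Sent (ok)
Nov 18 13:26:01 www mta[12350]: AUTH=server, relay=domain.com [127.0.0.1] (may be forged), authid=mallory, mech=LOGIN
Nov 18 13:26:01 www mta[12350]: iAIIQ1b12350: from=<x@example.net>, size=900, class=0, nrcpts=3, msgid=<m2@example.net>, proto=ESMTP, daemon=TLSMTA, relay=domain.com [127.0.0.1] (may be forged)
Nov 18 13:26:02 www mta[12351]: iAIIQ1b12350: to=<v1@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=12345, relay=mx.example.org. [192.0.2.10], dsn=5.1.1, stat=User unknown
Nov 18 13:26:02 www mta[12351]: iAIIQ1b12350: to=<v2@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=12345, relay=mx.example.org. [192.0.2.10], dsn=5.1.1, stat=User unknown
Nov 18 13:26:02 www mta[12351]: iAIIQ1b12350: to=<v3@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=12345, relay=mx.example.org. [192.0.2.10], dsn=2.0.0, stat=Sent (ok)
"""

AUTH_RE = re.compile(r"mta\[(\d+)\]: AUTH=server, .*?authid=([^,\s]+)")
FROM_RE = re.compile(r"mta\[(\d+)\]: (\w+): from=<([^>]*)>")
TO_RE = re.compile(r"mta\[\d+\]: (\w+): to=<([^>]*)>, .*?dsn=([\d.]+)")


def attribute(log_text):
    """Map each queued message back to the authenticated account and its recipients."""
    pid_to_account = {}    # pid -> authid, learned from AUTH lines
    queue_to_account = {}  # queue id -> authid, learned from from= lines
    summary = defaultdict(lambda: {"messages": 0, "recipients": [], "bounced": 0})
    for line in log_text.splitlines():
        if m := AUTH_RE.search(line):
            pid_to_account[m.group(1)] = m.group(2)
        elif m := FROM_RE.search(line):
            pid, qid, _sender = m.groups()  # the From: header is untrusted; the authid is not
            account = pid_to_account.get(pid, "unauthenticated")
            queue_to_account[qid] = account
            summary[account]["messages"] += 1
        elif m := TO_RE.search(line):
            qid, rcpt, dsn = m.groups()
            acct = summary[queue_to_account.get(qid, "unknown")]
            acct["recipients"].append(rcpt)
            if dsn.startswith("5."):  # permanent failure: invalid or guessed address
                acct["bounced"] += 1
    return dict(summary)


def flag_abuse(summary, min_bounces=2, max_bounce_ratio=0.5):
    """Accounts whose outbound mail bounces heavily (thresholds are constructed)."""
    flagged = []
    for account, s in summary.items():
        sent = len(s["recipients"])
        if sent and s["bounced"] >= min_bounces and s["bounced"] / sent >= max_bounce_ratio:
            flagged.append(account)
    return sorted(flagged)
```

Because pids are reused over time, a production version would also key the AUTH-to-from join on the timestamp and host, and would only look back as far as the five-day rotation keeps lines.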
We have standard Apache logs for our web site. Every single web site has these logs. We use them to trace errors,
to alert us to DoS and hacking attempts, and for website statistics. A sample standard Apache log entry looks like
this:
<connectingIP> - - [18/Nov/2004:13:22:47 -0500] "GET /index.html HTTP/1.1" 200 10210
Our proxy logs are standard too. We need them to trace errors, counter DoS and hacking attempts, etc. A sample
of a proxy log:
127.0.0.1 - - [18/Nov/2004:13:42:05 -0500] "CONNECT www.domain.com:443 HTTP/1.0" 200 15088
(The above is an HTTPS connection via the proxy; no target filenames etc. can be seen because the datastream is a direct,
encrypted connection.)
127.0.0.1 - - [18/Nov/2004:13:41:40 -0500] "GET http://www.domain.com/file.html HTTP/1.0" 200 361
(The above is a plain HTTP connection; unlike HTTPS this is not an encrypted direct connection, and the proxy is told
the filename to go retrieve.)
Our proxy logs do not log your IP. The IP logged is ours because the requests all come from localhost.
Our SSH logs are also standard, a standard last log (last login from:). This is mostly for you, but allows us to
also counter people attempting to guess their way into your account. A standard SSH log entry that would have user
information in it looks like this:
accountname ttyp1 <connecting IP> Tue Nov 16 03:16 - 21:32 (1+18:15)
From the SSH logs we cannot tell what you did, where you went, or anything else, only that you connected to us
and for how long. This allows you to see who last logged into your account (so you know someone else didn't break
into your account) and enables us to automatically lock out repeated failed attempts at guessing passwords.
The identifiable/personal information our VPN logs contain is the IP address
and port connected to, the time of the connection, and the local (10.x) address connected, which can be tied to
the account. Initial VPN login logs will also contain the IP address logging into the VPN server.
We have scripts monitoring all of our services for attacks, mostly anomaly and signature detection. We have scripts
that monitor performance and the services and servers themselves. They will trigger automatic failover to backup
servers in the event of system or service failure. They can and do automatically manage power as well: they are
able to automatically power-cycle a machine if it locks up. All of these scripts work with the logs above, to some
extent, and those that have their own logs have absolutely no individually user-identifiable information in them.
None of our logs record the datastream, as in contents of the email, web request, or SSH tunnel. We do not know
what you do in the SSH tunnel or any communications, only that you set up a tunnel or sent a message. You'll notice
that very little information is kept in the logs, only what is needed for the abuse issues, troubleshooting problems,
and anomaly/intrusion detection. All but the proxies are on a five day rotation (due to the size of the logs, proxies
are on a three day rotation). This means that at any given time we do not have any information in web and mail
logs for six days ago and no information from proxy logs for four days ago.