What Everybody Ought to Know About HideMyAss

In most instances using a Virtual Private Network (VPN) is sufficient to hide your real identity while online; however as Cody Kretsinger, who was using just this type of service, the UK based company Hide My Ass, had to find out, this might not always be the case.

If you’ve never heard of Hide My Ass VPN, The Guardian suggests it’s a good option for accessing restricted content, because HMA has the largest server network of all VPN providers.

For the record, I do not condone illegal activities using VPN services, nor on the Internet. So lets look at what happened. In September 2011 the FBI arrested Cody Kretsinger, a 23-year old Phoenix resident and charged him with conspiracy and unauthorized impairment of a protected computer, the Sony Pictures website. According to Reuters, Kretsinger pleaded guilty to both charges and could face up to 15 years in prison. “I joined LulzSec, your honor, at which point we gained access to the Sony Pictures website.”, Kretsinger, known online as “recursion”, told the judge after entering his guilty plea, as reported by Wire. LulzSec was considered a spinoff of Anonymous, a world-wide operating group of hacker-activists.


Earlier, in March 2011, the FBI had arrested a core member of LulzSec, Hector Xavier Monsegur, also known as “sabu”, who apparently turned into an informant for the FBI. In June hackers associated with LulzSec, allegedly including Kretsinger, hacked into SonyPictures.com and compromised personal information of more than 1 Million users. Sony Pictures had to notify 37,500 users that their personal info might be at risk.

Data provided by http://attrition.org/security/rants/sony_aka_sownage.html

London based Virtual Private Network provider Hide My Ass (HMA) appears to have played a vital role in Kretsinger’s arrest.  A leaked IRC chat log revealed that hackers, including Kretsinger aka “recursion”, boasted about their illegal activities online and used HMA to conceal their identities. Hackers assume fake online identities and go to great length to hide their location and other identifiable details for obvious reasons.

It appears that the FBI traced a hack into Sony back to an IP address owned by HMA and promptly got a UK court oder, demanding logs from HMA an incident HMA dubbed the “LulzSec Fiasco” in a post on their blog on September 23rd, 2011. When leaked IRC chat logs revealed that some LulzSec members used HMA to conceal their identities, HMA didn’t take any action they stated on their blog; however, later they made it clear that “Our VPN service and VPN services in general are not designed to be used to commit illegal activity. It is very naive to think that by paying a subscription fee to a VPN service you are free to break the law without any consequences.” They then went on to say that “We would also like to clear up some misconceptions about what we do and what we stand for. In 2005 we setup HMA primarily as a way to bypass censorship of the world-wide-web whether this be on a government or a corporate/localized scale. We truly believe the world-wide-web should be world-wide and not censored in anyway.”

In later edits of this blog post they indicate that they do not log a user’s activity, just the log-on and log-off events, that they do this to identify abusive users, that they complied with UK law and finally, that there isn’t a UK law prohibiting them to aid Egyptian to access social networks, such as Twitter, which was blocked by that country’s government.

While I appreciate HMA addressing these issues openly rather than swiping them under the rug, the incident points to a serious flaw in the system. When you are selling a service that claims to protect a users privacy, hence identity, you can’t turn around later and reveal just that to authorities without appearing at least a little insincere.

Virtual Private Networks are used for many purposes, accessing blocked websites, accessing region restricted content, bypassing network filters, accessing Twitter, Facebook and Skype in countries that block such connections, or simpler applications like protecting your privacy when accessing a public Wifi spot and stopping your Internet Service Provider (or ISP) from snooping into your business.

It doesn’t take too much imagination to see that VPNs can also be used for outright illegal activities, copyright violations and hacking for example. All VPN providers know this and, while their terms and conditions always state that their services are not to be used for illegal activities, they derive a portion of their revenue from users who signed up for just that purpose, something all VPN providers are aware of.

As a VPN service provider your main selling points are privacy, anonymity, presence (as in how many countries you have IP addresses in) and speed. At the same time you are also running a business (if we neglect any hobbyists and non-profits for a moment) that was setup to make money, and as any legal entity you must comply with the laws and regulations of the country you are operating in. Many (if not most or even all) lease bandwidth and IP addresses from other providers, and abusive behaviors of their customers can easily jeopardize their business. Usually the term abusive behavior when used by a VPN service refers to bandwidth hogs, subscribers with (much) higher than average bandwidth usage, potentially slowing down the service for others. With speed being one of the main selling points it is easy to see why.

In response to the HMA LulzSec case, many VPN providers now quite prominently claim on their sites, that they don’t keep logs; yet many terms and conditions also alert users that they will investigate suspicious behavior, apparently referring to, what they consider to be, illegal activity. My question then is this: If a provider does not log your IP address and does not log your activity, how would they be able to investigate anything?

While the LulzSec case may seem extreme and it is easy to think: why worry, I am not engaged in illegal activities online? The RIAA and MPAA (for those who don’t know, those are the Recording Industry Association of America and the Motion Picture Association of America) have come to an agreement with certain Internet Service Providers to cooperate to curb illegal file sharing under the clever and innocent sounding name Copyright Alert System or abbreviated CAS. They decide what they consider illegal and enlist your ISP to notify you, and if necessary, force you to watch educational videos or throttle your bandwidth. Maybe a no-log VPN is a good idea after all?

Reuters reports that a Los Angeles judge sentenced 25 year old Cody Kretsinger to a one year prison term, one year home detention and 1000 hours of community service. He also has to pay $605,663 in restitution for the attack on Sony Pictures.

Kretsinger had pleaded guilty to a single count of conspiracy and unauthorized impairment of a protected computer (i.e. computer hacking) in a plea-bargaining agreement in April 2012 and was facing up to 15 years in prison.


Hector Xavier Monsegur, also know as “Sabu”, the computer hacker turned FBI informant, was sentenced to 7 months in prison, basically the time he already served.

A remorseful Monsegur pleaded guilty to computer hacking crimes in 2011 and was originally facing more than 26 years behind bars, but received a significantly reduced sentence for his cooperation with the FBI that led to the arrest of Jeremy Hammond, who was at the time the FBI’s No. 1 crime target.

Hammond is currently serving a 10-year prison sentence for the 2011 cyberattack that exposed tens of thousands of consumer credit cards and millions of private emails affiliated with Strafor (the global intelligence firm Strategic Forecasting), a crime Monsegur allegedly encouraged him to commit.

Image Credit: gaelx


  1. To make a point very clear, the FBI already ‘had’ one member of the group. They encouraged the group to take more risks and do a larger attack precisely in order to catch members. It would not matter what measures were taken as sabu and the FBI were party to all group communication.

  2. Andre, first of all, I wanted to congratulate you for such a well written text! It was a pleasant reading.

    It also took me attention that you keep contact with your public (thumbs up), that means I’m going to be back here often.

    Last but not least, have you ever though about inserting a revision history (change log) on your articles, or to make it simpler, add the posting date and last revision/edit date below the title or at the end of the article? It’s hard to figure out when this was posted as we have the 03.02.2015 on the left sidebar (and on the home page) and there are comments to this since 2012. Since your articles seem serious this would give more confidence to the reader and also help you not to get annoying comments in the future such as: “this is wrong, they don’t do that since 2014″(something you wouldn’t be able to forecast in 2012…).

    Sorry for the long comment!

    Herrliche Grüße,
    Ein guter Freund

    • Thank you for your comment. We are always looking for ways to make the site more user-friendly and easier to navigate. Your suggestions are appreciated.

      Stop by often!

      Viele Gruesse,


  3. I just received an email from HMA telling me that they got a complaint about me from the legal department of ‘American Sniper’. They told me that they did not inform their legal department, then went on to say that they condemn any illegal activity while using their servers. A friendly reminder that they are watching, what do you think?

  4. I dropped HMA almost a year ago when I knew they were doing this. What are your thoughts on Private Internet Access? I switched to them and was wondering if they are any better?

    • Hi and thanks for stopping by. When it comes to privacy and anonymity, then yes, Private Internet Access (PIA) is clearly better than HMA, the major difference being that HMA logs user activity while PIA does not, as stated in the Terms & Conditions and Privacy Policy. If you are using your VPN for torrenting, then go with PIA; if you only need it to encrypt a public Wi-Fi connection then it doesn’t really matter.

      Here’s the rub though, technically speaking every VPN provider can potentially log user activity or could be compelled to do so. Aside from PIA not being able to provide historical data (because they don’t keep logs) compared with HMA, it will depend on how much of a fight a VPN provider will put up to protect their users should law enforcement come knocking on their door…

  5. Luminati has changed the game for proxy networks — It’s like Tor, only faster and much larger. Luminati enables you to send your HTTP(s) request through our massive peer to peer network, through millions of IPs. In every city in the world.

    With the Luminati API you control the country of the exit node and you control when to change IP within that country. You can send high rate, high bandwidth requests through these millions of IPs.

    You can see more information at luminati.io.

    • Luminati is definitely not like Tor which uses Onion routing to keep the sender’s identity anonymous. Luminati is just another anonymous P2P proxy network, which brags itself “the world’s largest anonymity network” without giving much details – “How do you keep each node anonymous?”, “How messages are encrypted or are they encrypted at all?”, and “How do you keep the payment information safe and anonymous?” since Luminati is a paid service.

  6. In other words, any government agency with a court order gets carte blanche access to HMA.
    In other words, it isn’t protecting anyone

  7. I use hidemyass daily to connect to poland and it works flawlessly every time. I have used other services that have been very unreliable and left me unable to connect on occassion. I would recommend this to anyone who requires a fast, reliable connection through their vpn service.

  8. Thanks for this article. VPN is good if you want to hide your real location. However, about content streaming, I prefer the DNS option. Currently, I am using UnoTelly and have no speed loss  which allows me HD streaming with my 10 mbps connection.

  9. Tried a few other VPN service. In my opinion HMA is the best at a very fair price. It adds a whole new of watching TV through my computer in countries other than the one you in. More information here:

    All the best:)

  10. @bob I get what your saying totally but when faced with the courts I don’t think any VPN can resist that. they could spend a fortune defending by appealing against a court order which would probably bankrupt them with legal fees.

  11. @Ben T you’re spot on here. they can see what you do in your own home and the same applies to everybody. as for VPN i’m with HMA and find it a good service. it works fast. as for this Kretzinger case, they only supplied log on log off details and i bet any service would have to do that if it came down to a High Court intervention. at the end of the day the courts have the last say on these matters and if all they get is log on log off details that’s fine by me.

  12. I guess they are cherry picking what it is they chose to hide our asses on. @tia_darcy if you paid money to download something they shouldn’t interfere it’s not like you’re uploading something harmful well maybe I ‘spose they think what it is ur downldng can be used malicously. But good heads up no sense paying for something you can’t use fully. I agree with you. I’ll say I do from time to time like to hmm wink wink ‘borrow’ a game or two just for educational purposes you see.

  13. I paid for HMA for a year, used it for 6 weeks then got blocked by them for downloading something that they had a complaint about. They are based in the UK and are worse than useless as a VPN. Id been filesharing for awhile without being ‘hidden’. My ISP said nothing but I pay for (expensive too) a VPN and with 6 weeks I’m getting problems. Avoid HMA like the plague. Pick something not based in the UK.

  14. Rock and a hard place. You try to stay away from prying eyes and getting hacked yourself, what with all the re-directs out there solely based on advertizing to draw users to what it is someone is ‘selling’ has caused a lot of issues internet wise for people who just want to surf or get torrents anonymously, but as all things people take it and run with it creating illegal activities like the guy hacking Sony for god knows what reason other that ‘he can’. So is it right for HMA to turn his ass in? Where do you draw the line? IMHO if you use it to hack and cause mischief and harm YOU crossed the line. You just can’t condone actions that goes against common sense.

    Like here in the states and the gun issue. Guns themselves don’t commit crimes but the availability of them alone is rendered as the cause of gun related crimes. Remove ‘em and voila’ no crimes. Not so fast my friend. Crimminals would love nothing better, they loath the ‘stand your ground’ deal as they are the ones getting shot by law abiding citizens that protect themselves.

     So the question really is what you do and how you use it. Abuse it and pay the penalty in my book. You try to do something worthwhile like having anonymous IPs for folks but we all know when you use it whatever service it is, you’re using has your IP to start with to go there so don’t think poorly of the service for standing on moral ground because YOU abused it, just think of yourself as being stupid for doing it in the first place. In these days and times people for some reason think it’s smart or cute to hack sites or hold computers for ransom, it will forever be ongoing no matter the restrictions.

     I’m all for Net Neutality for all the obvious reasons and as in all things people you’ve got your bad apples that spoil the barrel. Don’t throw the baby out with the bath water. HMA was right. Now if NSA hacks HMA that’s a different story and I’ll betcha it’s ongoing.

  15. some of these vpns such as purevpn are nothing but a con , collecting subscriptions and providing either nothing or a laughably slow and useless service that lets you do nothing


  16. I can’t believe how passive people have become about our loss of privacy after 9/11. It is insane. Everyone has this “so what if you are not doing anything illegal” attitude, THAT IS NOT THE POINT! Example; my cousin can be seen in his house in his boxers drinking a cup of coffee. Really?! He laughed when he showed me. That should be an outrage. Are they transmitting radiowaves or dropping chemtrails to keep everyone so passive? It should be a disgusting bitter outrage with people in the streets but no one seems to care. The technology of a satellite in outterspace being able to zoom into you,so close to the point it can count the hairs on your head, or being tracked everywhere you go from your mobile devices or even your car SHOULD BE AN OPTION!!!! It is not a free country any longer when you have to wonder if the NSA is looking at your dick when you piss, or you know for a fact you are being logged, tracked, recorded, listened to. Thats no conspiracy theory it is a fact. I could go on and on but I won’t. This country is pretty fuckin disgusting and the main reason being I can’t even type this opinion and speak my mind or have free will without thinking the government will be watching, listening, reading. I’m sure this little post will even get looked at because I have said key worlds like “9/11″ “government” and “privacy”…. oh well gone are the days that you could masturbate without wondering if the government is watching or tell private things to your loved ones without it being logged and listened to.

  17. I don’t want to do anything that your typical person living in the free world would consider criminal, but we live in a day and age where activities can change in their legality very quickly and arbitrarily, depending on who you tick off. My adage about life has become, you have all the freedom in the world until it becomes an inconvenience to someone in power, then look out. I want to retain privacy because I want to retain my rights as a free and civilized human being, what we have now is quickly turning into what George Orwell warned us about, without exaggeration.

  18. What VPN(s) do you use? Are you using software other than that provided/required by the VPN? When you say encrypted on both ends, what do you mean exactly? How? You mean the encryption on the other side being provided a VPN or some other third Party? Thanks.

  19. i have a ipad and i cant watch any thing from it is there any way around it please been told its a very good site cheers

  20. To be honest Hide my ass is still a decent VPN provider; heaps of locations, and so many features. Just don’t use their service for anything illegal (torrents, spamming, ddos..), perfectly fine if you just want to protect your traffic over public wifi or bypass geo-blocks.

  21. “When you are selling a service that claims to protect a users privacy, hence identity, you cant turn around later and reveal just that to authorities without appearing at least a little insincere”

    They are two very different things here.
    1. Hiding your details, IP, etc browsing websites safely and those sites genuinly do not know your details or your IP.
    2. You commit a crime and the proxy gives “authorities” your details.

    I’m glad they had them stored, and provided them. What if they plotted to murder someone, or worse…

    (btw, blocking mouse buttons on your site is very annoying. I can’t copy paste, activate my sepll cheker, I cant seem to use keyboard arrows in this comment box either, or do other things)

  22. Hi There,
    Here is one thing which astonished me quite a bit lately. I just got my first mac, and installed Skype, among other programs on it. When I was opening the Skype for the 1st time, Mac Os asked whether I want my contacts to be known to Skype. I said yes. And voila, all my cell contacts appeared on the mac screen.
    Now, I did not give to Apple any info about with exception of my cel # and credit card, but in both I use only initials of my name (not the whole name). So really, the phone # was likely sufficient for Apple to get my cell contact list – all without asking me for permission. Hmm… Now I am probably going to try to get my ex’s contacts as well… And perhaps, say, that of the judge who is presiding over our divorce proceedings, and perhaps the girl who lives next door as well. It can not be too difficult…

  23. @shanghaiGuy, I am wondering that if we have mentioned something on our website then why we will try to hide it? The link was given to let you read in detail ad we believe complete information could not be typed every time by the support executive and ma miss something so providing the link is best and it is for your favor. Read our Privacy Policy and Terms of Use in order to get complete information.
    @andre, Could you please confirm did you get slow response over live chat, support ticket or email?
    Manager Customer Service & Support

  24. I use a VPN thats bought and paid for by a Burn card, my real ID is never associated with this account, i also go to places and connect to my VPN using free wifi, mostly places that dont now better, everything i do is encrypted, and the other end is encrypted also, password protected and more bits than i would really need, then i can use proxies that fluctuate every 5 minutes in the baltics, my Business is my Business, its no one elses, and never will be!!!!

  25. these vpn’s can little more than a trap to harvest all the very info you most want keep
    private. and why is breaking the law ok in repressive china or egypt and not a nealy as
    repressive usa and uk and it’s NSA’s. hma and are nothing more than patseys and
    money suckers. useless. advoid.

  26. No logs can help but still dont provide total anonimity. The VPN providers ISP still logs all connections. If you want to feel safe use I2P or tor, and even then you still can’t be sure your 100% anonymous because you may have a compromised node, but it is still better than a VPN who will give up your info to LE in a second. Don’t believe me? Search “Telecommunications data retention”

    • Maybe a good way of looking at it, is the degree of difficulty to identify a user. If you make it more difficult (hence costly in terms of money and/or time) it is less likely anyone will try. Using a VPN makes identifying you more difficult and using a no-log VPN makes it even more difficult still.

      The other side of the equation to consider is why would anyone want to identify you in the first place? I doubt that the nuts from the RIAA or MPAA will spend a lot of money to go after you if you just shared a few titles, but they may try if you are sharing thousands of movies or songs.

      Summarizing, consider using technology appropriate for what you are doing and trying to prevent; VPN, I2P and Tor aren’t perfect, but a good first step.

  27. I had an purevpn account and I contacted them asking about their logging policy. Guess what? they never replied to my email. After I sent them a few more emails, they finally got back to me with one line telling me to look for that information on their website myself. Why can’t they just tell me and answer my question directly??? So I went ahead and cancelled my subscription. Now i am in the market for a vpn again, but it is hard to find one that keeps no logs. Now I decided to setup my own VPN using Microsoft Azure. :)

    • Unfortunately I had the same experience with PureVPN, their customer service is slow to respond and then only sends these cryptic messages, apparently hoping that the user will figure it out. I setup my own VPN using Amazon before, but I found that to be rather tedious and not suitable for the average user. When you do get it setup it works well; however, I am not sure how secure it would really be. The only way to setup an account with Microsoft is to use a credit card, so they have at least that information. Besides all cloud services have backups…

    • Sadly Azure is NOT safe. Microsoft actively hands over information to local and federal law enforcment agencies, when the occasion occurs. So Azure NOT safe, it is monitored by Microsoft and every bit is heavily watched by many law enforcment agencies. Be careful what you are doing with Azure, because it might just screw you hard.

  28. When presented with a court order or National Security Letter (or non-US equivalent), services like this turn on IP logging and track you. Expecting them to defy their government when presented with such items is naive and irrational.

    • Charles, you are correct. Most VPN providers are small businesses and don’t have the resources to fight subpoenas or court orders, besides I am not sure that all of them actually have the will to do so. Not logging any information to begin with would be a good start. The real problem is the claim of anonymity, which is tough to guarantee. I strongly urge users to read the terms and condition and privacy statements of any provider they plan to sign up with.

    • Charles,

      I understand that a VPN will turn on what they have in their hands upon request of their national authorities. The problem is when they claim to not keep logs but do. I would rather trust a VPN that clearlly specify that they keep logs and will provide information upon subpoena rather than lying to me. A question of trust I guess. At least, then you know what to expect and you know whether the services the VPN offers you suits your needs or not. If they lied on this matter, how do we know that tomorrow they will not deliver information to China political dissident or just selling all information regarding their users to marketing companies ?

Leave a comment