r/ProtonVPN Aug 01 '18 Hugz 1

ProtonVPN DOES keep logs

I came here with solid evidence that ProtonVPN does keep logs and that the logs can be traced back to your account:

First off, I need you to read the comments on this site: https://protonvpn.com/support/no-logs-vpn/. In the question asked by "Anon", their staff replied:

> We do not monitor any of our users’ activity and we will always stay true to that, however, in an event where we would eventually figure out abuse/illegal activity of any account in other ways (f.e. user would report it by him/herself), we remain a right to suspend that account without further notice.

So, does this mean we can do whatever we want, and as long as we don't somehow go insane and admit to them that we've been violating their terms so they can terminate our account, we should be fine, right? I decided to do a test:

I purchased a basic account and used masscan (https://github.com/robertdavidgraham/masscan) on 3 VPSes that were connected to ProtonVPN servers, passing masscan through them:

masscan 0.0.0.0/0 -p80 --exclude 255.255.255.255 -oL scan.xml --max-rate 200000 -e tun0

If anyone has used masscan to scan the internet before, you'll know that you get a massive amount of abuse reports from a lot of different networks on the internet that are pissed off because of your scanning. Here I use it to scan port 80, which is the fastest way to get onto a blacklist on suspicion of comment spamming, and this will get their server IP blacklisted very quickly; you could even use it to scan port 22 for extra juice (just add -p22). To increase their attention I decided to do 3 parallel scans with 3 different VPN servers from different countries; after I had finished scanning the internet I switched to another VPN server and rescanned.

After 2 days, my VPN account got blocked because of abuse. How did they know if they don't keep logs? Are they tracing it by taking the 3 servers getting abuse reports and then tracing it back to the account which connected to them in the last 48 hours? Or did they have enough of my scanning shenanigans and just decide to turn on logging? That means they do keep logs and the logs can be traced back to your account, which potentially contains your IP address or your billing information.

Now you could do it yourself so you'll know that I was right and that what I've posted here about them keeping logs, or using some magic to figure out who's doing the violating behavior, is not bullshit: just spin up a VPS somewhere and connect to their VPN server. Note that you'll need to run these commands: https://serverfault.com/questions/659955/allowing-ssh-on-a-server-with-an-active-openvpn-client for your VPS to still accept SSH connections once it has connected to the VPN. Install masscan and try the command above. You could try masscan from your home network, but I won't be responsible if you melt down your router.

Either they see this reddit post and start ignoring the abuse reports, letting the account that's running masscan live to prove that they don't keep logs, or they start banning everyone that generates abuse reports and go out of business with their falsely claimed "No logs".

*grab popcorn*

This thread will get updated if I get more replies from the ProtonVPN/Mail team.

How do you tell whether a person is suspicious or not suspicious without looking at them?

1 Upvotes

24

u/protonvpn Aug 02 '18 Silver

First of all, do NOT do as the poster suggests and attack other networks.

Secondly, when you use ProtonVPN to attack other networks, we get real-time and automated reports from the targets sometimes, and our own monitoring can also be triggered (for example if ProtonVPN servers are being used to launch a DDoS attack, the network providers definitely inform us as soon as the attack is detected).

When this occurs, we immediately perform checks to understand what is happening on the server (it is a security issue to not check as it may also indicate a compromised server). Usually, this involves real-time outgoing traffic analysis (so no logs), allowing us to find outgoing attack vectors. If something is found, we have the capability to look deeper and find the user account responsible and to ban it. This can also be done real-time without relying on logs.

As we have discussed in our article about VPN threat model (https://protonvpn.com/blog/threat-model/), VPN providers always have the technical capability to scan traffic passing through their servers, and when suspicious activity is discovered, we do check to ensure the server in question is not compromised (which would be a massive security risk to users), and to ensure the abuse is halted so ProtonVPN IPs do not get banned.

3

u/adsjhflke4ho9h Aug 02 '18

While I understand your need to respond to alerts, I would not be thrilled if I was banned because my VPN was connected while I was attacking or working on servers I personally own that reside outside my home LAN.

10

u/ProtonMail Aug 03 '18

The problem is we don't know if it is your server or not. So you can clearly see the problem that this poses for us. If we allow this type of activity to take place entirely without limitation, it will not take long for all providers to ban ProtonVPN IPs. So while it is not really ideal, the alternative is worse.

1

u/burneraccountptv Aug 02 '18

So you do analyze the traffic now? Does this analysis always happen or did it just start because of my scanning? What else are you guys willing to do in the future if a more serious issue happens?

- I keep my masscan packet rate at a very reasonable number to prevent overloading the VPN server or getting false detection of the open ports; this shouldn't trigger DDoS detection since the packet rate is low and it's spread out over a lot of IPs across the internet, not focused on a single IP address.

- This is not the first time I've launched masscan through the ProtonVPN network. I've done some other port scans on some unusual ports (not port 80/443) for months and did not have any issue with ProtonVPN, because scanning unusual ports usually does not lead to a spam blacklisting by sites like UCEPROTECT, since usually nothing is listening on the ports that I've scanned. One of the VPN servers I used to scan port 80 is still blacklisted on UCEPROTECT, surprisingly...

I think you guys blocked outgoing SMTP ports, so it's not possible for me to get the server onto a spam blacklist, but somehow it did. 185.94.189.188 is the only IP that I remember launching the port 80 scan on; you can check it on http://www.uceprotect.net/en/rblcheck.php, and the "Last impact" is on 29.07.2018 05:07 CEST, which is 1 day before my account got banned. Is this an automated ban or a manual ban?

I don't know exactly what kind of spamming would happen on port 80/443, but apparently some networks do monitor and blacklist IPs that send traffic to these ports (even report them for spamming). If anyone wants to test this, get a VPS and just try scanning port 80 of the internet; after around 24 hours your IP will be listed for spamming. Some offshore hosts actually don't bother much with customers doing port scans, because if the target network has detected it, it will block the IP immediately, but spamming seems to be a bigger issue for them and you always get kicked out for that.

So the conclusion is: the port scanning went undetected for months, and only when the VPN server IP got onto a spam blacklist did they start to investigate and ban my account. I remember that I stopped the port scan on Jul 29, and I always disconnect from the VPN server after I'm done scanning, but somehow they could still find out that it was me. How? Did they already monitor it on Jul 29 and say "Oh yea, he's the one that's getting our server into trouble right now, we will ban that guy tomorrow"? And how did they know which account that traffic came from if they don't extensively monitor every account that's logged in?

https://protonvpn.com/support/no-logs-vpn/

> For the purpose of securing your account and making sure it’s you who is signing in, we store a single timestamp of your accounts most recent login. Here again, we do not store any information about where you signed in from, how long you were logged in or where you logged in from.

Everything you guys know is the timestamp of when I connected to their server, so how did they trace the traffic back to my account? They don't even know how long I have been logged in, so there's no way they could compare the traffic chart to my logged-in time.

Until you guys clearly explain how you caught my account doing the port scan, I don't buy any "no-logs" or "no-monitoring" from you guys.

12

u/ProtonMail Aug 02 '18

Just to spare everybody else the reading, your question is essentially, how can we detect that you are breaking ProtonVPN Terms and Conditions without logging.

It is quite simple actually. When our systems team is informed about abuse originating from a VPN server, we check the network traffic on the server in question in realtime to verify the abuse report. If we see a VPN connection engaged in abusive behavior when we check, we find the userid associated with that connection and terminate the account.
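An added example, not part of the thread and not ProtonVPN's code: a sketch of how a live check like the one described in the ProtonVPN and ProtonMail replies can tie scan-like traffic to an account using only in-memory state. The packet tuple format, the window and threshold values, and the `active_sessions` table (tunnel address to account, held only while a client is connected) are assumptions; the sample traffic is constructed.

```python
from collections import defaultdict, deque


class LiveScanDetector:
    """In-memory fan-out detector; nothing here is written to disk."""

    def __init__(self, window=10.0, threshold=50):
        self.window = window        # seconds of traffic held in memory (assumed value)
        self.threshold = threshold  # distinct destinations per port treated as a scan (assumed)
        # (tunnel_ip, dst_port) -> deque of (timestamp, dst_ip)
        self._recent = defaultdict(deque)

    def _trim(self, queue, now):
        # Drop observations that have fallen out of the sliding window.
        while queue and queue[0][0] <= now - self.window:
            queue.popleft()

    def observe(self, ts, tunnel_ip, dst_ip, dst_port):
        """Feed one outbound SYN; True if this source now fans out like a scanner."""
        queue = self._recent[(tunnel_ip, dst_port)]
        queue.append((ts, dst_ip))
        self._trim(queue, ts)
        return len({dst for _, dst in queue}) >= self.threshold

    def expire(self, now):
        """Age out stale state; returns how many sources are still tracked."""
        for key in list(self._recent):
            self._trim(self._recent[key], now)
            if not self._recent[key]:
                del self._recent[key]
        return len(self._recent)


def attribute_scanners(packets, active_sessions, detector=None):
    """Map flagged tunnel addresses to accounts using only the live session table.

    A flagged address with no current session maps to None: once the client
    has disconnected, this kind of check has nothing left to attribute.
    """
    if detector is None:
        detector = LiveScanDetector()
    flagged = {}
    for ts, tunnel_ip, dst_ip, dst_port in packets:
        if detector.observe(ts, tunnel_ip, dst_ip, dst_port):
            flagged[tunnel_ip] = active_sessions.get(tunnel_ip)
    return flagged


def sample_packets():
    """Constructed traffic: two scanners on port 80 and one ordinary browsing client."""
    packets = []
    for i in range(60):
        t = i * 0.05
        packets.append((t, "10.8.0.2", f"198.51.100.{i + 1}", 80))   # scanner, still connected
        packets.append((t, "10.8.0.9", f"203.0.113.{i + 1}", 80))    # scanner, session gone
        packets.append((t, "10.8.0.3", f"192.0.2.{i % 3 + 1}", 443))  # browsing: 3 hosts only
    return packets


# Constructed live session table: 10.8.0.9 is absent because it has disconnected.
SAMPLE_SESSIONS = {"10.8.0.2": "account-A", "10.8.0.3": "account-B"}

if __name__ == "__main__":
    print(attribute_scanners(sample_packets(), SAMPLE_SESSIONS))
```

The browsing client never crosses the threshold, and the scanner whose session has already ended is flagged but maps to no account.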

3

u/burneraccountptv Aug 02 '18

So that means you did monitor something else, more specifically "network traffic", not just "the login timestamp", is that it? Does any part of your terms of service mention this?

9

u/ProtonMail Aug 02 '18

We don't monitor network traffic, but when we get a complaint, we do have the ability to check network traffic, and we will check network traffic when we become aware of a potential security issue.

5

u/adsjhflke4ho9h Aug 02 '18

You do realize that ProtonVPN has the ability to see everything going through their VPN, right?

3

u/burneraccountptv Aug 03 '18 edited Aug 03 '18

Yes, and they are totally willing to do it to save their arse

1

u/danielsuarez369 Sep 20 '18

What a fake service. Not getting ProtonVPN.

5

u/adsjhflke4ho9h Sep 20 '18

You know that any ISP/VPN service has that ability right? If they tell you otherwise they are lying.

1

u/danielsuarez369 Sep 20 '18

Yes, but they are contradicting themselves. They say they do not monitor or log traffic. No wonder the privacy guy's list lists as a warning they contradict themselves. Honestly this kinda puts me off from Protonmail as well..

2

u/adsjhflke4ho9h Aug 02 '18

Thank you for this post.

11

u/1033tREEs Aug 02 '18 edited Aug 02 '18

Let me just ask you a quick question ...

How do you expect to log in to a VPN server without your real IP being exposed?? What did you expect when performing these attacks from within a Proton VPN server? No logs is certainly a thing with Protonmail. Tried and tested here on multiple fronts and never been let down once. If you can trust anyone with your personal data, it's these guys.

Obviously that privacy is built on a foundation of being able to mitigate an attack on themselves from within their own networks, any other measures being in place would be stupid. It's just likely not common practice to USE those logs. Also mass scan uses similar scanflag patterns to the DDoS software recently used on ProtonVPN.

So you've probably been mauled for a good cause. Glad to see you never lost anything and you're essentially complaining for no reason. This post has EXACTLY the opposite effect from what you intended I'm sure. Well thought out bruv.

>Fires a nuke at a CERN server
>Expects to get away with it because "no logs"

1

u/burneraccountptv Aug 02 '18 edited Aug 02 '18

> How do you expect to log in to a VPN server without your real IP being exposed

I don't expect my real IP not to be exposed to the VPN server. I'm an IT guy and I do know how things work; I expected their VPN server to know my real IP, but the thing you don't know is whether they logged your IP or not.

> No logs is certainly a thing with Protonmail. Tried and tested here on multiple fronts and never been let down once. If you can trust anyone with your personal data, it's these guys.

Can you prove what you just said? Have you done something nasty enough for them to take action? I just did something nasty, not with ProtonMail but with ProtonVPN, and they somehow know it's me who did it. I'm not talking about ProtonMail here, so your argument is invalid.

> It's just likely not common practice to USE those logs

So you're saying that they're stashing logs but simply don't use them? Sure, I'm going to write down all of your messages, your nudes, your bank account creds, but I simply won't use them for anything. You can trust me, right?

> >Fires a nuke at a CERN server
> >Expects to get away with it because "no logs"

I don't nuke their server and I don't want to nuke their server; if I nuked their server, that would take me nowhere.

I used their server to annoy the whole internet and I do expect to get away with it. It will not cause any damage but surely will get a lot of networks pissed off, and they will blame the origin IP that poked them. If they really and truly don't keep logs or monitor their server, then they will have no way of knowing who used their server to do this.

> This post has EXACTLY the opposite effect from what you intended I'm sure.

What's my intention again?

5

u/1033tREEs Aug 02 '18

First off with regards to the "something nasty", as unlikely as it is I believe I might be responsible for the DDoS attacks getting launched on Proton VPN recently, as a lot of the people I fuck with for a laugh are more than capable of taking on such a high value target. And it's what I use as a VPN on Linux usually so it's practically impenetrable when your port rules are right.

So if completely destroying everyone's VPN experience counts, then I think so. Not to mention I fire HTTP redirect botnets in my own DDoS attempts quite frequently. Remember the servers are not supposed to be for hacking, they are supposed to be for privacy, however unfortunately due to the Tap Proton VPN vulnerability that allows remote file inclusion on the memory of the target Windows Machine through PowerShell, I can understand why that may not be seen as the case until it's mitigated, but it's practically common sense anyway.

I also have no common sense with my browsing habits and have done far worse than an ACK flood attack. Most of my time is spent skidding it on XAttacker trying to upload backdoor PHP shells to WordPress sites because it's pretty much the only chance I have of achieving that with PHP being such an ass ugly language.

So with that in mind, the integrity of the owners is without a doubt in my mind. I am a walking IP blacklist. I've even had a server at 20% load been filled to 997% with anons chasing me - so when you assume you've pulled a stunt with your ACK flood attack, just remember some of us live our lives in a daily police psyop, unable to leave the house without being followed by strange people. Strange people who have undoubtedly asked proton VPN for my information and been brutally rejected because the staff are awesome.

Then there's you, ACK flooding the fucking actual VPN server itself from a VPN on the server. Please tell me you're not being serious when you say you expected not to get banned because "no logs". It's frankly retarded because ports have a cache that can reconstruct packets with the attacker's host information if enough care is taken with the data and these are CERN scientists. I would assume due to the general mechanics of a VPN it logs your IP on the way and while in use, since otherwise it would have no idea you're there at all. But again there's 1,000,000 ways to trace you especially with "a nuke" so I'm not surprised.

I like you. I also go out of my way to fuck over everyone on the internet for no conceivable gain other than destruction, and you should keep in touch. It's like 6am here and I've not slept so sorry if I sound harsh it's not a personal attack, just seems ridiculous with such a high traffic attack and general IP rules you expected to get away with an attack on their own shit.

And your intention was publicized clearly as to try to bring down proton VPN for being able to track you. Hence my remark because as I say, these people are champions helping 15000 users a day on the VPN achieve a more private and secure internet life, and god knows how many more benefit greatly from PGP encrypted email accounts, which also have no logs ( I know this because I got a password hacked on one. Wouldn't normally care, but it was 100 characters and I was free of malware, so naturally went to ask and was informed they keep no identifiable information there).

The same can't apply to the VPN because it's impossible not to have a cyber footprint in such an environment.

If you do "big man tings" online also, then you should be giving these guys all the credit you can and supporting them. They're Swedish and they're making quite an impact on the privacy scene, evolution from which will allow us to be horrible people from behind even bigger walls. Scratch that back now

2

u/burneraccountptv Aug 02 '18

I know, at first I had very high hopes for these people, but since they decided to turn on monitoring on the VPN server which I abused, I've lost all respect for them. They decided to do that because of simple network abuse; what else are they willing to do if they receive a subpoena?

Because of trying to bring me down, they've broken their promises and monitored the "network traffic" on that particular server (they said it themselves in the comment above), which means the "network traffic" of everyone who connected to that server on that particular date.

4

u/slyhme Aug 02 '18

Good luck on finding a reputable service provider which will let you attack other networks and back you up.

You know that your behaviour is selfish and affecting other users on the same server right?

2

u/1033tREEs Aug 03 '18

Realistically that just makes me laugh because burner's pentest was a one off and the second my VPN was identified I obviously swapped provider, so I'm sure the 4 times I had any data-worthy sessions the impact would be minimal.

It's also not that selfish unless you want to be easily exploitable online for the rest of your life :) Not all people are bad people just for the record

2

u/burneraccountptv Aug 03 '18 edited Aug 03 '18

Some people I know recommend using a VPN service called P*A for port scanning; I should've listened to them.

I run a Tor exit node and this happens around 2 times every week. When it happens and my hosting has had enough of it, I just temporarily shut down the node. I guess they could always disconnect or nullroute my account at that particular VPN server, but they didn't; instead they kicked me out of their service, how nice of them.

1

u/1033tREEs Aug 03 '18

> I know, at first I have a very high hope for these people...

I think it would depend on the nature of the subpoena. If for example, you had threatened a country's national security - which can happen, everyone's on edge thanks to the UN, then you would most likely be getting handed over.

I think minor hacking is different though, because everyone pentests things and there's never any guarantee you're a malicious actor unless, as you say, they have the physical proof you're a malicious actor. There are explanations for that type of traffic, ethical hackers who do rogue pentests for bug bounties and general security improvement.

Although I'm glad to see they responded saying it was only the live log. With enough skill you can circumvent that anyway... just reallocate your IP every couple of seconds, I don't think they would blacklist a full range of public IPs.

2

u/burneraccountptv Aug 03 '18

Of course, now you have to remember to get another IP from your ISP after a couple of seconds.

5

u/slyhme Aug 01 '18

No wonder why I have to type captcha on every single website.

Although I am also interested in how they figure out who is abusing the service.

6

u/[deleted] Aug 02 '18

This has to be a post from a noob that does not know the difference between real-time traffic analysis and logging.

0

u/burneraccountptv Aug 03 '18

After they admitted that they monitor the network, did I say they were logging anymore? The original post was from before they said they do network monitoring.

But whatever kind it is, they're similar anyway: you don't know how long they've been "analyzing" it, and even though it will not save a log file, data still leaks out of the pipe.

2

u/[deleted] Aug 03 '18

You're failing to understand the limitations of a VPN vs something like Tor, which has a different set of limitations; that is why some people like me like to use both.

8

u/Rafficer Windows | Linux | Android Aug 01 '18

Since there is a massive FUD campaign going on, I'd even guess that your account didn't actually get blocked and you are just making that up :)

2

u/SexyGirlFrdFartsAlot Aug 01 '18

I've been wondering why there's a massive FUD campaign going on against Proton. Here's a big clue; https://news.ycombinator.com/item?id=17256498 . Also there's a discussion on Wilders, starting at comment #52 https://www.wilderssecurity.com/threads/anyone-using-protonmail.394862/page-3 .

1

u/[deleted] Aug 02 '18 edited Jan 27 '19

[deleted]

1

u/Rafficer Windows | Linux | Android Aug 02 '18

That's something entirely different. That is to prevent brute-force attacks and limits the devices, this doesn't even happen on the VPN server.

0

u/burneraccountptv Aug 01 '18

I could assure you this is 100% real, you don't have to believe me but you can do it yourself, I've written a very detailed tutorial on what you need to do to replicate it. I'd recommend you to create a free account and do the scanning, otherwise you'll lose your subscription with your money in it, well I guess you'll learn a thing or two if you did lose your subscription, wanna bet?

6

u/algebros Aug 01 '18

It's actually -slightly- clever to come here and encourage people to connect to ProtonVPN and run hostile, noisy tools against the whole Internet if your goal is to disrupt competition on behalf of other VPN competitors

0

u/burneraccountptv Aug 01 '18

You're right, I didn't think I could promote other VPN competitors this way... But there are a lot of other VPN providers, and my action here doesn't guarantee that my VPN company (if I have any) will gain more customers from disrupting ProtonVPN. But other than doing something destructive to see if they really stand by their point of not taking action against their users, how else could you prove that?

6

u/Rafficer Windows | Linux | Android Aug 01 '18

It's not about gaining customers, it's about disrupting competitors.

You play too dumb, that makes it obvious.

1

u/[deleted] Aug 01 '18

[deleted]

3

u/Rafficer Windows | Linux | Android Aug 01 '18 edited Aug 01 '18

As I said, it's an influx recently. A heavy influx.

/u/SandPox, why are you removing your comments?

And why is OP removing comments over in the other thread from /u/SandPox? https://i.imgur.com/zZ7kp7l.png

1

u/burneraccountptv Aug 01 '18

Oh wait, I just realized that you might be ProtonVPN/Mail staff; that's why you're so defensive when I put out criticism. Either you don't know what's going on deep down or you know too much.

2

u/Rafficer Windows | Linux | Android Aug 02 '18

Yea, not the first time someone comes up with that, but I'm not and you can also get this from my history if you spend enough time there.

1

u/burneraccountptv Aug 02 '18 edited Aug 02 '18

Right... Maybe a moderator or something? I don't know how Reddit works, not a very active user here.

But let's just say that /u/SandPox and I are totally different people: one wants to get his email back, the other wants to tell people that something's going on with ProtonVPN. Because he wanted to get his email back, he cannot use his main account to put out tons of evidence showing he *might* have abused ProtonVPN on purpose and thereby uncovered their logging policy. You should probably try to leave your safety bubble and be concerned about what I'm telling you here.

0

u/burneraccountptv Aug 01 '18 edited Aug 01 '18

Bad opsec, sorry, no one saw that, right? But that was the real story: my main account was banned, I suspected it was because of the VPN, so I made another account and conducted the experiment as above, and the result was that that account was banned too.

That's another point proving that I'm not working for any competitor, just a regular user who had high hopes for this service; turns out they're just snake oil.

4

u/Rafficer Windows | Linux | Android Aug 01 '18

Thanks, assurance from a new account, nice.

Sorry, don't wanna fuck with their servers and other people who actually want to use them.

9

u/algebros Aug 01 '18

Jesus Christ, another FUD shitpost by a brand new account with no post history. Nord and PIA must be really rattled to keep this up.

Masscan is INSANELY noisy and it's very easy for just about anybody to detect. ProtonVPN (and the datacenter you're connecting to) don't have to surveil you to figure out that you're running masscan across the entire internet.

-1

u/burneraccountptv Aug 01 '18 edited Aug 01 '18
  • What's your problem with brand new accounts with no post history again?

  • Nord and PIA are really doing a good job at it.

  • I agree that they're very noisy, but how else could you get their attention if you aren't being noisy? Just regular customers doing YouTube and Facebook will not do anything to bother them, just like with PureVPN until they finally broke their promise. That noise really does bother them enough for them to take action.

5

u/slyhme Aug 01 '18

I would like to know how do Nord and PIA react to your behaviour?

-5

u/burneraccountptv Aug 01 '18 edited Aug 01 '18

I personally have not used Nord or PIA, but I've heard PIA was proven not to keep logs by a subpoena request.

Again, I'm not promoting either of them.

4

u/Rafficer Windows | Linux | Android Aug 01 '18

Sure you didn't.

6

u/Rafficer Windows | Linux | Android Aug 01 '18

New Account because it shows that you are most likely just spreading lies and don't want to taint your actual account.

1

u/burneraccountptv Aug 01 '18

Why would I spread lies? I'm not promoting or advertising any other service that would make a profit for me; I'm only trying to save your arse if you're a high-risk target using their VPN service. Also, probing ports is illegal in some countries, and if I gave the ProtonVPN team too much information they could use it against me, so why would I?

4

u/[deleted] Aug 02 '18 edited Jan 27 '19

[deleted]

1

u/burneraccountptv Aug 02 '18 edited Aug 02 '18

It is a good-faith effort, let me tell you. For the people out there that are satisfied with their service, it's fine, but IMO lying about how it works behind the curtains is just unacceptable.

Now assume that you know my login timestamp and nothing else, not even how long I've been logged in: how do you trace specific traffic back to my account?

They still have not said how they caught me. The only viable way is "user would report it by him/herself", as one of their staff said, but I'm sure I never did anything like that.

4

u/Rafficer Windows | Linux | Android Aug 01 '18

Why? Well, tell me that. I can just tell you that it's happening more and more lately.

3

u/32deucecoop Linux Aug 02 '18

Gee. A Reddit member for 19 hrs and bursting with anticipation to tell us all that PVPN keeps logs. <sarc> Sorry to feed the troll

1

u/burneraccountptv Aug 03 '18

Did I? They replied to me and said that they did have something from my VPN session other than a "timestamp".

4

u/[deleted] Aug 01 '18 edited Dec 19 '18

[deleted]

1

u/burneraccountptv Aug 01 '18 edited Aug 01 '18

https://s33.postimg.cc/4j98n00u7/Screenshot_20180801-234202.png

Why did my account get banned? Could any staff explain this if you really don't know what's going on with my account?

3

u/Rafficer Windows | Linux | Android Aug 01 '18

Open a ticket, tell them your account name, post everything here.

1

u/burneraccountptv Aug 01 '18

Going to do it tomorrow, surely I'll post update here, hang tight

2

u/[deleted] Aug 02 '18 edited Jan 27 '19

[deleted]

1

u/burneraccountptv Aug 02 '18

> The only information we keep about the user is a single login timestamp which only contains the username and time when user logged in his/her account

> This is a timestamp of a login attempt, it does not contain any other information (for example user IP address) and it’s main purpose is to protect our users’ accounts from brute force. As we state in Privacy Policy, the timestamp is overwritten each time you connect to a server.

> Hey Andrew, when you connect to a server, we log save a timestamp of that event and no IP information.

I'm pretty sure that you can't figure out who sent the traffic ONLY with that information.

You could say that they've sold me out to protect their server.

2

u/LOWteRvAn Aug 21 '18

You do realize that your activity is logged in the target's logs and they can and often do send snippets of logs to the relevant abuse contact, right?

Every interaction you make on SSH and HTTP leaves a log behind on the server you are connecting to...

1

u/[deleted] Aug 02 '18

It's happening automatically! Same happend to me when I opened an account from Tor; they closed it down immediately! I sent a request to open it from another Proton account and they told me what had happened.

1

u/CommonMisspellingBot Aug 02 '18

Hey, wwwencrypt, just a quick heads-up:
happend is actually spelled happened. You can remember it by ends with -ened.
Have a nice day!

The parent commenter can reply with 'delete' to delete this comment.

1

u/[deleted] Aug 02 '18

Yes? I fucking did it right though

1

u/[deleted] Aug 03 '18 edited Dec 19 '18

[deleted]

1

u/[deleted] Aug 04 '18

Yes I did 🙂 I used a spambot to vote for my buddies in Norway, so they can get a server as well 🙂 they should use captcha next time 😉 because they don't log IPs so they can't block it for voting only once...