The criminal complaint has a lot more information[0] in what is a much deeper and involved story that this headline doesn't really do justice to. Lin had stalked her in person for over a year with a host of incidents - the affidavit is almost 30 pages long and the story is stunning.
She had a laptop in her room with no login and a file containing passwords. The accused stole all of her account details and taunted her in person using information she had written in a private journal that she hadn't shared with anybody.
He was also using his work computer to access her iCloud, Google Drive, etc. and then send bomb threats, child porn, personal diary entries and sexually explicit photos to her contacts, school and family.
After he was fired he wanted access to that computer, which his employer refused. They reformatted the drive but the FBI picked it up and found all of these artifacts on that machine (including the PureVPN software and account).
This is a case where the FBI have started with a suspect and then worked backwards to build a criminal complaint. In those cases it is much easier to look at his financial records, find that he paid for a VPN service, subpoena the VPN provider for account records, and then link that VPN account and service with IP access as another data point for the criminal complaint.
In this case it was even easier - they had the VPN provider and account details, along with a host of other evidence, on his computer.
This isn't a case of starting with an IP address and then working back through a haystack to find a suspect - but rather affirming a link that was suspected, and found, to exist.
He didn't compartmentalize his real identity from his psycho stalker identity, and this combined with the accused's horrible real-world behavior is what led to his arrest.
Thanks for that link, it's interesting to see how the FBI operates. What always confuses me is how liberally the feds use "Wire Fraud" 1343. In the report I don't see evidence of Lin trying to obtain money fraudulently through the internet cabling. But over and over I see "Wire Fraud" 1343 tacked on if there are any computer abuse type charges. It must be super easy to get a conviction of Wire Fraud (/ impossible to defend yourself).
"Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any"
It must be for property or money. I am not following. When did Lin try to gain money or property using fraud? It just doesn't make sense to 'throw on wire fraud' - the charge in the US is more serious than rape or kidnapping.
It’s a criminal complaint. Also, “having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses” parses as “any scheme or artifice to defraud” or the obtaining of money or property. The three-part test is intent, a “wire” (i.e. Internet) communication and that “or” test. He intentionally logged into her Internet accounts, and sent emails from them, while fraudulently claiming to be her.
Disclaimer: I am not a lawyer. This is not legal advice nor advice of any kind. Do not commit wire fraud.
The affidavit doesn't lay out the case for wire fraud or several of the other mentioned offenses. They are only mentioned as a passing reference to all the crimes for which the FBI is investigating Lin. Only the cyber-stalking count is discussed in full.
The bomb threats weren't limited to her: most of the schools in my town (one over from Newton) got bomb threats. Lots of bomb threats. Mostly at 4:15AM, but some during the school day. Sometimes for three or four days in a row.
> PureVPN's Privacy Policy: We do NOT keep any logs that can identify or help in monitoring a user's activity.
> TorrentFreak: However, if one drills down into the PureVPN privacy policy proper, one sees the following:
> Our servers automatically record the time at which you connect to any of our servers. From here on forward, we do not keep any records of anything that could associate any specific activity to a specific user. The time when a successful connection is made with our servers is counted as a ‘connection’ and the total bandwidth used during this connection is called ‘bandwidth’. Connection and bandwidth are kept in record to maintain the quality of our service. This helps us understand the flow of traffic to specific servers so we could optimize them better.
> TorrentFreak: This seems to match what the FBI says - almost. [followed by further explanation]
The VPN he was using honestly would have been fine to protect you from drag-net style surveillance, but he was specifically targeted by the FBI. By the time the FBI opens a case against you you're most likely totally fucked, regardless of what software you use.
I doubt anything will help you if the FBI makes you a priority; they have virtually unlimited resources.
If half of what the affidavit says is true, this guy (IMO) deserves 20-to-life in jail: https://regmedia.co.uk/2017/10/08/lin_complaint_pacer.pdf He really pushed his luck and the FBI responded with all they have.
>> PureVPN's Privacy Policy: We do NOT keep any logs that can identify or help in monitoring a user's activity.
Just further confirmation that these lip-service policies used by VPNs are completely meaningless. Remember this the next time you use a commercial VPN for "privacy".
>even though this had been formatted after his employment was terminated, the FBI was still able to gather data from the hard drive.
Usual misinformation: the company only reinstalled the Windows operating system (clearly without reformatting the volume(s)), as in the affidavit:
regmedia.co.uk/2017/10/08/lin_complaint_pacer.pdf (point 37, page 16).
Also, according to the affidavit, what actually comes out from PureVPN is only that the same user connected to them from two different IPs, corresponding to the home/work of the suspect. (point 52, page 22)
And that some traces of use of PureVPN were found in (the unallocated space of) the work computer. (point 58, page 24)
Simplified, IMHO 99% (maybe 99.99%) of the case is based on non-PureVPN derived evidence.
Reinstalling Windows in itself does not necessarily imply reformatting; for all that matters you can just delete files in the filesystem and reinstall. But my note was more about the behaviour of format: up to XP, when you ran format on a volume there was no way to 00 it [0], while since Vista it is the default [1].
Unless the /q parameter is used (or the "Quick Format" option is chosen) the format command will 00 the volume.
Of course if the task at hand is "reset a computer removing traces of what the old employee did and have a brand new OS" using a "Quick Format" is not particularly smart, I should have written "without reformatting properly".
If you try and install Windows onto a drive that Windows is already installed on and basically just click through Next through the installation process, then Setup will tell you:
> "If the partition you've chosen contains files from a previous Windows installation, these files will be moved to a folder named Windows.old"
If you then click OK, Setup will create a Windows.old folder, move the old Windows dir and user dir to Windows.old, and then install as normal.
If you delete the existing partition during the setup (or it's a fresh drive), Setup needs to create new partition(s) and will do it automatically if you wish, after which it will do a quick format.
EDIT: Reading the PDF they point to, it states that the OS was reinstalled, leading to data deletion, but they were able to find various artifacts in unallocated space. So they may or may not have formatted the drive, but most likely at least deleted the partition; but even a full format doesn't zero out the drive (unless you give format.exe the /p: argument).
>but even a full format doesn't zero out the drive (unless you give format.exe the /p: argument).
A "normal", "full" format will wipe the volume; /P is implied unless /Q is specified (since Vista; previous versions didn't have /P at all). The /P:count parameter additionally (why?) repeats the overwrite a number of times, using random characters:
>/P:count Zero every sector on the volume. After that, the volume will be overwritten "count" times using a different random number each time. If "count" is zero, no additional overwrites are made after zeroing every sector. This switch is ignored when /Q is specified.
>/p:count = This format command option writes zeros to every sector of the drive: once. If you specify a count, a different random number will be written to the entire drive that many times after the zero writing is complete. You cannot use the /p option with the /q option. Beginning in Windows Vista, /p is assumed unless you use /q [KB941961].
Yep, no prob, I also posted a link to that kb above (but maybe it was posted after your post and went above your reply because it was a direct reply to roywiggins' post).
Anyway, I also wanted to highlight that since the company where he worked was specifically a "software company" (I mean, not a mom-and-pop shop around the corner or similar), the IT guys over there should have wiped the disk anyway, possibly using the SecureErase ATA command (which also wipes disk areas that are not normally accessible); it should be "standard" procedure.
The fundamental structure of the Internet is not designed for anonymity. That's why this is ultimately a losing battle. Strong anonymity needs a different network structure and transport protocols, and trusted, open hardware and software stacks from the ground up. A chink anywhere can be used to insert malware and track/target users. The existing networks and stacks are impossibly hard to secure and plug all the holes.
Can user account information really be called "logs?" This article misled me into thinking PureVPN kept activity logs, but the end of the article makes it sound like they just store an email address. Did I misread?
I read it to mean that he accessed his Gmail account while using PureVPN, which really raises more questions than it answers because PureVPN should have no way to know which Gmail account is being accessed, regardless of what logs they keep.
It seems pretty simple. PVPN keeps logs of when end users connect. Google keeps logs of which IPs access accounts.
Google discloses that the victim's account was accessed by a set of IPs. Those IPs are known to belong to PureVPN. A list of people connecting to those IPs as clients is requested by the FBI. The connection logs validate their suspicions.
My question is: was the information from PureVPN like the statement says, or was it misworded and about his use of the VPN? Were there actually logs, or did they match up his IP address after finding PureVPN on the computer and obtaining the accessing IP from Google and putting them together?
All you suggest is likely it. The logs show time connected, how long and how much bandwidth. If they knew the IP in question and timeframe based on how the VPN keeps logs, they can ask Google a very precise question about access from said IP and find out that they indeed were connected at x time from x IP. I imagine with warrants and all.
Even if they acted on a subpoena, it means they had the logs nonetheless. Which still makes them liars and they are deceiving their customers.
I believe choosing a trustworthy VPN is an actual challenge.
The fact that this nut-job called Ryan Lin got caught is fantastic. But I want to choose if a company has data about me or not. What if the data exchange doesn't happen with the FBI, but with malicious individuals?
I use https://protonvpn.com and I trust it. A transparent team with an already successful product (protonmail) working towards making privacy the norm. A group of scientists, not hackers or liars.
> he is alleged to have used Tor, anonymized online testing services and PureVPN in an attempt to protect his identity
Well, a VPN can protect your privacy up to a certain degree. If you go over it, there are always methods to dig you out, especially if the FBI is the one hunting.
The only possible way to protect your privacy is to use anonymous services like Tor etc. But even those services can't guarantee 100% anonymity as there are still ways to compromise them.
"especially if the FBI is the one hunting" is very true. Even using TOR, I remember a college student who made a bomb threat over TOR to get out of a test and got caught because they were able to see the activity on the TOR network during the time the threat was made and traced it back to his dorm.
I thought they found him because he was the only one on the campus network accessing TOR at the time of the bomb threat. Which really says nothing about TOR or anything else because they saw input and output, the middle might as well be a black box. And if you really don't suspect a real bomb, and know the traffic came through TOR, the first thing I would look for is which students used TOR and which students had tests that day. Pretty easy to narrow that down.
Sure, which was exactly my point. There are a multitude of external pieces of data that can be used to track you down if the people going after you have the resources.
That student was the only one using TOR while the threat was made. If he had made up a plausible excuse for that he would probably have won; they didn’t get at the contents of his traffic.
But that's the problem. If he had been smart, he would've used a public wifi somewhere without CCTV. There's a big difference between using ISP logs and really identifying a user through TOR.
If the user here hadn't used his work computer and had paid for the VPN account with bitcoin (using another email address), it would've been much, much harder for the FBI to track him.
> Further, records from PureVPN show that the same email accounts -- Lin's Gmail account and the teleprtfx Gmail account -- were accessed from the same WANSecurity IP address.
How would PureVPN records be able to show which GMail account he was accessing? This will all be HTTPS.
If the FBI knew of his email address, and they know which host you're accessing (even via https), then they can deduce that it was a Gmail account access. Then they can compel Google to provide their logs to corroborate (based on timestamps).
"Rather, I think the account matching described in the affidavit says the FBI could have identified which VPNs Lin used via orders to Google, Facebook, and other tech companies, and using that, obtained a pen register on PureVPN collecting prospective traffic. I don’t think what is shown proves that FBI obtained historic logs (though it doesn’t disprove it either)."
That still seems to be at odds with "We do NOT keep any logs that can identify or help in monitoring a user's activity."
If they were ordered to keep some logs, they should say "We do NOT keep any logs that can identify or help in monitoring a user's activity, except in the event that we have been ordered to do so."
> Since PureVPN is committed to freedom, and doesn't support crime, we will only share information with authorities having valid subpoenas, warrants, other legal documents or with alleged victims having clear proof of any such activity.
So I think it's likely they would link connection records back to individual users, and if you did that enough times (perhaps only 2 or 3 occurrences?), you'd know which individual user was responsible without any detailed logs?
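As an added illustration of the correlation the two comments above describe (this is not code from the thread or from any provider), here is a Python sketch that joins a "connection time + duration" VPN log against a mail provider's login log. With a shared exit IP a single event leaves several candidate accounts; intersecting two or three events leaves one, which is the point about "no activity logs" still allowing attribution. All account names, IPs and timestamps are constructed.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample data, not taken from the affidavit.
# A provider that keeps only "when did account X connect, for how long"
# per session still produces records like these:
VPN_SESSIONS = [
    # (vpn_account, shared_exit_ip, connect_time, duration_minutes)
    ("user_a", "203.0.113.10", "2017-02-01 09:00", 60),
    ("user_b", "203.0.113.10", "2017-02-01 09:30", 20),
    ("user_a", "203.0.113.11", "2017-02-03 21:00", 45),
    ("user_c", "203.0.113.11", "2017-02-03 20:50", 90),
    ("user_a", "203.0.113.10", "2017-02-05 08:00", 30),
]

# A mail provider's own log of logins to one mailbox: (source_ip, time).
# The source IPs are VPN exit addresses, which is all the mail provider sees.
ACCOUNT_ACCESSES = [
    ("203.0.113.10", "2017-02-01 09:40"),
    ("203.0.113.11", "2017-02-03 21:10"),
    ("203.0.113.10", "2017-02-05 08:05"),
]


def _ts(s):
    return datetime.strptime(s, FMT)


def candidates_for(access, sessions):
    """VPN accounts whose session on the matching exit IP was open at access time."""
    ip, when = access
    t = _ts(when)
    found = set()
    for account, exit_ip, start, minutes in sessions:
        if exit_ip != ip:
            continue
        begin = _ts(start)
        end = begin + timedelta(minutes=minutes)
        if begin <= t <= end:
            found.add(account)
    return found


def narrow_suspects(accesses, sessions):
    """Intersect the candidate sets across all access events.

    Returns (per_event_candidates, accounts_consistent_with_every_event).
    One event on a shared exit IP yields several candidates; a few
    independent events usually leave a single account.
    """
    per_event = [candidates_for(a, sessions) for a in accesses]
    linked = set.intersection(*per_event) if per_event else set()
    return per_event, linked


if __name__ == "__main__":
    per_event, linked = narrow_suspects(ACCOUNT_ACCESSES, VPN_SESSIONS)
    for (ip, when), cands in zip(ACCOUNT_ACCESSES, per_event):
        print(f"{when} via {ip}: candidates {sorted(cands)}")
    print("consistent with every event:", sorted(linked))
```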
I agree, "No logs" means they don't / can't respond to blanket DMCA style "identify this user" generic requests.
It doesn't mean they'll go to court to protect your identity in a criminal case, you'd be very foolish to expect any company you're paying $10 a month for to do that for you as an individual.
Both claims are in the first paragraph of the privacy policy though, if you don't read even the first paragraph of a privacy policy for a service you're buying to get privacy, I don't know what you'd expect!
Main rule in operational security: things you do not own AND cannot be audited cannot be trusted.
In this case: run your own VPN endpoint on a security hardened BSD or Linux box with your own hardware (preferably in your own rackspace or at a hosting location which is trustworthy)
> run your own VPN endpoint on a security hardened BSD or Linux box with your own hardware
In another country where you paid with bitcoin or prepaid credit cards; otherwise the IPs assigned to that hosted server will be associated with you and offer zero protection from an FBI raid.
That said, there are always some logs. The VPN provider may not keep session logs, but their upstream could easily log connections to the PureVPN boxes. You can use the upstream log to cross-reference with Gmail account accesses of potential suspects and you can establish a link.
Not to mention that no US based company is going to fight a subpoena/gag order from the US authorities for a lowlife online stalker.
edit: I see now that PureVPN is based out of Hong Kong, so the statement about subpoena may not apply.
In their Windows client PureVPN's default setting for a long time was 'No encryption'. The company had some fast servers but technically they were never privacy savvy, far from it.
I think you are conflating two different issues. Yes bad people are bad and should be punished. Does that mean that good people don't get what they think they are getting when buying services (if in fact that's what happened here)?
Another way is: there are two options. Either we have strong anonymity on the Internet, or the authorities have the power to catch criminals. Which one do you think would win in a vote?
I don't know if this was a rhetorical question with an implied and obvious answer, but to me it actually is a curiosity, I have no idea which one would win a vote.
Those who paid attention knew that Trump needed to win votes in specific states, not on the Upper East Side or in the Bay Area, just like those who pay attention realize that only places like the Bay Area or Upper East Side would have people voting for anonymity vs. the ability of police to solve crimes.
Could you explain? I mean, if the government has the ability to catch criminals that think they are anonymous then how exactly is true anonymity of non-criminals maintained?
To be clear, of the two evils I'd prefer having the risk of a few bad people getting their way than to trust the "good government" to always protect me by knowing everything about me, but this is far from a trivial subject. In some ways this is analogous to the issue of the right to bear arms. There's always a tension between safety and liberty and it's not always clear where the optimal line should be drawn.
Everyone knows if you want true anonymity when conducting criminal activity you don't use a service with a dollar trail straight to you. You use a system you've gained unauthorized access to and you doctor or delete the logs. Criminals have no qualms illegally accessing other people's systems, so it's not logical that giving non-criminal users access to true anonymity would give the criminal users any capabilities they don't already have. In fact there could be benefits to non-criminal users of such a system possibly shielding them from certain types of criminal activity, so it is not even true that society inherently has more to gain by prohibiting truly anonymous networks.
Point taken regarding criminals using criminal methods to gain anonymity, and I have little doubt that often the real agenda behind government action in this field is accumulation of power and control over the population in the guise of protecting it. However, like with guns, when there is an abundance of them and they can be easily and legally obtained, you will probably end up with more casualties by criminals who would otherwise perhaps not have seen the investment (and risk) in obtaining one worthwhile. To be clear, I am for everyone's freedom for total anonymity and believe it is a faster way to a better world than trusting governments with too much power - it's just that I think that it doesn't come without a price.
You can't. Any network having strong anonymity needs to have zero negative effects on the real world by design. The Internet is not that. It is inextricably intertwined with huge areas of our 'real' world. So strong anonymity on the Internet will never happen, politically. At most there'll be some subnet like Tor or Freenet and even those aren't immune from legislation.
could have obtained 'records' live instead of from logs...
vpn provider can easily break your crypto if they need to, mitm you and get cleartext 'records' from live data. that being said, i think most vpn providers log because they are forced to do so by law. if you don't want your vpn provider to play along with fbi or nsa, try a russian one or so... they will cooperate with other agencies though ^^...
probably some lame story will come back, if any, by purevpn, as if fbi did some mitms from their services / on their services, they would probably not be allowed to speak of the details of how this was done and what was done..
purpose of vpn is to hide your location mainly, if u want it to protect u from your country's agencies, don't pick one in your own country and be very specific on which one you choose... >.> seems like a case of poor choice and awareness on the user's part more than the vpn provider, who is probably unable to stop these kinds of intrusions by the agencies without getting taken down...
> vpn provider can easily break your crypto if they need to, mitm you and get cleartext 'records' from live data.
Could you elaborate on that? I'm going to China soon and don't know if I should trust commercial VPN providers. I was under the impression that if I use SSL/TLS it's impossible to MITM my connection.
If an entity can mint certificates that are signed and appear legit then MITM is possible. We have so many certificate authorities now that it is possible our certificate trust is failing us or can fail us.
Google Chrome can detect a Google cert that is not legitimate because it has embedded the certificate fingerprints in the browser for its public certs. We don't have that benefit elsewhere.
Might some state actors have cert-signing ability? You be the judge.
It's not that simple - it depends on the implementation. Otherwise, if your browser trusts a root cert which was issued by the Chinese gov, what's to stop them doing the MITM? I mean, they issued the cert.
However to mitigate this, VPN providers (some of them) implement checks to make sure they only trust particular root certs, which makes doing mitm much harder.
Re your trip to China, I would not be worried about that though - 30% of Internet users in China are using VPNs daily, so it's not like you will be flagged and get locked up for using a VPN. Pick one of the reputable ones (NordVPN?) and you should be good.
It may be impossible to MITM your connection. However, it is entirely possible for the authorities to just prevent the connection from working in the first place.
[0] https://www.justice.gov/opa/press-release/file/1001841/downl...