FBI affidavit against Ryan S. Lin in cyberstalking case (2017) (justice.gov)
120 points by LinuxBender on Jan 16, 2019 | 65 comments

The relevant bit is on Page 22.

>Further, records from Pure VPN show that the same email accounts - Lin's gmail account and the teleportfx gmail account - were accessed from the same WANSecurity IP address. Significantly, Pure VPN was able to determine that their service was accessed by the same customer from two originating IP addresses: the RCN IP address from the home Lin was living in at the time, and the software company where Lin was employed at the time.

Also, it seems Lin knew or suspected this at least, seeing as he doesn't believe in a VPN service that doesn't keep logs:

>For example, on June 15, 2017, Lin ... re-tweeted a tweet from "IPVanish," that read: "Your privacy is our priority. That's why we have a strict zero log policy." Lin criticized the tweet, saying, "There is no such thing as VPN that doesn't keep logs. If they can limit your connections or track bandwidth usage, they keep logs."

This will be a useful .pdf to keep on hand because I also don't believe in VPNs that don't keep logs. At a minimum they'll keep 30 days' worth and in many countries may actually be required by law to keep them longer than that even (60-90 days usually).

As an aside, it's good to see another example that the FBI does actually investigate cases of cyberharassment and takes doxing seriously, contrary to popular opinion.

E: A few typo fixes and the last 4 words.

I opened the document expecting to sympathize with Lin. In my imagination this was some FBI surveillance state overreach, or "cyberharassment" thing getting overblown.

Instead, reading through the allegations, Lin came off as abominable. Contrary to your conclusion that this shows the FBI takes cyber harassment seriously, it seems like law enforcement generally allowed Lin to publicly subject this poor woman to psychological torture for a couple years before doing anything about it.

Provided the allegations are true, whatever sentence he gets will not be enough...

> Provided the allegations are true, whatever sentence he gets will not be enough...

He has already been sentenced to 17.5 years in federal prison (and federal time has no parole).


> has no parole

Also, this is not going to be some "white collar resort" prison!

Anyway, it's worth noting how Lin's behavior was not just criminal to the point of outright sociopathy, but also - like most criminals' - incredibly lazy and complacent. That anyone knowledgeable in a CS-related field could target a vulnerable individual in such an extreme, sustained and long-lasting cyber-abuse campaign and expect to get away with it, is rather surprising to say the least.

Why would you expect to sympathize with him? Is it usual (i.e. more likely than not) that cases of cyberharassment are overblown, or based on faulty knowledge, or outright false? It's strange to me that someone would immediately be so skeptical, unless the rate of false accusations is higher than the rate of true accusations (at least insofar as determined by the imperfect legal system). Is that the case? I'd like to be corrected if it is.

I don't know what the rate of false or overblown allegations is. I wrote above about my intuition and not my judgment after a considered study of the issues and evidence. It's just what I expected.

As for why my intuition went that way, I suspect it's because, from the title, I felt like Lin was wronged by the VPN company which misled him, I generally distrust the FBI, deanonymizing VPN traffic seems troubling to me, "cyberharassment" sounds more like being mean to people online than the things Lin did and I don't think sending rude words to people should be criminal, and I suppose that I personally am more likely to be (falsely) accused of cyberharassment than I am to be victimized by it which probably results in implicitly identifying more with the attacker than the victim.

I don't think "cyberharassment" sounds like being mean online at all, I think it's what most would consider harassment but conducted through the Internet to the extent that it is possible to do so, and it may even be more pernicious, since it is very easy to stalk people and submit anonymous comments via the Internet. In the same way, I'd also assume you are personally more likely to be falsely accused of rape than you are to be victimized by it - simply because you're probably not a rapist. It does not have much to do with the fact that most rape allegations are true, at least to the extent we determine in legal courts.

Maybe we should think about how we act online if we feel that there is a significant risk of being accused of cyberharassment, even if such conduct should not be illegal (and I suspect we also disagree on where the line ought to be drawn here).

"Harassment" can refer to a variety of behaviors. I feel "harassed" by telemarketers insisting I apply for a loan or buy whatever they're selling. If someone were to repeatedly bother me at the mall trying to sell me something, I'd think of that as them "harassing" me to buy something etc. Harassing seems to me like repeatedly being a nuisance.

In the context of criminal behavior I'd expect harassment to be a campaign of intentionally bothering someone and invading their space. I'd assume someone like Lin might be guilty of criminal harassment if he waited outside this girl's house and lewdly propositioned her every day, bothered her at work, etc.

I think we should have a higher bar for what constitutes cyberharassment because it's so much less invasive and threatening than physical harassment and so much easier to ignore. It's also possible that it's easier to inadvertently participate in cyberharassment when you can't see how the other person is reacting to you or feel how inappropriate the behavior is.

What Lin did in this case is far beyond any of what I described above. I think of his behavior as transcending what I'd describe as cyberharassment - in my earlier comment I called it psychological torture and I think that's far more apt than cyberharassment which seems too milquetoast a phrase for what happened here.

The title changed! I hate when Hacker News does this. Before, it was:

> FBI arrests PureVPN user with log data that was said to not exist (justice.gov)

Nothing about cyberstalking. I too figured it was going to be something stupid like piracy.


I think you're behaving inappropriately by implying I'm some sort of misogynist ("a certain segment of the tech community", implying I think "women and sjw's" are trying to "emasculate" men or create fake rape accusations). Your implications are not only inaccurate and unwelcome, they are unwarranted. No fair reading of what I wrote could reach the conclusion that I suspect women are faking cyberharassment or rape allegations.

Kindly remove or correct your comment. Thanks.

>Provided the allegations are true, whatever sentence he gets will not be enough...

While Lin is undoubtedly a terrible person, I still think 17.5 years in federal prison is rather excessive unless you've actually killed someone.

I mean, the special agent even calls it a fact:

"the fact that VPN's track activity with logs."

>As an aside, it's good to see another example that the FBI does actually investigate cases of cyberharassment and takes doxing seriously, contrary to popular opinion.

Seriously, all this over a roommate found on Craigslist. I did like the part where his victim repeatedly smashed his computer monitor with a hammer, though.

Again, it's easier to buy a cheap VPS in a country that is at odds with the one you're in. Then, any intelligence the other country gets will likely not be sent to the country of residence.

Ally countries usually have extradition treaties, and have a greater chance of sharing intel.

Correlation is still quite easy in that scenario, unless you're sharing that VPS with a thousand other people.

NSA has your international traffic logged and timestamped. If you're doing nefarious activity from a non-MLAT country's IP, and you're the only one connecting to it from the US, it's a simple matter of parallel construction for domestic law enforcement to pop you.

>it's a simple matter of parallel construction for domestic law enforcement to pop you.

This is more just putting some circumstantial evidence together. Parallel construction refers to going out and getting evidence a second time, because you don’t want to reveal how you got it the first time. Usually because the first time it was collected was without a warrant, or collected from a source or via a method you want to keep secret. So the evidence is reconstructed in parallel.

> NSA has your international traffic logged and timestamped. If you're doing nefarious activity from a non-MLAT country's IP, and you're the only one connecting to it from the US, it's a simple matter of parallel construction for domestic law enforcement to pop you.

Couldn't that be countered by using two foreign IPs for your VPN, one for your inbound connection and another for your outbound traffic? It would make it more difficult to correlate your US IP with the outbound VPN traffic without extra information.

In Brazil law requires services to keep logs for a year. This made me very wary of services like ProtonVPN that put some servers there. A lot of people trust them, but I for some reason don't...

>A lot of people trust them, but I for some reason don't...

No offense or anything, but it sounds like you actually have very GOOD reasons for not trusting them.

We don't keep logs in Brazil, and as we have no operations in Brazil, this is not a point that particularly concerns us.

We have something known as Secure Core VPN that offers additional protection if our Brazilian ISP starts monitoring our connection: https://protonvpn.com/support/secure-core-vpn/

One important distinction could be that these were HTTP requests made on his account page or other. If he logs into the account to update billing, etc., that would certainly be logged.

All of what is claimed in the statement would be possible even if we assume no logs are stored for the VPN Server they run, which makes no guarantees about access to their HTTP properties.

Bandwidth counting can be accomplished without keeping "logs" per se, and with WireGuard, I think there would be very little reason to attempt to limit connections.

WireGuard is very hard to run without logging. It simply wasn’t designed for that and the maintainer was paid once to write “a rootkit-like” piece of code for a VPN provider which hired him to help them fix that.

It’s still an open question afaik

edit: I've worded this weird. I was typing on my phone at lunch stuff I'd just learned this morning[0] which referenced this[1] article saying running a log-less Wireguard might not be possible.

AirVPN in [0]:

> "Wireguard, in its current state, not only is dangerous because it lacks basic features and is an experimental software, but it also weakens dangerously the anonymity layer."

and Perfect Privacy:

> "WireGuard has no dynamic address management, the client addresses are fixed. That means we would have to register every active device of our customers and assign the static IP addresses on each of our VPN servers. [...]"

Things may have changed, but it appears that running a log-less VPN provider is actually more complicated with Wireguard than at first glance. Namely the issues around dynamic IPs.

[0]: https://restoreprivacy.com/wireguard/

[1]: https://www.perfect-privacy.com/blog/2018/10/10/wireguard-vp...

I run Wireguard on my systems and to my knowledge it does not log anything on my Linux systems (not that I intended specifically to set it up that way, it is just something that I noticed). Can you tell me where I can find these logs which I am seemingly unaware of? I do know that my iOS app logs things but I'm talking about Linux.

At least AzireVPN has some claims of not logging Wireguard:


>WireGuard is very hard to run without logging. It simply wasn’t designed for that and the maintainer was paid once to write “a rootkit-like” piece of code for a VPN provider which hired him to help them fix that.

This is a really bizarre misunderstanding of the events.

Wireguard does not generate any log entries by default.

zx2c4 wrote a rootkit which makes it more difficult to retrieve connected users' IPs from a running wireguard instance.

Your statement is vacant without an explanation of what kind of logging Wireguard requires. Currently, all it does is attempt to scare the user with the word "rootkit".

FWIW Jason called it A Defensive Rootkit [0].

But the parent post is wrong, the defensive rootkit is not to prevent logging, it's to prevent extracting the configuration from the kernel. It effectively makes the WireGuard configuration write-only from the perspective of userspace. WireGuard does not do any access logging by default as far as I am aware.

[0]: https://lists.zx2c4.com/pipermail/wireguard/2017-November/00...

>As an aside, it's good to see another example that the FBI does actually investigate cases of cyberharassment and takes doxing seriously, contrary to popular opinion.

Probably cos they investigated certain cases and found nothing, to the great dismay of certain people who wanted to be seen as victims and others who wanted to be seen defending them.

Why not just use Tor?

For some things, Tor works just fine. For some sites, Tor is either blocked, or may send you through endless captchas. At least, that has been my experience.

This guy is a monster. Read the whole thing if you have the time. For some reason this bit stuck out at me out of all the crimes: He hacked into her "Rover" account (Uber for dog walking) and messaged all her clients that she had a panic attack and murdered their dogs, and will deliver the dog to them in a ziploc bag.

Total psychopath.

Yeah, this primarily inspires the thought of whether we should be providing services that enable this kind of behavior.

Started out wondering if Lin was going to be wrongly accused but this hit closer to home than I expected. First off Lin appears to be a POS but what hit me was this line:

> While each of these incidents in isolation may appear relatively harmless, the cumulative effect of this behavior is both harassing and indicative of a significant attachment, disproportionate to the amount of time they spent together.

Specifically the first part "While each of these incidents in isolation may appear relatively harmless". I've had friends harassed online and when you try to explain to law enforcement it sounds petty or minor but I've seen first hand it weigh on my friends who have experienced it.

Services like TextNow and Pinger are amazing tools for someone looking to make someone's life a living hell. I've still got screenshots of PAGES of new text messages (from different numbers) all from some asshole who has nothing better to do than harass people.

In my situation I had finally had enough and threw up a webpage explaining how to block ALL TextNow/Pinger numbers and calling out the individual in question (trust me this was done tastefully and with tact) then ran Ads on FB to raise awareness in my community. Turns out way more people than just my immediate friends had been affected by this toxic individual (I had a number of people reach out to me). I spent $40 on ads for 67 clicks, 1,465 reach, and 37,454 impressions. It was worth every penny. I'm not going to say this will work for you OR that it worked for me (the harassment stopped but, you know causation/correlation and all that) but I know I would do it again in a heartbeat.

It's important to note the police were next to useless for this entire saga. I'm not sure what percentage was apathy vs a lack of skills but yeah...

That's amazing!

Last year I was desperate for extra work, and met a guy hiring programmers on Craigslist. I ran his name and found a website from a guy saying never do business with him, that he doctored financial documents and was a liar. It was kind-of a crazy site, so I met with the liar anyway, and he brought it up pretty quickly, saying it was an old neighbor and that he's crazy. I went to work for him, but he kept bringing it up, wondering how he could get the site taken down (cue me trying to explain slander and him saying "there's gotta be another way!"), until one day he exploded with a "I could go over to his house and fucking kill him!".

I already had a new job lined up at that point, so I just left my key on the desk and never came back. I still wonder if I should email the guy that made the website just to let him know how much it gets under his enemy's skin.

They all log, and they all turn those logs over to police agencies when they get court orders to do so. These services are only intended to prevent ISP snooping on legal activities that may be personal or embarrassing, but not illegal. That's it.

If you do something illegal on a VPN connection and think the VPN providers have no logs/evidence, you'll be very surprised when the cops show up.

Exactly. Even my personal VPN (Streisand) running on a cloud-hosted VPS is not safe if I decide to become a criminal. All LE would have to do is subpoena my hosting company and monitor incoming connections.

A VPN may slow a nation-state down a little, but it will certainly not stop them.

I'm always curious at how these VPN providers aren't being hit with false advertising. They claim to keep basically no data about you.

"You are Invisible – Even We Cannot See What You Do Online We DO NOT keep any record of your browsing activities, connection logs, records of the VPN IPs assigned to you, your original IPs, your connection time, the history of your browsing, the sites you visited, your outgoing traffic, the content or data you accessed, or the DNS queries generated by you." [0]

[0] https://www.purevpn.com/privacy-policy.php

Their privacy policy looked very different at the time Lin was allegedly using it:

> We Do Not monitor user activity nor do we keep any logs. We therefore have no record of your activities such as which software you used, which websites you visited, what content you downloaded, which apps you used, etc. after you connected to any of our servers. Our servers automatically record the time at which you connect to any of our servers. From here on forward, we do not keep any records of anything that could associate any specific activity to a specific user. The time when a successful connection is made with our servers is counted as a “connection” and the total bandwidth used during this connection is called “bandwidth”. Connection and bandwidth are kept in record to maintain the quality of our service. This helps us understand the flow of traffic to specific servers so we could optimize them better.

They appear to have made the policy (and presumably connection logging) change in June 2018. For reference, Lin pleaded guilty to charges related to the criminal complaint posted by OP in April 2018. I would imagine PureVPN's lawyers had advised them to wait until the case had ended before enacting the new policy.

Source: https://web.archive.org/web/20170128142453/https://www.purev...

Them not keeping a record may be true...

But the rsyslog was delivering the logs to *.fbi.gov

And not retaining logs would still be correct. They said nothing about transporting them to the relevant feds.

Ahhh. They aren't keeping the logs, they're merely forwarding the logs to another "non-associated entity" (giving them legal cover), and storing the logs there. Makes sense. They can advertise "we don't keep logs" (we meaning the corporate entity itself) so they have legal cover, and they make the three letter agencies happy (and thus are allowed to continue to operate)

Indeed. And those tools to do such an analysis already exist. It's the formerly NSA tool called "Apache NiFi". It even has a syslog server plugin specifically for this purpose (it's built in already; drag, drop, configure, done):


Link/proof asserting Apache NiFi is one of the NSA data analytics tools: https://www.forbes.com/sites/adrianbridgwater/2015/07/21/nsa...

Proof also can be found here: https://code.nsa.gov

And there's still real value in that, even if they work with law enforcement.

If you actually need a VPN, the last thing you want is for the service to create an opportunity, which wouldn't otherwise exist, for a malicious 3rd party to quietly obtain existing records of DNS queries, connections, and other traffic data.

By not storing the data in advance, the risk is reduced. A malicious actor would have to compromise the servers and either use one as a network tap to send the traffic somewhere else, or enable logging or other analytics locally.

Both are more likely to be detected than a one-time access or leak of data that was already stored.

Sometimes I feel the anonymity aspect of the Internet brings the worst out of people. If we didn't have anonymity to begin with, people would not have tried that kind of harassment. Or if they do, it'll be a routine case for the police as opposed to requiring substantial FBI involvement.

Anonymity is required to maintain freedom of speech. It provides a route for any adult to be the child that calls out the emperor's new clothes.

The sad part is yes, it also enables bad people to do bad things without consequence, however, that is the bet that we make. That the bad people doing their bad shit, is a small price to pay to prevent bad people in power from doing very very bad shit

It's not anonymity that protected freedom of speech, but people who believe in free speech, represented by supreme court that is protecting it.

And when it comes to overthrowing corrupt ruling class, do people seriously believe anonymously complaining online is going to do anything?

One could argue that anonymous complaining and accusations contributed to Trump's election.

How many of those 'anonymous Americans' (who were concerned about the emails, or spouting off about Clinton having Parkinson's, or Bernie or busters, etc etc) were not Americans, but non-Americans or bots/sockpuppets created to amplify the signal of a vocal minority of Americans or non-Americans.

Because of platforms that are largely anonymous you can never know if an anonymous user is your next door neighbor or a bot tied to the marketing arm of some product you might be interested in or the agent of a foreign government.

An interesting concept might be a social network where all users are verified and their profile contains only general information about them, letting you know if their opinion matters or is misleading.

The other side of that coin is without anonymity only the strongest can truly speak their mind without fear of repercussions.

I’d say, overall, it’s been worth it so far.

don't fool yourself, people have been harassing and exploiting others without issue long before the internet. the difference is that while the internet can extend their reach the very nature of brings such occurrences to light more often than before.

so while the internet broadens their reach it doesn't always give them more anonymity, if anything their trail is easier to follow by more people, especially law enforcement. people just don't understand the depth of a trail they leave when using the net

> don't fool yourself, people have been harassing and exploiting others without issue long before the internet. the difference is that while the internet can extend their reach the very nature of brings such occurrences to light more often than before.

There's another key difference that you are completely ignoring.

The return on effort invested with internet harassment is much better than the ROI with harassment in the physical world.

Sometimes, an improvement in ROI produces a categorically new thing. An automobile is just a horse buggy with a better ROI - yet, for some reason, neither society, nor the law treats them like it did horse buggies.

As far as anonymity and abuse goes, the Internet is not a revolutionary development. The postal system has existed for a very long time, and is capable of much worse. The Unabomber is a poignant example.

I generally file it under:

This Is Why We Can't Have Nice Things

> On April 14, 2017, at 14:55:52, the email address "rlincc@gmail.com" was accessed from IP address, an IP address owned by WANSecurity, a Kansas VPN service. As discussed above, this Gmail address is directly attributable to Ryan Lin and was used to communicate directly and openly with Smith and her roommates, including when he first responded to the Craigslist advertisement to be their roommate.

This type of information couldn't be provided by VPN logs due to gmail using TLS encryption. If they gained physical access to a device that he was currently logged into, they just needed to look at the gmail account activity. Anyone can look at all the IP addresses they have accessed their gmail account from. They could have also just got a warrant.

> On April 14, 2017, at 15:06:27, the email address teleportxf@gmail.com, provided by "Ashley Plano" to Rover, was accessed from the same exact WANSecurity IP address,

This is more interesting. It doesn't seem likely they caught him logged into this account, or that would be all the evidence they needed. I suspect they issued a warrant to Google for this account and got a list of IP addresses back. I can't imagine that the VPN provider allocated a unique IP address for each subscriber. This seems like a really weak correlation unless they are leaving out some important information.

Although much of the data seems to have been recovered from his work computer after he lost a job.
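
An added illustration, not part of the thread or the affidavit, of the point raised above about shared VPN exit IPs: two accounts seen from one exit address only narrow to the customers active on it at that moment, and it takes provider session records across several events to shrink that set. Every account name, customer ID, IP address (documentation ranges) and session below is constructed; only the two 14 April times mirror the quoted passages.

```python
from datetime import datetime, timedelta
from itertools import combinations


def ts(text):
    """Parse an ISO-8601 timestamp such as 2017-04-14T14:55:52."""
    return datetime.fromisoformat(text)


# Constructed mail-provider access records: (account, time, source IP seen).
MAIL_ACCESS = [
    ("account-a@example.com", ts("2017-04-14T14:55:52"), "203.0.113.7"),
    ("account-b@example.com", ts("2017-04-14T15:06:27"), "203.0.113.7"),
    ("account-a@example.com", ts("2017-04-15T09:12:00"), "203.0.113.9"),
    ("account-b@example.com", ts("2017-04-15T09:40:00"), "203.0.113.9"),
]

# Constructed VPN session records: (customer, origin IP, exit IP, start, end).
VPN_SESSIONS = [
    ("cust-17", "198.51.100.20", "203.0.113.7",
     ts("2017-04-14T14:30:00"), ts("2017-04-14T16:00:00")),
    ("cust-42", "198.51.100.77", "203.0.113.7",
     ts("2017-04-14T14:50:00"), ts("2017-04-14T15:00:00")),
    ("cust-88", "192.0.2.5", "203.0.113.7",
     ts("2017-04-14T15:00:00"), ts("2017-04-14T17:00:00")),
    ("cust-17", "198.51.100.21", "203.0.113.9",
     ts("2017-04-15T09:00:00"), ts("2017-04-15T10:00:00")),
    ("cust-88", "192.0.2.5", "203.0.113.9",
     ts("2017-04-15T09:30:00"), ts("2017-04-15T11:00:00")),
]


def same_exit_pairs(events, window):
    """Pairs of different accounts seen from the same IP within `window`."""
    pairs = set()
    for (acct_x, t_x, ip_x), (acct_y, t_y, ip_y) in combinations(events, 2):
        if acct_x != acct_y and ip_x == ip_y and abs(t_x - t_y) <= window:
            pairs.add(tuple(sorted((acct_x, acct_y))) + (ip_x,))
    return sorted(pairs)


def active_customers(sessions, exit_ip, when):
    """Customers with a session on `exit_ip` covering `when`.

    This is the anonymity set for a single observed access.
    """
    return {
        cust
        for cust, _origin, ip, start, end in sessions
        if ip == exit_ip and start <= when <= end
    }


def consistent_customers(events, sessions, accounts):
    """Customers who were active for every access made to `accounts`."""
    remaining = None
    for acct, when, ip in events:
        if acct not in accounts:
            continue
        active = active_customers(sessions, ip, when)
        remaining = active if remaining is None else remaining & active
    return remaining or set()


if __name__ == "__main__":
    print("shared exit IP:", same_exit_pairs(MAIL_ACCESS, timedelta(minutes=30)))
    for acct, when, ip in MAIL_ACCESS:
        print(acct, when, ip, sorted(active_customers(VPN_SESSIONS, ip, when)))
    both = {"account-a@example.com", "account-b@example.com"}
    print("consistent with all events:",
          sorted(consistent_customers(MAIL_ACCESS, VPN_SESSIONS, both)))
```
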

This article is two years old. Current status, from US Bureau of Prisons Inmate Locator:

    Register Number: 00578-138
    Age: 26
    Race: Asian
    Sex: Male
    Located at: Brooklyn MDC
    Release Date: 01/02/2033

I wonder where he worked and why he was terminated. It was probably a similar pattern of behavior at work.

What the guy did was seriously disturbing. He looks like he is going to prison for 17 years and virtually ruined the victim’s lives:


This dude is a horrible monster and has been one for years. 17 years seems like barely enough.

Took me a second to find the follow-up [0], he pleaded guilty and took a 17 year sentence.

[0] https://www.boston.com/news/local-news/2018/10/04/newton-rya...

VPN providers never keep your private data... since when are IP addresses considered private data? Gotcha.

The new title tells me what the submission is about but not why it's here on HN. For context, the old title mentioned why it's relevant - that Pure VPN kept logs that assisted the FBI in its investigation of Ryan Lin.

If you use PureVPN, you're a sucker, plain and simple. You failed to do basic research into your VPN provider, or failed to consult with someone who actually knows what they're talking about.

Let's do a very quick experiment where we evaluate a few popular VPN services at a glance, and critique them using non-technical insights which can generally be applied to any business trying to sell you a product. In other words, there's no excuse for not being able to develop these insights just because you aren't a "tech person".

Googling PureVPN provides the following summary:

"The best VPN service in 2018. PureVPN leads the industry with its massive network of more than 2000 encrypted VPN servers, around 300000 anonymous IPs..."

PureVPN only has a 150 character limit to describe their business, and they use it for:

1) Overzealous claims about being "the best" and the "industry leader"

2) Throwing out large numbers which they hope the user will correlate to excellence as a VPN service. The clueless user will think, "the more the better, right?"

Nord VPN's summary:

"Protect your privacy online and access media content with no regional restrictions. Strong encryption and no-log policy with 5000+ servers in 60+ countries..."

1) No regional restrictions? That's a given for any decent VPN. Useless noise meant to paint the product in a better light.

2) They claim strong encryption, but again, that's a GIVEN for any decent service. More deception.

3) They immediately try to sucker people in with the "no logs" bullshit

4) More stupid large numbers.

See a trend?

Now look at Mullvad VPN's summary:

"Mullvad is a VPN service that helps keep your online activity, identity, and location private. Only €5/month - We accept Bitcoin, cash, bank wire, credit card..."

Wow! No claims about being the best, no claims about anything. It "helps" keep your data private. No claims about 100% privacy. Then they list the price and payment methods. Informative and non-deceptive.

> "Protect your privacy online and access media content with no regional restrictions. Strong encryption and no-log policy with 5000+ servers in 60+ countries..."

I don't see how this is deceptive whatsoever? It states known facts about the VPN while also giving a basic outline on their policies. I'm inclined to believe that Nord doesn't keep logs (as of Nov. 1 of 2018) due to their audit by an external company. The report is available: https://ucp.nordvpn.com/audit-report/

I'm not saying that Nord is 100% safe, as others mentioned in this thread, it is completely possible that any "no-logs" VPN provider may store logs somewhere else or an organization may store their data. It allows a provider to claim they keep no logs, while also technically being truthful. I'm intrigued by Nord's stance to this (as their audit has no mention of it at a quick glance) and I will email their support about this.

Not only that, regional restrictions may apply to services such as Netflix, which have been battling VPNs for years now. Most VPN providers don't work with many of these services, and due to the fact Nord does, I'd claim that as a good advertising standpoint. Never tried "Mullvad", but I doubt they can bypass restrictions of these same sites.

Now onto Mullvad... The reason they can't claim to be the best, in any field for that matter, is because they aren't. Isn't keeping your data private "a GIVEN for any decent service" (to quote your own words...)? I'm also worried about that price, are the potential legal fees Mullvad may pay to keep your privacy safe worth the 5 pounds a month you pay? Same with any VPN for that matter - the cheaper it is, the less likely it is safe.

Regarding #2, I flubbed and meant to say "More noise", not "More deception". I didn't realize my mistake till later.

And I was briefly dissecting the Google summaries of these services, but I have read much, much more than that for every major VPN provider before settling with Mullvad.

I recommend Mullvad and if you took more than a cursory glance at their blog and documentation then you would get an understanding of what kind of service they want to be. They strive for top-notch security and service.

Nord also seems like a decent choice, even if they are not for me. For me, a company's ethos is extremely important and comes first. However, Nord still has the standard scummy sales tactics employed by so many companies, as you can see from their summary.

Why is this relevant to HN? Is he a famous OSS contributor?

Why is a raw legal document better than an accurate news article simplifying it for lay folks?

Dropbox's value is derived from its ability to make something like rsync more human for non-tech folks.
