>Further, records from Pure VPN show that the same email accounts - Lin's gmail account and the teleportfx gmail account - were accessed from the same WANSecurity IP address. Significantly, Pure VPN was able to determine that their service was accessed by the same customer from two originating IP addresses: the RCN IP address from the home Lin was living in at the time, and the software company where Lin was employed at the time.
Also, it seems Lin knew or suspected this at least, seeing as he doesn't believe in a VPN service that doesn't keep logs:
>For example, on June 15, 2017, Lin ... re-tweeted a tweet from "IPVanish," that read: "Your privacy is our priority. That's why we have a strict zero log policy." Lin criticized the tweet, saying, "There is no such thing as VPN that doesn't keep logs. If they can limit your connections or track bandwidth usage, they keep logs."
This will be a useful .pdf to keep on hand because I also don't believe in VPNs that don't keep logs. At a minimum they'll keep 30 days' worth and in many countries may actually be required by law to keep them longer than that even (60-90 days usually).
As an aside, it's good to see another example that the FBI does actually investigate cases of cyberharassment and takes doxing seriously, contrary to popular opinion.
I opened the document expecting to sympathize with Lin. In my imagination this was some FBI surveillance state overreach, or "cyberharassment" thing getting overblown.
Instead, reading through the allegations, Lin came off as abominable. Contrary to your conclusion that this shows the FBI takes cyber harassment seriously, it seems like law enforcement generally allowed Lin to publicly subject this poor woman to psychological torture for a couple years before doing anything about it.
Provided the allegations are true, whatever sentence he gets will not be enough...
>As an aside, it's good to see another example that the FBI does actually investigate cases of cyberharassment and takes doxing seriously, contrary to popular opinion.
Seriously, all this over a roommate found on Craigslist. I did like the part where his victim repeatedly smashed his computer monitor with a hammer, though.
Again, it's easier to buy a cheap VPS in a country that is at odds with the one you're in. Then, any intelligence the other country gets will likely not be sent to the country of residence.
Ally countries usually have extradition treaties, and have a greater chance of sharing intel.
In Brazil law requires services to keep logs for a year. This made me very wary of services like ProtonVPN that put some servers there. A lot of people trust them, but I for some reason don't...
One important distinction could be that these were HTTP requests made on his account page or other. If he logs into the account to update billing, etc., that would certainly be logged.
All of what is claimed in the statement would be possible even if we assume no logs are stored for the VPN Server they run, which makes no guarantees about access to their HTTP properties.
Bandwidth counting can be accomplished without keeping "logs" per se, and with WireGuard, I think there would be very little reason to attempt to limit connections.
>As an aside, it's good to see another example that the FBI does actually investigate cases of cyberharassment and takes doxing seriously, contrary to popular opinion.
Probably cos they investigated certain cases and found nothing, to the great dismay of certain people who wanted to be seen as victims and others who wanted to be seen defending them.
This guy is a monster. Read the whole thing if you have the time. For some reason this bit stuck out at me out of all the crimes: He hacked into her "Rover" account (Uber for dog walking) and messaged all her clients that she had a panic attack and murdered their dogs, and will deliver the dog to them in a ziploc bag.
Started out wondering if Lin was going to be wrongly accused but this hit closer to home than I expected. First off Lin appears to be a POS but what hit me was this line:
> While each of these incidents in isolation may appear relatively harmless, the cumulative effect of this behavior is both harassing and indicative of a significant attachment, disproportionate to the amount of time they spent together.
Specifically the first part "While each of these incidents in isolation may appear relatively harmless". I've had friends harassed online and when you try to explain to law enforcement it sounds petty or minor but I've seen first hand it weigh on my friends who have experienced it.
Services like TextNow and Pinger are amazing tools for someone looking to make someone's life a living hell. I've still got screenshots of PAGES of new text messages (from different numbers) all from some asshole who has nothing better to do than harass people.
In my situation I had finally had enough and threw up a webpage explaining how to block ALL TextNow/Pinger numbers and calling out the individual in question (trust me this was done tastefully and with tact) then ran Ads on FB to raise awareness in my community. Turns out way more people than just my immediate friends had been affected by this toxic individual (I had a number of people reach out to me). I spent $40 on ads for 67 clicks, 1,465 reach, and 37,454 impressions. It was worth every penny. I'm not going to say this will work for you OR that it worked for me (the harassment stopped but, you know causation/correlation and all that) but I know I would do it again in a heartbeat.
It's important to note the police were next to useless for this entire saga. I'm not sure what percentage was apathy vs a lack of skills but yeah...
Last year I was desperate for extra work, and met a guy hiring programmers on Craigslist. I ran his name and found a website from a guy saying never do business with him, that he doctored financial documents and was a liar. It was kind-of a crazy site, so I met with the liar anyway, and he brought it up pretty quickly, saying it was an old neighbor and that he's crazy. I went to work for him, but he kept bringing it up, wondering how he could get the site taken down (cue me trying to explain slander and him saying "there's gotta be another way!"), until one day he exploded with an "I could go over to his house and fucking kill him!".
I already had a new job lined up at that point, so I just left my key on the desk and never came back. I still wonder if I should email the guy that made the website just to let him know how much it gets under his enemy's skin.
They all log, and they all turn those logs over to police agencies when they get court orders to do so. These services are only intended to prevent ISP snooping on legal activities that may be personal or embarrassing, but not illegal. That's it.
If you do something illegal on a VPN connection and think the VPN providers have no logs/evidence, you'll be very surprised when the cops show up.
Exactly. Even my personal VPN (Streisand) running on a cloud-hosted VPS is not safe if I decide to become a criminal. All LE would have to do is subpoena my hosting company and monitor incoming connections.
A VPN may slow a nation-state down a little, but it will certainly not stop them.
I'm always curious at how these VPN providers aren't being hit with false advertising. They claim to keep basically no data about you.
"You are Invisible – Even We Cannot See What You Do Online
We DO NOT keep any record of your browsing activities, connection logs, records of the VPN IPs assigned to you, your original IPs, your connection time, the history of your browsing, the sites you visited, your outgoing traffic, the content or data you accessed, or the DNS queries generated by you." [0]
Their privacy policy looked very different at the time Lin was allegedly using it:
> We Do Not monitor user activity nor do we keep any logs. We therefore have no record of your activities such as which software you used, which websites you visited, what content you downloaded, which apps you used, etc. after you connected to any of our servers. Our servers automatically record the time at which you connect to any of our servers. From here on forward, we do not keep any records of anything that could associate any specific activity to a specific user. The time when a successful connection is made with our servers is counted as a “connection” and the total bandwidth used during this connection is called “bandwidth”. Connection and bandwidth are kept in record to maintain the quality of our service. This helps us understand the flow of traffic to specific servers so we could optimize them better.
They appear to have made the policy (and presumably connection logging) change in June 2018. For reference, Lin pleaded guilty to charges related to the criminal complaint posted by OP in April 2018. I would imagine PureVPN's lawyers had advised them to wait until the case had ended before enacting the new policy.
Sometimes I feel the anonymity aspect of the Internet brings the worst out of people. If we didn't have anonymity to begin with, people would not have tried that kind of harassment. Or if they do, it'll be a routine case for the police as opposed to requiring substantial FBI involvement.
Anonymity is required to maintain freedom of speech. It provides a route for any adult to be the child that calls out the emperor's new clothes.
The sad part is yes, it also enables bad people to do bad things without consequence, however, that is the bet that we make. That the bad people doing their bad shit, is a small price to pay to prevent bad people in power from doing very very bad shit
don't fool yourself, people have been harassing and exploiting others without issue long before the internet. the difference is that while the internet can extend their reach the very nature of it brings such occurrences to light more often than before.
so while the internet broadens their reach it doesn't always give them more anonymity, if anything their trail is easier to follow by more people, especially law enforcement. people just don't understand the depth of a trail they leave when using the net
As far as anonymity and abuse goes, the Internet is not a revolutionary development. The postal system has existed for a very long time, and is capable of much worse. The Unabomber is a poignant example.
> On April 14, 2017, at 14:55:52, the email address "[email protected]" was accessed from IP address 199.38.233.169, an IP address owned by WANSecurity, a Kansas VPN service. As discussed above, this Gmail address is directly attributable to Ryan Lin and was used to communicate directly and openly with Smith and her roommates, including when he first responded to the Craigslist advertisement to be their roommate.
This type of information couldn't be provided by VPN logs due to gmail using TLS encryption. If they gained physical access to a device that he was currently logged into, they just needed to look at the gmail account activity. Anyone can look at all the IP addresses they have accessed their gmail account from. They could have also just got a warrant.
> On April 14, 2017, at 15:06:27, the email address [email protected], provided by "Ashley Plano" to Rover, was accessed from the same exact WANSecurity IP address, 199.38.233.169
This is more interesting. It doesn't seem likely they caught him logged into this account, or that would be all the evidence they needed. I suspect they issued a warrant to Google for this account and got a list of IP addresses back. I can't imagine that the VPN provider allocated a unique IP address for each subscriber. This seems like a really weak correlation unless they are leaving out some important information.
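An added example, not part of any comment in this thread and not any provider's code: it shows why one hit on a shared VPN exit IP is weak evidence, and how connection-time records of the kind the 2017 policy describes narrow it down once several accesses are intersected. All records are constructed, and the session field layout (customer, originating IP, exit IP, start, end) is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


# Constructed service-side records: (account, access time, source IP the service saw).
ACCESS_LOG = [
    ("account-a", ts("2017-04-14 14:55:52"), "203.0.113.10"),
    ("account-b", ts("2017-04-14 15:06:27"), "203.0.113.10"),
    ("account-c", ts("2017-04-14 15:01:00"), "203.0.113.10"),
    ("account-a", ts("2017-04-20 09:12:03"), "203.0.113.44"),
    ("account-b", ts("2017-04-20 09:30:41"), "203.0.113.44"),
]

# Constructed VPN connection records (assumed layout):
# (customer, originating IP, exit IP, session start, session end).
VPN_SESSIONS = [
    ("cust-17", "198.51.100.7", "203.0.113.10", ts("2017-04-14 14:40:00"), ts("2017-04-14 16:00:00")),
    ("cust-88", "198.51.100.90", "203.0.113.10", ts("2017-04-14 14:50:00"), ts("2017-04-14 15:30:00")),
    ("cust-17", "198.51.100.200", "203.0.113.44", ts("2017-04-20 09:00:00"), ts("2017-04-20 10:00:00")),
    ("cust-31", "198.51.100.31", "203.0.113.44", ts("2017-04-20 09:05:00"), ts("2017-04-20 09:20:00")),
]


def co_located_accounts(access_log, window=timedelta(minutes=30)):
    """Pairs of distinct accounts seen from the same source IP within `window`.

    On a shared exit IP this over-matches: unrelated subscribers pair up too.
    """
    by_ip = defaultdict(list)
    for account, when, ip in access_log:
        by_ip[ip].append((when, account))
    pairs = set()
    for ip, events in by_ip.items():
        events.sort()
        for i, (t1, a1) in enumerate(events):
            for t2, a2 in events[i + 1:]:
                if t2 - t1 > window:
                    break
                if a1 != a2:
                    pairs.add((ip, *sorted((a1, a2))))
    return pairs


def candidates(sessions, exit_ip, when):
    """Customers whose session on `exit_ip` was open at `when`."""
    return {
        customer
        for customer, _orig, ip, start, end in sessions
        if ip == exit_ip and start <= when <= end
    }


def attribute(access_log, sessions):
    """Intersect the candidate customers across every access by each account."""
    result = {}
    for account, when, ip in access_log:
        cands = candidates(sessions, ip, when)
        result[account] = cands if account not in result else result[account] & cands
    return result


def originating_ips(sessions, customer):
    """Distinct originating IPs recorded for one customer."""
    return sorted({orig for c, orig, *_rest in sessions if c == customer})


if __name__ == "__main__":
    for pair in sorted(co_located_accounts(ACCESS_LOG)):
        print("same exit IP within window:", pair)
    for account, custs in sorted(attribute(ACCESS_LOG, VPN_SESSIONS).items()):
        verdict = "unique" if len(custs) == 1 else "ambiguous"
        print(account, sorted(custs), verdict)
    print("cust-17 originating IPs:", originating_ips(VPN_SESSIONS, "cust-17"))
```

A single access (account-c) stays ambiguous between two subscribers, while two accesses on different days are enough to isolate one customer and both of that customer's originating addresses.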
The new title tells me what the submission is about but not why it's here on HN. For context, the old title mentioned why it's relevant - that Pure VPN kept logs that assisted the FBI in its investigation of Ryan Lin.
If you use PureVPN, you're a sucker, plain and simple. You failed to do basic research into your VPN provider, or failed to consult with someone who actually knows what they're talking about.
Let's do a very quick experiment where we evaluate a few popular VPN services at a glance, and critique them using non-technical insights which can generally be applied to any business trying to sell you a product. In other words, there's no excuse for not being able to develop these insights just because you aren't a "tech person".
Googling PureVPN provides the following summary:
"The best VPN service in 2018. PureVPN leads the industry with its massive network of more than 2000 encrypted VPN servers, around 300000 anonymous IPs..."
PureVPN only has a 150 character limit to describe their business, and they use it for:
1) Overzealous claims about being "the best" and the "industry leader"
2) Throwing out large numbers which they hope the user will correlate to excellence as a VPN service. The clueless user will think, "the more the better, right?"
Nord VPN's summary:
"Protect your privacy online and access media content with no regional restrictions. Strong encryption and no-log policy with 5000+ servers in 60+ countries..."
1) No regional restrictions? That's a given for any decent VPN. Useless noise meant to paint the product in a better light.
2) They claim strong encryption, but again, that's a GIVEN for any decent service. More deception.
3) They immediately try to sucker people in with the "no logs" bullshit
4) More stupid large numbers.
See a trend?
Now look at Mullvad VPN's summary:
"Mullvad is a VPN service that helps keep your online activity, identity, and location private. Only €5/month - We accept Bitcoin, cash, bank wire, credit card..."
Wow! No claims about being the best, no claims about anything. It "helps" keep your data private. No claims about 100% privacy. Then they list the price and payment methods. Informative and non-deceptive.
> "Protect your privacy online and access media content with no regional restrictions. Strong encryption and no-log policy with 5000+ servers in 60+ countries..."
I don't see how this is deceptive whatsoever? It states known facts about the VPN while also giving a basic outline on their policies. I'm inclined to believe that Nord doesn't keep logs (as of Nov. 1 of 2018) due to their audit by an external company. The report is available: https://ucp.nordvpn.com/audit-report/
I'm not saying that Nord is 100% safe, as others mentioned in this thread, it is completely possible that any "no-logs" VPN provider may store logs somewhere else or an organization may store their data. It allows a provider to claim they keep no logs, while also technically being truthful. I'm intrigued by Nord's stance to this (as their audit has no mention of it at a quick glance) and I will email their support about this.
Not only that, regional restrictions may apply to services such as Netflix, which have been battling VPNs for years now. Most VPN providers don't work with many of these services, and due to the fact Nord does, I'd claim that as a good advertising standpoint. Never tried "Mullvad", but I doubt they can bypass restrictions of these same sites.
Now onto Mullvad...
The reason they can't claim to be the best, in any field for that matter, is because they aren't. Isn't keeping your data private "a GIVEN for any decent service" (to quote your own words...)? I'm also worried about that price, are the potential legal fees Mullvad may pay to keep your privacy safe worth the 5 pounds a month you pay? Same with any VPN for that matter - the cheaper it is, the less likely it is safe.
Nadya|7 years ago
E: A few typo fixes and the last 4 words.
ALittleLight|7 years ago
ukyrgf|7 years ago
"the fact that VPN's track activity with logs."
crankylinuxuser|7 years ago
pedrocx486|7 years ago
jclay|7 years ago
microcolonel|7 years ago
memeograph|7 years ago
iqy|7 years ago
seibelj|7 years ago
Total psychopath.
roguecoder|7 years ago
joshstrange|7 years ago
ukyrgf|7 years ago
w8rbt|7 years ago
zigzaggy|7 years ago
woofcat|7 years ago
[0] https://www.purevpn.com/privacy-policy.php
elliekelly|7 years ago
Source: https://web.archive.org/web/20170128142453/https://www.purev...
crankylinuxuser|7 years ago
But the rsyslog was delivering the logs to *.fbi.gov
And not retaining logs would still be correct. They said nothing about transporting them to the relevant feds.
analyst74|7 years ago
vokep|7 years ago
koolba|7 years ago
I’d say, overall, it’s been worth it so far.
Shivetya|7 years ago
gnode|7 years ago
bilbo0s|7 years ago
This Is Why We Can't Have Nice Things
deckar01|7 years ago
Animats|7 years ago
This article is two years old. Current status, from US Bureau of Prisons Inmate Locator:
tjbarkley|7 years ago
chris_wot|7 years ago
https://www.justice.gov/usao-ma/pr/newton-man-sentenced-over...
anxman|7 years ago
iaw|7 years ago
[0] https://www.boston.com/news/local-news/2018/10/04/newton-rya...
Romanulus|7 years ago
unknown|7 years ago
[deleted]
unknown|7 years ago
[deleted]
8ytecoder|7 years ago
MyBrainHz|7 years ago
[deleted]
MyBrainHz|7 years ago
[deleted]
AnonQ|7 years ago
[deleted]
kakarot|7 years ago
kkhafra|7 years ago
person_of_color|7 years ago
writepub|7 years ago
Dropbox's value is derived from its ability to make something like rsync more human for non-tech folks.