Federal authorities arrested a 58-year-old Colorado Springs man after unravelling the origin of a "Declaration Of War" that threatened harm or death to Elon Musk, owners of his Tesla vehicles, and members of President Donald Trump's Cabinet.
I think the article is telling us in reverse order of discovery which makes it VERY confusing to parse:
As in:
Investigators from the Federal Bureau of Investigation’s Joint Terrorism Task Force retraced the roots of the digital messages Payne allegedly sent to the media outlets.
Okay, so where did the “digital messages” come from?
According to the affidavit, Payne used a Proton email address,
Okay, they knew the source of the message was Proton email. One subpoena of Proton later, they know the IP address(s) of the email client/app logging into Proton. So now they have a whole bunch of IP addresses of VPN exit nodes. So they reach out to the VPN provider:
Other unusual activity was traced through Payne’s VPN
So they ask the VPN provider to provide the origin address of the VPN logins, and come back to a cell phone (network) provider
or network provider.
So they ask the network provider to provide the info on the owner, except its a burner, so the provider doesn’t know. Hmm, okay so they know its coming from Burner Phone X, but not who owns Burner Phone X. Mr Google, Mr Microsoft, etc, do you have any activity from these Mobile phone company IP addresses at this time?
That information is tracked by Google
Ah! So Mr Google does. Anything stand out to you with the activity you’re seeing?
Investigators were alerted to his accounts after finding an unusually high number of log-ins and failed log-ins from an unfamiliar devices, locations, or networks. That information is tracked by Google, per the affidavit.
Okay, so its more than just than Burner Phone X accessing these Google accounts/sessions. Yes, the same web sessions/cookies were also used by devices belonging to another Google account, that of Payne.
Okay we’ve arrested Payne, could this just be an account/device hijacking and Payne be innocent? Well we also seized a rando cell phone with incriminating evidence on it. Could this have been planted?
Messages from his burner phone, too, matched the number Payne had listed in his personal contact info while applying for unemployment benefits in February.
So someone texted something at some point to text Burner Phone X. Who was that origin texter sending to Burner Phone X? Payne. So unlikely it was planted and more confirmation it was Payne sending the original threats.
Perhaps. I’ve always wondered if the VPN providers were playing games with semantics. It would be possible to not log, but still see events happening in real-time and report those. In the IT world “logging” is the capturing of events that occurred in the past. “Monitoring” is seeing events that are happening in real-time".
So a request could come in saying “when we see activity from IP X let person Y know what is happening”. The VPN provider would technically not be logging, but the activity of the user could still be tracked. Again, I’m not saying this is what happens at any of these VPN companies, I’m simply posing a series of events that could occur while the VPN companies statements would still be factual to their advertising claims yet result in the outcomes that customers specifically want to avoid. This is just a thought exercise. I have no evidence any of this happened.
Thanks for the clarification. I read that paragraph several times and couldn’t make sense of it.
As someone who uses Proton, Signal and a VPN (always), it is concerning how easy it seemed to track this guy down. Granted I’m not doing stupid shit like this guy, but authoritarians have a broad definition of “stupid shit”.
Isn’t Proton based in Switzerland and could just tell them to shove the subpoena?
I think the article is telling us in reverse order of discovery which makes it VERY confusing to parse:
As in:
Okay, so where did the “digital messages” come from?
Okay, they knew the source of the message was Proton email. One subpoena of Proton later, they know the IP address(s) of the email client/app logging into Proton. So now they have a whole bunch of IP addresses of VPN exit nodes. So they reach out to the VPN provider:
So they ask the VPN provider to provide the origin address of the VPN logins, and come back to a cell phone (network) provider
So they ask the network provider to provide the info on the owner, except its a burner, so the provider doesn’t know. Hmm, okay so they know its coming from Burner Phone X, but not who owns Burner Phone X. Mr Google, Mr Microsoft, etc, do you have any activity from these Mobile phone company IP addresses at this time?
Ah! So Mr Google does. Anything stand out to you with the activity you’re seeing?
Okay, so its more than just than Burner Phone X accessing these Google accounts/sessions. Yes, the same web sessions/cookies were also used by devices belonging to another Google account, that of Payne.
Okay we’ve arrested Payne, could this just be an account/device hijacking and Payne be innocent? Well we also seized a rando cell phone with incriminating evidence on it. Could this have been planted?
So someone texted something at some point to text Burner Phone X. Who was that origin texter sending to Burner Phone X? Payne. So unlikely it was planted and more confirmation it was Payne sending the original threats.
A non-logging VPN provider should not be able to assist with this step.
Perhaps. I’ve always wondered if the VPN providers were playing games with semantics. It would be possible to not log, but still see events happening in real-time and report those. In the IT world “logging” is the capturing of events that occurred in the past. “Monitoring” is seeing events that are happening in real-time".
So a request could come in saying “when we see activity from IP X let person Y know what is happening”. The VPN provider would technically not be logging, but the activity of the user could still be tracked. Again, I’m not saying this is what happens at any of these VPN companies, I’m simply posing a series of events that could occur while the VPN companies statements would still be factual to their advertising claims yet result in the outcomes that customers specifically want to avoid. This is just a thought exercise. I have no evidence any of this happened.
Thanks for the clarification. I read that paragraph several times and couldn’t make sense of it.
As someone who uses Proton, Signal and a VPN (always), it is concerning how easy it seemed to track this guy down. Granted I’m not doing stupid shit like this guy, but authoritarians have a broad definition of “stupid shit”.
Isn’t Proton based in Switzerland and could just tell them to shove the subpoena?
Nice summary. Thank you for taking the time to create it.
That makes much more sense, I appreciate the explanation.
deleted by creator