Original URL: http://www.theregister.co.uk/2009/02/20/rise_and_fall_of_digerati/

How the Feds shook hands with an internet pedophile

Crime and punishment in the digital age

By Dan Goodin

Posted in Security, 20th February 2009 07:11 GMT

Editor's Note added on April 8, 2010

On March 17, 2010, almost 13 months after this article was published, Michael Johnson, one of the individuals quoted in this article, contacted The Register to recant claims he made about Ryan Goldstein.

"It was a false and fabricated account, which was created because the pressure from the community to discredit Mr Goldstein," he wrote in an email. "I was out to harm Ryan Goldstein, not to ruin his life. However, i can't say the same for others, which is maybe what [sic] they are adamant that their statement is infact [sic] a true account."

Johnson declined to elaborate on the pressure he allegedly received or to provide support for those claims. In order to alert our readers to this development, The Register is adding this editor's note and striking a line through the 55-word passage that contains Johnson's account.

As former moderators for an internet relay channel dedicated to hacking, Francine Campbell and Sterlin Ward have seen some of the net's darker quarters. But nothing prepared them for their group's encounter with an internet pedophile who called himself Digerati.

After the hacker repeatedly propositioned channel members as young as 13 to engage in graphic webcam sex, Campbell and Ward alerted the FBI and officials at the University of Pennsylvania, where Digerati attended classes and got his internet access. Digerati - whose real name is Ryan Goldstein - was eventually prosecuted, but the experience left the channel elders - and some law-enforcement experts - critical of what they characterize as a Faustian deal

In exchange for Goldstein's help prosecuting seven cases involving botnets, federal prosecutors agreed to charge him with a single misdemeanor hacking charge for damage he inflicted on a University of Pennsylvania server. In October, he received just three months in prison despite being caught with about 1,000 images of child pornography.

For Francine Campbell, Sterlin Ward, and others on the #ssgroup IRC channel, it was a bitter lesson in the vagaries of crime and punishment in the digital age.

"I think protecting kids would be way more important than monetary damages to a server," says Ward, a 35-year-old networking analyst who took an early stand against Goldstein's online grooming of underage members. "I felt that he was going to eventually find a kid that was close enough for a meetup."

Ronald Levine, a Philadelphia-based attorney representing Goldstein, issued the following statement: "Mr. Goldstein denies this allegation. He admitted the misdemeanor computer intrusion conduct with which he was charged; he received a probationary sentence; and he is committed to moving forward with his life productively."

But Goldstein's former online associates stand by the accusations, and they presented emails and chat logs that appeared to back them up. In their minds, the episode shows the sometimes misplaced priorities of law enforcement and university administrators.

Enter Digerati

Digerati first appeared in #ssgroup in late 2005. On the surface, his participation was unremarkable. He often regaled his mates with intelligent discussions about bots, trojans, and even Judaism. And he demonstrated a rare combination of technical acumen and deep connections in the hacker world.

Within a few weeks, the #ssgroup elders made him a channel operator, a designation that carried plenty of status in some hacker circles because it allowed him to exercise a great deal of control. Ejecting rowdy visitors, bestowing operator status on others, and protecting the channel from hostile attacks were all part of his responsibilities. But there were unsettling elements to Digerati that became more apparent with time.

"When he started coming into the room, it always circled around sex," Campbell recalls.

Things came to a head in January 2006, when Digerati betrayed his penchant for online sex with boys. During an online gathering with webcams to celebrate Campbell's 25th birthday, he exposed himself before the entire gathering, which included members as young as 13 years old. According to three people present, he repeatedly engaged the younger members in private messages the elders were later able to access.

"He took off his pants and underwear," Campbell says. "He was encouraging them to join him, daring them, calling them chickens. After that night, I started fighting with the admins on the site to ban him."

About a month later, the #ssgroup leaders yanked Digerati's coveted operator status. Almost immediately, the attacks began - distributed denial of service (DDoS) attacks so potent they caused #ssgroup and Taunet, the IRC server that hosted the channel, to become completely unreachable. The data floods were so fierce they sometimes inflicted damage on Taunet's internet service company as well. Taunet switched to a company that claimed it was able to withstand DDoS attacks, but the move didn't help.

"We were always DDoSed off the freaking net," Ward laments.

Over the next year, Digerati's online opponents would resort to a variety of tactics to get the hacker off their backs, but none of them worked. When diplomacy failed, they reported his repeated online liaisons with boys to university officials and then to the FBI. When those efforts bore no fruit, some opponents formed a vigilante posse that hacked the university's servers and spammed students and administrators with hundreds of flyers emblazoned with Digerati's portrait and a detailed description of his alleged online conduct.

After learning Digerati was under suspicion for hacking offenses, the posse even hacked into the university's mail system and intercepted hundreds of emails sent between school administrators and FBI investigators discussing their probe.

The Grooming

Even after the attacks began - and the FBI commenced its investigation - Digerati continued to groom boys as young as 13 years old, according to five four people who congregated with Digerati on IRC. He would often plead with the boys to masturbate in front of their webcams, and it wasn't unheard of for him to offer a payment using PayPal. He also hosted his own IRC channel called #diggerpenis, which was frequented by boys.

One of the boys he propositioned in 2006 was Michael Johnson, a then 16-year-old #ssgroup member who says Digerati asked him on at least three occasions for pictures of his penis.

"After I said no, he would always say he was joking," said Johnson, who is now a college student in Newcastle in the UK.

Digerati had a hard time accepting the revocation of his operator status and the banishing of his channel. He repeatedly argued that his connections in the hacker underworld made him an asset to #ssgroup. And he lobbied tirelessly for the reinstatement of #diggerpenis, which he said was a benign place.

Meanwhile, the DDoS assaults continued. They were unremarkable with one exception: the sheer volume and relentlessness of the junk data being thrown at them.

In private messages to Ward and others, Digerati was always careful to distance himself from the attacks. He blamed them on fellow hackers by the names of Dshocker and Vortex, who had reputations for striking out at those they didn't like.

"It's Dshocker's doing," Digerati said during one exchange with a hacker who ran Taunet, during an ongoing attack against a hosting service called Sharktech. "I tried stopping him, but they pissed him off by canceling his account and threatening to report him to authorities." A few weeks later, Digerati added: "I agree, DDoS is lame."

But Digerati's private communications with a New Zealand-based botmaster known as Akill - and later intercepted by FBI agents and recounted in court documents - tell a different story.

"I can get you some good private stuff, I can also pay you, to take Taunet down," he wrote in late January 2006, a few weeks before the attacks began.

Over the next few months, Digerati renewed his call for Akill to strike out at Taunet and added new targets, including ssgroup.org. "I want Taunet taken down," he told Akill in March. "They are starting to annoy me again. They must stay down for at least a week or so."

The Flyers

The #ssgroup leaders grew increasing desperate. They didn't yet know much about Digerati, other than he was using the University of Pennsylvania computer system for internet access. Incredulous that university authorities didn't respond to three separate warnings that one of their students was using their computer system to prey on young boys, they decided to make their case publicly.

Members of the group hacked into one of the websites Digerati was using to host his webcam chats. They copied images and excerpts from the chats and transferred them to a flyer headlined "Internet child predator." One of the members then hacked the university's print servers and caused the flyer to spontaneously print on hundreds of machines across campus.

Around the same time, the group also hacked into the university's internal email system and siphoned thousands of emails in an attempt to learn more about Digerati. They hit the jackpot. Not only did they discover that the hacker was a student named Ryan Goldstein, they also learned he was under suspicion for a computer breach in February 2006 that brought down a server at the university's SEAS, or School of Engineering & Applied Science.

As they sifted through the messages, it became clear that school administrators had taken notice of the mysterious flyer and were considering whether Goldstein was guilty of more than just hacking the SEAS server.

Among the administrators was Helen Anderson, a senior director in the SEAS IT group.

"Though the flyers themselves apparently weren't his doing, they may be evidence that there was a separate conduct violation by Ryan at Kings Court," Anderson wrote in a group email, referring to the dorm building where Goldstein lived.

Anderson's message was part of 245 pages of investigation-related email that was posted on the internet. University officials declined to comment on the breach, but an FBI spokesman confirmed the authenticity of several of the messages. University officials also denied requests to discuss whether Goldstein breached the university's code of conduct. (He is currently attending classes at the Philadelphia-based college).

The Feds

Michael Levy, a federal prosecutor who is chief of computer crimes in the US Attorney's office for Philadelphia, defended the decision not to prosecute Goldstein for child porn offenses. He said Goldstein provided valuable assistance in important criminal probes against botmasters.

"One of the big problems on the internet today are botnets, and he was clearly helping in botnet investigations," Levy says. "You need to write about all the cooperation the kid gave to us, which certainly goes into a decision about what he's charged with and how he's charged."

Levy declined to detail the investigations, except to say there were seven of them and one involved Akill, who in July was ordered to pay $10,800 after pleading guilty to six cybercrime offenses. (Levy wouldn't say whether Goldstein aided investigators in cracking down on Dshocker, the 17-year-old Massachusetts hacker who in November confessed to a three-year crime spree that included DDoS attacks, bomb threats and Swatting, which uses fraudulent emergency 911 calls to cause enemies to be raided by heavily armed police teams).

Levy also says the sentence, which calls for Goldstein to be on probation for five years, will prevent the student from carrying out any illegal activity online since a probation officer will be closely monitoring his computer usage.

But not everyone is as comfortable with the decision not to prosecute the child porn offenses.

One of them is Douglas Berman, a professor of law at Ohio State University and an expert in federal sentencing guidelines. He says Congress specifically designed child porn statutes to crack down harder on offenders who make contact with their victims.

"Absolutely, Congress wants prosecutors to be tougher on somebody who's not simply click, click, click, downloading, but being more proactive in the nature of their criminal activity with this kind of soliciting," he told The Register. "It's not just he downloaded dirty pictures but actively used chatrooms to encourage this behavior. In light of the description of the case facts, it seems like he got quite a sweetheart deal."

Mark Rasch, a former federal cyber prosecutor who is now a computer crimes specialist in Bethesda, Maryland, won't go quite that far, but the facts of the case, combined with the allegations laid out by Goldstein's former channel mates, lead him to believe sentencing guidelines would have called for Goldstein to receive from 135 months to 168 months had he been convicted for the illegal images.

Federal prosecution rules require cooperating witnesses to reveal the entire scope of their crimes before a plea agreement can be made, he says. That means either prosecutors knew of Goldstein's chatroom behavior and chose not to file charges or Goldstein hasn't been as forthcoming as he should have been.

"What this demonstrates is how much the government needs both insiders in these rings and people with technical expertise in order to successfully make these cases, so much so that they're willing to overlook some rather serious crimes," Rasch said. "Because you need these people and you need their skill sets, you're willing to bargain for them, and this may have been ultimately a bad bargain for the government." ®