Cover Story: The Wild, Wild Web

The Information Superhighway can be a mean street

Jun 15, 2005 at 2:06 pm
Jesse Tuttle, whose trial starts Monday, claims he was helping the FBI as a hacker. But after he visited two Hamilton County Web sites, investigators say they found child pornography on his computer.

Det. Rick Sweeney used to handle Hammer, a drug-sniffing dog. Now he investigates computer crime.

Phillip John Eide, AKA Xavier Von Erck, runs a vigilante Web site called Perverted-Justice.com. Some law enforcement agencies criticize the group's tactics.



Hackers, crackers and trackers. Viruses, worms and Trojan horses. Malware, spyware and pedophiles. Danger lurks in every dark corner of the grid.

When people talk about the dangers of the Internet, they usually refer to the unwholesome influences that children can be exposed to or the possible theft of credit card or social security numbers. But the risks are much more complex than that.

Malware — malicious software — enables other people to surreptitiously use your computer to obtain or disseminate pornography, hack into government Web sites or make threats against people you don't even know.

When police investigate, your computer can be confiscated, criminal charges brought against you and all the expense and embarrassment that result will be yours to deal with.

As soon as people started using computers on a daily basis, some of them started doing illegal things: stealing identities, committing fraud, making threats, insider trading and disseminating child pornography, to name a few. Not new crimes, for the most part, just newer and faster ways of committing them.

A woman in Portland, Ore., is suing Yahoo Inc., alleging an ex-boyfriend posted personal profiles of her containing nude pictures. In online chat rooms, posing as the woman, he allegedly directed men to show up at her home and job to engage in sex.

Someone can easily make up a Yahoo account with a screen name that appears to be you and troll around cyberspace wreaking havoc in your name. CityBeat ran a Yahoo member search and found the screen name "mayor_of_Cincinnati," with a profile created for Mayor Charlie Luken. The profile includes sexual aspersions about a woman named Deb and lists this as Luken's favorite quotation: "Deb, get the hell out of our city."

Luken says he isn't the person using the screen name "mayor_of_Cincinnati" and doesn't know who is.

If you think of your Internet connection as a door, you start to understand the vulnerability you face the minute you first start using the World Wide Web. Just as the door to your house can let in burglars and rapists, your Internet connection can let into your computer all manner of unsavory visitors — some of whom could lead to your arrest.

James W. Crowley, president of jCrow Consulting Co., is an attorney and computer forensics expert near Columbus who's supplied expert analysis of suspect computers and testimony for defendants in Hamilton County.

"I often tell clients, lawyers and even judges that I could find porn — even kiddie porn — on almost any machine," Crowley says. "It gets 'pushed' there sometimes by pop-ups. The same annoying technology that shoves ads into your face can put porn on the hard drive. After 24 years working with the Internet, back to the old CompuServe days, I am for the first time scared for the computing public."

The difference between the bad guys who intrude through your door and the ones who intrude via the Internet is you probably don't know the cyber break-in has occurred. But then you take your computer for repair and a technician notices something suspicious. He calls the police.

Picture this: FBI agents in bulletproof vests, guns drawn, search warrant in hand, show up on your front porch. They have evidence that a cyber attack on government sites is being launched from your Internet Protocol (IP) address. (Think of it as the home address for your computer.) You learn later that a hacker in Japan is using your computer as a "zombie" because you don't have a firewall installed on your system.

But that's not the end of your trouble. Once your computer is seized, the feds find child pornography on your hard drive. A porn trafficker is using your unprotected system to store their sick pictures so they can't be charged with possession and pandering.

Meanwhile, a software bootlegger is directing his customers to your company's server to access illegal copies of software because your IT director failed to install the latest security patch on your Microsoft IIS server.

In the next few days courts in Hamilton County will deal with two criminal cases that involve ultramodern computer technology but a defense as ancient as the first accusation of wrongdoing: "Someone else did this and made it look like I did." The suspects aren't casual Internet visitors. One is a skilled hacker and the other is a prominent criminal-defense lawyer.

Digital crime calls for a whole new kind of law enforcement. You're more likely to be mugged in cyberspace than on the street corner. Are local police agencies armed with the training and resources needed to effectively deal with cyber crime?

The Internet is a parallel universe with few rules, no borders and laws whose enforcement is limited by the expertise of the agencies responsible for policing it.

The Regional Electronics and Computer Investigations Task Force (RECI) is a multi-jurisdictional agency composed of four investigators, two from the Hamilton County Sheriff's Office and two from the Cincinnati Police Department.

CityBeat reviewed RECI's two pending cases, in which the hacker and the lawyer are charged with pandering sexually oriented matter involving a minor. They face a combined 104 years in prison for having images of child porn on their computers.

'They wanted this to happen'

Jesse Tuttle of Camp Denison has been waiting to stand trial for more than two years. His trial on charges of illegally accessing two Hamilton County Web sites and possession of child pornography was scheduled for April 11. But prosecutors agreed to a postponement after a CityBeat investigation showed that John Ruebusch, the RECI agent in charge of the case, isn't a real police officer (see "Virtual Crime," issue of April 6-12).

Tuttle's trial, now scheduled to begin Monday, will open with a hearing on motions to throw out the search warrants and any evidence they produced.

Tuttle, known in the hacker community by the screen name "Hackah Jak," has hacked sites such as Sony Corp., the Girl Scouts of America and Jenny Craig. His "hacktivism" includes raiding Chinese government sites after China seized an American spy plane in 2001. Tuttle also helped create "The Dispatchers," a group that hacked government sites of Middle Eastern countries after 9/11.

There are bad hackers, often referred to as "crackers," who break into computers, rummage around networks, delete files and steal citizens' identities. There are good hackers, wearing the virtual white hats, who are hired by companies to scour network security for holes.

Tuttle claims to be a bit of both. He's done everything from defacing Web sites and breaking into government sites to reveal holes to chasing child porn traffickers through cyberspace for the FBI.

He's accused by RECI of illegally accessing the county's main Web site, www.hamilton-co.org, and the sheriff's Web site, www.hcso.org. Six criminal complaints charging unauthorized use of property were issued in 2003.

On June 11, 2003, sheriff's deputies told WCPO (Channel 9) they had noticed someone trying to hack into their Web site in January and February of that year. The deputies said they decided to wait and watch to see what the alleged hacker was going to do before arresting him.

But CityBeat's review of records in the case reveals that deputies had no idea someone had tried to access the county systems. They learned about it only after John Lasker, a Columbus freelance writer, alerted the county, as Ruebusch later admitted in court.

"That is how the case opened up and the investigation began was based on that e-mail that was forwarded to me," he testified.

Ruebusch said he was able to track the e-mail header back to an account belonging to Tuttle.

When Ruebusch went to search Tuttle's house, it wasn't Tuttle's first contact with law enforcement. In May 2001, agents from the FBI's New York and Cincinnati offices questioned him about accessing the computer systems of financial companies Morgan Stanley and Dean Witter. Tuttle claimed he'd accidentally logged into both for a few seconds.

"They deemed it was just an accident," he says. "There was no harm done."

No charges were filed. But the FBI again contacted Tuttle after the terrorist attacks in New York and Washington, D.C., in September 2001, according to testimony in pretrial hearings.

"They asked me about working with them, and it was in September of 2001," Tuttle said. "Due to 9/11 is when I started working with them."

There were numerous attacks against government and military computer systems around that time, and Tuttle knew a lot of people in the hacker community.

FBI Special Agent Bennie Bustamante paid Tuttle for information, sometimes $1,000, Tuttle testified.

"I believe it was the Navy and an Air Force system that had some security holes," he said.

Tuttle said he began masquerading as a young girl in Internet chat rooms and having conversations with online pedophiles, then reporting back to the FBI.

It was during his work as an FBI informant that Tuttle accessed the two county Web sites, he said.

"I talked to Agent Bustamante about running a security scan on them," Tuttle testified. "And he said it was OK, because I'm not really breaking anything. I'm not causing damage. He told me to get back with him, let him know what the results of the scan were. If I did find a security hole in the systems, don't directly expose it to John Lasker."

What was it that made Tuttle's brief visit to the two county Web sites crimes? At a pretrial hearing in December 2003, Ruebusch testified that Tuttle ran a vulnerability scan on the system.

"He was looking for any holes that allowed him to get past the normal Web server application to get into areas that he was not supposed to normally be allowed to get in," Ruebusch said. "He gained access through a file that is not supposed to be there — something they call a 'back door,' a program that is left there so you can later come back into the system."

But that's nonsense, according to Steve Busse, owner of the Nerd Patrol, an Anderson Township computer company, who testified in Tuttle's defense at the same hearing.

"I would never have this (file) on my Web server," Busse said. "It has to be put there by somebody else. But more importantly, the Web server has to be configured specifically to allow something like this to run."

It is not a weakness. It is not a back door. It is a Microsoft product. Busse speculated that the county's Web sites were deliberately programmed to allow the "back door" file to be used.

"It's almost like they wanted this to happen," Busse testified.

The real reason Tuttle is being prosecuted is because he embarrassed the sheriff's office, according to a motion by attorney Firooz Namei.

"This case concerns a local agency's attempt to divert criticism from its inadequate, if not incompetent security system for its county computer network," the motion said. "It took an FBI operative only two seconds to break in. It might take a terrorist 10."

'Cincysugardad' on the prowl

When they got hold of Tuttle's computers, RECI investigators allegedly found images of child pornography. To date the only image publicly identified is a photo of a girl about 12 years old in a shower — which prompted Hamilton County Common Pleas Judge Thomas Crush to ask, "That's pornography?"

But whatever RECI found, it can't have been surprised. In a recorded interrogation after his arrest, Tuttle told Det. Rick Sweeney that he was working with the FBI's Bustamante and Assistant U.S. Attorney Robert Behlen, who knew someone had sent kiddie porn to Tuttle.

"I think he knows that 'Cincysugardad' has sent me child pornography," Tuttle said. "I was logging on to AOL, sitting in a Cincinnati chat room, waiting for someone to contact me. I don't ask them to send me anything. I don't ask them to show me anything. I wait for them to do it, and if they send it to me, I relay it over to Benny Bustamante, and apparently there's nothing illegal with that because I didn't ask for it and I'm sending it straight over to law enforcement."

But when Sweeney then requested a search warrant to check Tuttle's computer for child pornography, he told the judge that Tuttle had admitted it might be there. Sweeney didn't tell the judge that Tuttle was working with the FBI.

In a motion to suppress the evidence obtained, Tuttle's attorneys asserted that Sweeney deceived Common Pleas Judge Patrick Dinkelacker to obtain the second search warrant.

"Det. Sweeney, however, failed to mention that during that interview, Jesse Tuttle also stated that any child pornography that was on his computer was obtained as the result of his work with the FBI," the motion says. "It is clear that Judge Dinkelacker was not informed of that fact when he signed the warrant."

When later challenged in a pretrial hearing, Sweeney said Tuttle was no longer working with the FBI.

"I contacted Agent Bustamante before we executed the search warrant and was told that Mr. Tuttle was not an active informant and that we could proceed with our action," Sweeney said.

But that leaves unanswered the question of how Tuttle knew about an FBI case that Sweeney was also aware of — the hunt for "Cincysugardad." The FBI had informed the sheriff's office about the suspected child pornographer.

"If we came across him in a chat room or if he approached us, they wanted us to know he was a target they were looking at," Sweeney testified.

RECI's handling of the Tuttle case raises questions about the kind of training RECI has. Expert testimony is essential to legal proceedings that involve technical, medical, professional or scientific matters.

While Ruebusch is a civilian employee in the sheriff's office, Sweeney has taken Ohio Peace Officer training and is a police officer. But neither man's training reflects expertise in computer technology.

Ruebusch, whose title is electronic crimes analyst, has been with the sheriff's department for almost six years. Prior to that he was a computer consultant for various companies for about 10 years.

"I took some computer science, some college, but I did not complete it," he testified in a pretrial hearing.

He has a few certificates for attending courses for law enforcement. One is with the Federal Law Enforcement Training Center.

After reading CityBeat's report on Ruebusch's status, Tuttle's attorneys attacked his qualifications. The motion is still pending.

"Yesterday (April 6), defendant discovered that (Ruebusch) on his first search warrant is not a law enforcement officer and, as such, does not have the official police training and experience to act as such," the motion says. "Moreover, (Ruebusch) has no police training or experience in what constitutes 'probable cause.' Finally, (Ruebusch) has no law enforcement training in investigative techniques."

Det. Sweeney appears not to have much training either. After dropping out of Colerain High School, he joined the Army in 1978 and received a GED when he left in 1981. The sheriff's office hired Sweeney as a corrections officer in 1982.

Prior to joining RECI in 1999, he handled a drug-sniffing dog with the Regional Enforcement Narcotics Unit. In 1999 the sheriff's office moved him to court services, then to RECI a few months later.

How Sweeney was assigned to work computer crimes with RECI is a mystery. His personnel records show no formal training, college education or specialized training in the area of computers, not even a three-day computer workshop.

His 2002 job evaluation states he has re-focused RECI to Internet investigations of sexual predators. He sets up online stings in which officers pose as underage children and present themselves as targets for those looking for illegal sex with kids.

He apparently does like to talk about sex. Charges of sexual harassment were sustained against him in 1992, according to records in the sheriff's office.

A female co-worker found Sweeney's office conversations offensive and embarrassing. She had inquired about the meaning of the word "procuring." Sweeney told her, "That's when a man pays a woman to suck his dick and swallow." When the co-worker tried to end the conversation, Sweeney said, "Like you don't do that. ... We all know you do."

During an internal investigation, he described the incident as a practical joke and said he and the co-worker often joked sexually and shared pornographic materials.

Bait and snitch

A bungling inquiry from a freelance writer set off the Tuttle investigation. But sometimes RECI relies on a source that's shunned by law enforcement across the country.

A Web site called Perverted-Justice.com is a vigilante effort to snare sexual predators. Its tactics have attracted criticism from police officials and from people who say they were unfairly accused and viciously harassed by participants in the Web site.

The group trolls regional chat rooms hunting for what they call "wannabe pedophiles" — adults who engage in sexually explicit chats with what they believe to be children.

The Web site claims it has helped win 15 criminal convictions for sex offenses.

The Web site is the creation of Phillip John Eide of Portland, Ore., who uses the alias Xavier Von Erck. The site is part of his network SuperPatriot.net, which includes AngryGerman.com and MorphineNation.com. Eide describes himself as a libertarian, an atheist and an avid "gamer."

Nearly 700 men across the United States have had their photos, cell phone numbers and e-mail addresses posted on Perverted-Justice.com since the summer of 2002, publicly accused of being wannabe pedophiles.

Cincinnati attorney J. Robert Andrews became one of them on Nov. 15, 2004. At approximately 8 p.m. that night Andrews' image and personal information, including his cell phone number, were posted on Perverted Justice. By 9 p.m. the group identified him as a "collection lawyer" in Delhi, Ohio, which is erroneous information.

Members had already e-mailed Andrews' law firm, the Ohio Bar Association and several other legal groups. All of this took place even though Andrews' identity was still considered "unconfirmed" by the group's inner forums.

CityBeat obtained the e-mail sent to Andrews' law firm.

"I am a reader of the web site www.perverted-justice.com, a site dedicated to protecting children from Internet predators," the e-mail said. "Your partner, J. Robert Andrews, was 'busted' by the site last evening. He attempted to solicit sex from what he believed to be a 13-year-old girl."

The e-mail, containing excerpts from the alleged chat, was signed, "A concerned citizen."

The Web site administrator, Von Erck, warned members, "I've not seen a 'confirmed' on this. Sure, it looks promising, but let's get the links solid before e-mailing all of humanity. I consider this akin to jumping the gun."

But it was too late. Andrews' address, date of birth, work address, cell phone number, past employers' addresses, the names of his wife and daughter and their birthdates were all posted on the site. It somehow even included the family's unlisted phone number.

Perverted Justice member "40Ounce Killa" wrote, "That address is the one listed on his Ohio driver's license. I'd rather not say how I obtained this information; but trust me, it's confirmed."

Perverted Justice member "grod99" e-mailed The Cincinnati Enquirer and WXIX-TV (Channel 19).

"I will do the ABC, CBS, NBC networks next," grod99 wrote.

One day after Andrews' name was posted on Perverted-Justice.com, RECI became involved.

"On 11.16.04 Det. Sweeney received a telephone call from Cincinnati Enquirer reporter Sharon Coolidge," said an affidavit Sweeney filed in a request for a search warrant.

Coolidge told Sweeney that Andrews was posted on the site and asked if RECI were going to investigate. On Nov. 19, 2004, RECI officers were searching Andrews' home. He was later indicted on five counts, including possession of child pornography, importuning and tampering with evidence.

'We pointed and laughed'

Mike LaMonaca is a Web applications developer at the University of Pennsylvania. In March 2004, an NBC affiliate in Philadelphia lured online predators to a rented home where, instead of a tryst with an adolescent, they were greeted by news cameras and reporters. Perverted Justice helped set up the sting operation.

LaMonaca visited the group's Web site and browsed through a few of the "wannabe pedophile" profiles. He happened to recognize the photo of a local man, Craig Rodriguez. The image, it turns out, had been stolen and posted on Perverted-Justice.com.

LaMonaca alerted Bill Horton, who had taken the photo; Rodriguez modeled for Horton's T-shirt company.

Horton contacted Von Erck via e-mail. CityBeat obtained copies of the correspondence.

"God forbid if my model should get attacked from your site claiming he is a pedophile," Horton wrote. "If this is not taken down by Monday I will get a lawyer to sue for damages."

Von Erck's response was nonchalant, saying a disclaimer made it clear that Perverted Justice isn't responsible for the photos of "wannabe pedophiles" posted on the site.

"Obviously you did not read the disclaimer," he replied. "Thanks for the heads-up. The image has been removed. Great way to overreact though!"

Rodriguez says he was shaken by having his photograph used in accusations of child sexual abuse.

"When I found out my picture was on that site, I felt sick and scared," he says. "My life is different. I still have fears about going out and talking to people because they may have seen the site. It makes it hard to live life."

Rodriguez isn't alone. A reporter at The Seattle Times dodged a bullet from Perverted Justice. An editor received an anonymous e-mail claiming that reporter Matt Peterson was busted soliciting sex from a minor. The editor didn't take the bait.

Perverted-Justice.com later posted this message, "The Matt Peterson at The Seattle Times newspaper is not our perv. Please leave him alone."

But despite the sloppy accusations and dubious methodology, Perverted Justice's word was all RECI relied on when it went after Andrews. There was no additional investigation, according to a motion filed by Andrews' attorney, H. Louis Sirkin.

"Det. Sweeney made no effort to contact anyone associated with the Web site to obtain the name of the person who allegedly engaged in the chats with Mr. Andrews," the motion says. "Instead, Det. Sweeney relied on a Web site's posting of chat conversations that could have easily been fabricated or altered."

Det. Bill Liczbinski investigates crimes against children for the Wayne County Sheriff's Department in Detroit. He expressed surprise after learning about the search warrant in the Andrews case.

"I am really surprised a judge gave probable cause for that," Liczbinski says. "I would have to assume that this judge and municipality almost never deal with cybercrimes. My unit and prosecutor's office would never ever sign a warrant based on what Perverted Justice posted on their Web site. Maybe this is all new to the judge. When we first saw the site, we pointed and laughed."

In December 2004, Bradley Russ, director of training for the U.S. Department of Justice's Internet Crimes Against Children Task Force, told The New York Sun he didn't trust Perverted Justice.

"Perverted Justice's 'aggressive' tactics often go against national standards," Russ said. "By accepting child pornography online from pedophiles to make a better case, the contributors at Perverted Justice were themselves possessing unlawful contraband, and federal authorities are now considering whether or not to seize their computers."

Russ, telling CityBeat he has 25 years of investigative experience, compared Perverted Justice's work to having lay people buy drugs and then turn them over to police.

"To engage in investigations, pose as children and transmit and receive child pornography, that's going beyond the boundaries of what they should be doing," he says.

Hamilton County Prosecutor Joe Deters doesn't take Perverted Justice seriously.

"I have instructed my criminal division people that cases have to be ultimately confirmed by law enforcement here locally," he says. "My office is not going to take a case that Perverted Justice brings to us. We will rely on the sheriff's office to develop those cases themselves."

A hearing on a motion to quash the search warrant in the Andrews case is set for Friday.

Lt. Larry Jacobs of the Phoenix Police Department is in charge of Arizona's Regional Internet Crimes Against Children Task Force. He stays clear of tips from Perverted Justice.

"When they post those chats, there is no proof that is actually the chat that came from the other party," he says. "We refuse to work with them because they won't give up their computer for evidentiary purposes. We don't want the chats — we want the computer."

Andrews and his attorneys declined to be interviewed.

CityBeat asked Von Erck to respond to criticism of Perverted Justice by law enforcement. Instead Perverted Justice posted a lengthy statement challenging the motivation behind this part of the story. To see the statement, visit www.perverted-justice.com/opinions.

Joe, meet Jane

Anyone with a computer connected to the Internet is potentially at risk of becoming a victim of computer crime.

In May 2004, Perverted Justice allegedly busted Derek Yoder of Virginia. His employer, family and church were contacted. Yoder was repeatedly threatened via e-mail and phone calls, including threats on his life. When he hired an attorney, malware was forensically discovered on Yoder's computer, including a "Trojan horse," which provided a back door that allowed someone, masquerading as Yoder, to use his computer.

A Perverted Justice forum quotes member "lvl45t3rlvllnd" saying, "Identity theft is extremely popular, especially with sites like this one. ... As far as (Yahoo Instant Messenger) theft, I used to do that for a living when I was younger ... way, way, too easy."

The incidents of Trojans found on personal computers have risen by 114 percent in the last quarter, according to a 2005 Webroot Software news update. Trojans are among the most malicious forms of spyware, capable of capturing keystrokes and screen shots on other people's computers. It's relatively easy, according to Perverted Justice member "Rad."

"Majority of people online have no clue how easy it is to install a Trojan virus onto an unsuspecting person's computer," Rad said in a Perverted Justice forum. "Knowing this, it is highly possible to either get somebody to unknowingly download kiddie porn or even 'hacking' their PC and placing a kiddie porn material onto their system."

David Beyer, spokesman for the FBI field office in Louisville, says police have to be wary of Perverted Justice.

"To throw up somebody's picture and name and say they are doing X, Y and Z — how do they know that is really the fact?" he says. "We take info from the public, but we don't arbitrarily investigate someone based upon innuendo and rumor. We are always concerned that before we charge somebody that they are actually the person using that computer."

Asked if people can get into your Yahoo or AOL account and troll around cyberspace pretending to be you, Beyer responded, "That's very, very true."

But caution is sometimes overlooked by law enforcement, according to Crowley, the Columbus forensics expert.

"I've seen loosey-goosey search warrants," he says. "Judges don't know what all the computer mumbo-jumbo means, so the search warrants drafted by the cops usually are accepted without question."

Corrupted-Justice.com educates the public about what it claims are the dangers of vigilante actions perpetrated by Perverted Justice and its members. Someone using the screen name "CGJoe," with e-mail address "[email protected]," registered for the forums on Corrupted-Justice.com on Jan. 10.

"Since that time, (CGJoe) has visited our site on five different days in January and again mid-February," says Scott Murrow, the Web site's administrator.

The unique IP address for Computergeekjoe is registered to the domain "computer-crime.org." That domain has the following registrar information: "Hamilton County Sheriff's Office, 1000 Sycamore St. Rm 110. Cincinnati, Ohio 45202. Administrator Name: John Ruebusch."

His visits to Corrupted-Justice.com show that RECI officials now have at least some familiarity with criticisms of Perverted-Justice.com. What's not yet known is whether RECI will continue to use the site as a source for investigations. Lt. Jacobs in Phoenix strongly discourages it.

"They are setting themselves up for the biggest civil liability case you can imagine," he says. "If they are using anything from a cybervigilante Web site to get search warrants from a judge, they are crazy."

Meanwhile, CityBeat created a Yahoo screen name, "Computergeekjane." The pedophile whom the FBI, RECI and Tuttle were tracking two years ago is still actively trolling online. Cincysugardad contacted Computergeekjane, asking how old she is and if she'd send him pictures.