Title: Hacker Court 2004
1. Hacker Court 2004
2. CAST
- JUDGE: Richard Salgado, Attorney, Former Senior
Counsel of CCIPS division of DoJ
- COURT CLERK: Caitlin Klein
- PROSECUTOR: Kevin Bankston, Attorney, Electronic
Frontier Foundation
- DEFENSE ATTORNEY: Paul Ohm, Attorney, Former
counsel CCIPS division of DoJ
- DEFENDANT: Brian Martin, Attrition
- CISO (?)
- REPORTER (CARL WOODWARD): Ryan Bulat, Intern,
Wizards Keys Corp.
- CASE AGENT: Jesse Kornblum, Former Captain,
USAFOSI
- SENATOR BACKDOOR: Simple Nomad
- SENATOR BACKDOOR's staffer: Carole Fennelly,
Senior Security Engineer, Tenable Network
Security
- DEFENSE EXPERT: Jonathan Klein, Director,
Calence, LLC
3. Schedule
- 1645 Introductions, Court Called to Order
- 1650-1700 Opening Statements
- 1700-1715 Agent Kornblum
- 1715-1720 Explanation of Stipulations
- 1720-1735 Oscar J. Simpson
- 1735-1750 Brian Martin
- 1750-1805 Jonathan Klein
- 1805-1815 break
- 1815-1830 Richard Thieme
- 1830-1845 Captain Hack
- 1845-1855 Closing Statements
- 1855 panel discussion in reception area
4. Witness classification
- Factual: testifies to events directly witnessed
or observed. May only testify regarding facts,
not draw conclusions.
- Expert: specifically qualified by the court as an
expert in the subject at hand. May offer opinion
and draw conclusions based on knowledge and
expertise.
5. Prosecution Opening Statement
6. Defense Opening Statement
7. Prosecution Witness 1
- Agent Kornblum is the Case Agent testifying as
both a factual and expert witness on events he
witnessed and actions he took when he conducted
the forensic examination on the computer.
8. Forensic Evidence
9. Government Exhibit 1
- May 23 111418 doc001 sshd1779 connection from "172.18.33.1"
- May 23 111424 doc001 sshd7862 Wrong password given for user 'root'.
- May 23 111432 doc001 sshd7862 Wrong password given for user 'ojsimpson'.
- May 23 111448 doc001 sshd7862 Wrong password given for user 'jsmith'.
- May 23 111501 doc001 sshd7862 Wrong password given for user 'jsmith'.
- May 23 111522 doc001 sshd25386 User jsmith's local password accepted.
- May 23 111524 doc001 sshd25386 Password authentication for user jsmith accepted.
- May 23 111524 doc001 sshd25386 User jsmith, coming from fw001-internal.usna.gov, authenticated.
- May 24 181118 doc001 sshd1779 connection from "172.18.33.1"
- May 24 181123 doc001 sshd28003 User jsmith's local password accepted.
- May 24 181123 doc001 sshd28003 Password authentication for user jsmith accepted.
- May 24 181123 doc001 sshd28003 User jsmith, coming from fw001-internal.usna.gov, authenticated.
- May 24 192318 doc001 sshd1779 connection from "172.18.33.1"
- May 24 192322 doc001 sshd29001 User jsmith's local password accepted.
- May 24 192322 doc001 sshd29001 Password authentication for user jsmith accepted.
- May 24 192322 doc001 sshd29001 User jsmith, coming from fw001-internal.usna.gov, authenticated.
- May 26 084421 doc001 sshd1779 connection from "172.18.33.1"
- May 26 084422 doc001 sshd29990 User jsmith's local password accepted.
- May 26 084422 doc001 sshd29990 Password authentication for user jsmith accepted.
10. Government Exhibit 1 (Enlargement)
- May 28 160321 doc001 sshd1779 connection from "172.18.33.1"
- May 28 160322 doc001 sshd30100 User jsmith's local password accepted.
- May 28 160322 doc001 sshd30100 Password authentication for user jsmith accepted.
- May 28 160322 doc001 sshd30100 User jsmith, coming from fw001-internal.usna.gov, authenticated.
11. Government Exhibit 1-2
- May 29 082021 doc001 sshd1779 connection from "172.18.33.1"
- May 29 082022 doc001 sshd30115 User jsmith's local password accepted.
- May 29 082022 doc001 sshd30115 Password authentication for user jsmith accepted.
- May 29 082018 doc001 sshd30115 User jsmith, coming from fw001-internal.usna.gov, authenticated.
- May 29 142321 doc001 sshd1779 connection from "172.18.33.1"
- May 29 142322 doc001 sshd30150 User jsmith's local password accepted.
- May 29 142322 doc001 sshd30150 Password authentication for user jsmith accepted.
- May 29 142318 doc001 sshd30150 User jsmith, coming from fw001-internal.usna.gov, authenticated.
- May 30 192021 doc001 sshd1779 connection from "172.18.33.1"
- May 30 192022 doc001 sshd32003 User jsmith's local password accepted.
- May 30 192022 doc001 sshd32003 Password authentication for user jsmith accepted.
- May 30 192018 doc001 sshd32003 User jsmith, coming from fw001-internal.usna.gov, authenticated.
- May 31 002318 doc001 sshd1779 connection from "172.18.33.1"
- May 31 002321 doc001 sshd32200 User jsmith's local password accepted.
- May 31 002322 doc001 sshd32200 Password authentication for user jsmith accepted.
- May 31 002322 doc001 sshd32200 User jsmith, coming from fw001-internal.usna.gov, authenticated.
12. Government Exhibit 2
- May 23 111418 fw001.usna.gov test-gw28161 ID 831736 daemon.notice permit hostnodnsquery/62.36.100.188 destination172.18.33.22 port44466
- May 23 111421 fw001.usna.gov test-gw28161 ID 741503 daemon.notice connected hostnodnsquery/62.36.100.188 destination172.18.33.22 port22
- May 23 111422 fw001.usna.gov test-gw28161 ID 572103 daemon.notice exit hostnodnsquery/62.36.100.188 dest172.18.33.22 in145 out222 userunauth duration601
- May 24 181118 fw001.usna.gov test-gw28161 ID 831736 daemon.notice permit hostnodnsquery/62.36.18.118 destination172.18.33.22 port44466
- May 24 181121 fw001.usna.gov test-gw28161 ID 741503 daemon.notice connected hostnodnsquery/62.36.18.118 destination172.18.33.22 port22
- May 24 181122 fw001.usna.gov test-gw28161 ID 572103 daemon.notice exit hostnodnsquery/62.36.18.118 dest172.18.33.22 in2042 out3054 userunauth duration1804
- May 24 192318 fw001.usna.gov test-gw28161 ID 831736 daemon.notice permit hostnodnsquery/62.36.26.120 destination172.18.33.22 port44466
- May 24 192321 fw001.usna.gov test-gw28161 ID 741503 daemon.notice connected hostnodnsquery/62.36.26.120 destination172.18.33.22 port22
- May 24 192322 fw001.usna.gov test-gw28161 ID 572103 daemon.notice exit hostnodnsquery/62.36.26.120 dest172.18.33.22 in4050 out9080 userunauth duration2402
- May 26 084418 fw001.usna.gov test-gw28161 ID 831736 daemon.notice permit hostnodnsquery/62.36.18.218 destination172.18.33.22 port44466
- May 26 084421 fw001.usna.gov test-gw28161 ID 741503 daemon.notice connected hostnodnsquery/62.36.18.218 destination172.18.33.22 port22
- May 26 084422 fw001.usna.gov test-gw28161 ID 572103 daemon.notice exit hostnodnsquery/61.33.44.22 dest172.18.33.22 in555 out1320452 userunauth duration1022
- May 26 120218 fw001.usna.gov test-gw28161 ID 831736 daemon.notice permit hostnodnsquery/61.33.44.22 destination172.18.33.22 port44466
- May 26 120221 fw001.usna.gov test-gw28161 ID 741503 daemon.notice connected hostnodnsquery/61.33.44.118 destination172.18.33.22 port22
- May 26 120222 fw001.usna.gov test-gw28161 ID 572103 daemon.notice exit hostnodnsquery/61.33.44.118 dest172.18.33.22 in888 out2053 userunauth duration124
- May 28 160318 fw001.usna.gov test-gw28161 ID 831736 daemon.notice permit hostnodnsquery/62.36.100.188 destination172.18.33.22 port44466
- May 28 160321 fw001.usna.gov test-gw28161 ID 741503 daemon.notice connected hostnodnsquery/62.36.100.188stination172.18.33.22 port22
- May 28 160322 fw001.usna.gov test-gw28161 ID 572103 daemon.notice exit hostnodnsquery/62.36.100.188 dest172.18.33.22 in12954 out32005252 userunauth duration4500
13. Government Exhibit 2 (Enlargement)
- May 28 160318 fw001.usna.gov test-gw28161 ID 831736 daemon.notice permit hostnodnsquery/62.36.100.188 destination172.18.33.22 port44466
- May 28 160321 fw001.usna.gov test-gw28161 ID 741503 daemon.notice connected hostnodnsquery/62.36.100.188stination172.18.33.22 port22
- May 28 160322 fw001.usna.gov test-gw28161 ID 572103 daemon.notice exit hostnodnsquery/62.36.100.188 dest172.18.33.22 in12954 out32005252 userunauth duration4500
14. Government Exhibit 2-2
- May 29 142318 fw001.usna.gov test-gw28161 ID 831736 daemon.notice permit hostnodnsquery/62.36.26.120stination172.18.33.22 port44466
- May 29 142321 fw001.usna.gov test-gw28161 ID 741503 daemon.notice connected hostnodnsquery/62.36.26.120 destination172.18.33.22 port22
- May 29 142322 fw001.usna.gov test-gw28161 ID 572103 daemon.notice exit hostnodnsquery/62.36.26.120 dest172.18.33.22 inxx outyy userunauth durationzz
- May 29 080018 fw001.usna.gov test-gw28161 ID 831736 daemon.notice permit hostnodnsquery/61.33.55.129 destination172.18.33.22 port44466
- May 29 080021 fw001.usna.gov test-gw28161 ID 741503 daemon.notice connected hostnodnsquery/61.33.55.129 destination172.18.33.22 port22
- May 29 080022 fw001.usna.gov test-gw28161 ID 572103 daemon.notice exit hostnodnsquery/61.33.55.129 dest172.18.33.22 in2344 out234204 userunauth duration300
- May 29 082018 fw001.usna.gov test-gw28161 ID 831736 daemon.notice permit hostnodnsquery/62.36.100.188 destination172.18.33.22 port44466
- May 29 082021 fw001.usna.gov test-gw28161 ID 741503 daemon.notice connected hostnodnsquery/62.36.100.188 destination172.18.33.22 port22
- May 29 082022 fw001.usna.gov test-gw28161 ID 572103 daemon.notice exit hostnodnsquery/62.36.100.188 dest172.18.33.22 in2452 out3223 userunauth duration120
- May 30 192018 fw001.usna.gov test-gw28161 ID 831736 daemon.notice permit hostnodnsquery/62.36.100.188 destination172.18.33.22 port44466
- May 30 192021 fw001.usna.gov test-gw28161 ID 741503 daemon.notice connected hostnodnsquery/62.36.100.188 destination172.18.33.22 port22
- May 30 192022 fw001.usna.gov test-gw28161 ID 572103 daemon.notice exit hostnodnsquery/62.36.100.188 dest172.18.33.22 in2342 out2354865 userunauth duration1210
- May 31 002318 fw001.usna.gov test-gw28161 ID 831736 daemon.notice permit hostnodnsquery/62.36.100.188 destination172.18.33.22 port44466
- May 31 002321 fw001.usna.gov test-gw28161 ID 741503 daemon.notice connected hostnodnsquery/62.36.100.188 destination172.18.33.22 port22
- May 31 002322 fw001.usna.gov test-gw28161 ID 572103 daemon.notice exit hostnodnsquery/62.36.100.188 dest172.18.33.22 in223 out58553 userunauth duration133
15. Government Exhibit 3
- sql-gw tns-tracing no
- sql-gw log-level 0
- sql-gw log-enabled yes
- sql-gw maximum-relays 1024
- sql-gw maximum-connect-data 1024
- sql-gw event-timer 0
- sql-gw answer-error-countdown 16
- sql-gw authentication-level 0
- sql-gw directory /var/log
- sql-gw answer-timeout 5
- sql-gw proxy-type sql-gw
- sql-gw proxy-exec ./sql-gw
- sql-gw state off
-
- test-gw bind-address 62.36.24.12
- test-gw port 44666
- test-gw proxy-exec ./plug-pdk
- test-gw accept-count 3
- test-gw timeout 7200
16. Government Exhibit 3 (Blowup)
- test-gw bind-address 62.36.24.12
- test-gw port 44666
- test-gw proxy-exec ./plug-pdk
- test-gw accept-count 3
- test-gw timeout 7200
- test-gw groupid 0
- test-gw userid 0
- test-gw log-enabled yes
- test-gw state on
- test-gw description test gateway service
17. Government Exhibit 3-2
- hosts entries for rule 3
- http-gw permit-hosts 127.0.0.1 -policy HTTP-rule3 -ruleNumber 3 -ruleName Trusted -logLevel 1
- http-gw permit-hosts 192.168.10.0255.255.255.0 -policy HTTP-rule3 -ruleNumber 3 -ruleName Trusted -logLevel 1
- http-gw permit-hosts 192.168.11.0255.255.255.0 -policy HTTP-rule3 -ruleNumber 3 -ruleName Trusted -logLevel 1
- policy-HTTP-rule3 permit-proxy http-gw
- policy-HTTP-rule3 description Default HTTP service configuration
- policy-HTTP-rule3 send-broken-post-requests off
- policy-HTTP-rule3 usedpf on
- policy-HTTP-rule3 permit-destination
-
- hosts entries for rule 3
- Ssh permit-hosts 127.0.0.1 -policy Ssh-rule3 -ruleNumber 3 -ruleName Trusted -logLevel 1
- Ssh permit-hosts 192.168.10.0255.255.255.0 -policy Ssh-rule3 -ruleNumber 3 -ruleName Trusted -logLevel 1
- Ssh permit-hosts 192.168.11.0255.255.255.0 -policy Ssh-rule3 -ruleNumber 3 -ruleName Trusted -logLevel 1
- policy-Ssh-rule3 permit-proxy Ssh
- policy-Ssh-rule3 privport off
- policy-Ssh-rule3 force_source_address off
- policy-Ssh-rule3 usedpf on
- policy-Ssh-rule3 description Secure Shell
18. Government Exhibit 3-2 (Enlargement)
- hosts entries for rule 3
- test-gw permit-hosts -policy test-gw-rule4 -ruleNumber 4 -ruleName Untrusted -logLevel 1
- policy-test-gw-rule4 permit-proxy Ssh
- policy-test-gw-rule4 privport off
- policy-test-gw-rule4 force_source_address off
- policy-test-gw-rule4 destport 22
- policy-test-gw-rule4 desthost 172.18.33.22
- policy-test-gw-rule4 usedpf on
- policy-test-gw-rule4 description test gateway
- policy-test-gw-rule4 name test-gw
- policy-test-gw-rule4 permit-destination
19. Evidence of Remote Locations
20. Government Exhibit 4
21. Government Exhibit 5
22. Government Exhibit 6
23. Government Exhibit 7
24. Government Exhibit 8
25. Government Exhibit 9
26. Government Exhibit 10
27. Government Exhibit 11
28. Government Exhibit 12
29. Government Exhibit 13
30. Blog Evidence
31. Government Exhibit 14
Walking the plank on the Bl4ck P3rl
date / time / mood: disturbed
--
Just sit right back and you'll hear a tale, A tale of a fateful trip, That started from this tropic port, Aboard this tiny ship.

when you find yourself in the middle of the Potomac river, swimming to the shore in full clothing, one hand holding your laptop above the water desperately trying to preserve it.. that is the last song you may think of, but i sure was.

it's no secret that marvin and i have had disagreements in the past, and it's no secret that things have been on edge at the office lately, due to us not seeing eye to eye on everything from corporate direction to security concepts to lunch. when i thought things couldn't get worse, they did..

last night, Captain Jackass fired me. one day i own part of the company, the next day i don't, the next day i'm swimming in the potomac jobless. i played my cards wrong, i worried too much about geek things, i didn't watch the business side of things and he muscled me out of my own company, i can accept that (asshole). despite that, it was a shock to be fired on his dumpy boat last night, and to make matters worse, the pirate wannabe actually made me walk the plank. one minute he's working on his laptop yelling 'aaargh' and laughing like a loon, the next we get into an argument and he pushes me toward the side of the boat.
32. Government Exhibit 14-2
he puts a plank of wood in some slot he cut out of the side of the boat, screams "you're fired, walk the plank mate!" and pushes me forward. brandishing his old fencing saber, i grab my laptop and get prodded onto the plank. he goes into some gay ritual of a pirate captain full of 'aarghs' and 'mateys', then pokes me in the back forcing me into the river. what .. the .. fuck!

i'll post more later when my stuff dries and i make sure my laptop is fine.
--
link  X Replies  Reply
33. Government Exhibit 15
Captain Jackass
date / time / mood: pissed
--
sleeping on this whole thing didn't help. waking up i feel nothing for contempt for marvin and want him to pay for what he has done. everyone around him knows he has gone mad. it used to be jokes about sailing the wild seas of the net, then it was his make shift raft at waterworld getting laughed at by eight year olds, then it was purchasing a real boat and decking it out with wifi gear. did anyone bother to remind me he knew nothing about wifi a few months ago?

every day, every hour.. questions about wifi. how do i do this? how do i do that? how do i hax0r this? jesus christ, read a god damn book marvin! he "sets sail" on the potomac thinking that no one had thought about "war sailing" and being a "wifi pirate" even though it was published months ago. the release of _Pirates of the Caribbean_ didn't help things, and his fetish for Johnny Depp.. i won't even go there. and the last meeting with our clients, what was he thinking? while he didn't sink his lame ship, he is no doubt going to sink that company. he needs to be put out of his misery.

i also thought about pressing charges against him for the whole boat things last night. it wasn't exactly warm out, and to push me into a damn river where i could only swim to a navy ship or swim an extra mile to a shore outside the naval facility, that has to be assault or attempted murder or something. the thought of him rotting in a jail getting the sweet man love from bubba is an appealing thought.
--
link  X Replies  Reply
34. Evidence from Marvin Biggs Laptop
35. Government Exhibit 16
36. Government Exhibit 17
37. Stipulations
- Factual: an agreement between prosecution and
defense on particular facts, eliminating the need
for testimony.
- Testimonial: an agreement between prosecution and
defense that a particular witness would testify
in the manner stipulated, if called to the stand.
38. Government Exhibit 18
- DISCLAIMER: The following document is a
fictionalized testimonial stipulation for the
Black Hat 2003 Conference. The witness of the
stipulation does not exist, nor was any evidence
in this matter gathered.
- __________________________________ x
-
- UNITED STATES OF AMERICA,
- -v.-
- STIPULATION
- MARVIN BIGGS,
- a/k/a Captain Jack Hack,
-
-
- Defendant,
-
- __________________________________
- IT IS HEREBY STIPULATED AND AGREED between the
United States of America, RICHARD SALGADO,
Assistant United States Attorney, of counsel, and
the defendant MARVIN BIGGS, by his attorney
JENNIFER GRANICK, Esq.
39. Government Exhibit 18-2
- Mr. Smith has reviewed the business records
maintained by potomacriver.com for May 15th -
June 15th, 2003 and determined that IP address
62.36.18.118 was assigned to the computer owned
by Mr. and Mrs. James Denton, 1313 Mockingbird
LA, Backwash, Maryland.
- Mr. Smith has reviewed the business records
maintained by potomacriver.com for May 15th -
June 15th, 2003 and determined that IP address
62.36.26.120 was assigned to the computer owned
by Mr. and Mrs. Bob Jones, 1234 State St, Rivers
Edge, Maryland.
- Mr. Smith has reviewed the business records
maintained by potomacriver.com for May 15th -
June 15th, 2003 and determined that IP address
62.36.18.218 was assigned to the computer owned
by Mr. and Mrs. Sam Spade, 4314 East End Ave,
Rivers End, Maryland.
- Mr. Smith has reviewed the business records
maintained by potomacriver.com for May 15th -
June 15th, 2003 and determined that IP address
62.36.100.188 was assigned to the computer owned
by Mrs. Samantha Smith, 1445 West End Ave,
Rivers End, Maryland.
- Mr. Smith has reviewed the business records
maintained by potomacriver.com for May 15th -
June 15th, 2003 and determined that the above IP
addresses were active during those times.
- IT IS FURTHER STIPULATED AND AGREED that this
stipulation may be received in evidence as a
Government exhibit at trial.
- Dated: June 1, 2003
- By____________________________
40. Government Exhibit 19
- DISCLAIMER: The following document is a
fictionalized testimonial stipulation for the
Black Hat 2003 Conference. The witness of the
stipulation does not exist, nor was any evidence
in this matter gathered.
- ___________________________________ x
-
- UNITED STATES OF AMERICA,
- -v.-
- STIPULATION
- MARVIN BIGGS,
- a/k/a Captain Jack Hack
-
-
- Defendant,
-
- ___________________________________
-
- IT IS HEREBY STIPULATED AND AGREED between the
United States of America, RICHARD SALGADO,
Assistant United States Attorney, of counsel, and
the defendant MARVIN BIGGS, by his attorney
JENNIFER GRANICK, Esq.
- If called as a witness, Ms. Samantha Smith
would testify as follows:
41. Government Exhibit 19-2
- IT IS FURTHER STIPULATED AND AGREED that this
stipulation may be received in evidence as a
Government exhibit at trial.
- Dated: June 1, 2003
- By____________________________
- RICHARD SALGADO
- Assistant United States Attorney
- By____________________________
- JENNIFER GRANICK, ESQ.
- Attorney for MARVIN BIGGS
42. Prosecution Witness 2
- Oscar Simpson is the systems administrator for
the USNA, testifying as a factual witness on
events he directly witnessed. His technical
background could cause him to be qualified as an
expert during testimony, if the Judge allows it.
43. Prosecution Witness 3
- Brian Martin is a former colleague of the
defendant, testifying as a factual witness on
events he directly witnessed. He may not offer
expert opinion since he is not qualified by the
court.
44. Defense Witness 1
- Jonathan Klein is testifying as an expert in
wireless networks. He has been qualified by the
court before testifying as an expert.
45. Defense Exhibit 1
46. Defense Exhibit 2
47. Defense Exhibit 3
48. Defense Witness 2
- Dr. Richard Thieme is a psychiatrist treating
Marvin Biggs (a/k/a Captain Jack Hack). He is
testifying as an expert witness in psychiatry on
the mental state of Mr. Biggs.
49. Defense Witness 3
- Marvin Biggs a/k/a Captain Jack Hack is the
defendant and is not required to take the stand,
but has the right to do so if he chooses. His
attorney should discourage him from doing so,
since the judge can add extra points to his
sentence for perjury and obstruction of justice,
if he is found guilty.
50. Prosecution Closing Statements
51. Defense Closing Statements
53. Panel Discussion
- Meet in the reception area