1 IN THE CIRCUIT COURT OF THE STATE OF OREGON 2 FOR THE COUNTY OF WASHINGTON 3 4 STATE OF OREGON, ) ) 5 Plaintiff, ) ) 6 vs. ) No. C940322CR ) 7 RANDAL LEE SCHWARTZ, ) ) 8 Defendant. ) Volume 2 9 10 11 TRANSCRIPT OF PRETRIAL PROCEEDINGS 12 13 BE IT REMEMBERED THAT on the 14th 14 day of June 1995, the above-entitled matter came on 15 for Hearing before the HONORABLE ALAN C. BONEBRAKE, 16 a Circuit Court Judge. 17 18 APPEARANCES 19 Thomas J. Tintera Washington County Deputy District Attorney 20 Representing the State of Oregon 21 Mark Sussman Attorney at Law 22 Representing the Defendant 23 24 25 173 1 WITNESS INDEX 2 3 FOR THE DEFENDANT: Direct Cross ReD ReX 4 5 Mark William Morrissey 172 225 239 6 242 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 174 1 A.M. SESSION 2 BEGINNING AT 9:50 A.M. 3 JUNE 14, 1995 4 5 THE COURT: Mr. Sussman, call your 6 next witness. 7 8 MARK MORRISSEY 9 called as a witness on behalf of the Defendant, 10 having been first duly sworn under oath, was 11 examined and testified as follows: 12 13 THE CLERK: State your full name and 14 spell it for the record, please. 15 THE WITNESS: Mark William 16 Morrissey. M-o-r-r-i-s-s-e-y. 17 18 DIRECT EXAMINATION 19 BY MR. SUSSMAN: 20 Q Mr. Morrissey, how are you employed now? 21 A I'm the manager of computing facilities 22 for the Department of Computer Science at the 23 Oregon Graduate Institute. 24 Q How long have you been there? 25 A Been there for one and a half years. 175 1 Q Prior to that, where were you employed? 2 A Employed by the Information Technology 3 Group at Intel Corporation in Hillsboro. 4 Q Any particular branch or campus site? 5 A I was at the Hawthorn Farms facility. 6 Q How long were you there? 7 A A little over two years. 8 Q What was your? What were your job 9 responsibilities there? 10 A My last position at Intel, I was a senior 11 network engineer for the Information Technology 12 Group. In that role, my specific duties were 13 network management and network management tools for 14 the computer networks in Oregon for Intel. 15 Q Was that your position in October and 16 November of 1993? 17 A Yes. Yes, it was. 18 Q And during your employment at Intel, did 19 you happen to know Randal Schwartz? 20 A Yes, I did. 21 Q Did you work -- Were you working with him 22 in some capacity during that time? 23 A Yes. We both worked for Bob Wilcox in 24 the Information Technology Group. 25 Q Was that in October and November of 1993? 176 1 A Yes, it was. 2 Q And what was his position? 3 A Randal was an independent contractor 4 doing work for Bob Wilcox and also Clayton 5 Kirkwood, who was an Intel employee in California. 6 I don't know specifically what Randal's duties 7 were. 8 Q In terms of a hierarchy, hierarchal, the 9 description of the position there, Bob Wilcox being 10 the person and showing a diagram of who was under 11 him, would you and Randal Schwartz have been in 12 comparable positions? 13 A We would have been in the same group. We 14 would not have been in comparable positions. 15 Q What would have been the difference with 16 your position and his? 17 A My position, I was -- I had specific 18 responsibility for computer systems administration 19 for a small network of computers in our particular 20 group, and I was doing work related to network 21 management for the Oregon site. 22 Q And was Mr. Schwartz working under you or 23 was he in a parallel position? 24 A He was working on other items. He was 25 not working on either of those two things. 177 1 Q You were working in that capacity when 2 you discovered -- when you discovered a crack 3 program running on one of your machines? 4 A Yes. 5 Q And how was it that you saw that? What 6 brought that to your attention? 7 A Well, the normal mode of systems 8 administration, I have -- make it a habit to check 9 what I call the health of my systems to make sure 10 that I understand what is a normal mode of 11 operations for the computers, to make sure that I 12 can, at a glance, tell whether or not a computer is 13 behaving properly. The way I do that is I 14 periodically check what programs are running on a 15 system. 16 In this particular case, I had had 17 conversation, gosh, I'm not positive, probably in 18 the August or September timeframe as we were 19 getting some new computers into my group, I had a 20 conversation with Randal where we were talking 21 about some of the computer-intensive jobs that he 22 was doing, some things that required long running. 23 One of the computer systems that we 24 were bringing in was specifically designed to run a 25 program that I was just becoming familiar with, a 178 1 network management tool, and I asked everyone in my 2 group not to run any jobs on that machine until I 3 really understood how much horsepower, how much 4 computer power the system needed in order to be 5 effective. I suspected that it needed a lot. 6 Q You mean the program that you were 7 planning to run? 8 A The program that I was working with, yes. 9 On the particular day in question, when I found the 10 crack program, I was logging on just to see what 11 processes were running because I had some time and 12 I wanted to go out and check what was going on with 13 all my processes. And the way I do that, I take a 14 look at what all processes are running on the 15 machine, and I know there were some processes 16 running under Randal's user ID, under his log-in, 17 and I checked more closely and I found out that one 18 of them was a program called -- its particular name 19 was Crack-PWC. 20 Q Now, this is a new machine, new computer, 21 and it was in your system? 22 A It had probably been there less than six 23 weeks. 24 Q And it was a more powerful and faster 25 computer than you had installed there previously? 179 1 A It was more powerful than other systems 2 that we had in the group. I believe there was one 3 that was closely comparable, but it was already 4 busy doing many other things. This was the first 5 machine dedicated to this particular activity. 6 Q First machine dedicated to what? 7 A To the activity of running a tool called 8 Spectrum, which is a network monitoring tool. 9 Q Did Randal Schwartz have something called 10 root access to the systems in your area? 11 A I believe that he did. 12 Q And would you explain what root access 13 is? 14 A Root access is -- root is a special user 15 ID, log into the system that is used for a variety 16 of purposes, administrative purposes for installing 17 software, for doing a variety of things. It takes 18 special privileges that a normal unprivileged user 19 cannot do. 20 Q And you have root access? 21 A I have root access, yes. 22 Q So that's something that typically would 23 go with somebody who had supervisory responsibility 24 in a group? 25 A Not necessarily. It's someone who needed 180 1 access that went beyond the ability of their normal 2 user ID. 3 Q That would also be something that 4 somebody who was working as a systems administrator 5 would have? 6 A A systems administrator would, by 7 definition, have root privileges, yes. 8 MR. TINTERA: Judge, can I ask a 9 question in aid of understanding? 10 THE COURT: Sure. 11 12 EXAMINATION IN AID OF OBJECTION 13 BY MR. TINTERA: 14 Q What is root access? 15 A Oh, it's having the password for the root 16 account so that you can log in and do things 17 with -- in essence, the root account has no 18 security attached to it. It can do anything that 19 it wants. So if you have the password to an 20 account called root, it's historically called root 21 in a UNIX computer, and if you have that password, 22 you effectively have no controls on what you can do 23 on that particular computer. 24 Q What is the root account? "Root" sounds 25 like the bottom. Is that -- 181 1 A It's just the name of the account. The 2 way things are really done in UNIX, you do -- 3 Q What is UNIX? 4 A UNIX is a computer operating system. The 5 particular version of UNIX we were using was 6 running on computers by Sun Microsystems, 7 manufactured by Sun Microsystems, Incorporated, but 8 there is a thing called user identifier or UID. 9 That's a number that the computer goes by. 10 Mnemonics are put on those, words are attached to 11 those that are easy for humans to remember. The 12 root account is an ID of ZOZ and the OID ZI is a 13 secured account and has no security attached to it. 14 There are certain types of 15 securities inside the UNIX operating system that 16 allows controls of what people can do, what limits 17 their ability to do things on the computer, and as 18 the root account, in effect, there is nothing 19 stopping them from looking at or doing anything 20 that they wish to do on that computer. 21 MR. TINTERA: Thank you. 22 MR. SUSSMAN: Thank you. You just 23 anticipated my next questions. 24 25 182 1 BY MR. SUSSMAN: 2 Q Were you aware at the time -- let me 3 rephrase this. 4 Leading up to the time that you 5 prepared a report, which you've reviewed today, 6 October 31st, and then November 3rd, at the time 7 these were prepared, the -- particularly the one of 8 October 31st, were you aware of any other systems 9 to which Mr. Schwartz had root access? 10 A No. 11 Q In one of those reports that you wrote, 12 Mr. Morrissey, you indicated that you had two 13 reasons for logging onto a machine called Snoopy 14 under the Spectrum application. 15 A Yes. 16 Q One was to assure the Spectrum server was 17 operated correctly and further systems modification 18 was required, as you just stated. The second, you 19 say, was to make sure Randal Schwartz had not moved 20 any of his programs to this machine. 21 A Yes. 22 Q Now, would you explain that statement? 23 That wasn't something that you just touched on. 24 A Yes. When I had talked to everyone in 25 our group about not running programs on this 183 1 machine, Randal had let me know that he's always 2 looking for a faster, more powerful machine and 3 that if he could, he would run his programs on this 4 machine. And so I wanted to make sure that -- I 5 wanted to make sure that the Spectrum program was 6 able to have access to all the resources it needed. 7 If there were spare capacity on the system, I would 8 have been happy to let other people use it, but I 9 wanted to make sure that I understood the amount of 10 resources that the Spectrum needed before I allowed 11 anybody else to have access to that system. 12 Q And did Randal explain to you why he was 13 always looking for a faster, more powerful machine 14 to run his programs? 15 A Not that I recall. 16 Q What was your understanding of why he 17 intended to do that? 18 A My assumption would have been at the time 19 that -- just to complete his work in a faster, more 20 efficient fashion. 21 Q Now, you had worked with Randal for a 22 period of time? 23 A Yes. 24 Q And you knew the way he approached doing 25 his work? 184 1 A Yes. 2 Q You were familiar with that? 3 A I believe so. 4 Q In fact, you and he would often talk with 5 each other about the way you would each approach 6 your tasks at work, the projects you were working 7 on? 8 A I wouldn't say often. We certainly 9 had -- our discussions centered more around 10 activities outside of Intel. 11 Q But you did talk with him at times about 12 approaches to doing projects, work inside of Intel? 13 A Yes. 14 Q So you were familiar with his practice of 15 looking to meet the challenges at work and resolve 16 them in the quickest, most efficient way possible? 17 A That's the impression that I got. 18 Q From talking with him? 19 A Yes. 20 Q Of course, that's what led to your -- 21 ultimately later on -- your concern that he would 22 take advantage of this new, faster machine and 23 compete with your program for space on it? 24 A Yes. 25 MR. TINTERA: Can I ask another 185 1 question? 2 THE COURT: Go ahead. 3 4 EXAMINATION IN AID OF OBJECTION 5 BY MR. TINTERA: 6 Q Mr. Morrissey, if I heard what you said, 7 the machine you're talking about is named Snoopy; 8 is that right? 9 A Correct. 10 Q If I could use this analogy, and I don't 11 think -- sounds like if Snoopy was a new car, you 12 wanted to see how the engine ran without any of the 13 accessories on, such as air conditioning, and to 14 see if it could handle the way you wanted it to do, 15 to see whether any other program would be like a 16 drain on the engine? 17 A No. I'll phrase it a slightly different 18 way. 19 Q Sure. Thank you. 20 A Part of the way in particular that I do 21 systems administration is for critical systems, I 22 try to get what I consider to be a feel for how the 23 system operates, how it responds to the commands 24 that I give it, what its load appears to be so that 25 if something is -- if the machine behaves in a way 186 1 that I don't expect it to even subtly, that's a 2 warning signal for me to go and look closer to see 3 if there is anything wrong or anything happening 4 that I should be aware of. 5 So to a large degree, I was 6 parameterizing the system for myself trying to see 7 what its normal mode of operation would be, so if 8 in the future I had to come back and take a look at 9 it after a long period of time, I'd have some 10 degree of confidence as to whether or not it seemed 11 to be operating correctly or it seemed to be 12 operating incorrectly. 13 BY MR. SUSSMAN: 14 Q If I could pick up on that question, his 15 analogy would seem to describe the way Randal 16 Schwartz approached using that new, more powerful 17 machine Snoopy. Would that be accurate? 18 A I'm not sure I understand what you're 19 saying. 20 Q Mr. Tintera's analogy about the new 21 model, more powerful car and trying to test out the 22 engine to see what its maximum capacities were to 23 test its limits, that would seem to be an analogy 24 which would describe the way Mr. Schwartz seemed to 25 want to approach using the new machine? 187 1 A I would disagree with that. 2 Q You would or would not? 3 A I would disagree. 4 Q In what way? 5 A I would say that Mr. Schwartz's approach 6 would be that there is a faster, more powerful 7 machine and I want to use it. 8 Q To get his jobs done in the quickest, 9 most efficient way he could find? 10 A Possibly. From conversations with 11 Randal, I was led to believe that he would want to 12 use at all times the most powerful machine that he 13 had access to. 14 Q Always want to test out its capacities? 15 A No, just always use the most powerful 16 machine. 17 Q After you discovered this crack program 18 running, you noticed that that was running under 19 Randal's own ID, his own password? 20 A Yes, I did. 21 Q So you were immediately able to identify 22 the person running the program as Randal Schwartz 23 from the password he was using? 24 A That was my assumption, yes. 25 Q And then looking further, you found 188 1 what -- you found that he had -- what else did you 2 find? 3 A I issued a command that would tell me the 4 program -- not only what the program was, but where 5 in our storage system it was running from. And I 6 went to that area and I found a program called 7 Crack. The specific version was 4.1 which, at that 8 time, was the most recent version of that program. 9 Crack is a program that was -- 10 that's publicly available on the Internet that is 11 designed to guess or crack passwords from a UNIX 12 password file where they are stored in a cryptic 13 format based upon rules and dictionaries. 14 Q Is that Crack program available at Intel 15 sites as well as on the Internet? 16 A I'm not personally aware of any sites 17 inside of Intel where the Crack program is 18 generally available. I do know that a person in 19 Intel security, Rich Cower, periodically runs the 20 Crack program against password files within the 21 company. 22 Q I said is -- and what about at this time 23 period we're talking about prior to November 1st, 24 1993, was the Crack program available on any sites 25 or any systems within Intel? 189 1 A Not that I'm personally aware of. 2 Q Did you, in your capacity, run crack 3 programs? 4 A Yes. 5 Q Was that something that was commonly done 6 by systems administrators? 7 MR. TINTERA: Judge, I object. I 8 know this is interesting, I suppose, in a 9 deposition form, but as far as I can tell, 10 depositions are not allowed in criminal cases, and 11 I think we have had some background with 12 Mr. Morrissey so that the parties are familiar with 13 what he does, and I think -- I object that this has 14 nothing to do with the motion to controvert. 15 THE COURT: Mr. Sussman. 16 MR. SUSSMAN: This is leading to the 17 questions about what he informed Detective Lilley. 18 MR. TINTERA: I'm objecting to the 19 length of the path to get to those questions. 20 THE COURT: Well, I think we're 21 getting there soon, aren't we? 22 MR. SUSSMAN: Yes, we are. 23 THE COURT: Thank you. Proceed. 24 Overrule the objection. Again, this is a novel 25 case, especially for me, and it is -- Mr. Tintera 190 1 has, I think, been patient. I'd like to get there, 2 to the relevancy, but this is helpful in a case 3 like this because the Court has had extremely 4 limited experience in these areas, so this 5 discussion helps me, and if for no other reason, in 6 understanding some of the terms that are used, the 7 process and all that. Go ahead. 8 The question was whether or not he 9 handled crack programs as a systems administrator. 10 THE WITNESS: No. Each systems 11 administrator probably does things differently, but 12 when I run the crack program, and fairly well-known 13 for my approach, I inform my management that I'm 14 going to attempt to crack programs, that -- excuse 15 me, I'm going to attempt to crack password files. 16 And there are some risks, because if a password has 17 been cracked for a period of time, it would be in 18 what's called plain text, it will be in readable 19 form stored on the computer someplace. 20 I also take time to inform every one 21 of my users that I will be attempting to crack 22 their password and that if I do manage to guess 23 what the password is, this program, they would be 24 forced to change to another password. 25 191 1 BY MR. SUSSMAN: 2 Q So you have used this program in your 3 capacity? 4 A Yes. 5 Q At the time that you prepared these 6 reports for this investigation, follow-up 7 investigation that you had with Detective Lilley, 8 did you know whether or not Randal Schwartz had run 9 crack programs in his capacity, in any of his 10 capacities as Intel? 11 A Other than this particular case? 12 Q Yes. 13 A I did not have any of that knowledge. 14 Q What was your first contact with the 15 Washington County Sheriff's Office regarding this 16 incident, incident involving the crack program? 17 A I believe that Washington County, I'm not 18 sure if it was the District Attorney's Office or 19 the Sheriff's Office was contacted by Clyde Stites, 20 an Intel investigator, and I'm not positive if they 21 came to Intel on Thursday or Friday. 22 Q Let's see if we can get that sequence so 23 we know who you had spoken to then before that, at 24 what point you spoke to the authorities there. 25 After you discovered this program 192 1 running, who did you speak to about this? 2 A The first person I contacted was Rich 3 Cower, Intel information security. 4 Q And then after you spoke to Rich Cower 5 about this, who did you speak to? 6 A After I explained that I felt that some 7 data from Intel Supercomputer Division was 8 involved, Rich gave me the names of two systems 9 administrators at SSD to contact, Lou Poelitz and 10 John Kent. 11 I contacted Lou Poelitz and Lou said 12 that I should speak with John. And I'm not sure 13 how I got in touch with John, if it was through 14 leaving a voice mail message or if Lou contacted 15 him or had him contact me, but when I tried to 16 contact him, I believe he was at lunch and he 17 contacted me when he came back from lunch. 18 Q Some reference to a bridge meeting on 19 October 29, is that when this occurred? 20 A No. This was before the bridge meeting. 21 Q Then after the contacts were made, there 22 was a meeting on October 29th? 23 A The bridge meeting? 24 Q Yes. 25 A Yes, there was a bridge meeting. 193 1 Q At that bridge meeting was a decision 2 made to contact the law enforcement authorities? 3 A Yes. I believe it was at that bridge 4 meeting. 5 Q Prior to that time, had you contacted 6 Randal Schwartz to ask him what he was doing? 7 A No. I had spoken with Rich Cower 8 regarding whether or not I should speak with 9 Randal, and the decision was that we should speak 10 with Intel management before any decision was made 11 how to proceed. 12 Q So at that meeting, then, there was a 13 meeting then with Intel management at that bridge 14 meeting? 15 A The bridge meeting, yes. 16 Q And the decision was made not to talk 17 with Randal about this at all? 18 A Yes. I specifically asked if we should 19 confront Randal regarding this and the decision was 20 to, that it appeared to Intel management that it 21 was a serious issue and needed to involve law 22 enforcement agents. 23 Q So the next meeting that you attended was 24 on -- was with the law enforcement agency 25 representatives? 194 1 A I probably met with the Intel 2 investigators before law enforcement arrived. Most 3 certainly. 4 Q Now, prior to the meeting that you had 5 with -- we have had testimony indicating that there 6 was -- that there was a meeting with the Washington 7 County Sheriff's detectives, Mr. Tintera and the 8 Intel officials on Monday morning, November 1st. 9 Were you present at that meeting? 10 A Yes. I don't specifically recall 11 Mr. Tintera being there, but he may have been 12 there. 13 Q But you were present at the meeting with 14 Detective Lilley? 15 A Yes. 16 Q And during that meeting, who else was 17 present? 18 A It would be Rich Cower, Clyde Stites, 19 Rick Pierce, and I'm not positive if there was any 20 other Intel representatives there. 21 Q And at that meeting, did you assist -- 22 A Excuse me. Let me back up. I'm not 23 positive that Rich Cower had arrived in Oregon by 24 the initial meeting with the Washington County 25 authorities. He was certainly en route, if he was 195 1 not there. 2 Q At the meeting with Detective Lilley, did 3 you assist him in the preparation of a search 4 warrant for Mr. Schwartz's residence? 5 A Yes, I did. 6 Q At that meeting, did you tell -- did you 7 personally tell Mr. -- Detective Lilley that 8 Mr. Schwartz had committed a violation of the ORS 9 statute that involves computer crimes? 10 A No, I did not. 11 Q Did you tell Detective Lilley that 12 Mr. Schwartz was illegally bypassing access dates 13 and utilizing the crack program? 14 A Yes. 15 Q Did you tell him that nobody had spoken 16 to Mr. Schwartz about whether or not Mr. Schwartz 17 had an explanation for what was going on there? 18 A I'm not sure if I told that to Detective 19 Lilley. 20 Q Now, in the preparation of this search 21 warrant affidavit, were you the principal Intel 22 employee to provide information to Detective 23 Lilley? 24 A Yes. 25 Q Did you ever tell Detective Lilley what 196 1 Mr. Schwartz's duties or what his position was at 2 Intel? 3 A I don't specifically recall, but I would 4 assume that I did. 5 Q And did you tell him what the kind of 6 work responsibilities Mr. Schwartz had in his 7 capacity at Intel? 8 A As I recall, Mr. Lilley asked a slightly 9 different question, which was, did Mr. Schwartz 10 have permission to conduct the activities which we 11 were investigating, and I replied that he did not. 12 Q So you did not -- you're saying that you 13 did not inform him that Mr. Schwartz had, for 14 instance, had root access to computers in your 15 system? 16 A No, I did not. 17 Q You didn't inform him that he had done 18 work as a systems administrator? 19 A I did not tell him that. 20 Q Did you tell Detective Lilley anything 21 about Mr. Schwartz's tendencies to look for the 22 most powerful computers he could find to work on so 23 that he could get his work done? 24 A No, I did not. 25 Q Did you tell him what computers 197 1 Mr. Schwartz did have access to? 2 A I told him those to which I could say 3 with certainty that he did have permission to 4 access. 5 Q Did you tell him that he had access to 6 the Brillig computer? 7 A I told him that we had investigated and 8 shown that he had had access to the Brillig 9 computer. 10 THE COURT: Explain that answer to 11 me. You said that you had investigated and found 12 that he had had access to the Brillig computer. 13 Does that mean authorized access to it or 14 unauthorized access to it? 15 THE WITNESS: No. Means that we had 16 discovered that he had accessed that computer. We 17 also had spoken with the people that administered 18 computers in the Intel Supercomputer Division and 19 John Kent informed me that Randal did not have 20 authority to access Intel Supercomputer Division 21 after his contract had ended the previous spring. 22 THE COURT: Thank you. 23 BY MR. SUSSMAN: 24 Q When somebody's authorized access to a 25 computer is terminated, isn't it typical to remove 198 1 their password from the computer? Is that a 2 standard practice? 3 A That is standard practice. 4 Q And you found that Mr. Schwartz's 5 password authorization had not been removed from 6 Brillig; is that correct? 7 A That's correct. 8 Q And, in fact, that his was an authorized 9 password on Brillig at the time you did your 10 investigation at the end of October and 11 November 1st, 1993? 12 A No. 13 Q I'll rephrase that. 14 When you did your investigation, 15 isn't it true that Mr. Schwartz's password had not 16 been removed from the list of authorized passwords 17 for Brillig? 18 A Correct. 19 Q Did you tell that to Detective Lilley? 20 A Yes. 21 Q Did you tell Detective Lilley that -- 22 anything about Mr. Schwartz's work patterns in 23 terms of where he worked when he worked at Intel or 24 outside of Intel? 25 A Yes. I informed Detective Lilley that 199 1 Randal brought a notebook computer to Intel which 2 he connected to the computer in his office that he 3 used for transferring data back and forth, and that 4 Randal had informed me in previous occasions that 5 he often did work when he was not at Intel. 6 Q Did he tell you where else he did work 7 for Intel when he was not at Intel? 8 A No. Are you speaking specifically to 9 what is said in the affidavit where it says he does 10 work at home and in his office? 11 Q I'm just asking you generally. 12 A I'm sorry. 13 Q You said that Randal had told you that he 14 did work for Intel off site. 15 A Yes. 16 Q Did he tell you where he did work 17 off-site? 18 A No, he did not tell me specifically where 19 he did work off-site. 20 Q Did you tell Detective Lilley that you 21 had knowledge about where Randal did work off site? 22 A No. I told Detective Lilley that Randal 23 had informed me that he did work off site. 24 Q Aside from what Randal Schwartz told you, 25 did you have any other knowledge of where Randal 200 1 Schwartz did off site work for Intel? 2 A No. 3 Q Now, according to the affidavit, you told 4 Detective Lilley that Randal Schwartz was security 5 conscious. 6 A Yes. 7 Q Did you explain what you meant by 8 "security conscious" to Detective Lilley? 9 A Yes. 10 Q What did you tell him? 11 A I told him that Randal and I had had 12 discussion on occasions about systems security and 13 Randal was very aware of a lot of issues with 14 systems security and he seemed very knowledgeable 15 to me. 16 Q Did he seem sufficiently knowledgeable to 17 you that Randal would know how to not only avoid 18 systems security if he wanted, but to cover any 19 traces of his activities if he so chose? 20 A It's my opinion that Randal could 21 certainly do that. 22 Q He was that sophisticated? 23 A That's my impression. 24 Q Did you tell Detective Lilley that 25 information when you told him he was security 201 1 conscious? 2 A Yes. 3 Q You also told Detective Lilley that 4 Mr. Schwartz was running the program, the crack 5 program out in the open under his own user ID? 6 A Correct. 7 Q And that the password file that was 8 discovered was discovered in the open under 9 Mr. Schwartz's own files, is that correct, files 10 under his own name? 11 A The files were under his own name, yes. 12 Q Now, at the time that you met with 13 Detective Lilley, were you -- you had arranged to 14 make copies of all of Mr. Schwartz's file 15 directories that were in your systems; is that 16 right? 17 A Yes. 18 Q And had you examined those directories to 19 determine whether there were any other files from 20 the SSD division behind -- that might have come 21 from behind the cracked passwords? 22 A Not at that time, no. 23 Q Were you aware that John Kent had 24 examined -- had preserved and examined 25 Mr. Schwartz's files on a machine called -- on the 202 1 machine called Brillig? 2 A I believe by that time, John had examined 3 the files. I'm not sure if he had made a copy of 4 them by that time. 5 Q Mr. Kent -- Was Mr. Kent at that bridge 6 meeting on the 29th? 7 A I believe so. 8 Q And at that bridge meeting, did he 9 indicate that he had checked the files in 10 Mr. Schwartz's directories and found no stolen or 11 illegal files other than the Gate script and copies 12 of the logs that he was keeping on Brillig? 13 A I don't recall if he said that. 14 Q Do you recall that being told to 15 Detective Lilley at the meeting on Monday? 16 A I'm sorry. 17 Q Do you recall whether that -- whether you 18 or anybody told Detective Lilley about that on -- 19 the meeting with him on -- when the search warrant 20 affidavit was prepared? 21 A I don't recall. 22 Q Do you recall Mr. Kent indicating that 23 they also checked Mr. Schwartz's other systems 24 directories -- I'm sorry, that they checked other 25 systems directories on Brillig and found nothing 203 1 out of order or unusual? 2 A Yes, I do recall that. 3 Q Was that information provided to 4 Detective Lilley? 5 A I'm not sure. 6 Q Did you tell him anything about the 7 absence of anything out of the ordinary or illegal 8 on the Brillig files when you met with Detective 9 Lilley? 10 A I did not tell Detective Lilley anything 11 about the state of the Brillig computer, that I'm 12 aware of. 13 Q Now, were you involved in the monitoring 14 of Mr. Schwartz's activities on the Snoopy computer 15 between the time you reported this incident on 16 October 28th and November 1st when you met with the 17 Washington County authorities? 18 A Yes. 19 Q Did you find any record that Mr. Schwartz 20 had logged onto Snoopy where that Crack program and 21 password file were located during that time? 22 A I specifically looked for the evening 23 into the morning between -- I think it would be 24 October 31st, November 1st, and there was no 25 access. 204 1 Q Could you have determined -- Could you 2 determine whether there had been any access prior 3 to that time, between October 28th and the morning 4 of November 1st? 5 A Oh, yes, we would be able to tell that. 6 Q Did you look to see whether Mr. Schwartz 7 had logged on during that period of time? 8 A Before October 28th? 9 Q Between October 28th and November 1st. 10 A I'm sure that I would have, yes. 11 Q Did you find any evidence that 12 Mr. Schwartz had logged back onto the program? 13 A In that specific timeframe, I don't know 14 if I found anything. 15 Q Would you have told Detective Lilley 16 that? 17 A I may not have. It might not have seemed 18 important. 19 Q Did you tell him that you didn't find any 20 indication that Mr. Schwartz had logged on that 21 morning, November 1st, when Mr. Schwartz came back 22 to the Intel office? 23 A I believe that I did. 24 Q Now, you would also be able to tell by 25 looking at the log, the activity on the Snoopy 205 1 computer, when Mr. Schwartz had logged into that 2 machine prior to October 28th -- between the date 3 that the Crack program began running and the date 4 you discovered it on October 28th? 5 A I'll point out that it's possible to 6 remove things from logs or publicly be able to 7 remove traces of activity from logs, to remove 8 entries from the systems log that we would be 9 looking at, but I had no reason to believe that 10 those logs had been modified and I would be able to 11 tell. 12 Q Did you examine the logs prior to your 13 meeting with Detective Lilley to see if there had 14 been any other indications that Mr. Schwartz logged 15 on after initiating the crack program on the 16 password SSD file? 17 A Yes, I did. 18 Q Did you find any indication that he had 19 logged on again? 20 A Yes, I had. 21 Q And what was that and when? 22 A I would have to have the specific logs in 23 front of me. I don't know. 24 Q Did you inform Detective Lilley of those 25 occasions that Mr. Schwartz logged on after -- 206 1 A Not the specific -- not the specific 2 times, no. 3 Q Were those logs preserved along with the 4 records of the -- when you asked the Merlin 5 alternate and Bill Morgan to not reuse the backup 6 tapes, were those logs contained in those backup 7 tapes? 8 A No, they were not. 9 Q Were those logs preserved? 10 A I believe that they are preserved in a 11 set of tapes that I made for the Intel 12 investigator. 13 Q In your report of October 31st, you made 14 a statement that "at this time, Randal had not 15 removed the Crack program or elicited passwords 16 from my systems." 17 A Correct. 18 Q Did you tell Detective Lilley that? 19 A Yes. 20 Q And in that report, you said that you had 21 copies of his, meaning Mr. Schwartz's, directories 22 in the event that he does so. 23 A Yes. 24 Q Did you tell Detective Lilley that you 25 had that information also? 207 1 A Yes. 2 Q And just so that I'm clear on this, you 3 checked again on November 1st before talking to 4 Detective Lilley whether Mr. Schwartz had removed 5 the Crack program with listed crack passwords from 6 your system? 7 A Yes. 8 Q And they were still there? 9 A Yes. 10 Q Did you tell Detective Lilley that? 11 A Yes, I did. 12 Q What would your directories have shown 13 had those files been removed? 14 A By removal, I mean deletions, so they 15 would no longer be located there. 16 Q So that would have indicated an effort to 17 either terminate the program or -- that would be 18 one thing it would show? 19 A It could show that, yes. 20 Q Could be a sign of an effort to cover the 21 activity? 22 A It could be interpreted that way, yes. 23 Q In the affidavit, you told Detective 24 Lilley that passwords from the SSD password file 25 had been compromised. What did you mean by that? 208 1 A What I meant was that the Crack program 2 had successfully guessed what the passwords were. 3 Q And you told that to Detective Lilley? 4 A Yes. 5 Q And by successfully guessing the 6 passwords, then somebody with those passwords in a 7 file, the guessed passwords could go into those 8 files belonging to that password? 9 A Yes. 10 Q Now, did you check before November 1st to 11 see whether anybody had logged in from the time the 12 passwords were cracked to November 1st using those 13 cracked passwords? 14 A I personally did not. 15 Q Do you know whether anybody else did? 16 A The computer systems in question were 17 located in another part of Intel. One of the 18 administrators is John Kent. I provided to him the 19 list of account names and passwords that had been 20 compromised and asked him to investigate, and I do 21 not recall what the status of that was. 22 Q Was anything said to Detective Lilley on 23 that meeting of November 1st as to whether or not 24 any -- there had been any attempts to log in using 25 those passwords that were otherwise unexplained? 209 1 A I don't believe so. 2 Q Now, as far as your investigation of the 3 process that was running, this was being run 4 internally onto Intel, on the systems within Intel? 5 A Correct. 6 Q Did you tell Detective Lilley that? 7 A Yes. 8 Q Now, you did tell him that you had 9 expressed concern to John Kent that Randal Schwartz 10 had transferred information to his laptop? 11 A I'm not sure if I said that to John Kent. 12 I most certainly said that to Rich Cower. 13 Q Did you tell that to Detective Lilley? 14 A Detective Lilley asked me specifically if 15 it was possible that Mr. Schwartz could have 16 transferred data to his laptop computer, and I 17 informed him that yes, that was true. 18 Q That that was possible? 19 A That was possible, yes. 20 Q Did you tell him that you had any 21 specific reason to believe that Mr. Schwartz had 22 transferred information to his laptop computer? 23 A I told him that Mr. Schwartz had -- in 24 the past had transferred data to and from his 25 laptop computer, that was the purpose for him 210 1 attaching it to the computer systems at Intel, and 2 that I had no specific knowledge as to whether or 3 not he had transferred any of the information 4 specifically relating to this Crack program to or 5 from his laptop computer. 6 Q Did you tell him what kind of information 7 Mr. Schwartz had transferred to his laptop computer 8 in the past? 9 A No, I do not have that information. 10 Q When you told Detective Lilley that 11 Mr. Schwartz had transferred information to his 12 laptop computer in the past, was there any 13 discussion about the kind of information that 14 Mr. Schwartz had transferred? 15 A No. Detective Lilley was specifically 16 asking if it was possible that Randal may have done 17 that. 18 Q As far as you knew, the transfer of 19 information that Mr. Schwartz had done through his 20 laptop computer was information that he was working 21 on in his capacity -- one of his capacities as a 22 contractor for Intel? 23 A That would be my assumption. 24 Q Did you tell Detective Lilley that? 25 A I don't specifically recall if I said 211 1 that. 2 Q But he didn't ask that, is that what I'm 3 hearing you say? 4 A He did not specifically ask about the 5 types of information that may have been transferred 6 to his laptop. 7 Q Now, you also spoke to Detective Lilley 8 about an incident that occurred in the spring 9 involving Mr. Schwartz and running a gate program 10 while working with Dirk Brandewie. 11 A Yes. 12 Q You have that affidavit with you, a copy 13 of the affidavit? 14 A Yes, I have a copy of the affidavit. 15 Q Just so -- I'll take a look at what we're 16 talking about here. That's on the first full 17 paragraph on Page 2. 18 When you related this information to 19 Detective Lilley, did you know that Randal Schwartz 20 had full authority to use the machines that he was 21 accessing to outside of Intel? 22 MR. TINTERA: I object to the form 23 of the question. I think it needs to be more 24 specific. 25 THE COURT: Try to rephrase that. 212 1 MR. SUSSMAN: Certainly. 2 BY MR. SUSSMAN: 3 Q In the affidavit, you indicate that 4 Mr. Schwartz had bypassed Intel security systems to 5 communicate with -- to gain access to Intel systems 6 from the outside. 7 A Correct. 8 Q Now, when you related that information to 9 Detective Lilley, did you know that Mr. Schwartz 10 had authority to use the machines that he was 11 accessing from outside Intel? 12 A He had authority to use those systems 13 from inside of Intel. 14 Q Did you know whether he had authority to 15 use those machines when he was working off site? 16 A I'm not following. I'm not -- This 17 question means several things to me. Are you 18 specifically asking if he had authorization to 19 access those programs from outside of Intel in the 20 manner in which he was using the Gate program? 21 Q First, I'm asking if he had authority to 22 have access to those machines from outside of Intel 23 when he was doing Intel business from outside of 24 Intel. 25 A It specifically relates to the manner in 213 1 which he gained access to those systems. If he 2 gained access to the manner within Intel policy, 3 then yes, he did. 4 Q Was there a policy manual that you are 5 referring to that set out what Intel's policy was 6 for gaining access through the -- from outside 7 Intel? 8 A There is a policy manual, yes. 9 Q And to whom is that policy manual 10 distributed? 11 A I don't believe that it's in general 12 distribution. I believe that you must request a 13 copy of the manual. 14 Q Did you tell that do Detective Lilley in 15 discussing what policies Mr. Schwartz may or may 16 not have been violating when you were explaining 17 this incident? 18 A I don't -- No, I don't believe that I 19 mentioned that, that I mentioned the limited 20 distribution of that manual. 21 Q Do you know whether that manual had been 22 distributed to Mr. Schwartz? 23 A I have no information on that. 24 Q Did you know the purpose of Mr. Schwartz 25 writing that program, to get access to the Intel 214 1 system from the outside, when you made that 2 statement? 3 A I only have the information that Randal 4 specifically stated to Mr. Brandewie and myself 5 when we confronted him. 6 Q And that was to gain access to his 7 e-mail? 8 A At that time it was to gain access to 9 Intel systems from the outside, and I recall he 10 said for things like e-mail. 11 Q And at that time, he was not only an 12 independent contractor for Intel, but he was also 13 doing work that took him outside of Intel; is that 14 correct -- 15 A Correct. 16 Q -- to other parts of the country? 17 A I believe so, yes. 18 Q And so it would become necessary for him 19 to remain -- to have access to these computer files 20 at Intel when he was to do business for Intel in 21 another part of the country; is that right? 22 A I'm not sure if that would be a 23 requirement of his position or not. 24 Q No, but it would be something that would 25 be a physical requirement if he was to do the work? 215 1 A I don't specifically know if the terms of 2 his -- if for him to do his job that he be required 3 to stay in constant e-mail contact. 4 Q If there was work necessary to do, he 5 would have to be able to get access from outside 6 Intel; is that correct? 7 A I don't specifically know. It's 8 certainly possible that would be the case. 9 Q When you related this information to 10 Detective Lilley, did you tell him that 11 Mr. Schwartz explained that it was to permit him 12 access to do his Intel work and other things such 13 as reading his e-mail? 14 A That's part of what I told Detective 15 Lilley, yes. 16 Q Relative to this question, can you 17 describe what the function was of the particular 18 computer machine Mink that Mr. Schwartz was 19 accessing from outside Intel? 20 A Yes. The machine Mink is a machine that 21 specifically authorized with -- inside Intel 22 Corporation to gain access to -- for a person using 23 that machine to access machines outside of Intel. 24 In general, computer systems inside 25 of Intel are not allowed to access any computer 216 1 networks outside of the company. That particular 2 machine was set up specifically so that people that 3 had authorized access to that machine could access 4 outside of Intel but could not get from outside of 5 Intel into that machine. 6 Q And that would allow the people inside 7 Intel to get access to the Internet? 8 A Correct. 9 Q You told Detective Lilley about an -- 10 that Mr. Schwartz was using that Gate program to 11 get access to a program called Ruby.ORA.com? 12 A No. That's a mistake. It's actually a 13 computer, not a program. 14 Q And you're certain that's what you told 15 Detective Lilley? 16 A Yes. 17 Q And that computer was at the site of a 18 publisher of some books that Mr. Schwartz had 19 written? 20 A Yes. 21 Q And did you know at that time that's 22 where Mr. Schwartz's e-mail address was located? 23 A I know that he has an e-mail address 24 there, but he had several e-mail addresses at that 25 time. 217 1 Q And he told you at that time that he was 2 using this Mink to read his e-mail at Ruby.ORA.com? 3 A No. 4 MR. TINTERA: I object to the form 5 of the question. It's not specific as to what 6 time. 7 THE COURT: Sustained. 8 BY MR. SUSSMAN: 9 Q When you had this discussion with 10 Mr. Schwartz and Mr. Brandewie about this 11 incident -- 12 THE COURT: Is this after the search 13 warrant? 14 BY MR. SUSSMAN: 15 Q This is before the search warrant. This 16 is back in the spring, the incident that you were 17 describing to Detective Lilley in the search 18 warrant. 19 You learned from Mr. Schwartz that 20 he was reading his e-mail at the site or the 21 address of Ruby.ORA.com? 22 A No. 23 Q You learned that he had -- 24 A I learned that Mr. Schwartz was accessing 25 the machine to Mink from Ruby.ORA.com in order to 218 1 gain access to internal systems at Intel to read 2 his Intel mail. 3 Q Did you tell Detective Lilley that he was 4 using that means to get access to his Intel mail? 5 A Not specifically his mail, no. 6 Q Mr. Schwartz had put on some, in writing 7 that Gate program, had put certain security 8 features to protect other people from gaining 9 access to the Intel machine on that Gate program 10 that he wrote? 11 A No, he did not. 12 Q What did he do? 13 A Specifically in the program, there was a 14 comment stating that at some point, he should add 15 security. 16 Q What was done the first time that was 17 deemed to be -- How would he set it up the first 18 time it was deemed insecure? 19 MR. TINTERA: I object. This 20 doesn't have anything to do with -- that's a 21 discovery question. Doesn't have anything to do 22 with the motion to controvert. 23 THE COURT: Argument? 24 MR. SUSSMAN: Well, I think that 25 we'll show that Mr. Schwartz, in fact, had made 219 1 efforts to secure the system in -- 2 THE COURT: Are you going to call 3 Mr. Schwartz in this hearing? 4 MR. SUSSMAN: I can, Your Honor. 5 THE COURT: Well, I want to know 6 what your plan is. You said you were going to show 7 that he had done that. It would seem unusual that 8 Mr. Schwartz would have information that would bear 9 on the issuance of a search warrant and what the 10 officer knew and what -- 11 MR. SUSSMAN: Right, but this is in 12 terms of -- I'm trying to determine whether or not 13 this witness was aware of the security features 14 that Mr. Schwartz had put on this system which -- 15 I'm trying to determine if they had been 16 communicated to Detective Lilley and not been 17 included in the affidavit. 18 THE COURT: Go ahead. 19 MR. TINTERA: Then I object to the 20 question. It's not -- that question, his purpose, 21 if that's what his purpose is, is not being 22 accomplished by that question. 23 THE COURT: Ask the question again. 24 I'll listen to it. 25 I'd like to take a break here. 220 1 (Recess taken.) 2 THE COURT: Proceed, Mr. Sussman. 3 MR. SUSSMAN: Thank you, Your Honor. 4 BY MR. SUSSMAN: 5 Q Let me clarify one thing about this line 6 of questions we have been asking relating to this 7 incident that's described on Page 3 of the 8 affidavit, involves a computer system at Intel, and 9 we were talking specifically about one machine that 10 was dedicated to allowing access from inside Intel 11 outside to the Internet. Is that the machine 12 that's referred to as Mink? 13 A Correct. 14 Q And Mr. Schwartz did have an account on 15 Mink; is that right? 16 A Yes. 17 Q And the only reason to have the account 18 on Mink was to gain access to the Internet? 19 A Correct. 20 Q Now, you've had a chance to look at that 21 paragraph, Paragraph 3? 22 A Yes. 23 Q Perhaps -- What I'd like to do, to move 24 things along, would you take another look at that 25 right now and tell me if this paragraph 221 1 accurately -- 2 THE COURT: Which page are you 3 talking about? 4 MR. SUSSMAN: Talking about Page 3 5 of the affidavit, the paragraph beginning that 6 "Mr. Morrissey told me that Dirk Brandewie." 7 BY MR. SUSSMAN: 8 Q Would you just take a look through that 9 and tell me if that accurately states what you told 10 Detective Lilley? 11 A (Witness complies.) There is a piece of 12 information that I informed Detective Lilley that's 13 not in this paragraph. 14 Q What is that? 15 A That is when -- originally when Dirk 16 Brandewie and I confronted Mr. Schwartz about the 17 Gate program running on Mink before he installed 18 his blocks, we informed him it was a violation of 19 Intel security to access Intel computers from 20 outside of the company in the fashion of this 21 program. He had to put the blocks in. 22 Q Is that the only thing that is omitted 23 from this? 24 A To the best of my knowledge, yes. 25 Q And the information about Ruby.ORA.com 222 1 being a program is incorrect? 2 A Is incorrect, as previously said. 3 Q Did you tell Detective Lilley, by the 4 way, that Mr. Schwartz had an account on Mink and 5 that it was used to gain access to the Internet? 6 A Yes. 7 Q So that was not included in the 8 paragraph? 9 A Correct. 10 Q And when you told Detective Lilley that 11 Mr. Schwartz had bypassed the Intel security 12 systems and removed the blocks, you were referring 13 to specifically either removing or not putting on 14 certain -- a certain command that blocks access 15 from the outside? 16 A Correct. 17 Q In the first gate program that 18 Mr. Schwartz ran, did it require an entry of a 19 password system name and specific port number to 20 get into the Mink from the outside? 21 A No. It required that you know the 22 specific name of the machine Mink and a port 23 number. I personally verified from my account at 24 the Oregon Graduate Institute that I could use that 25 program by myself to gain access to Intel systems 223 1 inside. 2 Q So the second program that Mr. Schwartz 3 wrote later on, did that change the requirement so 4 that it required connection to a specific port and 5 required a log-in prompt to that specific port? 6 A It did require accessing a specific port 7 for communications, but the program itself, I found 8 no evidence of it requiring a password. 9 Q How about a specific log, prompt to log 10 in to that port? 11 A No. 12 Q That's from your recollection of looking 13 at a review of the log? 14 A Of reviewing the source code and 15 comparing it to the previous version that I had 16 tested from my account at the Oregon Graduate 17 Institute. 18 Q One thing I have to ask to clarify. What 19 is an ex-server? What does that mean with respect 20 to this particular machine Mink and one's ability 21 to gain access to that machine? 22 MR. TINTERA: Objection, again, to 23 the discovery nature of the question. 24 THE COURT: Mr. Sussman. 25 MR. SUSSMAN: This ex-server 224 1 capacity of this machine, I believe -- I need 2 clarification -- relates to the security feature 3 that was -- I'm trying to determine whether it was 4 in place or was used by Mr. Schwartz in this Gate 5 program to provide security features. 6 THE COURT: How does that relate to 7 the motion to controvert? 8 MR. SUSSMAN: I wanted to see if 9 this was -- in fact, something was there, 10 Mr. Morrissey knew about it and would relate that 11 to Detective Lilley. 12 THE COURT: Let's ask the last 13 question first. If he related anything to the 14 police about that and if he said no, that's the end 15 of that. 16 BY MR. SUSSMAN: 17 Q Did you relate any specific information 18 to Detective Lilley about the security features of 19 the Mink computer such as this ex -- that it was an 20 ex-server, including that it was -- that it had an 21 ex-server feature? 22 A No. 23 Q Did you tell Detective Lilley that 24 Mr. Schwartz had employed no safeguards on each of 25 these gate programs? 225 1 A I informed him that the original Gate 2 program had no security safeguards. He was asked 3 to put safeguards in. Subsequently on the machine 4 Mink, it was discovered that he had removed those 5 safeguards. 6 Q And that there were no other safeguards? 7 A And there were no other safeguards. 8 Q When this activity happened, Mr. Schwartz 9 was not -- his contract wasn't terminated, was it? 10 A No. It was handled specifically by Dirk 11 Brandewie and myself. We informed Rich Cower at 12 Intel security and informed him that it had been 13 dealt with to our satisfaction. 14 Q Did you, in your discussion with 15 Detective Lilley, happen to tell him that you had 16 seen Mr. Schwartz or would know that Mr. Schwartz 17 had been taking information from inside Intel 18 outside of Intel on floppy disks? 19 A No. 20 Q Did you tell him that you were aware of 21 anyone else having seen Mr. Schwartz with floppy 22 disks? 23 A I don't believe so. 24 Q Were you aware of any specific facts 25 that -- from which you were able to conclude that 226 1 Mr. Schwartz had transferred any of the cracked 2 passwords from the system, your system inside 3 Intel, to his machine outside and taking it outside 4 of Intel? 5 A It would not be possible to determine 6 that. 7 THE COURT: I want to revisit that 8 question. The question again was -- I think I know 9 what it was, but -- 10 MR. SUSSMAN: The question I asked 11 was: Were you aware of any specific facts to 12 indicate that Mr. Schwartz had transferred any of 13 the cracked passwords from his files inside 14 Intel -- 15 THE COURT: And you said it was not 16 possible? 17 THE WITNESS: I should clarify that. 18 THE COURT: By looking at Intel's 19 computer equipment, if you went to his apartment 20 and looked on his notebook, you could tell that? 21 THE WITNESS: Only by discovering 22 the information on his systems or his media would 23 we be able to determine that. 24 THE COURT: You couldn't tell at 25 Intel? 227 1 THE WITNESS: Not from Intel inside. 2 To transfer data in the fashion that he was 3 connected is not something that is normally logged 4 or monitored. 5 MR. SUSSMAN: That covers everything 6 that I wanted to ask this witness. Thank you. 7 THE COURT: Thank you. 8 Mr. Tintera. 9 10 CROSS-EXAMINATION 11 BY MR. TINTERA: 12 Q Mr. Morrissey, in regard to -- since 13 we're talking about the password, the SSD password 14 file, could you tell the Court where that file 15 would normally reside? 16 A On the types of UNIX systems we were 17 using, it normally resides in a directory called 18 Slash, which is a forward slash ETC, which is -- 19 it's in a file called PASSWD and that's a file that 20 is, in general, readable by anyone who has access 21 to that system. 22 Q And by access to the system, you mean 23 someone who is authorized to be on a particular 24 system? 25 A Unless they have sufficient knowledge to 228 1 break into the computer, yes. 2 Q And the SSD system, would that be the one 3 where this directory carrying the password file 4 would be? 5 A Each computer would have its own copy of 6 this Slash ETC directory, so there would be one on 7 each computer system at SSD. 8 Q And to the best of your knowledge at the 9 time you were speaking with Mr. Lilley, was 10 Mr. Schwartz an authorized user of any of those 11 computers at SSD? 12 A I had been informed by John Kent that 13 Randal did not have access to any of the systems at 14 SSD. And we went further to determine whether or 15 not the password file that we had in our position 16 was the one from Brillig or if it was one from 17 which we could verify that Randal did not have an 18 account, and we were able to verify it was a 19 machine from which Randal did not have access to 20 that account. 21 Q How did he get access? 22 A I don't know. 23 Q So you verified that the access to SSD 24 came from a computer that was not Brillig and a 25 computer that he did not have authorized access to? 229 1 A Correct. 2 Q When you run the Crack program, do you 3 copy the directory or the file that the password 4 names are in or do you run them right on the 5 directory? 6 A When I run the Crack program, I copy the 7 password file and the Crack program into an area 8 which I've attempted to secure so that all the 9 information is local and that I'm not acting on 10 what I would call live file because the password 11 file can be modified through the normal course of 12 using the system by someone changing their password 13 or an account being added. 14 Q So you want to freeze that file? 15 A You want to freeze the file so that it's 16 data is not likely to change on you. 17 Q Now, could you tell the Court if 18 Mr. Schwartz was running the Crack program on the 19 directory where the password file exists in the SSD 20 computer group or not? 21 A No. It was copied from the SSD computers 22 in some fashion to the computers in my area. 23 Q Do you know if Mr. Schwartz had authority 24 to copy the Supercomputer Division password file? 25 A I was told by John Kent that Randal 230 1 Schwartz did not have permission to have that in 2 his possession. 3 Q Now, you've described Mr. Schwartz's work 4 station as he would hook up a portable computer -- 5 I forget what you call it. 6 A A laptop computer. 7 Q To his work station? 8 A Correct. 9 Q Is there any way -- When he copied that 10 SSD password file over to his system, is there any 11 way that you can tell whether he also copied that 12 into his laptop computer? 13 A I would have no way to tell that without 14 looking at his systems. 15 Q So if you looked at his systems, you 16 could tell that? 17 A If it was still there, yes. 18 Q So there is no, like, trail for copying 19 of computer information from computer to computer 20 that you can see? 21 A None that were in force at that time. 22 Q I know I'm being imprecise in my 23 questions. 24 A There were no mechanisms in force at that 25 time for doing so. 231 1 Q You had mentioned that you had talked to 2 Detective Lilley about your knowledge that Randal 3 would engage in computer activities off the Intel 4 campus; is that correct? 5 A Correct. 6 Q Could you tell the Judge what that full 7 conversation was? 8 A To the best of my knowledge, I related 9 that Randal is a contractor and does do training 10 and consulting for clients other than Intel and 11 that he had informed me that that takes him away 12 from Intel frequently and that for that reason, and 13 because he likes to work at -- I believe I said 14 that he likes to work other hours than when he's 15 normally at Intel, that he sometimes transfers data 16 to and from the Intel computer in his laptop so he 17 can work on it when it's more convenient for him. 18 Q And did Detective Lilley have any 19 response in regard to what you told him? 20 A He asked me specifically whether or not 21 it would be possible for Randal to copy Intel 22 proprietary information to his laptop and remove it 23 from the Intel premises without being discovered, 24 and I said yes. 25 Q And did you have any conversation or did 232 1 Detective Lilley ask you any questions as to your 2 knowledge as to whether Mr. Schwartz would be 3 working at his home or business on his computer? 4 A He specifically asked me where he would 5 be working at when he was not at Intel, and I told 6 him that I didn't really know where that would be. 7 And he specifically asked me if it would be at his 8 home or office, and I said I would assume that 9 would be the case. 10 Q Now, in your computer UNIX language, is 11 there a difference between removing a file and 12 copying a file? 13 A Yes. 14 Q Could you explain that to Judge 15 Bonebrake? 16 A In removing a -- specifically deleting a 17 file, when you delete a file, for all intents and 18 purposes, it no longer exists on that computer 19 system. When you are copying a file, the original 20 file remains unmodified and you have merely made a 21 duplicate of it in another location or under 22 another name. 23 Q And there is no way for the authorized 24 user of that file to know if it's been copied, is 25 there, unless they see it somewhere else? 233 1 A Correct. 2 Q So in the affidavit when it says that you 3 told Detective Lilley that the crack program had 4 not been removed from the Snoopy computer, are you 5 telling -- are you saying that it has not been 6 copied or it has not been deleted? 7 A It had not been deleted from the system. 8 It was still there. I had no way to determine 9 whether or not a copy of it had been made and 10 stored elsewhere on another system. 11 Q When Mr. Sussman was asking you about 12 looking at whether Mr. Schwartz had logged onto the 13 system, and I didn't quiet understand your answer, 14 you had said something about you had seen evidence 15 that he had logged onto the system during this 16 timeframe? 17 A Well, the way I understood the question 18 was the timeframe that we're talking about is from 19 when the Crack program originally began running 20 until such time as we were -- that we were writing 21 the affidavit and I had seen evidence and it was 22 actually perfectly reasonable that he had logged on 23 to those systems. 24 Q So if he's logged on to the system, he 25 has access to the information from the Crack 234 1 program; is that correct? 2 A He does not need to log on to that 3 specific computer to gain access to that 4 information. The computer is operated in a small 5 computer network where your personal data, called 6 your home directory, is available on any of those 7 computers in that little network of computer 8 systems. And I believe there was five or six 9 computers that were all networked together, 10 including the computer that was on Randal's desk, 11 that had access to that data. 12 Q So if he is logged on to the system, 13 though, he can either view or copy the information 14 that the crack program is producing; is that 15 accurate? 16 A He can do that from on the system or 17 anywhere within that small computer network. 18 Q And he had had access to the computer 19 network; is that what you're saying? 20 A Correct. 21 Q You were asked when you looked at the 22 Brillig computer whether there was any stolen files 23 found on the Brillig computer. Do you remember 24 that? 25 A Yes. 235 1 Q And your answer was no. Can you tell 2 Judge Bonebrake whether Randal Schwartz had taken 3 any other files besides the password file from SSD? 4 A I have no knowledge as to whether or not 5 he did. 6 Q Well, if you look at the Brillig computer 7 and determine that there are no stolen files, does 8 it follow that there are no stolen files? 9 A No. 10 Q Why not? 11 A As we mentioned before, Intel is 12 connected to the Internet, so that gives an 13 opportunity for information to leave Intel easily 14 in one of two ways. One is to send it 15 electronically outside the company to some computer 16 system outside the company. The other is to remove 17 it by placing it on physical media, the laptop, 18 floppies, or something like that, and walking out 19 the front door. 20 Q So just looking at the Brillig system 21 itself doesn't answer the question whether there is 22 stolen files; is that fair? 23 A That would be fair. 24 Q And the Gate program that Mr. Schwartz 25 had in place gave him unrestricted access to the 236 1 internal computers for Intel; is that fair? 2 A It gave him -- it gave him access to a 3 very large part of the Intel -- very large part of 4 Intel's computer systems. 5 Q Which included the Snoopy computer? 6 A Correct. 7 Q Now, counsel was asking you about whether 8 Mr. Schwartz had a password on the Brillig system. 9 A Yes. 10 Q And the answer was yes? 11 A Yes. 12 Q Then what wasn't asked was whether that 13 was an authorized password. Was that an authorized 14 password on Brillig? 15 A There is a couple different ways to look 16 at that. From the purpose of Intel SSD, when I 17 spoke with John Kent, he was, to some degree, 18 embarrassed because the process of removing 19 passwords is somewhat manual and prone to human 20 error, and they missed the machine Brillig because 21 it's not -- it has a special status within SSD. 22 It's not one that -- it's not part of -- it's 23 not -- trying to find the right way to say this. 24 It's not a normal development system 25 within -- inside SSD's special machine with access 237 1 to the Internet. And when Randal's accounts were 2 being removed from SSD, they missed -- they made a 3 mistake and missed removing the account from 4 Brillig. 5 Q So he was no longer employed by the SSD 6 division? 7 A No. His contract had ended, I believe. 8 My understanding is as his contract ended, he came 9 to work in what was then called IPG Network Service 10 for Bob Wilcox, the group that I joined. 11 Q So what was your understanding of 12 Randal's ability -- I shouldn't say ability, but 13 authorized ability to use the Brillig computer? 14 A He was not authorized. 15 Q Now, let's go back to when you were 16 checking the Snoopy system to see how it was 17 running. You indicated to Judge Bonebrake that you 18 saw a program with Randal's name on it running, or 19 what was the sequence? 20 A Randal -- on my systems and to the best 21 of my understanding, whenever possible, Randal uses 22 the -- what's called a log-in, log-in ID of Merlin. 23 That log-in, as I explained earlier, is the word 24 associated with the UID that the computer really 25 understands. 238 1 Q The number? 2 A The number that the computer really 3 understands. And the log-in ID or the account name 4 is the handy mnemonic for humans, and it's my 5 understanding that whenever -- 6 Q If I can interrupt, that means that we 7 remember things better than a line of numbers? 8 A Correct. 9 Q And computers remember numbers better 10 than a line of letters, or something like that? 11 A Something like that, yes. 12 Q And so you saw "Merlin" there? 13 A Yes. 14 Q Could you tell what "Merlin" was doing 15 there, from just looking? 16 A Yes. Just executing normal commands that 17 I can do. 18 Q So you see Merlin, but you had to do more 19 to discover what Merlin was doing; is that right? 20 A Yeah. I had -- I initially discovered 21 that the Merlin process was running by running a 22 command called PS, which stands for process status, 23 and I ran it in a way that I normally run. And 24 when I saw the "Merlin" process, they're different 25 commands to give the PS, different options to give 239 1 the PS command that will give you more information. 2 And I ran it with more information and I was able 3 to determine where the program was running from, 4 what its data files were, things like that. 5 Q Let me ask you about the Snoopy computer. 6 Who gives the computers the names? 7 A Snoopy was named by me. 8 Q Now, this computer, you said Mr. Schwartz 9 has a preference for the fastest machine he can get 10 his hands on. And in regard to the Snoopy computer 11 and the Crack program, does it make any difference 12 in regard to running of the Crack program what 13 speed your computer operates at? 14 A Yes. 15 Q What difference does that make? 16 A The Crack program does a series of 17 computations in an attempt to guess what the 18 password is. And the more powerful the machine, 19 the faster it's able to run and so it will be able 20 to -- it will be able to finish its tasks more 21 quickly. 22 Q So it could go through the password file 23 quicker? 24 A More quickly than on a less powerful 25 machine, yes. 240 1 Q Of all the machines in your work area, 2 which was the fastest? 3 A The machine Snoopy. 4 Q The one that Mr. Schwartz was running the 5 Crack program on? 6 A Correct. 7 Q So that would be the one that would go 8 through that program the quickest; is that right? 9 A That's correct. 10 Q Now, is there any advantage if you are 11 doing that type of activity to doing it in a quick 12 manner? 13 A Yes. 14 Q What would that be? 15 A The window of opportunity for discovery 16 is smaller. 17 MR. TINTERA: Thank you. I don't 18 have any other questions. 19 THE COURT: The last answer, 20 translated loosely, means the opportunity of 21 somebody to find out you're doing this, there is 22 less chance, is that it? 23 THE WITNESS: Yes. 24 THE COURT: If you are running a 25 crack program that takes all day, somebody will 241 1 find out you're doing it. If it takes two minutes, 2 you can get on, get out, and nobody would know it? 3 THE WITNESS: Right. In this 4 particular case, the program had been running for 5 three weeks. But if it's going to be running for 6 several months versus a couple weeks, in a small 7 network that people don't normally check the 8 systems in that way, then, yes, it could escape 9 detection. 10 THE COURT: Thank you. 11 THE COURT: Mr. Sussman. 12 13 REDIRECT EXAMINATION 14 BY MR. SUSSMAN: 15 Q When you indicated that there was no way 16 to tell if files had been transferred to the Apple 17 computer from a laptop computer from the main 18 system, did you tell Detective Lilley that? 19 A I'm not certain if I did or not. I'm 20 sure that I told him I did not know if files had 21 been copied. 22 Q And I understand your response to 23 Mr. Tintera's questions about conversations with 24 Mr. Schwartz about his activities outside Intel, 25 that he was doing training and consulting with 242 1 clients other than Intel clients, did you give that 2 information to Detective Lilley? 3 A Yes. 4 Q When you said that the access -- that the 5 Gate program found on Brillig gave Mr. Schwartz 6 access to a large part of the systems within Intel, 7 that would still be limited by those systems 8 Mr. Schwartz had access to within Intel prior to 9 that; is that correct? 10 A It would give him the same type of access 11 as if he was physically on site. 12 MR. SUSSMAN: Thank you. That's all 13 I have. 14 15 RECROSS-EXAMINATION 16 BY MR. TINTERA: 17 Q Mr. Morrissey, you're assuming that it 18 only gives him access to the systems he would 19 normally do on site if he's using his password, 20 aren't you? 21 A I'm assuming two things. I'm assuming 22 that he would have the same type of access if he 23 was physically at Intel. If he had other 24 passwords, he could use other passwords. I'm also 25 assuming that it's just him using the Gate program. 243 1 Q So if he's using other passwords, his 2 reach expands, doesn't it? 3 A It would be the same as if he was 4 physically at the company using those other 5 passwords. So his reach does expand, but the Gate 6 program merely gives him the ability to access 7 those accounts from outside of the company. 8 Q Were you involved at all in the 9 preparation of the affidavit? 10 A Yes. 11 Q And what involvement was that? 12 A I was there from the first meeting with 13 Detective Lilley all the way through, I believe, to 14 the actual end of the affidavit. 15 Q And what was the atmosphere? Were there 16 rough drafts created of this thing or what? 17 A We were using one of the secretaries in 18 Intel Legal, and we were more or less drafting this 19 on the fly. But there were rough drafts that were 20 printed out and that we looked at. 21 Q What was the atmosphere that you were 22 engaged in in creating this document? 23 A Detective Lilley made very clear to Rich 24 Cower and myself, perhaps John Kent, that we needed 25 to write an affidavit that was not full of 244 1 technical jargon to the degree that it couldn't be 2 understood by someone, by, I believe he stated, the 3 Judge who would hopefully be signing the search 4 warrant, and that -- but that we needed to be very 5 careful that we didn't mislead the Court. 6 Q And did Detective Lilley take any 7 safeguards that you saw to make sure that that 8 information in the affidavit was accurate? 9 A We repeatedly questioned our wording. At 10 the time there was an awful lot of pressure to get 11 this done as quickly and efficiently as possible, 12 and I was certainly spouting an awful lot of 13 technical jargon. And Detective Lilley worked with 14 us, the people there, to say things back to us, 15 saying, "Is this what you mean in non-technical 16 terms?" So using that process, we came up with 17 what was written down on the affidavit. 18 MR. TINTERA: Thank you. I don't 19 have any other questions. 20 MR. SUSSMAN: Just a couple 21 follow-up questions. 22 23 24 25 245 1 REDIRECT EXAMINATION 2 BY MR. SUSSMAN: 3 Q You said that Mr. Schwartz then would 4 have been -- I guess your assumption or your view 5 is that Mr. Schwartz was the only one running that 6 gate program on Brillig that you were looking at at 7 the time of this investigation. 8 A Yes. The assumption is that he was the 9 only one running that program. 10 Q Was the Crack program still running as of 11 November 1st? 12 A As of the time that we did the affidavit? 13 Q Yes. 14 A Yes, it was. 15 MR. SUSSMAN: Nothing further. 16 MR. TINTERA: I don't have any other 17 questions. 18 THE COURT: Thank you. You may step 19 down. 20 MR. TINTERA: May this witness go on 21 his way? He has a haircut appointment. 22 MR. SUSSMAN: We don't want to 23 interfere with anything that important. 24 THE COURT: He may be excused. 25 Do we have additional witnesses? 246 1 MR. SUSSMAN: No, Your Honor. 2 THE COURT: Now, the gentleman 3 tomorrow will be testifying involving issues on the 4 motion to controvert as well? 5 MR. SUSSMAN: Your Honor, I would 6 like to just -- we had some issues -- I'm going to 7 take some time to review my notes. We may not have 8 anything relevant to that. 9 THE COURT: At least based on that, 10 you're not ready to argue right now, until we know 11 that, are you? 12 MR. SUSSMAN: I would prefer to make 13 that assessment and then -- 14 THE COURT: I have a noon meeting, 15 anyway. Will the State be calling witnesses on 16 this? 17 MR. TINTERA: No, Your Honor. 18 THE COURT: Then our telephone 19 testimony is set for 4:00 o'clock tomorrow, is that 20 what we decided? 21 MR. SUSSMAN: Yes. 22 THE COURT: We'll reconvene a little 23 before that, then. You'll need to make 24 arrangements to -- 25 MR. TINTERA: Tomorrow at 4:00? I 247 1 should be here, assuming the grand jury doesn't run 2 late. I'm scheduled to 3:15. 3 THE COURT: If it looks like you 4 will be late, let us know. 5 You'll be making that call on your 6 credit card, Mr. Sussman? 7 MR. SUSSMAN: Yes. We'll arrange to 8 have the call placed. 9 THE COURT: Is it possible we could 10 have one of the knowledgeable people from Intel 11 place the call through surreptitious means and know 12 it's not billed to anyone and traced on the 13 computer? We probably have the personnel available 14 to do that here. 15 MR. TINTERA: I still am objecting 16 to taking any testimony from the person that has 17 not been established in the affidavit and the 18 points raised in the affidavit as having any direct 19 contact with anyone on or before November 1st, 20 1993. 21 THE COURT: Mr. Sussman did indicate 22 originally that he wishes to take that testimony on 23 two points, one on a discovery issue and the other 24 having to do with the motion to controvert. I 25 understand your objection and may be well taken, 248 1 but, again, Mr. Tintera, in a case like this, I 2 want to hear the evidence and then I'll decide. I 3 may strike it, but I'm going to hear it. 4 MR. TINTERA: What the Court has 5 referred to as discovery -- 6 THE COURT: I know. I used that 7 term as an umbrella. 8 MR. TINTERA: -- does not involve 9 me, and I'm not sure if the party that is involved 10 is prepared to go forward on that. I know that 11 motion was served on them last Monday, late Monday. 12 THE COURT: Mr. Woodard, are you 13 going to appear tomorrow on that matter? 14 MR. WOODARD: I can appear tomorrow. 15 I just got this Monday. Still trying to run it 16 down. Appears to me, one is things they didn't 17 believe they got which they asked for, and we have 18 determined that even though there was copious notes 19 in one file, they somehow didn't get into notes 20 from the other file. I gave them those this 21 morning. 22 There was a computer file which runs 23 on ad nauseum with that that they cut off two or 24 three pages, et cetera, et cetera, which to these 25 computer people meant if you want the rest of it 249 1 there it is. To me it meant it ended with 2 et cetera, et cetera. I didn't know that was 3 there. We'll print that out and get it to them. 4 I'm not sure if there is anything else like that. 5 This is also intertwined to be -- to 6 rehear the motion that you had in camera that you 7 ruled on with respect to that material and those 8 are two separate things. 9 To the extent that we should have 10 given them something and we didn't, I don't have a 11 problem. To the extent that I can produce the 12 electronic media, if it exists and there is some 13 way to edit out the stuff that we agreed we didn't 14 have to get them, I don't have a problem with that. 15 THE COURT: Whether or not I reopen 16 the other proceeding, I'll have to wait until I see 17 what sort of presentation is made. You recall, 18 those of us that were there, that I left that 19 option open. If during the trial it appeared to me 20 that we need to review that, I'd want to see what 21 presentation Mr. Sussman could make. And so if he 22 has a witness that can somehow explain to me why 23 some of the material is extremely relevant, may not 24 be subject to privilege, may not be confidential 25 work product, that sort of thing, again taking into 250 1 account the relevance and all that, I'd reconsider 2 that issue, but -- so you ought to be here 3 prepared, at least, tomorrow. 4 MR. WOODARD: I don't know if I can 5 get my people back. Mr. Cower would be the 6 individual that I would call on that. 7 THE COURT: We can do this. 8 Mr. Sussman can put on his witness and take the 9 testimony and, of course, Frank will do his level 10 best to put it down on the machine. Maybe we ought 11 to try to electronically record that as well. When 12 we do it telephonically, it's difficult sometimes. 13 Then if, Mr. Woodard, you think you need more time 14 to discuss with your people or to ask questions of 15 the witness or whatever, we could continue that 16 hearing and then get the witness back on the phone 17 at a later date, if necessary. 18 What I'm asking and suggesting, I 19 have throughout this case, is the cooperation of 20 everybody. So let's do it in that fashion. If you 21 need to talk with people or you're not prepared to 22 ask all the questions you think you might have, we 23 can get the witness back another time, couldn't we? 24 MR. SUSSMAN: Yes. 25 THE COURT: Let's take it one step 251 1 at a time. See how we can do tomorrow. If we need 2 a continuance to ask further questions of them, we 3 can do that at a later date. 4 Thank you. Thank you. We're in 5 recess until 4:00 o'clock tomorrow. 6 (Evening recess.) 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25