IN THE CIRCUIT COURT OF THE STATE OF OREGON
FOR THE COUNTY OF WASHINGTON

STATE OF OREGON,
Plaintiff,
vs.                          No. C940322CR
RANDAL LEE SCHWARTZ,
Defendant.                   Volume 7

TRANSCRIPT OF PROCEEDINGS

BE IT REMEMBERED THAT on the 14th day of July, 1995, the above-entitled matter came on for Hearing before the HONORABLE ALAN C. BONEBRAKE, a Circuit Court Judge.

APPEARANCES

Thomas J. Tintera
Washington County Deputy District Attorney
Representing the State of Oregon

Mark Sussman
Attorney at Law
Representing the Defendant

WITNESS INDEX

FOR THE STATE:             Direct  Cross  ReD  ReX
Edward Masi                4       11
John Kent                  16      100    138  142
Mark William Morrissey     154     180    230  242
  244

FOR THE DEFENDANT:
John Kent                  145     147    148

EXHIBIT INDEX

FOR THE STATE:     Offered  Received
Exhibit No. 2      50       51
Exhibit No. 3      54       55
Exhibit No. 4      63       63
Exhibit No. 5      68       68
Exhibit No. 6      68       68
Exhibit No. 7      68       68
Exhibit No. 8      75       75
Exhibit No. 9      82       83
Exhibit No. 14     94       95
Exhibit No. 15     94       96
Exhibit No. 18     83       83
Exhibit No. 19     82

MORNING SESSION
BEGINNING AT 9:40 A.M.
JULY 14, 1995

(Whereupon, the following proceedings were held in open court, the jury being present:)

THE COURT: You can see by the clock we're almost on time. We're working at it.
We were hearing State's witnesses. So, Mr. Tintera, you may call your next witness.
MR. TINTERA: Ed Masi.

EDWARD MASI
called as a witness on behalf of the State, having been first duly sworn under oath, was examined and testified as follows:

THE CLERK: State your full name and spell it for the record, please.
THE WITNESS: Edward Masi. M-a-s-i.

DIRECT EXAMINATION
BY MR. TINTERA:
Q Mr. Masi, how are you employed?
A I work for Intel Corporation.
Q And do you work at any particular division or group at Intel Corporation?
A Right. Division called SSD in Cornell Oaks.
Q And is that a separate division from the group at Hawthorn Farms?
A Yes, it's physically separate. It reports in to the senior vice president at Hawthorn Farms, but it's separate.
Q What is your title at Intel?
A I'm a corporate vice president for Intel Corporation and I'm also the general manager of SSD.
Q And was that your position in October of 1993?
A Yes.
Q As the general manager and as the corporate vice president of the Intel Corporation, how do you keep your data or information where you work?
A Well, it depends on the type of information. Electronic information is kept confidential, protected by password. Written information would be locked in desks or cabinets.
Q And do you use a computer at your -- in your office?
A Yes.
Q You, personally, do?
A Yes.
Q How do you use a computer?
A Largest percentage of the time, probably 90 percent of the time, I use it for electronic mail, for receiving messages, for sending messages, for reviewing material that may be part of a meeting, pre-meeting, conference call.
Q Could you give the jury an idea of the type of information that would have been on your computer in October of 1993?
A The information would range from information that dealt with Intel corporate activities to information that was SSD specific.
As it relates to Intel Corporation, it could be information that dealt with the pricing of future microprocessors, the availability in terms of announcement date and shipments of those microprocessors, the performance versus competition.
Information then could also include information that would be typically called insider information, information that could be used to conclude what the financial results might be for the upcoming quarter, that sort of information that I would be, as an officer, bound not to use as information to trade in the stock market.
Information that would deal with the division could include information relative to the division product, competitive sales situations, pricing in those situations, competitive strategies, manufacturing plans.
And then there would be information that, because I reported to a senior vice president at Hawthorn Farms, that would also deal with his organization because typically, he would copy his direct reports on information that dealt with his group and so I would have the similar sorts of information about their activities.
Q Could you tell the jury what the -- what as the general manager of the Supercomputer Division, what that division was doing or attempting to accomplish in October of 1993?
A It's not that well understood, not that visible. Intel Corporation is mostly thought of as a semiconductor or microprocessor or chip company. My division creates the world's largest, fastest computers out of those chips. And the best way for me to describe that is imagine one computer system that would contain the equivalent of four or five thousand personal computers and perhaps ten times the amount of supporting technology that a personal computer might normally have, so these are very large, very expensive systems.
The largest system in the world has been and is manufactured by Intel and happens to be installed at Sandia National Labs and used for application like nuclear weapons safety. So these are very special systems. They can cost as much as $20 million.
Q And does any type of research and development occur in the Supercomputer Division?
A Yes. We have the highest concentration of Ph.D.'s in mathematics and the sciences within any Intel group at the division and areas -- there are technical areas in which a number of patents have been filed and are held which deal with both the architecture and underlying technology associated with building these rather unique computing systems.
Q What type of security measures are taken to protect this information?
A Electronic information is protected through a password scheme. Information that may be in hard copy is protected through a scheme that identifies and issues to the holder of that information based on the secrecy or security level of that information. So we have red book information, literally a book of information with a red cover on it assigned to an individual. Corporate policy says that individual cannot reproduce and must at all times own that information.
Then there would be various levels of information below that, and so if the information is in hard copy, it's controlled that way. Electronic, it's controlled through password.
Q Now, the electronic information that you have in your office is protected by?
A Password.
Q And is that password known only to a very limited number of individuals?
A The only person who knows my password, other than myself, would be my secretary.
Q And does the password, itself, carry any potential or actual commercial value?
A Yes. If you have my password, it's like having the keys to my home. You can go into my home and literally look at any of the file cabinets in which the information I just described earlier would be located.
Q And would the possession of your password present a person with an opportunity to gain a business advantage?
A Oh, absolutely. Absolutely. In terms of Intel Corporation, because there are a number of companies that compete with us in both the United States and other parts of the world, and in terms of my specific division responsibility.
MR. TINTERA: Would you mark this as the next exhibit.
BY MR. TINTERA:
Q Mr. Masi, I'm going to hand you State's Exhibit 17. Could you just tell the jury what that is? Not what's on it, but what it is.
A Okay. Well, this is a magnetic disk and this disk can hold about one and a half million characters of information. And on the assumption that a page in a book might hold 200 words or a thousand characters of information, imagine this holding 1500 pages of that sort of information.
Q So this could hold 1500 pages of information?
A Right.
Q And if someone has your password, is there anything to keep them from copying 1500 pages of information to that disk?
A No.
Q Would you know it?
A No. I wouldn't know it.
Q Your computer can't tell you if that information has been copied?
A No.
MR. TINTERA: Those are the only questions I have.
THE COURT: Mr. Sussman.
MR. SUSSMAN: Thank you, Your Honor.

CROSS-EXAMINATION
BY MR. SUSSMAN:
Q Mr. Masi, I have a few questions for you.
On your electronic data, the data that's stored in your machines is so sensitive that it's extremely important in that your password security be very good?
A Uh-huh.
Q You have to answer out loud.
A Yes.
Q And then assuring that the password security is good, you need to make sure that you have good passwords, don't you?
A Yes.
Q And if you have a -- in fact, Intel has policies for setting up -- for choosing passwords, doesn't it?
A Yes.
Q Mr. Masi, I'd like to show you what has been marked for identification as Defendant's Exhibit 107. Do you recognize what this is a copy of?
A Yes.
Q And what is that?
A Information Security Bulletin for employees.
Q Is that something that you were familiar with as --
A Not directly. That is, I haven't read every page of it, but certainly in terms of being issued a password and having a system set up, I was briefed on it.
Q Did you receive one of those manuals?
A I may have. I joined Intel three and a half years ago, so I don't recall.
Q Now, directing your attention to policies for employees, I guess you would come under "employee" even though you're --
A I'm an employee.
Q Policy No. 3.5 refers to the policy on accounts and passwords; is that correct?
A Yes.
Q Would you read for the jury what policy 3.5 states.
MR. TINTERA: Your Honor, I object.
MR. SUSSMAN: Let me rephrase the question.
BY MR. SUSSMAN:
Q Policy 3.5 indicates that you're not to give out your password to anybody. Are you familiar with that policy?
A Right.
Q But you gave out your password to your secretary?
A That's correct.
Q Policy 3.5 also says to "choose good passwords, meaning six or more characters, one or more special characters, not all numbers, not in any dictionary."
A Right.
Q Are you familiar with that policy?
A Yes.
Q Now, unfortunately, at the time this incident with Mr. Schwartz arose, you had a password which was one of those passwords which was cracked during the run of this Crack password file; is that correct?
A Yes.
Q I'll show you what has been marked for identification State's Exhibit 15 and I'll show you the next to last -- just directing your attention to the next to last -- the third from the bottom, is that your password?
A It was at that point in time.
Q And that password was PRE dollar sign IDEJ; is that it?
A Yes.
Q Just a simple variation of a dictionary?
A Yes, it has more than six characters and a special character.
Q Based on a dictionary word "president"?
A Yes.
Q If there was a problem with your password, this was not a good word, would you expect your Systems Administrators in charge of security to inform you of that?
A I felt it conformed, when I created it, to the policy.
Q If there was a problem with that password, would you expect to be informed by the Systems Administrator or the person in charge of the system that your computer was on?
A I would expect so, I guess. I've not had that experience.
Q You haven't had the experience of any of the Systems Administrators working on the machines in the areas that you are working on testing the security of your passwords?
A What the Systems Administrators do is not visible to me.
MR. SUSSMAN: Thank you. I have nothing further.
THE COURT: Mr. Tintera.
MR. TINTERA: No. He's identified State's Exhibit 15. That was the only thing I wanted him to do. I have no further questions.
THE COURT: Thank you. You may step down. You're free to go.
Call your next witness.
MR. TINTERA: John Kent.

JOHN KENT
called as a witness on behalf of the State, having been first duly sworn under oath, was examined and testified as follows:

THE CLERK: State your full name and spell it for the record, please.
THE WITNESS: My name is John Kent. K-e-n-t.

DIRECT EXAMINATION
BY MR. TINTERA:
Q Mr. Kent, how are you employed, sir?
A I'm currently employed by Intel Corporation in Oregon.
Q And what do you do for them?
A I work in the IT organization as a Systems Administrator.
Q The IT organization, is that part of any other organization?
A That's Information Technology.
Q And was that the same position you held in October of 1993?
A Yes, it's a relatively similar position.
Q And where were you working in October of 1993?
A I was working for Intel Supercomputer Division in Cornell Oaks.
Q What type of computer training have you had?
A I've been in the business for over 20 years, both in networks and systems administration. I've been trained on numerous different systems.
Q Now, could you tell the jury what a Systems Administrator does, in lay terms, if you can?
A It's basically maintenance and upkeep of computer systems of various size or nature.
Q Now, as a Systems Administrator for IT, is that part of the Supercomputer Division or are you working for a different group now?
A I work for a corporate-based group now.
Q Let's go back to October of 1993. You were working for the Supercomputer Division?
A Yes.
Q And as a Systems Administrator?
A Yes.
Q So you were making sure that the systems operate correctly?
A My main -- the main systems I dealt with at Intel Supercomputers were mainly UNIX-based, UNIX-operating based systems.
Q And did you administer systems at other campuses, Hawthorn Farms or any of the other campuses?
A No. At that time, we were a separate division. I just dealt with systems that were specifically at Intel Supercomputers, although I had interface with other people at the other campuses.
Q Well, where are those systems kept, those -- are those at Cornell Oaks?
A Yeah, those systems are at the Cornell Oaks Campus buildings.
Q Do you know Randal Schwartz?
A I've met Randal on a couple occasions, yes.
Q And were you present with the Supercomputer Division when he was a contract employee there?
A At one time, yes.
Q When was that?
A That was during 1993, I believe the year was.
Q And did you have any responsibilities -- well, let's lead up to that.
Was there a period of time when Mr. Schwartz was not going to be working for the Supercomputer Division anymore?
A Yes, I do recall that.
Q Tell me what you know about that.
A We had a particular incident shortly before Randal Schwartz was --
Q There is a fan behind me. Could you speak up a little bit, sir.
MR. SUSSMAN: Ask a question in aid of objection?
THE COURT: You may.

EXAMINATION IN AID OF OBJECTION
BY MR. SUSSMAN:
Q The question was sort of pretty broad, like what do you know about Mr. Schwartz's situation there. Is this based on personal knowledge that you have?
A Yes.
Q Were you working with Mr. Schwartz at the time of the events that you're talking about?
A I was not working directly with Mr. Schwartz. He was not part of the Systems Administrator group at Intel SSD.
MR. SUSSMAN: I have no objection.
THE COURT: Proceed.
BY MR. TINTERA:
Q So your knowledge is based on knowledge that you received as a Systems Administrator responsible for all those computers?
A Through our team, that's how I learned of Randal at SSD.
Q So you can continue. We were talking about the days before or what information you had right before he left the Supercomputer Division.
A I was approached by one of my fellow Systems Administrators and he had a concern that --
MR. SUSSMAN: Your Honor, I object now because the question is calling for a hearsay answer and talking about discussions that were occurring between various people about Mr. Schwartz's activities that were not directly -- they are not directly involved with this witness' involvement with Mr. Schwartz.
THE COURT: Well, I would have hoped that the next question would be what he did as a result of that.
MR. TINTERA: I'm trying to get there.
THE COURT: Then I'm going to overrule the objection. This evidence will -- I'll tell the jury, he's about to relate what somebody else told him and we have rules about when and where that sort of information can be used, that sort of testimony. You can't -- he's going to, apparently, tell us what one of his co-workers told him, something about the defendant.
You can use that to help you understand what he's going to say later on, but what he heard his fellow employee say to him about the defendant cannot be used by you to prove that that actually was the truth. It helps in understanding the whole story, but it's not evidence to prove the truth of whatever this other person said.
Go ahead.
BY MR. TINTERA:
Q So one of your co-worker Systems Administrators approached you and then what happened?
A Asked me to verify that we had a user account name was Merlyn, also known as Randal Schwartz, had gone in and given himself complete root, basically full supervisor rights on a system without permission.
So I indeed did follow along with this other Systems Administrator and we checked it out and indeed, he had given himself root privileges on a machine without --
Q The name of the machine was what?
A DEC. D-E-C.
Q Digital Equipment Corporation?
A Yes.
Q Could you explain what the problem was? He had given himself root. Is that a word of art in systems administration or computer use?
A When you have root access on a system, it basically gives you the privileges to pretty much do what you want to do on the system. It's like being the main overseer, you can go in and change things, you can add your own programs to the system, you can alter things, you can run programs.
Q So you can act as an overseer for the whole machine?
A Yes.
Q What was the problem?
A The problem was that --
MR. SUSSMAN: Your Honor, I have to interrupt and I have to take up a matter with the Court outside the presence of the jury on this.
THE COURT: Remove the jury. I need to take up a matter outside your presence.

(Whereupon, the following proceedings were held in open court, out of the presence of the jury:)

THE COURT: Mr. Sussman.
MR. SUSSMAN: Your Honor, what concerns me about this line of inquiry, we've got a witness being asked to testify about an incident that we have no reports on. We have been provided with no reports on involving what appears to be some other incident suggesting that Mr. Schwartz was violating security, and I am at a loss to recall, unless the State has something -- can show me something specific, but I cannot recall being given or seeing any reports about this prior incident that discussed the details of it and described what Mr. Schwartz was -- what is being described here.
THE COURT: Mr. Tintera.
MR. TINTERA: That was provided to the defense in what is essentially an e-mail from this witness, John Kent, to David Small, on Page 2 in the middle of the page and describes this incident.
THE COURT: Mr. Sussman, see if you can --
MR. SUSSMAN: I'm sorry, I do see that, Your Honor. I do see that.
THE COURT: Does that satisfy you, Mr. Sussman?
MR. SUSSMAN: Yes, Your Honor.
THE COURT: Let's let the jury take five minutes, since we're out anyway. You had something you wanted to say to me. Feel free if you want. I think when I was asking for argument, you were going to say something. If you want to talk with either counsel during this brief recess, you may.
In a very short period of time, we'll start again.

(Recess.)

THE COURT: We have taken a short break. I saw counsel briefly in chambers.
Mr. Sussman, you have a matter, I think you wanted to address the Court on, on this conduct we're hearing about now.
MR. SUSSMAN: Yes, Your Honor. In addition to the grounds previously stated, concerns previously stated, I do note that pretrial, in motions in limine to exclude certain evidence of uncharged misconduct and should be excluded on the grounds that it was not relevant, and if it was relevant, then the value it had is outweighed by the prejudicial effect.
We have here a brief reference to the security incident we're going to hear about suggesting that Mr. Schwartz was essentially going into other machines or in setting up privileges on his own and this is clearly another form of misconduct which could be -- the theory could be charged it's the kind of misconduct which seems to be -- appears to be offering it to show that Mr. Schwartz appeared -- acted consistent with that kind of behavior.
We think it's not relevant to the charges here and any relevance it has is outweighed by its prejudicial effect.
THE COURT: Okay. Mr. Tintera.
MR. TINTERA: Judge, the defense has indicated that they -- that the defendant did not know that the activities that are charged were against Intel policy or without authorization. This is part of the -- it's close in time and it's part of the process of showing to the jury that he certainly did know what was right and wrong in his activities of the Intel Corporation.
I think it comes in to show the defendant's knowledge, both his personal knowledge and actual received knowledge of Intel policies and what was right and wrong.
THE COURT: Well, this is not the first time I've had an occasion to consider the application of Rule 404, Subsection 3 primarily, and consider also in doing that 403, which is the weighing process.
MR. SUSSMAN: The witness has to testify that this incident occurred in early 1992, which is approximately at least a year and a half before the incidents here that he's charged with here. And none of the charges here involve an allegation Mr. Schwartz had given himself root access, this special privilege to access other computers, which is the nature of the violation being described.
THE COURT: Well, I'm going to go based on the evidence I've heard so far and the explanation of root access.
One of the prior witnesses testified that root access was basically God privileged with a computer. You could do anything you wanted. I assume that having a password that permits you to obtain information from the computer is similar, but something of a lesser degree, and so there seems to be a similarity there of access to information held in the computer, whether you have root access or whether you simply know a password that allows you to obtain access to information held in computers, and so there certainly would seem to be a very -- those seem to be similar.
The fact that it's a year prior is something to consider, but if this evidence is to be evidence that the defendant was in some form chastised or informed that he was not to do this sort of thing, that is, to operate the computers so as to give himself root access, it would seem -- with Intel, it would seem unlikely that that's the kind of thing that he would have forgotten in a year.
I already heard he's a person that finished high school two years early and a very bright fellow, and it's obvious and hard to believe that if he had been told that, he would have forgotten it a year later.
It is uncharged conduct and there is always a risk of prejudice to a party; that is, that a fact-finder, in this case the jury, would use that to the improper purpose of saying, "Well, he did it before so he must have done it in this case."
There is a means of trying to protect against that sort of prejudice by the Court giving, when it allows this sort of evidence, a cautionary instruction to the jury. If you read State v. Brady -- no.
MR. TINTERA: Johns.
THE COURT: State v. Johns, one of the first cases that came out of this county, Judge Ashmanskas' case, dealt with the element of intent, a murder case, and the courts approved of the giving of a cautionary instruction when it's requested by a party.
Based upon what I've heard in this case, it seems to me that evidence of similar uncharged conduct committed previously a year before, based on what I've heard in opening statements, jury voir dire, questioning of other witnesses, seems to be extremely relevant; that is, it tends to disprove, if believed, an assertion by the defense that the defendant thought he -- either this was a part of his job as a Systems Administrator or that he had the authority to do this as a Systems Administrator and was simply doing it for the protection of Intel and somehow didn't know that obtaining passwords and information from computers that he was not authorized to have was against policy.
It also would -- I can see the type of defense here that I've heard about so far, even though we haven't got to the defense case, but from opening statements and cross-examination and voir dire, that the defense could also possibly be built on the basis that the defendant somehow was mistaken, that if he wasn't authorized, that he thought he was authorized to do this, and this would tend to negate the possibility that a mistake had been committed, some mistake or accident.
I think this evidence is relevant to all of those things. It doesn't seem to be extremely prejudicial. I haven't heard every word that this witness is going to speak, but I've been advised generally of what he's going to say and so I'm going to permit it. I think it is very relevant. And even under 403, weighing the possibility of prejudice against the relevance and the weight of the evidence, it's clear to me that given the type of case that we have here, that this is relevant and the relevance outweighs the possible prejudice.
Having said that, if the defense wants me at some point to either now or later give some sort of limiting instruction, cautionary instruction to the jury about what they can use this information for, I'd be pleased to consider that. In the absence of such request, I won't give one. Anything else?
MR. SUSSMAN: No, Your Honor.
THE COURT: Let's bring in the jury and proceed.

(Whereupon, the following proceedings were held in open court, the jury being present:)

THE COURT: Proceed, Mr. Tintera.
BY MR. TINTERA:
Q Mr. Kent, we were talking about a security incident involving Digital Equipment computer -- Corporation computer, to bring you back. Do you know when that occurred?
A I don't recall the exact date.
Q Was it sometime before Mr. Schwartz was no longer working at the Supercomputer Division?
A Yes, it was.
Q Do you know if it was years before or can you give us some sort of timeframe?
A Definitely not years. If I recall, I started at Intel around about the end of 1992, so it was definitely a number of months after that.
MR. SUSSMAN: I couldn't hear the answer. It was "some months" what?
THE COURT: I need to have a minute here. Just stop for a minute.

(Pause in the proceedings.)

THE COURT: Okay, go ahead.
Was there an objection to the question?
MR. SUSSMAN: No. I couldn't hear the response to the last question, whether he said -- whether he said "sometime after."
THE WITNESS: No. The incident.
MR. SUSSMAN: You're saying this occurred sometime after Mr. Schwartz stopped working at SSD?
THE WITNESS: No. The incident occurred while he was working at SSD.
BY MR. TINTERA:
Q Let me hand you these two pages. Are you familiar with these two pages, sir?
A Yes, I am.
Q And what is this?
A This is a report that we put together.
Q You?
A Myself and Doug Smith, who was my co-partner, if you will, another one of our Systems Administrators at SSD.
Q Could you just read to yourself under the notes and see if that help refreshes your recollection about this event.
A (Witness complies.) Yeah, I still recall the incident, even without reading that.
Q So we have this security incident involving the DEC computer. Would you tell the jury what happened.
A I was approached by Doug Smith, who is another one of our Systems Administrators at that time at SSD, and he said that they had found the user Merlyn, aka Randal Schwartz, had gone and changed the root password on this DEC server that we had located in one of our rooms over at Intel SSD.
What we did was contact the Intel administrator that dealt with those specific types of systems and they came in and rectified it and got the root password changed again so he didn't have that access. And then Doug Smith and I reported the incident to our management that we didn't feel this was very appropriate.
Q Was that information provided to Mr. Schwartz?
A What we did was, rather than directly confront Mr. Schwartz, we went to our managers to inform them that there had been an incident, and that we contacted the DEC administrators to inform them that there had been an incident and we provided all the information directly to our managers. They then took that and dealt with it appropriately in their fashion.
Q And was that Herb Mayer and John Gray?
A Initially John Gray, who was our campus manager, and then he and Herb Mayer had discussions about this incident.
Q Was the root password taken away from Mr. Schwartz?
A Most definitely. At that time, it was changed appropriately.
Q Could you tell the jury what the difference between a root password and just a normal password, one like Ed Masi had? What's the difference?
A Well, to put it basically, it gives you overall power over that machine. As I heard it explained earlier, it gives you God rights on that particular machine. You can do whatever you want.
Q So it's different than just a normal password that gives you access to the machine?
A Most definitely.
Q And where does -- who has this type of root password? Where does it come from? Who has the authority to give someone this type of control over a machine?
A Well, I am entrusted by my manager as being a member of a specified team of people. Those specified team of people are the only people that are given that type of right over that machine.
Q Now, to move on from that, was there any other problem besides the root password? Was there any other change made to the DEC server?
A None that I'm aware of.
Q Anything involving back doors?
A Well, basically if you give yourself root permission on a server, you can do what you want on there, and having a root password allows you to access that machine in any way that you need to.
Q Were you involved at all in removing Mr. Schwartz's accounts or passwords or whatever he had at the Supercomputer Division when he left that division?
A Yes.
Q And can you give us a timeframe when that was?
A I don't have the exact date.
Q We don't need the exact date. Can you give us a timeframe of when that was?
A It was in the latter part of 1993, approximately.
Q So in 1993, what did you do?
A I was informed that Randal Schwartz had left Intel SSD. I went in as an administrator, root, and I deleted his accounts. Basically, I disabled his password access onto those machines.
I also scanned around other known machines and checked for user Merlyn to make sure there were no other accounts around and also disabled any of those that I did find.
Q So what were you attempting to accomplish?
21 A Well, he had left our division, 22 therefore, he had no need for those accounts and I 23 closed them down at the request of management. 24 Q What about the Brillig computer, that 25 part of the Supercomputer Division? 37 1 A It's owned by Supercomputers, yes. 2 Q Did you close the account on that? 3 A No. It had a different password file. 4 Q So the Brillig password file is separate 5 from the full SSD password file? 6 A Because of the nature of that specific 7 machine and what it was being used for by a 8 development group, yes, it had a different password 9 file. 10 Q Are you part of the administration of 11 that machine? 12 A I assist partially with that machine, but 13 there was a software engineer who was controlling. 14 Q Who is that? 15 A That was Mr. Rich Greco. 16 Q You know at that period of time the size 17 of the password file on Brillig? 18 A Yeah. When I went in and checked it, 19 there must have been approximately 30, 40 users. 20 Without looking at it, I can't recall the exact 21 amount, but it was a very small password file. 22 Q And the password file to the 23 Supercomputer Division, what was its size? 24 A Hundreds. Five or six hundred or more. 25 Q Well, can you explain to the jury how it 38 1 was that Mr. Schwartz's account on the Brillig 2 computer was not disabled or closed? 3 A As I mentioned earlier, there were 4 certain systems, very, very few, that are used 5 specifically for certain types of software 6 development. This particular machine was partially 7 under the control, if you will, of a software 8 engineer group. 9 Can you refresh me on that question 10 again? I want to make sure I answer this properly. 11 Q I was asking, if you are the person 12 responsible for disabling or terminating all of 13 Mr. Schwartz's access to Supercomputer Division 14 computers or his accounts, how was it that this 15 machine was overlooked? 16 A When I go in as a Systems 17 Administrator -- 18 MR. SUSSMAN: Objection to the form 19 of the question. 
Assuming facts not in evidence, 20 that it was overlooked. 21 THE COURT: Sustained. 22 BY MR. TINTERA: 23 Q Was Mr. Schwartz's account on the Brillig 24 computer disabled? 25 A No, it was not. 39 1 Q Should it have been disabled when he left 2 the Supercomputer Division? 3 A Most definitely. 4 MR. SUSSMAN: Question in aid of 5 objection? 6 THE COURT: You may. 7 EXAMINATION IN AID OF OBJECTION 8 BY MR. SUSSMAN: 9 Q Did anybody specifically tell you to 10 disable the account on Brillig? 11 A We were not aware that Merlyn still had 12 an account sitting on that particular system. 13 Q So you had no personal knowledge that the 14 account was on the system? 15 A No, because it was -- 16 Q Could have been set up by other Systems 17 Administrator that could have set it up besides 18 you? 19 A Not within my group, no. Somebody that 20 was associated perhaps, as I said, like a software 21 engineer that was working within SSD for specific 22 development purposes, it may have been set up. 23 Q So the person who may have suggested that 24 it be set up may not have told you that that 25 account should have been closed; is that right? 40 1 A Can I answer that in a very explicit 2 fashion, in the way I feel it should be answered? 3 When somebody leaves the company or moves to 4 another division within the company, their direct 5 supervisor or manager must report not only down to 6 the IT organization that this person has left or is 7 moving, but if he has any other software engineers 8 that has machines that he knows people are working 9 on, he has the responsibility of reporting this 10 information directly to the people that he's in 11 charge of. 12 Q And nobody reported to you that 13 Mr. Schwartz was moving off the Brillig machine? 14 A I'm sorry, could you repeat that? 15 Q Nobody reported to you to close the 16 account on the Brillig machine then? 17 A No. 18 Q You had no personal knowledge about 19 whether that account should be closed? 
20 A Until the time of the incident, no. 21 Q Until November 1st, 1993? 22 A Approximately. 23 MR. SUSSMAN: I object to this 24 witness then further testifying about responding to 25 the question, Your Honor, as to -- that 41 1 Mr. Schwartz's account should have been -- in his 2 view should have been closed at that time. He 3 doesn't have personal knowledge of that. 4 THE COURT: Mr. Tintera, any 5 argument on that? 6 MR. TINTERA: Your Honor, this -- I 7 can establish that this person is responsible for 8 security as a Systems Administrator for the 9 Supercomputer Division. 10 THE COURT: Go ahead, if you want to 11 ask more questions before we get to that question 12 again. 13 BY MR. TINTERA: 14 Q As the Systems Administrator, are any of 15 your duties involving the security of the 16 Supercomputer Division? 17 A Yes. 18 Q And are you also responsible for -- Well, 19 as a Systems Administrator, if a person has their 20 accounts terminated within the larger group of the 21 Supercomputer Division, are they entitled or 22 authorized to maintain accounts on other computers 23 within the Supercomputer Division? 24 A No, they are not. 25 Q And how do you know that? 42 1 A Because it's told to us from upper level 2 Intel management, explained to us by local 3 management, and it's a process by which most 4 people, I would presume, fully understand that if 5 they have their main account shut down, that they 6 shouldn't be utilizing other little accounts within 7 a company. 8 Q So that is Intel's policy -- 9 A Yeah, I believe that that is. 10 Q -- or a practice? 11 A I believe it's both a policy and a 12 practice. 13 MR. TINTERA: Judge, I think that's 14 sufficient. 15 THE COURT: Overrule the objection. 16 He can answer the question. 17 BY MR. TINTERA: 18 Q Why was it that Mr. Schwartz's account on 19 Brillig was overlooked when you closed out his main 20 accounts within the Supercomputer Division? 21 MR. SUSSMAN: I object to the form 22 of the question. 
23 THE COURT: There was an objection 24 to the word "overlooked" before and I sustained 25 that. If you want to ask him why the password on 43 1 Brillig was not terminated at that time, I'll 2 permit him to answer that. 3 BY MR. TINTERA: 4 Q Why was Mr. Schwartz's account left open 5 on the Brillig computer? 6 A Because I was not aware or told that he 7 had an account on the system Brillig. 8 Q And since he was leaving the 9 Supercomputer Division, had you been aware of that, 10 would you have taken any action? 11 A It would have been terminated at exactly 12 the same time and moment that we did all the other 13 ones, yes. 14 Q And why was that? 15 A Because he had left the division. 16 Q He had no business there? 17 A No, he had no business there. 18 Q Do you recall receiving information from 19 Mark Morrissey at Hawthorn Farms regarding the 20 Brillig computer? It would have been in October of 21 1993. 22 A May I get my notes off there and then I 23 can match the dates? 24 MR. TINTERA: Yeah. 25 THE WITNESS: Would that be okay? 44 1 THE COURT: You may. 2 THE WITNESS: Could you rephrase the 3 question? 4 MR. TINTERA: I'll just ask it 5 again. 6 BY MR. TINTERA: 7 Q Do you recall receiving information from 8 Mark Morrissey at Hawthorn Farms regarding the 9 Brillig computer in the last week of October of 10 1993? 11 A Thursday, October 28th, Mark Morrissey 12 contacted me by phone. 13 Q By what? 14 A By telephone. 15 Q He didn't use e-mail? 16 A We were not using e-mail at that 17 particular point out of concern that there might be 18 access to e-mail. 19 Q So by telephone? 20 A Yes. Voice only. 21 Q And what was the nature of that 22 conversation? 23 A He informed me that he had spotted a user 24 by the name of Merlyn coming in and out of a system 25 known as Brillig that was located at my site. 45 1 Q Now, when you say "coming in and out of," 2 does that mean like logging into and logging out 3 of? 4 A Yes. 5 Q And what was the concern, if any? 
6 A Well, initially, he wanted me to go do a 7 check on Brillig, and I have that here in my notes. 8 Q What did you do? 9 A I went to the machine Brillig and talked 10 with Rich Greco and we sat down and I went through, 11 and sure enough, found that there was an account 12 under the name Merlyn, there had been access to 13 that account, and we found processes or programs 14 running on that machine that were owned by that 15 person. 16 Q Was this after you had terminated 17 Mr. Schwartz's main accounts with the Supercomputer 18 Division? 19 A Yes. 20 Q Was this an authorized account? 21 A In my mind -- 22 MR. SUSSMAN: Objection. Calls for 23 a conclusion of this witness and -- 24 MR. TINTERA: He's a Systems 25 Administrator for this particular portion of Intel 46 1 and knows who has an authorized account and who 2 does not. 3 THE COURT: I have a question about 4 the question you've asked. Is the question whether 5 or not it was authorized originally or whether it 6 was authorized at the time he found it to be 7 running on this occasion? 8 BY MR. TINTERA: 9 Q I'm asking about the timeframe on October 10 28th when you looked at the Brillig. 11 THE COURT: Whether on that occasion 12 it was an authorized account? 13 MR. TINTERA: Yes. 14 THE COURT: He may answer that. 15 Overrule the objection. 16 BY MR. TINTERA: 17 Q Was that an authorized account on October 18 28th? When you looked at that Brillig computer, 19 was Randal Schwartz's Merlyn account authorized? 20 A From fully understanding Intel's policies 21 and rules, no, that was not an authorized account. 22 Q So what did you do? 23 A Up until Monday, November 1st, at 9:30 in 24 the morning, we monitored that system for any 25 activity that was going on for user Merlyn. 47 1 Q Did you do any type of analysis or 2 looking into this computer? This is kind of like 3 looking into a crystal ball to me, but did you do 4 something to find out what was happening with this 5 computer, how it was being used by Mr. 
Schwartz or 6 Merlyn, which was his user name? 7 A Yes. We used standard UNIX commands and 8 systems administration tools to check the system to 9 see whether there was activity and other items on 10 that system. 11 Q These are a little small, but I'd like 12 you to approach this easel, and if you could -- 13 THE COURT: Have you seen those, 14 Mr. Sussman? 15 MR. SUSSMAN: I'm sure these are 16 copies of things that I have in discovery, but if I 17 could move around to see them. 18 THE COURT: Sure. 19 THE WITNESS: I'll come around. 20 This side's easier to read. 21 BY MR. TINTERA: 22 Q If you want to hold them up, I'd like you 23 to explain. 24 A What we did as Systems Administrators, 25 there are certain UNIX commands that you can go 48 1 into -- 2 THE COURT: This is going to be 3 awfully hard for Mr. Sussman to see. I understand 4 that the diagrams are small, but he's going to -- 5 THE WITNESS: He has exactly what I 6 have on here. 7 THE COURT: He can't see what you're 8 pointing at, is the problem. So you'll have to 9 back up. I can't see. Stand by the easel. 10 And, Mr. Sussman, if you would like 11 to come up by Mr. Tintera. 12 MR. SUSSMAN: If Mr. Kent will refer 13 to the number in the lower right-hand page of the 14 exhibit, not the exhibit number, but there is a 15 number next to that. 16 MR. TINTERA: Right next to the 17 sticker. 17. 18 MR. SUSSMAN: Refer to that, and as 19 you go through the statement referring to what line 20 on that exhibit, I can follow along. 21 THE WITNESS: I'll start at the top 22 here. 23 I made a note in this particular log 24 that they asked me to provide that I found that the 25 actual systems date was actually off by five days 49 1 and two hours, so that's one of the first things I 2 checked to see whether the actual time that was 3 running on that machine and logging was the actual 4 time according to the watch. 5 BY MR. TINTERA: 6 Q Was that because this machine was allowed 7 and off your normal loop of maintenance? 
8 A Exactly. Otherwise, it would have had 9 the same systems time clock that all of our other 10 systems had if it had received the updates. 11 I started off basically by running 12 through some very simple commands to see whether in 13 actual fact this user had been coming onto the 14 system. This command here gave me a list for this 15 user Merlyn and showed me the dates and times and 16 approximately how long that this person had made a 17 connection on that particular machine. 18 THE COURT: You need to refer to the 19 line so that Mr. Sussman can follow along on the 20 exhibit. When you say "this command here," which 21 line? 22 THE WITNESS: References the last 23 command. 24 BY MR. TINTERA: 25 Q When you talk about a command, you're 50 1 telling the computer to do something? 2 A Yes. I'm telling the computer as the 3 root, you're to go in and give me back some 4 information that it stores on there. Has certain 5 log files, if you will, that it keeps of activities 6 and things that happen on that computer system. 7 Q What command did you use? 8 A There is a command here called lists. 9 What this looks at is lists. What that does is 10 tells me the listing of people that have been 11 attaching and connecting to that system and running 12 certain processes on there, a process being a 13 program that runs. 14 What I did here was made -- instead 15 of having a long list to provide everybody, I went 16 through and there is a command you can use to pull 17 out the information for a given user, which is why 18 you see everything here says "Merlyn." This is 19 what we were interested in finding out for user 20 Merlyn. And then this lists out the dates and 21 times and approximate time that this person was 22 using that system. 23 Q That is plus five days and two hours? 24 A Exactly. 
25 Q Let's take this blue marker and if you 51 1 could indicate plus or -- 2 A If we were to take -- For example, if we 3 look at the last time it showed him as attaching 4 into that machine, we see a date of October 23rd at 5 14:12 military time. So if I add five days to 6 that, that makes it October 28th and it would be 7 16:12. That is the real time that the person 8 logged into that machine. 9 Q So what are you looking for here? 10 A Well, we're looking to find out whether 11 the person has been actually accessing and 12 utilizing a particular machine that was in 13 question. So that's the first thing I do with -- 14 as the Systems Administrator is to get onto that 15 system and start checking out all of the log files 16 and records that exist on that system to see 17 whether indeed this person has been connecting 18 into, attaching or possibly utilizing that system. 19 Q And what did you see? 20 A We saw that indeed he had an account. 21 I'll reference that as I go further back. 22 Q So you're done with State's Exhibit 2? 23 A No. 2, No. 17. 24 MR. TINTERA: Judge, I would offer 25 this into evidence. 52 1 THE COURT: Mr. Sussman. 2 MR. SUSSMAN: No objection. 3 THE COURT: 2 is received. 4 (Whereupon, State's Exhibit 5 No. 2 was received in 6 evidence.) 7 MR. TINTERA: Would you mind if we 8 passed this to the jury at this point? 9 THE COURT: If you think it will 10 help. 11 MR. TINTERA: Yeah, I do. 12 THE COURT: Go ahead. 13 THE WITNESS: I'll move on to No. 14 18, Mr. Sussman. I'll move halfway down that page. 15 The next thing I did was, I wanted 16 to see whether that person has a directory. The 17 directory is a place that the user can store 18 information and possibly may have files that exist. 19 BY MR. TINTERA: 20 Q So it's like a closet? 21 A It's like a closet, a storage box, if you 22 will. A mailbox so you can look at it in a number 23 of different ways. 24 So what I did, I found that yes, we 25 have a directory over here that is the user people. 
53 1 And I see here definitely here a number of 2 different people's home accounts, if you will, 3 these home directories where they can store things. 4 So I scanned that, and if we go down 5 to this line right here, you will see an entry 6 there for Merlyn. So now I know that -- 7 BY MR. TINTERA: 8 Q Mark that with that blue marker so we 9 know what you're talking about. 10 A Okay, right here. I see that there is -- 11 Q Let me back you up. 12 At the top of State's Exhibit 3 is a 13 # tail SYSLOG, "SYSLOG," being in capital letters. 14 Does that make a difference, by the way, of capital 15 letters or lower case letters? 16 A I'm sorry. 17 Q Does it make a difference to the computer 18 whether you use capital letters or lower case? 19 A No. On the UNIX system, doesn't matter 20 whether they are upper case or lower case. 21 Q What were you doing with the # tail 22 SYSLOG at the top of State's Exhibit 3? 23 A When I went into the SYSLOG, I was 24 looking in there to see whether there were any 25 particular error messages or system concerns that 54 1 we should be taking into consideration. I didn't 2 actually find anything in here other than there was 3 an entry for another machine that was apparently 4 trying to use this server's IP address, so I did 5 have some concern and we went off into different 6 issues to investigate that matter. I recorded that 7 matter just as a matter of note. 8 Q Then you used the command in the middle 9 of State's Exhibit 3 CD/usr/people? 10 A Right. That's where I actually went down 11 to that level directory. And then there is a 12 command below that -- 13 Q What does the CD stand for? 14 A Means "change directory." 15 Q And the user, USR? 16 A User is a user directory, a name. There 17 is general standard names that are used on specific 18 systems. In this case "user" means that there is 19 some user directories or something below that. 20 Q So you're checking user storage boxes for 21 the people that have stuff in them? 22 A Yeah. 
They either have accounts on that 23 system -- well, if their account was disabled, then 24 generally this would not exist. It could still 25 exist, even if the password had been disabled, 55 1 though. So they could still have a directory in 2 there even if you disabled the main access 3 password. 4 Q But you do find one for Merlyn? 5 A We find one for Merlyn. 6 Q So then what did you do? 7 A The next step that I did was, I actually 8 went down one more level into that Merlyn 9 directory. Let's see if there's any files in this 10 directory called Merlyn. 11 MR. TINTERA: We would offer State's 12 Exhibit 3. 13 MR. SUSSMAN: No objection. 14 Before we go on to Exhibit 4, let me 15 ask just for logistics here -- this is getting 16 awkward. Are you simply going through -- are these 17 exhibits going through the pages -- 18 MR. TINTERA: Exactly. 19 MR. SUSSMAN: I think we'll be able 20 to follow that from our seat more comfortably. 21 THE COURT: If at any time you need 22 clarification, let us know. 23 MR. TINTERA: So we can move closer 24 if he's going to go back to the table. 25 THE COURT: I don't want him in the 56 1 jury box. 2 THE WITNESS: If you're going to 3 send them around to the -- 4 MR. TINTERA: I would offer State's 5 Exhibit 3. 6 THE COURT: I think he said no 7 objection. 8 MR. SUSSMAN: That's correct. 9 THE COURT: Received. 10 (Whereupon, State's Exhibit 11 No. 3 was received in 12 evidence.) 13 BY MR. TINTERA: 14 Q Now, on No. 19, State's Exhibit No. 4. 15 A So I stepped down one level in the Merlyn 16 directory to see if there were any files in there. 17 And also we checked file dates by doing a listing 18 of what's inside that directory. Sure enough, I 19 found there were all different types of files down 20 inside Merlyn's directory. That's what this shows. 21 Here is the owner of those files, 22 here are the dates, the sizes and the names of the 23 files. 
One of the reasons why I do that is because 24 I wanted to see if there is any types of files that 25 may be of concern down inside those directories. 57 1 Q Does this tell you what the computer is 2 being used for by what is in these files in the 3 directory? 4 A Sure. We can actually -- once I get a 5 directory listing, I can start looking around for 6 any files that we feel may be dangerous or may 7 cause some concern to us that the user has placed 8 in his directory. 9 Q What did this show you? What do these 10 files show you? 11 A The one that I immediately got flagged as 12 a red file, I'll mark that one up here for you. 13 Q Would you like a red marker? 14 A Yeah. There are certain files known to 15 Systems Administrators that can give certain 16 permission or create certain avenues for people to 17 make things easier for them on a given system. 18 MR. SUSSMAN: What file are you 19 referring to? 20 THE WITNESS: Line No. 3 on that 21 page, No. 19. 22 There is one file initially that I 23 found. We found a number of files here that are 24 called IRC, which is Internet Relay Chat program 25 which we normally do not allow run at SSD. 58 1 MR. SUSSMAN: Objection to that as a 2 conclusion of the witness, Your Honor. 3 MR. TINTERA: No, it's not. He's a 4 Systems Administrator, he knows what programs are 5 permitted to be run at SSD and not. 6 THE COURT: Well, he said "normally" 7 on clarification. Sustain the objection. 8 BY MR. TINTERA: 9 Q Is that an Internet Relay Chat? 10 A Yes. 11 Q What does that mean? 12 A Like allowing to have a CB program to 13 have people have a multiple chat line across the 14 Internet. And you're using that system or the 15 system is capable of allowing you to do that. 16 Q Is that something that is within the 17 normal business practices of the Supercomputer 18 Division? 19 A No, it's not. 20 Q So you found this Line 3, which was of 21 concern to you. It's an R host? 22 A Yeah, it's called a .rhost file. 
What I 23 did, if you go to the bottom, I did a "more" 24 command to take a look at what was indeed inside 25 this .rhost file and I noticed there were a number 59 1 of systems that didn't exist at SSD. These systems 2 that are named existed over at another facility 3 called Hawthorn Farms. 4 What the .rhost allows a person to 5 do is to be able to log in as the user name here 6 from that other system without using a password. 7 What really kind of brought this to 8 my attention here, I noticed that he's got four 9 systems named that are not even on our campus, that 10 not only has the entry for Merlyn here but also has 11 the entry for root. 12 So, as I said, gives you the name of 13 a system here and tells you who the user is and he 14 can log into the system without using a password to 15 get into it. I've got Merlyn now and I've got 16 root. 17 Q Is this that root access we talked about 18 before, is that the same thing? 19 A Yeah. It will allow root from Kandinsky, 20 for example, on the second line, to log into 21 Brillig without entering a password. 22 Q So you could go from the Kandinsky 23 computer to the Brillig computer without entering 24 your password? 25 A That's true. 60 1 Q How would the computer know who was on 2 the system? 3 A It's looking at these users in the 4 password files. So if in Brillig's password file, 5 even if it only has 20 entries, if there is a user 6 Merlyn in that password file and there is a user 7 root in there, it basically says, "Okay, this 8 person can attach to this machine without answering 9 the password." 10 Q So if they are connected together, then 11 the machine would allow this? 12 A Yeah. 13 Q Why did that attract your attention, the 14 "rhost"? 
15 A Morrissey, who initially contacted me to 16 alert me of this, was a Systems Administrator in 17 Hawthorn Farms, and the systems that he was dealing 18 with that he was reporting some activity with 19 Merlyn was Kandinsky and these other machines that 20 are listed here that are sitting over on my system 21 Brillig at Intel SSD. 22 Q Well, as a Systems Administrator, are 23 those the -- the Kandinsky and root, what we have 24 at the bottom of State's Exhibit 4, are those 25 supposed to be on the Brillig machine? 61 1 A No. Normally, we generally don't allow 2 people to go sticking .rhost in the file off their 3 systems because it creates a security leak. 4 Q Did you give Mr. Schwartz permission to 5 change the Brillig computer in this manner? 6 A No. 7 MR. SUSSMAN: Question in aid of 8 objection? 9 10 EXAMINATION IN AID OF OBJECTION 11 BY MR. SUSSMAN: 12 Q You are not the administrator for the 13 Brillig machine? 14 A That's true. 15 Q You would not be in a position to give 16 him permission to do anything on Brillig, would 17 you? 18 A The person who was in charge -- 19 Q Please answer the question. I asked 20 whether you could. 21 A Whether I could? 22 Q Right, have given permission or not given 23 permission. 24 A In this particular case, I did not give 25 permission. Does that answer that? 62 1 Q No. The question was, you were not -- 2 you do not have the authority to give permission or 3 not give permission to Mr. Schwartz to do anything 4 on Brillig; is that correct? 5 A I was not informed that he had an account 6 on Brillig, so how could I? 7 Q That was not your position to do that, to 8 give authority or deny authority, was it? 9 A When management -- 10 Q Please answer the question, Mr. Kent. 11 THE COURT: Answer it and then if 12 you need to explain it, you can explain it. 13 THE WITNESS: I'm trying to think of 14 the right answer because it's a very fine 15 borderline on whether I do or whether I don't. 16 BY MR. 
SUSSMAN: 17 Q Management can ask you to disable an 18 account at the request of somebody else; is that 19 correct? 20 A Yes. 21 Q You don't have the authority to either 22 personally make a decision whether somebody has 23 access or not? 24 A I'm basically told that this person has 25 or does not have access. 63 1 Q You don't have personal knowledge of 2 that? 3 A When I'm told by management. 4 MR. SUSSMAN: So I move to strike 5 the last answer, the answer to the last question 6 because it's based on what he is told by others and 7 not based on his personal knowledge or based on 8 anything that's within this witness' ability to 9 speak from his personal knowledge or experience. 10 THE COURT: I've forgotten 11 specifically what the question was. 12 MR. SUSSMAN: I'm trying to say that 13 it's a conclusion of this witness. Move to strike. 14 THE COURT: The motion was to strike 15 because this witness does not have the authority to 16 grant permission or authority to change the 17 computer or to take it away. Is that what you're 18 saying? 19 MR. SUSSMAN: Yes, Your Honor. And 20 this is -- it's calling for this witness to give an 21 answer to something that is outside his purview. 22 Essentially, it calls for this witness to make a 23 conclusion as to whether or not Mr. Schwartz -- 24 THE COURT: Mr. Tintera. 25 MR. TINTERA: I can rephrase the 64 1 question. 2 THE COURT: Thank you. 3 BY MR. TINTERA: 4 Q Mr. Kent -- 5 A May I confer with -- 6 Q No. 7 A I just needed to rectify something. This 8 is very borderline. 9 Q Did anyone -- Did any person approach you 10 and request that you allow these accounts to be 11 opened on the Brillig computer? 12 A No. 13 MR. TINTERA: I'd offer State's 14 Exhibit 4. 15 THE COURT: Have you seen that, 16 Mr. Sussman? 17 MR. SUSSMAN: Yes, I have. I have 18 no objection. 19 THE COURT: Proceed. It's received. 20 (Whereupon, State's Exhibit 21 No. 4 was received in 22 evidence.) 23 BY MR. TINTERA: 24 Q Then what did you do? 
25 A Let's move to State's Exhibit 5, No. 20. 65 1 The next thing that I have at the top here, I had a 2 concern over anything that may appear to be a 3 directory that might have something abnormal. So I 4 went in here and I changed directories one level 5 more down into his directory. He had a directory 6 called "play" and all I did was get a listing of 7 the items that were down in that directory here, 8 which contains some files and some further 9 subdirectories down here. 10 The next thing down in the middle of 11 the page, I went over to check out our groups file. 12 The password file and the groups file on the system 13 give various permission to users coming in and I 14 wanted to see whether there was a user Merlyn. 15 Q What command did you give the computer? 16 A More. List out all files. So I checked 17 out that file to see whether there was anything 18 abnormal in the groups file that may have been 19 hacked, that may have been tampered with, and I 20 noticed that there was nothing in that particular 21 file. 22 Next thing I did in the process, 23 what -- there were areas that store temporary 24 files. In other words, if there is some type of 25 program running on the computer, oftentimes there 66 1 will be files that are stored, log files and 2 et cetera, so down here I go into a directory, I 3 change the directory down into one of the system 4 directories now and it's called "temp." I did a 5 listing of files that were contained in that temp 6 directory. 7 I have to roll over two pages here 8 to explain this. I look at State's Exhibit 6, No. 9 21, and I noticed there were a whole bunch of files 10 contained in this temporary directory owned by user 11 Merlyn. The first group of them begin with a thing 12 called emacs. Emacs is an editor like a word 13 processor program. 14 Q Like a little typewriter? 15 A Yeah, like a little typewriter program 16 where you open up this program and it goes and 17 stores out some files. 
18 I noticed that the size of these 19 files, there was nothing in them. They were zero, 20 so they were basically written out as temporary 21 files. 22 Q So if the word "cat" was in these files, 23 what would it show instead of zero? 24 A It would show X number of bytes within 25 that. This number would not be zero. 67 1 Q It would be three? 2 A It would be three. 3 Q Because there is three letters. We're 4 talking about the zero says there is no information 5 in the file? 6 A Right. 7 Q The box is empty? 8 A Exactly. 9 Q If there was the word "cat" in the file, 10 it would give you a three because it has three 11 letters; is that right? 12 A Yeah. I then went on to another 13 directory. 14 Q Which exhibit are you on? 15 A I'm cross-referencing two at the same 16 time, 5 and 6, so I'm now on Page 21. I go into 17 and look at another temp directory, called a 18 "usertemp," and I did a listing there. And as you 19 can possibly see here, there are some other users 20 that had temporary files in here. 21 Once again, I noticed that there are 22 a number of them in here for this user Merlyn on 23 the system. So I looked across and checked out 24 what the name of that file is and this was rather 25 intriguing. There were these files all labeled 68 1 gatelog and a number, so I was a little concerned, 2 like what are these files here? 3 So what I did was I used that "more" 4 command again, which lists out the contents of the 5 file, and what I noticed at this particular point 6 was that this user Merlyn was keeping some 7 temporary log files. And it showed me that there 8 were connections, he was logging connections from a 9 specific machine to another machine. 10 Q Let's stop right there. What do you mean 11 he's logging connections from a specific machine to 12 another machine? 13 A This log showed that there was a 14 connection being made from -- on the Internet, each 15 machine has an associated number that goes with it. 
16 From that number, you can identify the specific 17 machine. 18 Q An IP number? 19 A An IP number is also what it's known as. 20 What I was able to do here -- let's move on to 21 State's Exhibit 7, which would be Page -- 22 Q Are you done with 5 and 6? 23 A Yes. 24 MR. SUSSMAN: Which was 6? 25 THE WITNESS: State's Exhibit 6 is 69 1 No. 21. 2 MR. TINTERA: 5 is 20. 3 I would offer 5 and 6 at this time. 4 THE WITNESS: And 7, because we're 5 going to move past 7. 6 BY MR. TINTERA: 7 Q Are you going to mark on 7? 8 A No, I don't need to. This is an 9 extension. I was concerned because in these logs 10 was continually running this program over and over 11 and logging the information. 12 MR. TINTERA: So I would offer 5, 6 13 and 7. 14 THE COURT: Mr. Sussman. 15 MR. SUSSMAN: No, Your Honor. 16 THE COURT: 5, 6 and 7 are received. 17 (Whereupon, State's Exhibit 18 Nos. 5, 6 and 7 were 19 received in evidence.) 20 THE WITNESS: State's Exhibit 8, No. 21 23, as I stated, there are numbers in there, IP 22 numbers that are embedded in that log file. So 23 what I did was, I used a simple little technique, 24 telnet commands, to go out and connect me to this 25 other machine to see whether I would get any 70 1 response. 2 It was rather interesting, because 3 when I pulled the numbers out of the log here, I 4 found that the first number that it was recording 5 ended up logging me into none other than 6 duchamp.hf.intel.com, which is one of the machines 7 right over here in Hawthorn Farms. 8 When I went out there, then down 9 here and checked the other Internet address, it was 10 pointing to a machine that existed, it was called 11 Ruby, and it was owned by O'Reilly & Associates, 12 wherever they are situated. It was outside of 13 Intel. So it was showing me basically like this 14 connect point that was connecting some outside 15 machine outside of Intel to coming through this 16 machine Brillig at my site off to another machine 17 over at the Hawthorn Farms campus. 18 BY MR. 
TINTERA: 19 Q Now, had anybody told you to set up this 20 account for Mr. Schwartz? 21 A No. 22 Q Was this -- are you familiar with the 23 firewall that protects Intel? 24 A Yes. 25 Q Was this machine inside the firewall, 71 1 outside the firewall, or part of the firewall, the 2 Brillig machine? 3 A Can I use the piece of paper? 4 Q Yeah. 5 A I'll make this very simple, couple boxes, 6 so will it be easy to understand. 7 Out here is a big cloud and they 8 call that Internet. Multiple connections going on 9 all over the world to this particular one that came 10 into our location at Intel SSD. We have a system 11 out here and routers that act as what's known as a 12 firewall. It's supposed to block the filter and -- 13 this is real simple. This basically is the 14 boundary, if you will, into Intel, and in this 15 particular point SSD. Once you get through this 16 firewall from the Internet, you are then inside 17 SSD. 18 Well, there is a machine sitting out 19 here on our network called Brillig. We then have 20 numerous different connections going across our own 21 internal network. This is the Cornell Oaks campus. 22 Way over here was another campus called Hawthorn 23 Farms, and over here was the system called Duchamp. 24 Out of the Internet here is a place called -- for 25 shortness, we'll call it ora.com, which is O'Reilly 72 1 & Associates. This system was called Ruby. 2 Q Could you put "O'Reilly" under there so 3 we have a word to associate with? 4 A (Witness complies.) 5 Q Is O'Reilly & Associates part of Intel? 6 A No, they are not. They have nothing to 7 do with Intel. 8 Q So what happened? Keep going. 9 A As I say, this was the machine I was 10 checking right here. Morrissey was concerned 11 because of things that were going on with his 12 machine over on this network within Intel. 13 Imagine this is an invisible shield 14 where within these boundaries we have the inside of 15 this protected, if you will. 
On this machine -- 16 and we'll get to the process here in a minute -- 17 was some logs being kept by continual port 18 connections. In other words, ports that were 19 outside the boundary of the filtering capabilities 20 of our routers and firewall. In other words, there 21 is a certain group of numbers or ports, windows 22 that a person can block here if they are well 23 outside of that range, then it basically means that 24 you've got a connection from point A to point B. 25 You're bypassing our firewall system at Intel. 73 1 Q Now, did anyone come to you and say, 2 "Could you set this up for Mr. Schwartz?" 3 A No. 4 Q Could you label the firewall, just put 5 "firewall" by it so we later on remember what that 6 red dotted line is? 7 A (Witness complies.) 8 Q So you saw this and what did you do? 9 A Well, if I could continue. I just 10 basically wanted to give you a description of what 11 those IP addresses that were in that evidence 12 showed, that this guy and this guy were basically 13 making a connect that was bypassing our firewalls. 14 Q Could you tell if the connection was -- 15 there are some roads that are one-way and some 16 roads that are two-way. What type of road was this 17 connection? 18 A What we were showing from those logs was 19 that it was this connection out of this machine 20 that was connecting inbound to Duchamp. 21 Q So it was coming in? 22 A Yeah, inbound connection off the 23 Internet. 24 Q Take a black marker and put an arrow on 25 your firewall going through the direction that the 74 1 connection was showing. 2 A If I could explain something here. What 3 the program itself does, is that we found on here 4 actually really provides a two-way connection. 5 It's not just as if it's a one-way pass. What 6 they've done is opened up this dual connection that 7 allows back-and-forth between systems. 8 Q So we could put an arrow going through 9 the firewall the other way? 10 A Sure. You could put inbound, outbound, 11 and so on. 12 MR. 
TINTERA: Could we have this 13 marked as State's Exhibit 18, please. 14 THE WITNESS: Okay, if I can move 15 on. 16 So the top part of Exhibit No. 8 17 shows I went out there and I said, "Let's find out 18 who the two systems are," and I went off and 19 identified them. 20 The next thing that I did, I went in 21 and I ran this thing called PS with some extensions 22 here, and I actually looked for any processes. PS 23 means processes, show me any processes that are 24 running by user Merlyn, and I found something 25 rather interesting. The date stamps and time 75 1 stamps are all out on here. 2 BY MR. TINTERA: 3 Q That's the five days plus two hours? 4 A Yeah. What we show here is that, sure 5 enough, there is this script file or a file that's 6 executing on that computer. 7 Q What does that mean? 8 A What I explained up here, we had some 9 type of a program that was running that allowed 10 this dual connection in and out of Intel via that 11 machine. 12 Q So it's just not a switch that you throw 13 to allow this connection, you have -- 14 A You have to go in and start it up. 15 Q Well, do you have to add something to the 16 computer to have this door swing both ways? 17 A Oh, definitely, yeah. 18 Q What? Is that what you're talking about 19 down here, this script? 20 A Yeah, this gate. What we found was the 21 processes that were running was a thing called 22 gate. It pointed, as you can see here, 23 user/people/Merlyn/bin/gate, which is down inside 24 his directories. The user Merlyn was running a 25 gate script. It was an executable file that was 76 1 running on that system. 2 Q Does that alter the Brillig system? 3 A Sure. 4 Q What about the network that Brillig is 5 connected to, does that alter that? 6 A Sure, it can do that as well. 7 Q So you see this gate script running and 8 what do you do? 9 A Let's move on through my charts here. 10 Okay, State's Exhibit 9, No. 24. 11 MR. TINTERA: Wait a minute. What 12 number is this? Looks like a couple numbers. 
13 THE CLERK: 8. 14 MR. TINTERA: This is State's 15 Exhibit 8, and I would offer it, Page 23, Counsel. 16 MR. SUSSMAN: No objection. 17 THE COURT: 8 is received. 18 (Whereupon, State's Exhibit 19 No. 8 was received in 20 evidence.) 21 BY MR. TINTERA: 22 Q So now you're looking at No. 9? 23 A Yeah. To follow along with what we were 24 looking at, the process we were running, I also 25 noted that he had, indeed, been on -- he had opened 77 1 up what's called a c shell, like a log-in window, 2 and he was actually looking at a tail command, 3 means show me X amount of this file. 4 Well, he was running a command 5 saying, "Show me part of this gatelog.," and then 6 the number. So he'd been in there looking at those 7 log files. 8 Also, we noticed that the "ping" 9 command -- ping basically sends out this little 10 command to another machine and says, "Are you 11 there?" So he'd also been doing that. Funny 12 enough, says ping eff.org. 13 Q What's that? 14 A Electronic foundation something. Another 15 Internet cycle machine. 16 Q Is that part of Intel? 17 A No, that's outside of Intel. And also we 18 saw that he ran a telnet command, so we knew that 19 he was running -- he had used Brillig to telnet to 20 some other machine or system. 21 Q You need to explain what "telnet" means. 22 Is that a word of art for computer people? 23 A No, it's not. Basically all it does is, 24 it's a little program that allows me, the user on 25 this system, to contact this other computer system 78 1 and it will promptly ask me back for my name or 2 password, and if I have an account on that system 3 or if I want to sit there and hack it or try to 4 crack into a system or anything, I can sit there 5 and attempt to use a name password or user name 6 password that would show up as multiple telnet. 7 In this particular case there was a 8 telnet made to some other system which was not 9 identified here. 
10 So finally what I did for the final 11 part of my analysis on this was, I had gone in and 12 found that indeed there was a user Merlyn account 13 on there, there was a directory with files run by 14 Merlyn on there and that indeed that person, 15 Merlyn, had been using the machine and was still 16 doing so when I went in to check it and that user 17 Merlyn had processes or programs that were running 18 continually on that machine over quite a period of 19 time. 20 So the final step that I did here, I 21 think that's what the last couple pages are, I went 22 down and just took a look at this thing called 23 gate, which ended up being a thing called the Perl 24 script. Perl is like a programming script 25 language. And I did no more to really go in and 79 1 decipher that other than one or two pieces to pull 2 out some information, which is -- 3 Q Is this all information that you are 4 getting from the Brillig computer? 5 A Yeah, this was all information that I was 6 getting on the Brillig computer. Anyway, I don't 7 think I need to go through and try to decipher the 8 gate script for the jury. 9 Q Are you done with State's Exhibit 9? 10 A I'm done with all of those pages now, 11 yes. 12 Q Well, where does the gate script start? 13 Could you take this purple pen and just mark "gate" 14 where it begins as you found it on the Brillig 15 computer? 16 A Are you talking about the actual physical 17 file that I went in and looked at? 18 Q Yes. 19 A Below this purple line is -- 20 Q Could you just write "gate" on that 21 somewhere? 22 A "Gate." This is the -- it's called 23 "gate." If we look at -- here is the word process 24 here. You'll see a thing running here called gate 25 and you'll see this in a number of places here so 80 1 they can see an example of process so we know that 2 the process gate is running, and then here is -- 3 Q The actual script? 4 A The script or the things that connects. 5 Q What does Exhibit 10 show? 
6 A This is just a partial extension of the 7 contents of that file. 8 Q And 11? 9 A The same thing. It was a very -- it's 10 quite an elaborate script and went on for a ways. 11 Q Is 12 part of that? 12 A Yeah, 12, and then I find et cetera, 13 et cetera, because it went on and on and I didn't 14 want to have to send a piece of paper that was 15 about this thick to people when they kind of got 16 the idea already that yeah, this was happening. 17 MR. TINTERA: Counsel, our State's 9 18 is 24, 10 is 25, 11 is 26 and 12 is 27. I would 19 offer 9, 10, 11 and 12 at this time. 20 MR. SUSSMAN: May I see those? 21 MR. TINTERA: Yes. 22 MR. SUSSMAN: Your Honor, I have an 23 objection to the portions involving the gate script 24 because it isn't the complete gate script and it is 25 my understanding that the last portion of what is 81 1 left off on Exhibit 12, Page 27, is cut off several 2 lines before the end of that script for the end of 3 the program and it is not an accurate exhibit. The 4 exhibit is not accurate and doesn't show the full 5 gate program script. 6 MR. TINTERA: Judge, I can fix that 7 if you give me a minute. 8 THE COURT: All right. 9 MR. TINTERA: If you could resume 10 the witness stand. 11 BY MR. TINTERA: 12 Q Handing you what has been marked State's 13 Exhibit 19. Can you identify -- and what we're 14 particularly looking at is this, the response on 15 State's Exhibit 12 -- what I'm looking for is this, 16 the continuation on State's Exhibit 12 where it 17 goes "et cetera, et cetera, dot, dot, dot." Is 18 this the rest of the dots? 19 A That portion right there within those 20 pages is the actual gate script. And the 21 continuation, as he said, is, I think, a few lines 22 that were missing on the bottom, if you were to 23 match this up against the other display we had over 24 there. 
25 The reason why there was the 82 1 "et cetera, et cetera," is because if you look at 2 some of this information here, I also had to 3 forward information on other scripts and so on and 4 we could have made -- 5 Q Is this the rest of the et cetera, 6 though? 7 A Yeah, this is part of. If I get past -- 8 yeah, I think this is it, because I did send -- 9 yeah, I sent all of the logs, for example, and then 10 there was some other scripts that I was a little 11 bit concerned about, one called monkey mode, good 12 for bopping around on directory retrieves and so 13 on. There was some others that I had concern for 14 and -- 15 Q What I'm asking you is, is State's 16 Exhibit 19 the rest of the et cetera when you -- 17 A Yes. As far as I recall, I did send 18 quite a large file out. What I was trying to 19 purvey is that the script went on. Rather than 20 send the whole thing and try to decipher that, we 21 had people that would decipher what the script 22 actually did for us. What we're looking at on the 23 charts here was part of an e-mail message, and 24 so -- 25 THE COURT: You need to just respond 83 1 to questions. 2 MR. SUSSMAN: If I might just 3 confer. 4 (Conference between counsel 5 off the record.) 6 MR. SUSSMAN: Your Honor, for the 7 record, I was pointing out to Mr. Tintera that the 8 first three pages of this large stack contains the 9 entire gate script. And if we include that instead 10 of the blowups, which leaves out just the last five 11 lines on Page 3 of that, then we have got the whole 12 script and we have got that one solved. 13 THE WITNESS: Right. 14 THE COURT: Instead of those other 15 exhibits or in addition to the other exhibits? 16 Could we put in 9, 10, 11 and 12 and also 19, which 17 19 shows the complete -- 18 MR. TINTERA: Let me offer State's 19 Exhibit 9. 20 MR. SUSSMAN: I have no objection to 21 9. And if we use 19, that -- 22 THE COURT: No. 9 is received. 23 MR. TINTERA: Then I would offer 24 State's Exhibit 19. 
And this is the gate script, 25 Mr. Kent? 84 1 THE WITNESS: That's right. That's 2 the additional few lines added in there. That's 3 the gate script right there. 4 THE COURT: Any objection to 19 5 then, Mr. Sussman? 6 MR. SUSSMAN: No. 7 THE COURT: No. 19 is received. 8 (Whereupon, State's Exhibit 9 No. 9 and 19 was received in 10 evidence.) 11 THE COURT: You're not offering 10, 12 11 and 12? 13 MR. TINTERA: No, Your Honor. 14 THE COURT: I don't have that you 15 have offered Exhibit 18, which is the diagram. Do 16 you intend to offer that? 17 MR. TINTERA: I do. I would offer 18 18. 19 THE COURT: Any objection to 18, the 20 diagram? 21 MR. SUSSMAN: No objection. 22 THE COURT: 18 is received. 23 (Whereupon, State's Exhibit 24 No. 18 was received in 25 evidence.) 85 1 BY MR. TINTERA: 2 Q Now, this was your initial look into the 3 Brillig machine; is that correct? 4 A That's true. And that was done, as I 5 said on Thursday, October 28th. 6 Q Now, did you receive any other 7 information from Mr. Morrissey about the activities 8 of user Merlyn? 9 A Friday, October 29th, Mark Morrissey and 10 I, we decided that it might be best if we met 11 personally rather than doing any phone conversation 12 and e-mail. So and between the hours of 10:00 a.m. 13 and 1:00 p.m., which is three hours total, Mark 14 Morrissey came by and showed me a few bits and 15 pieces of what he had found and helped me go 16 through some of the information that you just saw, 17 as well as doing some additional further checks on 18 those systems. 19 Q And was there any besides the gate script 20 that we have already heard about -- as a Systems 21 Administrator for the Supercomputer Division, did 22 you receive information that you also felt for 23 security reasons that you needed to look into? 24 A I'm sorry. 25 Q Did you receive any information about 86 1 your password file for the Supercomputer Division? 2 A Yeah. 
Immediately what we did when we 3 found out regarding the password file -- 4 Q What did you find out about the password 5 file, is what I'm asking you? 6 A Both, through copies of that file will -- 7 we're talking about -- are we talking about the 8 Brillig password file or the SSD password file? 9 Q Well, what I need -- I feel we have 10 gotten off track here. What I need to know is, was 11 it brought to your attention any information about 12 either the Brillig or the SSD password file from 13 Mr. Morrissey? 14 A Both were, because we checked the 15 password file that was on Brillig and we also 16 verified that the password file that existed on a 17 machine, a copy of a password file that was over on 18 one of his systems was indeed one that belonged, if 19 you will, to Intel SSD. 20 Q So you did participate in that? 21 A Yes. 22 Q On one of his machines, whose machine? 23 A It's still an Intel machine. It was a 24 system that was located in Hawthorn Farms. 25 Q And the name of the machine? 87 1 A Let me see if I wrote that down. I was 2 more concerned with some of the things that were 3 going on at my end. 4 I can't recall. We were talking 5 about Duchamp and Kandinsky and some other systems. 6 To verify exactly which one that was located on, 7 we'd have to reference the records from Mark 8 Morrissey. 9 Q So do you know whose account on the 10 machine you were looking at where this SSD password 11 file was? 12 A Yeah. When we looked at it, it was 13 located under an account owned by Merlyn. 14 Q Mr. Schwartz? 15 A Mr. Schwartz. 16 Q And could you tell the jury, is there a 17 difference between a password file, the size of the 18 password file on Brillig and the size of the 19 password file for the whole Supercomputer Division? 20 A Most definitely, not only in size but by 21 the users that are contained on both Brillig and 22 the SSD. 23 Q And there was an open account on the 24 Brillig computer, is that correct, for 25 Mr. Schwartz? 88 1 A Yes, there was. 
2 Q And how many other open accounts with the 3 Supercomputer Division were there? 4 A For the user Merlyn or Randal Schwartz? 5 Q Mr. Schwartz. 6 A He had already left Intel SSD and those 7 accounts had been shut down on the main service. 8 MR. SUSSMAN: I'd move to strike 9 this answer as nonresponsive to the question. 10 THE COURT: Sustained. 11 BY MR. TINTERA: 12 Q My question was, we know about the 13 Brillig computer account. How many other computer 14 accounts were there in the Supercomputer Division 15 for Mr. Schwartz? 16 A None that were known. 17 Q And does the Brillig computer contain the 18 full SSD computer password file? 19 A No, it does not. 20 Q Is there -- based on your knowledge as a 21 Systems Administrator, is there an authorized 22 manner that the full password file can be obtained 23 through the Brillig computer? 24 A If you had an account on the internal SSD 25 machines, then by all means, you could log from -- 89 1 Q That's not my question. Based on what 2 you knew on October 28th and October 29th, was 3 there a manner that Mr. Schwartz, using his user 4 name Merlyn, could obtain the full password file 5 for the Supercomputer Division? 6 A Not as user Merlyn. 7 Q And that is because he had no valid 8 accounts; is that right? 9 A That's true. No known valid accounts. 10 Q So the password file for Brillig and the 11 Supercomputer Division were found on a computer at 12 Hawthorn Farms? 13 A Yes. 14 Q And were they just -- Were there any 15 processes or programs being applied to these 16 password files? 17 A Yes. 18 Q And what were those? 19 A There was a program -- 20 MR. SUSSMAN: Question in aid? 21 THE COURT: You may. 22 23 24 25 90 1 EXAMINATION IN AID OF OBJECTION 2 BY MR. SUSSMAN: 3 Q Were these processes running on your 4 computer, the computers that you were administering 5 and examining? 6 A The processes that were running on the 7 machine at the campus where I was are the ones that 8 I brought up earlier here. 
9 Q The question was asking you about were 10 there processes running on those password files and 11 were those on your machines? 12 A No, that was not on the Brillig located 13 at Cornell Oaks. That was located in Hawthorn 14 Farms. 15 Q So your knowledge about any process 16 running on those password programs is based on what 17 you were told by Mr. Morrissey? 18 A Also by what I saw. As I mentioned, Mark 19 Morrissey and I got together and had a meeting. 20 MR. SUSSMAN: I have no objection. 21 You saw that. 22 BY MR. TINTERA: 23 Q Mr. Kent, what did you see? 24 A Well, when Mark Morrissey and I got 25 together, naturally we want to match up. He needed 91 1 to look at what I had seen and evaluated on my 2 side, and I also needed to do the same for him. I 3 mean, it's a -- we're basically doing cross-checks 4 and verifying files and things that are running. 5 When Mark logged us over into the 6 systems at his site, there was a user Merlyn on the 7 systems located there. There were files that were 8 owned by user Merlyn. There had also been the 9 processes running by the user Merlyn on those 10 systems. 11 Q What processes? Were you able to 12 identify them? 13 A Yeah. The one of main concern was a 14 program called Crack, and there is only one use for 15 the Crack program and that is to basically take 16 password files and sit there and use different 17 variables in an attempt to break passwords that are 18 embedded in that password file. 19 Q Is this a program that you've used as a 20 Systems Administrator? 21 A As Systems Administrators, we run that to 22 do checks on people's passwords and so on. 23 Q As a Systems Administrator for the 24 Supercomputer Division, did you authorize anyone to 25 copy the password file that was found on Hawthorn 92 1 Farms in Mr. Schwartz's file? 2 A No. 3 Q Did you authorize anyone to run the crack 4 program against the Supercomputer password file 5 that you found on Mr. Schwartz's computer at 6 Hawthorn Farms? 7 A No. 
8 Q And as the Systems Administrator for the 9 Supercomputer Division, has Mr. Schwartz come to 10 you in this time period -- did he come to you with 11 either security concerns -- did he come to you with 12 security concerns? 13 A Never. 14 Q Did he approach you with passwords that 15 were, in his opinion, faulty in the Supercomputer 16 Division so you could remedy the problem? 17 A Never. 18 Q As a Systems Administrator for the 19 Supercomputer Division, there any authorized avenue 20 that you know of that Mr. Schwartz could have 21 obtained the full password file for the 22 Supercomputer Division? 23 A Could you rephrase that again? 24 Q Is there any authorized avenue that 25 Mr. Schwartz could have obtained the Supercomputer 93 1 Division password file? 2 A Authorized avenue, no. 3 Q So on that Friday when you saw this 4 process being run on something from your system, 5 what did you do? 6 A Let me reference my notes here real 7 quick. 8 It was actually on the Thursday, 9 October 28th, that I went into the machine Brillig. 10 As I said, what we did up until Monday, November 11 1st, was, we monitored the system to see whether 12 there would be any other activities or file 13 transfers or anything that may be going on on that 14 machine. We wanted to verify further whether there 15 was any activities that were occurring. 16 So on Monday, November 1st, first 17 thing that morning was when we actually physically 18 disabled the Merlyn account on Brillig, and also at 19 9:30 -- between 9:30 a.m. and 2:00 p.m. at Hawthorn 20 Farms, we disabled any of the accounts that were 21 hacked, cracked, you know, the passwords, and other 22 accounts, we stopped all the processes that were 23 running on the machine. 
We removed any unknown 24 additional entries or anything that we may have 25 found in the password file groups, group files, and 94 1 at that point, we made it more widely known by 2 informing all other Systems Administrators and 3 other managers to start looking around systems 4 elsewhere at Intel for any accounts by user Merlyn. 5 Q Can you identify for this jury what 6 State's Exhibit 15 is? 7 A This is from a log file that's output by 8 the program Crack. And basically what it does is, 9 it puts a time -- date and time stamp and then 10 tells you "guess user name." Then what it does is 11 actually tells you what that guess password is, so 12 if you're running this, and I -- if I get this, I 13 can log in as user Raul because I have his password 14 on his system. 15 Q Is this referenced at all to what you saw 16 on Mr. Schwartz's computer at Hawthorn Farms? 17 A At Hawthorn Farms, yeah, this is actually 18 log file information from Crack that -- this is one 19 of the things that Morrissey and I sat down and we 20 looked at things on my machines and then also on 21 his machines at HF. This is a log file output. 22 Q Is this the list of the Crack passwords? 23 A Yeah. 24 Q From the Supercomputer Division? 25 A All of those accounts, what I did was, I 95 1 took these user names and said, "Who are these 2 folks," and all of these were accounts that exist 3 over at SSD. 4 Q And because these had been cracked or 5 compromised, what action did you take? 6 A As I stated here, immediately -- well, we 7 monitored to see whether there was any unusual 8 activity over approximately a two-day period, but 9 mainly what we did was, we immediately informed 10 those users of the incident and they went through 11 and changed their passwords to those known cracked 12 accounts immediately. 13 Q Why was that? 14 A Well, because if I get into a system that 15 has allowed these users access to them, then I can 16 log in as them and use their password and go do 17 what I want. 
I can snoop around their directories. 18 I am them, in essence. I've just become you as I'm 19 now logging in as one of those users. So whatever 20 you can get to, whatever files you own, whatever 21 e-mail you may have, I can do whatever that user is 22 allowed to do, basically. 23 MR. TINTERA: I would offer State's 24 Exhibit 15. I do have 14 from yesterday, which 25 Mr. Wilcox identified. 96 1 MR. SUSSMAN: I have no objection to 2 14. 3 THE COURT: 14 is received. 4 (Whereupon, State's Exhibit 5 No. 14 was received in 6 evidence.) 7 MR. SUSSMAN: Just a question for 8 clarification. 9 10 EXAMINATION IN AID OF OBJECTION 11 BY MR. SUSSMAN: 12 Q Mr. Kent, Exhibit 15 that you have been 13 shown, is this a list that you directed the 14 computer running the Crack program to generate with 15 the list of passwords? 16 A When we logged in as root over on the 17 machine in Hawthorn Farms. 18 Q What -- My question is unclear. Was this 19 a list that you generated, that you directed the 20 machine to produce? 21 A I was sitting right there with Mark 22 Morrissey when we did a listing of that log file. 23 Q That's what I'm asking. Is this simply a 24 list when you and Mark Morrissey sat there together 25 and asked the machine to put out a list of the 97 1 passwords? 2 A I needed to in order to contact the 3 people at my campus. 4 Q My question is whether or not this was a 5 list that you asked the machine to produce? 6 A Yes. 7 Q This was not the entire log of the crack 8 program, just the list that you asked it to 9 produce? 10 A Those are users at SSD. 11 MR. SUSSMAN: I was asking the 12 question to clarify what exactly we have here. I 13 have no objection. 14 THE COURT: 15 is received. 15 (Whereupon, State's Exhibit 16 No. 15 was received in 17 evidence.) 18 BY MR. TINTERA: 19 Q Was this activity, the gate program and 20 the operation of the Crack program, of any security 21 concern to you? 22 A Very much so. 23 Q Why? 24 A Well, for a number of reasons. 
If people 25 had a method of bypassing our firewalls, then 98 1 immediately we needed to get in and start getting 2 something done about that. 3 Security is an ongoing continual 4 job. When we go out and find things, we put 5 measures in place, and it's a continual thing in 6 this industry. The concerns that we had were -- my 7 first one was some of the people that were listed 8 on that cracked account output. 9 Q Let me ask you this. If, as State's 10 Exhibit 19 shows, there is an in and out through 11 the firewall and into the Brillig computer, if a 12 person was going through there, what -- and knew 13 the cracked passwords, what is there to stop them 14 from accessing the Supercomputer Division? 15 A There is -- as those users, there is 16 nothing. 17 Q So why was it that you waited from 18 Thursday, October 28th, till November 1st before 19 you took action to close these areas? 20 A What we did, on the Thursday, once we'd 21 gone through -- on the Friday, once Mark Morrissey 22 and I had cross-verified the user list and so on 23 that you've seen, then what we did, I immediately 24 contacted those users. I'm not going to leave 25 those users in a state of jeopardy. That's where 99 1 we began the process to get these known cracked 2 passwords cleared up. But the one thing that we 3 did -- 4 Q By "cleared up" means changed? 5 A Exactly, changed and made sure that it's 6 something that is safe this time, and I won't 7 elaborate on that any further. 8 The main thing we did between the 9 Friday and the Monday, we were checking all the 10 system logs and checking who logged in and who came 11 in when, where and how, to see whether there was 12 still activity ongoing, or attempts, for example, 13 by that user to get back to the systems that he had 14 just been cut off from or found out. 15 MR. TINTERA: Thank you. Those are 16 the only questions that I have. 17 MR. SUSSMAN: Your Honor, before we 18 begin the cross-examination, Mr. 
Kent appears to 19 have been testifying quite a bit from notes that he 20 has, which we have never seen them. 21 THE COURT: I'll give you a chance 22 to look at them. We'll recess for now. Be back at 23 1:30 and we'll try to start at 1:30. Leave your 24 notes in the jury room. Don't talk about the case. 25 Jury is excused. 100 1 (Whereupon, the following 2 proceedings were held in 3 open court, out of the 4 presence of the jury:) 5 THE COURT: Have those notes 6 previously been produced, do you know? 7 THE WITNESS: These were small 8 handwritten notes that I took over a couple days 9 here. 10 THE COURT: Let Mr. Sussman see 11 them -- you've been refreshing your memory -- and 12 after that, you're free to go and be back at 1:30. 13 Thank you. 14 We're in recess. 15 (Luncheon recess.) 16 17 18 19 20 21 22 23 24 25 101 1 AFTERNOON SESSION 2 BEGINNING AT 1:30 P.M. 3 JULY 14, 1995 4 5 (Whereupon, the following 6 proceedings were held in 7 open court, the jury being 8 present:) 9 THE COURT: We need to have the 10 State's witness resume the stand. 11 You're still under oath, Mr. Kent. 12 Mr. Sussman. 13 MR. SUSSMAN: Thank you, Your Honor. 14 15 CROSS-EXAMINATION 16 BY MR. SUSSMAN: 17 Q Mr. Kent, you talked a lot this morning 18 about your position as a Systems Administrator and 19 in general terms, you described that as somebody 20 had maintained to keep the system operating. 21 A That's right, parts of it. 22 Q That sounds like that entails a great 23 deal of responsibility. 24 A Quite a bit. 25 Q And so that virtually anything that 102 1 happens to the system or affects it is something 2 that you're going to have to deal with? 3 A Yes. 4 Q So sounds like the kind of situation 5 where it could be 20 hours of work to do in a 6 10-hour day. 7 A That can sometimes be true. 8 Q Now -- but frequently, it's the kind of 9 thing, in all seriousness, I would assume you have 10 a lot of problems, a lot of matters that come up 11 that you have to deal with in any given day. 
12 A Not all of them are problems. 13 Q But matters that you deal with to keep 14 your system operating and running? 15 A Yes. 16 Q Keeps you busy? 17 A Yes. 18 Q So if a problem comes up, it's helpful to 19 have it identified to you in advance? Like, for 20 instance, when Mark Morrissey comes and says, 21 "Look, here is a problem, there is a problem on 22 your system and here is what it is"? 23 A That's very helpful, yes. 24 Q Sure. Makes it very helpful? 25 A Yes, it does make your work easier if 103 1 somebody points something out that you've missed. 2 Q Now, as the Systems Administrator at 3 SSD -- let me back up. 4 When did you start in that position? 5 A I was trying to remember earlier. 6 Q I know you were having some difficulty. 7 We were trying to figure that out in terms of when 8 Randal Schwartz was there and in what capacity, 9 so -- 10 A I don't want to throw out an arbitrary 11 day. If I can get back to you on that. I can be 12 approximate. Would that help? 13 Q Was it in -- 14 A I believe it was late 1992 when I 15 initially started work with Intel. 16 Q Late 1992? 17 A Yeah, I believe it was around about that 18 time. 19 Q Now, Mr. Schwartz previously had worked 20 at SSD for a length of time prior to your arriving 21 there as a Systems Administrator; is that correct? 22 A That's what I understand. 23 Q He was not working directly under you 24 then? 25 A No. He was not one of the systems 104 1 administration people, no. 2 Q You were a full-time employee? 3 A Yes. 4 Q Mr. Schwartz, when he worked there, was 5 not an employee; is that correct? 6 A He was what we call a green badge, a 7 contract employee. 8 Q Green badge? 9 A Yes. 10 Q Independent contractor? 11 A Yes. 12 Q So there is a different-colored badge for 13 contract employees and for full-time regular 14 employees? 15 A We're known as -- Permanent full-time 16 employee is a blue badge. A contract employee 17 wears a green badge to identify them. 
Q And do you have any independent contractors working under you?
A Sure. We have quite a number of contractors working at Intel.
Q So you also know then the Intel policies on independent contractors?
A Pretty well-versed. They're pretty much the same as any other person that works at Intel.
Q But you know that the requirements for an independent contractor require that -- the end result is controlled by Intel, but the manner, the mode of work is not supposed to be because they're independent contractors; is that right?
A Generally, someone is hired at Intel to do a particular job for Intel, and that's what their job is explicitly supposed to be doing. So if a green badge comes to work at Intel, he's been hired by Intel to come in to fulfill one specific requirement or need that our company has.
Q So that even though they're an independent contractor, Intel treats them the same as the employee in terms of directing the way they do their business?
A That's not completely true, if you say get treated the same. There are certain differences between a full-time and contract employee and those guidelines.
Q In terms of the manner of their work, in terms of directing the manner of the work, are you saying that they'd be treated the same?
A Yes.
Q Now, to make sure that I understand some of your testimony earlier, you were not the Systems Administrator for Brillig; is that correct?
A That's true.
Q And Brillig was not one of the machines in the area of your systems?
A Brillig was in the area of our systems. It was connected to our networks.
Q It was connected but not one of the machines that you administer?
A I did not directly supervise that machine.
Q Do you, personally, know what Randal Schwartz's position was at SSD prior to your arrival there?
A I don't know too much about Randal -- I know he was a contract employee -- or what he was contracted to specifically do, other than I knew that he was not part of our team. If he was an integrated or integral part of that team, then he would attend some of our meetings, et cetera.
Q Prior to the time that you arrived there, you don't know what his positions were or responsibilities?
A No.
Q Now, you had testified somewhat about this incident with the DEC machine.
A Yes.
Q And involving the password Merlyn and its access. Did you verify -- personally verify that the account user Merlyn that was referred to was, in fact, Randal Schwartz? He was the one that was actually using that account at that time?
A That Randal was the one that was using the Brillig account.
Q That --
A The DEC account.
Q That he was the --
A Doug Smith approached me and --
Q I asked you, did you personally verify that Randal Schwartz was the person running that process under Merlyn?
A No, I was not dealing 100 percent with that specifically.
Q Did you personally talk to Randal Schwartz about that incident?
A I've never spoken directly to Randal Schwartz, no.
Q About anything?
A Other than saying "hello" if I saw him in the hallway.
Q Sure. I mean about anything involving the events of this case.
A No.
Q You were told to remove Randal Schwartz's user ID accounts from the main SSD cluster of machines, you said, sometime in 1992.
A Uh-huh.
Q Can you tell us who directed you to do that?
A Well, there were two methods that we have at Intel. One of them comes from corporate and one is locally generated. This was locally generated by management and --
Q And who was the person who told you to do that?
A It was either John Gray, who was my manager, or came through Herb Mayer, who, at the time, Randal was doing some contract work for.
Q You cannot remember which?
A I don't recall which one of those two, but I do know that, yes, I was issued the command, if you will, to go and shut his account down because he was no longer there.
Q And that was on the main cluster?
A Yes.
Q Nobody told you, however, to shut down the account on Brillig. That was your testimony, correct?
A I was ordered to investigate that, find out what the situation was, and then we were ordered, yes, to close that account down.
Q Did anybody tell you specifically to close the account on Brillig?
A I'm going to say yes to that because, yes, I was told to close the account down on Brillig. As far as the actual person I was dealing with, both Intel corporate information security people and --
Q Not talking about -- Let me make sure we're clear on the timing on this. Not talking about November 1st, after this incident with the Crack program.
A Okay.
Q Then you were clearly informed to close the account on Brillig. We're clear on that?
A Yeah. You're referencing back to --
Q I'm referring back to the end of 1992.
A No, because I was unaware that he had an account on Brillig.
Q And you were unaware? Nobody specifically told you at that time to make you aware; is that right?
A That's right.
Q You had no specific knowledge of the nature of Randal Schwartz's contracts at SSD at the time his first password -- when you were first told to disable Randal Schwartz's passwords on the SSD cluster?
A That's true. I don't know what all the contractors of Intel do.
Q In part that is because he was not working for you?
A Right.
Q Now, you discussed a term or having root access to something earlier this morning, and was there a policy at Intel that independent contractors were not permitted to have root access?
A At that particular time -- I have to get my dates and different things correct here as far as root access on systems. If a manager of a specific employee felt that that user had to have root on a specific machine, okay, or system, in order to get their work done for Intel, then that request would come through our group and it would be either approved or disapproved, but generally signed off by another manager.
Q So the manager in a group, local group could sign off on something on a request or a need to give an independent contractor root access to something?
A Yes, that's possible.
Q Even if there was a general policy that an independent contractor should have?
A Well, policies change over a period of time. They get readjusted and so on. I'm trying to, in my mind, fit in when we have adjusted certain policies to fit in with what it is you're saying. Does that make sense?
Q Makes sense. And when those policies changed, particularly things like security policies, how is that information disseminated?
A Well, it's disseminated in two ways, both in written form and verbally.
Q Like policy manuals?
A We have policy manuals, we have localized policy documents. There are three levels.
Q And are those -- were the -- Are you familiar with policy manuals on Intel security that were in effect in 1993?
A Yeah, I think I'm pretty -- I know which ones were around. But as far as all of the contents that were in a given manual at that time, because I believe that our manuals were updated, I think, every possibly three months or six months, we would get brand new ones with additional material that would be in them to cover other things that we were continually finding and adding.
Q When they came out, were they given to each Intel employee?
A As far as Systems Administrator or new people coming on board, those were generally handed out by managers.
Q To the new employees?
A To the new employees.
Q Do you know whether they were handed out to each of the new independent contractors?
A That -- I wasn't checking that. That was not part of my --
Q So you don't know?
A Don't know.
Q That's fair. Now, if I could, I'd like to go back and show you this exhibit that you were talking about, some of the exhibits that you were talking about and showing this morning to the jury. I want to direct your attention to State's Exhibit 3. This was the second page -- the second of the exhibits, and this is the page, I think, where you had the blue line pointing to the Merlyn, which was the entry for his home file, home directory?
A This is the directory.
Q Home directory?
A Yes.
Q And as I call it, the home directory is sort of like a closet where the person stores all their stuff?
A That could be viewed in that fashion, yeah.
Q And is it -- it's not uncommon in a home directory to have a wide variety of files, is it?
A That's true.
Q Now, this page of information, this is a printout of a log of the information on Brillig?
A This, as you can see, is a list command where I wanted to get an extended list of each one of these directories so that is under this directory/user/people, those --
Q That gave you the list of the people with home directories on Brillig?
A Exactly.
Q And there is a bunch of letters on this first column next to this list, and like where we have them in line with Merlyn, first column has a bunch of letters, then there is a 10 that says Merlyn and a bunch more letters.
A Yeah.
Q This first column, what do these letters mean?
A Well, the "D" basically points to the fact that it's a directory. And then the next set of letters can be broken out into three individual groups. There is user, group and world, and read, write, executable access.
Q Are those the sort of commands which tells somebody who is looking at this directory what you can do with it?
A Sure. Says whether or not you're able to go in. And, for example, if I was just -- if we look at this second thing after the user's name, that associates them to a given group which then associates with this. If I belong to that group, for example, and I had read/write access, well, I could go in as a member of that group and look at that person's file.
Q The group is in the third column?
A That's the one after the user name. Here, you'll see, for example, Merlyn, then says ISCSW. That was a particular group that his user name and account belonged to.
Q And then this is, I guess for want of a better term, the privileges that a person who is a member of that group has?
A Exactly.
Q With respect to that file?
A Yeah. It always goes user, group, and then world.
Q This code then, then we have some XR and --
A Executable and read and "W" for write.
Q The way the code is set up on Merlyn means that anybody from that group who can look at this directory can read or access anything in that home directory, doesn't it?
A Well, they can read it. They can't do any writing to it and they could possibly execute something that's in it as executable permission.
Q It's open for anybody to look at?
A Yeah. And the same with the other column here as well.
Q But the point is, my question is, it's open for anybody to look at what's in that directory.
A That's true.
Q Skip ahead to State's Exhibit 5.
MR. SUSSMAN: Maybe what we will do, because I'm not sure you can all see because the letters are small, I would ask the jury to pass this around so you can see the letters we're talking about and what that is referring to.
BY MR.
SUSSMAN:
Q Now, referring to State's Exhibit 5, at the time of this page, there looks to be another list of files that were in Merlyn's directory.
A That was one of the subdirectories under Merlyn. I was kind of curious as to what was down in this directory.
Q Now, as I recall your prior testimony, and I understand it, you could read -- take a look at it -- whatever was in any of these files in this directory.
A Very true.
Q Did you do that?
A In this particular directory, no, that wasn't relevant. I possibly went in and took a quick look at one of these files that were out here.
Q But you don't remember?
A Rather than me make the determination, I passed the information on to the people that were requesting it as to what types of things were on the system.
Q So it wasn't relevant? Didn't seem relevant to you and you didn't read?
A No.
Q So you continue?
A So I continued. You're seeing basically a progress of steps, very set steps that I took to list out the things that I was seeing and that was happening on that system, which is what I was requested to do.
Q Here we're referring to the list and the top portion of this exhibit. Let me check my notes for a second. One of the other exhibits that you referred to was this one, State's Exhibit 4, and this is the one where you pointed out that you had this .rhost file on there, and then on the bottom it had a number of more .rhost with a whole list underneath that.
A Yes.
Q This number marked .rhost, wasn't that a list of all the machines that Randal Schwartz had authorization to be on?
A As I said, I went through this and did a listing of all the different things I found on the system. Due to the fact that these systems were located in Hawthorn Farms, I wasn't questioning the System Administrator there on whether or not these systems he had the right to be on.
My concern was --
Q My question, was this a list of the other machines that Mr. Schwartz had authorization to access?
A I can't answer that to you today because I don't know where he was given access around Intel.
Q "I don't know" is a fine answer. It's really okay.
A Okay.
Q As I recall, your testimony was that the .rhost up here allowed Mr. Schwartz from Kandinsky, where it appears that he had a valid password, to log onto Brillig without doing another password.
A That's generally what the .rhost is set up for, is to allow a user to --
Q So that's correct, that was an accurate statement of your testimony?
A You're just saying what I said earlier.
Q That's what I'm saying. We have got that straight. Now, to set up this .rhost file on Brillig, Mr. Schwartz would first have to log onto Brillig with a valid password, wouldn't he?
A Yeah, he would have had to have an account.
Q And he would have had to log onto Brillig with that account first in order to set up the .rhost file?
A The .rhost is never set up by an administrator on a system, so, yes, it was created by him on that system.
Q By the person with the account on the system?
A By the person with the account on the system.
Q One other question. On the list that we had down here on Kandinsky, there was one you referred to that it had referred to root on Kandinsky or root on Wyatt. Those would be the machines that he had root access on somewhere else?
A As I said, I don't know whether he was given root permission on those other systems.
Q But it would appear that from that?
A Possibly.
Q Having the root access on Kandinsky, the log into Brillig using this .rhost from Kandinsky doesn't mean that he gets root access to Brillig, does it?
A If the root password is the same as the one that's on the other system, then it would allow him that access.
Q But doesn't necessarily mean that he gets -- by creating the .rhost file that you get the root access?
A Doesn't directly point that he has that capability, no.
Q I just wanted to get that clear.
A No.
Q Now, you had testified that, in describing this exhibit over here, this chart, that Mr. Schwartz was kind of -- by setting up this gate program was bypassing the firewall. Wouldn't it be accurate to say that actually it created a system that went through the firewall?
A Yeah, that might -- there is lots of ways you could probably describe gate.
Q By the way, was Brillig on the same network as the machines at Hawthorn Farms?
A Well, yeah, it was attached to part of the Intel-wide area network, yes.
Q And so it was through that, when you and Mark Morrissey were communicating about what he was finding on his machines and seeing what was going on in your machines, you didn't have to go over to Hawthorn Farms from Cornell Oaks to do this stuff?
A Oh, no. I mean, we did have a meeting where we worked together from his location to my location to cross-verify everything, but by no means. You could do this from anywhere within that Intel network.
Q Could have done it from Santa Clara, California?
A If that's part of the Intel network, inside the wide area network, then by all means.
Q So where you were located really doesn't matter because of the way you were able to communicate with each other through this Intel network?
A That is true.
Q So geography doesn't mean anything in terms of your ability to communicate --
A That's correct.
Q -- and do the work for Intel at the various locations?
A That's true as well, too.
Q Let's go back and take a look at State's Exhibit 8. This is, as I recall, where you were running your analysis on the gate program and the log and where the connections were being made.
A Wasn't analysis but, yeah, I went in to see what processes were running on that system.
Q And you ran some processes, yourself, to see what it was doing?
A What I did here, as I explained earlier, I went through and made a listing of things that were happening on that system. I didn't look into them. What I did here, if you look at this, I'm doing a process and looking for any process that's running on that system by user Merlyn at that time.
Q Now, you found an address that looked -- this address up here that we're talking about where it shows --
A Shows an IP address up here and shows one up there, too.
Q And that was the IP address that caught your attention that looked like one that you wanted to investigate?
A The next logical step after I saw this was, I see IP addresses embedded in this and I decided to say well, who was he running this gate script against, and that's what I did here to show that system.
Q Then the IP address is really like to call up the identifying number for a computer?
A It's a national standard numbering system for systems that are connected to the Internet or networks.
Q Using an analogy that the jury has heard, it's sort of like a telephone number for --
A Exactly.
Q And you then did something to find out what was the machine associated with that IP address?
MR. TINTERA: Which address are you talking about?
THE WITNESS: There are a number of things you can go through as Systems Administrator. Let's look at what I did here.
BY MR. SUSSMAN:
Q Let's talk about what you did here. You found the IP address and --
A This is the command here.
MR. TINTERA: Which one are you talking about?
MR. SUSSMAN: Let me show you. Page 23.
MR. TINTERA: I know where you are.
BY MR. SUSSMAN:
Q So we're talking about Fugi telnet and the address 143.1 --
A Right there is the command I read.
It's a telnet command to that telephone number. It's like dialing that number. I got an answer from the other side. Systems sends me a prompt back and asks me to input my log-in. Its identifier was that system name. I then took the other IP address that was listed in here and I did the same thing and I had telnet to that other IP address. It came back and told me its identity was a system called Ruby.
Q So you had to then kind of initiate a process or a program to get that computer?
A Telnet is a process, yeah.
Q And did you have permission from the owner of that machine to telnet to --
A Sure, that -- Intel was the owner of that machine. I work for Intel.
Q How about telnet to this, to the machine at this IP address that you telnetted to, Fugi telnet 141866525?
A I dialed the number. If you want to look at it as a dialing mechanism. I dialed the number to see who was on the other end of the line.
Q Do you need permission from telnet to telnet somebody outside of Intel?
A Generally not. You can sit there to see if you can get connection or things of that nature if you are hacking or cracking or doing whatever on the systems.
Q But then you didn't have permission from the owner of that IP address to telnet into that one, did you?
A I didn't call them up on the telephone -- how am I supposed to know who that person was without initially finding out what that IP address was assigned to?
Q You didn't have permission to telnet to that IP address? You did it because you were trying to solve a problem?
A Exactly. It was like a puzzle and I'm trying to put pieces together to get some answers to what I'm seeing here to provide people who were asking me that information.
Q Do you know whether inbound telnetting to that address was authorized by the owner of that IP address?
A As I said, without me doing a telnet to that IP address or without going through months and weeks of investigation trying to find out who that IP address is assigned to in that process, I would never have known who this ended up being.
Q So you did it whether or not it was authorized to find out who the owner of the machine was?
A It's a process that everybody on the Internet uses. Everybody sits there and telnets to different machines. You do it using Netscape to get to the Worldwide Web and --
Q You do it because it's something you have to do to get a job done?
A In that particular case, yes, I had to find an answer and I did.
Q And by doing that, you started -- you actually initiated the response from the computer on the other end, the response meaning that it sent back an identifier as UNIX Ruby?
A Right.
Q And let me ask you something. When you asked the computer on the other end to identify itself, you start that process, don't you alter that machine?
A No, I didn't alter it. It sends back a logging request so it will fire up a thing, tell me -- "Okay, tell me who you are." In that sense, it prompts me to send a log-in back. Other than that, if you notice, I didn't give any input, I didn't send a password or anything. I immediately cancelled the connection.
Q But you required it to do something else, an additional function?
A Something that that system is used to doing.
Q Remember I showed you there was a list of files on one of the exhibits I asked you to -- it was one of the subfiles, subdirectories that you were looking at in the home directory.
A If you have the exhibit, I'd like to look at it rather than trying to figure out what you're talking about.
Q Sure. Going back to Exhibit 5, I was referring to this set of directories up here.
A Okay.
Q Just to refresh your memory.
When you testified this morning that putting the gate program on Brillig altered the system, wasn't it also accurate to say that simply entering those files into a computer system alters the system?
A Sure. That's another method of doing that.
Q Working on those files once they were in the system alters them; is that right?
A Restate that.
Q Then would also, once those files are in the system, going into it and working on the files alter the system?
A To what are we referring, may I ask?
Q If Mr. Schwartz went into any of the files that we just showed you and worked on them and changed them or did anything to the files --
A Yes, it would alter them.
Q -- under your definition, that would also alter the system?
A Yes.
Q Logging into Kandinsky, his own machine, would alter the system? The act of logging in, would that alter --
A Referencing the way you explained it earlier, I would have to answer yes to that.
Q Logging into Brillig using the password would alter the system?
A You're using the system, so, therefore, anything you do on a system in some way, form or fashion makes that system respond. So, yes, it's altering.
Q And so then logging into -- For instance, logging into Brillig from Kandinsky with a valid password would alter the system?
A In a system function way, but not in a user way.
Q Now, you had mentioned earlier that you were -- when your understanding Mr. Schwartz's work or contract ended with SSD, you were asked to disable his password. That is the standard practice at Intel, that when somebody's contract or employment ends, their account, their password is disabled on the machines in that area?
A Yeah. That's one of many things that, when a person leaves or is terminated, occurs.
Q Is the person also given written notice then that their password is being disabled and they are no longer to use the machine?
A Well, generally most of it is taken care of verbally.
Q Typically you know because your password is disabled?
A That's true.
Q And now, in going through the exhibits, you mentioned that there was a script written in a programming language called Perl, which was the directions -- the operating instructions for the gate program.
A Yeah, I recall that. That was one of the things that we had.
Q Now, Perl is -- to make sure I'm clear -- is sort of a programming language?
A Yeah, it's a programming scripting language that Mr. Schwartz was a technical writer on and had some proficiency in, yes.
Q In fact, he's quite expert on that?
A I'd say so. By now, yes.
Q Are you able to read Perl?
A Well, there are some commonalities between different scripting languages. Sitting here right now, no, I'm not an expert in Perl by any means. And it was passed on by me to other people to interpret.
Q So when that gate script came up, could you read and interpret the script?
A I didn't even bother to go through and try to interpret it. I was gathering information and passing it on to people.
Q I just want to know if you had done that.
A No.
Q Now, you were informed by Mr. Morrissey about the fact that there were password files in SSD. There was a copy of the password file from SSD in one of his -- in the directories of one of his machines.
A Right.
Q The original password file was still at SSD?
A Still existed there.
Q The password file on Brillig still existed?
A Yes.
Q It was simply a copy that had been made?
A Yes.
Q And on Brillig, anyone with a valid password on that machine could read the password file?
A Wrong. Only the password file on Brillig. If you only had an account on Brillig.
Q I thought that's what I asked.
A Okay. Yeah. I misinterpreted the way you were coming out with that.
Q Just to make sure, that is my question.
If you have a valid password account on Brillig, you can read Brillig's password file?
A Right.
Q Now, there are how many other Systems Administrators besides yourself at SSD?
A Now or then?
Q At that time. Let's talk about at the end of 1992.
A Okay. Have to count here for a second. There were approximately about four, maybe five people in addition to me.
Q Just before the break, I was asking you -- there were some questions asked about the exhibit listing the passwords from --
A You'd have to refresh my memory to that with the exhibit.
MR. TINTERA: No. 15, I believe.
MR. SUSSMAN: Thank you.
BY MR. SUSSMAN:
Q State's Exhibit 15.
A Yeah, I recall that.
Q Do you recall this one?
A Uh-huh.
Q Did you happen, did you just -- When I asked you some questions at that time, you indicated that was the list that you generated of the passwords that had been cracked.
A That was the list that was generated. I didn't say I generated.
Q Okay. It was generated. Who generated that list?
A The one that you're looking at right there?
Q Yes.
A That was done by Mr. Morrissey.
Q Did you look at the entire output of the Crack program?
A I was more intent, as I stated earlier, with those passwords which were associated to users at my specific facility.
Q So the answer is no?
A The answer is no, I didn't look at every piece of them. I'm just getting some water. My mouth is a little dry. If I could break for two seconds. Thank you.
Q Mr. Kent, were you aware of a policy that requires a message to be put on the screen of each computer which says that "Use of this system by unauthorized persons or in an unauthorized manner is strictly prohibited"?
A On all of the systems that are --
Q Are you aware of that policy?
A Yes.
Q Is that done on each of the machines at SSD?
A Brillig may have been -- not had that on there because it was not updated with all of the other system files. In other words, the IP files that were on the network.
Q Was that message on each of the machines in your system in October of 1993?
A If I recall, we did have what you call the "message of the day" that come up that said, "This machine is unauthorized use." Whatever it has on that banner, yes.
Q But you don't know whether that was on Brillig?
A That's true.
Q Now, nobody told you specifically to disable the account name Merlyn on Brillig, right? We have established that. Nobody told you in December? Not in November of 1993? But prior to that time --
A Sometime earlier.
Q Prior to that time, nobody had told you to disable the account of Merlyn on Brillig?
A No. I was not informed on that specific machine.
Q And you, of course, didn't tell Randal Schwartz that he couldn't use Brillig prior to November 1st, 1993?
A I suppose. I think I mentioned earlier to you, I had very little contact with Mr. Schwartz.
Q You don't know if anybody else told Randal Schwartz that he could not have access to Brillig prior to that time?
A That's true.
Q And your lack of information, your perhaps ignorance of whether or not Mr. Schwartz had an account on Brillig and your mistake in not disabling that account doesn't mean that Mr. Schwartz knew that that account was supposed to be disabled, does it?
A He had already left Intel SSD. Other accounts were closed down. We missed one system and yet that system was still being used by the defendant.
Q You don't know that that -- You don't know whether anybody else had had any discussions with Mr. Schwartz about the use of that machine?
A That's true. I think I stated that earlier.
Q Now, after Mr.
Morrissey notified you about these processes running on October 28th, you attended a meeting the next day, a meeting I think referred to in your report or Mr. Morrissey's report as a bridge meeting.
A Yeah, we had a meeting. I believe that meeting was possibly held in a room. I don't know that we did it via bridge, but yeah, we had a meeting of some kind, if I recall.
Q And the meeting was to decide what was going to be done about the situation involving Randal Schwartz?
A It wasn't so much that. It was basically to look at all the information that we pulled together and kind of tried to decipher some of that and where should we go next. I mean, we had to figure out what we were going to do with what we had in front of us.
Q And also some discussions about continuing to monitor the activities that Mr. Schwartz was engaged in?
A We decided to keep an eye on it to see if there was additional activities that might be occurring.
Q And the decision was made at that meeting before the weekend to call the -- contact law enforcement authorities and prosecute Mr. Schwartz; isn't that right?
A I don't know. I wasn't involved in that part of it. I can't answer that.
Q You were involved in the monitoring of Mr. Schwartz's computers and activities over the weekend?
A Not his computers. I was looking at a specific system that's owned by Intel, not Mr. Schwartz.
Q So you were involved in monitoring those systems that Mr. Schwartz had been accessing?
A True.
Q And over the weekend, you found no attempt by Mr. Schwartz to log in to those systems, did you?
A That's true.
Q And you checked those systems also for Mr. Schwartz -- the files Mr. Schwartz had on these systems to see if there were files from SSD that he shouldn't have?
A We scanned through there to make sure there wasn't any proprietary information.
Q And you found nothing?
16 A That's true. 17 MR. SUSSMAN: Thank you. I have 18 nothing further. 19 20 21 22 23 24 25 139 1 REDIRECT EXAMINATION 2 BY MR. TINTERA: 3 Q Mr. Kent, when you looked at directories 4 in the files on the Brillig machine associated with 5 user name Merlyn, the defendant, did you see any 6 indication that those files were related to 7 compiling or regression testing? 8 A I mentioned earlier, I really didn't go 9 into depth on what those purpose scripts were 10 capable of. My main target was to investigate the 11 machine, find out what was going on, pull together 12 information, and then if there was anything in 13 regard to those files, we had one other person, if 14 I recall, I don't recall their name, that was very 15 knowledgeable of SSD-based compiler-type files. 16 And I had a quick scan through the directories to 17 see whether they could find anything that was 18 relevant to possible code that was owned by Intel 19 SSD or was used by them. 20 Q Did the gate program relate to or gate 21 script relate to compiling or regression testing? 22 A Not that I know of. As far as I know, it 23 has -- from my understanding of it, it's used for 24 one purpose only, and that's what's called the port 25 reflector, which allows you to make connection from 140 1 one point to another. That's all it's important 2 for. 3 Q So your answer in regard to telnetting 4 would be the same, has nothing to do with compiling 5 or regression testing? 6 A Exactly. All it is is a method of 7 communication. In the case of gate, it basically 8 sits there and opens up a dual-way channel. When 9 you telnet, you're trying to connect the one given 10 point and make a connection to it. 11 Q Counsel asked you under his definition of 12 "alter" whether logging onto a computer would be 13 altering a computer. Do you distinguish logging 14 onto the computer Brillig and installing the gate 15 script on the computer Brillig as an alteration? 
16 A Well, the log-in, itself, is an 17 alteration because it now makes a new entry in a 18 log file. Adds a new file on the system because it 19 expands the disk size, running that file you've put 20 on there because now it opens up a process on that 21 system that wasn't running before. 22 So if you look at it from that 23 perspective, very much so. Anything you do to a 24 computer, if you touch its keyboard and attempt to 25 access it, is changing and altering that system. 141 1 Q Well, so is it the same as adding the 2 gate script? Is that what you're saying? 3 A Well, there are things that the system 4 does to itself to keep itself running, and then 5 there are things that users do on that system, so 6 there is a differentiating line right there, things 7 that the system does and then things that users do 8 to get into that system will do to it. 9 When I go in and I attempt to 10 telnet, for example, into a machine, I send it a 11 command. Well, that command's operating system or 12 the systems side of it knows to send him a response 13 asking who he is. 14 When I go on and log in as a user, 15 it does the same thing. Once I'm logged in as that 16 user, it opens up this little program that allows 17 me to get into my directory. Now, once I'm on 18 there, if I copy any files onto or off of that 19 system, I've altered the system. Not the system 20 portion of it, but the user side has done that. 21 If the user goes in and starts up a 22 process of a file that he put on that system, then 23 he is altering the system, not the system side of 24 it. Even though there may be some correlation 25 between the process or program he's running and the 142 1 system function, it's the user that decided to 2 start it up that makes those changes happen. 3 Q Does the gate script alter the operation 4 in Brillig's case, the operation of the computer? 5 A Yes. 6 Q Does a log-in alter the operation of the 7 computer? 8 A The log-in being a telnet or another 9 log-in to the system? 
10 Q No. Just a log-in as -- Well, let's say 11 Merlyn logs into Brillig, does that alter the 12 operation of the computer? 13 A Yes, because now it's fired up a process 14 to enable that user to log into the system. 15 Q So if he has an account, that's an 16 authorized alteration; is that correct? 17 A Sure. 18 Q And did anyone authorize the installation 19 of the gate script to the Brillig computer? 20 A From the SSD administrator's perspective 21 and so on and the management that I talked with, 22 no. We normally do not generally have people put 23 tools like this on their systems, not without 24 permission of some kind from someone. 25 Q Sure. 143 1 MR. TINTERA: Thank you. That's all 2 I have. 3 MR. SUSSMAN: Couple questions. 4 5 RECROSS-EXAMINATION 6 BY MR. SUSSMAN: 7 Q Mr. Kent, you, as the Systems 8 Administrator, are responsible for systems security 9 at SSD? 10 A That was part of my work. 11 Q And the passwords which were cracked? 12 A Can you wait for a second while we wait 13 for the Blue Angels to fly over? 14 Q Certainly. 15 A I'm sorry. 16 Q That's fine. 17 Brillig was, as you said, was a 18 machine that was attached to that system? 19 A To which system? 20 Q The system that you administer. 21 A No. To the network systems that we 22 administer, yes. 23 Q But it was a machine that you were 24 concerned about security on? Is that within your 25 purview? 144 1 A It was a machine that I was concerned 2 about security on? 3 Q Yes. Is that within your area of 4 responsibility, security? 5 A Not to that level, because the 6 responsibility, in essence, for a machine that is 7 not getting updated and in complete control, if you 8 will, of the IT organization, is due in part both 9 to the manager and the people that are utilizing 10 the system to do the necessary work that they need 11 to do. 12 Q But the main cluster of SSD machines 13 were -- 14 A Definitely. That's my testimony. 15 Q That was your testimony? 16 A Yes. 
17 Q And it was the password file from the 18 machines that you were responsible for that was 19 cracked? 20 A Uh-huh. Not the one on Brillig. It was 21 our big master password file that was being 22 cracked. 23 Q That meant that was an indication that 24 the passwords on that system weren't secure, isn't 25 it? 145 1 A Not -- it depends on the date when the 2 file was taken, that's one thing. As I mentioned, 3 we started up a policy there of running Crack and 4 the method would be to inform any users whose 5 passwords were cracked over a period of time to 6 go -- 7 Q When was the last time that you had run 8 Crack on the system before -- 9 MR. TINTERA: Oh, I object. This is 10 way beyond anything that I asked on redirect. 11 MR. SUSSMAN: I will concede that, 12 but Mr. Kent is on and if I could finish this line, 13 I will not have to call him back. 14 MR. TINTERA: Well, then I would ask 15 that he -- I don't object to that, but he needs to 16 use a different line of questioning and not a 17 leading line of questioning. 18 THE COURT: All right. You may 19 proceed with direct, but don't lead the witness. 20 MR. SUSSMAN: I'm trying to remember 21 the last question. 22 MR. TINTERA: You were asking about 23 Crack. 24 THE WITNESS: You were. 25 146 1 DIRECT EXAMINATION 2 BY MR. SUSSMAN: 3 Q When was the last time you had run Crack 4 prior to October 21st, 1993? 5 A The first time or the last time? 6 Q The last time prior to that. 7 A We were generally going in three-month 8 cycles. It was a continual running process. I had 9 a system that was sitting off that was not 10 connected so everybody could access that. It was a 11 specific Systems Administration system that was 12 running that program and we had that running in a 13 continual cycle. 14 Q Were you surprised to find out about 40 15 or 50 passwords had been cracked on your system? 16 A Some of the things that we could do -- 17 Q The question was, were you surprised? 18 A Was I surprised? 
I'll have to say that 19 partially, I'm not surprised that some were broken, 20 but that doesn't necessitate anybody going off and 21 doing it by themselves just for the fun of it. I 22 was doing it as part of my job, and however 23 ridiculous the password is, part of the job is to 24 find out who the user is and approach them and say, 25 "I'm sorry, but your password is not safe." 147 1 And if that password is not safe, 2 then really you have to kind of monitor -- not 3 monitor, but you have to hand-hold these folks to 4 get the message through to them not to cycle bad 5 passwords. They could do a new one and might take 6 me another three weeks to crack the new one, but as 7 soon as I found out that one was bad, I find out 8 they may have gone back and used a previously bad 9 one. 10 But through our monitoring process 11 that we started implementing piece-by-piece to find 12 these things, that's virtually eliminated now. We 13 run that continually at our sites. 14 Q At the time, you were running it on 15 three-month cycles, did I hear you say? 16 A It's a three-month cycle because we like 17 to keep it the same way with the Novell systems and 18 so on. Novell can be set up to where we can see 19 you need to change the passwords today. On the 20 UNIX system, it's a little different. 21 MR. SUSSMAN: Thank you. Nothing 22 further. 23 24 25 148 1 CROSS-EXAMINATION 2 BY MR. TINTERA: 3 Q Is it fair to say that your Systems 4 Administrator group was taking care of your own 5 password security in making sure that they were 6 running a crack program in your own Supercomputer 7 Division? You were doing that on your own, right? 8 A We had started doing that. That was one 9 of the things we implement in conjunction with our 10 corporate information security group, who would 11 also assist us with the same process. 12 Q And Mr. Schwartz wasn't part of your 13 group or of corporate security, was he? 14 A Not at all. 
15 Q And you hadn't sent out e-mail through 16 Intel's corporation saying, "We're all swamped, 17 could some other Systems Administrator, anybody who 18 has the time, come in and help us out here to check 19 our passwords?" Did you do that? 20 A Did I do that? As I mentioned -- 21 Q Did you ask for help in running the SSD 22 group as a Systems Administrator? 23 A No. Other than talking directly to the 24 corporate information security people who offered 25 us a better machine that would run faster to enable 149 1 us to speed that process up, no, nobody else at all 2 had that capability. 3 MR. TINTERA: Thank you. 4 5 REDIRECT EXAMINATION 6 BY MR. SUSSMAN: 7 Q If somebody else found the problem with 8 your security, you would want to know, wouldn't 9 you? 10 A I'd want to know right on the spot, but 11 I'd expect people that were finding situations to 12 report that immediately. 13 MR. SUSSMAN: Nothing further. 14 MR. TINTERA: I don't have any other 15 questions. 16 THE COURT: Thank you. You may step 17 down. You're free to go. 18 You have a matter for the Court? 19 MR. TINTERA: Judge, I wanted to let 20 you know that the continuing cooperation of the 21 District Attorney's Office with the defense, I have 22 agreed to not object to take Ms. Tanya Herlick's 23 testimony over the telephone. 24 THE COURT: That's scheduled -- you 25 anticipate doing that next week? 150 1 MR. SUSSMAN: We do, Your Honor. We 2 had anticipated and scheduled it for Tuesday 3 morning, but given the pace that we're moving, it's 4 clear that the State will not be finished today and 5 so we can take her testimony as late as Wednesday 6 morning, but not later. So in order to try not to 7 ask the State to cooperate any further by 8 interrupting their case on Tuesday morning, we can 9 wait until Wednesday, but not any more than 10 Wednesday. 11 THE COURT: How lengthy do you 12 anticipate her testimony will be? 13 MR. 
SUSSMAN: Approximately, I would 14 say a total, being generous, approximately a half 15 hour. 16 THE COURT: You're anticipating 17 doing it on a speaker phone and asking the jury to 18 listen to and -- as opposed to doing it and having 19 somebody take it down and having them read it or 20 have it read to them? 21 MR. SUSSMAN: I had actually 22 contemplated doing it by speaker phone, yes. 23 THE COURT: Sometimes that works and 24 sometimes it doesn't work very well. What I'm 25 saying is, if you could agree to a procedure 151 1 whereby the two of you would get together at some 2 point, we could have an oath administered to it, 3 and I would cooperate, and we can do it at some 4 mutual time and have it taken down and then read to 5 the jury, like sometimes depositions are read. 6 That would be another procedure. Then we could do 7 it at any time. We wouldn't have to do it just 8 when she was available or worry about interrupting 9 the State's case. 10 MR. SUSSMAN: I appreciate that, 11 Your Honor, but I think that to the extent that we 12 can't have her present, I'd like to do it even if 13 it's by telephone. 14 MR. TINTERA: I should also tell you 15 that I've been provided a list of the proposed 16 areas of inquiry and that's specifically what you 17 have agreed to, just those areas. Unfortunately, I 18 misplaced that area. It's here somewhere, or I 19 marked it as an exhibit and you have it, but it's 20 somewhere. But that's the parameters that I expect 21 and I expect that will be within those parameters. 22 THE COURT: We'll work out the 23 details. We'll talk about how we're going to do it 24 more specifically with the speaker phone later on. 25 MR. SUSSMAN: One other matter. We 152 1 have been discussing these things and Clayton 2 Kirkwood was an Intel employee and somebody on our 3 list and was somebody that we had proposed to -- 4 the State has told me they wish to call 5 Mr. Kirkwood, themselves. 
If they wish to do that 6 without bringing him up here, that's fine with me, 7 if they can do that by telephone. 8 Given the time the last witness the 9 State is calling now, the next witness is 10 Mr. Morrissey, and rather than do this in front of 11 the jury, I would anticipate -- even if 12 Mr. Morrissey's testimony isn't quite as long as 13 Mr. Kent, it will be rather lengthy on direct and I 14 would -- if it goes till close to 4:00 or so this 15 afternoon, it would be my request that we break at 16 that point. My cross-examination of Mr. Morrissey 17 will be very lengthy. I don't believe that we 18 could finish him today. 19 THE COURT: We're going to get to 20 where we won't finish this next week, because I'm 21 not available Monday. We have one juror that can't 22 be here the following week. I'm going to be here 23 for two more weeks. That's not a problem. But 24 we're going to run into some problems with these 25 people. 153 1 MR. SUSSMAN: I do understand that. 2 There are some things that have come up. And 3 Mr. Cower also informed me, by the way, he had 4 hoped to catch a flight at 5:00 o'clock or so. 5 THE COURT: I'm sure he'll stay 6 around as long as he needs to be. 7 MR. COWER: I just hope to catch a 8 flight. 9 MR. TINTERA: I do have a witness 10 who is -- who will be a lot briefer, I think, than 11 Mr. Morrissey, but it's not going to take us to 12 5:00 o'clock. I don't like the idea of just 13 working till 4:00 and giving the defense the 14 weekend plus Monday to get ready to dig into 15 Mr. Morrissey. 16 THE COURT: I think we'll take 17 Mr. Morrissey and we'll see when we end up, but I'd 18 like to try to work until 5:00. And that means 19 that if we break in the middle of 20 cross-examination, then that means we break in the 21 middle of cross-examination. 
22 If I do that, I likely will be a bit 23 more friendly towards bringing -- asking a few of 24 the questions again and getting us back in -- you 25 could lead him a bit in order to get back to 154 1 wherever we were on Monday, because I know it's a 2 handicap when you start and you stop for three days 3 and you start again. I'll try to work with you. 4 MR. TINTERA: You say Monday, you 5 meant Tuesday. 6 THE COURT: Yeah, I did. 7 Mr. Tintera, call your next witness. 8 MR. TINTERA: Mark Morrissey. 9 10 MARK WILLIAM MORRISSEY 11 called as a witness on behalf of the State, having 12 been first duly sworn under oath, was examined and 13 testified as follows: 14 15 THE CLERK: State your full name and 16 spell it for the record, please. 17 THE WITNESS: Mark William 18 Morrissey. M-o-r-r-i-s-s-e-y. 19 20 21 22 23 24 25 155 1 DIRECT EXAMINATION 2 BY MR. TINTERA: 3 Q Good afternoon. Mr. Morrissey, could you 4 tell the jury how you're employed now? 5 A I'm the manager of computing facilities 6 at the Department of Computer Science and 7 Engineering for the Oregon Graduate Institute in 8 Beaverton. 9 Q And in a thumbnail, what does that mean? 10 A I manage the people responsible for 11 managing the computers and networks for the 12 Department of Computer Science. 13 Q And how big a group of computers are we 14 talking about? 15 A About 250 systems. 16 Q And what type of training or education 17 have you had to make you qualified for this 18 position? 19 A I have approximately 15 to 17 years in 20 the computer industry. I have undergraduate work 21 in computer science and just finishing my Master's 22 degree in computer science at the Oregon Graduate 23 Institute. 24 Q Have you worked for Intel? 25 A Yes, I have. 156 1 Q And do you know when you started working 2 there? 3 A 1991, I believe, the fall of 1991. 4 Q And have you ever worked with Dirk 5 Brandewie? 6 A Yes, I have. 7 Q And when did you work with him? 
8 A I worked with Dirk Brandewie from the 9 time of my employment at Intel until April of 1993. 10 Q So '91 to April of '93? 11 A Yes. 12 Q In April of 1993, you changed positions? 13 A Yes, I did. 14 Q To which position? 15 A I became a senior network engineer 16 working for Bob Wilcox in the IPG Network Services 17 groups with Intel. 18 Q Was that also with a contractor named 19 Randal Schwartz? 20 A Randal was also working for Bob Wilcox, 21 yes. 22 Q Bob Wilcox's group wasn't very big, was 23 it? 24 A No. It was a very small group. 25 Q How many? 157 1 A Probably about five or six. 2 Q And you were one? 3 A Yes. 4 Q And Randal Schwartz was one? 5 A Yes. 6 Q And you started that in April of 1993? 7 A Yes. 8 Q What were your responsibilities? What 9 was the name of the group that you were with with 10 Dirk Brandewie? 11 A It's the Architectural Development Labs. 12 Q What did you do over there? 13 A I did technical project management for 14 the organization responsible for Systems 15 Administration for that lab. 16 Q When you were working there, were you 17 familiar with a computer by the name of Mink? 18 A Yes. 19 Q And was there ever an occasion towards 20 the end of your tenure at that -- with that group, 21 that you and Mr. Brandewie became aware of a gate 22 program on the Mink? 23 A Yes. 24 Q Could you tell me what happened? 25 A Dirk Brandewie came to me and explained 158 1 to me that there was a program running on the 2 machine that appeared to allow -- that he was 3 concerned that it appeared to allow access to the 4 Intel networks in a way that was not authorized. 5 Q Do you know the function of the Mink 6 machine? 7 A The Mink machine is one of the few 8 machines at Intel Corporation which allows people 9 inside the company to access computer networks 10 outside of the company directly. 11 Q And does it allow access to people 12 outside of the company into Intel? 13 A Not originating outside of the company, 14 no. 15 Q So it's a one-way street? 
16 A That's its intention, yes. 17 Q Did you look at this computer Mink in 18 regard to what Mr. Brandewie told you? 19 A No. 20 Q What did you do? 21 A Dirk informed me that he had evidence 22 that, in his opinion, the program was being run by 23 contractor Randal Schwartz, and I suggested that we 24 go and talk to Randal. 25 Q Did you do that? 159 1 A Yes, we did. 2 Q What happened? 3 A We explained to Mr. Schwartz that his 4 program could be used from outside of the -- to 5 gain access to the Intel network from outside of 6 the company. And, in fact, I had gained access to 7 the Intel network from an account that I had at the 8 Oregon Graduate Institute to verify that it could 9 be used to gain access in violation of Intel's 10 security procedures. 11 Q Let's slow down. You did what? 12 A I logged onto my account at the Oregon 13 Graduate Institute. 14 Q Is that inside or outside of Intel? 15 A It's outside of Intel. And based on our 16 analysis of the program, I attempted to access this 17 gate program from my account at the Oregon Graduate 18 Institute and was able to do so successfully. 19 Q And are you aware -- Did you know a 20 computer address so that you could use this gate? 21 A Yes. The computer address effectively -- 22 the actual address was mink.intel.com, or we give 23 you a mnemonic name and the computer translates it 24 into a number that it uses for contacting -- 25 Q But you knew that, right? 160 1 A Yes. 2 Q Did you know a port address, too? 3 A We were able to determine by looking at 4 the program to determine what port to use. 5 Q Just because you knew that information 6 was the only reason you could access that or use 7 the gate, isn't that right? 8 A Not necessarily, but that is how, by 9 looking at it, I was able to determine that 10 information. 11 Q Well, was that gate a secure gate so 12 that -- Are there other ways that that gate could 13 have been used, I guess is what I'm asking? 
14 A Well, it appeared to only have one 15 function, but there are other ways it could have 16 been discovered that it was there and used by 17 others, yes. 18 Q Are you familiar with those methods? 19 A Yes. 20 Q And what would those be? 21 A One of the methods is -- a common term 22 for it is a robot, that being that on the Internet, 23 the way you address things is through a particular 24 type of numerical addressing. There are programs 25 that guess what those addresses are and then these 161 1 ports have a limited number, they're usually less 2 than -- between 1 and 32,365, or something like 3 that, and they do what's called probing those ports 4 to see whether or not some form of service is being 5 offered that someone could then come back and take 6 a look at to see if they could make use of it. 7 Q Well, with 32,000-plus ports, wouldn't 8 that take quite a bit of probing, a long time? 9 A I would guess that -- 10 Q You can't guess. 11 A It would certainly -- it could take less 12 than a minute per machine. 13 Q For a user to do? 14 A Yes. 15 Q It would take you and I quite a bit 16 longer? 17 A Quite a bit longer manually, yes. 18 Q Well, how would this robot program get 19 the computer address, the IP address? 20 A It could do a sequential number, because 21 a computer address is comprised of four numbers 22 between zero and 255, separated by decimal point, 23 and so it could merely start off a 0.0.0 in 24 increments and search the entire Internet in that 25 fashion. 162 1 Q What is the time line in that type of 2 process? 3 A I wouldn't have an idea. There are 4 particular numbers that are assigned, for example, 5 to Intel Corporation. If someone was specifically 6 interested in Intel Corporation, they could 7 determine those numbers and search just that 8 address base, which is considerably smaller. 9 Q So you saw this gate and you tested it 10 and were able to come in through it? 11 A Yes. 12 Q And you went to Mr. Schwartz to talk to 13 him. 
What was the substance -- what did you talk 14 about? What did you tell him? 15 A Well, we explained to him that he had 16 this program running and that we were able to 17 verify that it could be used to bypass Intel 18 security mechanisms that are in place to prevent 19 people from outside the company gaining access to 20 computer networks. And we had determined that the 21 program was capable of preventing this from 22 happening, but that it had not been set up properly 23 to do that. And we requested that he put -- that 24 he modify the program in such a way that it would 25 only allow access from inside of Intel and not from 163 1 outside of the company. 2 Q Did Mr. Schwartz agree to do that? 3 A Yes. 4 Q So you took the -- what was a two-way 5 street and asked him to make some changes to make 6 it one-way again, outside of Intel only? 7 A Correct. 8 Q And he agreed to do that? 9 A Yes. 10 Q Did you talk to him at all about Intel's 11 position on allowing direct inside access to Intel 12 through the situation that he had or the script 13 that he had? 14 A Yes. We explained to him that it was a 15 violation of Intel security procedures. 16 Q Did he respond to that at all? 17 A I'm not sure what his reply was. He did 18 agree that he would make the modification to the 19 program. 20 Q So he acknowledged your statement that it 21 was against Intel security procedures? 22 MR. SUSSMAN: Objection. The 23 question is leading. 24 THE COURT: Sustained. 25 164 1 BY MR. TINTERA: 2 Q Did he respond when you told him that it 3 was a violation of Intel security procedures? Did 4 Mr. Schwartz appear to be attending to what you 5 were saying? 6 A Yes. 7 MR. SUSSMAN: I object to the 8 question again as leading. Move to strike the 9 answer. 10 MR. TINTERA: Only requires a yes or 11 no answer. 12 THE COURT: Well, it was leading. 13 I've sustained the objection. He's answered it. 14 Go ahead and ask another question. 15 BY MR. TINTERA: 16 Q After the conversation with Mr. 
Schwartz, 17 did you go back and look at the gate script program 18 to assure that the blocks that you requested be put 19 there had been put in? 20 A I personally did not do so. 21 Q Let's go on to April of 1993. You 22 started working for Bob Wilcox? 23 A Yes. 24 Q And what was your job description? 25 A I performed two roles: One was a senior 165 1 network engineer designing tools to manage the 2 Intel computer networks, and the other function was 3 a Systems Administrator for a small group of UNIX 4 computers that were involved and used by Bob 5 Wilcox's group. 6 Q And as you came on line with Mr. Wilcox 7 and his group, who was the Systems Administrator? 8 A Randal Schwartz. 9 Q So you were going to take over that 10 position? 11 A I was going to take over those functions, 12 yes. 13 Q Now, did you do that immediately as you 14 came into the group or how did that work? 15 A No. When I spoke to Bob Wilcox, the 16 decision was made that there were activities that 17 Randal was currently performing that required 18 privileged access or root access to those systems 19 and that we would transition and when those 20 projects were complete, then we would remove the 21 root access from him. 22 Q And did that ever occur? 23 A Yes, in the June or July timeframe. 24 Q Of 1993? 25 A Yes. 166 1 Q Tell me about that, if you would. 2 A I had gone to Bob Wilcox to state that I 3 felt it was time to transition Randal out of the 4 Systems Administrator role and transition fully to 5 me, and Bob agreed. And I spoke with Randal to 6 tell him that I was going to change the passwords 7 on the root account and that if he needed root 8 access that I would give it to him on an as-needed 9 basis. 10 Q And after that occurred, who was the 11 Systems Administrator for Bob Wilcox's group? 12 A I was. 13 Q Do you know what Mr. Schwartz's duties 14 were at that point? 
15 A Bob was doing contracting for -- Randal 16 was doing contracting for Bob Wilcox and for 17 Clayton Kirkwood at Intel in California having to 18 do with a system called the Domain Name System for 19 Intel. 20 Q Now, let's go to the end of October, 21 October 28th of 1993. Before I get there, did you 22 add a new computer to your computer group with 23 Mr. Wilcox in October of '93? 24 A Either at the end of September or early 25 October, I added a new Sun computer that I named 167 1 Snoopy. 2 Q Now, was there anything special about 3 this computer, in your mind? 4 A It was the most powerful computer that we 5 had in our group and it was dedicated to collecting 6 statistics and data on our computer networks. 7 Q Now, when you say "powerful," what does 8 that mean to a computer person? 9 A It's able to execute the programs faster 10 and in less time. 11 Q It has a bigger engine? 12 A Bigger engine, yes. 13 Q In car terms. 14 A Yes. 15 Q When did this computer become 16 operational? 17 A During early October. It was certainly 18 fully functional by October 14th. 19 Q And did you have any conversation with 20 Mr. Schwartz about his use of this computer? 21 A I recall at some point, I asked Randal 22 not to use that machine because we were running a 23 program on it that required as much of the power of 24 that computer that we could give it. 25 Q Now let's go to October 28th. Did you 168 1 have any contact with this Snoopy computer on 2 October 28th, 1993? 3 A Yes. 4 Q Tell the jury what happened. 5 A Around noon, or noon to 12:30, in that 6 timeframe on that date, I -- from another computer 7 in our lab, I logged onto Snoopy just to check its 8 general state and to see how things were working on 9 it, and to make sure that the processes were all 10 fully operational, and I ran a particular command 11 that allowed me to see all the processes that were 12 running on the machine.
13 At that time, I discovered that 14 there were processes running under the user ID for 15 Randal Schwartz that I did not anticipate running 16 on that machine. I investigated more closely and I 17 found that the actual program that was running had 18 the word "crack" in its name. 19 That set off some alarm bells with 20 me because Crack is also the name of a very 21 sophisticated program for guessing passwords that's 22 available on the Internet. 23 At that point, I went to 24 Mr. Schwartz's home directory to the area where the 25 program said it was running from and I found that, 169 1 indeed, he did have a password-guessing program 2 located there, as well as a password file for a 3 company called O'Reilly & Associates, and also 4 one -- I'll take that back, one that I assumed was 5 for O'Reilly & Associates based on its name and one 6 that I assumed was for the Intel Supercomputer 7 Division based on its name. 8 At that point, I contacted Rich 9 Cower of Intel security and asked how I should 10 proceed. 11 Q Then what did you do? 12 A I spoke with Rich. Rich told me that I 13 should contact SSD and talk with either Lou 14 Poehlitz or John Kent to find out whether or not 15 Randal was doing any work for them in terms of 16 cracking their password files. 17 So I contacted Lou Poehlitz, who 18 told me I should talk with John Kent. And when I 19 spoke with John Kent, John was very alarmed and 20 agitated that this activity was occurring. 21 At that point, we -- I believe we 22 contacted Rich Cower again and decided that we did 23 have a security incident. And I also asked John 24 Kent whether or not Randal had permission to access 25 a machine called Brillig, because on our computer, 170 1 we can track when someone connects with one of our 2 computers where they connected from. And I noted 3 over a period of time that Randal had been 4 connecting to our computer from a machine called 5 Brillig in the SSD domain. 
6 I asked him if he had permission to 7 access that machine and Randal -- excuse me, John 8 Kent was very surprised that Randal had any sort of 9 access to that machine because after his contract 10 had ended at SSD, all accounts for him at SSD 11 should have been terminated. 12 Q So then what did you do? 13 A At this point, I really need to reference 14 to my notes. 15 Q That's fine, as long as you don't read 16 from them. If you need to refresh your 17 recollection -- 18 A I just need to refresh my recollection. 19 Q Sure. 20 A Okay. When I was speaking to John Kent, 21 I asked him to look for a program called gate 22 running on Brillig and I explained to him that we 23 had found a similar program running on Mink earlier 24 that year and I was concerned that Brillig might be 25 being used to gain access to Intel's network from 171 1 outside of Intel. 2 He did take a look while I was on 3 the phone and found that there was a gate program 4 running and he did actually find logs as well, some 5 data from the program that logged what activity had 6 been going on with the program, and we discussed 7 those logs and I believe then we contacted Rich 8 Cower again to explain the situation. 9 And after that, I sent John off to 10 look more carefully at the data. I passed the 11 password files that were in my possession to John 12 to determine whether they were from the machine 13 called Brillig or whether they were from the main 14 computer systems at SSD, and then I went over to 15 inform my management as to what was going on. 16 Q Do you know if there was a way or a 17 system set up at that time at Intel to allow people 18 who are off-site to access Intel computers? 19 A Yes, there was. 20 Q And what was that called? 21 A The general system was called Defender. 22 Q And could you tell me in a lay version 23 how that system would work? 24 A It has two modes of operation. 
The mode 25 that I personally used was, I would dial into the 172 1 system and give it some access code to identify me 2 to the system and then the system would hang up the 3 phone and dial me back at a prearranged number. 4 Q When you are talking about "me," you're 5 actually going through a computer? 6 A Going through a computer, would dial back 7 my telephone that would have a computer modem 8 hooked up to it and call me back at that number. 9 And the idea being if I give it a prearranged 10 number that I told it I'm going to call from, then 11 the odds are very good that I am the person that is 12 at that number. In this case, it would normally be 13 something like your home phone. 14 A second method of accessing the 15 system is called a challenge response system and 16 the common way for that to work with the Defender 17 system is, you have a device that looks like a 18 calculator and when you validate yourself to the 19 Defender system, it spits out a large number at 20 you, maybe 16-digit number which you type into your 21 calculator and this type of calculator gives you 22 another 16-digit number back, which you then type 23 to the computer. And if it's the response that the 24 computer was expecting, then it believes that you 25 are that individual and it allows you to have 173 1 access. 2 Q Was the Defender system similar to the 3 gate script that was running on the Brillig system? 4 A In ways, yes. 5 Q Did it have the same safeguards? 6 A No. It's a -- it's built by a company 7 for the express purpose of computer security and is 8 a commercial product for computer security. 9 Q Defender is? 10 A Yes. 11 Q Do you know if Mr. Schwartz had an 12 account on Defender so that he could use that to 13 access Intel computers if he chose from off-campus 14 or off-site? 15 A Yes. Yes, he did. 16 Q How do you know that? 
17 A On November 1st, when we were in the 18 process of shutting down computer access for 19 Randal, I went to the person who manages that 20 system and went with him into our main computer 21 room to determine if Randal had access or not and 22 whether or not he had ever used that access. 23 Q And what did you see? 24 A We determined that he did actually have 25 access and as far as the log files in the Defender 174 1 system occurred, we could not see where he had ever 2 used the Defender system to access Intel. 3 MR. SUSSMAN: May I ask a question 4 in aid of objection? 5 THE COURT: You may. 6 7 EXAMINATION IN AID OF OBJECTION 8 BY MR. SUSSMAN: 9 Q Did you personally view the records that 10 that -- on the Defender system? 11 A Yes, I did. 12 MR. SUSSMAN: That wasn't clear from 13 your answer. All right. 14 BY MR. TINTERA: 15 Q When you looked at these records, how 16 many times had Mr. Schwartz used the Intel setup 17 system to access their computers from off campus? 18 A We could not determine if he had ever 19 used them. Appeared that he had never used them. 20 Q Would the log that -- or the file that 21 you looked at show if there had been any use? 22 A The log should have gone back for several 23 years, yes. 24 Q And it would show each time someone had 25 used the Defender system? 175 1 A Yes. 2 Q And were there any indications that it 3 had ever been used at all? 4 A The system indicated that he had not 5 accessed it. 6 Q Could you tell the jury, based on your 7 experience -- the UNIX is a computer language; is 8 that fair? 9 A It's a computer operating system, which 10 an operating system is a master program to provide 11 an environment on the computer. 12 Q A lot of people are familiar with Windows 13 for Computers. Is that an operating system or -- 14 like UNIX? 15 A In combination with -- usually it runs on 16 something called DOS. In combination, they would 17 be considered an operating system, yes. 
18 Q So Windows and DOS and UNIX, like two 19 different ways to get a computer to work? 20 A Yes. 21 Q One could be like an automatic 22 transmission and one could be like a standard 23 shift, in a very crude example? 24 A Or a Ford and a Chevy, yes. 25 Q Based on your work with Intel, do you 176 1 know what is the predominant system that's being 2 used, UNIX or Windows? 3 A The predominant system is Windows. 4 Q And is it -- if you can use Windows, are 5 you able to use this UNIX system? 6 A Not necessarily, no. 7 Q Do you use a mouse to run UNIX? 8 A You can. You would use a mouse probably 9 less in UNIX than you would in Windows. UNIX is 10 more of a command-driven, keystroke-driven system. 11 Q Now, when you found this Crack program 12 running, what did you have to do to locate it or to 13 know about it? Tell the jury the steps that you 14 went through. 15 A There is a program under UNIX called PS, 16 which stands for Process Status, and it has a 17 particular set of options that will tell you what 18 all processes are running on the computer. All the 19 process is is a program that is executing. So if 20 you have a computer program, when it's sitting on 21 the disk, it's just a program. When it's running, 22 we call it a process. 23 I use a particular set of options. 24 The ones my finger knows are AUGX, which probably 25 are not important, but they list all the processes 177 1 that are running on the machine. And on a UNIX 2 system, because it's a multi-user system, there is 3 typically a large number of processes that are 4 running. And one of the things that the command 5 will tell me is the user identifier or the count 6 log-in for the user as well as various things about 7 the resource that it is using. And using a few 8 other options, I can even find out where the 9 program was started from on the file system and any 10 options that may have been given to it. 11 Q So was this readily apparent from walking 12 by the Snoopy workstation? 13 A No. 
You would have to deliberately go 14 out and look at the process to discover this. 15 Q Were there a lot of people that were able 16 to use this Snoopy computer? 17 A Very small number. Probably less than 20 18 accounts, of which maybe only about four or five 19 people used that network of six computers on a 20 daily basis. 21 Q One of the other computers in your group 22 was called Wyeth; is that correct? 23 A Yes. 24 Q Was there any advantage to running the 25 Crack program on Snoopy as opposed to Wyeth? 178 1 A Yes. When we brought Snoopy into the 2 group, it was the most powerful computer in the 3 group. Before then, Wyeth would probably have been 4 one of the more powerful machines in the group and 5 it certainly would have been one of the least used 6 machines in the group. 7 Q Snoopy would have been? 8 A No, Wyeth would have been one of the 9 least used in the group. 10 Q So if a person wants to run the Crack 11 program against the password file, is there any 12 advantage to using a powerful machine as opposed to 13 a less powerful machine? 14 A You would finish your task quicker. 15 Q So the extra power allows it to -- Crack 16 does what? 17 A It uses some rules to formulate guesses 18 for passwords. It uses anything from standard 19 dictionary words to guessing proper names to 20 guessing anagrams or all sorts of -- it has rules 21 on how to put words together that are likely to be 22 passwords for computer systems. 23 Q So the bigger, more powerful the machine, 24 the faster it can go through those permutations of 25 rules? 179 1 A Yes. 2 Q What was the fastest machine in that work 3 group that Mr. Schwartz had access to? 4 A Snoopy. 5 Q Part of your responsibilities was 6 administering the Domain Name Server or DNS; is 7 that correct? 8 A No. 9 Q Whose responsibility was that? 10 A I believe that it was Randal Schwartz's 11 job. 12 Q Are you familiar with the Domain Name 13 Server, or were you at that time? 
14 A I'm familiar with the Domain system and I 15 was at that time, yes. 16 Q What does that system do? 17 A In general, when people go to talk with 18 computers, they want to use names because names are 19 very easy to remember. However, computers use 20 numbers and the Domain Name Service, in a nutshell, 21 translates human names, names that humans use, into 22 numbers that computers use. 23 Q And that system goes over to the 24 Supercomputer Division, does it not? 25 A The Domain Name System? 180 1 Q Yes. 2 A They would certainly have Domain Name 3 System there, yes. 4 Q Can you use that Domain Name Service, 5 system, I'm sorry, to access the various password 6 files of where it goes? 7 A No, you wouldn't be able to. Under 8 normal circumstances, that wouldn't be configured 9 to do that, no. 10 Q Once you saw this activity on October 11 28th, did you do anything to take a computer 12 snapshot of what was happening? 13 A Yes. I made some taped copies of Randal 14 Schwartz's data files and preserved those for Intel 15 Security. 16 Q And can you tell me about how many tapes 17 that was? 18 A The sum total of all the tapes, because 19 we also do what are called computer backups where 20 on a daily basis we back up all the data that we 21 have so that if something is lost, we can recover 22 it quickly. There is something between 10 and 20 23 tapes that we had reserved for use by the 24 investigation. 25 Q And have you recently assisted in setting 181 1 up those tapes to be viewed? 2 A I recently was asked some questions by 3 Intel on how to read those tapes, yes. 4 Q So they are still in existence? 5 A Yes, to the best of my knowledge. 6 MR. TINTERA: Those are the only 7 questions I have, Mr. Morrissey. Mr. Sussman may 8 have one or two. 9 MR. SUSSMAN: May I have a couple 10 minutes? I also noted Mr. Morrissey indicated that 11 he had some notes he was referring to. If we could 12 take a look at that. 13 You were just referring to your 14 reports? 
15 THE WITNESS: To my reports, yes. 16 17 CROSS-EXAMINATION 18 BY MR. SUSSMAN: 19 Q Mr. Morrissey, you first testified about 20 your meeting with Mr. Brandewie to discuss this 21 tape program that was found, that Mr. Schwartz had 22 written on Mink. 23 A Yes. 24 Q And you learned that what Mr. Schwartz 25 was doing was getting access to his computer inside 182 1 Intel through Mink from a computer named 2 ruby.ora.com, his publisher in Massachusetts? 3 A I did not know that at that time. 4 Q You learned that subsequently? 5 A Subsequently, yes. 6 Q And you learned that he was doing that to 7 gain access to his e-mail; is that correct? 8 A That's what I was told, yes. 9 Q Now, the conversation that you 10 represented with Mr. Schwartz, were both you and 11 Mr. Brandewie present during that conversation? 12 A Yes. 13 Q And do you recall your exact words to 14 Mr. Schwartz? 15 A No, I don't recall my exact words. 16 Q Now, you may have then very well told him 17 that the program as constructed was not acceptable 18 in the fashion it was -- 19 A Yes. 20 Q You had mentioned that it was a violation 21 of Intel policy to have the inbound connection from 22 a machine outside of Intel. Was there a policy 23 manual that you were familiar with or that you were 24 referring to? 25 A Yes. 183 1 Q Was that policy manual in general 2 distribution? 3 A I don't believe it was in general 4 distribution. 5 Q In fact, you don't know whether that 6 policy manual had been distributed to Mr. Schwartz? 7 A No, I don't. 8 Q In your experience, there was a 9 difference between the policy information that was 10 disseminated to you as a regular blue badge 11 employee and independent contractors? 12 A I don't know if there was or not. 13 Q Is there a difference in the amount of 14 control that Intel can exercise over its employees 15 and the amount of control it can exercise over the 16 manner of work done by its independent contractors? 17 A I don't know. 
18 Q Now, as far as the gate, the gate 19 programs you're referring to, you actually looked 20 then at the codes and the script for the Gate 1 21 program? 22 A Yes. 23 Q Mr. Morrissey, I'd like to show you what 24 I've just had marked for identification as 25 Defendant's Exhibit 111. Would you take a look at 184 1 that and tell me if that is the first gate program 2 that you took a look at? 3 A I can't tell whether it is or not. 4 Q Would you take a look at that gate 5 program and tell me, then, if that program, the 6 gate program or this program on here is a gate 7 program? 8 A It would appear to be, yes. 9 Q Do you see any codes in that gate program 10 that shows that it's set up in a way to keep track 11 of the log-ins to the machine at Intel? 12 A Yes. 13 Q Would you make a notation where that 14 occurs. Just put down like an "L" alongside the 15 column for "log-in." 16 A (Witness complies.) 17 Q Mr. Morrissey, how many computers are 18 there inside of Intel? 19 A I have no idea. 20 Q Does each computer -- Do you know how 21 many machines there were in Hawthorn Farms? 22 A No. 23 Q Does each separate machine have its own 24 set of ports? 25 A Yes. 185 1 Q So if there were -- You testified earlier 2 that there were over 30-something thousand ports. 3 A Yes. 4 Q Are you certain that the number was the 5 30-something thousand number of ports? 6 A That would be, I believe, a minimum. It 7 could be higher. 8 Q And the number of ports is -- would be 9 based upon what principle? Would it be based on 10 some mathematical principles? 11 A It's based on the architecture of the 12 machine, yes. It's how many bits it actually 13 allows in for the specification of the number. 14 Q So that for each machine then, there 15 would be at least 30-something thousand ports? 16 A For each machine, for each machine -- 17 Q Each IP address? 18 A For each -- each machine that is 19 implemented with TCP/IP, yes.
20 Q And that -- then you would, depending on 21 the number of ports, would have to be multiplied by 22 the number of machines in Intel to give you an idea 23 about the number of ports that are possible for 24 connections? 25 A Well, the number would be less than the 186 1 number of machines inside Intel because not only -- 2 only a subset of the machines would be capable. 3 Q Repeat that. I'm not sure I understood 4 that. 5 A This port concept is really associated 6 with a protocol suite called TCP, and only a subset 7 of the computers at Intel would be using that 8 protocol. 9 Q Would be using the port numbers? 10 A Would be using something that would 11 enable them to have port numbers, yes. 12 Q And each machine with an IP that has port 13 numbers would have at least that 30-something 14 thousand? 15 A Yes. 16 Q Now, are the IP addresses of the Intel 17 computers maintained in a host file or some file at 18 Intel? 19 A They would be administered in the Domain 20 Name System, yes. 21 Q And that could be found in a host file? 22 A A portion of it would be found in the 23 host files distributed throughout the company. 24 Q And just so we're clear, the IP address 25 is the identification number or telephone number 187 1 equivalent for the computer? 2 A Yes, that's correct. 3 Q I'll leave that exhibit with you. 4 What is a Class B network of 5 computers? 6 A The class system is a method specified by 7 the entity that hands out these IP addresses, as to 8 how much of this IP address specifies what's called 9 the network and how much of it specifies what's 10 called the host portion. 11 Q Intel had these class systems of network 12 for identifying computers in a network? 13 A The protocol that they use to use in that 14 system, yes. 15 Q Intel did have Class B computers in 16 the -- 17 A Yes. 18 Q How many computers were in the Class B 19 network of computers? 20 A I have no idea. 21 Q How many are possible? 22 A It depends on how you use it. 
You could 23 do a thing called subnetting where you extend and 24 change the definition of the Class B address so 25 that a greater -- you have a greater number of 188 1 networks and fewer hosts, so it would depend on how 2 it was used. 3 Intel in particular used the Class B 4 address in what's called the Class C phase so they 5 would have a greater number of networks and 6 corresponding fewer numbers of hosts. 7 Q There could be as many as 65,000 IP 8 addresses on that network; is that correct? 9 A I don't know. That sounds like it's 10 possible. 11 Q And each then of those potential 65,000 12 machines could have at least 30-something thousand 13 port numbers? 14 A Worst case, yes. 15 Q Now, you were talking about some security 16 concerns for the gate program that Mr. Schwartz had 17 written and you were discussing the fact that there 18 are some computer programs that can probe an IP 19 address -- for an IP address, open one, then probe 20 for a port? 21 A Correct. 22 Q First that program would have to find the 23 right IP address under that system; is that 24 correct? 25 A It could already know. There is a 189 1 variety of methods for finding out what's an 2 accessible machine. 3 Q But your testimony was that the IP 4 addresses are based upon configuration of numbers? 5 A Yes. 6 Q And the robot program that you were 7 describing systematically goes through the 8 combination of numbers to search out for an open IP 9 address? 10 A That would be the least sophisticated 11 method it would use, yes. 12 Q And it would have to find the IP address 13 before it could then start looking for the right 14 port? 15 A Correct. 16 Q During one of these robot programs, how 17 long would it take the robot program to make a TCP 18 connection and for that connection to be either 19 established or rejected? 20 A Small fraction of a second. 
21 Q And how long would it take that robot 22 program to go through that process of trying to 23 guess each combination of numbers for each 24 individual IP address before it started looking for 25 a port? 190 1 A I've never looked at that. 2 Q Now, while a robot program was doing this 3 process, trying to guess the IP port, the IP 4 number, or guess a port number, what would that do 5 to the Internet traffic into Intel? 6 A It would probably be not discernible. 7 Q Now, let's go to the next step then. 8 Suppose that we had somebody from the outside 9 trying to probe Intel's system on that gate program 10 that you had looked at that Mr. Schwartz had 11 written and somebody had actually stumbled across 12 the IP number and then stumbled across the actual 13 port number. What would have happened, from your 14 assessment -- When you looked at that program, what 15 would then happen, what would then greet the person 16 from the outside coming in? 17 A I don't know if there is a prompt or not. 18 Excuse me. I can look at the code. 19 MR. TINTERA: Is that the code that 20 was on there on this date? 21 MR. SUSSMAN: Well, Mr. Morrissey 22 had previously indicated that he was not sure if 23 this code was the first one. 24 MR. TINTERA: I know that. 25 MR. SUSSMAN: I'm asking him if he 191 1 remembered based on -- 2 MR. TINTERA: He's referring to the 3 code that you have left up there. If that's not 4 the first one, then he shouldn't be answering the 5 question based on your exhibit. 6 MR. SUSSMAN: No, he shouldn't. 7 THE WITNESS: Then I won't. 8 I don't recall whether it gives a 9 prompt or not. I do recall the program did not 10 tell you the proper way to use it. You had to know 11 that the program -- you either had to -- you either 12 had to know what the program was expecting or you 13 would have to use sort of a black box technique 14 where you tried things and decided to determine 15 whether or not it was doing something productive. 16 BY MR. 
SUSSMAN: 17 Q So based on your recollection, it would 18 either then give you a prompt and when the prompt 19 means you would then have to do something to log 20 in? 21 A You would then give it a command to 22 connect or do something to another machine. 23 Q And you would have to know what command 24 to give it? 25 A I -- yes. In most circumstances, yes. 192 1 Q And if there was nothing there, as I 2 think you mentioned, that was the other potential 3 alternative? 4 A Yes. 5 Q Then there would be no way of knowing 6 what to do next? 7 A Correct. 8 Q You would basically just be getting a 9 blank screen? 10 A Correct. 11 Q And with a blank screen, there is no way 12 of knowing if the computer is on, is there? 13 A Yes, there is a way to tell. The fact 14 that you had received a blank screen, you do know 15 that the computer is operational and the protocols 16 are functioning and something answered at that 17 port, yes. 18 Q There is no way to know what's behind 19 that blank screen? 20 A Not in general, no. 21 Q Let's take a look at this exhibit that 22 has been put in front of you. What does this 23 particular program do if you get to that point 24 where you get to an IP address and if you stumble 25 past that to a port number, based on that program, 193 1 if you happen to get that far, what do you get? 2 MR. TINTERA: Your Honor, I object. 3 I didn't ask about any of the defense exhibits. 4 This witness cannot identify this particular 5 exhibit, so it's a general defense question. 6 THE COURT: Is this a defense 7 exhibit? 8 MR. SUSSMAN: Yes. 9 Your Honor, what I'm asking him 10 about is, he's testified about the security or lack 11 of security on this particular gate program and I'm 12 using this to test the witness' -- 13 THE COURT: Overrule the objection. 14 Proceed. 15 THE WITNESS: Not being -- I do very 16 little programming anymore. There is something in 17 here called the "secret word," and I don't know 18 what this means. I don't know what its function 19 is. 
But it would appear that what it's attempting 20 to do is wait for someone to ask it to connect to 21 another computer, potentially another computer and 22 port on that computer. 23 BY MR. SUSSMAN: 24 Q When you say "it appears," I want to make 25 sure I'm straight on your answer here. Is that 194 1 what -- can you determine that from reading the 2 script or is that what you are surmising? 3 A That's what I'm surmising. 4 Q You can't tell then? 5 A I can't, no. 6 Q You don't know? 7 A No. 8 Q Let's go back to -- Setting this exhibit 9 aside, going back on your recollection of the 10 program that Mr. Schwartz had set up and the path 11 we followed where we have gotten to the blank 12 screen. Suppose we have an outside cracker/hacker, 13 somebody is trying to break in and get to that 14 blank screen. 15 MR. TINTERA: Your Honor, I object 16 to the form of the question. It assumes that the 17 program that Mr. Schwartz set up, that's in 18 discussion, would do that. That was hypothetical 19 questions that were bounced back and forth between 20 defense counsel and this witness. There is no 21 evidence that shows that's what would have happened 22 under the gate script that was initially discovered 23 on the Mink computer. 24 MR. SUSSMAN: Your Honor, I think 25 that the witness testified that he would either 195 1 produce a log-in prompt or a blank screen. 2 MR. TINTERA: Right. 3 MR. SUSSMAN: He was not sure which. 4 MR. TINTERA: Exactly. 5 THE COURT: So you want to probe his 6 knowledge of both alternatives? 7 MR. SUSSMAN: That's correct. 8 THE COURT: Overruled. Go ahead. 9 BY MR. SUSSMAN: 10 Q So we got to that blank screen and you're 11 the outside person trying to get in, what do you do 12 next to get into the system beyond that? 13 A You could guess at that point. 14 Q You would have to try to guess another IP 15 address? 16 A Or name. You could do things like that, 17 yes. 18 Q You would also have to know the format of 19 the command to give it? 20 A Correct. 
21 Q And there is nothing on the screen to 22 give you any guidance on how to do that? 23 A Correct. 24 Q Wouldn't you need to get 45 characters in 25 a row at that point to get a command to go beyond 196 1 that blank screen? 2 A I don't know. 3 Q Let me put it in different terms then. 4 If you were to try to type in a command name, a 5 port name and host number, how many characters 6 would that add up to? 7 A It could vary. 8 Q At least. Minimum. 9 A Well, let's count. 29. 10 Q Now, to make sure we have got this clear 11 here, on this gate program that Mr. Schwartz wrote 12 for somebody coming in from the outside who did not 13 know the IP number to start with, did not know the 14 port number to start with, would be greeted by a 15 program that required the person to guess the IP 16 number, correct? Is that correct? 17 A No. The person could have knowledge of 18 the program and its operations. 19 Q Where would the person get that 20 information? 21 A They could have received it from either 22 the person who wrote the program, they could have 23 received it from anyone who had access to where the 24 data was stored and may have looked at it, or 25 anyone who may have been given the program and may 197 1 have been passed among the people. 2 Q The person who was trying to break in 3 from the outside would not have that information 4 inside of Intel, they would be greeted with a 5 requirement that they would have to guess the IP 6 number, correct? 7 A If they had no other information, yes. 8 Q Then guess the port number? 9 A Yes. 10 Q Then figure out what combination of at 11 least 29 characters or maybe more had to be typed 12 in onto a blank screen? 13 MR. TINTERA: Your Honor, I object. 14 Once again, he's assuming that the defendant's gate 15 program is that very same item. That fact is not 16 in evidence. This witness hasn't established that 17 and says he doesn't know. He's asking the witness 18 to assume those facts. It's not a hypothetical 19 question. 
It's not framed that particular way. 20 MR. SUSSMAN: Your Honor, the 21 witness did testify that he ran the gate program 22 from his station at OGI. Just walking through 23 what -- 24 THE COURT: Overruled. 25 THE WITNESS: No, it's not Randal's 198 1 document. The format of the command is very 2 well-known in the UNIX world. 3 BY MR. SUSSMAN: 4 Q You will still have to somehow figure out 5 what combinations to use in those minimum of 29 6 characters? 7 A You could potentially narrow it down 8 substantially, yes. 9 Q Now, you, in describing this program to 10 Detective Lilley, told him that, in your opinion, 11 that provided no security; is that correct? 12 A It did allow people to access Intel 13 computers -- computer systems from outside the 14 network, yes. 15 Q And that it had no safeguards, nothing 16 to -- 17 A Yes. The program itself relied on other 18 safeguards within Intel. 19 Q But you told them that it had no 20 security? 21 A The program itself had no security, 22 that's correct. 23 Q Now, after the conversation with 24 Mr. Schwartz and Mr. Brandewie, Mr. Schwartz did 25 agree to make changes in the program? 199 1 A Correct. 2 Q After that Mr. Brandewie reviewed the 3 program to see what changes had been made? 4 A That's what I was told, yes. 5 Q I want to jump ahead for a little bit. 6 You, later on, after this, I think 7 around November 1st, after this investigation had 8 been going on for some time, you met with Detective 9 Lilley from the Washington County Sheriff's 10 Department; is that right? 11 A Correct. 12 Q You helped him to assist him in preparing 13 a search warrant affidavit? 14 A Yes. 15 Q Did you tell Detective Lilley what 16 Mr. Schwartz's specific duties were at Intel? 17 A I don't recall. I wouldn't know what his 18 specific duties were. 19 Q But you knew Mr. Schwartz was not an 20 ordinary programmer; is that right? 21 A I don't understand. What he was doing 22 was ordinary programming, to a large degree. 
23 Q But he was not an ordinary programmer in 24 terms of Mr. Schwartz's abilities and knowledge of 25 UNIX and knowledge of security systems and such? 200 1 A He would have above average knowledge of 2 computer systems, of UNIX computer systems, yes. 3 Q Just above average? 4 A I've never plumbed his depth. 5 Q Did you tell Detective Lilley that 6 Mr. Schwartz frequently was away from Intel and 7 that he did his work at other hours other than when 8 he was at Intel? 9 A I informed Detective Lilley that that's 10 what Mr. Schwartz had told me. 11 Q And sometimes at remote sites away from 12 home? 13 A Yes. 14 Q Did you explain to him what it meant to 15 be a Systems Administrator? 16 A No, I don't believe I did. 17 Q How about a network administrator? 18 MR. TINTERA: I don't see the 19 relevance. If this is impeachment, I don't believe 20 that Detective Lilley was asked all those 21 questions. The search warrant itself is not an 22 issue in this particular -- at this particular 23 time. 24 THE COURT: Mr. Sussman. 25 MR. SUSSMAN: Your Honor, actually 201 1 these questions are tracking questions that I asked 2 Detective Lilley on cross-examination, and also the 3 things that go to both Detective Lilley's ability 4 to recall and matters that were given to him and 5 this witness' ability to recall and whatever motive 6 and -- 7 THE COURT: Your recollection is you 8 asked these questions of Detective Lilley? 9 MR. SUSSMAN: Your Honor, it is. As 10 I indicated, I tracked in the notes I've prepared, 11 been tracking certain questions for certain 12 witnesses. 13 THE COURT: Mr. Tintera, anything 14 else? 15 MR. TINTERA: I guess the question 16 is how Detective Lilley answered the questions. If 17 he said, "Yeah, that was told to me," or "No, it 18 wasn't," then this line of inquiry doesn't have any 19 relevance. 20 THE COURT: Well, it may, depending 21 upon what answer this witness gives, and we won't 22 know unless he asks them. 23 Overruled. Go ahead. 24 BY MR. 
SUSSMAN: 25 Q At the time you spoke to Detective 202 1 Lilley, you didn't know what Mr. Schwartz's duties 2 were at Intel? 3 A I knew some of his duties at Intel. 4 Q But you didn't tell him what Mr. Schwartz 5 was authorized to do and what he was not authorized 6 to do -- 7 A I did tell him -- 8 Q -- in terms of his general duties? 9 A I did tell him some things that he was 10 not authorized to do. 11 Q Now, you indicated that Mr. -- that the 12 machine called Snoopy was set up in October and 13 became fully operational by October 14. 14 Mr. Schwartz was involved in some of the setup 15 activities of that machine, wasn't he? 16 A Yes. Actually, he was. 17 Q And in your discussion with Detective 18 Lilley, you talked with him about some of the ways 19 that provided information that might be found 20 behind a cracked password file, might be taken out 21 of Intel? 22 A Yes. 23 Q And you're aware of the different ways 24 then that could have been done by somebody like -- 25 with Mr. Schwartz's knowledge to avoid detection? 203 1 A It could have been, yes. 2 Q For instance, you knew that he could have 3 printed out the information from the files and then 4 mailed it out? 5 A Yes. 6 Q And he could have copied it onto a disk, 7 scrambled it, attached it to something else that 8 wouldn't attract attention and simply put it on 9 another computer someplace else? 10 A Yes. 11 Q Could have transmitted it to some remote 12 site by e-mail, couldn't he? 13 A Yes. 14 Q Your testimony was that outbound 15 telnetting was allowed, correct? 16 A Under certain circumstances, yes. 17 Q And the concern was the restriction on 18 inbound telnetting. But any data that Mr. Schwartz 19 or anybody else got from inside Intel could be 20 encrypted, mixed up with other data and telnetted 21 out to another site, correct? 22 A Yes. 23 Q Now, you told Detective Lilley that 24 Mr. Schwartz was a very sophisticated, very 25 knowledgeable person in computers and computer 204 1 security, did you not? 
2 A I recall telling him that Mr. Schwartz 3 was knowledgeable about computer security. 4 Q And he could very -- with that knowledge, 5 he could very easily have done any of those methods 6 of sending information out of Intel without leaving 7 a trace, couldn't he? 8 A Correct. 9 Q Now, you, in looking on Snoopy, found a 10 Crack program running in a file under 11 Mr. Schwartz's own user ID name? 12 A That's correct. 13 Q And the program is clearly identified as 14 Crack? 15 A Yes. 16 Q And it was running against a file clearly 17 identified as password file SSD? 18 A Correct. 19 Q That wasn't very subtle, was it? 20 A It depends on how you look at it. 21 Q It was plainly done under Mr. Schwartz's 22 own identity on his own machine inside of Intel? 23 A Yes. 24 Q A machine where other people had access 25 to the programs and to the process that he was 205 1 running? 2 A Yes. 3 Q He had the ability to run that program 4 and hide it on any number of machines in the 5 network without it being under his own name, didn't 6 he? 7 A I don't know that. 8 Q Let me talk to you a little bit about -- 9 you're a Systems Administrator, right? 10 A Yes. 11 Q Systems Administrators, would it be fair 12 to say, need to have a pretty good awareness of how 13 the computers in their systems work? 14 A Yes. 15 Q And the running of this Crack program 16 came to you when you were looking at Snoopy to 17 check the health of your system? 18 A Yes. 19 Q "Health" would be the way that you 20 might -- people -- Systems Administrators might 21 describe their computer systems? 22 A Correct. 23 Q And it's standard practice for you to be 24 checking on the health of your system to kind of 25 get a feel for how the system operates? 206 1 A It's standard procedure for me. 2 Q For you. And that's how you talk about 3 these systems in terms of just getting a feel for 4 how things work, how a machine responds to certain 5 programs? 6 A Yes. 
Q And to understand that, you need to know how a system responds to commands that you give it, you might put on a machine?
A Yes.
Q What the load appears to be on the machine?
A Yeah, you may pay attention to that, yes.
Q What the demand is of a certain program in terms of how it affects -- how the computer responds to a certain program?
A Potentially at times, yes.
Q And you do that so you can tell what's the normal mode of operation of a computer --
A Yes.
Q -- what are the warning signals --
A Yes.
Q -- if your computer is behaving in an unexpected way?
A Yes.
[Page 207]
Q So in that way, if there is a problem, you can take a closer look to see if it's not -- to see if anything is wrong?
A That's correct.
Q So if it's not behaving in the way you would expect, you can take a closer look to see what's happening?
A Correct.
Q And that describes -- that, in fact, describes how you as a Systems Administrator approach testing the health of your system?
A To a large degree, yes.
Q Is that consistent with the way other Systems Administrators you're familiar with approach testing the health of their systems?
A With some that I'm familiar with, yes.
Q How about Randal Schwartz?
A I don't know how Randal Schwartz administered his systems.
Q You had overlap when you were there, when you were -- transition from when he was Systems Administrator to when you were Systems Administrator?
A Correct.
Q Did you have any discussions about how [Page 208] the two of you -- how you approach to administering that system?
A I believe that we did, yes.
Q And, in fact, you've talked with Mr. Schwartz and had some familiarity with his approach to running programs and the kind of machines that he liked to run his programs on?
A Yes.
Q And this new machine was, as you mentioned, the fastest and most powerful machine that had come into the system?
A Right.
Q Wyeth was previously the fastest one?
A It certainly was one of the fastest, yes.
Q And it's a program -- I mean, it's designed to run a certain program that you use as -- that you were using as a tool to manage your networks?
A Well, it wasn't designed, but we purchased it for that reason.
Q Because that program took a lot of computer power to be effective?
A No. That's one of the reasons that the program did on occasion require a lot of computer power. But the program itself -- the program [Page 209] itself was actually what's called IO intensive and the processor was frequently free to do other things. It was on a dedicated machine because the rest of the machines in the group were already busy doing other activities and that -- the IO-bound nature of it, while it's talking with disk drives or with the network, would impact the ability of someone else trying to use that system to actually use it effectively.
And we preemptively bought this particular machine so that as we added more work to this machine, which may require it to have to do more processing, it would be capable of doing it without impacting other work in the group.
Q Randal Schwartz was -- at the time now that you're transitioning to becoming the Systems Administrator -- was not one of the people in the group under you; is that correct?
A No. He did not work for me, no.
Q You previously testified in this courtroom about this particular incident in your testing of the machine and you indicated when you got this machine and more or less decided to -- you were setting it up, do you recall testifying that you asked everyone in your group not to run jobs on [Page 210] the machine until you understood how much computer power the system needed in order to be effective?
A Yes.
Q Because you suspect it needed a lot?
A I didn't know how much it would need and I wanted to quantify.
Q Mr. Schwartz was not one of the people in the group working under you at that time?
A No one worked under me.
Q You knew, of course, that Mr. Schwartz liked to look -- to run programs on the fastest machines that he could get access to because he liked to get his work, his programs and his jobs done in the quickest and most efficient manner possible?
A Yes.
Q And actually, when you spoke to him about this machine, your concern was that he not run programs that interfered with your -- the program that you were installing, this new --
A Yes, that's correct.
Q Now, you had mentioned something about having root access to certain computers.
A Yes.
Q And root is a special user ID that gives [Page 211] access to a system, right?
A Yes.
Q And Mr. Schwartz did have root access to the computers within the system that you were -- that you were then administering?
A Until I took it away from him, yes.
Q On June 14, 1995, when you testified about Mr. Schwartz's root access, you were asked the question, "Did Randal Schwartz have something called root access to the system in your area?" Your answer was, "I believe he did."
And the question then was, "Would you explain what root access is?" You said, "Root access is a special user ID log into the system that is used for a variety of purposes, administrative purposes for installing software, for doing a variety of things. It takes special privileges that a normal unprivileged user cannot do." And you made no mention at that time that you took away Mr. Schwartz's root access, did you?
A No.
Q You also indicated that root access is something that a Systems Administrator has by definition; is that correct?
A Yes.
[Page 212]
Q When you were looking at Mr. Schwartz's files, did you note that he had root access to other systems inside Intel outside of your -- the system that you were administering?
A It was my understanding at that time that he did have root access to other systems inside Intel.
Q Couple more questions about this Crack program, if I might.
The Crack program that you found running was the most recent version or edition of Crack?
A Yes.
Q And that was a program that was publicly available to -- on the Internet?
A Yes.
Q And it was available to Systems Administrators within Intel as a tool in administering their systems?
A Yes.
Q And, in fact, it was a tool that was typically used by Systems Administrators to test the security of the systems they administer?
A I wouldn't say typically, no.
Q But it was used with some frequency. It [Page 213] was not uncommon for that to be used by Systems Administrators within Intel to test security of the passwords in their systems?
A It was not uncommon for some Systems Administrators to use it, yes.
Q You used it?
A I only used it after this incident. That was my first time using it at Intel.
Q But you have used it?
A Correct.
Q Now, when you -- and you do that, of course, to see if the passwords that the people in your system have chosen are vulnerable to being guessed by somebody trying to break in from the outside?
A Yes.
Q And if the passwords are readily -- are not good ones, they haven't followed the standard procedures, or they're readily guessable, they are not very valuable, are they? In fact, they are a risk -- they present a risk to systems security; is that true?
A I would disagree that they are not valuable.
Q You would agree that they present a risk [Page 214] to systems security?
A They have the potential of reducing the effectiveness of the security on the system, yes.
Q That's why you have to test them to make sure that they are not vulnerable to the attack, to avoid the risk of the system?
A If you so choose to do so.
Q Was it standard practice, in your experience, to disable somebody's password and their user account of their password from a machine when their position as an employee terminated?
A Yes.
Q Or if somebody's contract expired or ended to work in a certain area to disable the password?
A That's standard procedure, yes.
Q And that is typically the way that sends a clear message that you are no longer authorized to have access to a computer?
A No.
Q Was there another standard practice, in addition to that, to communicate to a person that their password -- they no longer had authorized access to a computer?
A Well, for example, I am no longer [Page 215] employed by Intel Corporation and that's a clear indication that I'm not allowed to have access to their computer systems.
Q And if you were working within Intel and still were employed in some capacity by Intel, disabling the password would be the clearest indication that you no longer had authorized access?
A It would be one indication, yes.
Q Were there other indications that you personally were aware of that Intel employed to notify employees or contractors who were still working with Intel that their access was no longer authorized besides disabling the password?
A Well, there is --
Q People send letters?
A Maybe. Perhaps.
Q But you don't know for sure?
A The methods used within inside Intel are, to a very large degree, ad hoc and don't always fully close the loop.
Q Let's talk about a different practice within Intel. You had talked about Defender dial-up access as a means of getting access from outside of Intel to Intel computers.
[Page 216]
A Yes.
Q Intel had a policy which said that dial-up access on the Defender program was not -- was only to be given to Intel employees and not independent contractors, correct?
A I don't know. I don't know what the policy is.
Q Show you what is marked as Defendant's Exhibit 109 and direct your attention to Page 10, Remote Access Modems, and to policy 1.9.3, and that restricts access on dial-up mode access to Intel employees, does it not?
A Yes.
Q But you're sure that Randal Schwartz did have dial-up access?
A Yes.
Q And Randal Schwartz was an independent contractor?
A Correct.
Q Now, after you discovered the Crack program running on Randal Schwartz's file under his own user ID name, you did arrange to have all of his files -- the backup tapes of all of those files saved so that they could be examined later on?
A Correct.
[Page 217]
Q You wanted to see if there were sensitive documents taken from any SSD files belonging to the passwords that were cracked?
A That's correct.
Q You examined those directories?
A Yes, I did.
Q You looked for the other files from SSD?
A Yes, I did.
Q You looked for other files or things that might have been copied from files of individuals whose passwords were cracked?
A Yes.
Q You found none?
A That's correct. I did not find any.
Q You knew that Randal Schwartz carried a laptop computer in and out of Intel?
A That's correct.
Q And when you met with Detective Lilley, you discussed the concern that he could make copies of things and take it out and carry it out that way if he was trying to secrete these things out of Intel; is that right?
A We did discuss that, yes.
Q And that was the purpose of getting the search warrant, so that the computer and all of his [Page 218] computer files and data at home could be seized?
A I guess so.
Q In examining those files, did you examine the output of the Crack program?
A Yes, I did.
Q "The output" meaning the log that shows exactly what the Crack program was doing, exactly what it did?
A Yes.
Q That started on October 21st, did it?
A I believe so.
Q And you discovered that it was running on October 28th, 1993?
A Correct.
Q And it had been continuously running during that time?
A Yes.
Q And you could check when you looked at those files to see when Randal Schwartz logged in to examine that file?
A I can tell when he logged in, but I could not tell whether or not he had examined those files, no.
Q But you could tell when he logged in?
A Yes.
[Page 219]
Q And the last time that he had logged in was on the first day that that program began running, wasn't it?
A That was the last time that he had logged in to the machine Snoopy, but he had access to that data from other machines in the computer network.
Q The log-in, the records of the log-ins typically tell you who logs into a machine, right, when they log in and from what source?
A Correct.
Q And the only record you found that Mr. Schwartz had logged in Snoopy after the Crack program began was on the same day it started?
A For the machine Snoopy, yes.
Q And that log-in was for a period of a matter of a couple minutes?
A I don't know.
Q When you looked at the output Crack program, you found that the Crack program just stopped running sometime on October 29th, didn't you?
A I'm not sure what day October 29th was.
A Friday?
Q Yes.
A I believe it was Saturday or Sunday that [Page 220] the Crack program terminated.
Q Simply stopped running?
A It appeared to terminate.
Q Mr. Schwartz had not logged in Snoopy on October 28th and that Monday, November 1st, had he?
A That's correct.
Q The program simply stopped, terminated or simply stopped running during that time?
A That's correct.
Q Now, might not that have indicated that there was some glitch in the machine that -- in terms of how the machine was -- Snoopy was handling the running of this program?
A Not necessarily, no.
Q But it might have?
A Theoretically, yes. My investigation, no.
Q When you say "your investigation, no" --
A Correct.
Q -- did somebody specifically terminate the running of the program?
A I was not able to determine -- there was no indication that someone terminated the program. And to the best of my knowledge, it appeared that it had terminated of its own volition.
[Page 221]
I found no indication there was a systems problem because that would have left in normal operation something called a core file, which I found no indication that there was a core file or any indication in the system logs that there was a problem with the machine or with that process.
Q But you also saw no indication that anybody had given a command for the program to terminate?
A That's correct.
Q Did you notice whether or not Mr. Schwartz had the core files that you referred to turned off on Snoopy?
A I don't recall if he did or not.
Q So if that was turned off, then there might have been a problem with the machine?
A No. You would have had -- if a process had terminated abnormally, you would, under normal circumstances, receive an error in the system log that indicated that there had been a problem with the process.
Q You recall nothing like that?
A I recall nothing like that. It appeared to me that the program terminated of its own [Page 222] volition.
Q Did you personally examine the second gate program script?
A The one that was on Brillig?
Q Yes. No, not on Brillig. I'm jumping back. But after you and Mr. Brandewie talked to Mr. Schwartz and discussed making changes in the gate program, you learned that changes had been made. Did you ever see the script, the actual commands for the gate program that was -- for the changes that were made after that on Mink?
A I don't recall seeing that.
Q Coming back for a moment to your examination of Mr. Schwartz's files and your examination of when you logged in onto the Snoopy program, it is possible, isn't it, to remove traces of activities from this program that shows when somebody logs into a computer?
A Yes, it's possible to do that.
Q And you examined the files to see if there had been any indication that that had been done?
A Typically -- If that occurs, it is typically not possible to determine if they had been modified.
[Page 223]
Q You did indicate that -- Or it is true that you had no reason to believe that the logs on Snoopy had been modified, though; is that correct?
A I had no reason to believe that, no.
Q And you -- but you would have been able to tell if they had been modified?
A Not necessarily.
Q Now, I asked you a question similar to that the last time we were here and I asked you the question, "You would also be able to tell, by looking at the log, the activity on the Snoopy computer, when Mr. Schwartz had logged into that machine prior to October 28th, between the date the Crack program began running and the date you discovered it, October 28th?"
Your answer is, "I'll point out that it's possible to remove things from logs or publicly be able to remove traces of activity from logs, to remove entries from the systems log that we would be looking at, but I had no reason to believe that those logs had been modified and I would be able to tell."
A If I said that, I did not mean to say that. It's possible -- it is possible there is technology that exists to make it so it's not [Page 224] possible to detect that.
Q You -- Of course, that was a time when you were in court and under oath and responding to questions, so your testimony is now that you misspoke yourself?
A Yes. That is technically incorrect, the statement that I made previously.
Q You didn't state what you meant?
A I definitely made a mistake on that statement, yes.
Q You said that the computer Wyeth was not being used very much.
A No.
Q And it wasn't being monitored very much?
A Those machines typically weren't being monitored very much.
Q So if Mr. Schwartz had wanted to run the Crack program in a place where it would be even less noticeable than on Snoopy, Wyeth would have been the place to do that, wouldn't it?
A It would have been one of the logical choices, yes.
Q Also would have been logical not to do it with his own user name and --
A If he had that ability, yes.
[Page 225]
Q And logical not to name the program Crack and not to identify that you were running it against password -- the SSD password file?
A That makes sense, yes.
Q And just so that we're clear, these processes were all being run within Intel?
A That's correct.
Q On Mr. Schwartz's own workstations?
A They weren't Mr. Schwartz's workstation.
Q Or the workstations that he had access to?
A That he had authorized access, to, yes.
Q After you discovered that operating, you attended -- participated in a meeting on the next day, on that Friday, the 29th, that has been referred to in your report as the bridge meeting?
A That's correct.
Q And at that meeting, was there any discussion about talking to Randal Schwartz and asking him what was going on, what on earth he was doing?
A I believe that I may have asked whether or not we wished to confront Randal directly.
Q And the management decision was made at that point not to talk with him but instead to [Page 226] prosecute him; isn't that correct?
MR. TINTERA: Objection. Intel did not prosecute this case. The Washington County Grand Jury did.
THE COURT: Sustained. You don't have to answer that question.
BY MR. SUSSMAN:
Q The decision was made at that meeting to ask that Mr. Schwartz be prosecuted, wasn't it?
A The decision was made at that meeting to -- based upon recommendation of Intel counsel, that we speak with the Washington County -- I don't remember if it was the District Attorney's Office or the Sheriff's Office -- to determine whether or not a crime had been committed.
Q So the decision was made at that meeting not to talk to Randal Schwartz but instead to talk to law enforcement authorities?
A Correct. Based on the advice of Intel counsel.
Q And then so the next meeting that occurred was on Monday when you met with detectives to help prepare the search warrant?
A I certainly met with him on Monday, yes.
Q Now, during this investigation, you did [Page 227] learn that Mr. Schwartz had access to the computer named Brillig?
A Yes.
Q And that it was a computer within the SSD section of Intel?
A That's correct.
Q And you knew that Randal Schwartz had previously worked at SSD?
A Yes.
Q And you learned that he had worked there in a group called IWARP?
A Yes. I know that he used to work in IWARP.
Q And did you learn that Mr. Schwartz had been a Systems Administrator at IWARP?
A I believe that I did, yes.
Q And when this investigation occurred, you learned that Mr. Schwartz had an active password on Brillig?
A That's correct.
Q And his password had not been removed from the list of authorized passwords from Brillig at the time the activities you were investigating was occurring?
A That's correct.
[Page 228]
Q Now, after assisting in the preparation of the search warrant, you were asked later on to assist a Washington County Sheriff's Deputy named Alan Watson, who actually reviewed the files that were in Mr. Schwartz's computers and home records; is that correct?
A Yes, that's correct.
Q And you ultimately provided Deputy Watson with some of the software that was required to make a mirror image copy of everything on Mr. Schwartz's hard drive on his computer; is that right?
A I recall providing hardware. I'm not sure if I provided any software or not.
Q So you did provide him with materials to assist then in the search of Mr. Schwartz's computer and computer records?
A Yes, I did.
Q And after he completed his review of all those files and materials, did he ask you to review the results of his search?
A Yes, he did.
Q And that search was done. So you reviewed the output, the output of the different activities that he went through to search Mr. Schwartz's files and records?
[Page 229]
A No. He provided me about, I don't know, six-inch thick stack of papers that was output from what's called keyword search where I had provided and other people had provided a list of keywords for their search of Mr. Schwartz's data. And I was provided with a copy of the output from that search which I did a random scan through it.
Q Those keywords were words provided by the various people at Intel?
A Yes. The very minimum, I did provide at least two different sets.
Q And those keywords were meant to search for documents or materials that the people at Intel were concerned that Randal Schwartz might have copied from the files and the passwords that had been cracked?
A They were used to give what you might consider to be a red flag for a file that we would then look more closely at, yes.
Q And it was a rather lengthy list of keywords?
A I believe that it was fairly lengthy, yes.
Q And you reviewed that output carefully, I presume?
[Page 230]
A I did a random scan through it and spent about three hours looking at it.
Q And you found nothing in your review of those documents?
A I found nothing to me that would indicate that there was information on his computer that he would not have normal access to.
Q And there was also nothing on the files in his computers at Intel showing -- that indicated any proprietary or secret information that was contained in the files behind the cracked passwords had been copied there?
A I found no indication of that, yes.
Q One last question. Those materials that you provided Deputy Watson to conduct the search of Mr. Schwartz's computers and data, who provided those materials?
A Intel.
Q The software? The hardware?
A Well, I personally went out and purchased the enclosure for a disk drive that we loaned to the Sheriff's Office because they did not have sufficient storage to perform the search.
Q "We loaned"? Who is "we"?
A Excuse me. Intel.
[Page 231]
MR. SUSSMAN: Thank you. I have nothing further.
THE COURT: Mr. Tintera.

REDIRECT EXAMINATION
BY MR. TINTERA:
Q Mr. Morrissey, why was equipment loaned to the Sheriff's Department?
A The Sheriff's Department stated that they -- that they didn't have sufficient storage and asked whether or not we would be willing to loan them equipment for the duration of the investigation.
Q You've been asked whether information that was proprietary and that Mr. Schwartz shouldn't have had was located on either his Intel computer at his workstation or from his home system; is that correct?
A That's correct.
Q And nothing was found; is that right?
A I found no indication that there was such information.
Q Is there any way for you to know whether any of the cracked passwords were used in items copied to other areas that Mr. Schwartz had access [Page 232] to?
A No.
Q Is there any way to know whether items were copied and just placed on a diskette and put somewhere else?
A I wouldn't be able to determine that.
Q Does the information in a person's file tell you when you look at it whether it's been copied or not?
A No, it does not.
Q You were asked in regard to the Brillig computer if Mr. Schwartz had an active password. Does an active password on the computer equate to authorized use of that computer?
A No.
Q Why not?
A It's possible that once someone no longer has authorized access to a computer, it's possible that the removal of the password could be overlooked, could be the communication that the person is no longer authorized and never reached the appropriate people. There is a variety of reasons why it could have been active even though it should not have been.
Q So it could be active without being [Page 233] authorized?
A That's correct.
Q You were also asked about whether Mr. Schwartz had logged back onto Snoopy after the gate or the Crack program was started.
A Yes.
Q And you said you saw no evidence of him logging back on.
A Not on the Snoopy, no.
Q Does that mean that it's not -- that the information that the Crack program was generating was not available for Mr. Schwartz to view?
A No.
Q Could you explain that?
A There are six computers that were under my control and they are together on a little computer network, and the way they're set up, if you have access to one of the computer systems, you have access to all of them. And, in fact, where Mr. Schwartz was storing his data is what's called his home directory and the actual location where that data is stored was on another machine called Kandinsky, and through the computer network, all six computers had access to that data. So if you are logging on to any one of those six computers, [Page 234] you had access to the data no matter where you were at.
Q And can you answer this question, whether after October 21st Mr. Schwartz had logged onto other computers in that group?
A Yes, he had.
Q So although he had not logged into Snoopy, he could have accessed the data that the Crack program was generating without logging into Snoopy; is that right?
A That's correct.
Q Is there any way to know whether he looked without -- we know he didn't log in, but is there any way to know whether he looked at that data and made note of it?
A Not that -- I wasn't able to determine that.
Q When you made tapes, tapes of Mr. Schwartz's directory at Intel --
A Yes.
Q -- in this time period, October 28th, 29th?
A Yes.
Q -- did you review those tapes at the time?
[Page 235]
A I reviewed them sometime after November 1st.
Q And that does not -- would those tapes answer the question whether anything had been copied to a diskette and removed from Intel?
A No.
Q Did you see anything in regard to root access on those tapes, a program regarding root access?
A I did find a program in Mr. Schwartz's home directory that allowed him to gain root access without providing a password.
Q Is that a standard program for Systems Administrators?
A The one that he had?
Q Yeah.
A No. That's not a standard thing to do. That's generally considered a security policy or violation.
Q So how does somebody get root access?
A Normally, you go through a process -- there is two different ways you can do it. One is through a log-in process where you -- at a prompt usually under UNIX says "log in," you want to log in as "root," prompts you for a password and you [Page 236] provide a password.
Another way is once you log onto the system is a thing called SU, which stands for substituted user ID, and you're able to become rooted there.
Q But my question was, does not root access have to be given to you by someone who has it or has the authority to give it to you?
A Yes.
Q It's not within Intel's policy, is it, to use a computer program to generate it for yourself?
A No.
Q You were asked about people with -- that Systems Administrators have root access; is that correct?
A That's correct.
Q Do all people with -- who have root access, are they all Systems Administrators?
A No.
Q And why not?
A It's possible that -- well, for a variety of reasons. One is that there could be some special function on a computer that requires root access to maintain it and some trusted individual may be given root access to perform some small [Page 237] administrative function associated with some special item.
Also, it's quite likely, in the event that somebody gets hit by a truck or goes to work for another company, that other people would be aware of the root password so that normal operation on a computer could continue to function.
Q You're familiar with the Crack program now?
A Yes.
Q What type of notification do you use to tell people that they have poor passwords or passwords that have been cracked?
A The Systems Administrators, or whoever was running the Crack program would be, because they are -- the person that has the data would have to contact each of them individually.
Q Are you aware of an automated program that will notify a user of a cracked password?
A I believe that the Crack system does copy -- is able to do that, but I, personally, have never done that, so I don't know for sure.
Q You were asked about your testimony on June 14 in regard to whether Mr. Schwartz had root access, and you were asked about whether you had [Page 238] mentioned that it had been taken away in June or July. Why was it on June 14 you didn't testify about having taken away Mr. Schwartz's root access?
A Well, first, I was not asked and I hadn't really recalled that until after the hearing.
Q So the hearing jogged your memory?
A Yes.
Q You had been asked about whether Mr. Schwartz was running the Crack program, I think the phrase was "out in the open," and you had said that there -- that was -- there was subtle differences and depends on how you look at it. Could you explain that?
A In general, a user on a UNIX system really has no reason to go looking at all the processes that are running on a computer. And I as a Systems Administrator did not, under normal circumstances, have reasons to be going out looking at all the processes running on the system.
The program was running from October 21st to 28th before I discovered it. In general, if the machine is not acting in a way you don't expect it to behave, there is no reason for you to go investigating what may or may not be running on it.
[Page 239]
Q You were also asked about Mr. Schwartz's duties and you were asked about what you told Detective Lilley about what the defendant was not authorized to do. Could you tell this jury what you told Detective Lilley about what Mr. Schwartz was not -- what he was doing that he was not authorized to do?
A I told Detective Lilley that I had spoken with John Kent at SSD and spoke with Bob Wilcox and Clayton Kirkwood, both of whom had contracted with Randal Schwartz, and specifically asked them whether or not cracking passwords could be interpreted as to being within the scope of his responsibilities and all three of them told me no.
Q In regard to the Mink program and the script that was set, the gate script that Mr. Schwartz set up on it initially, you were asked about whether it left a prompt or blank screen when you went in. Do you remember one way or the other?
A I really don't recall. If it was a prompt, it probably was a very small prompt, but I'm not sure.
Q Why was this a security risk, this program?
25 A Well, at that point, any connections that 240 1 are occurring from that machine to inside Intel to 2 look to the machines as though they had originated 3 outside of Intel. A lot of people inside Intel who 4 are very busy doing other things do not necessarily 5 have good security. 6 It's not uncommon for machines not 7 to have good security. Instead, they rely on the 8 security at the firewalls to protect them for most 9 of the bad things that can happen. And it's 10 quite -- it's quite possible by masquerading 11 somebody getting access to programs and knew how to 12 use them, they were taking advantage of security 13 inside the company. 14 Q You said people might have to know an IP 15 address or an Intel computer to use this. Is that 16 information available? 17 A Yes. 18 Q Do you know where? 19 A Through the DNS system. 20 Q Is it available to people outside of 21 Intel? 22 A Yes. 23 Q How so? 24 A Well, DNS is a fairly complicated system 25 in that regard in that -- but it comes down to when 241 1 you go to look for the translation of either a name 2 into an IP address or IP address into a name, the 3 system is able to figure out who to go ask. And if 4 I knew the name of the computer system from inside 5 Intel or I could get some of the IP addresses, I 6 could determine whether or not they were valid 7 addresses inside Intel without being inside of 8 Intel itself. 9 Q Counsel had also asked you in regard to 10 this gate script, it could be 32,000 or possibly 11 might go even higher. You had indicated how long 12 would it take certain programs to run the 13 permutation against the 32,000. The robot 14 programs, you said, could check for these ports; is 15 that right? 16 A Yes. 17 Q If you're adding -- If you are doubling 18 the numbers, is that significantly increasing the 19 times? 20 A I don't -- 21 Q If you double the numbers, if the 22 permutations are 64,000, is that increasing the 23 time significantly? 24 A Potentially. 
25 Q What type of timeframe are we talking 242 1 about? Do you have any idea or am I on thin ice 2 here? 3 A Based on my knowledge of the TCP protocol 4 suite, I would say you're talking somewhere less 5 than 50 milliseconds to get an invalid response 6 back. Probably on average somewhere around there, 7 50 to 75 milliseconds. 8 Q Based on what you saw with what was 9 occurring on the main computer in regard to the 10 gate script, did this alter the Mink computer? 11 A It altered its functionality, yes. 12 Q Based on your information, was Randal 13 Schwartz authorized to alter the function of the 14 Mink computer by adding this gate script? 15 A He did not have permission to do that, 16 no. 17 Q Was he -- As Systems Administrator for 18 Bob Wilcox's group, did you authorize Randal 19 Schwartz to run the Crack program against the 20 Supercomputer Division password file? 21 A No, I did not. 22 Q You have the authority to do that? 23 A I felt I did, yes. I would have that 24 authority. 25 Q Did you have the authority to copy the 243 1 Supercomputer Division password file? 2 A No. 3 MR. TINTERA: Thank you. Those are 4 the only questions I have. 5 THE COURT: I do want to wrap this 6 up. 7 MR. SUSSMAN: Given the hour, I'll 8 try to keep these down to a few. 9 THE COURT: I'm not trying to 10 shorten you. If we can do it in five minutes -- 11 MR. SUSSMAN: I have people at home 12 that would like not to prolong this also. 13 14 RECROSS-EXAMINATION 15 BY MR. SUSSMAN: 16 Q Mr. Morrissey, it takes a very simple 17 command to remove a password from a password file, 18 doesn't it? 19 A Yes. Under normal circumstances, yes. 20 Q And if a person's still employed within 21 Intel or still under contract within Intel and the 22 password is not -- and their account is not 23 disabled, that would not -- that might be an 24 indication that they still had authorization to use 25 that computer, wouldn't it? 244 1 A It could be interpreted that way. 
2 Q You had mentioned something about finding 3 this program that allowed Mr. Schwartz to write -- 4 to have root access through the system without a 5 password. 6 A Yes. 7 Q That program merely allowed him to have 8 access to those systems where you already had root 9 access simply without doing the password; isn't 10 that correct? 11 A No. I was able to execute that program 12 on my systems and obtain root access without 13 providing a password. 14 Q But that program didn't allow him to do 15 anything that he was not already authorized to do 16 with the root access he had on his -- on the other 17 system; isn't that correct? 18 A I don't follow the question. If he had 19 root access on a system, this program did not allow 20 him to do anything he was not authorized to do via 21 root access. He did not have root access on my 22 systems and, therefore, this program allowed him to 23 do things on my systems that he was not authorized 24 to do. 25 Q Similarly, when Mr. Schwartz -- on the 245 1 gate program, Mr. Schwartz made contact from a 2 machine such as the Ruby machine at O'Reilly -- 3 A Yes. 4 Q -- back into Intel. That merely allowed 5 him to do exactly the things at a site outside of 6 Intel that he was able to do when he was sitting at 7 his own machine inside of Intel? 8 A That's correct. 9 Q So merely allowed him to do the work that 10 he could have done inside of Intel from a site 11 someplace else in the country? 12 A That's correct. 13 MR. SUSSMAN: Thank you. Nothing 14 further. 15 16 REDIRECT EXAMINATION 17 BY MR. TINTERA: 18 Q And the real risk was anyone else could 19 come in and do that, too, with the proper programs 20 to get through that gate; is that correct? 21 A Yes. 22 MR. TINTERA: Thank you. That's 23 all. 24 MR. SUSSMAN: Time to quit. 25 THE COURT: Thank you. You may step 246 1 down. You're excused. 2 We will be in recess, ladies and 3 gentlemen of the jury, until Tuesday morning, not 4 Monday. Tuesday morning about 9:30. 
Be here a 5 little before that and we will begin. 6 Leave your notes with Lynda and 7 we'll give those back to you on Tuesday. 8 Have a nice weekend. Don't talk 9 about the case. Don't read up on the subject. I'm 10 sure you're all intrigued now and eager to read up 11 on it and improve your computer skills. Don't do 12 it. Resist the urge. 13 See you Tuesday morning about 9:30. 14 Thank you. 15 Remove the jury. 16 (Evening recess.) 17 18 19 20 21 22 23 24 25