1 IN THE CIRCUIT COURT OF THE STATE OF OREGON 2 FOR THE COUNTY OF WASHINGTON 3 4 STATE OF OREGON, ) ) 5 Plaintiff, ) ) 6 vs. ) No. C940322CR ) 7 RANDAL LEE SCHWARTZ, ) ) 8 Defendant. ) Volume 7 9 10 11 TRANSCRIPT OF PROCEEDINGS 12 13 BE IT REMEMBERED THAT on the 14th 14 day of July, 1995, the above-entitled matter came 15 on for Hearing before the HONORABLE ALAN C. 16 BONEBRAKE, a Circuit Court Judge. 17 18 APPEARANCES 19 Thomas J. Tintera Washington County Deputy District Attorney 20 Representing the State of Oregon 21 Mark Sussman Attorney at Law 22 Representing the Defendant 23 24 25 2 1 WITNESS INDEX 2 3 FOR THE STATE: Direct Cross ReD ReX 4 5 6 Edward Masi 4 11 7 John Kent 16 100 138 142 8 Mark William Morrissey 154 180 230 242 9 244 10 11 FOR THE DEFENDANT: 12 13 John Kent 145 147 148 14 15 16 17 18 19 20 21 22 23 24 25 3 1 EXHIBIT INDEX 2 3 FOR THE STATE: Offered Received 4 5 6 Exhibit No. 2 50 51 7 Exhibit No. 3 54 55 8 Exhibit No. 4 63 63 9 Exhibit No. 5 68 68 10 Exhibit No. 6 68 68 11 Exhibit No. 7 68 68 12 Exhibit No. 8 75 75 13 Exhibit No. 9 82 83 14 Exhibit No. 14 94 95 15 Exhibit No. 15 94 96 16 Exhibit No. 18 83 83 17 Exhibit No. 19 82 18 19 20 21 22 23 24 25 4 1 MORNING SESSION 2 BEGINNING AT 9:40 A.M. 3 JULY 14, 1995 4 5 (Whereupon, the following 6 proceedings were held in 7 open court, the jury being 8 present:) 9 THE COURT: You can see by the clock 10 we're almost on time. We're working at it. 11 We were hearing State's witnesses. 12 So, Mr. Tintera, you may call your next witness. 13 MR. TINTERA: Ed Masi. 14 15 EDWARD MASI 16 called as a witness on behalf of the State, having 17 been first duly sworn under oath, was examined and 18 testified as follows: 19 20 THE CLERK: State your full name and 21 spell it for the record, please. 22 THE WITNESS: Edward Masi. M-a-s-i. 23 24 25 5 1 DIRECT EXAMINATION 2 BY MR. TINTERA: 3 Q Mr. Masi, how are you employed? 4 A I work for Intel Corporation. 5 Q And do you work at any particular 6 division or group at Intel Corporation? 7 A Right. Division called SSD in Cornell 8 Oaks. 9 Q And is that a separate division from the 10 group at Hawthorn Farms? 11 A Yes, it's physically separate. It 12 reports in to the senior vice president at Hawthorn 13 Farms, but it's separate. 14 Q What is your title at Intel? 15 A I'm a corporate vice president for Intel 16 Corporation and I'm also the general manager of 17 SSD. 18 Q And was that your position in October of 19 1993? 20 A Yes. 21 Q As the general manager and as the 22 corporate vice president of the Intel Corporation, 23 how do you keep your data or information where you 24 work? 25 A Well, it depends on the type of 6 1 information. Electronic information is kept 2 confidential, protected by password. Written 3 information would be locked in desks or cabinets. 4 Q And do you use a computer at your -- in 5 your office? 6 A Yes. 7 Q You, personally, do? 8 A Yes. 9 Q How do you use a computer? 10 A Largest percentage of the time, probably 11 90 percent of the time, I use it for electronic 12 mail, for receiving messages, for sending messages, 13 for reviewing material that may be part of a 14 meeting, pre-meeting, conference call. 15 Q Could you give the jury an idea of the 16 type of information that would have been on your 17 computer in October of 1993? 18 A The information would range from 19 information that dealt with Intel corporate 20 activities to information that was SSD specific. 21 As it relates to Intel Corporation, 22 it could be information that dealt with the pricing 23 of future microprocessors, the availability in 24 terms of announcement date and shipments of those 25 microprocessors, the performance versus 7 1 competition. 2 Information then could also include 3 information that would be typically called insider 4 information, information that could be used to 5 conclude what the financial results might be for 6 the upcoming quarter, that sort of information that 7 I would be, as an officer, bound not to use as 8 information to trade in the stock market. 9 Information that would deal with the 10 division could include information relative to the 11 division product, competitive sales situations, 12 pricing in those situations, competitive 13 strategies, manufacturing plans. 14 And then there would be information 15 that, because I reported to a senior vice president 16 at Hawthorn Farms, that would also deal with his 17 organization because typically, he would copy his 18 direct reports on information that dealt with his 19 group and so I would have the similar sorts of 20 information about their activities. 21 Q Could you tell the jury what the -- what 22 as the general manager of the Supercomputer 23 Division, what that division was doing or 24 attempting to accomplish in October of 1993? 25 A It's not that well understood, not that 8 1 visible. Intel Corporation is mostly thought of as 2 a semiconductor or microprocessor or chip company. 3 My division creates the world's largest, fastest 4 computers out of those chips. And the best way for 5 me to describe that is imagine one computer system 6 that would contain the equivalent of four or five 7 thousand personal computers and perhaps ten times 8 the amount of supporting technology that a personal 9 computer might normally have, so these are very 10 large, very expensive systems. 11 The largest system in the world has 12 been and is manufactured by Intel and happens to be 13 installed at Sandy and national labs and used for 14 application like nuclear weapons safety. So these 15 are very special systems. They can cost as much as 16 $20 million. 17 Q And does any type of research and 18 development occur in the Supercomputer Division? 19 A Yes. We have the highest concentration 20 of Ph.D.'s in mathematics and the sciences within 21 any Intel group at the division and areas -- there 22 are technical areas in which a number of patents 23 have been filed and are held which deal with both 24 the architecture and underlying technology 25 associated with building these rather unique 9 1 computing systems. 2 Q What type of security measures are taken 3 to protect this information? 4 A Electronic information is protected 5 through a password scheme. Information that may be 6 in hard copy is protected through a scheme that 7 identifies and issues to the holder of that 8 information based on the secrecy or security level 9 of that information. So we have red book 10 information, literally a book of information with a 11 red cover on it assigned to an individual. 12 Corporate policy says that individual cannot 13 reproduce and must at all times own that 14 information. 15 Then there would be various levels 16 of information below that, and so if the 17 information is in hard copy, it's controlled that 18 way. Electronic, it's controlled through password. 19 Q Now, the electronic information that you 20 have in your office is protected by? 21 A Password. 22 Q And is that password known only to a very 23 limited number of individuals? 24 A The only person who knows my password, 25 other than myself, would be my secretary. 10 1 Q And does the password, itself, carry any 2 potential or actual commercial value? 3 A Yes. If you have my password, it's like 4 having the keys to my home. You can go into my 5 home and literally look at any of the file cabinets 6 in which the information I just described earlier 7 would be located. 8 Q And would the possession of your password 9 present a person with an opportunity to gain a 10 business advantage? 11 A Oh, absolutely. Absolutely. In terms of 12 Intel Corporation, because there are a number of 13 companies that compete with us in both the United 14 States and other parts of the world, and in terms 15 of my specific division responsibility. 16 MR. TINTERA: Would you mark this as 17 the next exhibit. 18 BY MR. TINTERA: 19 Q Mr. Masi, I'm going to hand you State's 20 Exhibit 17. Could you just tell the jury what that 21 is? Not what's on it, but what it is. 22 A Okay. Well, this is a magnetic disk and 23 this disk can hold about one and a half million 24 characters of information. And on the assumption 25 that a page in a book might hold 200 words or a 11 1 thousand characters of information, imagine this 2 holding 1500 pages of that sort of information. 3 Q So this could hold 1500 pages of 4 information? 5 A Right. 6 Q And if someone has your password, is 7 there anything to keep them from copying 1500 pages 8 of information to that disk? 9 A No. 10 Q Would you know it? 11 A No. I wouldn't know it. 12 Q Your computer can't tell you if that 13 information has been copied? 14 A No. 15 MR. TINTERA: Those are the only 16 questions I have. 17 THE COURT: Mr. Sussman. 18 MR. SUSSMAN: Thank you, Your Honor. 19 20 21 22 23 24 25 12 1 CROSS-EXAMINATION 2 BY MR. SUSSMAN: 3 Q Mr. Masi, I have a few questions for you. 4 On your electronic data, the data 5 that's stored in your machines is so sensitive that 6 it's extremely important in that your password 7 security be very good? 8 A Uh-huh. 9 Q You have to answer outloud. 10 A Yes. 11 Q And then assuring that the password 12 security is good, you need to make sure that you 13 have good passwords, don't you? 14 A Yes. 15 Q And if you have a -- in fact, Intel has 16 policies for setting up -- for choosing passwords, 17 doesn't it? 18 A Yes. 19 Q Mr. Masi, I'd like to show you what has 20 been marked for identification as Defendant's 21 Exhibit 107. Do you recognize what this is a copy 22 of? 23 A Yes. 24 Q And what is that? 25 A Information Security Bulletin for 13 1 employees. 2 Q Is that something that you were familiar 3 with as -- 4 A Not directly. That is, I haven't read 5 every page of it, but certainly in terms of being 6 issued a password and having a system set up, I was 7 briefed on it. 8 Q Did you receive one of those manuals? 9 A I may have. I joined Intel three and a 10 half years ago, so I don't recall. 11 Q Now, directing your attention to policies 12 for employees, I guess you would come under 13 "employee" even though you're -- 14 A I'm an employee. 15 Q Policy No. 3.5 refers to the policy on 16 accounts and passwords; is that correct? 17 A Yes. 18 Q Would you read for the jury what policy 19 3.5 states. 20 MR. TINTERA: Your Honor, I object. 21 MR. SUSSMAN: Let me rephrase the 22 question. 23 BY MR. SUSSMAN: 24 Q Policy 3.5 indicates that you're not to 25 give out your password to anybody. Are you 14 1 familiar with that policy? 2 A Right. 3 Q But you gave out your password to your 4 secretary? 5 A That's correct. 6 Q Policy 3.5 also says to "choose good 7 passwords, meaning six or more characters, one or 8 more special characters, not all numbers, not in 9 any dictionary." 10 A Right. 11 Q Are you familiar with that policy? 12 A Yes. 13 Q Now, unfortunately, at the time this 14 incident with Mr. Schwartz arose, you had a 15 password which was one of those passwords which was 16 cracked during the run of this Crack password file; 17 is that correct? 18 A Yes. 19 Q I'll show you what has been marked for 20 identification State's Exhibit 15 and I'll show you 21 the next to last -- just directing your attention 22 to the next to last -- the third from the bottom, 23 is that your password? 24 A It was at that point in time. 25 Q And that password was PRE dollar sign 15 1 IDEJ; is that it? 2 A Yes. 3 Q Just a simple variation of a dictionary? 4 A Yes, it has more than six characters and 5 a special character. 6 Q Based on a dictionary word "president"? 7 A Yes. 8 Q If there was a problem with your 9 password, this was not a good word, would you 10 expect your Systems Administrators in charge of 11 security to inform you of that? 12 A I felt it conformed, when I created it, 13 to the policy. 14 Q If there was a problem with that 15 password, would you expect to be informed by the 16 Systems Administrator or the person in charge of 17 the system that your computer was on? 18 A I would expect so, I guess. I've not had 19 that experience. 20 Q You haven't had the experience of any of 21 the Systems Administrators working on the machines 22 in the areas that you are working on testing the 23 security of your passwords? 24 A What the Systems Administrators do is not 25 visible to me. 16 1 MR. SUSSMAN: Thank you. I have 2 nothing further. 3 THE COURT: Mr. Tintera. 4 MR. TINTERA: No. He's identified 5 State's Exhibit 15. That was the only thing I 6 wanted him to do. I have no further questions. 7 THE COURT: Thank you. You may step 8 down. You're free to go. 9 Call your next witness. 10 MR. TINTERA: John Kent. 11 12 JOHN KENT 13 called as a witness on behalf of the State, having 14 been first duly sworn under oath, was examined and 15 testified as follows: 16 17 THE CLERK: State your full name and 18 spell it for the record, please. 19 THE WITNESS: My name is John Kent. 20 K-e-n-t. 21 22 23 24 25 17 1 DIRECT EXAMINATION 2 BY MR. TINTERA: 3 Q Mr. Kent, how are you employed, sir? 4 A I'm currently employed by Intel 5 Corporation in Oregon. 6 Q And what do you do for them? 7 A I work in the IT organization as a 8 Systems Administrator. 9 Q The IT organization, is that part of any 10 other organization? 11 A That's Information Technology. 12 Q And was that the same position you held 13 in October of 1993? 14 A Yes, it's a relatively similar position. 15 Q And where were you working in October of 16 1993? 17 A I was working for Intel Supercomputer 18 Division in Cornell Oaks. 19 Q What type of computer training have you 20 had? 21 A I've been in the business for over 20 22 years, both in networks and systems administration. 23 I've been trained on numerous different systems. 24 Q Now, could you tell the jury what a 25 Systems Administrator does, in lay terms, if you 18 1 can? 2 A It's basically maintenance and upkeep of 3 computer systems of various size or nature. 4 Q Now, as a Systems Administrator for IT, 5 is that part of the Supercomputer Division or are 6 you working for a different group now? 7 A I work for a corporate-based group now. 8 Q Let's go back to October of 1993. You 9 were working for the Supercomputer Division? 10 A Yes. 11 Q And as a Systems Administrator? 12 A Yes. 13 Q So you were making sure that the systems 14 operate correctly? 15 A My main -- the main systems I dealt with 16 at Intel Supercomputers were mainly UNIX-based, 17 UNIX-operating based systems. 18 Q And did you administer systems at other 19 campuses, Hawthorn Farms or any of the other 20 campuses? 21 A No. At that time, we were a separate 22 division. I just dealt with systems that were 23 specifically at Intel Supercomputers, although I 24 had interface with other people at the other 25 campuses. 19 1 Q Well, where are those systems kept, 2 those -- are those at Cornell Oaks? 3 A Yeah, those systems are at the Cornell 4 Oaks Campus buildings. 5 Q Do you know Randal Schwartz? 6 A I've met Randal on a couple occasions, 7 yes. 8 Q And were you present with the 9 Supercomputer Division when he was a contract 10 employee there? 11 A At one time, yes. 12 Q When was that? 13 A That was during 1993, I believe the year 14 was. 15 Q And did you have any responsibilities -- 16 well, let's lead up to that. 17 Was there a period of time when 18 Mr. Schwartz was not going to be working for the 19 Supercomputer Division anymore? 20 A Yes, I do recall that. 21 Q Tell me what you know about that. 22 A We had a particular incident shortly 23 before Randal Schwartz was -- 24 Q There is a fan behind me. Could you 25 speak up a little bit, sir. 20 1 MR. SUSSMAN: Ask a question in aid 2 of objection? 3 THE COURT: You may. 4 5 EXAMINATION IN AID OF OBJECTION 6 BY MR. SUSSMAN: 7 Q The question was sort of pretty broad, 8 like what do you know about Mr. Schwartz's 9 situation there. Is this based on personal 10 knowledge that you have? 11 A Yes. 12 Q Were you working with Mr. Schwartz at the 13 time of the events that you're talking about? 14 A I was not working directly with 15 Mr. Schwartz. He was not part of the Systems 16 Administrator group at Intel SSD. 17 MR. SUSSMAN: I have no objection. 18 THE COURT: Proceed. 19 BY MR. TINTERA: 20 Q So your knowledge is based on knowledge 21 that you received as a Systems Administrator 22 responsible for all those computers? 23 A Through our team, that's how I learned of 24 Randal at SSD. 25 Q So you can continue. We were talking 21 1 about the days before or what information you had 2 right before he left the Supercomputer Division. 3 A I was approached by one of my fellow 4 Systems Administrators and he had a concern that -- 5 MR. SUSSMAN: Your Honor, I object 6 now because the question is calling for a hearsay 7 answer and talking about discussions that were 8 occurring between various people about 9 Mr. Schwartz's activities that were not directly -- 10 they are not directly involved with this witness' 11 involvement with Mr. Schwartz. 12 THE COURT: Well, I would have hoped 13 that the next question would be what he did as a 14 result of that. 15 MR. TINTERA: I'm trying to get 16 there. 17 THE COURT: Then I'm going to 18 overrule the objection. This evidence will -- I'll 19 tell the jury, he's about to relate what somebody 20 else told him and we have rules about when and 21 where that sort of information can be used, that 22 sort of testimony. You can't -- he's going to, 23 apparently, tell us what one of his co-workers told 24 him, something about the defendant. 25 You can use that to help you 22 1 understand what he's going to say later on, but 2 what he heard his fellow employee say to him about 3 the defendant cannot be used by you to prove that 4 that actually was the truth. It helps in 5 understanding the whole story, but it's not 6 evidence to prove the truth of whatever this other 7 person said. 8 Go ahead. 9 BY MR. TINTERA: 10 Q So one of your co-worker Systems 11 Administrators approached you and then what 12 happened? 13 A Asked me to verify that we had a user 14 account name was Merlyn, also known as Randal 15 Schwartz, had gone in and given himself complete 16 root, basically full supervisor rights on a system 17 without permission. 18 So I indeed did follow along with 19 this other Systems Administrator and we checked it 20 out and indeed, he had given himself root 21 privileges on a machine without -- 22 Q The name of the machine was what? 23 A DEC. D-E-C. 24 Q Digital Equipment Corporation? 25 A Yes. 23 1 Q Could you explain what the problem was? 2 He had given himself root. Is that a word of art 3 in systems administration or computer use? 4 A When you have root access on a system, it 5 basically gives you the privileges to pretty much 6 do what you want to do on the system. It's like 7 being the main overseer, you can go in and change 8 things, you can add your own programs to the 9 system, you can alter things, you can run programs. 10 Q So you can act as an overseer for the 11 whole machine? 12 A Yes. 13 Q What was the problem? 14 A The problem was that -- 15 MR. SUSSMAN: Your Honor, I have to 16 interrupt and I have to take up a matter with the 17 Court outside the presence of the jury on this. 18 THE COURT: Remove the jury. I need 19 to take up a matter outside your presence. 20 (Whereupon, the following 21 proceedings were held in 22 open court, out of the 23 presence of the jury:) 24 THE COURT: Mr. Sussman. 25 MR. SUSSMAN: Your Honor, what 24 1 concerns me about this line of inquiry, we've got a 2 witness being asked to testify about an incident 3 that we have no reports on. We have been provided 4 with no reports on involving what appears to be 5 some other incident suggesting that Mr. Schwartz 6 was violating security, and I am at a loss to 7 recall, unless the State has something -- can show 8 me something specific, but I cannot recall being 9 given or seeing any reports about this prior 10 incident that discussed the details of it and 11 described what Mr. Schwartz was -- what is being 12 described here. 13 THE COURT: Mr. Tintera. 14 MR. TINTERA: That was provided to 15 the defense in what is essentially an e-mail from 16 this witness, John Kent, to David Small, on Page 2 17 in the middle of the page and describes this 18 incident. 19 THE COURT: Mr. Sussman, see if you 20 can -- 21 MR. SUSSMAN: I'm sorry, I do see 22 that, Your Honor. I do see that. 23 THE COURT: Does that satisfy you, 24 Mr. Sussman? 25 MR. SUSSMAN: Yes, Your Honor. 25 1 THE COURT: Let's let the jury take 2 five minutes, since we're out anyway. You had 3 something you wanted to say to me. Feel free if 4 you want. I think when I was asking for argument, 5 you were going to say something. If you want to 6 talk with either counsel during this brief recess, 7 you may. 8 In a very short period of time, 9 we'll start again. 10 (Recess.) 11 THE COURT: We have taken a short 12 break. I saw counsel briefly in chambers. 13 Mr. Sussman, you have a matter, I 14 think you wanted to address the Court on, on this 15 conduct we're hearing about now. 16 MR. SUSSMAN: Yes, Your Honor. In 17 addition to the grounds previously stated, concerns 18 previously stated, I do note that pretrial, in 19 motions in limine to exclude certain evidence of 20 uncharged misconduct and should be excluded on the 21 grounds that it was not relevant, and if it was 22 relevant, then the value it had is outweighed by 23 the prejudicial effect. 24 We have here a brief reference to 25 the security incident we're going to hear about 26 1 suggesting that Mr. Schwartz was essentially going 2 into other machines or in setting up privileges on 3 his own and this is clearly another form of 4 misconduct which could be -- the theory could be 5 charged it's the kind of misconduct which seems to 6 be -- appears to be offering it to show that 7 Mr. Schwartz appeared -- acted consistent with that 8 kind of behavior. 9 We think it's not relevant to the 10 charges here and any relevance it has is outweighed 11 by its prejudicial effect. 12 THE COURT: Okay. Mr. Tintera. 13 MR. TINTERA: Judge, the defense has 14 indicated that they -- that the defendant did not 15 know that the activities that are charged were 16 against Intel policy or without authorization. 17 This is part of the -- it's close in time and it's 18 part of the process of showing to the jury that he 19 certainly did know what was right and wrong in his 20 activities of the Intel Corporation. 21 I think it comes in to show the 22 defendant's knowledge, both his personal knowledge 23 and actual received knowledge of Intel policies and 24 what was right and wrong. 25 THE COURT: Well, this is not the 27 1 first time I've had an occasion to consider the 2 application of Rule 404, Subsection 3 primarily, 3 and consider also in doing that 403, which is the 4 weighing process. 5 MR. SUSSMAN: The witness has to 6 testify that this incident occurred in early 1992, 7 which is approximately at least a year and a half 8 before the incidents here that he's charged with 9 here. And none of the charges here involve an 10 allegation Mr. Schwartz had given himself root 11 access, this special privilege to access other 12 computers, which is the nature of the violation 13 being described. 14 THE COURT: Well, I'm going to go 15 based on the evidence I've heard so far and the 16 explanation of root access. 17 One of the prior witnesses testified 18 that root access was basically God privileged with 19 a computer. You could do anything you wanted. I 20 assume that having a password that permits you to 21 obtain information from the computer is similar, 22 but something of a lesser degree, and so there 23 seems to be a similarity there of access to 24 information held in the computer, whether you have 25 root access or whether you simply know a password 28 1 that allows you to obtain access to information 2 held in computers, and so there certainly would 3 seem to be a very -- those seem to be similar. 4 The fact that it's a year prior is 5 something to consider, but if this evidence is to 6 be evidence that the defendant was in some form 7 chastised or informed that he was not to do this 8 sort of thing, that is, to operate the computers so 9 as to give himself root access, it would seem -- 10 with Intel, it would seem unlikely that that's the 11 kind of thing that he would have forgotten in a 12 year. 13 I already heard he's a person that 14 finished high school two years early and a very 15 bright fellow, and it's obvious and hard to believe 16 that if he had been told that, he would have 17 forgotten it a year later. 18 It is uncharged conduct and there is 19 always a risk of prejudice to a party; that is, 20 that a fact-finder, in this case the jury, would 21 use that to the improper purpose of saying, "Well, 22 he did it before so he must have done it in this 23 case." 24 There is a means of trying to 25 protect against that sort of prejudice by the Court 29 1 giving, when it allows this sort of evidence, a 2 cautionary instruction to the jury. If you read 3 State v. Brady -- no. 4 MR. TINTERA: Johns. 5 THE COURT: State v. Johns, one of 6 the first cases that came out of this county, Judge 7 Ashmanskas' case, dealt with the element of intent, 8 a murder case, and the courts approved of the 9 giving of a cautionary instruction when it's 10 requested by a party. 11 Based upon what I've heard in this 12 case, it seems to me that evidence of similar 13 uncharged conduct committed previously a year 14 before, based on what I've heard in opening 15 statements, jury voir dire, questioning of other 16 witnesses, seems to be extremely relevant; that is, 17 it tends to disprove, if believed, an assertion by 18 the defense that the defendant thought he -- either 19 this was a part of his job as a Systems 20 Administrator or that he had the authority to do 21 this as a Systems Administrator and was simply 22 doing it for the protection of Intel and somehow 23 didn't know that obtaining passwords and 24 information from computers that he was not 25 authorized to have was against policy. 30 1 It also would -- I can see the type 2 of defense here that I've heard about so far, even 3 though we haven't got to the defense case, but from 4 opening statements and cross-examination and voir 5 dire, that the defense could also possibly be built 6 on the basis that the defendant somehow was 7 mistaken, that if he wasn't authorized, that he 8 thought he was authorized to do this, and this 9 would tend to negate the possibility that a mistake 10 had been committed, some mistake or accident. 11 I think this evidence is relevant to 12 all of those things. It doesn't seem to be 13 extremely prejudicial. I haven't heard every word 14 that this witness is going to speak, but I've been 15 advised generally of what he's going to say and so 16 I'm going to permit it. I think it is very 17 relevant. And even under 403, weighing the 18 possibility of prejudice against the relevance and 19 the weight of the evidence, it's clear to me that 20 given the type of case that we have here, that this 21 is relevant and the relevance outweighs the 22 possible prejudice. 23 Having said that, if the defense 24 wants me at some point to either now or later give 25 some sort of limiting instruction, cautionary 31 1 instruction to the jury about what they can use 2 this information for, I'd be pleased to consider 3 that. In the absence of such request, I won't give 4 one. Anything else? 5 MR. SUSSMAN: No, Your Honor. 6 THE COURT: Let's bring in the jury 7 and proceed. 8 (Whereupon, the following 9 proceedings were held in 10 open court, the jury being 11 present:) 12 THE COURT: Proceed, Mr. Tintera. 13 BY MR. TINTERA: 14 Q Mr. Kent, we were talking about a 15 security incident involving Digital Equipment 16 computer -- Corporation computer, to bring you 17 back. Do you know when that occurred? 18 A I don't recall the exact date. 19 Q Was it sometime before Mr. Schwartz was 20 no longer working at the Supercomputer Division? 21 A Yes, it was. 22 Q Do you know if it was years before or can 23 you give us some sort of timeframe? 24 A Definitely not years. If I recall, I 25 started at Intel around about the end of 1992, so 32 1 it was definitely a number of months after that. 2 MR. SUSSMAN: I couldn't hear the 3 answer. It was "some months" what? 4 THE COURT: I need to have a minute 5 here. Just stop for a minute. 6 (Pause in the proceedings.) 7 THE COURT: Okay, go ahead. 8 Was there an objection to the 9 question? 10 MR. SUSSMAN: No. I couldn't hear 11 the response to the last question, whether he 12 said -- whether he said "sometime after." 13 THE WITNESS: No. The incident. 14 MR. SUSSMAN: You're saying this 15 occurred sometime after Mr. Schwartz stopped 16 working at SSD? 17 THE WITNESS: No. The incident 18 occurred while he was working at SSD. 19 BY MR. TINTERA: 20 Q Let me hand you these two pages. Are you 21 familiar with these two pages, sir? 22 A Yes, I am. 23 Q And what is this? 24 A This is a report that we put together. 25 Q You? 33 1 A Myself and Doug Smith, who was my 2 co-partner, if you will, another one of our Systems 3 Administrators at SSD. 4 Q Could you just read to yourself under the 5 notes and see if that help refreshes your 6 recollection about this event. 7 A (Witness complies.) Yeah, I still recall 8 the incident, even without reading that. 9 Q So we have this security incident 10 involving the DEC computer. Would you tell the 11 jury what happened. 12 A I was approached by Doug Smith, who is 13 another one of our Systems Administrators at that 14 time at SSD, and he said that they had found the 15 user Merlyn, aka Randal Schwartz, had gone and 16 changed the root password on this DEC server that 17 we had located in one of our rooms over at Intel 18 SSD. 19 What we did was contact the Intel 20 administrator that dealt with those specific types 21 of systems and they came in and rectified it and 22 got the root password changed again so he didn't 23 have that access. And then Doug Smith and I 24 reported the incident to our management that we 25 didn't feel this was very appropriate. 34 1 Q Was that information provided to 2 Mr. Schwartz? 3 A What we did was, rather than directly 4 confront Mr. Schwartz, we went to our managers to 5 inform them that there had been an incident, and 6 that we contacted the DEC administrators to inform 7 them that there had been an incident and we 8 provided all the information directly to our 9 managers. They then took that and dealt with it 10 appropriately in their fashion. 11 Q And was that Herb Mayer and John Gray? 12 A Initially John Gray, who was our campus 13 manager, and then he and Herb Mayer had discussions 14 about this incident. 15 Q Was the root password taken away from 16 Mr. Schwartz? 17 A Most definitely. At that time, it was 18 changed appropriately. 19 Q Could you tell the jury what the 20 difference between a root password and just a 21 normal password, one like Ed Masi had? What's the 22 difference? 23 A Well, to put it basically, it gives you 24 overall power over that machine. As I heard it 25 explained earlier, it gives you God rights on that 35 1 particular machine. You can do whatever you want. 2 Q So it's different than just a normal 3 password that gives you access to the machine? 4 A Most definitely. 5 Q And where does -- who has this type of 6 root password? Where does it come from? Who has 7 the authority to give someone this type of control 8 over a machine? 9 A Well, I am entrusted by my manager as 10 being a member of a specified team of people. 11 Those specified team of people are the only people 12 that are given that type of right over that 13 machine. 14 Q Now, to move on from that, was there any 15 other problem besides the root password? Was there 16 any other change made to the DEC server? 17 A None that I'm aware of. 18 Q Anything involving back doors? 19 A Well, basically if you give yourself root 20 permission on a server, you can do what you want on 21 there, and having a root password allows you to 22 access that machine in any way that you need to. 23 Q Were you involved at all in removing 24 Mr. Schwartz's accounts or passwords or whatever he 25 had at the Supercomputer Division when he left that 36 1 division? 2 A Yes. 3 Q And can you give us a timeframe when that 4 was? 5 A I don't have the exact date. 6 Q We don't need the exact date. Can you 7 give us a timeframe of when that was? 8 A It was in the latter part of 1993, 9 approximately. 10 Q So in 1993, what did you do? 11 A I was informed that Randal Schwartz had 12 left Intel SSD. I went in as an administrator, 13 root, and I deleted his accounts. Basically, I 14 disabled his password access onto those machines. 15 I also scanned around other known 16 machines and checked for user Merlyn to make sure 17 there were no other accounts around and also 18 disabled any of those that I did find. 19 Q So what were you attempting to 20 accomplish? 21 A Well, he had left our division, 22 therefore, he had no need for those accounts and I 23 closed them down at the request of management. 24 Q What about the Brillig computer, that 25 part of the Supercomputer Division? 37 1 A It's owned by Supercomputers, yes. 2 Q Did you close the account on that? 3 A No. It had a different password file. 4 Q So the Brillig password file is separate 5 from the full SSD password file? 6 A Because of the nature of that specific 7 machine and what it was being used for by a 8 development group, yes, it had a different password 9 file. 10 Q Are you part of the administration of 11 that machine? 12 A I assist partially with that machine, but 13 there was a software engineer who was controlling. 14 Q Who is that? 15 A That was Mr. Rich Greco. 16 Q You know at that period of time the size 17 of the password file on Brillig? 18 A Yeah. When I went in and checked it, 19 there must have been approximately 30, 40 users. 20 Without looking at it, I can't recall the exact 21 amount, but it was a very small password file. 22 Q And the password file to the 23 Supercomputer Division, what was its size? 24 A Hundreds. Five or six hundred or more. 25 Q Well, can you explain to the jury how it 38 1 was that Mr. Schwartz's account on the Brillig 2 computer was not disabled or closed? 3 A As I mentioned earlier, there were 4 certain systems, very, very few, that are used 5 specifically for certain types of software 6 development. This particular machine was partially 7 under the control, if you will, of a software 8 engineer group. 9 Can you refresh me on that question 10 again? I want to make sure I answer this properly. 11 Q I was asking, if you are the person 12 responsible for disabling or terminating all of 13 Mr. Schwartz's access to Supercomputer Division 14 computers or his accounts, how was it that this 15 machine was overlooked? 16 A When I go in as a Systems 17 Administrator -- 18 MR. SUSSMAN: Objection to the form 19 of the question. Assuming facts not in evidence, 20 that it was overlooked. 21 THE COURT: Sustained. 22 BY MR. TINTERA: 23 Q Was Mr. Schwartz's account on the Brillig 24 computer disabled? 25 A No, it was not. 39 1 Q Should it have been disabled when he left 2 the Supercomputer Division? 3 A Most definitely. 4 MR. SUSSMAN: Question in aid of 5 objection? 6 THE COURT: You may. 7 EXAMINATION IN AID OF OBJECTION 8 BY MR. SUSSMAN: 9 Q Did anybody specifically tell you to 10 disable the account on Brillig? 11 A We were not aware that Merlyn still had 12 an account sitting on that particular system. 13 Q So you had no personal knowledge that the 14 account was on the system? 15 A No, because it was -- 16 Q Could have been set up by other Systems 17 Administrator that could have set it up besides 18 you? 19 A Not within my group, no. Somebody that 20 was associated perhaps, as I said, like a software 21 engineer that was working within SSD for specific 22 development purposes, it may have been set up. 23 Q So the person who may have suggested that 24 it be set up may not have told you that that 25 account should have been closed; is that right? 40 1 A Can I answer that in a very explicit 2 fashion, in the way I feel it should be answered? 3 When somebody leaves the company or moves to 4 another division within the company, their direct 5 supervisor or manager must report not only down to 6 the IT organization that this person has left or is 7 moving, but if he has any other software engineers 8 that has machines that he knows people are working 9 on, he has the responsibility of reporting this 10 information directly to the people that he's in 11 charge of. 12 Q And nobody reported to you that 13 Mr. Schwartz was moving off the Brillig machine? 14 A I'm sorry, could you repeat that? 15 Q Nobody reported to you to close the 16 account on the Brillig machine then? 17 A No. 18 Q You had no personal knowledge about 19 whether that account should be closed? 20 A Until the time of the incident, no. 21 Q Until November 1st, 1993? 22 A Approximately. 23 MR. SUSSMAN: I object to this 24 witness then further testifying about responding to 25 the question, Your Honor, as to -- that 41 1 Mr. Schwartz's account should have been -- in his 2 view should have been closed at that time. He 3 doesn't have personal knowledge of that. 4 THE COURT: Mr. Tintera, any 5 argument on that? 6 MR. TINTERA: Your Honor, this -- I 7 can establish that this person is responsible for 8 security as a Systems Administrator for the 9 Supercomputer Division. 10 THE COURT: Go ahead, if you want to 11 ask more questions before we get to that question 12 again. 13 BY MR. TINTERA: 14 Q As the Systems Administrator, are any of 15 your duties involving the security of the 16 Supercomputer Division? 17 A Yes. 18 Q And are you also responsible for -- Well, 19 as a Systems Administrator, if a person has their 20 accounts terminated within the larger group of the 21 Supercomputer Division, are they entitled or 22 authorized to maintain accounts on other computers 23 within the Supercomputer Division? 24 A No, they are not. 25 Q And how do you know that? 42 1 A Because it's told to us from upper level 2 Intel management, explained to us by local 3 management, and it's a process by which most 4 people, I would presume, fully understand that if 5 they have their main account shut down, that they 6 shouldn't be utilizing other little accounts within 7 a company. 8 Q So that is Intel's policy -- 9 A Yeah, I believe that that is. 10 Q -- or a practice? 11 A I believe it's both a policy and a 12 practice. 13 MR. TINTERA: Judge, I think that's 14 sufficient. 15 THE COURT: Overrule the objection. 16 He can answer the question. 17 BY MR. TINTERA: 18 Q Why was it that Mr. Schwartz's account on 19 Brillig was overlooked when you closed out his main 20 accounts within the Supercomputer Division? 21 MR. SUSSMAN: I object to the form 22 of the question. 23 THE COURT: There was an objection 24 to the word "overlooked" before and I sustained 25 that. If you want to ask him why the password on 43 1 Brillig was not terminated at that time, I'll 2 permit him to answer that. 3 BY MR. TINTERA: 4 Q Why was Mr. Schwartz's account left open 5 on the Brillig computer? 6 A Because I was not aware or told that he 7 had an account on the system Brillig. 8 Q And since he was leaving the 9 Supercomputer Division, had you been aware of that, 10 would you have taken any action? 11 A It would have been terminated at exactly 12 the same time and moment that we did all the other 13 ones, yes. 14 Q And why was that? 15 A Because he had left the division. 16 Q He had no business there? 17 A No, he had no business there. 18 Q Do you recall receiving information from 19 Mark Morrissey at Hawthorn Farms regarding the 20 Brillig computer? It would have been in October of 21 1993. 22 A May I get my notes off there and then I 23 can match the dates? 24 MR. TINTERA: Yeah. 25 THE WITNESS: Would that be okay? 44 1 THE COURT: You may. 2 THE WITNESS: Could you rephrase the 3 question? 4 MR. TINTERA: I'll just ask it 5 again. 6 BY MR. TINTERA: 7 Q Do you recall receiving information from 8 Mark Morrissey at Hawthorn Farms regarding the 9 Brillig computer in the last week of October of 10 1993? 11 A Thursday, October 28th, Mark Morrissey 12 contacted me by phone. 13 Q By what? 14 A By telephone. 15 Q He didn't use e-mail? 16 A We were not using e-mail at that 17 particular point out of concern that there might be 18 access to e-mail. 19 Q So by telephone? 20 A Yes. Voice only. 21 Q And what was the nature of that 22 conversation? 23 A He informed me that he had spotted a user 24 by the name of Merlyn coming in and out of a system 25 known as Brillig that was located at my site. 45 1 Q Now, when you say "coming in and out of," 2 does that mean like logging into and logging out 3 of? 4 A Yes. 5 Q And what was the concern, if any? 6 A Well, initially, he wanted me to go do a 7 check on Brillig, and I have that here in my notes. 8 Q What did you do? 9 A I went to the machine Brillig and talked 10 with Rich Greco and we sat down and I went through, 11 and sure enough, found that there was an account 12 under the name Merlyn, there had been access to 13 that account, and we found processes or programs 14 running on that machine that were owned by that 15 person. 16 Q Was this after you had terminated 17 Mr. Schwartz's main accounts with the Supercomputer 18 Division? 19 A Yes. 20 Q Was this an authorized account? 21 A In my mind -- 22 MR. SUSSMAN: Objection. Calls for 23 a conclusion of this witness and -- 24 MR. TINTERA: He's a Systems 25 Administrator for this particular portion of Intel 46 1 and knows who has an authorized account and who 2 does not. 3 THE COURT: I have a question about 4 the question you've asked. Is the question whether 5 or not it was authorized originally or whether it 6 was authorized at the time he found it to be 7 running on this occasion? 8 BY MR. TINTERA: 9 Q I'm asking about the timeframe on October 10 28th when you looked at the Brillig. 11 THE COURT: Whether on that occasion 12 it was an authorized account? 13 MR. TINTERA: Yes. 14 THE COURT: He may answer that. 15 Overrule the objection. 16 BY MR. TINTERA: 17 Q Was that an authorized account on October 18 28th? When you looked at that Brillig computer, 19 was Randal Schwartz's Merlyn account authorized? 20 A From fully understanding Intel's policies 21 and rules, no, that was not an authorized account. 22 Q So what did you do? 23 A Up until Monday, November 1st, at 9:30 in 24 the morning, we monitored that system for any 25 activity that was going on for user Merlyn. 47 1 Q Did you do any type of analysis or 2 looking into this computer? This is kind of like 3 looking into a crystal ball to me, but did you do 4 something to find out what was happening with this 5 computer, how it was being used by Mr. Schwartz or 6 Merlyn, which was his user name? 7 A Yes. We used standard UNIX commands and 8 systems administration tools to check the system to 9 see whether there was activity and other items on 10 that system. 11 Q These are a little small, but I'd like 12 you to approach this easel, and if you could -- 13 THE COURT: Have you seen those, 14 Mr. Sussman? 15 MR. SUSSMAN: I'm sure these are 16 copies of things that I have in discovery, but if I 17 could move around to see them. 18 THE COURT: Sure. 19 THE WITNESS: I'll come around. 20 This side's easier to read. 21 BY MR. TINTERA: 22 Q If you want to hold them up, I'd like you 23 to explain. 24 A What we did as Systems Administrators, 25 there are certain UNIX commands that you can go 48 1 into -- 2 THE COURT: This is going to be 3 awfully hard for Mr. Sussman to see. I understand 4 that the diagrams are small, but he's going to -- 5 THE WITNESS: He has exactly what I 6 have on here. 7 THE COURT: He can't see what you're 8 pointing at, is the problem. So you'll have to 9 back up. I can't see. Stand by the easel. 10 And, Mr. Sussman, if you would like 11 to come up by Mr. Tintera. 12 MR. SUSSMAN: If Mr. Kent will refer 13 to the number in the lower right-hand page of the 14 exhibit, not the exhibit number, but there is a 15 number next to that. 16 MR. TINTERA: Right next to the 17 sticker. 17. 18 MR. SUSSMAN: Refer to that, and as 19 you go through the statement referring to what line 20 on that exhibit, I can follow along. 21 THE WITNESS: I'll start at the top 22 here. 23 I made a note in this particular log 24 that they asked me to provide that I found that the 25 actual systems date was actually off by five days 49 1 and two hours, so that's one of the first things I 2 checked to see whether the actual time that was 3 running on that machine and logging was the actual 4 time according to the watch. 5 BY MR. TINTERA: 6 Q Was that because this machine was allowed 7 and off your normal loop of maintenance? 8 A Exactly. Otherwise, it would have had 9 the same systems time clock that all of our other 10 systems had if it had received the updates. 11 I started off basically by running 12 through some very simple commands to see whether in 13 actual fact this user had been coming onto the 14 system. This command here gave me a list for this 15 user Merlyn and showed me the dates and times and 16 approximately how long that this person had made a 17 connection on that particular machine. 18 THE COURT: You need to refer to the 19 line so that Mr. Sussman can follow along on the 20 exhibit. When you say "this command here," which 21 line? 22 THE WITNESS: References the last 23 command. 24 BY MR. TINTERA: 25 Q When you talk about a command, you're 50 1 telling the computer to do something? 2 A Yes. I'm telling the computer as the 3 root, you're to go in and give me back some 4 information that it stores on there. Has certain 5 log files, if you will, that it keeps of activities 6 and things that happen on that computer system. 7 Q What command did you use? 8 A There is a command here called lists. 9 What this looks at is lists. What that does is 10 tells me the listing of people that have been 11 attaching and connecting to that system and running 12 certain processes on there, a process being a 13 program that runs. 14 What I did here was made -- instead 15 of having a long list to provide everybody, I went 16 through and there is a command you can use to pull 17 out the information for a given user, which is why 18 you see everything here says "Merlyn." This is 19 what we were interested in finding out for user 20 Merlyn. And then this lists out the dates and 21 times and approximate time that this person was 22 using that system. 23 Q That is plus five days and two hours? 24 A Exactly. 25 Q Let's take this blue marker and if you 51 1 could indicate plus or -- 2 A If we were to take -- For example, if we 3 look at the last time it showed him as attaching 4 into that machine, we see a date of October 23rd at 5 14:12 military time. So if I add five days to 6 that, that makes it October 28th and it would be 7 16:12. That is the real time that the person 8 logged into that machine. 9 Q So what are you looking for here? 10 A Well, we're looking to find out whether 11 the person has been actually accessing and 12 utilizing a particular machine that was in 13 question. So that's the first thing I do with -- 14 as the Systems Administrator is to get onto that 15 system and start checking out all of the log files 16 and records that exist on that system to see 17 whether indeed this person has been connecting 18 into, attaching or possibly utilizing that system. 19 Q And what did you see? 20 A We saw that indeed he had an account. 21 I'll reference that as I go further back. 22 Q So you're done with State's Exhibit 2? 23 A No. 2, No. 17. 24 MR. TINTERA: Judge, I would offer 25 this into evidence. 52 1 THE COURT: Mr. Sussman. 2 MR. SUSSMAN: No objection. 3 THE COURT: 2 is received. 4 (Whereupon, State's Exhibit 5 No. 2 was received in 6 evidence.) 7 MR. TINTERA: Would you mind if we 8 passed this to the jury at this point? 9 THE COURT: If you think it will 10 help. 11 MR. TINTERA: Yeah, I do. 12 THE COURT: Go ahead. 13 THE WITNESS: I'll move on to No. 14 18, Mr. Sussman. I'll move halfway down that page. 15 The next thing I did was, I wanted 16 to see whether that person has a directory. The 17 directory is a place that the user can store 18 information and possibly may have files that exist. 19 BY MR. TINTERA: 20 Q So it's like a closet? 21 A It's like a closet, a storage box, if you 22 will. A mailbox so you can look at it in a number 23 of different ways. 24 So what I did, I found that yes, we 25 have a directory over here that is the user people. 53 1 And I see here definitely here a number of 2 different people's home accounts, if you will, 3 these home directories where they can store things. 4 So I scanned that, and if we go down 5 to this line right here, you will see an entry 6 there for Merlyn. So now I know that -- 7 BY MR. TINTERA: 8 Q Mark that with that blue marker so we 9 know what you're talking about. 10 A Okay, right here. I see that there is -- 11 Q Let me back you up. 12 At the top of State's Exhibit 3 is a 13 # tail SYSLOG, "SYSLOG," being in capital letters. 14 Does that make a difference, by the way, of capital 15 letters or lower case letters? 16 A I'm sorry. 17 Q Does it make a difference to the computer 18 whether you use capital letters or lower case? 19 A No. On the UNIX system, doesn't matter 20 whether they are upper case or lower case. 21 Q What were you doing with the # tail 22 SYSLOG at the top of State's Exhibit 3? 23 A When I went into the SYSLOG, I was 24 looking in there to see whether there were any 25 particular error messages or system concerns that 54 1 we should be taking into consideration. I didn't 2 actually find anything in here other than there was 3 an entry for another machine that was apparently 4 trying to use this server's IP address, so I did 5 have some concern and we went off into different 6 issues to investigate that matter. I recorded that 7 matter just as a matter of note. 8 Q Then you used the command in the middle 9 of State's Exhibit 3 CD/usr/people? 10 A Right. That's where I actually went down 11 to that level directory. And then there is a 12 command below that -- 13 Q What does the CD stand for? 14 A Means "change directory." 15 Q And the user, USR? 16 A User is a user directory, a name. There 17 is general standard names that are used on specific 18 systems. In this case "user" means that there is 19 some user directories or something below that. 20 Q So you're checking user storage boxes for 21 the people that have stuff in them? 22 A Yeah. They either have accounts on that 23 system -- well, if their account was disabled, then 24 generally this would not exist. It could still 25 exist, even if the password had been disabled, 55 1 though. So they could still have a directory in 2 there even if you disabled the main access 3 password. 4 Q But you do find one for Merlyn? 5 A We find one for Merlyn. 6 Q So then what did you do? 7 A The next step that I did was, I actually 8 went down one more level into that Merlyn 9 directory. Let's see if there's any files in this 10 directory called Merlyn. 11 MR. TINTERA: We would offer State's 12 Exhibit 3. 13 MR. SUSSMAN: No objection. 14 Before we go on to Exhibit 4, let me 15 ask just for logistics here -- this is getting 16 awkward. Are you simply going through -- are these 17 exhibits going through the pages -- 18 MR. TINTERA: Exactly. 19 MR. SUSSMAN: I think we'll be able 20 to follow that from our seat more comfortably. 21 THE COURT: If at any time you need 22 clarification, let us know. 23 MR. TINTERA: So we can move closer 24 if he's going to go back to the table. 25 THE COURT: I don't want him in the 56 1 jury box. 2 THE WITNESS: If you're going to 3 send them around to the -- 4 MR. TINTERA: I would offer State's 5 Exhibit 3. 6 THE COURT: I think he said no 7 objection. 8 MR. SUSSMAN: That's correct. 9 THE COURT: Received. 10 (Whereupon, State's Exhibit 11 No. 3 was received in 12 evidence.) 13 BY MR. TINTERA: 14 Q Now, on No. 19, State's Exhibit No. 4. 15 A So I stepped down one level in the Merlyn 16 directory to see if there were any files in there. 17 And also we checked file dates by doing a listing 18 of what's inside that directory. Sure enough, I 19 found there were all different types of files down 20 inside Merlyn's directory. That's what this shows. 21 Here is the owner of those files, 22 here are the dates, the sizes and the names of the 23 files. One of the reasons why I do that is because 24 I wanted to see if there is any types of files that 25 may be of concern down inside those directories. 57 1 Q Does this tell you what the computer is 2 being used for by what is in these files in the 3 directory? 4 A Sure. We can actually -- once I get a 5 directory listing, I can start looking around for 6 any files that we feel may be dangerous or may 7 cause some concern to us that the user has placed 8 in his directory. 9 Q What did this show you? What do these 10 files show you? 11 A The one that I immediately got flagged as 12 a red file, I'll mark that one up here for you. 13 Q Would you like a red marker? 14 A Yeah. There are certain files known to 15 Systems Administrators that can give certain 16 permission or create certain avenues for people to 17 make things easier for them on a given system. 18 MR. SUSSMAN: What file are you 19 referring to? 20 THE WITNESS: Line No. 3 on that 21 page, No. 19. 22 There is one file initially that I 23 found. We found a number of files here that are 24 called IRC, which is Internet Relay Chat program 25 which we normally do not allow run at SSD. 58 1 MR. SUSSMAN: Objection to that as a 2 conclusion of the witness, Your Honor. 3 MR. TINTERA: No, it's not. He's a 4 Systems Administrator, he knows what programs are 5 permitted to be run at SSD and not. 6 THE COURT: Well, he said "normally" 7 on clarification. Sustain the objection. 8 BY MR. TINTERA: 9 Q Is that an Internet Relay Chat? 10 A Yes. 11 Q What does that mean? 12 A Like allowing to have a CB program to 13 have people have a multiple chat line across the 14 Internet. And you're using that system or the 15 system is capable of allowing you to do that. 16 Q Is that something that is within the 17 normal business practices of the Supercomputer 18 Division? 19 A No, it's not. 20 Q So you found this Line 3, which was of 21 concern to you. It's an R host? 22 A Yeah, it's called a .rhost file. What I 23 did, if you go to the bottom, I did a "more" 24 command to take a look at what was indeed inside 25 this .rhost file and I noticed there were a number 59 1 of systems that didn't exist at SSD. These systems 2 that are named existed over at another facility 3 called Hawthorn Farms. 4 What the .rhost allows a person to 5 do is to be able to log in as the user name here 6 from that other system without using a password. 7 What really kind of brought this to 8 my attention here, I noticed that he's got four 9 systems named that are not even on our campus, that 10 not only has the entry for Merlyn here but also has 11 the entry for root. 12 So, as I said, gives you the name of 13 a system here and tells you who the user is and he 14 can log into the system without using a password to 15 get into it. I've got Merlyn now and I've got 16 root. 17 Q Is this that root access we talked about 18 before, is that the same thing? 19 A Yeah. It will allow root from Kandinsky, 20 for example, on the second line, to log into 21 Brillig without entering a password. 22 Q So you could go from the Kandinsky 23 computer to the Brillig computer without entering 24 your password? 25 A That's true. 60 1 Q How would the computer know who was on 2 the system? 3 A It's looking at these users in the 4 password files. So if in Brillig's password file, 5 even if it only has 20 entries, if there is a user 6 Merlyn in that password file and there is a user 7 root in there, it basically says, "Okay, this 8 person can attach to this machine without answering 9 the password." 10 Q So if they are connected together, then 11 the machine would allow this? 12 A Yeah. 13 Q Why did that attract your attention, the 14 "rhost"? 15 A Morrissey, who initially contacted me to 16 alert me of this, was a Systems Administrator in 17 Hawthorn Farms, and the systems that he was dealing 18 with that he was reporting some activity with 19 Merlyn was Kandinsky and these other machines that 20 are listed here that are sitting over on my system 21 Brillig at Intel SSD. 22 Q Well, as a Systems Administrator, are 23 those the -- the Kandinsky and root, what we have 24 at the bottom of State's Exhibit 4, are those 25 supposed to be on the Brillig machine? 61 1 A No. Normally, we generally don't allow 2 people to go sticking .rhost in the file off their 3 systems because it creates a security leak. 4 Q Did you give Mr. Schwartz permission to 5 change the Brillig computer in this manner? 6 A No. 7 MR. SUSSMAN: Question in aid of 8 objection? 9 10 EXAMINATION IN AID OF OBJECTION 11 BY MR. SUSSMAN: 12 Q You are not the administrator for the 13 Brillig machine? 14 A That's true. 15 Q You would not be in a position to give 16 him permission to do anything on Brillig, would 17 you? 18 A The person who was in charge -- 19 Q Please answer the question. I asked 20 whether you could. 21 A Whether I could? 22 Q Right, have given permission or not given 23 permission. 24 A In this particular case, I did not give 25 permission. Does that answer that? 62 1 Q No. The question was, you were not -- 2 you do not have the authority to give permission or 3 not give permission to Mr. Schwartz to do anything 4 on Brillig; is that correct? 5 A I was not informed that he had an account 6 on Brillig, so how could I? 7 Q That was not your position to do that, to 8 give authority or deny authority, was it? 9 A When management -- 10 Q Please answer the question, Mr. Kent. 11 THE COURT: Answer it and then if 12 you need to explain it, you can explain it. 13 THE WITNESS: I'm trying to think of 14 the right answer because it's a very fine 15 borderline on whether I do or whether I don't. 16 BY MR. SUSSMAN: 17 Q Management can ask you to disable an 18 account at the request of somebody else; is that 19 correct? 20 A Yes. 21 Q You don't have the authority to either 22 personally make a decision whether somebody has 23 access or not? 24 A I'm basically told that this person has 25 or does not have access. 63 1 Q You don't have personal knowledge of 2 that? 3 A When I'm told by management. 4 MR. SUSSMAN: So I move to strike 5 the last answer, the answer to the last question 6 because it's based on what he is told by others and 7 not based on his personal knowledge or based on 8 anything that's within this witness' ability to 9 speak from his personal knowledge or experience. 10 THE COURT: I've forgotten 11 specifically what the question was. 12 MR. SUSSMAN: I'm trying to say that 13 it's a conclusion of this witness. Move to strike. 14 THE COURT: The motion was to strike 15 because this witness does not have the authority to 16 grant permission or authority to change the 17 computer or to take it away. Is that what you're 18 saying? 19 MR. SUSSMAN: Yes, Your Honor. And 20 this is -- it's calling for this witness to give an 21 answer to something that is outside his purview. 22 Essentially, it calls for this witness to make a 23 conclusion as to whether or not Mr. Schwartz -- 24 THE COURT: Mr. Tintera. 25 MR. TINTERA: I can rephrase the 64 1 question. 2 THE COURT: Thank you. 3 BY MR. TINTERA: 4 Q Mr. Kent -- 5 A May I confer with -- 6 Q No. 7 A I just needed to rectify something. This 8 is very borderline. 9 Q Did anyone -- Did any person approach you 10 and request that you allow these accounts to be 11 opened on the Brillig computer? 12 A No. 13 MR. TINTERA: I'd offer State's 14 Exhibit 4. 15 THE COURT: Have you seen that, 16 Mr. Sussman? 17 MR. SUSSMAN: Yes, I have. I have 18 no objection. 19 THE COURT: Proceed. It's received. 20 (Whereupon, State's Exhibit 21 No. 4 was received in 22 evidence.) 23 BY MR. TINTERA: 24 Q Then what did you do? 25 A Let's move to State's Exhibit 5, No. 20. 65 1 The next thing that I have at the top here, I had a 2 concern over anything that may appear to be a 3 directory that might have something abnormal. So I 4 went in here and I changed directories one level 5 more down into his directory. He had a directory 6 called "play" and all I did was get a listing of 7 the items that were down in that directory here, 8 which contains some files and some further 9 subdirectories down here. 10 The next thing down in the middle of 11 the page, I went over to check out our groups file. 12 The password file and the groups file on the system 13 give various permission to users coming in and I 14 wanted to see whether there was a user Merlyn. 15 Q What command did you give the computer? 16 A More. List out all files. So I checked 17 out that file to see whether there was anything 18 abnormal in the groups file that may have been 19 hacked, that may have been tampered with, and I 20 noticed that there was nothing in that particular 21 file. 22 Next thing I did in the process, 23 what -- there were areas that store temporary 24 files. In other words, if there is some type of 25 program running on the computer, oftentimes there 66 1 will be files that are stored, log files and 2 et cetera, so down here I go into a directory, I 3 change the directory down into one of the system 4 directories now and it's called "temp." I did a 5 listing of files that were contained in that temp 6 directory. 7 I have to roll over two pages here 8 to explain this. I look at State's Exhibit 6, No. 9 21, and I noticed there were a whole bunch of files 10 contained in this temporary directory owned by user 11 Merlyn. The first group of them begin with a thing 12 call emacs. Emacs is an editor like a word 13 processor program. 14 Q Like a little typewriter? 15 A Yeah, like a little typewriter program 16 where you open up this program and it goes and 17 stores out some files. 18 I noticed that the size of these 19 files, there was nothing in them. They were zero, 20 so they were basically written out as temporary 21 files. 22 Q So if the word "cat" was in these files, 23 what would it show instead of zero? 24 A It would show X number of bites within 25 that. This number would not be zero. 67 1 Q It would be three? 2 A It would be three. 3 Q Because there is three letters. We're 4 talking about the zero says there is no information 5 in the file? 6 A Right. 7 Q The box is empty? 8 A Exactly. 9 Q If there was the word "cat" in the file, 10 it would give you a three because it has three 11 letters; is that right? 12 A Yeah. I then went on to another 13 directory. 14 Q Which exhibit are you on? 15 A I'm cross-referencing two at the same 16 time, 5 and 6, so I'm now on Page 21. I go into 17 and look at another temp directory, called a 18 "usertemp," and I did a listing there. And as you 19 can possibly see here, there are some other users 20 that had temporary files in here. 21 Once again, I noticed that there are 22 a number of them in here for this user Merlyn on 23 the system. So I looked across and checked out 24 what the name of that file is and this was rather 25 intriguing. There were these files all labeled 68 1 gatelog and a number, so I was a little concerned, 2 like what are these files here? 3 So what I did was I used that "more" 4 command again, which lists out the contents of the 5 file, and what I noticed at this particular point 6 was that this user Merlyn was keeping some 7 temporary log files. And it showed me that there 8 were connections, he was logging connections from a 9 specific machine to another machine. 10 Q Let's stop right there. What do you mean 11 he's logging connections from a specific machine to 12 another machine? 13 A This log showed that there was a 14 connection being made from -- on the Internet, each 15 machine has an associated number that goes with it. 16 From that number, you can identify the specific 17 machine. 18 Q An IP number? 19 A An IP number is also what it's known as. 20 What I was able to do here -- let's move on to 21 State's Exhibit 7, which would be Page -- 22 Q Are you done with 5 and 6? 23 A Yes. 24 MR. SUSSMAN: Which was 6? 25 THE WITNESS: State's Exhibit 6 is 69 1 No. 21. 2 MR. TINTERA: 5 is 20. 3 I would offer 5 and 6 at this time. 4 THE WITNESS: And 7, because we're 5 going to move past 7. 6 BY MR. TINTERA: 7 Q Are you going to mark on 7? 8 A No, I don't need to. This is an 9 extension. I was concerned because in these logs 10 was continually running this program over and over 11 and logging the information. 12 MR. TINTERA: So I would offer 5, 6 13 and 7. 14 THE COURT: Mr. Sussman. 15 MR. SUSSMAN: No, Your Honor. 16 THE COURT: 5, 6 and 7 are received. 17 (Whereupon, State's Exhibit 18 Nos. 5, 6 and 7 were 19 received in evidence.) 20 THE WITNESS: State's Exhibit 8, No. 21 23, as I stated, there are numbers in there, IP 22 numbers that are embedded in that log file. So 23 what I did was, I used a simple little technique, 24 telnet commands, to go out and connect me to this 25 other machine to see whether I would get any 70 1 response. 2 It was rather interesting, because 3 when I pulled the numbers out of the log here, I 4 found that the first number that it was recording 5 ended up logging me into none other than 6 duchamp.hf.intel.com, which is one of the machines 7 right over here in Hawthorn Farms. 8 When I went out there, then down 9 here and checked the other Internet address, it was 10 pointing to a machine that existed, it was called 11 Ruby, and it was owned by O'Reilly & Associates, 12 wherever they are situated. It was outside of 13 Intel. So it was showing me basically like this 14 connect point that was connecting some outside 15 machine outside of Intel to coming through this 16 machine Brillig at my site off to another machine 17 over at the Hawthorn Farms campus. 18 BY MR. TINTERA: 19 Q Now, had anybody told you to set up this 20 account for Mr. Schwartz? 21 A No. 22 Q Was this -- are you familiar with the 23 firewall that protects Intel? 24 A Yes. 25 Q Was this machine inside the firewall, 71 1 outside the firewall, or part of the firewall, the 2 Brillig machine? 3 A Can I use the piece of paper? 4 Q Yeah. 5 A I'll make this very simple, couple boxes, 6 so will it be easy to understand. 7 Out here is a big cloud and they 8 call that Internet. Multiple connections going on 9 all over the world to this particular one that came 10 into our location at Intel SSD. We have a system 11 out here and routers that act as what's known as a 12 firewall. It's supposed to block the filter and -- 13 this is real simple. This basically is the 14 boundary, if you will, into Intel, and in this 15 particular point SSD. Once you get through this 16 firewall from the Internet, you are then inside 17 SSD. 18 Well, there is a machine sitting out 19 here on our network called Brillig. We then have 20 numerous different connections going across our own 21 internal network. This is the Cornell Oaks campus. 22 Way over here was another campus called Hawthorn 23 Farms, and over here was the system called Duchamp. 24 Out of the Internet here is a place called -- for 25 shortness, we'll call it ora.com, which is O'Reilly 72 1 & Associates. This system was called Ruby. 2 Q Could you put "O'Reilly" under there so 3 we have a word to associate with? 4 A (Witness complies.) 5 Q Is O'Reilly & Associates part of Intel? 6 A No, they are not. They have nothing to 7 do with Intel. 8 Q So what happened? Keep going. 9 A As I say, this was the machine I was 10 checking right here. Morrissey was concerned 11 because of things that were going on with his 12 machine over on this network within Intel. 13 Imagine this is an invisible shield 14 where within these boundaries we have the inside of 15 this protected, if you will. On this machine -- 16 and we'll get to the process here in a minute -- 17 was some logs being kept by continual port 18 connections. In other words, ports that were 19 outside the boundary of the filtering capabilities 20 of our routers and firewall. In other words, there 21 is a certain group of numbers or ports, windows 22 that a person can block here if they are well 23 outside of that range, then it basically means that 24 you've got a connection from point A to point B. 25 You're bypassing our firewall system at Intel. 73 1 Q Now, did anyone come to you and say, 2 "Could you set this up for Mr. Schwartz?" 3 A No. 4 Q Could you label the firewall, just put 5 "firewall by it so we later on remember what that 6 red dotted line is? 7 A (Witness complies.) 8 Q So you saw this and what did you do? 9 A Well, if I could continue. I just 10 basically wanted to give you a description of what 11 those IP addresses that were in that evidence 12 showed, that this guy and this guy were basically 13 making a connect that was bypassing our firewalls. 14 Q Could you tell if the connection was -- 15 there are some roads that are one-way and some 16 roads that are two-way. What type of road was this 17 connection? 18 A What we were showing from those logs was 19 that it was this connection out of this machine 20 that was connecting inbound to Duchamp. 21 Q So it was coming in? 22 A Yeah, inbound connection off the 23 Internet. 24 Q Take a black marker and put an arrow on 25 your firewall going through the direction that the 74 1 connection was showing. 2 A If I could explain something here. What 3 the program itself does, is that we found on here 4 actually really provides a two-way connection. 5 It's not just as if it's a one-way pass. What 6 they've done is opened up this dual connection that 7 allows back-and-forth between systems. 8 Q So we could put an arrow going through 9 the firewall the other way? 10 A Sure. You could put inbound, outbound, 11 and so on. 12 MR. TINTERA: Could we have this 13 marked as State's Exhibit 18, please. 14 THE WITNESS: Okay, if I can move 15 on. 16 So the top part of Exhibit No. 8 17 shows I went out there and I said, "Let's find out 18 who the two systems are," and I went off and 19 identified them. 20 The next thing that I did, I went in 21 and I ran this thing called PS with some extensions 22 here, and I actually looked for any processes. PS 23 means processes, show me any processes that are 24 running by user Merlyn, and I found something 25 rather interesting. The date stamps and time 75 1 stamps are all out on here. 2 BY MR. TINTERA: 3 Q That's the five days plus two hours? 4 A Yeah. What we show here is that, sure 5 enough, there is this script file or a file that's 6 executing on that computer. 7 Q What does that mean? 8 A What I explained up here, we had some 9 type of a program that was running that allowed 10 this dual connection in and out of Intel via that 11 machine. 12 Q So it's just not a switch that you throw 13 to allow this connection, you have -- 14 A You have to go in and start it up. 15 Q Well, do you have to add something to the 16 computer to have this door swing both ways? 17 A Oh, definitely, yeah. 18 Q What? Is that what you're talking about 19 down here, this script? 20 A Yeah, this gate. What we found was the 21 processes that were running was a thing called 22 gate. It pointed, as you can see here, 23 user/people/Merlyn/bin/gate, which is down inside 24 his directories. The user Merlyn was running a 25 gate script. It was an executable file that was 76 1 running on that system. 2 Q Does that alter the Brillig system? 3 A Sure. 4 Q What about the network that Brillig is 5 connected to, does that alter that? 6 A Sure, it can do that as well. 7 Q So you see this gate script running and 8 what do you do? 9 A Let's move on through my charts here. 10 Okay, State's Exhibit 9, No. 24. 11 MR. TINTERA: Wait a minute. What 12 number is this? Looks like a couple numbers. 13 THE CLERK: 8. 14 MR. TINTERA: This is State's 15 Exhibit 8, and I would offer it, Page 23, Counsel. 16 MR. SUSSMAN: No objection. 17 THE COURT: 8 is received. 18 (Whereupon, State's Exhibit 19 No. 8 was received in 20 evidence.) 21 BY MR. TINTERA: 22 Q So now you're looking at No. 9? 23 A Yeah. To follow along with what we were 24 looking at, the process we were running, I also 25 noted that he had, indeed, been on -- he had opened 77 1 up what's called a c shell, like a log-in window, 2 and he was actually looking at a tail command, 3 means show me X amount of this file. 4 Well, he was running a command 5 saying, "Show me part of this gatelog.," and then 6 the number. So he'd been in there looking at those 7 log files. 8 Also, we noticed that the "ping" 9 command -- ping basically sends out this little 10 command to another machine and says, "Are you 11 there?" So he'd also been doing that. Funny 12 enough, says ping eff.org. 13 Q What's that? 14 A Electronic foundation something. Another 15 Internet cycle machine. 16 Q Is that part of Intel? 17 A No, that's outside of Intel. And also we 18 saw that he ran a telnet command, so we knew that 19 he was running -- he had used Brillig to telnet to 20 some other machine or system. 21 Q You need to explain what "telnet" means. 22 Is that a word of art for computer people? 23 A No, it's not. Basically all it does is, 24 it's a little program that allows me, the user on 25 this system, to contact this other computer system 78 1 and it will promptly ask me back for my name or 2 password, and if I have an account on that system 3 or if I want to sit there and hack it or try to 4 crack into a system or anything, I can sit there 5 and attempt to use a name password or user name 6 password that would show up as multiple telnet. 7 In this particular case there was a 8 telnet made to some other system which was not 9 identified here. 10 So finally what I did for the final 11 part of my analysis on this was, I had gone in and 12 found that indeed there was a user Merlyn account 13 on there, there was a directory with files run by 14 Merlyn on there and that indeed that person, 15 Merlyn, had been using the machine and was still 16 doing so when I went in to check it and that user 17 Merlyn had processes or programs that were running 18 continually on that machine over quite a period of 19 time. 20 So the final step that I did here, I 21 think that's what the last couple pages are, I went 22 down and just took a look at this thing called 23 gate, which ended up being a thing called the Perl 24 script. Perl is like a programming script 25 language. And I did no more to really go in and 79 1 decipher that other than one or two pieces to pull 2 out some information, which is -- 3 Q Is this all information that you are 4 getting from the Brillig computer? 5 A Yeah, this was all information that I was 6 getting on the Brillig computer. Anyway, I don't 7 think I need to go through and try to decipher the 8 gate script for the jury. 9 Q Are you done with State's Exhibit 9? 10 A I'm done with all of those pages now, 11 yes. 12 Q Well, where does the gate script start? 13 Could you take this purple pen and just mark "gate" 14 where it begins as you found it on the Brillig 15 computer? 16 A Are you talking about the actual physical 17 file that I went in and looked at? 18 Q Yes. 19 A Below this purple line is -- 20 Q Could you just write "gate" on that 21 somewhere? 22 A "Gate." This is the -- it's called 23 "gate." If we look at -- here is the word process 24 here. You'll see a thing running here called gate 25 and you'll see this in a number of places here so 80 1 they can see an example of process so we know that 2 the process gate is running, and then here is -- 3 Q The actual script? 4 A The script or the things that connects. 5 Q What does Exhibit 10 show? 6 A This is just a partial extension of the 7 contents of that file. 8 Q And 11? 9 A The same thing. It was a very -- it's 10 quite an elaborate script and went on for a ways. 11 Q Is 12 part of that? 12 A Yeah, 12, and then I find et cetera, 13 et cetera, because it went on and on and I didn't 14 want to have to send a piece of paper that was 15 about this thick to people when they kind of got 16 the idea already that yeah, this was happening. 17 MR. TINTERA: Counsel, our State's 9 18 is 24, 10 is 25, 11 is 26 and 12 is 27. I would 19 offer 9, 10, 11 and 12 at this time. 20 MR. SUSSMAN: May I see those? 21 MR. TINTERA: Yes. 22 MR. SUSSMAN: Your Honor, I have an 23 objection to the portions involving the gate script 24 because it isn't the complete gate script and it is 25 my understanding that the last portion of what is 81 1 left off on Exhibit 12, Page 27, is cut off several 2 lines before the end of that script for the end of 3 the program and it is not an accurate exhibit. The 4 exhibit is not accurate and doesn't show the full 5 gate program script. 6 MR. TINTERA: Judge, I can fix that 7 if you give me a minute. 8 THE COURT: All right. 9 MR. TINTERA: If you could resume 10 the witness stand. 11 BY MR. TINTERA: 12 Q Handing you what has been marked State's 13 Exhibit 19. Can you identify -- and what we're 14 particularly looking at is this, the response on 15 State's Exhibit 12 -- what I'm looking for is this, 16 the continuation on State's Exhibit 12 where it 17 goes "et cetera, et cetera, dot, dot, dot." Is 18 this the rest of the dots? 19 A That portion right there within those 20 pages is the actual gate script. And the 21 continuation, as he said, is, I think, a few lines 22 that were missing on the bottom, if you were to 23 match this up against the other display we had over 24 there. 25 The reason why there was the 82 1 "et cetera, et cetera," is because if you look at 2 some of this information here, I also had to 3 forward information on other scripts and so on and 4 we could have made -- 5 Q Is this the rest of the et cetera, 6 though? 7 A Yeah, this is part of. If I get past -- 8 yeah, I think this is it, because I did send -- 9 yeah, I sent all of the logs, for example, and then 10 there was some other scripts that I was a little 11 bit concerned about, one called monkey mode, good 12 for bopping around on directory retrieves and so 13 on. There was some others that I had concern for 14 and -- 15 Q What I'm asking you is, is State's 16 Exhibit 19 the rest of the et cetera when you -- 17 A Yes. As far as I recall, I did send 18 quite a large file out. What I was trying to 19 purvey is that the script went on. Rather than 20 send the whole thing and try to decipher that, we 21 had people that would decipher what the script 22 actually did for us. What we're looking at on the 23 charts here was part of an e-mail message, and 24 so -- 25 THE COURT: You need to just respond 83 1 to questions. 2 MR. SUSSMAN: If I might just 3 confer. 4 (Conference between counsel 5 off the record.) 6 MR. SUSSMAN: Your Honor, for the 7 record, I was pointing out to Mr. Tintera that the 8 first three pages of this large stack contains the 9 entire gate script. And if we include that instead 10 of the blowups, which leaves out just the last five 11 lines on Page 3 of that, then we have got the whole 12 script and we have got that one solved. 13 THE WITNESS: Right. 14 THE COURT: Instead of those other 15 exhibits or in addition to the other exhibits? 16 Could we put in 9, 10, 11 and 12 and also 19, which 17 19 shows the complete -- 18 MR. TINTERA: Let me offer State's 19 Exhibit 9. 20 MR. SUSSMAN: I have no objection to 21 9. And if we use 19, that -- 22 THE COURT: No. 9 is received. 23 MR. TINTERA: Then I would offer 24 State's Exhibit 19. And this is the gate script, 25 Mr. Kent? 84 1 THE WITNESS: That's right. That's 2 the additional few lines added in there. That's 3 the gate script right there. 4 THE COURT: Any objection to 19 5 then, Mr. Sussman? 6 MR. SUSSMAN: No. 7 THE COURT: No. 19 is received. 8 (Whereupon, State's Exhibit 9 No. 9 and 19 was received in 10 evidence.) 11 THE COURT: You're not offering 10, 12 11 and 12? 13 MR. TINTERA: No, Your Honor. 14 THE COURT: I don't have that you 15 have offered Exhibit 18, which is the diagram. Do 16 you intend to offer that? 17 MR. TINTERA: I do. I would offer 18 18. 19 THE COURT: Any objection to 18, the 20 diagram? 21 MR. SUSSMAN: No objection. 22 THE COURT: 18 is received. 23 (Whereupon, State's Exhibit 24 No. 18 was received in 25 evidence.) 85 1 BY MR. TINTERA: 2 Q Now, this was your initial look into the 3 Brillig machine; is that correct? 4 A That's true. And that was done, as I 5 said on Thursday, October 28th. 6 Q Now, did you receive any other 7 information from Mr. Morrissey about the activities 8 of user Merlyn? 9 A Friday, October 29th, Mark Morrissey and 10 I, we decided that it might be best if we met 11 personally rather than doing any phone conversation 12 and e-mail. So and between the hours of 10:00 a.m. 13 and 1:00 p.m., which is three hours total, Mark 14 Morrissey came by and showed me a few bits and 15 pieces of what he had found and helped me go 16 through some of the information that you just saw, 17 as well as doing some additional further checks on 18 those systems. 19 Q And was there any besides the gate script 20 that we have already heard about -- as a Systems 21 Administrator for the Supercomputer Division, did 22 you receive information that you also felt for 23 security reasons that you needed to look into? 24 A I'm sorry. 25 Q Did you receive any information about 86 1 your password file for the Supercomputer Division? 2 A Yeah. Immediately what we did when we 3 found out regarding the password file -- 4 Q What did you find out about the password 5 file, is what I'm asking you? 6 A Both, through copies of that file will -- 7 we're talking about -- are we talking about the 8 Brillig password file or the SSD password file? 9 Q Well, what I need -- I feel we have 10 gotten off track here. What I need to know is, was 11 it brought to your attention any information about 12 either the Brillig or the SSD password file from 13 Mr. Morrissey? 14 A Both were, because we checked the 15 password file that was on Brillig and we also 16 verified that the password file that existed on a 17 machine, a copy of a password file that was over on 18 one of his systems was indeed one that belonged, if 19 you will, to Intel SSD. 20 Q So you did participate in that? 21 A Yes. 22 Q On one of his machines, whose machine? 23 A It's still an Intel machine. It was a 24 system that was located in Hawthorn Farms. 25 Q And the name of the machine? 87 1 A Let me see if I wrote that down. I was 2 more concerned with some of the things that were 3 going on at my end. 4 I can't recall. We were talking 5 about Duchamp and Kandinsky and some other systems. 6 To verify exactly which one that was located on, 7 we'd have to reference the records from Mark 8 Morrissey. 9 Q So do you know whose account on the 10 machine you were looking at where this SSD password 11 file was? 12 A Yeah. When we looked at it, it was 13 located under an account owned by Merlyn. 14 Q Mr. Schwartz? 15 A Mr. Schwartz. 16 Q And could you tell the jury, is there a 17 difference between a password file, the size of the 18 password file on Brillig and the size of the 19 password file for the whole Supercomputer Division? 20 A Most definitely, not only in size but by 21 the users that are contained on both Brillig and 22 the SSD. 23 Q And there was an open account on the 24 Brillig computer, is that correct, for 25 Mr. Schwartz? 88 1 A Yes, there was. 2 Q And how many other open accounts with the 3 Supercomputer Division were there? 4 A For the user Merlyn or Randal Schwartz? 5 Q Mr. Schwartz. 6 A He had already left Intel SSD and those 7 accounts had been shut down on the main service. 8 MR. SUSSMAN: I'd move to strike 9 this answer as nonresponsive to the question. 10 THE COURT: Sustained. 11 BY MR. TINTERA: 12 Q My question was, we know about the 13 Brillig computer account. How many other computer 14 accounts were there in the Supercomputer Division 15 for Mr. Schwartz? 16 A None that were known. 17 Q And does the Brillig computer contain the 18 full SSD computer password file? 19 A No, it does not. 20 Q Is there -- based on your knowledge as a 21 Systems Administrator, is there an authorized 22 manner that the full password file can be obtained 23 through the Brillig computer? 24 A If you had an account on the internal SSD 25 machines, then by all means, you could log from -- 89 1 Q That's not my question. Based on what 2 you knew on October 28th and October 29th, was 3 there a manner that Mr. Schwartz, using his user 4 name Merlyn, could obtain the full password file 5 for the Supercomputer Division? 6 A Not as user Merlyn. 7 Q And that is because he had no valid 8 accounts; is that right? 9 A That's true. No known valid accounts. 10 Q So the password file for Brillig and the 11 Supercomputer Division were found on a computer at 12 Hawthorn Farms? 13 A Yes. 14 Q And were they just -- Were there any 15 processes or programs being applied to these 16 password files? 17 A Yes. 18 Q And what were those? 19 A There was a program -- 20 MR. SUSSMAN: Question in aid? 21 THE COURT: You may. 22 23 24 25 90 1 EXAMINATION IN AID OF OBJECTION 2 BY MR. SUSSMAN: 3 Q Were these processes running on your 4 computer, the computers that you were administering 5 and examining? 6 A The processes that were running on the 7 machine at the campus where I was are the ones that 8 I brought up earlier here. 9 Q The question was asking you about were 10 there processes running on those password files and 11 were those on your machines? 12 A No, that was not on the Brillig located 13 at Cornell Oaks. That was located in Hawthorn 14 Farms. 15 Q So your knowledge about any process 16 running on those password programs is based on what 17 you were told by Mr. Morrissey? 18 A Also by what I saw. As I mentioned, Mark 19 Morrissey and I got together and had a meeting. 20 MR. SUSSMAN: I have no objection. 21 You saw that. 22 BY MR. TINTERA: 23 Q Mr. Kent, what did you see? 24 A Well, when Mark Morrissey and I got 25 together, naturally we want to match up. He needed 91 1 to look at what I had seen and evaluated on my 2 side, and I also needed to do the same for him. I 3 mean, it's a -- we're basically doing cross-checks 4 and verifying files and things that are running. 5 When Mark logged us over into the 6 systems at his site, there was a user Merlyn on the 7 systems located there. There were files that were 8 owned by user Merlyn. There had also been the 9 processes running by the user Merlyn on those 10 systems. 11 Q What processes? Were you able to 12 identify them? 13 A Yeah. The one of main concern was a 14 program called Crack, and there is only one use for 15 the Crack program and that is to basically take 16 password files and sit there and use different 17 variables in an attempt to break passwords that are 18 embedded in that password file. 19 Q Is this a program that you've used as a 20 Systems Administrator? 21 A As Systems Administrators, we run that to 22 do checks on people's passwords and so on. 23 Q As a Systems Administrator for the 24 Supercomputer Division, did you authorize anyone to 25 copy the password file that was found on Hawthorn 92 1 Farms in Mr. Schwartz's file? 2 A No. 3 Q Did you authorize anyone to run the crack 4 program against the Supercomputer password file 5 that you found on Mr. Schwartz's computer at 6 Hawthorn Farms? 7 A No. 8 Q And as the Systems Administrator for the 9 Supercomputer Division, has Mr. Schwartz come to 10 you in this time period -- did he come to you with 11 either security concerns -- did he come to you with 12 security concerns? 13 A Never. 14 Q Did he approach you with passwords that 15 were, in his opinion, faulty in the Supercomputer 16 Division so you could remedy the problem? 17 A Never. 18 Q As a Systems Administrator for the 19 Supercomputer Division, there any authorized avenue 20 that you know of that Mr. Schwartz could have 21 obtained the full password file for the 22 Supercomputer Division? 23 A Could you rephrase that again? 24 Q Is there any authorized avenue that 25 Mr. Schwartz could have obtained the Supercomputer 93 1 Division password file? 2 A Authorized avenue, no. 3 Q So on that Friday when you saw this 4 process being run on something from your system, 5 what did you do? 6 A Let me reference my notes here real 7 quick. 8 It was actually on the Thursday, 9 October 28th, that I went into the machine Brillig. 10 As I said, what we did up until Monday, November 11 1st, was, we monitored the system to see whether 12 there would be any other activities or file 13 transfers or anything that may be going on on that 14 machine. We wanted to verify further whether there 15 was any activities that were occurring. 16 So on Monday, November 1st, first 17 thing that morning was when we actually physically 18 disabled the Merlyn account on Brillig, and also at 19 9:30 -- between 9:30 a.m. and 2:00 p.m. at Hawthorn 20 Farms, we disabled any of the accounts that were 21 hacked, cracked, you know, the passwords, and other 22 accounts, we stopped all the processes that were 23 running on the machine. We removed any unknown 24 additional entries or anything that we may have 25 found in the password file groups, group files, and 94 1 at that point, we made it more widely known by 2 informing all other Systems Administrators and 3 other managers to start looking around systems 4 elsewhere at Intel for any accounts by user Merlyn. 5 Q Can you identify for this jury what 6 State's Exhibit 15 is? 7 A This is from a log file that's output by 8 the program Crack. And basically what it does is, 9 it puts a time -- date and time stamp and then 10 tells you "guess user name." Then what it does is 11 actually tells you what that guess password is, so 12 if you're running this, and I -- if I get this, I 13 can log in