IN THE CIRCUIT COURT OF THE STATE OF OREGON
FOR THE COUNTY OF WASHINGTON

STATE OF OREGON,
Plaintiff,
vs.
RANDAL LEE SCHWARTZ,
Defendant.

No. C940322CR
Volume 8

TRANSCRIPT OF PROCEEDINGS

BE IT REMEMBERED THAT on the 18th day of July, 1995, the above-entitled matter came on for Hearing before the HONORABLE ALAN C. BONEBRAKE, a Circuit Court Judge.

APPEARANCES

Thomas J. Tintera
Washington County Deputy District Attorney
Representing the State of Oregon

Marc Sussman
Attorney at Law
Representing the Defendant

WITNESS INDEX

FOR THE STATE:           Direct  Cross  ReD  ReX
Dirk James Brandewie     4       31     46   51
John C. Gray             53      60     70
Clayton Kirkwood         73      78
Herb Mayer               87      96     108
Richard R. Cower         127     146    181  185

FOR THE DEFENDANT:
Patrick Reilly           110     123

EXHIBIT INDEX

FOR THE STATE:    Offered  Received
Exhibit No. 21    145      146
Exhibit No. 22    185      185

MORNING SESSION
BEGINNING AT 9:35 A.M.
JULY 18, 1995

(Whereupon, the following proceedings were held in open court, the jury being present:)

THE COURT: Mr. Tintera, you were still calling witnesses when we broke last week.
MR. TINTERA: Yes. We're ready to continue.
THE COURT: Call your next witness.
MR. TINTERA: Dirk Brandewie.

DIRK JAMES BRANDEWIE
called as a witness on behalf of the State, having been first duly sworn under oath, was examined and testified as follows:

THE CLERK: State your full name and spell it for the record, please.
THE WITNESS: Dirk Brandewie. Dirk James Brandewie. B-r-a-n-d-e-w-i-e. D-i-r-k.

DIRECT EXAMINATION
BY MR. TINTERA:
Q Morning, Mr. Brandewie.
A Morning.
Q Are you employed, sir?
A Yes.
Q And who do you work for?
A I work for Intel Corporation.
Q And how long have you been with that corporation?
A Slightly less than seven years.
Q And what do you do for them?
A I'm a network programmer. I develop software in a network research and development group.
Q And do you work for any particular division of Intel?
A I work for the Intel Architecture Laboratory.
Q And do employees abbreviate that or --
A IAL is the typical pronunciation.
Q Where is that division located?
A At the Jones Farm campus in Hillsboro, Oregon.
Q Do people at Intel give their computers names?
A Yes.
Q And all computers have numbers for names also; is that true?
A This is true, yes.
Q What are those called?
A They're called IP addresses, which stands for Internet Patrol, and it's called IP address.
Q So are you familiar with the Mink computer at Intel?
A Yes.
Q And how are you familiar with that?
A I was what is known as the Systems Administrator for that computer.
Q Are you still?
A Yes.
Q And as the Systems Administrator for that computer, what responsibilities did you have?
A My responsibilities were for creating user accounts, deleting user accounts, maintaining the security, maintaining the security of the computer, general maintenance to make, replacing any hardware that needed to be replaced, making sure that the computer was available.
Q When you say "creating user accounts" or "deleting user accounts," could you explain to the jury what you mean by that?
A Yes, I can. (Pause) I am --
Q Would you?
A I'm trying to get the right words. The computers have users. It's a person who is allowed to use the computer. And by creating an account, you make a spot on the computer where they can put their files. You put their name in a password file so that the computer can tell who is logging into it. When the user logs in, he has to say, "I'm whoever, I'm Dirk, and my password is this," so the computer can tell who is accessing it.
So create an account, you create their home directory where they will store their files and put them into the password database where the computer can authenticate who is accessing it.
Q So without that account, you would not, in theory, be able to access the computer?
A That's true.
Q You could if you were using someone else's password?
A Yes, you could.
Q You also indicated as Systems Administrator for the Mink computer, you had security duties.
A Yes.
Q What do you mean by that?
A Making sure that as -- people who are users, as they left the corporation, making sure that their account was deleted so they no longer had access to the computer. Making sure that files that didn't need to be readable by everyone on the computer where the permissions were set so no one other than the people who needed access had access. Making sure that the software running on the system wasn't allowing people in without using a password.
Q And could you tell the jury if the Mink computer had a specialized function within Intel?
A Yes. It was called an Internet gateway host, which means there is a small set of computers at Intel that are allowed to talk to the Internet, or at that time there was. It's changed a little since, but --
Q What time are we talking about, 1993?
A Yes, this is March of 1993. There was a small set of computers that were allowed to talk to the Internet. "Talking" means connecting to another computer. And Mink was one of the hosts that was allowed to do that and that was its specialized function was as an Internet host.
Q So if we give the jury an example of its use, could you do that in regards to being the Internet host?
A Yes. Let's say someone from inside of Intel wanted to talk to a computer at IBM, they knew the computer they wanted to talk to.
What they would do is log into Mink using their user name and password and then they would be presented with what is called a shell prompt, which is basically, if you are familiar with DOS, how it -- basically this is what's on the screen. Then they would use the command of "connect" to the machine at IBM, let's say, so they would use telnet, which basically says, "Connect this terminal to that machine or log in." There is a number of ways.
Anyway, they would first log into Mink and then connect to the outside world from Mink.
Q Let's assume they connect with the person at IBM, could that person at a later time use that, use the Mink computer to connect to the Intel person?
A No.
Q Why not?
A There is what's called a firewall router on our Internet connection between the Intel network and the Internet itself which rejects connections from outside of the corporation. Basically, it's the equivalent of a call center. It does caller ID on whoever is making the call in, and if it doesn't recognize who is making the call in, it throws the connection away, hangs up on them.
Q So if this person from IBM tried to do that, what type of response would they receive on their computer, do you know?
A They would get the connection refused.
Q Do you know if Randal Schwartz had an account on the Mink computer in March of 1993?
A Yes, he did.
Q And did you have any contact in regard to that particular account, Randal Schwartz, in that timeframe?
A Yes.
Q And could you tell the jury what that was about?
A One day as I was going through checking security of the box, just basically --
Q When you say "the box," what do you mean?
A The box. I'm sorry, I use "box," "Mink" and "computer" interchangeably, so I -- sorry.
I was going through and checking Mink security, checking to make sure there was enough space on the disks for people's files and basically doing systems maintenance when I noticed a process running. A process is just a program, and I noticed a program running that I didn't recognize and it was running under Mr. Schwartz's user ID. His name was Merlyn at the time. That was his user ID.
I wasn't familiar with what the process was, so I went and looked at the source file for the process that was running and spent a couple hours looking at it and figuring out what it was doing. And it was a port reflector, a process that will take -- accept connections from outside of Intel and forward those connections inside of Intel.
At that time, myself and Mark Morrissey, he had a log-in at the Oregon Graduate Institute, so we logged into a computer at the Oregon Graduate Institute and connected the port reflector to make sure that we knew what it was doing and if it behaved the way we expected.
Q Which was?
A You would get connected to -- you would receive a connection and it would sit there with a blank screen. But from looking at the source code of the script, we knew that you would give it a host IP number, which is the IP number that you wanted to connect to, and the port that you would connect to, the port on that host, and it would connect you to that host. And then after that, it's whatever was going across the connection.
Q So after that process, you were past the firewall of Intel?
A Yes.
Q You needed two steps of information to do that, didn't you? Isn't that what you said?
A You needed the IP address and the port number of the host that you want to connect to, yes.
Q So what did you do after you found this script and tested whether it allowed entry through the firewall?
A I called Mr. Schwartz's office and left him phone mail and said I'd like to talk to him. He didn't get back to me and I happened to be in the area so I stopped by his office to talk to him about the script, and I explained to him that connections from outside of Intel weren't allowed and he seemed surprised that this was happening, as if -- that it wasn't an intended effect. I thought it was a bug, some unintended programming error, so I asked him to put in checks into the script to reject connections from outside of Intel. And he did that and we tested them from OGI and I considered the matter closed.
Q So you asked him to modify the script in some way?
A Yes.
Q And the modification would accomplish what?
A It would reject connections from outside of Intel, outside of the single subnet at Intel.
Q So the person from IBM couldn't use that gate script to get into Intel?
A No.
Q And you called those what? You called those blocks?
A That's as an appropriate a word as any.
Q You had a conversation with Mr. Schwartz about what Intel's policy was regarding this gate script at that time?
A I told him that connections from the outside world without being authenticated weren't allowed, yes.
Q Did he have any questions about that?
A Not the first time I talked to him, no.
Q Was that the end of the matter?
A No. Couple months later in July, I believe, I was going through the system again just doing general maintenance.
Q July '93?
A Yes. And I saw another process running that I didn't know. The name had changed, but it was running under Mr. Schwartz's user ID. So I went to look at that one just as a matter of course. It was the same script. The name had changed from "door" to "gate," but the checks to reject connections from outside of Intel had been removed.
At that point, I blocked Mr. Schwartz's account and went up to talk to -- and again went up to talk to him and told him that connections from outside of Intel weren't allowed. And he said that, well, that -- he told me that he was using the gate mail from O'Reilly Associates, and I said, "I'm sorry, I can't allow this. If you want to have a waiver signed from Intel security saying that you can do that, I don't have any problem with it."
Basically, my take on it was I didn't want to be fired because of allowing him to do something he shouldn't, and if he wanted to have a waiver signed, I didn't have any problem with it.
Q So you gave him the option of having someone in authority to approve this gate?
A Yes.
Q And did he follow up on that option?
A No. He said that if he couldn't use the script in its current form that it wasn't useful to him and he didn't need the account.
Q When you lock an account, what does that mean?
A Basically, I changed his password so that he couldn't get into -- he couldn't log into the computer from an outside computer.
Q Now, what changes -- you saw a different name in July of '93 for this script?
A Yes.
Q What other changes were there?
A The name had changed. The formatting of the logs had changed, but other than that --
Q What does that mean?
A The information that was written to the log files, instead of IP numbers, it was writing the box's name, the computer's name in the file instead of IP number. They were purely cosmetic. Functionality hadn't changed.
Q So the functionality when you saw this in July was what?
A The original function that I saw in the original door script, which was it would allow connection from anywhere to anywhere -- from anywhere outside of the Intelnet to anywhere inside the Intel network.
Q And the authorized use of the Mink machine at that time in July of '93 regarding the Internet was what?
A You could log into that computer and from there, you could connect to machines on the Internet.
Q And you'd have to log in from where?
A Inside of the Intel network.
Q So inside of the firewall?
A Yes.
Q And you could use the Mink computer to go outside of the firewall into the Internet?
A Yes.
Q But the person from IBM wasn't supposed to be able to go the other way?
A In fact, they should never be able to tell that the Mink existed, other than the name and its IP number existed.
Q Well, let me ask you this. The IP address or number, is that a secret within Intel?
A No.
Q Is that information available outside of the Intel firewall?
A Yes.
Q And how is that available, do you know?
A There is a number of ways. The general range of numbers that are available at Intel is published by the Network Information Center, one of the controlling bodies of the Internet. The specific names are published in what's called the Domain Name Service server, so basically you can say, "I have the name Mink, please tell me its numbers," because humans aren't good at remembering numbers but good at remembering names, so that's why they have the name look-up, and that's the way it's published. It's published by the Network Information Center and in the Domain Name Services.
Q But even if someone had that number, would not they need the port address to come in through the gate script that Mr. Schwartz had installed on the Mink computer?
A Yes, they would.
Q And tell me about the port address.
A Port address is an arbitrary number. You can look at the IP number as a street address and the port number as front door, back door, side door is more equivalent except there is 64,000 doors, so you would have to know which door you wanted to get into.
Q Well, for a person, that sounds like an insurmountable task.
A If you had to sit there and type it by hand 64,000 times, there are people that have that much tenacity, but you're right, as a human it's a formidable task.
Q What about for the computer, are there programs that can search ranges of IP addresses to see if there is a response?
A Yes.
Q And were they in existence in 1993?
A Yes. I didn't have physical possession of them, but I knew they existed.
Q So how would that -- could you tell the jury how that would work? If you know Intel's range of IP addresses, how could you use the program to find out how to get into Intel?
A Basically the first step would be, you have the range of addresses that you want to send and then you scan, then you know the range of port numbers you want to scan. So you tell the program to start at the first address and scan all its ports, go to the next address and scan all its ports and look for ports where you have connections.
And then after that, you know what ports are listed and which ports are available to accept connections. And then after that, you can try to find some way to make that process that's running on that port link on that port, do what you want it to do.
Q So is it like sending this -- this computer program sends out like sonar waves and then waits for a reception?
A That's an appropriate analogy, yes.
Q Once it gets that response back, what does that -- how does that help the person who is running this program?
A He knows that he got a connection. He probably doesn't have any other information other than that, but there are some well-known software programs that have bugs in them that have security holes so people go around and connect to those ports to find out if these people are running that version of software. There is what's known as a security hole, a hole present to exploit.
With this particular one, he would have gotten a connection and then, I don't know, I'm not the person sitting on the other end, but they would have known that they had a connection to some process and they could try to feed that process information and try to make it do something for them.
Q So the person, once they discovered this gate script, would their connection be rejected or not?
A No.
Q No what?
A I'm sorry. Their connection would not be rejected.
Q But they would be sitting there looking at a blank screen?
A That's true.
Q Is that significant at all?
A The fact that you got a connection on a non-well-known port number is significant because typically these are known as user processes that are on those port addresses. They are typically not well-managed, and they have bugs in them, security holes. And so if people like looking at those to look for -- people like looking at those to look for security holes.
Q After the screen is there, what would be the next step, do you know, for someone who wants to come in through that gate?
A Well, the way that you would get through the gate is by -- to type the IP address and the port number of the host inside of the Intel network you want to connect to, or any host on the Intelnet, or the Internet, for that matter.
Q And how would you know the right number to type?
A Through either you discovered it from looking up the name of the box that you wanted to talk to, let's say you saw a mail message from somebody, mail message would have the name of the machine on it. Somebody told you what the name of an interesting machine was or you just sifted through the Domain Name Services catalog of Intel machines and found a name that you thought was interesting.
Q Now, if there is mail going through this gate to Mr. Schwartz inside Intel, is there any way that anybody could kind of like watch the mail to see where it's going?
A Yes.
Q Does that help them identify the IP address and port number?
A The IP address and port number would be typed in. It's possible for people to watch the network and watch the information going across it and then they would have complete access, yes.
Q So kind of like intercepts the signature of the mail; is that fair?
A Well, it's not the mail. It's when they connect it to the gate script. If someone happened to be watching, they would have seen the IP address and the port number typed in. Basically, they would have the key and then anyone could use the key.
Q So a person could do that or use the program to probe this port?
A Probe the port and try to deduce what the function of the process on that port was.
Q And could that be set up in a program to just run permutations against the port until --
A Yes, it could.
Q Give me a timeframe. Sounds time-consuming.
A Seconds. To find the port would be seconds. To find the permutations of what the process was looking for, I have no idea. It depends on what information you're starting with. It's like, well, what do you start searching? You start searching IP numbers or what? I don't know.
Q We don't have enough variables pinned down to answer that?
A Right.
Q Handing you State's Exhibit 16, can you identify this exhibit?
A This is one version of the gate script that happened to be called Remote X at the time.
Q And which version is this, do you know?
A This is the third version that I saw, that I've seen.
Q Was this version running on the Mink computer, that you know of?
A I don't ever remember seeing this particular script running, no.
Q Let me hand you State's Exhibit 19. Can you identify State's Exhibit 19?
A Yes, this is the gate script.
Q Can you tell the jury which one this is?
A This is the third version of this script that I've seen. The first version was the first version I talked to Mr. Schwartz about which didn't have any checks to reject connection from the Intel network.
The second version that I saw of this script was the one with the checks to reject connections from outside the Intel network. And then this script, which had the checks removed again.
Q So 19 is the version that was running at what timeframe?
A In July of '93.
Q And what is 16?
A This is basically the same script with a slightly different function where once somebody connected to it, it would only connect to a box named Cage in Intel and it would only connect to port 6,000 on Cage.
Q So State's Exhibit 19 allows -- does not restrict which computer you can connect to, or does it?
A No, it doesn't.
Q But 16 does?
A 16 would make -- let me make sure before I say.
Yes, it would only connect to cage.intel.com. "Dot" is period and it's separated between the names.
Q And what type of security does that provide to the Intel Corporation?
A None.
Q Pardon me?
A None.
Q Why?
A Because it would connect to the X server on Cage and the X server would not present any challenge for password or authentication of who was connecting to it.
Q Well, did any of these scripts that you saw at any point in time present anyone who was trying to come into Intel with the request for a password?
A No.
Q You mentioned to the jury an X server that the Cage -- Cage is a name of a computer?
A Yes.
Q So we have got -- what is an X server?
A There is a program on UNIX operating systems called X Windows, which is a lot like Microsoft Windows, that you might be familiar with, except for instead of the display of whatever programs you're running having to show up on the same computer where it is running, the display of the programs can wind up on a remote computer, so I can run a process on this computer in Kansas and take the display of that X client and send it over here.
Q And that doesn't require a password to be entered to do that?
A No.
Q Are there any -- based on your experience in operating the Mink computer for Intel, are there any well-known port numbers in the Internet community that people -- that you are aware of?
A Most of the port numbers before -- below 1,024 are well-known or assigned. Above 10,024, the X server point is at 6,000, and there is some other ad hoc utilities that use high-numbered ports, yes.
Q Are there any particular ports that are traditionally used to accept mail?
A Yes, that's port 2525.
Q And is that fairly well known?
A Yes.
Q Which port was Mr. Schwartz using, if any, on the gate script?
A There was a couple different ones, but I remember one was like 3434. I don't remember specifically, but that one sticks in my mind, and there were a couple others.
Actually, I can look. This one was using port 6077 and this one received the port address from the command line. When the person started the program, they would tell the program what port to use.
Q Well, if the gate scripts aren't using the well-known mail scrips, why doesn't that provide some security to the Intel Corporation?
A It's what's known in the industry as security through obscurity, which means if I hide the fact that there is an open door, then no one will find it. It's the equivalent of closing your door and not locking it and depending on somebody to walk by and not open it.
Q Do you have a name for the process of watching mail to determine port addresses and IP addresses?
A Packet sniffing is one term that's used in the industry. Basically, you're sniffing a wire for interesting information. You're just watching all the information going across the wire and sifting through it later for interesting tidbits.
Q Well, on the Internet, can you give the jury an idea of how much information is going across the wire, as you put it?
A It's a huge number. Let's say at least hundreds of millions of mail messages a day.
Q How is a person going to be able to sit there and sift through all this stuff?
A A person couldn't. A computer is good at it. You can tell the computer, "I'm interested in looking at things from that computer," and it will only pull things off the wire that had to do with that computer, so it can sift out all the noise from all the other computers that are sending packets across the wire.
Q So you could give it a range of IP numbers to look at for those packets?
A Yes.
Q So if you knew the IP addresses, which are public knowledge for the Intel computers, you could give them those numbers?
A Yes.
Q And then you would be able to look at the address of the mail that was going across the wire?
A The address, the place where the mail was addressed to and all of the information going to and from that computer, not just mail.
Q And at that point in time, how many computers at Intel were engaged in this, from Intel through the firewall into the Internet process?
A Approximately nine.
Q And were there attempts to keep the identity of these nine computers within Intel?
A No.
Q Were they -- Was this a published group?
A It wasn't published, as these are Internet hosts, but there was no attempt on my part to hide the fact that it was an Internet host.
MR. SUSSMAN: I couldn't hear the last response.
THE WITNESS: I said there was no attempt on my part to hide the fact that it was an Internet host.
BY MR. TINTERA:
Q So if the person who was watching the mail identified these nine computers, then they could just watch the transactions between these computers for addresses?
A Yes.
Q And actually, that's not a person, that's a computer doing that?
A Yes.
Q If there is these programs and whatever out on the Internet, how can you possibly use this as a medium to conduct any business?
A That's one of the things that the industry is struggling with. You tightly control who gets into your network and what they can do when they get there. The basic policy that Intel had at the time was they trust their employees and if they are on the Intel network, they are going -- they didn't -- they are trusted.
If people are employees of Intel, there is less security on computers on the Intel network than the computers that are facing the Internet to keep the rest of the world out. Analogy was like, well, you trust your family to be in your home, but you lock the doors to keep the rest of the world out.
Q And, unfortunately, I was away from my desk. On State's Exhibit 16 and 19, could you identify 16 again, please?
A 16 is the Remote X program.
Q And was that one running on any of the Mink computers to your line?
A I don't ever remember seeing this one, no.
Q 19 is which?
A 19 is the gate script.
Q And that was running on the Mink computer?
A Yes.
Q And when was that?
A In July of 1993.
MR. TINTERA: Thank you. Those are the only questions I have. Defense attorney may have one or two.
MR. SUSSMAN: Before I start, I'd like to see the two exhibits.
THE COURT: You may.

CROSS-EXAMINATION
BY MR. SUSSMAN:
Q Mr. Brandewie, what's your assessment of Mr. Schwartz's skills with a computer, particularly with the UNIX system?
A He's very skilled.
Q You've identified the State's two exhibits as the gate programs. I'd like to show you what we have had marked for identification as Defendant's Exhibit 111. Would you take a look at that and tell me if you recognize it?
A This is a permutation of something that's calling itself gate.
Q Do you ever remember seeing that particular gate script?
A This exact one? I don't know, but something that has the equivalent functionality, yes.
Q What do you mean "something that has the equivalent functionality"?
A There is multiple ways to write a program to where the program acts the same from the outside but the insides are different.
Q Do you recognize this as the first gate script that you saw running when you went to Mr. Schwartz the first time?
A No. The first gate script was called "door," it wasn't called "gate," so this one is not it.
Q And your statement that this is not the first one is based on the fact that it was called "door"?
A And in the source code for that script, it created a door log.
Q This creates a door log?
A That creates gate log. The other one created a file called "door log."
Q In terms of the functioning, was there a difference between where it says "gate log" or "door log"?
A No.
Q So the difference is just the way it's named?
A Yes.
Q Otherwise, from your review of this now, is this the same as the first program which you called --
A May I see it again?
Q Certainly.
A I don't remember it looking for a secret word in the one that I saw, no.
Q You're saying you don't remember or --
A The original script that I saw didn't have the secret word. In this line here where it says, "Unless host remote source equals new socket and splitting out."
Q Make a note next to that where you are marking.
A Okay. Says it does not equal secret word and that -- no, I don't ever remember seeing that.
Q Was there a copy made or backup made of that first gate program?
A No. I didn't think it necessary at the time after I talked to Mr. Schwartz and he put in the checks to keep people from the Intel network out. I didn't think it was necessary.
Q In fact, the first time you spoke to him about that gate program, he gave you an explanation for the need for that and --
A He said he was using it to connect to O'Reilly & Associates to receive his mail that had been received at O'Reilly & Associates, yes.
Q And you thought that was a legitimate purpose?
A Yes, it is.
Q And his purpose -- when he made the changes and you talked with him the second time about the program, that had been changed?
A Yes.
Q Again, the purpose that he gave was so that he could read his e-mail from off-site?
A No. That isn't the purpose. He told -- that isn't the purpose for the first time. He was connecting to O'Reilly & Associates, which was allowed. Connecting from O'Reilly & Associates was not allowed, and that's what I had him put the checks in.
Q But he was doing that so he could read his e-mail?
A That's what he said, yes.
Q And your description of this X window where you said it allows a person who logs onto the computer to pull up on screen someplace else to a certain window, isn't that typically used to read messages that are on the machine?
A It's hard to say what's typical. That's one of the uses, yes.
Q Now, when you first approached Mr. Schwartz about the first gate program, I know you closed the door -- you called it the door, but just for consistency, we'll call it the first, second and third. Do you remember exactly what you said to Mr. Schwartz about the problem?
A The problem was that it wasn't --
Q The question I asked you, do you remember exactly what you told him?
A I could paraphrase myself, but the exact words, no, I didn't write them down.
9 Q Could you have told him something that 10 the gate program as it was written wasn't secure 11 enough? 12 A Yes, I did. 13 Q Now, after having this discussion with 14 Mr. Schwartz where you told him that this first 15 program wasn't secure enough, did he agree to make 16 the changes? 17 A Yes. 18 Q He made changes? 19 A Yes. 20 Q And you went back and looked at the 21 changes he made a couple days later? 22 A And tested them, yes. 23 Q And that appeared to be -- those changes 24 appeared to satisfy you; is that correct? 25 A Yes. 37 1 Q Now, on that first gate program that you 2 recall talking to Mr. Schwartz about, your concern 3 was that it had no log-in record, no record of who 4 logged in on that? 5 A The logging wasn't the issue. The issue 6 was that it was accepting connections from outside 7 of the corporation. 8 Q Did it have a log-in record? 9 A Yes. 10 Q So there was a way to keep track of who 11 tried to log into that connection from the outside? 12 A Didn't tell who did it, but told where 13 the connection was coming from. 14 Q It would identify the source of where the 15 log-in came from? 16 A It would identify the source computer 17 that was making the connection, yes. 18 Q I guess I wasn't precise enough. It does 19 identify the source computer on the log-in, the 20 time that the log-in was attempted? 21 A Yes. 22 Q And so when I said "who," you were 23 meaning the person? 24 A Right. That's the problem. We didn't 25 know who was doing that. 38 1 Q But you could identify the source? 2 A Yes, I did. 3 Q The where and the machine? 4 A Yes. 5 Q How many IP addresses were there for 6 Intel at this time? 7 A There were five Class B subnets. 8 Q What are subnets? 9 A A Class B subnet is 65,536 addresses. 10 It's the way they -- the way the addresses are 11 handed out on the Internet, they are Class A, B and 12 C subnets. "A" being a 16 million in a Class A; 13 65,000 in a Class B; and 255 in a Class C network. 14 And we had five Class B networks. 
15 Q And so the person who didn't have the 16 benefit of the knowledge of the gate script that 17 you and Mr. Morrissey had to identify the IP 18 address and the port number on gate one, who was 19 trying to break in from the outside -- 20 A Yes. 21 Q -- would then have, using one of these 22 programs that we're talking about, have to run this 23 first against each of the six, the random -- try to 24 randomly attack each of the 65,000 IP addresses on 25 each Class B network? 39 1 A Yes. 2 Q And then on each of those 65,000 IP 3 addresses, if it got it, it would have to test one 4 of the 64,000 port numbers? 5 A Yes. 6 Q And then if it got -- somehow managed to 7 get the right IP address of those 65,000 among five 8 times five and 65,000 times 64 got to the right 9 address and right port, they would then be 10 confronted with a blank screen? 11 A Yes. 12 Q And at that point, the outside person 13 would have to then make -- start guessing about 14 what to do next? 15 A Yes. 16 Q And I believe you said that there were 17 some software that would permit somebody then to 18 start guessing about commands to see if they could 19 get a response. 20 A No. What I said is there is software 21 that will go out and find the IP address and port 22 number. 23 Q But once you've got that blank screen -- 24 A Then it's left up to the creativity of 25 the person trying to break in as to what they try 40 1 to feed that process. 2 Q And if it somehow -- the person somehow 3 figured out what response to enter, then you're 4 saying that they would then need to do a program -- 5 to search another program to search for the some 6 kind of soft spots or vulnerable spots once it got 7 past that on the program it was running? 8 A I had no idea what they would do once 9 they got into the Intel network. 
10 Q Going back to the program that it would 11 probe, each of these tens of thousands of IP 12 addresses and tens of thousands of port numbers for 13 each address, wouldn't that create pretty high 14 extra demand on the Internet traffic coming into 15 Intel? 16 A It would create a demand. I don't know 17 what you mean by "extra high." 18 Q Well, wouldn't it create a noticeable 19 increase in the demand on the traffic coming into 20 Intel? 21 A I don't know how their monitoring is set 22 up. I don't know. 23 Q Now, on the -- You had mentioned that 24 on -- perhaps on the second -- with respect to the 25 second program, that it was possible for somebody 41 1 to watch the mail that Mr. Schwartz or somebody 2 inside sent out where -- the mail coming into the 3 address on those inbound connections and kind of 4 follow that into the IP address? 5 A What I said was it was possible to watch 6 the network and intercept the traffic on the 7 network, mail being one of the things that's on the 8 network. 9 Q Well, for a person to do that, you make 10 it sound like anybody sitting somewhere out in the 11 network could just kind of randomly look for the 12 mail. Wouldn't a person actually have to be on 13 that particular line, watching that particular line 14 to monitor what was happening? 15 A Right. Depending on where the mail was 16 going through, that line could go through hundreds 17 of different computers. 18 Q And were you aware of any time 19 Mr. Schwartz sent outbound e-mail through Mink? 20 A I never paid attention to outbound mail. 21 Q Now, you mentioned that there were like 22 nine computers in the network that were connected 23 to the Internet. 24 A That I was aware of, yes. 25 Q Those were where, Hawthorn Farms? 42 1 A Some are Hawthorn Farms, some at Jones 2 Farm, some at Cornell, some at the old IWARP group. 3 Spread throughout the corporation. 4 Q Those were nine not counting the SSD 5 computers that were -- 6 A Yes. 
I don't know how SSD network is 7 configured. 8 Q Was Mink not on the same network as the 9 SSD computers? 10 A True. 11 Q And so your response, the responsibility 12 that you had in the directions that you gave to 13 Mr. Schwartz, as far as how things needed to be 14 operated, dealt specifically with the computers in 15 your network? 16 A Dealt specifically with Mink. I didn't 17 have any administrative control over the rest of 18 the machines. 19 Q And as the System Administrator, it's 20 your responsibility to basically make sure things 21 are working properly, that the system is running 22 the way you feel it needs to be running? 23 A And it conforms to the policy as I 24 understand them, yes. 25 Q Were there uniform security policies in 43 1 effect at Intel at that time? 2 A Yes, but I don't remember what the 3 specific policy was at that time. 4 Q And were those policies distributed to 5 each employee at Intel? 6 A I don't remember. They were given to me. 7 I don't know if they were uniformly given to all 8 employees. 9 Q Do you know whether or not they were 10 given to each independent contractor at Intel? 11 A I don't know what they do with 12 independent contractors. 13 Q Now, I believe you testified that the 14 only reason to have an account on Mink for somebody 15 inside -- within Intel would be to have access to 16 the Internet. 17 A Yes. That was its intended purpose. 18 Q And the gate program that you saw 19 Mr. Schwartz running allowed Mr. Schwartz to have 20 access to the Intel computers that he was working 21 at from outside? 22 A Yes, it did. 
23 Q And so that when Randal Schwartz, if he 24 was -- if when Randal Schwartz was outside of Intel 25 and used that program to connect to a machine 44 1 inside of Intel, it would allow him only that 2 access that he could have when he was sitting at 3 his own computer inside the -- 4 A He would have the same access except 5 there would be no name attached to the log and 6 there would be no -- people wouldn't see him there. 7 They wouldn't see him working there and they 8 wouldn't see what he was doing. 9 Q You remember having a discussion with 10 Mr. Agrue and Mr. Olstadt sitting in the courtroom 11 who has been assisting me on the case? 12 A Yes. 13 Q And you recall telling Mr. Agrue that 14 when Randal was using the gate program from the 15 outside, it would not allow him access from 16 anything outside that he couldn't do when he was 17 sitting inside? 18 A That's true. I said that. 19 Q And anybody -- you're saying that 20 anybody -- that in the process that Mr. Schwartz 21 did, that would be visible through Mink? 22 A What do you mean by "visible"? 23 Q Let me clarify the question. 24 Your previous comment was if the 25 outside connection was coming, you wouldn't see the 45 1 outside source it was coming from, as I understood 2 your testimony. 3 A Well, maybe. I think you misunderstood. 4 The fact that a connection was made to that script 5 was logged. The who was using it, who was making 6 that connection was not. 7 Q And it would show that it was coming, 8 that a log into Mink was occurring? 9 A Yes. 10 Q And when you went back and talked to 11 Mr. Schwartz the second time about the fact that 12 the changes that you observed several months later 13 were not acceptable, Mr. Schwartz told you that -- 14 to cancel his account because if he couldn't get 15 access to his e-mail from when he was outside, the 16 account was no use to him? 
17 A We had a discussion as to what would be 18 acceptable for him to do and if he wanted to run 19 the script in his -- 20 Q My question to you was, Mr. Schwartz told 21 you that if that -- if he wasn't permitted that 22 access from the outside to read his e-mail, then he 23 did not need the account on Mink? 24 A That's not what he said. He said, "If I 25 can't do this, then the account is useless to me." 46 1 Q And so he asked you to -- so he basically 2 said, "Cancel the account"? 3 A Basically. I said, "Fine, I'll remove 4 it." 5 Q Couple more questions. Prior to that 6 first discussion after you noticed the first 7 program running, you had not had any discussions 8 with Mr. Schwartz about whether that process that 9 you found the first time was not allowed; is that 10 right? 11 A He never asked. 12 Q You never had a discussion like that with 13 him? 14 A No. 15 Q And at the end then when Mr. Schwartz -- 16 the last discussion when Mr. Schwartz said, "I have 17 no further need for the account," you said, "Fine," 18 it wouldn't be exactly accurate then to say that he 19 was kicked off Mink. That was a mutual decision to 20 terminate the account, wasn't it? 21 A The decision was his to not go forward 22 with getting a security waiver for that program, 23 and at that point, I told him either he can get a 24 security waiver or he no longer would have an 25 account. 47 1 Q He told you he didn't need the account 2 anymore, so it was a mutual decision; is that 3 right? 4 A Okay. 5 Q There was no disciplinary action taken 6 against Mr. Schwartz on this second -- 7 A No. 8 Q His contract wasn't terminated? 9 A I don't know. 10 MR. SUSSMAN: Nothing further. 11 THE COURT: Mr. Tintera. 12 13 REDIRECT EXAMINATION 14 BY MR. TINTERA: 15 Q You were asked about any conversation 16 before you found the first, what you have described 17 as the door program in March of 1993 -- 18 A Yes. 19 Q -- with Mr. Schwartz. Did Mr. 
Schwartz 20 seek your authorization to install that script on 21 the Mink computer? 22 A No. 23 Q Did that script alter the Mink computer 24 in the way that it worked? 25 A Yes. 48 1 Q Did it alter the network it was attached 2 to? 3 A Yes. 4 Q And it's your recollection that it was 5 important to Mr. Schwartz to have the two-way 6 connection on this gate script? 7 A The second time I spoke to him, yes. 8 Q And that if he couldn't have that two-way 9 connection here, then the account was useless to 10 him? 11 A Yes. 12 Q Now, you said if someone was using this 13 gate script, that the Mink computer had a log or a 14 file that would show that was being used; is that 15 correct? 16 A The script created that log, yes. 17 Q But it wouldn't show who was using it? 18 A That's true. 19 Q So it would show an entry into the Intel 20 network, but that was -- what else would it show? 21 A That's it. It would show the time that 22 the entry occurred. 23 Q Would it show what -- the user who had 24 gone through there, their identity? 25 A No. 49 1 Q Would it show where they went? 2 A It would show the first -- it would show 3 the computer that they connected to after Mink in 4 the Intel network, yes. 5 Q And would it show what they were doing on 6 the computer that they connected to? 7 A No. 8 Q Would it show if any information was 9 being copied? 10 A No. 11 Q Would it show if any information was 12 being exported from the computer outside of the 13 firewall at Intel? 14 A No. 15 Q So it would just show that the door was 16 open? 17 A Yes. 18 Q Not what was going through it? 19 A True story. 20 Q On any -- Did the script that you saw in 21 July of 1993, did you authorize Mr. Schwartz to put 22 that script in? 23 A No. 24 Q Did that also alter the Mink computer -- 25 A Yes. 50 1 Q -- in the network it was attached to? 2 A Yes. 3 Q You were asked a lot about the 65,000 IP 4 addresses times 5 and the 64,000 port addresses 5 times 64. 
Those numbers appear to be an 6 insurmountable obstacle to gain access to Intel. 7 Why weren't you concerned at all? 8 A Because computers never sleep and it 9 would take on the order of a few seconds to scan 10 all the ports on each of the IP addresses. And 11 computers can work 24 hours a day. It's just a 12 matter of telling them to go do it and then come 13 back and look for the answer. 14 Q Do you remember what the log entry showed 15 on the gate script? 16 A I remember some of the entries that I 17 saw, yes. 18 Q What were they? 19 A They showed connections from a box named 20 ruby.ora.com, which is a computer named Ruby at the 21 network that O'Reilly & Associates -- which is a 22 publishing company -- owns. And I don't remember 23 the exact name, but there was another connection 24 from a computer in pyramid.com, which is the 25 network owned by Pyramid Corporation. 51 1 Q Do you still have Defendant's Exhibit 2 111? 3 A No. 4 MR. TINTERA: Do you have 5 Defendant's Exhibit 111? 6 MR. SUSSMAN: Yes. 7 BY MR. TINTERA: 8 Q Refresh me on Defendant's Exhibit 111. 9 Do you recall if that was any of the scripts that 10 you saw on the Mink computer in this timeframe in 11 1993 or associated with the defendant at all? 12 A This appears to be the first version of 13 the gate script that I saw, but the only thing I 14 don't remember is this -- where it's looking for a 15 secret word here where I marked with the red X. 16 Q What significance is the secret word 17 here? 18 A It would make it slightly harder for the 19 person outside of Intel to guess what the right 20 string -- the right set of characters to give to 21 the script to gain access would be. 22 Q If that had existed on that original gate 23 program in March of '93, would you still have 24 contacted Mr. Schwartz about it? 25 A The secret word in itself would not have 52 1 been enough. 
If the system password file would 2 have been used which the Perl scripting language 3 has access to, then I would have given it close 4 scrutiny and tested it, but it would have been all 5 right. 6 MR. TINTERA: Those are the only 7 questions I have. 8 THE COURT: Mr. Sussman. 9 10 RECROSS-EXAMINATION 11 BY MR. SUSSMAN: 12 Q You mentioned that it would only take a 13 few seconds to scan all the IP addresses in the 14 ports. 15 A No. I say it would take a few seconds 16 per IP address. 17 Q And a few seconds per port? 18 A No. Port would be almost instantaneous. 19 Q So it would be less than a second -- 20 A Yes. 21 Q -- per port. Once the program like that 22 sends a signal to the IP address, is there any 23 additional lag time in terms of the sending of the 24 testing command to the IP address and the response? 25 A Yes, there is a latency from the time the 53 1 connection request is made to the time there is an 2 answer in the disk and computer, but you can send 3 multiple connect requests at the same time, so you 4 basically can have zero latency. 5 MR. SUSSMAN: I have nothing 6 further. 7 THE COURT: Mr. Tintera? 8 MR. TINTERA: No other questions. 9 THE COURT: Thank you. You may step 10 down. 11 Let's take a break here. Remove the 12 jury. We'll take a short break. 13 (Recess.) 14 THE COURT: Mr. Tintera, call your 15 next witness. 16 MR. TINTERA: John Gray. 17 18 JOHN C. GRAY 19 called as a witness on behalf of the State, having 20 been first duly sworn under oath, was examined and 21 testified as follows: 22 23 THE CLERK: State your full name and 24 spell it for the record, please. 25 THE WITNESS: John C. Gray. 54 1 G-r-a-y. 2 DIRECT EXAMINATION 3 BY MR. TINTERA: 4 Q Mr. Gray, how are you employed? 5 A I work for Intel Corporation. 6 Q And do you have a particular division 7 where you work? 8 A I work at Hawthorn Farms and Jones Farm 9 campuses that encapsulates multiple phases, several 10 divisions. 11 Q And what are your current 12 responsibilities? 
13 A Operations management for Information 14 Technology. 15 Q Operations management for what? 16 A Information Technology. Computers, 17 networks. 18 Q And is that particular responsibility -- 19 there is a lot of letter abbreviations that I've 20 run into at Intel. Does this one have one? 21 A IT. 22 Q And was there a period of time when you 23 were associated with the Supercomputer Division of 24 the Intel Corporation? 25 A Yes. 55 1 Q And when was that, if you know? 2 A That would have been January of 1992 3 through about November of 1993. 4 Q And what was your function at the 5 Supercomputer Division? 6 A I managed Information Technology, IT. 7 Q So you managed IT over there, Information 8 Technology? 9 A Yes. 10 Q What were you trying to accomplish at the 11 Supercomputer Division in that timeframe? 12 A Prior to the formation of IT group, 13 computer services were scattered across the 14 division and individuals here and there scattered 15 around the business. So the job was to consolidate 16 all of the support resource into one organization, 17 kind of bring it into the corporate fold in terms 18 of Information Technology, support services and 19 standards. 20 Q Did any of this -- any of your function 21 there involve security? 22 A Computer security, sure. 23 Q And what was that? 24 A Basically the Information Technology 25 Group was responsible for information security 56 1 within SSD. 2 Q So from the period of January of '92 to 3 November of 1993, did you have people designated as 4 your security person? 5 A Yes. 6 Q And was there more than one? 7 A Yes. There were a succession of people. 8 Q And during that time period, who were 9 they? 10 A Would have been Lou Poehlitz initially, 11 followed by John Kent. 12 Q And do you know who selected those people 13 for those security positions? 14 A I did. 15 Q And do you know Randal Schwartz? 16 A Sure. Yes. 17 Q Do you see him here? 18 A Yes. 19 Q Could you point him out, please? 20 A Sure. 
That's Randal right there. 21 Q What security position did you select 22 Randal Schwartz for? 23 A None. 24 Q Was he working for SSD during this 25 timeframe? 57 1 A Yes. 2 Q What was his assignment, if you know? 3 A Randal had worked for the IWARP group in 4 a Systems Administration capacity in the UNIX 5 computing environment. 6 Q What was his position there? 7 A Randal's job was Systems Administrator 8 for the IWARP group, the job he had before I 9 arrived there and that he continued with after I 10 took the position. 11 Q And did he continue up until the end of 12 his tenure with the Supercomputer Division? 13 A Yes. 14 Q Can you explain to the jury, if you know, 15 when Mr. Schwartz left the Supercomputer Division? 16 A My recollection is that it was early in 17 1993, January or February timeframe. 18 Q And could you explain to the jury the 19 circumstances of him leaving? 20 A Yeah. We were attempting to consolidate 21 what was IWARP into the rest of SSD at the time. 22 We were in the process of consolidating systems, of 23 beefing up security and of the environment 24 generally at SSD. 25 One of the areas that we were 58 1 working in was the e-mail area and there were some 2 fundamental disagreements between Randal and Lou on 3 the approach to -- how to architect the mail 4 environment there, a distributive versus 5 centralized kind of approach. 6 Q Distributive versus centralized? 7 A Uh-huh. And Randal on the distributive 8 side of the argument and Lou and really the rest of 9 the IT group there on the centralized side of the 10 argument. And basically there was strong enough 11 disagreement about the whole issue that I 12 determined not to renew Randal's contract. 13 Randal was unhappy about the 14 situation, too, and decided to leave, so it was 15 kind of a mutual parting of the ways. That's the 16 way I remember it. 
17 Q Now, when someone leaves the 18 Supercomputer Division, are there any trails or 19 things that are necessary to do when that happens, 20 when the contract is at an end and the person 21 ceases to work for the Supercomputer Division? 22 A Sure, you delete or disable account 23 access. 24 Q What does that mean? Translate that for 25 the jury. 59 1 A That means the individual can no longer 2 access the computers at the business; basically 3 blocks computer access. 4 Q And do you know who gave the instructions 5 for Mr. Schwartz's accounts to be disabled? 6 A Yeah, I did. 7 Q And who did you tell that to? 8 A That would have been John Kent. 9 Q Now, you were in the position of 10 responsibility to give that type of order? 11 A Uh-huh. 12 Q And that order -- What computers on the 13 Supercomputer Division did that order not apply to? 14 A The intent was it would apply to all 15 computers, certainly. 16 Q Are you familiar with the Brillig 17 computer? 18 A Not specifically. 19 Q You don't know if that was part of the 20 Supercomputer Division or not? 21 A The name is familiar. I'm sure it was 22 part of the division. 23 Q So your order would include that? 24 A Sure. It would include all computers in 25 the division. 60 1 Q While you were working for the 2 Supercomputer Division, did you -- that continue 3 until November of 1993? 4 A Right. 5 Q Did you, at any point in time, authorize 6 Randal Schwartz to copy the Supercomputer Division 7 password file? 8 A No. 9 Q Did you authorize Randal Schwartz to run 10 a Crack program against the Supercomputer password 11 file? 12 A No. 13 Q Did Mr. Schwartz ever come to you with 14 any type -- while he was working there or 15 afterwards, with any type of security concerns with 16 the Supercomputer Division? 17 A No. 18 Q Did he ever come to you after with 19 passwords that had been cracked at any point in 20 time during his tenure? 21 A No. 22 Q Do you know what a gateway program is? 23 A Yes. 
24 Q Did you authorize Randal Schwartz to 25 install a gate script or gateway on the Brillig 61 1 computer? 2 A No, not specifically. 3 Q Who was responsible for the security of 4 the Supercomputer Division password file in 1993? 5 A It would have been Lou Poehlitz, 6 succeeded by John Kent. 7 Q Did that responsibility extend beyond the 8 Supercomputer Division to other Systems 9 Administrators? 10 A No. 11 MR. TINTERA: Thank you. I don't 12 have any other questions. 13 THE COURT: Mr. Sussman. 14 MR. SUSSMAN: Thank you, Your Honor. 15 16 CROSS-EXAMINATION 17 BY MR. SUSSMAN: 18 Q Mr. Gray, you said you're now operations 19 manager for IT at both Hawthorn Farms and Jones 20 Farm. 21 A Yes. 22 Q How far apart are they? 23 A Two miles, probably. 24 Q Do you have to go back and forth or -- 25 A Yes, I go back and forth. 62 1 Q Now, you mentioned that you -- that 2 Mr. Schwartz left SSD and you thought it was in the 3 spring of 1993. Are you certain about that date? 4 A No, I'm not certain about the dates. 5 Q Is it more likely it was the spring of 6 1992? 7 A Could have been. I really don't remember 8 the dates specifically. I know that I started in 9 January of 1992, December, January kind of 10 timeframe. We really didn't concentrate on the 11 IWARP consolidation until later that year. That 12 wouldn't have happened, so it wouldn't have been 13 January or February of 1992, I don't believe. 14 Q Now, after that time in which 15 Mr. Schwartz and you had the mutual agreement that 16 the contract would end -- 17 A Uh-huh. 18 Q -- and did Mr. Schwartz -- did 19 Mr. Schwartz do some contract work at SSD later in 20 the year? 21 A I, at the time, was not aware of any 22 other contract work that Randal was doing. 23 Q At the time? 24 A No. 25 Q Now, at the time that Mr. Schwartz was 63 1 working for you at SSD, you mentioned that there 2 was -- that you were trying to bring all these 3 disparate groups together. 4 A Uh-huh. 
5 Q Could you describe what the atmosphere 6 was like at SSD and -- 7 A I think you described it pretty well. It 8 was a disparate group of individuals. 9 Q I probably used a word I shouldn't have. 10 What do we mean by that? 11 A Individuals not working together, but 12 working independently and in various aspects of the 13 computing environment, so there was no 14 consolidated, coordinated effort to get the whole 15 environment under control or managed in some 16 consistent fashion. 17 Q So were often different kinds of 18 approaches or procedures that were used in each of 19 these different groups? 20 A Certainly. 21 Q And one of the things that sounds like 22 you were then trying to work on was trying to bring 23 some cohesion or some centralization to all of 24 this. 25 A Right. 64 1 Q And so there was no unified company-wide 2 security policy in effect? 3 A No, that's not true. There has always 4 been, as long as I've been at Intel, a security 5 policy and it's well-known and generally 6 well-communicated, although at SSD, it was probably 7 less well-communicated than most other divisions of 8 the company. 9 Q So referring now to some notes of the 10 conversation that you had with Mr. Agrue and 11 Mr. Olstadt last month, and so the comment here 12 that there were no company-wide security 13 policies -- 14 A That's clearly a misunderstanding. 15 Q And if there were, they hadn't been 16 communicated to SSD? 17 A They probably were poorly communicated to 18 SSD until that point. 19 Q And that was in part because SSD 20 previously had not been as closely connected to the 21 rest of Intel? 22 A That's right. 23 Q Was it your understanding of Intel policy 24 that independent contractors were not supposed to 25 be Systems Administrators? 65 1 A That's true. Generally Intel does not 2 like -- and there is a policy that states it -- 3 contractors to perform Systems Administration 4 duties that involve security aspects of the 5 environment, for obvious reasons. 
6 Q Wasn't that policy routinely broken 7 because of manpower situations? 8 A It still is. Unfortunately, because of 9 manpower constraints, we still have a lot of 10 contractors doing that kind of work for Intel that 11 really shouldn't be. 12 Q And Mr. Schwartz had been doing that kind 13 of work for Intel at the time that you came on to 14 SSD? 15 A Yes, that's true. 16 Q And for that, your understanding of that 17 policy and your review of that policy then was such 18 that you would not have wanted to hand 19 responsibility for security to an independent 20 contractor? 21 A That's right. 22 Q Because you saw that as a fundamental 23 violation of company policy? 24 A Right. 25 Q There is also a policy if a person leaves 66 1 a division or one of the sections of Intel because 2 of a security incident, they are not supposed to be 3 hired back? 4 A That's true. 5 Q How would you describe Mr. Schwartz's 6 skills, his abilities? 7 A I'd say he's a very highly skilled 8 individual in computers network. 9 Q In fact, you referred to him as a UNIX 10 jock? 11 A Sure. 12 Q What does that mean? 13 A That means what I said. Someone that's 14 very highly skilled in UNIX, in environment, and 15 UNIX is a particularly complex computing 16 environment. 17 Q A couple questions about this 18 philosophical difference that led to Randal leaving 19 SSD at that time. You talked about it in terms of 20 centralized versus decentralized. 21 A Yes. 22 Q Would it be accurate to say distribution 23 of e-mail around SSD was very important for 24 communication for keeping up on work? 25 A I'd use a different term. Access to 67 1 e-mail at SSD was very important. Distribution of 2 e-mail is a means of accomplishing that objective 3 and only one means. 4 Q And there was some problems with the 5 distribution of the e-mail that arose and some 6 changes were made? 7 A Yeah. There were fairly routine problems 8 with e-mail. 
9 Q And when you talk about decentralized 10 system that Randal Schwartz was a proponent of, was 11 that a system based on the Domain Name Server? 12 A Yes. 13 Q And that, in fact, is the direction Intel 14 has gone subsequently, isn't it? 15 A Yes. 16 Q Including SSD? 17 A Yeah. It's a much more mature policy 18 today than it was several years ago. 19 Q Now, when Mr. Schwartz -- When you made 20 the decision not to renew his contract, you said it 21 was a mutual decision. Did you specifically 22 communicate to him that the contract was terminated 23 or not to be renewed? 24 A I don't remember. I don't remember a 25 specific conversation, although Randal and I talked 68 1 fairly regularly, but I don't remember a specific 2 conversation about that. 3 Q Do you remember Randal communicating by 4 e-mail or some other announcement that -- 5 A I do remember an e-mail that Randal sent. 6 Q That he, in fact, felt his services were 7 no longer required? 8 A I do remember that e-mail. 9 Q And that was the last that he worked 10 there under that contract? 11 A Right. 12 Q Now, when you arrived there, was Randal 13 Schwartz considered an expert in security? 14 A I wouldn't know. I certainly wouldn't 15 have considered him an expert in security. As I 16 said before, Randal is a very highly skilled 17 individual in the computing environment and the 18 UNIX environment specifically, and that would 19 include security expert, which is something else 20 again. 21 Q Again referring to notes from the earlier 22 conversation that you had with Mr. Agrue, and there 23 was no note that said Randal was considered an 24 expert in security, and then he says you mentioned 25 that -- goes on to discuss that he's highly 69 1 distributive in e-mail form where the industry was 2 headed, and that was the end. So was that not then 3 and accurate or -- 4 A That's a misinterpretation of what was 5 said. 
I'm sure I wouldn't have called Randal an 6 expert in UNIX security, although certainly he's 7 very knowledgeable in UNIX security. 8 Q In fact, security was something that you 9 were particularly concerned about? 10 A Sure. 11 Q When you came into SSD and you put in 12 extra security measures during the time and after 13 Mr. Schwartz left -- 14 A Yes. 15 Q -- and one of the things that concerned 16 you was security leaks? 17 A Security leak? 18 Q Well, for instance, at the SSD before you 19 got there they had been subjected to being broken 20 into by some hackers from Germany; is that right? 21 A Yeah, there were a number of attempts at 22 illegal break-ins at SSD. 23 Q And in fact, there had been access made 24 by some outside hackers from Germany? 25 A Yes, that's right. 70 1 Q And that was through Intel's phone modem, 2 wasn't it? 3 A That was one means of access, right. 4 Q And Mr. Poehlitz was your security person 5 at the time? 6 A Uh-huh. 7 Q And so as a result of these incidents, 8 you were concerned about improving security? 9 A Absolutely. 10 Q One last question. Mr. Schwartz was the 11 Systems Administrator at IWARP when you got there? 12 A Right. 13 Q Were you aware that Mr. Schwartz had a 14 practice of running Crack, the program called Crack 15 to test the security of the passwords at IWARP 16 while he was a Systems Administrator? 17 A No, I wasn't. 18 MR. SUSSMAN: Thank you. I have 19 nothing further. 20 THE COURT: Redirect? 21 22 23 24 25 71 1 REDIRECT EXAMINATION 2 BY MR. TINTERA: 3 Q Mr. Gray, what counsel has referred to as 4 the German hacker, are you aware that the access to 5 the Intel Corporation and SSD here in Washington 6 County was gained through the Internet? 7 A Yes. 8 Q I mean, that's the way that person made 9 it from Germany over this way, right? 10 A There was Internet access and also modem 11 access, both. 12 Q So, of course, your security concerns 13 were with people coming from the Internet through 14 the Intel firewall? 
A Certainly.
Q You've been referenced to a conversation that you had with the defense investigator, Mr. Agrue. I showed you the report that was generated from that conversation; is that correct?
A Yes.
Q Did Mr. Agrue go over the report that he generated with you to have you check it for accuracy?
A No.
Q Pardon me?
A No.
Q After Mr. Schwartz's contract was closed off from SSD, are you aware of any authorization for him to continue work in SSD?
A No, I wasn't.
Q Would that have come with your approval?
A I wouldn't have given approval for it had I been asked. Obviously, I wasn't asked, though.
Q Why is that?
A That's a good question. I don't know the answer to that.
Q Why would you not have given approval to rehire Mr. Schwartz?
MR. SUSSMAN: Your Honor, I object. This is beyond what was covered on cross-examination and I don't think it's proper redirect.
MR. TINTERA: No, Judge, he brought this up as to whether there was authorization. He's brought up his work habits. I think we're entitled to go into that at this point.
THE COURT: I'm sustaining the objection to that. I think that's beyond the scope, at least that specific question, why he would not have rehired him.
Let me rephrase that. The witness is not permitted to answer the question. The question you asked was whether or not he would have rehired him. There was an objection. There was no answer. I will not permit the witness to answer that question, whether or not he would or would not have rehired.
I'm sorry. I'm going to change that again. He did answer that question, but you asked why he would not have. I think I was correct to begin with. I sustained the objection to that question, the specifics of why he would not.
Go ahead.
MR. TINTERA: Are you sure?
THE COURT: I'm sure. Wait a minute and I'll change it again.
MR. TINTERA: Thank you.
I don't have any other questions.
MR. SUSSMAN: Nothing further.
THE COURT: Thank you. You may step down. I'm sure of that.
Any need for him to remain?
MR. SUSSMAN: No.
THE COURT: Thank you. You're free to go. Thank you for being here.
Call your next witness.
MR. TINTERA: Clayton Kirkwood.

CLAYTON KIRKWOOD
called as a witness on behalf of the State, having been first duly sworn under oath, was examined and testified as follows:

THE CLERK: State your full name and spell it for the record, please.
THE WITNESS: Clayton Kirkwood. K-i-r-k-w-o-o-d.

DIRECT EXAMINATION
BY MR. TINTERA:

Q How are you employed, Mr. Kirkwood?
A Employed by Intel Corporation.
Q And what do you do for Intel now?
A Currently, I'm a project manager for several projects.
Q And back in 1992, 1993, did you have an occasion to hire Randal Schwartz?
A Yes.
Q And what specific reason did you hire Mr. Schwartz?
A I hired him to design and develop a capability for Domain Name Services.
Q Could you give us any idea of what a Domain Name Service does?
A Sure. In this particular environment there are quite a few computers and users that want to connect from one machine to another. People remember names better than numbers, so you think of the machine that you want to connect to by its name, but you don't -- the computers underneath communicate via numbers.
Q Those are called IP addresses?
A IP addresses, yes. To translate from a host name into an IP address, you either have a host file, which contains this mapping of addresses to names, or you can go to a machine, a Domain Name Server machine, and it will provide that look-up capability for you. So machine A communicates with the server and says, "Give me the address for this name." Server responds back.
Q Now, did that -- Did Mr.
Schwartz's responsibility involve all the Domain Name Service for all of Intel Corporation?
A He had access to all of them that we had in our control. I was responsible for the servers themselves, though, and the project.
Q And does this system go through the Supercomputer Division?
A It doesn't go through it. It may support it at the time. May have supported those systems in the Supercomputer Division.
Q Does the Domain Name Server have its own password file?
A Yes, has its own password file. Each system which we had at the time, maybe 15 corporate-wide around the world, 15 to 20, each of them has a port file to allow certain people access to the machines.
Q That password file is kept independent of the other Intel divisions?
A Yes. They are specific to the machine itself and each password file on the 15 to 20 DNS server corporate-wide were totally different and had nothing to do with any other machines, the password files.
Q So they had nothing to do with the Supercomputer Division?
A Not directly. Again, if there were clients in the Supercomputer Division that needed to look up an address, given a name, or a name given an address, potentially that look-up could have been done on one of the servers that I was responsible for.
Q The Supercomputer Division password file would not be maintained under the Domain Name Server?
A Correct.
Q What was Mr. Schwartz supposed to do, if you could tell us in layman's terms?
A He designed and coded up a program to take the host files and create a database of information that could be loaded into the server itself.
Q A fairly specific function?
A Very specific function.
Q And do you know the period of this contract?
A It was roughly December of -- I think it was '91 through November of '93. I believe it was that timeframe.
Q And did his responsibilities involve a system administration of the Domain Name Server?
A He was involved with various aspects of Systems Administration. It was not his sole function.
Q Do you know or did you give Mr. Schwartz authority to copy the password file for the Supercomputer Division of the Intel Corporation?
A No.
Q And did you give Mr. Schwartz authority to run a Crack program against the password file for the Supercomputer Division of the Intel Corporation?
A No.
Q Did you authorize Mr. Schwartz to install a gateway program that would circumvent the firewall of the Intel Corporation?
A No.
MR. TINTERA: Those are the only questions I have.
THE COURT: Mr. Sussman.
MR. SUSSMAN: Thank you, Your Honor.

CROSS-EXAMINATION
BY MR. SUSSMAN:

Q Mr. Kirkwood, you are -- where is your office?
A In Folsom, California.
Q Mr. Schwartz was working up here at the Hawthorn Farms campus at the time when you had this contract with him?
A Most of the time, yes.
Q So was it difficult to communicate, get together because of the distance?
A No.
Q Why not?
A Telephones, meetings. We'd hold on-line phone meetings and he and I would communicate, often on a daily basis, regarding various things that need to be done. There would also be times when we wouldn't talk for many days.
Q Also computer access is easy?
A Yeah, e-mail, electronic mail.
Q So e-mail doesn't matter if you are in Folsom, then, or Arizona or Florida as far as being able to communicate with somebody in Portland?
A Well, it's an electronic form of mail, just like postal mail.
Q Did some of the work that Mr. Schwartz was doing under this contract involve computers at Cornell Oaks?
A Not for my specific project, no.
Q Did it involve working at any of the other Intel campuses or sites around Oregon or around the rest of the country?
A Yes.
Q And also overseas?
A Yes.
Q And he had to have access to these different computers and systems at these sites around the country and overseas?
A Yes.
Q And on all of them, did he have access to what's called root access on the ones that he was working on the DNS project?
A Right. He had root access to my 15 or 20 machines corporate-wide.
Q And when you say "corporate-wide," where were some of those located outside of Oregon?
A In that timeframe, we had machines in Folsom, Santa Clara, Chandler, Arizona, up here in Oregon at two or three sites. Israel, I believe, at that point was also on line, two sites in Israel. That would probably be it at that time.
Q Now, the -- did this project involve moving all of the IP addresses from the Intel Corporation's host, that centralized file of the IP addresses, into this Domain Name Server system?
A Could you repeat the question?
Q Well, prior to -- let me rephrase.
Prior to the shift to using the Domain Name Server to distribute the mail, were the IP addresses all kept in kind of a central host file?
A Yes.
Q How many IP addresses were in that centralized file?
A At the time roughly beginning at about 19,000, and then towards the end of the contract, roughly 29,000.
Q During the course of your contract, did you provide Mr. Schwartz with copies of any of the security manuals that were in effect?
A No.
Q During the time that Mr. Schwartz was doing this DNS project and he had access to the computers throughout the country and Israel, were his activities on those computers closely monitored?
A Closely monitored?
Q Yes.
A No.
Q Mr. Schwartz was an independent contractor doing this?
A Correct.
Q And so as an independent contractor, then, the IRS regulations require that you kind of give him a job to do but not tell him the specific means of how to get it done; is that right?
A Correct.
MR. SUSSMAN: I have nothing further.
THE COURT: Redirect?
MR. TINTERA: No, thank you.
THE COURT: Thank you. You may step down. You're free to go.
Call your next witness.
MR. TINTERA: Judge, the witness well is dry for this morning.
THE COURT: Do you have some -- that means you're out of witnesses?
MR. TINTERA: That's correct.
THE COURT: That's some sort of computer legalese.
MR. TINTERA: I just made that up for you.
THE COURT: Thank you.
MR. TINTERA: You're welcome.
THE COURT: Do you have witnesses for 1:30 then, is that it?
MR. TINTERA: Yes.
THE COURT: How many additional witnesses do you believe that you will have?
MR. TINTERA: Three.
MR. SUSSMAN: Your Honor, as we mentioned last week, and the State has been also willing to allow, the witness that I had lined up for today, the witness who made plans to come up here from Florida, was just in town for the day, is here and we can take him at 1:30, after lunch, because he has a flight to catch this afternoon.
THE COURT: Do we need to talk about that some more?
MR. TINTERA: Not in front of the jury.
THE COURT: They're going to recess now. Looks like the State is probably going to get close to winding up the State's case today, just so we know.
We're going to recess now. It will be until 1:30. It will be long because we don't have witnesses. Leave your notes in the jury room. Don't talk about the case. Check in before 1:30 and we'll try to start at that time.

(Whereupon, the following proceedings were held in open court, out of the presence of the jury:)

THE COURT: You have a witness. Who is the witness?
MR. SUSSMAN: The witness is Patrick Reilly and he's a witness who I spoke to and informed Mr. Tintera about right after I spoke with him, which was that Sunday, the 2nd or 3rd of July, and we made arrangements for him to come out.
We tried to anticipate, based on what I had been informed earlier, that the State's case would be finished last week.
THE COURT: What's the nature of his testimony?
MR. SUSSMAN: He is a witness for a couple things. He has some background in the sense that he has been an employer of Mr. Schwartz's and also he is a character witness for Mr. Schwartz.
THE COURT: Mr. Tintera.
MR. TINTERA: Judge, I'm not objecting to taking him out of order, but I would ask the Court to once again be aware that it's my position that the defense counsel has opened up defendant's activity, at least with the Tektronix Corporation prior to him coming to Intel, through defense counsel's opening statement where he said he was an exemplary employee, which isn't true, and I should be able to correct that.
I should alert the Court that as we hear how he worked with other corporations, I think it's going to be important and relevant that the jury hear the rest of the story in regard to his activities at Tandem and his activities at Tektronix. So I'm just alerting Your Honor to that, that that is going to be something that --
THE COURT: Thank you. I appreciate that. I could see the tunnel and I could see the train's light coming through it. I think Mr. Sussman can, too. We'll see how he is at dodging it.
Take a recess and see you at 1:30. Thank you. If you have your witness available at that time, after direct, I'll decide how much cross-examination I'll permit Mr. Tintera to get involved in. Thank you.

(Luncheon recess.)

AFTERNOON SESSION
BEGINNING AT 1:35 P.M.
JULY 18, 1995

(Whereupon, the following proceedings were held in open court, the jury being present:)

THE COURT: Mr. Tintera, call your next witness.
MR. TINTERA: Herb Mayer.

HERB MAYER
called as a witness on behalf of the State, having been first duly sworn under oath, was examined and testified as follows:

THE CLERK: State your full name and spell it for the record, please.
THE WITNESS: Herb Mayer. M-a-y-e-r.

DIRECT EXAMINATION
BY MR. TINTERA:

Q Mr. Mayer, how are you employed?
A Yes.
Q And how is that?
A I'm employed at Intel, right around the corner, Hillsboro, Jones Farms.
Q What do you do for them?
A Right now I'm the quality assurance expert for a project called ITP. The goal is to raise the quality of our software.
Q And ITP is an abbreviation for what?
A In Target Probe, trademark name.
Q Is that with any particular division?
A Yes, it's with MD-6, Microprocessor Division 6.
Q How long have you worked for Intel?
A Nine years.
Q During that nine years, were you ever associated with the Supercomputer Division at Cornell Oaks?
A Yes, for half of that time.
Q And during your association, did you ever have occasion to contract the services of Randal Schwartz?
A Yes, I did.
Q Can you tell me what that project was for?
A Yes. This was the creation of a test automatron for SSD compilers. Compiler is a reasonably complex piece of software that has to be tested repeatedly and a test automatron does this testing automatically in lieu of a human being, saving time, avoiding error, therefore raising the quality of the product.
So Randal Schwartz had to create the test automatron or derive the test automatron from an older existing one and had to install it on a variety of machines, all of which were the hosts for our products.
Q And which machine did that involve, that contract?
A The most common one is a Sun 3 and Sun 4, Silicon Graphics, a mock 386 machine, DEC Microvaction, and those are all the machines that come to mind now.
There probably were one or two others and sometimes there is variations of the same machine I have in mind here, a Sun 4, perhaps on two different operating systems.
Q Do you recall if this involved a machine called Brillig, which was an SGI machine?
A Yes, I did.
Q And that was -- that was a machine that was used -- the Brillig machine was used for specialized testing in the Supercomputer Division; is that fair?
A Are you asking for what other purposes was the machine used? Is that what you're asking?
Q Well, it was a lab machine. It was not part of the everyday network of the Supercomputer Division?
A It was not a lab machine. A lab machine are the machines that I call my own machines. My machines were the lab machines and other machines were outside lab machines, and that is an outside lab machine being owned by a person who apparently didn't end up with any of the cool computers at the time, a Sun, so he ended up with the one and only SGI. But he wanted it and he needed it for purposes of what you alluded to earlier, special purpose testing. I believe it was testing for graphics software.
Q And the owner of that machine was Richard Greco?
A That's correct. He was not in my group.
Q So your contracts specifically were with two areas, developing the TA, test automatron and to install that?
A On the variety of machines. That implies also testing. In other words, when somebody producing the software says that the software is done, I want the person to produce evidence that it's done. That means exercise it, show the results and show that the results are equal to the expected ones.
Q Was this a long-term contract or short?
A In lay terminology it's ambiguous, but in my phrase that is a short one, duration of a very few months. I don't remember the exact duration, but it was on the order of two months, maybe shorter, but I'm vague there.
Q And was the project completed?
A Yes, it was.
Q And what happened after the completion? Do you remember if you had any conversation with Mr. Schwartz through -- either face-to-face or through e-mail about the completion?
A Ever since the project was complete, I never had any contact, e-mail or telephone, with Mr. Schwartz except for Sunday this week, he called me up and we had a private conversation.
Q My question was, once it was complete, did you have any conversation with Mr. Schwartz about completing the project?
A I'm pretty sure. My memory is not -- again, that was a fairly short contract and I had dozens of those every year, maybe a dozen over a couple years. I don't remember a particular meeting in which I formally, "And this is over and done," but I do remember that the project was completed and, therefore, there must have been a moment where I said, "Thanks for the work," pat on the shoulder, "Now go out, I have other work to do." A formal meeting or letter, no, never done that.
Q Can you give the jury some idea of the timeframe here?
A I cannot give a sure timeframe because I have no written records.
Q Was there a written contract?
A I'm pretty sure there was not.
MR. TINTERA: If we could mark this exhibit.
BY MR. TINTERA:
Q Had you requested permission to use Mr. Schwartz from anybody at Hawthorn Farms?
A Yes, I did.
Q And who was that?
A I think the name was Mr. Wilcox, Bob Wilcox. I never met the person personally. I did make calls to the Hawthorn Farms office to the person that I knew was the manager of Mr. Schwartz at the time and I asked permission, if it would be okay if I hired him for a limited time to do work for me for my department, and I got the okay.
Q If I could hand you State's Exhibit 20. Part of the contract involved Silicon Graphics or an SGI machine; is that correct?
A Part of the work that he did for me did, yes.
Q And does this State's Exhibit 20, which is an invoice from Mr. Schwartz, reference work on an SGI machine?
A It's unclear to see, but it's fairly -- I'm pretty sure this means SGI in two instances.
Q And the dates for that work?
A First quarter in 1993, it says here.
Q Can you read that date, February?
A One of them says February, about 25, 1993. Could be 23, 1993 as well. The other one I can't read, but since it's chronological, it must be the same timeframe. But I'm not sure whether that work was done for me.
Q Sure. And you don't have any paperwork that can help us with that?
A You're correct. I transferred at the end of the year into the new division MD-6, and all the paperwork that was considered old and dusty by me, I just tossed it.
Q If Mr. Schwartz's password were disabled, he could not have done your project; is that true?
A That's correct.
Q And did your project involve copying in any way of the Supercomputer Division password file?
A No.
Q Did it involve running Crack against the Supercomputer Division password file?
A No. That was not part of the job.
Q Do you know what a gateway program is?
A The name "gateway" says something to me, but I don't know what a gateway program would be. The gateway would be a switch from one to other computers.
Q Did this involve putting a switch from one to other computers on the Brillig machine?
A Are you asking did the work that I asked Mr. Schwartz to do?
Q Yes.
A Probably not. It's conceivable because all of these computers were in a way connected together through some network.
Q Let me rephrase that. Did the work that you contracted with Mr. Schwartz involve him creating a way to go through the firewall of the Intel Corporation into the Intel Corporation and back out?
A No, not at all.
Q And so none of the jobs that you asked him to do would authorize him to copy the Supercomputer Division password files; is that correct?
A You're correct. I would never authorize that. On the other hand, the password file itself is something publicly read and by anybody, so anybody can go in and say, "Let me look at the password file," because that's encoded information. And you can look at it until your heart's delight and you would never make sense of it much.
Q Is that something that came up when you and Mr. Schwartz talked last Sunday?
A No.
Q Did you authorize -- not what somebody else could do through other means, did you authorize him to copy the Supercomputer Division password file for the Intel Corporation?
A Not at all. It would be unrelated to the task.
Q Did you authorize him to run a Crack program against the Supercomputer Division password file of the Intel Corporation?
A Not at all. It would be unrelated, again, to the task.
Q And you wouldn't have authorized him to put a gate from outside the firewall into the Intel Corporation; is that true?
A The first thing I would have said is why, and if I had convincing reasons, which I doubt it would have come across, if I had convincing reasons then I would have said yes, but I would have also checked with my boss.
Q Right. And is that the normal procedure?
A Correct.
Q And --
A And that did not happen.
Q And that did not happen?
A That did not happen.
MR. TINTERA: Those are the only questions I have. Thank you.
THE COURT: Mr. Sussman.

CROSS-EXAMINATION
BY MR. SUSSMAN:

Q Mr. Mayer, had you had any -- had you worked with Mr. Schwartz or known of his work prior to the time that you contracted with him to do this project?
A Yes, I did. That's why I had the intent of hiring him.
Q And what was that prior contact? How did you know him?
A For a period of about a year, maybe two years, he was the Systems Administrator for the computers for a project called IWARP. I was part of the project and he was part of the project, too, by being the Systems Administrator, and I think at the time he was a contractor as well, but I'm not sure. My impression was he was not an Intel employee.
Q Were you then working in his group where he was a Systems Administrator?
A No. Those are separate groups.
Q