IN THE CIRCUIT COURT OF THE STATE OF OREGON
FOR THE COUNTY OF WASHINGTON

STATE OF OREGON, Plaintiff,
vs.
RANDAL LEE SCHWARTZ, Defendant.

No. C940322CR
Volume 8

TRANSCRIPT OF PROCEEDINGS

BE IT REMEMBERED THAT on the 18th day of July, 1995, the above-entitled matter came on for Hearing before the HONORABLE ALAN C. BONEBRAKE, a Circuit Court Judge.

APPEARANCES

Thomas J. Tintera
Washington County Deputy District Attorney
Representing the State of Oregon

Marc Sussman
Attorney at Law
Representing the Defendant

WITNESS INDEX

FOR THE STATE:          Direct  Cross  ReD  ReX
Dirk James Brandewie    4       31     46   51
John C. Gray            53      60     70
Clayton Kirkwood        73      78
Herb Mayer              87      96     108
Richard R. Cower        127     146    181  185

FOR THE DEFENDANT:
Patrick Reilly          110     123

EXHIBIT INDEX

FOR THE STATE:          Offered  Received
Exhibit No. 21          145      146
Exhibit No. 22          185      185

MORNING SESSION
BEGINNING AT 9:35 A.M.
JULY 18, 1995

(Whereupon, the following proceedings were held in open court, the jury being present:)

THE COURT: Mr. Tintera, you were still calling witnesses when we broke last week.
MR. TINTERA: Yes. We're ready to continue.
THE COURT: Call your next witness.
MR. TINTERA: Dirk Brandewie.

DIRK JAMES BRANDEWIE
called as a witness on behalf of the State, having been first duly sworn under oath, was examined and testified as follows:

THE CLERK: State your full name and spell it for the record, please.
THE WITNESS: Dirk Brandewie. Dirk James Brandewie. B-r-a-n-d-e-w-i-e. D-i-r-k.

DIRECT EXAMINATION
BY MR. TINTERA:

Q Morning, Mr. Brandewie.
A Morning.
Q Are you employed, sir?
A Yes.
Q And who do you work for?
A I work for Intel Corporation.
Q And how long have you been with that corporation?
A Slightly less than seven years.
Q And what do you do for them?
A I'm a network programmer. I develop software in a network research and development group.
Q And do you work for any particular division of Intel?
A I work for the Intel Architecture Laboratory.
Q And do employees abbreviate that or --
A IAL is the typical pronunciation.
Q Where is that division located?
A At the Jones Farm campus in Hillsboro, Oregon.
Q Do people at Intel give their computers names?
A Yes.
Q And all computers have numbers for names also; is that true?
A This is true, yes.
Q What are those called?
A They're called IP addresses, which stands for Internet Patrol, and it's called IP address.
Q So are you familiar with the Mink computer at Intel?
A Yes.
Q And how are you familiar with that?
A I was what is known as the Systems Administrator for that computer.
Q Are you still?
A Yes.
Q And as the Systems Administrator for that computer, what responsibilities did you have?
A My responsibilities were for creating user accounts, deleting user accounts, maintaining the security, maintaining the security of the computer, general maintenance to make, replacing any hardware that needed to be replaced, making sure that the computer was available.
Q When you say "creating user accounts" or "deleting user accounts," could you explain to the jury what you mean by that?
A Yes, I can. (Pause) I am --
Q Would you?
A I'm trying to get the right words. The computers have users. It's a person who is allowed to use the computer. And by creating an account, you make a spot on the computer where they can put their files. You put their name in a password file so that the computer can tell who is logging into it. When the user logs in, he has to say, "I'm whoever, I'm Dirk, and my password is this," so the computer can tell who is accessing it.
So create an account, you create their home directory where they will store their files and put them into the password database where the computer can authenticate who is accessing it.
Q So without that account, you would not, in theory, be able to access the computer?
A That's true.
Q You could if you were using someone else's password?
A Yes, you could.
Q You also indicated as Systems Administrator for the Mink computer, you had security duties.
A Yes.
Q What do you mean by that?
A Making sure that as -- people who are users, as they left the corporation, making sure that their account was deleted so they no longer had access to the computer. Making sure that files that didn't need to be readable by everyone on the computer where the permissions were set so no one other than the people who needed access had access. Making sure that the software running on the system wasn't allowing people in without using a password.
Q And could you tell the jury if the Mink computer had a specialized function within Intel?
A Yes. It was called an Internet gateway host, which means there is a small set of computers at Intel that are allowed to talk to the Internet, or at that time there was. It's changed a little since, but --
Q What time are we talking about, 1993?
A Yes, this is March of 1993. There was a small set of computers that were allowed to talk to the Internet. "Talking" means connecting to another computer. And Mink was one of the hosts that was allowed to do that and that was its specialized function was as an Internet host.
Q So if we give the jury an example of its use, could you do that in regards to being the Internet host?
A Yes. Let's say someone from inside of Intel wanted to talk to a computer at IBM, they knew the computer they wanted to talk to.
What they would do is log into Mink using their user name and password and then they would be presented with what is called a shell prompt, which is basically, if you are familiar with DOS, how it -- basically this is what's on the screen. Then they would use the command of "connect" to the machine at IBM, let's say, so they would use telnet, which basically says, "Connect this terminal to that machine or log in." There is a number of ways.
Anyway, they would first log into Mink and then connect to the outside world from Mink.
Q Let's assume they connect with the person at IBM, could that person at a later time use that, use the Mink computer to connect to the Intel person?
A No.
Q Why not?
A There is what's called a firewall router on our Internet connection between the Intel network and the Internet itself which rejects connections from outside of the corporation. Basically, it's the equivalent of a call center. It does caller ID on whoever is making the call in, and if it doesn't recognize who is making the call in, it throws the connection away, hangs up on them.
Q So if this person from IBM tried to do that, what type of response would they receive on their computer, do you know?
A They would get the connection refused.
Q Do you know if Randal Schwartz had an account on the Mink computer in March of 1993?
A Yes, he did.
Q And did you have any contact in regard to that particular account, Randal Schwartz, in that timeframe?
A Yes.
Q And could you tell the jury what that was about?
A One day as I was going through checking security of the box, just basically --
Q When you say "the box," what do you mean?
A The box. I'm sorry, I use "box," "Mink" and "computer" interchangeably, so I -- sorry.
I was going through and checking Mink security, checking to make sure there was enough space on the disks for people's files and basically doing systems maintenance when I noticed a process running. A process is just a program, and I noticed a program running that I didn't recognize and it was running under Mr. Schwartz's user ID. His name was Merlyn at the time. That was his user ID.
I wasn't familiar with what the process was, so I went and looked at the source file for the process that was running and spent a couple hours looking at it and figuring out what it was doing. And it was a port reflector, a process that will take -- accept connections from outside of Intel and forward those connections inside of Intel.
At that time, myself and Mark Morrissey, he had a log-in at the Oregon Graduate Institute, so we logged into a computer at the Oregon Graduate Institute and connected the port reflector to make sure that we knew what it was doing and if it behaved the way we expected.
Q Which was?
A You would get connected to -- you would receive a connection and it would sit there with a blank screen. But from looking at the source code of the script, we knew that you would give it a host IP number, which is the IP number that you wanted to connect to, and the port that you would connect to, the port on that host, and it would connect you to that host. And then after that, it's whatever was going across the connection.
Q So after that process, you were past the firewall of Intel?
A Yes.
Q You needed two steps of information to do that, didn't you? Isn't that what you said?
A You needed the IP address and the port number of the host that you want to connect to, yes.
Q So what did you do after you found this script and tested whether it allowed entry through the firewall?
A I called Mr. Schwartz's office and left him phone mail and said I'd like to talk to him. He didn't get back to me and I happened to be in the area so I stopped by his office to talk to him about the script, and I explained to him that connections from outside of Intel weren't allowed and he seemed surprised that this was happening, as if -- that it wasn't an intended effect. I thought it was a bug, some unintended programming error, so I asked him to put in checks into the script to reject connections from outside of Intel. And he did that and we tested them from OGI and I considered the matter closed.
Q So you asked him to modify the script in some way?
A Yes.
Q And the modification would accomplish what?
A It would reject connections from outside of Intel, outside of the single subnet at Intel.
Q So the person from IBM couldn't use that gate script to get into Intel?
A No.
Q And you called those what? You called those blocks?
A That's as appropriate a word as any.
Q You had a conversation with Mr. Schwartz about what Intel's policy was regarding this gate script at that time?
A I told him that connections from the outside world without being authenticated weren't allowed, yes.
Q Did he have any questions about that?
A Not the first time I talked to him, no.
Q Was that the end of the matter?
A No. Couple months later in July, I believe, I was going through the system again just doing general maintenance.
Q July '93?
A Yes. And I saw another process running that I didn't know. The name had changed, but it was running under Mr. Schwartz's user ID. So I went to look at that one just as a matter of course. It was the same script. The name had changed from "door" to "gate," but the checks to reject connections from outside of Intel had been removed.
At that point, I blocked Mr. Schwartz's account and went up to talk to -- and again went up to talk to him and told him that connections from outside of Intel weren't allowed. And he said that, well, that -- he told me that he was using the gate mail from O'Reilly Associates, and I said, "I'm sorry, I can't allow this. If you want to have a waiver signed from Intel security saying that you can do that, I don't have any problem with it."
Basically, my take on it was I didn't want to be fired because of allowing him to do something he shouldn't, and if he wanted to have a waiver signed, I didn't have any problem with it.
Q So you gave him the option of having someone in authority to approve this gate?
A Yes.
Q And did he follow up on that option?
A No. He said that if he couldn't use the script in its current form that it wasn't useful to him and he didn't need the account.
Q When you lock an account, what does that mean?
A Basically, I changed his password so that he couldn't get into -- he couldn't log into the computer from an outside computer.
Q Now, what changes -- you saw a different name in July of '93 for this script?
A Yes.
Q What other changes were there?
A The name had changed. The formatting of the logs had changed, but other than that --
Q What does that mean?
A The information that was written to the log files, instead of IP numbers, it was writing the box's name, the computer's name in the file instead of IP number. They were purely cosmetic. Functionality hadn't changed.
Q So the functionality when you saw this in July was what?
A The original function that I saw in the original door script, which was it would allow connection from anywhere to anywhere -- from anywhere outside of the Intelnet to anywhere inside the Intel network.
Q And the authorized use of the Mink machine at that time in July of '93 regarding the Internet was what?
A You could log into that computer and from there, you could connect to machines on the Internet.
Q And you'd have to log in from where?
A Inside of the Intel network.
Q So inside of the firewall?
A Yes.
Q And you could use the Mink computer to go outside of the firewall into the Internet?
A Yes.
Q But the person from IBM wasn't supposed to be able to go the other way?
A In fact, they should never be able to tell that the Mink existed, other than the name and its IP number existed.
Q Well, let me ask you this. The IP address or number, is that a secret within Intel?
A No.
Q Is that information available outside of the Intel firewall?
A Yes.
Q And how is that available, do you know?
A There is a number of ways. The general range of numbers that are available at Intel is published by the Network Information Center, one of the controlling bodies of the Internet. The specific names are published in what's called the Domain Name Service server, so basically you can say, "I have the name Mink, please tell me its numbers," because humans aren't good at remembering numbers but good at remembering names, so that's why they have the name look-up, and that's the way it's published. It's published by the Network Information Center and in the Domain Name Services.
Q But even if someone had that number, would not they need the port address to come in through the gate script that Mr. Schwartz had installed on the Mink computer?
A Yes, they would.
Q And tell me about the port address.
A Port address is an arbitrary number. You can look at the IP number as a street address and the port number as front door, back door, side door is more equivalent except there is 64,000 doors, so you would have to know which door you wanted to get into.
Q Well, for a person, that sounds like an insurmountable task.
A If you had to sit there and type it by hand 64,000 times, there are people that have that much tenacity, but you're right, as a human it's a formidable task.
Q What about for the computer, are there programs that can search ranges of IP addresses to see if there is a response?
A Yes.
Q And were they in existence in 1993?
A Yes. I didn't have physical possession of them, but I knew they existed.
Q So how would that -- could you tell the jury how that would work? If you know Intel's range of IP addresses, how could you use the program to find out how to get into Intel?
A Basically the first step would be, you have the range of addresses that you want to send and then you scan, then you know the range of port numbers you want to scan. So you tell the program to start at the first address and scan all its ports, go to the next address and scan all its ports and look for ports where you have connections.
And then after that, you know what ports are listed and which ports are available to accept connections. And then after that, you can try to find some way to make that process that's running on that port link on that port, do what you want it to do.
Q So is it like sending this -- this computer program sends out like sonar waves and then waits for a reception?
A That's an appropriate analogy, yes.
Q Once it gets that response back, what does that -- how does that help the person who is running this program?
A He knows that he got a connection. He probably doesn't have any other information other than that, but there are some well-known software programs that have bugs in them that have security holes so people go around and connect to those ports to find out if these people are running that version of software. There is what's known as a security hole, a hole present to exploit.
With this particular one, he would have gotten a connection and then, I don't know, I'm not the person sitting on the other end, but they would have known that they had a connection to some process and they could try to feed that process information and try to make it do something for them.
Q So the person, once they discovered this gate script, would their connection be rejected or not?
A No.
Q No what?
A I'm sorry. Their connection would not be rejected.
Q But they would be sitting there looking at a blank screen?
A That's true.
Q Is that significant at all?
A The fact that you got a connection on a non-well-known port number is significant because typically these are known as user processes that are on those port addresses. They are typically not well-managed, and they have bugs in them, security holes. And so if people like looking at those to look for -- people like looking at those to look for security holes.
Q After the screen is there, what would be the next step, do you know, for someone who wants to come in through that gate?
A Well, the way that you would get through the gate is by -- to type the IP address and the port number of the host inside of the Intel network you want to connect to, or any host on the Intelnet, or the Internet, for that matter.
Q And how would you know the right number to type?
A Through either you discovered it from looking up the name of the box that you wanted to talk to, let's say you saw a mail message from somebody, mail message would have the name of the machine on it. Somebody told you what the name of an interesting machine was or you just sifted through the Domain Name Services catalog of Intel machines and found a name that you thought was interesting.
Q Now, if there is mail going through this gate to Mr. Schwartz inside Intel, is there any way that anybody could kind of like watch the mail to see where it's going?
A Yes.
Q Does that help them identify the IP address and port number?
A The IP address and port number would be typed in. It's possible for people to watch the network and watch the information going across it and then they would have complete access, yes.
Q So kind of like intercepts the signature of the mail; is that fair?
A Well, it's not the mail. It's when they connect it to the gate script. If someone happened to be watching, they would have seen the IP address and the port number typed in. Basically, they would have the key and then anyone could use the key.
Q So a person could do that or use the program to probe this port?
A Probe the port and try to deduce what the function of the process on that port was.
Q And could that be set up in a program to just run permutations against the port until --
A Yes, it could.
Q Give me a timeframe. Sounds time-consuming.
A Seconds. To find the port would be seconds. To find the permutations of what the process was looking for, I have no idea. It depends on what information you're starting with. It's like, well, what do you start searching? You start searching IP numbers or what? I don't know.
Q We don't have enough variables pinned down to answer that?
A Right.
Q Handing you State's Exhibit 16, can you identify this exhibit?
A This is one version of the gate script that happened to be called Remote X at the time.
Q And which version is this, do you know?
A This is the third version that I saw, that I've seen.
Q Was this version running on the Mink computer, that you know of?
A I don't ever remember seeing this particular script running, no.
Q Let me hand you State's Exhibit 19. Can you identify State's Exhibit 19?
A Yes, this is the gate script.
Q Can you tell the jury which one this is?
A This is the third version of this script that I've seen. The first version was the first version I talked to Mr. Schwartz about which didn't have any checks to reject connection from the Intel network.
The second version that I saw of this script was the one with the checks to reject connections from outside the Intel network. And then this script, which had the checks removed again.
Q So 19 is the version that was running at what timeframe?
A In July of '93.
Q And what is 16?
A This is basically the same script with a slightly different function where once somebody connected to it, it would only connect to a box named Cage in Intel and it would only connect to port 6,000 on Cage.
Q So State's Exhibit 19 allows -- does not restrict which computer you can connect to, or does it?
A No, it doesn't.
Q But 16 does?
A 16 would make -- let me make sure before I say.
Yes, it would only connect to cage.intel.com. "Dot" is period and it's separated between the names.
Q And what type of security does that provide to the Intel Corporation?
A None.
Q Pardon me?
A None.
Q Why?
A Because it would connect to the X server on Cage and the X server would not present any challenge for password or authentication of who was connecting to it.
Q Well, did any of these scripts that you saw at any point in time present anyone who was trying to come into Intel with the request for a password?
A No.
Q You mentioned to the jury an X server that the Cage -- Cage is a name of a computer?
A Yes.
Q So we have got -- what is an X server?
A There is a program on UNIX operating systems called X Windows, which is a lot like Microsoft Windows, that you might be familiar with, except for instead of the display of whatever programs you're running having to show up on the same computer where it is running, the display of the programs can wind up on a remote computer, so I can run a process on this computer in Kansas and take the display of that X client and send it over here.
Q And that doesn't require a password to be entered to do that?
A No.
Q Are there any -- based on your experience in operating the Mink computer for Intel, are there any well-known port numbers in the Internet community that people -- that you are aware of?
A Most of the port numbers before -- below 1,024 are well-known or assigned. Above 10,024, the X server point is at 6,000, and there is some other ad hoc utilities that use high-numbered ports, yes.
Q Are there any particular ports that are traditionally used to accept mail?
A Yes, that's port 2525.
Q And is that fairly well known?
A Yes.
Q Which port was Mr. Schwartz using, if any, on the gate script?
A There was a couple different ones, but I remember one was like 3434. I don't remember specifically, but that one sticks in my mind, and there were a couple others.
Actually, I can look. This one was using port 6077 and this one received the port address from the command line. When the person started the program, they would tell the program what port to use.
Q Well, if the gate scripts aren't using the well-known mail scripts, why doesn't that provide some security to the Intel Corporation?
A It's what's known in the industry as security through obscurity, which means if I hide the fact that there is an open door, then no one will find it. It's the equivalent of closing your door and not locking it and depending on somebody to walk by and not open it.
Q Do you have a name for the process of watching mail to determine port addresses and IP addresses?
A Packet sniffing is one term that's used in the industry. Basically, you're sniffing a wire for interesting information. You're just watching all the information going across the wire and sifting through it later for interesting tidbits.
Q Well, on the Internet, can you give the jury an idea of how much information is going across the wire, as you put it?
A It's a huge number. Let's say at least hundreds of millions of mail messages a day.
Q How is a person going to be able to sit there and sift through all this stuff?
A A person couldn't. A computer is good at it. You can tell the computer, "I'm interested in looking at things from that computer," and it will only pull things off the wire that had to do with that computer, so it can sift out all the noise from all the other computers that are sending packets across the wire.
Q So you could give it a range of IP numbers to look at for those packets?
A Yes.
Q So if you knew the IP addresses, which are public knowledge for the Intel computers, you could give them those numbers?
A Yes.
Q And then you would be able to look at the address of the mail that was going across the wire?
A The address, the place where the mail was addressed to and all of the information going to and from that computer, not just mail.
Q And at that point in time, how many computers at Intel were engaged in this, from Intel through the firewall into the Internet process?
A Approximately nine.
Q And were there attempts to keep the identity of these nine computers within Intel?
A No.
Q Were they -- Was this a published group?
A It wasn't published, as these are Internet hosts, but there was no attempt on my part to hide the fact that it was an Internet host.
MR. SUSSMAN: I couldn't hear the last response.
THE WITNESS: I said there was no attempt on my part to hide the fact that it was an Internet host.
BY MR. TINTERA:
Q So if the person who was watching the mail identified these nine computers, then they could just watch the transactions between these computers for addresses?
A Yes.
Q And actually, that's not a person, that's a computer doing that?
A Yes.
Q If there is these programs and whatever out on the Internet, how can you possibly use this as a medium to conduct any business?
A That's one of the things that the industry is struggling with. You tightly control who gets into your network and what they can do when they get there. The basic policy that Intel had at the time was they trust their employees and if they are on the Intel network, they are going -- they didn't -- they are trusted.
If people are employees of Intel, there is less security on computers on the Intel network than the computers that are facing the Internet to keep the rest of the world out. Analogy was like, well, you trust your family to be in your home, but you lock the doors to keep the rest of the world out.
Q And, unfortunately, I was away from my desk. On State's Exhibit 16 and 19, could you identify 16 again, please?
A 16 is the Remote X program.
Q And was that one running on any of the Mink computers to your line?
A I don't ever remember seeing this one, no.
Q 19 is which?
A 19 is the gate script.
Q And that was running on the Mink computer?
A Yes.
Q And when was that?
A In July of 1993.
MR. TINTERA: Thank you. Those are the only questions I have. Defense attorney may have one or two.
MR. SUSSMAN: Before I start, I'd like to see the two exhibits.
THE COURT: You may.

CROSS-EXAMINATION
BY MR. SUSSMAN:

Q Mr. Brandewie, what's your assessment of Mr. Schwartz's skills with a computer, particularly with the UNIX system?
A He's very skilled.
Q You've identified the State's two exhibits as the gate programs. I'd like to show you what we have had marked for identification as Defendant's Exhibit 111. Would you take a look at that and tell me if you recognize it?
A This is a permutation of something that's calling itself gate.
Q Do you ever remember seeing that particular gate script?
A This exact one? I don't know, but something that has the equivalent functionality, yes.
Q What do you mean "something that has the equivalent functionality"?
A There is multiple ways to write a program to where the program acts the same from the outside but the insides are different.
Q Do you recognize this as the first gate script that you saw running when you went to Mr. Schwartz the first time?
A No. The first gate script was called "door," it wasn't called "gate," so this one is not it.
Q And your statement that this is not the first one is based on the fact that it was called "door"?
A And in the source code for that script, it created a door log.
Q This creates a door log?
A That creates gate log. The other one created a file called "door log."
Q In terms of the functioning, was there a difference between where it says "gate log" or "door log"?
A No.
Q So the difference is just the way it's named?
A Yes.
Q Otherwise, from your review of this now, is this the same as the first program which you called --
A May I see it again?
Q Certainly.
A I don't remember it looking for a secret word in the one that I saw, no.
Q You're saying you don't remember or --
A The original script that I saw didn't have the secret word. In this line here where it says, "Unless host remote source equals new socket and splitting out."
Q Make a note next to that where you are marking.
A Okay. Says it does not equal secret word and that -- no, I don't ever remember seeing that.
Q Was there a copy made or backup made of that first gate program?
A No. I didn't think it necessary at the time after I talked to Mr. Schwartz and he put in the checks to keep people from the Intel network out. I didn't think it was necessary.
Q In fact, the first time you spoke to him about that gate program, he gave you an explanation for the need for that and --
A He said he was using it to connect to O'Reilly & Associates to receive his mail that had been received at O'Reilly & Associates, yes.
Q And you thought that was a legitimate purpose?
A Yes, it is.
Q And his purpose -- when he made the changes and you talked with him the second time about the program, that had been changed?
A Yes.
Q Again, the purpose that he gave was so that he could read his e-mail from off-site?
A No. That isn't the purpose. He told -- that isn't the purpose for the first time. He was connecting to O'Reilly & Associates, which was allowed. Connecting from O'Reilly & Associates was not allowed, and that's what I had him put the checks in.
Q But he was doing that so he could read his e-mail?
A That's what he said, yes.
Q And your description of this X window where you said it allows a person who logs onto the computer to pull up on screen someplace else to a certain window, isn't that typically used to read messages that are on the machine?
A It's hard to say what's typical. That's one of the uses, yes.
Q Now, when you first approached Mr. Schwartz about the first gate program, I know you closed the door -- you called it the door, but just for consistency, we'll call it the first, second and third. Do you remember exactly what you said to Mr. Schwartz about the problem?
A The problem was that it wasn't --
Q The question I asked you, do you remember exactly what you told him?
A I could paraphrase myself, but the exact words, no, I didn't write them down.
9 Q Could you have told him something that 10 the gate program as it was written wasn't secure 11 enough? 12 A Yes, I did. 13 Q Now, after having this discussion with 14 Mr. Schwartz where you told him that this first 15 program wasn't secure enough, did he agree to make 16 the changes? 17 A Yes. 18 Q He made changes? 19 A Yes. 20 Q And you went back and looked at the 21 changes he made a couple days later? 22 A And tested them, yes. 23 Q And that appeared to be -- those changes 24 appeared to satisfy you; is that correct? 25 A Yes. 37 1 Q Now, on that first gate program that you 2 recall talking to Mr. Schwartz about, your concern 3 was that it had no log-in record, no record of who 4 logged in on that? 5 A The logging wasn't the issue. The issue 6 was that it was accepting connections from outside 7 of the corporation. 8 Q Did it have a log-in record? 9 A Yes. 10 Q So there was a way to keep track of who 11 tried to log into that connection from the outside? 12 A Didn't tell who did it, but told where 13 the connection was coming from. 14 Q It would identify the source of where the 15 log-in came from? 16 A It would identify the source computer 17 that was making the connection, yes. 18 Q I guess I wasn't precise enough. It does 19 identify the source computer on the log-in, the 20 time that the log-in was attempted? 21 A Yes. 22 Q And so when I said "who," you were 23 meaning the person? 24 A Right. That's the problem. We didn't 25 know who was doing that. 38 1 Q But you could identify the source? 2 A Yes, I did. 3 Q The where and the machine? 4 A Yes. 5 Q How many IP addresses were there for 6 Intel at this time? 7 A There were five Class B subnets. 8 Q What are subnets? 9 A A Class B subnet is 65,536 addresses. 10 It's the way they -- the way the addresses are 11 handed out on the Internet, they are Class A, B and 12 C subnets. "A" being a 16 million in a Class A; 13 65,000 in a Class B; and 255 in a Class C network. 14 And we had five Class B networks. 
15 Q And so the person who didn't have the 16 benefit of the knowledge of the gate script that 17 you and Mr. Morrissey had to identify the IP 18 address and the port number on gate one, who was 19 trying to break in from the outside -- 20 A Yes. 21 Q -- would then have, using one of these 22 programs that we're talking about, have to run this 23 first against each of the six, the random -- try to 24 randomly attack each of the 65,000 IP addresses on 25 each Class B network? 39 1 A Yes. 2 Q And then on each of those 65,000 IP 3 addresses, if it got it, it would have to test one 4 of the 64,000 port numbers? 5 A Yes. 6 Q And then if it got -- somehow managed to 7 get the right IP address of those 65,000 among five 8 times five and 65,000 times 64 got to the right 9 address and right port, they would then be 10 confronted with a blank screen? 11 A Yes. 12 Q And at that point, the outside person 13 would have to then make -- start guessing about 14 what to do next? 15 A Yes. 16 Q And I believe you said that there were 17 some software that would permit somebody then to 18 start guessing about commands to see if they could 19 get a response. 20 A No. What I said is there is software 21 that will go out and find the IP address and port 22 number. 23 Q But once you've got that blank screen -- 24 A Then it's left up to the creativity of 25 the person trying to break in as to what they try 40 1 to feed that process. 2 Q And if it somehow -- the person somehow 3 figured out what response to enter, then you're 4 saying that they would then need to do a program -- 5 to search another program to search for the some 6 kind of soft spots or vulnerable spots once it got 7 past that on the program it was running? 8 A I had no idea what they would do once 9 they got into the Intel network. 
10 Q Going back to the program that it would 11 probe, each of these tens of thousands of IP 12 addresses and tens of thousands of port numbers for 13 each address, wouldn't that create pretty high 14 extra demand on the Internet traffic coming into 15 Intel? 16 A It would create a demand. I don't know 17 what you mean by "extra high." 18 Q Well, wouldn't it create a noticeable 19 increase in the demand on the traffic coming into 20 Intel? 21 A I don't know how their monitoring is set 22 up. I don't know. 23 Q Now, on the -- You had mentioned that 24 on -- perhaps on the second -- with respect to the 25 second program, that it was possible for somebody 41 1 to watch the mail that Mr. Schwartz or somebody 2 inside sent out where -- the mail coming into the 3 address on those inbound connections and kind of 4 follow that into the IP address? 5 A What I said was it was possible to watch 6 the network and intercept the traffic on the 7 network, mail being one of the things that's on the 8 network. 9 Q Well, for a person to do that, you make 10 it sound like anybody sitting somewhere out in the 11 network could just kind of randomly look for the 12 mail. Wouldn't a person actually have to be on 13 that particular line, watching that particular line 14 to monitor what was happening? 15 A Right. Depending on where the mail was 16 going through, that line could go through hundreds 17 of different computers. 18 Q And were you aware of any time 19 Mr. Schwartz sent outbound e-mail through Mink? 20 A I never paid attention to outbound mail. 21 Q Now, you mentioned that there were like 22 nine computers in the network that were connected 23 to the Internet. 24 A That I was aware of, yes. 25 Q Those were where, Hawthorn Farms? 42 1 A Some are Hawthorn Farms, some at Jones 2 Farm, some at Cornell, some at the old IWARP group. 3 Spread throughout the corporation. 4 Q Those were nine not counting the SSD 5 computers that were -- 6 A Yes. 
I don't know how SSD network is 7 configured. 8 Q Was Mink not on the same network as the 9 SSD computers? 10 A True. 11 Q And so your response, the responsibility 12 that you had in the directions that you gave to 13 Mr. Schwartz, as far as how things needed to be 14 operated, dealt specifically with the computers in 15 your network? 16 A Dealt specifically with Mink. I didn't 17 have any administrative control over the rest of 18 the machines. 19 Q And as the System Administrator, it's 20 your responsibility to basically make sure things 21 are working properly, that the system is running 22 the way you feel it needs to be running? 23 A And it conforms to the policy as I 24 understand them, yes. 25 Q Were there uniform security policies in 43 1 effect at Intel at that time? 2 A Yes, but I don't remember what the 3 specific policy was at that time. 4 Q And were those policies distributed to 5 each employee at Intel? 6 A I don't remember. They were given to me. 7 I don't know if they were uniformly given to all 8 employees. 9 Q Do you know whether or not they were 10 given to each independent contractor at Intel? 11 A I don't know what they do with 12 independent contractors. 13 Q Now, I believe you testified that the 14 only reason to have an account on Mink for somebody 15 inside -- within Intel would be to have access to 16 the Internet. 17 A Yes. That was its intended purpose. 18 Q And the gate program that you saw 19 Mr. Schwartz running allowed Mr. Schwartz to have 20 access to the Intel computers that he was working 21 at from outside? 22 A Yes, it did. 
23 Q And so that when Randal Schwartz, if he 24 was -- if when Randal Schwartz was outside of Intel 25 and used that program to connect to a machine 44 1 inside of Intel, it would allow him only that 2 access that he could have when he was sitting at 3 his own computer inside the -- 4 A He would have the same access except 5 there would be no name attached to the log and 6 there would be no -- people wouldn't see him there. 7 They wouldn't see him working there and they 8 wouldn't see what he was doing. 9 Q You remember having a discussion with 10 Mr. Agrue and Mr. Olstadt sitting in the courtroom 11 who has been assisting me on the case? 12 A Yes. 13 Q And you recall telling Mr. Agrue that 14 when Randal was using the gate program from the 15 outside, it would not allow him access from 16 anything outside that he couldn't do when he was 17 sitting inside? 18 A That's true. I said that. 19 Q And anybody -- you're saying that 20 anybody -- that in the process that Mr. Schwartz 21 did, that would be visible through Mink? 22 A What do you mean by "visible"? 23 Q Let me clarify the question. 24 Your previous comment was if the 25 outside connection was coming, you wouldn't see the 45 1 outside source it was coming from, as I understood 2 your testimony. 3 A Well, maybe. I think you misunderstood. 4 The fact that a connection was made to that script 5 was logged. The who was using it, who was making 6 that connection was not. 7 Q And it would show that it was coming, 8 that a log into Mink was occurring? 9 A Yes. 10 Q And when you went back and talked to 11 Mr. Schwartz the second time about the fact that 12 the changes that you observed several months later 13 were not acceptable, Mr. Schwartz told you that -- 14 to cancel his account because if he couldn't get 15 access to his e-mail from when he was outside, the 16 account was no use to him? 
17 A We had a discussion as to what would be 18 acceptable for him to do and if he wanted to run 19 the script in his -- 20 Q My question to you was, Mr. Schwartz told 21 you that if that -- if he wasn't permitted that 22 access from the outside to read his e-mail, then he 23 did not need the account on Mink? 24 A That's not what he said. He said, "If I 25 can't do this, then the account is useless to me." 46 1 Q And so he asked you to -- so he basically 2 said, "Cancel the account"? 3 A Basically. I said, "Fine, I'll remove 4 it." 5 Q Couple more questions. Prior to that 6 first discussion after you noticed the first 7 program running, you had not had any discussions 8 with Mr. Schwartz about whether that process that 9 you found the first time was not allowed; is that 10 right? 11 A He never asked. 12 Q You never had a discussion like that with 13 him? 14 A No. 15 Q And at the end then when Mr. Schwartz -- 16 the last discussion when Mr. Schwartz said, "I have 17 no further need for the account," you said, "Fine," 18 it wouldn't be exactly accurate then to say that he 19 was kicked off Mink. That was a mutual decision to 20 terminate the account, wasn't it? 21 A The decision was his to not go forward 22 with getting a security waiver for that program, 23 and at that point, I told him either he can get a 24 security waiver or he no longer would have an 25 account. 47 1 Q He told you he didn't need the account 2 anymore, so it was a mutual decision; is that 3 right? 4 A Okay. 5 Q There was no disciplinary action taken 6 against Mr. Schwartz on this second -- 7 A No. 8 Q His contract wasn't terminated? 9 A I don't know. 10 MR. SUSSMAN: Nothing further. 11 THE COURT: Mr. Tintera. 12 13 REDIRECT EXAMINATION 14 BY MR. TINTERA: 15 Q You were asked about any conversation 16 before you found the first, what you have described 17 as the door program in March of 1993 -- 18 A Yes. 19 Q -- with Mr. Schwartz. Did Mr. 
Schwartz 20 seek your authorization to install that script on 21 the Mink computer? 22 A No. 23 Q Did that script alter the Mink computer 24 in the way that it worked? 25 A Yes. 48 1 Q Did it alter the network it was attached 2 to? 3 A Yes. 4 Q And it's your recollection that it was 5 important to Mr. Schwartz to have the two-way 6 connection on this gate script? 7 A The second time I spoke to him, yes. 8 Q And that if he couldn't have that two-way 9 connection here, then the account was useless to 10 him? 11 A Yes. 12 Q Now, you said if someone was using this 13 gate script, that the Mink computer had a log or a 14 file that would show that was being used; is that 15 correct? 16 A The script created that log, yes. 17 Q But it wouldn't show who was using it? 18 A That's true. 19 Q So it would show an entry into the Intel 20 network, but that was -- what else would it show? 21 A That's it. It would show the time that 22 the entry occurred. 23 Q Would it show what -- the user who had 24 gone through there, their identity? 25 A No. 49 1 Q Would it show where they went? 2 A It would show the first -- it would show 3 the computer that they connected to after Mink in 4 the Intel network, yes. 5 Q And would it show what they were doing on 6 the computer that they connected to? 7 A No. 8 Q Would it show if any information was 9 being copied? 10 A No. 11 Q Would it show if any information was 12 being exported from the computer outside of the 13 firewall at Intel? 14 A No. 15 Q So it would just show that the door was 16 open? 17 A Yes. 18 Q Not what was going through it? 19 A True story. 20 Q On any -- Did the script that you saw in 21 July of 1993, did you authorize Mr. Schwartz to put 22 that script in? 23 A No. 24 Q Did that also alter the Mink computer -- 25 A Yes. 50 1 Q -- in the network it was attached to? 2 A Yes. 3 Q You were asked a lot about the 65,000 IP 4 addresses times 5 and the 64,000 port addresses 5 times 64. 
Those numbers appear to be an 6 insurmountable obstacle to gain access to Intel. 7 Why weren't you concerned at all? 8 A Because computers never sleep and it 9 would take on the order of a few seconds to scan 10 all the ports on each of the IP addresses. And 11 computers can work 24 hours a day. It's just a 12 matter of telling them to go do it and then come 13 back and look for the answer. 14 Q Do you remember what the log entry showed 15 on the gate script? 16 A I remember some of the entries that I 17 saw, yes. 18 Q What were they? 19 A They showed connections from a box named 20 ruby.ora.com, which is a computer named Ruby at the 21 network that O'Reilly & Associates -- which is a 22 publishing company -- owns. And I don't remember 23 the exact name, but there was another connection 24 from a computer in pyramid.com, which is the 25 network owned by Pyramid Corporation. 51 1 Q Do you still have Defendant's Exhibit 2 111? 3 A No. 4 MR. TINTERA: Do you have 5 Defendant's Exhibit 111? 6 MR. SUSSMAN: Yes. 7 BY MR. TINTERA: 8 Q Refresh me on Defendant's Exhibit 111. 9 Do you recall if that was any of the scripts that 10 you saw on the Mink computer in this timeframe in 11 1993 or associated with the defendant at all? 12 A This appears to be the first version of 13 the gate script that I saw, but the only thing I 14 don't remember is this -- where it's looking for a 15 secret word here where I marked with the red X. 16 Q What significance is the secret word 17 here? 18 A It would make it slightly harder for the 19 person outside of Intel to guess what the right 20 string -- the right set of characters to give to 21 the script to gain access would be. 22 Q If that had existed on that original gate 23 program in March of '93, would you still have 24 contacted Mr. Schwartz about it? 25 A The secret word in itself would not have 52 1 been enough. 
If the system password file would 2 have been used which the Perl scripting language 3 has access to, then I would have given it close 4 scrutiny and tested it, but it would have been all 5 right. 6 MR. TINTERA: Those are the only 7 questions I have. 8 THE COURT: Mr. Sussman. 9 10 RECROSS-EXAMINATION 11 BY MR. SUSSMAN: 12 Q You mentioned that it would only take a 13 few seconds to scan all the IP addresses in the 14 ports. 15 A No. I say it would take a few seconds 16 per IP address. 17 Q And a few seconds per port? 18 A No. Port would be almost instantaneous. 19 Q So it would be less than a second -- 20 A Yes. 21 Q -- per port. Once the program like that 22 sends a signal to the IP address, is there any 23 additional lag time in terms of the sending of the 24 testing command to the IP address and the response? 25 A Yes, there is a latency from the time the 53 1 connection request is made to the time there is an 2 answer in the disk and computer, but you can send 3 multiple connect requests at the same time, so you 4 basically can have zero latency. 5 MR. SUSSMAN: I have nothing 6 further. 7 THE COURT: Mr. Tintera? 8 MR. TINTERA: No other questions. 9 THE COURT: Thank you. You may step 10 down. 11 Let's take a break here. Remove the 12 jury. We'll take a short break. 13 (Recess.) 14 THE COURT: Mr. Tintera, call your 15 next witness. 16 MR. TINTERA: John Gray. 17 18 JOHN C. GRAY 19 called as a witness on behalf of the State, having 20 been first duly sworn under oath, was examined and 21 testified as follows: 22 23 THE CLERK: State your full name and 24 spell it for the record, please. 25 THE WITNESS: John C. Gray. 54 1 G-r-a-y. 2 DIRECT EXAMINATION 3 BY MR. TINTERA: 4 Q Mr. Gray, how are you employed? 5 A I work for Intel Corporation. 6 Q And do you have a particular division 7 where you work? 8 A I work at Hawthorn Farms and Jones Farm 9 campuses that encapsulates multiple phases, several 10 divisions. 11 Q And what are your current 12 responsibilities? 
13 A Operations management for Information 14 Technology. 15 Q Operations management for what? 16 A Information Technology. Computers, 17 networks. 18 Q And is that particular responsibility -- 19 there is a lot of letter abbreviations that I've 20 run into at Intel. Does this one have one? 21 A IT. 22 Q And was there a period of time when you 23 were associated with the Supercomputer Division of 24 the Intel Corporation? 25 A Yes. 55 1 Q And when was that, if you know? 2 A That would have been January of 1992 3 through about November of 1993. 4 Q And what was your function at the 5 Supercomputer Division? 6 A I managed Information Technology, IT. 7 Q So you managed IT over there, Information 8 Technology? 9 A Yes. 10 Q What were you trying to accomplish at the 11 Supercomputer Division in that timeframe? 12 A Prior to the formation of IT group, 13 computer services were scattered across the 14 division and individuals here and there scattered 15 around the business. So the job was to consolidate 16 all of the support resource into one organization, 17 kind of bring it into the corporate fold in terms 18 of Information Technology, support services and 19 standards. 20 Q Did any of this -- any of your function 21 there involve security? 22 A Computer security, sure. 23 Q And what was that? 24 A Basically the Information Technology 25 Group was responsible for information security 56 1 within SSD. 2 Q So from the period of January of '92 to 3 November of 1993, did you have people designated as 4 your security person? 5 A Yes. 6 Q And was there more than one? 7 A Yes. There were a succession of people. 8 Q And during that time period, who were 9 they? 10 A Would have been Lou Poehlitz initially, 11 followed by John Kent. 12 Q And do you know who selected those people 13 for those security positions? 14 A I did. 15 Q And do you know Randal Schwartz? 16 A Sure. Yes. 17 Q Do you see him here? 18 A Yes. 19 Q Could you point him out, please? 20 A Sure. 
That's Randal right there. 21 Q What security position did you select 22 Randal Schwartz for? 23 A None. 24 Q Was he working for SSD during this 25 timeframe? 57 1 A Yes. 2 Q What was his assignment, if you know? 3 A Randal had worked for the IWARP group in 4 a Systems Administration capacity in the UNIX 5 computing environment. 6 Q What was his position there? 7 A Randal's job was Systems Administrator 8 for the IWARP group, the job he had before I 9 arrived there and that he continued with after I 10 took the position. 11 Q And did he continue up until the end of 12 his tenure with the Supercomputer Division? 13 A Yes. 14 Q Can you explain to the jury, if you know, 15 when Mr. Schwartz left the Supercomputer Division? 16 A My recollection is that it was early in 17 1993, January or February timeframe. 18 Q And could you explain to the jury the 19 circumstances of him leaving? 20 A Yeah. We were attempting to consolidate 21 what was IWARP into the rest of SSD at the time. 22 We were in the process of consolidating systems, of 23 beefing up security and of the environment 24 generally at SSD. 25 One of the areas that we were 58 1 working in was the e-mail area and there were some 2 fundamental disagreements between Randal and Lou on 3 the approach to -- how to architect the mail 4 environment there, a distributive versus 5 centralized kind of approach. 6 Q Distributive versus centralized? 7 A Uh-huh. And Randal on the distributive 8 side of the argument and Lou and really the rest of 9 the IT group there on the centralized side of the 10 argument. And basically there was strong enough 11 disagreement about the whole issue that I 12 determined not to renew Randal's contract. 13 Randal was unhappy about the 14 situation, too, and decided to leave, so it was 15 kind of a mutual parting of the ways. That's the 16 way I remember it. 
17 Q Now, when someone leaves the 18 Supercomputer Division, are there any trails or 19 things that are necessary to do when that happens, 20 when the contract is at an end and the person 21 ceases to work for the Supercomputer Division? 22 A Sure, you delete or disable account 23 access. 24 Q What does that mean? Translate that for 25 the jury. 59 1 A That means the individual can no longer 2 access the computers at the business; basically 3 blocks computer access. 4 Q And do you know who gave the instructions 5 for Mr. Schwartz's accounts to be disabled? 6 A Yeah, I did. 7 Q And who did you tell that to? 8 A That would have been John Kent. 9 Q Now, you were in the position of 10 responsibility to give that type of order? 11 A Uh-huh. 12 Q And that order -- What computers on the 13 Supercomputer Division did that order not apply to? 14 A The intent was it would apply to all 15 computers, certainly. 16 Q Are you familiar with the Brillig 17 computer? 18 A Not specifically. 19 Q You don't know if that was part of the 20 Supercomputer Division or not? 21 A The name is familiar. I'm sure it was 22 part of the division. 23 Q So your order would include that? 24 A Sure. It would include all computers in 25 the division. 60 1 Q While you were working for the 2 Supercomputer Division, did you -- that continue 3 until November of 1993? 4 A Right. 5 Q Did you, at any point in time, authorize 6 Randal Schwartz to copy the Supercomputer Division 7 password file? 8 A No. 9 Q Did you authorize Randal Schwartz to run 10 a Crack program against the Supercomputer password 11 file? 12 A No. 13 Q Did Mr. Schwartz ever come to you with 14 any type -- while he was working there or 15 afterwards, with any type of security concerns with 16 the Supercomputer Division? 17 A No. 18 Q Did he ever come to you after with 19 passwords that had been cracked at any point in 20 time during his tenure? 21 A No. 22 Q Do you know what a gateway program is? 23 A Yes. 
24 Q Did you authorize Randal Schwartz to 25 install a gate script or gateway on the Brillig 61 1 computer? 2 A No, not specifically. 3 Q Who was responsible for the security of 4 the Supercomputer Division password file in 1993? 5 A It would have been Lou Poehlitz, 6 succeeded by John Kent. 7 Q Did that responsibility extend beyond the 8 Supercomputer Division to other Systems 9 Administrators? 10 A No. 11 MR. TINTERA: Thank you. I don't 12 have any other questions. 13 THE COURT: Mr. Sussman. 14 MR. SUSSMAN: Thank you, Your Honor. 15 16 CROSS-EXAMINATION 17 BY MR. SUSSMAN: 18 Q Mr. Gray, you said you're now operations 19 manager for IT at both Hawthorn Farms and Jones 20 Farm. 21 A Yes. 22 Q How far apart are they? 23 A Two miles, probably. 24 Q Do you have to go back and forth or -- 25 A Yes, I go back and forth. 62 1 Q Now, you mentioned that you -- that 2 Mr. Schwartz left SSD and you thought it was in the 3 spring of 1993. Are you certain about that date? 4 A No, I'm not certain about the dates. 5 Q Is it more likely it was the spring of 6 1992? 7 A Could have been. I really don't remember 8 the dates specifically. I know that I started in 9 January of 1992, December, January kind of 10 timeframe. We really didn't concentrate on the 11 IWARP consolidation until later that year. That 12 wouldn't have happened, so it wouldn't have been 13 January or February of 1992, I don't believe. 14 Q Now, after that time in which 15 Mr. Schwartz and you had the mutual agreement that 16 the contract would end -- 17 A Uh-huh. 18 Q -- and did Mr. Schwartz -- did 19 Mr. Schwartz do some contract work at SSD later in 20 the year? 21 A I, at the time, was not aware of any 22 other contract work that Randal was doing. 23 Q At the time? 24 A No. 25 Q Now, at the time that Mr. Schwartz was 63 1 working for you at SSD, you mentioned that there 2 was -- that you were trying to bring all these 3 disparate groups together. 4 A Uh-huh. 
5 Q Could you describe what the atmosphere 6 was like at SSD and -- 7 A I think you described it pretty well. It 8 was a disparate group of individuals. 9 Q I probably used a word I shouldn't have. 10 What do we mean by that? 11 A Individuals not working together, but 12 working independently and in various aspects of the 13 computing environment, so there was no 14 consolidated, coordinated effort to get the whole 15 environment under control or managed in some 16 consistent fashion. 17 Q So were often different kinds of 18 approaches or procedures that were used in each of 19 these different groups? 20 A Certainly. 21 Q And one of the things that sounds like 22 you were then trying to work on was trying to bring 23 some cohesion or some centralization to all of 24 this. 25 A Right. 64 1 Q And so there was no unified company-wide 2 security policy in effect? 3 A No, that's not true. There has always 4 been, as long as I've been at Intel, a security 5 policy and it's well-known and generally 6 well-communicated, although at SSD, it was probably 7 less well-communicated than most other divisions of 8 the company. 9 Q So referring now to some notes of the 10 conversation that you had with Mr. Agrue and 11 Mr. Olstadt last month, and so the comment here 12 that there were no company-wide security 13 policies -- 14 A That's clearly a misunderstanding. 15 Q And if there were, they hadn't been 16 communicated to SSD? 17 A They probably were poorly communicated to 18 SSD until that point. 19 Q And that was in part because SSD 20 previously had not been as closely connected to the 21 rest of Intel? 22 A That's right. 23 Q Was it your understanding of Intel policy 24 that independent contractors were not supposed to 25 be Systems Administrators? 65 1 A That's true. Generally Intel does not 2 like -- and there is a policy that states it -- 3 contractors to perform Systems Administration 4 duties that involve security aspects of the 5 environment, for obvious reasons. 
6 Q Wasn't that policy routinely broken 7 because of manpower situations? 8 A It still is. Unfortunately, because of 9 manpower constraints, we still have a lot of 10 contractors doing that kind of work for Intel that 11 really shouldn't be. 12 Q And Mr. Schwartz had been doing that kind 13 of work for Intel at the time that you came on to 14 SSD? 15 A Yes, that's true. 16 Q And for that, your understanding of that 17 policy and your review of that policy then was such 18 that you would not have wanted to hand 19 responsibility for security to an independent 20 contractor? 21 A That's right. 22 Q Because you saw that as a fundamental 23 violation of company policy? 24 A Right. 25 Q There is also a policy if a person leaves 66 1 a division or one of the sections of Intel because 2 of a security incident, they are not supposed to be 3 hired back? 4 A That's true. 5 Q How would you describe Mr. Schwartz's 6 skills, his abilities? 7 A I'd say he's a very highly skilled 8 individual in computers network. 9 Q In fact, you referred to him as a UNIX 10 jock? 11 A Sure. 12 Q What does that mean? 13 A That means what I said. Someone that's 14 very highly skilled in UNIX, in environment, and 15 UNIX is a particularly complex computing 16 environment. 17 Q A couple questions about this 18 philosophical difference that led to Randal leaving 19 SSD at that time. You talked about it in terms of 20 centralized versus decentralized. 21 A Yes. 22 Q Would it be accurate to say distribution 23 of e-mail around SSD was very important for 24 communication for keeping up on work? 25 A I'd use a different term. Access to 67 1 e-mail at SSD was very important. Distribution of 2 e-mail is a means of accomplishing that objective 3 and only one means. 4 Q And there was some problems with the 5 distribution of the e-mail that arose and some 6 changes were made? 7 A Yeah. There were fairly routine problems 8 with e-mail. 
9 Q And when you talk about decentralized 10 system that Randal Schwartz was a proponent of, was 11 that a system based on the Domain Name Server? 12 A Yes. 13 Q And that, in fact, is the direction Intel 14 has gone subsequently, isn't it? 15 A Yes. 16 Q Including SSD? 17 A Yeah. It's a much more mature policy 18 today than it was several years ago. 19 Q Now, when Mr. Schwartz -- When you made 20 the decision not to renew his contract, you said it 21 was a mutual decision. Did you specifically 22 communicate to him that the contract was terminated 23 or not to be renewed? 24 A I don't remember. I don't remember a 25 specific conversation, although Randal and I talked 68 1 fairly regularly, but I don't remember a specific 2 conversation about that. 3 Q Do you remember Randal communicating by 4 e-mail or some other announcement that -- 5 A I do remember an e-mail that Randal sent. 6 Q That he, in fact, felt his services were 7 no longer required? 8 A I do remember that e-mail. 9 Q And that was the last that he worked 10 there under that contract? 11 A Right. 12 Q Now, when you arrived there, was Randal 13 Schwartz considered an expert in security? 14 A I wouldn't know. I certainly wouldn't 15 have considered him an expert in security. As I 16 said before, Randal is a very highly skilled 17 individual in the computing environment and the 18 UNIX environment specifically, and that would 19 include security expert, which is something else 20 again. 21 Q Again referring to notes from the earlier 22 conversation that you had with Mr. Agrue, and there 23 was no note that said Randal was considered an 24 expert in security, and then he says you mentioned 25 that -- goes on to discuss that he's highly 69 1 distributive in e-mail form where the industry was 2 headed, and that was the end. So was that not then 3 an accurate or -- 4 A That's a misinterpretation of what was 5 said.
I'm sure I wouldn't have called Randal an 6 expert in UNIX security, although certainly he's 7 very knowledgeable in UNIX security. 8 Q In fact, security was something that you 9 were particularly concerned about? 10 A Sure. 11 Q When you came into SSD and you put in 12 extra security measures during the time and after 13 Mr. Schwartz left -- 14 A Yes. 15 Q -- and one of the things that concerned 16 you was security leaks? 17 A Security leak? 18 Q Well, for instance, at the SSD before you 19 got there they had been subjected to being broken 20 into by some hackers from Germany; is that right? 21 A Yeah, there were a number of attempts at 22 illegal break-ins at SSD. 23 Q And in fact, there had been access made 24 by some outside hackers from Germany? 25 A Yes, that's right. 70 1 Q And that was through Intel's phone modem, 2 wasn't it? 3 A That was one means of access, right. 4 Q And Mr. Poehlitz was your security person 5 at the time? 6 A Uh-huh. 7 Q And so as a result of these incidents, 8 you were concerned about improving security? 9 A Absolutely. 10 Q One last question. Mr. Schwartz was the 11 Systems Administrator at IWARP when you got there? 12 A Right. 13 Q Were you aware that Mr. Schwartz had a 14 practice of running Crack, the program called Crack 15 to test the security of the passwords at IWARP 16 while he was a Systems Administrator? 17 A No, I wasn't. 18 MR. SUSSMAN: Thank you. I have 19 nothing further. 20 THE COURT: Redirect? 21 22 23 24 25 71 1 REDIRECT EXAMINATION 2 BY MR. TINTERA: 3 Q Mr. Gray, what counsel has referred to as 4 the German hacker, are you aware that the access to 5 the Intel Corporation and SSD here in Washington 6 County was gained through the Internet? 7 A Yes. 8 Q I mean, that's the way that person made 9 it from Germany over this way, right? 10 A There was Internet access and also modem 11 access, both. 12 Q So, of course, your security concerns 13 were with people coming from the Internet through 14 the Intel firewall? 
15 A Certainly. 16 Q You've been referenced to a conversation 17 that you had with the defense investigator, 18 Mr. Agrue. I showed you the report that was 19 generated from that conversation; is that correct? 20 A Yes. 21 Q Did Mr. Agrue go over the report that he 22 generated with you to have you check it for 23 accuracy? 24 A No. 25 Q Pardon me? 72 1 A No. 2 Q After Mr. Schwartz's contract was closed 3 off from SSD, are you aware of any authorization 4 for him to continue work in SSD? 5 A No, I wasn't. 6 Q Would that have come with your approval? 7 A I wouldn't have given approval for it had 8 I been asked. Obviously, I wasn't asked, though. 9 Q Why is that? 10 A That's a good question. I don't know the 11 answer to that. 12 Q Why would you not have given approval to 13 rehire Mr. Schwartz? 14 MR. SUSSMAN: Your Honor, I object. 15 This is beyond what was covered on 16 cross-examination and I don't think it's proper 17 redirect. 18 MR. TINTERA: No, Judge, he brought 19 this up as to whether there was authorization. 20 He's brought up his work habits. I think we're 21 entitled to go into that at this point. 22 THE COURT: I'm sustaining the 23 objection to that. I think that's beyond the 24 scope, at least that specific question, why he 25 would not have rehired him. 73 1 Let me rephrase that. The witness 2 is not permitted to answer the question. The 3 question you asked was whether or not he would have 4 rehired him. There was an objection. There was no 5 answer. I will not permit the witness to answer 6 that question, whether or not he would or would not 7 have rehired. 8 I'm sorry. I'm going to change that 9 again. He did answer that question, but you asked 10 why he would not have. I think I was correct to 11 begin with. I sustained the objection to that 12 question, the specifics of why he would not. 13 Go ahead. 14 MR. TINTERA: Are you sure? 15 THE COURT: I'm sure. Wait a minute 16 and I'll change it again. 17 MR. TINTERA: Thank you. 
I don't 18 have any other questions. 19 MR. SUSSMAN: Nothing further. 20 THE COURT: Thank you. You may step 21 down. I'm sure of that. 22 Any need for him to remain? 23 MR. SUSSMAN: No. 24 THE COURT: Thank you. You're free 25 to go. Thank you for being here. 74 1 Call your next witness. 2 MR. TINTERA: Clayton Kirkwood. 3 4 CLAYTON KIRKWOOD 5 called as a witness on behalf of the State, having 6 been first duly sworn under oath, was examined and 7 testified as follows: 8 9 THE CLERK: State your full name and 10 spell it for the record, please. 11 THE WITNESS: Clayton Kirkwood. 12 K-i-r-k-w-o-o-d. 13 14 DIRECT EXAMINATION 15 BY MR. TINTERA: 16 Q How are you employed, Mr. Kirkwood? 17 A Employed by Intel Corporation. 18 Q And what do you do for Intel now? 19 A Currently, I'm a project manager for 20 several projects. 21 Q And back in 1992, 1993, did you have an 22 occasion to hire Randal Schwartz? 23 A Yes. 24 Q And what specific reason did you hire 25 Mr. Schwartz? 75 1 A I hired him to design and develop a 2 capability for Domain Name Services. 3 Q Could you give us any idea of what a 4 Domain Name Service does? 5 A Sure. In this particular environment 6 there are quite a few computers and users that want 7 to connect from one machine to another. People 8 remember names better than numbers, so you think of 9 the machine that you want to connect to by its 10 name, but you don't -- the computers underneath 11 communicate via numbers. 12 Q Those are called IP addresses? 13 A IP addresses, yes. To translate from a 14 host name into an IP address, you either have a 15 host file, which contains this mapping of addresses 16 to names, or you can go to a machine, a Domain Name 17 Server machine, and it will provide that look-up 18 capability for you. So machine A communicates with 19 the server and says, "Give me the address for this 20 name." Server responds back. 21 Q Now, did that -- Did Mr. 
Schwartz's 22 responsibility involve all the Domain Name Service 23 for all of Intel Corporation? 24 A He had access to all of them that we had 25 in our control. I was responsible for the servers 76 1 themselves, though, and the project. 2 Q And does this system go through the 3 Supercomputer Division? 4 A It doesn't go through it. It may support 5 it at the time. May have supported those systems 6 in the Supercomputer Division. 7 Q Does the Domain Name Server have its own 8 password file? 9 A Yes, has its own password file. Each 10 system which we had at the time, maybe 15 11 corporate-wide around the world, 15 to 20, each of 12 them has a port file to allow certain people access 13 to the machines. 14 Q That password file is kept independent of 15 the other Intel divisions? 16 A Yes. They are specific to the machine 17 itself and each password file on the 15 to 20 DNS 18 server corporate-wide were totally different and 19 had nothing to do with any other machines, the 20 password files. 21 Q So they had nothing to do with the 22 Supercomputer Division? 23 A Not directly. Again, if there were 24 clients in the Supercomputer Division that needed 25 to look up an address, given a name, or a name 77 1 given an address, potentially that look-up could 2 have been done on one of the servers that I was 3 responsible for. 4 Q The Supercomputer Division password file 5 would not be maintained under the Domain Name 6 Server? 7 A Correct. 8 Q What was Mr. Schwartz supposed to do, if 9 you could tell us in layman's terms? 10 A He designed and coded up a program to 11 take the host files and create a database of 12 information that could be loaded into the server 13 itself. 14 Q A fairly specific function? 15 A Very specific function. 16 Q And do you know the period of this 17 contract? 18 A It was roughly December of -- I think it 19 was '91 through November of '93. I believe it was 20 that timeframe.
21 Q And did his responsibilities involve a 22 system administration of the Domain Name Server? 23 A He was involved with various aspects of 24 Systems Administration. It was not his sole 25 function. 78 1 Q Do you know or did you give Mr. Schwartz 2 authority to copy the password file for the 3 Supercomputer Division of the Intel Corporation? 4 A No. 5 Q And did you give Mr. Schwartz authority 6 to run a Crack program against the password file 7 for the Supercomputer Division of the Intel 8 Corporation? 9 A No. 10 Q Did you authorize Mr. Schwartz to install 11 a gateway program that would circumvent the 12 firewall of the Intel Corporation? 13 A No. 14 MR. TINTERA: Those are the only 15 questions I have. 16 THE COURT: Mr. Sussman. 17 MR. SUSSMAN: Thank you, Your Honor. 18 19 20 21 22 23 24 25 79 1 CROSS-EXAMINATION 2 BY MR. SUSSMAN: 3 Q Mr. Kirkwood, you are -- where is your 4 office? 5 A In Folsom, California. 6 Q Mr. Schwartz was working up here at the 7 Hawthorn Farms campus at the time when you had this 8 contract with him? 9 A Most of the time, yes. 10 Q So was it difficult to communicate, get 11 together because of the distance? 12 A No. 13 Q Why not? 14 A Telephones, meetings. We'd hold on-line 15 phone meetings and he and I would communicate, 16 often on a daily basis, regarding various things 17 that need to be done. There would also be times 18 when we wouldn't talk for many days. 19 Q Also computer access is easy? 20 A Yeah, e-mail, electronic mail. 21 Q So e-mail doesn't matter if you are in 22 Folsom, then, or Arizona or Florida as far as being 23 able to communicate with somebody in Portland? 24 A Well, it's an electronic form of mail, 25 just like postal mail. 80 1 Q Did some of the work that Mr. Schwartz 2 was doing under this contract involve computers at 3 Cornell Oaks? 4 A Not for my specific project, no. 5 Q Did it involve working at any of the 6 other Intel campuses or sites around Oregon or 7 around the rest of the country? 8 A Yes. 
9 Q And also overseas? 10 A Yes. 11 Q And he had to have access to these 12 different computers and systems at these sites 13 around the country and overseas? 14 A Yes. 15 Q And on all of them, did he have access to 16 what's called root access on the ones that he was 17 working on the DNS project? 18 A Right. He had root access to my 15 or 20 19 machines corporate-wide. 20 Q And when you say "corporate-wide," where 21 were some of those located outside of Oregon? 22 A In that timeframe, we had machines in 23 Folsom, Santa Clara, Chandler, Arizona, up here in 24 Oregon at two or three sites. Israel, I believe, 25 at that point was also on line, two sites in 81 1 Israel. That would probably be it at that time. 2 Q Now, the -- did this project involve 3 moving all of the IP addresses from the Intel 4 Corporation's host, that centralized file of the IP 5 addresses, into this Domain Name Server system? 6 A Could you repeat the question? 7 Q Well, prior to -- let me rephrase. 8 Prior to the shift to using the 9 Domain Name Server to distribute the mail, were the 10 IP addresses all kept in kind of a central host 11 file? 12 A Yes. 13 Q How many IP addresses were in that 14 centralized file? 15 A At the time roughly beginning at about 16 19,000, and then towards the end of the contract, 17 roughly 29,000. 18 Q During the course of your contract, did 19 you provide Mr. Schwartz with copies of any of the 20 security manuals that were in effect? 21 A No. 22 Q During the time that Mr. Schwartz was 23 doing this DNS project and he had access to the 24 computers throughout the country and Israel, were 25 his activities on those computers closely 82 1 monitored? 2 A Closely monitored? 3 Q Yes. 4 A No. 5 Q Mr. Schwartz was an independent 6 contractor doing this? 7 A Correct. 8 Q And so as an independent contractor, 9 then, the IRS regulations require that you kind of 10 give him a job to do but not tell him the specific 11 means of how to get it done; is that right? 
12 A Correct. 13 MR. SUSSMAN: I have nothing 14 further. 15 THE COURT: Redirect? 16 MR. TINTERA: No, thank you. 17 THE COURT: Thank you. You may step 18 down. You're free to go. 19 Call your next witness. 20 MR. TINTERA: Judge, the witness 21 well is dry for this morning. 22 THE COURT: Do you have some -- that 23 means you're out of witnesses? 24 MR. TINTERA: That's correct. 25 THE COURT: That's some sort of 83 1 computer legalese. 2 MR. TINTERA: I just made that up 3 for you. 4 THE COURT: Thank you. 5 MR. TINTERA: You're welcome. 6 THE COURT: Do you have witnesses 7 for 1:30 then, is that it? 8 MR. TINTERA: Yes. 9 THE COURT: How many additional 10 witnesses do you believe that you will have? 11 MR. TINTERA: Three. 12 MR. SUSSMAN: Your Honor, as we 13 mentioned last week, and the State has been also 14 willing to allow, the witness that I had lined up 15 for today, the witness who made plans to come up 16 here from Florida, was just in town for the day, is 17 here and we can take him at 1:30, after lunch, 18 because he has a flight to catch this afternoon. 19 THE COURT: Do we need to talk about 20 that some more? 21 MR. TINTERA: Not in front of the 22 jury. 23 THE COURT: They're going to recess 24 now. Looks like the State is probably going to get 25 close to winding up the State's case today, just so 84 1 we know. 2 We're going to recess now. It will 3 be until 1:30. It will be long because we don't 4 have witnesses. Leave your notes in the jury room. 5 Don't talk about the case. Check in before 1:30 6 and we'll try to start at that time. 7 (Whereupon, the following 8 proceedings were held in 9 open court, out of the 10 presence of the jury:) 11 THE COURT: You have a witness. Who 12 is the witness? 13 MR. SUSSMAN: The witness is Patrick 14 Reilly and he's a witness who I spoke to and 15 informed Mr. Tintera about right after I spoke with 16 him, which was that Sunday, the 2nd or 3rd of July, 17 and we made arrangements for him to come out. 
We 18 tried to anticipate, based on what I had been 19 informed earlier, that the State's case would be 20 finished last week. 21 THE COURT: What's the nature of his 22 testimony? 23 MR. SUSSMAN: He is a witness for a 24 couple things. He has some background in the sense 25 that he has been an employer of Mr. Schwartz's and 85 1 also he is a character witness for Mr. Schwartz. 2 THE COURT: Mr. Tintera. 3 MR. TINTERA: Judge, I'm not 4 objecting to taking him out of order, but I would 5 ask the Court to once again be aware that it's my 6 position that the defense counsel has opened up 7 defendant's activity, at least with the Tektronix 8 Corporation prior to him coming to Intel, through 9 defense counsel's opening statement where he said 10 he was an exemplary employee, which isn't true, and 11 I should be able to correct that. 12 I should alert the Court that as we 13 hear how he worked with other corporations, I think 14 it's going to be important and relevant that the 15 jury hear the rest of the story in regard to his 16 activities at Tandem and his activities at 17 Tektronix. So I'm just alerting Your Honor to 18 that, that that is going to be something that -- 19 THE COURT: Thank you. I appreciate 20 that. I could see the tunnel and I could see the 21 train's light coming through it. I think 22 Mr. Sussman can, too. We'll see how he is at 23 dodging it. 24 Take a recess and see you at 1:30. 25 Thank you. If you have your witness available at 86 1 that time, after direct, I'll decide how much 2 cross-examination I'll permit Mr. Tintera to get 3 involved in. Thank you. 4 (Luncheon recess.) 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 87 1 AFTERNOON SESSION 2 BEGINNING AT 1:35 P.M. 3 JULY 18, 1995 4 5 (Whereupon, the following 6 proceedings were held in 7 open court, the jury being 8 present:) 9 THE COURT: Mr. Tintera, call your 10 next witness. 11 MR. TINTERA: Herb Mayer. 
12 13 HERB MAYER 14 called as a witness on behalf of the State, having 15 been first duly sworn under oath, was examined and 16 testified as follows: 17 18 THE CLERK: State your full name and 19 spell it for the record, please. 20 THE WITNESS: Herb Mayer. 21 M-a-y-e-r. 22 23 24 25 88 1 DIRECT EXAMINATION 2 BY MR. TINTERA: 3 Q Mr. Mayer, how are you employed? 4 A Yes. 5 Q And how is that? 6 A I'm employed at Intel, right around the 7 corner, Hillsboro, Jones Farms. 8 Q What do you do for them? 9 A Right now I'm the quality assurance 10 expert for a project called ITP. The goal is to 11 raise the quality of our software. 12 Q And ITP is an abbreviation for what? 13 A In Target Probe, trademark name. 14 Q Is that with any particular division? 15 A Yes, it's with MD-6, Microprocessor 16 Division 6. 17 Q How long have you worked for Intel? 18 A Nine years. 19 Q During that nine years, were you ever 20 associated with the Supercomputer Division at 21 Cornell Oaks? 22 A Yes, for half of that time. 23 Q And during your association, did you ever 24 have occasion to contract the services of Randal 25 Schwartz? 89 1 A Yes, I did. 2 Q Can you tell me what that project was 3 for? 4 A Yes. This was the creation of a test 5 automatron for SSD compilers. Compiler is a 6 reasonably complex piece of software that has to be 7 tested repeatedly and a test automatron does this 8 testing automatically in lieu of a human being, 9 saving time, avoiding error, therefore raising the 10 quality of the product. 11 So Randal Schwartz had to create the 12 test automatron or derive the test automatron from 13 an older existing one and had to install it on a 14 variety of machines, all of which were the hosts 15 for our products. 16 Q And which machine did that involve, that 17 contract? 18 A The most common one is a Sun 3 and Sun 4, 19 Silicon Graphics, a mock 386 machine, DEC 20 Microvaction, and those are all the machines that 21 come to mind now. 
There probably were one or two 22 others and sometimes there is variations of the 23 same machine I have in mind here, a Sun 4, perhaps 24 on two different operating systems. 25 Q Do you recall if this involved a machine 90 1 called Brillig, which was an SGI machine? 2 A Yes, I did. 3 Q And that was -- that was a machine that 4 was used -- the Brillig machine was used for 5 specialized testing in the Supercomputer Division; 6 is that fair? 7 A Are you asking for what other purposes 8 was the machine used? Is that what you're asking? 9 Q Well, it was a lab machine. It was not 10 part of the everyday network of the Supercomputer 11 Division? 12 A It was not a lab machine. A lab machine 13 are the machines that I call my own machines. My 14 machines were the lab machines and other machines 15 were outside lab machines, and that is an outside 16 lab machine being owned by a person who apparently 17 didn't end up with any of the cool computers at the 18 time, a Sun, so he ended up with the one and only 19 SGI. But he wanted it and he needed it for 20 purposes of what you alluded to earlier, special 21 purpose testing. I believe it was testing for 22 graphics software. 23 Q And the owner of that machine was Richard 24 Greco? 25 A That's correct. He was not in my group. 91 1 Q So your contracts specifically were with 2 two areas, developing the TA, test automatron and 3 to install that? 4 A On the variety of machines. That implies 5 also testing. In other words, when somebody 6 producing the software says that the software is 7 done, I want the person to produce evidence that 8 it's done. That means exercise it, show the 9 results and show that the results are equal to the 10 expected ones. 11 Q Was this a long-term contract or short? 12 A In lay terminology it's ambiguous, but in 13 my phrase that is a short one, duration of a very 14 few months. I don't remember the exact duration, 15 but it was on the order of two months, maybe 16 shorter, but I'm vague there. 
17 Q And was the project completed? 18 A Yes, it was. 19 Q And what happened after the completion? 20 Do you remember if you had any conversation with 21 Mr. Schwartz through -- either face-to-face or 22 through e-mail about the completion? 23 A Ever since the project was complete, I 24 never had any contact, e-mail or telephone, with 25 Mr. Schwartz except for Sunday this week, he called 92 1 me up and we had a private conversation. 2 Q My question was, once it was complete, 3 did you have any conversation with Mr. Schwartz 4 about completing the project? 5 A I'm pretty sure. My memory is not -- 6 again, that was a fairly short contract and I had 7 dozens of those every year, maybe a dozen over a 8 couple years. I don't remember a particular 9 meeting in which I formally, "And this is over and 10 done," but I do remember that the project was 11 completed and, therefore, there must have been a 12 moment where I said, "Thanks for the work," pat on 13 the shoulder, "Now go out, I have other work to 14 do." A formal meeting or letter, no, never done 15 that. 16 Q Can you give the jury some idea of the 17 timeframe here? 18 A I cannot give a sure timeframe because I 19 have no written records. 20 Q Was there a written contract? 21 A I'm pretty sure there was not. 22 MR. TINTERA: If we could mark this 23 exhibit. 24 BY MR. TINTERA: 25 Q Had you requested permission to use 93 1 Mr. Schwartz from anybody at Hawthorn Farms? 2 A Yes, I did. 3 Q And who was that? 4 A I think the name was Mr. Wilcox, Bob 5 Wilcox. I never met the person personally. I did 6 make calls to the Hawthorn Farms office to the 7 person that I knew was the manager of Mr. Schwartz 8 at the time and I asked permission, if it would be 9 okay if I hired him for a limited time to do work 10 for me for my department, and I got the okay. 11 Q If I could hand you State's Exhibit 20. 12 Part of the contract involved Silicon Graphics or 13 an SGI machine; is that correct? 
14 A Part of the work that he did for me did, 15 yes. 16 Q And does this State's Exhibit 20, which 17 is an invoice from Mr. Schwartz, reference work on 18 an SGI machine? 19 A It's unclear to see, but it's fairly -- 20 I'm pretty sure this means SGI in two instances. 21 Q And the dates for that work? 22 A First quarter in 1993, it says here. 23 Q Can you read that date, February? 24 A One of them says February, about 25, 25 1993. Could be 23, 1993 as well. The other one I 94 1 can't read, but since it's chronological, it must 2 be the same timeframe. But I'm not sure whether 3 that work was done for me. 4 Q Sure. And you don't have any paperwork 5 that can help us with that? 6 A You're correct. I transferred at the end 7 of the year into the new division MD-6, and all the 8 paperwork that was considered old and dusty by me, 9 I just tossed it. 10 Q If Mr. Schwartz's password were disabled, 11 he could not have done your project; is that true? 12 A That's correct. 13 Q And did your project involve copying in 14 any way of the Supercomputer Division password 15 file? 16 A No. 17 Q Did it involve running Crack against the 18 Supercomputer Division password file? 19 A No. That was not part of the job. 20 Q Do you know what a gateway program is? 21 A The name "gateway" says something to me, 22 but I don't know what a gateway program would be. 23 The gateway would be a switch from one to other 24 computers. 25 Q Did this involve putting a switch from 95 1 one to other computers on the Brillig machine? 2 A Are you asking did the work that I asked 3 Mr. Schwartz to do? 4 Q Yes. 5 A Probably not. It's conceivable because 6 all of these computers were in a way connected 7 together through some network. 8 Q Let me rephrase that. Did the work that 9 you contracted with Mr. Schwartz involve him 10 creating a way to go through the firewall of the 11 Intel Corporation into the Intel Corporation and 12 back out? 13 A No, not at all. 
14 Q And so none of the jobs that you asked 15 him to do would authorize him to copy the 16 Supercomputer Division password files; is that 17 correct? 18 A You're correct. I would never authorize 19 that. On the other hand, the password file itself 20 is something publicly read and by anybody, so 21 anybody can go in and say, "Let me look at the 22 password file," because that's encoded information. 23 And you can look at it until your heart's delight 24 and you would never make sense of it much. 25 Q Is that something that came up when you 96 1 and Mr. Schwartz talked last Sunday? 2 A No. 3 Q Did you authorize -- not what somebody 4 else could do through other means, did you 5 authorize him to copy the Supercomputer Division 6 password file for the Intel Corporation? 7 A Not at all. It would be unrelated to the 8 task. 9 Q Did you authorize him to run a Crack 10 program against the Supercomputer Division password 11 file of the Intel Corporation? 12 A Not at all. It would be unrelated, 13 again, to the task. 14 Q And you wouldn't have authorized him to 15 put a gate from outside the firewall into the Intel 16 Corporation; is that true? 17 A The first thing I would have said is why, 18 and if I had convincing reasons, which I doubt it 19 would have come across, if I had convincing reasons 20 then I would have said yes, but I would have also 21 checked with my boss. 22 Q Right. And is that the normal procedure? 23 A Correct. 24 Q And -- 25 A And that did not happen. 97 1 Q And that did not happen? 2 A That did not happen. 3 MR. TINTERA: Those are the only 4 questions I have. Thank you. 5 THE COURT: Mr. Sussman. 6 7 CROSS-EXAMINATION 8 BY MR. SUSSMAN: 9 Q Mr. Mayer, had you had any -- had you 10 worked with Mr. Schwartz or known of his work prior 11 to the time that you contracted with him to do this 12 project? 13 A Yes, I did. That's why I had the intent 14 of hiring him. 15 Q And what was that prior contact? How did 16 you know him? 
17 A For a period of about a year, maybe two 18 years, he was the Systems Administrator for the 19 computers for a project called IWARP. I was part 20 of the project and he was part of the project, too, 21 by being the Systems Administrator, and I think at 22 the time he was a contractor as well, but I'm not 23 sure. My impression was he was not an Intel 24 employee. 25 Q Were you then working in his group where 98 1 he was a Systems Administrator? 2 A No. Those are separate groups. 3 Q But you got to know his work then? 4 A Yes, I got to know him quite well. I had 5 to go to him often when my computer was down and 6 ask him for help to make sure I could continue with 7 my work, and he went ahead, fixed what had to be 8 fixed, and I could continue and make progress. 9 Q You were part of a different system, part 10 of a different group than his? 11 A He had a different charter, a different 12 organization. His charter was, "Here are the 13 computers, make sure they continue to run." My 14 charter was to use a running computer and to 15 develop software on it. 16 Q He was a Systems Administrator for the 17 group's computers that you were involved in? 18 A Correct. 19 Q That you were working on, I should say. 20 So having been familiar with this 21 work, I assume it would be fair to say that you 22 thought highly of his work, which is why you asked 23 him to take on this? 24 A That's correct. 25 Q Rather, that particular project. 99 1 A He was a skillful, competent systems man. 2 Q By the way, the machines that he was 3 working for you under this contract, did any of 4 these machines, themselves, produce an Intel 5 product or were they basically -- 6 A All of the machines produced various 7 Intel products. And the purpose of his tool was to 8 ensure that those products were living up to a 9 certain level of quality. 10 Q Now, when you asked Mr. Schwartz to do 11 this job, you hired him as an independent 12 contractor; is that correct? 13 A Yes, I did. 
14 Q And so as an independent contractor, you 15 were not able to tell him how to do the job, were 16 you? 17 A You're correct. That is the definition 18 of a contractor. I ask him to do something, go 19 away in the corner, do whatever he has to do, come 20 back when done, get the money and give the product. 21 Q So you're concerned with what is the job 22 that has to be done? 23 A Correct. 24 Q And you rely on Mr. Schwartz's schedule 25 to get the job done? 100 1 A That's the beauty of a contractor. 2 Q His experience in being able to do the 3 work necessary to get the job done? 4 A Yes. 5 Q And perhaps his ingenuity in solving 6 whatever problems come up in order to get the job 7 done? 8 A Yes, of course. 9 Q As I understand it, that job involved 10 putting software, certain kinds of software on 11 these machines? 12 A Yes. 13 Q And in order to make them run and 14 programs that run a way that you needed? 15 A He had to install the software in a 16 particular way that they would be available to all 17 users. 18 Q Now, to do that, when you install or 19 create software, don't you have to create files 20 that kind of instruct the machine on how to do the 21 job? 22 A Yes, you create lots of files. 23 Q And the files are sort of like tools, 24 aren't they? 25 A Many of them are, yeah. The main file 101 1 was a tool. 2 Q And one of those machines you said was a 3 DEC Microvaction? 4 A DEC Microvaction, yeah. 5 Q And would one of the tools that might be 6 installed on that DEC Microvaction or the other 7 machines be an "rhost" file that would allow 8 Mr. Schwartz to easily log in under his own user 9 name? 10 A Yeah, very likely. I remember having 11 used the tools myself. There were certain 12 limitations where I couldn't use them on one 13 computer but I could "rhost" to another computer 14 and exercise the tool on a different computer and 15 ship the results back and get my results, even 16 though my current computer was limited. 
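And he 17 must have encountered a similar situation, so it's 18 a likely thing to happen, yeah. 19 Q So that was then a useful tool to 20 accomplish the job that you gave Mr. Schwartz to 21 do? 22 A I didn't understand question. 23 Q Creating an "rhost" file, the "rhost" 24 file would be a useful tool for Mr. Schwartz in 25 completing the job that you assigned him to do? 102 1 A Most likely. Most certainly. It was one 2 of the prescribed steps in the use of our compilers 3 when you ran into problems of what to do. We are 4 still referring to the "rhost" file information. 5 Q That's correct. And even doing this 6 particular job, Mr. Schwartz needed to have access 7 to all of these machines? 8 A Yes. 9 Q And he had to have special rights, kind 10 of special access? 11 A That is true, too, because he had to 12 install them in a way usable for all users, which 13 is what a normal programmer cannot do. 14 Q So that he would have been allowed to put 15 or to write these rights, these privileges into the 16 directories on computers that he was working on 17 that he normally wouldn't have in order to get this 18 job done? 19 A He was required to. 20 Q Now, did somebody come back to you later 21 on and talk to you about some concerns or objection 22 to the fact that there was this "rhost" file found 23 on this DEC Microvaction computer? 24 A There was somebody coming back to me with 25 a concern, and I think that was Doug Smith, but I'm 103 1 not sure there, but the exact nature of the 2 concern, I don't remember. It could have been an 3 "rhost" file. It could have been just the fact 4 that in the root directory, there were files by the 5 owner Randal Schwartz. 6 I don't remember the exact nature of 7 the concern, but concern was clearly voiced to me 8 and discussed with me, "Herb, Randal is working for 9 you. What in the world is he doing here in this 10 root directory," or "What in the world is he 11 doing?" I'm not quite sure what the concern was. 12 And then I explained that he was 13 doing work for me for the test automatron and that 14 in this context, it is likely that he would have 15 done what he did. And to the best of my memory, 16 the concern then was alleviated. And I think it 17 was Doug Smith. Doug Smith then walked away and 18 expressed no further concerns. 19 Q Was John Kent also involved in that 20 discussion? 21 A I'm not sure whether it was John Kent or 22 Doug Smith, but I do know for sure at a later time, 23 maybe about a year after completion of the 24 contract, and therefore also after the discussion 25 that I had with who I suspect is Mr. Doug Smith, 104 1 John Kent came to me and said that there were 2 security concerns raised against Mr. Schwartz. 3 Q But that grew out of the incident which 4 is why we're here in court today? 5 A Exactly. 6 Q But had nothing to do with DEC 7 Microvaction computers? 8 A Correct. That was long past. 9 Q And your recollection is that was 10 resolved to everybody's satisfaction because it was 11 work that was done for you and it was something 12 that was done in order to complete the job for you? 13 A It's my impression that there was no more 14 concerns because nothing else was voiced after this 15 one instance. 16 Q In your mind, that did not create a 17 serious -- 18 A If it was, he would have raised it with 19 my own line of command right away. 20 Q This particular project that was being 21 created for the test automatron, that was a fairly 22 complex bit of technology project, wasn't it? 23 A Yes. 24 Q And was that the kind of software project 25 that would typically require a fair amount of 105 1 maintenance afterwards? 2 A Yes, it does. 3 Q And could you have discussed with 4 Mr. Schwartz the likelihood that there would be 5 more maintenance work to be done on this at some 6 time in the future? 7 A You're asking could I have discussed 8 this? Yes, I could have discussed it. Whether or 9 not I did, I'm not sure, but I likely did discuss 10 it.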
12 And then I explained that he was 13 doing work for me for the test automatron and that 14 in this context, it is likely that he would have 15 done what he did. And to the best of my memory, 16 the concern then was alleviated. And I think it 17 was Doug Smith. Doug Smith then walked away and 18 expressed no further concerns. 19 Q Was John Kent also involved in that 20 discussion? 21 A I'm not sure whether it was John Kent or 22 Doug Smith, but I do know for sure at a later time, 23 maybe about a year after completion of the 24 contract, and therefore also after the discussion 25 that I had with who I suspect is Mr. Doug Smith, 104 1 John Kent came to me and said that there were 2 security concerns raised against Mr. Schwartz. 3 Q But that grew out of the incident which 4 is why we're here in court today? 5 A Exactly. 6 Q But had nothing to do with DEC 7 Microvaction computers? 8 A Correct. That was long past. 9 Q And your recollection is that was 10 resolved to everybody's satisfaction because it was @ 11 work that was done for you and it was something 12 that was done in order to complete the job for you? 13 A It's my impression that there was no more 14 concerns because nothing else was voiced after this 15 one instance. 16 Q In your mind, that did not create a 17 serious -- 18 A If it was, he would have raised it with 19 my own line of command right away. 20 Q This particular project that was being 21 created for the test automatron, that was a fairly 22 complex bit of technology project, wasn't it? 23 A Yes. 24 Q And was that the kind of software project 25 that would typically require a fair amount of 105 1 maintenance afterwards? 2 A Yes, it does. 3 Q And could you have discussed with 4 Mr. Schwartz the likelihood that there would be 5 more maintenance work to be done on this at some 6 time in the future? 7 A You're asking could I have discussed 8 this? Yes, I could have discussed it. Whether or 9 not I did, I'm not sure, but I likely did discuss 10 it. 
11 Q And when the project was complete in that 12 discussion that you had with Mr. Schwartz thanking 13 him, isn't also likely that you said you looked 14 forward to working with him again? 15 A Yes. 16 Q And Mr. Schwartz, because of your respect 17 for his skill and work he did on this project, is 18 somebody that you would have specifically kept in 19 mind for follow-up work on? 20 MR. TINTERA: Your Honor, I object 21 to this question. 22 MR. SUSSMAN: This is 23 cross-examination. 24 MR. TINTERA: I didn't ask about 25 future contracts. I asked about a specific 106 1 contract. 2 THE COURT: I'm sustaining the 3 objection. 4 MR. SUSSMAN: I'll rephrase the 5 question. 6 BY MR. SUSSMAN: 7 Q Might you have also, in the course of 8 that discussion, made any reference to -- I lost my 9 train on the one question. 10 It could have been likely that you 11 would have said something to Mr. Schwartz that he 12 might have been the person that you had in mind to 13 come back to do this work? 14 MR. TINTERA: He's not going to be 15 able to lead the witness and he can't be suggesting 16 the answer. He can ask the witness what he 17 remembers about what was said. He can't be 18 constructing the witness as to likely, maybe, 19 possibly. It calls for speculation. 20 THE COURT: Sustain the objection. 21 BY MR. SUSSMAN: 22 Q Would you have considered Mr. Schwartz as 23 somebody -- as a candidate for follow-up work? 24 A Yes, I would have. I know he is skillful 25 and sometimes skills that I need would be matched 107 1 by that person. 2 Q When Mr. Schwartz and you were working 3 together at the SSD Division at IWARP, do you 4 recall whether there was a connection to 5 Carnegie-Mellon University from the IWARP group? 6 A Yes, there was a very strong connection. 7 They were all main contractor -- all our main 8 points of contact and cooperator. We did the work 9 jointly with them. 
10 Q And to facilitate that work, was there a 11 two-way connection that was created to 12 Carnegie-Mellon allowing both inbound and outbound 13 communication with them? 14 A Clearly the connection to Carnegie-Mellon 15 existed. That is an open system anyway, including 16 myself. I've logged in there many times from here. 17 The real question that you are 18 asking is, is it correct that there was a way from 19 Carnegie-Mellon to effectively bypass the security 20 measures and log in at Intel. Yes, that existed. 21 The number of those connections was very small and 22 well controlled. It was on the order of one or two 23 and associated with very specific users. 24 I don't know who the users were, but 25 I remember we discussed it and we did create such a 108 1 vehicle because it was beneficial for the overall 2 productivity of the product if those people at 3 Carnegie-Mellon could help us. 4 Q Was Mr. Schwartz involved in setting that 5 up? 6 A I don't know. I don't know. Even if he 7 did so, it was outside of the work that he did for 8 me. It was not connected with my contract. 9 Q At the conclusion of Mr. Schwartz -- When 10 you say that work was concluded, did you direct 11 anybody to disable Mr. Schwartz's accounts on the 12 various -- 13 A No, I didn't. 14 Q Did you tell Mr. Schwartz directly that 15 his access to all of the computers terminated? 16 A No, I didn't. 17 MR. SUSSMAN: Thank you. I have 18 nothing further. 19 THE COURT: Mr. Tintera. 20 21 22 23 24 25 109 1 REDIRECT EXAMINATION 2 BY MR. TINTERA: 3 Q Mr. Mayer, what was the timeframe of your 4 work with Mr. Schwartz in the IWARP group? 5 A It was on the order of a year. 6 Q When? 7 A Oh, when? It was in the end of the '80s, 8 so '89, plus or minus a year. 9 Q So it didn't go into the '90s? 10 A It could have been borderline beginning 11 1990. 12 MR. TINTERA: Thank you. That's all 13 I have. 14 THE COURT: Mr. Sussman. 15 MR. SUSSMAN: Nothing further. 16 THE COURT: Thank you. You may step 17 down. 
18 MR. TINTERA: May this witness be 19 excused? 20 MR. SUSSMAN: I have no objection. 21 THE COURT: You're free to go. 22 Thank you for being here. 23 Call your next witness. 24 MR. SUSSMAN: With Mr. Tintera's 25 agreement, we have agreed to take my witness out of 110 1 order. I'd like to call Patrick Reilly. 2 THE COURT: We're going to hear a 3 defense witness now. The State hasn't rested, but 4 it's convenient because Mr. Sussman has a witness 5 here, ready to testify. We'll take that witness 6 now. 7 Ordinarily, you would not hear this 8 until the State had rested, but we're going to do 9 it this way. We're sure you can keep track of it 10 that way. This is a defense witness. 11 Step forward, sir. 12 13 PATRICK L. REILLY 14 called as a witness on behalf of the Defendant, 15 having been first duly sworn under oath, was 16 examined and testified as follows: 17 18 THE CLERK: State your full name and 19 spell it for the record, please. 20 THE WITNESS: My name is Patrick L. 21 Reilly. R-e-i-l-l-y. 22 23 24 25 111 1 DIRECT EXAMINATION 2 BY MR. SUSSMAN: 3 Q Mr. Reilly, where do you live? 4 A I live in Chandler, Arizona. 5 Q And how are you employed? What's your 6 occupation? 7 A I'm a co-founder of a business of my own 8 called Isoqwan Technology, and I'm general manager 9 for IQ Tech, just for short. 10 Q What kind of business is this? 11 A IQ Tech develops software, particularly 12 software for wireless communication systems such as 13 cellular radio systems, personal communication 14 systems. 15 Q How long have you been the owner of this 16 particular business? 17 A Since July of last year. 18 Q Prior to that, how were you employed? 19 A I was employed by Motorola for about five 20 years prior to that time. Motorola had various 21 locations starting in Chicago at the Cellular 22 Infrastructure Group and transferred to Chandler, 23 Arizona to work for Motorola's satellite division. 24 Q What kind of work were you doing for 25 Motorola? 
112 1 A Well, most recent, I was manager of the 2 network analysis simulation and performance group, 3 which was a group of about 22 people responsible 4 for the architectural specifications and the 5 performance analysis within a system called 6 Meridian, which is a satellite system that's being 7 developed by Motorola. 8 Q In your current work, please tell the 9 jury where you perform your job. 10 A Well, I have a few customers. My main 11 customer right now is located in Melbourne, 12 Florida, at Airnet Communications. Airnet is a 13 company that has been funded by Harris Corporation 14 and it's a startup and they are building a personal 15 communication system and this is all stuff that 16 you're hearing about in the papers and whatnot 17 where you will be able to walk around with a phone 18 and make calls from the 7-Eleven or what have you 19 and take this phone anywhere you would like and 20 have one phone number that can stay with you the 21 rest of your life and people can call that one 22 number and your phone would ring. 23 Q Is that where you're working at this 24 time? 25 A That's right. I have eight people 113 1 involved in that project in Florida at the present 2 time. 3 Q And that's where you came from to testify 4 today? 5 A That's correct. 6 Q How do you know Randal Schwartz then? 7 A Well, I came to know Randal in two 8 manners. One, I knew of him before I actually 9 hired him. I hired him in April of 1994 while 10 working at Motorola. I had known of him a couple 11 years prior to that time before I had ever 12 personally met Randal. 13 Q How did you know of him prior to that 14 time? 15 A In my business, my business at that time 16 was performance modeling and analysis of large 17 systems. To do that sort of work, these systems 18 generate millions and millions and millions of 19 bytes of data. Unfortunately, data is useless. 20 Information is what is important. 
21 To extract information out of data, 22 there are a couple clever ways of doing that. One 23 is to use a program called Perl, and other than 24 Larry Wall, Randal is probably the world's leading 25 expert on Perl as a programming language. And I 114 1 have, of course, followed his posting to the Perl 2 news group on the Internet for a number of years 3 prior to actually meeting him. And we used Perl 4 extensively at Motorola for crunching large 5 databases of numbers to extract information. 6 Q Subsequently, then, you hired 7 Mr. Schwartz? 8 A Right. In Arizona, the Meridian project 9 is a $6 billion project and there was no way 10 Motorola has enough people to build that system, so 11 we contracted a lot of work with subcontractors. 12 And I had hired an organization called Gorca out of 13 Cherry Hill, North Carolina, and several of their 14 contractors. They introduced Randal to me as 15 another person that I could use because I had made 16 it known that I needed a person of Randal's talent. 17 I didn't say I needed Randal Schwartz, I just 18 needed a Perl expert and someone that was very good 19 at UNIX operating system as well. 20 So they posted an ad and I think 21 Randal responded to that. And then they introduced 22 me to Randal at Motorola and we talked and the 23 contract was put in place and we put him to work. 24 Q And what kind of work do you have him 25 doing for you? 115 1 A Well, he was responsible for, A, keeping 2 everything working correctly in the performance 3 analysis group and, B, creating some specialized 4 databases for some of the performance modeling 5 analysis that we were doing. 6 Q Over what period of time did he work for 7 you? 
8 A Well, he worked for me up until I left 9 Motorola in July of last year, and then later when 10 I started the business and I was working for Airnet 11 Communication in Melbourne, Florida, I called upon 12 Randal to come down and do some work for me, for my 13 company, which he did successfully, and so 14 successfully that Airnet in turn brought him back 15 down there on their own nickel to do some work for 16 them. 17 Q And when was that? 18 A Most recently, I believe it's been about 19 two months ago that Randal was down there. 20 Q Now, in describing the work that Randal 21 Schwartz was doing, you mentioned something about 22 database. Would you explain to the jury what you 23 mean by that? 24 A Well, a database is simply a structure 25 that contains information about us. It's like 116 1 where our Social Security number will reside 2 somewhere in a database on all of us out there, and 3 this is where they keep all the information. 4 That's all it was. In my case, it was a database 5 of performance numbers about a particular system. 6 Q So was Mr. Schwartz administering a 7 system for you? 8 A Yeah, he was. We have to separate 9 concerns here. One, I was working at Motorola and 10 he was managing the performance modeling and 11 analysis group system, as well as doing specific 12 work there related to performance modeling and 13 analysis. At Airnet, he was managing the entire -- 14 MR. TINTERA: Objection. 15 Unresponsive. 16 THE COURT: Sustained. Ask another 17 question. 18 THE WITNESS: I'm sorry. 19 BY MR. SUSSMAN: 20 Q We'll come back to Airnet in a second. 21 What do you mean that he was doing 22 the performance modeling? Clarify perhaps the kind 23 of responsibilities and duties that Mr. Schwartz 24 had for you at Motorola. 25 A All right. Let me particularize it first 117 1 to the act of performance modeling and analysis. I 2 or some of my people would write a program that 3 would simulate satellites orbiting the earth and 4 simulate them on real time. 
In other words, what's 5 happening to the system every second. 6 And we would generate a simulation 7 for, let's say, an hour. So there is 3600 seconds. 8 Each tick of the clock, many things are occurring 9 in that system. Satellites are moving, calls are 10 being made, so on. All of that information is 11 written out to a file, just dumped. 12 MR. TINTERA: Can I ask a question 13 in aid of objection? 14 THE COURT: You may. 15 EXAMINATION IN AID OF OBJECTION 16 BY MR. TINTERA: 17 Q Does any of this have anything to do with 18 the Intel Corporation? 19 A No. 20 MR. TINTERA: I object. It's not 21 relevant. 22 THE COURT: How is this relevant, 23 Mr. Sussman? 24 MR. SUSSMAN: Your Honor, first it's 25 background, explaining Mr. Schwartz's work, his 118 1 skills, and gives the jury the understanding of the 2 work he does, under ultimately the foundation for 3 this witness to give his opinion on certain 4 character aspects of Mr. Schwartz because it 5 relates to the kind of duties and responsibilities 6 and access to information that he had in the work 7 that he did for Mr. Reilly. 8 It's important background for the 9 jury to know how this witness knows Mr. Schwartz 10 and in what context and to be able to evaluate the 11 opinion that this witness is going to be asked to 12 give on these characteristics. 13 THE COURT: Overrule the objection. 14 Proceed. 15 BY MR. SUSSMAN: 16 Q Do you know what a Systems Administrator 17 is? 18 A Yes. 19 Q Was Mr. Schwartz acting as a Systems 20 Administrator for you at Motorola? 21 A For our group he was. 22 Q And you started referring to this Airnet. 23 And was he also doing that kind of work at Airnet? 24 A That's right. His first assignment at 25 Airnet was for IQ Tech. 
Whenever I go to a new 119 1 place, I invariably find their computer network is 2 not up to proper standards for me to do my work and 3 I would like to use the best that he could find, 4 and Randal is the best that I could find, and so I 5 had Randal come down and spend a couple days down 6 there getting everything up to speed that I prefer, 7 getting the right tools there and so on. 8 After that time, the Systems 9 Administrator, the employee at Airnet who has the 10 title Systems Administrator, had to go on training 11 for a week. Airnet liked what they saw in Randal's 12 previous work and -- 13 MR. TINTERA: Objection. 14 Unresponsive. 15 THE COURT: Sustained. 16 BY MR. SUSSMAN: 17 Q Now, Mr. Schwartz was an independent 18 contractor? 19 A That's right. 20 Q And as an independent contractor, how 21 much control did you have over the way he did his 22 work? 23 A None. If the IRS has anything to say 24 about it, I'd have to make him an employee to 25 control how he did his work. 120 1 Q So how would you approach him, just give 2 him a task? 3 A Give him a broad task and tell him "make 4 it work," and not really be concerned about how he 5 did it. 6 Q At Motorola you were indicating that 7 Mr. Schwartz was working under you on this Meridian 8 satellite project. Was he working as a Systems 9 Administrator? 10 A Just for the performance modeling group, 11 which is a subnetwork of a larger monolithic 12 structure. 13 Q Did that work involve access to sensitive 14 corporate information? 15 A Absolutely. The Meridian system is still 16 being constructed. It's a $6 billion project. 17 It's a highly competitive business right now. Many 18 people are trying to get into it and some of that 19 work is classified Motorola proprietary information 20 or registered secret information. 21 Q And Mr. Schwartz had access to all of the 22 computers and -- 23 A Randal had keys to the kingdom, as far as 24 I was concerned. 25 Q Did you trust him with the keys to the 121 1 kingdom? 
2 A Absolutely. 3 Q Why was that? 4 MR. TINTERA: Objection. 5 THE COURT: Sustained. 6 BY MR. SUSSMAN: 7 Q Now, at the other job that Mr. Schwartz 8 did for you over at Arizona Tech -- 9 A Airnet. 10 Q I'm sorry, Airnet. Did he also have 11 access to security or sensitive information? 12 A At Airnet it was much broader. He had 13 access to the company-wide system. Motorola was 14 company-wide to our group, 22 people out of 300, 15 and Airnet he had access to 187 people, the entire 16 system. 17 Q During any of the time that Mr. Schwartz 18 was working for you at Motorola or Airnet, did you 19 become aware of the charges pending against him in 20 Oregon, that it involved accusations of violation 21 of Intel security? 22 A Yes, I did. I think he worked for me at 23 Motorola -- 24 MR. TINTERA: Objection. He 25 answered the question. 122 1 THE COURT: Sustained. 2 BY MR. SUSSMAN: 3 Q And when you became aware of the charges, 4 what did you do? Did you have any concerns about 5 continuing to have Mr. Schwartz -- 6 MR. TINTERA: Objection. Not 7 relevant to any issue in this case. 8 THE COURT: Sustained. Not 9 relevant. 10 BY MR. SUSSMAN: 11 Q Let me ask you this. Mr. Reilly, based 12 upon your knowledge of Mr. Schwartz's background, 13 your working with him, your association with him, 14 your observation of his performance at Motorola and 15 at Airnet, do you have an opinion about 16 Mr. Schwartz's character for trustworthiness? 17 A I have no reservations about it. 18 MR. TINTERA: Objection. Not 19 responsive as required by the rules. 20 THE COURT: Well, this is kind of a 21 technical area, sir. First of all, just answer the 22 question yes or no if you have an opinion, and then 23 let Mr. Sussman ask you another question. 24 THE WITNESS: I'm sorry for being 25 verbose. 123 1 THE COURT: That's okay. You're an 2 expert in computers and the rest of us study laws 3 and the two of us don't merge very often. We're 4 trying to do that here. 
5 THE WITNESS: Yes, I have an 6 opinion. 7 BY MR. SUSSMAN: 8 Q What's that opinion? 9 A I would hire Randal tomorrow if I could 10 afford him. 11 MR. TINTERA: Objection. That does 12 not follow the rules, Your Honor. 13 THE WITNESS: My opinion is I would 14 hire him tomorrow if I could afford him. I have no 15 reservations about his character or his 16 trustworthiness. 17 BY MR. SUSSMAN: 18 Q What about his character for honesty? 19 A No reservations. 20 Q Do you have an opinion about that? 21 A Yes, I have an opinion. 22 Q What's that opinion? 23 A I have no reservation about his 24 upstanding character for trustworthiness and 25 honesty. 124 1 MR. SUSSMAN: Thank you. I have 2 nothing further. 3 THE COURT: Mr. Tintera. 4 5 CROSS-EXAMINATION 6 BY MR. TINTERA: 7 Q Mr. Reilly, you left Motorola in July of 8 1994? 9 A That's correct. 10 Q Are you aware that Mr. Schwartz's 11 contract is not going to be renewed by Motorola 12 Corporation? 13 A Yes. 14 Q And are you aware of the reason? 15 A No. 16 Q So it would come as news to you that it's 17 for -- 18 MR. SUSSMAN: Objection. 19 THE COURT: Sustained. 20 MR. TINTERA: Your Honor, he can go 21 into specific areas of the contract. He's given 22 his opinion and -- 23 THE COURT: He's denied that he has 24 any knowledge and you're going to read something 25 into the record that he's going to deny knowing. 125 1 That's not appropriate. 2 MR. TINTERA: I can ask him has he 3 heard. 4 THE COURT: That's not the question 5 that you asked. 6 BY MR. TINTERA: 7 Q Mr. Reilly, have you heard that the 8 contract will not be renewed because of personality 9 problems he had with the staff at Motorola? 10 A No, I had not heard that. 11 Q And furthermore, you've given some 12 opinions as to honesty and trustworthiness. Had 13 you heard that when Mr. Schwartz worked for 14 Tektronix Corporation that he was suspended for two 15 weeks for cracking password files in 1983 and that 16 timeframe? 17 A Had I heard that? 18 Q Yes. 
19 A No, I didn't know that. 20 Q And had you heard when Mr. Schwartz 21 worked for the Tandem Corporation in 1986, 1987, 22 that he was, as he put it, technically fired for 23 unauthorized cracking of password files for a short 24 period of time? 25 MR. SUSSMAN: Your Honor, I object. 126 1 This is assuming facts that are not in evidence and 2 I think that the State -- it's beyond what the 3 State can prove. 4 THE COURT: Is there something that 5 you have that has been disclosed to Mr. Sussman, a 6 report or -- 7 MR. TINTERA: Let me reference the 8 exact report, Your Honor. 9 Let me rephrase the question. 10 BY MR. TINTERA: 11 Q Had you heard that when Mr. Schwartz 12 worked for the Tandem Corporation in the period of 13 1986 and 1987 that he had illegally cracked 14 passwords and accessed file systems for Tandem and 15 was fired for a short period of time because of 16 that? Had you heard that? 17 A No. 18 Q Did you give Mr. Schwartz authorization 19 to crack the password file for the Intel 20 Supercomputer Division of the Intel Corporation? 21 MR. SUSSMAN: Objection. This is 22 beyond proper character, character witnesses on his 23 opinions. 24 THE COURT: Sustained. 25 MR. TINTERA: I don't have any other 127 1 questions for this witness. 2 THE COURT: Redirect? 3 MR. SUSSMAN: Nothing further. 4 Thank you. 5 THE COURT: Thank you. You may step 6 down. 7 MR. SUSSMAN: Ask that the witness 8 be dismissed. 9 THE COURT: You're free to go. 10 Thank you for being here. 11 That concludes your witness out of 12 order then, Mr. Sussman? 13 MR. SUSSMAN: Yes, Your Honor. 14 THE COURT: Thank you. Call your 15 next witness, Mr. Tintera. 16 MR. TINTERA: Our witness will be 17 rather lengthy. Did you want to take our recess 18 now or not? 19 THE COURT: We'll take a short break 20 here and we can at least get through direct before 21 we take another one. 22 (Recess.) 23 THE COURT: Mr. Tintera, call your 24 next witness. 25 MR. TINTERA: Rich Cower. 128 1 RICHARD R. 
COWER 2 called as a witness on behalf of the State, having 3 been first duly sworn under oath, was examined and 4 testified as follows: 5 6 THE CLERK: State your full name and 7 spell it for the record, please. 8 THE WITNESS: My name is Richard R. 9 Cower. C-o-w-e-r. 10 11 DIRECT EXAMINATION 12 BY MR. TINTERA: 13 Q Mr. Cower, could you tell the jury how 14 you're employed? 15 A I'm employed at Intel and my title is 16 network security specialist. 17 Q And how long have you been doing that? 18 A Almost exactly five years. 19 Q And where are you based? 20 A In Folsom, California. 21 Q And how long have you been with Intel? 22 A Almost exactly five years. 23 Q And so this is what you've done for them? 24 A Yes, for the entire time I've been there. 25 Q And what type of training or 129 1 qualifications do you have for this job? 2 A I have -- I don't know, I've been a 3 Systems Administrator, I have, roughly since 1968. 4 I've been working on computers as a systems 5 programmer primarily. 6 Q In the fall of 1993, while you were the 7 network security specialist, did you receive a call 8 regarding a situation at the Oregon site, Hawthorn 9 Farms, Cornell Oaks? 10 A Yes. 11 Q And what was the nature of the call? 12 A They had discovered a password-cracking 13 effort going on on a system in Mark Morrissey's 14 group. 15 Q When? 16 A In the end of October. 17 Q Of 1993? 18 A Of 1993. 19 Q And what happened after that? 20 A A lot. I don't know where to start. 21 Q What did you do? 22 A I came up. We had a meeting. We had a 23 couple meetings in Folsom that were bridge 24 meetings. Bridge meetings is where people dial 25 into the meeting and we have a device on the desk 130 1 that speaks, it's like a speaker phone. 2 We had a couple meetings regarding 3 that incident and I came to Oregon on -- I came up 4 on Sunday, I think, must have been Halloween 5 because I missed Halloween with my kids. 
Came up 6 on Sunday, that Halloween, and worked here on 7 Sunday through Tuesday or Wednesday. I don't 8 remember when I left. 9 Q What was the security concern? 10 A The password file from the SSD computer 11 group was on a machine in Hawthorn Farms. That was 12 clearly not right. Didn't belong there. The other 13 concern was this gate program running on a system 14 called Brillig. 15 Q And what did you do once you got here to 16 Oregon? 17 A We were attempting to -- Mr. Schwartz had 18 a lot of access on Intel machines. He had access 19 on machines located here in Oregon. I believe 20 there were machines located in Folsom that he had 21 access on. I don't know about Santa Clara. He had 22 access to machines in Israel with the Domain Name 23 Service he was working on. Also network 24 characterization. 25 Our concern at that time was we had 131 1 determined on Friday we were going to no longer 2 employ Mr. Schwartz at Intel, and our concern was 3 how to shut him down and minimize the damage should 4 he wind up getting malicious because of access he 5 had. So we spent quite a bit of time figuring that 6 out. 7 Q Can you jump ahead a little bit and tell 8 the jury, based on these particular activities, the 9 gate program, what you saw in Mr. Schwartz's files 10 in running the Crack program, what Intel, as a 11 corporation, had to do in response to this? 12 A It was substantial. We had to examine 13 all of the systems at Intel that had Internet 14 access and check for the existence of the gate 15 program. That was one then that had to be done. 16 We didn't know where else the gate program was 17 running or capable of running at that time. This 18 was before we interviewed Mr. Schwartz. 19 And then we had to change all of the 20 router passwords that he had access to. We had to 21 change the root passwords on all of the systems. 22 We had to shut down all of his accounts. It was a 23 substantial amount of work. 24 Q And was this all at Hawthorn Farms? 
25 A It was directed from Hawthorn Farms, but 132 1 not all work was at Hawthorn Farms. The work was 2 distributed throughout Intel. Folsom, Santa Clara, 3 Hawthorn Farms, may have been some at Jones Farms, 4 I know we were looking there, and the Israeli 5 machines. 6 Q You said that was before you talked to 7 Mr. Schwartz? 8 A Yes. 9 Q Why didn't you just call him up and find 10 out what he was doing? 11 A I think, as I recall, the issue there was 12 we didn't know what he was doing. He had -- he was 13 clearly cracking passwords, we knew that, and he 14 had this gate system set up which would allow 15 Internet access coming into Intel. Based on that, 16 we weren't sure what else he was doing. 17 And in the interest of -- I mean, 18 why we contacted the sheriff, the Sheriff's Office, 19 the police, why we contacted the police, that was 20 on Monday after Halloween, maybe November 1st, was 21 it was determined if we had asked Mr. Schwartz to 22 take a look at his laptop, he had the laptop 23 computer which he carried with him in and out of 24 the building every day, and if we asked 25 Mr. Schwartz to take a look at the laptop, there 133 1 was probably no way we could force him to let us 2 look at that laptop. That was his personal office 3 and we felt there was no way we could make him let 4 us look at that laptop, so we involved the 5 Sheriff's Department. 6 Q Can you tell the jury what it cost the 7 corporation to -- 8 MR. SUSSMAN: Objection. This is -- 9 THE COURT: Overruled. Go ahead. 10 You can answer that. 11 THE WITNESS: I think I was asked to 12 produce a report on costing for this, but I don't 13 recall the timeframe. I do remember the number was 14 between 60 and $70,000. That was quite a while 15 ago. That was right after we did this, within a 16 month after the incident in October. 17 It involved a lot of people, a lot 18 of people and a lot of coordination. 
And there was 19 upper management direction to do it immediately, to 20 shut Randal down immediately. And then there was 21 this -- sort of this negotiation that we went 22 through on when it would be done. It was decided 23 that we would shut him off when the search warrant 24 was served at his home. 25 Q Were you involved at all with the search 134 1 warrant, in the going to Mr. Schwartz's home and in 2 execution of the search warrant? 3 A I'm not sure. I was asked to accompany 4 the sheriff's deputies to Mr. Schwartz's house and 5 assist in the -- what they call an interview 6 process. That's where they go in and ask him 7 questions to try to put some spin or help them out 8 with technical answers or technical questions that 9 might come up. So, yes, I was there. I don't know 10 if I was involved, if that's the search warrant. 11 Q All right. The gate program was located 12 where, do you know? 13 A Brillig. 14 Q And what was the problem with it? 15 A It allowed incoming access from the 16 Internet. 17 Q And what was Intel's structure in regard 18 to incoming access from the Internet? 19 A It wasn't allowed. 20 Q What about the Defender system? 21 A That was authenticated access of some 22 sort. Some form of authentication. Either call 23 back or secondary authentication. A little device, 24 key pad that you carry with you that does the 25 channel response with numbers. That was allowed. 135 1 Q Was it within the corporate policy to 2 copy the Supercomputer Division password file from 3 Cornell Oaks over to Hawthorn Farms where it was 4 found on the Snoopy machine? 5 A No, it was not. 6 Q And based on your investigation, was 7 Mr. Schwartz authorized to run the Crack program 8 against the Supercomputer Division password file? 9 A No. We haven't been able to find anyone 10 that authorized Mr. Schwartz to do that. 11 Q So you went with the police when they 12 went to his home with the search warrant? 13 A Yes. 14 Q And did you speak with Mr. Schwartz? 
15 A Not initially. When they went to the 16 door of the house, the police went to the door and 17 I used a mobile telephone, an Intel mobile 18 telephone that someone lent me to make a phone call 19 which initiated all of the changes to shut his 20 access off that evening from the front of his 21 house. 22 Q And then later after that, did you speak 23 with him? 24 A Sometime later, yes. They asked me to 25 come in right away and look at -- he had his Apple 136 1 Power Book, his laptop computer doing something. I 2 don't remember what, it was doing something 3 innocuous. It was downloading cryptic or 4 something. Some new program. And it was sitting 5 there and they asked me to look at it to see if it 6 had anything to do with Intel and I said, "No, I 7 don't think it does," and I went back outside. 8 Q Later, were you invited in? 9 A Yes. Later, yes. 10 Q And did you participate in any 11 conversations with Mr. Schwartz? 12 A Yes, for quite a while. 13 Q And did you make notes of what he was 14 saying or -- 15 A I had my daytimer with me, some paper 16 notes I made, yes. 17 Q When you spoke to him, did you also, in 18 spite of your -- in addition to your daytimer, did 19 you generate a written report? 20 A Yes. 21 Q And when was that, do you remember? 22 A No. It was probably right after that. 23 Maybe the next day. But I don't remember. 24 Q Now, specifically in regard to the 25 interview of Mr. Schwartz, did you ask -- did you 137 1 talk to him about his use of the Brillig computer 2 and in the Supercomputer Division? 3 A Yes, we did. 4 Q And what did he have to say about that? 5 A Quite a bit. He was very open about what 6 he was doing and why he was doing it. He was -- he 7 had cracked -- you want everything he said or -- 8 Q Let me be more specific. Eventually, 9 yes. 10 Did he say anything in regard to 11 whether he was authorized to use the Brillig 12 computer? 13 MR. SUSSMAN: Objection to leading. 14 THE COURT: Sustained. 15 BY MR. TINTERA: 16 Q Okay. 
Let's go back to the other 17 question. What did he tell you about the Brillig 18 computer? 19 A That he had cracked the Brillig computer 20 password file and obtained from it a user. I think 21 the user's name was Ron B. That's the way the 22 computer knows that user. And he had used the Ron 23 B account, user name, he had impersonated Ron B and 24 used Ron B to log into SSD. 25 He also said he used possibly one 138 1 other user name to log into SSD, but he didn't 2 remember which one. 3 Q Do you know if Brillig contained the full 4 SSD password file? 5 A It did not. 6 Q Do you know how Mr. Schwartz obtained the 7 full SSD password -- well, on the Snoopy machine 8 that Mr. Schwartz was using, was the full SSD 9 password file there? 10 A I believe it was. 11 Q Did Mr. Schwartz tell you how he obtained 12 that full password file? 13 A I'm not sure. He may have -- trying to 14 remember. It's going back a long ways. He may 15 have said he used the Ron B account. When he 16 impersonated Ron B on the SSD machine, he went over 17 to SSD and logged in as Ron B, since Ron B was an 18 authorized user on the SSD machine. He may have 19 taken the password file and copied it using the Ron 20 B file. 21 Q Do you remember having a discussion with 22 Mr. Schwartz about whether he had a contract 23 regarding the use of the Brillig computer? 24 A I think that contract had expired and I 25 think we did have a discussion with him and I 139 1 believe he indicated that it expired in late 1992. 2 I took my notes in October, November, something 3 like that, December. 4 Q Regarding the statements of Mr. Schwartz, 5 did you talk with him about why he was running the 6 Crack process? 7 A Yes, we did. When I say "we," it was 8 usually what's his name -- Detective Lilley and I 9 were the ones talking to Mr. Schwartz. 10 Q What did Mr. Schwartz tell you about 11 running the Crack process? 
12 A He was running the Crack process because 13 he was worried that the gate program on Brillig 14 would be discovered. And when we discovered the 15 gate program on Brillig, we would, of course, 16 probably terminate it and terminate him at that 17 time and the concern was he wanted another place -- 18 he wanted another place to land the gate program 19 and by cracking the SSD password file, he would get 20 another place to continue his access into Intel. 21 Q Was there any differences between the 22 Internet access between the SSD computers and, 23 let's say, the group that he was working with at 24 Hawthorn Farms? 25 A Yes. Most of the machines in the -- most 140 1 or maybe all of the machines, I'm not sure, let's 2 say for purposes of this discussion all the 3 machines in the SSD domain have Internet access, so 4 that would be a good place to land. The gate 5 program, I believe, relied on a machine having 6 Internet access to be able to do what he was doing 7 with it. 8 Q Did you ask him why it was that it was 9 important to him that this gate program exist? 10 A Yes, we did. 11 Q And what did he say? 12 A To read mail. He said he was reading his 13 mail with it. 14 Q As a contractor with Intel, couldn't he 15 get his e-mail through the Intel e-mail network 16 from Intel employees? 17 A He would either have to be at Intel to 18 get his e-mail or he would have to dial in using 19 the Defender system to get his e-mail. If he were 20 off site or traveling or at home, wherever he was, 21 to use the Defender. 22 Q Did you talk about the timeframe that 23 Mr. Schwartz had begun using the Brillig machine? 24 A We did. It was somewhat vague. He had 25 initially run the gate program on Mink, the machine 141 1 called Mink, which was administered by Dirk 2 Brandewie. And he had been asked to stop doing it 3 there and then he moved it to a machine called 4 Aurora, which we actually never knew it was running 5 on. 
6 Aurora is the mail forward system 7 located in Santa Clara, California. One of our 8 mail entrants. He ran it there and he said it was 9 too slow, so then he moved it to Brillig. I don't 10 recall the timeframe of when all that happened. 11 Between when he got it off Mink and when we found 12 it running on Brillig. 13 Q Well, did you talk to him at all about 14 his knowledge of this in regard to Intel policy? 15 A Yes. 16 Q And what did he say about that? 17 A He said he knew it was a violation of 18 Intel policy. 19 Q Do you know what he was referencing then? 20 A I don't know the specific policy, no. 21 Q Now, what activity was he talking about 22 if he knew it violated Intel policy? 23 A I believe both activities. 24 Q Being? 25 A Crack and -- cracking the passwords and 142 1 the gate program on Brillig. I'm not sure he was 2 specific, but I would assume both. 3 Q What about -- what about tapes. Were you 4 aware that Mark Morrissey made what are called TAR 5 tapes during this time period, made copies of what 6 was happening on the Snoopy computer and on 7 Mr. Schwartz's own computer at Intel? 8 A Yes. 9 Q And have you had an opportunity to look 10 through those tapes? 11 A I have, yes. Not extensively, but I have 12 looked through them. 13 Q Hand you what has been marked State's 14 Exhibit 21. Can you identify State's Exhibit 21? 15 A Yes. 16 Q What is that? 17 A It looks like output of a Crack process 18 running on a machine named Wyeth, which is one of 19 Mark Morrissey's machines. And this particular 20 Crack process was started on September 24th at 21 almost 3:00 o'clock in afternoon, 14:54 and 17 22 seconds. 23 When you start a Crack process, it 24 states the date and time it was started. Started 25 roughly 3:00 o'clock in the afternoon on September 143 1 24th. 2 Q And can you tell what the Crack process 3 file, what it was being run against? 4 A Looks like the SSD password file. A file 5 called password.ssd. 6 Q And that's on the Wyeth machine? 7 A Yes. 
8 Q And it was a printout from what? 9 A This was printed out from one of the 10 snapshots that Mr. Morrissey made of Mr. Schwartz's 11 directories on Snoopy or Kandinsky, one of those 12 machines. 13 Q Now, when you followed this process from 14 Wyeth, did it -- could you tell if there was a -- 15 if the same password file was being cracked in 16 October 21st when that process began running? 17 A I haven't looked at it with that kind of 18 detail. I could do that for you and we could look 19 at the files and compare them and see if it's a 20 different file or if he took a new file. 21 Q When you looked at what was available for 22 Mr. Schwartz in his program through this TAR tape, 23 did you find anything that is referenced in regard 24 to notification of cracked passwords? 25 A There is a script that comes with a Crack 144 1 program that's name is Nastygram, and I don't think 2 it had been modified to do anything in this case. 3 It will generate a mail message to the user, I 4 don't know if you want to pass this around, but in 5 here you can see it there, there is passwords that 6 says "guess." That means it got a password. Where 7 the entry is "guess," it says, "Okay, I guessed 8 this. I know what this password is." 9 The Nastygram script will generate a 10 mail to that user and tell him to fix it. There 11 was nothing done like that at all. 12 Q Is that an automatic program that you can 13 set up if the password is cracked, to send 14 notification to that person? 15 A I don't recall if it's automatic or not 16 or if it's something that you have to do. I'd have 17 to take a look at it to see what it really does. I 18 know it will send a mail message. 19 Q In regard to the way that Intel 20 Corporation does business, when the SSD password 21 file is copied without authorization, as it was in 22 this case, does it reduce the value of the file to 23 the corporation? 24 A I would say it does reduce value. 25 MR. 
SUSSMAN: Objection to the 145 1 question because it's leading and also calls for 2 speculation. 3 MR. TINTERA: Judge, doesn't suggest 4 an answer. Just asks -- 5 THE COURT: I'm going to permit the 6 question. It doesn't call for speculation. The 7 witness' answer sounded like speculation. I don't 8 want him speculating. If he knows, answer it. 9 THE WITNESS: Yes, it does. 10 BY MR. TINTERA: 11 Q And a similar question in regard to 12 running of Crack against the Supercomputer Division 13 password file, does the deciphering of -- cracking 14 of the passwords change their value to the Intel 15 Corporation? 16 A Yes, very much so. Those passwords are 17 the key, if you will, to your house, that protects 18 your valuables in your house. These passwords are 19 the keys that protect our information assets 20 sitting behind those passwords in the user files 21 and absolutely does reduce the value. Makes them 22 worthless. They have no value. 23 Q Now, as your position with the network 24 security, have I asked you about the authorization 25 in regard to the gate program on Brillig? Let 146 1 me -- 2 A I don't know. 3 Q Let me ask you again. I can't recall, 4 either. I'm sorry. 5 A I can't, either. 6 Q Was there any information that you 7 received in your investigation that authorized 8 Mr. Schwartz to place the gate program on Intel's 9 Brillig computer? 10 A No. Nothing. 11 Q Was there anything that you turned up 12 that authorized Mr. Schwartz to copy the 13 Supercomputer Division password file from Cornell 14 Oaks over to Hawthorn Farms? 15 A No. We haven't found anyone that would 16 say that. 17 Q And any authorization that you found to 18 run the Crack program against the Supercomputer 19 Division that Mr. Schwartz was running on the 20 Snoopy computer, any authorization for that? 21 A None. 22 MR. TINTERA: I'd like to have -- 23 I'd like to offer State's Exhibit 21 at this time. 24 MR. SUSSMAN: I'd like to see it. 25 THE COURT: We'll have it handed to 147 1 Mr. 
Sussman. 2 MR. SUSSMAN: I have no objection. 3 THE COURT: 11 is received. 4 MR. TINTERA: That was 21. 5 THE COURT: I'm sorry. 21 is 6 received. 7 (Whereupon, State's Exhibit 8 No. 21 was received in 9 evidence.) 10 MR. TINTERA: Thank you. I don't 11 have any other questions. 12 THE COURT: Mr. Sussman. 13 MR. SUSSMAN: Thank you, Your Honor. 14 15 CROSS-EXAMINATION 16 BY MR. SUSSMAN: 17 Q Mr. Cower, you had mentioned that you had 18 been notified about this password-cracking program 19 running at the end of October by Mark Morrissey. 20 That would have been around October 28th? 21 A Probably. 22 Q That Thursday? 23 A Yes, probably. 24 Q And there was a meeting -- meeting you 25 scheduled as a bridge meeting the following day? 148 1 A Friday afternoon, yes. 2 Q And at that meeting, there was some 3 discussion of talking to Mr. Schwartz about what he 4 was up to, what was going on, wasn't there? 5 A Yes, there was. 6 Q And a decision was made by management not 7 to talk to Mr. Schwartz? 8 A Yes. 9 Q And the decision was made by management 10 to go to the police instead? 11 A Yes. That was based on the -- we felt we 12 couldn't look at his lap -- we didn't know what he 13 was doing. We knew some of what he was doing, but 14 not the full extent, and we couldn't look at the 15 laptop. If we asked him at Intel to look at that 16 laptop and he said, "Go to hell," or whatever, and 17 just walked out the door, we'd just be sitting 18 there without being able to look at the laptop. 19 Q At that time you knew that Mr. Schwartz 20 -- that there was a password-cracking program being 21 run against the SSD password file? 22 A Yes. 23 Q You knew that a series of passwords had 24 been cracked? 25 A Yes. 149 1 Q And you knew at that point who some of 2 the passwords belonged to? 3 A Yes. 4 Q And you were concerned because some of 5 those passwords were the passwords for Ed Masi? 6 A Yes. 7 Q And Justin Rattner, who Mr. 
Rattner was 8 one of -- also the chief architect, designers of 9 the Supercomputer? 10 A I don't know that Justin Rattner's 11 password was cracked. 12 Q Well, that's stated in Detective Lilley's 13 affidavit. Didn't you tell him that? 14 A I don't know that I did. I know that he 15 had -- Masi's password was cracked. 16 Q So there was a fear that Mr. Schwartz had 17 been looking in the files, correct? 18 A Well, that capability certainly existed. 19 Q And that he might have been copying 20 materials from the files? 21 A Yes. 22 Q And the only way for you to find out 23 whether he was taking the information from the 24 files, which was the main concern, was to look on 25 his laptop computer? 150 1 A Yes. We were advised there was another 2 Crack process, depending on the O'Reilly & 3 Associates password file from Mr. Schwartz's 4 publisher, and that was also going on at the same 5 time. And we found output from it and we really 6 didn't know what to do with that, so we contacted 7 CERT, the Computer Emergency Response Team, and 8 CERT said -- 9 Q You're talking about O'Reilly now. I 10 didn't ask you about that at this point. 11 A This is certainly leading up to where I 12 think you want to go with this. If I can finish -- 13 THE COURT: Just let him ask 14 questions. 15 MR. SUSSMAN: The answer is no 16 longer responsive, Your Honor. 17 THE COURT: I understand. I 18 sustained your objection. I said just let him ask 19 questions. 20 BY MR. SUSSMAN: 21 Q Between Thursday, October 28th, when the 22 process was discovered and Monday, November 1st, 23 when the police were called, Mr. Schwartz's 24 activities were being monitored at Intel, were they 25 not? 151 1 A I believe so. 2 Q What was referred to as these TAR copies 3 of his computer files were made? 4 A Yes. 5 Q And TAR files are backup tapes that make 6 a complete copy, snapshot of everything that was in 7 his -- computers that he was working on? 8 A Yes. 9 Q That he had accounts to? 10 A Yes. 
11 Q So that all of that could be preserved? 12 A Yes. 13 Q And looked at to see what processes he 14 was running, what information -- what files had 15 been created on those machines and what information 16 had been copied to those files, correct? 17 A Yes. 18 Q And between that time, Mr. Kent made 19 copies of all of Mr. Schwartz's files on the 20 Brillig machine also, is that correct? 21 A I don't know that. I believe so, but I'm 22 not positive. 23 Q Now, when Detective Lilley came in on 24 Monday and you talked with him about preparing the 25 search warrant, by that time, had anybody looked 152 1 into Mr. Schwartz's files from Intel to determine 2 whether or not he had -- there was any SSD 3 sensitive information besides the password file? 4 A Besides the password file? There was so 5 much information on Mr. Schwartz's files, the 6 volumes of it were very difficult to look at. 7 Q But there were programs for you to run on 8 these files which allow you to clue in like 9 keywords, for instance, that would relate to SSD 10 information that would allow you to go through 11 those files and look for sensitive information, is 12 there not? 13 A I believe a keyword search was done. I 14 don't know when. 15 Q I'm sorry? 16 A I believe a keyword search was done, but 17 I don't know when. 18 Q And that keyword search produced no 19 information, did it? 20 A I don't know. I didn't do it. 21 Q Now, during that period of time that 22 Mr. Schwartz's activities were monitored, there was 23 no evidence that he had attempted to log into 24 Snoopy where the Crack program was running? 25 A I don't know that. I'm sorry. 153 1 Q You don't remember? 2 A I don't know that. I had no account on 3 Snoopy to be able to look at Snoopy. 4 Q Well -- 5 A No way for me to look at it. 6 Q Was this discussed during any of the 7 meetings as to what Mr. Schwartz's activities were? 8 A There were meetings on Monday. 
The 9 meetings on Monday were primarily the meetings I 10 was involved in, was damage control to figure out 11 how to turn off his access that evening. 12 Q And meeting with the police to feed them 13 information to prepare a search warrant so you 14 could -- 15 A My input to the police that day was very 16 limited. 17 Q There is the capacity to keep a record of 18 whether Mr. Schwartz or whether anybody logged into 19 the Snoopy computer during that period of time 20 between October 28th and November 1st, wasn't 21 there? 22 A There is. 23 Q And also it would have been able to 24 show -- there were records to show when 25 Mr. Schwartz logged onto the Snoopy computer prior 154 1 to October 23 during the time that the Crack 2 program was running? 3 A Yes, there should be records of when he 4 logged on. 5 Q You had mentioned that there was a 6 program running on Wyeth running September 24, and 7 that stopped after a short period of time. 8 A I believe that -- I would have to look at 9 that log again. I don't know that stopped after a 10 short period of time. 11 Q But that was not the program that was 12 running in October? 13 A No, it wasn't. It was the same program. 14 I think it was the same program. 15 Q Now, the Snoopy machine was not set up 16 until October? 17 A I believe so, yes, early October. 18 Q And the Crack program started when it 19 was -- it was initiated on Snoopy on October 21st? 20 A Yes. 21 Q And the program that was running was 22 running under Mr. Schwartz's user ID name, Merlyn, 23 right? 24 A I believe so. 25 Q Did you see -- were you shown the logs of 155 1 or records that showed commands or the user 2 information on how that process was running? 3 A I think I have seen them. 4 Q And that program -- so it was running 5 under Mr. Schwartz's user ID name of Merlyn? 6 A Which program? 7 Q The Crack program. 8 A On which date? 9 Q When it was discovered, on October 28th? 10 A Okay. October 21st. 11 Q When it was started on October 21st? 12 A Yes. 
13 Q And in the previous one you identified 14 was running on Merlyn, the one on Wyeth? 15 A We assumed it was. I don't think we have 16 a process ID associated with that. 17 Q So the one starting on October 21st was 18 running under Mr. Schwartz's user ID name of 19 Merlyn? 20 A I believe so, yes. 21 Q And it had a command to run, that said 22 Crack-PWC? 23 A I think that's what Mr. Morrissey 24 testified to. I remember that from his testimony. 25 Q And the file, just to make sure that we 156 1 have got this right, so we have this running under 2 Merlyn's files, the user ID? 3 A Uh-huh. 4 Q And we have the command that it's running 5 is called Crack-PWC, so that's when you see -- when 6 you look into the records, right? 7 A I didn't look into that. I only know 8 that because that's what Mr. Morrissey testified 9 to. 10 Q And this was running on the files named 11 Password SSD, correct? 12 A I don't believe so. I believe that's 13 incorrect. The one instance I looked at was 14 October 24th and -- 15 Q In October? 16 A You have "password" written incorrectly 17 there. I think you dropped the "O." 18 Q Should have been like this? 19 A Can you show me the log? I'd rather not 20 rely on memory for this. 21 Q Let me show you one of them. 22 A Sure. Show me like that exhibit that was 23 just up here. That will tell me pretty much 24 everything I need to know, I think. 25 Q Let me show you this report to see if 157 1 this refreshes your memory. 2 A Whose report is this? 3 Q This is Mr. Morrissey's report. 4 A Want me to read up here? 5 Q Yes. 6 A Yeah, I see that. The second one. Based 7 on that. 8 Q Sure. And the file that was -- the other 9 file that was in there that you're referring to 10 from O'Reilly was similarly written out there as 11 password ORA, right? 12 A Is it in there? 13 Q If you don't remember -- 14 A If you say so. If you say it's written 15 in there, I'll believe you. Sure. No, I don't 16 remember. 
17 Q So this was running for seven, eight days 18 before it was noticed under Mr. Schwartz's own user 19 ID, clearly designated as a Crack program on files 20 that were clearly designated as the password file 21 from SSD? 22 A Yes. 23 Q Now, prior to this time, you had 24 personally very little contact with Mr. Schwartz? 25 A Yes. 158 1 Q May have met him only once or twice? 2 A Once or twice, yes. Once I know, maybe 3 twice. I'm not sure. 4 Q What did you know about Mr. Schwartz's 5 level of skill or sophistication in the UNIX 6 systems? 7 A What did I know or what have I heard? 8 Q Yes. Well, at the time you were 9 preparing this investigation, what did you learn? 10 A He was very skillful. 11 Q And very knowledgeable in security 12 matters? 13 A I hadn't heard that. I don't know. 14 Maybe I heard that. He knew UNIX well. If he 15 knows UNIX well, he probably knows security pretty 16 well. 17 Q But you were concerned that because 18 Mr. Schwartz had access to machines in various 19 Intel sites around the country and Israel that 20 information could be easily transferred and that 21 information -- 22 A No, that wasn't it. Our concern was that 23 we knew we were going to terminate his contract. 24 That was a given. Our concern was that after we 25 terminated his contract, where else did he have 159 1 access at Intel. And that's what we really had to 2 turn off was this -- we didn't want a malicious 3 effort occurring at Intel that would shut our 4 network down. 5 Q But you were also afraid that secret and 6 sensitive information from SSD might have been 7 copied and transferred or taken off-site? 8 A Yes. 9 Q And Mr. Schwartz had access to a number 10 of systems throughout Intel and overseas? 11 A I don't think those systems had anywhere 12 near the sensitivity of the information on them 13 that the SSD file -- 14 Q No, but he could have transferred it or 15 hidden? 16 A Oh, yes. He could have moved it anywhere 17 outside of Intel. 
18 Q And it would have been very easy for him 19 if he was trying to steal information to encrypt it 20 and store it on a computer where nobody would know? 21 A Yes. 22 Q Or simply to have copied information onto 23 a file and walked out with it? 24 A That's what his laptop is, is a file, if 25 you will. 160 1 Q And so the focus then got to be to seize 2 this laptop and look at all of the material, all 3 the information that was stored on its hard drive? 4 A Yes. 5 Q And the hard drive is the -- kind of the 6 memory, just to make sure the jury knows when we're 7 talking about a hard drive. Explain that. 8 A It's rotational machinery, memory that 9 moves. It's magnetic platters and there is heads 10 that go out and read and write information on those 11 platters. It's all stored magnetically, ones and 12 zeros. That's a brief description. 13 Q And also you wanted to have the police 14 seize whatever computer disks or other material 15 that he had that could have stored information? 16 A I believe that's what the police were 17 interested in doing, yes. 18 Q You were not the only person from Intel 19 who accompanied the police on the search of 20 Mr. Schwartz's residence; is that correct? 21 A That's correct. 22 Q There were two other Intel 23 representatives? 24 A Yes, there was. 25 Q And there were how many police? 161 1 A Oh, lots. I don't know. Maybe five or 2 six. 3 Q And the police had already gone into the 4 house before you went in and joined the 5 conversations that were going on? 6 A Oh, yes. 7 Q Were you present when the police advised 8 Mr. Schwartz and his brother of their right to 9 remain silent and if they said anything it could be 10 used against them in court? 11 A No. 12 Q And at any time you were present did any 13 of the officers tell Mr. Schwartz -- let me back 14 up. 15 This conversation took place in the 16 back room of Mr. Schwartz's house? 17 A Yes. 18 Q And there were usually at least two and 19 often more people in the room with Mr. 
Schwartz? 20 A Usually when I was in a room with 21 Mr. Schwartz, there was Detective Lilley and 22 myself. Usually they were -- I know they were 23 making a conscious effort to limit the number of 24 people in the room. I don't know why, it's 25 something that police do. 162 1 Q So Detective Lazenby, the other detective 2 was in there very infrequently? 3 A Very infrequently when he was in there. 4 Q And Mr. Schwartz was sitting opposite you 5 and Detective Lilley? 6 A Actually, no. Mr. Schwartz was sitting 7 across from Detective Lilley and I was sitting -- 8 what do you call it, at a right angle? I was 9 sitting to the right of Detective Lilley and to the 10 left of Mr. Schwartz. 11 Q How long after you arrived did you join 12 this conversation? 13 A I don't know. I would guess -- you want 14 a guess? 20 or 30 minutes, but I don't have a 15 watch so I really have a very poor sense of time. 16 Q And so you were in the room during this 17 questioning of Mr. Schwartz for more than an hour? 18 A I was in the room twice, once initially, 19 and then Detective Lilley and I went out and had a 20 brief conversation and then I went back into the 21 room. 22 Q So the total time you were there was more 23 than an hour? 24 A I really don't know. I'm sorry. It's 25 just the lack of a watch. I should buy one. 163 1 Q Did Mr. Schwartz leave the room during 2 the questioning? 3 A That's a hard one. I think he did. 4 Q Was Mr. Schwartz told by any of the 5 officers that he was free to leave? 6 A I don't know that he asked. I don't 7 remember that conversation occurring. 8 Q Did either of the detectives at any point 9 accuse Mr. Schwartz of lying to them at some point? 10 A I don't recall. That may have happened, 11 but I'm not sure. 12 Q When you said that Mr. Schwartz said he 13 wanted another place to land, talking about getting 14 beyond -- talking about the computer systems. Do 15 you remember Mr. Schwartz's words? 16 A No, I don't. 
17 Q You said that -- you testified that 18 Mr. Schwartz wanted another place where he would 19 have access to the Internet. 20 A No, to Intelnet. Intelnet is what we 21 call the internal network of computers at Intel. 22 Q So Intelnet? 23 A Yeah. 24 Q And that was to be able to access his 25 Intel e-mail from outside the company? 164 1 A Yes, that's what he said he was doing. 2 Q So he had anticipated that he would 3 continue to work for Intel? 4 A I have no idea what his anticipation was, 5 I'm sorry. I don't know what he was thinking. 6 Q You don't know what he was thinking at 7 the time? 8 A No. 9 Q You mentioned that Mr. Schwartz could 10 have had access to Intel from outside through the 11 Defender dial-up. 12 A Yes. He had a Defender account. 13 Q That account went to -- is limited to 14 specific telephone numbers, isn't it? 15 A I don't recall how they were doing the 16 Defender access in Oregon at that time. That's one 17 way, could have been. Could have been a call-back 18 system where it would dial back to a specific 19 number. That's one method of operation. 20 Q So if we are talking about Mr. Schwartz's 21 home phone number, it would limit it to inbound 22 communication from that particular telephone 23 number? 24 A Yes, I recall Mr. Schwartz stating that 25 evening that the Defender system didn't meet his 165 1 needs because of the manner in which he read mail. 2 I think his mail program required an X Window. 3 Q Often because he had contracts that took 4 him out of town, to do business in other cities? 5 A He didn't mention that. 6 Q You mentioned that he told you he moved 7 the program -- this program, gate program, as you 8 described it, to a machine called Aurora but it was 9 too slow and then moved it to Brillig? 10 A Yes. 11 Q Are you sure he didn't tell you it was a 12 machine called Hermeis? 13 A I'm not sure. I'd have to look at my 14 notes. 15 Q So your recollection of exactly what he 16 said is a bit fuzzy? 17 A On that point, yes. 
We have a lot of 18 machines at Intel. It's difficult to remember the 19 names of all of them. 20 Q Now, at the point that Mr. Schwartz was 21 having -- was being questioned and you reported the 22 comment about being aware that these activities 23 were a violation of Intel policy, this was while he 24 was in the room with you and Detective Lilley being 25 questioned? 166 1 A It must have been. That's the only place 2 I talked to him. 3 Q And was this after Mr. Schwartz was 4 informed by Detective Lazenby that he could be 5 prosecuted for the activities that were being 6 investigated? 7 A I don't know what Mr. Lazenby said to 8 Mr. Schwartz. 9 Q When you asked Mr. Schwartz about the 10 password-cracking program on SSD, he did tell you 11 that he was doing this to check the systems 12 security, didn't he? 13 A Yes. 14 Q In fact, that was the first response that 15 he gave you? 16 A I don't remember the order. It was a 17 response. 18 Q And he was emphatic about that, wasn't 19 he? 20 A No, I wouldn't call it emphatic. He 21 mentioned it and it was mentioned and we went on. 22 Q Now, you mentioned that he -- you asked 23 him if he had run Crack against any other systems 24 and he mentioned running one against Techbook with 25 a fellow named James Deibele. 167 1 A Yes. 2 Q He told you that he did that also to 3 check on the security of that system? 4 A Yes. 5 Q And that he informed Mr. Deibele when he 6 found that out? 7 A Yes. 8 Q And he told you then that he tried the 9 Crack program on the Brillig password file first 10 and that's where he found the password for the user 11 Ron B? 12 A Yes. 13 Q He had an active account on Brillig at 14 the time he was using this machine, didn't he? 15 A He had an account. He had an account. 16 Q And that -- his password on that account 17 had been disabled? 18 A That's correct. 19 Q You had mentioned earlier, you were asked 20 a question about whether or not cracking the 21 passwords diminished the value of the passwords. 
22 There are policies in Intel about how passwords 23 should be chosen, correct? 24 A Yes. 25 Q And those policies are set up so that the 168 1 people will choose passwords which cannot easily be 2 guessed? 3 A Yes. 4 Q And they won't easily be guessed by 5 programs like Crack, correct? 6 A Yes. Sure. 7 Q And Crack is well-recognized as a tool 8 that Systems Administrators and other people in 9 security within a company use to test the security 10 of passwords? 11 A Yes, it is. 12 Q And the password, as you said, is like 13 the key, it's sort of the first line of defense, a 14 security measure that you have for your machines? 15 A Yes. 16 Q Now, if somebody chooses a bad password, 17 one that violates your policy because it is easily 18 guessed, doesn't that diminish the security of your 19 system? 20 A No. Not in the same sense that cracking 21 the password does. When the password is cracked, 22 it becomes an entirely different matter. 23 Q A bad password -- 24 A Wait -- 25 MR. TINTERA: Judge, I object to 169 1 counsel interrupting the witness when he doesn't 2 care, I guess, for the answer. 3 THE COURT: Well, let him finish 4 answering the question. 5 THE WITNESS: That password, a bad 6 password, even a bad password when it is stored on 7 that computer system is stored in cryptic. It is 8 not readable. You can't look at it and then log in 9 using it. When it's cracked it's an entirely 10 different matter. 11 BY MR. SUSSMAN: 12 Q But that kind of password still exposes 13 the system in a way that a good password that 14 follows your policies does not? 15 A Yes, I would say -- okay, I'll go with 16 that, yeah. 17 Q Now, the Crack program itself contains as 18 part of the package, the Crack program package, it 19 contains a feature, this Nastygram feature that you 20 referred to, which allows an administrator using 21 that to automatically send messages to somebody 22 whose password has been cracked to inform them of 23 that? 
24 A I know it contains a Nastygram 25 programmer, a script called Nastygram. Whether 170 1 it's that, I'd have to go back and look. It does 2 send a mail message. 3 Q In the course of your investigation of 4 this, you learned that Mr. Schwartz was a Systems 5 Administrator in the past at IWARP at SSD? 6 A Yeah, a long time ago at IWARP. 7 Q You also learned that when Mr. Schwartz 8 was in that capacity he routinely ran Crack against 9 passwords in people at his group to test their 10 security? 11 A I hadn't heard that until just today. I 12 did not learn that. 13 Q So you also hadn't learned that 14 Mr. Schwartz used a program like that to send 15 e-mail messages automatically to the members of his 16 group whose passwords were cracked? 17 A No. No, I haven't. 18 Q A couple questions about Brillig and the 19 gate program that you are referring to. 20 Mr. Schwartz informed you that this 21 program was set up so that he could get access to 22 his Intel mail? 23 A Yes. 24 Q And so that he could respond to it 25 quickly? 171 1 A Yes. 2 Q Now, did he -- you made reference to one 3 of his contracts that was about to expire. 4 A Actually, he made reference to a 5 contract. I think they were going to hire a 6 full-time person to replace him. 7 Q You're talking about the contract that he 8 had with Bob Wilcox? 9 A They were looking for somebody to replace 10 him there, yes. 11 Q Now, you know Mr. Schwartz had access to 12 the Internet through his publisher O'Reilly? 13 A I don't know that. 14 Q And you didn't know that or learn that at 15 the time of your investigation? 16 A We knew he had access to O'Reilly. We 17 saw from gate logs that he had used a system at 18 O'Reilly to access a system at Intel. 19 Q You didn't know whether or not he had an 20 Internet account at O'Reilly? 21 A He did have. 22 Q He did? 23 A Yeah. We found the password file for 24 O'Reilly & Associates on one of our machines. 
In 25 that password file, we found the Merlyn account, so 172 1 yeah, he had an account. 2 Q And in fact in his personnel file, it 3 showed that his e-mail address throughout the time 4 that he worked for Mr. Wilcox was an e-mail address 5 at O'Reilly? 6 A I don't know that. 7 Q Now, you did look at Mr. Schwartz's 8 involvement in the work that he was doing for 9 Mr. Wilcox? 10 A Yeah. 11 Q And based on that, it would be fair to 12 say he was still doing work as a Systems 13 Administrator at the time of this incident? 14 A Yes, I would say so. In the -- at the 15 Hawthorn Farms campus. 16 Q So this gate program that Mr. Schwartz 17 had set up so that he could continue to have access 18 to Intel e-mail from outside of e-mail from when he 19 was working, was done when he was working outside 20 of Intel and you knew that he was an independent 21 contractor? 22 A Yes, I knew he was a contractor. 23 Q And that as an independent contractor, 24 the people he was working for could only give him 25 jobs, describe work to be done, but couldn't give 173 1 him instructions on how he was to do his job? 2 A I didn't know any of that until this 3 week. I'm sorry. 4 Q So you were not familiar with those 5 policies? 6 A I was not familiar with the rules 7 regarding independent contractors. 8 Q Those rules were not distributed or 9 disseminated around Intel generally? 10 A Not to me. 11 Q What about the -- those security 12 policies, the security manuals, were those 13 distributed to all Intel employees? 14 A Yes. 15 Q Were they distributed to all Intel 16 contractors? 17 A I doubt that. 18 Q And in fact, Intel contractors were not 19 given the same information and were not -- did not 20 attend the same meetings as regular employees? 21 A That's true. 22 Q In order to maintain their status as 23 independent contractors? 24 A I know they can't attend certain 25 functions and events because of the contractor 174 1 status. 
2 Q So you rely on managers, people who hire 3 the contractors to relate information? 4 A Yes. 5 Q In doing this investigation, you looked 6 at Mr. Schwartz's personnel file? 7 A Have I? 8 Q Yes. 9 A Not that I recall. 10 Q Mr. Brandewie earlier mentioned that one 11 of the concerns that you had about a gate program 12 that Mr. Schwartz had written was that people could 13 watch the wire from Ruby to Mink and then learn all 14 the information necessary to get through Mink and 15 then into Intel. 16 A Well, I think probably what he was 17 referring to was that information travels on wire, 18 if you will, between Ruby, and I don't know where 19 Ruby is, Cambridge or in California, I have no 20 idea, but that information travels in what we call 21 clear text. In other words, it's not encrypted. 22 Mr. Schwartz's password, Mr. Schwartz's access 23 methodology for going through the gate program, 24 going into Intel computers from outside was 25 traveling in clear text and clear text is like when 175 1 you read a book, that's clear text and encrypted 2 text would be gibberish. 3 If you read a book that was 4 encrypted, you wouldn't see anything you could 5 read. Just a string of characters. That's 6 probably what he was referring to. 7 Q And in referring to that process, a 8 person watching would have to be connected to -- 9 would have access to that series of connections 10 between Mr. Schwartz's computer and the ultimate 11 outside source? 12 A Actually, that's not quite right. The 13 person would have to have access to one of the 14 points along that connection route, not the series 15 of connections. 16 Q But they would still have to have access 17 to one of those points? 18 A Oh, yes. 19 Q Couldn't be somebody just sort of 20 generally existing around in the Internet able to 21 pick this up without having access to one of those 22 points? 23 A But somebody generally existing on the 24 Internet may have access to one of those points. 
Q But they would have to be at that point connected in order for that to -- to be able to intercept --
A They would have to be something running there. Wouldn't have to be actively connected at that moment. They could have a program there and sniffing everything that Randal was doing.
Q Were there different types of connection for educational and commercial networks?
A Uh-huh. There is different domains. This is a .edu command .com which is commercial.
Q So like an educational one would be like NSFNET?
A Yes.
Q And a commercial one might be called an ALTERNET?
A That's one methodology of commercial, yes.
Q Most of the hacking that comes from outside of Intel or companies like Intel inside comes through those educational networks, doesn't it?
A I can't answer that question where most of it comes from. Some certainly does.
Q Are you familiar with an outside hacking program called the MIT worm?
A Which one was it?
Q Robert Morris.
A Yes.
Q Now, this program gained access to Intel, didn't it?
A I wasn't at Intel then. I have no idea. When was that?
Q I think it was obviously before your time at Intel.
A Probably.
MR. TINTERA: 1988.
THE WITNESS: '88? I don't know where I was then. Probably Switzerland.
BY MR. SUSSMAN:
Q When you met with Detective Lilley, according to the affidavit, you mentioned to Detective Lilley that Mr. Schwartz, in order to take information out of Intel, would copy files onto his laptop computer, words to that effect.
A This was when? Monday?
Q Right, Monday when you met with Detective Lilley.
A Yes.
Q And you specifically -- did you also tell him that Mr. Schwartz was security conscious?
A I don't recall.
Q But you did tell him that you expected that he might copy things onto this laptop in order to avoid detection.
Now, that program was running on a computer, Mr.
Schwartz's workstation within Intel, the Crack program?
A Yes.
Q The gate program was running on computers Mr. Schwartz had access to within Intel?
A Yes.
Q They were both running under Mr. Schwartz's own user ID name?
A Yes.
Q The Crack program was clearly running, clearly identified as to what it was, a Crack program?
A Yes.
Q Mr. Schwartz had the ability and the skills to mask the running of that program, to put it under a different name in a different place where it wouldn't have been noticed, didn't he?
A I don't know that for a fact. I would assume so.
Q A person who was sophisticated in UNIX and sophisticated in systems security would be able to run the Crack program on passwords, on a password file, crack the password file, take the password, look at the information and take the information from behind that file and take it out of Intel without leaving a trace, couldn't they?
A Probably. Yeah.
MR. SUSSMAN: May I have just a moment, please.
THE COURT: You may.
(Discussion off the record between Mr. Sussman and Mr. Olstadt.)
BY MR. SUSSMAN:
Q When you told Detective Lilley that Mr. Schwartz could have done -- could have copied these files onto this machine and taken them outside to avoid detection, running the Crack program under his own user name is not a way of avoiding detection, is it?
A No.
Q Running the program clearly marked as "Crack" is not a way to avoid detection, is it?
A No.
Q Clearly marking the file that he's working on so that everybody sees it's the password SSD file is not a way of avoiding detection, is it?
A What do you mean by "everybody"? You used a word there that --
Q Whoever has access to the file to look at it to see what he's working on.
A That's right. Yes.
Q And that program was not set up in a way to make it difficult or obscure for somebody at Intel with access to the machines to see what programs were running on Mr. Schwartz's workstation?
A I think the number of people that had access was limited, but those people could certainly have seen what was going on.
Q And so none of those activities indicated an effort to avoid detection, correct?
A Let me think about this.
Q Well, they are not consistent --
THE COURT: He hasn't answered that.
BY MR. SUSSMAN:
Q They are not consistent with an effort to avoid detection, are they?
A Right. Yes. I would say yes.
Q And did you later on assist the Washington County Sheriff's Office in the review of the materials and files that were found on Mr. Schwartz's computers?
A No, I didn't.
Q Did you provide them with any of the software that was used to examine these files?
A No, I did not.
Q Did somebody else from Intel provide that?
A I heard Mr. Morrissey state that he did.
Q Did you know that search of those records revealed no sensitive information from SSD?
A I had heard that. I don't know that because I haven't seen records.
MR. SUSSMAN: I have nothing further.
THE COURT: Mr. Tintera.
MR. TINTERA: Could you staple these together and mark these as 22, please.

REDIRECT EXAMINATION
BY MR. TINTERA:
Q Mr. Cower, handing you Exhibit 22, can you look through this packet of information and familiarize yourself with its content, please.
MR. SUSSMAN: Before the questioning continues, I'd like to see what this particular exhibit being referred to is, whether or not it was given to me. They haven't shown me.
THE COURT: He can answer the question yes or no if he is able to identify it. Don't say what it is, then we'll show it to Mr. Sussman.
THE WITNESS: All of it?
THE COURT: What was the question?
THE WITNESS: I asked him if he wanted me to look at all of it?
THE COURT: I do.
THE WITNESS: This is a lot of it. This is a duplicate of this. These are duplicates. I believe they are. It looks same as this.
BY MR. TINTERA:
Q Just pull out any of the duplicates.
A Yes, I think I can identify this. Yes, I know what this is.
THE COURT: Show it to Mr. Sussman.
BY MR. TINTERA:
Q What is State's Exhibit 22?
A It looks like the output of a Crack process on a machine called Wyeth started on September 24.
Q Is that the continuation of the running of State's Exhibit 21?
A State's Exhibit 21 is a subset of this. This is Page 1 and 2 of output and this is all of it.
Q That's the rest?
A All of it. Looks like this Crack process goes from September 24th until October 1st.
Q So it ran from September 24th to October 1st?
A That's what it looks like, yes.
Q That was on what file? What file is being cracked here?
A It's cracking a file named password.ssd, that one over there.
Q And was this, as Security Administrator from Intel, was the fact that this Crack process was being run, was that brought to your attention?
A Not this one. The one that was brought to my attention was the one that started out on October 21st.
Q So the process of running Crack wasn't so out in the open that anybody could see it?
A I don't know that we saw this one until the other day, until this week or last week, whenever I looked at the TAR tapes.
Q What I'm trying to ask you, counsel has indicated that this was just out in the open. Now, if someone had walked by Mr. Schwartz's workstation, would it have announced itself as running a Crack program?
A The machines don't generally announce what they are doing to people that walk by. You have to query the machine to figure out what it's doing.
Q So what would you have to do to find out what process was running on Mr. Schwartz's workstation?
A You would have to look at the process taken to see what is actually running on the machine, then make a determination of what is going on.
Q To look at the process table, do you have to do anything? Can you just go up to the computer monitor and the process table is displayed there?
A No. You have to do a PS. The command, I think, is PS.
Q PS?
A Process Status.
Q Do you have to log onto a computer to do that?
A Yeah. Generally, yes.
Q And you have to have a password?
A Yes.
Q So you have to log on and you have to have a password and then you have to do what?
A You can do it without logging on, but you do need a valid account and your name, I believe, to query the process table.
Q Then what do you have to do?
A Look at the status of what the machine is doing.
Q Through some type of inquiry. You have to issue a command and then do sort of an interlude process and look further down into the machine on what it's doing. Like what Mr. Morrissey did when he found the Crack process running on October 21st, what he described what he did.
MR. TINTERA: That's the only thing I wanted to clarify.
THE COURT: Mr. Sussman.

RECROSS-EXAMINATION
BY MR. SUSSMAN:
Q The machine called Wyeth was on Mark Morrissey's desk, wasn't it?
A I don't know where it was located. I knew it was one of the machines that Mark managed. Its physical location, I have no idea.
MR. SUSSMAN: Nothing further.
MR. TINTERA: I would offer 22, Judge.
MR. SUSSMAN: No objection.
THE COURT: 22 is received.
(Whereupon, State's Exhibit No. 22 was received in evidence.)
THE COURT: You may step down. Counsel approach the bench.
(Bench conference off the record.)
THE COURT: We're going to recess for today. Leave your notes in the jury room.
Do not talk about the case.
My belief is the State will rest tomorrow and so then the defense will have an opportunity if they wish to present evidence and we should start that tomorrow.
Have a nice evening. Don't talk about the case.
(Evening recess.)