1 IN THE CIRCUIT COURT OF THE STATE OF OREGON 2 FOR THE COUNTY OF WASHINGTON 3 4 STATE OF OREGON, ) ) 5 Plaintiff, ) ) 6 vs. ) No. C940322CR ) 7 RANDAL LEE SCHWARTZ, ) ) 8 Defendant. ) Volume 10 9 10 11 TRANSCRIPT OF PROCEEDINGS 12 13 BE IT REMEMBERED THAT on the 20th 14 day of July, 1995, the above-entitled matter came 15 on for Hearing before the HONORABLE ALAN C. 16 BONEBRAKE, a Circuit Court Judge. 17 18 APPEARANCES 19 Thomas J. Tintera Washington County Deputy District Attorney 20 Representing the State of Oregon 21 Marc Sussman Attorney at Law 22 Representing the Defendant 23 24 25 2 1 MORNING SESSION 2 BEGINNING AT 9:45 A.M. 3 JULY 20, 1995 4 5 (Whereupon, the following 6 proceedings were held in 7 open court, the jury being 8 present:) 9 THE COURT: It appears I've received 10 a communication from the jury here. Are you 11 providing counsel with copies? 12 (Laughter) 13 THE COURT: This is probably 14 appropriate to read into the record. Apparently 15 the jury is taking my admonition about not talking 16 about the case at heart and, according to the 17 jurors, the jurors are eating at a lunch counter, 18 Judicial ***Mainstreaming, it's the courthouse 19 cafe, and the waiter/owner apparently is saying, 20 "And please remember my warning to you, don't 21 discuss your orders among yourselves, don't let 22 anyone talk to you about your order, don't form any 23 opinions about your order until it's been presented 24 to you." That's probability a good warning. 25 Thank you, ladies and gentlemen. 3 1 MR. TINTERA: You might want to put 2 in the record the resemblance -- 3 (Laughter) 4 THE COURT: That's two, Mr. Tintera. 5 I wanted to say that you probably 6 note that I do have a sense of humor. I appreciate 7 this. Doesn't detract from the proceedings, 8 especially in a case like this that is rather long 9 and complex and also a case where you have the 10 professionalism that's demonstrated by counsel and 11 everyone is doing their job, extremely good 12 advocates, yet they get along and it's nice to take 13 part and participate in a trial where everyone can 14 get along and even a bit of humor comes up but 15 doesn't detract from the serious nature that we do 16 here. And I do appreciate the fact that you all 17 understand that. Thank you for the cartoon. 18 Mr. Sussman, your next witness. 19 MR. TINTERA: We're at Defendant's 20 Exhibit 112, which I object to as not being 21 relevant to any of the issues involved in this 22 case. 23 MR. SUSSMAN: This is a matter that 24 I understood we were going to take up before we 25 started this morning outside the presence of the 4 1 jury. 2 THE COURT: Let's do it during the 3 recess. That's appropriate for me to take up when 4 the jury is not present. 5 Call your next witness. 6 MR. SUSSMAN: Dave Riss. 7 8 DAVID J. RISS 9 called as a witness on behalf of the Defendant, 10 having been first duly sworn under oath, was 11 examined and testified as follows: 12 13 THE CLERK: State your full name and 14 spell it for the record, please. 15 THE WITNESS: David J. Riss. 16 R-i-s-s. 17 18 DIRECT EXAMINATION 19 BY MR. SUSSMAN: 20 Q Good morning, Mr. Riss. Would you please 21 tell the jury how you are employed? 22 A I'm an engineering manager at Intel 23 Corporation. 24 Q How long have you been employed at Intel? 25 A A little over seven years. 5 1 Q Where, at which location at Intel are you 2 working? 3 A Currently I'm at Jones Farm. 4 Q How long have you been in your present 5 position? 6 A About two months. 7 Q Prior to that, what was your -- 8 A Prior to that, I was at SSD. 9 Q How long were you at SSD? 10 A Probably three and a half years. 11 Q During the time that you were at SSD, did 12 you have occasion to come into contact with Randal 13 Schwartz? 14 A Yes. 15 Q And what was the nature of that contact? 16 What was the nature of -- 17 A Randal was a contractor in my 18 organization. 19 Q And what were his duties as a contractor 20 in your organization? 21 A This is in SSD? 22 Q Well, let's back up. When was he a 23 contractor for you at SSD? 24 A Randal was a contractor for me first in 25 IWARP, secondly in SSD. 6 1 Q Well, let's go back to the beginning. 2 When did you first then hire Mr. Schwartz as a 3 contractor at the IWARP section? 4 A The year escapes me, probably 1988, 1989. 5 ***Buying had just closed and Randal had been 6 working there and he had expertise that I could use 7 and I hired him as a contractor to be Systems 8 Administrator on the IWARP network. 9 Q How long did he work for you as a Systems 10 Administrator on the IWARP network? 11 A About a year to two years. 12 Q And then was he a contractor during that 13 entire time? 14 A Yes. 15 Q And after that particular period, did 16 Mr. Schwartz work for you in any other capacity? 17 A Yes, he did. 18 Q And what was that additional capacity? 19 A I hired Randal to come in and develop -- 20 assist with development of a test system that we 21 put together to test some of our software. 22 Q Do you recall when that was? 23 A Not the year. But had to be a couple 24 years later, year and a half later. 25 Q Was this -- was there a period of time 7 1 that Mr. Schwartz continued to work at IWARP and 2 SSD after you were in a different area? 3 A Yes. See if I can -- my job kind of -- 4 projects don't crisply end. They kind of drag on 5 at different times in the industry. So there was a 6 time when Randal worked for me at IWARP directly 7 and I brought him into Intel. And during 8 reorganization, Randal ended up in another 9 organization called IT, which was the Systems 10 Administration part. Intel coordinated all its 11 Intel Systems Administrator into one organization 12 Intel-wide. After Randal left that organization, I 13 brought him back to do this contract work. 14 I don't know if that answered your 15 question. 16 Q I think so. It was sometime -- you're 17 aware then -- were you aware of the incident where 18 there was a disagreement between Mr. Schwartz and 19 Mr. Poehlitz about the distribution of e-mail 20 and -- 21 A I don't know specifically what it was in 22 regard to, but I do know there were disagreements 23 between Randal's technical direction and the 24 direction that Lou and the others wanted to go. 25 Q And it was at that point that 8 1 Mr. Schwartz terminated his contract at SSD? 2 A Correct. 3 Q And you brought him back sometime after 4 that? 5 A Correct. 6 Q Was he working directly for you or was he 7 working for somebody -- also working for somebody 8 else? 9 A At that time, he was really working for 10 one of my supervisors. 11 Q And who would that be? 12 A Herb Mayer. 13 Q Now, when -- like to take you back for a 14 second now. 15 You mentioned that Mr. Schwartz 16 worked with you at IWARP. Would you describe a 17 little bit about what the working environment was 18 like at IWARP when Mr. Schwartz was there working 19 with you? 20 A Well, we were a small team of about 70 to 21 80 people building one product with one focus. 22 Randal's duties specifically were to keep the 23 network up, make sure that we were building an 24 actual microprocessor. And there was -- I'm trying 25 to explain this correctly. 9 1 There was a lot of activity on the 2 network which required sometimes constant 3 interaction from Randal and others to make sure the 4 network stayed up so people could get their work 5 done and we could actually take chips out. 6 Q Did that work involve in the network -- 7 keeping that going involve setting up a 8 communication link with Carnegie Mellon University? 9 A Well, Randal was involved in setting up 10 links to the Internet at IWARP. One of our main 11 contract partners was CMU, so to make sure that we 12 had activity at CMU was very important. 13 Q How did that link set up? Was it allowed 14 communication both ways? 15 A It allowed communication both ways. 16 Q At IWARP in that period of time, was 17 that -- was there a lot of -- were things at Intel 18 very centralized or was the control at ***IWARP 19 more localized? 20 A The control was localized. 21 Q So how to respond to the local needs of 22 the IWARP group in terms of getting your project 23 done? 24 A That's right. We were separated out even 25 business-wise in Cornell Oaks and we had our own 10 1 network. We had our own routers that connected us 2 to the Internet and to the Intelnet. There were 3 two networks. 4 Q Initially that two-way link that existed 5 between IWARP, although IWARP group and CMU, was 6 that initially by a modem? 7 A Before Randal came on board there was 8 something call and ARPA net. The government funded 9 a network and eventually it turned into what is 10 today, the Internet. 11 At a given period of time, the 12 government decided that they would not pay for and 13 sponsor such a network. This is before Randal had 14 actually worked with me. During that time, we 15 actually set up modem-to-modem connection with 16 Carnegie Mellon to keep communication 17 electronically available so we could pass back and 18 forth information, but I don't remember Randal 19 being involved in that particular time. 20 Q What I was asking about was initially 21 whether the connection was through the use of a 22 modem, a phone, call-in modem? 23 A Initially? 24 Q Yes. The first two-way communication 25 link between Carnegie Mellon and Intel, the IWARP 11 1 group. 2 A I wasn't around at the initial part of 3 IWARP. I don't know. Please rephrase. I'm not 4 exactly sure what you're after. 5 Q I'm sorry. Perhaps I didn't hear part of 6 the ***question. Maybe you had given me the answer 7 to that question already. So no wonder you were 8 confused. 9 Where the connections were made by a 10 phone modem, how secure is access through modem 11 compared to, say, access through the other 12 connections with the Internet? 13 A I'm not sure I can really -- 14 MR. TINTERA: Could we have a 15 timeframe? I think this question changes, 16 depending on what timeframe you are looking at. 17 BY MR. SUSSMAN: 18 Q Talking about the timeframe that you were 19 working with Mr. Schwartz at the IWARP group. 20 A At IWARP? 21 Q Yes. 22 A Was one more secured than the other in 23 terms of -- 24 Q Generally how secure was the modem as -- 25 for the connections. 12 1 MR. TINTERA: Could I ask a question 2 in aid of objection? 3 THE COURT: You may. 4 5 EXAMINATION IN AID OF OBJECTION 6 BY MR. TINTERA: 7 Q Were you involved with security at all? 8 A No. Being a manager, I'm always involved 9 with security, but not per se, no. 10 Q So you had people that would manage the 11 security at various groups? 12 A Intel had security policies we had to in 13 some ways enforce. 14 Q Did you have people that were responsible 15 for security? That's my question. 16 A During what timeframe? 17 Q The IWARP period. 18 A I would say no, I guess not. 19 Q Were you the person that was overseeing 20 security at modems or any of the Internet? 21 A If anyone was, it was me, and we did not 22 have a lot of policy at that time in place. 23 MR. TINTERA: I don't have any 24 objection. Thank you. 25 THE COURT: Proceed. 13 1 BY MR. SUSSMAN: 2 Q In Mr. Schwartz's position, did he have 3 responsibility for maintaining security of the 4 network or the systems that he was working on? 5 A Not initially, but as Intel put policies 6 in place, yes, I think -- pretty sure he was 7 involved in tightening down the security on IWARP. 8 Q And what did he do to tighten down the 9 security? 10 A Good question. Some things he would do 11 would be to assure if passwords were not very 12 easily -- easy to break. There were other things 13 I'm sure Intel enforced on us in terms of software 14 we would run on our routers so we put up a fire 15 wall to allow people to not be able to get in via 16 any other way besides electronic mail. 17 Q Did Mr. Schwartz run programs to test the 18 security of the passwords? 19 A Sure. 20 Q And what were the programs that he would 21 run? 22 A I don't recall. I know I've heard the 23 word Crack program. 24 MR. TINTERA: I object if the 25 witness doesn't recall. 14 1 THE COURT: Don't guess or 2 speculate. 3 THE WITNESS: At that time, I do not 4 recall. 5 BY MR. SUSSMAN: 6 Q While Mr. Schwartz was working on the 7 contract for you, was he involved with product 8 information or was he working with information and 9 support technology? 10 A Product information? In terms of -- 11 probably in both cases, IWARP and SSD, yes, product 12 information, sure. 13 Q Now, let me go back to this -- the 14 contract that you brought him back to do later 15 on -- let me back up. 16 Were you aware while you were there 17 at IWARP and the project was going on where there 18 was the communication with Carnegie Mellon of 19 the -- Carnegie Mellon's ability to Telnet into 20 IWARP from Carnegie Mellon? 21 A Yes. 22 Q Was Mr. Schwartz involved in setting up 23 that communication? 24 A Probably. 25 MR. TINTERA: Can I ask a question 15 1 in aid of objection? 2 THE COURT: You may. 3 4 EXAMINATION IN AID OF OBJECTION 5 BY MR. TINTERA: 6 Q Do you know, Mr. Riss, or not? 7 A The reason I said "probably" is because 8 Randal knew the network better than anyone. 9 Q The question is, do you have personal 10 knowledge whether he was involved in that or not? 11 A I don't recall. 12 MR. TINTERA: I'd ask that the 13 previous answer be stricken. 14 THE COURT: I'll ask the jury to 15 disregard the last answer by the witness. I'll 16 strike it. 17 BY MR. SUSSMAN: 18 Q Did Mr. Schwartz's responsibilities for 19 you include working on the areas that would set 20 those communication links up? 21 A Yes. 22 Q And Mr. Schwartz was an independent 23 contractor as opposed to an employee? 24 A Yes. 25 Q Was there a difference then as an 16 1 independent contractor in how you were able to 2 direct or control the methods of his work as 3 opposed to employees? 4 A Yes. 5 Q And what were the differences? 6 A Randal had to be able to acquire some 7 income outside of Intel Corporation itself, which 8 means he was employed by others. He had to -- I 9 did not direct him as a staff member. I could not 10 require him to be at staff meetings. I couldn't 11 require him, doesn't mean he didn't show up at 12 times, because he would always be notified. He 13 worked outside of the office at some times 14 remotely. 15 Q When you say "remotely," what does that 16 mean? 17 A Usually from home, would be my guess. 18 Q Did he also work when he was on business 19 elsewhere from sites out of town? 20 A I don't recall him doing that. 21 Q Go ahead. You were saying he was working 22 at sites remotely and -- 23 A There were other bylaws that we had to 24 make sure that the person is truly an independent 25 contractor versus an employee. Such things like no 17 1 benefits, paid by the hour, that kind of stuff. 2 Q And one of the key tests was that you 3 could give him the job to do, tell him what you 4 wanted done and -- 5 MR. TINTERA: Objection to the 6 leading nature, Judge. 7 THE COURT: Sustained. 8 BY MR. SUSSMAN: 9 Q Was there differences then in terms of 10 your -- between an employee and a contractor in 11 terms of setting goals and setting the methods and 12 directing the day-to-day methods of how those goals 13 were accomplished? 14 A Yes. That's true. 15 Q There was a difference. And the 16 difference was what? 17 A With an individual employee, I would have 18 more of a mentor, more of a overseer of day-to-day 19 activities. As an independent contractor, a 20 specific task or tasks would be assigned and that 21 individual was to go off and do that work in some 22 ways without a lot of supervision. 23 Q Now, when you brought Mr. Schwartz back 24 to work on this project in late '92, after you 25 hired him to provide the software support -- 18 1 A Yes. 2 Q -- was that again as a contractor? 3 A Yes. 4 Q And do you recall having any discussions 5 or understanding with Mr. Schwartz about his -- the 6 prospects for coming back after that for continued 7 work with you at SSD? 8 A Yes. 9 Q And what was that? 10 A Randal put together this system and -- I 11 don't remember the crisp end to when he was 12 complete, but the system was up and running, and 13 I'm sure I had conversations then about future 14 work. I always keep contractors available -- 15 MR. TINTERA: Could I ask a 16 question? 17 THE COURT: You may. 18 19 20 21 22 23 24 25 19 1 EXAMINATION IN AID OF OBJECTION 2 BY MR. TINTERA: 3 Q Do you remember a conversation? 4 A Yes. 5 MR. TINTERA: I don't have any 6 objection. 7 THE WITNESS: Yes. I have them with 8 a lot of people. I try to keep contractors 9 available at different times for me if I need them. 10 Instead of going through contract firms, I like to 11 use independent contractors in some ways more 12 because I know their capabilities and their skill 13 sets. 14 BY MR. SUSSMAN: 15 Q Was Mr. Schwartz somebody then that you 16 particularly wanted to bring back? 17 A Yes. 18 Q And why was that? 19 A Because of his skill sets and his ability 20 to be able to get things done on schedule. 21 MR. SUSSMAN: Thank you. 22 23 24 25 20 1 CROSS-EXAMINATION 2 BY MR. TINTERA: 3 Q And you'd bring him back if you needed 4 him? 5 A Yes. 6 Q So the contract was basically at an end 7 when you had this conversation, his job was done? 8 A I can't say that the timeframe it was 9 done or just about done. 10 Q But you mentioned that the contract was 11 complete or his project was complete. 12 A Yes. 13 Q That's the logical time to have that type 14 of conversation. I mean, "You're done here, but I 15 may need you again"? 16 A Right. Or there may have been a problem 17 with what was done. You don't always get the bugs 18 out of a system and I might want to extend it, 19 Q Right. 20 A That's correct. 21 Q We know there is a difference between an 22 employee benefit package at Intel and the 23 contractor who is working under contract at an 24 hourly rate. Did you find in your dealings with 25 Mr. Schwartz in the IWARP division of Intel that 21 1 acknowledging that he was a contractor that ***it 2 was necessary to direct him to stay within the 3 policies of the Intel Corporation? 4 A Yes. 5 Q So you were able to do that? 6 A Oh, yes. 7 Q Can you think of any specific times where 8 you had to do that? 9 A Not from a technology standpoint as much 10 from a personal standpoint in terms of meetings 11 with other people. Sometimes Randal was a little 12 bit abrasive to people in meetings. He did know 13 quite a bit about what was going on on networks 14 about UNIX, and so at times we had discussions 15 about his approach to other people within Intel. 16 Q As his -- the person who brought him on 17 board, did you orient him at all, give him an 18 orientation? 19 A No formal orientation. 20 Q Informal orientation or no orientation? 21 A No orientation. 22 Q And so when you bring someone into the 23 corporate fold of Intel as a contractor, did you 24 feel you were able to direct him to stay within the 25 policies of Intel? 22 1 A Please ask the question again. 2 Q Would you expect him to follow the 3 policies of Intel, of the Intel Corporation? 4 A Yes. 5 Q Even though he was a contractor and not 6 an employee? 7 A Yes. 8 Q Did you feel you had the ability to 9 direct him if he was violating those policies? 10 A Yes. 11 Q This project in late 1992, that was under 12 your supervisor, Herb Mayer? 13 A Yes. 14 Q So that was the TA project? 15 A I guess you would call it the test 16 ***aTom to know. 17 Q Yes? 18 A Sounds right, yes. 19 Q We can't use -- we can't say those big 20 words. 21 A Recalling all those acronyms from 22 sometimes three years ago is difficult. 23 Q We use abbreviations. 24 Did this project at all -- did you 25 authorize Mr. Schwartz to be cracking the 23 1 Supercomputer Division password file in this time, 2 in any timeframe? 3 A Not the Supercomputer Division, no. 4 MR. TINTERA: Thank you. I don't 5 have any other questions. 6 7 REDIRECT EXAMINATION 8 BY MR. SUSSMAN: 9 Q Was there a time when Mr. Schwartz was 10 authorized to run a cracking program against 11 certain password files? 12 A Yes. 13 Q And what was that and when? 14 A That was in terms of IWARP when he worked 15 for me. As I said, when we were putting in 16 security, he was running crack programs on every 17 password to assure that outside folks could not get 18 in and crack passwords easily. 19 Q And the purpose of testing the password, 20 you say so they couldn't get in, how important was 21 the password to the security of -- 22 A How important is the password? The 23 password lets you into someone's area and there is 24 intellectual property rights on disk, so a 25 ****property house low you to get at in case is he 24 1 intellectual passwords property. 2 Q So when you have bad passwords, does that 3 create a risk to the company? 4 A Yes. 5 Q During the time that Mr. Schwartz worked 6 with you, did you ever disseminate to him, give him 7 any policy manuals on Intel security policies? 8 A I did not, no. 9 MR. SUSSMAN: Thank you. Nothing 10 further. 11 12 RECROSS-EXAMINATION 13 BY MR. TINTERA: 14 Q Mr. Riss, when did this -- when you 15 worked at IWARP, when did this authority to crack 16 IWARP's password files that you had given to 17 Mr. Schwartz end? 18 A From my standpoint it ended when he quit 19 working for me in a reorganization. 20 Q When was that? 21 A About a year and a half to two years 22 after he started for me. I put another supervisor 23 in place and she then, during the reorganize, owned 24 Randal and those activities. 25 Q Can you give us -- I don't want the date 25 1 like July 20, 1995 -- can you give me an idea? 2 A It was about a year and a half to two 3 years after I hired him. 4 Q When did you hire him? 5 A 1991, I guess. I'm sorry. Times kind of 6 blend in. 7 Q But it had nothing to do with the 8 Supercomputer Division? 9 A At that time we were just IWARP, that's 10 correct. 11 MR. TINTERA: That's all I have. 12 THE COURT: Mr. Sussman? 13 MR. SUSSMAN: Nothing further. 14 THE COURT: Thank you. You may step 15 down. You're free to go. 16 Call your next witness. 17 MR. SUSSMAN: I'm prepared to call 18 Bob Wilcox. 19 THE COURT: He's not here, 20 Mr. Sussman. 21 MR. SUSSMAN: If I have a moment, I 22 will see who is there. 23 THE COURT: You may. 24 (Pause in the proceedings.) 25 26 1 DR. ROBERT P. DOUGHTON 2 called as a witness on behalf of the Defendant, 3 having been first duly sworn under oath, was 4 examined and testified as follows: 5 6 THE CLERK: State your full name and 7 spell it for the record, please. 8 THE WITNESS: My name is Dr. Robert 9 P. Doughton. D-o-u-g-h-t-o-n. 10 11 DIRECT EXAMINATION 12 BY MR. SUSSMAN: 13 Q Dr. Doughton, what is your occupation? 14 A I'm a physician in Lake Oswego. 15 Q And do you live in Lake Oswego, also? 16 A Yes. 17 Q Where is your practice? 18 A Right now it's in Lake Oswego, but I used 19 to practice in Beaverton and at the Tuality 20 Hospital and St. Vincent's Hospital in the years of 21 1965 up to about 1980. 22 Q Dr. Doughton, do you happen to know 23 Randal Schwartz? 24 A I know Randal very well. 25 Q How is it that you know Randal Schwartz? 27 1 A Randal is an ex-boyfriend of my daughter 2 Katherine. 3 When she was in college, that's got 4 to be in the young '80s, she brought home Randal as 5 a boyfriend and they were in a relationship for 6 about a year and then they broke up. And my wife 7 and I went to our daughter Katherine and said, "Do 8 you mind if we keep" -- 9 MR. TINTERA: Judge, I think he's 10 answered the question. 11 THE COURT: Sustained. 12 BY MR. SUSSMAN: 13 Q Well, Dr. Doughton, that's how you 14 initially met Mr. Schwartz? 15 A Yes. 16 Q Could you tell the jury then, did you 17 have any -- after he broke up with your daughter, 18 did you have any further contact with him? 19 A Yes. My wife and I went to our daughter 20 and asked if she would mind if we kept Randal as 21 our friend and -- 22 Q Why was that? 23 A We found him an engaging and very 24 intelligent and fascinating person and we liked 25 him. And we have lots of young friends, so we just 28 1 asked if she minded and she thought it over and 2 allowed that she didn't mind. 3 Q And over the years since then, have you 4 had much contact with Mr. Schwartz? 5 A Yes, a lot. Both my wife and I and my -- 6 MR. TINTERA: Judge, I think he 7 answered the question. I object to any further 8 elaboration. 9 BY MR. SUSSMAN: 10 Q What's the nature of that contact, 11 Dr. Doughton? 12 A It's mostly social and also it's involved 13 with several projects. He -- 14 MR. TINTERA: I object to any 15 elaboration, judge. 16 THE COURT: Overruled. He can 17 explain. Go ahead. 18 BY MR. SUSSMAN: 19 Q What kind of projects are you referring 20 to? You don't have to mention anything 21 specifically by name, but just in general what kind 22 of projects? 23 A We have worked on foundations. We worked 24 for a charitable project involving children. We 25 worked on public access television. That's 29 1 probably about it. We also bought some antiques 2 together. 3 Q Now, in the course of your -- the time 4 that you've gotten to know Randal Schwartz, were 5 you able to perform form an opinion about his 6 character for trustworthiness and for honesty? 7 A Yes. 8 Q And what is that opinion, Dr. Doughton? 9 A Randal is innocent. 10 MR. TINTERA: Objection. Judge -- 11 THE COURT: Sustained. I'll ask the 12 jury to disregard the last answer by the witness. 13 BY MR. SUSSMAN: 14 Q Dr. Doughton, what is -- please explain 15 to the jury, we're not asking -- 16 THE COURT: Have you had a chance 17 with this witness about the nature of his 18 testimony, what he would be testifying to and that 19 sort of thing? 20 MR. SUSSMAN: I did, Your Honor. I 21 think the witness is -- was responding in a way 22 different than -- with a different meaning than may 23 have come across here. 24 MR. TINTERA: Would you -- 25 30 1 BY MR. SUSSMAN: 2 Q Dr. Doughton, would you just -- 3 MR. TINTERA: Judge, this area of 4 the law is very narrow and very direct as to what 5 the answer can be and the question can be. If this 6 witness has not been advised of that, then I 7 think -- I would request the Court to allow counsel 8 to have a recess to talk to this witness about what 9 the Evidence Code provides for in this area of a 10 trial. 11 MR. SUSSMAN: Your Honor, I think -- 12 we have spoken about that. I think that was an 13 ***unput choices of words and -- 14 THE COURT: Ask your question again. 15 I think the question, first of all, can be answered 16 yes or no. He asked you if you formed an opinion 17 about his character for trustworthiness, as I 18 recall. 19 MR. SUSSMAN: And for honesty, yes. 20 THE COURT: Can you answer that yes 21 or no? Have you formed an opinion about that? 22 THE WITNESS: Yes. 23 BY MR. SUSSMAN: 24 Q What is your opinion about his character 25 for trustworthiness and honesty? Please understand 31 1 the concern is that there be no comment on the 2 charges. 3 A I didn't mean to be commenting. I'm 4 sorry. 5 Randal has enormous integrity. His 6 character of the highest caliber, totally moral 7 person. And not only that -- 8 MR. TINTERA: Objection. It's not 9 responding to the specific questions. 10 THE COURT: Sustained. 11 MR. TINTERA: I'd ask the Court to 12 have the jury disregard -- 13 THE COURT: I'll strike the answer. 14 The jury will disregard it. 15 MR. SUSSMAN: Your Honor, is the 16 entire answer stricken? 17 THE COURT: Yes. 18 BY MR. SUSSMAN: 19 Q Dr. Doughton, in simpler terms without 20 going on, what is your opinion as to his character 21 for honesty and trustworthiness? 22 A If I say the same things I did before -- 23 I said he was good moral character. 24 MR. TINTERA: Judge, I'd ask for a 25 short recess, please. 32 1 THE COURT: I'm striking that 2 answer. Do you wish to try again or do you wish a 3 recess? 4 MR. SUSSMAN: Let's take a recess. 5 THE COURT: Remove the jury and 6 we'll take a mid-morning recess. 7 You may step down, sir. Have a talk 8 with Mr. Sussman during the recess. 9 (Whereupon, the following 10 proceedings were held in 11 open court, out of the 12 presence of the jury:) 13 MR. TINTERA: Judge, we had a motion 14 in limine about certain things that would come in 15 before the jury and would not. It was violated 16 yesterday when the character witness testified 17 about the charitable project involving children and 18 worldwide scope of this. Charitable project was 19 allowed by the Court and that's fine. 20 It's been violated by this witness 21 again and I talked to counsel this morning about 22 this. I said we had this motion in limine. I 23 thought we had an understanding about what would be 24 admitted and what would not. And he said we did, 25 and so I didn't bring it up again with Your Honor, 33 1 but we have got rules and they're being violated. 2 This area of the law requires, "Do 3 you have an opinion? Is it good? Is it very good? 4 Is it excellent?" It doesn't require a discourse 5 about the foundation for the opinion. 6 THE COURT: Commonly these questions 7 are answered -- when the question is asked, "What's 8 your opinion," they are commonly answered by a 9 witness saying, "My opinion is he's an honest and 10 trustworthy person." In its simplest form. That's 11 the appropriate answer. 12 I'm not suggesting that it's the 13 only appropriate answer, but that's the gist of 14 what is permitted. 15 MR. SUSSMAN: I understand that. 16 THE COURT: Talking about being a 17 moral person and having the highest integrity, 18 those sorts of things, although to a layperson 19 those may be important, those are not permitted 20 because they start getting into the other areas 21 other than permitted for this very narrow issue. 22 Now, do you want to talk to him 23 about that? If he can answer that, we'll give him 24 one more opportunity, and if not, I'm going to 25 excuse him. 34 1 MR. SUSSMAN: No. I'll have a -- I 2 want to talk to him about that. 3 Number one, as far as the witness 4 yesterday regarding the children's project, as I 5 informed Mr. Tintera, I did speak with the witness 6 about that and admonished him not to mention the 7 project by name, simply came out during a question 8 which was in general terms. Even this morning with 9 this witness again, I tried to reiterate that if 10 Your Honor recalled the question and asked him not 11 to specifically mention -- 12 THE COURT: You said he worked on 13 various projects. 14 MR. SUSSMAN: That's right. 15 THE COURT: And that -- 16 MR. SUSSMAN: I believe the Court 17 understands that sometimes witnesses, in -- 18 THE COURT: I'm not suggesting that 19 you did anything inappropriate, Mr. Sussman. This 20 is a common area of difficulty when we call 21 character witnesses, and so I know that defense 22 counsel need to spend extra time talking with 23 character witnesses on this very issue. And I'd 24 like to have you do that so that we can be 25 relatively certain that witnesses -- other 35 1 character witnesses you call will not answer 2 inappropriately. Or at least to reduce that risk. 3 All right. 4 MR. SUSSMAN: Thank you, Your Honor. 5 THE COURT: Take a short break. 6 (Recess taken.) 7 THE COURT: Proceed, Mr. Sussman. 8 MR. SUSSMAN: Thank you, Your Honor. 9 BY MR. SUSSMAN: 10 Q Dr. Doughton, before the break I asked 11 you if you had an opinion about Mr. Schwartz's 12 character for trustworthiness and honesty. You do 13 have an opinion? 14 A I do have an opinion. 15 Q Would you please tell the jury what that 16 opinion is? 17 A Mr. Schwartz is trustworthy and honest. 18 MR. SUSSMAN: Thank you. I have 19 nothing further. 20 MR. TINTERA: Thank you, 21 Dr. Doughton. Sorry for giving you a hard time. I 22 don't have any questions for you. 23 THE COURT: Thank you. You may step 24 down. You're free to go. 25 MR. SUSSMAN: I'd like to call Bob 36 1 Wilcox now. 2 3 ROBERT WILCOX 4 called as a witness on behalf of the Defendant, 5 having been first duly sworn under oath, was 6 examined and testified as follows: 7 8 THE CLERK: State your full name and 9 spell it for the record, please. 10 THE WITNESS: Robert Wilcox. 11 W-i-l-c-o-x. 12 13 DIRECT EXAMINATION 14 BY MR. SUSSMAN: 15 Q Mr. Wilcox, again, you're still working 16 at Intel? 17 A No. What was the question? 18 Q I said are you still working at Intel? 19 A I'm not working at Intel. I quit in 20 January. I'm not an Intel employee. 21 Q At any rate, we brought you back to ask 22 you a few additional follow-up questions about your 23 work with Mr. Schwartz at Intel. 24 First, I'd like to show you what has 25 been marked for identification as Defendant's 37 1 Exhibit 115. If you would just take a look at that 2 for a moment. Do you recognize what that document 3 is? 4 A Yes. 5 Q Please tell the jury what it is. 6 A When Randal first came, I left him this 7 note, I had to leave town, and it gives him a list 8 of things to do in setting up the new computer 9 systems in our department. 10 Q And in giving him that list of things to 11 do, you outlined what was there and just basically 12 gave some general directions? 13 A That's correct. I told him where 14 everything was, where his office was, what he 15 should start working on, getting systems ready, and 16 mentioned our secretary could get him any supplies 17 he needed or answer any questions while I was gone, 18 and then told him to have fun getting to work on 19 it. 20 Q And what did you mean by that? 21 A Well, when we get these new systems, they 22 come in boxes and it's like Christmas and you have 23 to open them up and then you really get to work, 24 although one of the most fun things to do is set up 25 a computer system. 38 1 Q Start playing with it and figuring out 2 what it can do? 3 A First you have to wake it up and install 4 the software and then you have to begin to 5 understand how they work. 6 Q Were you familiar with one of the 7 machines in your system that was referred to as 8 Wyeth? 9 A Yes. 10 Q And what kind of computer was that? 11 A I don't recall the specific model of 12 computer that was. That was one of our Sun 13 workstations and that was one of the ones that Mark 14 Morrissey set up and named, because I would not 15 have chosen that name. 16 Q Later on there was another machine that 17 he named called -- a Sun machine that came to be 18 named Snoopy? 19 A Correct. That was also one of Mark's. 20 It could have been the same machine. I wouldn't 21 remember which specific one. Sometimes one would 22 be renamed and become a new name, so I'm not the 23 expert on that. 24 Q Now, do you recall whether in June or 25 July of 1993, during the time that there was -- it 39 1 was in the transition of Mr. Schwartz's 2 responsibilities, a conversation with Mr. Morrissey 3 which he came to you and you said, "I believe it's 4 time," and discussed Mr. Schwartz root privileges? 5 A I don't remember specifically that 6 conversation or when it occurred. I would expect 7 that that kind of conversation would happen and I 8 would expect a transition. 9 Remember, we talked about the three 10 different roles that Randal had? So we'd expect 11 the transition, but I can't remember when it 12 occurred or specifically whether root privilege was 13 discussed as part of that. 14 MR. SUSSMAN: Thank you. I have 15 nothing further. 16 Hold on. I'm sorry. 17 BY MR. SUSSMAN: 18 Q At that time was there still root on the 19 DNS servers? 20 A Yes, because that was Randal's continuing 21 responsibility. 22 MR. SUSSMAN: Thank you. Nothing 23 further. 24 25 40 1 CROSS-EXAMINATION 2 BY MR. TINTERA: 3 Q So it was your understanding of the three 4 areas that you mentioned to the jury last week that 5 eventually Mark Morrissey would take over the 6 Systems Administration duties in your work group 7 from Mr. Schwartz? 8 A For the network management systems, yes, 9 not necessarily the DNS systems. 10 Q Right. And so those who set up the 11 machines, they get to name them, is that how it 12 works? 13 A In my group, that was my policy. I want 14 to empower the people working for me and there is a 15 whole philosophy of choosing names and so people 16 need to learn how to do that for themselves. 17 Q When I think about these machines, it's 18 kind of like the ones you might see at a store in a 19 box. Are these the same type of machines or are 20 they different, these Sun workstations? 21 A You can't go out to the regular computer 22 store and buy them, so they are different in that 23 way. But they are still computers and -- 24 Q Do you have any idea how much these 25 things cost? 41 1 A These were in the range of around 6,000 2 to $10,000. 3 Q I don't think we'll be seeing these at 4 Fred Meyer, are they? 5 A Well, that's what they cost at that time 6 a year and a half ago. They're cheaper now. 7 THE COURT: Computers go down in 8 price. 9 THE WITNESS: Absolutely. 10 THE COURT: Become more obsoleted or 11 replaced by more high-tech models? 12 THE WITNESS: Same performance goes 13 down in price. Higher performance ones are 14 introduced at higher or same price. 15 BY MR. TINTERA: 16 Q Mr. Wilcox, the Defendant's Exhibit 115, 17 the document you wrote out, that was in February of 18 1992? 19 A That's not dated. That would make sense, 20 but I couldn't tell you. It was probably when he 21 first came on. 22 MR. TINTERA: Thank you. No further 23 questions. 24 MR. SUSSMAN: Nothing further. 25 THE COURT: Did you offer 115 or -- 42 1 MR. SUSSMAN: No, I would like to 2 offer that now. 3 MR. TINTERA: I don't object to 4 that. 5 THE COURT: 115 is received. 6 (Whereupon, Defendant's 7 Exhibit No. 115 was received 8 in evidence.) 9 THE COURT: Thank you. You may step 10 down and you are free to go. 11 Call your next witness. 12 MR. SUSSMAN: Like to call Herb 13 Mayer now. 14 15 HERB MAYER 16 called as a witness on behalf of the Defendant, 17 having been first duly sworn under oath, was 18 examined and testified as follows: 19 20 THE CLERK: State your full name and 21 spell it for the record, please. 22 THE WITNESS: My name is Herb Mayer. 23 M-a-y-e-r. 24 25 43 1 DIRECT EXAMINATION 2 BY MR. SUSSMAN: 3 Q Mr. Mayer, I'd like to ask you a couple 4 additional questions. 5 When you were administering or had 6 the contract, had Mr. Schwartz do work for you as a 7 contractor and had the access to the various 8 computers in the group that you were working on, 9 was the password files of those computers readily 10 readable to him at that time? 11 A The password file was and always is 12 publicly readable and accessible. That is quite 13 common and that's one of the curious things about 14 UNIX. Any beginning UNIX programmer knows right 15 away that it exists, where it exists and it's a 16 typical challenge to take a look at it. 17 Q When you say it's a typical challenge, 18 what do you mean? 19 A It's an encoded file. The passwords are 20 all there but encoded, encrypted but not readable. 21 The reason why it's publicly 22 available, one has so much trust and faith in the 23 encryption, it's impossible to decrypt it. But 24 everybody tries to decrypt it. Nobody practically 25 succeeds, so it's a challenge. 44 1 Q So then is it common for people, 2 especially people who have Systems Administrator 3 positions, to run password-cracking programs 4 against these things to test -- 5 A The Systems Administrator should. That's 6 part of a good Systems Administrator job to do it. 7 In fact, the output of that process is to say, 8 "Dear Joe or Jim, you have a bad password because I 9 cracked it. Please choose a better one so the next 10 time around one doesn't have such easy access to 11 it." 12 Q What's the importance of making sure the 13 passwords can be cracked? 14 A Confidentiality of information, which is 15 stored by user. 16 Q So the passwords are sort of the main 17 line of defense for people getting into places they 18 shouldn't? 19 A That's correct. 20 Q So what does that -- what is a bad 21 password or a password that can be readily broken? 22 A There are lots of bad passwords. A 23 typical bad password is that the user with the name 24 Jim uses as a password, again the word Jim. So any 25 password-cracking programs tries as a first line of 45 1 let me decode this, the user ID off of the 2 respective programmer himself. 3 The second bad kind of password is 4 common English names, especially first names of 5 spouse and children. Mayer, Jim, Joe, bad 6 passwords. They are likely members of the family 7 and they are being tested right away in the 8 cracking process. 9 Q What's another common bad password? 10 A Common English nouns. 11 Q Words commonly found in the dictionary? 12 A Exactly. 13 Q Now, you mentioned something about some 14 sort of challenge to trying to crack passwords or 15 something. 16 A Well, anybody with curiosity will say, 17 "You mean there is secret information?" Yet it's 18 available publicly for anybody to look at. There 19 seems to be an apparent conflict. 20 That conflict raises a question mark 21 in most curious people's minds or most intelligent 22 people's minds and they will take a look at 23 resolving the conflict saying what can be there 24 secret if I have public access to this, until one 25 understands it's encoded. Even though you look at 46 1 it, you can't do anything with the information. 2 Q Now, going on to the one other thing, as 3 far as when the contract that you had with 4 Mr. Schwartz was in effect, was there an actual 5 written contract with duration to it? 6 A I'm pretty sure that the -- between the 7 two of us, we never had a written contract and I 8 had assumed and still believe that there was a 9 larger contract that Mr. Schwartz had with Intel in 10 Hawthorn Farms where he was employed as a 11 contractor for -- along that time. Mine was fairly 12 limited and only a small section of that period. 13 Q So it was more like an understanding 14 between the two of you? 15 A That's correct. 16 Q And did that understanding then -- to 17 what extent, if at all, did that understanding 18 extend to the potential for follow-up work? 19 A Well, the potential for follow-up work 20 would always be there and in fact was there if the 21 work delivered would be as it was expected in the 22 beginning. 23 Q And was that communicated to 24 Mr. Schwartz? 25 A I don't remember whether I told him 47 1 explicitly there will be follow-up work. No, I 2 should phrase it differently. I don't remember 3 explicitly whether I told him that he would be the 4 one conducting follow-up work. I know there would 5 be follow-up work. 6 The project, even though limited in 7 time, was simple enough we could do it in short 8 time, yet complicated enough that I knew it would 9 be a living piece of software and it would live 10 forever and lives today and will be maintained 11 today. 12 Q And the work involving the system, the 13 collection of computers also included the computer 14 that was called Brillig? 15 A Yes, it did. That was one of the 16 necessary building blocks. 17 MR. SUSSMAN: Thank you. I have 18 nothing further. 19 20 21 22 23 24 25 48 1 CROSS-EXAMINATION 2 BY MR. TINTERA: 3 Q Mr. Mayer, when did you call Mr. Schwartz 4 back for the follow-up work? 5 A I didn't call him for follow-up work. 6 That's why I was careful phrasing. I don't 7 remember whether I told him that he would be the 8 one to do follow-up work. 9 Q So he wasn't called back? 10 A That's correct. 11 Q And I don't mean to embarrass you, but 12 you seem like a fairly bright individual. 13 A No. 14 Q Are you curious? 15 A Yes. 16 Q So when has your curiosity caused you to 17 run the Crack password program against any password 18 files at the Intel Corporation? 19 A I never ran the Crack program against it. 20 Q Why not? You're curious, aren't you? 21 A Yes. But I looked at it. 22 Q Okay. 23 A In other words, I took a text editor, 24 edited the file itself to gain some understanding 25 of what does this password file look like. 49 1 Q Sure. Where did you copy it to? 2 A Into my private directory, so when you 3 use an editor, you automatically import whatever 4 you look at into your current working environment. 5 Q Did you run Crack against it? 6 A No. 7 Q Why not? 8 A I didn't have the Crack program. 9 Q It's publicly available. 10 A Yes, but there is millions of publicly 11 available programs. Most of them I will never be 12 able to touch due to time limitation or interest 13 limitations. 14 Q Well, you said that -- you referred to 15 the password program as publicly available so I 16 could copy it. 17 A Yes, you can. 18 Q And where would I find that? 19 A In /etc/user. So that's nomenclature in 20 this computer world slash means you started at the 21 topmost level where all directories are and "etc" 22 happens to be one of the main directories where you 23 stuff all the stuff that you don't know where else 24 it should sit. 25 Q So if I had a computer right here in 50 1 front of me, I could access this information? 2 A You bet, without any problem. Unless you 3 had an unconventional or unusual operating system. 4 Q How would I be able to use this 5 information at Intel Corporation? 6 A You probably couldn't. 7 Q Why would that be? 8 A Because it's encrypted. The information 9 that is there is encrypted so you cannot see the 10 meaning of it. You see strange characters, strange 11 sequences of characters. 12 Q You seem to give me the impression that 13 anyone could go into the Intel network and access 14 the Intel network. 15 A If I ever gave that impression, that must 16 have been a mistake and I would like to correct 17 that impression. Not anybody can go into the Intel 18 network. They take great pains of making sure that 19 nobody can go into the Intel network. However, 20 once you have already legal access to one of the 21 computers, once you have any access to new -- to 22 one of the computers of Intel's network, then you 23 can look at any file that is available in and 24 throughout the network. 25 Q So you were assuming that I had legal 51 1 access to an Intel computer? 2 A Correct. 3 Q Well, that's an important assumption. So 4 that your understanding of public knowledge assumes 5 a legal access to the computer? 6 A Correct. 7 Q So it's not public in the sense that it's 8 in a public library that anybody with a library 9 card -- well, you need the library card for it to 10 be public access and that's what Intel gives you to 11 access their system, is that fair, as a contractor 12 or employee? 13 A Your impression is right. Joe Smith off 14 the street cannot look at the file simply because 15 that person doesn't even have access to the 16 keyboard. There is a security guard, you cannot go 17 into the building, folks. 18 But if you were inside the building 19 and -- you wouldn't be able to sit down at any of 20 the computers and you have -- you have the right to 21 log in to any of the computers on the network, then 22 you can look at this password file, which again is 23 encrypted. 24 Q So if your account hasn't been disabled, 25 you can look at it because you would not have 52 1 access then to those? 2 A When your account is disabled, you can't 3 do anything. 4 Q So it would have been on an account that 5 you are authorized or have a valid password for? 6 A Delicate question. Whether authorized or 7 not, as long as you have some access to the 8 network, authorized or not, then you can look at 9 it. 10 The reason why I'm making that fine 11 point is apparently that's an issue here in this 12 case, whether or not one is authorized. 13 MR. TINTERA: Thank you. 14 15 REDIRECT EXAMINATION 16 BY MR. SUSSMAN: 17 Q Just to clarify a couple things. So if 18 one has an active password on any computer, that 19 allows access? 20 A Right. 21 MR. SUSSMAN: Thank you. Nothing 22 further. 23 24 25 53 1 RECROSS-EXAMINATION 2 BY MR. TINTERA: 3 Q Does that automatically mean you're 4 authorized to access that computer? 5 A Good. This point came up two days ago 6 when I was here for the first time. 7 There is no need to and there is no 8 capability of authorization one doesn't need to. 9 It really means the access is there free for 10 anybody. If you can do anything with that computer 11 at all, you can look at that password file. There 12 is no process in place saying you have formal 13 authorization to look at it. There is no such 14 process in place. It is publicly readable. It is 15 stored in ETC. It is stored in the container that 16 says, "Well, I don't know where it really should 17 belong, throw it in here," this file that anybody 18 can look at. It is that freely available to 19 anybody who can do anything with the computer at 20 all. 21 Q Right. 22 MR. TINTERA: Thank you. 23 MR. SUSSMAN: Nothing further. 24 THE COURT: Thank you. You may step 25 down. You're free to go. Thank you for being here 54 1 again. 2 Mr. Sussman. 3 MR. SUSSMAN: We'd like to call 4 Russell Schwartz, if he's gotten here yet. 5 6 RUSSELL SCHWARTZ 7 called as a witness on behalf of the Defendant, 8 having been first duly sworn under oath, was 9 examined and testified as follows: 10 11 THE CLERK: State your full name and 12 spell it for the record, please. 13 THE WITNESS: Russell Schwartz. 14 S-c-h-w-a-r-t-z. 15 16 DIRECT EXAMINATION 17 BY MR. SUSSMAN: 18 Q Mr. Schwartz, where do you live? 19 A I live at 12290 Southwest Butner Road. 20 Q And do you live there alone? 21 A No. 22 Q Who do you live with? 23 A My brother, Randal Schwartz. 24 Q Randal Schwartz sitting next to me is 25 your brother? 55 1 A Yes. 2 Q Were you home at that residence on 3 November 1st, 1993, when the search warrant was 4 executed at the residence? 5 A Yes, I was. 6 Q Where were you when that search warrant 7 was executed? 8 A When? 9 Q When the police arrived at the house. 10 A I was upstairs. 11 Q And what is upstairs in the house? 12 A It's a two-floor building and it's 13 upstairs from the main level of the building. 14 Q And do you have any particular types of 15 rooms up there? 16 A Yeah, it's the rear room, which is known 17 as the computer room. 18 Q And how is that set up? Is that a place 19 where you had a workstation, Randal had one, or 20 both of you? 21 A Yeah. 22 Q Please explain to the jury how that was 23 set up. 24 A Basically I had my own computer sitting 25 in one location and then there is another desk in 56 1 the room that had my brother's equipment in it. 2 Q Aside from the computer, what other kind 3 of equipment or materials of yours were up there? 4 A There is all the stuff, things for my 5 computer, including various programs and things 6 and -- 7 Q Did you have disks or diskettes 8 containing information up there? 9 A Yes. 10 Q And did you have very many? 11 A I had a lot. 12 Q What's a lot? 13 A Several hundred disks. 14 Q Now, at some point in time, did you 15 assist the officers in conducting the search? 16 A Yes, I did. 17 Q And what did you do? 18 A I pointed out which equipment was 19 Randal's and which was mine. 20 Q And did you point out which disks were 21 Randal's and which were yours? 22 A Yes. 23 Q And what is your -- were most of the 24 disks up there, did they belong to you or Randal? 25 A The majority would be mine. 57 1 Q And were those taken? 2 A No. 3 MR. SUSSMAN: Thank you. I have 4 nothing further. 5 MR. TINTERA: Good morning, 6 Mr. Schwartz. I don't have any questions for you. 7 THE COURT: Thank you. Thank you, 8 you may step down. 9 Mr. Sussman. 10 MR. SUSSMAN: Your Honor -- 11 THE COURT: You have that look as 12 though you've run out of witnesses. 13 MR. SUSSMAN: I have one other 14 witness who is a character witness and because he 15 has just come into town this morning -- 16 THE COURT: You'd like to talk to 17 him. 18 MR. SUSSMAN: I think it would be a 19 good idea to talk to him before I go any further. 20 THE COURT: We'll take another short 21 break before we call that witness. Thank you. 22 Remove the jury. 23 24 25 58 1 (Whereupon, the following 2 proceedings were held in 3 open court, out of the 4 presence of the jury:) 5 MR. SUSSMAN: When we come back 6 before the jury comes back in it would be 7 appropriated to take up the Exhibit 112 and I have 8 a matter relating to the offer of proof. 9 THE COURT: Okay, we'll do that. 10 Take a recess. 11 (Recess taken.) 12 THE COURT: We're back on the 13 record. The jury is not here. 14 First of all, let's take up Exhibit 15 No. 112. It was offered when Mr. John Gray, 16 defense witness, was on the stand. I understood 17 him to say that this was -- it was guidelines for 18 Systems Administrator and something that was 19 adopted, I believe, after the defendant was 20 employed, as I recall, in the IWARP group. 21 Like to clarify that, Mr. Sussman? 22 MR. SUSSMAN: Yes. I was looking 23 for the document. 24 THE CLERK: I have it here. 25 THE COURT: I believe the testimony 59 1 was that that was not a document that was in place 2 at the time the defendant worked for IWARP, but 3 after, sometime after he concluded, I don't recall 4 whether concluded his employment with IWARP or 5 something else, but the defendant was no longer 6 there. 7 MR. SUSSMAN: That's correct, Your 8 Honor, but what we're offering this exhibit for is 9 to show that it is circumstantial evidence of the 10 distribution of security policies, what the 11 particular policies were. 12 We intend to show that Mr. Schwartz 13 had not received or been shown such a basic 14 document for Systems Administrators who were 15 working at Intel at that time. So the key thing 16 was to have the witness identify what the document 17 was and we intend to offer it to show what policies 18 were, in fact, in place. 19 THE COURT: Policies in place after 20 the defendant was no longer employed there? How is 21 that relevant? 22 MR. SUSSMAN: Your Honor, these were 23 not just policies, as I understood. I'm sorry. 24 THE COURT: Well, I could be 25 corrected on that, too. The gist of it was that 60 1 this guidelines -- I haven't looked at it, but the 2 State's policies, but it was a document that was 3 prepared to memorialize, apparently, some sort of 4 guidelines or policies, but it wasn't drafted until 5 after the defendant -- his contract or employment 6 had been terminated. 7 MR. SUSSMAN: That's correct. In 8 effect, also shows what was not communicated and 9 what were the policies not implemented during the 10 time that Mr. Schwartz was there. I'm sorry that I 11 did not articulate that. 12 THE COURT: Did the witness identify 13 which of those were not in place when he was 14 working there? 15 MR. SUSSMAN: He said this was 16 established after Mr. Schwartz had left SSD. 17 THE COURT: Maybe I should hear from 18 Mr. Tintera. 19 MR. TINTERA: I don't see how it's 20 helpful or relevant to the jury and I would liken 21 it to Oregon Evidence Code Rule 407, which deals 22 with subsequent or remedial measures. That's not 23 admissible in a civil trial. 24 I think that philosophy can be 25 carried over when you look at the relevance in a 61 1 criminal trial that if, in fact, this is the policy 2 of the Supercomputer Division now, without the 3 defendant having been appraised of it or even 4 existing while he was there, how is this helpful 5 for the jury to determine his authorization at the 6 time? 7 MR. SUSSMAN: Not so much that it 8 goes to authorization but as much as it goes to 9 understanding and the issue of what security 10 policies were in place and disseminated. And this 11 was -- because that goes to evidence of 12 Mr. Schwartz's state of mind and understanding of 13 what the policies were as it affected him at the 14 time of his contract. 15 THE COURT: Do you object to 112? 16 MR. TINTERA: I do. 17 THE COURT: I'm not receiving 112. 18 It's not that I buy your argument about them being 19 similar to subsequent remedial measures of it. 20 That's a good try. 21 I thought -- somewhere I learned 22 that the public policy reason for not admitting 23 evidence of subsequent remedial measures was that 24 we wanted producers of products, goods and that 25 sort of thing, equipment, machinery at some point 62 1 to -- in particular if at some point it was 2 determined that there was some dangerousness 3 involved, to be encouraged to take remedial 4 measures. And if, in fact, that could be used as 5 evidence against them, likely they never would. 6 They would leave the dangerous product out there 7 because they wouldn't want somebody to sue them and 8 say, "Look, see what happened afterwards," and that 9 they correct the problem. 10 I doubt that same public policy 11 would apply in this case. I don't see the 12 relevance of a document that was drafted after the 13 defendant's employment had ended in this case, 14 although it may state some guidelines for Systems 15 Administrators, some policies. Some of those 16 apparently were in place and some of them may not 17 have been in place at the time of the defendant's 18 employment and I don't think it's helpful to the 19 jury, so I'm not receiving it. 112 is not 20 received. 21 Do you have another matter? 22 MR. SUSSMAN: Just something 23 regarding the offer of proof that was made with 24 respect to Tanya Herlick's testimony and I want the 25 record to reflect certain comments and 63 1 qualifications on the limit of that offer of proof 2 so that I had that clearly stated on the record at 3 some point and I apologize for not doing it at the 4 time. 5 The offer of proof was offered for 6 these limited purposes. First to show how Tanya 7 Herlick found out about Mr. Schwartz running the 8 Crack program. Second, to show that he contacted 9 O'Reilly immediately. Third, that she cancelled 10 his account initially. That she spoke with him and 11 that the statements about the conversation were 12 offered not for the truth of them, but to show why 13 she did what she did in reinstating the account and 14 not, at that point -- and there was some initial 15 lead-in to that in terms of how she found out about 16 Mr. Schwartz running the Crack program, which was 17 not the specific and the key points of the offer of 18 proof, so I want the record to be clear on that and 19 clearly state that, the specific purposes of the 20 offer. 21 THE COURT: Well, the record will 22 show the stated purpose today. Unfortunately -- 23 well, the Court always has the option of modifying 24 its prior rulings on matters. I'm declining to do 25 that. And while I appreciate the fact that we all 64 1 have clearer thinking sometimes over the evening, 2 it isn't particularly helpful to me when the 3 witness is on the stand one day and then I get a 4 clarification of the offer of proof the next day. 5 And the witness wasn't on the stand. 6 It was done telephonically. If I did wish to 7 modify the decision I previously made, I understand 8 from your prior representation, she wouldn't even 9 be available now, so pretty well limits what I 10 could do if you convinced me that I overlooked 11 something or that I had ruled incorrectly 12 previously. I couldn't change my ruling at this 13 time. 14 MR. SUSSMAN: Well, because we may 15 be running into next week, we might be able to 16 contact her later on and that certainly remained an 17 option, or that the offer of proof that -- the 18 statement of the testimony could be presented 19 through a transcript. Truthfully, ***I was not 20 bringing it up now to ask you -- necessarily to 21 invite you to change the ruling. I understand the 22 Court had made its ruling, but that it may not have 23 been clear at the time, and so for purposes of 24 making the record clear, if for no other purpose 25 than for clarifying the record. 65 1 THE COURT: Sure. And you do have 2 the opportunity to do that. 3 MR. SUSSMAN: That's what I wanted 4 to do. 5 MR. TINTERA: You did represent to 6 me that she would not be available later and that's 7 the reason we took her telephonically. 8 MR. SUSSMAN: That's correct. But 9 at that point, we thought we would be finished this 10 week. 11 THE COURT: That's true. Anything 12 else? 13 Bring in the jury and let's proceed. 14 (Whereupon, the following 15 proceedings were held in 16 open court, the jury being 17 present:) 18 THE COURT: We're ready to proceed. 19 Call your next witness. 20 MR. SUSSMAN: Larry Wall. 21 22 23 24 25 66 1 LARRY WALL 2 called as a witness on behalf of the Defendant, 3 having been first duly sworn under oath, was 4 examined and testified as follows: 5 6 THE CLERK: State your full name and 7 spell it for the record, please. 8 THE WITNESS: Larry Wall. 9 ****W-a-m-l. 10 11 DIRECT EXAMINATION 12 BY MR. SUSSMAN: 13 Q Mr. Wall, where do you live? 14 A Mountain View, California. 15 Q And what is your occupation? 16 A My occupation is software engineer 17 currently, with mixed-in Systems Administrator 18 duties. 19 Q Where are you employed? 20 A I work for Seagate ***Manufacturer. 21 Q And what kind of place is this and where 22 is it? 23 A It's a software engineering firm. It was 24 a startup about six years ago and we were recently 25 acquired by Seagate. We do network management 67 1 software and basically help companies keep track of 2 where all their machines are and what they're 3 doing. 4 Q Can you tell me a little bit about your 5 background? You said you have worked as a network 6 software ***engineer and done some Systems 7 Administrator work? 8 A Yes. I originally got into computers 9 about 21 years ago and almost immediately, this was 10 at Seattle Pacific University, I was the Systems 11 Administrator there for about three years. And 12 then after graduate school, I went to work with 13 what was then SDC, which was acquired by Burroughs, 14 which turned into ***Unisys, and I was a Systems 15 Administrator there, too. 16 And then from there, I went to the 17 Jet Propulsion Laboratory in Pasadena, California, 18 and I was there four years as a Systems 19 Administrator. 20 Q Now, you've had some extensive experience 21 as a Systems Administrator. Let me ask you couple 22 questions about that. 23 Are there any particular qualities 24 that are required to be a good Systems 25 Administrator? 68 1 A You have to have a lot of qualities. 2 Nobody has them all, but you kind of have to be a 3 jack-of-all-trades because you're the backstop. 4 You have to -- whenever someone has a problem, they 5 don't know what to do, they come to you and you 6 either have to know the answer to the problem or 7 know where to look for the answer to the problem. 8 So you have to be able to deal with a steady stream 9 of people coming in and out and asking questions 10 sometimes repetitively. 11 And on the other hand, when there 12 aren't people coming in and asking questions or 13 there isn't an immediate problem, then your job is 14 to sort of deal with the long-term planning for the 15 way the systems are going to be used and to just 16 try to be -- the buzz word in the industry is 17 "proactive" nowadays, but just try to figure out 18 ahead of time what's going to go wrong and try to 19 fix it before you get there. 20 Q As a Systems Administrator, are there any 21 particular tools that are used to test security -- 22 A Yeah. 23 Q -- of your systems? 24 A Yeah. There are a number of tools that 25 have been released over the years. There is a 69 1 couple tools from Dan Farmer. Cops is the name of 2 one of them. 3 Q What is that? 4 A ***Cops. It's -- 5 Q What is that? 6 A It's a suite of programs that helps the 7 administrator. It looks for places where there 8 might be security difficulties and tells him so he 9 can fix them up. 10 There is another program called 11 Crack which is -- it was written by a fellow named 12 ***Alec Muffet, and that was also intended to be 13 used by Systems Administrators. 14 Q Just out of curiosity, are these 15 programs, are they written in some kind of computer 16 language? 17 A Some of them are written in C. Crack is 18 written in C. ***Cops is written in Pearl. 19 Q Is that in an area that you have any 20 particular expertise in? 21 A Well, it happens I wrote the Pearl 22 computer language. I developed it and I gave it 23 away and people use it quite a bit. 24 Q Just out of curiosity, the Crack program 25 as a tool, is that particularly a good one for 70 1 Systems Administrators and is it good for other 2 purposes? 3 A It's good for figuring out whether you've 4 got a good password program, basically. That's 5 what Systems Administrators use it for. It's a 6 validation tool, basically. You put a password 7 program in there to let people change their 8 passwords and they won't necessarily pick very good 9 passwords. In fact, historically speaking, people 10 tend to pick lousy passwords. And the reason Crack 11 was written was to let Systems Administrators find 12 those lousy passwords. 13 I don't think it's the best way to 14 do it, because I think it's better to go ahead and 15 put a good password in and outlaw the bad passwords 16 in the first place. 17 Q Is Crack a program that can be used 18 effectively by somebody trying to break into a 19 system? 20 A Oh, if they were stupid, they might. 21 Q Why do you say that? 22 A It's not really -- it's not a real good 23 tool for that. In the first place, it's a real 24 heavy-duty program. It chews up your CPU. 25 Q What does that mean? 71 1 A If anybody were trying to do anything 2 else on the system, they would notice that there 3 was a heavy load on the system and probably check 4 and see there was a program out there running named 5 Crack. It's way too obvious to be used as a 6 system-cracking tool. In fact, the author of it 7 himself said he sort of misnamed it. He said it 8 should have been called "Password Check," or 9 something like that. But, yeah -- 10 Q Is it a program that can be hidden 11 easily? 12 A Not really, no. It really puts a load on 13 your system and I don't think -- if I were 14 interested in breaking security, I sure wouldn't do 15 it that way. There is lots of easier ways that are 16 known throughout the community and are -- that 17 Systems Administrators -- every System 18 Administrator worth his salt knows the company 19 ***national call lays of ways to break into the 20 systems, and that's why there is other programs 21 like Cops to help them patch these holes. 22 But Crack is not at all a stealthy 23 program. You talk about -- you think about stealth 24 fighter jets and things, but you can't hide it. 25 Q Mr. Wall, do you know Randal Schwartz? 72 1 A Yes, I do. 2 Q And how do you know Randal Schwartz? 3 A Well, I first became acquainted with him 4 in about 1987, and I had just then published the 5 Pearl programming language and I noticed that 6 the -- I noticed on the networks that certain 7 people repeatedly were helping other people out and 8 had already learned Pearl as soon as I put it out. 9 Randal was one of those people. He was -- he had 10 gotten ahold of it as soon as I put it out there 11 and learned how to use it and was already trying to 12 teach other people how to use it. 13 Q When you say you first published this and 14 put it out there, what are you referring to? 15 A Pearl is one of the kind of programs that 16 are called freeware. It's freely redistributable. 17 You can think of it as kind of like public domain. 18 And sometimes people ask me why I put that sort of 19 thing out, but I just like to do that sort of 20 thing. 21 Q Where was this published? 22 A On the network. You put it out and you 23 send it, there is various ways of publishing it. 24 Nowadays you probably put it on the Web but -- the 25 Worldwide Web, but back then we didn't have the 73 1 Worldwide Web. 2 Q The Worldwide Web refers to what? 3 A It's a mechanism for people to explore 4 the Internet and find things that they are looking 5 for. But back then what we had was a network 6 called Usenet, which still exists. But what I did 7 was publish it on Usenet and it has what's called a 8 flooding and sends it everywhere where everyone 9 subscribes to it. It's like a bulletin board all 10 over the country and now all over the world. 11 Q Anybody could get on the Usenet or 12 Internet and communicate about things with anybody 13 else in the world? 14 A Yeah. And there are various different 15 areas, various different discussion groups that 16 people have on these things. And some of these 17 discussion groups are more closely related to the 18 sort of things that you might want to do as Pearl. 19 And this is where I first got to know Randal, over 20 the network. He was ***working with people and 21 they would ask a question about how do you do this 22 and -- 23 MR. TINTERA: Your Honor, I object. 24 I think the question has been answered. 25 THE COURT: Sustained. 74 1 BY MR. SUSSMAN: 2 Q So you first got to know Randal Schwartz 3 over, you indicated, communication on the Internet? 4 A Yes. 5 Q After that, what further contact did you 6 have with him? 7 A After a while, Randal approached me with 8 the ideas of writing a book. A publisher had, in 9 fact, approached Randal. Tim O'Reilly is the 10 publisher of his book. 11 MR. TINTERA: Objection. That can 12 only be based on hearsay. 13 THE COURT: Sustained. Ask another 14 question. 15 BY MR. SUSSMAN: 16 Q What was your next contact with 17 Mr. Schwartz after he contacted you about writing a 18 book? 19 A Then we corresponded with great frequency 20 over the Net about how we would go about organizing 21 this book and what would be the best way to present 22 the materials to people. We met in person for the 23 first time while we were organizing the writing of 24 the book, and then we actually finished the book 25 over the network. 75 1 Q So most all of this communication between 2 you and Mr. Schwartz about doing this book was over 3 computers? 4 A Yes. At that point, yes. Some by 5 telephone, of course. 6 Q Where were you living at the time? 7 A At the time, I was living in Panorama 8 City, LA, basically. 9 Q And Mr. Schwartz was up here in Oregon? 10 A Yes. 11 Q And then what further contact or how else 12 do you know Mr. Schwartz? 13 A Well, when the book finally came out -- 14 the name of the book, by the way, is Programming 15 Pearl. When the book finally came out, we had a 16 signing party, I believe this was in Dallas, Texas, 17 and we had a good opportunity to gab a lot there. 18 And then since that time over the years, we have 19 continued corresponding over the networks and we 20 have met in person many times since then. 21 Randal often teaches classes in 22 programming Pearl and some of those are down in the 23 area where I live and very often he invites me in 24 to meet with his class at the end of their course 25 session. And we often do dinner, too, and have him 76 1 over to the house. 2 Q How would you describe Mr. Schwartz's 3 level of skill in programming, whether it be with 4 Pearl or in other areas? 5 A Very high. 6 Q In your opinion, does Mr. Schwartz have a 7 level of skill to run a program that would try to 8 break into somebody's passwords in a way that could 9 not be noticed or couldn't be discovered? 10 A Certainly. 11 Q Based upon your associations with 12 Mr. Schwartz, your familiarity with him over the 13 Net and over this world of the Internet or these 14 different networks and your personal dealings with 15 him, have you been able to form an opinion about 16 Mr. Schwartz's character for honesty and -- excuse 17 me, honesty and trustworthiness? 18 A I have. 19 Q And what is that opinion? 20 A I have seen no evidence whatsoever of any 21 untrustworthiness. He has -- 22 MR. TINTERA: Objection to any 23 elaboration, Judge. 24 THE COURT: Sustained. 25 77 1 BY MR. SUSSMAN: 2 Q And your opinion about his character for 3 honesty? 4 A He's always told me the truth and -- 5 MR. TINTERA: Objection. 6 Unresponsive. 7 THE COURT: Sustained. 8 BY MR. SUSSMAN: 9 Q In terms of general character for 10 honesty? 11 A Yeah, -- 12 THE COURT: Sometimes witnesses like 13 to use the word "honest" in answering the question. 14 Do you think he's an honest person or dishonest? 15 THE WITNESS: Well -- well, I've 16 seen -- yes, I think he's a very honest person. 17 MR. SUSSMAN: Thank you very much. 18 No further questions. 19 THE COURT: Mr. Tintera. 20 21 22 23 24 25 78 1 CROSS-EXAMINATION 2 BY MR. TINTERA: 3 Q Mr. Wall, in a UNIX system, who can 4 access the password file? 5 A Anybody who -- well, that's one of those 6 "it depends" questions. On some systems 7 historically particularly, anybody can access the 8 password file. The passwords, however, are only 9 stored encrypted, so they are generally of little 10 use to most people. 11 The idea is that hopefully the 12 encryption on them is strong enough that it doesn't 13 matter if the encrypted password is -- 14 Q So are you saying they are public access, 15 anyone publicly can access the password file? 16 A Yes. 17 Q Do you have to have any access rights to 18 a password file? 19 A No. Other than having a basic account on 20 the machine, no. 21 Q So you do need something else on the 22 machine? 23 A Yeah, or you have to have privileges that 24 are -- sometimes when you talk about the machine, 25 you're talking about a collection of machines that 79 1 are logically behaving at one machine. 2 Q So it's not public access. You have to 3 have an account on the machine? 4 A Generally speaking, yes, but really 5 depends on what the other privileges that are 6 granted by the Systems Administrators. 7 Q So it requires some grant of permission 8 by a Systems Administrator? 9 A Not always explicitly, no. But -- 10 Q The machine has to know who you are? 11 A Yeah. 12 Q The machine has to know who you are -- 13 A Yes. 14 Q -- to let you access the password file? 15 A Yes. 16 Q It doesn't let strangers in? 17 A Not unless the Systems Administrators has 18 specifically given away that. 19 Q Not unless he's opened the flood gate to 20 let everybody in? 21 A Right. 22 Q So in some sort of secure machine, in a 23 minimum of security, it's not going to let a 24 stranger in; is that fair? 25 A That is how it's designed to work, yes. 80 1 Q Can you usually write to a password file? 2 A No, not unless you're the superuser. 3 Q Right, Systems Administrator? 4 A Yeah. 5 Q And in regard to gaining access, this is 6 unauthorized access, how many passwords would you 7 need to know to gain unauthorized access to a 8 system? 9 A Only one. 10 Q One? 11 A Only one. But you -- by and large you 12 wouldn't be able to do much with that. 13 Q My question is how many, and your answer 14 is? 15 A One. 16 Q Sure. And if your password -- let's 17 assume you had an account on a machine and that 18 password is disabled, is that account for all 19 intents and purposes for you gone? 20 A Essentially, yes. 21 Q And as a Systems Administrator, isn't it 22 true that the use of the Crack program for systems 23 security in administration is nil if, in fact, you 24 don't follow up? 25 A Yes, that's correct. 81 1 Q Now, you mentioned that the Crack 2 program -- I liken computers to engines, it's kind 3 of like running your air conditioning. It puts a 4 drain on your engine? 5 A Uh-huh. 6 Q So if you were wanting to run the Crack 7 program and not have whoever was using that engine 8 notice the drain, you would -- you could copy that 9 or you would copy that to a different system to run 10 the Crack program; isn't that true? 11 A That could be done, yes. 12 Q And then the drain on the system wouldn't 13 be noticed, would it? 14 A Well, it would be noticed on the other 15 system. 16 Q But not the one that is the target of the 17 Crack program, would it, if it's taken away and 18 copied? 19 A That's correct. 20 Q And so someone who wanted to crack a 21 program and not be noticed would copy that file 22 away from the target system to an area that is away 23 from there, is not associated with that system so 24 it wouldn't be noticed, is that fair? 25 A That's fair. 82 1 MR. TINTERA: That's all I have. 2 Thank you. 3 THE COURT: Redirect? 4 5 REDIRECT EXAMINATION 6 BY MR. SUSSMAN: 7 Q Mr. Wall, in a system that you've 8 administered, you have a number of passwords, bad 9 passwords, would you consider those passwords a 10 benefit or a liability to your system? 11 A Bad passwords are a liability. 12 MR. SUSSMAN: Thank you. Nothing 13 further. 14 MR. TINTERA: I don't have any other 15 questions. 16 THE COURT: Thank you. You may step 17 down. And you're free to go. 18 MR. SUSSMAN: Thank you, Your Honor. 19 That concludes the witnesses that I have for this 20 morning. 21 THE COURT: We'll be in recess until 22 1:30, ladies and gentlemen. Remove the jury. 23 (Luncheon recess.) 24 25 83 1 AFTERNOON SESSION 2 BEGINNING AT ***{^____________ 3 JULY 20, 1995 4 5 (Whereupon, the following 6 proceedings were held in 7 open court, the jury being 8 present:) 9 THE COURT: Ladies and gentlemen. 10 We have been talking about scheduling. One of the 11 things I said, if we didn't conclude, we would go 12 over to Monday. 13 I neglected to check my own 14 calendar. I have a matter set in a criminal case 15 where the defendant is set -- is in jail and it's 16 been set for a long time and I have to do that 17 Monday. If this case doesn't conclude this week, 18 it will be Tuesday. 19 We have conferred and we're certain 20 that Tuesday will be the last day. Except for 21 Mr. Speck, any of you that couldn't be here 22 Tuesday? I know this has gone on longer than 23 anticipated and I can tell you that we have a 24 policy in this county when you serve on juries for 25 long periods of time that you are excused for a 84 1 long period of time, so you don't have to serve for 2 the rest of the term. 3 If you wish, you might -- you could 4 come in for the rest of the term, if that's what 5 you want to do, but if you want to be excused for 6 the rest of the term, those that have been here for 7 the two weeks may. 8 All of you except for Mr. Speck 9 could be here Tuesday; is that right? 10 Mr. Speck, we have talked about how 11 to handle your case. We are relatively certain 12 that we won't finish Friday. That being the case, 13 although you probably -- you may have found this 14 case to be interesting, seems if you want to, 15 because we know we're not going to finish the 16 trial, if you want to, I would consider excusing 17 you now and having your place taken by 18 Mr. ***Merritt, who is our alternate. 19 You told us you have tickets for 20 your vacation that are non-refundable and your 21 family is going and you'd like to be with them, 22 apparently. I want to leave that to you. You tell 23 people what you want to do. 24 JUROR: We were going to drive up 25 there and it wasn't the tickets as much as the 85 1 reservations. I consider the issues in the case to 2 be highly significant, and although it's not really 3 what I would have wished, I would very much like to 4 be part of the decision-making process. 5 THE COURT: So? 6 JUROR: So if it does go until 7 Tuesday, I would like to participate in the 8 deliberation process. 9 THE COURT: Actually, counsel 10 suggested I approach it this way, and I'm glad they 11 did. I had a reading from you that you couldn't be 12 here and they suggested that I put it to you and 13 make certain that -- as to what your desire was. 14 Now I hear you saying even though it 15 would be a sacrifice, you could be here. 16 JUROR: For a day, I could. 17 THE COURT: Earlier you thought 18 Monday, now it's Tuesday. 19 JUROR: I'll commit to that. 20 THE COURT: You're not going to be 21 worrying about that now and not -- I want to be 22 sure that your mind is on this and not missing your 23 vacation for a couple days. 24 JUROR: Oh, it is. 25 THE COURT: It is. You find the 86 1 case to be interesting. I hope the manner in which 2 the sides are presenting this to you that you all 3 find it interesting. 4 With that in mind, I'll leave you 5 here. Unless you bring it to my attention again, I 6 won't talk to you about that, excusing you, because 7 of your vacation plans. As I understand it now, 8 you've told me that you could be here Tuesday. 9 JUROR: It would be an imposition if 10 it extended even further past that. 11 THE COURT: I don't think it will. 12 The way witnesses are scheduled, I believe that 13 we're going to finish with all the evidence 14 tomorrow and it would be argument and instruction 15 and your deliberation on Tuesday. I would say the 16 only possibility -- I always think of loose ends 17 for some reason -- deliberation, you weren't able 18 to conclude on Tuesday, but I'll suggest that's 19 seldom. If we had most of the day, I think there 20 is not much chance of that. I think the jury is 21 going to be able to deliberate in this case and 22 reach a verdict. 23 So with that then, unless counsel 24 has something else. 25 MR. SUSSMAN: No. I understand 87 1 Mr. Speck's circumstances and I -- 2 THE COURT: Do counsel want to ask 3 questions? 4 MR. SUSSMAN: Mr. Tintera mentioned 5 something about deliberation also. 6 MR. TINTERA: Right. 7 MR. SUSSMAN: Both of us would be 8 concerned, Mr. Speck, that given the sacrifice 9 you've made so far, that once you get there Tuesday 10 and if we run into the situation where the 11 complexity of the issues involved and the length of 12 case and number of issues took a longer time than 13 normal for deliberation in the case so that, who 14 knows, it could run over and how that would -- 15 THE COURT: I need to bring up one 16 additional fact, and that is you may not know 17 Oregon law doesn't provide for alternates to take 18 the place of jurors during deliberation once the 19 jury begins deliberation and you have to continue. 20 MR. SUSSMAN: We would both be 21 concerned that the deliberation not be rushed 22 because of the pressure of your schedule. We want 23 to make sure we have all the time you need. 24 JUROR: I would give it as much 25 seriousness that I would want if I were in that 88 1 position. 2 MR. SUSSMAN: Thank you. 3 THE COURT: In order to try to 4 accommodate people, too, we could -- I can work 5 with counsel, talk with the jury about this, too, 6 even consider trying to start earlier on Tuesday so 7 they can begin earlier. Make sure I don't have a 8 9:00 o'clock on Tuesday. 9 I have an appearance. We can set a 10 schedule if it's argument and instructions, counsel 11 and I can sit down and set a schedule, what we have 12 typically done in those kind of cases, even if it 13 runs into the noon hour, if we can set a schedule 14 so we can get the argument done and instruct, even 15 though it might be 12:30, 1:00 o'clock, run through 16 the noon hour, provide lunch to you and let you 17 begin your deliberation. 18 Let's think in those terms. We 19 appreciate the time and consideration and effort 20 that are going into this case because it's 21 technical and the fact that it's taken longer than 22 we have anticipated. Although pretty much in the 23 time frame, taking longer, I'm speaking for all 24 parties and the Court staff, we appreciate you 25 folks. 89 1 We're ready to proceed then, and you 2 may call your next witness. 3 MR. SUSSMAN: Thank you. We'd call 4 Andrew Johnson-Laird. 5 ANDREW JOHNSON-LAIRD 6 called as a witness on behalf of the Defendant, 7 having been first duly sworn under oath, was 8 examined and testified as follows: 9 10 THE CLERK: State your full name and 11 spell it for the record, please. 12 THE WITNESS: Andrew Johnson-Laird. 13 J-o-h-n-s-o-n - L-a-i-r-d. 14 15 DIRECT EXAMINATION 16 BY MR. SUSSMAN: 17 Q Mr. Johnson-Laird, what's your 18 occupation? 19 A Forensic software analyst. 20 Q Why don't you explain to jury at this 21 point what does that mean? What is a forensic 22 software -- 23 A What I do is I preserve and analyze and 24 then explain, if necessary, computer-based 25 evidence. Sometimes for litigation and sometimes 90 1 merely to people in management who are interested 2 in the problems that it's caused. 3 Q And what's involved in doing that? 4 A Essentially a good understanding of the 5 way computers work, good understanding of the way 6 computers store data, good understanding of the way 7 computers don't do what you think they do in terms 8 of deleting files and so on. In terms of the 9 ability to analyze it, fair amount of compute power 10 sometimes that didn't need to do a lot of number 11 crunching. You get a lot of database these days. 12 In terms of explaining it, that's fairly 13 self-evident. 14 Q Where do you live? 15 A I live in Portland. My office is at 850 16 Northwest Summit Avenue. 17 Q And what kind of background, training or 18 experience do you have that brings you to the point 19 of becoming a forensic computer analyst? 20 A Software analyst, Counsel. Basically, I 21 started in the computer industry fresh out of 22 college. In fact, unfortunately for me and for 23 them, my father died when I was in college and I 24 got a job with a company called National Cash 25 Register, ***all boob it in London. They put me in 91 1 charge of operating a mainframe computer that would 2 probably just fit in this room. My job was to run 3 other programmers' work and I used to do that. 4 I favored the night shift because I 5 discovered that if I was lucky and got everything 6 to work right, by 2:00 or 3:00 in the morning, I 7 would have completed all those tasks and when I 8 asked the manager what do I do then, they said, 9 "Play with the computer." 10 So I'm afraid that sounds like a 11 confession, but that's when I started hacking 12 computers in the old sense of the word. Learning 13 them, trying to find out everything I could, trying 14 to teach myself how to program. 15 Following that, I was asked by the 16 same company to go teach people how to program 17 which, I found interesting both because it was a 18 compliment that I obviously understood these 19 machines well enough to go teach people. And then 20 they asked me to help them work on something called 21 the operating system, which is a piece of software 22 that actually makes the computer work. 23 After about three years there, I 24 moved out into the commercial work, I helped write 25 and design software for what we call building 92 1 societies. Over here, I think you call them 2 mortgage companies and savings and loans. No 3 negative connotation, they are just a combined 4 operation. 5 From that point on, I guess it was 6 in 1972, I went to work for Control Data 7 Corporation, but the European office in France and 8 there my job was when supercomputers were made by 9 Control Data, when they broke or when people 10 thought they broke, I would have to go out and try 11 and diagnose what the problem was, train the 12 customer, train the people how to use them if it 13 had been a problem that the customer had caused. 14 They then asked me whether I would 15 transfer to Control Data Toronto in Canada, and I 16 worked again for the supercomputer group working on 17 some fairly specialized software. My job, among 18 other things, was to push the software to the 19 limit, basically to break it, to use the word we 20 use, to see why it would fail. 21 We also were operating a computer 22 network and my job, among other things, was to try 23 to push that to the limit as well. 24 I also got to work on some programs, 25 we call them text editors, nowadays they are word 93 1 processors, you sit and type letters and documents 2 into the computer. 3 From there, I think we moved down to 4 the States and that would have been in '77, '78, 5 and at that point in time, the microcomputer 6 industry had just come into being. No one knew who 7 Bill Gates was. That was the test. He was running 8 a small company in New Mexico at the time and I got 9 to work with some of his products. This was the 10 hobby stage of the microcomputer business. 11 I started a company, among other 12 things specializing in installing operating 13 systems, which was an area of my specialty, and we 14 relocated that to Portland and we have been here 15 ever since. 16 Q Since you've come to Portland, what has 17 been your experience? 18 A Well, the company that we started 19 blossomed. We ended up starting two other 20 companies, simultaneously. One was in Portland and 21 the other one was in England. And we were doing 22 such things as installing operating systems. 23 We put the operating system on the 24 IBM personal computer before it was announced. 25 This wasn't Microsoft, this was an opposing -- as 94 1 it is now, an opposing operating system with a 2 different name, but it was the then standard. This 3 was before Microsoft took off and became the 4 powerhouse that it is now. And we develop various 5 other products. 6 We also were providing consulting 7 service to companies, big companies, Shell Canada, 8 among others, Xerox Corporation. So we were 9 working with them, if it's possible to describe 10 that. We were a very small company and they were 11 very large companies, obviously, but doing 12 consulting work for them. 13 Q You mentioned, of course, that you are a 14 forensic software analyst, and perhaps to help the 15 jury understand a little more about what that 16 involves, would you please tell them what kind of 17 experience you have doing forensic software 18 analysis? 19 A The reason I got into forensic software 20 work was that computer software for a long time 21 really wasn't subject to very strong intellectual 22 property law like copyright. 23 MR. TINTERA: I object. I don't 24 think that's responsive to the question. The 25 question asks for his specific experience in 95 1 forensic software analysis. 2 THE COURT: I think he's getting 3 there. Overruled. Go ahead. 4 THE WITNESS: As I was saying, this 5 was an area where there was considerable confusion 6 among the attorneys of the world and also among the 7 software developers. So the kind of work I was 8 doing would be people would call me up, sometimes 9 attorneys, sometimes not, and say, "We think 10 someone else has copied our software. Would you 11 have a look at it and see what you think?" Or "We 12 had an employee leave yesterday and a day later 13 he's advertising he has a competitive product. We 14 think he took something that he shouldn't have. 15 Can you take a look and see what you think?"more 16 relevant. "We think we have a patent and somebody 17 is infringing on that patent. Would you take a 18 look at it?" 19 Or companies would say, "We'd like 20 to buy that particular product or company. They 21 say it's great. Would you please have a look to 22 see if it's as good as it is?" That's one area of 23 work. 24 The other area that I called 25 technoarchaeology, digging through the failed 96 1 companies where a company may have spent millions 2 of dollars and whatever was produced, it wouldn't 3 work. And the management would say, "Why didn't it 4 work? What went wrong?" They would come and ask 5 me to look at that and talk to the people that I 6 could find and ask them what was going on and try 7 and understand what caused the failure. "Why did 8 we spend $3 million and get effectively nothing for 9 it?" 10 The final area that I work on is 11 what we call reverse engineering or clean room. 12 It's become very popular in the software business 13 to compete where one company comes out with a 14 program that does spread sheets, does numbers like 15 and accountant. Another company will come out and 16 want to compete and will create another specialty. 17 The problem is if the two are very, very similar, 18 it's like that there will be some acquisition that 19 one copied the other. And so the area that I get 20 involved in is how can you look at somebody else's 21 product, and eye it for what it does and what it is 22 but try and make sure that someone who completes 23 doesn't copy anything? 24 So in the sense, I act as a referee 25 looking at what they are doing and say, "No, that's 97 1 too close, you can't do that. Don't hire that 2 person, he just was working on that project until 3 something similar." That's what we call clean 4 room, to try to keep people who are working on new 5 product clean so they can't can be accused in court 6 of having copied because they never saw the 7 original product, never were employed by the 8 original developer and so on. 9 Then final activity which is coming 10 into popularity, if that's not the wrong word, 11 which is working on the Internet, which is the 12 giant network that I will be telling you about in a 13 minute. I work as a net cop. Track down stolen 14 software when people put it up on networks and I 15 will be brought in when someone says, "We think 16 someone has taken our program." 17 One case it was an ex-employee who 18 stole the software and put it up on networks and 19 the question was where was it, where was it now, 20 where is it going to be tomorrow? How do we stop 21 it? 22 I think that pretty much covers the 23 spectrum. 24 BY MR. SUSSMAN: 25 Q In the course of that kind of work, 98 1 particularly the latter work you described on the 2 Internet activity, does that require you to become 3 conversant with network security, security of 4 programs and perhaps the patterns of behavior of 5 people in the computer industry and in particular 6 people who are trying to break into computers or 7 who are stealing, getting unauthorized access to 8 other computer systems? 9 A Yes, both directly and indirectly. Funny 10 thing is sometimes people break into computers on 11 the Internet and they don't take things. They put 12 things. They break in and put stolen software and 13 hide it and they tell their friends, as it were, on 14 Internet in a surreptitious way, the word goes out, 15 "Go and look at that particular computer because 16 you can get a free copy of WordPerfect or very 17 expensive sometimes software. So it brings me into 18 contact with how these people break in. 19 I have not had the luxury of 20 watching a break-in happen. We have had the luxury 21 of watching these sites go from nothing and then 22 explode like a star into a huge amount of stolen 23 software, as word gets out, and then the moment 24 someone discovers it's going on, bang, it's gone. 25 Quite literally in a matter of few minutes, it just 99 1 disappears. 2 So that brings me into contact with 3 the way people break into computers in the first 4 place and what they do when they break in and the 5 general sort of behavior that they seem to exhibit, 6 looking at what is essentially wreckage after the 7 accident has occurred. 8 Q In this capacity that you have described, 9 have you had the opportunity or occasion to work as 10 an advisor to any government agencies? 11 A I've worked with the FBI in a particular 12 case where a person steals software and then 13 transmits it out of state. In this case, it was 14 California, then the FBI were brought in and we had 15 to both go on a raid to examine this particular 16 perpetrator's computers to find out what he had on 17 those computers, and also to examine the various 18 networks, which he then said he had access to and 19 basically try to chase through what we call 20 cyberspace, the space out there with all the 21 computers in it to try to find out where he put all 22 this particular software. 23 Q Have you had -- have you been qualified 24 in any other courts as an expert witness in these 25 areas? 100 1 A Yes, I have. 2 Q And which Court have those been? 3 A Most recently the High Court of 4 Singapore. The first software copyright case was 5 being tried there. In Boise, Idaho, I was 6 qualified on a software patent case. In 7 Los Angeles qualified as an expert on computer data 8 storage and the issue of making backup copies in 9 case the computer breaks. 10 In New Mexico, I was qualified as 11 the person to compare software and determine 12 whether or not it had been copied. 13 Q Have these been in state or federal 14 courts or both? 15 A Copyrights and the patent is always 16 federal. High Court of Singapore I guess is the 17 High Court of Singapore. 18 Q Now, in those cases where you were 19 qualified as an expert, did you testify for one of 20 the parties? 21 A Yes. I was retained in some cases by the 22 plaintiff and in some cases by the defendant. 23 Q Have you ever been qualified or brought 24 in by the Court as a court expert? 25 A Yes. I worked as a court-appointed 101 1 expert in the Federal District of Maryland 2 concerning the Baltimore City Public Schools. It's 3 a 12-year-old court case where the parents were 4 upset that Baltimore city was not providing special 5 education to their children and the Judge who 6 inherited this particular case was obviously 7 outraged to see how long this had been going on and 8 he asked me to come in and basically to cut through 9 what we call the technobabble, high-tech talk that 10 was being said in front of him just to try to say 11 why isn't it working? What's the problem? Why is 12 it taking 12 years? 13 Q And your role in that was to explain the 14 technology and make that understandable? 15 A Me role is. That is still an ongoing 16 shall and I was asked to write a report to suggest 17 how the Court should direct the people involved in 18 order to get this program, this computer 19 programming in place to track the special education 20 student so that young kids in wheelchairs weren't 21 left out in hallways in schools because there was 22 no special ed teacher to teach them. 23 MR. SUSSMAN: At this point, I'd 24 like to ask the witness be qualified as an expert 25 in forensic software analysis and computer 102 1 technology, the Internet security. 2 THE COURT: You wish to inquire, 3 Mr. Tintera, of the witness on any of those 4 subjects? 5 MR. TINTERA: No. If they would 6 have asked me initially, I would have agreed. 7 THE COURT: I will so rule. 8 Proceed. 9 MR. SUSSMAN: Thank you, Your Honor. 10 BY MR. SUSSMAN: 11 Q Mr. Johnson-Laird, in the experience that 12 you have described, have you had much experience in 13 managing computer programmers? 14 A I've been managing computer programmers 15 probably since 1966, I would think, varying numbers 16 of programmers at any given time. 17 Q And also, have you had experience in 18 working with people who are systems analysts? 19 A Oh, yes. I mean, I included programmers 20 and systems analysts, I lump them together. 21 Q In your experience in managing 22 programmers systems analysts, how would you 23 describe that? 24 A It sounds -- I'm not trying to be 25 facetious, but it's like herding cattle. You have 103 1 a bunch of bright, creative, free-thinking, 2 spirited individuals, and to try to persuade them 3 to all go in the same direction at the same time is 4 very, very difficult. 5 Q Following up on that a little bit, you've 6 described the good programmers systems analyst as a 7 bright, creative person. Are there any other 8 characteristics that you commonly see? 9 A The good programmers are typically 10 very -- 11 MR. TINTERA: I object. I don't see 12 how that's relevant to any issue, what the personal 13 characteristics of a program are might be. 14 THE COURT: Sustained. 15 MR. SUSSMAN: Your Honor, I think 16 that it provides an important background and also 17 helps understand -- for the jury to understand kind 18 of some of the behaviors that Mr. -- that will be 19 related to Mr. Schwartz and as a foundation for 20 ultimately the opinions on whether conduct that is 21 involved in the case is consistent with what is 22 commonly observed in the industry and this witness' 23 experience. 24 THE COURT: I've sustained the 25 objection. 104 1 BY MR. SUSSMAN: 2 Q In one area in particular, would you 3 describe the people that you work with in the area 4 of computers as literally minded or tend to be kind 5 of general in -- 6 A They have to be literally minded. I 7 mean, they couldn't do their job. They have to be 8 able to fixate on a particular problem and focus in 9 on it because if they don't, they can make the 10 computer do it or do it right. They'll just do it 11 wrong. They tend to have to be so focused that, I 12 mean, to some people they might seem rude or 13 arrogant, but they are fixated on getting the job 14 done. 15 Q Does this -- your experience in terms of 16 working with these individuals create any unusual 17 situations in the context of the large companies 18 that they work, conflicts between the needs of the 19 large company and policies and the practices of the 20 creative and individualistic programmer? 21 MR. TINTERA: Objection. This is 22 basically just not helpful to the jury in regard to 23 data analysis. 24 THE COURT: So it's not relevant? 25 Is that the word? 105 1 MR. TINTERA: Yes. 2 THE COURT: You wish to be heard on 3 that? 4 MR. SUSSMAN: Again, I think it will 5 help the jury understand the dynamics that are 6 involved in this particular case involving the 7 situation and conduct Mr. Schwartz was alleged to 8 be engaged in. 9 THE COURT: I'm sustaining the 10 objection. 11 BY MR. SUSSMAN: 12 Q Do you have any experience involving the 13 administration of systems involving UNIX computer 14 systems? 15 A I have a UNIX system on my desk and have 16 to maintain it for the -- probably the last ten 17 years. I mean, more than one system, but I have 18 many happy hours trying to make it work. 19 Q Is there a particular kind of computer 20 system that you are working with now? 21 A I probably have nine or ten different 22 computer systems I work with now, but including 23 UNIX system, the Spot 10, Sun Microspot Station 10 24 its full name. MacIntosh, IBM personal computers. 25 Q Focusing a little bit on your experience 106 1 with security on the Internet, you had to analyze 2 or evaluate what kind of conduct or activity people 3 engage in who try to break into computer systems? 4 A Sure. Yes. As I said, the real problem 5 is when you are looking for stolen software, people 6 will hide it out on the Internet and they will find 7 it well placed in the sense of a high-speed access 8 computer system and if its vulnerable, they'll 9 break in and put stuff on it. 10 Q What are the typical problems that seem 11 to arise in terms of dealing with the Internet or 12 in terms of people breaking into systems, is it 13 something typically outside, outside people trying 14 to break in, or people more from the inside 15 stealing secrets? What is your experience there? 16 A My experience is certainly as far as 17 people putting software, breaking into systems to 18 install software, they come and go. It almost 19 takes longer to talk about it than it takes to do 20 it these days and they will come, put software on 21 and it's gone, they are gone. 22 The software is still there and 23 pretty soon people start coming from all over the 24 world around the Internet to steal copies of the 25 stolen software, or take copies, I should say. 107 1 Q I'd like you to expand a little bit about 2 your particular experience in working with the 3 systems security on computer systems. 4 A In my experience, what happens most often 5 is people break into a weak or bad password, some 6 cases no password, and some cases it might as well 7 be no password. That is, someone will be able to 8 just walk right up as though they were physically 9 there, even though they may be thousands of miles 10 away and going into a computer system that they 11 have no business of being. They might not even 12 know where the system is, but know it as a computer 13 system out there, like dialing a random telephone 14 number out there, and they will break in and try a 15 few things. 16 They may try and steal a copy of the 17 password files, the file that contains all the 18 passwords for the users and they are gone and then 19 they will come back and start loading up the system 20 with one program after another. Reads like a local 21 software store when you see the list of stuff on 22 there. 23 Q Do you have to deal with ***Al assist of 24 tracking problem with people inside companies? 25 A I've certainly seen that situation, where 108 1 the inside job, as you might call it, has occurred 2 and clearly passwords are of all vulnerability as 3 well. On what I have seen here, read, studied in 4 my study of this, passwords are the weakest link. 5 Q We have talked a good deal about the 6 Internet in general terms. Perhaps it would help 7 the jury if you can explain what the Internet is 8 and how that works. 9 A I'd be happy to. It's actually easier to 10 show, if I might use some overhead slides. 11 THE COURT: You may. 12 MR. TINTERA: We don't object to 13 that, Judge. 14 THE COURT: Thank you. 15 THE WITNESS: To talk to the 16 Internet, we're talking about a giant computer. I 17 presume all of you have used the telephone and made 18 long-distance phone calls, then you already know 19 what a computer network is because the telephone 20 system is a computer network. 21 Basically the simplest form of 22 telephone network or the simplest form of computer 23 network is to take two computers and to stretch a 24 wire between them and over that wire with the right 25 kind of computer program, you can send documents, 109 1 you can send text, you can send sound. 2 If the software, the computer 3 program is running here and here, they obviously 4 have to talk the same language, as it were, in the 5 same way that you have to be able to understand the 6 person on the other end of the phone. But just 7 using that simple wire allows you to create the 8 illusion of a two-way conversation between computer 9 systems and essentially this is the foundation of 10 the Internet. 11 We tend to slip the data up and try 12 to represent it in little chunks. Same happens on 13 the telephone system, but you don't notice it. 14 Those little chunks are something that we call data 15 packets. 16 BY MR. SUSSMAN: 17 Q What is a data packet? 18 A A data packet, as I said, is just part of 19 a message. The original idea was to improve 20 network security when this network was first 21 created, but the easiest explanation is to look at 22 a real packet and look at what it is made up of. 23 We have got a sender's and 24 recipient's address on the packet. We have got an 25 outer wrapping and some inside contents in physical 110 1 packets. 2 The electronic packet is modeled 3 after the same thing. I don't know whether this is 4 used much in the State much anymore, but these are 5 the pneumatic tubes. Northwest Airlines uses them 6 still. You have an electronic outer wrapping. You 7 have a label and you've got the data inside, part 8 of which I'm showing poking through, as it were. 9 And this is all created inside the computer system 10 or the telephone system electronically. 11 Let me show you a little bit further 12 close up and you'll see what I mean. Here are the 13 pieces. You'll see the recipient to, and we use 14 numeric addresses. I'll explain those in a second. 15 This is who it's from. This is 16 essentially what it is, and there is a sequence 17 number because we're chopping things up into little 18 pieces, we want to make sure when it gets to the 19 far end, we can put it all back together again. 20 And then there is the message text. And as I said, 21 long messages are chopped up and put into smaller 22 data packets, so if something goes wrong, you don't 23 have to send the whole thing again, you just send 24 the data packet that got lost or damaged in 25 transit. 111 1 Q In terms of talking about the Internet, 2 you showed us a picture of a couple computers 3 linked up and sending a message between a couple 4 computers isn't really the extent of the Internet. 5 Perhaps you could share something with the jury 6 that would help them understand and visualize the 7 entire Internet and what it looks like. 8 MR. TINTERA: I don't object if he 9 goes through all of those without counsel trying to 10 preempt it with questions. Because I'm not going 11 to object. 12 THE COURT: However you wish to 13 proceed. 14 MR. SUSSMAN: There will be times 15 that I want to ask questions to supplement the 16 presentation. 17 THE COURT: That's fine. 18 THE WITNESS: As I said, the 19 telephone network is a huge network that reaches 20 around the world and the Internet is actually a 21 large network. 22 The mental model, if I can call it 23 that, what you have in your head as to how you 24 visualize the Internet. Start with an idea, a 25 telephone exchange and outlying subscribers and 112 1 substitute what we call a server that exchanges 2 data, among other things, and a series of computers 3 arced around it. This is an idealized, tidy setup. 4 Doesn't normally happen that way in life. 5 When you view the world of the eyes 6 of someone who is on the Internet, it looks more 7 like this, these clusters of machines, networks of 8 networks, and they stretch all the way to the 9 horizon. We don't know how many there are. We 10 have an approximate idea that there are about three 11 million host computers out there. 12 Host computer is one of these guys. 13 It's a method of getting to the Internet. Think of 14 it as a public or private telephone and you've got 15 the right answer. 16 We think there also may be as many 17 as 30 million people out there connect to the 18 Internet. Same kind of question of how many 19 telephones there are out there in the world. 20 Although arguably, we have got even a better number 21 of them. 22 In order to know what is going on in 23 the Internet, visualize these data packets whizzing 24 around in pipes, the messages are all chopped up, 25 intermingled and whizzing at the speed of light 113 1 almost between here and every major city in the 2 United States and in the outlying districts if you 3 can access the Internet through a telephone, if you 4 wish, and it's quite literally a giant electronic 5 web pulsating with data backward and forward, huge 6 amount of data every second, every minute, every 7 day. 8 The interesting point that as far as 9 the Internet is concerned, geography no longer 10 exists, there is no state, county or international 11 borders. This data whizzes across international 12 borders. No customs. No one stops to ***clear 13 anything. Takes me about three-tenths of a second 14 to get to Singapore. Two-tenths of a second to go 15 to New Jersey. Four-tenths of a second to get to 16 London. When I'm working on the Internet, I can 17 quite literally go around the world visiting 18 various sites, finding out what they might have. 19 There is a tradition of openness on 20 the Internet. Came from academic backgrounds. It 21 was universities that started it, also funded by 22 the defense agency, defense ***research project 23 agency. It's now no longer a defense project. 24 It's worldwide. 25 114 1 BY MR. SUSSMAN: 2 Q That kind of quick interconnectedness 3 between geographic sites, that it be thousands of 4 miles apart, that is true for networks that are not 5 on the Internet that may be within a business or 6 large corporation or government? 7 A You're talking now about private, 8 disconnected from the Internet? 9 Q Yes? 10 A Just as true. Geography doesn't exist 11 any more. One doesn't tend to think of it in terms 12 of I'll go over to Tokyo or, oh, yes, I remember 13 seeing there is a useful program, I saw that stored 14 in Finland. That's the way we think about it. 15 That's the away it actually is. 16 You can now move information around 17 that easily that far. It's for the price of a 18 local phone call usually, unlike the telephone 19 system where it would get very expensive very 20 quickly if you were on the phone talking to Finland 21 for half an hour. 22 Because it sprang up the way it did 23 with a lot of volunteerism and a lot of academics 24 and a lot of funding, what you have is a system 25 that basically is a flat fee, just like your home 115 1 phone calls here in the States, which is not the 2 way it works in England. You pay for a unit of 3 time even for a phone call across the street. 4 Because of the way the U.S. phone 5 system started up, that somehow seems to have 6 perpetuated at least today, so I have a phone line, 7 it's off the hook all the time, seven days a week, 8 24 hours a day and that's all I pay for. I can 9 never use the Internet in a given month or I can be 10 constantly roaming world looking for interesting 11 things, not to steal, I add, but just things out 12 there. Software, documents. 13 You want to find out what the U.S. 14 Constitution is, go to the Library of Congress. 15 It's literally that fast. Want to see what the 16 National Museum of Australia is showing this week, 17 go over to Australia and find out what they are 18 showing. Go to Paris to see what -- it really is 19 that fast. It happens more quickly than I can get 20 the word out. 21 Q In one of the earlier slides when we were 22 talking about the data packet, you mentioned -- you 23 showed something like IP number and -- 24 A Oh, yes. That's my next slide. 25 Going back to the idea of the 116 1 telephone system for a moment, I'll keep coming 2 back to that ever so often because it is a valid 3 way of explaining what is going on. 4 On the Internet, each host computer 5 has a number associated with it. If you think of 6 it as a telephone number, that's a pretty good 7 place to start. There are some differences, not 8 the least of which the fact that we put dots in 9 between groups of them. Some computers have more 10 than one number. Some numbers have been allocated 11 but are not in use. That's one of the problems as 12 to why we don't know how many there are out there, 13 how many computers there are out there. 14 Q When you say some are allocated and not 15 in use, how does that work? 16 A Imagine that you could call the phone 17 company and say, "In the next five years, I think 18 I'll need 27 phones." And they say, "Fine, here 19 are the numbers," but you don't pay anything for 20 it, you just have those numbers set aside. 21 And that's precisely what happens, 22 there is an agency called the Internet Network 23 Information Center, and you e-mail them, send them 24 a message over the Internet and say, "I'd like to 25 have so many Internet addresses. Could you 117 1 allocate them to me?" 2 Q Is that just on the Internet or would 3 that apply to these IP addresses? 4 A That's what you're asking for. You're 5 getting a block of IP addresses allocated to you. 6 Needless to say, a lot of people 7 have delusions of grandeur and they're asking for a 8 lot of numbers because they might need them, but 9 they are not actually being used. So when you know 10 a company has got so many IP addresses allocated to 11 them, it doesn't tell you actually how many are 12 actually in use, how many active computers there 13 are attached to those numbers. 14 Q So that there can be a much smaller 15 number of active users of the IP addresses than 16 there are total number of IP addresses for a 17 certain location or -- 18 A Yes. 19 Q -- entity? 20 A Yes. Some people have done surveys, 21 electronic surveys trying to figure out how many 22 computers are attached to how many of these IP 23 addresses and they are finding numbers like 30 24 percent actually being used by computer systems. 25 Needless to say, we're running out 118 1 of IP addresses, but there is work afoot to fix 2 that problem and we go to a different numbering 3 scheme. 4 I mentioned that the IP address is 5 like a phone number but formatted differently. An 6 example 199.112.111.254. You notice I'm 7 pronouncing the dots. It an old habit. I'm sure 8 most programmers on the Internet do pronounce the 9 dot. You don't normally pronounce the punctuation 10 in a telephone number. That's how you know you're 11 dealing with programmers, that literal-mindedness. 12 Each of these is called an octet. 13 If you look behind them, there are eight zeros or 14 ones that represent them. O-c-t-e-t. Large 15 organization asking for a Class A network is 16 roughly the equivalent of saying, "Would you mind 17 if I had area 503 to myself?" That's what it's 18 practically doing. It's reserving the first octet 19 and the company itself can do whatever it wants 20 with the remainder. 21 Needless to say, as you can tell 22 from range of 1 to 126, there are not too many 23 companies that get away with asking for a Class A. 24 Big companies ask for Class B, and typically the 25 first octet will be in the range 128 to 191. This 119 1 is a pre-allocated number here and then the 2 organization has those two octets to do with what 3 they will. They can attach all of those numbers, 4 associate all of those numbers to computers, or 5 some or most. 6 Then small organizations, mine 7 included, has a Class C. The first octet is always 8 192 to 223, and the next two digits are 9 pre-allocated, but then I've got one octet to do 10 with what I wish. 11 Associated with the IP address is a 12 port number and just a local idea but does map 13 still onto the telephone system. The company 14 building has a phone number, a main number. Port 15 numbers are like extensions. Because of the way 16 the insides of the computer work, the happened to 17 be 655536. Sixty-five thousand five hundred 18 thirty-six possible numbers. Zero has a special 19 meaning, so you don't use it in general terms. But 20 1 to 65535, those are the port numbers, just the 21 way it works. 22 Q Is that all always the case? 23 A In terms of Internet Patrol addressing, 24 yes, and port numbers on those sites, yes. 25 Now, some numbers are preassigned. 120 1 I mean in the same way that the phone system, it's 2 rather like saying, well, if you are inside a 3 company what would you dial for an outside line? 4 The odds are you will dial nine. May not be, may 5 be eight. What would you dial for the operator? 6 Probably zero. 7 So some of these ports are 8 preassigned by convention for certain purposes such 9 as sending electronic messages, electronic mail, as 10 it called, or file transfers and so on. 11 Q By electronic mail, you are referring to 12 e-mail? 13 A Yes. 14 Q Does that usually have a preassigned port 15 number? 16 A Port No. 25, usually. Other ports, when 17 they are used, you just have to know. It sounds a 18 little bit arbitrary, but it's like calling into a 19 large company. If the person is on extension 3094, 20 just have to know in order to find out. You can 21 obviously ask and there are ways that you can ask 22 on the Internet. Certainly you can find out what 23 the IP address is to find the particular company, 24 but in some cases, you just have to know that 25 something or someone is on port one two nine four 121 1 seven thousand. 2 Q You mentioned that the IP addresses are 3 published on the Internet. 4 A Some of them are. Not all of them. 5 Q Would somebody interested in finding an 6 address within the company be able to look at this 7 directory on the Internet and find out any of the 8 IP addresses within a company? 9 A They could find the range of addresses 10 that that company was allocated, but probably 11 couldn't go any further. 12 Q And by the range -- 13 A They would know whether it was a Class A, 14 B or C network. And some organizations -- I 15 believe Intel has five Class B, or had at the time 16 of interest in this case. So you can, to some 17 degree. I mean, it stands to reason. There is no 18 point of having a lot of this if you can't find out 19 about it. 20 One thing is for certain. Even for 21 programmers, if you take the idea of all of these 22 computers and all these different IP addresses and 23 all these different port numbers, each IP address 24 having its own set of 65,000 port numbers, it gets 25 very confusing very fast. So not unreasonably as 122 1 we have done with the telephone system in a sense, 2 we give things names because names are easier to 3 remember, especially if you choose them from groups 4 of them. 5 In this particular case, it's names 6 of presidents, cartoon characters, mythical 7 characters out of novels, planets around the sun, 8 Mars, Jupiter Venus. It's up to you what you call 9 the system, but you can give a computer a name. 10 Then we have to solve another 11 problem, which is what happens if people start 12 using the same name. I'm sure there is more than 13 one Washington or Jefferson computers in the United 14 States. 15 What we do is group names together. 16 We call a group of names a domain. It a technical 17 name, but that's all it is. For example, here is 18 my full -- we call it a fully qualified domain 19 name. 20 Here is mine: andy@johnsonlaird 21 incorporated.portland.or.us. I'm in U.S. domain, 22 that group of names in the United States. And you 23 can work backwards, you can find a person's state, 24 the city and so on. That's about as close as the 25 Internet gets to geography because there is also 123 1 another naming system that classifies you by a 2 type. And I also have andy@jli@.com. "Dot com" 3 means commercial. 4 There are several different domain 5 suffixes that you will see used. Princeton's 6 ".edu," educational. The university used the 7 ".edu" so all of those names are clustered together 8 and all followed by ".edu." So Purdue did "eu." 9 USCS, ".idu." 10 ".gov." If you want to send the 11 President a message, ".gov." All the President's 12 organizations are organized together. 13 ".org" is an organization that 14 doesn't qualify for any of these other domains. 15 For example, it might be some non-professional 16 organization, not commercial, they're not 17 educational, but they are an organization, so 18 ".org" would be typically used there. 19 ".com" is commercial. ".mil," 20 military. Bearing in mind how the Internet got 21 started, there was a lot of military installations 22 that are on the Internet. 23 ".net," something to do with the 24 network itself. People who are helping the 25 consumer, as it were, get out onto the Internet, 124 1 the local organization in Portland is called Rain 2 Net? 3 THE COURT: Why is that? 4 THE WITNESS: I believe it's 5 customary to ask how long have you been in Oregon, 6 Your Honor? 7 And then you have the ".us" and 8 ".uk" and now around the world you'll see "sg," 9 Singapore; "jp" for Japan; "es" for Spain. Some 10 are not immediately obvious and some are. 11 This organization, the Internet 12 coordinates all this. It's voluntary. It doesn't 13 cost you anything. You simply -- if no one else is 14 using it, you apply for it. Unfortunately, 15 somebody has already got andy.com. I looked and 16 decided I couldn't use it, so okay, it's a 17 registration system. It's not a policing system. 18 Unfortunately, there is nothing to 19 stop you until recently for applying for a 20 mcdonalds.com. Someone did, it wasn't McDonald's, 21 the hamburger chain. 22 This whole system of naming is 23 coordinated with something that is effectively the 24 directory inquiry system, called DNS, Domain Name 25 System. And how it works is that the Internet will 125 1 set up the DNS machine, like directory inquiries 2 around the country. Let me walk you through how. 3 Imagine you have your computer here 4 and it would like to send a message over to me. 5 Bear in mind, the Internet only uses Internet 6 Patrol addresses. 7 Now, you remember my site name, 8 jli.portland.or.us or jli.com. Your computer will 9 have built right into it, some fragments of the 10 directory inquiry system. Doesn't sound quite 11 usual, but we all do it. You've all got books with 12 telephone numbers jotted in that relate a name to a 13 number. Maybe it's on the refrigerator door or 14 back of an envelope, but we all have what a local 15 supplier of the frequently used names. ***(ck) 16 That makes it much faster. You don't have to go 17 through the many directories inquiries every time 18 to call someone that you haven't spoken to for 19 several months. 20 If your computer doesn't know the 21 number, doesn't have any entry for my computer 22 system, when you first got on the Internet as part 23 of going on the Internet, you had to arrange or the 24 person who supplied you with the service arranges 25 for your computer to know how to dial directory 126 1 inquiries and it will dial, reach out across the 2 Internet and send a message to a machine that it 3 was told, when you need to look up an Internet 4 number, contact them. 5 Two machines supply the Domain Name 6 Service for Oregon. One is here in town and one is 7 in Phoenix, Arizona. Why Arizona? Why Phoenix? 8 Because it's on another network and if something 9 goes wrong here, this one isn't likely to be 10 affected. 11 Geography doesn't exist, doesn't 12 matter where it is. You might as well go to 13 something that is physically separate and then if 14 one half fails, you've still got access to the 15 other half. The difference is it probably takes a 16 few thousandths of a second longer to get to 17 Phoenix than it does to get to Portland. 18 Anyway, your computer reaches out 19 and said basically the same kind of conversation 20 you would have with directory inquiries. "I'm 21 looking for a guy named Andy at jli.portland.us." 22 And they will come back, "You will need 23 .199.2.111.1" Flies back to your machine and says, 24 "I can now send a message," like sending a real 25 postal message its address, the number is put on it 127 1 and you put it in the mailbox and it goes. The 2 difference there, it arrives there a few 3 thousandths of a second later. Or maybe if you're 4 way off in the back country in Fields, Oregon, it 5 might stage out through various other routes. 6 I did an experiment last night and I 7 was curious to see how long it took information to 8 move around the world. When I tried to send a 9 message to someone from Portland out to Beaverton, 10 it went to Seattle, Spokane, New York, and started 11 to come back across the country. Why? Well, we 12 all do the same thing. If you want to go into 13 Portland, you'll probably take the freeway. May 14 not be shorter, but faster. 15 The data information, you've heard 16 of the superhighway. You take the freeway. The 17 fact that it goes in a round-about way doesn't 18 matter. It gets there faster. That's the point I 19 was trying to drive home when I said geography 20 doesn't exist. 21 BY MR. SUSSMAN: 22 Q With these networks being connected this 23 way and having access through each other through 24 listed IP addresses, what do you do if you are a 25 private person, a government agency, a corporation 128 1 where you don't want other people just calling up 2 and checking out your computers? Are there certain 3 means of establishing security against that? 4 A Yes. I mean, it's appropriate to raise 5 that. 6 There is one of two ways to do that. 7 One is the fire wall, we call it. You set up a 8 wall to protect the individuals inside it or the 9 individual computers inside it. It's an electronic 10 means to keeping unwanted investigators and data 11 out of the computer systems. It also stops people 12 taking stuff the other way. 13 Q Stops people from taking things out and 14 in? 15 A Yes. I mean, here is the problem. Some 16 of the people in Europe have reached into the 17 United States and broken into computer systems, 18 either from Germany or from the Netherlands. I 19 mean, the United States is not without its fair 20 share of these crackers, and I use the word 21 "cracker" very deliberately. You heard me when I 22 was recounting my experience talking about hackers. 23 "Hackers" used to be a good word. 24 Its meaning got changed by the press. I used to be 25 someone who could hack away, persistent, really 129 1 knew his something, a technical guru. Now it means 2 people who break in. Unfortunately, it sets 3 uneasily with me because I'm a hacker in the old 4 sense. 5 The word "cracker" is now used more 6 correctly to describe people that break in. This 7 is what you are trying to guard against when you 8 are talking about that. It's not people just from 9 Europe. It's anywhere. People who are likely to 10 break in, either take stuff, put stuff or break 11 stuff or all of the above. That's in terms of fire 12 walls. 13 AT&T, according to some of the 14 literature I read over the last few years, will 15 experience attacks, that is, people probing their 16 corporate office buildings probe it electronically. 17 They will experience two or three a day, and that 18 number, I'm sure, is increasing. 19 Q How are these probes done? 20 A Done electronically over the Internet. 21 People are starting to probe in and say, "Can I get 22 into that machine?" 23 Q Is that done by somebody sitting at a 24 machine probing or done by computer programs or -- 25 A A bit of both. It depends on resources 130 1 and the amount of time that the cracker has at 2 their disposal. If you can write a program, I 3 don't know whether you've ever had the instance 4 where the telephone rings and you pick up and there 5 is no one there. That may be a cracker dialing all 6 the numbers. 7 That's the down side of free local 8 phone calls. Someone can take the 274 exchange and 9 dial from 000 to 999 and if a computer answers, it 10 whistles back. They know it's a computer. If you 11 pick up the phone and say, "Hello," they move on to 12 the next number. 13 We call it demon dialing, where you 14 dial every number. You can do that on the 15 Internet. You dial every number. You can do it 16 either manually, which is very slow, or write 17 computer programs that would do that. 18 Q The computer programs that would do that, 19 how fast can those computer programs do that? 20 Seems computers just -- you can turn it on, let it 21 run on and on and on. 22 A The computer program itself can run very 23 quickly. I mean, they can send out these data 24 packets very rapidly. The problem is the network 25 can't handle it, even the network just from their 131 1 computer out to the telephone line and wall may not 2 be able to handle it. 3 The actual computer software 4 required to take that data packet and put it out on 5 the phone line, it just starts to run erratically, 6 you get a traffic pile-up, quite literally. You 7 get lost data packets. They get badly mangled. 8 That's obviously in the electronic sense, but 9 imagine a badly damaged packet and you've got the 10 idea. 11 The fastest we were able to do it 12 when we did an experiment, was about 30 separate 13 simultaneous probes, I think the number was 32 or 14 33, excuse me, and we did it with the permission of 15 a particular site here in town, Reed College, and 16 we wanted to see how fast you could do it. 17 Q You were talking about corporate security 18 in general here and -- 19 A I was talking really in terms of fire 20 walls. The right way to visualize a fire wall is 21 where you have a billing with its outer perimeter 22 is made up of this fire wall. Of course, there is 23 no point in having a building with no windows and 24 doors, makes live tough to get things in and out, 25 so it is for electronic data. 132 1 So typically you will have a machine 2 that operates through a hole in fire wall, a 3 deliberately created hole, not a large, jagged 4 hole, and that -- just to show you a closeup of 5 that diagram. This fire wall is actually created 6 by a device calls -- my English accent says rooter, 7 but my -- I think it's called a router here. And 8 what it is, like a person inspecting data packets 9 and saying is this one allowed in or is this one 10 allowed out, based on who is sending it and to whom 11 it's going. And so it's essentially a man standing 12 guard, a security guard standing guard saying is 13 this data allowed in, is this data allowed out 14 based essentially on what the packet description 15 says, not necessarily on its content. 16 And then this machine here would be 17 essentially one of those machines that would be the 18 first to receive and first to send data out through 19 the fire wall. It would appear to be visible, as 20 it were. Through the fire wall of one of these 21 machines you can see out of the frame here. If you 22 were out here as a hacker, you wouldn't be able to 23 necessarily find those machines because they are 24 hidden behind the fire wall. 25 Q Is there a certain company or certain 133 1 companies that make those kind of routers? 2 A Yes. I mean, you can use a personal 3 computer for a router, but for dedicated routers, 4 companies that make them is Livingston an Cisco are 5 probably the two. 6 Q I think the jury may have heard of the 7 Cisco routers mentioned during the course of the 8 trial. This is the kind of thing we're talking 9 about? 10 A Yes, dedicated computer systems in their 11 own route. Their job is to be the security guard. 12 It's all effectively done by a series of rules. 13 It's very much like you had a security guard and 14 you were telling him how that person should act. 15 What are the rules? Well, if it's coming in, if 16 it's UPS coming in for that department, then it's 17 okay. We don't want any UPS coming in for that 18 department for security reasons. We're not 19 interested in receiving any ***of for these 20 particular kinds of packets and these rules would 21 consist of, well, do you block what's coming in or 22 do you allow it? The name of our ***company, the 23 port number, port 25. 24 Incidentally, I mentioned, that's 25 the electronic mail, e-mail port. You would 134 1 typically want to allow that in. Then there is the 2 remote host. If you know a particular computer 3 system, that is a trouble spot. Why? Because you 4 know they've been storing stolen software and you 5 worry about anyone breaking in there and you don't 6 want anything coming in from that machine. You 7 block it out, saying you will not accept any data 8 packets in or out for that machine. 9 And those rules obviously can get 10 quite complicated. They change daily. If there is 11 a new threat on the Internet, they will get changed 12 and the people who change them are folks called 13 systems or network administrators. And their job, 14 among other things, is to make sure that these 15 routers and fire wall tables are kept up to date 16 and make sense and there is no problems with them, 17 no contributions. That's real big one, just to try 18 to make sure it all makes sense and the good stuff 19 gets in and the bad stuff is kept out. 20 The way the fire wall happens in 21 operation is what you will normally do, if it's a 22 valid packet coming in, it will come to the 23 particular place in the fire wall, the particular 24 IP address in the fire wall, and it will be from a 25 particular computer with a particular port number. 135 1 Think of it as someone calling from that phone 2 number from that extension and they're coming into 3 a building and they want to go to that particular 4 telephone number with that particular extension, 5 that IP address, that port number. They pass all 6 the tests, so the fire wall router lets them in. 7 They come into this machine and ***bang through to 8 that particular machine. 9 Whereas if someone comes in and 10 tried to get in through some other IP address or 11 some IP address and port number that's not allowed, 12 the packet is just destroyed, just disappears. Not 13 even sent back. Just goes away. 14 Q This picture, this description of the 15 fire wall where it looks rather formidable, but are 16 these fire walls vulnerable to somebody coming 17 through from the outside in a way other than 18 through one of those routers? 19 A I'm not sure I completely understand the 20 question. 21 Q Well, are there ways to get through those 22 fire walls? 23 A Oh, those fire walls deliberately let 24 certain traffic in. They have to. I believe in 25 the particular case in question, anything that was 136 1 coming in through a port lower than 1023, 1024, one 2 thousand twenty-four, anything that was addressed 3 in would be allowed in because that's 4 conventionally, and allowed out. 5 That's a general statement, but the 6 routers certainly allow some traffic in and out. 7 That's the whole point, to separate what should be 8 allowed in and out from what shouldn't. 9 Q And are these fire walls that are set up 10 completely secure even in those? 11 A It a very good question. They are a 12 computer system like anything else. They have to 13 be programed up and they have to have some system 14 or network administrator telling the fire wall how 15 it's supposed to behave. If that security is 16 compromised, you've got a problem. 17 Q Any other ways then besides just the 18 routers for making sure that the security of the 19 computer system is -- 20 A I mentioned ***too of security, the 21 second layer really applies to individual machine 22 level, which is the passwords, which is a method of 23 verifying someone is who they say they are. It's 24 like ***a industry on duty again. 25 The idea is the individual whose 137 1 name is Phil, I mean anyone can say, "My name is 2 Phil." If you have a secret password known only to 3 yourself and the computer system, then this is a 4 method of saying, "Well, there is a reasonable 5 chance this person is who they say they are," 6 because the question, of course -- the question is 7 how good a password do you have. 8 Passwords, as I mentioned, apply to 9 individual levels to computers. One computer can 10 be used by several people, clearly. Similarly, 11 these central machines can be accessed by several 12 people and in some cases the way you need to access 13 the outside world is to go from your machine out to 14 this machine and beyond, so you have a lot of 15 passwords floating around inside an organization 16 and the organization security to some degree lies 17 in the hands of the people who make up the 18 passwords, and in many organizations, that's the 19 user themselves. They simply are told what their 20 user ID is. They may be told in an initial 21 password just as a means of getting in, but then 22 it's up to you. 23 It still surprises me occasionally 24 to discover that a lot of people when they are told 25 "enter password" type the word p-a-s-s-w-o-r-d. 138 1 they are doing precisely what the computer has told 2 them. It's lessening now. It used to be, I 3 believe I read somewhere one of research papers 4 said 35 percent of all passwords back then was the 5 word "password." Not very good security at all. 6 That's what you would see when you 7 try to log into a computer system to get access to 8 that computer system. "Please log in. Type in 9 user ID." Mine is "Andy" because I own the 10 computer system. I decided that's the way it was 11 going to be. 12 If you work for a large company, you 13 will frequently be told what your user ID or -- or 14 they may ask you what would you like your ID to be. 15 People are plain whimsical, they come up with a 16 name that amuses them, nothing more. 17 The password is echoed back as a 18 series of dashes or whatever, so anyone standing 19 behind you can't see what the secret word is. You 20 can change it from time to time. You can change it 21 daily. Of course, that's one of the big problem is 22 if you have accounts on several computers, you end 23 up pointing around with a whole series of passwords 24 and it can get somewhat embarrassing to show how a 25 computer system works and you can't remember your 139 1 own password because you have six to choose from. 2 Based on what I have seen in terms 3 of what I said, the wreckage analysis of people who 4 have broken into computer systems, the three or 5 four instances that's happened in the last couple 6 years, plus what I have read, the research papers, 7 the weakest link is the password system in terms of 8 security. They must be hard to guess. There is no 9 point in having a secret word if someone else can 10 guess it. 11 So, as I said, many people use 12 "password" as password or use words from the 13 dictionary. I'll explain the significance of that 14 in a -- but basically a program can be set up to 15 try every word in the dictionary. 350,000 words. 16 800,000 words. Takes a little time, but you try 17 all of those. 18 So some of the users thought, "I'll 19 be clever, I'll substitute a zero for an "O" and 20 digit 1 for the letter "L." They look the same, so 21 the password is relatively easy to remember and, of 22 course, the computer program just tries that. And 23 there are other variations as well. 24 Some people use what are rather 25 silly passwords, only in the sense they are easy to 140 1 guess, use their own name. User ID, Andy, 2 password, Andy. Or use the name of their wife or 3 spouse. Or they would use the name of their 4 occupation, dentist, barber, whatever. The name of 5 their offspring, their kids. Name of the dog. 6 Personal data, birth date, Social Security number, 7 Army serial number, whatever, anything associated 8 with them personally. Either can be guessed by a 9 programmer or guessed by a person. 10 This is really only one way, in my 11 experience anyway, of testing security. That is, 12 you test your own before somebody else does it. I 13 mean, after you've locked the door, you often try 14 the door to make sure it's locked. That's all 15 you're doing. 16 As I say, test your own before the 17 cracker tries it for you. Then it's too late. 18 More particularly, by the time you discover it, it 19 might be too late. And the one way to do it, you 20 attack the fire wall systematically, as I was 21 explaining to Mr. Sussman. You just try all the 22 numbers and see what happens. Doesn't cost you 23 anything. 24 Remember, it's a fixed rate 25 structure. You just set your program up and try 141 1 this IP address and try this port number. You can 2 narrow the search some. You can avoid trying 3 numbers that you don't think are going to work. 4 Either way, it's still quite a lot of numbers. You 5 can use the test programs, as I was explaining. 6 And you can attack the password with programs like 7 Crack. You can attack the password file. 8 BY MR. SUSSMAN: 9 Q And Crack is what kind of program? 10 A It's a program specifically designed to 11 take a password file with several passwords in it. 12 It's working on several passwords simultaneously. 13 It doesn't just try the first one and then second 14 one, so it takes the whole thing and then in 15 parallel tries to guess them by an automated series 16 of guessing. 17 I got the Crack program from a site 18 out east somewhere, I honestly don't know where it 19 is. May be the at Purdue or Carnegie Mellon, one 20 of the sites out east. I went out on the Internet 21 and got it back on my computer. The organization 22 that put it out on the Internet is the computer 23 emergency response team. They are the chief cops, 24 as it were, of the Internet. There is no charge. 25 And what it does is, it takes the 142 1 typical password that you or I might use and it 2 encrypts it, using the same mechanism, turning it 3 into gibberish, the same mechanism that the 4 computer system does. What it can then do is apply 5 a series of rules to try to guess it and it can use 6 these current encrypted passwords from the password 7 file that I mentioned, the dictionary rules, and it 8 has lots of rules, has its own dictionary, but has 9 rules. 10 For example, "teach," it would also 11 try "teaching," "teacher," and so on. "Teachers," 12 plural. It will try it backwards, try it with some 13 capital letters in the middle. If this is an "O," 14 it will try a zero, and all that kind of guessing. 15 What comes out at the end of it all, 16 and it takes a long time, we recently ran Crack and 17 it took, I think, about a day to try something like 18 32 different passwords. So if you have a lot of 19 passwords, it takes quiet literally days. It is 20 not a program that you sit around and wait to 21 complete because you have no idea when it's going 22 to finish. 23 That's what Crack does and the 24 output is this list of crack passwords that says 25 Andy's password is Andy or Andy's password is Fay, 143 1 my wife's name. Probably too short to be allowed 2 by the system, but that's the general principle. 3 The whole point in running this is 4 to then say to the users -- in fact, you would get 5 a list of all of these users and then send them 6 electronic mail message and says, "Please change 7 your password, you're a security risk." Someone is 8 going to potentially get the password file, run the 9 Crack program on it from the outside of the 10 organization, and then come back and break in. 11 One of the things that they might 12 try and do is to use a program called Telnet. 13 "Tel" as in meaning a long distance, "net," over 14 the network. It's a program that allows you to sit 15 here in Oregon and log into -- get access to a 16 machine in Japan. All you need is a valid user ID 17 and a password, valid as in it works. 18 And what you would see is when you 19 first logged into your own computer here, please 20 log in, user Andy, password, Telnet remote.com, 21 somewhere else, don't know where it is. Physically 22 I don't know where it is. Please log in, that is 23 remote.com replying now. 24 Now you have to remember what your 25 user ID is on that machine and what your password 144 1 is. In fact, you can go around the word hopping 2 and logging in on the machine all around the world. 3 Gets confusing. 4 People tend to use the same user ID. 5 Don't often get them ***gets confusing. You forget 6 where you are and which user you're talking to and 7 you suddenly go blank, you suddenly forgot which 8 user ID and which password you should be using. 9 Some machines will only give you three tries and 10 you're out and it can really slow you down and 11 become very cumbersome. 12 In the context of the fire wall, 13 Telnet appears again because if you are sitting 14 here on this computer, you would Telnet through to 15 this machine, the one that's exposed, the one that 16 can get through the fire wall, and from this you 17 Telnet out and then you can reach out and access a 18 machine out on the Internet, be it in Finland, 19 Norway, Korea. It also works incoming. 20 When I was in Singapore, this is how 21 I was coming back into my machine in Portland from 22 my hotel room in Singapore. I would be out here in 23 hot Singapore and dialing back in over the 24 Internet, not Telnet, over to my machine. I have a 25 fire wall, I don't have quite as much machines -- I 145 1 don't have quite as much machines as this diagram 2 shows, but I have a few. I could Telnet in and 3 come through the computer of choice, but I would 4 have to Telnet and Telnet, and when you're that far 5 away, one of the problems is while you're doing all 6 this, you want to cut the typing down to a minimum 7 because there is enough delay that you can't see 8 what you've typed. It's very frustrating. 9 Just to summarize what I was saying, 10 double telnetting is what we're saying. Double 11 telnetting is quite cumbersome. Makes other 12 operations quite cumbersome, like data transfers or 13 reading the mail because of the delayed feedback. 14 You type a letter and nothing happens. You think, 15 "Well, did I hit the key?" And so you type it and 16 then you see two of the ones you just typed, so you 17 have to backspace it, then doesn't backspace and it 18 backspaces again and you backspace again and it 19 backspaces two. 20 One of the things that we have on 21 our fire wall, we call it a proxy, proxy server. 22 What is that, you say? You go to a restaurant, you 23 don't go to the chef and order your food. You 24 speak to the waitress. You tell them. They place 25 the order. When the food is ready, they serve it 146 1 to you. That is a proxy server. "Proxy" means 2 they do it on your behalf. 3 So what we have is a proxy server 4 running in our fire wall so that when I logged in, 5 it knew who I was how user ID, password, and then 6 logs me straight into the machine where I want to 7 go. How does it know? We told it where I want to 8 go when we first put the things in. Told them I 9 would be dialing in from Singapore -- not Singapore 10 necessarily, but we told we'll be dialing in and I 11 want to get into this machine when I get there. I 12 don't want to have to double Telnet. I want to go 13 straight in. I still have to have a valid ID, 14 you're ID and password. It's not a wide open 15 system. 16 Q You still have to have a password on the 17 machine once you get inside? 18 A Yes. If I can back up a diagram. 19 In the particular case, we set it up 20 so I log in here and it immediately switches me 21 through. I could have easily well set it up where 22 I come into this particular fire wall and go 23 straight to that machine. 24 Q When you get to that machine, did you 25 still need a password to get into -- 147 1 A I only need one. Somewhere in the 2 system, I need one. Either if I'm coming straight 3 through into this machine I need a user ID and 4 password, or if we have to put it here I need a 5 user ID and password. I can't remember now why we 6 did it that particular way. I think we were in a 7 hurry. It was a last-minute operation before going 8 to Singapore. 9 Q We have asked you to explain another 10 concept to the jury which has been mentioned before 11 by several witnesses. At this point, could you 12 explain to the jury what an X Window server is? 13 A Sure. And X Window server, this is the X 14 Window system, refers to the windows that you see 15 opening up on your screen. It's a very large, 16 complicated system that was developed in 17 Massachusetts Institute of Technology. 18 What it really does is allow 19 individual computer programs running in your 20 computer to talk, as it were, to have electronic 21 conversation backward and forward with what's 22 happening on your screen on your keyboard. And 23 this mouse, which is a pointing device that you 24 move around on the table top so that you can, like 25 laser pointer, point it at various things that you 148 1 want the computer to work on. 2 The advantage to the X Server is 3 that regardless of what is here in terms of actual 4 hardware, be it an IBM personal computer or 5 computer system from HP, Hewlett-Packard, whatever 6 the computer keyboard and mouse, this program here, 7 the spread sheet program and word processing 8 program, they don't care because they are talking a 9 very standard language. 10 It's rather like being able to talk 11 English to every person around the world. It's a 12 very convenient thing to want to be able to do. 13 You don't have to learn a different language. You 14 don't have to change the program. And X Server 15 gets his name because it's offering these programs, 16 screen, keyboard and mouse services. 17 You want me to draw something on the 18 screen, fine, I'll draw it on the screen. Oh, he 19 just typed X, now he's moved the mouse. That's 20 what it's affording. It's just a standard way for 21 allowing programs to draw things, to read 22 keyboards, and to detect when the person moves the 23 mouse. 24 Q Can these programs be on different 25 computers? 149 1 A Oh, that's a good point. I did actually 2 show it on the slide, but didn't say the words. 3 The X Server lives where the 4 keyboard, the screen and the mouse is physically 5 located. In that computer, but these programs can 6 be in the same computer or could be on a computer, 7 you can probably anticipate, anywhere in the world. 8 This conversation can happen over the Internet. 9 Q So if we had somebody who was working in 10 Pittsburgh on business out of their home office 11 here in Portland and they had something like this X 12 Server, they could just communicate in through the 13 X Server and pull up one of these windows and see 14 just what they had on their computer back home? 15 A Yes, allowing for the speed of the 16 communication language sometimes can be a problem. 17 This program can simply be told, "I 18 know you're running on my personal computer in 19 Pittsburgh, but I want you to go out over the 20 Internet and work remote." It's typically 21 cumbersome, I mean in the sense of you have all the 22 communication links. 23 The more normal circumstance is to 24 see these in the same computer or at least in the 25 same building, just so these communication lines 150 1 are very, very fast. 2 Q If you could, I'd like you to revisit for 3 a moment the Crack program. If you want to use the 4 visual, I think we were back around No. 30 or 5 something that you were visualizing here the way 6 the Crack program runs. 7 If you have the Crack program 8 running on a particular file and you have this 9 process actively running, would it be necessary for 10 you to have a password on the machine on which 11 Crack is running to log in to look at the results 12 of the Crack run? 13 A Strictly speaking, yes, although there 14 are ways that you can do it from another computer 15 if you've told this other computer, "Hey, this guy 16 is okay." If he shows up and wants to use the 17 computer, lets him do it. That's the so-called 18 .rhost files. 19 Q Maybe you ought to explain for a moment 20 what is a .rhost file? 21 A I may have already done so. What it 22 allows you to do is to say if this user from this 23 computer -- if Mr. Sussman from his computer wants 24 to come onto my computer and use it, it's okay. 25 He's a trusted user. So it builds what we call a 151 1 web of trust and it simply allows someone to use a 2 computer system without asking for a password. You 3 still have to have a valid user account. 4 Q You do? 5 A Oh, sure. 6 Q Does the existence of the .rhost file 7 itself create a security leak or is that protected 8 by having to have this password to get in there? 9 A Well, there is several answers. In the 10 strictest sense of the question, it can. If there 11 is a web of trust and someone isn't who they say 12 they are, then you obviously have a security 13 problem. 14 The existence of a "R" host file or 15 the contents of it depends on other things around 16 it. Has a cracker already got into that particular 17 machine? Can the rhost file be contaminated, 18 changed, corrupted, whatever word you want to use. 19 So it can present -- 20 Q Typically you wouldn't log onto it 21 without having -- 22 A Not in the first place. 23 Q -- without having the working password? 24 A In the strictest sense of the question, 25 no. 152 1 Q The questions I'd like to go over now 2 will deal with more of the specific issues in the 3 case. I think that covers the presentation about 4 the general Internet and how the security features 5 work. 6 A Yes. 7 THE COURT: Let's take our 8 mid-afternoon recess. We'll take 10 or 15 minutes 9 here. 10 (Whereupon, the following 11 proceedings were held in 12 open court, out of the 13 presence of the jury:) 14 15 THE COURT: Mr. Sussman, you have a 16 matter? 17 MR. SUSSMAN: I was going to offer 18 some exhibits. I was going to offer -- I've had 19 marked for identification the various visuals that 20 were used for this part of the presentation. I've 21 given a copy to the State and I would propose to 22 offer those as exhibits. 23 THE COURT: Have you seen those? 24 MR. TINTERA: Yes. 25 THE COURT: Did you have any 153 1 objection? 2 MR. TINTERA: Yes. 3 THE COURT: What's the objection? 4 MR. TINTERA: They are used for 5 demonstrative purposes. They shouldn't be going 6 back to the jury. 7 THE COURT: Hand them up and let me 8 take a look at them. 9 These are all the transparencies 10 that he used during the presentation? 11 MR. SUSSMAN: Yes, for this portion 12 of the presentation. 13 THE COURT: We'll be in recess for 14 about 15 minutes. Thank you. 15 (Recess taken.) 16 17 THE COURT: Defendant's Exhibits 116 18 through 150. The objection by Mr. Tintera was that 19 they were just demonstrative and there was no need 20 for them to be received by the Court and go to the 21 jury. Anything else on that issue? 22 MR. TINTERA: No, Judge. It was my 23 understanding that this part of the presentation 24 was for educational purposes for the jury. It was 25 not actual evidence in the case in regard to the 154 1 facts of this particular case. 2 THE COURT: Well, it's similar and 3 in more detail to that which we have heard from 4 many other witnesses. It's not different, really, 5 except it's been presented in a different fashion 6 and may be more cohesive and instructional. 7 Nevertheless, this is the kind of 8 thing if the witness had stood at the board and we 9 had taken two days and drawn all these out in a 10 colored ink, I would have permit it to go to the 11 jury. So I will receive these exhibits. Thank 12 you. 13 (Whereupon, Defendant's 14 Exhibit Nos. 116 through 150 15 were received in evidence.) 16 MR. SUSSMAN: Thank you, Your Honor. 17 THE COURT: Anything else before we 18 begin? 116 through 150 are received. 19 Bring in the jury. The witness will 20 resume the stand. 21 (Whereupon, the following 22 proceedings were held in 23 open court, the jury being 24 present:) 25 THE COURT: Mr. Sussman, proceed. 155 1 MR. SUSSMAN: Thank you, Your Honor. 2 BY MR. SUSSMAN: 3 Q Mr. Johnson-Laird, in preparing for your 4 testimony in this case, were you presented with 5 reports and documents to review? 6 A Yes, I was. 7 Q And what did that include? 8 A Oh, I read through the various police 9 reports and the various reports from people inside 10 Intel describing the incident. Looked at some of 11 the documents that were produced as being computer 12 printouts of what had been found on various 13 machines and things of that nature. 14 Q And in addition to those reports and 15 documents, show you a couple other documents. 16 First, there are two documents here 17 that have already been marked as State's Exhibit 16 18 and State's Exhibit 19. Do you recall reviewing 19 these documents? 20 A Yes, I do. 21 Q And what was document 16? 22 A Document 16 is a printout of the actual 23 computer program which I guess I referred to as 24 Gate X. It was the gate program that connected 25 through to the X Server that I described earlier. 156 1 Q Is this the gate program that was written 2 by Mr. Schwartz? 3 A I understand that to be, yes. 4 Q And what about Exhibit No. 19? 5 A This is another variant of that program. 6 I'm just trying to determine which variant it might 7 be. I think it corresponds to the program that I 8 started calling Gate 3, but then simply called 9 Gate. 10 Q Now, I have two documents that are marked 11 for identification as State's Exhibit 153 and 154. 12 THE COURT: State's or Defendant's? 13 MR. SUSSMAN: I'm sorry. 14 BY MR. SUSSMAN: 15 Q Marked Defendant's Exhibits 153 and 154. 16 What is 153? 17 A 153 is a computer printout that I 18 produced of I believe it to be State's Exhibit 16. 19 The only difference is, I printed line numbers down 20 the left-hand side. 21 Q That corresponds to Exhibit 16? 22 A Yes. 23 Q And Exhibit 154, does that correspond to 24 State's Exhibit 19? 25 A Yes, it does. 157 1 Q And it was produced the same way for your 2 reference purposes? 3 A Yes. Just to make it easy to talk about. 4 Q I'd like to show you two other documents, 5 one that has been marked for identification as 6 Defendant's Exhibit 151, and can you identify what 7 this document is? 8 A This is a printout again of a program, I 9 called it Door 1. I believe it to be the first 10 door program that Mr. Schwartz wrote, and again, it 11 has line numbers on the left-hand side. 12 Q And what's the document identified as 13 Exhibit 152? 14 A This is the second version of the 15 program, Door 2, which I gather he wrote as the 16 second version of the first door program. 17 Q Now, I'll leave these with you for the 18 moment and come back to these in a minute. 19 One of the things I want to ask you, 20 as I suppose a computer scientist, when I say to 21 you -- what does it mean to you if I say -- talk 22 about altering a computer or computer system, what 23 does that word "alter" mean in that context? 24 A It's a bit vague. There are several 25 meanings to the word "alter." Strictly speaking, 158 1 and just reacting as a computer scientist, 2 literally really means any change, but also means 3 any change whatsoever. Sending a data packet to 4 the computer would alter the computer by that 5 definition, and I'm not sure if you want me to take 6 it quite that literally. 7 Imagine if I said to you, "You can 8 use my car, but don't alter it." That's the sort 9 of common, everyday use that I would suggest might 10 be the second meaning of the word "alter." 11 Q Putting a keystroke on the computer, 12 would that -- 13 A Literally as a computer scientist that 14 alters the computer because something changes in 15 the computer. The fact that the key is pressed 16 alters something. 17 Q Under that definition, would getting a 18 list of files alter a computer? 19 A Yes. I mean, the moment you do anything 20 to the computer, if it's starting from at rest and 21 you walk up to it and you do anything to it, 22 electronically or physically, you alter it. 23 Q So if I said again -- as a computer 24 scientist, if I said to you, "You can use the 25 machine but don't alter it, you can use this 159 1 computer but don't alter it," what would that mean 2 to you? 3 A I think it would have to mean don't go 4 near it. 5 Q In a practical sense, though, you could 6 not function that way, so what would -- 7 A If you are just looking at it in a 8 practical sense, it would mean don't do any -- like 9 the car, for example, don't do anything, don't 10 damage it, don't do any permanent changes, don't 11 change the color or take a wheel off or something 12 like that. 13 Q But if you are a computer person, are 14 confronted with a restriction that says don't alter 15 the machine, how would you deal with it? 16 A You can't. It's a contradiction. 17 Q You've had a chance to review -- there 18 are several programs that Mr. Schwartz wrote that 19 are at issue, that are involved in the issues of 20 this case that allowed him to have access to Intel 21 computers inside the fire wall you described from 22 an outside connection. 23 A Yes. 24 Q And are those programs that were written, 25 were those the ones that you were referring to as 160 1 Door 1, Door 2, Gate X and Gate 2? 2 A Well, the last one was just called Gate. 3 But yes, those are the programs, as I understand 4 them. 5 Q Now, did you have the opportunity then to 6 review those and evaluate what each of those 7 programs did? 8 A Yes. 9 Q Now, can you explain for the jury the 10 first Gate program? I'm sorry, I'm misspeaking 11 myself. 12 The first program we're referring 13 to, the first one that was written is the one that 14 was referred to as Door 1? 15 A That's correct. That's the one I believe 16 is Door 1, yes. 17 Q What does that allow? What kind of 18 access does that allow? 19 A Basically when it's running in the 20 computer and only when it's running in the 21 computer, it would allow someone outside, I guess 22 outside Intel in this particular case, to connect 23 to the particular IP address and port number on 24 which this program was listening, as in it's going 25 to answer the phone if you dial that number and 161 1 that extension, then the Gate program will 2 basically sit and wait silently, picking up the 3 phone and say nothing. 4 If you happen to type the right 5 magic word, and you have to know them, it will then 6 connect you through into a computer inside Intel. 7 If you don't know the magic word or you don't even 8 realize it's there, it's just like picking up the 9 phone and saying nothing. It would just be silence 10 on the line. You won't hear it hang up. You'd 11 know someone or something was there, but it 12 wouldn't respond. 13 Q And so as a practical matter, if you 14 somehow got into a computer inside, what would you 15 actually see? 16 A You mean if you got through the Gate 17 program? 18 Q Yes. 19 A So you're presuming that you know the 20 magic word or pass phrase? 21 Q Yes. 22 A You're saying if you got through? 23 Q Yes. 24 A Depends on which machine you've connected 25 to because you're now talking through to another 162 1 telephone number and another extension. What's on 2 there? Don't know. Might be something, might be 3 nothing. It might announce its presence, it might 4 not. You don't know. 5 Q Now, what security features were built 6 into this first program? 7 A This is a particular line of code, it's a 8 very complicated line of code, but what it 9 effectively says, unless you type a magic number -- 10 excuse me, a magic word followed by an IP address, 11 an Internet Patrol address followed by a port 12 number, this program isn't going to do a thing. 13 It's just going to sit there silently and won't 14 even announce its presence. 15 Q That program that is referred to as Door 16 1, does that correspond to this additional exhibit 17 which was previously marked for identification as 18 Defendant's Exhibit 111? 19 A Yes, this is Door 1. 20 Q And 111 is referred to as Gate? 21 A There is a reference in one of the source 22 headlines, yes. 23 Q Other than that, are they identical? 24 A Without a lot of study, I couldn't say. 25 But they appear to be superficial. Yeah, 163 1 superficially. Yeah, they appear to be. 2 MR. TINTERA: I missed that, 111 3 equals 151? 4 MR. SUSSMAN: I'm sorry. 5 THE WITNESS: That's my 6 understanding. 7 THE COURT: Except for the reference 8 in one of them is to Door and the other is to Gate, 9 is that it? 10 MR. SUSSMAN: That's right. 11 BY MR. SUSSMAN: 12 Q Now, in your opinion with the program 13 which is identified as Door 1, does that program, 14 assuming that program were set up to allow access 15 to a computer within Intel that it otherwise was on 16 a network going to the Internet, does that computer 17 leave Intel security wide open? 18 MR. TINTERA: Objection. 19 MR. SUSSMAN: I'm sorry, that 20 program. 21 MR. TINTERA: Question in aid. 22 23 24 25 164 1 EXAMINATION IN AID OF OBJECTION 2 BY MR. TINTERA: 3 Q Have you ever worked for the Intel 4 Corporation? 5 A No. 6 MR. TINTERA: I don't have an 7 objection, Judge, to that question. 8 THE COURT: All right. Go ahead. 9 THE WITNESS: I'm sorry, could you 10 repeat the question. ***(ck speaker) 11 BY MR. SUSSMAN: 12 Q In your opinion, would that leave the 13 security of the computer system within Intel behind 14 the fire wall wide open? 15 A Well, it's a little difficult for me to 16 say when this program -- I mean, you have to 17 consider the whole situation. I can't talk about 18 the whole of Intel or whether it was wide open 19 before this program came. 20 Let me just answer the question 21 focusing just on this particular program, if I may. 22 Q Okay. 23 A I can't see how it would leave the 24 security wide open. You are confronted with a 25 silent challenge. If you are a cracker outside of 165 1 Intel and you have no -- 2 MR. TINTERA: I object. He's 3 answered the question. 4 THE COURT: Overruled. Go ahead. 5 He can explain. 6 THE WITNESS: If you are outside and 7 you have not inside knowledge, that's a key point 8 to me. There is no way you would know what this 9 program was expecting. 10 How can it leave the security wide 11 open? You could play with this program until the 12 cows came home and you wouldn't get through. You 13 got no -- I can give you an example of kinds of 14 security: I'm not going to answer any more 15 questions unless anyone in the courtroom can think 16 of the word that I'm thinking of. 17 MR. TINTERA: Now I think we are 18 beyond answering the question when we get into 19 examples. I object. 20 THE COURT: Overruled. Go ahead. 21 THE WITNESS: Clearly, I'm not going 22 to stand by my own rule, but you see the problem. 23 I'm thinking of something that's in the program, 24 you don't know what I'm thinking of and it's very 25 secure. I can guess continuously for years and 166 1 years. You'd have to just know. 2 BY MR. SUSSMAN: 3 Q In a situation like this, the first line 4 of defense is the password? 5 A In this particular situation, the first 6 line of defense is you've got to find it. 7 Q You mean the correct IP address? 8 A And the correct port number. 9 Q Well, aren't there -- we talked about 10 this a little bit in your earlier presentation, but 11 aren't there these robot computer programs that can 12 continuously probe for an open -- for a certain IP 13 address and then once the IP address is located, 14 probe for the port connections and do that in a 15 matter and in a time frame which is a matter of 16 thousandths of a second in order to find out, test 17 the range of addresses which are well-known on the 18 Internet? 19 A Sure. We wrote a program. I can 20 certainly write a program to do that. 21 May I use a visual, because I've got 22 some results from the experiment that we did, if 23 that's not inappropriate. 24 THE COURT: Just answer the 25 question. 167 1 THE WITNESS: Yes, you can write a 2 program. Our results were something like on 3 average, if you had 33 simultaneous probes going, 4 just to speed it up, I mean you just had more of 5 these programs trying, 33 seemed to be the maximum, 6 it took 26-thousandths of a second to discover 7 whether there was something connected to one port. 8 And depending on how many ports and machines you 9 choose to examine. 10 And there is two ways of looking at 11 it. One is the theoretically maxim, and one is go 12 to the directory and require the system to see how 13 many machines are likely to be there. And it would 14 either take somewhere in the range of -- we came up 15 with 398 days, if you took the smaller number, and 16 17 years if you took the larger number. That's 17 yesterday's speed, literally yesterday, which I 18 think will be much faster ***than when the incident 19 discussed in this case occurred. 20 BY MR. SUSSMAN: 21 Q That's, of course, presuming that you 22 don't have the inside information of knowing the IP 23 address to start with? 24 A That's assuming that you are outside and 25 you're a cracker trying to be inside. 168 1 Q When you ran that -- you mentioned that 2 you ran an experiment that produced those results. 3 What computer did you run that experiment on? 4 A We used the SPARC 10 that is in my 5 company and we attacked Reed College, with 6 permission, I hasten to add. 7 Q The SPARC 10, we have -- you've read some 8 of the reports in the case, is that the same type 9 of machine that in this case was referred to as 10 Snoopy? 11 A Yes. I think Snoopy was a bigger, 12 better, faster model, but the limiting factor here 13 is not how fast the actual computer is, it's how 14 fast can you send out these calls over the Internet 15 to try things out. And data that we got yesterday, 16 I think, was probably -- excuse me, we did it on 17 Sunday deliberately because it was a quiet time and 18 then we ran it again later. 19 The thing that really affects it is 20 how much traffic is on the freeway, how much 21 traffic is on the Internet. That determines how 22 long it takes to get out and get back. Sure, you 23 can do it in parallel, because it did 33 in 24 parallel, but there is still an upper limit as to 25 how fast the computer at the other end will 169 1 respond. But it still came up with numbers that 2 were quite large. 3 The point I was trying to make in 4 terms of using the data communication lines as 5 there are now, they've got a lot faster in the last 6 few years and so we have got some very optimistic 7 numbers, I think, in terms of 398 days. 8 Q This would be, you say, based upon a 9 random computer program trying to break into the IP 10 addresses randomly and then checking each port? 11 A Well, I may be being a literal computer 12 programmer here. I would say not random. You're 13 starting at one, two, three, and working your way 14 up. I mean, so as not to upset Reed College, I 15 think we started at port 10,000 in the range of 16 zero to 65565535, but it gives us a pretty good 17 idea if you do 10,000 you can be pretty certain it 18 will take more or less the same for the next 10,000 19 and next 10,000 after that. 20 Q Let's suppose before you started this 21 experiment you had the opportunity to look at the 22 code in that program so that you knew an IP address 23 or certain code to start with, how would that 24 affect the speed with which you could find that the 25 appropriate port gets through the fire wall and -- 170 1 A You said "that program." Do you mean the 2 Door program or -- 3 Q The Door program, that's right. 4 A Even if I looked at the code here, I 5 couldn't necessarily know which machine it was 6 running on. It's not in here, it doesn't have -- 7 we call it hard wire. It's not actually written in 8 here which IP address is going to be available. It 9 doesn't tell us which port number it's going to be 10 listening on. These are things that were decided 11 by whomever, presumably Mr. Schwartz when he 12 actually started the program. He would tell it 13 there and then some of those kinds of information. 14 Q And on the other hand, if you had certain 15 additional inside information known to somebody 16 within Intel about what IP addresses there were, 17 what machines there were, and you were running that 18 program, how would that facilitate your ability to 19 go through the fire wall and inside to the Intel 20 machines? 21 A Well, I think we have to bring it out a 22 little better. 23 First, as I said, we have to find 24 it. If I knew which machine it was running on, I 25 would still have to go through the ports. That 171 1 would obviously slow me down a little bit. So you 2 still have to find it. Slows me down maybe half an 3 hour. 4 Then the question is, okay, I've 5 found it and do I have -- how much inside 6 information do I have I guess is my question. Do I 7 now know what the magic word is? Do I now know the 8 valid IP address and port number through which or 9 to which I'm now to connect or do I not? 10 Q So you're saying even if you sort of know 11 the IP address and the port number, then you still 12 need to know the password? 13 A It's going to connect to something, is my 14 point. Once you get through the gate, you're going 15 to talk to a computer. Which computer? You'd have 16 to know. Which port, you'd have to know. What is 17 it going to say? You'd have to know. Otherwise, 18 you just can't do it. 19 Excuse me, I should also say when 20 you finally get there, you may well be confronted 21 with employee's log-in. What's your user ID? 22 You'd have to know. What's your password? You'd 23 have to know. 24 Q For a large corporation like Intel, which 25 has a fire wall and certain security measures built 172 1 up, if somebody were mounting a concerted attack, 2 you might say, on the fire wall look for a gate, a 3 program like that that would have some IP address 4 inside or port number, what -- would there be some 5 way to determine if something like that was 6 happening? Would it be noticeable as far as the -- 7 affecting the amount of traffic coming into the 8 company? 9 A Well, you could certainly write a program 10 that will trip an alarm. I believe AT&T, it's 11 documented in one of the books on Internet 12 security. They say they have alarm systems -- 13 MR. TINTERA: Objection. 14 Unresponsive to the question. The question asked 15 him would this be noticeable. 16 THE COURT: Sustained. Just answer 17 the question yes or no to start with. 18 BY MR. SUSSMAN: 19 Q Would it be possible, a concerted effort 20 to attack sort -- 21 THE COURT: Yes, no -- yes, no -- 22 yes, no or maybe. 23 THE WITNESS: I'm sorry. I'm being 24 literal. Yes, if there was a suitable program 25 there to detect it. If there wasn't, no. 173 1 BY MR. SUSSMAN: 2 Q Would it affect the amount of traffic on 3 the wires of the Internet coming into the company? 4 A I hate to use the word -- it would 5 certainly alter it. Whether or not it would affect 6 it to the point that in and of itself caused an 7 alarm depends how quickly you sent out the packet. 8 If you send out 30 packets and wait, 9 30 packets and wait, the company the size of Intel 10 would probably be a drop in the ocean. I don't 11 know. I can't know. 12 Q Have you heard the term "security through 13 obscurity"? 14 A Sure. 15 Q What does that refer to? 16 A It means you achieve security merely by 17 making something less than obvious. I mean, a 18 password is security through obscurity. The reason 19 you can't know it is because you can't guess it. 20 Or a needle in a haystack is security through 21 obscurity. Or having a machine behind the fire 22 wall at a certain IP address and certain port 23 number, that's obscure. You can't just plain guess 24 it. 25 Q Come back to take in a moment. I want to 174 1 direct your attention to the second Door program. 2 How does that change the first Door program, if at 3 all? 4 A It merely applies an extra restriction 5 that you've got on -- you've got to know it's this, 6 obviously. You've got to know the magic word and 7 the IP address and the port number of the machine 8 you want to get to still. Then adds another 9 criteria, which means you have to be calling from a 10 particular area code, a particular exchange. In 11 fact, you have to be using a computer on network 12 128.215, and that's a Class B net, so you don't 13 really know what the digits below that are. 14 Basically send it, you have to be within the 15 Internet -- in the Intel Internet. 16 Q So it narrows -- it tightens the scope of 17 the first one, it restricts the first Door program 18 to a specific address? 19 A For the next -- for the machine that is 20 talking to one running Door, yes. I mean, if 21 somebody is working their way through, if the final 22 packet arrives at this program and says, "I just 23 came from a machine from inside Intel," then it 24 would be allowed through. 25 Q Now, I'd like you to take a look at 175 1 Exhibit 153. That would be the program marked Gate 2 X. 3 A Right. 4 Q And what -- how is that different? What 5 is that from the first -- the first Door program? 6 A It differs insofar as it's now -- doesn't 7 require you -- excuse me. Gate X does still 8 require -- no, I beg your pardon, it's been 9 commented out, it does not require the magic word, 10 nor does it require an IP address and a port 11 number. 12 When I say "commented out," the 13 programmer, Mr. Schwartz, has just put a loading 14 character that says it's still here, but take no 15 notice of it, it's not effective. That's what 16 fooled me for a moment. 17 More to the point, it's hard wire 18 actually built so that if you from the outside come 19 to Gate X, it will connect you to an X Server on 20 his particular machine, whichever machine he 21 specifies when he starts the program. So it's a 22 very much more -- like a laser beam pointing at one 23 machine and one particular port on one machine. 24 Q So how does this differ in terms of 25 the -- on the first program, if somebody got -- 176 1 somehow managed to find their way through the fire 2 wall, it would allow then -- and got to a machine 3 inside, it would allow -- there was no restriction 4 to which machines within the fire wall could then 5 be accessed? 6 A I'm sorry, I got lost in your question. 7 Q On Door 1, if somebody got through the 8 fire wall, would it be accurate to say that there 9 was no -- and managed to find a machine inside 10 Intel, there was no -- the potential access was to 11 any machine inside the company? 12 A Well, I mean, you could send a data 13 packet to any machine, to any IP address, to any 14 port number, but that doesn't mean that you could 15 get into that machine. You still need to know how 16 to get into the machine. 17 Q Certainly, but if you did -- 18 A If you did then get into the machine? 19 Q Yes? 20 A Then what's the question? 21 Q In Door 1 was there any restriction on 22 which machine? 23 A No. You could specify a particular IP 24 address and the port number of your choosing. 25 Q And on Gate X, the difference, one 177 1 difference was that it specified and narrowed it 2 and only allowed access to a single machine? 3 A On Gate X, yes. If you were calling from 4 the outside, you could get to one port on one 5 machine and that's it. 6 Q And when you got to that machine, were 7 there any layers of security once you reached that 8 machine? 9 A Well, this is pointed out at a particular 10 port usually used by this X server, so there was no 11 additional logging in required, but what you can do 12 is very limited. If you were the X Server 13 controlling the screen and keyboard, it just means 14 a program outside this computer on which this is 15 running can now send something to the screen, 16 that's all, through X Server. 17 Q Now, looking at the last program, what 18 you refer to as Gate, does that -- how is that 19 different, if at all, from what you've referred to 20 as Gate X? 21 A This one could be switched to do one of 22 two things. Either it could be connected through 23 to one IP address, one port number at which the 24 Gate -- excuse me, at which the X Server program 25 was sitting there, bearing in mind that it wasn't 178 1 there all the time, but if it was there, then you 2 could have a program, display some text or whatever 3 on the screen, or it could be switched over so that 4 you could connect to this so-called Telnet so that 5 you can then dial in, log in, user ID, password 6 required. 7 Those are the two things it could do 8 on the particular machine, the particular IP 9 address and particular port number. 10 Q Now, were there any restrictions or 11 security blocks once you reach that point? 12 A Well, as I said, if you were in the 13 Telnet mode of operation, you would -- from the 14 outside of the computer running this, you would be 15 confronted with a user ID, password question. If 16 you did not know the answers, I don't know whether 17 the words would be accessed. You are confronted by 18 the computer. But unless you've got a valid user 19 ID and password, you're not going to go any 20 further. 21 Q So then still presents another layer of 22 security even if you are inside the fire wall? 23 A Sure. This is presuming that you found 24 the Gate program in the first place. 25 Q Now, you had mentioned on Gate -- two 179 1 Gate programs that it got you to an X Server. 2 A Right. 3 Q Could someone besides the user, say, 4 Mr. Schwartz, get access to the X Server by looking 5 over, sort of in figuratively looking over the 6 shoulder, somehow getting access to the line and 7 watching what -- 8 A There is a utility program which is a 9 special name for a kind of program that just does 10 useful things, it's called X Watch Within and 11 someone outside the computer on which this program 12 was running physically remote -- and remember my 13 example where the computer programs were outside 14 the computer, you can run X Watch Within and you 15 could watch what someone was doing. You can look 16 at the windows. It's a look but no touch. 17 You can make it look like the user 18 is typing something. The system will not accept 19 what we call synthetic keystrokes, that is fake 20 keystrokes, so you can certainly watch what someone 21 is doing. 22 Q But you couldn't do anything else? 23 A No. 24 Q You couldn't go any further? 25 A No. And you had to have the X Server 180 1 running up in the first place, which meant 2 Mr. Schwartz would be at his machine logged in. 3 Otherwise, there is no X Server. 4 Q To run a program like that, to watch the 5 X Server, is that something that takes any great 6 length of time to get, to access the -- 7 A To start the X Server up? 8 Q No. For the first looking over the 9 shoulder. 10 A Oh, depending on the speed of the data 11 line between you and -- yes, whenever I've tried to 12 use it, I've almost always given up. It's too damn 13 slow. Can't get it to work. You sit there and 14 wait and it's like molasses in February to work. 15 Q How is the ability of someone to look 16 over a shoulder what's on a window in X Server 17 affected if the person using the X Server turns the 18 machine off, say, at the lunch break or upon going 19 home at night? 20 A No X Server. There is nothing to watch. 21 It's no longer there. If the computer is -- the 22 user logs out or switches the machine off, either 23 way, there is no X Server, there is nothing 24 literally to control or to manage the screen or to 25 deal with any of the other -- 181 1 Q Does that practice provide any additional @ 2 security against somebody sneaking a look over the 3 shoulder of a person on an X Server? 4 A You mean the practice of logging out? 5 Q Yes. 6 A Oh, sure. I mean, it's highly encouraged 7 to log out when you walk away from your computer, 8 otherwise someone can walk up to it and suddenly 9 they have access to whatever you have access to. 10 And there is reported cases of doing what we call 11 spoofing, I pretend to be you and I send is a 12 message as though I was you, and when you come back 13 you have no idea that a message was sent. Nobody 14 outside the world. 15 Q Come back to what I asked you before 16 about security by obscurity. You were talking 17 about the first two gate programs and you said you 18 had to find the IP address and the port number to 19 get into this particular machine. 20 Would it be an appropriate analogy 21 for the security of that program to describe it as 22 like shutting your door but not locking it and just 23 hoping that nobody comes by to open the door? 24 A It's a bit of an overstatement. I mean, 25 its really not quite the same. I mean, because 182 1 there is a door or gate, whatever we want to call 2 it, and certainly you have to discover it, but when 3 you get there, it doesn't give you broad access. 4 You still have to know in various versions what the 5 IP address and port number to which you wish to 6 speak. 7 There still has to be something 8 listening on that IP address and port number. 9 There is an awful lot that has to work right before 10 you can get anywhere. 11 Q To use that analogy on the first program 12 on Door 1 and Door 2, the first password is 13 locked -- 14 A It's not a single password. It's the 15 password and IP address and -- but an outsider 16 wouldn't even know that was required. That's the 17 point. It not as though it says, "Please log in," 18 so you know what is expected. You're confronted 19 with a blank screen. 20 Q And on the two gate programs, would the 21 analogy then be more like admit the front door 22 might not be locked, but you don't know that there 23 is a door there to begin with or -- 24 A Now you move through further into the 25 network, but you're still confronted either with a 183 1 log-in message, so now you've still got the 2 obstacle of log-in. And in the other case, you'll 3 be talking to an X Server and X Server doesn't talk 4 to people. At least it doesn't talk the language 5 that we talk and you'd have to recognize it as an X 6 Server first. You might not even recognize it. 7 Depends on the level of experience. 8 Q How difficult is it -- on the two gate 9 programs is it to find the program to start with? 10 A Well, that's the case of how do you find 11 them in all these IP addresses and phone numbers 12 and you have to do the demon dialing. 13 Q So it's more like a needle in many 14 haystacks? 15 A That's a fair analogy of it, sure. 16 Q Would it be accurate to say then that 17 these door programs and gate programs actually 18 bypass the fire wall? 19 A That they are operating through the fire 20 wall. They are not bypassing it per se. They are 21 in the exposed machine. They are doing what the 22 fire wall actually permits to happen. There is no 23 special magic privileges or anything like that. I 24 mean, this is -- the fire wall is passing the 25 packets through. 184 1 Q I'd like to shift your attention for a 2 minute to a separate issue here. 3 You had mentioned in your earlier 4 discussion that a program called Crack is commonly 5 used to test the security of passwords in a system 6 and you've read some of the reports and you're 7 aware of the fact that Mr. Schwartz had run -- in 8 this case it involved facts indicating that 9 Mr. Schwartz had run a crack program on passwords 10 and separate password files, and this was done from 11 a machine at a workstation inside of Intel and the 12 program was run under his user name Merlin. 13 It was run with the total of the 14 program Crack and the files that were the object of 15 the Crack program were identified as password.ssd, 16 referring to the password file from SSD. 17 A That's correct. 18 Q And with that in mind, what I would like 19 you to explain to the jury what in your experience, 20 a person who is trying to break into a system, a 21 cracker, how does a cracker, a person trying to 22 break into a system and take secrets from or 23 important information typically approach that task? 24 A Based on the instance, the wreckage of 25 which I've analyzed and also reports I've reviewed 185 1 where other people have done the analysis, the 2 cracker usually wants to be A, surreptitious and 3 remain undetected and will often go to great 4 lengths to remain undetected. And B, during the 5 initial stages of an attack on the computer system, 6 they want to be in and out very quickly for 7 actually the same reason. They just don't want to 8 be detected. 9 And some of the reported attempts at 10 breaking in systems, first thing they do, they will 11 take the password file and get it out of the 12 computer system back onto their own computer system 13 or else just to move it away. They can do it with 14 one command. Just mail the password. That's it. 15 It's gone. 16 Q Now, if we have a crack program running 17 with a command that is -- as I recall, the command 18 was Crack PWC, this is the command for running the 19 Crack program. Could that command be changed to a 20 different command so it wouldn't show there was a 21 crack program running? 22 A You mean could the name be changed? 23 Q Yes. 24 A Sure. You could change it to anything 25 you want to. One of the more obvious things to do 186 1 if you want to disguise what you're doing is just 2 to change it to some innocuous part of system, the 3 actual system itself, to a program that won't cause 4 any surprise. 5 In the UNIX system that we're 6 talking about, there are quite a few programs that 7 sit there that run all the time. Change it to one 8 of those. Change it to the name of some word 9 processor or call it Research, call it anything you 10 want. 11 Q Now, in your experience and in your 12 opinion is the conduct of running the process or 13 the crack process under a perpetrator's own user ID 14 using a command that says crack.pwc on a file 15 clearly marked password.ssd consistent with the 16 patterns you see of a cracker? 17 A Not at all. Not at all. I mean, it 18 looks more like a Systems Administrator at work. 19 He's doing it in broad view, if you will, view of 20 anyone who happened to look on the machine. 21 Q Could you change the name of the file the 22 program was running on from password.ssd to 23 something else to hide? 24 A Sure. Call it Research Data, and then 25 you run the program as research. And if you were a 187 1 cracker, you'd probably use somebody else's ID or 2 set up your own. 3 Q You indicated that Crack is a 4 long-running program. Would that be a typical type 5 of program used by somebody trying to 6 surreptitiously break into a computer system? 7 A You mean do crackers run the Crack 8 program? 9 Q Yeah. 10 A I'm sure they do. 11 Q And would that -- to do that, where would 12 that program typically be run? Would it be run on 13 a machine that the person used normally or was 14 used -- that was open to observation by other 15 people in a group? 16 A Based on what I've seen and what I've 17 heard and what I've read, I don't think there have 18 been any cases of a cracker being -- if I can use 19 the word dumb enough to run the Crack program on 20 the machine into which they cracked. They get the 21 password file and send it to -- put it on the 22 computer in ***Asia or put it on a computer 23 elsewhere. 24 Where they run it, I can't say. I 25 never actually had the luxury of seeing a hacker do 188 1 it. 2 Q Now, whether Mr. Schwartz had access to 3 computers networks thought various sites in Intel 4 in the United States and overseas, would it have 5 been easy to move that Crack program to another 6 location outside of the -- a site here in Oregon, 7 hide it and -- 8 A Sure. 9 Q -- and rename it? 10 A Very easy. I did a demonstration to 11 illustrate this point and I found -- I looked at 12 about 40 different computer sites around the world. 13 12 of them allowed me to put data on their systems 14 and just park it there. That's security through 15 obscurity. There is no way that anyone would find 16 that. These were 12 sites ranging from Israel, 17 Turkey, all the way around the world. 18 It's very, very easy to move 19 something away from the computer on which you find 20 it and then find it a parking space just to store 21 it. It's a little bit less easy to find a computer 22 on which to run, say, a Crack program around the 23 world, but if you're a cracker, you'll have those 24 sites. 25 If you remember, I said they get in, 189 1 get out, and they'll come back and visit that site. 2 They may set up their own user account on that site 3 and come back and revisit it. 4 The incidence that I analyzed it was 5 more the volume of data, that they would come back 6 into a site and put literally millions and millions 7 of characters of information on there. And the 8 first sign of trouble would be some poor university 9 professor that says, "Guys, the machine is getting 10 full, would you please clean up all of your data 11 files. We have got no more space in this machine." 12 But he doesn't realize that the hackers had moved 13 in, the crackers had moved in. 14 Q Now, were there others, aside from 15 putting the machine on a site different -- in a 16 different location from where the password file 17 existed, were there other less obvious things that 18 could be done to be surreptitious in trying to run 19 a crack program to crack passwords on a password 20 file and then take information out of it? 21 A Sure. That's the real security 22 nightmare, I would imagine. Certainly it has been 23 in the place where I've talked to the security 24 people because it's now so easy to carry so much 25 information either out over the network or on a 190 1 floppy disk or on a little tape cartridge. 2 On a tap cartridge that you can hold 3 in the palm of your hand, you can put two and a 4 half, three million pages, this kind of page of 5 information (indicating) and just walk out of a 6 building and the security guard would be hard 7 pressed to body search everyone. 8 Q Now, in your opinion of Mr. Schwartz, 9 does Mr. Schwartz have the level of skill and 10 sophistication with computers, computer networks 11 and programming, to cover his tracks so that nobody 12 would have known he was trying to crack passwords 13 or remove information? 14 A Yeah, based on the conversations I've had 15 with Mr. Schwartz, reading books he's written, he 16 clearly has the expertise to leave no footprints 17 whatsoever. 18 Q Finally, then based on your knowledge of 19 Mr. Schwartz's skills and the manner in which this 20 Crack program was running, is there anything about 21 that which is consistent with the activity of an 22 outside cracker or an inside person trying to steal 23 information? 24 A Based on the facts as I see them and I've 25 been told them, no, not at all. I mean, all of 191 1 this happened in full view, all of this information 2 remained inside Intel. My understanding and recall 3 of police reports, there was nothing found, no 4 confidential material found on Mr. Schwartz's home 5 computer or any of the disks or tapes, whatever 6 they found there. It was all still inside Intel. 7 It's just not consistent with a cracker. 8 MR. SUSSMAN: Thank you. Nothing 9 further. 10 THE COURT: Mr. Tintera. 11 12 CROSS-EXAMINATION 13 BY MR. TINTERA: 14 Q The information that you've gone over in 15 this case all came from the defense team; is that 16 right? 17 A My understanding was some of it came from 18 Intel but through the defense, that's correct. 19 Q You got it all through the defense? 20 A The information in terms of police 21 reports and so on, yes. There was obviously other 22 material we generated. 23 Q You didn't talk to any individual Intel 24 employees, did you? 25 A About what? 192 1 Q About this particular case. 2 A **(ck speaker) That's what he -- 3 Q Yes. 4 A I was approached by their Intel legal 5 department, but on another matter. 6 Q Did you talk to Brad Benson? 7 A No. 8 Q Did you talk Bob Wilcox? 9 A No. 10 Q Did you talk to Dirk Brandewie? 11 A No. 12 Q Did you talk to Herb Mayer? 13 A No. 14 Q Have you talked to John Gray? 15 A I've talked to a John Gray, but I don't 16 think -- 17 Q John Gray working at Intel? 18 A No. 19 Q Would you agree with me that Intel 20 Corporation can set its own policy as to access 21 through its fire wall? 22 A Oh, of course. 23 Q And would you agree that Defendant's 24 Exhibit 151, 152, 153 and 154 allow incoming -- an 25 incoming port, whatever you want to call it, 193 1 incoming information through a fire wall? 2 A Sure, fire wall, e-mail, electronic mail 3 messages were coming through the fire wall as well. 4 Q So it allows incoming information? 5 A Sure. Yes. 6 Q And would you also agree that if Intel 7 policy prohibits incoming Internet connection to 8 their system, that this violates Intel's policy? 9 A I'd need to see the policy to be certain, 10 but in the spirit you ask the question, sure. 11 Q The answer is yes? 12 A Yes. 13 Q Now, you've mentioned that a person would 14 move Crack all over the world to hide it here and 15 there, and I recognize that, but you're assuming 16 that a person in your quick in and quick out is an 17 outsider, are you not? 18 A When you say "an outsider," you mean 19 physically outside or -- 20 Q You're assuming this is not someone 21 working for a company that is a target company, but 22 somebody coming in from the outside; is that true? 23 A I'm sorry, I'm somewhat confused by your 24 questions, Mr. Tintera. Are you saying that they 25 have inside knowledge or physically located inside 194 1 Intel? 2 Q I'm saying they are not employed by the 3 corporation and don't have accounts on the 4 corporation. You're assuming someone is coming 5 from outside into the company that is not an 6 authorized user; isn't that correct? 7 A If they are an outside cracker, that is 8 certainly true, yes. 9 Q That's what you're talking about? 10 A Yes. 11 Q The necessity for speed, get in and get 12 out before anyone knows you; is that right? 13 A Yes. Although I still think it would 14 apply if you were a disgruntled employee, you 15 probably -- 16 Q I agree with what you're talking about. 17 In the necessity for the speed, get in and get out 18 and plant the information somewhere else sounded 19 like someone that was coming in from the outside 20 through the fire wall. 21 A Yes, but the point I want to make, I 22 worked on one case where there was an inside person 23 who took the source code and blast it out onto a 24 bulletin board version which is a limited -- 25 Q Right. We know about that. 195 1 A I'm sure you do. 2 Q Now, you talk about telnetting and 3 somewhere in these slides, you had a telnetting -- 4 do you have the exhibit? 5 THE COURT: The bailiff has the 6 exhibits. 7 BY MR. TINTERA: 8 Q The telnetting that you have described, 9 are you aware that Intel policy prohibits 10 telnetting? 11 A I gather from the documents that 12 described it, yes. 13 Q Do you want to find that? You know this 14 better than I do, don't you? 15 A Is that a question you wish an answer to. 16 Q Yes. 17 A Yes, I know them better than you. 18 Q This is a copyright here? 19 A Yes. 20 Q You got these copyrights? 21 A I made a videotape on the Internet and I 22 make videotape for attorneys and law enforcement. 23 Q How much of your time is spent working 24 for attorneys? 25 A Probably about 80 percent, as I mentioned 196 1 to you when you asked me questions outside. 2 Q Okay. You've gone over Mr. Sussman's 3 questions before you got into the court, right? 4 A Yes. 5 Q So there is nothing wrong with me asking 6 you questions before? 7 A Not at all. 8 Q How much time have you spent going over 9 these questions? 10 A Probably a couple hours. 11 Q So you got these copyrighted, so these 12 are things that you would use in front of other 13 jurors? 14 A If I had to use them in front of other 15 jurors, surely. 16 Q Let's find the telnetting one. 17 A There we go. No. 31. 18 Q So Defendant's Exhibit 146 that you have 19 marked as 31, this is not permitted at Intel; is 20 that right? 21 A That's my understanding. 22 Q And that was what defendant's -- the last 23 gate program you talked about did; isn't that 24 right? 25 A That's correct. 197 1 Q Since you're the expert here, you have to 2 go back to these photos to help me. I know what I 3 want to ask you about. 4 This time study that you did, before 5 I get there, how many computers do you have? 6 A Probably about 17 or 18. 7 Q And how many did you use for this time 8 study, the one -- how many days did you come up, 9 over a year? 10 A 398 days. 11 Q Right. 12 A We used one, a SPARC Station 10, and we 13 used an Intel computer as the fire wall at my site. 14 Q And so you had it scan a big chunk of IP 15 addresses or just one? 16 A We just focused on one particular site at 17 Reed. 18 Q One IP address? 19 A One IP address. 20 Q What if you used two computers, would 21 that make a difference? 22 A Yes, you could probably speed it up. 23 Q What if you used more than two, if you 24 used three or four? 25 A You'd suddenly get ***ill parallelism. 198 1 We were 3130 some from one computer. You would 2 speed it up. ***(check) 3 Q You would cut it in half if you used two, 4 wouldn't you? 5 A I don't know. Didn't try it. 6 Q People that are interested in cracking 7 into corporations such as Intel, probably wouldn't 8 just use one, would they, based on your experience? 9 A I've got no direct experience, but I see 10 where you're heading. You could throw more 11 computer power at it and cut the time down. 12 Q Quite a bit? 13 A Sure. 14 Q Have you heard about Deborah Russell in? 15 Do you know who she is? 16 A No, I don't. I don't recall the name. 17 Q She was editor at O'Reilly & Associates, 18 computer security series and co-author of Computer 19 Security Basics. Are you familiar with her work? 20 A I think I have the book. I don't recall 21 the name. 22 Q And Elizabeth ***Ziewekie, have you heard 23 that name? 24 A Just now, but I don't recall it. 25 Q Maybe this will help you. Senior Systems 199 1 Administrator at Silicon Graphics and president of 2 SAG, which is the Systems Administrator Guild. Are 3 you familiar with her? 4 A Yeah, I'm not familiar with her. I don't 5 recall her name, as I said. 6 Q Now, when you talk to the jury about ways 7 to come in and attack security, you mentioned 8 breaking a password. I think we all recognize that 9 that's one way to come in and attack security. 10 What else did you mention? -- well, that's about 11 it. That's about all I wrote down. 12 Anyway, are you familiar with 13 password sniffing? 14 A Sure. 15 Q Well, that's a way to come in and attack, 16 isn't it? 17 A Yeah, but it's essentially a similar kind 18 of way of breaking a password about capturing it 19 surreptitiously. 20 Q Good point. So when you send a packet, 21 you've got this as a nice little thing here, I 22 couldn't have got this packet here? 23 A Would like me to -- 24 Q I'm getting this. It took me a while. 25 Had the end in the front. 200 1 A I'm sorry. 2 Q 118, this packet three, when you have 3 this packet here, there is a difference between an 4 e-mail that's sent and contemporaneously using of a 5 system. I have it written down here. 6 Differences between that and an 7 interactive session, isn't there a difference 8 between interactive session and sending e-mail? 9 A We call them ***protocols, but they're 10 still packets. 11 Q Let's talk about that ***protocol. The 12 interactive session that you have here, the 13 protocol includes IP address; is that correct? 14 A That's correct. 15 Q So the address includes the IP address 16 and it includes port number? 17 A Right. 18 Q And includes the user name, yes or no? 19 A For what, the e-mail? 20 Q No, not e-mail. Interactive session, 21 includes the IP address, port number, the user 22 name? 23 A Yes. I'm not sure. What protocol are we 24 talking about, Telnet? 25 Q Okay, hold on. Let's assume we have an 201 1 interactive session and the interactive session 2 involves a user name, an IP address and a port 3 number. 4 A Right. 5 Q That's going to be consistent, right? 6 A No. I mean, when the Gate program was 7 running, Mr. Schwartz was having an interactive 8 session. 9 I'm sorry to press you. I don't 10 understand the question. 11 Q Let's take that. When he was running his 12 Gate program, the interactive session for the 13 packets moving through Internet included his user 14 name, correct? 15 A I don't believe so. 16 Q So you dispute that. 17 A Well, it depends on what protocol we're 18 talking about is the problem. I'm sorry to have 19 an -- 20 Q Didn't you go through the information 21 that they gave you? 22 A Yes. 23 Q And it didn't include that? 24 A Didn't include what? 25 Q Protocol that Mr. Schwartz was using. 202 1 A It didn't, per se. He just listed on a 2 particular port he's running, we call it the TCP, 3 transmission control protocol. 4 Q Well, would you agree that interactive 5 sessions involve the password, user ID -- 6 A To get them started, yes. 7 Q Let me finish. 8 A Excuse me. 9 Q Maybe I was asking the -- maybe I'm not 10 quite as ***linear as you. 11 THE COURT: Do you need to be so 12 close to the witness, Mr. Tintera? Can you go back 13 to your -- 14 MR. SUSSMAN: Mr. Tintera has one of 15 these. 16 MR. TINTERA: I want to show him 17 that. 18 THE COURT: Complete that. Much of 19 what you are doing does not require that exhibit. 20 BY MR. TINTERA: 21 Q To begin an interactive session, you have 22 to use your passwords, correct? 23 A Let me see if I can help you a little 24 bit. When you are talking about an interactive 25 session -- 203 1 Q I don't want you to help me. I want you 2 to answer my questions. 3 A I can't answer the question. 4 Q So when you begin an interactive session, 5 what kind of information is contained in the 6 beginning? 7 A It depends on what kind of interactive 8 session you're talking to. 9 Q Assume a Telnet. 10 A If you are assuming Telnet, then you 11 would be confronted with the screen I showed you, 12 which is, "Please log in," your ID, password. 13 Q Could you tell this jury what password 14 sniffers do? 15 A Password sniffers basically lie in wait 16 and watch the data packets go by in the hope of 17 seeing passwords come by. They can lie and wait 18 either in the machine of which they are being -- 19 the actual user is typing and they -- I mean, it 20 was an old trick. You send a message to a terminal 21 and you said, "System about to crash, please log 22 out." Then a few second later, "Please log in," 23 because of course the system hadn't crashed at all 24 and you were watching what the person typed when 25 they thought they were logging back in and then you 204 1 let them carry on. That's password sniffing. 2 Q Are you familiar with CERT? 3 A I know CERT. I know one or two of the 4 people at CERT. 5 Q Are you aware that 100,000 sites were 6 targeted by password sniffers in 1994? 7 A I didn't know what the number was, but I 8 knew it was a large number. 9 Q And that password sniffer will give you 10 the port number, correct? 11 A Sure, depending on where it's running, 12 but yes, in principle. 13 Q The user name? 14 A If it happens to sniff that particular 15 packet going by, yes. 16 Q The password? 17 A Yes. 18 Q And the IP address? 19 A Yes. 20 Q So it gives you everything you need to go 21 through someone's fire wall into their system, 22 doesn't it? 23 A It can do, sure. 24 Q And CERT said there was 100,000 of those 25 on the Internet last year, right? 205 1 A That's correct, from your number. I 2 don't remember the number. 3 Q And once these passwords -- once the 4 password sniffer has all that information, isn't it 5 true that that's shared in a group on the Internet 6 that's involved in what you call cracking, that 7 information is shared? 8 A It's certainly talked about. The degree 9 to which its shared, I don't know. 10 Q Well, there is this article that those 11 two ladies, Miss Ziewekie and Miss Russell wrote, 12 How to Get a Handle on Internet Security. "Once 13 deciphered, these ***PUR HROEUPB passwords become 14 bartering chips among underground groups that share 15 **(reading) site specific security holes." 16 Would you agree with that? 17 A Yes. ***(Tom was reading from that 18 magazine article by those two ladies.) 19 Q Now, how can you avoid password sniffers 20 if you're going to be using the Internet? 21 A I don't mean to sound facetious, but the 22 best security is not beyond the Internet. Very 23 difficult to avoid it. 24 Q So when Intel sets its policy not to 25 allow inbound traffic, they are protecting their 206 1 proprietary information inside their fire wall, 2 aren't they? 3 A Absolutely. 4 Q And they have a right to do that as a 5 corporation? 6 A Of course, they do. 7 Q They don't have to allow telnetting, do 8 they? 9 A When you say they have to, that's their 10 decision. 11 Q Right. It's their decision, isn't it? 12 A Surely. 13 Q Would you agree with this statement, 14 "Recent wave of password sniffing attacks on 15 Internet makes the strength of your passwords 16 almost irrelevant"? 17 A I think that's a little bit of an 18 overstatement. 19 Q Just a little bit? 20 A Well, if you never put your word out on 21 the Internet, it's still as good as it ever was. 22 Q But if you are using the Internet, what 23 they are saying in this article, that the password 24 sniffer process makes that password almost 25 irrelevant because the process gives you the 207 1 password? 2 A Oh, yes. I see your point there, sure. 3 Q You talked a little bit about spoofing. 4 A Spoofing is when you pass yourself off as 5 somebody else. You impersonate them. 6 Q That would be like using someone's 7 password that's not you that you've cracked? 8 A That's one example of it, sure. 9 Q Let's talk a little bit about alter. 10 Your strict definition, any use of the computer is 11 altering. Let's go back to your use of the car, 12 but don't alter it. 13 Would you consider putting a new 14 door in the car and alteration? 15 A Sure, by my definition. As you said, an 16 alteration. Maybe I should have used a tailoring 17 mentality. When a tailor alters something, it's -- 18 Q And the doors and the gate that we're 19 talking about alter the computers they were put on? 20 A I think you're making a word play there, 21 but yes, they altered them in the sense that when 22 the program was first put on the computer it alters 23 it. When it runs, it alters it. When it receives 24 a data packet it alters it. 25 Q Even in your practical use definition of 208 1 "alter," these doors or gates, whatever you want to 2 call them, alter the computer, alter the computer, 3 didn't -- 4 A In my practical definition. 5 Q You had a practical definition of don't 6 do anything lasting are something like that. You 7 made a distinction between -- 8 A It doesn't sit particularly easy with me. 9 I know where you're headed in the sense of saying 10 it is an alteration, but that's not how a computer 11 scientist would think about it when they said, 12 "Don't alter the computer." 13 Q Wait a minute. One of those allowed 14 telnetting, right? One of those programs? 15 A Well, telnetting is a byproduct of merely 16 running the program. 17 Q Wouldn't you say that a computer that 18 didn't allow you to Telnet, in other words, didn't 19 allow you to go outside and allow things to come in 20 from the Internet, that's what telnetting is, 21 right? 22 A Yes. 23 Q If it didn't allow that before you got 24 there and you put something in, whatever you want 25 to call it, you put something in and now it allows 209 1 you to go in and out telnetting, that's not 2 altering it? 3 A That's altering the behavior, not the 4 machine. 5 Front page of The Wall Street 6 Journal, second section, guy was saying, "I tried 7 to run a program and I went work and I found out I 8 would have to alter the memory configuration." Get 9 more memory and physically plug it in. That's how 10 "altered" to me sits more easily. 11 Q Your definition of "alter" is changing 12 the hardware of the computer, not the software? 13 A It includes that. The point I was trying 14 to make is, I don't really understand what it means 15 precisely when it's used like that. There is 16 multiple meanings. 17 Q You mentioned the "rhost" file and that 18 system is really built on a trusted user. Do you 19 remember that? 20 A Yes, I remember what I said. 21 Q Would you agree that the web of trust is 22 violated by the use of a password that's not your 23 own that you've cracked? 24 A Depends on who uses it and for what 25 purpose. I have used passwords that I don't know. 210 1 Q How about without permission? 2 A I've had to use them without permission 3 in the middle of the night, you've got to get a job 4 done. 5 Q Leave out the emergency situation. How 6 about for your own purpose, would you agree that 7 using another person's password that you cracked 8 for your own purposes, not an emergency situation, 9 not a help situation, is a violation of the web of 10 trust? 11 A It depends on who does it and why. 12 Q Now, you've indicated that part of the 13 functionality of the Crack program and using it is 14 for a Systems Administrator to notify the persons 15 who have had their password cracked that this has 16 occurred. 17 A That's correct. 18 Q Is that right? 19 A That's correct. 20 Q Now, a person that has cracked a password 21 and is a cracker, by your definition, they're not 22 going to be sending a notice to the person whose 23 password they've cracked to let them know, are 24 they? 25 A I would really doubt that. 211 1 Q Because if they do that, we would assume 2 the person would change the password and they can't 3 use it anymore, can they? 4 A I would think that's a reasonable 5 assumption, Mr. Tintera. 6 Q I knew that. I just want to have you say 7 that. 8 A I knew you knew it. 9 THE WITNESS: Your Honor, could I 10 have some water? 11 THE COURT: You bet. This is 12 judicial water. 13 THE WITNESS: I was wondering if it 14 had special qualities. 15 THE COURT: You bet it does. 16 BY MR. TINTERA: 17 Q The time that you spend working with 18 lawyers, you indicated was 80 percent of your year. 19 A Approximately. I've never really had the 20 need to sit down and do the statistics. I'm 21 guessing. 22 Q Do you testify often in court? 23 A No, not very often. 24 Q How often? 25 A I don't know really how to say that. 212 1 Maybe once a year. This year is unusual. Twice 2 this year. 3 Q What type of income is generated by that 4 work, the 80 percent of your work? 5 A When you say "what type of income" -- 6 Q What amount of income? 7 A I don't have the number in my head. I 8 really can't tell you. 9 Q Well, do you know how much money you made 10 last year? 11 A No, I'm afraid I don't. 12 Q Did you pay taxes? 13 A I have an accountant and I pay taxes. 14 Q I don't need the exact penny. Can you 15 give me a ballpark? 16 A I think it was around -- in terms of 17 gross income for myself and the associates with 18 whom I work, probably half a million dollars. 19 Q So is it fair to say that 80 percent of 20 that came from work with attorneys? 21 A No, because it's reimbursed expenses and 22 all sorts of other stuff in there. I can't break 23 it down. 24 Q Let's talk about this case. When were 25 you brought on by the defense team? 213 1 A I think it was around April of this year. 2 Q This year, 1995? 3 A Yes. 4 Q And your services to date for your work, 5 whatever you want -- for your work in the case 6 is -- for the defense team is what? 7 A I don't have a precise number. The last 8 billing I remember was about $11,000, but I've done 9 a fair amount of work since then, so it's probably 10 20, 25. 11 Q Plus today? 12 A Oh, I mean, I have no idea if you want to 13 add just today. 14 Q You're going to add today? 15 A I presume so. 16 MR. TINTERA: Thank you, 17 Mr. Johnson- Laird, I don't have any other 18 questions. 19 THE COURT: Mr. Sussman. 20 21 22 23 24 25 214 1 REDIRECT EXAMINATION 2 BY MR. SUSSMAN: 3 Q Clarify a couple things at least in my 4 mind. 5 When you were questioned about the 6 password sniffer programs, would such a program, 7 password sniffer work against a blank screen? 8 A This is no -- nothing to sniff when you 9 have a blank screen. There is no traffic. There 10 is no data moving backward and forward. 11 Q And so if there was a magic word required 12 behind the blank screen, would that -- 13 A The password sniffer is basically lying 14 in wait waiting to look at someone responding to 15 "Please log in," or password. If it's a blank 16 screen, it doesn't even know that what you're 17 sending is a password. That's why I said it's a 18 very secure method. 19 Q With this password sniffer program, you 20 mentioned that -- there was a question about all of 21 this information that was sent, the IP address, the 22 user name, the password and so forth. Is that all 23 sent on one information packet? 24 A I very much doubt it just because of time 25 delays, otherwise, the system would be very, very 215 1 slow. Typically it times out and sends what it's 2 got. 3 Q Would it create a greater likelihood that 4 programs like password sniffers or the demon 5 dialing would be discovered when you increase the 6 amount of traffic or the amount of attempts on a 7 system? 8 A Well, as I said when I first tried to 9 answer that kind of question, the problem is it 10 presupposes that you've got something that is 11 watching and an alarm that will trigger when you 12 suddenly see someone in some form systematically 13 working their way through. It's like being in a 14 building and hearing the phones starting to ring 15 and coming closer and closer. Someone has to be 16 there to notice it. 17 Q The programs to ***detect those, are 18 those available to corporations? 19 A As far as I know, they are available to 20 CERT. Takes about 30 seconds to get a copy, to 21 answer your question. 22 Q Password sniffer, can that come from 23 anyplace outside on the network or does it have to 24 be actually connected on the connection between the 25 outside host and the inside host? 216 1 A It's like a wiretap. It has to be 2 connected, otherwise it simply doesn't get any 3 data. 4 Q So at first it has to find the actual 5 outside connecting lines? 6 A That's why I kept stressing that at first 7 you've got to find the gate program or anything 8 like that before you can glean any information 9 about it. 10 Q You were asked some questions about 11 interactive session. Do processors have -- do 12 processes on these interactive sessions, the 13 process themselves have user ID numbers? 14 A You mean when they are running inside the 15 computer do you know which user is running them? 16 Sure. You know. 17 Q What about the transmissions and ports, 18 they have user ID? 19 A I believe so. 20 Q Now, the article that you were asked 21 about, these were apparently written somewhere 22 between 1994 and 1995, was there a qualitative 23 difference in the amount of password sniffing and 24 activities such as that on the Internet prior to 25 1994 and since then? 217 1 A Do you mean has the amount of password 2 sniffing been increasing? 3 Q Yes. 4 A Yes. The whole thing is going crazy. 5 Q In 1993 and earlier, was the problem as 6 extensive as was referred to in the article? 7 A Not in my experience, but then I don't 8 recall that particular article. 9 Q You were also asked a question about -- 10 some more questions about altering the system. I'm 11 curious whether in your review of the door programs 12 and gate programs, did those programs make a 13 lasting change to computers? 14 A How literal are you asking me to be to 15 answer that question? That's the dilemma. I mean, 16 something was put on a computer systems hard disk, 17 if it was put on, it could have been removed and 18 undone very quickly. Is that a lasting alteration 19 it's borderline. 20 Q Does the running of the program make a 21 lasting change in the system? 22 A You mean running the program inside the 23 computer? It's very transitory. No. If the 24 program stops, it can come and go in a thousandth 25 of a second. If the program sits there like Crack 218 1 and grinds away on data, it might last for several 2 days but the moment it's gone, it just disappears. 3 Q You were asked a question about whether 4 it would be appropriate to restrict all incoming 5 Internet connections. Would that include other 6 incoming communications besides telnetting? 7 A If you did, you might as well not be on 8 the Internet. 9 Q What else would that include? 10 A E-mail, all the Domain Name Service, 11 final transfers, just would basically prevent you 12 getting any benefit from being on the Internet, 13 especially if it was one way. 14 I mean, in much of this, even though 15 the ultimate effect is for me to transfer something 16 to you, I would actually say are you ready to 17 receive and you would say yes, and I would say here 18 it is. You would say okay, give me the next one. 19 We call it a handshake going on. If 20 you restrict one side of it in electronic terms, it 21 gets very messy. 22 Q Now, you were also asked some questions 23 about your work with attorneys. When we talk about 24 forensic software computer analysis, what does the 25 word "forensic" mean? 219 1 A Well, again, you have to be very literal 2 because I was struggling for a word that I can say 3 to people that would make them understand what I 4 actually did and I looked it up in the dictionary 5 and it says, "For public discussion or discussion 6 in the courts." That's what "forensic" actually 7 means. 8 Q And typically in our legal system when we 9 refer to "forensic," it refers to some application 10 of science as it applies to the court system, 11 doesn't it? 12 A That's how I understand it to be used in 13 the United States, yes. 14 Q So as long as you're in forensics, you're 15 going to be dealing with a lot of lawyers, aren't 16 you? 17 A Usually, I think that's a reasonable 18 inference. 19 Q Now, have you found yourself being 20 retained by only criminal defense lawyers or only 21 civil defense lawyers or only civil plaintiffs' 22 attorneys? 23 A There is no actual predominant pattern. 24 I was retained by the U.S. Copyright Office to give 25 presentations. They happened to be lawyers at the 220 1 copyright office but -- 2 Q Have you ever had work on a case 3 involving charges of criminal activity before? 4 A I did mention there was one case where 5 the computer program was sent across state lines, 6 so I was working with the FBI. 7 Q But not for the attorneys in the case 8 where somebody was accused of a crime? 9 A In that particular case, I was assisting 10 the FBI but working for the attorney representing 11 the company. 12 I understand what your question is 13 in terms of the organization. I mean, I have 14 assisted federal agencies, but I haven't actually 15 worked for them. I helped them after the Oklahoma 16 bombing. 17 Q Have you ever been asked to assist a 18 person who is accused of a crime, a defendant in a 19 criminal case? 20 A No. 21 MR. SUSSMAN: Let me take a look at 22 my notes. 23 BY MR. SUSSMAN: 24 Q In that regard, when you agreed to take 25 this case on, you examined the documentation or do 221 1 anything before you agreed to take the case on for 2 Mr. Schwartz? 3 A Oh, definitely. I mean, you may recall I 4 had a conversation I said I'm not even sure I want 5 to take this case on until I look at the paperwork 6 and talk to Mr. Schwartz. 7 From my perspective, it's very easy 8 for technical people to -- 9 MR. TINTERA: Objection. The 10 question has been answered. 11 THE COURT: Sustained. 12 BY MR. SUSSMAN: 13 Q Now, last things. Looking at the program 14 that is marked Door No. 2, Door 2 -- 15 THE COURT: Door until 2? That 16 isn't on until 7:30, I think. 17 MR. SUSSMAN: We're almost there. 18 What prize do we get behind door 2? 19 THE WITNESS: Enter user ID. 20 BY MR. SUSSMAN: 21 Q With Door 2, did that allow an inbound 22 Telnet or inbound connection from an outside 23 computer? 24 A No. That was a program that insisted 25 that you be on this Class B network 158.215. 222 1 MR. SUSSMAN: Thank you. I have 2 nothing further. 3 THE COURT: Mr. Tintera. 4 5 RECROSS-EXAMINATION 6 BY MR. TINTERA: 7 Q I know it's late and I don't want to 8 belabor any of these points. But you make a 9 distinction, there is a distinction between the 10 address that goes with a Telnet-type interactive 11 session and e-mail; isn't that correct? 12 A You mean they use different port numbers. 13 Q Well, there is a difference in address, 14 information that's contained; isn't that true? 15 A You mean the IP address or port number? 16 Q I mean your e-mail is not going to 17 contain your password, is it? 18 A You wouldn't normally send someone a 19 message with your password in it. 20 Q Not in the context of a message. I'm 21 talking about the address that it goes on. It's 22 not going to contain your password? 23 A If I'm logged in already and I'm now 24 sending or receiving e-mail, my password would not 25 be visible to anyone. 223 1 Q And it's not going to contain your -- 2 well, it will have your name, right? 3 A It has your user name and it will have 4 your IP address and port number, so you could 5 identify the sender and receiver, you have to. 6 Q And that's a little bit different than 7 from what information would be contained when you 8 would be getting an interactive session through 9 telnetting? 10 A In the sense that sure, you're not 11 transmitting your password as part of an e-mail 12 message. At least you'd be crazy if you did. 13 Q E-mail message, your password can't be 14 sniffed, can it? 15 A I think the question you're asking me, if 16 I understand correctly, is can it be sniffed if 17 it's not there, and the answer is no. 18 Q So in e-mail you don't run the risk of 19 any password sniffing, right? 20 A No. Bigger risk. 21 MR. TINTERA: Thank you. No other 22 questions. 23 THE COURT: Mr. Sussman. 24 25 224 1 REDIRECT EXAMINATION 2 BY MR. SUSSMAN: 3 Q What are the bigger risk with e-mail? 4 A Well, there are some pretty glaring holes 5 in a program called Send Mail. You could actually 6 download a program via electronic mail message and 7 make that receiving computer run a program and 8 these are the kind of security loopholes that you 9 lie awake and worry about. 10 MR. SUSSMAN: Nothing further. 11 THE COURT: Mr. Tintera. 12 MR. TINTERA: No, thank you, Judge. 13 Thank you for the opportunity. 14 THE COURT: Thank you. You may step 15 down. And you're free to go. 16 And we are in recess until 9:30 17 tomorrow morning. And I won't tell you not to 18 discuss the case. Because you know, you all know 19 that you're not to do that. If I should find out 20 that you are -- seriously, have a nice evening and 21 we'll see you tomorrow morning at 9:30. 22 (Evening recess.) 23 24 25