1 / 53

Hacker Court 2004

Hacker Court 2004. Pirates of the Potomac: The Curse of the Bl4ck P3rl hackercourt@wkeys.com. CAST. JUDGE: Chief Judge Philip M. Pro – Chief Judge for the District of Nevada EMCEE: Carole Fennelly , President, Wizard’s Keys Corp. EMCEE: Weasel, NMRC COURT CLERK: Caitlin Klein

socorro
Download Presentation

Hacker Court 2004

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Hacker Court 2004 Pirates of the Potomac: The Curse of the Bl4ck P3rl hackercourt@wkeys.com

  2. CAST JUDGE: Chief Judge Philip M. Pro – Chief Judge for the District of Nevada EMCEE: Carole Fennelly, President, Wizard’s Keys Corp. EMCEE: Weasel, NMRC COURT CLERK: Caitlin Klein COURT TECHNICIAN: Ryan Bulat - Intern, Wizard’s Keys Corp. PROSECUTOR: Richard Salgado Senior Counsel, CCIPS division of DoJ PROSECUTOR: Paul Ohm, Attorney, CCIPS division of DoJ DEFENSE ATTORNEY: Erin Kenneally M.F.S., J.D Forensic Analyst, SDSC DEFENDANT (MARVIN BIGGS): Simple Nomad – BindView, NMRC CASE AGENT: Jesse Kornblum– Captain, USAF SYSADMIN (O.J. SIMPSON): Jack Holleran–– Former NSA GOVERNMENT WITNESS: Brian Martin- Security Consultant DEFENSE EXPERT: Richard Thieme – CEO, Thiemeworks, Inc DEFENSE EXPERT: Jonathan Klein – Senior Manager, Calence, Inc

  3. Schedule 16:45 – Introductions, Court Called to Order 16:50 – 17:00 Opening Statements 17:00 – 17:15 Agent Kornblum 17:15 – 17:20 Explanation of Stipulations 17:20 – 17:35 Oscar J. Simpson 17:35 – 17:50 Brian Martin 17:50 – 18:05 Jonathan Klein 18:05 – 18:15 break 18:15 – 18:30 Richard Thieme 18:30 – 18:45 Captain Hack 18:45 – 18:55 Closing Statements 18:55 – panel discussion in reception area

  4. Witness classification Factual: testifies to events directly witnessed or observed. May only testify regarding facts, not draw conclusions. Expert: specifically qualified by the court as an expert in the subject at hand. May offer opinion and draw conclusions based on knowledge and expertise.

  5. Prosecution Opening Statement Enter Key Points Here

  6. Defense Opening Statement Enter Key Points Here

  7. Prosecution Witness 1 Agent Kornblum is the Case Agent testifying as both a factual and expert witness on events he witnessed and actions he took when he discovered the intrusion.

  8. Evidence of Break-in

  9. Government Exhibit 1 May 23 11:14:18 doc001 sshd[1779]: connection from "172.18.33.1" May 23 11:14:24 doc001 sshd[7862]: Wrong password given for user 'root'. May 23 11:14:32 doc001 sshd[7862]: Wrong password given for user 'ojsimpson'. May 23 11:14:48 doc001 sshd[7862]: Wrong password given for user 'jsmith'. May 23 11:15:01 doc001 sshd[7862]: Wrong password given for user 'jsmith'. May 23 11:15:22 doc001 sshd[25386]: User jsmith's local password accepted. May 23 11:15:24 doc001 sshd[25386]: Password authentication for user jsmith accepted. May 23 11:15:24 doc001 sshd[25386]: User jsmith, coming from fw001-internal.usna.gov, authenticated. May 24 18:11:18 doc001 sshd[1779]: connection from "172.18.33.1" May 24 18:11:23 doc001 sshd[28003]: User jsmith's local password accepted. May 24 18:11:23 doc001 sshd[28003]: Password authentication for user jsmith accepted. May 24 18:11:23 doc001 sshd[28003]: User jsmith, coming from fw001-internal.usna.gov, authenticated. May 24 19:23:18 doc001 sshd[1779]: connection from "172.18.33.1" May 24 19:23:22 doc001 sshd[29001]: User jsmith's local password accepted. May 24 19:23:22 doc001 sshd[29001]: Password authentication for user jsmith accepted. May 24 19:23:22 doc001 sshd[29001]: User jsmith, coming from fw001-internal.usna.gov, authenticated. May 26 08:44:21 doc001 sshd[1779]: connection from "172.18.33.1" May 26 08:44:22 doc001 sshd[29990]: User jsmith's local password accepted. May 26 08:44:22 doc001 sshd[29990]: Password authentication for user jsmith accepted. May 26 08:44:18 doc001 sshd[29990]: User jsmith, coming from fw001-internal.usna.gov, authenticated. May 26 12:02:21 doc001 sshd[1779]: connection from "172.18.33.1" May 26 12:02:22 doc001 sshd[30002]: User jsmith's local password accepted. May 26 12:02:22 doc001 sshd[30002]: Password authentication for user jsmith accepted. May 26 12:02:18 doc001 sshd[30002]: User jsmith, coming from fw001-internal.usna.gov, authenticated. May 28 16:03:21 doc001 sshd[1779]: connection from "172.18.33.1" May 28 16:03:22 doc001 sshd[30100]: User jsmith's local password accepted. May 28 16:03:22 doc001 sshd[30100]: Password authentication for user jsmith accepted. May 28 16:03:22 doc001 sshd[30100]: User jsmith, coming from fw001-internal.usna.gov, authenticated. May 29 08:00:21 doc001 sshd[1779]: connection from "172.18.33.1" May 29 08:00:22 doc001 sshd[30110]: User jsmith's local password accepted. May 29 08:00:22 doc001 sshd[30110]: Password authentication for user jsmith accepted. May 29 08:00:18 doc001 sshd[30110]: User jsmith, coming from fw001-internal.usna.gov, authenticated.

  10. Government Exhibit 1 (Enlargement) May 28 16:03:21 doc001 sshd[1779]: connection from "172.18.33.1" May 28 16:03:22 doc001 sshd[30100]: User jsmith's local password accepted. May 28 16:03:22 doc001 sshd[30100]: Password authentication for user jsmith accepted. May 28 16:03:22 doc001 sshd[30100]: User jsmith, coming from fw001-internal.usna.gov, authenticated.

  11. Government Exhibit 1-2 May 29 08:20:21 doc001 sshd[1779]: connection from "172.18.33.1" May 29 08:20:22 doc001 sshd[30115]: User jsmith's local password accepted. May 29 08:20:22 doc001 sshd[30115]: Password authentication for user jsmith accepted. May 29 08:20:18 doc001 sshd[30115]: User jsmith, coming from fw001-internal.usna.gov, authenticated. May 29 14:23:21 doc001 sshd[1779]: connection from "172.18.33.1" May 29 14:23:22 doc001 sshd[30150]: User jsmith's local password accepted. May 29 14:23:22 doc001 sshd[30150]: Password authentication for user jsmith accepted. May 29 14:23:18 doc001 sshd[30150]: User jsmith, coming from fw001-internal.usna.gov, authenticated. May 30 19:20:21 doc001 sshd[1779]: connection from "172.18.33.1" May 30 19:20:22 doc001 sshd[32003]: User jsmith's local password accepted. May 30 19:20:22 doc001 sshd[32003]: Password authentication for user jsmith accepted. May 30 19:20:18 doc001 sshd[32003]: User jsmith, coming from fw001-internal.usna.gov, authenticated. May 31 00:23:18 doc001 sshd[1779]: connection from "172.18.33.1" May 31 00:23:21 doc001 sshd[32200]: User jsmith's local password accepted. May 31 00:23:22 doc001 sshd[32200]: Password authentication for user jsmith accepted. May 31 00:23:22 doc001 sshd[32200]: User jsmith, coming from fw001-internal.usna.gov, authenticated.

  12. Government Exhibit 2 May 23 11:14:18 fw001.usna.gov test-gw[28161]: [ID 831736 daemon.notice] permit host=nodnsquery/62.36.100.188 destination=172.18.33.22 port=44466 May 23 11:14:21 fw001.usna.gov test-gw[28161]: [ID 741503 daemon.notice] connected host=nodnsquery/62.36.100.188 destination=172.18.33.22 port=22 May 23 11:14:22 fw001.usna.gov test-gw[28161]: [ID 572103 daemon.notice] exit host=nodnsquery/62.36.100.188 dest=172.18.33.22 in=145 out=222 user=unauth duration=601 May 24 18:11:18 fw001.usna.gov test-gw[28161]: [ID 831736 daemon.notice] permit host=nodnsquery/62.36.18.118 destination=172.18.33.22 port=44466 May 24 18:11:21 fw001.usna.gov test-gw[28161]: [ID 741503 daemon.notice] connected host=nodnsquery/62.36.18.118 destination=172.18.33.22 port=22 May 24 18:11:22 fw001.usna.gov test-gw[28161]: [ID 572103 daemon.notice] exit host=nodnsquery/62.36.18.118 dest=172.18.33.22 in=2042 out=3054 user=unauth duration=1804 May 24 19:23:18 fw001.usna.gov test-gw[28161]: [ID 831736 daemon.notice] permit host=nodnsquery/62.36.26.120 destination=172.18.33.22 port=44466 May 24 19:23:21 fw001.usna.gov test-gw[28161]: [ID 741503 daemon.notice] connected host=nodnsquery/62.36.26.120 destination=172.18.33.22 port=22 May 24 19:23:22 fw001.usna.gov test-gw[28161]: [ID 572103 daemon.notice] exit host=nodnsquery/62.36.26.120 dest=172.18.33.22 in=4050 out=9080 user=unauth duration=2402 May 26 08:44:18 fw001.usna.gov test-gw[28161]: [ID 831736 daemon.notice] permit host=nodnsquery/62.36.18.218 destination=172.18.33.22 port=44466 May 26 08:44:21 fw001.usna.gov test-gw[28161]: [ID 741503 daemon.notice] connected host=nodnsquery/62.36.18.218 destination=172.18.33.22 port=22 May 26 08:44:22 fw001.usna.gov test-gw[28161]: [ID 572103 daemon.notice] exit host=nodnsquery/61.33.44.22 dest=172.18.33.22 in=555 out=1320452 user=unauth duration=1022 May 26 12:02:18 fw001.usna.gov test-gw[28161]: [ID 831736 daemon.notice] permit host=nodnsquery/61.33.44.22 destination=172.18.33.22 port=44466 May 26 12:02:21 fw001.usna.gov test-gw[28161]: [ID 741503 daemon.notice] connected host=nodnsquery/61.33.44.118 destination=172.18.33.22 port=22 May 26 12:02:22 fw001.usna.gov test-gw[28161]: [ID 572103 daemon.notice] exit host=nodnsquery/61.33.44.118 dest=172.18.33.22 in=888 out=2053 user=unauth duration=124 May 28 16:03:18 fw001.usna.gov test-gw[28161]: [ID 831736 daemon.notice] permit host=nodnsquery/62.36.100.188 destination=172.18.33.22 port=44466 May 28 16:03:21 fw001.usna.gov test-gw[28161]: [ID 741503 daemon.notice] connected host=nodnsquery/62.36.100.188stination=172.18.33.22 port=22 May 28 16:03:22 fw001.usna.gov test-gw[28161]: [ID 572103 daemon.notice] exit host=nodnsquery/62.36.100.188 dest=172.18.33.22 in=12954 out=32005252 user=unauth duration=4500

  13. Government Exhibit 2 (Enlargement) May 28 16:03:18 fw001.usna.gov test-gw[28161]: [ID 831736 daemon.notice] permit host=nodnsquery/62.36.100.188 destination=172.18.33.22 port=44466 May 28 16:03:21 fw001.usna.gov test-gw[28161]: [ID 741503 daemon.notice] connected host=nodnsquery/62.36.100.188stination=172.18.33.22 port=22 May 28 16:03:22 fw001.usna.gov test-gw[28161]: [ID 572103 daemon.notice] exit host=nodnsquery/62.36.100.188 dest=172.18.33.22 in=12954 out=32005252 user=unauth duration=4500

  14. Government Exhibit 2-2 May 29 14:23:18 fw001.usna.gov test-gw[28161]: [ID 831736 daemon.notice] permit host=nodnsquery/62.36.26.120stination=172.18.33.22 port=44466 May 29 14:23:21 fw001.usna.gov test-gw[28161]: [ID 741503 daemon.notice] connected host=nodnsquery/62.36.26.120 destination=172.18.33.22 port=22 May 29 14:23:22 fw001.usna.gov test-gw[28161]: [ID 572103 daemon.notice] exit host=nodnsquery/62.36.26.120 dest=172.18.33.22 in=xx out=yy user=unauth duration=zz May 29 08:00:18 fw001.usna.gov test-gw[28161]: [ID 831736 daemon.notice] permit host=nodnsquery/61.33.55.129 destination=172.18.33.22 port=44466 May 29 08:00:21 fw001.usna.gov test-gw[28161]: [ID 741503 daemon.notice] connected host=nodnsquery/61.33.55.129 destination=172.18.33.22 port=22 May 29 08:00:22 fw001.usna.gov test-gw[28161]: [ID 572103 daemon.notice] exit host=nodnsquery/61.33.55.129 dest=172.18.33.22 in=2344 out=234204 user=unauth duration=300 May 29 08:20:18 fw001.usna.gov test-gw[28161]: [ID 831736 daemon.notice] permit host=nodnsquery/62.36.100.188] destination=172.18.33.22 port=44466 May 29 08:20:21 fw001.usna.gov test-gw[28161]: [ID 741503 daemon.notice] connected host=nodnsquery/62.36.100.188 destination=172.18.33.22 port=22 May 29 08:20:22 fw001.usna.gov test-gw[28161]: [ID 572103 daemon.notice] exit host=nodnsquery/62.36.100.188 dest=172.18.33.22 in=2452 out=3223 user=unauth duration=120 May 30 19:20:18 fw001.usna.gov test-gw[28161]: [ID 831736 daemon.notice] permit host=nodnsquery/62.36.100.188] destination=172.18.33.22 port=44466 May 30 19:20:21 fw001.usna.gov test-gw[28161]: [ID 741503 daemon.notice] connected host=nodnsquery/62.36.100.188] destination=172.18.33.22 port=22 May 30 19:20:22 fw001.usna.gov test-gw[28161]: [ID 572103 daemon.notice] exit host=nodnsquery/62.36.100.188] dest=172.18.33.22 in=2342 out=2354865 user=unauth duration=1210 May 31 00:23:18 fw001.usna.gov test-gw[28161]: [ID 831736 daemon.notice] permit host=nodnsquery/62.36.100.188] destination=172.18.33.22 port=44466 May 31 00:23:21 fw001.usna.gov test-gw[28161]: [ID 741503 daemon.notice] connected host=nodnsquery/62.36.100.188] destination=172.18.33.22 port=22 May 31 00:23:22 fw001.usna.gov test-gw[28161]: [ID 572103 daemon.notice] exit host=nodnsquery/62.36.100.188] dest=172.18.33.22 in=223 out=58553 user=unauth duration=133

  15. Government Exhibit 3 sql-gw: tns-tracing no sql-gw: log-level 0 sql-gw: log-enabled yes sql-gw: maximum-relays 1024 sql-gw: maximum-connect-data 1024 sql-gw: event-timer 0 sql-gw: answer-error-countdown 16 sql-gw: authentication-level 0 sql-gw: directory /var/log sql-gw: answer-timeout 5 sql-gw: proxy-type sql-gw sql-gw: proxy-exec ./sql-gw sql-gw: state off # test-gw: bind-address 62.36.24.12 test-gw: port 44666 test-gw: proxy-exec ./plug-pdk test-gw: accept-count 3 test-gw: timeout 7200 test-gw: groupid 0 test-gw: userid 0 test-gw: log-enabled yes test-gw: state on test-gw: description test gateway service # def_proxy_ssod ssod: bind-address 127.0.0.1 7778 ssod: proxy-exec ./ssod ssod: accept-count 2 ssod: timeout 7200 ssod: groupid 0 ssod: userid 0 ssod: log-enabled yes ssod: state on ssod: description Default single sign-on server ssod: proxy-type ssod ssod: primary-cache on ssod: shared-cache on XXXX 8

  16. Government Exhibit 3 (Blowup) test-gw: bind-address 62.36.24.12 test-gw: port 44666 test-gw: proxy-exec ./plug-pdk test-gw: accept-count 3 test-gw: timeout 7200 test-gw: groupid 0 test-gw: userid 0 test-gw: log-enabled yes test-gw: state on test-gw: description test gateway service

  17. Government Exhibit 3-2 # hosts entries for rule 3 http-gw: permit-hosts 127.0.0.1 -policy HTTP-rule3 -ruleNumber 3 -ruleName Trusted -logLevel 1 http-gw: permit-hosts 192.168.10.0:255.255.255.0 -policy HTTP-rule3 -ruleNumber 3 -ruleName Trusted -logLevel 1 http-gw: permit-hosts 192.168.11.0:255.255.255.0 -policy HTTP-rule3 -ruleNumber 3 -ruleName Trusted -logLevel 1 policy-HTTP-rule3: permit-proxy http-gw policy-HTTP-rule3: description Default HTTP service configuration policy-HTTP-rule3: send-broken-post-requests off policy-HTTP-rule3: usedpf on policy-HTTP-rule3: permit-destination * # # hosts entries for rule 3 Ssh: permit-hosts 127.0.0.1 -policy Ssh-rule3 -ruleNumber 3 -ruleName Trusted -logLevel 1 Ssh: permit-hosts 192.168.10.0:255.255.255.0 -policy Ssh-rule3 -ruleNumber 3 -ruleName Trusted -logLevel 1 Ssh: permit-hosts 192.168.11.0:255.255.255.0 -policy Ssh-rule3 -ruleNumber 3 -ruleName Trusted -logLevel 1 policy-Ssh-rule3: permit-proxy Ssh policy-Ssh-rule3: privport off policy-Ssh-rule3: force_source_address off policy-Ssh-rule3: usedpf on policy-Ssh-rule3: description Secure Shell policy-Ssh-rule3: name Ssh policy-Ssh-rule3: permit-destination * # # hosts entries for rule 3 test-gw: permit-hosts * -policy test-gw-rule4 -ruleNumber 4 -ruleName Untrusted -logLevel 1 policy-test-gw-rule4: permit-proxy Ssh policy-test-gw-rule4: privport off policy-test-gw-rule4: force_source_address off policy-test-gw-rule4: destport 22 policy-test-gw-rule4: desthost 172.18.33.22 policy-test-gw-rule4: usedpf on policy-test-gw-rule4: description test gateway policy-test-gw-rule4: name test-gw policy-test-gw-rule4: permit-destination * # # hosts entries for rule 3 SSL: permit-hosts 127.0.0.1 -policy SSL-rule3 -ruleNumber 3 -ruleName Trusted -logLevel 1 SSL: permit-hosts 192.168.10.0:255.255.255.0 -policy SSL-rule3 -ruleNumber 3 -ruleName Trusted -logLevel 1 SSL: permit-hosts 192.168.11.0:255.255.255.0 -policy SSL-rule3 -ruleNumber 3 -ruleName Trusted -logLevel 1 policy-SSL-rule3: permit-proxy SSL policy-SSL-rule3: description SSL default service configuration

  18. Government Exhibit 3-2 (Enlargement) # hosts entries for rule 3 test-gw: permit-hosts * -policy test-gw-rule4 -ruleNumber 4 -ruleName Untrusted -logLevel 1 policy-test-gw-rule4: permit-proxy Ssh policy-test-gw-rule4: privport off policy-test-gw-rule4: force_source_address off policy-test-gw-rule4: destport 22 policy-test-gw-rule4: desthost 172.18.33.22 policy-test-gw-rule4: usedpf on policy-test-gw-rule4: description test gateway policy-test-gw-rule4: name test-gw policy-test-gw-rule4: permit-destination *

  19. Evidence of Remote Locations

  20. Government Exhibit 4

  21. Government Exhibit 5

  22. Government Exhibit 6

  23. Government Exhibit 7

  24. Government Exhibit 8

  25. Government Exhibit 9

  26. Government Exhibit 10

  27. Government Exhibit 11

  28. Government Exhibit 12

  29. Government Exhibit 13

  30. Blog Evidence

  31. Government Exhibit 14 • [Walking the plank on the Bl4ck P3rl]                         [date|time][mood | disturbed]--  Just sit right back and you'll hear a tale,  A tale of a fateful trip,  That started from this tropic port,  Aboard this tiny ship.when you find yourself in the middle of the Potomac river, swimming to theshore in full clothing, one hand holding your laptop above the waterdesperately trying to preserve it.. that is the last song you may thinkof, but i sure was.it's no secret that marvin and i have had disagreements in the past, andit's no secret that things have been on edge at the office lately, dueto us not seeing eye to eye on everything from corporate direction tosecurity concepts to lunch. when i thought things couldn't get worse,they did..last night, Captain Jackass fired me. one day i own part of the company,the next day i don't, the next day im swimming in the potomac jobless.i played my cards wrong, i worried too much about geek things, i didntwatch the business side of things and he muscled me out of my owncompany, i can accept that (asshole). despite that, it was a shock tobe fired on his dumpy boat last night, and to make matters worse, thepirate wannabe actually made me walk the plank. one minute he's workingon his laptop yelling 'aaargh' and laughing like a loon, the nextwe get into an argument and he pushes me toward the side of the boat.

  32. Government Exhibit 14-2 • he puts a plank of wood in some slot he cut out of the side of the boat,screams "you're fired, walk the plank mate!" and pushes me forward.brandishing his old fencing saber, i grab my laptop and get prodded ontothe plank. he goes into some gay ritual of a pirate captain full of'aarghs' and 'mateys', then pokes me in the back forcing me into theriver. what .. the .. fuck!i'll post more later when my stuff dries and i make sure my laptopis fine.--[link]                                                [X Replies | Reply]

  33. Government Exhibit 15 [Captain Jackass]                                             [date|time][mood | pissed]--sleeping on this whole thing didn't help. waking up i feel nothing forcontempt for marvin and want him to pay for what he has done. everyonearound him knows he has gone mad. it used to be jokes about sailing thewild seas of the net, then it was his make shift raft at waterworldgetting laughed at by eight year olds, then it was purchasing a realboat and decking it out with wifi gear. did anyone bother to remindme he knew *nothing* about wifi a few months ago?every day, every hour.. questions about wifi. how do i do this? how doi do that? how do i hax0r this? jesus christ, read a god damn bookmarvin! he "sets sail" on the potomac thinking that no one had thoughtabout "war sailing" and being a "wifi pirate" even though it was publishedmonths ago. the release of _Pirates of the Caribbean_ didn't help things,and his fetish for Johnny Depp.. i won't even go there. and the lastmeeting with our clients, what was he thinking? while he didn't sinkhis lame ship, he is no doubt going to sink that company. he needsto be put out of his misery.i also thought about pressing charges against him for the whole boatthings last night. it wasn't exactly warm out, and to push me intoa damn river where i could only swim to a navy ship or swim an extramile to a shore outside the naval facility, that has to be assaultor attempted murder or something. the thought of him rotting in a jailgetting the sweet man love from bubba is an appealing thought.--[link]                                                [X Replies | Reply]

  34. Evidence from Marvin Biggs Laptop

  35. Government Exhibit 16

  36. Government Exhibit 17

  37. Stipulations Factual: an agreement between prosecution and defense on particular facts, eliminating the need for testimony. Testimonial: an agreement between prosecution and defense that a particular witness would testify in the manner stipulated, if called to the stand.

  38. Government Exhibit 18 DISCLAIMER: The following document is a fictionalized testimonial stipulation for the Black Hat 2003 Conference. The witness of the stipulation does not exist, nor was any evidence in this matter gathered. __________________________________ x | UNITED STATES OF AMERICA, | | -v.- | | STIPULATION MARVIN BIGGS, | a/k/a “Captain Jack Hack”, | | | Defendant, | | __________________________________ IT IS HEREBY STIPULATED AND AGREED between the United States of America, RICHARD SALGADO, Assistant United States Attorney, of counsel, and the defendant MARVIN BIGGS, by his attorney JENNIFER GRANICK, Esq.: If called as a witness, Bert Smith, would testify as follows: • He’s the Policy Enforcement officer at Potomac River Internet Access (potomacriver.com) which is located in Backwater, Maryland. • Potomacriver.com provides high speed internet access to the Maryland area. Internet access is provided by Digital Subscriber Line (DSL) and Dialup-Connection. • When a subscriber connects to the potomacriver.com backbone, the subscriber is provided with an Internet Protocol (IP) address that is unique to the subscriber during their session • Potomacriver.com is assigned the Class B address 63.36.0.0 by the American Registry of Internet Numbers (ARIN) to provide IP addresses for its customers.

  39. Government Exhibit 18-2 • Mr. Smith has reviewed the business records maintained by potomacriver.com for May 15th – June 15th, 2003 and determined that IP address 62.36.18.118 was assigned to the computer owned by Mr. and Mrs. James Denton, 1313 Mockingbird LA, Backwash, Maryland. • Mr. Smith has reviewed the business records maintained by potomacriver.com for May 15th – June 15th, 2003 and determined that IP address 62.36.26.120 was assigned to the computer owned by Mr. And Mrs. Bob Jones, 1234 State St, River’s Edge, Maryland. • Mr. Smith has reviewed the business records maintained by potomacriver.com for May 15th – June 15th, 2003 and determined that IP address 62.36.18.218 was assigned to the computer owned by Mr. And Mrs. Sam Spade, 4314 East End Ave, River’s End, Maryland • Mr. Smith has reviewed the business records maintained by potomacriver.com for May 15th – June 15th, 2003 and determined that IP address 62.36.100.188 was assigned to the computer owned by Mrs. Samantha Smith, 1445 West End Ave, River’s End, Maryland • Mr. Smith has reviewed the business records maintained by potomacriver.com for May 15th – June 15th, 2003 and determined that the above IP address were active during those times. IT IS FURTHER STIPULATED AND AGREED that this stipulation may be received in evidence as a Government exhibit at trial. Dated: June 1, 2003 By:____________________________ RICHARD SALGADO Assistant United States Attorney By: ___________________________ JENNIFER GRANICK, ESQ. Attorney for MARVIN BIGGS

  40. Government Exhibit 19 DISCLAIMER: The following document is a fictionalized testimonial stipulation for the Black Hat 2003 Conference. The witness of the stipulation does not exist, nor was any evidence in this matter gathered. ___________________________________ x | UNITED STATES OF AMERICA, | | -v.- | | STIPULATION MARVIN BIGGS, | a/k/a “Captain Jack Hack” | | | Defendant, | | ___________________________________ IT IS HEREBY STIPULATED AND AGREED between the United States of America, RICHARD SALGADO, Assistant United States Attorney, of counsel, and the defendant MARVIN BIGGS, by his attorney JENNIFER GRANICK, Esq.: If called as a witness, Ms. Samantha Simth, would testify as follows: • Ms. Smith lives at 1445 East End Ave, River’s End, Maryland • She is a subscriber to Potomacriver.com and connects to the Internet Service Provider via DSL. • She has a Wireless access point • She lives within 100 feet of the Potomac River • Her wireless access point and Internet connection were active from May 15th – June 15th, 2003. • She witnessed the Bl4ck P3rl sailing down the Potomac River past her house on May 28th, 2003 at approximately 4:00 pm. She was in the backyard barbequing food for a family dinner at that time..

  41. Government Exhibit 19-2 IT IS FURTHER STIPULATED AND AGREED that this stipulation may be received in evidence as a Government exhibit at trial. Dated: June 1, 2003 By:____________________________ RICHARD SALGADO Assistant United States Attorney By:_ ____________________ JENNIFER GRANICK, ESQ. Attorney for MARVIN BIGGS

  42. Prosecution Witness 2 Oscar Simpson is the systems administrator for the USNA, testifying as a factual witness on events he directly witnessed. His technical background could cause him to be qualified as an expert during testimony, if the Judge allows it.

  43. Prosecution Witness 3 Brian Martin is a former colleague of the defendant, testifying as a factual witness on events he directly witnessed. He may not offer expert opinion since he is not qualified by the court.

  44. Defense Witness 1 Jonathan Klein is testifying as an expert in wireless networks. He has been qualified by the court before testifying as an expert.

  45. Defense Exhibit 1

  46. Defense Exhibit 2

  47. Defense Exhibit 3

  48. Defense Witness 2 Dr. Richard Thieme is a psychiatrist treating Marvin Biggs (a.K.A. Captain jack hack). He is testifying as an expert witness in psychiatry on the mental state of Mr. Biggs.

  49. Defense Witness 3 Marvin Biggs a/k/a Captain Jack Hack is the defendant and is not required to take the stand, but has the right to do so if he chooses. His attorney should discourage him from doing so, since the judge can add extra points to his sentence for perjury and obstruction of justice, if he is found guilty.

  50. Prosecution Closing Statements

More Related