Hacker Court 2004

Hacker Court 2004
Pirates of the Potomac: The Curse of the Bl4ck P3rl
hackercourt@wkeys.com

CAST

JUDGE: Chief Judge Philip M. Pro – Chief Judge for the District of Nevada
EMCEE: Carole Fennelly, President, Wizard’s Keys Corp.
EMCEE: Weasel, NMRC
COURT CLERK: Caitlin Klein
COURT TECHNICIAN: Ryan Bulat - Intern, Wizard’s Keys Corp.
PROSECUTOR: Richard Salgado, Senior Counsel, CCIPS division of DoJ
PROSECUTOR: Paul Ohm, Attorney, CCIPS division of DoJ
DEFENSE ATTORNEY: Erin Kenneally, M.F.S., J.D., Forensic Analyst, SDSC
DEFENDANT (MARVIN BIGGS): Simple Nomad – BindView, NMRC
CASE AGENT: Jesse Kornblum – Captain, USAF
SYSADMIN (O.J. SIMPSON): Jack Holleran – Former NSA
GOVERNMENT WITNESS: Brian Martin - Security Consultant
DEFENSE EXPERT: Richard Thieme – CEO, Thiemeworks, Inc
DEFENSE EXPERT: Jonathan Klein – Senior Manager, Calence, Inc

Schedule

16:45 – Introductions, Court Called to Order
16:50 – 17:00 Opening Statements
17:00 – 17:15 Agent Kornblum
17:15 – 17:20 Explanation of Stipulations
17:20 – 17:35 Oscar J. Simpson
17:35 – 17:50 Brian Martin
17:50 – 18:05 Jonathan Klein
18:05 – 18:15 break
18:15 – 18:30 Richard Thieme
18:30 – 18:45 Captain Hack
18:45 – 18:55 Closing Statements
18:55 – panel discussion in reception area

Witness classification

Factual: testifies to events directly witnessed or observed. May only testify regarding facts, not draw conclusions.
Expert: specifically qualified by the court as an expert in the subject at hand. May offer opinion and draw conclusions based on knowledge and expertise.

Prosecution Opening Statement

Enter Key Points Here

Defense Opening Statement

Enter Key Points Here

Prosecution Witness 1

Agent Kornblum is the Case Agent testifying as both a factual and expert witness on events he witnessed and actions he took when he discovered the intrusion.

Evidence of Break-in

Government Exhibit 1

May 23 11:14:18 doc001 sshd[1779]: connection from "172.18.33.1"
May 23 11:14:24 doc001 sshd[7862]: Wrong password given for user 'root'.
May 23 11:14:32 doc001 sshd[7862]: Wrong password given for user 'ojsimpson'.
May 23 11:14:48 doc001 sshd[7862]: Wrong password given for user 'jsmith'.
May 23 11:15:01 doc001 sshd[7862]: Wrong password given for user 'jsmith'.
May 23 11:15:22 doc001 sshd[25386]: User jsmith's local password accepted.
May 23 11:15:24 doc001 sshd[25386]: Password authentication for user jsmith accepted.
May 23 11:15:24 doc001 sshd[25386]: User jsmith, coming from fw001-internal.usna.gov, authenticated.
May 24 18:11:18 doc001 sshd[1779]: connection from "172.18.33.1"
May 24 18:11:23 doc001 sshd[28003]: User jsmith's local password accepted.
May 24 18:11:23 doc001 sshd[28003]: Password authentication for user jsmith accepted.
May 24 18:11:23 doc001 sshd[28003]: User jsmith, coming from fw001-internal.usna.gov, authenticated.
May 24 19:23:18 doc001 sshd[1779]: connection from "172.18.33.1"
May 24 19:23:22 doc001 sshd[29001]: User jsmith's local password accepted.
May 24 19:23:22 doc001 sshd[29001]: Password authentication for user jsmith accepted.
May 24 19:23:22 doc001 sshd[29001]: User jsmith, coming from fw001-internal.usna.gov, authenticated.
May 26 08:44:21 doc001 sshd[1779]: connection from "172.18.33.1"
May 26 08:44:22 doc001 sshd[29990]: User jsmith's local password accepted.
May 26 08:44:22 doc001 sshd[29990]: Password authentication for user jsmith accepted.
May 26 08:44:18 doc001 sshd[29990]: User jsmith, coming from fw001-internal.usna.gov, authenticated.
May 26 12:02:21 doc001 sshd[1779]: connection from "172.18.33.1"
May 26 12:02:22 doc001 sshd[30002]: User jsmith's local password accepted.
May 26 12:02:22 doc001 sshd[30002]: Password authentication for user jsmith accepted.
May 26 12:02:18 doc001 sshd[30002]: User jsmith, coming from fw001-internal.usna.gov, authenticated.
May 28 16:03:21 doc001 sshd[1779]: connection from "172.18.33.1"
May 28 16:03:22 doc001 sshd[30100]: User jsmith's local password accepted.
May 28 16:03:22 doc001 sshd[30100]: Password authentication for user jsmith accepted.
May 28 16:03:22 doc001 sshd[30100]: User jsmith, coming from fw001-internal.usna.gov, authenticated.
May 29 08:00:21 doc001 sshd[1779]: connection from "172.18.33.1"
May 29 08:00:22 doc001 sshd[30110]: User jsmith's local password accepted.
May 29 08:00:22 doc001 sshd[30110]: Password authentication for user jsmith accepted.
May 29 08:00:18 doc001 sshd[30110]: User jsmith, coming from fw001-internal.usna.gov, authenticated.

Government Exhibit 1 (Enlargement)

May 28 16:03:21 doc001 sshd[1779]: connection from "172.18.33.1"
May 28 16:03:22 doc001 sshd[30100]: User jsmith's local password accepted.
May 28 16:03:22 doc001 sshd[30100]: Password authentication for user jsmith accepted.
May 28 16:03:22 doc001 sshd[30100]: User jsmith, coming from fw001-internal.usna.gov, authenticated.

Government Exhibit 1-2

May 29 08:20:21 doc001 sshd[1779]: connection from "172.18.33.1"
May 29 08:20:22 doc001 sshd[30115]: User jsmith's local password accepted.
May 29 08:20:22 doc001 sshd[30115]: Password authentication for user jsmith accepted.
May 29 08:20:18 doc001 sshd[30115]: User jsmith, coming from fw001-internal.usna.gov, authenticated.
May 29 14:23:21 doc001 sshd[1779]: connection from "172.18.33.1"
May 29 14:23:22 doc001 sshd[30150]: User jsmith's local password accepted.
May 29 14:23:22 doc001 sshd[30150]: Password authentication for user jsmith accepted.
May 29 14:23:18 doc001 sshd[30150]: User jsmith, coming from fw001-internal.usna.gov, authenticated.
May 30 19:20:21 doc001 sshd[1779]: connection from "172.18.33.1"
May 30 19:20:22 doc001 sshd[32003]: User jsmith's local password accepted.
May 30 19:20:22 doc001 sshd[32003]: Password authentication for user jsmith accepted.
May 30 19:20:18 doc001 sshd[32003]: User jsmith, coming from fw001-internal.usna.gov, authenticated.
May 31 00:23:18 doc001 sshd[1779]: connection from "172.18.33.1"
May 31 00:23:21 doc001 sshd[32200]: User jsmith's local password accepted.
May 31 00:23:22 doc001 sshd[32200]: Password authentication for user jsmith accepted.
May 31 00:23:22 doc001 sshd[32200]: User jsmith, coming from fw001-internal.usna.gov, authenticated.

Government Exhibit 2

May 23 11:14:18 fw001.usna.gov test-gw[28161]: [ID 831736 daemon.notice] permit host=nodnsquery/62.36.100.188 destination=172.18.33.22 port=44466
May 23 11:14:21 fw001.usna.gov test-gw[28161]: [ID 741503 daemon.notice] connected host=nodnsquery/62.36.100.188 destination=172.18.33.22 port=22
May 23 11:14:22 fw001.usna.gov test-gw[28161]: [ID 572103 daemon.notice] exit host=nodnsquery/62.36.100.188 dest=172.18.33.22 in=145 out=222 user=unauth duration=601
May 24 18:11:18 fw001.usna.gov test-gw[28161]: [ID 831736 daemon.notice] permit host=nodnsquery/62.36.18.118 destination=172.18.33.22 port=44466
May 24 18:11:21 fw001.usna.gov test-gw[28161]: [ID 741503 daemon.notice] connected host=nodnsquery/62.36.18.118 destination=172.18.33.22 port=22
May 24 18:11:22 fw001.usna.gov test-gw[28161]: [ID 572103 daemon.notice] exit host=nodnsquery/62.36.18.118 dest=172.18.33.22 in=2042 out=3054 user=unauth duration=1804
May 24 19:23:18 fw001.usna.gov test-gw[28161]: [ID 831736 daemon.notice] permit host=nodnsquery/62.36.26.120 destination=172.18.33.22 port=44466
May 24 19:23:21 fw001.usna.gov test-gw[28161]: [ID 741503 daemon.notice] connected host=nodnsquery/62.36.26.120 destination=172.18.33.22 port=22
May 24 19:23:22 fw001.usna.gov test-gw[28161]: [ID 572103 daemon.notice] exit host=nodnsquery/62.36.26.120 dest=172.18.33.22 in=4050 out=9080 user=unauth duration=2402
May 26 08:44:18 fw001.usna.gov test-gw[28161]: [ID 831736 daemon.notice] permit host=nodnsquery/62.36.18.218 destination=172.18.33.22 port=44466
May 26 08:44:21 fw001.usna.gov test-gw[28161]: [ID 741503 daemon.notice] connected host=nodnsquery/62.36.18.218 destination=172.18.33.22 port=22
May 26 08:44:22 fw001.usna.gov test-gw[28161]: [ID 572103 daemon.notice] exit host=nodnsquery/61.33.44.22 dest=172.18.33.22 in=555 out=1320452 user=unauth duration=1022
May 26 12:02:18 fw001.usna.gov test-gw[28161]: [ID 831736 daemon.notice] permit host=nodnsquery/61.33.44.22 destination=172.18.33.22 port=44466
May 26 12:02:21 fw001.usna.gov test-gw[28161]: [ID 741503 daemon.notice] connected host=nodnsquery/61.33.44.118 destination=172.18.33.22 port=22
May 26 12:02:22 fw001.usna.gov test-gw[28161]: [ID 572103 daemon.notice] exit host=nodnsquery/61.33.44.118 dest=172.18.33.22 in=888 out=2053 user=unauth duration=124
May 28 16:03:18 fw001.usna.gov test-gw[28161]: [ID 831736 daemon.notice] permit host=nodnsquery/62.36.100.188 destination=172.18.33.22 port=44466
May 28 16:03:21 fw001.usna.gov test-gw[28161]: [ID 741503 daemon.notice] connected host=nodnsquery/62.36.100.188stination=172.18.33.22 port=22
May 28 16:03:22 fw001.usna.gov test-gw[28161]: [ID 572103 daemon.notice] exit host=nodnsquery/62.36.100.188 dest=172.18.33.22 in=12954 out=32005252 user=unauth duration=4500

Government Exhibit 2 (Enlargement)

May 28 16:03:18 fw001.usna.gov test-gw[28161]: [ID 831736 daemon.notice] permit host=nodnsquery/62.36.100.188 destination=172.18.33.22 port=44466
May 28 16:03:21 fw001.usna.gov test-gw[28161]: [ID 741503 daemon.notice] connected host=nodnsquery/62.36.100.188stination=172.18.33.22 port=22
May 28 16:03:22 fw001.usna.gov test-gw[28161]: [ID 572103 daemon.notice] exit host=nodnsquery/62.36.100.188 dest=172.18.33.22 in=12954 out=32005252 user=unauth duration=4500

Government Exhibit 2-2

May 29 14:23:18 fw001.usna.gov test-gw[28161]: [ID 831736 daemon.notice] permit host=nodnsquery/62.36.26.120stination=172.18.33.22 port=44466
May 29 14:23:21 fw001.usna.gov test-gw[28161]: [ID 741503 daemon.notice] connected host=nodnsquery/62.36.26.120 destination=172.18.33.22 port=22
May 29 14:23:22 fw001.usna.gov test-gw[28161]: [ID 572103 daemon.notice] exit host=nodnsquery/62.36.26.120 dest=172.18.33.22 in=xx out=yy user=unauth duration=zz
May 29 08:00:18 fw001.usna.gov test-gw[28161]: [ID 831736 daemon.notice] permit host=nodnsquery/61.33.55.129 destination=172.18.33.22 port=44466
May 29 08:00:21 fw001.usna.gov test-gw[28161]: [ID 741503 daemon.notice] connected host=nodnsquery/61.33.55.129 destination=172.18.33.22 port=22
May 29 08:00:22 fw001.usna.gov test-gw[28161]: [ID 572103 daemon.notice] exit host=nodnsquery/61.33.55.129 dest=172.18.33.22 in=2344 out=234204 user=unauth duration=300
May 29 08:20:18 fw001.usna.gov test-gw[28161]: [ID 831736 daemon.notice] permit host=nodnsquery/62.36.100.188] destination=172.18.33.22 port=44466
May 29 08:20:21 fw001.usna.gov test-gw[28161]: [ID 741503 daemon.notice] connected host=nodnsquery/62.36.100.188 destination=172.18.33.22 port=22
May 29 08:20:22 fw001.usna.gov test-gw[28161]: [ID 572103 daemon.notice] exit host=nodnsquery/62.36.100.188 dest=172.18.33.22 in=2452 out=3223 user=unauth duration=120
May 30 19:20:18 fw001.usna.gov test-gw[28161]: [ID 831736 daemon.notice] permit host=nodnsquery/62.36.100.188] destination=172.18.33.22 port=44466
May 30 19:20:21 fw001.usna.gov test-gw[28161]: [ID 741503 daemon.notice] connected host=nodnsquery/62.36.100.188] destination=172.18.33.22 port=22
May 30 19:20:22 fw001.usna.gov test-gw[28161]: [ID 572103 daemon.notice] exit host=nodnsquery/62.36.100.188] dest=172.18.33.22 in=2342 out=2354865 user=unauth duration=1210
May 31 00:23:18 fw001.usna.gov test-gw[28161]: [ID 831736 daemon.notice] permit host=nodnsquery/62.36.100.188] destination=172.18.33.22 port=44466
May 31 00:23:21 fw001.usna.gov test-gw[28161]: [ID 741503 daemon.notice] connected host=nodnsquery/62.36.100.188] destination=172.18.33.22 port=22
May 31 00:23:22 fw001.usna.gov test-gw[28161]: [ID 572103 daemon.notice] exit host=nodnsquery/62.36.100.188] dest=172.18.33.22 in=223 out=58553 user=unauth duration=133

Government Exhibit 3

sql-gw: tns-tracing no
sql-gw: log-level 0
sql-gw: log-enabled yes
sql-gw: maximum-relays 1024
sql-gw: maximum-connect-data 1024
sql-gw: event-timer 0
sql-gw: answer-error-countdown 16
sql-gw: authentication-level 0
sql-gw: directory /var/log
sql-gw: answer-timeout 5
sql-gw: proxy-type sql-gw
sql-gw: proxy-exec ./sql-gw
sql-gw: state off
#
test-gw: bind-address 62.36.24.12
test-gw: port 44666
test-gw: proxy-exec ./plug-pdk
test-gw: accept-count 3
test-gw: timeout 7200
test-gw: groupid 0
test-gw: userid 0
test-gw: log-enabled yes
test-gw: state on
test-gw: description test gateway service
# def_proxy_ssod
ssod: bind-address 127.0.0.1 7778
ssod: proxy-exec ./ssod
ssod: accept-count 2
ssod: timeout 7200
ssod: groupid 0
ssod: userid 0
ssod: log-enabled yes
ssod: state on
ssod: description Default single sign-on server
ssod: proxy-type ssod
ssod: primary-cache on
ssod: shared-cache on XXXX 8

Government Exhibit 3 (Blowup)

test-gw: bind-address 62.36.24.12
test-gw: port 44666
test-gw: proxy-exec ./plug-pdk
test-gw: accept-count 3
test-gw: timeout 7200
test-gw: groupid 0
test-gw: userid 0
test-gw: log-enabled yes
test-gw: state on
test-gw: description test gateway service

Government Exhibit 3-2

# hosts entries for rule 3
http-gw: permit-hosts 127.0.0.1 -policy HTTP-rule3 -ruleNumber 3 -ruleName Trusted -logLevel 1
http-gw: permit-hosts 192.168.10.0:255.255.255.0 -policy HTTP-rule3 -ruleNumber 3 -ruleName Trusted -logLevel 1
http-gw: permit-hosts 192.168.11.0:255.255.255.0 -policy HTTP-rule3 -ruleNumber 3 -ruleName Trusted -logLevel 1
policy-HTTP-rule3: permit-proxy http-gw
policy-HTTP-rule3: description Default HTTP service configuration
policy-HTTP-rule3: send-broken-post-requests off
policy-HTTP-rule3: usedpf on
policy-HTTP-rule3: permit-destination *
#
# hosts entries for rule 3
Ssh: permit-hosts 127.0.0.1 -policy Ssh-rule3 -ruleNumber 3 -ruleName Trusted -logLevel 1
Ssh: permit-hosts 192.168.10.0:255.255.255.0 -policy Ssh-rule3 -ruleNumber 3 -ruleName Trusted -logLevel 1
Ssh: permit-hosts 192.168.11.0:255.255.255.0 -policy Ssh-rule3 -ruleNumber 3 -ruleName Trusted -logLevel 1
policy-Ssh-rule3: permit-proxy Ssh
policy-Ssh-rule3: privport off
policy-Ssh-rule3: force_source_address off
policy-Ssh-rule3: usedpf on
policy-Ssh-rule3: description Secure Shell
policy-Ssh-rule3: name Ssh
policy-Ssh-rule3: permit-destination *
#
# hosts entries for rule 3
test-gw: permit-hosts * -policy test-gw-rule4 -ruleNumber 4 -ruleName Untrusted -logLevel 1
policy-test-gw-rule4: permit-proxy Ssh
policy-test-gw-rule4: privport off
policy-test-gw-rule4: force_source_address off
policy-test-gw-rule4: destport 22
policy-test-gw-rule4: desthost 172.18.33.22
policy-test-gw-rule4: usedpf on
policy-test-gw-rule4: description test gateway
policy-test-gw-rule4: name test-gw
policy-test-gw-rule4: permit-destination *
#
# hosts entries for rule 3
SSL: permit-hosts 127.0.0.1 -policy SSL-rule3 -ruleNumber 3 -ruleName Trusted -logLevel 1
SSL: permit-hosts 192.168.10.0:255.255.255.0 -policy SSL-rule3 -ruleNumber 3 -ruleName Trusted -logLevel 1
SSL: permit-hosts 192.168.11.0:255.255.255.0 -policy SSL-rule3 -ruleNumber 3 -ruleName Trusted -logLevel 1
policy-SSL-rule3: permit-proxy SSL
policy-SSL-rule3: description SSL default service configuration

Government Exhibit 3-2 (Enlargement)

# hosts entries for rule 3
test-gw: permit-hosts * -policy test-gw-rule4 -ruleNumber 4 -ruleName Untrusted -logLevel 1
policy-test-gw-rule4: permit-proxy Ssh
policy-test-gw-rule4: privport off
policy-test-gw-rule4: force_source_address off
policy-test-gw-rule4: destport 22
policy-test-gw-rule4: desthost 172.18.33.22
policy-test-gw-rule4: usedpf on
policy-test-gw-rule4: description test gateway
policy-test-gw-rule4: name test-gw
policy-test-gw-rule4: permit-destination *

Evidence of Remote Locations

Government Exhibit 4
Government Exhibit 5
Government Exhibit 6
Government Exhibit 7
Government Exhibit 8
Government Exhibit 9
Government Exhibit 10
Government Exhibit 11
Government Exhibit 12
Government Exhibit 13

Blog Evidence

Government Exhibit 14

[Walking the plank on the Bl4ck P3rl] [date|time]
[mood | disturbed]
--
  Just sit right back and you'll hear a tale,
  A tale of a fateful trip,
  That started from this tropic port,
  Aboard this tiny ship.

when you find yourself in the middle of the Potomac river, swimming to the shore in full clothing, one hand holding your laptop above the water desperately trying to preserve it.. that is the last song you may think of, but i sure was.

it's no secret that marvin and i have had disagreements in the past, and it's no secret that things have been on edge at the office lately, due to us not seeing eye to eye on everything from corporate direction to security concepts to lunch. when i thought things couldn't get worse, they did..

last night, Captain Jackass fired me. one day i own part of the company, the next day i don't, the next day im swimming in the potomac jobless. i played my cards wrong, i worried too much about geek things, i didnt watch the business side of things and he muscled me out of my own company, i can accept that (asshole). despite that, it was a shock to be fired on his dumpy boat last night, and to make matters worse, the pirate wannabe actually made me walk the plank. one minute he's working on his laptop yelling 'aaargh' and laughing like a loon, the next we get into an argument and he pushes me toward the side of the boat.

Government Exhibit 14-2

he puts a plank of wood in some slot he cut out of the side of the boat, screams "you're fired, walk the plank mate!" and pushes me forward. brandishing his old fencing saber, i grab my laptop and get prodded onto the plank. he goes into some gay ritual of a pirate captain full of 'aarghs' and 'mateys', then pokes me in the back forcing me into the river. what .. the .. fuck!

i'll post more later when my stuff dries and i make sure my laptop is fine.
--
[link] [X Replies | Reply]

Government Exhibit 15

[Captain Jackass] [date|time]
[mood | pissed]
--
sleeping on this whole thing didn't help. waking up i feel nothing for contempt for marvin and want him to pay for what he has done. everyone around him knows he has gone mad. it used to be jokes about sailing the wild seas of the net, then it was his make shift raft at waterworld getting laughed at by eight year olds, then it was purchasing a real boat and decking it out with wifi gear. did anyone bother to remind me he knew *nothing* about wifi a few months ago?

every day, every hour.. questions about wifi. how do i do this? how do i do that? how do i hax0r this? jesus christ, read a god damn book marvin! he "sets sail" on the potomac thinking that no one had thought about "war sailing" and being a "wifi pirate" even though it was published months ago. the release of _Pirates of the Caribbean_ didn't help things, and his fetish for Johnny Depp.. i won't even go there. and the last meeting with our clients, what was he thinking? while he didn't sink his lame ship, he is no doubt going to sink that company. he needs to be put out of his misery.

i also thought about pressing charges against him for the whole boat things last night. it wasn't exactly warm out, and to push me into a damn river where i could only swim to a navy ship or swim an extra mile to a shore outside the naval facility, that has to be assault or attempted murder or something. the thought of him rotting in a jail getting the sweet man love from bubba is an appealing thought.
--
[link] [X Replies | Reply]

Evidence from Marvin Biggs Laptop

Government Exhibit 16
Government Exhibit 17

Stipulations

Factual: an agreement between prosecution and defense on particular facts, eliminating the need for testimony.
Testimonial: an agreement between prosecution and defense that a particular witness would testify in the manner stipulated, if called to the stand.

Government Exhibit 18

DISCLAIMER: The following document is a fictionalized testimonial stipulation for the Black Hat 2003 Conference. The witness of the stipulation does not exist, nor was any evidence in this matter gathered.

__________________________________ x
UNITED STATES OF AMERICA,          |
                                   |
        -v.-                       |  STIPULATION
                                   |
MARVIN BIGGS,                      |
  a/k/a “Captain Jack Hack”,       |
                                   |
        Defendant,                 |