Appendix A - Search and Seizure Warrant
UNITED STATES DISTRICT COURT
District of Arizona
In the matter of the Search of
(Name, address or brief description of person or
property to be searched)
SEARCH WARRANT
12345 East Hacker Street
Apt. 866 Case Number:####
98-5887MB
Phoenix, Arizona
TO: Bill F. Scrotum, III and any Authorized Officer of the United States
Affidavit(s) having been made before me by affiant, Bill F. Scrotum,
III, who has reason to believe that /_/ on the person of or /X/
on the premises known as (name, description and/or location)
SEE ATTACHMENT A.
in the District of Arizona there is now concealed a certain person or
property namely (describe the person or property)
SEE ATTACHMENT C.
I am satisfied that the affidavit(s) and any recorded testimony
establish probable cause to believe that the person or property so
described is now concealed on the person or premises above-described
and establish grounds for the issuance of this warrant.
YOU ARE HEREBY COMMANDED to search on or before
_______12-20-98__at__11:15a.m.________
Date
(not to exceed 10 days) the person or place named above for the person
or property specified, serving this warrant and making the search (in
the daytime 6:00a.m. to 10:00p.m.) (at any time in the day or night as
I find reasonable cause has been established) and if the person or
property be found there to seize same, leaving a copy of this warrant
and receipt for the person or property taken, and prepare a written
inventory of the person or property seized and promptly return this
warrant to _____United States Judge or Magistrate
Judge_____ as required by law.
_____12-14-1998__@__11:16_a.m.____ at __Phoenix,Arizona______
Date and Time Issued City and State
___Lawrence O. Somebody___________(signature)__________________
Name and Title of Judicial Officer Signature of Judicial Officer
Appendix B - Search and Seizure Warrant, Attachment A
(apartment)
ATTACHMENT A
12345 EAST HACKER STREET
APARTMENT 866
PHOENIX, ARIZONA
12345 East Hacker Street, Phoenix, Arizona, (between Hacker Street and
Federal Avenue) is a two-story, residential apartment building, with
brown stucco and siding and a brown shingle roof, consisting of
approximately 8 residential apartments. Apartment 866 (the "FIRST
PREMISES") is on the second floor of the building; the number "866"
appears beside the door to the FIRST PREMISES.
Appendix C - Search and Seizure Warrant, Attachment B (colocated
machine)
ATTACHMENT C
TWO COMPUTERS OWNED BY JOHN Q. HACKER
MAINTAINED AT THE OFFICES OF BUSINESS COMMUNICATIONS
2000 SOUTH MAIN STREET, SUITE 800,
PHOENIX, ARIZONA
One white "Sun Sparc Station" brand computer, and one personal computer
(collectively, the "SECOND PREMISES"). The latter of these two
computers has several stickers on it: a "Linux Inside" brand sticker, a
sticker which reads "For Unofficial Use Only," a bumper-style sticker
which reads "REMAIN WHERE YOU ARE WHILE VEHICLE IS IN MOTION," and a
round sticker which has a caricature of a space alien face on it. Both
computers are located in the business premises of Business
Communications (located at the above-referenced address) on a steel
rack in the vicinity of other computers.
Appendix D - Search and Seizure Warrant, Attachment C
ATTACHMENT C
THE PREMISES KNOWN AND DESCRIBED AS 12345 EAST HACKER STREET, APT. 866,
PHOENIX, ARIZONA
Records, documents, programs, applications, and materials which reflect
hacking activities, including copies of software, data, and
information; hacking tools and programs; computerized logs; electronic
organizers; account names; passwords; encryption codes, algorithms and
formulae; personal diaries; books, newspaper, and magazine articles
concerning hacking; exploits and other hacking programs; and computer
or data processing literature, including printed copy, instruction
books, papers; or listed computer programs, in whole or in part;
computers; central processing units; external and internal drives;
external or internal storage equipment or media; terminals or video
display units; optical scanners; computer software; computerized data
storage devices, including data stored on hard disks or floppy disks,
computer printouts or computer programs; computer or data processing
software or data, including: hard disks, floppy disks, cassette tapes,
video cassette tapes, and magnetic tapes, together with peripheral
equipment such as keyboards, printers, modems or acoustic couplers,
automatic dialers, speed dialers, programmable telephone dialing or
signaling devices, fax machines (and data included therein), telephone
blue boxes, and magnetic tapes which could contain or be used to
transmit or store any of the foregoing records, documents, and
materials; indicia of occupancy or tenancy including: bills, letters,
invoices, shipping records, and rental or leasing agreements which tend
to show ownership, occupancy or control; records, documents, and
materials which refer, relate to, or are for use in, computer hacking.
As used herein, the term records, documents, and materials includes
records, documents, and materials created, modified or stored in
electronic or magnetic form and any data, image or information that is
capable of being read or interpreted by a computer; and other items
containing or reflecting evidence of violations of unauthorized
intrusion into computers, in violation of Title 18, United States
Code, Sections 371 and 1030.
Appendix E - Warrant for Arrest
UNITED STATES DISTRICT COURT
EASTERN DISTRICT OF CALIFORNIA
UNITED STATES OF AMERICA WARRANT FOR ARREST
v.
JOHN HACKER (DOB: 11/22/81) CASE NUMBER: 99 M 823
TO: The United States Marshal
and any Authorized United States Officer
YOU ARE HEREBY COMMANDED to arrest JOHN HACKER and
bring him forthwith to the nearest magistrate to answer a Criminal
Complaint charging him with intentionally obtaining information from
protected and United States computers by unauthorized access, and
malicious interference with a United States communication system, in
violation of Title 18, United States Code, Sections 1030(a)(2)(B) AND
(C), and 1362.
James F. Brakel United States Magistrate Judge
Name of Judicial Officer Title of Issuing Officer
August 30, 1999, at Carlsbad, CA
_________________________
Date and Location Signature of Issuing Officer(signed)
UNITED STATES DISTRICT COURT
EASTERN DISTRICT OF WISCONSIN
UNITED STATES OF AMERICA CRIMINAL COMPLAINT
v.
JOHN HACKER (DOB: 11/22/81) CASE NUMBER: 99 M 823
I, FRED F. WHITE, the undersigned complainant being
duly sworn state the following is true and correct to the best of my
knowledge and belief. On or about April 1, 1999 in Orange County, in
the State and Eastern District of California, JOHN HACKER, the
defendant herein, did intentionally access a computer without
authorization and did exceed authorized access, thereby obtaining
information from a protected computer and from the United States Army,
a department of the United States; and did willfully and maliciously
interfere with the working and use of a communication system operated
and controlled by the United States, and used for military functions of
the United States, and did willfully and maliciously obstruct and delay
the transmission of communications over such system,
in violation of Title 18, United States Code, Sections 1030(a)(2)(B)
and (C), and 1362.
I further state that I am a Special Agent with the United States Army
Criminal Investigative Command, and that this complaint is based on the
following facts:
Please see the attached affidavit of Special Agent Fred F. White.
______________________
Signature of Complainant
Fred F. White
Sworn to before me and subscribed in my presence,
August 30, 1999 at Carlsbad,California
Date City and State
The Honorable James F. Brakel
United States Magistrate Judge ______________________
Name & Title of Judicial Officer Signature of Judicial Officer
Affidavit
I, Fred F. White, being duly sworn, state that:
1. I have been a Special Agent with the United States
Army Criminal Investigative Command (USACIDC) for approximately 9
years. I am currently assigned to the Computer Crimes Resident Agency.
I have received specialized training for that assignment, including
training in the forensic recovery of digital evidence at the Federal
Law Enforcement Training Center (U.S. Treasury), training in computer
intrusion investigations conducted by the Federal Bureau of
Investigation, and Defense Department training in the computer-related
crimes and computer operating systems.
2. I make this affidavit in part from personal
knowledge based on my participation in this investigation and my review
of documents, and in part on information gained through my training and
experience. In particular, I have relied on information provided by
FBI Special Agent Michael Serlsen and Charles Frad, both of whom have
been involved in a pending investigation of a group of computer hackers
known as "Script Kids United".
3. The Internet, sometimes referred to as the World
Wide Web (WWW), is a collection of computers and computer networks
which are connected to one another via high-speed data links and
telephone lines for the purpose of sharing information. Connections
between Internet computers exist across state and international
borders. Information sent between computers connected to the Internet
frequently crosses state and international borders, even if those
computers are in the same state.
4. An Internet Service Provider (ISP) is a business
that provides access to the Internet. Services provided by an ISP
include computer accounts, Internet access, electronic mail (E-Mail),
shell accounts (computer accounts on a computer running the UNIX
operating system), and dial-up connection to the Internet via a
telephone line and a modem.
5. A modem is a device which converts digital signals
into analog signals for transmission over telephone lines, and analog
signals back into digital signals. This allows computers to
communicate via telephone lines. A modem in a computer can be used to
"dial-up", via telephone, and connect to a computer located at an ISP.
This connection process is one method of accessing the Internet via an
ISP.
6. Computers connected to the Internet are identified
by addresses. Internet addresses take on several forms including
Internet Protocol (IP) addresses, Uniform Resource Locator (URL)
addresses, and domain names. Internet addresses are unique and each
can be resolved through recovery and identification techniques, to
identify a physical location and a computer connection of a particular
address. When an ISP customer connects to the internet through the
ISP, the customer is assigned a unique IP address by the ISP for that
entire on-line session.
7. Computers use user identities (user IDs) or
accounts to identify specific computer users. Users of a computer are
assigned a unique account/user ID which is protected from unauthorized
access by a password. Access to the computer and its resources can be
regulated by a systems administrator for each individual account. The
highest level of authorization on a computer is the root or super user
account which is granted unrestricted access to all computer functions
and resources.
8. Log Files are computer files containing information
regarding the activities of computer users, processes running on a
computer and the activity of computer resources such as networks,
modems and printers. Log files are used to identify unauthorized uses
of computer resources.
9. A Computer Hacker is an individual who obtains
unauthorized access or exceeds his authorized access to a computer.
10. A back door is a computer intrusion term which is
defined as: an intrusion tool, an unauthorized computer account, or an
account which exceeds authorized access and is left by an intruder
after an intrusion as a means for gaining unauthorized access to a
computer at a later time.
11. A network is a series of points connected by
communications channels. The switched telephone network is the network
normally used for dialed telephone calls.
12. A server is a computer connected to a network
which provides a particular service to other devices; for example a
print server manages a printer and an e-mail server manages
electronic mail.
13. The Internet Relay Chat (IRC) is a collection of
server computers on the Internet which allow IRC users to communicate
or "chat" with other users of IRC. Users on IRC, called IRC Clients,
access the IRC servers using IRC Client software programs. IRC users
communicate in public and private environments called "chat rooms."
IRC users are identified by a unique nickname and an Internet address.
IRC Client software programs can be used to identify users. IRC is
considered to be a public communication forum with no expectation of
privacy for conversations which occur in public "chat rooms." The
computer servers which make up the IRC network are protected computers
since they are used to conduct interstate communications.
Summary of John Hacker Investigation
14. On and around June 13, 1999, FBI special agents
executed a series of search warrants at various locations around the
United States. The search warrant applications detailed the
conspiratorial activities of a group of hackers known as Script Kids
United. The objectives of the conspiracies included unauthorized
intrusions into computer systems, credit card fraud, and the fraudulent
use of telecommunication services.
15. On or about June 18, 1999, FBI Special Agent
Michael Serlsen applied for and obtained a search warrant for the
residence of John Hacker, more particularly described in the caption of
this application. His application and supporting affidavit established
probable cause that certain evidence and instrumentalities of violations
of Title 18 United States Code, Sections 371, 1029(a)(2),
1030(a)(2)(C), 1030(a)(5)(A), 1030(a)(6) would be found at the
residence. The application was based in part on information provided
by two of the targets of the Global Hell searches referred to in the
previous paragraph. Not all the information provided by the two
subjects has been verified, and some of it is believed to be
unreliable. The following is a summary of the information provided
about Davis:
Information from Target #1:
a. The members of the conspiracy who were involved with
most of the hacking were John Hacker, a.k.a. "statd kid," and John
Vranapelly, a.k.a. "JaVa", "winkid", and "sphincter".
b. These two persons founded a hacker group called
"Script Kids Unite", a.k.a. "SKU".
c. The group is a product of the hacker group known as
"Big Kids With Toys".
d. Both Hacker and Vranapelly would coordinate attacks
on different sites by communicating with other hackers on internet
chat channels.
e. These individuals bragged of hacks they had
performed. When one member of the conspiracy had difficulty hacking
into the system, members of the conspiracy would work together to
direct attacks in order to penetrate these sites.
f. Hacker previously lived in Syracuse, New York but
had moved sometime in 1999 to a new apartment in Carlsbad,
California. The phone number for the apartment is (720) 555-8362.
Information from Target #2:
a. "JaVa" was one of the co-founders of the computer
hacker group known as Script Kids Unite.
b. "statd kid" lives in Carlsbad, California, and has a
first name of John.
c. "statd kid" has used a "Cold Fusion" program to
attack system vulnerabilities. This program searched for vulnerabilities
in window-based programs and allows the initiator to enter the computer
system via a back door.
d. Target #2 searched the domain registered to "SKU",
which Statd Kid set up. The name was listed to 678 Norse Drive
Apartment 44, Carlsbad, California. Special Agent Frad duplicated
the search and confirmed this listing.
e. Statd Kid told Target #2 about hacks he has done
which include, but are not limited to:
1. www.one.com
2. www.two.com
3. www.three.com
4. www.four.com
5. www.five.com
6. www.six.com
7. www.seven.com
8. www.eight.com
9. www.nine.com
10. www.ten.com
16. On June 9, 1999, FBI Special Agent Serlsen and
others executed the search warrant at the residence of John Hacker, and
seized among other things, Hacker's computer. I have just begun the
process of searching a copy of the computer's storage media. I have
discovered the Cold Fusion software necessary to accomplish the
intrusion described in paragraph 18, below. After the search of the
residence, SA Serlsen interviewed Hacker, who admitted to being a
member of Script Kids United and admitted hacking into web
sites listed above, but claimed he had not done any hacking since January
of this year.
17. The United States Army maintains a number of web
sites intended to provide information to both the public and Army
personnel, who can use various sites for work-related purposes. The
web sites are maintained in a network of computers. The main web site
is www.army.mil. The web site includes links to other U.S. Army web
sites, some of which are non-public, that is, that can be accessed only
by authorized users with user ID's and passwords.
18. On July 3, 1999, between approximately 1:35 a.m.
and 5:23 a.m. (CST), an unknown hacker gained unauthorized root access
to an unclassified U.S. Army web server located in the Pentagon,
Washington D.C. The intruder replaced the opening web page with an
altered web page containing a hacker signature from a group calling
themselves "Script Kids United". As a result, no one could utilize the
web site for any of its intended purposes until it was repaired.
Further, the unknown intruder turned off system auditing services in an
attempt to prevent any detailed record of the incident. The intruder
also downloaded event log files, modified them to cover his intrusion,
and then uploaded them to replace accurate logs with the altered
version. A thorough review of the system by system administrators
revealed a recently publicized vulnerability was used to modify the
opening web page and subsequently turn off logging. A review
of external logs revealed the intruder accessed the server through an
internet service provider (ISP) located in Carlsbad, California.
19. Logs maintained by the ISP in Carlsbad show that the
intruder used an unauthorized ISP account which has been in existence
for a period of about two years without their knowledge. Further, the
intruder utilized the ISP between 10:42 p.m. July 18 and 05:23 a.m.
July 28, 1999 (CST) which encompassed the time frame the US Army Web
server was accessed.
20. Telephone records maintained by the communications
carrier for the Carlsbad area show that beginning at approximately
10:01 p.m. on July 27, 1999, telephone number (720) 555-3723,
subscribed to in the name of John Hacker at the premises described in
the caption to this application, was used to place a call to the ISP
referred to above. The call lasted approximately 4 hours.
Appendix F - Indictment
UNITED STATES DISTRICT COURT
EASTERN DISTRICT OF WISCONSIN
_________________________________________________________________
UNITED STATES OF AMERICA
Plaintiff,
v.
JOHN Q. HACKER,
Defendant.
Case No. 99-Cr-432
_________________________________________________________________
INDICTMENT
_________________________________________________________________
THE GRAND JURY CHARGES:
Count One:
On or about April 1, 1999, in Central County, in the
State and Eastern District of New Mexico, and elsewhere,
JOHN Q. HACKER
intentionally accessed a computer through an interstate communication
and in a manner that exceeded authorized access, and thereby obtained
information from the United States Navy, a department of the United
States and from a protected computer; in that the defendant did gain
access to the non-public portion of a United States Navy computer and
by such access was able to obtain information about the computer.
All in violation of Title 18, United States Code,
Section 1030(a)(2)(B) and (C).
THE GRAND JURY FURTHER CHARGES:
Count Two:
On or about April 1, 1999, in Central County, in the
State and Eastern District of New Mexico, and elsewhere,
JOHN Q. HACKER
intentionally and without authorization accessed a non-public computer
used by the United States Army, a department of the United States, and
did thereby affect the use of such computer by the government of the
United States; in that the defendant gained unauthorized access to a
United States Army website server (a networked computer), intended to
be used by both the public and United States Army personnel, and then
altered that server in such a way that it could not be used by the
United States Army personnel at all until it was repaired.
All in violation of Title 18, United States Code,
Section 1030(a)(3).
THE GRAND JURY FURTHER CHARGES:
Count Three:
On or about April 1, 1999, in Central County, in the
State and Eastern District of New Mexico, and elsewhere,
JOHN Q. HACKER
intentionally accessed a protected computer without authorization and
as a result of such conduct, recklessly caused damage; in that the
defendant gained unauthorized access to a United States Army website
server intended for the use by the public and Army personnel, and
altered the server in such a way that it could not be used for its
intended purposes until it was repaired; the server ultimately had to
be replaced.
All in violation of Title 18, United States Code,
Section 1030(a)(5)(B).
THE GRAND JURY FURTHER CHARGES:
Count Four:
On or about April 1, 1999, in Central County, in the
State and Eastern District of New Mexico, and elsewhere,
JOHN Q. HACKER
did willfully and maliciously interfere with the working and use of a
communication system operated by the United States, and used for
military functions of the United States, and did willfully and
maliciously obstruct and delay the transmission of communications over
such system; in that the defendant gained unauthorized access to a
United States Army website server used in part to communicate
information to Army personnel, and altered the server in such a way
that it could not be used at all for this intended purpose until it was
repaired.
All in violation of Title 18, United States Code, Section
1362.
____________________
FOREPERSON(SIGNED)
____________________
DATE(4-01-99)
___________________
WILLIAM A. WALBERGG(SIGNED)
United States Attorney
Appendix G - USDOJ Press Release
http://www.usdoj.gov/opa/pr/1999/August/387crm.htm
FOR IMMEDIATE RELEASE
CRM
MONDAY, AUGUST 30, 1999
(202) 514-2007
WWW.USDOJ.GOV
TDD (202) 514-1888
WISCONSIN HACKER CHARGED WITH MILITARY BREAK-IN
WASHINGTON, D.C. - One of the founders of a hacker group called
"Global Hell" was arrested and charged today in a federal
complaint alleging he hacked into a protected U.S. Army computer
at the Pentagon, and maliciously interfered with the
communications system, the Justice Department announced.
The defendant, Chad Davis, 19, of Green Bay, Wisconsin, was also
known as "Mindphasr," according to an affidavit filed in U.S.
District Court in Green Bay. Davis was a founder of the hacking
group also called "GH."
The complaint alleges that Davis gained illegal access to an Army
web page and modified its contents. Davis is also alleged to have
gained access to an unclassified Army network, removing and
modifying its computer files to prevent detection.
U.S. Attorney Thomas P. Schneider said, "even though the
intrusion involved an unclassified Army computer network, the
intruder prevented use of the system by Army personnel.
Interference with government computer systems are not just
electronic vandalism, they run the risk of compromising critical
information infrastructure systems."
Schneider noted that, as alleged in the complaint, the intruder
was the subject of an FBI-executed search warrant earlier this
year. In spite of that, it appears the defendant continued to
gain unlawful access to computer networks.
The investigation which led to these charges against Davis was
conducted jointly by the U.S. Army Criminal Investigation Command
and the Federal Bureau of Investigation. The case is being
prosecuted by Assistant U.S. Attorney Eric Klumb.