SEARCH WARRANT

12345 East Hacker Street Apt. 866
Phoenix, Arizona
Case Number:#### 98-5887MB

TO: Bill F. Scrotum, III and any Authorized Officer of the United States

Affidavit(s) having been made before me by affiant, Bill F. Scrotum, III, who has reason to believe that /_/ on the person of or /X/ on the premises known as (name, description and/or location)
YOU ARE HEREBY COMMANDED to search on or before _______12-20-98__at__11:15a.m.________ Date
_____12-14-1998__@__11:16_a.m.____ at __Phoenix,Arizona______ Date and Time Issued City and State ___Lawrence O. Somebody___________(signature)__________________ Name and Title of Judicial Officer Signature of Judicial Officer
UNITED STATES DISTRICT COURT
EASTERN DISTRICT OF CALIFORNIA

UNITED STATES OF AMERICA
v.
JOHN HACKER (DOB: 11/22/81)

WARRANT FOR ARREST
CASE NUMBER: 99 M 823

TO: The United States Marshal and any Authorized United States Officer

YOU ARE HEREBY COMMANDED to arrest JOHN HACKER and bring him forthwith to the nearest magistrate to answer a Criminal Complaint charging him with intentionally obtaining information from protected and United States computers by unauthorized access, and malicious interference with a United States communication system, in violation of Title 18, United States Code, Sections 1030(a)(2)(B) AND (C), and 1362.

James F. Brakel, United States Magistrate Judge
Name of Judicial Officer, Title of Issuing Officer

August 30, 1999, at Carlsbad, CA
Date and Location

_________________________ (signed)
Signature of Issuing Officer

UNITED STATES DISTRICT COURT
EASTERN DISTRICT OF WISCONSIN

UNITED STATES OF AMERICA
v.
JOHN HACKER (DOB: 11/22/81)

CRIMINAL COMPLAINT
CASE NUMBER: 99 M 823

I, FRED F. WHITE, the undersigned complainant being duly sworn state the following is true and correct to the best of my knowledge and belief. On or about April 1, 1999 in Orange County, in the State and Eastern District of California, JOHN HACKER, the defendant herein, did intentionally access a computer without authorization and did exceed authorized access, thereby obtaining information from a protected computer and from the United States Army, a department of the United States; and did willfully and maliciously interfere with the working and use of a communication system operated and controlled by the United States, and used for military functions of the United States, and did willfully and maliciously obstruct and delay the transmission of communications over such system, in violation of Title 18, United States Code, Sections 1030(a)(2)(B) and (C), and 1362.
I further state that I am a Special Agent with the United States Army Criminal Investigative Command, and that this complaint is based on the following facts: Please see the attached affidavit of Special Agent Fred F. White.

______________________
Signature of Complainant
Fred F. White

Sworn to before me and subscribed in my presence,

August 30, 1999 at Carlsbad, California
Date, City and State

The Honorable James F. Brakel, United States Magistrate Judge
Name & Title of Judicial Officer

______________________
Signature of Judicial Officer

Affidavit

I, Fred F. White, being duly sworn, state that:

1. I have been a Special Agent with the United States Army Criminal Investigative Command (USACIDC) for approximately 9 years. I am currently assigned to the Computer Crimes Resident Agency. I have received specialized training for that assignment, including training in the forensic recovery of digital evidence at the Federal Law Enforcement Training Center (U.S. Treasury), training in computer intrusion investigations conducted by the Federal Bureau of Investigation, and Defense Department training in computer-related crimes and computer operating systems.

2. I make this affidavit in part from personal knowledge based on my participation in this investigation and my review of documents, and in part on information gained through my training and experience. In particular, I have relied on information provided by FBI Special Agent Michael Serlsen and Charles Frad, both of whom have been involved in a pending investigation of a group of computer hackers known as "Script Kids United".

3. The Internet, sometimes referred to as the World Wide Web (WWW), is a collection of computers and computer networks which are connected to one another via high-speed data links and telephone lines for the purpose of sharing information. Connections between Internet computers exist across state and international borders.
Information sent between computers connected to the Internet frequently crosses state and international borders, even if those computers are in the same state.

4. An Internet Service Provider (ISP) is a business that provides access to the Internet. Services provided by an ISP include computer accounts, Internet access, electronic mail (E-Mail), shell accounts (computer accounts on a computer running the UNIX operating system), and dial-up connection to the Internet via a telephone line and a modem.

5. A modem is a device which converts digital signals into analog signals for transmission over telephone lines, and analog signals back into digital signals. This allows computers to communicate via telephone lines. A modem in a computer can be used to "dial-up", via telephone, and connect to a computer located at an ISP. This connection process is one method of accessing the Internet via an ISP.

6. Computers connected to the Internet are identified by addresses. Internet addresses take on several forms including Internet Protocol (IP) addresses, Uniform Resource Locator (URL) addresses, and domain names. Internet addresses are unique and each can be resolved through recovery and identification techniques, to identify a physical location and a computer connection of a particular address. When an ISP customer connects to the Internet through the ISP, the customer is assigned a unique IP address by the ISP for that entire on-line session.

7. Computers use user identities (user IDs) or accounts to identify specific computer users. Users of a computer are assigned a unique account/user ID which is protected from unauthorized access by a password. Access to the computer and its resources can be regulated by a systems administrator for each individual account. The highest level of authorization on a computer is the root or super user account which is granted unrestricted access to all computer functions and resources.

8.
Log Files are computer files containing information regarding the activities of computer users, processes running on a computer and the activity of computer resources such as networks, modems and printers. Log files are used to identify unauthorized uses of computer resources.

9. A Computer Hacker is an individual who obtains unauthorized access or exceeds his authorized access to a computer.

10. A back door is a computer intrusion term which is defined as: an intrusion tool, an unauthorized computer account, or an account which exceeds authorized access and is left by an intruder after an intrusion as a means for gaining unauthorized access to a computer at a later time.

11. A network is a series of points connected by communications channels. The switched telephone network is the network normally used for dialed telephone calls.

12. A server is a computer connected to a network which provides a particular service to other devices; for example a print server manages a printer and an e-mail server manages electronic mail.

13. The Internet Relay Chat (IRC) is a collection of server computers on the Internet which allow IRC users to communicate or "chat" with other users of IRC. Users on IRC, called IRC Clients, access the IRC servers using IRC Client software programs. IRC users communicate in public and private environments called "chat rooms." IRC users are identified by a unique nickname and an Internet address. IRC Client software programs can be used to identify users. IRC is considered to be a public communication forum with no expectation of privacy for conversations which occur in public "chat rooms." The computer servers which make up the IRC network are protected computers since they are used to conduct interstate communications.

Summary of John Hacker Investigation

14. On and around June 13, 1999, FBI special agents executed a series of search warrants at various locations around the United States.
The search warrant applications detailed the conspiratorial activities of a group of hackers known as Script Kids United. The objectives of the conspiracies included unauthorized intrusions into computer systems, credit card fraud, and the fraudulent use of telecommunication services.

15. On or about June 18, 1999, FBI Special Agent Michael Serlsen applied for and obtained a search warrant for the residence of John Hacker, more particularly described in the caption of this application. His application and supporting affidavit established probable cause that certain evidence and instrumentalities of violations of Title 18 United States Code, Sections 371, 1029(a)(2), 1030(a)(2)(C), 1030(a)(5)(A), 1030(a)(6) would be found at the residence. The application was based in part on information provided by two of the targets of the Global Hell searches referred to in the previous paragraph. Not all the information provided by the two subjects has been verified, and some of it is believed to be unreliable. The following is a summary of the information provided about Davis:

Information from Target #1:

a. The members of the conspiracy who were involved with most of the hacking were John Hacker, a.k.a. "statd kid," and John Vranapelly, a.k.a. "JaVa", "winkid", and "sphincter".

b. These two persons founded a hacker group called "Script Kids Unite", a.k.a. "SKU".

c. The group is a product of the hacker group known as "Big Kids With Toys".

d. Both Hacker and Vranapelly would coordinate attacks on different sites by communicating with other hackers on internet chat channels.

e. These individuals bragged of hacks they had performed. When one member of the conspiracy had difficulty hacking into the system, members of the conspiracy would work together to direct attacks in order to penetrate these sites.

f. Hacker previously lived in Syracuse, New York but had moved sometime in 1999 to a new apartment in Carlsbad, California. The phone number for the apartment is (720) 555-8362.
Information from Target #2:

a. "JaVa" was one of the co-founders of the computer hacker group known as Script Kids Unite.

b. "statd kid" lives in Carlsbad, California, and has a first name of John.

c. "statd kid" has used a "Cold Fusion" program to attack system vulnerabilities. This program searched for vulnerabilities in window-based programs and allows the initiator to enter the computer system via a back door.

d. Target #2 searched the domain registered to "SKU", which Statd Kid set up. The name was listed to 678 Norse Drive Apartment 44, Carlsbad, California. Special Agent Frad duplicated the search and confirmed this listing.

e. Statd Kid told Target #2 about hacks he has done which include, but are not limited to:

1. www.one.com
2. www.two.com
3. www.three.com
4. www.four.com
5. www.five.com
6. www.six.com
7. www.seven.com
8. www.eight.com
9. www.nine.com
10. www.ten.com

16. On June 9, 1999, FBI Special Agent Serlsen and others executed the search warrant at the residence of John Hacker, and seized among other things, Hacker's computer. I have just begun the process of searching a copy of the computer's storage media. I have discovered the Cold Fusion software necessary to accomplish the intrusion described in paragraph 18, below. After the search of the residence, SA Serlsen interviewed Hacker, who admitted to being a member of Script Kids United and admitted hacking into web sites listed above, but claimed he had not done any hacking since January of this year.

17. The United States Army maintains a number of web sites intended to provide information to both the public and Army personnel, who can use various sites for work-related purposes. The web sites are maintained in a network of computers. The main web site is www.army.mil. The web site includes links to other U.S. Army web sites, some of which are non-public, that is, that can be accessed only by authorized users with user ID's and passwords.

18. On July 3, 1999, between approximately 1:35 a.m.
and 5:23 a.m. (CST), an unknown hacker gained unauthorized root access to an unclassified U.S. Army web server located in the Pentagon, Washington D.C. The intruder replaced the opening web page with an altered web page containing a hacker signature from a group calling themselves "Script Kids United". As a result, no one could utilize the web site for any of its intended purposes until it was repaired. Further, the unknown intruder turned off system auditing services in an attempt to prevent any detailed record of the incident. The intruder also downloaded event log files, modified them to cover his intrusion, and then uploaded them to replace accurate logs with the altered version. A thorough review of the system by system administrators revealed a recently publicized vulnerability was used to modify the opening web page and subsequently turn off logging. A review of external logs revealed the intruder accessed the server through an internet service provider (ISP) located in Carlsbad, California.

19. Logs maintained by the ISP in Carlsbad show that the intruder used an unauthorized ISP account which has been in existence for a period of about two years without their knowledge. Further, the intruder utilized the ISP between 10:42 p.m. July 18 and 05:23 a.m. July 28, 1999 (CST) which encompassed the time frame the US Army Web server was accessed.

20. Telephone records maintained by the communications carrier for the Carlsbad area show that beginning at approximately 10:01 p.m. on July 27, 1999, telephone number (720) 555-3723, subscribed to in the name of John Hacker at the premises described in the caption to this application, was used to place a call to the ISP referred to above. The call lasted approximately 4 hours.
UNITED STATES DISTRICT COURT
EASTERN DISTRICT OF WISCONSIN
_________________________________________________________________

UNITED STATES OF AMERICA, Plaintiff,
v.
JOHN Q. HACKER, Defendant.

Case No. 99-Cr-432
_________________________________________________________________

INDICTMENT
_________________________________________________________________

THE GRAND JURY CHARGES:

Count One: On or about April 1, 1999, in Central County, in the State and Eastern District of New Mexico, and elsewhere, JOHN Q. HACKER intentionally accessed a computer through an interstate communication and in a manner that exceeded authorized access, and thereby obtained information from the United States Navy, a department of the United States and from a protected computer; in that the defendant did gain access to the non-public portion of a United States Navy computer and by such access was able to obtain information about the computer. All in violation of Title 18, United States Code, Section 1030(a)(2)(B) and (C).

THE GRAND JURY FURTHER CHARGES:

Count Two: On or about April 1, 1999, in Central County, in the State and Eastern District of New Mexico, and elsewhere, JOHN Q. HACKER intentionally and without authorization accessed a non-public computer used by the United States Army, a department of the United States, and did thereby affect the use of such computer by the government of the United States; in that the defendant gained unauthorized access to a United States Army website server (a networked computer), intended to be used by both the public and United States Army personnel, and then altered that server in such a way that it could not be used by the United States Army personnel at all until it was repaired. All in violation of Title 18, United States Code, Section 1030(a)(3).

THE GRAND JURY FURTHER CHARGES:

Count Three: On or about April 1, 1999, in Central County, in the State and Eastern District of New Mexico, and elsewhere, JOHN Q.
HACKER intentionally accessed a protected computer without authorization and as a result of such conduct, recklessly caused damage; in that the defendant gained unauthorized access to a United States Army website server intended for the use by the public and Army personnel, and altered the server in such a way that it could not be used for its intended purposes until it was repaired; the server ultimately had to be replaced. All in violation of Title 18, United States Code, Section 1030(a)(5)(B).

THE GRAND JURY FURTHER CHARGES:

Count Four: On or about April 1, 1999, in Central County, in the State and Eastern District of New Mexico, and elsewhere, JOHN Q. HACKER did willfully and maliciously interfere with the working and use of a communication system operated by the United States, and used for military functions of the United States, and did willfully and maliciously obstruct and delay the transmission of communications over such system; in that the defendant gained unauthorized access to a United States Army website server used in part to communicate information to Army personnel, and altered the server in such a way that it could not be used at all for this intended purpose until it was repaired. All in violation of Title 18, United States Code, Section 1362.

____________________ FOREPERSON (SIGNED)
____________________ DATE (4-01-99)
___________________ WILLIAM A. WALBERGG (SIGNED)
United States Attorney
FOR IMMEDIATE RELEASE
CRM
MONDAY, AUGUST 30, 1999
(202) 514-2007
WWW.USDOJ.GOV
TDD (202) 514-1888

WISCONSIN HACKER CHARGED WITH MILITARY BREAK-IN

WASHINGTON, D.C. - One of the founders of a hacker group called "Global Hell" was arrested and charged today in a federal complaint alleging he hacked into a protected U.S. Army computer at the Pentagon, and maliciously interfered with the communications system, the Justice Department announced.

The defendant, Chad Davis, 19, of Green Bay, Wisconsin, was also known as "Mindphasr," according to an affidavit filed in U.S. District Court in Green Bay. Davis was a founder of the hacking group also called "GH."

The complaint alleges that Davis gained illegal access to an Army web page and modified its contents. Davis is also alleged to have gained access to an unclassified Army network, removing and modifying its computer files to prevent detection.

U.S. Attorney Thomas P. Schneider said, "even though the intrusion involved an unclassified Army computer network, the intruder prevented use of the system by Army personnel. Interference with government computer systems are not just electronic vandalism, they run the risk of compromising critical information infrastructure systems."

Schneider noted that, as alleged in the complaint, the intruder was the subject of an FBI-executed search warrant earlier this year. In spite of that, it appears the defendant continued to gain unlawful access to computer networks.

The investigation which led to these charges against Davis was conducted jointly by the U.S. Army Criminal Investigation Command and the Federal Bureau of Investigation. The case is being prosecuted by Assistant U.S. Attorney Eric Klumb.