Seizure Warrant Documents for RIPCO BBS

Upload: jagmohan-jaggu

Post on 07-Apr-2018


  • 8/6/2019 Seisure Warrent Documents for Ripco BBS

    1/27

    *** SEIZURE WARRANT DOCUMENTS FOR RIPCO BBS ***

    ********************************************************************

    On May 8, 1990, RIPCO BBS was closed and the equipment seized as the result of a seizure warrant. FULL DISCLOSURE Magazine obtained publicly available copies of the various documents related to the warrant, which are reproduced below.

    The documents include (in order presented):

    1. Government's petition for Assistance during Execution of Search Warrant
    2. ORDER approving assistance
    3. Order authorizing blocking out income telephone and data calls
    4. Application for order to block out calls
    5. Application and affidavit for seizure warrant (Barbara Golden, affiant)
    6. Application and affidavit for seizure warrant (G. Kirt Lawson, affiant)

    Attached to the original documents (but not presented here) are an application (by Ira H. Raphaelson and William J. Cook, United States attorney and AUSA) to suppress the seizure warrant for 90 days, and a variety of photographs of Dr. Ripco's premises.

    *******************************************************************

    ****************************************
    Government's Petition for Assistance
    ****************************************

    UNITED STATES DISTRICT COURT
    NORTHERN DISTRICT OF ILLINOIS
    EASTERN DIVISION

    UNITED STATES OF AMERICA       )
                                   )
            v.                     )    No. 90-M-187 & 90-M-188
                                   )    Magistrate James T. Balog
    xxxx NORTH CLYBOURN, CHICAGO   )
    ILLINOIS AND xxxx NORTH        )
    LAWNDALE, CHICAGO, ILLINOIS    )

    GOVERNMENT'S PETITION FOR ASSISTANCE

    DURING EXECUTION OF SEARCH WARRANT

    The United States of America, by its attorney, Ira H. Raphaelson, United States Attorney for the Northern District of Illinois, petitions this Court for an order directing representatives of AT&T's Corporate Security Division to accompany Special Agents of the Secret Service during the execution of the search warrant against the premises of xxxx North Clybourn, Chicago, Illinois, and xxxx North Lawndale, Chicago, Illinois. This petition is supported by the following:

    1. The affidavit of Special Agent Barbara Golden of the Secret Service is incorporated herein by reference.

    2. AT&T has offered the assistance of Jerry Dalton and John Hickey of AT&T Corporate Security/Information Protection to the government and this Court. Both men are very experienced in the operation of computers and especially in the analysis of UNIX systems.

    3. We also request that Sergeant Abigail Abrahams of the Illinois State Police be authorized in the execution of the aforementioned warrants. Sergeant Abrahams has investigated the computer bulletin board (BBS) operation since approximately 1988

    - 1 -

    and has extensive details with respect to the structure of the BBS and its contents.

    While these individuals will not be seizing evidence, their assistance is necessary to quickly read and identify the critical files in the computer being searched. Moreover, their presence during the search will insure that the records on the computer are not accidentally erased and remain intact.

    Respectfully submitted,

    IRA H. RAPHAELSON
    United States Attorney

    BY: (signature of)
    WILLIAM J. COOK
    Assistant United States Attorney

    - 3 -

    UNITED STATES DISTRICT COURT
    NORTHERN DISTRICT OF ILLINOIS
    EASTERN DIVISION

    UNITED STATES OF AMERICA       )
                                   )
            v.                     )    No. 90-M-187 & 90-M-188
                                   )    Magistrate James T. Balog
    xxxx NORTH CLYBOURN, CHICAGO   )
    ILLINOIS AND xxxx NORTH        )
    LAWNDALE, CHICAGO, ILLINOIS    )

    ORDER

    In view of the specialized nature of the evidence that is being sought in this warrant, _______________, as indicated in the government's petition and the affidavit for the search warrant, which is incorporated herein by reference;

    It is Hereby Ordered that representatives of AT&T's Corporate Security Division and Sergeant Abigail Abrahams of the Illinois State Police accompany Special Agents of the United States Secret Service during the execution of the search warrant to assist those agents in the recovery and identification of the evidence sought in the warrant.

    (signature) James T. Balog


    5-7-90 UNITED STATES MAGISTRATE

    - 3 -

    UNITED STATES DISTRICT COURT
    NORTHERN DISTRICT OF ILLINOIS
    EASTERN DIVISION

    IN THE MATTER OF THE               )
    APPLICATION OF THE UNITED STATES   )
    OF AMERICAN FOR AN ORDER FOR THE   )    No. 90-M-187 & 90-M-188
    BLOCKING OF INCOMING TELEPHONE     )    Magistrate James T. Balog
    AND DATA CALLS AT (312 )528-5020   )
    (312 )xxx-xxxx AND (312)xxx-xxxx   )

    ORDER AUTHORIZING BLOCKING OUT INCOME TELEPHONE DATA CALLS

    An application having been made before me by Colleen D. Coughlin, an Assistant United States Attorney for the Northern District of Illinois, pursuant to Title 28, United States Code, Section 1651, for an Order to "block out" incoming telephone and data calls by the Illinois Bell Telephone company, and there is reason to believe that requested actions are relevant to a legitimate law enforcement investigation;

    IT IS ORDERED THAT:

    1. Illinois Bell Telephone company servicing said telephone lines shall "Block out" of incoming telephone and data calls on (312) 528-5020, (312) xxx-xxxx and (312) xxx-xxxx, which telephone and data lines are on premises which are the subject of federal search warrants to be executed the 8th day of May, 1990 at approximately 0630 hours. Such "blocking out" of incoming telephone and data calls shall commence at 0500 hours on May 8, 1990 and continue up to and incoming 1700 hours on May 8, 1990, or until the completion of the search warrants, whichever is the earlier.

    2. The "blocking out" of incoming telephone and data calls will likely assist in the execution of search warrants seeking

    - 4 -

    evidence of violations of Title 18, United States Code, Sections 1343, 1030, 1962, 1963, and 371.

    (signature of)
    JAMES T. BALOG
    Magistrate

    5-7-89 (sic)

    - 5 -


    UNITED STATES DISTRICT COURT
    NORTHERN DISTRICT OF ILLINOIS
    EASTERN DIVISION

    IN THE MATTER OF THE               )
    APPLICATION OF THE UNITED STATES   )
    OF AMERICAN FOR AN ORDER FOR THE   )    No. 90-M-187 & 90-M-188
    BLOCKING OF INCOMING TELEPHONE     )    Magistrate James T. Balog
    AND DATA CALLS AT (312 )528-5020   )
    (312 )xxx-xxxx AND (312)xxx-xxxx   )

    A P P L I C A T I O N

    Now comes the UNITED STATES OF AMERICA, by IRA H. RAPHAELSON, United States Attorney and Colleen D. Coughlin, Assistant United States Attorney, and makes application pursuant to Title 28, United States Code, Section 1651, the All Writs Act, for an Order to stop or "block out" incoming telephone calls to particular telephone and/or data lines, as described below, by the Illinois Bell Telephone Company.

    In support of this Application the undersigned states as follows:

    1. This Application seeks an order requiring the Illinois Bell Telephone Company to "block out" incoming telephone and data calls from 0500 hours until 1700 on May 8, 1990 regarding the following numbers (312) 528-5020, (312) xxx-xxxx and (312) xxx-xxxx.

    2. The United States Secret Service has been conducting a two year investigation into the activities of computer hackers which will result in thirty-two search warrants being executed across the United States on May 8, 1990 beginning at 0630 hours.

    3. Because the United States Secret Service needs to ensure the integrity of the evidence at each of these locations from remote access tampering, alteration, or destruction, this "blocking out" order is required.

    4. This action by Illinois Bell Telephone will only "block out" incoming calls and the telephones will at all times be capable of making "outgoing" calls. Thus, the telephone lines will at all times be available for emergency outgoing calls.

    5. It is reasonably believed by the United States Secret Service, based on experience and their investigation in this case, that the requested action will be of substantial assistance in forwarding this criminal investigation.

    6. The All Writs Act, 28 U.S.C. 1651, provides as follows:

        The Supreme Court and all courts established by the Act of Congress may issue all writs necessary and appropriate in aid of their respective jurisdictions and agreeable to the uses and principles of law.

    7. A Federal Court has power to issue "such commands under the All Writs Act as may be necessary or appropriate to effectuate and prevent the frustration of orders it has previously issued in the exercise of its jurisdiction...." UNITED STATES v. NEW YORK TELEPHONE CO., 434 U.S. 159, 172 (1977).

    WHEREFORE, on the basis of the allegations contained in this Application, applicant requests this Court to enter an order for "blocking out" of income telephone and/or data calls at the above described telephone numbers.

    It is further requested that Illinois Bell Telephone Company may be ordered to make no disclosure of the existence of this Application and Order until further order of this Court since

    - 2 -

    disclosure of this request to the individual or individuals whose telephone lines are affected would threaten or impede this computer investigation.

    Respectfully submitted,

    IRA H. RAPHAELSON
    United States Attorney

    By: (signed)
    COLLEEN D. COUGHLIN
    Assistant United States Attorney

    - 3 -

    ****************************************************
    {transcriber's note:}
    Following is the APPLICATION AND AFFIDAVIT FOR SEIZURE WARRANT, Case number 90-M-187, dated May 7, 1990.

    Affiant: Barbara Golden, Special Agent, U.S. Secret Service
    Location: United States District Court, Northern District of Illinois
    Judicial Officer: Magistrate James T. Balog
    The warrant alleges violations under Title 18, USC, Sections 1343, 1030, 1029, 1962, 1963, and 371.
    *******************************************

    --------------(Begin Barbara Golden's Affidavit)-----------------

    State of Illinois  )
                       ) SS
    County of Cook     )

    AFFIDAVIT

    1. I, Barbara Golden, am a Special Agent of the United States Secret Service and have been so employed for the past fourteen years; the past three years as a Special Agent. I am present assigned to the Computer Fraud Section of the United States Secret Service in Chicago. I am submitting this affidavit in support of the search warrants for the residence of Bruce Xxxxxxxxxxx xxxx North Lawndale, Chicago, Illinois (including the detached garage behind the house) and his business address at xxxx North Clybourn, Chicago, Illinois.

    2. This affidavit is based upon my investigation and information provided to me by Special Agent G. Kirt Lawson of the United States Secret Service in Phoenix, Arizona and by other agents of the United States Secret Service. I have also received information from Sergeant Abigail Abrahams of the Illinois State Police.

    3. Additionally, I have received technical information and investigative assistance from Roland Kwasny of Illinois Bell Telephone Corporate Security.

    VIOLATIONS INVOLVED

    4. This warrant is requested to recover unauthorized and illegally used access codes posted on the RIPCO BBS by computer hackers and to develop evidence of their illegal use of those codes in violation of federal criminal laws, including:

    - 1 -

    a. 18 USC 2314 which provides federal criminal sanctions against individuals who knowingly and intentionally transport stolen property or property contained by fraud, valued at $5,000.00 or more, in interstate commerce.

    b. 18 USC 1030(a)(6) provides federal criminal sanctions against individuals who, knowingly and with intent to defraud, traffic in interstate commerce any information through which a computer may be accessed without authorization in interstate commerce.

    c. Other federal violations involved in this case may include Wire Fraud (18 U.S.C. 1343), Access Device Fraud (U.S.C. 1029) and other violations listed and described on page 15, 16, and 17 of the attached affidavit of Special Agent Lawson.

    LAWSON AFFIDAVIT

    5. The attached affidavit of Special Agent Kirt Lawson is incorporated herein in its entirety and is attached as Attachment 1. Lawson's affidavit is based upon a two year undercover investigation of the United States Secret Service involving an undercover bulletin board located in Phoenix, Arizona. Essentially, Lawson's affidavit and my investigation establish probably cause to believe:

    a. Bruce Xxxxxxxxxxx, using the computer hacker handle "Dr. Ripco", has been operating the RIPCO BBS in Chicago since approximately December 10, 1983.

    - 2 -

    b. During the time period named in the Lawson affidavit unauthorized access codes were posted on the RIPCO BBS by various computer hackers.

    c. The access codes posted on the RIPCO BBS have been determined by Special Agent Lawson to be valid access codes which are being used without authorization of the true authorized user of the access codes. Moreover, in many cases the access codes have been reported stolen by the true authorized user(s).

    d. Special Agent Lawson's investigation has further determined that the access codes posted on the RIPCO BBS are not concealed from the system administrator of the BBS and could be seen by the system administrator during an examination of the BBS.

    6. I have personally worked with S.A. Lawson on computer crime investigations and known him to be a reliable agent of the Secret Service and an expert in the field of telecommunication investigations.

    7. I personally received the attached affidavit on May 1, 1990 and have verified with S.A. Lawson that it is in fact his affidavit and have verified with S.A. Lawson that it is in fact his affidavit and that it accurately reflects his investigation. I have verified information with respect to his investigation with Special Agent Lawson as recently as May 7, 1990.

    - 3 -

    UPDATED PROBABLE CAUSE

    8. On May 1, 1990, I personally observed that the surveillance cameras described on pages 32 and 33 of Lawson's affidavit still appear to be in operation. (The antennas and surveillance cameras located at the Clybourn address are reflected in the photographs attached as Attachment 2.)

    9. On May 4, 19900, I personally updated the status of the telephone lines at the Clybourn address with Roland Kwasny of Illinois Bell Telephone. Kwasny advised me that those telephones continue to be in active service at this time.

    ITEMS TO BE SEIZED

    10. On pages 36 to 39 of his affidavit S.A. Lawson describes the items to be seized at the search locations.

    Locations to be Searched

    11. The complete description of the business location to be searched on Clybourn Street is contained on page 30 of S.A. Lawson's affidavit. (Photographs of that location are in Attachment 2.) I have personally observed the resident to be searched on Lawndale on May 1, 1990. The photographs attached to this affidavit as Attachment 3 truly and accurately show the residence known as xxxx North Lawndale, Chicago, Illinois, as of May 1, 1990.

    - 4 -

    EXAMINATION OF COMPUTER RECORDS

    13. Request is made herein to search and seize the above described computer and computer data and to read the information contained in and on the computer and computer data.

    14. The following attachments are incorporated herein by reference: Attachment 1 - Affidavit of S.A. Lawson (39 pages): Attachment 2 - Photographs of the Clybourn address (2 pages); Attachment 3 - Photographs of the Lawndale address (1 page).

    (signature)
    Special Agent Barbara Golden
    United States Secret Service

    Sworn and Subscribed to before me this 7th day of May, 1990.

    (signature)
    James T. Balog
    UNITED STATES MAGISTRATE

    - 5 -

    ** (End Barbara Golden's Affidavit) **

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    ** (Begin G. Kirt Lawson's affidavit) **

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    State of Arizona    )
                        ) SS
    County of Maricopa  )

    AFFIDAVIT

    1. Your affiant G. Kirt Lawson has been a Special Agent of the U.S. Secret service for eighteen years and in the course of his employment has investigated over 100 cases involving credit card fraud, theft, computer-related crime, and other offenses. I have training from the Secret Service in the investigation of computer fraud, have attended six or more seminars on investigative procedures from AT&T and the Secret Service, and have lectured on computer crime for the IEEE (an international professional group of electrical engineers) and Bellcore (the research / security organization owned by the regional Bell operating companies.) Within the last year, I have assisted the Arizona Attorney General's office with the execution of three computer-crime search warrants, and the Austin, Texas field office of the Secret Service with the execution of another computer-related search warrant. Over the last two years, I have assisted numerous state, local, and federal law enforcement agents in half a dozen U.S. cities by providing information and technical assistance which has led to the execution of over a dozen search warrants in computer crime cases nationwide.

    - 1 -

    SOURCES OF INFORMATION

    2. Your affiant has also received technical information and investigative assistance from the following experts in the field of telecommunication fraud and computer crime:

    a. R.E. "Sandy" Sandquist, Regional Security Manager, U.S. Sprint Communications Company, who has been so employed since 1987, and was previously employed by General Telephone (GTE) as a special agent, technical investigations since 1983. He has investigated cases of communications fraud involving computer hackers, computer bulletin board systems (see Definitions section below), and the abuse of voice mail message computers, involving over 100 systems. He has assisted law enforcement search teams in the execution of search warrants, and has trained many state, local and federal agents in the investigation of computer and communications crime.

    b. Stephen R. Purdy, Special Agent, U.S. Secret Service, currently the Assistant to the Special Agent In Charge of Fraud Division of the Computer Diagnostic Lab in Washington, D.C. He is a member of the Federal Computer Investigations Committee, and is currently its Co-Chair. He has helped to design training programs in computer crime and telecommunications fraud investigations for the Federal Law Enforcement Training Center in Glynco, Georgia. He also developed and instructs in the Secret Service's training program in computer fraud investigations.

    - 2 -

    c. George Mehnert has been a Special Agent with the Arizona Attorney General's office for more than twelve years; for the last three years, he has been responsible for special projects including the investigation of computer crime. He has taken courses relating to computer hardware and software programs from various industry sources and a local college, and has worked with computer hardware and software, including communications equipment and analysis tools, in investigative matters for more than six years. Mehnert has instructed numerous state and local law enforcement agencies in the methodology of executing search warrants involving computers, and in the investigation of computer crimes. He recently published of article on this subject in a law enforcement periodical. In the past two years, Mehnert has been involved in thirty warrant searches relating to the seizure of computer of communications-related evidence.

    d. In addition to the above, affiant has also received technical assistance and information from the following communication industry sources: Steve Matthews, Telenet; Leila Stewart, MCI; Sue Welch, MCI; Toni Ames, U.S. West; Connie Bullock, ComSystems (a long-distance carrier); Karen Torres, MidAmerican Communications Company; Richard Petiollo and Richard Kopacz, AT&T; Hank Kluepfel and David Bauer, Bellcore (a research/security company owned by the Bell Regional Operating Companies); Marty Locker, International Telephone and Telegraph (ITT), and credit industry sources: Valerie Larrison, American Express; MaryAnn Birkinshaw, TRW: Michelle Mason, CBI (TRW and CBI are national card bureaus).

    - 3 -

    DEFINITIONS AND EXPLANATIONS

    3. Computer hackers: individuals involved in the unauthorized intrusion into computer systems by various means. They commonly identify themselves by aliases of "hacker handles" when communicating by voice or electronically with other hackers. Because they normally communicate through electronic bulletin board systems in several states, and because they often conduct their hacking activities against victims at many locations outside their local calling area, computer hackers typically use long-distance carrier customer authorization codes without the permission of the individuals or corporations to which they are assigned, in order to achieve "free" long distance telecommunications (over standard voice lines, or over data-communications services). Search warrants executed in hacker cases routinely produce evidence of theft of communications services, and often product of possession, use, and/or distribution of credit cards as well.

    4. Electronic Bulletin Board System (BBS): an electronic bulletin board is a computer operated as a medium of electronic communications between computer users at different locations. Users access the BBS by telephone from distant locations (often their residences), using their own computers and communication devices (modems). Typical functions of a BBS include (1) providing storage for a software library; (2) allowing users to "download" (copy to their own computers) various files or software programs; (3) allowing users to

    - 4 -

    exchange and store messages by "electronic mail"; and (4) publishing of text files and tutorials, which contain information or instructions on various subjects of interest to the users. Although many BBS's are operated as commercial services to the public (large services such as Compuserve and The Source may offer many more functions than those listed above), thousands of BBS's are privately operated by individuals who run them from their residences, or by special-interest clubs. It is common for a BBS to have several sections or "conferences" on the system, to which a particular level of access is required: many users might have access to lower-level sections, while only some users would be permitted to access the highest-level sections (many sysops --defined below-- "voice validate" a prospective user, using a telephone call to screen users and determine whether they are law enforcement, adults, or other undesirables). This is particularly true of BBS's whose members are involved in some form of criminal activity. Many "underground" or criminal bulletin boards contain subsections through which the users regularly exchange stolen customer authorization codes, credit card numbers, and information on techniques or methods for the commission of such crimes as computer fraud and abuse, access device fraud and wire fraud.

    5. System operator/system administrator (sysop): the person(s) charged with the responsibility for operating a particular computer bulletin board system (usually the owner of

    - 5 -

    the computer who lives in the residence where the BBS is operating). In order to perform their necessary supervisory and maintenance functions, sysops who run or own the BBS give themselves the highest level of access, or privileges, available on a system. In the case of a bulletin board sysop, these functions typically include deciding whether or not to give access or type of privileges to allow to different users, and the ability to read the entire content stored on the BBS (including "private mail" -- see electronic mail, below.) Sysops control the BBS, can remove contents, add and delete users, change the programming, alter the communications parameters, and perform a number of administrative and maintenance tasks associated with operation of the BBS.

    6. Electronic mail (E-mail): electronic mail is a means of communication among computer users, and is one of the features normally found on a BBS. Each user on a criminal BBS has a distinct identifier, with a computer hacker's "username" or "login" often identical to his hacker handle (handles tend toward the theatrical, I.e. Prophet of Doom, DungeonMaster, Ax Murderer, etc.) and a unique confidential password; each user may also be assigned a user number by the system. Users may send "public" mail by leaving a message in a section of the system where all who call in may read the message and respond. They may also send "private mail" by sending a message limited to a particular individual or group.

    - 6 -

    In this instance, other users would not be able to read the private message. (Except, of course for the sysop, as explained above.)

    7. Chat: unlike electronic mail, which consists of messages and responses entered and stored for later review, the "chat" communication on a BBS consists of simultaneous interactive communication between the sysop and a user, or between two or more users -- the computer equivalent of a conference call. A more sophisticated BBS may have more than one telephone line connected to the system, so that two or more users can "talk" to each other though the BBS from their own computer systems at one time.

    8. Voice Mail System (VMS): a voice mail system is an electronic messaging computer which acts as an answering service. These systems are generally either (1) operated for hire to the public by commercial communications companies, often in combination with cellular telephone or paging services, or (2) by corporations for the convenience of employees and customers. In either case, the subscriber or employee is assigned an individual "mailbox" on the system which is capable of performing several functions. Among these functions are receiving and storing messages from callers, sending messages to other boxes on the system, and sending messages to a pre-selected group of boxes. These functions are performed by pushing the appropriate numerical commands on a telephone keypad for the desired function.

    - 7 -

    9. While voice mail systems vary among manufacturers, in general, a caller dials either a local area code and number, or an "800" number to access the system. Generally, the caller hears a corporate greeting identifying the system and listing instructions for leaving a message and other options. To leave a message, the caller enters a "mailbox number," a series of digits (often identical to the assigned owner's telephone extension), on his own telephone keypad. The caller then hears whatever greeting the mailbox owner has chosen to leave. Again, the caller can usually exercise several options, one of which is to dictate an oral message after a tone.

    10. In this respect, the voice mail system operates much like a telephone answering machine. Rather than being recorded on audio tape, however, the message is stored in digitized form by the computer system. When the message is retrieved, the computer plays it back as sound understandable by the human ear. The entire VMS is actually a computer system accessible through telephone lines; the messages are stored on large-capacity computer disks.

    11. A caller needs to know only the extension or mailbox number in order to leave a message for the employee or subscriber. In order to retrieve the messages or delete them from the system, however, the person to whom the box is assigned must have both the box number and a confidential password: the password ensures privacy of the communications, by acting as a "key" to "unlock" the box and reveal its contents. Anyone

    - 8 -

    calling the telephone number of the mailbox hears the owner's greeting -- only the content of messages left for the owner is protected by the password or security code. The person to whom the box is assigned may also have the ability to change his password, thereby preventing access to the box contents by anyone who may have learned his password.

    12. Private Branch Exchange (PBX): a private branch exchange is a device which operates as a telephone switching system to provide internal communications between telephone facilities located on the owner's premises as well as communications between the company and other private or public networks. By dialing the specific telephone number of a PBX equipped with a remote access feature and entering a numeric password or code on a telephone keypad or by means of a computer modem, the caller can obtain a dial tone, enabling the caller to place long distance calls at the expense of the company operating the PBX.

    13. Phone phreak: phone phreaks, like computer hackers, are persons involved in the theft of long-distance services and other forms of abuse of communications technology, but they often do not have computer systems. Rather than communicating with each other through BBS's, they communicate with each other and, exchange stolen carrier customer authorization codes and credit cards, either directly or by means of stolen or "hacked" corporate voice mailboxes. Phone phreaks may also set up fraudulent conference calls for the

    - 9 -

    exchange of information. A phone phreak may operate a "codeline" (a method of disseminating unauthorized access devices) on a fraudulently obtained voice mailbox, receiving messages containing stolen credit card numbers from his co-conspirators, and in turn "broadcasting" them to those he shares this information with during the greeting (box owner's message to callers), which can be heard by anyone dialing the mailbox number. Phone phreaks and computer hackers sometimes share information by means of the conference calls and codelines. Like computer hackers, phone phreaks also identify themselves by "handles" or aliases.

    BACKGROUND OF THE INVESTIGATION

    14. Over the past several years, the U.S. Secret Service has received and increasing number of complaints from long distance carriers, credit card companies, credit reporting bureaus, and other victims of crimes committed by computer hackers, phone phreaks, and computer bulletin board users and operators (see Definitions section), which have resulted in substantial financial losses and business disruption to the victims. Because the persons committing these crimes use aliases or "handles", mail drops under false names, and other means to disguise themselves, they have been extremely difficult to catch. They also conspire with many others to exchange information such as stolen long distance carrier authorization codes, credit card numbers, and technical information relating to the unauthorized invasion of computer systems and voice mail

    - 10 -

    messaging computers, often across state or national borders, makingthe investigation of a typical conspiracy extremely complex. Many ofthese persons are juveniles or young adults, associate electronicallyonly with others they trust or who have "proven" themselves bycommitting crimes in order to gain the trust of the group, and use

    characteristic "hacker jargon." By storing and trading informationthrough a network of BBS's, the hackers increase the number ofindividuals attacking or defrauding a particular victim, and therefore

  • 8/6/2019 Seisure Warrent Documents for Ripco BBS

    13/27

    increase the financial loss suffered by the victim.15. For all of the above reasons, the U.S. Secret Service established

    a computer crime investigation project in the Phoenix field office,utilizing an undercover computer bulletin board. The purpose of theundercover BBS was to provide a medium of communication for personsengaged in criminal offenses to exchange information with each other andwith the sysop (CI 404-235) about their criminal activities. The bulletin

    board began operating on September 1, 1988 at 11:11 p.p., MountainStandard Time, was located at 11459 No. 28th Drive, Apt. 2131, Phoenix,Arizona, and was accessed through telephone number (602) 789-9269. It wasoriginally installed on a Commodore personal computer, but on January 13,1989 was reconfigured to operate on an Amiga 2000 personal computer.

    16. The system was operated by CI 404-235, a volunteer paid confidential informant to the U.S. Secret Service. CI 404-235 was facing no criminal charges. Over the past eighteen months, information by CI 404-235 (see paragraph 16) has consistently proved to be accurate and reliable. The Arizona Attorney General's office executed six search warrants related to affiant's investigation in 1989 and 1990 (affiant participated in three of these). Evidence obtained in those searches corroborated information previously given to affiant or to George Mehnert, Special Agent of the Arizona Attorney General's office by CI 404-235. In over a dozen instances, CI 404-235's information was verified through other independent sources, or in interviews with suspects, or by means of a dialed number recorder (pen register). One arrest in New York has been made as a result of CI 404-235's warning of planned burglary which did occur at a NYNEX (New York regional Bell operating company) office. Throughout this investigation, CI 404-235 has documented the information provided to the affiant by means of computer printouts obtained from the undercover BBS and from suspect systems, and consensual tape recordings of voice conversations or voice-mail messages.

    17. Because many of the criminal bulletin board systems require that a new person seeking access to the telephone code or credit card sections contribute stolen card information to demonstrate "good faith," when asked to do so, CI 404-235 has "posted," (left on the system in a message) Sprint, MidAmerican or ComSystems authorization codes given to affiant by investigators at these companies for that purpose.


    EVIDENCE IN HACKER CASES

    18. Computer hackers and persons operating or using computer bulletin board systems commonly keep records of their criminal activities on paper, in handwritten or printout form, and magnetically stored, on computer hard drives, diskettes, or backup tapes. They also commonly tape record communications such as voice mail messages containing telephone authorization codes and credit cards. On several occasions, affiant has interviewed George Mehnert, Special Agent, Arizona Attorney General's office and R.E. "Sandy" Sandquist, Security Manager, U.S. Sprint, about the types of evidence normally found in connection with computer/communications crimes. Both have assisted more than 20 search teams in the execution of search warrants in such cases. Both Mehnert and Sandquist stated that because of the sheer volume of credit card numbers, telephone numbers and authorization codes, and computer passwords, and other information necessary to conduct this type of criminal activity, in almost every case, they have found a large volume of paper records and magnetically-stored evidence at scenes being searched. Because of the ease of storing large amounts of information on computer storage media such as diskettes, in a very small space, computer hackers and bulletin board users or operators keep the information they have collected for years, rather than discarding it. Mehnert stated that in virtually every communications/computer crime case he has investigated, the suspect was found to have records in his possession dating back for years -- Mehnert stated that it is common in such cases to find records dating from 1985 and sometimes, even earlier.

    19. Sandquist confirmed Mehnert's experience, stating that hackers and phone phreaks typically also keep a notebook listing the location of information especially important to them, for easy access. Mehnert has seized several of these "hacker notebooks" in computer/communications crime cases; they were usually found quite close to the computer system, or in the hacker's possession. Both Mehnert and Sandquist stated that it is common for a person involved in the theft of communications services (long distance voice or data calls, voice mail boxes, etc.) also to be involved in the distribution or use of stolen credit cards and/or numbers; hackers and phone phreaks often trade codes for credit cards, or the reverse. Both Mehnert and Sandquist stated that it is common to find credit card carbons at locations being searched for stolen telephone authorization codes.

    20. Both Mehnert and Sandquist also stated other evidence commonly found in connection with these cases includes telephone lineman tools and handsets (used for invading telephone company pedestal or cross-boxes and networks, or for illegal interception of others' communications), tone generators (for placing fraudulent calls by electronically "fooling" the telephone network into interpreting the tones and legitimate electronic switching signals), computer systems (including central processing unit, monitor or screen, keyboard, modem for computer communications, and printer), software programs and instruction manuals. Sysops of bulletin boards also commonly keep historical backup copies of the bulletin board contents or message traffic, in order to be able to restore the system in the event of a system crash, a power interruption or other accident. An important piece of evidence typically found in connection with a criminal bulletin board is the "user list" -- sysops normally keep such a list on the BBS, containing the real names and telephone numbers of users who communicate with each other only by "handles." The user list is a very substantial piece of evidence linking the co-conspirators to the distribution of telephone codes and credit cards through the BBS messages or electronic mail.

    21. Mehnert and Sandquist stated that it is also common to find lists of voice mailboxes used by the suspect or his co-conspirators, along with telephone numbers and passwords to the voice mailboxes. Many suspects also carry pagers to alert them to incoming messages.

    CRIMINAL VIOLATIONS

    22. Criminal violations may include, but are not limited to, the following crimes:

    23. Wire fraud: 18 U.S.C. § 1343 prohibits the use of interstate wire communications as part of a scheme to defraud, which includes obtaining money or property (tangible or intangible) by a criminal or the loss of something of value by the victim. Investigation by your affiant has determined that the actions of the computer hackers, phone phreaks and bulletin board operators detected in this investigation defrauded telephone companies (whose customer authorization codes were exchanged through the BBS's) gained valuable property because their fraud scheme provided them with telephone customer authorization codes and other access devices which in turn could be used by them to obtain telephone services and property which would be charged to the victim companies. Their scheme also provided them with access to private branch exchange (PBX) numbers and codes which could be used to obtain telephone service which was charged to the victim companies.

    24. Computer fraud and abuse: 18 U.S.C. § 1030 prohibits unauthorized access to a federal interest computer with intent to defraud. Intent to defraud has the same meaning as in the wire fraud statute above. A federal interest computer is defined as "one of two or more computers used in committing the offense, not all of which are located in the same state," as well as computers exclusively for the use of a financial institution or the United States Government, among others defined in the statute. This section also prohibits unauthorized access to financial records and information contained in consumer reporting agency files.

    25. Access device fraud: 18 U.S.C. § 1029 prohibits the unauthorized possession of 15 or more unauthorized or counterfeit "access devices" with intent to defraud, and trafficking in authorized access devices with an intent to defraud and an accompanying $1,000 profit to the violator or loss to the victim. These prohibitions also apply to members of a conspiracy to commit these offenses. Intent to defraud has the same meaning as in the wire fraud statute above. "Access devices" includes credit cards, long distance telephone authorization codes and calling card numbers, voice mail or computer passwords, and PINS (personal identification numbers). An "unauthorized access device" is any access device obtained with the intent to defraud, or is lost, stolen, expired, revoked, or cancelled.

    26. Other offenses: other federal statutes violated in this case may include 18 U.S.C. § 1962 and 1963 which prohibit the commission of two or more acts of racketeering (including two or more acts in violation of 18 U.S.C. § 1343 and/or 1029), and permits forfeiture of the instrumentalities used or obtained in the execution of a crime; and 18 U.S.C. § 371, the federal conspiracy statute.

    PROBABLE CAUSE

    BULLETIN BOARD SYSTEM 312-528-5020

    27. CI 404-235 has accessed a public electronic bulletin board at 312-528-5020 over three dozen times between 4/7/89 and 12/31/90. The most recent access was on 4/28/90. In the "Phone Phun" subsection of the BBS, CI 404-235 has regularly seen messages posted by users of the BBS, which contain long distance carrier customer authorization codes, references to hacking, and to credit cards and credit bureaus. This affidavit is in support of a search warrant for two premises where evidence of the operation of the BBS is expected to be found. CI 404-235 provided to affiant copies of messages posted to the BBS, including the following:

    Numb 12 (54r4q9kl-12)
    Sub miscellaneous...
    From DON THOMPSON (#689)
    To all
    Date 03/17/89 03:55:00 PM

    o.k.:

    1999: 322300 342059
          366562 344129
          549259 549296
          492191 496362
          422000 549659

    28. In the above message, "1999" refers to the last four digits of the local access number assigned to Starnet, a long distance network owned by ITT Metromedia Communications. To use such codes, a caller dials the local access number, the customer authorization code, and the area code and number to be called. Marty Locker, ITT Security, verified that the local access number 950-1999 is Starnet's (Starnet's authorization codes are six digits long). Loss figures on the above are unknown.

    29. On 3/20/89, user #452 "Blue Adept" replies to a previous message, as follows:

    Numb 25 (54r4q9kl-25)
    Sub Reply to: Reply to: Legal expenses
    From BLUE DEPT (#452)
    To all
    Date 03/20/89 08:42:00 AM

    1999 is starnet. they've busted several people I know.
    they live to bust people. mainly with extraordinarily
    large fines. I've heard of them taking it to court
    though. first person they busted was the
    Diskmaster/Hansel. really cool guy. hacked em 300
    times with the applecat and they busted him. he didn't

    "Hacked em 300 times" refers to the number of times that "Diskmaster/Hansel" is supposed to have attempted to hack out a Starnet customer authorization code. "Applecat" is the name of a modem (computer communications device) and related software program which automates the code-hacking process.

    Numb 69 (54r4q9kl-69)
    Sub loop
    From JOE FRIDAY (#120)
    To all
    Date 03/25/89 07:10:00 PM

    IF ANYONE HAS A LOOP FOR THE 404 AREACODE I WOULD APPR.
    IT VERY MUCH!! IF THERE ARE ANY REAL PHREAKS THAT STILL
    DO HACK ALOT LEAVE I THINCK YOU MIGHT BENEIFIT FROM IT.

    18002370407-8010464006ACN-8205109251-IF ANYONE STILL GETS INTO LMOSE LEAVE ME A MESSAGE..

    30. On 4/17/90 Mark Poms, Director of Security, Long Distance Service of Washington D.C., verified the following: 1) 1-800-237-0407 is his company's assigned 1-800-line number. Authorization code 8010464006 has suffered $6,287.22 in fraud losses, and 8205109251 has suffered $970.34 in fraud losses.

    31. In the above message, "LOOP" refers to a telephone company "loop around test line". Hackers commonly exchange information on loops, in order to be able to communicate with each other without divulging their home telephone numbers. If two hackers agree to call a loop number at a certain time, the loop allows them to speak with each other -- neither hacker needs to know or to dial the other's telephone number. "LMOSE" refers to a type of computer system (LMOS) operated by Bell regional operating companies (local telephone companies). This computer system contains data such as subscriber records, and the LMOS system is solely for the use of telephone company employees for the purpose of maintaining telephone service. (Explanations provided by Bellcore computer security technical staff member David Bauer.)

    Numb 136 (56r5q9kl-136)
    Sub Suicide?
    From THE RENEGADE CHEMIST (#340)
    To All
    Date 04/18/89 05:33:00 PM

    9501001
    074008
    187438
    057919
    068671
    056855
    054168
    071679


    32. On 3/20/90 Karen Torres, MidAmerican Communications, a long distance carrier which a local access number of 950-1001 as valid MidAmerican customer authorization codes. She advised that all but the invalid code were terminated "due to hacking".

    950-1001
    074008   Valid code, no loss
    187438   Valid code, no loss
    057919   Invalid
    068671   Valid code, no loss
    056855   Valid code, no loss
    054168   Valid code, no loss
    071697   Valid code, no loss

    Numb 109 (53r3q0k2-109)
    Sub Reply to: Reply to: Reply to: Reply to: Reply to: John Anderson
    From BRI PAPE (#22)
    To ALL...
    Date 06/28/89 05:31:00 AM

    ANOTHER valid code..

    AND A DIVERTER...

    215-471-0083..(REMAIN QUIET)

    33. 950-0488 is the local access number for ITT Metromedia Communications, according to Marty Locker, ITT Security. Fraud losses, if any, on this customer authorization code are unknown.

    34. On 4/16/90, Kathy Mirandy, Director of Communications, Geriatrics and Medical Center Incorporated, United Health Care Services, in Philadelphia, PA, verified that 1-215-471-0083 is her company's telephone number. She stated that between 12/28/88 and 5/15/89, her company suffered a fraud loss of $81,912.26 on that number. In the above message, "diverter" refers to a common hacker/phone phreak term for a means of placing telephone calls through a telephone facility which belongs to someone else. The hacker "diverts" his call through the other facility, and if the outgoing "diverted" call is a long distance call, the owner of the facility is billed for the call as though it originated from the victim telephone facility.

    35. On 7/3/89, CI 404-235 accessed the BBS and observed the following message, a copy of which was provided to the affiant:

    Numb 137 (56r3q0k2-137)
    Sub dib.
    From POWER ASSIST (#524)
    To *
    Date 07/02/89 12:01:00 AM

    Divertors: 1800 543 7300
                    543 3300

    I'm not sure if this is a 800 to 800 : 800 777 2233

    36. On 4/18/90 Delores L. Early, Associate General Counsel of the Arbitron Company, Laurel, Maryland, verified that 1-800-543-7300 is listed to her company. She advised that her company suffered a direct fraud loss by October, 989 of $8,100 on that line, as well as additional expenses in the form of the installation of "an elaborate security procedure to prevent this type of fraudulent use," and lost employee time in identifying and correcting the problem. "800 to 800" refers to whether the "divertor" posted in the above message can be used to call out to another 800 number.

    Numb 113 (53r6q0k2-113)
    Sub Codes
    From BLUE STREAK (#178)
    To ALL
    Date 07/26/89 05:05:00 AM

    Here is a code:
    1800-476-3636
    388409+acn

    950-0266
    487005
    8656321
    6575775
    oops first one is 4847 not 487

    Blue Streak.

    Blee blee blee thats all pholks.

    37. On 4/2/90, Dana Berry, Senior Investigator, Teleconnect (a division of Tele*Com USA, a long distance carrier), verified that 1-800-476-3636 code 388409 is her company's authorization code and it has suffered a fraud loss of x176.21 {transcrib. note: portion of dollar figure (first digit) is illegible on copy of affidavit}

    38. On 4/20/90, Christy Mulligan, ComSystems Security, whose company is assigned the local access number 950-0266, verified the following:

    1) 4847005   $2,548.75 loss due to fraud
    2) 8656321   $2,000.00 loss due to fraud
    3) 6575775   $  753.61 loss due to fraud

    Numb 122 (57r3qlk2-122)
    Sub TRW
    From NEMESIS TKK (#311)
    To Garth
    Date 09/30/89 04:01:00 AM

    I have no ideas about accessing TRW through
    any type of network, but,m you cal dial TRW directly
    (although you will probably want to code out..Even if
    format has changed or anything in the past 5 years.. its
    still db idpw first, ast, etc...So anyway, if you do
    know how to use it,you can get at it from that number.

    39. In the above, "Nemesis" gives a telephone number in area code 602 (Arizona) for TRW. "Code out" refers to using a stolen customer authorization code ("if only to save yourself the fone bill") to call the TRW number. The format for getting in to the TRW computer that he gives Marianne Birkinshaw, TRW investigator advised that the telephone number posted in the message is "a legitimate telephone number into TRW's database".

    Numb 138 (57r4q2k2-138)
    Sub 5
    From Chris X (#134)
    To PEOPLE WHO HAVE OR HACK CODEZ
    Date 01/22/90 05:54:00 PM

    Dear Anyone,

    I am in desperate need of a code. SOMEONE
    PLEASE Post a code with a dialup and the format the code
    must be entered. I will be ever so greatful. PLEASE
    HELP!!!

    Max Man - Chris X

    40. In the above, user #134 asks for a code (customer authorization code), "dialup" (the local access or 800 number through which the code may be used), and the format (the order in which code, area code and number must be dialed in order to place a call on the particular network).

    Numb 146
    Sub Here's your code beggar
    From POWER ASSIST (#524)
    To beggars
    Date 01/23/90 12:40:00 AM

    950-0266

    6552513 1564844

    probably die before you use it.
    -PA

    41. On 4/19/90, John Elerick, ComSystems Security, verified that the codes posted with his company's local access number (950-0266) in the above message are valid; 6552513 has suffered $185.31 in fraud loss, and it" refers to the code -- customer authorization codes "die" when they are deactivated or cancelled by the carrier.

    42. On 1/26/90, CI 404-235 again accessed the BBS and observed the following message, a copy of which was provided to the affiant:

    Numb 147 (50r5q2k2-147)
    Sub ALL
    From THE SILENCER (#269)
    To ALL
    Date 01/25/90 08:26:00 PM

    YO...UMM...WHO ASKED FOR CARDS? hahahahah that is
    pretty pathetic..god. If you want Credit Cards get
    your own. One step closer to safe carding....getting
    cc's off bbs's is the most disgusting thing I've ever
    heard...use TRW..use
    CBI...trash...steal...pickpocket....but dont get em off
    a bbs...jeez..

    0266 working:1593527
    lets hope that this dies real fast so the REAL phreaks
    will be left alone by the leacherz...heheheh

    - Silencer

    43. In the above message, "carding" is a common hacker/phone phreak term which refers to the fraudulent use of credit cards or credit card numbers to obtain merchandise which will be billed to the cardholder. "The Silencer" advises "all" users on the BBS to use TRW, or CBI (both national credit bureaus) or to "trash" (the practice of obtaining credit card numbers and related information from receipts or carbons discarded in trash -- sometimes also referred to as "dumpster diving"), steal or pickpocket, but not to get them (credit cards) from a bulletin board system. He then gives a ComSystems code identified by the last four digits (0266) of the ComSystems local access number. "Leacher" is a common hacker insult for those BBS users who copy codes, credit cards, or software from a BBS but do not contribute their share.

    44. On 4/13/90, John Elrick, ComSystems Security, verified that 1593527 is a valid customer authorization code which has suffered $27,353.34 in fraud loss.

    45. It should be noted that in message #138 above, dated 1/22/90, Chris X asked for codes. On 1/26/90 the following followup message was noted by CI 404-235:

    Numb 149 (50rq2k2-149)
    Sub Credit Card's for Codez
    From Chris X (#134)
    To ALL
    Date 02/26/90 07:43:00 AM

    Okay,
    Tell ya what. I will exchange any amount of credit
    cards for a code or two. You name the credit limit you
    want on the credit card and I will get it for you. I do
    this cause i go to ganitorial work at night INSIDE the bank
    when no one is there..... heheheheheh

    46. On 1/30/90, Zimmerman left a message on the BBS for CI 404-235, stating that he "will be ready to exchange your codez for cards. I have got 2 right now. 1 witch contains a $1500 credit limit and the other containing a $2200 credit limit. I will 'steal' some more when I go to the bank this weekend. Talk to ya tomorrow..." On 1/31/90 CI 404-235 gave Chris X Sprint Customer authorization code 25259681433275, provided to affiant by U.S. Sprint Regional Security Manager R.E. Sandquist for this purpose. On 3/18/90 in a computer-to-computer conversation (not on the BBS), Chris X gave CI 404-235 a list of ten (10) credit card numbers with names, addresses, credit limits, and expiration dates. All of the credit cards appear to be issued in Illinois. Zimmerman told CI 404-235 that all of the cards "belong" to Consumers Co Op Credit Union.

    47. On 4/28/90, CI 404-235 again accessed the BBS and provided printouts of messages which he observed on the BBS. In one, dated 3/27/90, "Scott Sxxxxx", user #160, offered to trade "virgin" credit cards (newly acquired and not yet used for fraudulent purposes) for AT&T cards (calling card numbers), PBX's (see Definition section above) or numbers that will call overseas. In a message dated 4/17/90, "SLI FOLKS", user #572, stated that he was calling from Edmonton, Canada, "using a stolen account on Datapac for this call" (Datapac is a data communications carrier). He tells "all" users that he has access to phone rooms for two apartment buildings "which gives me access to several hundred phone lines. new bpox that lets me get free LD on someone elses line from my house. So I hope you guys can teach me some stuff." On 4/24/90, Chris X left another message to "anyone" offering to trade credit cards and codes for information on how to get "information on a non-published person. It can be found if you have a persons phone number and want a name and address or vice-versa." (He is referring to obtaining non-published subscriber information maintained by the telephone companies.)


    48. In attempting to locate the BBS which operates on telephone number 312-528-5020, affiant has discovered several significant facts which appear to indicate that an attempt has been made to disguise the actual location of the BBS. These facts, and the sources for them, are detailed below. In summary, the BBS telephone line is listed to an address as one of its facilities, the BBS telephone line ends at an Illinois Bell junction box where a non-Illinois Bell (unauthorized) line leads from the BBS line to an apparent retail/office structure at another address. The BBS telephone bills are sent to a post office box opened in the corporate name, but the applicant, who is not listed as an officer of the corporation, described himself in a police report as "self-employed". A second, unlisted, telephone line, billed to the post office box applicant's home address, is installed at the retail/office structure where the non-Illinois Bell (BBS) line also leads.

    49. Illinois Bell telephone records show that the BBS telephone number 312-528-5020 is subscribed to by Mxxx Xxxxxx, Inc., xxxx West Belmont, xxxx xxx, Chicago, Illinois. The bills for this service are sent in the name of Mxxx Xxxxxx, Inc., at P.O. Box xxxx, Chicago, Illinois, 60618-0169. The BBS line was installed on December 1, 1982.

    50. In April of 1989, Sgt. Abigail Abraham, Illinois State Police, conducted an investigation of the bulletin board system at telephone number 312-528-5020. She checked directory assistance, and both white and yellow-page telephone directories: although she found several telephone numbers and addresses for Micro Repair, Inc., 312-528-5020 and xxxx West Belmont were not among them. She investigated the purported BBS site, and determined that xxxx West Belmont, xxxx xxx, Chicago, Illinois, does not exist. She reported that at xxxx W. Belmont, there is a structure which would incorporate the address of xxxx W. Belmont. Sgt. Abraham had a telephone company repairman check the physical junction pole: they discovered that the 312-528-5020 line ran from the phone via a non-Illinois Bell (unauthorized) connection to a building at xxxx N. Clybourn, Chicago, Illinois. This building appears to be a retail/office structure, at which, according to SA Conway, Secret Service Chicago field office, as of 4/16/90 "there is nothing to indicate that there are any businesses operating out of xxxx N. Clybourn, Chicago, Illinois." It is a one story section of a larger one-and-two story building which is "V" shaped, fronting on both Clybourn and Belmont Avenues. The third leg of the larger building (southeast side) fronts on a parking lot, with a fenced courtyard section off the parking lot. The xxxx address is approximately the last thirty feet at the south end of the Clybourn side of the building.


    51. Illinois Bell records show that a non-published telephone line is installed at xxxx N. Clybourn, which is 312-xxx-xxxx. Per Sgt. Abraham, the subscriber is Bruce Xxxxxxxxxxx, xxxx N. Lawndale, Chicago, Illinois and the bills are mailed to Fred Xxxxxxxxxxx at the same address. Telephone service for 312-xxx-xxxx was installed at xxxx N. Clybourn on January 1, 1982.

    52. On April 26, 1989, Sgt. Abraham wrote down all of the vehicle license plates parked in the parking lot next to xxxx N. Clybourn and those parked immediately in front of it. PTxxxx, which was a 1987, four-door Ford, was registered to Bruce Xxxxxxxxxxx, xxxx N. Lawndale, Chicago, Illinois.

    53. On 4/5/90, the Secret Service office in Chicago was notified by the Illinois Department of Revenue that there are no business licenses for xxxx N. Clybourn, Chicago, Illinois, nor are there any licenses issued to Bruce Xxxxxxxxxxx.

    54. On 4/2/90 the Illinois Secretary of State, Corporation Division, advised that Martin and Wendy Gilmore are the only officers for Micro Repair listed on its Illinois Articles of Incorporation.

    55. On 4/3/90, the Chicago Postal Inspector's Office informed the Secret Service office in Chicago that the billing address for telephone number 312-528-5020 (the BBS) is Post Office Box xxxx and is open in the name of Mxxx Xxxxxx. The name of the person who made the application for the post office box is Bruce Xxxxxxxxxxx, xxxx N. Lawndale, Chicago, Illinois, telephone number 312-xxx-xxxx. Identification used to open the box was Illinois Driver's License exxx-xxxx-xxxx (per the Illinois Secretary of State this license is that of Bruce Xxxxxxxxxxx), and according to Sgt. Abraham, his license address is also xxxx N. Lawndale.

    56. To the rear of the property where xxxx N. Clybourn is located, there is an antenna and a satellite dish. SA William P. Conway of the Chicago field office contacted the Coast Guard for assistance in determining the latitude and longitude of the satellite antenna. On 4/3/90, the Coast Guard Air Operations Duty Officer at the Glenview Naval Air Station, Chicago, Illinois, advised that the Belmont/Western/Clybourn intersection, Chicago, Illinois, has a latitude of 41 degrees, 56 minutes, 9 seconds north, and a longitude of 87 degrees, 41 minutes, 5 seconds west. With that information, SA Conway was able to obtain assistance from the Federal Communications Commission in determining the owner of the satellite antenna. Will Gray, of the Chicago FCC office, advised that the FCC license for the antenna (which is mounted on a tower located in the fenced courtyard section of the larger building of which xxxx N. Clybourn is a part) is registered to the American United Cab Company at xxxx N. Belmont. The satellite dish is affixed to the rear of xxxx N. Clybourn. Mounted on the tower are two closed circuit cameras. The first camera is located approximately 20 feet above the ground, the second camera is approximately 45 feet above the ground.


    57. Chicago Police Department General Offense Report #Mxxxxxx, dated 3/13/89, lists Bruce Xxxxxxxxxxx as the victim, with the address of occurrence listed as xxxx N. Clybourn, Chicago, Illinois. Xxxxxxxxxxx reported that his car window was broken by two subjects. Per this police report, Xxxxxxxxxxx states that he watched on a closed circuit security camera as the two subjects entered the parking lot adjacent to xxxx N. Clybourn, and broke his automobile window. Xxxxxxxxxxx told the officers that the cameras are used for parking lot security, due to "breakins". This incident took place at 2:30 PM. The report lists Xxxxxxxxxxx's residence address as xxxx N. Lawndale, Chicago, Illinois, his home phone number as 312-xxx-xxxx (that telephone number is listed to Fred Xxxxxxxxxxx at the xxxx N. Lawndale address, according to Sgt. Abraham), and his work phone number as 312-xxx-xxxx (the unlisted line billed to his residence). He stated that he is self-employed.

    58. On 4/5/90, the Chicago Office of the Secret Service requested Rolonie Kwasny, Security Supervisor, Illinois Bell Telephone to verify that there are no other authorized or unauthorized telephone lines into xxxx N. Clybourn other than 312-528-5020 and 312-xxx-xxxx.

    59. On 4/6/90, Kwasny notified the Chicago Office that early on that date the xxxx N. Clybourn address was checked. The larger building of which xxxx N. Clybourn is part, is serviced by 13 working phone lines through the box attached to the Belmont Side of the building, which also services the xxxx address.


    60. The only authorized phone line to the xxxx address is 312-xxx-xxxx (the number Bruce Xxxxxxxxxxx gave as his business number in the police report). The only other phone line (unauthorized) into the xxxx address is bulletin board number 312-528-5020, the line which leads from the junction box to the building. Kwasny advised that this type of hookup required no special knowledge.

    61. Affiant has interviewed Sandquist, Mehnert, and CI 404-235, all of whom have operated electronic bulletin boards themselves. All three advised affiant that the sysop of a BBS must continuously perform a great many maintenance or "housekeeping" chores necessary to operation of the BBS. A sysop's maintenance functions include constantly making changes on the BBS, such as adding or removing users, raising or lowering users' level of access, removing files or programs uploaded to the BBS (added to the system by a user). If a user places a virus or logic bomb which could disrupt the functioning of the BBS, for example, on the sysop's computer, the sysop can remove it.

    62. Since many BBS's (including this one) operate 24 hours a day, for the convenience of sysops, BBS software allows many of these functions to be performed from what is called "remote" locations, i.e., by the sysop using another computer, over the telephone line to the BBS. If the BBS is operating at a

    - 34 -

    business address, for example, the sysop can perform his maintenance functions at night or any other time from his residence or from any other location where he has a computer, modem, and telephone communication to the BBS. BBS users commonly communicate directly with the sysop on the BBS, either in "chat" mode or by leaving him electronic mail (see Definitions section, above). A BBS sysop is essentially "on call" during the entire time the BBS is in operation, to solve equipment/software problems or interruptions to the operation of the BBS, for the supervision of users, and to communicate with them. Operating a BBS is extremely time-consuming, according to Mehnert, Sandquist, and CI 404-235.

    63. CI 404-235 advised affiant that, when he logs on to the BBS, he sees a screen in which the first two lines advised that connection has been made to the BBS, the third line lists the baud rates, or speeds, at which a user may communicate with the BBS, and the fourth line states "Online since 12/10/83". This indicates that approximately one year after the 312-528-5020 number was subscribed to by Bruce Xxxxxxxxxxx, the BBS began operating. As of 4/29/90, all attempts to locate any residence for Bruce Xxxxxxxxxxx other than that listed on his driver's license, auto registration, post office box application, and subscriber records for telephone number 312-xxx-xxxx, have been negative. Therefore, it appears that his residence address is xxxx N. Lawndale, Chicago, Illinois.

    - 35 -

    64. The telephone bills for the unlisted line (312-xxx-xxxx) which is installed in the xxxx N. Clybourn building where the unauthorized BBS line (312-528-5020) leads, are mailed to the same address, xxxx N. Lawndale, Chicago, Illinois, to Fred Xxxxxxxxxxx.

    65. If the sysop is accessing the BBS from his residence, it is likely that evidence of the sysop's identity and evidence relating to the operating of the BBS will be found on a computer system at the residence, or on diskettes, printouts, and other records at the residence. The telephone bills for unlisted number are also likely to be found at the residence, along with financial records such as cancelled checks or receipts, which will assist in identifying the individual who paid them.

    66. At the xxxx N. Clybourn address, evidence of the connection of the BBS equipment to the 312-528-5020 telephone line, and evidence relating to the operation of the BBS, are expected to be found. Entry into the premises at this location, and physical inspection, are necessary in order to determine whether the 312-xxx-xxxx line is also connected to the BBS.

    67. Based upon all of the foregoing, affiant believes that evidence of violations of 18 U.S.C. §§ 1343, 1030, 1029, 1962, 1963, and 371, will be found at xxxx N. Lawndale, Chicago, Illinois, and at xxxx N. Clybourn, Illinois, such evidence consisting of:

    - 36 -

    68. Electronic data processing and storage devices, computers and computer systems including central processing units; internal and peripheral storage devices such as fixed disks, floppy disk drives and diskettes, tape drives and tapes, optical storage devices or other memory storage devices; peripheral input/output devices such as keyboards, printers, video display monitors, optical readers, and related communications devices such as modems; together with system documentation, operating logs and documentation, software and instruction manuals.

    69. Telephone equipment such as lineman's handsets, memory telephones, automatic dialers, programmable telephone dialing or signalling devices, electronic tone generating devices.

    70. Records pertaining to ComSystems, ITT and other long distance companies' access numbers and customer authorization codes; credit card numbers; telephone numbers for computer bulletin boards, voice mail systems, and corporate computer systems; PBX codes and related telephone numbers; records and information related to the unauthorized access into computer systems or to the sale, sharing, or other distribution of long distance companies' access numbers and customer authorization codes, credit card numbers, including financial records, receipt of payments, worksheets, correspondence, memoranda, computer bulletin board downloads or messages, and other documentation.

    71. Records pertaining to Mxxx Xxxxxx Inc., to Post

    - 37 -

    Office box number xxxx, telephone bills for 312-528-5020 and to 312-xxx-xxxx from 1982 to the present date, bank account records including statements and cancelled checks for Bruce Xxxxxxxxxxx from 1982 to the present date, business records relating to the occupancy of the xxxx N. Clybourn premises, including rent/mortgage payment receipts, rental or mortgage contracts, utility bills and proof of payment, and records pertaining to the purchase, ownership, and maintenance of the BBS computer system and software.

    72. All of the above records, whether stored or on paper, on magnetic media such as tape, cassette, disk, diskette, or on memory storage devices such as optical disks, programmable instruments such as telephones, "electronic address books", programmable wristwatches, calculators, or any other storage media, together with the indicia of use, ownership, possession or control of all of the above property or records, including bills, letters, identification, personal effects, memoranda, and other documentation.

    73. Since much of the above-described evidence is likely to be found in electronic form or machine-readable media which cannot be read or analyzed by affiant in its present form,

    - 38 -

    affiant requests authorization to seize, listen to, read, review, and maintain the above described property and records and to convert the above records to human-readable form as necessary.

    (Signature/G. Kirt Lawson)
    Affiant

    Subscribed and Sworn before me this 30th day of APRIL, 1990.

    (signature) Cynthaia M. Penumire (??illegible)
    Notary Public

    My Commission Expires (illegible)

    9865e/

    - 39 -

    ---end of documents-----