
UNITED STATES DISTRICT COURT DISTRICT OF MASSACHUSETTS

UNITED STATES OF AMERICA

v.

ANDREW JAMES MILLER, Defendant

Case No. 12-10189-MLW

GOVERNMENT’S TRIAL BRIEF

The indictment in this case charges Andrew Miller with one count of conspiracy (18 U.S.C. § 371), one count of obtaining information without authorization from a computer (18 U.S.C. § 1030(a)(2)), one count of damaging a computer (18 U.S.C. § 1030(a)(5)), and one count of access device fraud (18 U.S.C. § 1029(a)(2)). The trial is scheduled to begin September 9, 2013. In this trial brief, the government will summarize the evidence it expects to present at trial, and it will analyze the legal issues, both substantive and evidentiary, that it anticipates might arise during trial.

I. MILLER’S COMPUTER HACKING AND PASSWORD TRAFFICKING SCHEME

a. Underground Intelligence Agency (“UIA”) Hacker Group

From approximately 2008 through June 2012, Miller, who is now 24 years old, was a member of a computer hacking group known as the “Underground Intelligence Agency” (“UIA”). He lived in Pennsylvania throughout this time. UIA was a small, loosely organized group that hacked into commercial, government, military, university, and individual computer systems; created a means for future unauthorized accesses onto those hacked computers; and then transferred, and sometimes attempted to sell, this unauthorized access (usually by transmitting log-in credentials) to others.

Case 1:12-cr-10189-MLW Document 55 Filed 06/10/13 Page 1 of 24


There were at least three members of UIA: Miller, who primarily used the online nickname “Green”; Robert Burns, who lived first in New York and later in Massachusetts and primarily used the nickname “Intel”; and someone using the nickname “Mod” or “Modem,” who is believed to live in Australia but whose identity is unknown. In order to protect their anonymity, members of UIA communicated with one another primarily online, usually via Internet Relay Chat (“IRC”) or instant message (“IM”) in private channels or “chat rooms” that could only be accessed by members. Occasionally, UIA members also spoke to one another over the phone.

In approximately 2010, FBI agents determined that “Intel” was Burns. After agents approached him, Burns assisted the government’s investigation into other UIA members.

b. Miller’s Hacking

Among the UIA members, Miller was primarily focused on hacking into computer networks, maintaining unauthorized access for as long as possible, and then transferring that unauthorized access to others either inside UIA or outside of the group, sometimes charging money for the access. Typically, Miller would hack into the targeted computer network, and once inside, would then explore the network to see what, if any, useful data he could access. He then fortified his access to ensure continued future access, typically by installing something called a “backdoor” (described below) and by obtaining other users’ log-in credentials in the event that his original point of entry was discovered and blocked. Before transferring his access to others, Miller typically hacked back into the network to verify that his access still worked and that he still “owned” the hacked machine. All the while, Miller carefully hid his tracks to avoid being detected and/or blocked by the hacking victim.

Miller used a variety of techniques to hack into computer networks. Frequently, he would start by finding an authorized network user with a valid username and password (for example, an employee who remotely logged into his company’s network from his home computer). Miller then hacked into the employee’s home computer by embedding malicious code called an “exploit” into benign software programs such as blogging software or IRC chat software programs. When the unsuspecting computer user installed the infected blogging or chat software, Miller was able to use the exploit to gain access to the user’s computer.

Once Miller had hacked into the employee’s home computer and that person remotely logged onto his employer’s corporate network, Miller would then steal the employee’s log-in credentials. Typically Miller did this by surreptitiously installing a software program called a “sniffer” or “keylogger” onto the employee’s home computer so that he could record the employee’s log-in credentials. Miller then transmitted that information back to his own computer. He then used these stolen log-in credentials to hack into the company network. In other instances, Miller short cut all of this and obtained log-in credentials from other hackers, including from members of UIA.

After Miller hacked into a part of the target network, he would then use that initial entry point to hack into other parts of the network. Like an expanding spider web, Miller would spread his unauthorized access to other computers on the same network. Typically, he was able to gain administrator-level or “root” access to the entire network, which is the highest level of access and is also referred to as “owning” the network. Miller would then explore the hacked network to see what type of data was stored there. He would sometimes take “screen shots” (essentially digital photographs of whatever was displayed on his computer monitor) of what he saw in order to prove to others that he had the access to the network.

Once he knew he could successfully hack into the target network, Miller then fortified his access to ensure that it would continue, presumably to help him later transfer or sell that access. Miller used several key techniques to give him sustained access to the network he hacked. He built a “backdoor” into the network and created “magic passwords.” A “backdoor” is a method of bypassing a network’s security system and normal authentication procedures to obtain remote access to a computer, while remaining undetected. In essence, a “backdoor” allows a user to access a network and remain undetectable to the computer’s security system. A “magic password” is a unique password that allows the user to manage the network settings and security of a computer system. It allows a user to bypass a network’s security system without detection.

Miller also typically installed sniffers or keystroke loggers so that he could spy on other authorized users and obtain other users’ log-in credentials. This served as a type of insurance policy in case his original entry point into the network was detected and blocked.

While hacking, fortifying, and re-testing his unauthorized access, Miller took great care to hide his tracks and his identity. He was careful to use “proxy” computers and anonymizer services to hide the IP (Internet Protocol) address of his computer. Essentially, these anonymizers allowed Miller to travel through other computers on his way to the hacked network, ensuring that anyone monitoring his hacking would see only that it was coming from the proxy computer that was Miller’s last stop before the hacked network. Furthermore, once he was inside the hacked computer, he issued commands to the network to erase his electronic fingerprints on the machine.

c. Targeting Specific Networks

Miller specifically targeted his hacking to exploit corporate, government, and university networks, and he also claimed to have attempted to hack into and sell access to military networks. Miller claimed to have successfully hacked into, and maintained unauthorized access to, a large number of computer networks. In one October 2010 online chat, discussed in more detail in the government’s Motion in Limine, for example, Miller told Burns that he had hacked into corporate servers belonging to American Express, Yahoo!, Google, Adobe (a software company), Wordpress (a blogging platform), Barracuda (a security network hardware manufacturer), Hurricane Electric (an internet service provider), Juniper (a network hardware manufacturer), Cisco (a network hardware manufacturer), and Force10networks (an Ethernet switch manufacturer). In other chats, he admitted hacking into Layered Tech (an internet backbone provider), Harvard University, The University of Texas, and The University of California at Davis.

On several occasions, Miller offered to sell access to the computer networks that he had hacked into. As set forth below, in 2010-2011, undercover FBI agents who Burns had introduced to Miller made a series of undercover purchases from Miller, primarily through online chat conversations. In each case, Miller described the networks he had hacked, described the type of data that he observed on those hacked networks, and negotiated a price for selling access. Miller then transferred the log-in credentials to the undercover agents, and then received a wire transfer via Western Union, payable to “Andrew Miller.”

As set forth in the indictment, a series of four negotiations took place between Miller and the undercover agents, each of which is described below.

d. RNKTel

In February 2011, Miller sold to UC agents unauthorized access to computer servers belonging to RNKTel.com, a telecommunications provider based in Dedham, Massachusetts. In a series of chats with the UC agents, Miller described how he had hacked into RNKTel, installed a “backdoor,” and obtained “root” access to the network. He described what type of data was on the computer servers, and, to prove his access, he pasted into a chat log a screen shot of an inside view of the network. Miller also advised the UC agent how to hide his tracks, directing him to issue specific commands to erase any logging of that session’s activities (and therefore prevent detection by RNKTel). Miller electronically transferred a “magic password” to the UC agent, which would provide access to Miller’s backdoor into RNKTel. To further bolster the access, Miller also provided the UC agent with a list of hundreds of other RNKTel users’ log-in credentials in case Miller’s backdoor and magic password stopped working. In return, at Miller’s request, the UC agent transferred $1,000 via Western Union, payable to “Andrew Miller.”

Once he had received the log-in credentials from Miller, the UC agent then obtained consent from RNKTel.com to verify those credentials. Using the log-in credentials, the UC agent verified the “root”-level access that Miller had sold to him. RNKTel explained that Miller was not an authorized user and confirmed that, with the log-in credentials that Miller had sold to the UC agent, Miller or the agent would have had access to the entire corporate network. According to RNKTel, with that administrator-level access, a bad actor could not only have accessed RNKTel’s confidential business records but could also have altered customer accounts to obtain, for free, the telecommunication services that RNKTel sells to its customers.

Notably, when the UC agent (with RNKTel’s permission) accessed the RNKTel network with the log-in credentials Miller sold him, Miller then also hacked back into RNKTel to monitor the UC agent’s accessing the network.

e. Layered Tech’s “Database Dump”

In March 2011, Miller sold to UC agents a massive database of thousands of log-in credentials into hundreds of computer networks. Miller told the UC agent that he obtained the “data dump” or “ticket dump” by hacking into Layered Tech’s computer servers. Layered Tech is a large internet service provider based in ____. Miller sold this database to the UC agent for $1,200, which the agent paid via Western Union to “Andrew Miller.” The UC agent then selected several sample log-in credentials from this database to verify, including those for computer servers belonging to the University of Massachusetts at Amherst. Agents confirmed with UMass-Amherst that Miller was not an authorized user and that the log-in credentials from the “data dump” were fully functional and would, in fact, have enabled a user to access its network.

f. CPB Group/Domino’s Pizza/CPB Group

In April 2011, Miller sold to UC agents unauthorized access to computer servers hosting the website dominos.com (for Domino’s Pizza). Those computers were owned by a Denver-based digital advertising agency, Crispin Porter and Bogusky (“CPB”), and contained databases and e-mail servers for Dominos and other merchants. Once again, at Miller’s direction, the UC agent transferred $1,000 via Western Union to “Andrew Miller” and received log-in credentials in return.

g. NERSC/Department of Energy/NERSC Supercomputers

In April and May 2011, Miller attempted to sell to UC agents, for $50,000, unauthorized access to two supercomputers that provide computing resources for the U.S. Department of Energy. Those servers are located in Oakland, California, at the Lawrence Livermore Laboratory, and are part of the National Energy Research Scientific Computing Center (“NERSC”). Miller explained to the UC agents that he had gained access into the NERSC supercomputers by hacking into a Japanese university that had connections to the NERSC computers. Miller also explained that he had recently been caught on the NERSC computers, and his access had been temporarily blocked. He was confident that he still had access through other channels, including via Harvard and U.C. Davis. Miller described his access to the UC agent, and to prove it, he pasted into the chat log a screen shot of the log-in screen for the Lawrence Livermore computers.

Miller also mentioned in the chats that his “partner” had other supercomputers for sale, many of which were “gov/edu” (meaning government or university/educational) computers. Because Miller’s $50,000 price-tag was so steep, the FBI never transferred the money and therefore never obtained the NERSC log-in credentials.

II. THE EVIDENCE

A. WITNESSES

The government intends to call between five and ten witnesses, depending on what stipulations it can work out with the defense.


1. Robert Burns

The indictment references, as an unindicted co-conspirator, a former UIA member who is identified by his screen name, “Intel.” The government has disclosed Intel’s true identity in the course of discovery: Robert Burns of Boston, Massachusetts. He will be a witness at trial.

The government expects that Burns will testify that he was a member of UIA with Miller from approximately 2008 through 2010. He will describe UIA generally, identify its members, and describe how they communicated with one another through IRC chats. Burns will describe in detail the communications that he had with Miller. He will testify about the screen names that Miller used and will describe what Miller told him about his personal background. Burns will testify about statements that Miller made to him about Miller’s hacking, including his hacking into RNKTel, CPB Group, Layered Tech, NERSC, and other computer servers. Burns will also testify about statements Miller made to him about his attempts to sell access to various hacked networks. Where necessary, Burns will help decipher any technical jargon that appears in the chats and in audio recordings in order to explain their meaning to the jury.

Burns will also describe his participation in an undercover operation where he introduced “Coleman” – the undercover agent – to Miller via the internet and then participated in chats in which Miller negotiated to sell Coleman log-in credentials to hacked networks.

Although Burns is primarily a fact witness, we anticipate that, as part of his testimony, he will explain some network intrusion concepts and terminology as well as hacker slang. Thus while Burns is not an “expert witness” in the classic sense, portions of his testimony may qualify as expert testimony under Fed. R. Evid. 702, and the government has previously identified him as an expert.

Through Burns, the government will seek to introduce online chats that Burns had with Miller, with “Mod” (another UIA member), and with the undercover agents. Burns logged these online communications, copied the logs, provided them to the government, and can therefore authenticate them. These chat logs are discussed in further detail in the government’s motion in limine. The government will also seek to introduce through Burns recordings of telephone calls between Burns and Miller.

Through Burns, the government will also introduce a thumb drive, which is an electronic data storage device, that contained the “data dump” that Miller obtained by hacking into Layered Tech and then sold to “Coleman.” Burns was the go-between who delivered a thumb drive from Miller to “Coleman,” the UC agent.

2. SA Russell

The government anticipates calling FBI Special Agent Timothy Russell to testify. SA Russell, acting in an undercover capacity, posed as “Coleman.” He will testify about his chats with Miller and Burns, as well as his undercover purchases of login credentials from Miller. SA Russell will also testify about how, after obtaining the hacking victim’s consent, he tested the login credentials he purchased from Miller to ensure that they, in fact, granted him access to the hacked networks. He will further describe what type of information he was able to access on those networks.

Although SA Russell is primarily a fact witness, we anticipate that, as part of his testimony, he will explain network intrusion concepts and terminology, chat programs and logs, and hacker slang. Thus while SA Russell is not an “expert witness” in the classic sense, portions of his testimony may qualify as expert testimony under Fed. R. Evid. 702, and the government has previously identified him as an expert.

Through SA Russell, the government will seek to introduce excerpts of logs of online chats that Russell, acting as “Coleman,” had with Miller and others. When SA Russell was posing as “Coleman,” SA Russell logged their online communications, made copies of those logs, and can therefore authenticate them. These chat logs are discussed in further detail below.

3. SA Shaver

The government intends to call FBI Special Agent Jacob Shaver to testify. Shaver posed as “Coleman” during some of the communications with Miller, for example, the communications about the NERSC hack and attempted sale. He will testify about his chats with Miller and Burns, as well as his attempts to make an undercover purchase of login credentials from Miller. SA Shaver will also testify about his testing of the other login credentials that “Coleman” obtained from Miller to ensure that they in fact granted him access to the hacked networks. SA Shaver will testify about text messages and chat communications he had with Burns about his communications with Miller. He will describe in detail his interview of Miller and Miller’s confession to the crimes charged in the indictment, which is the subject of a pending motion to suppress.

SA Shaver will also testify about the results of the search of Miller’s computer. He will describe file structures, nicknames, and labels he observed on Miller’s computer, as well as his observation of “chat” client software programs. The government does not consider this to be expert testimony but notified defense counsel about this in an excess of caution. SA Shaver did not make the images of the original computer that the FBI took from Miller’s apartment – rather an FBI forensic examiner did this. The government hopes to reach a stipulation with the defense that obviates the need to call the forensic examiner.

Although SA Shaver is primarily a fact witness and will testify about his communications and transactions with Miller and Burns, we anticipate that, as part of his testimony, he will explain network intrusion concepts and terminology. Thus while SA Shaver is not an “expert witness” in the classic sense, portions of his testimony may qualify as expert testimony under Fed. R. Evid. 702, and the government has previously identified him as an expert.

Through SA Shaver, the government will seek to introduce online chat communications that Burns had with Miller, “Coleman,” and others. When SA Shaver was posing as “Coleman” during the NERSC discussions, SA Shaver logged their online communications and can therefore authenticate them. In addition, SA Shaver engaged in “text” communications with Burns. He saved those “texts” and can therefore authenticate them. Through Shaver, the government will seek to introduce records obtained from Western Union, including a copy of Miller’s driver’s license, as well as receipts for the money transfers from the UC agents to Miller.

4. Additional FBI SA Daron Schreier

The government also may call FBI Special Agent Daron Schreier, who was present during SA Shaver’s interview with Miller. SA Schreier would testify about the interview and about Miller’s confession.


5. Hacking Victim Employees

The government anticipates calling Eric McClelland, a former systems engineer for RNKTel during the events at issue in this case. Mr. McClelland will testify that RNKTel provides, among other services, Voice Over Internet Protocol (or “VOIP”) telephone service. He will describe RNKTel’s computer servers, where they are located, what type of information is stored on the servers, and what type of access different log-in credentials would provide to those servers.

He will verify that he was contacted by the FBI about a potential hack into RNKTel’s servers and that he granted the FBI permission to test the log-in credentials it had obtained. He will testify that he verified that those log-in credentials provided “root-level” or administrative level access to RNKTel’s entire network. He will also testify that, with this level of access, a bad actor could obtain sensitive, proprietary records of both the company itself and its customers and could also obtain free telecommunications services. Mr. McClelland or another RNKTel witness will also describe the scope of the financial injury that the company suffered as a result of Miller’s hacking activities. Because portions of his testimony may qualify as expert testimony, the government has already provided Miller with expert disclosures for this witness.

The government also anticipates calling Christopher Misra, an information security officer at the University of Massachusetts at Amherst. Mr. Misra will describe the UMass computer system and will verify that the UMass login credentials Miller sold to “Coleman” as part of the Layered Tech “data dump” were valid. Although Mr. Misra will be primarily a fact witness from a victim institution for which Miller obtained network passwords, we anticipate that he may also explain network intrusion concepts and terminology and that this portion of his testimony might qualify as expert testimony and have therefore already given the defense notice under Fed. R. Evid. 702.

The government also anticipates calling a network engineer for NERSC, although we have not yet determined who this NERSC witness will be. That NERSC administrator will testify that NERSC provides computing resources for the Department of Energy and will describe two “supercomputers” in particular, “Carver” and “Hopper,” to which Miller tried to sell access. This witness will also testify that the screen shot of the log-in screen for the Lawrence Livermore computers is authentic and demonstrates that Miller had access to those computers and was not authorized to do so.

6. Records Custodians

In the event that the defendant will not stipulate to the admissibility of Western Union, ISP, and cell phone provider records, the government will call records custodians from each entity. The Western Union records include receipts for the undercover purchases of the log-in credentials, as well as a copy of Miller’s driver’s license. The ISP records include subscriber records showing the IP address assigned to Miller’s residence. The phone records include subscriber records showing the cell phone number assigned to Miller.

B. EXHIBITS

1. Online Chats Between Miller, Burns, and “Coleman”

The government intends to introduce “logs” of online chat communications between Miller, Burns, “Coleman” (SA Russell and SA Shaver) and, on occasion, others. Chat software programs can be programmed to save or “log” the communications. These “chat logs” can then be printed. Burns, after being approached by the government and acting at the government’s direction, logged his chats, and the undercover agents did the same. The government intends to introduce these logs through Burns and, in some cases, through SA Russell and SA Shaver. The legal issues related to the chats’ admissibility are discussed in the government’s motion in limine, filed concurrently with this brief.

2. Recorded Phone Calls Between Miller and Burns

The government intends to introduce recorded phone calls between Miller and Burns, in which they discuss hacking. The government will introduce these recordings through Burns, who made the recordings and will testify that he recognizes the voice as belonging to Miller, aka “Green.” SA Shaver will also testify that he has listened to the recordings, has spoken at length to Miller, and recognizes the voice on the recordings as belonging to Miller.

3. Thumb Drive Containing “Data Dump” to Include U-Mass Log-Ins

The government also intends to introduce, through Burns and SA Shaver, a thumb drive, which is an electronic data storage device, containing more than 10,000 log-in credentials. Burns will testify that Miller instructed him to copy the “data dump” onto the thumb drive and to deliver it to “Coleman.” SA Shaver will testify that he received the thumb drive from Burns and verified that it contained the “data dump” of log-in credentials. SA Shaver will also testify that among the 10,000 log-in credentials were those for computers at UMass and that he verified with UMass IT personnel that these log-in credentials were valid and would have provided access to its network.


4. Screen Shots Of Agents’ Access to Hacked Networks

The government intends to introduce screen shots (images of what was on the computer screen) that show the results of SA Shaver’s and SA Russell’s testing of the log-in credentials that Miller sold them.

5. Records from Western Union, ISP, and Cell Phone Provider

The government intends to offer records from Western Union, ISPs, and cell

phone providers. The Western Union records include receipts for the undercover

purchases of the log-in credentials, as well as a copy of Miller’s driver’s license. The ISP

records include subscriber records showing the IP address assigned to Miller’s residence.

The phone records include subscriber records showing the cell phone number assigned to

Miller.

6. Demonstrative Chalks

The government also expects to use, with Burns, SA Shaver, and the victim

company witnesses, chalks that depict how Miller hacked into the computer networks. It

is expected that these chalks will contain graphic depictions of the intrusions and the

structure of the victim networks. The government will not be seeking to introduce these

chalks into evidence.

V. SUBSTANTIVE LEGAL ISSUES

A. Miller Damaged Protected Computers By Building Backdoors, Creating Magic Passwords, Installing Sniffers, Extracting Data, and Deleting Logs

18 U.S.C. § 1030(a)(5) makes it a crime to “knowingly cause[] the transmission

of a program, information, code, or command, and as a result of such conduct,

intentionally cause[] damage without authorization, to a protected computer.” 18 U.S.C.

§ 1030(a)(5)(A). Count One of the indictment charges Miller with conspiring to violate

this statute, and Count Three charges Miller with substantively violating §1030(a)(5)(A)

by hacking into RNKTel’s network. Damage is defined in the statute as including “any

impairment to the integrity of data.” See 18 U.S.C. § 1030(e)(8).

With respect to RNKTel, as well as several of Miller’s other hacking victims,

Miller hacked into the networks, built a “backdoor” that would give him continual, “root

level”/administrator-level access to the entire network, created a “magic password” that

would by-pass security systems, installed keystroke loggers or sniffers onto those

networks, and then continued to log, save, and exfiltrate to himself, other users’ log-in

credentials. Miller also issued a command to RNKTel’s servers (“unset HISTFILE”), in

order to erase RNKTel’s logs of the session’s activity (and therefore prevent it from

detecting the computer intrusion). By building the backdoor, creating the magic

password, and installing a software program that logged not only users’ log-in credentials

but presumably all of their keystrokes, Miller impaired the integrity of the networks’ data

and therefore damaged it. Furthermore, by erasing RNKTel’s logs of his activity, Miller

impaired the integrity of RNKTel’s data. Finally, by giving himself high-level

administrator or “root” access to RNKTel’s network, he also damaged it.

Courts have repeatedly held that similar conduct constituted “damage” under §

1030(a)(5)(A). For example, courts have held that the insertion and execution of

malicious code or software onto a computer or network constitutes damage under §

1030(a)(5)(A). See, e.g., United States v. Makwana, 445 F. App'x 671, 673 (4th Cir.

2011) (affirming §1030(a)(5)(A) conviction and resulting application of USSG

enhancement, where defendant inserted malicious code onto server, even though

malicious code was discovered prior to its execution); United States v. Sullivan, 40 F.

App'x 740, 741, 744 (4th Cir. 2002) (affirming §1030(a)(5)(A) conviction, where

defendant inserted “logic bomb” into former employer’s software for handheld

computers); United States v. Middleton, 231 F.3d 1207, 1208-1209, 1212-1213 (9th Cir.

2000) (affirming §1030(a)(5)(A) conviction, where defendant’s unauthorized access

involved, in part, logging into own account and then switching to receptionist’s account

which “allowed Defendant to take advantage of the benefits and privileges associated

with that employee’s account, such as creating and deleting accounts and adding features

to existing accounts.”) Cf. United States v. Janosko, 642 F.3d 40 (1st Cir. 2011)

(affirming conviction of §1030(a)(5)(A) on other grounds, where defendant, an inmate,

pled guilty to gaining unauthorized access to prison computers and viewing prison

employees’ personnel files); Shurgard Storage Centers, Inc. v. Safeguard Self Storage,

Inc., 119 F. Supp. 2d 1121, 1126-27 (W.D. Wash. 2000) (denying motion to dismiss

1030(a)(5)(C) claim where defendant allegedly infiltrated the plaintiff’s computer

network, collected and disseminated confidential information, reasoning that “no data

was physically changed or erased, but . . . an impairment of its integrity occurred”).

Here, by his own account, Miller used a backdoor into RNKTel’s network,

created a “magic password” for it that bypassed security, and then used a malicious

software program called a sniffer or a keystroke logger to successfully log (and send to

himself) other RNKTel employees’ usernames and passwords. He also issued a

command that deleted RNKTel’s logs of his session, and he granted himself

root/administrator-level access to facilitate his activities and gather more passwords.

Taken separately or together, Miller’s hacking impaired the integrity of information on

RNKTel’s network and thereby damaged it.

B. Miller Trafficked in “Access Devices” By Selling Root/Administrator-level Passwords for RNKTel’s Network

Title 18 U.S.C. § 1029(a)(2) makes it a crime to “knowingly and with intent to

defraud traffic[] in or use[] one or more unauthorized access devices during any one-year

period, and by such conduct obtain[] anything of value aggregating $1,000 or more

during that period.” Count One of the indictment charges Miller with conspiring to

violate §1029(a)(2) and Count Four charges that he violated this section by trafficking in

log-in credentials into RNKTel’s networks. Under the statute, the term “access device”

means “any card, plate, code, account number, electronic serial number, mobile

identification number, personal identification number . . . or other means of account

access that can be used, alone or in conjunction with another access device, to obtain

money, goods, services, or any other thing of value, or that can be used to initiate a

transfer of funds.” 18 U.S.C. § 1029(e)(1).

Both the Second and the Ninth Circuits have endorsed an interpretation of

“account access” as access to a “contractual relationship that makes possible the

provision of goods, services, or money based on payment” from which the user would

otherwise be excluded. See United States v. Abozid, 257 F.3d 191, 195 (2d Cir. 2001);

United States v. Bailey, 41 F.3d 413, 417 (9th Cir. 1994). The legislative history appears

to confirm this interpretation. Undoubtedly, Congress intended a “broad, open-ended

definition of ‘access device’ so as to accommodate future technological development.”

United States v. Scott, 250 F.3d 550, 552 (7th Cir. 2001); See also United States v.

Dabbs, 134 F.3d 1071, 1081 (11th Cir. 1998) (“Given the plain language of the statute

and Congress’s clear intent, we find it appropriate to broadly construe the statutory

language of section 1029 to include the innovative means that parties use to gain

unauthorized information to engage in fraudulent activities.”).

Under this interpretation of the statute, a password that allows access to telephone

service (like RNKTel’s VOIP services) falls comfortably within the statute because the

password restricts access to a contractual arrangement between the password holder and a

company for the provision of goods and services. Here, the passwords Miller obtained

to RNKTel were “means of account access,” because they provided access to the internal

RNKTel computer systems as well as the provision of telecommunication services. As

the RNKTel witness will testify, the log-in credentials that Miller transferred to the FBI

undercover agent would have allowed a bad actor to obtain free phone calls, not to

mention a whole host of private, commercially sensitive internal information. Cf. Bailey,

41 F.3d at 418 (“The statute nowhere implies that the only ‘account’ protected against

improper ‘access’ is one maintained by an end consumer . . . . Whatever the status of

accounts of individual customers, the tumbling phones were intended, and used,

fraudulently to access the benefits of the account between the local and distant carriers.”).

The RNKTel “account access” that Miller sold was one that “can be used . . . to obtain

money, goods, services, or any other thing of value,” and it therefore qualifies as an

access device.

Other courts have held that passwords can be “access device[s].” In United States

v. Fernandez, 1993 WL 88197 (S.D.N.Y. March 25, 1993), the defendant, who was

prosecuted in part for possession of unauthorized passwords to computers, argued that 18

U.S.C. § 1029 did not authorize prosecution for “the possession of unauthorized

passwords.” Id. at *2. The Court rejected his defense, holding:

that the clear language of §§ 1029(a)(2) and (a)(3) refers to devices for accessing computers that are possessed and used with intent to defraud, and § 1029(e)(1) specifically includes within its definition ‘or other means of account access that can be used . . . to obtain . . . any . . . thing of value.’ The plain meaning of the statute certainly covers stolen and fraudulently obtained passwords which may be used to access computers to wrongfully obtain things of value, such as telephone and credit services. Id.

Other courts have also upheld convictions under §1029 for possessing or

trafficking in unauthorized server passwords, albeit without having to address whether

the passwords qualified as access devices. See United States v. Barrington, 648 F.3d

1178, 1201 (11th Cir. 2011) (upholding §1029 conviction for obtaining password to

school computer in order to change grades); United States v. Petersen, 98 F.3d 502, 505

(9th Cir. 1996) (“Count two charged Petersen with knowingly possessing fifteen or more

unauthorized access devices (i.e., computer passwords) that were stolen and obtained

with the intent to defraud in violation of 18 U.S.C. § 1029(a)”); cf. Bailey, 41 F.3d at 419

(holding tumbler phones are access devices because they allow defendants to access cell

phone service and that the significant limit on the statute is that “the user of the access

device be able to obtain goods or services from which he would otherwise be excluded”).

But see United States v. Morris, 81 F.3d 131 (11th Cir. 1996) (holding tumbler phones

are not access devices because statute is designed to guard against access to “an

individual account” and extending the statute “beyond those instances in which an

identifiable account is accessed would ‘turn 1029 into a general theft statute’”); United

States v. McNutt, 908 F.2d 561 (10th Cir. 1990) (holding device to obtain television

access is not an access device because it does not “debit legitimate subscribers’

accounts”); United States v. Lutz, 2008 WL 4449082 (N.D. Ohio 2008) (holding that a

bar code that allows for lower purchase prices is not an access code and interpreting 1029

as “requiring access to a system that monitors or tracks an ongoing account relationship

between two parties”).

VI. EVIDENTIARY ISSUES

A. The Logs of Online Chats Are Admissible

As is mentioned above, Miller engaged in a series of online chats with Burns, as

well as with “Coleman,” who was in fact SA Russell and SA Shaver. The government

intends to introduce excerpts from these chat logs through Burns (who logged and copied

the communications that he participated in with Miller) and through SA Russell and

Shaver (who logged and copied the communications they participated in with Miller).

The chat log excerpts that the government intends to offer contain chats between Miller,

Burns, and Coleman. Among the topics Miller discusses are: his hacking (e.g., who he

has hacked, how, whether he has been able to maintain access to the hacked networks or

has lost that access), his attempts to sell access to the networks he has hacked, and his

attempts to hide his identity.

As set forth in the government’s Motion in Limine To Admit Evidence of Miller’s

Hacking, Miller’s own statements in the chat logs are admissible as party admissions.

Fed. R. Evid. 801(d)(2). And as is discussed in more detail in the motion in limine, the

statements by Burns and by the undercover agents are admissible to give context for

Miller’s statements and to show Miller’s knowledge. Courts may admit statements made

by another person during a conversation with the defendant in order to give context to the

defendant’s statements. See United States v. Colon-Diaz, 521 F.3d 29, 38 (1st Cir. 2008)

(statements constituted reciprocal and integrated utterances and merely served to put

co-conspirator’s statement into perspective and make it intelligible to the jury).

Furthermore, courts have held that out-of-court statements are admissible when

offered to show their effect on the listener and not offered for the truth of the matter

asserted. See, e.g., United States v. Bellomo, 176 F.3d 580, 586-87 (2d Cir. 1999)

(declarant’s statement that person was killed because he was dealing drugs was not

hearsay because it was offered for listener's state of mind, not reason for murder); United

States v. Darby, 744 F.2d 1508, 1524 (11th Cir. 1984) (declarant’s statement that they

knew of witness' brother’s location was offered for effect on listener); United States v.

Nieto, 60 F.3d 1464, 1468 (10th Cir. 1995) (declarant’s instructions to defendant to take

car and make drugs into squares were not hearsay because introduced for effect on

listener).

Here, Burns’ and “Coleman’s” statements to Miller are offered to show context

and to show their effect on the listener. Furthermore, in many cases, they are questions

and therefore not statements at all. Although the chats also include several statements

made by Miller’s “partner” (identified as “Ulti”), these likely qualify as co-conspirator

statements. If the defendant objects to the admission of these portions of the chats,

however, the government will redact them.

B. Evidence of Miller’s Other Hacks During the Conspiracy Period Are Not 404(b) Material

As discussed in detail in the government’s motion in limine, many of Miller’s

statements relate to hacking and password trafficking that go beyond the specific hacks

and password sales described in the indictment. These statements do not constitute

404(b) material because they are intrinsic to the charged hacking scheme. They took

place during the charged conspiracy (2008-2012) and related directly to the charged

conduct. Accordingly, they are intrinsic to the charges and should be admitted.

Respectfully submitted,

CARMEN M. ORTIZ
United States Attorney

By: /s/ Mona Sedky
Adam J. Bookbinder
Assistant U.S. Attorney
Mona Sedky
DOJ Trial Attorney

CERTIFICATE OF SERVICE

I hereby certify that this document, filed through the ECF system, will be sent electronically to the registered participants as identified on the Notice of Electronic Filing (NEF).

/s/ Mona Sedky
Dated: June 10, 2013
