------------------------------
Date: Undated
From: Anonymous
Subject: Len Rose's Search Warrant
********************************************************************
*** CuD #2.00: File 3 of 5: Len Rose's Search Warrant ***
********************************************************************
UNITED STATES DISTRICT COURT
District of Maryland
APPLICATION AND AFFIDAVIT
FOR SEARCH WARRANT
In the matter of the Search of:
Residence of
7018 Willow Tree Drive CASE NUMBER: 90-0002G
Middletown, Maryland
I Timothy Foley being duly sworn depose and say:
I am a Special Agent and have reason to believe that on the property or
premises known as: the residence at 7018 Willow Tree Drive, Middletown,
Maryland (see attachment B) in the District of Maryland there is now
concealed a certain person or property ,namely (see attachment A) which is
concerning a violation of Title 18 United States code,Sections 2314 and 1030.
The facts to support a finding of Probable Cause are as follows: (see
attachment C)
Sworn to before me and subscribed in my presence
February 1,1990 at Baltimore Maryland
Clarence F. Goetz,U.S. Magistrate
ATTACHMENT A
computer hardware (including central processing unit(s),monitors,memory
devices, modem(s), programming equipment,communications equipment,disks,
prints,and computer software (including but not limited to memory disks,
floppy disks, storage media) and written material and documents relating
to the use of the computer system (including networking access files,
documentation relating to the attacking of computer and advertising the
results of the computer attack (including telephone numbers and location
information), which constitute evidence,instrumentalities and fruits of
federal crimes, including interstate transportation of stolen property
(18 USC 2314) and interstate transportation of computer access information
(18 USC 1030(a)(6)). This warrant is for the seizure of the above described
computer and computer data and for the authorization to read information
stored and contained on the above described computer and computer data.
ATTACHMENT B
Two level split-foyer style house with a upper story overhang on either
side of a central indentation for the front door. House is white upper
with red brick lower portion under the overhanging upper story. Front
door is white. There is a driveway on the lefthand side of the house as
you face the front. Mail box is situated on a post adjacent to the
driveway and mailbox displays the number 7018.
ATTACHMENT C
State of Maryland )
) SS
County of Frederick )
AFFIDAVIT
1. I, Timothy Foley, am a Special Agent of the United States Secret Service
and have been so employed for the past two years. I am presently assigned
to the Computer Fraud Section of the United States Secret Service in
Chicago. Prior to that I was employed as an attorney of law practicing
in the City of Chicago and admitted to practice in the State of Illinois.
I am submitting this affidavit in support of the search warrant for the
premises known as the residence of Leonard Rose at 7018 Willow Tree Drive
in Middletown, Maryland.
2. This affidavit is based upon my investigation and information provided
to me by Special Agent Barbara Golden of the Computer Fraud Section of
the United States Secret Service in Chicago. S.A. Golden has been
employed by the Secret Service for 13 years, and has been a Special Agent
with the Secret Service for 3 years and by other agents of the United
States Secret Service.
3. I have also received technical information and investigative assistance
from the experts in the fields of telecommunications, computer technology,
software development and computer security technology, including:
a. Reed Newlin, a Security Officer of Southwestern Bell, who has numerous
years of experience in operations,maintenance and administration of
telecommunication systems as an employee of the Southwestern Bell
Telephone Company.
b. Henry M. Kluepfel, who has been employed by the Bell System or its
divested companies for the last twenty-four years. Kleupfel is
presently employed by Bell Communications Research, (Bellcore) as
a district manager responsible for coordinating security technology
and consultation at Bellcore in support of its owners, the seven (7)
regional telephone companies, including BellSouth Telephone Company
and Southwestern Bell Telephone Company. Mr. Kleupfel has participated
in the execution of numerous Federal and State search warrants relative
to telecommunications and computer fraud investigations. In addition,
Mr. Kleupfel has testified on at least twelve (12) occasions as an
expert witness in telecommunications and computer fraud related
crimes.
c. David S. Bauer, who has been employed by Bell Communications Research,
(Bellcore) since April 1987. Bauer is a member of the technical staff
responsible for research and development in computer security
technology and for consultation in support for its owners, the seven
(7) regional telephone companies, including BellSouth. Mr. Bauer is
an expert in software development,communications operating systems,
telephone and related security technologies. Mr. Bauer has conducted
the review and analysis of approximately eleven (11) computer hacking
investigations for Bellcore. He has over nine (9) years of professional
experience in the computer related field.
d. At all times relevant to this affidavit, "computer hackers" were
individuals involved with the unauthorized access of computer systems
by various means. The assumed names used by the hackers when contacting
each other were referred to as "hacker handles."
Violations Involved
-------------------
5. 18 USC 2314 provides federal criminal sanctions against individuals
who knowingly and intentionally transport stolen property or property
obtained by fraud, valued at $5,000.00 or more, in interstate commerce.
My investigation has revealed that on or about January 8, 1990
Leonard Rose, using the hacker handle Terminus, transported a stolen
or fraudulently obtained computer program worth $77,000.00 from
Middletown, Maryland to Columbia, Missouri.
6. 18 USC 1030(a) (6) provides federal criminal sanctions against
individuals who knowingly and with intent to defraud traffic in
interstate commerce any information through which a computer may be
accessed without authorization in interstate commerce. My investigation
has revealed that on or about January 8,1990 Leonard Rose trafficked
a specially modified copy of AT&T Unix source code SVR 3.2 in interstate
commerce from Middletown, Maryland to Columbia,Missouri. (Source code
is a high level computer language which frequently uses English letters
and symbols for constructing computer programs. Programs written in
source code can be converted or translated by a "compiler" program into
object code for use by the computer.) This Unix source code SVR 3.2 had
been specially modified so that it could be inserted by a computer hacker
into any computer using a Unix operating system and thereafter enable the
hacker to illegally capture logins and passwords used by legitimate
users of the computer.
Discovery of the Altered Unix Source Code
-----------------------------------------
7. For the past seven (7) months I have been one of the United States
Secret Service agents involved in a national investigation into attacks
on telephone computer switches by various computer "hackers" including
an organization referred to as the Legion of Doom (LOD).
8. My investigation to date has disclosed that hackers have stolen sensitive
proprietary information from various telecommunications organizations
and published this information in "hacker" publications such as "Phrack"
newsletter. On Janurary 18,1990 Craig Neidorf (hacker handle Knight
Lightning) the editor and co-publisher of "PHRACK" was caught in
possession of various stolen computer files including the source code
for UNIX SVR3.2 and the text file for the Bell South's enhanced 911 (E911)
system.
9. On January 18,1990 Reed Newlin, Southwestern Bell, and I conducted an
examination of the computer files of Craig Neidorf, a hacker known to us
as Knight Lightning,at the University of Missouri at Columbia in Columbia,
Missouri (referred to hereafter simply as Neidorf computer files).
Newlin's examination of the Neidorf computer files extended from the night
of January 18 into the early morning hours of January 19. Later on
January 19 Newlin advised me that his examination of the Neidorf computer
files had disclosed the existence of what he believed to be proprietary
AT&T UNIX SVR3.2 source code in among Neidorf's computer files. He further
advised me that the AT&T source code appeared to have been modified into
a hacker tutorial which would enable a computer hacker to illegally
obtain password and login information from computers running on a UNIX
operating system.
10. On January 29, 1990 I interviewed Craig Neidorf and he advised me that
Leonard Rose (hacker handle "Terminus") had provided him with the AT&T
UNIX SVR3.2 source code which had been taken by me from his computer
files on the computers at the University of Missouri. (Neidorf is soon to
be indicted in Chicago for violations of 18 USC 1030,1343, and 2314.
Neidorf's interview took place while he was aware of the potential
charges which might be brought against him.)
11. Neidorf's identification of Leonard Rose (Terminus) as his source for
the stolen UNIX source code is corroborated by the physical evidence.
That evidence also shows that Terminus knew the code was stolen. On
January 20, 21, and 31, 1990 I personally examined the 19 pages of AT&T
UNIX SVR3.2 found in the Neidorf computer files by Newlin. On pages one
and two of the AT&T document the author of the file identifies himself
by the hacker handle "Terminus". On the first page of the document
Terminus advised Neidorf that the source code came originally from AT&T
"so it's definitely not something you wish to get caught with".
Terminus also inserts the following warning into the text of the program
on the first page: "Warning: this is AT&T proprietary source code. Do
NOT get caught with it.." On page 26 of the program Terminus also states:
"Hacked by Terminus to enable stealing passwords.. This is obviously
not a tool for initial system penetration, but instead will allow you
to collect passwords and accounts once it's been installed. Ideal for
situations where you have a one-shot opportunity for super user
privileges.. This source code is not public domain..(so don't get
caught with it).
In addition to these warnings from Terminus the AT&T source code also
carries what appears to be the original warnings installed in the
program by AT&T on pages 2,5,6,7,26 and 28:
Copyright (c) 1984 AT&T
All rights reserved
THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE OF AT&T
The copyright notice above does not evidence and actual or intended
publication of the source code.
12. On January 26 and 30, 1990 copies of the UNIX SVR 3.2 source code
found in the Neidorf computer files and discussed above were sent to
UNIX experts with AT&T (Mr. Al Thompson) and Bellcore (Mr. David Bauer
and Mr. Hank Kleupfel) for their evaluation.
13. On January 30, 1990 Al Thompson of AT&T advised me that his initial
review of the document and the initial review of the document by AT&T's
software licensing group had disclosed the following:
a. The document was in fact a copy of the AT&T UNIX SVR3.2 source
code login program.
b. The program's value was approximately $75,000.00
c. Neither Leonard Rose nor Craig Neidorf were licensed to own or
possess the source code in question.
d. The source code provided to him had been made into a tutorial
for hackers which could be used to install "trap doors" into
a computer and it's operating system. These trap doors would
enable a hacker to illegally obtain the passwords and logins
of the legitimate users of a computer running on a UNIX
operating system.
Identification of Leonard Rose as Terminus
------------------------------------------
14. The AT&T Unix SVR3.2 source code described in paragraphs 9 through
13 above reflected that a hacker named Terminus was the author of
the modifications.
15. On January 15 and 30, 1990 David Bauer of Bellcore advised me that
Terminus is the hacker handle for an individual named Leonard Rose
who resides in Maryland. Bauer advised me that in e-mail between
Terminus and a hacker known as the Prophet (Robert Riggs), on October
9, 1988 Terminus had identified himself as:
Len Rose
Len@Netsys.COM,postmaster@Netsys.COM
301-371-4497
Netsys,Inc. 7018 Willowtree Drive Middletown MD 21769
16. In addition, Bauer's examination disclosed that Terminus received
e-mail at the following addresses: "len@ames.arc.nasa.gov" or
"len@netsys.com". The address "len@ames.arc.nasa.gov" indicates
that the author has the account "len" on the system named "Ames"
in the domain "arc" that is owned and operated by the National
Air and Space Agency of the United States government.
17. My continuing review on January 25,1990 of the Neidorf computer files
disclosed that Rose was continuing to send e-mail to Neidorf and to
receive e-mail from Neidorf. On December 28,1989,Leonard Rose
(Terminus) sent an e-mail message to Neidorf in which Rose gives his
address as 7018 Willowtree Drive in Middletown, Maryland 21769 and
gives his e-mail address as follows:
"len@netsys.netsys.com"
18. On January 30, 1990 I was advised by individuals with the Computer
Emergency Reaction team (CERT) that the e-mail address
"len@netsys.netsys.com" is located at 7018 Willowtree Drive,Middletown,
Maryland 21769. CERT is an organization located at the Carnegie-Mellon
Institute and funded by the Defense Advanced Research Projects Agency.
It records contain information about the location of many computers
in the United States.
19. There is additional evidence identifying Terminus as Leonard Rose.
On January 30, 1990 I received a May 24,1987 copy of "Phrack"
magazine from Hank Kluepfel of Bellcore wherein hacker Taran King
(Randy Tischler) interviewed and "profiled" Terminus (a/k/a Leonard
Rose). The personal background information in the article included
the following:
Handle: Terminus
Call him: Len
Past Handles: Terminal Technician
Handle Origin: Terminal Technician originated because of
Len's view of himself as a hacker. Terminus
was an offshoot of that and, although it
is an egotistical view, it means he has
reached the final point of being a
proficient hacker.
Date of birth: 1/10/59
Age at current date: 29
Height: 5'9"
Weight: About 190 lbs.
Eye Color: Hazel
Hair Color: Brown
Computers: 6800 home brew system, Apple II,Altair
S100, 2 Apple II+s,IBM PC,IBM XT,IBM 3270,
IBM AT, and 2 Altos 986's
Sysop/Co-Sysop: MetroNet,MegaNet, and NetSys Unix
Terminus is further described as an electronic engineer and he designs
boards for different minicomputers like PDP-11s,Data Generals,Vaxes,
and Perkin-Elmer who also writes software and writes computer code in
machine language.
20. My January 25 review of the Neidorf computer files also disclosed a
January 9,1990 e-mail message from Rose to Neidorf at 12:20 am which
corroborated the fact that Rose had sent Neidorf the UNIX SVR3.2
source code on or around January 7,1990. In this message Rose tells
Neidorf that he (Rose) lost his copy of what he sent to Neidorf the
other night because his (Rose's) hard drive had crashed.
21. My January 25 review also disclosed a second e-mail message from Rose
to Neidorf on January 9,1990, at 3:05 pm . This message indicates that
Neidorf had sent a copy of the requested source code back to Rose as
requested (see paragraph 20 above). Rose's message began:
"RE: UNIX file" and stated that the copy of the stolen source code
received back from Neidorf had some type of "glitch".
22. These messages reflect that Rose still has at least one copy of the
UNIX SVR3.2 source code in his possession.
23. On January 29,1990 Craig Neidorf advised me that on or around January
9, 1990 he received a copy of the Unix SVR3.2 source code which was
telecommunicated to him via Bitnet from Leonard Rose in Maryland.
24. On January 30,1990, Hank Kluepfel of Bellcore advised me that based
upon his background experience and investigation in this case and
investigating approximately 50 other incidents this year involving
the unauthorized use of other computer systems,hackers that run
computer bulletin boards typically keep and use the following types
of hardware,software and documents to execute their fraud schemes and
operate their bulletin boards:
a. Hardware - a central processing unit,a monitor, a modem,a keyboard,
a printer, and storage devices (either floppy disks or auxiliary
disk units),telephone equipment (including automatic dialing
equipment,cables and connectors), tape drives and recording equipment.
b. Software - hard disks, and floppy disks containing computer programs,
including, but not limited to software data files, e-mail files,
UNIX software and other AT&T proprietary software.
c. Documents - computer related manuals, computer related textbooks,
looseleaf binders, telephone books,computer printouts,videotapes
and other documents used to access computers and record information
taken from the computers during the above referred to breakins.
25. Based upon the above information and my own observation, I believe
that at the residence known as 7018 Willow Tree Drive, Middletown,
Maryland there is computer hardware (including central processing
unit(s),monitors,memory devices,modem(s),programming equipment,
communication equipment,disks,prints and computer software (including
but not limited to memory disks,floppy disks,storage media) and
written material and documents relating to the use of the computer
system (including networking access files,documentation relating to the
attacking of computer and advertising the results of the computer
attack (including telephone numbers and location information.) This
affidavit is for the seizure of the above described computer and
computer data and for the authorization to read information stored
and contained on the above described computer and computer data
which are evidence of violations of 18 USC 2314 and 1030, as well as
evidence,instrumentalities or fruits of the fraud scheme being
conducted by the operator of the computer at that location.
Location to be Searched
26. On January 31, 1990 I was advised by S.A. John Lewis, USSS in
Baltimore that 7018 Willow Tree Drive in Middletown, Maryland
is a two-level split-foyer style house with an upper story
overhang on either side of a central indentation for the front door.
The front door is white. There is a driveway on the left side of the
house as you face the front. A mail box is situated on a post next
to the driveway and displays the number 7018.
27. Request is made herein to search and seize the above described
computer and computer data and to read the information contained
in and on the computer and computer data.
Special Agent TIMOTHY FOLEY
United States Secret Service
Sworn and Subscribed to before
me this 1st day of February, 1990
Clarence E. Goetz
United States Magistrate
********************************************************************
>> END OF THIS FILE <<
***************************************************************************