SECRET SERVICE SEARCH WARRANT AFFADAVIT

(COMPUTER UNDERGROUND DIGEST ISSUE 2.11)

This is the affidavit submitted by the Secret Service in order to get
permission to raid the SJ Games offices on March First. Also included
here is the relevant section of the Phoenix Project log - the material
on which the Secret Service agent based his allegation of "conspiracy".
[Note that the Secret Service did NOT append the actual log material to
the affidavit the judge saw - but we're including it so YOU can see it.
It's interesting that they chose to omit it. It's interesting that the
magistrate granted the warrant anyway.]

The moderators of Computer Underground Digest re-typed all this material
from a photocopy supplied by SJ Games. To acknowledge their effort, we are
reproducing their issue 2.11 in the form they distributed it, complete
with their editorial comments, rather than just publishing the affidavit
itself.

Correspondence about CuD should go directly to its moderators.

  ****************************************************************************
                  C O M P U T E R   U N D E R G R O U N D
                                D I G E S T
              ***  Volume 2, Issue #2.11 (November 13, 1990)   **
        *** SPECIAL ISSUE: SEARCH AFFIDAVIT FOR STEVE JACKSON GAMES ***
  ****************************************************************************

MODERATORS:   Jim Thomas / Gordon Meyer  (TK0JUT2@NIU.bitnet)
ARCHIVISTS:   Bob Krause / Alex Smith / Brendan Kehoe
USENET readers can currently receive CuD as alt.society.cu-digest.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may be reprinted as long as the source is
cited.  It is assumed that non-personal mail to the moderators may be
reprinted, unless otherwise specified. Readers are encouraged to submit
reasoned articles relating to the Computer Underground.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DISCLAIMER: The views represented herein do not necessarily represent the
            views of the moderators. Contributors assume all responsibility
            for assuring that articles submitted do not violate copyright
            protections.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The application and affidavit for the search warrant for Steve Jackson
Games (Case #A-90-54m), dated February 28, 1990, and signed by U.S.
Magistrate Stephen H. Capelle in Austin Texas and Special Agent Timothy M.
Foley of the U.S. Secret Service, has been released.  The application
alleges violations of Title 18 USC Sections 2314 and 1030 and was issued in
the U.S. District Court (Western District of Texas).

We have retyped it, and there may be some typographical errors, but we have
done our best to recreate it as is.

There are several features about the affidavit. First, the bulk of it is
repititious and simply establishes the credentials of the investigators,
summarizes basic terms, and provides general background that seems
inconsequential in linking the persons to be searched to any substantive
criminal activity. It should also be remembered that the "$79,449.00"
document in question was shown to contain nothing of substance that is not
available to the general public for under $14. Further, to our knowledge,
there is no evidence, contrary to suggestions, that E911 software was
obtained.

Most troublesome is the interpretation given to attached logs from The
Phoenix Project that creates a conspiratorial scenario from a few ambiguous
messages. While imaginative use of narrative is admirable in fiction, its
use as a weapon of power is dangerous.  At root, Steve Jackson Games was
raided because an employee ran a BBS that made available, as did perhaps
thousands of others BBSs nationwide, Phrack. The employee was also accused
of being part of a "fraud scheme" because he had the temerity to explain
what a Kermit protocol is in a two line message.

Perhaps Agent Foley is competent, but in reviewing this warrant questions
arise regarding the raid on SJG that should not go unanswered.

                       ++++++++++++++++++++++++++++

                               ATTACHMENT A

     2700 "A" Metcalfe Road is located in the city of Austin, State
of Texas, County of Travis. Said address is a two-story square
building measuring approximately 50 feet on a side located on the
south side of Metcalfe Street.

     The bottom story is multi-colored brick face and the upper
story is white wood frame construction.

     A balcony surrounds the upper story. The address "2700A" is
on two sides in white letters, and the numbers are approximately
ten inches high. An outside wooden stairway connects the floors
on the south side of the building. The driveway is of gravel. A
large all-metal warehouse-type building is immediately behind the
address.

                            (End Attachment A)

                             ++++++++++++++++

                               ATTACHMENT B

     Computer hardware (including, but not limited to, central
processing unit(s), monitors, memory devices, modem(s), programming
equipment, communication equipment, disks, and prints) [sic] and computer
software (including but not limited to, memory disks, floppy
disks, storage media) and written material and documents relating
to the use of the computer system (including networking access
files), documentation relating to the attacking of computers and
advertising the results of computer attacks (including telephone
numbers and licensing documentation relative to the computer programs and
equipment at the business known as Steve Jackson Games which
constitute evidence, instrumentalities and fruits of federal
crimes, including interstate transportation of stolen property (18
USC 2314) and interstate transportation of computer access
information (18 USC 1030 (a)(6)). This warrant is for the seizure
of the above described computer and computer data and for the
authorization to read information stored and contained on the above
described computer and computer data.

                            (End Attachment B)

                         ++++++++++++++++++++++++

State of Texas      )
                    )     ss
County of Travis    )

                                 AFFIDAVIT

     1. I, Timothy Foley, am a Special Agent of the United States
Secret Service and have been so employed for the past two years.
I am presently assigned to the United States Secret Service in
Chicago. Prior to that I was employed as an attorney practicing
in the City of Chicago and admitted to practice in the State of
Illinois. I am submitting this affidavit in support of the search
warrants for the premises known as: (a) the residence of Loyd Dean
Blankenship, 1517G Summerstone, Austin, Texas; (b) the employment
location of Blankenship, the business known as Steve Jackson Games,
2700-A Metcalfe Road, Austin Texas; and (c) the residence of Chris
Goggans, 3524 Graystone #192, Austin, Texas.

SOURCES OF INFORMATION

     2. This affidavit is based on my investigation and
information provided to me by Special Agent Barbara Golden of the
Computer Fraud Section of the United States Secret Service in
Chicago and by other agents of the United States Secret Service.
     3. I have also received technical information and
investigative assistance from the experts in the fields of
telecommunications, computer technology, software development and
computer security technology, including:
          a. Reed Newlin, a Security Officer of Southwestern
Bell, who has numerous years of experience in operations,

                                   - 1 -

maintenance and administration of telecommunications systems as an
employee of the Southwestern Bell Telephone Company.
          b. Henry M. Kluepfel, who has been employed by the Bell
System or its divested companies for the last twenty-four years.
Mr. Kluepfel is presently employed by Bell Communications Research,
(Bellcore) as a district manager responsible for coordinating
security technology and consultation at Bellcore in support of its
owners, the seven regional telephone companies, including Bell
South Telephone Company and Southwestern Bell Telephone Company.
Mr. Kluepfel has participated in the execution of numerous Federal
and State search warrants relative to telecommunications and
computer fraud investigations. In addition, Mr. Kluepfel has
testified on at least twelve occasions as an expert witness in
telecommunications and computer-fraud related crimes.
          c. David S. Bauer, who has been employed by Bell
Communications Research (Bellcore) since April 1987. Mr. Bauer is
a member of the technical staff responsible for research and
development in computer security technology and for consultation
in support of its owners, the seven regional telephone companies,
including Bell South. Mr. Bauer is an expert in software
development, communications operating systems, telephone and
related security technologies. Mr. Bauer has conducted the review
and analysis of approximately eleven computer hacking
investigations for Bellcore. He has over nine years professional
experience in the computer related field.

                                   - 2 -

                            Violations Involved

     4. 18 USC 2314 provides federal criminal sanctions against
individuals who knowingly and intentionally transport stolen
property or property obtained by fraud, valued at $5,000 or more
ininterstate commerce. My investigation has revealed that on or
about February 24, 1989, Craig Neidorf transported a stolen or
fraudulently obtained computerized text file worth approximately
$79,000.000 from Columbia, Missouri, through Lockport, Illinois to
Austin, Texas to Loyd Blankenship and Chris Goggans.
     5. 18 USC 1030 (a)(6) and (b) provide federal criminal
sanctions against individuals who knowingly and with intent to
defraud traffic or attempt to traffic, in interstate commerce, in
passwords or similar information through which a computer may be
accessed without authorization. My investigation has revealed that
on or about January 30, 1990, Loyd Blankenship and Chris Goggans
attempted to traffic in illegally obtained encrypted passwords
received from other computer hackers. My investigation has further
revealed that, through the use of sophisticated decryption
equipment and software, they planned to decrypt the encrypted
passwords provided by the hackers. They then planned to provide
the original hackers with the decrypted passwords which they in
turn could use to illegally access previously guarded computers.

                                DEFINITIONS

     6. COMPUTER HACKERS/INTRUDERS - Computer hackers or
intruders are individuals involved with the unauthorized access of
computer systems by various means. The assumed names used by the

                                   - 3 -

hackers when contacting each other are referred to as "hacker
handles."
     7. BULLETIN BOARD SYSTEM (BBS) - A bulletin board system
(also referred to as a "Bulletin board" or "BBS") is an electronic
bulletin board accessible by computer. Users of a bulletin board
may leave messages, data, and software readable by others with
access to the bulletin board. Bulletin board readers may copy, or
"download," onto their own machines material that appears on a
bulletin board. Bulletin boards typically are created and
maintained by "systems operators" or "system administrators".
Hackers frequently use bulletin boards to exchange information and
data relating to the unauthorized use of computers.
     8. E911 - E911 means the enhanced 911 telephone service in
universal use for handling emergency calls (police, fire,
ambulance, etc.) in municipalities. Dialing 911 provides the
public with direct access to a municipality's Public Safety
Answering Point (PSAP). Logistically, E911 runs on the public
telephone network with regular telephone calls into the telephone
company switch. However, incoming 911 calls are given priority
over all other calls. Then the 911 call travels on specially
dedicated telephone lines from the telephone company's switch to
the fire, police and emergency reaction departments in the city
closest to the location of the caller. It is essential for the
emergency unit to know the location of the caller, so one of the
most important parts of the system is the Automatic Location
Identifier (ALI), which automatically locates where the

                                   - 4 -

telephone call originates, and the Automataic Number Identification
(ANI), which holds the telephone number of the calling party even
if the caller hangs up. The E911 system of Bell South is described
in the text of a computerized file program and is highly
proprietary and closely held by its owner, Bell South. The file
describes the computerized control, operation and maintenance of
the E911 system.
     9. ELECTRONIC MAIL - Electronic mail, also known as
e-mail, is a common form of communication between individuals on
the same or on separate computer systems. Persons who may send or
receive electronic mail are identified by an electronic mail
address, similar to a postal address. Although a person may have
more than one electronic mail address, each mail address
identifies a person uniquely.
     10. LEGION OF DOOM - At all times relevant herein, the Legion
of Doom, (LOD), was a closely knit group of computer hackers
involved in:
          a. Disrupting telecommunications by entering telephone
switches and changing the routing on the circuits of the computers.
          b. Stealing propriety (sic) computer source code and
information from individuals that owned the code and information
          c. Stealing credit information on individuals from
credit bureau computers.
          d. Fraudulently obtaining money and property from
companies by altering the computerized information used by the
companies.

                                   - 5 -

          e. Disseminating information with respect to their
methods of attacking computers to other computer hackers in an
effort to avoid the focus of law enforcement agencies and
telecommunication security experts.
     11. PASSWORD ENCRYPTION - A password is a security device
that controls access to a computer, (log on privileges) or to
special portions of a computer's memory. Encryption further limits
access to a computer by converting the ordinary language and/or
numerical passwords used on a computer into cipher or code.
Decryption is the procedure used to transform coded text into the
original ordinary language and/or numerical format.
     12. TRANSFER PROTOCOL -  transfer protocol is a method of
transferring large files of information from one computer to
another over telephone lines. Using a transfer protocol a file is
uploaded (sent) and downloaded (received). This transfer procedure
breaks blocks of data into smaller packages for transmission and
insures that each block of data is an error free copy of the
original data. Transfer protocols may also encode and decode
transmissions to insure the privacy of the transferred information.

                          INVESTIGATION OVERVIEW

     13. My investigation to date has disclosed that computer
hacker Robert Riggs of the Legion of Doom, (LOD), stole the highly
proprietary and sensitive Bell South E911 Practice text file from
Bell South in Atlanta, Georgia in about December, 1988 and that

                                   - 6 -

this stolen document was distributed in "hacker" newsletters
through the use of e-mail. These newsletters included the "Phrack"
newsletter issue #24 distributed in February, 1989 by Crig Neidorf
to LOD members, including Loyd Blankenship and Chris Goggans
of Austin, Texas. The E911 Practice was posted on the "Phoenix
Project" BBS, in January, 1990, so that anyone with access to the
BBS could download a copy of the E911 Practice onto any other
computer. The "Phoenix Project" BBS is run jointly by co-systems
operators Loyd Blankenship, (hacker handle, The Mentor), and Chris
Goggans, (hacker handle, Eric [sic] Bloodaxe), who both have sent e-mail
communications identifying themselves as members of LOD. My
investigation has also disclosed that Loyd Blankenship and Chris
Goggans, through their hacker BBS "Phoenix Project," have
established a password decryption service for hackers who had
obtained encrypted passwords from computers they had been
attacking.


                     THEFT OF E911 TEXT FILE
     14. In March, 1988, Bell South developed a sophisticated new
program which describes in great detail the operation of the E911
system and the 911 support computer in Sunrise, Florida that
controls ALI and ANI information. This program, which was
enginered at a cost of $79,449.00, was locked in a secure computer
(AIMSX) in Bell South's corporate headquarters in Atlanta, Georgia.
The document was and is highly proprietary and contained the
following warning:

                                   - 7 -

          NOTICE: NOT FOR USE OR DISCLOSURE OUTSIDE
          BELL SOUTH OR ANY OF ITS SUBSIDIARIES EXCEPT
          UNDER WRITTEN AGREEMENT.
     15. In July, 1989, Robert Riggs apartment in Decatur, Georgia
was searched by United States Secret Service agents from Atlanta
pursuant to a federal search warrant.
     16. At the time of the search, Riggs, (hacker handle, The
Prophet), was interviewed by Special Agent James Cool of the USSS-
Atlanta and representatives of Bell South from Atlanta. During
this extensive interview, Riggs admitted that he illegally gained
remote access into Bell South's AIMSX computer through an account
to which access was not secured by a password, and that once on the
machine he executed a program designed to search for passwords and
to obtain other account names on the computer. He stated that once
he was on the computer, he found the E911 protocol document and
downloaded it from the Bell South computer to his home computer.
He subsequently uploaded the E911 file from his home computer to
a computer bulletin board. (He did not give the agents the name
of the bulletin board).
     17. Riggs' admissions were corroborated by interviews with
Rich Andrews, the operator of the computer bulletin board known as
JOLNET BBS in Lockport, Illinois. Andrews disclosed that in about
January, 1989, a hacker known to him by the handle PROPHET uploaded
an E911 program with bell South proprietary markings onto his BBS.
This program was then downloaded from the BBS to another hacker
known to him by the handle Knight Lightning (Craig Neidorf).

                                   - 8 -

                            PHRACK PUBLICATION
     18. On January 18, 1990, pursuant to a federal grand jury
subpoena, I received documents from the administration of the
University of Missouri regarding computer publications of Craig
Neidorf, a student at University of Missouri and Randly Tishler, a
former student at University of Missouri, (hacker handle, Taran
King), which showed that Neidorf and Tishler were publishing the
computer hacker newsletter entitled "Phrack" which they were
distributing to computer hackers around the United States through
the use of the University of Missouri account on a
telecommunication network called Bitnet.
     19. On January 18, 1990, Security Officer Reed Newlin of
Southwestern Bell Telephone and I interviewed Craig Neidorf at the
Zeta Beta Tau Fraternity House at Columbia, Missouri. During the
course of the interview, Neidorf admitted to me and Security
Officer Newlin that he used the hacker handle Knight Lightning;
that he and Randy Tishler were the publishsers of two hacker
newsletters entitled "Phrack" and "Pirate."
     20. Also during the course of this interview, Neidorf
admitted that he had a copy of a hacker tutorial regarding the
operation of the E911 system in his room. He admited that he had
edited the E911 Practice into a hacker tutorial. He also admitted
that he knew that the E911 Practice had been stolen from a
telecommunications company by Robert J. Riggs and that the
tutorial, (the edited E911 Practice File), had been published in
the Phrack newsletter issue 24. At this point of the interview,

                                   - 9 -

Neidorf excused himself, saying he was going to his room, and he
returned moments later with a floppy disk containing the copy of
the E911 document published in Phrack magazine.
     21. In addition to Neidorf's admission that he knew the E911
tutorial had been stolen, my investigation has revealed other facts
reflecting that Neidorf was aware that the E911 data received from
Riggs in Atlanta was stolen. In July, 1989, I reviewed
documentation received from Rich Andrews, the system administrator
of the JOLNET BBS. Included in the documentation was an edited
version of the E911, the document received from Neidorf, dated
January 23, 1989, which included the following notation on his
version:
          NOTICE: NOT FOR USE OR DISCLOSURE OUTSIDE
          BELLSOUTH OR ANY OF ITS SUBSIDIARIES EXCEPT
          UNDER WRITTEN AGREEMENT. (WHOOPS)
     22. Distribution records of Phrack 24 recovered from Richard
Andrews in Lockport in July 1989 reflect that copies of this
newsletter containing the proprietary E911 information and the
proprietary markings from Bell South were forwarded from Neidorf's
computer in Colombia [sic], Missouri to Loyd Blankenship's computer in
Austin, Texas on or about February 24, 1989.
     23. I have personally examined the Phrack newsletter number
24 and observed that the newsletter does in fact contain a slightly
edited copy of the stolen Bell South E911 Practice text file with
the warning:
          NOTICE: NOT FOR USE OR DISCLOSURE OUTSIDE

                                  - 10 -

          BELLSOUTH OR ANY OF ITS SUBSIDIARIES EXCEPT
          UNDER WRITTEN AGREEMENT. (WHOOPS)

                 REPUBLICATION OF E911 BY PHOENIX PROJECT
     24. On February 26, 1990, Hank Kluepfel of Bellcore advised
me that the Phoenix Project BBS run by Loyd Blankenship and Chris
Goggans was in operation on January 15, 1990. Mr. Kluepfel advised
that he had made this determination by successfully logging on to
Phoenix Project at telephone number 512-441-0229 on about January
30, 1990 and observing messages dated from January 15, 1990 to
January 30, 1990, on the BBS. Mr. Kluepfel also advised me that the
BBS system information identified the Mentor and Erik Bloodaxe as
the system administrators on the BBS.
     25. On February 14, 1990, Mr. Kluepfel advised me that after
accessing the Phoenix Project BBS, he had gone to the Phrack sub-
menu of the BBS and observed Phrack 24 on the menu. Mr. Kluepfel
further advised me that upon review of Phrack 24, he observed that
the Bell South E911 Practice text file was still in the edition
carried by the Phoenix Project BBS.
     26. On February 14, 1990, Mr. Kluepfel advised me that he had
downloaded a copy of Phoenix Project's user list (its electronic
mailing list) and that it reflected that seeral of the hackers on
the list of users were located in the Northern District of
Illinois.
PHOENIX PROJECT DECRYPTION SERVICE

                                  - 11 -

     27. On February 14, 1990, Mr. Kluepfel advised me that on
January 23, 1990, the co-systems administrator on the Phoenix
Project BBS, Erik Bloodaxe, had published a notice that the BBS was
beginning a new decryption service. Bloodaxe invited the readers
of the newsletter to send the BBS encrypted passwords for any UNIX
or Prime computer system, and the system administrators would
decrypt the passwords and return them. Bloodaxe also indicated that
the systemes administrators would probably access the computer using
the password as well. In a later message on January 26, 1990, The
Mentor responded to a question about a transfer protocol that had
been set out, but not explained in Bloodaxe's notice, indicating
his involvement in the decryption scheme.
     28. On February 14, 1990, Mr. Kluepfel advised me that the
password file decryption service offered by the Phoenix Project
provided computer hackers with information through which a computer
could be acessed without authorization under the meaning of 18 USC
1030 (a)(6) and (b) and constituted a threat to Bellcore's client
companies including Bell South.
                 IDENTIFICATION OF BLANKENSHIP AND GOGGANS
     29. Among the documents that had been printed out from the
University of Missouri computers, which I received from the
University of Missouri computers, which I received from the
administration of the University of Missouri, were lists of hackers
and their corresponding real names. On that list were the names
of Loyd Blankenship and Chris Goggans and their respective hacker
handles of The Mentor and Erik Bloodaxe.

                                  - 12 -
     30. Among the documents seized in the search of Neidorf's
house were phone lists which included the full names of Loyd
Blankenship and Chris Goggans and identified them as The Mentor and
Erik Bloodaxe, respectively.
     31. On February 6, 1990, Mr. Kluepfel provided me with
copies of a Phrack newsletter which contained a September 23, 1989,
profile of computer hacker Erik Bloodaxe. The profile indicated
that the Erik Bloodaxe's real name was Chris, that he was 20 years
old, 5'10", 130 pounds, that he had blue eyes, brown hair and that
he used various computers including an Atari 400, various computer
terminals with limited computing capability that are or can be
linked to a central computer, and a CompuAid Turbo T. The profile
reflects that Erik Bloodaxe was a student in computer science at
the University of Texas in Austin.
     32. On February 6, 1990, Mr. Kluepfel provided me with a copy
of Phrack containing a January 18, 1989 profile of the computer
hacker known as The Mentor. The profile indicated that the
Mentor's real name was Loyd, that he was 23 years old, 120 pounds,
5'10", that he had brown hair, brown eyes and that he had owned a
TRS-80, an Apple IIe, an Amiga 1000, and a PC/AT.
     33. The identification of Loyd Blankenship as The Mentor in
the Phrack profile was corroborated on February 22, 1990, by
information provided by Larry Coutorie an inspector with campus
security at the University in Austin, Texas who advised
me that his review of locator information at the University of
Texas in Austin disclosed current drivers license information on

                                  - 13 -

Loyd Dean Blankenship reflecting that Blankenship resides at 1517G
Summerstone, in Austin, Texas, telephone number 512-441-2916 and
is described as a white, male, 5'10", with brown hair and brown
eyes. He further advised that Blankenship is employed at Steve
Jackson Games, 2700-A Metcalfe Road, Austin, Texas where he is a
computer programmer and where he uses a bulletin board service
connected to telephone number 512-447-4449.
     34. According to telephone company records the telephone
number 512-441-0229, the number for the Phoenix Project BBS, is
assigned to the address 1517 G Summerstone, Austin, Texas, which is
the residence of Loyd Blankenship.
     35. Hank Kluepfel has advised me that he has loged on to the
BBS at 512-447-4449 and that The Mentor is listed as the systems
operator of the BBS. Mr. Kluepfel further advised me that the user
list of that BBS contains the name of Loyd Blankenship and others
known to Mr. Kluepfel has hackers. Also, Mr. Kluepfel observed that
Loyd Blankenship is a frequent user of the BBS.
     36. Similarly, the identification of Chris Goggans as the
Erik Bloodaxe described in the Phrack profile was corroborated on
February 22, 1990, by Larry Coutorie who advised me that his
review of locator information at the University of Texas with
respect to Chris Goggans disclosed that Goggans resides at 3524
Graystone #192, in AUstin, Texas and that his full name is Erik
Christian Goggans. Goggans, who goes by the name Chris, is a white,
male, with blond hair and blue eyes date of birth 5/5/69, 5'9",
120 pounds.

                                  - 14 -

     37. On February 19, 1990, I was advised by Margaret Knox,
Assistant Director of the Computation Center, University of Texas,
Austin, Texas, that a young man presented himself to her as Chris
Goggans in response to the University sending a notification of the
Grand Jury subpoena for University records pertaining to Chris
Goggans to Chris Goggans at 3524 Graystone #192, Austin, Texas. The
young man also told her that he was Erik Bloodaxe of the Legion of
Doom.

                         Locations to be Searched
     38. Based on the above information and my own observations,
I believe that the E911 source code and text file and the
decryption software program are to be found in the computers
located at 1517G Summerstone, Austin, Texas, or at 2700-A Metcalfe
Road, Austin, Texas, or at 3524 Graystone #192, Austin, Texas, or
in the computers at each of those locations.
     39. The locations to be searched are described as: the
premises known as the residence of Loyd Dean Blankenship, 1517G
Summerstone, Austin, Texas; the employment location of Blankenship,
the business known as Steve Jackson Games, 2700-A Metcalfe Road,
AUstin, Texas; and the residence of Chris Goggans, 3524 Graystone
#192, Austin, Texas. Those locations are further described in
Attachment A to this Affidavit for Search Warrant.
                           Evidence To Be Found
     40. On February 2, 1990, Jerry Dalton of AT&T advised me that
based upon his background, experience and investigation in this

                                  - 15 -
case and investigating approximately 50 other incidents this year
involving the unauthorized use of other computer systems, including
individuals that run computer bulletin boards, these individuals
typically keep and use the following types of hardware, software
and documents to execute their fraud schemes and operate their
computers and computer bulletin boards:
          a. Hardware - a central processing unit, a monitor, a modem,
             a key board, a printer, and storage devices (either
             cartridge tapes, 9-track magnetic tapes, floppy disks or
             axillary [sic] disk units), telephone equipment (including)
             automatic dialing equipment, cables and connectors), tape
             drives and recording equipment.

          b. Software - hard disks and floppy disks containing
             computer programs, including, but not limited to software
             data files, electronic mail files, UNIX software and
             other AT&T proprietary software.

          c. Documents - computer related manuals, computer related
             textbooks, looseleaf binders, telephone books, computer
             printout, cassette tapes, videotapes and other documents
             used to access computers and record information taken
             from the computers during the above referred breakins.
             Financial and licensing information with respect to the
             computer hardware and software.

     41. Based on the above information and my own observation,
I believe that at the premises known as the residence of Loyd Dean
Blankenship, 1571G Summerstone, Austin, Texas; the employment
location of Blankenship, the business known as Steve Jackson Games,
2700-A Metcalfe Road, Austin, Texas; and the residence of Chris
Goggans, 3524 Graystone, #192, Austin Texas there is computer
hardware (including central processing unit(s), monitors, memory
devices, (modem(s), programming equipment, communication equipment,
disks, prints and computer software (including but not limited to
memory disks, floppy disks, storage media) and written material and

                                  - 16 -

documents relating to the use of the computer system (including
networking access files, documentation relating to the attacking
of computer and advertising the results of the computer attack
(including telephone numbers and location information). This
affidavit is for the seizure of the above described computer and
computer data and for the authorization to read information stored
and contained on the above described computer and computer data
which are evidence of violations of 18 USC 2314 and 1030, as well
as evidence, instrumentalities or fruits of the fraud scheme being
conducted by the operator of the computer at that location.
     42. Request is made herein to search and seize the above
described computer and computer data and to read the information
contained in and on the computer and computer data.



                               (signature of) Timothy M. Foley
                               Special Agent Timothy Foley
                               United States Secret Service


Sworn and Subscribed to before
me this 28th day of February, 1990


(signature of) Stephen H. Capelle
UNITED STATES MAGISTRATE


                                  - 17 -

                         (END OF SEARCH AFFIDAVIT)

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

A document attached to the search affidavit reproduced 17 messages from The
Phoenix Project written from Jan. 23 - Jan. 29, 1990.  We have retyped
messages 13/17, but substituted the original posts (18/29) from TPP logs we
have obtained. The differences in message numbers (eg 13/58 from Henry
Kluepfel's logs, or our source's logs, eg, 22/47) reflect that the notes
were captured on different days.  We have compared the logs from both our
source and the document, and they are identical. Hence, the difference in
capturing dates is of no consequence.

There are several points that should be considered in reading the logs:

1. The affidavit claims that the logs substantiate the claim that an
encryption service existed. In fact, they do no such thing.  The claim is
based primarily on message 13 (Jan 23), which includes the comment "What do
you people think? Bad idea? Good idea? Hell...It is just another attempt by
me to piss everyone off."

2. The bulk of these messages are inconsequential general discussions, and
include brief discussion of transfer protocols.

3. Timothy Foley's "evidence" that The Mentor is involved in the situation
is message 23, in which The Mentor is "guilty" of saying that Kermit is a
7-bit transfer protocol, is found on mainframes, and works through
outdials.  From this, Foley says:

     In a later message on January 26, 1990, the Mentor responded to a
     question about a transfer protocol that been set out, but not
     explained in Bloodaxe's notice, indicating his involvement in the
     decryption scheme (#27, p. 12).

4. The messages before and after these dates are general, and there is
little substantive discussion of the "decryption service."

It appears that Loyd Blankenship is "guilty" of posting phracks on The
Phoenix Project, as are perhaps thousands of other sysops across the
country, and of the "criminal act" of summarizing Kermit.

We will leave it to others to judge and comment upon the logic and quality
of the document(s).

+++++++++++++++++++++++++++++++++++++++++++++++++
(The following is the first page of a 3 page document attached to
the affidavit. It has been retyped from the original).
+++++++++++++++++++++++++++++++++++++++++++++++++

New user pw= GUNSHIP

13/58: things...
Name: Erik Bloodaxe #2
Date: Tue Jan 23 22:57:29 1990
I think it's time for your friend at The Legion of Doom to start a new
service...(with great help from friends)
Decryption service! On any unix or Prime, send the etc/passwd file, or the
UAF file to the sysop directory, and you will be mailed back the encrypted
UAF file to the sysop directory, and you will be mailed back the encrypted
passwords...(on UNIX any pw that the deszip could bust)
The Prime UAF must be in binary, so kermit it from the site, and xmodem it
here.
In return, we will not distribute any information gained from your site, but
we will probably look around it anyway...but it will remain between you and
us.
What do you people think? Bad idea? Good idea? Hell...It is just another
attempt by me to piss everyone off.
->ME

14/58: aha..!
Name: Phoenix #17
Date: Wed Jan 24 01:30:35 1990
ummm...hmmm
(doesn't know what to say..)

15/58: Heck
Name: The Parmaster #21
Date: Wed Jan 24 07:48:01 1990
    Personally i like it :-)
Jason.

16/58: Decryption
Name: Grey Owl #10
Date: Wed Jan 24 19:10:52 1990
I think it's a great idea. I get a whole shitload of passwd files and some
UAF files too.               |||_______got!
grey owl

17/58: Just a couple of questions...
Name: Konica #47
Date: Wed Jan 24 23:41:13 1990
Well since the feds know this is a hacker board whats stopping them from
tracing every incoming call to Pheonix Project and getting all the #'s, then
monitoring then for illegal activity?

And just say I was calling through my personal calling card....What would
they get as the incomming #?
If I had a DNR on my line is there any way I could find out?
Sorry about this but I am not as good as most of you (except for the guy that
keeps posting codes) and the only way I am going to learn is by trying shit
out and asking questions...
Hope this is the right sub for these questions....

+++++++++++++++
(The following are the actual logs; Typos were not removed)
+++++++++++++++


18/47: vv
Name: Dtmf #27
Date: Thu Jan 25 03:22:29 1990

RE: Just a couple of questions...

To check the DNR the best bet woud be to call bell security, or the SCC


19/47: well..
Name: Phoenix #17
Date: Thu Jan 25 07:27:43 1990

nothing stops them from tracing..
I dont know how it works there.. but down here all traces are illegal unless
they are for drug/murder reasons.. (well not traces, but taps are..)


20/47: Feds...
Name: Erik Bloodaxe #2
Date: Thu Jan 25 17:05:35 1990

Absolutely nothing would stop them from collecting all local calls, and/or any
longdistance company records of calls coming into this number...in fact, I
kind of expect them to at least get all local calls here...hell Austin is all
ess...most of them 5's...(I think...maybe 1's)

However, I doubt that tapping the data line is worth their while...especially
when they can just log on and read everything anyway.  And the mail just isn't
that spectacular...

In any case, all calls here made by legal means are legaal, so don't worry
about it.  Just because tee nature of this bbs isn't that of your average
mainstream bbs, doesn't negate its legality.  Information posted here is kept
legal.

If you are truly worried about it, don't call, and sit home being paranoid.

Hell, I'm local...I call direct...and now I do it at 300 baud.  Hell, I can
almost tell what's being typed at 300 baud while listening to it...forget the
data tap!  Hehe, although a 300 baud data tap is SO simple to playback
completely error free...at 1200 or 2400 you kind of have to get the recording
levels just right...but 300 gives you plenty of room for error...

21/47: ess 1,5
Name: Dark Sun #11
Date: Thu Jan 25 20:14:00 1990

hey, whats the diff??? :-)
                                  DS




22/47: decryption
Name: Silencer #31
Date: Thu Jan 25 23:35:01 1990

hmmm....like...you mean once you have an account...read the user file and then
you will deencrypt all the passcodez...sounds good....but what the fuck is
kermit...
     - Silencer




23/47: kermit
Name: The Mentor #1
Date: Fri Jan 26 10:11:23 1990

Kermit is a 7-bit transfer protocol that is used to transfer files to/from
machines. It is mostly found on mainframes (it's a standard command on VAX,
for instance). Kermit has the added advantage of being able to work through an
outdial (because it is 7-bit).

Mentor




24/47: Kermit
Name: Sicilumm Thorne #28
Date: Fri Jan 26 11:20:10 1990

    Kermit is merely another transfer protocol like Sealink, Xmodem, Modem7,
Zmodem, et cetera.

    Its relatively slow, but was thought to be better than Xmodem, due to its
capabilties.  (Don't remember what they are, I use Zmodem).

    Sic.




25/47: my kermit
Name: Ravage #19
Date: Fri Jan 26 12:24:21 1990


lets me set it at 8 bits also. just another trivial note.




26/47: from what I know...
Name: Dark Sun #11
Date: Fri Jan 26 16:26:55 1990

kermit was originally designed to allow transmission of data across 2
computers running with different parity settings.
                             DS




27/47: and..
Name: Phoenix #17
Date: Sat Jan 27 07:28:45 1990

as a major disadvantage.. it is damn slow!

Phoenix




28/47: Well....
Name: Johnny Hicap #45
Date: Sat Jan 27 21:28:18 1990

No one answered that question (forget who posted it) that if he was calling
through a calling card is it possible to get the number of the person who
called even he was calling through hs calling card? What would they get as the
number comming in? Would they get the card? Of course then they would just see
who owns it.

JH!




29/47: more Kermit BS
Name: Grey Owl #10
Date: Sat Jan 27 23:53:57 1990

Kermit is slower than Xmodem, BTW.  The packets are smaller (usually 64 bytes)
and the error-checking is shot to hell with any line noise.  It's better than
ASCII though!

grey owl

********************************************************************
                          ** END OF CuD #2.11 **
********************************************************************

Steve Jackson Games | SJ Games vs. the Secret Service