💾 Archived View for gemini.spam.works › mirrors › textfiles › bbs › ripcowar.txt captured on 2020-10-31 at 20:04:59.

-=-=-=-=-=-=-

          ***  SEIZURE WARRANT DOCUMENTS FOR RIPCO BBS  ***


On May 8, 1990, RIPCO BBS was closed and the equipment seized as the result
of a seizure warrant. FULL DISCLOSURE Magazine obtained publicly available
copies of the various documents related to the warrant, which are
reproduced below.

The documents include (in order presented):

1. Government's petition for Assistance during Execution of Search Warrant
2. ORDER approving assistance
3. Order authorizing blocking out incoming telephone and data calls
4. Application for order to block out calls
5. Application and affidavit for seizure warrant (Barbara Golden, affiant)
6. Application and affidavit for seizure warrant (G. Kirt Lawson, affiant)

Attached to the original documents (but not presented here) are an
application (by Ira H. Raphaelson and William J. Cook, United States
attorney and AUSA) to suppress the seizure warrant for 90 days, and a
variety of photographs of Dr. Ripco's premises.





Government's Petition for Assistance


                     UNITED STATES DISTRICT COURT
                    NORTHERN DISTRICT OF ILLINOIS
                           EASTERN DIVISION

UNITED STATES OF AMERICA        )
                                )
          v.                    )    No. 90-M-187 & 90-M-188
                                )    Magistrate James T. Balog
                                )
xxxx NORTH CLYBOURN, CHICAGO    )
ILLINOIS AND xxxx NORTH         )
LAWNDALE, CHICAGO, ILLINOIS     )


                 GOVERNMENT'S PETITION FOR ASSISTANCE
                  DURING EXECUTION OF SEARCH WARRANT

    The United States of America, by its attorney, Ira H.
Raphaelson, United States Attorney for the Northern District of
Illinois, petitions this Court for an order directing
representatives of AT&T's Corporate Security Division to accompany
Special Agents of the Secret Service during the execution of the
search warrant against the premises of xxxx North Clybourn,
Chicago, Illinois, and xxxx North Lawndale, Chicago, Illinois. This
petition is supported by the following:
     1. The affidavit of Special Agent Barbara Golden of the
Secret Service is incorporated herein by reference.
     2. AT&T has offered the assistance of Jerry Dalton and John
Hickey of AT&T Corporate Security/Information Protection to the
government and this Court. Both men are very experienced in the
operation of computers and especially in the analysis of UNIX
systems.
     3. We also request that Sergeant Abigail Abrahams of the
Illinois State Police be authorized in the execution of the
aforementioned warrants. Sergeant Abrahams has investigated the
computer bulletin board (BBS) operation since approximately 1988

                                - 1 -

and has extensive details with respect to the structure of the BBS
and its contents.

     While these individuals will not be seizing evidence, their
assistance is necessary to quickly read and identify the
critical files in the computer being searched. Moreover, their presence
during the search will insure that the records on the computer are
not accidentally erased and remain intact.


                                    Respectfully submitted,

                                    IRA H. RAPHAELSON
                                    United States Attorney


                                BY: (signature of)
                                    WILLIAM J. COOK
                                    Assistant United States Attorney

                                - 3 -


                     UNITED STATES DISTRICT COURT
                    NORTHERN DISTRICT OF ILLINOIS
                           EASTERN DIVISION

UNITED STATES OF AMERICA        )
                                )
          v.                    )    No. 90-M-187 & 90-M-188
                                )    Magistrate James T. Balog
                                )
xxxx NORTH CLYBOURN, CHICAGO    )
ILLINOIS AND xxxx NORTH         )
LAWNDALE, CHICAGO, ILLINOIS     )


                                ORDER

     In view of the specialized nature of the evidence that is
being sought in this warrant, _______________, as indicated in the
government's petition and the affidavit for the search warrant,
which is incorporated herein by reference;
     It is Hereby Ordered that representatives of AT&T's Corporate
Security Division and Sergeant Abigail Abrahams of the Illinois
State Police accompany Special Agents of the United States Secret
Service during the execution of the search warrant to assist those
agents in the recovery and identification of the evidence sought
in the warrant.


                                    (signature) James T. Balog
                     5-7-90          UNITED STATES MAGISTRATE


                                   - 3 -



                     UNITED STATES DISTRICT COURT
                    NORTHERN DISTRICT OF ILLINOIS
                           EASTERN DIVISION

IN THE MATTER OF THE             )
APPLICATION OF THE UNITED STATES )
OF AMERICA FOR AN ORDER FOR THE  )   No. 90-M-187 & 90-M-188
BLOCKING OF INCOMING TELEPHONE   )   Magistrate James T. Balog
AND DATA CALLS AT (312 )528-5020 )
(312 )xxx-xxxx AND (312)xxx-xxxx )

ORDER AUTHORIZING BLOCKING OUT INCOMING TELEPHONE DATA CALLS

     An application having been made before me by Colleen D.
Coughlin, an Assistant United States Attorney for the Northern
District of Illinois, pursuant to Title 28, United States Code,
Section 1651, for an Order to "block out" incoming telephone and
data calls by the Illinois Bell Telephone company, and there is
reason to believe that requested actions are relevant to a
legitimate law enforcement investigation;

      IT IS ORDERED THAT:

      1. Illinois Bell Telephone company servicing said telephone
lines shall "block out" incoming telephone and data calls on
(312) 528-5020, (312) xxx-xxxx and (312) xxx-xxxx, which telephone
and data lines are on premises which are the subject of federal
search warrants to be executed the 8th day of May, 1990 at
approximately 0630 hours. Such "blocking out" of incoming
telephone and data calls shall commence at 0500 hours on May 8,
1990 and continue up to and including 1700 hours on May 8, 1990, or
until the completion of the search warrants, whichever is the
earlier.

      2. The "blocking out" of incoming telephone and data calls
will likely assist in the execution of search warrants seeking

                                - 4 -

evidence of violations of Title 18, United States Code, Sections
1343, 1030, 1962, 1963, and 371.


                              (signature of)
                              JAMES T. BALOG
                              Magistrate

         5-7-89 (sic)


                                - 5 -


                     UNITED STATES DISTRICT COURT
                    NORTHERN DISTRICT OF ILLINOIS
                           EASTERN DIVISION

IN THE MATTER OF THE             )
APPLICATION OF THE UNITED STATES )
OF AMERICA FOR AN ORDER FOR THE  )   No. 90-M-187 & 90-M-188
BLOCKING OF INCOMING TELEPHONE   )   Magistrate James T. Balog
AND DATA CALLS AT (312 )528-5020 )
(312 )xxx-xxxx AND (312)xxx-xxxx )


                        A P P L I C A T I O N


     Now comes the UNITED STATES OF AMERICA, by IRA H. RAPHAELSON,
United States Attorney and Colleen D. Coughlin, Assistant United
States Attorney, and makes application pursuant to Title 28, United
States Code, Section 1651, the All Writs Act, for an Order to stop
or "block out" incoming telephone calls to particular telephone
and/or data lines, as described below, by the Illinois Bell
Telephone Company.

     In support of this Application the undersigned states as
follows:

     1.  This Application seeks an order requiring the Illinois
Bell Telephone Company to "block out" incoming telephone and data
calls from 0500 hours until 1700 on May 8, 1990 regarding the
following numbers (312) 528-5020, (312) xxx-xxxx and (312) xxx-xxxx.

     2. The United States Secret Service has been conducting a
two year investigation into the activities of computer hackers
which will result in thirty-two search warrants being executed
across the United States on May 8, 1990 beginning at 0630 hours.

     3. Because the United States Secret Service needs to ensure
the integrity of the evidence at each of these locations from
remote access tampering, alteration, or destruction, this "blocking
out" order is required.

     4. This action by Illinois Bell Telephone will only "block
out" incoming calls and the telephones will at all times be capable
of making "outgoing" calls. Thus, the telephone lines will at all
times be available for emergency outgoing calls.

     5. It is reasonably believed by the United States Secret
Service, based on experience and their investigation in this
case, that the requested action will be of substantial assistance
in forwarding this criminal investigation.

     6. The All Writs Act, 28 U.S.C. 1651, provides as follows:

             The Supreme Court and all courts
        established by the Act of Congress may issue all
        writs necessary and appropriate in aid of their
        respective jurisdictions and agreeable to the
        uses and principles of law.

     7. A Federal Court has power to issue "such commands under
the All Writs Act as may be necessary or appropriate to effectuate
and prevent the frustration of orders it has previously issued in
the exercise of its jurisdiction...." UNITED STATES v. NEW YORK
TELEPHONE CO., 434 U.S. 159, 172 (1977).

     WHEREFORE, on the basis of the allegations contained in this
Application, applicant requests this Court to enter an order for
"blocking out" of incoming telephone and/or data calls at the above
described telephone numbers.

     It is further requested that Illinois Bell Telephone Company
may be ordered to make no disclosure of the existence of this
Application and Order until further order of this Court since

                                - 2 -

disclosure of this request to the individual or individuals whose
telephone lines are affected would threaten or impede this computer
investigation.


                                   Respectfully submitted,

                                   IRA H. RAPHAELSON
                                   United States Attorney


                               By:  (signed)
                                   COLLEEN D. COUGHLIN
                                   Assistant United States Attorney



                                - 3 -


{transcriber's note:}
Following is the APPLICATION AND AFFIDAVIT FOR SEIZURE WARRANT,
Case number 90-M-187, dated May 7, 1990.

Affiant: Barbara Golden, Special Agent, U.S. Secret Service
Location: United States District Court, Northern District of Illinois
Judicial Officer: Magistrate James T. Balog
The warrant alleges violations under Title 18, USC, Sections
1343, 1030, 1029, 1962, 1963, and 371.


  --------------(Begin Barbara Golden's Affidavit)-----------------

State of Illinois    )
                     )    SS
County of Cook       )


                                    AFFIDAVIT

     1.   I, Barbara Golden, am a Special Agent of the United States
Secret Service and have been so employed for the past fourteen years; the
past three years as a Special Agent.  I am presently assigned to the
Computer Fraud Section of the United States Secret Service in Chicago.  I
am submitting this affidavit in support of the search warrants for the
residence of Bruce Xxxxxxxxxxx, xxxx North Lawndale, Chicago, Illinois
(including the detached garage behind the house) and his business address
at xxxx North Clybourn, Chicago, Illinois.
     2.  This affidavit is based upon my investigation and information
provided to me by Special Agent G. Kirt Lawson of the United States Secret
Service in Phoenix, Arizona and by other agents of the United States
Secret Service.  I have also received information from Sergeant Abigail
Abrahams of the Illinois State Police.
     3.  Additionally, I have received technical information and
investigative assistance from Roland Kwasny of Illinois Bell Telephone
Corporate Security.

                              VIOLATIONS INVOLVED

     4.  This warrant is requested to recover unauthorized and illegally
used access codes posted on the RIPCO BBS by computer hackers and to
develop evidence of their illegal use of those codes in violation of
federal criminal laws, including:

                                - 1 -

     a.  18 USC 2314 which provides federal criminal sanctions against
individuals who knowingly and intentionally transport stolen property or
property obtained by fraud, valued at $5,000.00 or more, in interstate
commerce.
     b.  18 USC 1030(a)(6) provides federal criminal sanctions against
individuals who, knowingly and with intent to defraud, traffic in
interstate commerce any information through which a computer may be
accessed without authorization in interstate commerce.
     c.  Other federal violations involved in this case may include Wire
Fraud (18 U.S.C. 1343), Access Device Fraud (U.S.C. 1029) and other
violations listed and described on page 15, 16, and 17 of the attached
affidavit of Special Agent Lawson.

                                LAWSON AFFIDAVIT

     5.  The attached affidavit of Special Agent Kirt Lawson is
incorporated herein in its entirety and is attached as Attachment 1.
Lawson's affidavit is based upon a two year undercover investigation of
the United States Secret Service involving an undercover bulletin board
located in Phoenix, Arizona.  Essentially, Lawson's affidavit and my
investigation establish probable cause to believe:
     a.  Bruce Xxxxxxxxxxx, using the computer hacker handle "Dr. Ripco",
has been operating the RIPCO BBS in Chicago since approximately
December 10, 1983.

                                - 2 -

     b.  During the time period named in the Lawson affidavit unauthorized
access codes were posted on the RIPCO BBS by various computer hackers.
     c.  The access codes posted on the RIPCO BBS have been determined by
Special Agent Lawson to be valid access codes which are being used without
authorization of the true authorized user of the access codes.  Moreover,
in many cases the access codes have been reported stolen by the true
authorized user(s).
     d.  Special Agent Lawson's investigation has further determined that
the access codes posted on the RIPCO BBS are not concealed from the system
administrator of the BBS and could be seen by the system administrator
during an examination of the BBS.

     6.  I have personally worked with S.A. Lawson on computer crime
investigations and know him to be a reliable agent of the Secret Service
and an expert in the field of telecommunication investigations.
     7.  I personally received the attached affidavit on May 1, 1990 and
verified with S.A. Lawson that it is in fact his affidavit and that it
accurately reflects his investigation.  I have verified information with
respect to his investigation with Special Agent Lawson as recently as May
7, 1990.

                                - 3 -


                            UPDATED PROBABLE CAUSE

     8.  On May 1, 1990, I personally observed that the surveillance
cameras described on pages 32 and 33 of Lawson's affidavit still
appear to be in operation.  (The antennas and surveillance cameras
located at the Clybourn address are reflected in the photographs
attached as Attachment 2.)
     9.  On May 4, 1990, I personally updated the status of the
telephone lines at the Clybourn address with Roland Kwasny of Illinois
Bell Telephone.  Kwasny advised me that those telephones continue to
be in active service at this time.

                              ITEMS TO BE SEIZED

     10.  On pages 36 to 39 of his affidavit S.A. Lawson describes the
items to be seized at the search locations.


                            Locations to be Searched

     11.  The complete description of the business location to be searched
on Clybourn Street is contained on page 30 of S.A. Lawson's affidavit.
(Photographs of that location are in Attachment 2.)  I have personally
observed the residence to be searched on Lawndale on May 1, 1990.  The
photographs attached to this affidavit as Attachment 3 truly and
accurately show the residence known as xxxx North Lawndale, Chicago,
Illinois, as of May 1, 1990.

                                - 4 -


                        EXAMINATION OF COMPUTER RECORDS

     13.  Request is made herein to search and seize the above described
computer and computer data and to read the information contained in and on
the computer and computer data.

     14.  The following attachments are incorporated herein by reference:
Attachment 1 - Affidavit of S.A. Lawson (39 pages); Attachment 2 -
Photographs of the Clybourn address (2 pages); Attachment 3 - Photographs
of the Lawndale address (1 page).


                                         (signature)
                                         Special Agent Barbara Golden
                                         United States Secret Service


Sworn and Subscribed to before
me this 7th day of May, 1990.


(signature)
James T. Balog
UNITED STATES MAGISTRATE


                                - 5 -

                ** (End Barbara Golden's Affidavit) **

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

               ** (Begin G. Kirt Lawson's affidavit) **

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


State of Arizona    )
                    )    SS
County of Maricopa  )


                                  AFFIDAVIT

     1.  Your affiant G. Kirt Lawson has been a Special Agent of the U.S.
Secret Service for eighteen years and in the course of his employment has
investigated over 100 cases involving credit card fraud, theft, computer-
related crime, and other offenses.   I have training from the Secret
Service in the investigation of computer fraud, have attended six or more
seminars on investigative procedures from AT&T and the Secret Service, and
have lectured on computer crime for the IEEE (an international
professional group of electrical engineers) and Bellcore (the research /
security organization owned by the regional Bell operating companies.)
Within the last year, I have assisted the Arizona Attorney General's
office with the execution of three computer-crime search warrants, and the
Austin, Texas field office of the Secret Service with the execution of
another computer-related search warrant.  Over the last two years, I
have assisted numerous state, local, and federal law enforcement
agents in half a dozen U.S. cities by providing information and
technical assistance which has led to the execution of over a dozen
search warrants in computer crime cases nationwide.

                                - 1 -


                            SOURCES OF INFORMATION

     2.  Your affiant has also received technical information and
investigative assistance from the following experts in the field of
telecommunication fraud and computer crime:
     a.  R.E. "Sandy" Sandquist, Regional Security Manager, U.S. Sprint
Communications Company, who has been so employed since 1987, and was
previously employed by General Telephone (GTE) as a special agent,
technical investigations since 1983.  He has investigated cases of
communications fraud involving computer hackers, computer bulletin board
systems (see Definitions section below), and the abuse of voice mail
message computers, involving over 100 systems.  He has assisted law
enforcement search teams in the execution of search warrants, and has
trained many state, local and federal agents in the investigation of
computer and communications crime.
     b.  Stephen R. Purdy, Special Agent, U.S. Secret Service, currently
the Assistant to the Special Agent In Charge of Fraud Division of the
Computer Diagnostic Lab in Washington, D.C.  He is a member of the Federal
Computer Investigations Committee, and is currently its Co-Chair.  He has
helped to design training programs in computer crime and
telecommunications fraud investigations for the Federal Law Enforcement
Training Center in Glynco, Georgia.  He also developed and instructs in
the Secret Service's training program in computer fraud investigations.

                                - 2 -

     c.  George Mehnert has been a Special Agent with the Arizona Attorney
General's office for more than twelve years; for the last three years, he
has been responsible for special projects including the investigation of
computer crime.  He has taken courses relating to computer hardware and
software programs from various industry sources and a local college, and
has worked with computer hardware and software, including communications
equipment and analysis tools, in investigative matters for more than six
years.  Mehnert has instructed numerous state and local law enforcement
agencies in the methodology of executing search warrants involving
computers, and in the investigation of computer crimes.  He recently
published an article on this subject in a law enforcement periodical.  In
the past two years, Mehnert has been involved in thirty warrant searches
relating to the seizure of computer or communications-related evidence.
     d.  In addition to the above, affiant has also received technical
assistance and information from the following communication industry
sources: Steve Matthews, Telenet;  Leila Stewart, MCI;  Sue Welch, MCI;
Toni Ames, U.S. West;  Connie Bullock, ComSystems (a long-distance
carrier);  Karen Torres, MidAmerican Communications Company;  Richard
Petiollo and Richard Kopacz, AT&T;  Hank Kluepfel and David Bauer,
Bellcore (a research/security company owned by the Bell Regional Operating
Companies);  Marty Locker, International Telephone and Telegraph (ITT),
and credit industry sources:  Valerie Larrison, American Express;  MaryAnn
Birkinshaw, TRW;  Michelle Mason, CBI (TRW and CBI are national card
bureaus).

                                - 3 -


                          DEFINITIONS AND EXPLANATIONS


     3.  Computer hackers:  individuals involved in the unauthorized
intrusion into computer systems by various means.  They commonly identify
themselves by aliases or "hacker handles" when communicating by voice or
electronically with other hackers.  Because they normally communicate
through electronic bulletin board systems in several states, and because
they often conduct their hacking activities against victims at many
locations outside their local calling area, computer hackers typically use
long-distance carrier customer authorization codes without the permission
of the individuals or corporations to which they are assigned, in order to
achieve "free" long distance telecommunications (over standard voice
lines, or over data-communications services).  Search warrants executed in
hacker cases routinely produce evidence of theft of communications
services, and often product of possession, use, and/or distribution of
credit cards as well.
     4.  Electronic Bulletin Board System (BBS):  an electronic
bulletin board is a computer operated as a medium of electronic
communications between computer users at different locations.
Users access the BBS by telephone from distant locations (often
their residences), using their own computers and communication
devices (modems).  Typical functions of a BBS include (1) providing
storage for a software library; (2) allowing users to "download"
(copy to their own computers) various files or software programs;
(3) allowing users to

                                - 4 -

exchange and store messages by "electronic mail"; and (4) publishing
of text files and tutorials, which contain information or instructions
on various subjects of interest to the users.  Although many BBS's are
operated as commercial services to the public (large services such as
Compuserve and The Source may offer many more functions than those
listed above), thousands of BBS's are privately operated by
individuals who run them from their residences, or by special-interest
clubs.  It is common for a BBS to have several sections or
"conferences" on the system, to which a particular level of access is
required:  many users might have access to lower-level sections, while
only some users would be permitted to access the highest-level
sections (many sysops --defined below-- "voice validate" a prospective
user, using a telephone call to screen users and determine whether
they are law enforcement, adults, or other undesirables).  This is
particularly true of BBS's whose members are involved in some form of
criminal activity.  Many "underground" or criminal bulletin boards
contain subsections through which the users regularly exchange stolen
customer authorization codes, credit card numbers, and information on
techniques or methods for the commission of such crimes as computer
fraud and abuse, access device fraud and wire fraud.
     5.  System operator/system administrator (sysop): the person(s)
charged with the responsibility for operating a particular computer
bulletin board system (usually the owner of

                                - 5 -

the computer who lives in the residence where the BBS is operating).
In order to perform their necessary supervisory and maintenance
functions, sysops who run or own the BBS give themselves the highest
level of access, or privileges, available on a system.  In the case
of a bulletin board sysop, these functions typically include deciding
whether or not to give access or type of privileges to allow to
different users, and the ability to read the entire content stored on
the BBS (including "private mail" -- see electronic mail, below.)
Sysops control the BBS, can remove contents, add and delete users,
change the programming, alter the communications parameters, and
perform a number of administrative and maintenance tasks associated
with operation of the BBS.
     6.  Electronic mail (E-mail):  electronic mail is a means of
communication among computer users, and is one of the features normally
found on a BBS.  Each user on a criminal BBS has a distinct
identifier, with a computer hacker's "username" or "login" often
identical to his hacker handle (handles tend toward the theatrical,
i.e. Prophet of Doom, DungeonMaster, Ax Murderer, etc.) and a unique
confidential password; each user may also be assigned a user number by
the system.  Users may send "public" mail by leaving a message in a
section of the system where all who call in may read the message and
respond.  They may also send "private mail" by sending a message
limited to a particular individual or group.

                                - 6 -

In this instance, other users would not be able to read the private
message.  (Except, of course for the sysop, as explained above.)
     7.  Chat:  unlike electronic mail, which consists of messages and
responses entered and stored for later review, the "chat" communication on
a BBS consists of simultaneous interactive communication between the sysop
and a user, or between two or more users -- the computer equivalent of a
conference call.  A more sophisticated BBS may have more than one
telephone line connected to the system, so that two or more users can
"talk" to each other through the BBS from their own computer systems at one
time.
     8.  Voice Mail System (VMS):  a voice mail system is an electronic
messaging computer which acts as an answering service.  These systems are
generally either (1) operated for hire to the public by commercial
communications companies, often in combination with cellular telephone or
paging services, or (2) by corporations for the convenience of employees
and customers.  In either case, the subscriber or employee is assigned an
individual "mailbox" on the system which is capable of performing several
functions.  Among these functions are receiving and storing messages from
callers, sending messages to other boxes on the system, and sending
messages to a pre-selected group of boxes.  These functions are performed
by pushing the appropriate numerical commands on a telephone keypad for
the desired function.

                                - 7 -

     9.  While voice mail systems vary among manufacturers, in general, a
caller dials either a local area code and number, or an "800" number to
access the system.  Generally, the caller hears a corporate greeting
identifying the system and listing instructions for leaving a message and
other options.  To leave a message, the caller enters a "mailbox number,"
a series of digits (often identical to the assigned owner's telephone
extension), on his own telephone keypad.  The caller then hears whatever
greeting the mailbox owner has chosen to leave.  Again, the caller can
usually exercise several options, one of which is to dictate an oral
message after a tone.
    10.  In this respect, the voice mail system operates much like a
telephone answering machine.  Rather than being recorded on audio tape,
however, the message is stored in digitized form by the computer system.
When the message is retrieved, the computer plays it back as sound
understandable by the human ear.  The entire VMS is actually a computer
system accessible through telephone lines; the messages are stored on
large-capacity computer disks.
    11.  A caller needs to know only the extension or mailbox number in
order to leave a message for the employee or subscriber.  In order to
retrieve the messages or delete them from the system, however, the person
to whom the box is assigned must have both the box number and a
confidential password: the password ensures privacy of the communications,
by acting as a "key" to "unlock" the box and reveal its contents. Anyone

                                - 8 -

calling the telephone number of the mailbox hears the owner's greeting --
only the content of messages left for the owner is protected by the
password or security code.  The person to whom the box is assigned may
also have the ability to change his password, thereby preventing access to
the box contents by anyone who may have learned his password.
    12.  Private Branch Exchange (PBX): a private branch exchange is a
device which operates as a telephone switching system to provide internal
communications between telephone facilities located on the owner's
premises as well as communications between the company and other private
or public networks.  By dialing the specific telephone number of a PBX
equipped with a remote access feature and entering a numeric password or
code on a telephone keypad or by means of a computer modem, the caller can
obtain a dial tone, enabling the caller to place long distance calls at
the expense of the company operating the PBX.
    13.  Phone phreak:  phone phreaks, like computer hackers, are
persons involved in the theft of long-distance services and other
forms of abuse of communications technology, but they often do not
have computer systems.  Rather than communicating with each other
through BBS's, they communicate with each other, and exchange stolen
carrier customer authorization codes and credit cards, either directly
or by means of stolen or "hacked" corporate voice mailboxes.  Phone
phreaks may also set up fraudulent conference calls for the

                                - 9 -

exchange of information.  A phone phreak may operate a "codeline" (a
method of disseminating unauthorized access devices) on a fraudulently
obtained voice mailbox, receiving messages containing stolen credit
card numbers from his co-conspirators, and in turn "broadcasting" them
to those he shares this information with during the greeting (box
owner's message to callers), which can be heard by anyone dialing the
mailbox number.  Phone phreaks and computer hackers sometimes share
information by means of the conference calls and codelines.  Like
computer hackers, phone phreaks also identify themselves by "handles"
or aliases.

                        BACKGROUND OF THE INVESTIGATION

    14.  Over the past several years, the U.S. Secret Service has received
an increasing number of complaints from long distance carriers, credit
card companies, credit reporting bureaus, and other victims of crimes
committed by computer hackers, phone phreaks, and computer bulletin board
users and operators (see Definitions section),  which have resulted in
substantial financial losses and business disruption to the victims.
Because the persons committing these crimes use aliases or "handles", mail
drops under false names, and other means to disguise themselves, they have
been extremely difficult to catch.  They also conspire with many others to
exchange information such as stolen long distance carrier authorization
codes, credit card numbers, and technical information relating to the
unauthorized invasion of computer systems and voice mail

                                - 10 -

messaging computers, often across state or national borders, making
the investigation of a typical conspiracy extremely complex.  Many of
these persons are juveniles or young adults, associate electronically
only with others they trust or who have "proven" themselves by
committing crimes in order to gain the trust of the group, and use
characteristic "hacker jargon."  By storing and trading information
through a network of BBS's, the hackers increase the number of
individuals attacking or defrauding a particular victim, and therefore
increase the financial loss suffered by the victim.
    15.  For all of the above reasons, the U.S. Secret Service established
a computer crime investigation project in the Phoenix field office,
utilizing an undercover computer bulletin board.  The purpose of the
undercover BBS was to provide a medium of communication for persons
engaged in criminal offenses to exchange information with each other and
with the sysop (CI 404-235) about their criminal activities.  The bulletin
board began operating on September 1, 1988 at 11:11 p.m., Mountain
Standard Time, was located at 11459 No. 28th Drive, Apt. 2131, Phoenix,
Arizona, and was accessed through telephone number (602) 789-9269.  It was
originally installed on a Commodore personal computer, but on January 13,
1989 was reconfigured to operate on an Amiga 2000 personal computer.
    16.  The system was operated by CI 404-235, a volunteer paid
confidential informant to the U.S. Secret Service.  CI 404-235 was
facing no criminal charges.  Over the past eighteen

                                - 11 -

months, information by CI 404-235 (see paragraph 16) has consistently
proved to be accurate and reliable.  The Arizona Attorney General's
office executed six search warrants related to affiant's investigation
in 1989 and 1990 (affiant participated in three of these).  Evidence
obtained in those searches corroborated information previously given
to affiant or to George Mehnert, Special Agent of the Arizona Attorney
General's office by CI 404-235.  In over a dozen instances, CI
404-235's information was verified through other independent sources,
or in interviews with suspects, or by means of a dialed number
recorder (pen register).  One arrest in New York has been made as a
result of CI 404-235's warning of planned burglary which did occur at
a NYNEX (New York regional Bell operating company) office.  Throughout
this investigation, CI 404-235 has documented the information provided
to the affiant by means of computer printouts obtained from the
undercover BBS and from suspect systems, and consensual tape
recordings of voice conversations or voice-mail messages.
    17.  Because many of the criminal bulletin board systems require that
a new person seeking access to the telephone code or credit card sections
contribute stolen card information to demonstrate "good faith," when asked
to do so, CI 404-235 has "posted," (left on the system in a message)
Sprint, MidAmerican or ComSystems authorization codes given to affiant by
investigators at these companies for that purpose.

                                - 12 -


                       EVIDENCE IN HACKER CASES

    18.  Computer hackers and persons operating or using computer bulletin
board systems commonly keep records of their criminal activities on paper,
in handwritten or printout form, and magnetically stored, on computer hard
drives, diskettes, or backup tapes.  They also commonly tape record
communications such as voice mail messages containing telephone
authorization codes and credit cards.  On several occasions, affiant
has interviewed George Mehnert, Special Agent, Arizona Attorney
General's office and R.E. "Sandy" Sandquist, Security Manager, U.S.
Sprint, about the types of evidence normally found in connection with
computer/communications crimes.  Both have assisted more than 20
search teams in the execution of search warrants in such cases.  Both
Mehnert and Sandquist stated that because of the sheer volume of
credit card numbers, telephone numbers and authorization codes, and
computer passwords, and other information necessary to conduct this
type of criminal activity, in almost every case, they have found a
large volume of paper records and magnetically-stored evidence at
scenes being searched.  Because of the ease of storing large amounts
of information on computer storage media such as diskettes, in a very
small space, computer hackers and bulletin board users or operators
keep the information they have collected for years, rather than
discarding it.  Mehnert stated that in virtually every
communications/computer crime case he has investigated, the suspect was
found to have records in his possession dating

                                - 13 -

back for years -- Mehnert stated that it is common in such cases to
find records dating from 1985 and sometimes, even earlier.
    19.  Sandquist confirmed Mehnert's experience, stating that hackers
and phone phreaks typically also keep a notebook listing the location of
information especially important to them, for easy access.  Mehnert has
seized several of these "hacker notebooks" in computer/communications
crime cases; they were usually found quite close to the computer system,
or in the hacker's possession.  Both Mehnert and Sandquist stated that it
is common for a person involved in the theft of communications services
(long distance voice or data calls, voice mail boxes, etc.) also to be
involved in the distribution or use of stolen credit cards and/or numbers;
hackers and phone phreaks often trade codes for credit cards, or the
reverse.  Both Mehnert and Sandquist stated that it is common to find
credit card carbons at locations being searched for stolen telephone
authorization codes.
    20.  Both Mehnert and Sandquist also stated other evidence commonly
found in connection with these cases includes telephone lineman tools and
handsets (used for invading telephone company pedestal or cross-boxes and
networks, or for illegal interception of others' communications), tone
generators (for placing fraudulent calls by electronically "fooling"
the telephone network into interpreting the tones and legitimate
electronic switching signals), computer systems (including central
processing unit, monitor or screen, keyboard, modem for

                                - 14 -

computer communications, and printer), software programs and
instruction manuals.  Sysops of bulletin boards also commonly keep
historical backup copies of the bulletin board contents or message
traffic, in order to be able to restore the system in the event of a
system crash, a power interruption or other accident.  An important
piece of evidence typically found in connection with a criminal
bulletin board is the "user list" -- sysops normally keep such a list
on the BBS, containing the real names and telephone numbers of users
who communicate with each other only by "handles."  The user list is a
very substantial piece of evidence linking the co-conspirators to the
distribution of telephone codes and credit cards through the BBS
messages or electronic mail.
    21.  Mehnert and Sandquist stated that it is also common to find lists
of voice mailboxes used by the suspect or his co-conspirators, along with
telephone numbers and passwords to the voice mailboxes.  Many suspects
also carry pagers to alert them to incoming messages.


                              CRIMINAL VIOLATIONS

    22.  Criminal violations may include, but are not limited to, the
following crimes:
    23.  Wire fraud:  18 U.S.C. ~ 1343 prohibits the use of interstate
wire communications as part of a scheme to defraud, which includes
obtaining money or property (tangible or intangible) by a criminal or
the loss of something of value by the victim.  Investigation by your
affiant has determined that

                                - 15 -

the actions of the computer hackers, phone phreaks and bulletin board
operators detected in this investigation defrauded telephone companies
whose customer authorization codes were exchanged through the BBS's)
gained valuable property because their fraud scheme provided them with
telephone customer authorization codes and other access devices which
in turn could be used by them to obtain telephone services and
property which would be charged to the victim companies.  Their scheme
also provided them with access to private branch exchange (PBX)
numbers and codes which could be used to obtain telephone service
which was charged to the victim companies.
    24.  Computer fraud and abuse:  18 U.S.C. ~ 1030 prohibits
unauthorized access to a federal interest computer with intent to defraud.
Intent to defraud has the same meaning as in the wire fraud statute above.
A federal interest computer is defined as "one of two or more computers
used in committing the offense, not all of which are located in the same
state," as well as computers exclusively for the use of a financial
institution or the United States Government, among others defined in the
statute.  This section also prohibits unauthorized access to financial
records and information contained in consumer reporting agency files.
    25.  Access device fraud:  18 U.S.C. ~ 1029 prohibits the
unauthorized possession of 15 or more unauthorized or counterfeit
"access devices" with intent to defraud, and

                                - 16 -

trafficking in authorized access devices with an intent to defraud and
an accompanying $1,000 profit to the violator or loss to the victim.
These prohibitions also apply to members of a conspiracy to commit
these offenses.  Intent to defraud has the same meaning as in the wire
fraud statute above.  "Access devices" includes credit cards, long
distance telephone authorization codes and calling card numbers, voice
mail or computer passwords, and PINS (personal identification
numbers).  An "unauthorized access device" is any access device
obtained with the intent to defraud, or is lost, stolen, expired,
revoked, or cancelled.
    26.  Other offenses:  other federal statutes violated in this case may
include 18 U.S.C. ~ 1962 and 1963 which prohibit the commission of two or
more acts of racketeering (including two or more acts in violation of 18
U.S.C. ~ 1343 and/or 1029), and permits forfeiture of the
instrumentalities used or obtained in the execution of a crime; and 18
U.S.C. ~ 371, the federal conspiracy statute.

                                   PROBABLE CAUSE
                         BULLETIN BOARD SYSTEM 312-528-5020

    27. CI 404-235 has accessed a public electronic bulletin board at
312-528-5020 over three dozen times between 4/7/89 and 12/31/90.  The
most recent access was on 4/28/90.  In the "Phone Phun" subsection of
the BBS, CI 404-235 has regularly seen messages posted by users of the
BBS, which contain long distance carrier customer

                                - 17 -

authorization codes, references to hacking, and to credit cards and
credit bureaus.  This affidavit is in support of a search warrant for
two premises where evidence of the operation of the BBS is expected to
be found.  CI 404-235 provided to affiant copies of messages posted to
the BBS, including the following:


           Numb   12 (54r4q9kl-12)
            Sub   miscellaneous...
           From   DON THOMPSON (#689)
             To   all
           Date   03/17/89  03:55:00  PM


           o.k.:

           1999:   322300       342059
                   366562       344129
                   549259       549296
                   492191       496362
                   422000       549659

    28.  In the above message, "1999" refers to the last four digits of
the local access number assigned to Starnet, a long distance network owned
by ITT Metromedia Communications.  To use such codes, a caller dials the
local access number, the customer authorization code, and the area code
and number to be called.  Marty Locker, ITT Security, verified that the
local access number 950-1999 is Starnet's (Starnet's authorization codes
are six digits long).  Loss figures on the above are unknown.
    29.  On 3/20/89, user #452 "Blue Adept" replies to a previous message,
as follows:


                                - 18 -


Numb   25  (54r4q9kl-25)
 Sub   Reply to: Reply to: Legal expenses
>From   BLUE DEPT (#452)
  To   all
Date   03/20/89 08:42:00 AM

1999 is starnet.  they've busted several people I know.
they live to bust people.  mainly with extraordinarily
large fines.  I've heard of them taking it to court
though.  first person they busted was the
Diskmaster/Hansel.  really cool guy.  hacked em 300
times with the applecat and they busted him.  he didn't

"Hacked em 300 times" refers to the number of times that
"Diskmaster/Hansel" is supposed to have attempted to hack out a Starnet
customer authorization code.  "Applecat" is the name of a modem (computer
communications device) and related software program which automates the
code-hacking process.


Numb  69 (54r4q9kl-69)
 Sub  loop
>From  JOE FRIDAY  (#120)
To    all
Date  03/25/89  07:10:00 PM

IF ANYONE HAS A LOOP FOR THE 404 AREACODE I WOULD APPR.
IT VERY MUCH!!  IF THERE ARE ANY REAL PHREAKS THAT STILL
DO HACK ALOT LEAVE I THINCK YOU MIGHT BENEIFIT FROM IT.

18002370407-8010464006ACN-
8205109251-
IF ANYONE STILL GETS INTO LMOSE LEAVE ME A MESSAGE..

    30.  On 4/17/90 Mark Poms, Director of Security, Long Distance
Service of Washington D.C., verified the following:   1)
1-800-237-0407 is his company's assigned 1-800-line number.
Authorization code 8010464006 has suffered $6,287.22 in fraud

                                - 19 -

losses, and 8205109251 has suffered $970.34 in fraud losses.
    31.  In the above message, "LOOP" refers to a telephone company "loop
around test line".  Hackers commonly exchange information on loops, in
order to be able to communicate with each other without divulging their
home telephone numbers.  If two hackers agree to call a loop number at a
certain time, the loop allows them to speak with each other -- neither
hacker needs to know or to dial the other's telephone number.  "LMOSE"
refers to a type of computer system (LMOS) operated by Bell regional
operating companies (local telephone companies).  This computer system
contains data such as subscriber records, and the LMOS system is solely
for the use of telephone company employees for the purpose of maintaining
telephone service.  (Explanations provided by Bellcore computer security
technical staff member David Bauer.)


Numb  136  (56r5q9kl-136)
 Sub  Suicide?
>From  THE RENEGADE CHEMIST (#340)
To    All
Date  04/18/89  05:33:00 PM



9501001
074008
187438
057919
068671
056855
054168
071679

                                - 20 -


    32.  On 3/20/90 Karen Torres, MidAmerican Communications, a long
distance carrier which a local access number of 950-1001 as valid
MidAmerican customer authorization codes.  She advised that all but the
invalid code were terminated "due to hacking".

     950-1001
074008    Valid code, no loss
187438    Valid code, no loss
057919    Invalid
068671    Valid code, no loss
056855    Valid code, no loss
054168    Valid code, no loss
071697    Valid code, no loss


Numb  109  (53r3q0k2-109)
 Sub  Reply to: Reply to: Reply to: Reply to:
          Reply to:  John Anderson
>From  BRI PAPE (#22)
To    ALL...
Date  06/28/89  05:31:00 AM

ANOTHER valid code..


AND A DIVERTER...

215-471-0083..(REMAIN QUIET)

    33.  950-0488 is the local access number for ITT Metromedia
Communications, according to Marty Locker, ITT Security.  Fraud
losses, if any, on this customer authorization code are unknown.
    34.  On 4/16/90, Kathy Mirandy, Director of Communications,
Geriatrics and Medical Center Incorporated,

                                - 21 -

United Health Care Services, in Philadelphia, PA, verified that
1-215-471-0083 is her company's telephone number.  She stated that
between 12/28/88 and 5/15/89, her company suffered a fraud loss of
$81,912.26 on that number.  In the above message,
"diverter" refers to a common hacker/phone phreak term for a means of
placing telephone calls through a telephone facility which belongs to
someone else.  The hacker "diverts" his call through the other
facility, and if the outgoing "diverted" call is a long distance call,
the owner of the facility is billed for the call as though it
originated from the victim telephone facility.
    35.  On 7/3/89, CI 404-235 accessed the BBS and observed the
following message, a copy of which was provided to the affiant:


Numb  137  (56r3q0k2-137)
 Sub  dib.
>From  POWER ASSIST  (#524)
To    *
Date  07/02/89  12:01:00 AM

Divertors:   1800 543 7300
                  543 3300

I'm not sure if this is a 800 to 800 : 800 777 2233

    36.  On 4/18/90 Delores L. Early, Associate General Counsel of the
Arbitron Company, Laurel, Maryland, verified that 1-800-543-7300 is
listed to her company.  She advised that her company suffered a direct
fraud loss by October, 989 of $8,100 on that line, as well as
additional expenses in the form of the installation of "an elaborate
security procedure to prevent this

                                - 22 -

type of fraudulent use," and lost employee time in identifying and
correcting the problem.  "800 to 800" refers to whether the "divertor"
posted in the above message can be used to call out to another 800
number.


Numb  113 (53r6q0k2-113)
 Sub  Codes
>From  BLUE STREAK  (#178)
  To  ALL
Date  07/26/89  05:05:00  AM

Here is a code:
1800-476-3636
388409+acn


950-0266
487005
8656321
6575775
oops first one is 4847 not 487

Blue Streak.

Blee blee blee thats all pholks.

    37.  On 4/2/90, Dana Berry, Senior Investigator, Teleconnect (a
division of Tele*Com USA, a long distance carrier), verified that 1-800-
476-3636 code 388409 is her company's authorization code and it has
suffered a fraud loss of x176.21 {transcrib. note: portion of dollar
figure (first digit) is illegible on copy of affidavit}
    38.  On 4/20/90, Christy Mulligan, ComSystems Security, whose company
is assigned the local access number 950-0266, verified the following:

                                - 23 -

              1) 4847005         $2,548.75 loss due to fraud
              2) 8656321         $2,000.00 loss due to fraud
              3) 6575775         $  753.61 loss due to fraud



Numb   122  (57r3qlk2-122)
 Sub   TRW
>From   NEMESIS TKK (#311)
To     Garth
Date   09/30/89  04:01:00 AM

       I have no ideas about accessing TRW through
any type of network, but,m you cal dial TRW directly
(although you will probably want to code out..Even if
format has changed or anything in the past 5 years.. its
still db idpw first, ast, etc...So anyway, if you do
know how to use it,you can get at it from that number.


    39.  In the above, "Nemesis" gives a telephone number in area code 602
(Arizona) for TRW.  "Code out" refers to using a stolen customer
authorization code ("if only to save yourself the fone bill") to call the
TRW number.  The format for getting in to the TRW computer that he gives
Marianne Birkinshaw, TRW investigator advised that the telephone number
posted in the message is "a legitimate telephone number into TRW's
database".


Numb   138  (57r4q2k2-138)
 Sub   5
>From   Chris X  (#134)
To     PEOPLE WHO HAVE OR HACK CODEZ
Date   01/22/90  05:54:00 PM

                                - 24 -


Dear Anyone,

          I am in desperate need of a code.   SOMEONE
PLEASE Post a code with a dialup and the format the code
must be entered.  I will be ever so greatful.  PLEASE
HELP!!!


                                        Max Man - Chris X

    40.  In the above, user #134 asks for a code (customer authorization
code), "dialup" (the local access or 800 number through which the code may
be used), and the format (the order in which code, area code and number
must be dialed in order to place a call on the particular network).



Numb  146
 Sub  Here's your code beggar
>From  POWER ASSIST (#524)
To    beggars
Date  01/23/90  12:40:00  AM

950-0266

6552513   1564844

probably die before you use it.
  -PA

    41.  On 4/19/90, John Elerick, ComSystems Security, verified that the
codes posted with his company's local access number (950-0266) in the
above message are valid; 6552513 has suffered $185.31 in fraud loss, and
it" refers to the code -- customer authorization codes "die" when they are
deactivated or cancelled by the carrier.

                                - 25 -


    42.  On 1/26/90, CI 404-235 again accessed the BBS and observed the
following message, a copy of which was provided to the affiant:


Numb  147  (50r5q2k2-147)
 Sub  ALL
>From  THE SILENCER (#269)
To    ALL
Date  01/25/90  08:26:00 PM

YO...UMM...WHO ASKED FOR CARDS? hahahahah that is
pretty pathetic..god.  If you want Credit Cards get
your own.  One step closer to safe carding....getting
cc's off bbs's is the most disgusting thing I've ever
heard...use TRW..use
CBI...trash...steal...pickpocket....but dont get em off
a bbs...jeez..
0266 working:1593527
lets hope that this dies real fast so the REAL phreaks
will be left alone by the leacherz...heheheh

                     - Silencer

    43.  In the above message, "carding" is a common hacker/phone phreak
term which refers to the fraudulent use of credit cards or credit card
numbers to obtain merchandise which will be billed to the cardholder.
"The Silencer" advises "all" users on the BBS to use TRW, or CBI (both
national credit bureaus) or to "trash" (the practice of obtaining credit
card numbers and related information from receipts or carbons discarded in
trash -- sometimes also referred to as "dumpster diving"), steal or
pickpocket, but not to get them (credit cards) from a bulletin board
system. He then gives a ComSystems code identified by the last
four digits (0266) of the ComSystems local access number.  "Leacher"
is a common hacker insult for those BBS

                                - 26 -

users who copy codes, credit cards, or software from a BBS but do not
contribute their share.
    44.  On 4/13/90, John Elrick, ComSystems Security, verified that
1593527 is a valid customer authorization code which has suffered
$27,353.34 in fraud loss.
    45.  It should be noted that in message #138 above, dated 1/22/90,
Chris X asked for codes.  On 1/26/90 the following followup
message was noted by CI 404-235:


Numb  149  (50rq2k2-149)
 Sub  Credit Card's for Codez
>From  Chris X (#134)
To    ALL
Date  02/26/90  07:43:00 AM

Okay,
     Tell ya what.  I will exchange any amount of credit
cards for a code or two.  You name the credit limit you
want on the credit card and I will get it for you.  I do
this cause i go to ganitorial work at night INSIDE the bank
when no one is there..... heheheheheh

    46.  On 1/30/90, Zimmerman left a message on the BBS for CI 404-235,
stating that he "will be ready to exchange your codez for cards.  I have
got 2 right now.  1 witch contains a $1500 credit limit and the other
containing a $2200 credit limit.  I will 'steal' some more when I go to
the bank this weekend.  Talk to ya tomorrow..."  On 1/31/90 CI 404-235
gave Chris X Sprint Customer authorization code 25259681433275,
provided to affiant by U.S. Sprint Regional Security Manager R.E.
Sandquist for this purpose.  On 3/18/90 in a computer-to-computer

                                - 27 -

conversation (not on the BBS), Chris X gave CI 404-235 a list of
ten (10) credit card numbers with names, addresses, credit limits, and
expiration dates.  All of the credit cards appear to be issued in
Illinois.  Zimmerman told CI 404-235 that all of the cards "belong" to
Consumers Co Op Credit Union.
    47.  On 4/28/90, CI 404-235 again accessed the BBS and provided
printouts of messages which he observed on the BBS.  In one, dated
3/27/90, "Scott Sxxxxx", user #160, offered to trade "virgin" credit
cards (newly acquired and not yet used for fraudulent purposes) for AT&T
cards (calling card numbers), PBX's (see Definition section above) or
numbers that will call overseas.  In a message dated 4/17/90, "SLI FOLKS",
user #572, stated that he was calling from Edmonton, Canada, "using a
stolen account on Datapac for this call" (Datapac is a data communications
carrier).  He tells "all" users that he has access to phone rooms for two
apartment buildings "which gives me access to several hundred phone lines.
new bpox that lets me get free LD on someone elses line frommy house.  So
I hope you guys can teach me some stuff."  On 4/24/90, Chris X
left another message to "anyone" offering to trade credit cards and codes
for information on how to get "information on a non-published person.  It
can be found if you have a persons phone number and want a name and
address or vice-versa."  (He is referring to obtaining non-published
subscriber information maintained by the telephone companies.)

                                - 28 -

    48.  In attempting to locate the BBS which operates on telephone
number 312-528-5020, affiant has discovered several significant facts
which appear to indicate that an attempt has been made to disguise the
actual location of the BBS.  These facts, and the sources for them, are
detailed below.  In summary, the BBS telephone line is listed to an
address as one of its facilities, the BBS telephone line ends at an
Illinois Bell junction box where a non-Illinois Bell (unauthorized) line
leads from the BBS line to an apparent retail/office structure at another
address.  The BBS telephone bills are sent to a post office box opened in
the corporate name, but the applicant, who is not listed as an officer of
the corporation, described himself in a police report as "self-employed".
A second, unlisted, telephone line, billed to the post office box
applicant's home address, is installed at the retail/office structure
where the non-Illinois Bell (BBS) line also leads.
    49.  Illinois Bell telephone records show that the BBS telephone
number 312-528-5020 is subscribed to by Mxxx Xxxxxx, Inc., xxxx West
Belmont, xxxx xxx, Chicago, Illinois.  The bills for this service are
sent in the name of Mxxx Xxxxxx, Inc., at P.O. Box xxxx, Chicago,
Illinois, 60618-0169.  The BBS line was installed on December 1, 1982.
    50.  In April of 1989, Sgt. Abigail Abraham, Illinois State Police,
conducted an investigation of the bulletin board

                                - 29 -

system at telephone number 312-528-5020.  She checked directory
assistance, and both white and yellow-page telephone directories:
although she found several telephone numbers and addresses for Micro
Repair, Inc., 312-528-5020 and xxxx West Belmont were not among them.
She investigated the purported BBS site, and determined that xxxx West
Belmont, xxxx xxx, Chicago, Illinois, does not exist.  She reported
that at xxxx W. Belmont, there is a structure which would incorporate
the address of xxxx W. Belmont.  Sgt. Abraham had a telephone company
repairman check the physical junction pole: they discovered that the
312-528-5020 line ran from the phone via a non-Illinois Bell
(unauthorized) connection to a building at xxxx N. Clybourn, Chicago,
Illinois.  This building appears to be a retail/office structure, at
which, according to SA Conway, Secret Service Chicago field office, as
of 4/16/90 "there is nothing to indicate that there are any businesses
operating out of xxxx N. Clybourn, Chicago, Illinois."  It is a one
story section of a larger one-and-two story building which is "V"
shaped, fronting on both Clybourn and Belmont Avenues.  The third leg
of the larger building (southeast side) fronts on a parking lot, with
a fenced courtyard section off the parking lot.  The xxxx address is
approximately the last thirty feet at the south end of the Clybourn
side of the building.

                                - 30 -

    51.  Illinois Bell records show that a non-published telephone line is
installed at xxxx N. Clybourn, which is 312-xxx-xxxx.  Per Sgt. Abraham,
the subscriber is Bruce Xxxxxxxxxxx, xxxx N. Lawndale, Chicago, Illinois and
the bills are mailed to Fred Xxxxxxxxxxx at the same address.  Telephone
service for 312-xxx-xxxx was installed at xxxx N. Clybourn on January 1,
1982.
    52.  On April 26, 1989, Sgt. Abraham wrote down all of the vehicle
license plates parked in the parking lot next to xxxx N. Clybourn and
those parked immediately in front of it.  PTxxxx, which was a 1987, four-
door Ford, was registered to Bruce Xxxxxxxxxxx, xxxx N. Lawndale, Chicago,
Illinois.
    53.  On 4/5/90, the Secret Service office in Chicago was notified by
the Illinois Department of Revenue that there are no business
licenses for xxxx N. Clybourn, Chicago, Illinois, nor are there any
licenses issued to Bruce Xxxxxxxxxxx.
    54.  On 4/2/90 the Illinois Secretary of State, Corporation Division,
advised that Martin and Wendy Gilmore are the only officers for Micro
Repair listed on its Illinois Articles of Incorporation.
    55.  On 4/3/90, the Chicago Postal Inspector's Office informed the
Secret Service office in Chicago that the billing address for telephone
number 312-528-5020 (the BBS) is Post Office Box xxxx and is open in the
name of Mxxx Xxxxxx.  The name of the person who made the application for
the post office box is Bruce Xxxxxxxxxxx, xxxx N. Lawndale, Chicago, Illinois,

                                - 31 -

telephone number 312-xxx-xxxx.  Identification used to open the
box was Illinois Driver's License exxx-xxxx-xxxx (per the Illinois
Secretary of State this license is that of Bruce Xxxxxxxxxxx), and according
to Sgt. Abraham, his license address is also xxxx N. Lawndale.
    56.  To the rear of the property where xxxx N. Clybourn is located,
there is an antenna and a satellite dish.  SA William P. Conway of the
Chicago field office contacted the Coast Guard for assistance in
determining the latitude and longitude of the satellite antenna.  On
4/3/90, the Coast Guard Air Operations Duty Officer at the Glenview Naval
Air Station, Chicago, Illinois, advised that the Belmont/Western/Clybourn
intersection, Chicago, Illinois, has a latitude of 41 degrees, 56 minutes,
9 seconds north, and a longitude of 87 degrees, 41 minutes, 5 seconds
west.  With that information, SA Conway was able to obtain assistance from
the Federal Communications Commission in determining the owner of the
satellite antenna.  Will Gray, of the Chicago FCC office, advised that the
FCC license for the antenna (which is mounted on a tower located in the
fenced courtyard section of the larger building of which xxxx N. Clybourn
is a part) is registered to the American United Cab Company at xxxx N.
Belmont.  The satellite dish is affixed to the rear of xxxx N. Clybourn.
Mounted on the tower are two closed circuit cameras.  The first camera is
located approximately 20 feet above the ground, the second camera is
approximately 45 feet above the ground.
    57.  Chicago Police Department General Offense Report #Mxxxxxx, dated
3/13/89, lists Bruce Xxxxxxxxxxx as the victim, with the address of
occurrence listed as xxxx N. Clybourn, Chicago, Illinois.  Xxxxxxxxxxx
reported that his car window was broken by two subjects.  Per this police
report, Xxxxxxxxxxx states that he watched on a closed circuit security
camera as the two subjects entered the parking lot adjacent to xxxx N.
Clybourn, and broke his automobile window.  Xxxxxxxxxxx told the officers
that the cameras are used for parking lot security, due to "breakins".
This incident took place at 2:30 PM.  The report lists Xxxxxxxxxxx's
residence address as xxxx N. Lawndale, Chicago, Illinois, his home phone
number as 312-xxx-xxxx (that telephone number is listed to Fred Xxxxxxxxxxx
at the xxxx N. Lawndale address, according to Sgt. Abraham), and his work
phone number as 312-xxx-xxxx (the unlisted line billed to his residence).
He stated that he is self-employed.
    58.  On 4/5/90, the Chicago Office of the Secret Service requested
Rolonie Kwasny, Security Supervisor, Illinois Bell Telephone to verify
that there are no other authorized or unauthorized telephone lines into
xxxx N. Clybourn other than 312-528-5020 and 312-xxx-xxxx.
    59.  On 4/6/90, Kwasny notified the Chicago Office that early on that
date the xxxx N. Clybourn address was checked.  The larger building of
which xxxx N. Clybourn is part, is serviced by 13 working phone lines
through the box attached to the Belmont Side of the building, which also
services the xxxx address.
    60.  The only authorized phone line to the xxxx address is 312-xxx-xxxx
(the number Bruce Xxxxxxxxxxx gave as his business number in the police
report).  The only other phone line (unauthorized) into the xxxx address
is bulletin board number 312-528-5020, the line which leads from the
junction box to the building.  Kwasny advised that this type of hookup
required no special knowledge.
    61.  Affiant has interviewed Sandquist, Mehnert, and CI 404-235, all
of whom have operated electronic bulletin boards themselves.  All three
advised affiant that the sysop of a BBS must continuously perform a great
many maintenance or "housekeeping" chores necessary to operation of the
BBS.  A sysop's maintenance functions include constantly making changes on
the BBS, such as adding or removing users, raising or lowering users'
level of access, removing files or programs uploaded to the BBS (added to
the system by a user).  If a user places a virus or logic bomb which could
disrupt the functioning of the BBS, for example, on the sysop's computer,
the sysop can remove it.
    62.  Since many BBS's (including this one) operate 24 hours a day,
for the convenience of sysops, BBS software allows many of these
functions to be performed from what is called "remote" locations,
i.e., by the sysop using another computer, over the telephone line to
the BBS.  If the BBS is operating at a
business address, for example, the sysop can perform his maintenance
functions at night or any other time from his residence or from any
other location where he has a computer, modem, and telephone
communication to the BBS.  BBS users commonly communicate directly
with the sysop on the BBS, either in "chat" mode or by leaving him
electronic mail (see Definitions section, above).  A BBS sysop is
essentially "on call" during the entire time the BBS is in operation,
to solve equipment/software problems or interruptions to the operation
of the BBS, for the supervision of users, and to communicate with
them.  Operating a BBS is extremely time-consuming, according to
Mehnert, Sandquist, and CI 404-235.
    63.  CI 404-235 advised affiant that, when he logs on to the BBS, he
sees a screen in which the first two lines advise that connection has
been made to the BBS, the third line lists the baud rates, or speeds, at
which a user may communicate with the BBS, and the fourth line states "On
line since 12/10/83".  This indicates that approximately one year after
the 312-528-5020 number was subscribed to by Bruce Xxxxxxxxxxx, the BBS began
operating.  As of 4/29/90, all attempts to locate any residence for Bruce
Xxxxxxxxxxx other than that listed on his driver's license, auto
registration, post office box application, and subscriber records for
telephone number 312-xxx-xxxx, have been negative.  Therefore, it appears
that his residence address is xxxx N. Lawndale, Chicago, Illinois.
    64.  The telephone bills for the unlisted line (312-xxx-xxxx) which is
installed in the xxxx N. Clybourn building where the unauthorized BBS line
(312-528-5020) leads, are mailed to the same address, xxxx N. Lawndale,
Chicago, Illinois, to Fred Xxxxxxxxxxx.
    65.  If the sysop is accessing the BBS from his residence, it is
likely that evidence of the sysop's identity and evidence relating to the
operating of the BBS will be found on a computer system at the residence,
or on diskettes, printouts, and other records at the residence.  The
telephone bills for the unlisted number are also likely to be found at the
residence, along with financial records such as cancelled checks or
receipts, which will assist in identifying the individual who paid them.
    66.  At the xxxx N. Clybourn address, evidence of the connection of
the BBS equipment to the 312-528-5020 telephone line, and evidence
relating to the operation of the BBS, are expected to be found.  Entry
into the premises at this location, and physical inspection, are necessary
in order to determine whether the 312-xxx-xxxx line is also connected to
the BBS.
    67.  Based upon all of the foregoing, affiant believes that evidence
of violations of 18 U.S.C. §§ 1343, 1030, 1029, 1962, 1963, and 371, will
be found at xxxx N. Lawndale, Chicago, Illinois, and at xxxx N. Clybourn,
Illinois, such evidence consisting of:
    68.  Electronic data processing and storage devices, computers and
computer systems including central processing units; internal and
peripheral storage devices such as fixed disks, floppy disk drives and
diskettes, tape drives and tapes, optical storage devices or other memory
storage devices; peripheral input/output devices such as keyboards,
printers, video display monitors, optical readers, and related
communications devices such as modems; together with system documentation,
operating logs and documentation, software and instruction manuals.
    69.  Telephone equipment such as lineman's handsets, memory
telephones, automatic dialers, programmable telephone dialing or
signalling devices, electronic tone generating devices.
    70.  Records pertaining to ComSystems, ITT and other long distance
companies' access numbers and customer authorization codes; credit card
numbers; telephone numbers for computer bulletin boards, voice mail
systems, and corporate computer systems; PBX codes and related telephone
numbers; records and information related to the unauthorized access into
computer systems or to the sale, sharing, or other distribution of long
distance companies' access numbers and customer authorization codes,
credit card numbers, including financial records, receipt of payments,
worksheets, correspondence, memoranda, computer bulletin board downloads
or messages, and other documentation.
    71.  Records pertaining to Mxxx Xxxxxx Inc., to Post
Office box number xxxx, telephone bills for 312-528-5020 and to
312-xxx-xxxx from 1982 to the present date, bank account records
including statements and cancelled checks for Bruce Xxxxxxxxxxx from 1982
to the present date, business records relating to the occupancy of the
xxxx N. Clybourn premises, including rent/mortgage payment receipts,
rental or mortgage contracts, utility bills and proof of payment, and
records pertaining to the purchase, ownership, and maintenance of the
BBS computer system and software.
    72.  All of the above records, whether stored or on paper, on magnetic
media such as tape, cassette, disk, diskette, or on memory storage devices
such as optical disks, programmable instruments such as telephones,
"electronic address books", programmable wristwatches, calculators, or any
other storage media, together with the indicia of use, ownership,
possession or control of all of the above property or records, including
bills, letters, identification, personal effects, memoranda, and other
documentation.
    73.  Since much of the above-described evidence is likely to be found
in electronic form or machine-readable media which cannot be read or
analyzed by affiant in its present form,
affiant requests authorization to seize, listen to, read, review, and
maintain the above described property and records and to convert the
above records to human-readable form as necessary.


                                 (Signature/G. Kirt Lawson)
                                   Affiant



               Subscribed and Sworn before me this 30th day of
       APRIL, 1990.
                        (signature) Cynthaia M. Penumire (??illegible)
                                    Notary Public



My Commission Expires (illegible)



9865e/


                       ---end of documents-----