					 Case 2:11-cr-00470-SDW Document 58 Filed 10/19/12 Page 1 of 14 PageID: 313


                                                     U.S. Department of Justice

                                          United States Attorney
                                          District of New Jersey
____________________________________________________________________________________

                                                     970 Broad Street, Suite 700             973/645-2700
                                                     Newark, NJ 07102



                                                      October 19, 2012



Hon. Susan D. Wigenton
United States District Judge
Martin Luther King Jr. Federal Building & Courthouse
50 Walnut Street
Newark, NJ 07102

       Re: United States v. Andrew Auernheimer, Crim. No. 11-470

Dear Judge Wigenton:

       Please consider this letter in lieu of a more formal brief in support of the government’s

motion to introduce evidence relating to two computer exploits perpetrated by defendant Andrew

Auernheimer’s computer “security research” organization: one in or around January 2010 (the

“Firefox Exploit”) and the second in or around March 2010 (the “Safari Exploit”). This evidence

is intrinsic to proving that the defendant conspired, with other members of his “security research”

organization, to access protected computers without authorization, contrary to 18 U.S.C. §

1030(a)(2)(c), as charged in Count 1 of the Superseding Indictment. It also explains the motive

behind the crime charged in this Count, which is always relevant to any criminal charge.

Alternatively, even if not intrinsic, this evidence is admissible under Federal Rule of Evidence

404(b) to prove defendant Auernheimer’s motive and plan.



A. Evidence of the Firefox Exploit and the Safari Exploit is intrinsic to proving the
existence of the charged conspiracy, and defendant’s participation in that conspiracy.

       Where the acts in question are intrinsic to the crimes charged, the requirements of Rule

404(b)[1] are not applicable. See Fed. R. Evid. 404(b), Advisory Committee Notes to 1991

Amendment (Rule 404(b) “does not extend to evidence of acts that are ‘intrinsic’ to the charged

offense”) (quoting United States v. Williams, 900 F.2d 823 (5th Cir. 1990)); see Huddleston v.

United States, 485 U.S. 681, 685 (1988) (Rule 404(b) applies only to “extrinsic acts”); United

States v. Gibbs, 190 F.3d 188, 217-18 (3d Cir. 1999) (Rule 404(b) “does not apply to evidence of

uncharged offenses committed by a defendant when those acts are intrinsic to the proof of the

charged offense”).

       Evidence is intrinsic in two circumstances – “if it ‘directly proves’ the charged offense,”

or if it constitutes “uncharged acts performed contemporaneously with the charged crime,” which

“may be termed intrinsic if they facilitate the commission of the charged crime.” United States v.

Green, 617 F.3d 233, 248-49 (3d Cir. 2010) (internal quotation marks and citation omitted). In

conspiracy cases like the instant case, the “intrinsic/extrinsic issue [is] easy to resolve,” because

“under Third Circuit precedent, acts are intrinsic when they directly prove the charged

conspiracy.’” Id. at 248 (internal quotation marks and citations omitted). Other courts have held

that the admissibility of intrinsic evidence “turns on whether the evidence . . . provide[s] the jury


       [1] Federal Rule of Evidence 404(b), in pertinent part, provides:

                 Other Crimes, Wrongs, or Acts.–Evidence of other crimes,
                 wrongs, or acts is not admissible to prove the character of a person
                 in order to show action in conformity therewith. It may, however,
                 be admissible for other purposes, such as proof of motive,
                 opportunity, intent, preparation, plan, knowledge, identity, or
                 absence of mistake or accident . . . .




with a complete story of the crime [on] trial . . . or whether it tends to prove any element of the

charged crime.” United States v. Murray, 89 F.3d 459, 463 (7th Cir. 1996) (internal quotation

marks and citation omitted). Moreover, “[t]he policies beneath [Rule 404(b)] are simply

inapplicable when some offenses committed in a single criminal episode become ‘other acts’

because the defendant is indicted for less than all of his actions.” United States v. Walker, 148

F.3d 518, 528 (5th Cir. 1998); United States v. Butcher, 926 F.2d 811, 816 (9th Cir. 1991).

        In this case, the Government must prove, as an element of Count 1, that a conspiracy

existed, and that the conspiracy had certain objects. The Superseding Indictment alleges that one

object of the conspiracy was to increase the notoriety of defendant Auernheimer’s group, “Goatse

Security,” and help market defendant Auernheimer and other Goatse Security members as a

legitimate group of “security researchers.” Moreover, the Government is entitled to demonstrate

what motivated the conspirators to act as they did. Here, the object of the conspiracy and the

motive for the crime substantially overlap: the object of the conspiracy – the goal – is also what

motivated defendant Auernheimer’s actions in furtherance of the conspiracy. Whatever the label,

however, evidence relating to the Firefox Exploit and the Safari Exploit is crucial to both issues,

and is therefore intrinsic.

        Count 1 of the Superseding Indictment charges defendant Auernheimer with conspiring

with other members of Goatse Security to steal approximately 114,000 e-mail addresses and

ICC-IDs from iPad users (the “iPad Breach”). The Superseding Indictment alleges that one of

the objects of the conspiracy was for defendant Auernheimer and Goatse Security “to create

monetary and reputational benefits for themselves.” United States v. Auernheimer, Crim. A. No.

11-470 (SDW), Dkt. No. 24, at Count 1 ¶ 6.





       The Firefox Exploit and the Safari Exploit “explain[] the circumstances surrounding” the

charged conduct, because the three exploits – together – show that the group engaged in a

conspiracy to access computers without authorization to gain notoriety for themselves. With the

publicity from their various computer exploits, Goatse Security members sought to market

themselves as computer “security researchers.” Indeed, defendant Auernheimer’s own words so

closely tie the Safari Exploit and the Firefox Exploit to the conspiracy that if this evidence is

excluded, numerous exhibits would have to be redacted, because defendant Auernheimer writes

and speaks of these exploits so often in connection with the charged conspiracy.

       After forming in or around the beginning of 2010, Goatse Security created and publicized

all three exploits – Firefox, Safari, and iPad – in just five months. The Safari Exploit, and the

Firefox Exploit, tend to prove that the conspiracy existed, and that the object of that conspiracy

was to build the brand of Goatse Security. This is a critical element that the Government must

prove to obtain a conviction on Count 1, and therefore the evidence relating to these exploits

“tends to prove an[] element of the charged crime.” Murray, 89 F.3d at 463.

       The Government is prepared to offer a number of items into evidence, which will show

that the Safari Exploit and the Firefox Exploit “directly prove[]” the existence of a conspiracy,

and the object of that conspiracy, as is required for Count 1. Green, 617 F.3d at 249.

       As one example, Goatse Security maintained a website, which was updated during the

period charged in the Superseding Indictment. (Gov’t Ex. 1003). Companies often maintain web

sites to raise their profile and to advertise their services, and the Goatse Security web site was no

exception. The Goatse Security website is a critical piece of evidence tending to show the

existence of a conspiracy among Goatse Security members, and the structure of the website





demonstrates Goatse Security’s methods and objectives. The website included a motto, “Gaping

Holes Exposed,” which tends to show that the Goatse Security members were dedicated to

finding and publicizing security vulnerabilities. Beneath the corporate logo and motto, the

website included contact information for clients who might be interested in Goatse Security’s

services. Then, directly underneath the contact information, the website listed three “Goatse

Security Advisories.” These three are, in reverse chronological order, the iPad Breach, the Safari

Exploit, and the Firefox Exploit. Below the listing of the three exploits, the Goatse Security

website listed the members of Goatse Security, and a short biographical sketch for each.

Defendant Auernheimer was the first member listed, and the list included Daniel Spitler, who has

pled guilty in connection with this case. Each of the biographical sketches touted that member’s

computer-related bona fides, such as the computer languages in which the member was

proficient, or the types of computer attacks the member was capable of conducting. Goatse

Security’s website listed all three exploits, and trumpeted the capabilities of its members, for a

clear purpose: to increase their credibility as a “security research” group, to show potential

clients what the Goatse Security members were capable of, and therefore to raise their profile

among potential clients, members of the security research community, and members of the

media. This evidence is relevant to proving the object of the conspiracy, and to prove what

motivated the co-conspirators. Accordingly, evidence relating to the Firefox Exploit and the

Safari Exploit is intrinsic to Count 1.

       Other evidence, too – in the form of defendant Auernheimer’s own words – demonstrates

that the Safari Exploit and the Firefox Exploit will help to “explain[] the circumstances

surrounding” the iPad Breach. Murray, 89 F.3d at 463. The iPad Breach generated a tremendous





amount of publicity for defendant Auernheimer and his co-conspirators at Goatse Security.

Defendant Auernheimer used these media opportunities to link the iPad Breach with the Safari

Exploit and the Firefox Exploit – all as sophisticated “security research” work done by Goatse

Security, which was available for hire. For example, on or about June 10, 2010, during the

period of the conspiracy charged in the Superseding Indictment, defendant Auernheimer gave an

interview to Elinor Mills of the website CNET, and discussed the Safari Exploit while touting

Goatse Security’s bona fides. (Gov’t Ex. 1001.) Mills asked, “What is your group exactly? A

consulting firm that companies hire to test their security?” Defendant Auernheimer responded,

“Absolutely. We accept consultancies from a number of parties and we’re open to new

arrangements and we enjoy doing interesting research. We have compelling stuff. We have

some of the smartest people in the world on our team.” (Id.) Later, defendant Auernheimer

stated, “Our results and research speak for themselves. The last thing we publicly released – we

don’t disclose the majority of our work – but the [Safari Exploit] was a neat bug. And I am

proud of our team and I think we do great work.” (Id.) So, during the period charged in the

Superseding Indictment, defendant Auernheimer is directly tying the Safari Exploit to Goatse

Security as an example of the “great work” that Goatse Security accomplished, in a public

statement designed to raise the profile of Goatse Security as much as possible – one object of the

charged conspiracy.

       These are only a couple of the numerous instances where defendant Auernheimer himself,

in e-mails and interviews, uses the Safari Exploit and the Firefox Exploit as part of Goatse

Security’s effort to market themselves, and thus connects these exploits to one of the objects of

the conspiracy charged in Count One – “to create monetary and reputational benefits for





themselves.” United States v. Auernheimer, Crim. A. No. 11-470 (SDW), Dkt. No. 24, at Count

1 ¶ 6.

         While it is true that the Superseding Indictment charges a conspiracy of only limited

duration – from on or about June 2, 2010 through on or about June 15, 2010 – this should not

prevent the Court from finding that the Firefox Exploit and the Safari Exploit provide evidence

that tends to prove the existence of the charged conspiracy, and Auernheimer’s role in it. After

all, as noted above, evidence is frequently held to be intrinsic if the “defendant is indicted for less

than all of his actions.” Walker, 148 F.3d at 528. See, e.g., United States v. Fitzgerald, 264

F.R.D. 130, 132-33 (D. Del. 2010) (holding admissible, as intrinsic, evidence of defendant’s

ongoing relationship with members of conspiracy, because “[a]lthough the events that will be

testified to took place before the charged conspiracy period, they go directly to proving an

ongoing conspiracy that included the charged period”). If the Court finds, however, that

evidence of the Firefox Exploit and the Safari Exploit does not tend to prove an element of the

crime charged in Count 1, then in the alternative, the Court should find that evidence of these

two exploits is relevant and admissible pursuant to 404(b) to prove defendant Auernheimer’s

motive and plan.

B. Evidence relating to the Firefox Exploit and the Safari Exploit is admissible under Rule

404(b) as proof of motive and plan.

         Assuming, arguendo, that the Court finds that the Firefox Exploit and the Safari Exploit

evidence is not intrinsic to the crimes charged in the Superseding Indictment, the evidence should

still be admitted under Rule 404(b) to establish motive and plan. For evidence to be admissible

under Rule 404(b), it must (1) have a proper purpose, (2) be relevant, (3) not be substantially





more prejudicial than probative, and (4) be accompanied by a limiting instruction (if requested by

the defendant). United States v. Cross, 308 F.3d 308, 320 (3d Cir. 2002); see also United States

v. Queen, 132 F.3d 991, 997 (4th Cir. 1997).

       Evidence offered under Rule 404(b) is proper and relevant if it is probative of a material

issue other than character. See Cross, 308 F.3d at 321 (quoting Huddleston v. United States, 485

U.S. 681, 685 (1988)); Queen, 132 F.3d at 997 (holding that evidence of prior bad acts is

generally admissible except when offered to prove “the character of a person in order to show

conformity therewith”). Accordingly, Rule 404(b) is “a rule of inclusion,” United States v.

Sriyuth, 98 F.3d 739, 745 (3d Cir. 1996), and the Third Circuit “favor[s] the admission of” Rule

404(b) evidence “if relevant for any purpose other than to show a mere propensity or disposition

on the part of the defendant to commit the crime,” United States v. Johnson, 199 F.3d 123, 128

(3d Cir. 1999) (emphasis added) (internal citation omitted); see United States v. Bergrin, 682

F.3d 261, 278 (3d Cir. 2012). Where, as here, motive and plan are at issue, admission of prior

acts is regularly admitted to prove that element. See Queen, 132 F.3d at 995 (citing Sparks v.

Gilley Trucking Co., 992 F.2d 50, 52 (4th Cir. 1993)). Moreover, evidence is not excluded under

Rule 403 merely because the danger of unfair prejudice is greater than its probative value—the

prejudice must “substantially outweigh” the probative value. See Cross, 308 F.3d at 323

(opining that where evidence is highly probative, a large risk of prejudice is acceptable).

       Rule 404(b) is designed to prevent defendants from being convicted because they possess

bad character. See Queen, 132 F.3d at 996. Likewise, Rule 404(b) protects defendants from

being convicted of prior acts rather than the crimes alleged in the indictment and guards against

juries becoming confused by the introduction of the prior acts. See id. Rule 404(b) also protects





against “trial by ambush,” preventing prosecutors from introducing evidence of prior acts

“spanning one’s entire lifetime.” Id.

       Although Rule 404(b) protects against these dangers, the rule also recognizes that

“extrinsic acts evidence may be critical to the establishment of the truth as to a disputed issue.”

Queen, 132 F.3d at 996 (citing Huddleston, 485 U.S. at 685). The more similar the act, the more

relevant the act in establishing defendant’s intent and the less danger that defendant will be

convicted for bad character. See id.

       Moreover, the Third Circuit has held squarely that “Rule 404(b) evidence is especially

probative when the charged offense involves a conspiracy,” and “[f]or this reason, the

Government has broad latitude to use ‘other acts’ evidence to prove a conspiracy.” Cross, 308

F.3d at 324 (citing United States v. Mathis, 216 F.3d 18, 26 (D.C. Cir. 2000)).

       Here, the challenged evidence is not offered to prove the defendant’s bad character or to

show action in conformity therewith. Rather, the evidence is offered to establish the defendant’s

motive and plan. The evidence at trial will show that defendant Auernheimer conspired with

other Goatse Security members to steal the e-mail addresses and ICC-IDs of over 100,000

victims. But it will be critical – and eminently proper under Rule 404(b) – for the Government to

be able to show what motivated defendant Auernheimer and his co-conspirators to commit their

crimes. The Government will prove that defendant Auernheimer was driven by a desire to

publicize himself and his co-conspirators; he wanted to burnish his reputation as a force in the

“security research” community; and prove to the world that Goatse Security was a serious

company.







       With enhanced reputations, defendant Auernheimer and Goatse Security could obtain

security consulting work from paying clients. It was crucial, in this regard, for defendant

Auernheimer to build up the credentials of himself and of Goatse Security. That is why, on the

Goatse Security web page, defendant Auernheimer listed all three attacks the Goatse Security

members had claimed in 2010 – the Safari Exploit, the Firefox Exploit, and the iPad Breach.

       Again, defendant Auernheimer’s own words show how the Firefox Exploit and the Safari

Exploit shed light on his motive and his plan. For example, when defendant Auernheimer was

promoting the Firefox Exploit, he contacted some of the exact same reporters as he did when

promoting the iPad Breach. On or about January 28, 2010, defendant Auernheimer e-mailed

Taylor Buley, a reporter at Forbes magazine, with a link to an explanation of the Firefox Exploit.

Buley’s interest was piqued, and during the ensuing e-mail exchange, defendant Auernheimer

asked, “Would you or anyone you know be interested in this story? I am trying to hype this toy

deployment of the technique so I can market more profitable applications of it.” (Gov’t Ex.

5026.) Then, in June 2010, during the period charged in the Superseding Indictment, defendant

Auernheimer exchanged numerous e-mails with Buley regarding the iPad Breach. Indeed, in

these communications with Buley, one can see defendant Auernheimer’s motive and plan bearing

fruit – he is using the relationships he seeded with news of the Firefox Exploit to continue his

promotion of Goatse Security.

       As another example, on or around March 20, 2010, defendant Auernheimer sent an e-mail

to Sherrod DeGrippo, an Internet security researcher who, among other things, ran a LiveJournal

blog. (Gov’t Ex. 5036.) Under the subject heading “advisory,” defendant Auernheimer

described the Safari Exploit, introducing it by stating, “We at the Goatse Security labs have been





delving into an old (but also new) class of web exploits . . . .” (Id.) Auernheimer also referred to

the Firefox Exploit, calling it Goatse Security’s “first cross-protocol scripting PoC release.” (Id.)

The e-mail concluded with an “About Goatse Security” section, which stated,

       At Goatse Security, we don’t really care about fighting cyberterrorism or cyber
       crime or whatever. We are pioneering new classes of exploits, new methods of
       evading IDS and new ways to use computers to make shit happen. Our minds
       won’t be owned by some liar’s system of ethics, but they are for rent to any God
       or government (or corporation or criminal organization) that will write a check of
       sufficient size.

(Id.) Importantly, the section concluded with a list of, among others, the Goatse Security

members.

       As yet another example, on or around January 30, 2010, defendant Auernheimer wrote to

an individual associated with an organization named “h@ckers.org,” which publishes so-called

“security vulnerabilities” on its blog. Auernheimer described the Firefox Exploit, referred to

“Rucas” (a member of Goatse Security), and asked that the h@ckers.org individual mention

defendant Auernheimer’s organization[2] on a podcast. See Gov’t Ex. 5025. Days later, on or

about February 9, 2010, defendant Auernheimer sought to obtain a speaking engagement at an

internet culture conference named “ROFLcon.” Gov’t Ex. 5028. The subject line of the e-mail

was “What’s it take to give a speech at roflcon?” Defendant Auernheimer went on to brag about

his role in the Firefox Exploit, and state that “I’d like to use your convention as a platform for

something cool, and maybe educate some shrewd youngsters. I want to cover a few things: . . .

How to do your own PR, get press coverage, and generate blogging buzz . . . How to monetize


       [2] Defendant Auernheimer asked that the “GNAA” be mentioned. Goatse Security’s
homepage stated that Goatse Security was a “wholly owned subsidiary of the GNAA,” and
defendant Auernheimer was listed on the Goatse Security website as the “President of the
GNAA.”




off of web vulnerabilities without going to jail . . . How individuals can manage and manipulate

the perception of those in corporate governance positions.” (Gov’t Ex. 5028.)

       All of this evidence provides clear insight into defendant Auernheimer’s motive in

promoting Goatse Security, and “[m]otive is always relevant in a criminal case, even if it is not

an element of the crime.” Sriyuth, 98 F.3d at 747 n.12. Given the critical nature of the issue of

the defendant’s motive where defendant Auernheimer did not profit directly from the crime, the

admission of the Safari Exploit and Firefox Exploit evidence is especially justified.

       Finally, there is no danger that the evidence obtained from the Safari Exploit and the

Firefox Exploit will create confusion or unfair prejudice in the sense that it will subordinate

reason to emotion in the fact-finding process. See Queen, 132 F.3d at 997. Such evidence does

not generally cause emotionalism, irrationality, or inflammatory reactions in a jury. United

States v. Greenwood, 796 F.2d 49, 53 (4th Cir. 1986). Indeed, courts have held, in similar cases,

that the type of other act evidence at issue here is not prejudicial. In United States v. Adair, 227

F. Supp. 2d 586 (W.D. Va. 2002), just as in this case, the Government sought to introduce

evidence of prior computer-related exploits to shed light on the defendant’s motive. The Court

permitted the evidence under Rule 404(b), holding that “[t]he prior acts in this case present little

risk of exciting the jury to irrational behavior. The type of misconduct involved – illegally

accessing secure computer networks – is not the sort of conduct that ordinarily inflames the

passions of a jury.” Id. at 590. Indeed, in theft cases, far more incendiary 404(b) evidence has

regularly been admitted to prove a defendant’s motive. See, e.g., United States v. LaFlam, 369

F.3d 153, 156 (2d Cir. 2004) (affirming convictions for, inter alia, bank robbery, holding that

404(b) evidence of defendant’s drug use and drug debts was offered “not for the improper





purpose of showing a propensity for criminal behavior, but rather to demonstrate a motive—to

pay off existing drug debts and to purchase more drugs—to commit the charged robberies”).

Likewise, in § 1030 cases, more incendiary evidence has been admitted under Rule 404(b). See,

e.g., United States v. Sullivan, 40 F. App’x 740, 742 (4th Cir. Feb. 28, 2002) (unpublished)

(affirming conviction for intentionally causing damage to a protected computer, holding that

introduction of a web page entitled “Dr. Crime” and a plaque engraved with words “Dr. Crime’s

Terminal of Doom,” which the defendant placed above his computer, were not improperly

prejudicial).

        Finally, the proof with respect to the proffered Rule 404(b) evidence will be simple and

straightforward and will not complicate or significantly lengthen the duration of the trial.







C. Conclusion

       This Court should admit evidence relating to the Safari Exploit and the Firefox Exploit.

This evidence is intrinsic to proving an element of the crimes charged in Count 1 – viz., that the

defendant conspired with others to effect a particular object – and it explains the circumstances

surrounding the charged crimes. Alternatively, this Court should admit this evidence under Rule

404(b) as probative of motive and plan.

                                              Respectfully submitted,


                                              PAUL J. FISHMAN
                                              United States Attorney


                                              s/Michael Martinez
                                              By: MICHAEL MARTINEZ
                                                  Executive Assistant U.S. Attorney

                                              s/Zach Intrater
                                              By: ZACH INTRATER
                                              Assistant United States Attorney



