IN THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF CALIFORNIA BEFORE THE HONORABLE KIMBERLY J. MUELLER, JUDGE ---o0o--UNITED STATES OF AMERICA, Plaintiff, vs. No. 2:13-CR-00082 MATTHEW KEYS, Volume 4 Pages 305 through 470 Defendant. / ---o0o--REPORTER'S TRANSCRIPT OF PROCEEDINGS JURY TRIAL VOLUME 4 THURSDAY, OCTOBER 1, 2015, 8:30 A.M. ---o0o--- For the Government: BENJAMIN B. WAGNER, U.S. ATTORNEY 501 I Street, Suite 10-100 Sacramento, California 95814 BY: MATTHEW DEAN SEGAL and PAUL ANDREW HEMESATH Assistant United States Attorneys (Appearances continued next page...) Reported by: KATHY L. SWINHART, CSR #10150 Official Court Reporter, 916-446-1347 501 I Street, Room 4-200 Sacramento, California 95814 Proceedings reported by mechanical stenography, transcript produced by computer-aided transcription. 1 APPEARANCES (Continued) 2 For the Government: UNITED STATES DEPARTMENT OF JUSTICE Computer Crime and Intellectual Property Section 1301 New York Avenue NW, Suite 600 Washington, D.C. 20530 BY: JAMES ANTHONY SILVER Deputy Chief For the Defendant: LAW OFFICES OF JAY LEIDERMAN 5740 Ralston Street, Suite 300 Ventura, California 93003 BY: JASON SCOTT LEIDERMAN 3 4 5 6 7 8 9 10 11 TOR EKELAND, P.C. 195 Plymouth Street, Fifth Floor Brooklyn, New York 11201 BY: TOR EKELAND and MARK H. JAFFE 12 13 14 15 16 17 18 19 20 21 22 23 24 25 KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 1 INDEX 2 GOVERNMENT'S WITNESSES: PAGE: 3 4 ARMANDO CARO 5 DIRECT EXAMINATION BY MR. HEMESATH CROSS-EXAMINATION BY MR. EKELAND REDIRECT EXAMINATION BY MR. HEMESATH 6 306 326 331 7 DYLAN KULESZA 8 9 DIRECT EXAMINATION BY MR. HEMESATH CROSS-EXAMINATION BY MR. LEIDERMAN REDIRECT EXAMINATION BY MR. HEMESATH 337 387 405 10 11 TIMOTHY RODRIGUEZ 12 DIRECT EXAMINATION BY MR. SEGAL CROSS-EXAMINATION BY MR. LEIDERMAN REDIRECT EXAMINATION BY MR. SEGAL 13 410 427 430 14 SAM COHEN 15 DIRECT EXAMINATION BY MR. HEMESATH 432 16 17 18 19 20 21 22 23 24 25 KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 1 2 GOVERNMENT'S EXHIBITS RECEIVED IN EVIDENCE NO.: DESCRIPTION: PAGE: 3 4 5 112 303 506 605 E-mail series Assembler security logs Screenshot from Keys computer IRC chat on 12/09/10 447 348 381 375 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 305 1 SACRAMENTO, CALIFORNIA 2 THURSDAY, OCTOBER 1, 2015, 8:39 A.M. 3 ---o0o--- 4 (Jury not present.) 5 THE CLERK: 6 States versus Matthew Keys. 7 today is day four. 8 THE COURT: 9 MR. LEIDERMAN: Calling criminal case 13-82, the United Good morning. 10 MR. SEGAL: 11 MR. EKELAND: 12 THE COURT: 13 MR. HEMESATH: 14 moment. 15 16 This is on for jury trial, and Good morning, Your Honor. Good morning, Your Honor. Good morning, Your Honor. Do we have everyone we need? Mr. Silver will be here in just a We can proceed without his presence. THE COURT: Cauthen is here. All right. Can we call the jury in? 18 MR. HEMESATH: 19 THE COURT: Yes. All right. Let's do that. (Jury present.) 21 THE COURT: 22 Good morning, Ladies and Gentlemen of the jury. You may be seated. 23 Welcome back to court. 24 month. 25 Agent Mr. Keys is here. 17 20 All counsel are here. Happy October. So we are ready to go. We've turned over one I'm going to ask the government KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 306 1 to call its next witness. Mr. Hemesath? 2 MR. HEMESATH: 3 government calls Armando Caro. 4 THE CLERK: Yes, Your Honor. Mr. Caro, please come forward. 5 take your photograph this morning. 6 against the wall facing me, please. 7 8 Thank you. At this time, the I need to If you can stand there Thank you. Please step into the witness stand, remain standing, and raise your right hand. 9 ARMANDO CARO, GOVERNMENT'S WITNESS, SWORN 10 THE WITNESS: 11 THE CLERK: 12 Will you please say and spell your first and last name 13 I do. Thank you. You may be seated. for the record. 14 THE WITNESS: 15 THE COURT: 16 Armando Caro, A-R-M-A-N-D-O, C-A-R-O. You may proceed. DIRECT EXAMINATION 17 BY MR. HEMESATH: 18 Q. Good morning. 19 A. Good morning. 20 Q. Mr. Caro, can you tell me what it is that you do for a 21 living? 22 A. 23 architecture. 24 Q. For whom do you work right now? 25 A. Currently I work for Capital Group. I work in IT, system administration, management, KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 307 1 Q. I'm sorry? 2 A. Currently I work for Capital Group. 3 Q. Capital Group. 4 A. They're a fund management company, the financial industry. 5 Q. And what is your exact title with Capital Group? 6 A. Senior systems administrator. 7 Q. Okay. 8 responsibilities as systems administrator entail for Capital 9 Group? What does Capital Group do? Can you tell me a little bit about what those 10 A. Currently I'm in the engineering space, which is I'm 11 responsible for designing, engineering and producing a product, 12 our outcome that the company requires to run its business. 13 It's system design and documentation that would be handed over 14 to the operators that take care of those systems. 15 Q. How long have you been in that position at Capital Group? 16 A. Just over a year now. 17 Q. What were you doing before that? 18 A. I was doing consulting work for a company called Frontier 19 Communications. 20 Q. 21 were you consulting for Frontier -- 22 A. 23 doing it for approximately a year. 24 Q. And before that? 25 A. Before that, I worked for Tribune Media. And how long had you been with Frontier Communications or I was an independent sales consultant to them, but I was KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 308 1 Q. And what was your position when you left Tribune Media? 2 A. Managing director, architecture and security operations. 3 Q. What year was that then that you left? 4 A. 2011. 5 Q. 2011. 6 A. I'm sorry. 7 did three and a half years. 8 Q. 9 2012. No, that's not right. Okay. I started in 2009. 2012. Well, that's my next question actually. When did you start with Tribune Media? 10 A. October 2009. 11 Q. Do you recall what your title was when you started with 12 Tribune? 13 A. Managing director, architecture. 14 Q. So you started as a managing director? 15 A. Yes. 16 Q. And before that, what were you doing? 17 A. I was director of messaging and directory operations at 18 Clear Channel Communications. 19 Q. And before that? 20 A. I was in the Air Force, a communications specialist. 21 Q. What did you do in the Air Force? 22 A. Ah, system administration. 23 military spin. 24 Q. 25 I Essentially the same job with a Very good. And any training other than those jobs? KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 309 1 A. 2 Jose when I was going to school at San Jose State. 3 enrolled in computer engineering at the time. 4 several IT positions for companies in the valley. 5 Q. 6 I went through training for the Air Force. Okay. I worked in San I was And I worked Thank you for that, for that history. When you say that you worked for Tribune and you said Media 7 Company, was it Tribune Company before that? 8 A. I think the official title is Tribune Company. 9 Q. Okay. Could you tell me who you worked -- who your clients 10 were that you reported to. 11 A. My clients that I reported to? 12 Q. Well -- I'm sorry. 13 reported to. 14 A. 15 and he was my direct reporting manager. 16 Q. 17 Company, who you served in terms of the people that would make 18 requests of you on a day-to-day basis? 19 A. 20 that Tribune technology managed and operated and serviced, my 21 customers would be the IT division itself and the business. 22 in respect to what the business requested in new feature 23 capability, functionality, I would have to incorporate that 24 into what we could do with the technology we owned or had to 25 procure. Your managers, let's say, that you So my direct manager was Jeff Dorsey, the VP of operations, Could you tell me, while you were working at Tribune In my role as the head of architecture for all the systems So KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 310 1 And in respect to the IT division itself, the operations 2 team needed optimization, improvement, or life cycle 3 replacement of aging equipment. 4 analysis and putting forth the decision to make that -- to go 5 with what was requested. 6 Q. 7 this work? 8 A. 9 at Tribune, but I flew week in, week out to Chicago. I would be involved in the So the portfolio is what I managed. And where were you physically located while you were doing I lived in San Antonio during the whole time I was working 10 would be flying out, and Friday I would fly home. 11 Q. 12 Chicago? 13 A. No. 14 Q. Where were they located? 15 A. So we had two main data centers. 16 we had L.A. Times. 17 Q. 18 Times have to Tribune Company? 19 A. Tribune Company owned L.A. Times. 20 Q. Did Tribune Company own any other newspapers? 21 A. They owned eight. 22 Q. Did they own anything else? 23 A. TV stations. 24 Q. How many TV stations do they own; do you know? 25 A. I want to say 23. Monday I Were the systems that you were working on just located in We had Chicago, and then So when you say L.A. Times, what relationship does L.A. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 311 1 Q. Did they own any in Sacramento? 2 A. Yes. 3 Q. Which one did they own in Sacramento? 4 A. I do not remember the call letters. 5 Q. Did the Tribune Company have a content management system? 6 A. Yes. 7 Q. Do you remember what that was called? 8 A. P2P. 9 Q. And what does P2P stand for? 10 A. Power to the producer, I believe. 11 Q. All right. 12 the system? 13 A. Yes. 14 Q. And how were those credentials assigned? 15 A. They were given by the administrator of that system. 16 Q. Were they given to just anyone? 17 A. No. 18 Q. All right. 19 working with Tribune Company based on your date range in 20 December of 2010; is that correct? 21 A. Yes. 22 Q. Do you remember an incident involving the L.A. Times in 23 about that time? 24 A. Yes. 25 Q. What do you remember about that? Did that system require credentials to access You had to be in a role to get access to the system. Do you -- you've already stated that you were KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 312 1 A. 2 that was reporting a -- at the time what was believed to be a 3 malfunction in the system, and the content was not being 4 generated as intended or had failed to generate as intended. 5 Q. Do you remember where you were when you received that news? 6 A. I was in the office. 7 Q. The office in Chicago? 8 A. Chicago. 9 Q. Uh-huh. 10 I remember an incident where a service incident came up So what did you do as a result of that notice that you 11 received? 12 A. 13 because it was believed to be a malfunction, I was just made 14 aware as management staff. 15 was deemed a more serious issue, such as a compromise of 16 security or system integrity that I got involved. 17 Q. And why did you get -- why did you get involved? 18 A. I was in charge of the security operations team at Tribune. 19 So, in essence, we had a -- it's called a CSIRT, a computer 20 incident response team, security response team, and I managed 21 that group. 22 one responsible for the execution of that group to respond to 23 it. 24 Q. 25 you got notice? Well, at the time, since it was an operational issue It wasn't until the issue And so any incident that came up, I would be the So do you recall what the first thing is that you did after KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 313 1 A. 2 involved. 3 different disciplines across the company to be -- to contribute 4 to the effort since their skill set is required. 5 the first thing we did, activate the CSIRT. 6 Essentially we activated the CSIRT, which is get everyone Part of that group is different individuals from So that was I would ensure all the managers of those people who were 7 involved were aware that their resources were being taken and 8 that they need to make themselves available for this. 9 we started our fact-finding analysis efforts. And then 10 Q. So why couldn't you just fix it yourself? 11 A. Well, I didn't have any operational access to the system 12 since that wasn't my responsibility. 13 responsible for the day-to-day operations of those systems. 14 Q. 15 to fix it? 16 A. 17 head, Tad Lin would have been involved, Matt Dobbertien as 18 operations manager for the servers. 19 list of people. 20 Q. And you were managing these people? 21 A. I wasn't their direct manager. 22 efforts in this incident, yes. 23 activities as it pertains to what we did here. 24 Q. 25 initial conclusions about what had happened? My group isn't So do you recall who you charged with that responsibility It would have been the operations group. Okay. Off the top of my It would have been a whole I don't recall off the top of my head. I was managing their I was responsible for their So as a result of your efforts, did you come to any KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 314 1 A. Well, from the information that we gathered, a user ID had 2 logged into the system and had accessed an article and had 3 changed the content and then posted the content. 4 Q. And why did you come to that conclusion? 5 A. Because the evidence was in the log. 6 Q. So what evidence -- describe to me the evidence that you 7 saw in the log. 8 A. 9 requesting access, passing a password and authenticating to it. A log entry of a user ID logging into the system, so 10 The user ID requesting the article. The user ID making an edit 11 to the article and committing it. 12 that article to the live website. 13 Q. So what kind of log was this information found in? 14 A. It would be in the P2P system log. 15 Q. Is that also known as the Assembler log? 16 A. Yes. 17 Q. Did you find the log -- the pertinent log entries yourself? 18 A. No. 19 Q. Do you know who did? 20 A. No, I don't remember. 21 Q. Was it somebody on your team? 22 A. Somebody on the response team, yes. 23 Q. Did you review those Assembler log entries? 24 A. I would have looked at them, yes. 25 Q. All right. And then the user ID posting So then what happened? KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 315 1 A. 2 that ID was assigned to. 3 believe a female employee that had left the company or was no 4 longer with the company, so her ID should have been inactive, 5 but it wasn't. 6 Well, once we identified the user ID, we went to see who And the ID had been assigned to I And we obviously deactivated the ID. And then through the 7 principle of assumed breach, meaning you assume that you've 8 been compromised and take all actions to stop it without having 9 to seek any further evidence, we asked everyone to change their 10 passwords. 11 system to harden in case the breach had been through a -- a 12 vector that we didn't currently know about or identify. 13 Q. 14 could you describe that a little bit more. 15 A. 16 And we proceeded to look for any points in the So when you say everyone had to change their passwords, Yes. So the P2P system had its own user database of IDs that 17 could log into the system. So everyone who had an ID in that 18 system was asked to change their passwords. 19 Q. 20 system that had to change their passwords? 21 A. 22 they did it, but it was communicated to them. 23 Q. 24 result? 25 A. And how was that communicated to those persons in the Probably through e-mail. I'm not certain who did it, how And do you know if passwords were in fact changed as a I don't remember knowing or seeing any direct evidence, but KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 316 1 I was reported to that it had been done. 2 Q. 3 described, what else did you do? 4 people to do? 5 A. 6 effort, which was to identify and fix whatever caused the 7 event. 8 architecture or functionality that needed to be done to prevent 9 or close any loopholes or vulnerabilities that exist in the 10 So other than shutting down the N. Garcia username that you Or what else did you direct During the course of the event, there was a remediation And then we proceeded to look at what changes in design system. 11 At that time, we did not know how the user -- how the ID 12 got compromised. 13 Q. 14 it important to know how the user got in? 15 A. So that it couldn't happen again. 16 Q. Could you describe what efforts that you directed to find 17 out who had breached the system? 18 A. 19 Chippy leet. 20 was because it wasn't relevant to the article, it stood out. 21 We just knew that it was. So with regard to that effort of not knowing how, why was So the article had been modified with a user tagline of And it was curious to understand what that phrase And through googling that name, a handful of hits had come 22 up on the Google search which led us to look through those 23 articles or those postings, and one of them had been a blog 24 posting of -- 25 MR. EKELAND: Objection, Your Honor. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 317 1 MR. HEMESATH: 2 THE COURT: 3 MR. HEMESATH: So let me stop you right there. All right. And I'm going to back up just a little 4 bit. If we could look at previously admitted Exhibit 503. 5 Q. Do you recognize this? 6 A. Yes. 7 Q. And what is this? 8 A. This is the article that was modified. 9 Q. Okay. Now you mentioned the words Chippy leet. 10 this, and I see Chippy 1337. 11 Chippy leet? 12 A. 13 numbers. Yes. I look at Could you explain why you said So the 1337 is a clever way of spelling a word using And in Internet jargon, 1337 is pronounced leet. 14 MR. EKELAND: 15 THE COURT: Objection, Your Honor. Overruled. 16 BY MR. HEMESATH: 17 Q. 18 experience, leet would refer to? And do you know what, generally speaking in your 19 THE COURT: 20 THE WITNESS: Just answer yes or no first. Yes. 21 BY MR. HEMESATH: 22 Q. What does it refer to? 23 A. It's a sub proclamation that you're good at something. 24 Q. Like elite? 25 A. Yes. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 318 1 Q. Where had you seen that before? 2 A. Users would create game tags with the phrase leet in it to 3 signify that they're a really good game player. 4 Q. 5 I see. So you were describing before with regard to your reaction 6 to the term Chippy leet what you did. So if you could continue 7 with that, telling us what you did with that term Chippy leet. 8 A. 9 leet. After seeing the article, it stands out the phrase Chippy And the content of the article was modified versus the 10 previous article. So we, myself and another security operator, 11 started to research the user tag Chippy leet. 12 Q. And how did you research that? 13 A. Using Google. 14 Q. What did your Google results result in? 15 A. We found a bunch of postings from -- relating to this user 16 tag, and one of them was a blog posting -- 17 MR. EKELAND: 18 THE COURT: 19 MR. EKELAND: 20 MR. HEMESATH: 21 THE COURT: 22 MR. HEMESATH: 23 Objection, Your Honor. What's the objection? Hearsay. It's not for the truth. What is it offered for? It's offered for how he eventually came to his conclusions. 24 THE COURT: In the form of an evidentiary -- 25 MR. HEMESATH: The blog statements themselves, there's KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 319 1 no point to offering those for whether what they said was 2 actually true, but they led to a place. 3 THE COURT: All right. So with that clarification, 4 that the contents of any blog testified about is not being -- 5 are not being offered for the truth of the contents, I'll allow 6 the testimony. 7 BY MR. HEMESATH: 8 Q. 9 So you were -THE COURT: Do you have the question -- all right. 10 BY MR. HEMESATH: 11 Q. So you were saying that you saw a blog posting and that -- 12 A. The information that the Google research revealed was a 13 blog posting of someone with the tag Chippy leet bragging about 14 a vulnerability that individual created and posted some code, a 15 code snippet, meaning a section of code, that illustrates his 16 cleverness. 17 an IRC article that the code would send data to. 18 Q. And so what did you do as a result of that information? 19 A. We went to the IRC article, the IRC channel. 20 Q. And can you tell us more about that IRC channel. 21 A. So in that channel -- And in that code snippet, there was reference to 22 MR. EKELAND: 23 THE COURT: 24 25 bit vague. Objection, Your Honor. What's the objection? The question is a Why don't you focus the question. MR. HEMESATH: Okay. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 320 1 Q. Can you briefly explain what you mean by IRC channel? 2 A. IRC stands for Internet relay chat, and it's a protocol 3 that you would access to communicate with others on the 4 Internet. 5 Q. 6 procedure -- what procedures did you follow? 7 A. 8 name of the channel, the server that it's on and connect. 9 the channel is not secure, you can get right in. And we logged into that IRC channel. When you say log into that IRC channel, what does that To log into an IRS channel, all you have to do is know the If 10 Q. When you say not secure, do you mean -- 11 A. It doesn't require a password. 12 Q. And when you get in, what does that look like? 13 A. It looks like a terminal with a bunch of text, people 14 posting their comments or conversation. 15 Q. So just text, no graphics? 16 A. You can get them using special commands, but they're not 17 displayed. 18 Q. Meaning the graphics? 19 A. Yes. 20 Q. So it's mainly text? 21 A. It is text. 22 Q. So when you got to IRC channel that was referenced in the 23 Google research, what did you see there? 24 A. 25 activities. So at this point I wasn't actively involved in the IRC I saw the terminal. My security operator was the KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 321 1 one actually doing the IRC log-in activities. 2 Q. What was the name of your security operator? 3 A. Dylan Kulesza. 4 Q. Okay. 5 what you've described so far with regard to finding the 6 identity of the person responsible, do you know how many hours 7 you spent? 8 A. About a week's worth of time. 9 Q. A week's worth of time. 10 A. 40 hours is a week, a workweek. 11 Q. And how are you so sure you spent 40 hours in a workweek on 12 that particular task? 13 A. What task specifically? 14 Q. On the task of what you've described, which was stopping 15 the intrusion and then identifying the intruder. 16 A. Can I clarify? 17 Q. Yes. 18 A. So you mean from when I first was notified that the 19 incident was happening until the point where we concluded we 20 think we know what is going on? 21 Q. Yes, but only including those two categories of things. 22 A. About 20 hours, half of that. 23 Q. About half of that? 24 A. Uh-huh. 25 Q. Okay. So throughout this activity, I'm speaking just of Could you tell us how many hours? What else other than those two things did you do KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 322 1 with regard to a reaction to this incident? 2 A. 3 have had to review the design, the operation activities, the 4 system integrity, and what work would need to be done to 5 improve the security posture, rectify any deficiencies in the 6 system, and ensure that we had proper procedures to handle this 7 since it was a user ID that had been compromised, it was an ID 8 that was no longer active from a user perspective. 9 Q. Well, being in charge of architecture and security, I would So does that mean you were improving the system to make 10 sure that it would not happen again? 11 A. Yes. 12 Q. And that's -- and you're not including that time in the 20 13 hours that you just talked about, right? 14 A. No. 15 Q. Okay. 16 we're talking about, so we can make sure we're talking about 17 the same thing, what were the other 20 hours that you were 18 spending time on? 19 hours on the thing that you were just saying that you spent 20 20 hours on, what was the other 20 hours spent doing? 21 A. 22 track down the source of the compromise. 23 Q. Uh-huh. 24 A. The other 20 hours would have been to address the 25 compromise and remediate it. In that first week, other than the 20 hours that So if it's a 40-hour workweek, you spent 20 So of the 40 hours, 20 hours would have been to try to KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 323 1 Q. Okay. 2 A. Well, we had to make system changes. 3 users to change their IDs. 4 had to review, from a managerial standpoint, what is our next 5 step? 6 closed the door? 7 tasks, management oversight? 8 9 Tell me what that means. We had to get the We had to gather all the logs. Are we adequately addressing this? Are we sure we've Were the engineers doing their assigned So there was a lot of administrative work to be done as well as communicating to the business and my senior executive 10 management what was going on. 11 Q. So that was in direct response to the incident? 12 A. I think in my mind that's all direct response to the 13 incident. 14 Q. 15 incident? 16 17 I Could you have not done those things in response to this MR. EKELAND: Objection, Your Honor, calls for speculation. 18 THE COURT: Sustained. 19 MR. HEMESATH: So let's talk about what else you did 20 past this week with regard to this incident. And by this week, 21 I mean the first week. 22 Q. 23 position at Tribune at that time? 24 A. 25 situation, since we couldn't make significant system changes Can you tell me what else that you did with regard to your Okay. So beyond the week of responding and addressing the KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 324 1 right up front without knowing more data as well as assessing 2 our security posture, I spent the next several months with my 3 security team and architecture team to review what changes we 4 need to make in overall architecture, overall system design, 5 and any new technologies or products that would help us react 6 faster, identify vulnerabilities quicker, identify system 7 deficiencies faster, implement a program that would help us 8 address this through the system life cycle. 9 system implementing proper security deterrence or elements into So designing a 10 our system design. And then are we operating with the security 11 facet in mind. 12 Q. 13 that you described? 14 A. No. 15 Q. Initially this is completely -- this is making the system 16 better; is that correct? 17 A. Making the environment better. 18 Q. So to loop back around to what happened after your IRC 19 research, do you recall what you did with that information? 20 A. 21 contacted the authorities, which we were then directed to the 22 FBI and were given a contact. 23 we had thought we had located the identity or the identity of 24 the hacker, we passed that information on to the FBI. 25 Q. What you just described was not counted within the 40 hours When we first determined it was a possible compromise, we Once we identified that the -- Do you remember when in the week that you've been KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 325 1 describing that occurred? 2 A. I do not remember exactly when. 3 Q. Before this, had you had any direct contact with anyone at 4 Fox 40 in Sacramento? 5 A. No. 6 Q. Mr. Caro, how much -- and I realize this is a personal 7 question, but how much money did you make as a salary in 2010 8 with your job with Tribune Company? 9 A. I made $180,000 a year. 10 Q. Sir, is that 180 or 108? 11 A. 180, one eight zero. 12 Q. 180. 13 Do you recall calculating your hourly rate? 14 A. Yes. 15 Q. And how did you calculate your hourly rate? 16 A. I took my annual salary, took the number of weeks in a year 17 and the number of hours in a week, divided that by my -- 18 divided my salary by that number. 19 Q. 20 number of hours? 21 A. 22 workweek. 23 Q. So 180 divided by 2,080; is that correct? 24 A. I believe so. 25 Q. Okay. When you say hours in a week, you don't mean the total I mean a general work -- 40 weeks -- or 40 hours of a Oh, I'm sorry to jump back. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 326 1 With regard to the change of the passwords that was 2 required, in your experience in a Tribune Company environment, 3 how long would it have taken a typical user to change a 4 password? 5 A. About two to five minutes. 6 Q. Why do you say two to five minutes? 7 A. The act of typing in the password takes relatively seconds, 8 but thinking up a new one that you haven't used before, that 9 meets the complexity of the requirements, that has the proper 10 length usually takes a user a little bit longer to come up with 11 one that they will remember. 12 Q. 13 MR. HEMESATH: 14 One moment, Your Honor. (Government counsel conferring.) 15 16 I see. MR. HEMESATH: Thank you, Your Honor. No further questions. 17 THE COURT: 18 MR. EKELAND: 19 Excuse me just one moment to get set up here. 20 All right. Cross-examination, Mr. Ekeland? Yes, Your Honor. Or actually do you guys -- can you put 503 back up? 21 CROSS-EXAMINATION 22 BY MR. EKELAND: 23 Q. 24 represent the defendant Matthew Keys along with Jay Leiderman 25 and Mark Jaffe. Good morning, Mr. Caro. My name is Tor Ekeland. I And that's the defendant over there at the end KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 327 1 of the table. I'm just going to ask you a few quick questions. 2 This won't be long. 3 I just wanted to go back to -- you testified that you spent 4 20 hours in responding to this incident, correct, at one point? 5 A. Yes. 6 Q. And do you ordinarily log your time hourly when you worked 7 for Trib Co? 8 A. No, I wasn't required to log my time. 9 Q. Okay. And did you record your time in your response to 10 this incident as you worked on it? 11 say you finished working on the day whatever you worked, an 12 hour or two in responding to this incident, did you write down 13 your time immediately afterwards and log it? 14 A. Yes. 15 Q. You did. 16 We -- So you say the 20 hours is a precise figure or is that an 17 estimate? 18 A. That is what I estimate. 19 Q. That is what you estimate. 20 So the time that you're stating here in court, they're all 21 estimates, correct? 22 A. Yes. 23 Q. That's a yes? 24 25 Aka, did you record it -- Okay. Thank you. I just want to draw your attention to Government's Exhibit 503. This is the incident that you were responding to, the KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 328 1 change of the headline in this article; is that correct? 2 A. Yes. 3 Q. And the way that this article was changed, somebody logged 4 into the Trib Co system using a username and password, correct? 5 A. Yes. 6 Q. And the system responded as it was programmed to do because 7 it thought it was a valid username and password and gave access 8 to whoever accessed the system, correct? 9 A. Yes. 10 Q. So there was no impairment to the functionality of 11 Tribune's P2P system or the CMS, it functioned exactly like it 12 was supposed to? 13 14 MR. HEMESATH: Objection, that is a legal conclusion he's asking for. 15 THE COURT: Well, overruled, but the jury is to 16 understand that this is not a legal expert, and the terms that 17 Mr. Ekeland is using are not being used in a legal manner. 18 19 So as a layperson, given what you understand the words to mean, you may respond. 20 THE WITNESS: Can you repeat the question? 21 MR. EKELAND: Yes. 22 Q. So basically -- I believe the username was N. Garcia. 23 you recall that? 24 A. Yes. 25 Q. Right. Do KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 329 1 So when whoever was using the username N. Garcia logged in 2 with that username and that password, the system did exactly 3 what it was programmed to do, it gave that person access, 4 correct? 5 A. Yes. 6 Q. Right. 7 And so when that person got in, that person was able to 8 edit the article in the P2P system just like any other Trib Co 9 employee would be able to if they had logged in with their 10 username and password; is that correct? 11 A. Not any, no. 12 Q. I'm sorry. 13 A. No. 14 Q. No? 15 A. You had to be in the position of a content producer. 16 ID had to belong to you to use it and the intent that you would 17 modify an article to generate your own content. 18 Q. 19 Not any? Why not? That Right. But N. Garcia wasn't in that position. It was a username 20 and password that allowed somebody to get in just like anybody 21 else who had that type of username and password could get in 22 and edit the article, correct? 23 A. That type meaning N. Garcia? 24 Q. Yes. 25 A. No. N. Garcia belonged to N. Garcia. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 330 1 Q. What did you say? 2 A. N. Garcia belonged to N. Garcia. 3 Q. Right. 4 But N. Garcia, the username and password, had the rights 5 associated with it to edit the article, right? 6 A. Yes. 7 Q. And nothing -- there was no code that was transmitted to 8 the P2P system that changed its functionality in any way, 9 correct? 10 A. No. 11 Q. Okay. 12 functionality of the L.A. Times website as a result of this 13 log-in, correct? 14 A. Yes. 15 Q. Yes? 16 A. Yes. 17 Q. And so you're saying that username and password logging in, 18 that the system recognized as valid credentials, impaired the 19 functionality of the L.A. Times website? 20 A. 21 news for the consumers to read and be trustworthy. 22 functionality of the website was to produce valid content. 23 This is not valid content. 24 Q. 25 And you're not aware of any impairment to the The functionality of the L.A. Times website was to have The Right. But the username and password just edited the article KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 331 1 precisely like it was programmed to as if somebody from -- an 2 editor from Trib Co who had this access could have gone in and 3 edited it any way they wanted, correct? 4 A. Yes. 5 Q. Okay. 6 website did not go down because of this access, correct? 7 A. I do not believe so. 8 Q. And you're not aware of any impairment to the Fox 40 9 website because of this access, correct? So -- and you're not aware of any -- the L.A. Times 10 A. No. 11 Q. And you're not aware of any change to the underlying code 12 running your websites because of this access, correct? 13 A. Correct. 14 Q. Is that -- was that a yes? 15 A. Correct. 16 Q. Okay. Yes. 17 MR. EKELAND: 18 THE COURT: 19 MR. HEMESATH: 20 No further questions, Your Honor. All right. Redirect? Yes, Your Honor. REDIRECT EXAMINATION 21 BY MR. HEMESATH: 22 Q. 23 correct? 24 A. No. 25 Q. Could you explain that. The Assembler log saves its commands in terms of code, KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 332 1 A. 2 based on whatever the code said it needed to generate a log 3 entry for. 4 Q. 5 command that resulted in a log entry, would someone have had to 6 have transmitted a code or command? 7 A. A command, yes. 8 Q. And -- I'm sorry. 9 10 The Assembler log would log the activity of the system In order to generate a log entry or in order to generate a When I say code, in your profession that means something specific. Could you tell me what that means. 11 MR. EKELAND: 12 THE COURT: 13 THE WITNESS: Objection. Overruled. Code is the language that you use to 14 instruct computers what to do. It is either compiled or 15 interpreted, and it is how you make computers function the way 16 they do. 17 BY MR. HEMESATH: 18 Q. 19 and "command"? Can you explain the relationship between the words "code" 20 MR. EKELAND: 21 THE COURT: 22 THE WITNESS: Objection. Overruled. So I can command the computer to give me 23 a listing of all the files on that computer, but that command 24 is foreign to the computer unless it has the code to understand 25 that I'm asking for all enumeration of all the files that it KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 333 1 stores and how to access that through the hardware, how to 2 generate an output, how to format it and present it to the 3 screen. 4 So the command would be directory. The code would 5 execute all the steps necessary to generate that information. 6 BY MR. HEMESATH: 7 Q. 8 testified, sent a command, what effect did that have on the 9 system's integrity? So when someone purporting to be N. Garcia, as you've 10 MR. EKELAND: 11 THE COURT: 12 MR. EKELAND: 13 Objection. What's the objection? Calls for speculation and also expert testimony, Your Honor. 14 THE COURT: Well, this person is not testifying as an 15 expert. But based on what he has said about his job, I'm going 16 to allow him to respond as a layperson. 17 You may respond. 18 THE WITNESS: Repeat the question, please. 19 BY MR. HEMESATH: 20 Q. 21 or someone purporting to be N. Garcia transmitted a command, 22 what effect did that have on system integrity? 23 A. 24 If it was an improper command, it would put the system in a 25 compromised state. Based on your previous testimony that N. Garcia transmitted If it was a proper command, it would post the information. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 334 1 Q. The fact that you found N. Garcia to be an unauthorized 2 user, what effect did that have on system integrity? 3 A. 4 to generate content with editorial integrity, to put that 5 content on the business website, which was the product of the 6 company. 7 the spirit of the company's being an editorial news agency, it 8 would compromise the value of the company and its integrity as 9 a news source. The system was designed to allow users who were authorized If that information and product was not in line with 10 Q. What about the integrity of the security of the system? 11 A. The integrity of the system would mean that we cannot 12 ensure that anyone who had access was of -- was appropriate. 13 Q. Is that why you asked everyone to change their passwords? 14 A. Yes. 15 Q. Is that why you did your investigation as to whom? 16 A. Yes. 17 Q. Mr. Ekeland asked you about the 20 hours that you spent in 18 direct response. 19 to your direct response to this incident? 20 A. In my mind, it's all direct response. 21 Q. But certainly not including the upgrades you did after the 22 week to improve the system? 23 MR. EKELAND: 24 THE COURT: 25 MR. EKELAND: In fact, what was your testimony with regard Objection. Hold on one second. What's the objection? Leading. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 335 1 THE COURT: Sustained. 2 BY MR. HEMESATH: 3 Q. 4 response to the incident in terms of hours and what you did 5 again. 6 A. 7 reported to me, managing it through to its inevitable 8 conclusion, handing it off to the FBI to take the case and all 9 of the activities between then. Can you tell us in clearer terms what you did in direct So 40 hours of direct response from the issue being 10 Q. And then after that? 11 A. After that, I was fulfilling my role as the director of 12 architecture and security to ensure that we were not -- we were 13 in a better posture not to be compromised again. 14 Q. 15 put it, was speculation or, rather, he said whether it was an 16 estimate. 17 18 Mr. Ekeland asked you if that 40 hours, or 20 hours as he What was the absolute minimum that you believe that you spent in direct response that week? 19 MR. EKELAND: 20 THE COURT: 21 MR. EKELAND: 22 THE COURT: 23 BY MR. HEMESATH: 24 Q. 25 spent on that week? Objection. What was the objection? Calls for speculation. Sustained. How do you recall so well whether it was 40 hours that you KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 336 1 A. It was a very clear incident in my mind on what happened. 2 The exact number I do not recall, but the estimate of a week 3 was what I remember working on that event. 4 Q. Do you recall doing anything else that week? 5 A. Whether it was 39, 38, 41 hours, I remember it being a week 6 of my time. 7 Q. Do you recall doing anything else that week? 8 A. Sure, I had other responsibilities. 9 plus people. I was in charge of 50 I had day-to-day operations to make sure happened 10 as well as long nights addressing this. 11 Q. Do you recall working more than 40 hours that week total? 12 A. Yes. 13 Q. You do recall that? 14 A. Yes. 15 Q. Okay. 16 MR. HEMESATH: 17 THE COURT: 18 MR. EKELAND: 19 THE COURT: 20 MR. LEIDERMAN: 21 THE COURT: 22 MR. HEMESATH: 23 THE COURT: 24 25 Thank you very much. Any recross? No, Your Honor. All right. Is this witness excused? He is by the defense. You're excusing this witness, Mr. Hemesath? Yes, Your Honor. All right. Thank you. You're excused, sir. You may step down. The government's next witness? KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 337 1 2 If you want to stand and stretch, you may. We'll take a full break around 10:00. 3 Who are you calling next? 4 MR. HEMESATH: 5 THE COURT: All right. 6 THE CLERK: Mr. Kulesza, please come forward. Mr. Kulesza. 7 to take your photograph. 8 against the wall facing me, please. 9 10 Great. I need If you can stand with your back Step into the witness stand behind you, remain standing, and raise your right hand. 11 DYLAN KULESZA, GOVERNMENT'S WITNESS, SWORN 12 THE WITNESS: 13 THE CLERK: 14 Will you please say and spell your first and last name 15 Thank you. You may be seated. for the record. 16 17 I do. THE WITNESS: My name is Dylan Kulesza. D-Y-L-A-N. Last name Kulesza, K-U-L-E-S as in Sam, Z as in zebra, A. 18 DIRECT EXAMINATION 19 BY MR. HEMESATH: 20 Q. Good morning. 21 A. Good morning. 22 Q. Could you tell me what you do for a living? 23 A. I work for Optiv Security, and I perform security strategy 24 assessments and CISO activities. 25 level roles that oversee the cyber security programs for, you CISO activities are executive KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 338 1 know, large companies. 2 Q. I'm sorry. 3 A. Optiv, O-P-T-I-V. 4 Q. Where is that based? 5 A. Based out of Colorado. 6 the United States. 7 Q. And is that where you work for them? 8 A. No, I work remotely, but that is considered my prime 9 location. You said Optiv. Could you spell that? They have multiple offices across 10 Q. And where do you work? 11 A. I'm based out of San Antonio, Texas. 12 travel to organizations almost weekly. 13 Q. Okay. 14 A. I've been with Optiv now for three weeks. 15 Q. Oh, congratulations. 16 A. Thank you. 17 Q. What did you do before you worked with Optiv? 18 A. So I briefly worked at Tesoro Corporation in San Antonio, 19 Texas, and that was a duration of six weeks. 20 Q. What did you do for Tesoro? 21 A. For Tesoro, I oversaw the enterprise architecture group. 22 Q. Okay. 23 A. Correct. 24 Q. And why did you leave Tesoro to go to Optiv? 25 A. I felt that Optiv would be a better career path for me So I work remote and And how long have you been with Optiv? And -- And that was for six weeks? KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 339 1 going forward, and I would get a lot more experience than where 2 I was currently at, so I elected to leave Tesoro. 3 Q. What about before Tesoro, what were you doing? 4 A. Before Tesoro, I was VP of engineering, security and 5 architecture for Tribune Publishing Company. 6 Q. 7 architecture? 8 A. Correct. 9 Q. How long did you have that title? 10 A. I had that title for over a year. 11 Q. What about before that at Tribune? 12 A. Before that, my title would have been either director of 13 infrastructure and security or enterprise security 14 architecture. 15 all. 16 Q. 17 related -- 18 A. Yeah. 19 Q. March of 2010. 20 And that was your title, VP of engineering and security and It was a brief transition with the director of And do you recall when you started at Tribune or any of its March of 2010. And what was your title at that time? 21 A. Originally my title was I think data architect. 22 Q. Data architect. 23 And then before that, before Tribune Company? 24 A. Before Tribune Company, I worked at Clear Channel 25 Communications, now known as iHeartMedia. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 340 1 Q. Before that? 2 A. Before that, I worked for USAA. 3 Q. And could you tell us what USAA is? 4 A. USAA is a financial institution, primarily servicing 5 military officers. 6 Q. And do you have an educational background? 7 A. Correct. 8 systems. 9 Q. Where did you get that from? 10 A. University of Texas, San Antonio. 11 Q. And what year did you graduate? 12 A. 2006. 13 Q. Okay. 14 Tribune Company in December of 2010; is that correct? 15 A. Correct. 16 Q. Do you recall responding to an incident at about that time? 17 A. I do. 18 Q. Can you tell us about that. 19 A. We received a call from the business stating that our 20 website latimes.com was compromised, and it had an article or a 21 statement that Chippy leet was here. 22 Q. Do you recall who was supervising you at that time? 23 A. Armando Caro. 24 Q. So what -- do you remember where you were when you heard 25 about this news? I have a Bachelor's in management information So based on what you've said, you were working at KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 341 1 A. I was in the San Antonio office when I heard the news. 2 Q. And what did you do in reaction to the news? 3 A. In reaction to the news, a team was assembled to start 4 triaging the issue. 5 initial response to identify how the compromise occurred and 6 how to quickly remediate it. 7 who may have compromised us and what other threat we were 8 vulnerable to. 9 Q. So why a team? 10 A. There are many roles in an organization, and everyone has 11 their own specialties, and so there is a requirement to 12 collaborate with others in gathering information during a 13 security incident. 14 Q. 15 that correct? 16 A. Correct. 17 Q. Why was it important to find out who as opposed to just 18 stopping access so that the intruder -- 19 A. 20 And one part of the team focused on the And I focused on understanding You said that you were in charge of finding out who; is Correct. So, you know, you kind of want to understand, let's say if 21 your house is broken into, you know, was this a random act? 22 Did somebody just come in randomly and break into your house? 23 Or do you want to further understand and see could this person 24 come back again? 25 case, a threat to the organization? Do they pose a threat to yourself or, in this KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 342 1 Q. 2 Uh-huh. So what did you do with regard to finding out who broke 3 into the house? 4 A. 5 search sites with keywords such as Chippy leet, trying to gain 6 information on who may have compromised the organization. 7 so that's really the kind of process I took to finding out who 8 may have broke in. 9 Q. And what did you conclude as a result of those actions? 10 A. So through those actions, we discovered that there was a 11 reference to an IRC server. 12 online that individuals can join and talk to each other. 13 through that IRC server, we were able to identify how to 14 connect to it and validate that there were individuals on that 15 server talking in regards to the incident. 16 So part of my research involved looking on Google or other And An IRC is a form of communication And (Government counsel conferring.) 17 BY MR. HEMESATH: 18 Q. 19 about it? 20 A. 21 the time. 22 up to hand off to the local agent. 23 Q. 24 task? 25 A. What did you do with that information when you found out I believe we were already in communication with the FBI at So when we gathered that information, we packaged it So could you tell us how much time that you spent on that So for that task of doing the research on who attacked the KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 343 1 organization, I would have spent probably, you know, 8 to 16 2 hours for that activity. 3 specific to understanding who attacked the organization, it was 4 anywhere between 8 and 16 hours. 5 Q. How do you remember that so well? 6 A. A little bit of it is experience. 7 security incidents, you understand that you'll spend 8 approximately maybe four to six hours in the initial triage of 9 what's happening. There were other activities, but After going through Perhaps you'll spend another 8 to 12 or 10 whatever duration on understanding the threat that is attacking 11 the organization. 12 you know, anywhere between 20 or 40 hours on further evidence 13 gathering and the forensics. 14 Q. 15 did you do anything at all with regard to this incident going 16 forward? 17 A. Could you further elaborate? 18 Q. Yes. 19 And then you'll also know that you'll spend, So after that initial 12 to 16 hours that you described, So getting past these sets of actions that you've already 20 described, the finding out who and so forth, what else did you 21 do with regard to this incident? 22 A. 23 after that. 24 application, in this case it was a website, a content 25 management system that allows you to publish content, seeing if So after finding out who, a series of actions occurred One would be continuing to look at our KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 344 1 there were any other vulnerabilities. 2 When this attack occurred, there were concerns within the 3 executive leadership that it could occur again, and so time was 4 spent in trying to understand how someone could breach it. 5 And then this was kind of the point in the organization 6 where we started looking at how to upgrade our defenses, how to 7 upgrade our infrastructure to better secure ourselves going 8 forward. 9 Q. So in the time that you spent doing that, what you just 10 described, was any of that included in your estimate of -- 11 A. No, it was not. 12 Q. -- 8 to 12 hours? 13 Okay. In that 8 to 12 hours, in addition to identifying on 14 Google and so forth, did you review Assembler logs? 15 A. 16 review of those logs, but that was not my primary task. 17 Q. But you did do some? 18 A. Correct. 19 Q. Why did you review what you reviewed? 20 A. Really looking at experience on the team, there was a few 21 of us that had experience in reviewing logs, and so I was the 22 second set of eyes to ensure that the assumptions were correct. 23 Q. 24 user N. Garcia as the username, why not stop the analysis and 25 the work at that point? Assembler is one of the applications, and I provided some So can you tell me at the point that you had identified the KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 345 1 A. 2 up to your house and seeing that the door is wide open, and the 3 lock is not broken. 4 open? Did someone gain access to a key? 5 lock? How did they get into the house? 6 So, you know, the example of the house, it's like driving So you have to understand why is the door Did someone pick the And so just looking at it from N. Garcia and disabling that 7 account, that would be the same as just closing the door and 8 locking it. 9 validate that, the way the person got in, would they be coming So there were further steps that were required to 10 back? 11 go through the back door? 12 window in the house to gain access? 13 Q. 14 mean with regard to your specific security protocol that would 15 lead you to believe that that would be a problem? 16 A. 17 If they tried to come back again, would they now try to Would they try to go through a When you say the word "back door," can you tell us what you Yeah. In security terms, a back door is a way for an attacker or 18 a hacker to regain access. And so generally if the original 19 way they were able to break into the system, if that is 20 terminated or if that access is no longer available, an 21 attacker will try to establish a back door, which is a way that 22 they can gain access again. 23 And so in the house analogy, you know, a back door would be 24 as simple as maybe someone, you know, unlocking a window on the 25 side of the house. That's a way for that person to regain KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 346 1 access. 2 Q. 3 upgrade? 4 A. 5 would just be part of the incident response to ensure that, if 6 the person compromised you, and you believe you've removed 7 access, that you're not going to have a recurrence within the 8 next, you know, few hours or the course of the next few days. 9 Q. Do you know how many users used the CMS? 10 A. The CMS system is used primarily between two to 3,000 11 individuals. 12 organization. 13 Would looking for the back door be considered a security That would not be considered a security upgrade. That That would be the editorial within the Tribune Specific to L.A. Times, there is probably three to four 14 hundred that accessed the Assembler application. 15 Q. 16 would have had access to CMS content relating to L.A. Times? 17 A. 18 outside of the L.A. Times staff. 19 system administrators, the people that work on the computers 20 and the applications, would have access to that content. 21 Q. 22 relationship a person who is supposed to have that kind of 23 access and the concept of a super user, if you know what a 24 super user is? 25 A. Do you know if someone outside the L.A. Times had access, Generally no one would have access to L.A. Times content There are cases where the So someone with that kind of access, could you describe the Correct. So most users, let's say, would be a content KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 347 1 owner, and they own their own content. 2 own would be content for L.A. Times. 3 The content they would Then there are what you would call a super user. And so if 4 you think about how L.A. Times is one of many companies of 5 Tribune -- you have L.A. Times, Chicago Tribune -- you would 6 have content owners of L.A. Times and content owners of Chicago 7 Tribune. 8 Times, Chicago Tribune or any of the other newspapers and also 9 have the ability to create users across any of those But a super user would have access to both L.A. 10 properties. 11 Q. 12 a super user credential at stake in this incident? 13 A. 14 identification. At what point were you able to rule out that there was not I was not directly involved in the super user But from my understanding -- 15 THE COURT: 16 THE WITNESS: So wait for the next question. Okay. 17 BY MR. HEMESATH: 18 Q. 19 that the potential existence of a super user was a possibility 20 in this -- 21 22 So what can you tell us, if anything, about your knowledge MR. LEIDERMAN: I'm going to object. It calls for implied hearsay. 23 THE COURT: 24 BY MR. HEMESATH: 25 Q. Sustained. Based on what you know, were you able to rule out the KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 348 1 existence of an unauthorized super user? 2 MR. LEIDERMAN: It's the same objection. It calls for 3 his knowledge and calls -- 4 THE COURT: 5 MR. HEMESATH: 6 Could I have -- Your Honor, at this time, based on 7 Sustained based on what I've heard so far. We will get back to that. stipulation, the government moves Exhibit 303 into evidence. 8 MR. EKELAND: I just need to look at it real quick. 9 (Counsel conferring.) 10 THE COURT: 11 MR. HEMESATH: 12 THE COURT: 13 Do I have a 303 on my list? I have one in my binder. It's not on the list. 14 MR. HEMESATH: 15 THE COURT: 16 MR. EKELAND: 17 Your Honor, it -- Yes, I can explain that if you'd like. Is there a stipulation to admit 303? Yes, Your Honor. We saw it and discussed it this morning. 18 THE COURT: All right. 19 MR. HEMESATH: 20 THE COURT: So it's ten pages? Yes. All right. 303 is admitted. 21 (GOVERNMENT'S EXHIBIT 303, Assembler security logs, 22 ADMITTED INTO EVIDENCE.) 23 BY MR. HEMESATH: 24 Q. Do you recognize the form of what is on the screen here? 25 A. What's on the screen would be a security log in our KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 349 1 Assembler application. 2 Q. And how can you tell that that's what that is? 3 A. One, the format where you see the first few numbers, which 4 is an IP address; the second group of data, which is a date and 5 time stamp. 6 is the access save groups. 7 Assembler application. 8 Q. Okay. 9 A. Correct. 10 Q. Can you take us through -- and understand that we are not 11 IT professionals, but could you tell us a little bit about how 12 you would interpret this particular log entry based on your 13 day-to-day experience with such entries? 14 A. 15 And then if you look past the word "post," there That is characteristic of the So this is an Assembler log entry? Correct. So going through that example, if you look at the first 16 number, that is an IP address. The simple way to think of an 17 IP address is a phone number, it's the person that is calling 18 you. 19 number that someone is calling from, this would be equivalent 20 with the IP address. So when you have caller ID on your phone, you see the 21 The second group there with the date, that would be the 22 time that this event happened, the time that it was logged. 23 And so you can see this occurred on December 8th, 2010. 24 25 The second piece of information there is the word "post." Q. Oh, I'm sorry. Could we go back to this one. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 350 1 Can you tell us what -- sorry. Can you tell us what this 2 number means? 3 A. That should be the offset of time. 4 Q. Meaning? 5 A. So meaning the log was generated in GMT time. 6 minus eight would be the -- you know, between daylight savings 7 time or Pacific time, the offset. 8 Q. So a time zone adjustment? 9 A. Correct. 10 Q. Okay. 11 A. The next piece of information, whenever someone goes to a 12 website -- for example, you go to facebook.com -- typically 13 your interaction occurs one of two ways. 14 information by saying get facebook.com or you're posting 15 information. 16 provide an update on, you know, some family event or picture. 17 And then the And the next? You're either getting Perhaps you want to send a message to somebody or And so in this case, when you see the word "post," the 18 person has submitted information to the server. 19 Q. Is there an alternative to the command post? 20 A. Post is the primary way to post, send information to a 21 server. 22 Q. 23 receive information? 24 A. They would use the command get. 25 Q. Is that roughly the difference between uploading and What command would someone use if they were trying to KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 351 1 downloading? 2 A. Loosely, yes. 3 Q. Okay. 4 A. So the next entry is showing the actual address that 5 someone is going to. 6 perhaps you go to www.facebook.com slash and your name, John 7 dot Smith. 8 9 So what about the next entry? So in the example of facebook.com, So in this example someone is going to access and save groups. And when you look at save groups.ldap, L-D-A-P, LDAP 10 is an acronym for lightweight directory authentication 11 protocol. 12 information is stored in that LDAP provider, and save groups is 13 a way to add users into certain privileged accounts or owner 14 accounts to have access to information. 15 Q. 16 Okay. And what that means is your username and password I think I got that. What about the next section? 17 A. And the next section as far as the HTTP or the 200? 18 Q. Well, what do you think, reading from left to right, top to 19 bottom, is the next relevant thing on that? 20 A. 21 means the information was successful, whatever was submitted 22 was a success. 23 command okay. 24 Q. So that you know that to be, like, the code for okay? 25 A. Correct. The next relevant would be the number 200 because that Numbers could be multiples, but 200 is the KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 352 1 Q. What about the next number? 2 A. The next number is the size of the transmission. 3 relatively small number so, you know, what came back was 4 probably just a brief message saying successful. 5 been a much larger number, then it would be something similar 6 to an image or a video file that is, you know, in much larger 7 size than sending a command. 8 Q. 9 All right. So it's a If it had What about this next section? And tell me if I've got it wrong in terms of the break, but 10 that section that starts with HTTPS. 11 A. 12 group, so that was most likely the prior -- the prior web page 13 the user was on before submitting the post. 14 case, someone was trying to edit the group and add a username 15 of anon1234. 16 Q. Now let's be clear about what you mean by group. 17 A. So a group would be simply a group of entitlements or a 18 group of privileges. 19 read information in the application, and you would be a group 20 of read only. 21 content, where you can now edit the content as well as read it. 22 And you could be in a group that has super user ability where 23 you not only can edit and read content, but you have the 24 ability to add additional users into the system. 25 Q. Yep. Okay. So what's occurring here is someone is editing the And so in this And so you may have the ability to only You could be in a group where you own the And I'll ask you more about that particular section KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 353 1 in just a second. 2 Just so we can get through the rest of this line here, 3 what -- how do you interpret the section after that? 4 A. 5 user who was connecting to the server or submitting the 6 information. 7 using Mozilla, or probably more known as Firefox, and they were 8 connecting from a Macintosh computer. 9 can confirm that it was Firefox by it actually stating that it So the section after is generally information about the So what this is telling me is the person was And at the very end, you 10 was Firefox 3.6.8, which is the version. 11 Windows 8, Windows 10, this was Firefox 3.6. 12 Q. 13 tell us happened here? 14 A. 15 experience looking at this behavior, it's telling me that 16 someone is trying to put in a back door or an account that they 17 can in the future regain access if the primary account that 18 they have compromised becomes inaccessible. 19 Q. 20 IP address is? 21 A. 22 that is trying to create a back door into the system. 23 Q. And this number means that it was successful? 24 A. Correct. 25 Q. Anything else that you can tell us about this particular Okay. So when you think of So in relation to the term "anon1234," what can you Anon1234 is not the name of an actual user. And from And the relationship of that command that was sent and this So it would mean that that IP address is the individual KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 354 1 entry? 2 A. No. 3 MR. HEMESATH: 4 Is there any difference between what we just saw and 5 this one? 6 Okay. All right. Could I get the next page. Let's go to the next page. All right. And the next page. Okay. 7 Q. Are there a lot of log entries on this particular page? 8 A. It appears to be six entries. 9 Q. Okay. Let's start, if we can get the first one, with just 10 the first one. 11 A. 12 beginning you have the IP address that is being used. 13 second portion, you see the date and time. 14 different in this is they're using the get command. 15 trying to get data, and they're trying to get the ability to 16 edit a newsletter with an ID of 543. 17 So the format is similar to the one prior where at the The And then what's So they're 543 is just an arbitrary number that references some news 18 article on the website or in Assembler. 19 Q. I'm sorry. 20 A. Correct. 21 Q. Okay. 22 would the sender of this command have been uploading or 23 downloading to use a more conventional term? 24 A. 25 downloading it. Which part of 543 -- this one right here? All right. So now you described it before, but In this case, they would be getting the information or KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 355 1 Q. And you say that because of the get command? 2 A. Correct. 3 Q. Can you tell us -- first of all, the date you say is 4 November 3rd? 5 A. Correct. 6 Q. Okay. 7 A. Right here they're trying to gain access to a newsletter. 8 And what we don't have context into is what newsletter 543 is. 9 Can you tell what is being downloaded here? MR. HEMESATH: 10 Okay. Could we get the next log entry. If we can move it down just so we can see the first one 11 as well. There we go. Okay. 12 Q. So anything different about this particular one? 13 A. In this particular case, the user is trying to get 14 information as well, but they're trying to get the e-mail page 15 for a username of test1234. 16 Q. In your experience, is that a valid username? 17 A. That username would not be valid or, if it was valid, a 18 mechanism for system administrators or super users to make 19 tests or changes. 20 Q. 21 second one, what do you make of that? 22 A. 23 two. 24 Q. Is that a second or a minute? 25 A. Excuse me, my apologies. And the time difference between the first one and the The time difference is a little over a second between the That is a minute between the two. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 356 1 MR. HEMESATH: Okay. All right. Could we look at the 2 third one. 3 Q. And what can you tell us about this? 4 A. This line they're getting the images. 5 browser is requesting information, it actually can make 6 multiple requests at one time. 7 getting an okay button, and typically an okay button would be 8 used to submit information. 9 Q. But it's a get command? 10 A. But it is a get command. 11 Q. Got it. 12 So when a web And so this request here is And then this is at about the same time as the previous 13 command? 14 A. 15 Correct. MR. HEMESATH: Okay. All right. Can we see the next 16 one, please. 17 Q. 18 one in relation to the other three? 19 A. 20 product affiliates. 21 Q. What does taxonomy mean? 22 A. Taxonomy would be the -- really the hierarchy or 23 classification of a -- in this case, classification of product 24 affiliates. 25 Q. All right. Anything more that you can tell us about this Here they're trying to get the taxonomy of the different And when you say classification, what do you mean by that? KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 357 1 How they're related to one another? 2 A. 3 animals, right, where you have mammals, amphibians. 4 mammals, you can have, you know, the canine. 5 you can have different classifications. 6 Q. Like an org chart? 7 A. Similar, yes. 8 Q. And that is just after 2:40, the previous one; is that 9 correct? 10 A. Yeah. The simple way to think of a taxonomy is similar to And in Within canine, Correct. 11 MR. HEMESATH: 12 THE COURT: Could we take a look at the next one. We'll just go to the bottom of this page 13 and then take our break. 14 BY MR. HEMESATH: 15 Q. 16 that; is that correct? 17 A. Correct. 18 Q. And what is happening here? 19 A. They're listing the XML template. 20 is used generally to make templates, so think of it as a cookie 21 cutter or a rubber stamp. 22 And this is about a minute after that or 40 seconds after MR. HEMESATH: Okay. An XML template -- XML And we'll look at that last one. 23 Q. And what about this one? 24 A. The individual is getting the topics for a product 25 affiliate, and that product affiliate would be KTXL. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 358 1 Q. How can you tell that it's KTXL? 2 A. When you look at the -- so you have the get, and then you 3 have the forward slash taxonomy forward slash search. 4 question mark there is basically stating it's going to be a 5 parameter, meaning it's going to ask for a product affiliate, 6 and the product affiliate it's requesting is KTXL. 7 Q. 8 9 I see. Okay. And real quick, and then we'll move on. All of these on November 3rd came from different IP addresses, the same IP address? 10 A. They all came from the same IP address. 11 Q. I see. 12 Okay. THE COURT: All right. 13 break. 14 remember all of my admonitions. 15 minutes. That's a good time for our We'll take a 15-minute break. During the break, please We'll see you back here in 15 Thank you. 16 (Jury not present.) 17 THE COURT: 18 The seat in 15 minutes. You may step down. Just be back in your All right? 19 All right. 20 MR. HEMESATH: 21 THE COURT: 22 ready a few minutes before. 10 minutes you said? Well, 15 minutes for the jurors, so be 23 MR. HEMESATH: Okay. 24 MR. SEGAL: We'll take ten. 25 THE COURT: All right. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 359 1 (Recess taken.) 2 (Jury not present.) 3 THE CLERK: Come to order. 4 THE COURT: All right. 5 Can you stand behind the counsel table until we have 6 Court is back in session. Let's bring the jury back. the jury in? 7 (Jury present.) 8 THE COURT: 9 Welcome back, Ladies and Gentlemen. 10 with the direct examination of Mr. Kulesza. 11 12 You may be seated. Just so we can be aware of our expectations, how long do you expect to continue with direct, Mr. Hemesath? 13 MR. HEMESATH: 14 THE COURT: 15 MR. HEMESATH: 16 I would estimate another half an hour. All right. But I'm pretty bad at that, so we'll -- we'll see. 17 18 We'll continue THE COURT: All right. We'll measure you in the next half hour. 19 MR. HEMESATH: Thank you. 20 Good morning again. Could we get Exhibit 303-004. 21 Q. So we were just looking at this exhibit a moment ago, and 22 you were just pointing out to us that these IP addresses are 23 the same; is that correct? 24 A. Correct. 25 Q. And it may be self evident, but in general what can you KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 360 1 tell us about the relationship that you see between these time 2 stamps ranging from 2:38 to 2:41? 3 A. 4 occur during that time period relating to these log files or 5 log entries. 6 Q. 7 these times, you had told us at a previous time that the second 8 of these two numbers here -- there's an example right there -- 9 was the size. 10 You know, with the time stamps, all of these activities did Okay. With regard to these log entries that happened at That's not going where I want it to go. Do you see any log entries in this particular set that 11 indicates a larger size than any of the others? 12 A. The largest log entry appears to be the second one. 13 Q. That one right there? 14 A. Correct. 15 Q. And this is a get command, correct? 16 A. Correct. 17 Q. So what does that mean? 18 mean? 19 A. 20 regarding username test1234 and received a sizable bit of 21 information relative to the other entries. 22 Q. 23 178,316? 24 A. That would be in bytes. 25 Q. So can you give us an idea of how big that is with regard What do you interpret that to The user was getting information from the e-mail page What unit of size is reflected in this number here, KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 361 1 to, say, a text file? 2 A. 3 letter A, consuming one byte. 4 178,316 characters being returned. 5 Q. 6 So a text file you would generally see one character, the So in this case, you would have Thank you. MR. HEMESATH: Could I get the next page, 005. And I 7 apologize in advance that we're putting you through what must 8 be a little bit like work. 9 Q. So what can you tell us about this particular entry? 10 A. Again, the similar log format with the IP address starting 11 at the beginning, the time that this event occurred, a user 12 requesting with the get command the e-mail page for username 13 test5678. 14 after the HTTP and returning one thousand eight hundred -- 15 187,976 bytes of data and coming from the navigation UI page. 16 And the user was using Mozilla Firefox on a Macintosh computer. 17 And, again, the Firefox version was 3.6.8. 18 Q. 19 Mozilla that we've been seeing through the previous exhibits? 20 A. Correct. 21 Q. And this IP address, was that the same IP address as the 22 previous page that we were talking about? 23 A. 24 25 And then that being successful with the 200 number Was that the same version of Macintosh, the same version of I'd have to see the previous page. MR. HEMESATH: Could we take a look at the previous page real quick? KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 362 1 THE WITNESS: 2 MR. HEMESATH: 3 you. 4 Q. 5 address? 6 A. I was not. 7 Q. Okay. 8 9 Okay. Could we see 005. Perfect, thank Were you the one that did geolocation work on that IP All right. All right. A. Correct, the numbers were the same. Let's go to the next one. So same question, what happened here? A user with the IP address of 75.53.178.11 requested on 10 November 22nd, 2010, the left arrow image, and that was 11 successful, and it returned 120 bytes of data. 12 from the e-mail page UI with the username test5678. 13 again, with the same web browser, the Firefox 3.6.8, from a 14 Macintosh computer. 15 Q. Okay. 16 A. Very similar, but what is unique to this is that they're 17 requesting a user find function of the website. 18 potentially allow them to look at or find other users that live 19 in the system, other users that have access to the application. 20 Q. 21 Okay. And the next one? And that came And, What about this one? And that would Next, please. Same question, what about this one? 22 A. Again, similar to the prior log entries. In this case, 23 they are getting an okay image file, and that image file came 24 from, you know, the e-mail page test5678 from a Macintosh 25 computer running Firefox. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 363 1 Q. 2 text, that's something that is going to happen frequently with 3 regard -- in the same time as another command? 4 A. 5 go to search, above that search box there is usually an image 6 that says Google or whatever clever image they're using. 7 so that just gets typically downloaded or requested by going to 8 that page. 9 Q. Okay. 10 A. Correct. 11 Q. All right. 12 Okay. Safe to say that get images with a gif file and Correct. For example, when you go to google.com, and you So the next one. And And this is a gif file? So let's go to the next one. Is this another find user -- well, this is different, 13 correct? 14 A. Correct. 15 Q. How is this different? 16 A. This is find user versus a generic find from the prior 17 entry. 18 Q. So what happens with find user? 19 A. I could not speak to the Assembler application in detail to 20 specifically tell you the behavior of find user versus find. 21 Q. Okay. 22 A. Correct. 23 Q. Okay. 24 25 And this is a post command, though; is that correct? All right. All right. A. Let's go to the next page. This is from November 3rd; is that correct? Correct. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 364 1 2 MR. HEMESATH: And we may be able to skip this page. I'm going to try to save us some time. 3 Okay. All right. So we're going to skip that page, 4 because it appears to be a duplication. 5 Q. What about the first entry here? 6 A. So different from the prior entries is the IP address has 7 changed. 8 December 4th, 2010, and the user or individual requesting is 9 getting the home page. It's now 91.214.168.172. This is occurring on So, again, going to Facebook or Google, 10 you would see a get forward slash whenever you're requesting 11 the default page for those websites. 12 Q. 13 basically the same thing as the next entry as well? 14 A. 15 is similar to the prior ones being from a Macintosh computer 16 running Firefox 3.6.8. 17 prior entry is it's a Macintosh running on version 10.6, which 18 has also been on the prior entries. 19 Q. 20 the first one; is that correct? 21 A. Correct. 22 Q. Okay. 23 And I don't know if you can see below there. Correct. Is that When you're looking at the client information, it And another consistency between the And so the next entries down are substantially similar to So can we go to the fourth one right here. What can you tell me about this entry? 24 A. So with that IP address ending in 172, on December 6th, a 25 user has requested the welcome page, which would appear after KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 365 1 logging in successfully to the application. 2 occurring, again, from the same version of Macintosh running 3 10.6 and from the same Firefox version of 3.6.8. 4 Q. 5 All right. And that is So let's look at the next one after that. Same question. 6 A. Again, the same computer. In prior examples when we've 7 seen a get, that ends in dot gif or G-I-F. 8 those type of requests where it's just providing you -- 9 specifically a CSS file helps provide the color, the look and This is similar to 10 feel for the website. 11 the other information on the page. 12 Q. 13 entries would you expect to exist or to have been generated 14 within the CMS system on a given day? 15 A. 16 of a hundred or 200,000 plus log events per day for all the 17 various users and IP addresses and requests that occur. 18 Q. 19 was sifting through all those and finding these? 20 A. 21 So it's just requested in addition to And just for a little bit of context, how many of these log We would see -- for CMS application, there could be upwards A part of the job in finding the solution to this mystery Correct. MR. HEMESATH: All right. Let's go to 303-008. 22 Q. What can you tell us about this? 23 A. It's the same IP address ending in 172 on December 6th. 24 This request is sending the post command. 25 upload or sending of information, which differs from some of So post is the KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 366 1 the prior examples with the get or the downloading. 2 This person -- this request is posting to the save user. 3 And as you can see, it was successful with the 200 code. 4 it was posting from the edit user function of the web 5 application for user name S. Scholbrock. 6 And And how I would interpret this is someone has been able to 7 successfully modify that username, and you would typically 8 modify it to change some characteristic, either changing the 9 password or changing the permissions of that user. 10 Q. 11 aspects that you just mentioned came from a computer running 12 Mozilla Macintosh -- or I'm sorry, not Mozilla -- from a 13 Macintosh computer running this particular OS system running 14 this version of Firefox, correct? 15 A. Correct. 16 Q. Can we take a look at -- and the time on that was 4:00 in 17 the morning it looks like. 18 Is that correct? 19 A. Correct. 20 Q. The next one. 21 You're saying that that command to change one of those Well, with the proper adjustment. What about this entry? 22 A. So, again, that account was modified for the same user from 23 the same Macintosh computer running Firefox on December 8th. 24 Q. Now that was two days after the first one? 25 A. Correct. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 367 1 Q. Would you be able to tell, looking at this, whether someone 2 was executing this command or transmitting this command from 3 within a Tribune system? 4 A. 5 address does not exist in the -- So the IP address, again similar to a phone number, that IP 6 MR. LEIDERMAN: I'm going to object as nonresponsive. 7 It's a yes or no question. 8 THE COURT: 9 MR. HEMESATH: 10 THE COURT: Sustained. So disregard the answer so far. So -- Repeat the question and provide a yes or 11 no. 12 BY MR. HEMESATH: 13 Q. 14 tell us whether or not this was from within -- So you've told us whether you can. 15 16 THE COURT: Tell us how you can No, you need to go back to the threshold question. 17 MR. LEIDERMAN: 18 THE COURT: 19 MR. HEMESATH: I don't believe he said -- That's -I see. 20 Q. Can you tell, looking at this -- yes or no -- whether or 21 not this came from a Tribune computer? 22 A. Yes. 23 Q. How can you tell? 24 A. I can tell because the IP address or the phone number is 25 not one that was issued or used by Tribune for internal KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 368 1 purposes. 2 Q. 3 I see. Can we take a look at the next entry, please. So this appears on December 14th; is that correct? 4 A. Correct. 5 Q. So what can you tell me about this? 6 A. Very similar to the prior -- the prior logs. 7 IP address, on December 14th, a user was modified. 8 time the user is different, and it's S. Scholbrock 2. 9 command was issued from a computer that appears to be the same 10 Macintosh running Firefox. 11 Q. 12 Okay. With the same But this But the And the next one? Could we -- yeah. 13 A. Similar to the prior log entry occurring five seconds 14 later. 15 occurred for username S. Scholbrock with the same computer with 16 Macintosh running Firefox. 17 Q. Okay. 18 A. Correct. 19 Q. And the series of dates are what they are, December -- I'm 20 sorry -- December 6th, December 8th, December 14th? 21 A. Correct. 22 Q. And all the same version of Firefox and a Mac computer; is 23 that correct? 24 A. Correct. 25 Q. All right. The same save user was attempted or the same save user Let's clear this. And fair to say same IP address? Next exhibit, please. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 369 1 Okay. So now January 2nd. What can you tell us about 2 this? 3 A. 4 This event occurred on January 2nd. 5 only having a forward slash, a user went to the home page of 6 the application, in this case Assembler. 7 Q. 8 that? 9 10 So the IP address has now changed, which is 75.53.171.204. Okay. What about the next one? MR. LEIDERMAN: What can you tell me about I'm going to object, it calls for a narrative. 11 THE COURT: Sustained. 12 BY MR. HEMESATH: 13 Q. 14 one and the second one? 15 16 And with the get statement Can you tell us what the difference is between the first MR. LEIDERMAN: It also calls for a narrative, so objection. 17 THE COURT: 18 THE WITNESS: Overruled. So the difference between the first one 19 and the second one, the first one was requesting the content of 20 the home page. 21 feel for the home page. 22 BY MR. HEMESATH: 23 Q. Okay. 24 A. This request is providing the image that is specified on 25 the home page and appears to be a favorite icon. The second request is providing the look and How about the next one after that? KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 370 1 Q. What is the fav icon? 2 A. That would just be an image on the web page. 3 Q. Okay. 4 A. Again, this is coming from the same IP -- 5 6 And the next one after that? MR. LEIDERMAN: question pending. 7 MR. HEMESATH: 8 THE COURT: 9 I'm going to object, there's no I'm sorry. Sustained. Wait for a clear question. BY MR. HEMESATH: 10 Q. 11 entry and the previous entry? 12 A. 13 similar. 14 occurring approximately at the same time. 15 request for another image, and the image is of the log-in 16 button. 17 Q. 18 answered this previously, but is that a typical response when 19 someone is accessing the Assembler system? 20 A. Yes. 21 Q. And is it they're just seeing pages coming across like you 22 mentioned about the Google image? 23 A. Yes. 24 Q. Can we take a look at the next one. 25 What can you tell us about the difference between this This entry has the same IP address. The time is very If you look at this entry and the prior entry, it's And this is a When there are requests for images like that, you may have Is this the same get image response that you were just KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 371 1 previously referring to? 2 A. Yes. 3 Q. Could I see -- is that the next one? 4 And is that the same as the previous one with the get 5 image? 6 A. Yes. 7 Q. And let's take a look at the next one. 8 9 All right. A. What about this one? This one has the same IP address, the same date. And 10 instead of getting the information, they're sending or 11 uploading a post of information, and information is being 12 posted to the log-in module, which would validate the username 13 and password. 14 because of the 200 number returned. 15 And the results of that upload was successful And this occurred on a Macintosh computer running Firefox, 16 similar to the log entries above. 17 Q. 18 All right. And then we have one more there, one more. And what about this one? 19 A. This would just be another image file download. 20 Q. Someone accessed the system, is that correct, on January 21 2nd? 22 A. From this response, I cannot confirm that. 23 Q. Okay. 24 address did with regard to the system on that day? 25 A. What can you tell us about what a user from that IP Referring to the bottom log entry or -- KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 372 1 Q. The collective. 2 A. The collective. 3 So from the collective, a user went to the log-in page, the 4 same as if you go to facebook.com. 5 username and password in, similar as to how you would log into 6 Facebook. 7 entry, that log entry shows that the log-in was successful when 8 submitted because of the 200 code, which means the user logging 9 into the page had submitted a username and password that was And with the second to last or the next to last 10 accepted. 11 Q. 12 had from looking at this? 13 A. No, I cannot. 14 Q. Okay. 15 like this page. 16 Okay. And then a user put a Can you tell what privileges that user might have All right. Let's take a look at the last page. What can you tell us about the IP address and date on this 17 page? 18 A. 19 but it's similar to the IP address in earlier exhibits. The IP address on this page differs from the prior exhibit, 20 MR. HEMESATH: Could we take a look at 008 just to see 21 that. 22 Q. So that's the same IP address? 23 A. Correct. 24 25 I MR. HEMESATH: Q. Okay. So let's go back to 10. And the date is? KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 373 1 A. The date is December 11th, 2010. 2 Q. Okay. 3 transmitted on that day? 4 A. 5 for a username of test1234. 6 the request came from a Macintosh computer running Firefox. 7 Q. 8 edit was to that particular user on that day? 9 A. You cannot tell from this entry what the edit was. 10 Q. Why not? 11 A. To capture and log all of the information being submitted 12 could, A, have potential impacts on privacy rights and, B, is 13 not sustainable in an environment that receives a hundred to 14 200,000 requests a day. 15 would overload the system. 16 Q. 17 And what can you tell us about the command that was The command that was transmitted was an edit user command And that edit was successful, and Can you tell us specifically by looking at this what the Okay. It would be too much information that Thank you very much. I appreciate your patience. Mr. Kulesza, a personal question, but do you recall what 18 your salary was while you were at the Tribune Company in 19 December 2010? 20 A. In December of 2010, my salary was 105,000 a year. 21 Q. That was based on a 40-hour workweek? 22 A. Correct. 23 Q. During that period of time when you were responding to 24 this, do you recall -- did you see what people were doing 25 around you? KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 374 1 A. Yes. 2 Q. Co-workers? 3 A. Yes. 4 Q. What were they doing? 5 A. The office I was located at in San Antonio, I observed 6 Armando Caro on the phone with several individuals coordinating 7 with others to respond to the incident. 8 Q. 9 could see with your own eyes? 10 A. Okay. Anyone else that you were immediately around and No. 11 MR. HEMESATH: 12 One moment, Your Honor. (Government counsel conferring.) 13 MR. HEMESATH: Okay. Moving on. 14 Q. Are you familiar with a concept known as IRC? 15 A. Yes. 16 Q. How are you familiar with IRC? 17 A. I have used IRC in the past. 18 Q. Okay. 19 A. I have used IRC to communicate with others on the Internet 20 as well as configured my own IRC server for others to 21 communicate on. 22 Q. 23 How much have you used IRC in the past? I see. What does IRC stand for? 24 A. Internet relay chat. 25 Q. Okay. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 375 1 MR. HEMESATH: Your Honor, if I may have one moment to 2 confer with opposing counsel on something that might save us a 3 little bit of time? 4 THE COURT: You may. 5 (Counsel conferring.) 6 MR. HEMESATH: Your Honor, pursuant to oral stipulation 7 and understanding with defense counsel, the government moves 8 Exhibit 605 into evidence. 9 THE COURT: 10 11 MR. LEIDERMAN: No objection, Mr. Leiderman? No, he correctly stated the stipulation. 12 13 All right. THE COURT: All right. 605 is admitted and may be displayed. 14 (GOVERNMENT'S EXHIBIT 605, IRC chat on 12/09/10, 15 ADMITTED INTO EVIDENCE.) 16 17 MR. HEMESATH: hard to see. 18 19 That's going to be a little If we can just get this section. Okay. And could I have you open your binder up to Exhibit 605 as well. 20 21 All right. THE COURT: Just so you know, you've passed the 30-minute mark. 22 MR. HEMESATH: 23 Could we take a look at the whole thing again, 24 actually? 25 Q. Oh, my apologies. Just looking at the form of what you see before you, can KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 376 1 you tell what that is? 2 A. This is an IRC chat log. 3 Q. What distinguishing characteristics, if any, do you see 4 that make you think that? 5 A. 6 look at the first entry of text where you see Evil Boat has 7 kicked someone from #OperationPayback, those are all 8 characteristics of IRC communication. 9 Q. The characteristics that tell me it's an IRC log, if you Okay. So, in general, can you tell us why someone would 10 seek to use IRC? 11 A. 12 and Facebook or Gmail is in an IRC you can own and operate the 13 server for the communication. 14 someone on Facebook or Gmail, you're going through that third 15 party that then could, ah, manage that communication. 16 Q. When you say manage, what do you mean by that? 17 A. That third party has the ability to review what you're 18 sending on their servers and infrastructure. 19 Q. 20 that content? 21 A. 22 users connected to the IRC server, and they would only be able 23 to see content within the channels they are joined. 24 the server administrator could turn on additional log-in to see 25 communication. IRC is a form of communication. The difference between IRC Versus communicating with So if someone sets up their own IRC channel, who can review The only individuals that could review content would be the Or the -- KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 377 1 Q. So someone like Facebook wouldn't be able to look at that 2 communication, correct? 3 A. Correct. 4 Q. And who can set up one of these IRC channels? 5 A. Anyone with the technical proficiencies to do so. 6 Q. And you've set one up? 7 A. Correct. 8 9 MR. HEMESATH: So let's -- well, unfortunately we're stuck with this quality at this point. But could you go 10 through -- we'll take one step at a time and make it a little 11 easier to read. 12 here. 13 We'll just take a look at this part right Right there would be great. 14 Q. Okay. So with regard to the first line, can you tell us 15 what that first set of characters mean right here? 16 A. 17 the date and time that this message and the messaging following 18 the text occurred. 19 Q. 20 asterisk right after that date and time. 21 the asterisk means in this context? 22 A. 23 that was sent by the server or an event observed by the IRC 24 software, and it was highlighted. 25 Q. So the first part, the first portion of this log indicates Okay. And on this first line, there appears to be an Can you tell us what The asterisk would mean one of two things. Okay. It's a message And maybe that will become a little clearer after KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 378 1 explaining the next line. So what can you tell us about what's 2 going on on this next line? 3 A. 4 And then you have a -- between the greater than, less than 5 symbols, you have what would be referred to as a nickname or a 6 user. 7 the following text would be the message that individual sent. 8 Q. 9 odalfe or odalfe has sent a message consisting of exclamation So on this next line, you'll see again a date and time. This is the person that is sending a message. Okay. And then So in this case, is it fair to say that a username 10 point botnum? 11 A. Correct. 12 MR. HEMESATH: Okay. And let's open this up just a 13 little bit here. Can you clear that, please. Let's look at -- 14 okay. 15 Q. 16 P-A-U-L-L, paull is a username as well? 17 A. Correct. 18 Q. And amanikos; is that correct? 19 A. Correct. 20 Q. A username? 21 A. Correct. 22 Q. AEScracked is a user? 23 A. Correct. 24 Q. So in a typical IRC chat session, what would you expect to 25 see in relation to what we're seeing here on this screen? And based on what you said, is it fair to say that a KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 379 1 In other words, is this a typical IRC session as far as you 2 can tell? 3 A. This would be a typical IRC session. 4 Q. And do you usually see graphics in IRC sessions? 5 A. No. 6 Q. When a user logs into an IRC channel, how is it that they 7 come about on a username? 8 A. 9 an IRC server. An individual would specify their username when they join 10 Q. So they can choose any username they want? 11 A. As long as it's not already in use. 12 Q. Is there any data about the user that appears when a user 13 logs into the users of an IRC channel? 14 A. Yes. 15 Q. What information appears? 16 A. It would include either one of two things, one being their 17 IP address, which was similar to their phone number; or, two, a 18 name which, similar to caller ID, you would see the name of who 19 is calling. 20 MR. HEMESATH: Could I get the whole page. 21 Q. What did -- is it possible to limit users in an IRC channel 22 to only allow certain users in and not certain other users? 23 A. Yes. 24 Q. How do you do that? 25 A. You would set a key for the channel, which would mean you KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 380 1 need a password to join the channel. 2 Q. Who's in charge of setting that key? 3 A. The first person that joins or creates the channel. 4 Q. Is it possible to create a channel without a key? 5 A. Yes. 6 Q. Are you familiar with the term "IRC logging"? 7 A. Yes. 8 Q. What does that mean? 9 A. IRC logging is generally a setting that IRC software -- it 10 allows you to enable or disable and generally is enabled by 11 default that logs all communications that occurs within an IRC 12 channel. 13 Q. 14 log while that user that is running the log does that? 15 A. Yes. 16 Q. Does this appear to be an IRC log to you? 17 A. Yes. 18 Q. Could you tell me, other than logging, is there any other 19 way that you know of to record what's going on in an IRC chat 20 session? 21 A. Yes. 22 Q. What's that? 23 A. You could take a screenshot of the IRC session, and that 24 would be an image in a point of time of what's being displayed 25 by the IRC software. Is it fair to say it records whatever happens in the IRC KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 381 1 2 MR. HEMESATH: One moment. I'm going to try to save a little more time. 3 (Counsel conferring.) 4 MR. HEMESATH: Your Honor, at this time, pursuant to 5 the same understanding as with Exhibit 605, the government 6 seeks to introduce -- the government moves into evidence 7 Government's Exhibit 506. 8 THE COURT: 9 MR. LEIDERMAN: 10 11 THE COURT: No objection? By stipulation. All right. 506 is admitted as stipulated and may be published. 12 (GOVERNMENT'S EXHIBIT 506, screenshot of Keys computer, 13 ADMITTED INTO EVIDENCE.) 14 THE COURT: This is a single page? 15 MR. HEMESATH: 16 THE COURT: 17 MR. HEMESATH: Yes. All right. Okay. Actually let's go all the way 18 back out. 19 Q. 20 IRC session? 21 A. Yes. 22 Q. What can you tell us about the form of this -- let me 23 rephrase. 24 25 So is this a fair representation of a screenshot from an Why does this look different than the previous IRC sessions that we were looking at? KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 382 1 A. The previous IRC sessions were logs, which is a text 2 representation of the communication occurring within the IRC 3 channel. 4 as well as the communication occurring that was displayed to 5 the user when this screenshot was made. 6 Q. 7 than a regular text representation? 8 A. 9 communicate and talk with on an IRC server in an IRC channel. This is a screenshot, a capture of the IRC software So why would this look, for lack of a better term, fancier This would be the software that an individual would use to 10 Q. 11 IRC chat? 12 A. 13 the IRC channel. 14 which I believe is a name that was in a prior log, and the last 15 one on the bottom, Sharpie, which appears to be the nickname of 16 the user who is actually using this IRC software. 17 Q. 18 bottom bubble or speech bubble above him? 19 What would this section here tell us about this particular This would show you the users or the nicknames that were in Okay. So we have Chronom, SiteBot, AEScracked, So what does it mean that Sharpie has a little If you don't know -- 20 A. I don't know. 21 Q. Okay. 22 A. PM is a private message. 23 Q. Okay. 24 A. Those two lines of text would be one of two things, either, 25 one, the channel or, two, the server, but it appears to be the What does the term "PM" mean in the IRC world? What do these two lines of text up here mean? KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 383 1 channel. 2 Q. 3 4 I see. So there's two conversations going on? A. 5 Yes. MR. HEMESATH: So let's clear that. 6 Q. 7 going on in line 2 here? 8 you tell us who is speaking and what's being done? 9 A. 10 And then looking at this part, just for clarity, what's Not with regard to content, but could Correct. For line 2, there is a nickname or user Sharpie that is 11 sending a message that follows the colon. 12 Q. 13 14 Got it. And that can be seen by the whole chat room? A. 15 Correct. MR. HEMESATH: Okay. And then we'll back off of that. 16 Q. And then to the extreme right, what do we have? 17 A. Those are times that these messages were occurring. 18 would like to clarify on the prior question. 19 Q. Uh-huh. 20 MR. LEIDERMAN: 21 THE COURT: 22 MR. LEIDERMAN: 23 And I Objection. What's the objection? The prior question has been asked and answered, and it tends to offer a narrative. 24 THE COURT: Fair enough. 25 MR. HEMESATH: I can ask my next question, which is KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 384 1 with regard -- can we clear this screen? 2 Q. 3 meaning of the words before the colon and after the colon, is 4 there anything else that is relevant? 5 A. In addition to what you previously told us about the It was the question prior. 6 MR. LEIDERMAN: 7 THE COURT: 8 MR. HEMESATH: 9 I'm sorry. Objection, calls for a narrative. Sustained. Can we back out. I'm getting my questions, previous 10 questions mixed up. 11 Q. 12 relation to the information to the extreme -- to its 13 corresponding left? 14 A. 15 sent. 16 Q. 17 last five minutes been completely explanatory? 18 A. What can you tell us about this number right here in So that information there is the time the messages were Okay. Has everything that you've been telling me in the Could you further elaborate? 19 THE COURT: Why don't you rephrase. 20 MR. HEMESATH: 21 THE COURT: Okay. If you can. 22 BY MR. HEMESATH: 23 Q. 24 the identity or time of the data here as shown? 25 What, in addition to what you told me, would be relevant to MR. LEIDERMAN: Objection, vague and overbroad. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 385 1 THE COURT: Relevance is not for this witness to 2 decide, so you can ask a direct question. 3 BY MR. HEMESATH: 4 Q. 5 indicated you would like to make a clarification about? What would you like to clarify that you previously 6 7 MR. LEIDERMAN: It's vague and overbroad for this witness to define relevance. 8 THE COURT: 9 Do you have clearly in mind the question Mr. Hemesath 10 Well, this is clarification. is referencing in this question? 11 THE WITNESS: I'd like to clarify one of the answers on 12 the prior question after having more exposure to the content 13 displayed. 14 15 MR. HEMESATH: I think that's inherently relevant, Your Honor. 16 THE COURT: Well, we're not asking this witness to 17 decide what's relevant, but I am going to allow him to clarify 18 his answer, and it will be subject to cross. 19 20 21 22 So just very -- you were going to add something to an answer? THE WITNESS: the question based off of what I've seen with this evidence. 23 THE COURT: 24 THE WITNESS: 25 I was going to more appropriately answer What was the question? The question was regarding if the information being sent could be viewed by all users in the KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 386 1 channel. 2 THE COURT: 3 THE WITNESS: 4 All right. So what is your answer to that? No, it could not. It was a private communication. 5 THE COURT: All right. 6 MR. HEMESATH: Mr. Hemesath. So let's talk about that. 7 Q. 8 you -- was this a private communication? 9 A. Yes, it was. 10 Q. How can you tell whether it was a private communication? 11 A. By observing the username Sharpie being highlighted and the 12 content being displayed with communication between Sharpie and 13 AEScracked. 14 individuals. 15 Q. 16 private message? 17 A. Yes. 18 Q. Got it. 19 20 21 22 What you're seeing on this particular screen, how can This is a private communication between those two So fair to say because this was highlighted this was a Okay. Okay. Sorry about that. And I'm not sure if we got it, but does this time to the extreme left correspond to the time this message was sent? MR. LEIDERMAN: Objection, it's been asked and answered. 23 THE COURT: So withdrawn? 24 MR. HEMESATH: 25 Your Honor, no further questions. One moment. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 387 1 THE COURT: 2 MR. LEIDERMAN: 3 All right. Mr. Leiderman? Thank you, Your Honor. Just one second, please. 4 CROSS-EXAMINATION 5 BY MR. LEIDERMAN: 6 Q. Good morning, sir. 7 A. Good morning. 8 Q. I'm going to go a little bit out of order just because 9 that's the way my notes are. 10 If you're confused by it, please let me know, and we'll back track. 11 The first thing I want to ask you is, you went through I 12 don't know how many logs but a lot of logs. You recall that, 13 correct? 14 A. Yes. 15 Q. And most if not all of these logs had what I'm going to 16 call a web address in them, assembler.tribuneinteractive.com; 17 is that fair to say? 18 A. Yes. 19 Q. Is that what's called a front facing website? 20 A. Yes. 21 Q. And what is a front facing website? 22 A. A front facing website would be one available to users and 23 displayed -- potentially exposed on the Internet to users. 24 Q. 25 assembler.tribuneinteractive.com is not something that would And I guess you say potentially because KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 388 1 typically come up in a Google search, for example? 2 A. Correct. 3 Q. But if someone were to type into their browser window 4 assembler.tribuneinteractive.com, in fact that site would come 5 up? 6 A. Yes. 7 Q. And what would a viewer see on that site? 8 A. A viewer would see a request for username and password. 9 Q. So this is not the site where you would see content on the 10 Tribune Company -- on any Tribune Company property? 11 A. Correct. 12 Q. Did you meet with the government in connection with this 13 case? 14 A. I spoke with them on the phone. 15 Q. Just once or twice? 16 A. I can't recall. 17 Q. Did you have a conference call -- did you have one 18 conference call with and one conference call without Timothy 19 Rodriguez on it? 20 A. 21 can't recall the number of communications with the FBI. 22 Q. 23 but with James Silver, Paul who just directed you, 24 Mr. Hemesath, and Matt Segal? 25 A. I do believe I had a conference call at some point, but I Okay. Well, were the conversations not just with the FBI, I believe any communication was prior to the actual KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 389 1 incident occurring. 2 Q. Prior to -- you spoke with the FBI prior to -- 3 A. No, post the incident. 4 communication with them occurred some time period after the 5 incident had occurred. 6 Q. 7 month or so? 8 A. These communications, yes. 9 Q. Okay. 10 A. Yes. 11 Q. And then there were other communications that were just you 12 and the FBI? 13 A. Correct. 14 Q. And I'm just asking you with respect to these last two 15 communications. 16 Okay. So to clarify that, any Does the -- were they recently, like within the last These two communications in specific? Was one -- it sounded like to you, if it refreshes your 17 recollection, one in August and one in September? 18 A. Of this year? 19 Q. Yes. 20 A. Correct. 21 Q. And one was just about a week ago or just exactly a week 22 ago? 23 A. Yes. 24 Q. And did you discuss your testimony with respect to this 25 case? KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 390 1 A. Yes. 2 Q. Okay. 3 the government a week ago, right? 4 A. Yes. 5 Q. Going back to 2010, you were the -- did I get it right, you 6 were the VP of engineering, security and architecture for the 7 Tribune Company? 8 A. Not in 2010. 9 Q. What were you in 2010? You do have a clear recollection of speaking with I'm sorry. What was your job in 10 2010 with Tribune Company? 11 A. 12 then as a principal security architect. 13 Q. What does a data architect do? 14 A. Business intelligence and data warehousing. 15 Q. What does business intelligence mean? 16 A. Looking at large amounts of information and trying to 17 create simplified metrics to show value or characteristics of 18 data you're looking at. 19 Q. So essentially what you went through on the screen? 20 A. Yes. 21 Q. And you said you had another job, which I have forgotten? 22 A. I was a principal security analyst or principal security 23 architect in 2010. 24 Q. What does that mean? 25 A. I was primary for the security team in Tribune. I had two jobs in 2010, originally as a data architect and KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 391 1 Q. So it was your job to respond to incidents like this? 2 A. Correct. 3 Q. And were there other incidents like the one we're talking 4 about? 5 A. Not of this magnitude in 2010. 6 Q. Were there -- can you describe the typical smaller 7 incident, if there was -- was there a typical smaller incident? 8 A. Yes. 9 Q. And what were those like? 10 A. A security incident could be something as simple as an 11 individual losing a phone or a laptop. 12 conversation with HR understanding what websites an employee 13 was visiting or something of more magnitude and impact such as 14 a breach of confidential information or defacement of a 15 website. 16 Q. You had defacement of websites prior to 2010? 17 A. I am not aware. 18 Q. Okay. 19 A. That is in the classification of security incidents that 20 could occur. 21 Q. 22 Can you describe them? It could be a I joined in 2010. Why did you mention defacement of a website? Gotcha. You said the largest incident was this Chippy 1337 23 incident? 24 A. Correct. 25 Q. And you were calling it Chippy leet? KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 392 1 A. Correct. 2 Q. And I think we already went over with Mr. Caro what leet 3 is. 4 opposed to 1337? 5 A. 6 characters L-E-E-T. 7 Q. Is L-E-E-T, is that also the name of a language? 8 A. I'm not aware. 9 Q. Do a lot of people that, let's say, hang around IRC use But just briefly can you tell us why you say leet as Because 1-3-3-7, 1337 is the numeric representation of the 10 numbers in their nicknames as opposed to characters, numbers 11 that correspond with characters? 12 A. They can, yes. 13 Q. For example, an A would be a 4 or a T would be a 7? 14 A. Yes. 15 Q. And you're not aware that that language is called leet; is 16 that what you said? 17 A. 18 speak. 19 Q. Leet speak, yes. 20 A. Yes. 21 Q. Okay. 22 what you said was replacing a letter with a number is leet 23 speak? 24 A. Yes. 25 Q. That's because, quote/unquote, elite people use it? So if you're referring -- I believe the term might be leet That's what I'm asking about. So replacing a number with a -- just to summarize, KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 393 1 A. I believe so, yes. 2 Q. All right. 3 use it, and in fact most users aren't elite in the computer or 4 gaming field? But in reality you don't have to be elite to 5 MR. HEMESATH: 6 THE COURT: 7 BY MR. LEIDERMAN: 8 Q. 9 correct? Objection, compound. Sustained. In fact to use it, you don't have to be elite; is that 10 A. No. 11 Q. And is it true that a lot of the users aren't elite in the 12 gaming field? 13 A. Correct. 14 MR. HEMESATH: 15 THE COURT: Objection, relevance. Overruled. 16 BY MR. LEIDERMAN: 17 Q. 18 computer programming field? 19 A. Correct. 20 Q. You said you started to triage the incident almost 21 immediately? 22 A. Yes. 23 Q. Was it that day, December 14th, or December 14th the day of 24 the defacement? 25 A. And is it true that a lot of users aren't elite in the I believe so. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 394 1 Q. And are you -- are you privy to the fact that the article 2 in question was up for only 40 minutes? 3 A. Yes. 4 Q. Are you aware of who Chippy is? 5 A. No. 6 Q. And you did some Internet research on it? 7 A. Yes. 8 Q. Are you familiar with something called the urban 9 dictionary? 10 A. Yes. 11 Q. Did it have an entry for Chippy 1337? 12 A. I'm not aware. 13 Q. What is the urban dictionary? 14 A. It's an online website where anyone can submit a definition 15 for any word that they'd like to create as a common language. 16 Q. 17 Chippy 1337? 18 A. Not directly. 19 Q. What do you mean not directly? 20 search? 21 A. I would do Google first and see what becomes relevant. 22 Q. So as you sit there today, you don't know who Chippy is? 23 A. No. And would that have been one of the things you checked for 24 MR. HEMESATH: 25 THE COURT: Perhaps through a Google Asked and answered. Overruled. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 395 1 BY MR. LEIDERMAN: 2 Q. 3 accessed the L.A. Times content management system? 4 A. Yes. 5 Q. Were you able to lock that person out or that user out? 6 A. I was not responsible for locking the individuals out. 7 Q. Based on your review of the information, was that user 8 locked out? 9 A. Did you come to a conclusion about how someone could have I believe there was multiple users that had to be locked 10 out. 11 Q. 12 through brute force; is that correct? 13 A. I don't believe I mentioned brute force. 14 Q. I'm sorry. 15 a week ago with the government. 16 A. 17 compromise the system, yes. 18 Q. Can you explain what brute force is? 19 A. Brute force would be trying numerous username-password 20 combinations and hoping to gain access. 21 Q. Guessing? 22 A. Yes. 23 Q. Was there an upgrade deployed in the system? 24 A. In reference to? 25 Q. Well, let's talk about the whole Tribune Company system to You mentioned that the user could have possibly gotten in Not in direct here today, but in your interview I believe that is one of the possible ways someone could KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 396 1 begin with. 2 MR. HEMESATH: 3 MR. LEIDERMAN: 4 THE COURT: 5 MR. LEIDERMAN: 6 Objection, vague as to time. I'm talking -- Sustained. I'm talking about in response to the December 14th incursion. 7 THE COURT: 8 THE WITNESS: All right. You can answer. The initial incident caused us to -- you 9 know, going back to the house analogy, if someone breaks into 10 the house, the first thing you're going to do is, one, see if 11 anything has been stolen; two, make sure that there is still no 12 one else inside, that you're not in harm's way; and, three, 13 begin immediately trying to secure the house. 14 in the door, you're going to replace the door, you're going to 15 lock it. So if they kick 16 As far as upgrading, changing out your locks, putting 17 in a security system, those activities take time and money to 18 implement. 19 BY MR. LEIDERMAN: 20 Q. But they were done in this case? 21 A. Over a period of time, yes. 22 Q. Do you know what that period of time was; do you recall? 23 A. Somewhat generic, but this incident caused an awareness to 24 executive leadership to put more investment in security. 25 Q. So finally the big bosses understood that you needed more KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 397 1 security based upon this incident? 2 A. Yes. 3 Q. Sir, you can move that microphone closer to you if it would 4 help. 5 A. Perfect. 6 Q. Okay. 7 this take a week, a month, six months, a year? 8 A. 9 months to a year after the incident. I notice you're leaning down each -- is that better? Thank you. So actually you never gave me a time frame. Did Security is ongoing, but activity started to occur six 10 Q. Still in response to the incident? 11 A. Correct. 12 Q. Can a nickname, IRC nickname, can it be used in different 13 channels at the same time? 14 A. 15 can be in multiple channels at the same time. 16 Q. 17 things? 18 A. They can be, yes. 19 Q. Some channels, for example, can be related to a particular 20 game or gaming, and some of these channels that you're looking 21 at can be related to some anonymous operation? 22 A. They could be, yes. 23 Q. Were these channels on the 2600 server? 24 ask a foundational question. 25 An IRC nickname is unique on the IRC server, but a nickname And are different channels sometimes dedicated to different I'm sorry. Let me Are you familiar with the 2600 server? KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 398 1 A. I'm familiar of 2600, the publication. 2 Q. Are you aware that they run an IRC server? 3 A. No, I'm not. 4 Q. Oh. 5 Do you know what server these chats were happening on? 6 A. No, I do not. 7 Q. During your investigation of this incident, you learned 8 that nothing else was altered but the Chippy 1337 article, for 9 lack of a better term on it? 10 A. Yes. 11 Q. So when you used the house analogy, you talked about 12 immediate response. 13 either an entire new house or at least large portions of a new 14 house; is that fair to say? 15 A. Loosely, yes. 16 Q. I want to go back to those logs that you analyzed. 17 18 But in the long term essentially you built Is it fair to say that a web browser, the web browser that was used can be spoofed in those logs? 19 MR. HEMESATH: 20 THE COURT: Objection, vague, foundation. Sustained. You can ask a foundational 21 question. 22 BY MR. LEIDERMAN: 23 Q. What is spoofing? 24 A. Spoofing would be altering the information being sent. 25 Q. And you recall in the web logs that you just reviewed, you KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 399 1 said that there was something called Mozilla, which was a 2 browser, and then the most common part of Mozilla was Firefox. 3 4 And then you found a Firefox in fact in some of the logs you -- 5 MR. HEMESATH: 6 THE COURT: 7 BY MR. LEIDERMAN: 8 Q. 9 looked at? Objection, compound. Sustained. Did you find the word Firefox in some of the logs that you 10 A. Yes. 11 Q. And what did Firefox mean to you? 12 A. Firefox meant the web browser that accessed the site. 13 Q. Could that be spoofed? 14 A. It could, yes. 15 Q. Meaning a different web browser could have been used, could 16 have actually been used? 17 A. It could, yes. 18 Q. And you talked about Ms. Scholbrock's password being 19 changed. 20 A. Yes. 21 Q. And that when you examined those logs, it had Macintosh and 22 Mozilla in it; is that fair to say? 23 A. Yes. 24 Q. And is it also fair to say that those password changes 25 could have been made from any computer using Mozilla, presuming Do you recall that? KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 400 1 it's not spoofed, Mozilla and Macintosh, that version of 2 Macintosh? 3 A. 4 log, but the Mozilla and Macintosh could be spoofed. 5 Q. 6 were done in the L.A. Times specific -- none of them were L.A. 7 Times specific; is that fair to say? It was could only have been made from the IP address in the And in terms of the incursions themselves, none of them 8 MR. HEMESATH: 9 THE COURT: 10 11 Overruled. THE WITNESS: You can answer if you're able. Are you referring to the incidents or IP addresses? 12 13 Objection, vague. MR. LEIDERMAN: IP addresses and change of those logs that said test1234. 14 THE WITNESS: None of the requests appear to have come 15 from any L.A. Times network addresses. 16 BY MR. LEIDERMAN: 17 Q. 18 Sharpie come up? 19 A. Which logs? 20 Q. Did you review IRC logs in connection with this case other 21 than the ones you just reviewed? 22 A. 23 but not -- I don't recall those names coming up. 24 Q. It's been five years since you examined these? 25 A. Correct. In your review of logs, did the names Kayla, Sabu and There were logs submitted by Tribune that were IRC logs, KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 401 1 Q. You don't remember every nickname there was? 2 A. Correct. 3 Q. Lots of nicknames, sir? 4 A. Correct. 5 Q. And over the 15 years you've been using IRC, fair to say 6 there are tons, scores of nicknames? 7 A. Correct. 8 Q. Presuming a nickname isn't already on an IRC server, can 9 someone else use it? 10 You need a better question than that? I can rephrase. 11 A. It's technology. It's always complex. 12 Q. I get that. 13 A. Please. 14 Q. Okay. 15 a nickname of 1234. 16 time, that they've logged out, can someone else use the 17 nickname 1234? 18 A. It depends. 19 Q. Actually what does it depend on? 20 A. It depends if the IRC has services to protect nickname 21 misuse. 22 Q. 23 nickname? 24 A. It depends. 25 Q. Is that one of the things that people call it? You want me to rephrase? Let's say the password -- let's say someone is using Presuming that person isn't in IRC at that And do people call that service locking, locking the KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 402 1 A. I haven't heard that specific term, but certain IRC 2 services allow you to reserve nicknames, but it's not 3 commonplace. 4 Q. 5 with in this case allowed you to -- I'm going to use the word 6 "lock" a password or reserve. 7 A. 8 nickname or kicks you off within 30 seconds to a minute if 9 you're misusing it. Are you aware of whether or not the IRC that we're dealing You used the word "reserve"? Typically if a nickname is reserved, it changes your 10 Q. What does misusing it mean? 11 it? 12 A. Correct. 13 Q. Okay. 14 isn't. Oh, if someone else is using The question is withdrawn, then. Well, no, it Sorry. 15 THE COURT: It's in the record. 16 MR. LEIDERMAN: Exactly. 17 Q. 18 were going to do something just for LULZ, L-U-L-Z. 19 There's a line in the IRC logs you reviewed that said they Are you familiar with the term LULZ? 20 A. Yes. 21 Q. What does it mean? 22 A. That was a term used by Anonymous in most of their security 23 breaches of various organizations. 24 Q. What does the term L-U-L-Z mean? 25 A. For laughs. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 403 1 Q. Is it a kind of perversion of LOL? 2 A. Correct. 3 Q. And is it used just by Anonymous or is this a common 4 Internet term, something that has grown into the lexicon? 5 A. I would say Anonymous made it more in the lexicon. 6 Q. But it existed before Anonymous became -- or even became a 7 thing? 8 A. I'm sure it could have. 9 Q. Have you ever heard of the groups Internet Feds or LulzSec? 10 A. I've heard of LulzSec. 11 Q. Did you see in the logs you reviewed that they said 12 Internet Feds? 13 A. I did. 14 Q. And I guess you're saying you don't know who Internet Feds 15 are? 16 A. I'm not aware. 17 Q. Did you notice that a lot of the nicknames in Internet Feds 18 matched the nicknames in LulzSec? 19 20 MR. HEMESATH: scope of direct. Your Honor, foundation and beyond the We didn't get into the content. 21 THE COURT: 22 How much longer do you think you have on cross? 23 MR. LEIDERMAN: 24 25 Sustained. I have one more question, but I can't understand my own -- if I may have a second. THE COURT: All right. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 404 1 (Defendant conferring with his counsel.) 2 MR. LEIDERMAN: All right. Okay. Seems I fooled myself. 3 Q. The IRC times that you were talking about, do 4 you recall that? 5 A. Yes. 6 Q. All right. 7 as GMT? 8 A. I could not tell in the IRC if they were GMT time. 9 Q. You'd have to see, for example, what you saw in the logs, Are those all in what you referred to earlier 10 which is minus or negative 800, negative 0800? 11 A. That's one way, yes. 12 Q. What's another way? 13 IRC? 14 A. Regarding? 15 Q. What time these -- I want to know what actual time these 16 comments were made in the IRC. 17 A. 18 client based. 19 Q. If it was server based, it would be in GMT? 20 A. It depends. 21 Q. Oh, by the way, sir, let's go back a second. 22 What's another way that relates to I cannot tell you whether or not the time is server or What is GMT? 23 A. Greenwich mean time, which is the standard time that all 24 time zones are keyed off of. 25 Q. It's the primary one -- KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 405 1 A. Correct. 2 Q. -- of Greenwich, England? 3 A. Yep. 4 Q. And GMT minus 0800 is Pacific standard time? 5 A. I believe so, yes. 6 MR. LEIDERMAN: 7 THE COURT: 8 MR. HEMESATH: 10 THE COURT: Maybe five minutes. All right. All right. Can we take the five minutes is up. I'm going to let you know when five minutes This time you're standing in the way of a break. 14 MR. HEMESATH: 15 THE COURT: 16 How much time would you need and then take our next break? 12 13 All right. for redirect? 9 11 I don't have anything further. I should have said ten. Attorneys are at their best when they're required to condense, in my experience. 17 REDIRECT EXAMINATION 18 BY MR. HEMESATH: 19 Q. 20 incidents. 21 Mr. Leiderman asked you about your job and your response to If you weren't responding to this incident, what would -- 22 what else would you have been doing? 23 A. 24 with other teams and ensuring they were developing secure 25 software. I would have been doing daily activities, such as working You know, working with other teams in the KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 406 1 organization to make sure they had security awareness. 2 Q. You weren't permitted to do nothing? 3 A. Correct. 4 Q. Mr. Leiderman asked you if there were any other defacements 5 in 2010. 6 Are you aware of any other defacements of this magnitude 7 throughout the entire time you were at Tribune? 8 A. Not of the same level of impact to the customer. 9 Q. And who do you define as the customer? 10 A. Any subscriber, any individual that would go to latimes.com 11 to visit the website and read news articles. 12 Q. 13 for 40 minutes, and you said that that was your understanding. 14 Mr. Leiderman asked you about whether the story was only up Do you have any knowledge about whether the mobile site was 15 different or changed or how long that might have been 16 different? 17 A. It's very possible the mobile site was changed. 18 Q. I don't want to ask you to speculate. 19 then -- 20 A. I'm not a hundred percent -- 21 MR. LEIDERMAN: 22 THE COURT: 23 BY MR. HEMESATH: 24 Q. 25 If you don't know, Move to strike the speculative answer. There's no real answer, so just move on. Mr. Leiderman asked you about brute force attacks. What in the system protects against brute force attacks? KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 407 1 A. 2 account after defining a number of attempts to log into the 3 account with a given password. 4 Q. Was there any evidence of a brute force attack here? 5 A. No. 6 Q. Mr. Leiderman asked you about upgrades and about a period 7 of time after which there were -- during which there might have 8 been upgrades. 9 If an application is coded and designed to lock out an Do you know what upgrades were actually performed to your 10 system? 11 A. 12 Assembler. 13 Q. Other people were in charge of that? 14 A. Yes. 15 Q. What about beyond Assembler, to the system in general, any 16 upgrades that you're aware of specifically? 17 A. 18 security program to better protect all assets in the 19 organization. 20 Q. And do you know how much those cost? 21 A. Anywhere between one to two million for upgrades that 22 occurred in the year or two years prior. 23 Q. 24 25 I'm not aware of which upgrades were performed to The only upgrades I'm aware of are the upgrades to the Okay. And one last question hopefully. Mr. Leiderman asked you whether you were aware that anything else was altered in the content management system KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 408 1 other than the story itself. 2 3 MR. LEIDERMAN: Objection, misstates the question I asked. 4 THE COURT: Sustained. 5 BY MR. HEMESATH: 6 Q. 7 whether anything else was changed? 8 A. Yes. 9 Q. And you answered nothing; is that correct? 10 A. Yes. 11 Q. How long did it take you to confirm that nothing else was 12 changed? 13 A. 14 wasn't involved in it. Do you recall Mr. Leiderman's question with regard to There were other teams that confirmed it. 15 THE COURT: 16 MR. HEMESATH: 17 THE COURT: Personally I So stop there. Thank you. All right. Nothing further. Let's go ahead and take our 18 break. The attorneys can confer and see if we need to continue 19 with this witness after the break. 20 however much time you need as close as possible to that. 21 Remember my admonitions as always. 22 break is over. 23 (Jury not present.) 24 THE COURT: 25 A 15-minute break or We'll see you when the You may step down. If they need you, be back in 15 minutes. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 409 1 All right. 2 MR. LEIDERMAN: 3 THE COURT: 4 MR. HEMESATH: 5 THE COURT: 6 He can be excused. You would agree, Mr. Hemesath? Yes, Your Honor. All right. Sir, you're excused. ready with its next witness in 15 minutes. MR. SEGAL: Your Honor, would you like the witness to be on the stand when the jury comes in? 11 THE COURT: That's fine. 12 MR. SEGAL: Okay. 13 (Recess taken.) 14 (Jury not present.) 15 THE CLERK: Come to order. 16 THE COURT: All right. 17 Court is back in session. Let's bring the jury in. (Jury present.) 18 19 Thank you We'll let the jury know that the government can be 9 10 Oh, no. very much. 7 8 Do you need more recross? THE COURT: Welcome back, Ladies and Gentlemen. may be seated. 20 The government is ready to call its next witness. 21 We excused, Mr. Kulesza. 22 Kulesza? Am I saying that right, He has been excused. 23 The government's next witness. 24 MR. SEGAL: 25 You Your Honor, the United States calls Mr. Tim Rodriguez. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 410 1 THE COURT: All right. 2 THE CLERK: Mr. Rodriguez, please come forward. 3 to take your photograph this afternoon. 4 your back against the wall facing me. 5 6 All right. If you can stand with Thank you. Step into the witness stand behind you, remain standing and raise your right hand. 7 TIMOTHY RODRIGUEZ, GOVERNMENT'S WITNESS, SWORN 8 THE WITNESS: 9 THE CLERK: 10 THE WITNESS: 11 THE CLERK: I do. Thank you. Will you please say and spell your first and last name for the record. 13 THE WITNESS: Sure. Timothy P. Rodriguez. T-I-M-O-T-H-Y, R-O-D-R-I-G-U-E-Z. 15 16 You may be seated. Thank you. 12 14 I need THE COURT: All right. You may proceed. We have until 1:00 today. 17 MR. SEGAL: 18 this witness and one more. 19 THE COURT: 20 Thank you, Your Honor. We're hoping to do All right. DIRECT EXAMINATION 21 BY MR. SEGAL: 22 Q. Good afternoon, Mr. Rodriguez. 23 A. Good afternoon. 24 Q. In what line of work are you? 25 A. I do security and forensics. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 411 1 Q. And for how long have you been doing that? 2 A. About 18 to 20 years. 3 Q. What was the training you had before you actually started 4 working in the area? 5 A. 6 system and network auditor. 7 from a lot of other vendors for security firewalls, networking 8 and things of that nature. 9 Q. There was a lot of on-the-job training, and I'm a certified Okay. So I have a lot of certifications You want to just briefly walk us through your career 10 up to January of 2011? 11 A. Okay. 12 Q. But slowly. 13 A. So I worked at a number of different institutions, 14 hospitals, insurance agencies, other medical centers and banks. 15 And I started doing -- I started on the help desk and worked my 16 way up to server support, and from there I started doing 17 networking. 18 and I do security now full-time at my current employer. 19 I've worked, once again, at different hospitals, medical 20 organizations, insurance agencies and banks. 21 Q. Okay. 22 A. No, sir, I'm not. 23 Q. Okay. 24 A. Yes, I did. 25 Q. What was your first day? After I left networking, I started doing security, But Are you at Tribune now? In January -- have you ever worked at Tribune? KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 412 1 A. 2 for this case, going to group -- 3 Q. 4 Well, my first day was actually handling the information Wait, wait. What day was your first day? 5 A. January 3rd, 2010. 6 Q. Okay. 7 you supposed to do? 8 A. 9 the whole security team, so my job there was to backfill the And into what title were you hired into? What were So what I was supposed to do was -- we had green-fielded 10 security position that had a lot of different roles and 11 responsibilities, one of them being investigating things like 12 compromises and incidents. 13 Q. 14 when you were hired in, at what salary were you hired? 15 A. I believe it was at 101K a year. 16 Q. Okay. 17 A. Yes, sir. 18 Q. And a 40-hour normal workweek? 19 A. Yes. 20 Q. Okay. 21 Okay. And I know it's not usually what we ask people, but A 52-week year? So January 3rd, 2011, who was your supervisor? THE COURT: That wasn't -- that wasn't his testimony. 22 BY MR. SEGAL: 23 Q. What was your first day at Tribune? 24 A. January 3rd, 2011, I believe. 25 THE COURT: All right. I think he said 2010 before. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 413 1 MR. EKELAND: 2 THE COURT: 3 He did. Are you certain about -- what is the date when you started? 4 THE WITNESS: I'm sorry. It was 2011. 5 THE COURT: All right. 6 MR. SEGAL: We -- this will become clear. 7 Q. Which is true, did you have a slip of the tongue that I 8 heard wrong or -- 9 A. Yes, I did, a slip of the tongue. 10 Q. All right. 11 A. I worked for Armando Caro. 12 Q. All right. 13 he assign you? 14 A. 15 had defaced one of our websites on some of the bylines. 16 Q. 17 instructed to assess? 18 A. 19 happened, if the break-in was continual, and if the perpetrator 20 was still inside the Tribune systems. 21 Q. How important was it to assess how the break-in happened? 22 A. It was critical to assess how the break-in happened because 23 the way the break-in happened is germane to the rest of the 24 opportunity that the person who perpetrated this act would have 25 access to all other systems or, in fact, have access to a Sorry. I apologize. So on January 3rd, 2011, who was your boss? He was a technical director. And first day on the job, to what project did He assigned me to look into the incident where Chippy leet What were you trying to -- on January 3rd, what were you Well, I was instructed to assess where the break-in KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 414 1 system where they can jump off and attack other Tribune 2 systems. 3 Q. 4 the system? 5 A. 6 could alter other bylines, they could alter other Tribune 7 systems and make it so that we would not be able to detect that 8 they were there. 9 Q. They could do it so that what? 10 A. They could -- what they could do is they could jump off to 11 other systems, so they could delete logs so that we wouldn't 12 know what systems they were, create user accounts and then use 13 those accounts to garner other Tribune Media sites and/or 14 financial information. 15 Q. 16 term or shorthand for that kind of conduct? 17 A. Yes. 18 Q. What is it? 19 A. Back doors. 20 Q. Okay. 21 whether there were any more back doors? 22 A. 23 give them access to resources now but resources in the future, 24 and they could pull down other information unbeknownst to us. 25 Q. How important was it to assess whether they were still in That's very -- that was extremely important because they When you say creating user accounts, is there a security So my next question, how important was it to assess That was critical because an open back door would not only I want to ask you what other systems at Tribune you were KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 415 1 concerned about. 2 A. Can you name some of them, please? Sure. 3 Other than the Assembler system, we were concerned with our 4 LDAP systems, if they could get in there and tamper with those. 5 Q. And what was the LDAP system? 6 A. The LDAP system is the authentication system you use when 7 you log in. 8 Q. Okay. 9 A. We have financial systems that were on the same network. What other systems? 10 We have other websites which we host other papers called the 11 Red Eye, the Chicago Tribune, the actual newspaper itself. 12 then they could jump off and attack some of the different TV 13 and radio stations that we had. 14 Q. What in your business did the plates mean? 15 A. What the plates are is -- 16 Q. Do you want to move the microphone away from you or down a 17 little bit. 18 A. 19 the plates -- 20 21 That might be -- there you go. What the plates are is if you could -- if you could alter MR. LEIDERMAN: I'm going to object. Altering plates is speculative. 22 THE COURT: 23 MR. LEIDERMAN: 24 THE COURT: 25 And Sustained. And move to strike. That answer is stricken. Rephrase the question and -- or at least restate the question. He's not KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 416 1 answering the question. 2 MR. SEGAL: Okay. Yes, Your Honor. Thank you. 3 Q. What were the plates? 4 A. The plates, when a newspaper prints out a -- when a 5 newspaper prints out the daily newspaper, what the plates are 6 is a -- it's like a set of printing instructions so that you 7 can print out thousands of copies of a newspaper. 8 an error in that thousands of copies, we have wasted paper, we 9 wasted circulation. If there is And if the paper went out, then it's 10 technically inaccurate, and it would have to be corrected. 11 Q. 12 13 All right. And in 2010 -- or I'm sorry -- MR. LEIDERMAN: I'm going to object again as irrelevant. 14 THE COURT: Overruled. 15 BY MR. SEGAL: 16 Q. 17 your computer network? 18 A. Yes, they were directly connected. 19 Q. Okay. 20 A. So you could get on a computer network, alter the plates 21 where you can actually change stories and change information 22 before it went out to print, thereby causing, you know, untold 23 thousands of dollars of damage or millions. 24 Q. 25 that controlled the plates? In 2011, was there a relationship between the plates and Explain that, please. So what did you want to assess with regard to the computers KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 417 1 A. We wanted to make sure that the computers were -- were not 2 hacked and didn't have back doors or accounts that were 3 recently changed or changed so that an opportunity to deface 4 them could happen. 5 Q. 6 financial systems did Tribune use? 7 A. 8 subscriptions through credit cards, online checks and things of 9 that nature. You discussed also financial systems. What kinds of We took information for circulation of newspapers and 10 Q. Okay. And what was important for you to assess with regard 11 to those financial systems? 12 A. 13 weren't changed, and no back doors were put in any of the 14 systems. 15 Q. 16 do to assess what was going on on the LDAP system with regard 17 to further back doors? 18 A. 19 the accounts. 20 so what we did is we checked each account for one verified user 21 and made sure that password wasn't changed within the scope of 22 30 days prior or post to the incursion happening. 23 Q. 24 integrity of your systems? 25 A. Once again that they weren't hacked, computer accounts All right. So let me ask you what you did. What did you So what we did is we had the system administrators check There's a number of accounts on the LDAP system, What did you do on the financial systems to assess the Basically the same thing. And then what we do is we look KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 418 1 through the logs, and we made sure that anyone who accessed the 2 systems were inside Tribune and had a legitimate reason. 3 then, once again, we looked through back door accounts, any 4 account that was changed or created in the last 30 to 60 days. 5 Q. 6 plates to assess the integrity of your system? 7 A. 8 that all the IDs were valid on the plates. 9 people who were actually terminated, who were no longer working And And what did you do on the systems that controlled the We performed the same functions. We checked to make sure We removed IDs of 10 at the company. And we just did a check on the system files to 11 make sure that they were -- they were correct and unaltered. 12 Q. 13 personally involved in those things? 14 A. 15 didn't have access to any of the systems as per my role. 16 system administrators actually performed the duties and the 17 tasks and correlates into the hours that they performed these 18 duties and tasks. 19 computer security emergency -- 20 Q. No, go ahead, you were explaining CSIRT. 21 A. A computer security emergency process so that they could 22 understand what the responsibilities were, what they had to 23 check and to communicate with me just in case there was another 24 back door or another system that I wasn't aware of so we could 25 put that in focus. Were you -- the things we've been talking about, were you Some of them, yes. Some of system administrators -- I The My job was to create a CSIRT process, a Go ahead. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 419 1 Q. Okay. 2 there? 3 A. 4 actually solved it. 5 analyze it and submit it as evidence to an electronic CD. 6 Q. 7 assessment on? 8 A. 9 Tribune doesn't work with one computer, one server. Yes. So you're directing this cast of characters out And they would deliver the data to me after they And they sent me the data so that I could Were there any other systems that you performed damage Well, the number of systems we performed was quite large. There's 10 many servers that, ah, correspond to our web presence on the 11 Internet. 12 of pages and archives and things of that nature. 13 very monumental task within itself. 14 There's literally hundreds of servers with thousands So that was a Once again, the financial systems had many servers that 15 housed that data, and then the plates. There's a small amount 16 of data on the plates, but there's a lot of access that goes to 17 that. 18 server that controlled the plates. 19 Q. 20 hours that you spent at $102,000 a year, how much time did you 21 spend on the tasks that we just described? 22 A. I spent 50 hours. 23 Q. Okay. 24 the time that you spent? 25 A. So we had to check each computer that accessed the Okay. So now just asking you about your job alone, the Did you do -- what did you do to keep track of the I -- every time we had a conference call or I met with KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 420 1 system administrators or managers, I just -- I just copied down 2 that time as I was taught to do on a sheet of paper, which 3 unfortunately I don't have, and I tabulated out the 4 information. 5 And then I went to each person -- 6 Q. Wait. 7 A. Sorry. 8 Q. You gotta remember that. 9 Just -- no, not them. MR. SEGAL: Just you, please. So -- but we'll go to that. Let's look at Government Exhibit 306. 10 That's that big piece of paper that is taped up there in front 11 of you. 12 defense that I don't intend to offer this into evidence. 13 For identification only, Your Honor. THE COURT: I've told the All right. 14 BY MR. SEGAL: 15 Q. Do you see that? 16 A. Yes, sir. 17 Q. What is that? 18 A. This is a list of the functional titles, names, preventive 19 hours, software code, redesign hours, analysis and 20 investigative hours, the total hours, their hourly wage, and 21 what the total is from all categories from left to right. 22 Q. 23 as part of your job. 24 and identify who among them were people that you directed to do 25 things? Okay. You said that you were directing people to do things Can you look down the name field there KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 421 1 A. 2 3 Sure. Tom Comings was one of the people that helped me actually discover who -- what ID was used to change the byline. 4 Let's see. 5 Craig Hancock and Sabrina Downard, they actually reviewed 6 the LDAP logs to find specific time and date when that person 7 was, ah, authorized with that garnished credential. 8 9 Greg Noth, Brandon Zylstra and Jason Potkanski actually did a lot of -- did a lot of analysis and investigative hours to 10 look through not only the Assembler system, but everything that 11 connected with P2P. 12 Q. 13 Jason Potkanski, P-O-T-K-A-N-S-K-I? 14 A. Yes, sir. 15 Q. Okay. 16 A. The software development team consisted of Joe Bezouska -- 17 Q. Okay. 18 not interested in that. 19 A. 20 this code was accessed, and there were some vulnerabilities 21 that they actually addressed that at the time we didn't -- we 22 didn't know whether they used those or not to -- we didn't know 23 if they garnished the system ID until a little bit later. 24 Q. Okay. 25 A. Yes. And that's Greg Noth, Brandon Zylstra, Z-Y-L-S-T-R-A, and No. Anybody else? If the software development team is upgrading, I'm Have you moved to upgrades now? What they were doing is they were redesigning the way So still part of your incident response? KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 422 1 Q. Okay. Who are they? 2 A. Joe Bezouska, Casey Conor, and Brian Heusinkveld. 3 Q. Okay. 4 MR. SEGAL: I'll give the Reporter the list. 5 THE COURT REPORTER: 6 MR. SEGAL: Okay. Thank you. Thank you. 7 Q. Now how many hours are recorded here for you? 8 A. There is 50 analysis and investigative hours recorded for 9 me. 10 Q. 11 the jury, please, how your notes were accumulated and got to 12 that number on this document? 13 A. 14 these people or specific teams to find out what systems 15 Assembler connected to, web searches that we actually had to -- 16 or the web blogs we had to analyze to get this, and then how 17 many other systems that they actually looked through to make 18 sure credentials, A, weren't changed or that a specific 19 credential was not present on that system. 20 Q. 21 note, right? 22 A. Yes. 23 Q. And -- all right. 24 25 And we went -- we approached this first, but can you tell Okay. Okay. So every meeting we had with either each one of And then you took that time and recorded it in a In 2011, how late in 2011 were you still trying to figure out the extent of the damage to the integrity of your systems? KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 423 1 A. I think I have noticed in the case log -- 2 MR. LEIDERMAN: Your Honor, I'm going to object to the 3 characterization of damage. 4 THE COURT: Sustained. 5 BY MR. SEGAL: 6 Q. 7 your systems? 8 A. 9 exact date, and I want to be exact with it. How late in 2011 were you still assessing the integrity of I don't have the exhibit, the report. I have -- I have the 10 Q. Would it refresh your recollection -- 11 A. It's been almost five years, so -- 12 Q. Is there a document that would refresh your recollection? 13 A. Ah, yes. 14 incident. 15 16 It is the report that I submitted for the MR. SEGAL: May I have a moment, Your Honor? I gotta go find that exhibit number. 17 THE COURT: You may. 18 Can you move on to another set of questions? 19 MR. SEGAL: Yes, I can, Your Honor. While that's going 20 on, I'm going to move on and approach it at the end of the 21 exam. 22 Q. Do you remember in what month it was, yes or no? 23 A. Yes, I believe it was either at the end of January or the 24 beginning of February. 25 Q. Okay. After that, after that was over, did Tribune Company KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 424 1 take any measures to upgrade its systems? 2 A. 3 needed to be upgraded. 4 Q. The answer to that is yes? 5 A. Yes. 6 Q. Okay. 7 and the initial response is kind of seeing if they're still 8 there, if there are back doors and that kind of thing. 9 upgrade is putting in a security system or installing a new and 10 Yes. We discovered that there was a lot of systems that We've used an analogy about a break-in to a house, stronger door, that kind of thing. 11 Are you comfortable with that analogy? 12 A. Yes. 13 Q. Okay. 14 I'm sorry -- your 50 hours until whatever time -- 15 16 17 18 And the So if I understand you correctly, your 40 hours -- MR. SEGAL: And I have the document here. I'm going to refresh recollection with Defense Exhibit P. THE COURT: All right. That's in a separate binder behind you. 19 MR. SEGAL: May I approach, Your Honor? 20 THE COURT: Well, can you open the binder? 21 if you can find it quickly. 22 corresponds? Let's see Is there a number that 23 MR. SEGAL: Yes. It's behind tab 16, Mr. Rodriguez. 24 THE COURT: All right. 25 You've found that? You may ask about the document. It appears to be quite a few pages. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 425 1 2 MR. SEGAL: Q. Yes. If you look at that, can you tell about how -- 3 THE COURT: What's the question? 4 MR. SEGAL: The question is, in what month was he 5 finished assessing the integrity of the systems? 6 tell from this report. 7 8 THE WITNESS: Yes. If you can It was January 25th before I started sending information to Agent John Cauthen. 9 MR. SEGAL: January. Okay. 10 Q. Now, after that, I want to ask you how important was it to 11 Tribune Company to upgrade and make sure this couldn't happen 12 again even once you'd re-secured the system? 13 A. 14 couldn't be appropriated again from either another individual 15 or another set of individuals. 16 active target because they were a large media company. 17 usually hackers like to target the larger media companies. 18 Q. 19 systems to secure against a future attack? 20 A. 21 that can help us detect and prevent these types of breaches. 22 Q. Do you recall about how much money was spent? 23 A. It was in excess of $450,000, I believe. Well, I think that that's critical to make sure that this Okay. So How much did management approve upgrading your We planned, we developed, and we brought in technologies 24 25 Because we were -- we're an MR. LEIDERMAN: witness. I'm going to object. It's beyond the scope. This is the wrong It calls for implied hearsay. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 426 1 THE COURT: Well, the jury shall disregard that answer 2 for now. If you can lay more of a foundation. 3 BY MR. SEGAL: 4 Q. What was your involvement in upgrading the system? 5 A. We specked out -- 6 Q. Well, it's you, it's not we. 7 A. I'm sorry. 8 Q. You individually. 9 truthful and adequate answer, just whatever it is. And if it's not you, then that's the 10 A. 11 application testing process. 12 my boss, Armando and Dylan, that we purchase this type of 13 solution so we could run these. 14 because I tested an event gathering system called Nitro that 15 gathered logs so we can actually see if this was happening 16 again through not only those systems, but other systems as 17 well, and they were very expensive. 18 What I did was I performed some penetration and an I not approved, I recommended to We bought -- I recommended, If you put all those systems together, I think they were -- 19 THE COURT: Well, wait for the next question. 20 MR. SEGAL: Okay. 21 Q. 22 engaged in it, did you see prices for those applications? 23 A. Retail prices, yes. 24 Q. Okay. 25 Now do you -- in that process, when you were personally THE COURT: He recommended. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 427 1 MR. SEGAL: Oh, sure. 2 THE COURT: So -- 3 MR. SEGAL: I'll close it up. 4 Q. Were your recommendations followed? 5 A. Yes. 6 Q. Okay. 7 what were the retail prices that you saw? 8 9 And did you see, as part of your job, the prices -- MR. LEIDERMAN: I'm going to object to the retail prices if he doesn't know what Tribune Company paid. 10 THE COURT: Sustained. 11 BY MR. SEGAL: 12 Q. Do you know what Tribune Company paid? 13 A. I didn't see the itemized list of appropriation, no. 14 Q. Okay. 15 purchase, how much of an expenditure in your view was merited? 16 17 In your job in IT, when you recommended the MR. LEIDERMAN: I'm going to object, that calls for speculation. 18 THE COURT: Sustained. 19 MR. SEGAL: That's all, Your Honor. 20 THE COURT: All right. 21 MR. LEIDERMAN: 22 Thank you. Mr. Leiderman? Thank you, Your Honor. CROSS-EXAMINATION 23 BY MR. LEIDERMAN: 24 Q. 25 inside the Tribune Company content management system change the Can someone from inside the L.A. Times or can someone from KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 428 1 plates from a -- change the plates? 2 A. From the CMS system? 3 Q. From the CMS. 4 A. Not -- 5 MR. SEGAL: Vague as to time, Your Honor. 6 THE COURT: Hold on one second. 7 Clarify the time frame. 8 MR. LEIDERMAN: 9 THE COURT: Well, how about ever from the CMS. All right. 10 BY MR. LEIDERMAN: 11 Q. 12 them as plates -- the plates from which the L.A. Times print 13 edition is published? 14 A. 15 understand the question. 16 Q. From the -- from the CMS system. 17 A. If you're on the CMS system and have access to the plates, 18 you can change it. 19 Q. 20 plates? 21 A. 22 from the physical servers. 23 Q. Okay. 24 A. To the servers or -- 25 Q. To -- these are the L.A. Times physical servers? Could someone ever from that CMS change -- you referred to From the actual system itself or from outside? Okay. I don't What part of the CMS system had access to the The physical servers. You can actually log into the plates Who had access to that? KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 429 1 A. Yes. 2 Q. So you'd have to have an L.A. Times user and pass to get 3 into those? 4 A. Yes, sir. 5 Q. And those are specific L.A. Times users and passes? 6 A. Yes. 7 Q. Couldn't be just a general Trib Co user and pass? 8 A. I'm not sure if Trib Co had access to those systems. 9 Q. Do you believe they did have access to those systems in 10 December of 2010? 11 A. 12 time. 13 Q. 14 television affiliate, change the plates from the L.A. Times if 15 they just had regular access to the CMS? 16 A. 17 had access to the CMS systems or from Fox 40, you had a user ID 18 and password that can get into the system with the plates, yes, 19 you can. 20 Q. 21 the plates? Because that's not what I understood you to say 22 previously. You said they had to have access to the L.A. Times 23 server. 24 A. 25 types of access. I'm not sure if Trib Co had access to the plates at that Could any user, for example someone sitting at Fox 40, a The CMS doesn't have direct access. The system -- if you So anyone in Tribune with access to the CMS can get into Because when you say access to the CMS, there's different It would be like if I had access to my e-mail KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 430 1 system from here, if I could access e-mail. 2 than me having system access to the e-mail, a user ID and 3 password that can actually log into the system. 4 different things. 5 Q. 6 That's different Those are two Right. That's special access, correct? 7 A. Yes. 8 Q. That's where I was trying to go. 9 MR. LEIDERMAN: 10 THE COURT: 11 MR. LEIDERMAN: 12 THE COURT: 13 Thank you. Are you done? I'm done. All right. Mr. Segal, any redirect? REDIRECT EXAMINATION 14 BY MR. SEGAL: 15 Q. 16 did you know about the level of access that the hackers had 17 acquired? 18 A. 19 different systems, and that's when we found the access from 20 that garnished credential. 21 a credential on one system, they could have garnished a 22 credential on any other system that that system had access to 23 or that credential had access to. 24 Q. And that's why you checked those other systems? 25 A. Yes, sir. When you came on -- when you began your assessment, what Initially I didn't assume anything. We started looking at So basically if they had garnished KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 431 1 MR. SEGAL: Thank you. 2 THE COURT: Anything further, Mr. Leiderman? 3 MR. LEIDERMAN: 4 THE COURT: Is this witness excused, Mr. Segal? 5 MR. SEGAL: Yes, Your Honor. 6 THE COURT: Mr. Leiderman? 7 MR. LEIDERMAN: 8 THE COURT: 9 No, nothing further. Yes. All right. You may step down, sir. excused. 10 THE WITNESS: 11 THE COURT: 12 If you want to stretch, you may. 13 Thank you. All right. Next witness. Who's your next witness? 14 MR. HEMESATH: 15 THE COURT: 16 You're The government calls Samantha Cohen. All right. Do you believe she'll take the rest of today? 17 MR. SEGAL: That's our plan. 18 THE COURT: But you have someone else lined up if we 19 have additional time? 20 MR. SEGAL: Yes. 21 THE COURT: All right. 22 MR. LEIDERMAN: 23 THE CLERK: 24 your photograph. 25 the wall facing me. Very good. Innocent questions. Ask the questions slowly, right? Ma'am, please come forward. I need to take If you can stand here with your back against Thank you. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 432 1 2 Thank you. remain standing, and raise your right hand. 3 SAM COHEN, GOVERNMENT'S WITNESS, SWORN 4 THE WITNESS: 5 THE CLERK: 6 Step into the witness stand behind you, I do. Thank you. You may be seated. Will you please say and spell your first and last name for the record. 7 THE WITNESS: 8 THE COURT: 9 My name is Sam Cohen, C-O-H-E-N. You may proceed. DIRECT EXAMINATION 10 BY MR. HEMESATH: 11 Q. Good afternoon. 12 A. Thank you. 13 Q. Ms. Cohen, have you ever gone by another name? 14 A. Yes. 15 Q. Scholbrock. 16 My maiden name is Sam Scholbrock. What is your profession? 17 A. 18 media at ABC 10. 19 Q. 20 Right now I'm the executive producer of digital and social So I'm a journalist who works online. A journalist that works online. How long have you been in that position at that station? 21 A. Since March, so about seven months. 22 Q. So that's where you currently work. 23 in the past? 24 A. Before that, I worked at Fox 40 here in Sacramento. 25 Q. Fox 40, the television station? Where have you worked KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 433 1 A. Yes. 2 Q. When did you start with Fox 40? 3 A. Ah, I started working for Fox 40 in August of 2009. 4 Q. Do you recall what your title was at that point in August 5 of 2009? 6 A. 7 time. 8 Q. Was that always your title while you were at Fox 40? 9 A. No. I was a senior producer for their morning show at that In 2010, I became the executive producer of digital 10 content. 11 Q. What about before you worked at Fox 40, what did you do? 12 A. Before Fox 40, I worked at a TV station in Salt Lake City, 13 Utah. 14 Q. What were you doing for them? 15 A. I produced newscasts. 16 Q. And before that? 17 A. Before that, I worked for a TV station in Milwaukee, 18 Wisconsin, producing newscasts. 19 Q. Okay. 20 A. Before that, I was in college. 21 Q. In college. 22 Before that? And where did you go college? 23 A. I went to college at Northwestern University in Chicago. 24 Q. And what was your major there? 25 A. Broadcast journalism. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 434 1 Q. What year did you graduate? 2 A. 2004. 3 Q. Thank you. 4 So while you were at Fox 40, what was your name? 5 A. 6 originally hired, my name was Sam Scholbrock. 7 married, my legal name changed to Sam Cohen. 8 9 My name changed while I was at Fox 40. When I was And when I got With the Tribune system, they didn't allow you to change your log-in once you were in the system, so many of my 10 company -- the log-in for my computer -- the log-in for all of 11 the company systems remained S. Scholbrock even though legally 12 my name had changed. 13 Q. 14 period of time at Fox 40? 15 A. My whole time at Fox 40 my log-in was S. Scholbrock. 16 Q. S. Scholbrock. 17 So do you remember what your log-in was during that initial Did that ever change at any point, a variation on S. 18 Scholbrock? 19 A. 20 was S. Scholbrock 2. 21 Q. 22 At one point in time I had a new log-in created for me that Now speaking of log-ins -- well, a little foundation. Do you know someone by the name of Matthew Keys? 23 A. I do. 24 Q. Do you see him sitting in this courtroom here today? 25 A. I do. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 435 1 Q. 2 wearing that would distinguish him in the courtroom? 3 A. He's wearing a black suit coat and glasses. 4 Q. Okay. 5 6 Could you describe some article of his clothing that he's MR. HEMESATH: Your Honor, may the record reflect Ms. Cohen is identifying Matthew Keys? 7 THE COURT: Who's on this witness? 8 MR. JAFFE: No objection, Your Honor. 9 THE COURT: All right. 10 BY MR. HEMESATH: 11 Q. 12 The record shall so reflect. So you knew Matthew Keys. Did you happen to know what his log-in was? 13 A. 14 remember. 15 Q. 16 you say you started at Fox 40? 17 A. 2009. 18 Q. 2009. 19 I wouldn't be able to -- I don't. Sorry. I don't So when you started in two thousand -- I'm sorry. When did You said you were senior producer. What were the circumstances of your title changing from 20 senior producer to did you say director of social media? 21 A. Executive producer. 22 Q. Executive producer of social media. 23 A. When I was senior producer in the summer of 2010, the 24 executive producer of the morning show left, she got another 25 job. I was considering that position, and in conversations KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 436 1 with Brandon Mercer, who was my boss at the time, we talked 2 about an opportunity of me becoming executive producer of the 3 digital side of things where I would be working with Matthew 4 Keys. 5 We had had one, maybe two conversations about this. At one 6 point in time, Brandon Mercer approached me and asked if I 7 would make that change immediately, so I switched in October of 8 2010. 9 Q. 10 October of 2010. So previous to that moment in time, had you worked with 11 Matthew Keys? 12 A. 13 on the morning show, and I would occasionally write stories and 14 post them to our website. 15 Q. 16 would you characterize your working relationship with Matthew 17 Keys? 18 A. 19 of work, we didn't keep in touch, but at work we were friendly. 20 Q. 21 occasionally? 22 A. 23 morning, and Matthew came in in the late morning or afternoons. 24 Q. 25 at computers? I worked with him. I contributed to the website. I worked During that period of time preceding your new title, how I considered it friendly. We weren't -- socially outside Would you describe your contact as daily, weekly, Daily. Our shifts overlapped. I came in in the early Did you have occasion to notice whether or not he was good KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 437 1 A. I considered him to be good at computers. 2 Q. So you knew -- 3 MR. JAFFE: Objection, speculation. 4 THE COURT: Sustained. 5 MR. JAFFE: Move to strike. 6 THE COURT: The jury shall disregard that answer. 7 can ask a more focused question, if you're able. 8 BY MR. HEMESATH: 9 Q. You What in particular did you observe with regard to Matthew 10 Keys and computers? 11 A. I knew he knew our CMS platform, the P2P, really well. 12 MR. JAFFE: Objection, no foundation. 13 THE COURT: I'd sustain that. 14 MR. JAFFE: Lack of personal knowledge. 15 THE COURT: Again, the jury shall disregard. If you 16 want to lay a foundation, you may. 17 BY MR. HEMESATH: 18 Q. 19 observe his familiarity with computers? 20 A. Yes. 21 Q. And what did you observe with regard to Matthew Keys and 22 computers in particular with regard to the CMS system? 23 In your work with Matthew Keys, did you have occasion to THE COURT: 24 foundation. 25 BY MR. HEMESATH: Well, that's where you need to lay some KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 438 1 Q. Did you see Matthew Keys access the CMS system? 2 A. Yes. 3 Q. Under what circumstances were those? 4 A. It was his job. 5 Q. Were you looking over his shoulder? 6 Was he helping you? 7 A. 8 to be posting content through the system. 9 program he used every day when he came in. Ah, both. Were you helping him? He trained me on the system, and it was his job So that's the 10 Q. So in that context, were you able to observe his facility 11 or not with that system? 12 A. Yes. 13 Q. So can you think of any examples of his expertise with that 14 system? 15 MR. JAFFE: Objection. 16 THE COURT: Just yes or no. 17 THE WITNESS: 18 BY MR. HEMESATH: 19 Q. 20 Yes. Could you now tell us about those examples. THE COURT: Well, that calls for a narrative. 21 BY MR. HEMESATH: 22 Q. 23 have allowed you to observe his expertise? 24 A. 25 Specifically what would Matthew Keys be doing that would He was the -MR. JAFFE: Objection. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 439 1 THE COURT: What's the objection? 2 MR. JAFFE: Calls for a narrative. 3 THE COURT: Well, can you focus this a bit? 4 MR. HEMESATH: 5 I think she's about to narrow it. asked her specifically examples of what she's talking about. 6 THE COURT: How many examples -- 7 MR. JAFFE: Your Honor, that's a narrative. 8 The question assumes expertise that's not in evidence. 9 MR. HEMESATH: I'm certainly not asking for expertise. 10 MR. JAFFE: That was the question, Your Honor. 11 THE COURT: This is a lay witness. 13 MR. JAFFE: Examples -- 14 THE COURT: Just pose a new question. 12 I've This is not an expert. 15 BY MR. HEMESATH: 16 Q. Have you ever obtained help with CMS from anyone at Fox 40? 17 A. Yes. 18 Q. Was one of those people ever Matthew Keys? 19 A. Yes. 20 Q. Can you tell me about that instance of getting help from 21 Matthew Keys? 22 A. 23 administrator, so he would assist with passwords and log-in 24 issues. 25 He trained me on the CMS system. He also was our station's He trained new employees when they started. THE COURT: All right. Next question. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 440 1 BY MR. HEMESATH: 2 Q. Is Matthew Keys working at Fox 40 today? 3 A. He is not. 4 Q. All right. Do you know why he's not working at Fox 40? 5 THE COURT: 6 THE WITNESS: Just yes or no. Yes. 7 BY MR. HEMESATH: 8 Q. 9 working at Fox 40 any more? 10 A. What did you observe directly with regard to his not I observed the day before -- 11 MR. JAFFE: Objection, calls for a narrative. 12 THE COURT: Overruled. 13 THE WITNESS: I observed the day before he stopped 14 showing up to work that he got into a verbal argument with our 15 current news director, Brandon Mercer. 16 BY MR. HEMESATH: 17 Q. Did you overhear that conversation? 18 A. I did. 19 windows with the newsroom at the time. 20 Q. Was it a loud conversation? 21 A. It was. 22 Q. What happened with regard to your position immediately 23 following that argument? I was sitting in a control room that had glass 24 MR. JAFFE: Objection, assumes facts not in evidence. 25 THE COURT: Sustained. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 441 1 BY MR. HEMESATH: 2 Q. 3 December of 2010? 4 A. Not in December. 5 Q. Oh, you know what -- I'm sorry -- in October of 2010. 6 A. Yes. 7 Q. Did your position change? 8 A. Yes. 9 Q. Was it before or after this altercation that you witnessed Did anything happen with regard to your position in 10 with Matthew Keys? 11 A. Immediately after. 12 Q. So what were the circumstance of your change in position 13 immediately after that altercation? 14 A. 15 up to me and told me that my switch to dealing and managing our 16 digital properties was immediate. 17 Q. Did you consider that a replacement of Matthew Keys? 18 A. No. 19 about the position, it would have been managing Matthew and 20 managing the web team. 21 Q. Did Matthew Keys ever come back to work after that? 22 A. He did not. 23 Q. Do you recall what you did with regard to your position or 24 rather -- let me ask it more directly. 25 Immediately after that altercation, my news director came In the context that I had talked to Brandon Mercer As of that moment, what did you do? What were your job KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 442 1 duties? 2 THE COURT: 3 MR. HEMESATH: 4 Which moment? The moment that you were appointed with this new title in October of 2010. 5 THE WITNESS: I would manage the website and the 6 station's social media accounts. 7 BY MR. HEMESATH: 8 Q. Is that something that Matthew Keys had done before? 9 A. Yes. 10 Q. Were you able immediately to manage -- did the station have 11 Facebook and Twitter accounts? 12 A. Yes, they did. 13 Q. Were you able to immediately manage those accounts? 14 MR. JAFFE: Objection as to relevance. 15 THE COURT: Overruled. 16 THE WITNESS: No. There was an issue immediately 17 following the altercation at work and Matthew's departure that 18 stopped us from managing the social media -- 19 MR. JAFFE: That was a yes or no question. 20 THE COURT: I'll leave the answer, but -- 21 MR. HEMESATH: I'll just restate the question. 22 Q. Why weren't you able to manage those accounts immediately? 23 A. We were not able -- we did not have admin access to the 24 station's Facebook or Twitter accounts. 25 Friday morning, we couldn't log in, we couldn't manage those When we came into work KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 443 1 accounts. 2 Q. So were the passwords working? 3 A. They were not. 4 5 MR. HEMESATH: If you could turn in your binder in front of you to Exhibit 112. 6 I'm sorry. It's a tab. Is that the right binder? I think 7 that's -- you might want to put that binder behind you. 8 the binder that says government. 9 THE WITNESS: 10 MR. HEMESATH: It's Okay. And if you wouldn't mind taking a look 11 at page 6 of that and reviewing the document from that page in 12 reverse order. 13 THE WITNESS: Okay. 14 BY MR. HEMESATH: 15 Q. Do you recognize this document? 16 A. Yes. 17 Q. What is this document? 18 A. It's an e-mail thread between myself and somebody with 19 support in Chicago. 20 Q. And how do you recognize the document? 21 A. I recognize that that was my signature on my e-mail thread. 22 Ah, the gentleman I was sending the e-mails to, I remember 23 having this conversation with him. 24 Q. 25 Okay. MR. HEMESATH: Your Honor, at this time the government KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 444 1 moves 112 into evidence. 2 THE COURT: That's six pages? 3 MR. HEMESATH: 4 MR. JAFFE: Yes. To the extent that the government is 5 introducing this for any truth of any of the statements, the 6 defense objects on hearsay grounds. 7 THE COURT: 8 MR. HEMESATH: 9 Response? this for truth. 10 THE COURT: 11 MR. HEMESATH: 12 MR. JAFFE: 13 Except with regard to Ms. Scholbrock. Including statements contained by the MR. HEMESATH: I'll retract that. She can testify as -- 16 17 All right. witness. 14 15 The government does not intend to offer THE COURT: Elicit some more testimony before you attempt to offer it. 18 You may elicit more testimony. MR. HEMESATH: Okay. 19 Q. So turning to the last page. 20 A. Okay. 21 Q. On December 6th, do you recall having trouble with your 22 password on December 6th? 23 MR. JAFFE: Objection as to relevance. 24 THE COURT: Overruled. 25 THE WITNESS: Yes. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 445 1 BY MR. HEMESATH: 2 Q. What was your password trouble? 3 A. I could not log into our CMS system. 4 Q. Why would that be important to you? 5 A. That's how I did my job. 6 Q. You had to have CMS to do your job? 7 A. I had to be able to log in to the CMS to do my job. 8 Q. Could you explain why that would be the case. 9 A. Ah, I managed the website, so in order to post a story on 10 our website, in order to move stories around on the website, I 11 had to be able to log in to our CMS. 12 Q. 13 password? 14 A. 15 corporate support. 16 Q. 17 e-mailed by the name of Ryan Pollyea? 18 A. Yes. 19 Q. And did he respond? 20 A. He did. 21 Q. What did he tell you? 22 A. He -- we went through a pattern of resetting my password. So what did you do as a result of that problem with your When I had issues with my password, I e-mailed our Okay. And was someone at corporate support that you 23 MR. JAFFE: Objection, calls for hearsay. 24 THE COURT: Sustained. 25 MR. JAFFE: Move to strike. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 446 1 THE COURT: Well, there wasn't much of an answer out, 2 so no need. 3 BY MR. HEMESATH: 4 Q. 5 40, did you send e-mail? 6 A. Yes. 7 Q. And did you receive e-mail? 8 A. Yes. 9 Q. And did you use e-mail to get your job done? 10 A. Yes. 11 Q. And to your knowledge, were these e-mails automatically 12 stored in Outlook in the course of your communication? 13 A. Yes. 14 Q. And did that happen at the time that it occurred? 15 A. Yes. 16 Ms. Cohen, as part of your day-to-day business there at Fox MR. HEMESATH: Your Honor, at this time the government 17 moves this into evidence, and specifically under the business 18 record exception to the hearsay rule. 19 MR. JAFFE: The objection remains. 20 inadmissible hearsay. 21 Your Honor. 22 23 24 25 THE COURT: This is It does not fit into that exception, Any reason to distrust the representation that these are copies of e-mails? MR. JAFFE: They're not regularly within the course of business as required for that exception. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 447 1 2 THE COURT: Well, the objection is overruled up to -- as to the December 2010 e-mails? 3 MR. HEMESATH: 4 THE COURT: 5 6 7 8 9 10 Correct, Your Honor. So essentially pages 2 through 6, the bottom of page 1, if you redact before any publication. MR. HEMESATH: I could take a moment to redact that, Your Honor, if -THE COURT: Or you can work with whatever else -- the other pages for now. MR. HEMESATH: Well, let me ask the defense, would they 11 prefer redaction or an admonition to the jury to not consider 12 that top part? 13 MR. JAFFE: 14 MR. HEMESATH: 15 MR. JAFFE: 16 17 The top part of page 1? Yes. The direction, the direction is acceptable to redact. THE COURT: All right. Then 112 is admitted, the 18 bottom of page 1 through page 6. To the extent the government 19 displays the first page with some e-mails at the top, I would 20 just instruct the government not to enlarge those -- 21 MR. HEMESATH: Yes. 22 THE COURT: 23 And the jury shall disregard them if it can read them. -- at this point. 24 (GOVERNMENT'S EXHIBIT 112, e-mail series, ADMITTED 25 INTO EVIDENCE.) KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 448 1 MR. HEMESATH: May I have Exhibit 112, page 6. 2 Q. So this is the e-mail that you sent to someone at IT 3 indicating your password wasn't working? 4 A. Correct. 5 Q. Did this strike you as unusual at that time? 6 A. It did. 7 Q. Why was it unusual? 8 A. I didn't understand why my password wasn't working, 9 especially since it had recently worked for me after resetting 10 it earlier. 11 Q. 12 Okay. Let's look at the whole page again. And you said that Ryan Pollyea was someone you communicated 13 with? 14 A. Yes. 15 Q. And did he assign you a new password? 16 A. Yes, he did. 17 Q. And he tested it? 18 A. Yes, he did. 19 MR. HEMESATH: 20 over to the next page. 21 Oh, I'm sorry. Okay. Could we have page 5. It runs Let's go back to page 6. 22 Q. So do you recall sending this e-mail? 23 A. Yes. 24 Q. And what were you attempting to communicate with that 25 e-mail? KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 449 1 A. I was frustrated that initially the new password he sent me 2 appeared to work. 3 when I was in the middle of trying to do something, so I was 4 frustrated. 5 Q. What did you mean when you said that you lied? 6 A. I initially sent him an e-mail saying thanks, and then I 7 logged in with the initial -- the password he had sent me 8 initially. 9 that said thanks, I'm sure something to the effect of thank you Unfortunately it suddenly stopped working Ah, I reached out to Ryan to see if he would help. It appeared to work, and I had sent him an e-mail 10 for your help, it's working. 11 I sent him another e-mail. 12 Q. 13 I see. Okay. But I lied about it working, and Now let's look at page 5. So did Ryan respond to you? 14 A. He did. 15 Q. What did he say? 16 A. He reset the password. 17 realized that I was having this issue, and it was not a 18 widespread issue within the Tribune system at that time. 19 Q. 20 At this point I think he and I both I see. And when he says Assembler or P2P, what does that -- what 21 did that mean to you? 22 A. 23 older version of it we still had access to. 24 platform we were using. 25 Q. Assembler and P2P were our CMS systems. I see. Okay. Assembler was an P2P is the So let's clear that. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 450 1 And then you responded to Ryan with -- let's go right 2 there. 3 Ryan? 4 A. 5 His question about are you resetting it in Assembler or P2P, I 6 was clarifying that I reset it in P2P. 7 to the tab user management, I searched for my name, and then 8 there is a button you would push to reset the password. 9 10 And here what are you attempting to communicate to He wanted to double-check how I was resetting my password. And I told him I went Umm, I -- at this point in the day, I remember feeling frustrated that I couldn't get my job done. 11 MR. JAFFE: Strike as nonresponsive. 12 THE COURT: Sustained. 13 The jury shall disregard the answer from the start of the last sentence forward. 14 Next question. 15 BY MR. HEMESATH: 16 Q. At this point in the day, could you get your job done? 17 A. I could not. 18 Q. And how did that make you feel? 19 A. Frustrated. 20 Q. So could we look at the next chunk above here. 21 So was Ryan Pollyea able to help you out in his next 22 response? 23 A. 24 was having somebody take a look at it. 25 necessarily say it was helpful. Basically his next response was just assuring me that he I don't know if I would It was just letting me know KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 451 1 they were having someone look at it. 2 Q. 3 Okay. Let's go to page 4. So then what happened? 4 A. The password that he had sent me a day or two before 5 stopped working. 6 Q. 7 indicated by TXOW 8439? 8 A. Correct. 9 Q. And so when that happened to you, what were you doing? This is the new one that he sent you in the previous e-mail 10 Does that e-mail indicate? 11 A. 12 used the same credentials, it was related to our CMS, and I was 13 logged in at the time. 14 Q. What is TIVID? 15 A. TIVID is a -- it was where we managed our videos within 16 the -- it was a program that helped us manage the videos that 17 went on our website. 18 Q. 19 I'm going to re-log-in under Scholbrock 2. 20 what you mean Scholbrock 2, S. Scholbrock 2? 21 A. 22 that the initial user password that he had sent me with ABCD, 23 when that wasn't working, he had assigned me to a different 24 log-in. 25 my first log-in, so he set up a second one, S. Scholbrock 2. I was logged into P2P, our CMS system at the time. Okay. TIVID So now you appear to say, to get work done today, Can you tell me When I was having issues with my password, when we noticed He thought maybe there might be something wrong with KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 452 1 Q. Do you recall whether you were changing your own passwords 2 from some external IP address at this time? 3 A. I would have been changing them at work. 4 Q. At work only? 5 A. Uh-huh. 6 MR. HEMESATH: Could we go to the next page. 7 just a little bit more to this e-mail. 8 Okay. 9 Q. Page 5. And then there was a little more. You reported some other incident having to do with P2P; is 10 that correct? 11 A. Yes. 12 Q. All right. 13 I'm sorry. There's Page 4, please. So what did Ryan do in response to that? 14 A. 15 he was also with corporate IT, and I had reached out on a 16 separate issue of headlines disappearing to the main corporate 17 help e-mail. 18 was making sure that Ryan knew Marquez was also looking into 19 issues. 20 He just reassured me that they were looking into it. Marquez was the one who responded back, and so I And then he was just reassuring me to use the alternate S. 21 Scholbrock 2 account, and he would follow up with me if he 22 found anything. 23 Q. 24 25 Ah, Okay. Let's take a look at the next chunk above. So you had more e-mail correspondence with Ryan Pollyea. What was the next bit of correspondence about? KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 453 1 A. 2 Scholbrock 2 was now coming up as authentication failed with 3 invalid user-password combination. 4 secondary account. 5 account. 6 Q. 7 I was having more issues. The secondary account, S. I couldn't log in with my I still couldn't log in with my primary And let's take a look at the previous page or 003. That happened on December 8th at about -- do you recall it 8 being about 11:40 a.m. in the morning? 9 A. Yeah. 10 Q. It was a long time ago. 11 A. I was going to say I'm sure it was in the morning. 12 Q. Once again, were you able to get your work done while this 13 was going on? 14 A. No. 15 Q. What was Ryan Pollyea's response to you now? 16 MR. JAFFE: Your Honor, move to strike the portions 17 from Ryan Pollyea to the extent that the government relies on 18 this hearsay exception. 19 20 THE COURT: I'd sustain that. MR. HEMESATH: So are you objecting to what's on the screen right now? 23 MR. JAFFE: 24 MR. HEMESATH: 25 I think as to this witness, it's present sense impression. 21 22 There's been no foundation for it. Q. That's correct. Okay. So do you recall getting a new password for Scholbrock 2? KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 454 1 A. Yes. 2 Q. And did that work for a while? 3 A. For a while. 4 Q. And what did you think that your problem might be? 5 A. I honestly didn't know what the problem was. 6 Q. Did you think it might be your fault? 7 A. Initially I thought it was my fault, but I didn't -- I just 8 didn't have an understanding of what was happening. 9 know. 10 Q. 11 I didn't Take a look at page 2. So with regard to an e-mail that you sent on December 14th, 12 what happened there? 13 A. 14 working again. 15 Q. Were you able to do your work? 16 A. No. 17 Q. Okay. 18 My passwords for S. Scholbrock and S. Scholbrock 2 were not Let's do this here. Did you send any more to Ryan Pollyea? 19 A. Yes. 20 Q. What was that? 21 A. I wanted to let him know that at the same time this was 22 happening, there were other things going on in our station, and 23 they were e-mails being sent to some viewers of our station 24 that seemed to be, umm, threatening or harassing at the same 25 time that I had these password problems. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 455 1 2 Some of my co-workers knew that I was having these password problems. 3 MR. JAFFE: Objection, move to strike. 4 THE COURT: Overruled. 5 MR. HEMESATH: 6 THE WITNESS: Go ahead. They knew I was having these passwords 7 problems because I couldn't get my work done, and they -- as I 8 say in the e-mail there, they're a little bit more conspiracy 9 theory-ish, and they started to combine the harassing e-mails 10 issue with my log-in issues. 11 MR. JAFFE: Move to strike. 12 THE COURT: Overruled. 13 Are we trying to get this witness done today? 14 know if it's possible at this point. 15 16 MR. HEMESATH: I'm just -- It depends on cross. I think I need another seven minutes. 17 THE COURT: 18 MR. HEMESATH: 19 THE COURT: All right. Actually I should say 14, I guess. Why don't you aim for 5:00 in case there is 20 a chance -- well, if there is a chance of concluding 21 reasonably -- 22 MR. HEMESATH: 23 THE COURT: 24 MR. HEMESATH: 25 I don't Q. Yes. -- with this witness today. Okay. What did super user access mean to you? KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 456 1 A. If you were a super user, you had the ability to manipulate 2 or touch more content on the CMS system Tribune wide, ah, touch 3 the content or some of the users, see different users. 4 a higher level being able to -- to be able to touch some of the 5 content in the CMS. 6 Q. Do you -- 7 8 It was MR. HEMESATH: I'm going to consult with defense counsel. 9 (Counsel conferring.) 10 MR. HEMESATH: 11 THE WITNESS: Could you look at Exhibit 505. Okay. 12 BY MR. HEMESATH: 13 Q. Do you recognize those lines? 14 A. I do. 15 Q. How do you recognize them? 16 A. When you logged into our CMS, that's how you would access 17 different levels, different places within the CMS. 18 19 MR. HEMESATH: THE COURT: 21 MR. HEMESATH: 22 THE COURT: 24 25 So at this time, I would just like to mark that for identification and note her response. 20 23 Okay. It's identified as 505. 505, yes. All right. I think the record makes that clear. MR. HEMESATH: Uh-huh. So let's get into the e-mails that you were just talking about with regard to the other KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 457 1 things that you were mentioning that was going on in the 2 newsroom. 3 Q. What was going on in the newsroom at about that time? 4 A. In December 2010, we as a station, Fox 40, were running a 5 contest through our Facebook page. 6 signed up to our system, and they could be entered to win an 7 iPad. People signed up to our -- 8 After some time of running the contest, in early December 9 some people who had signed up for the contest started getting 10 e-mails. 11 12 Ah -MR. JAFFE: Objection, this evidence is irrelevant, Your Honor. 13 THE COURT: 14 MR. HEMESATH: 15 Sustained. Your Honor, is this the Cancer Man objection? 16 MR. JAFFE: Yes. 17 THE COURT: It's also -- let's ask some focused 18 questions to structure this. 19 BY MR. HEMESATH: 20 Q. 21 to viewers? 22 A. What were those e-mails about, do you recall, the e-mails The e-mails -- 23 MR. JAFFE: Objection, there's been no foundation laid 24 for this line of testimony. 25 THE COURT: It's a yes or no initially. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 458 1 THE WITNESS: Can you ask the question again? 2 MR. HEMESATH: Yes. 3 Q. Do you recall that there were a series of e-mails that were 4 from a moniker Cancer Man? 5 A. Yes. 6 7 MR. JAFFE: personal knowledge of the witness. 8 9 Objection, no foundation laid for the THE COURT: Overruled. BY MR. HEMESATH: 10 Q. Do you recall those e-mails? 11 A. Yes. 12 Q. Do you recall similar e-mails around the same time that 13 were purportedly sent to viewers from a moniker Fox Mulder? 14 A. Yes. 15 Q. Same question, Walter Skinner? 16 A. Yes. 17 Q. Okay. 18 sent to viewers? So what was your reaction to those e-mails being 19 MR. JAFFE: Objection, no personal knowledge. 20 THE COURT: You can lay a further foundation. 21 BY MR. HEMESATH: 22 Q. What did you know about those e-mails? 23 A. I was contacted by people who had gotten the e-mails. 24 forwarded them to me. 25 Q. They And so what was your reaction to the fact that people were KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 459 1 forwarding e-mails -- 2 MR. JAFFE: Objection, not relevant. 3 THE COURT: Sustained. 4 BY MR. HEMESATH: 5 Q. 6 to viewers? What was the content of those e-mails that were being sent 7 MR. JAFFE: Objection. 8 THE COURT: Overruled. 9 You may describe generally if you're able. 10 THE WITNESS: The e-mails harassed the person about the 11 contest being fake and about the reputation of Fox 40. 12 BY MR. HEMESATH: 13 Q. Did you know who was sending those e-mails at that time? 14 A. I did not. 15 Q. Did the fact -- okay. 16 You've stated previously you have knowledge of CMS and how 17 to access content on the CMS? 18 A. Yes. 19 Q. Are you aware of whether or not e-mail lists are available 20 for downloading on the CMS? 21 A. 22 I never had a reason to. 23 Q. 24 do you know whether e-mail lists are available on the CMS? 25 I am not aware how to download an e-mail list from the CMS. So the question is not whether or not you know how to, but MR. JAFFE: Asked and answered. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 460 1 THE COURT: Sustained. 2 BY MR. HEMESATH: 3 Q. 4 knowledge downloaded e-mail lists from the CMS? To your knowledge, has anyone else based on your personal 5 MR. JAFFE: Objection as to relevance. 6 THE COURT: Answer yes or no. 7 THE WITNESS: 8 BY MR. HEMESATH: 9 Q. No. Are you -- with regard to what you testified earlier to 10 with regard to the contest, are you aware of an e-mail list 11 having been generated as a result of that contest consisting of 12 customer e-mails? 13 A. We could access their e-mails. 14 MR. JAFFE: Nonresponsive. 15 MR. HEMESATH: 16 THE COURT: So let's start -- That answer is stricken. 17 BY MR. HEMESATH: 18 Q. Let's start with are you aware of that contest? 19 A. Yes. 20 Q. Were you able to access that e-mail list? 21 A. Yes. 22 Q. How were you able to access that e-mail list? 23 A. When I logged into the CMS, I could click on a tab for UGC, 24 user generated content, and search for a name of someone who 25 had registered or entered for the contest. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 461 1 Q. Okay. 2 MR. HEMESATH: 3 Just one moment, Your Honor. (Government counsel conferring.) 4 BY MR. HEMESATH: 5 Q. 6 gave, whether e-mail addresses that would have been generated 7 as a result of the contest, whether they would have existed on 8 the CMS? Do you recall, with regard to your testimony that you just 9 MR. JAFFE: Asked and answered. 10 THE COURT: Overruled. 11 THE WITNESS: Just answer yes or no. Yes. 12 BY MR. HEMESATH: 13 Q. 14 salary was during that period of time? 15 A. In December of 2010, I made $50,000. 16 Q. Do you recall how much of your work time it would have 17 consumed to -- in reaction to not having your password to the 18 CMS? Ms. Cohen, do you recall how much money -- how much your 19 MR. JAFFE: Objection as to relevance. 20 THE COURT: Overruled. 21 THE WITNESS: I would say about five working days. 22 BY MR. HEMESATH: 23 Q. 24 wouldn't have been able to do your job for five working days? 25 A. So could you elaborate on that a little bit why you So my job is to post content and rearrange the content on KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 462 1 our station's website. 2 can't do that. 3 And if I can't log into the system, I I also worked with the video that our station produced, and 4 if I couldn't log into the CMS, I couldn't touch that video. 5 couldn't -- I couldn't do my job. 6 Q. So what did you do instead? 7 A. I assisted some of the other writers in our newsroom. 8 worked with corporate on trying to reset my password. 9 also dealt with people who entered our contest and were I I Ah, I 10 contacting us about these e-mails they were receiving. So I 11 would e-mail them back or try to work with them and did 12 customer service. 13 Q. 14 perform that was part of your job or that was your job as a 15 result of not being able to access CMS in hours? 16 A. 17 resetting my password, and all I could do is just sit at my 18 desk and twiddle my thumbs. That's how I saw the e-mails. So how much working time would you say you were not able to Ah, sorry. A lot. There was -- I mean, it was a week of 19 MR. JAFFE: Nonresponsive. 20 THE COURT: Overruled. 21 THE WITNESS: 22 MR. HEMESATH: 23 Q. 24 workweek? 25 A. About 40 hours. About 40 hours? And that was your salary. Okay. You were assigned a 40-hour Yes. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 463 1 Q. Okay. 2 3 MR. HEMESATH: Could we -- and this will be the last for -- Exhibit 505. 4 THE WITNESS: Okay. 5 MR. HEMESATH: 6 MR. SEGAL: It's not in evidence. 7 THE COURT: It's not been admitted. 8 MR. HEMESATH: Could we have Exhibit 505? I'm sorry. We discussed this earlier. 9 Q. You said you recognized these lines; is that correct? 10 A. Yes. 11 Q. Okay. 12 A. Within the CMS, these are places that you could click on 13 to -- it was different abilities that you had, so things that 14 you were able to do. 15 these were credentials assigned to somebody. 16 Q. Did you use these URLs a lot? 17 A. I wouldn't necessarily use the URLs, but I knew they were 18 there. 19 20 And how do you recognize them? You could edit things, delete things. So I saw them a lot. MR. HEMESATH: Your Honor, at this time the government moves Exhibit 505 into evidence. 21 THE COURT: Any objection? 22 MR. JAFFE: Objection as to relevance and hearsay. 23 THE COURT: Well, I'm going to defer a decision 24 allowing further testimony to be elicited. But we have come to 25 1:30, and so we will continue with this witness tomorrow KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 464 1 morning. 2 your service. 3 this time. 4 So we'll adjourn for the day. Thank you so much for I know it's a long day even though we're done at So tomorrow our schedule will be the same, 8:30 to 5 1:30. Please remember all of my admonitions. Don't research 6 the case in any way. 7 dictionary online or otherwise. 8 the case. 9 consideration comes only once you have deliberated, discussed Don't look up definitions in any kind of Don't talk with anyone about Don't think about its ultimate conclusion. 10 the case with your fellow jurors. 11 contact you, please let me know in the morning. 12 13 Have a good afternoon. Your And if anyone attempts to We'll see you tomorrow morning. Thank you. 14 (Jury not present.) 15 THE COURT: 16 your seat at 8:30. 17 All right. 18 you're done with Ms. Cohen? You may step down. All right? If you can be back in Thank you. Who are your witnesses for tomorrow once 19 MR. HEMESATH: It will be very briefly -- 20 MR. LEIDERMAN: No one believes you at this point. 21 MR. HEMESATH: I know my credibility is shot, but I 22 will make my best efforts to make it short. 23 we have -- 24 25 MR. SEGAL: And then I believe We've got to do some thinking. We may cut some witnesses out depending on some of the things that KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 465 1 happened today. For this, I don't mind sending an e-mail to 2 the Court and to counsel both saying who our witnesses are 3 tomorrow, but we need to kind of circle around and see if we 4 can strip it down a little bit. 5 We're certainly calling Jason Jedlinski. We may be 6 calling Russ Schmidt, but all he did was image the seized 7 Macintosh computer. 8 That will be brief or stipulated. 9 thinking about whether we want to call Jerry Del Core and two That could be avoided by stipulation. And then we have to do some 10 people who received e-mails whose names I can't remember right 11 now. And then the last witness will be John Cauthen. 12 THE COURT: How long will Agent Cauthen take on direct? 13 MR. SEGAL: A long time, hours. 14 THE COURT: Well, how many? 15 MR. SILVER: 16 17 18 If it turns out -- the government still intends to seek to use snippets of the recorded conversation. (Government counsel conferring.) MR. SEGAL: We'll figure it out. So part of the answer 19 to that in part turns on the Court's determination of this 20 motion in limine regarding the completeness doctrine. 21 THE COURT: That was my next question. Can you provide 22 me at this point the revised power point and the complete set 23 of excerpts? 24 25 MR. SILVER: Mr. Ekeland and I are going to meet right now to discuss the latest version of the power point, and so we KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 466 1 should be able to provide that to the Court hopefully today. 2 MR. EKELAND: 3 THE COURT: 4 Later today. All right. You can e-mail that to Ms. Schultz. 5 And on the complete set of excerpts? 6 MR. HEMESATH: Your Honor, I think we've provided that. 7 And based on what has happened in the testimony, I believe we 8 seek to add one more excerpt. 9 10 11 12 13 THE COURT: So when can I get that? MR. HEMESATH: And so I think we can get it in the next hour or so. THE COURT: All right. So also e-mail that to Ms. Schultz and make certain the defense has it. 14 Those will all be used only with Agent Cauthen? 15 MR. SILVER: 16 THE COURT: 17 MR. SILVER: 18 THE COURT: That's correct, Your Honor. So Agent Cauthen may start tomorrow? Not impossible. All right. And then you do have the 19 original of the handwritten statement. 20 copy of that. 21 MR. SILVER: 22 THE COURT: 23 MR. HEMESATH: 24 THE COURT: 25 morning before we come in. I've never seen a good Yes. It's in the binders? Okay. Yes. Ms. Schultz can just show it to me tomorrow I just want a chance to eyeball it KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 467 1 before -- you've had a chance to inspect the original? 2 MR. EKELAND: 3 MR. HEMESATH: 4 can take a look at -- 5 6 MR. LEIDERMAN: We produced a copy of the original. I was able to see a copy. You We were able to read it. 7 8 I believe we've got them. MR. SEGAL: They have a legible copy, but the original is -- is it in the courtroom or is it -- 9 THE COURT: 10 All right. MR. LEIDERMAN: I just -- Your Honor, does the Court have the 11 complete copy of the transcript of Mr. Keys' testimony, the 86 12 pages that compliments the excerpts? 13 THE COURT: 14 MR. LEIDERMAN: 15 THE COURT: 16 I thought I had the complete -I thought so, too. -- the complete set, but with the excerpts identified within it. 17 So that -- but I haven't reviewed it because I'm 18 waiting to know the final set of excerpts the government plans 19 to -- 20 MR. HEMESATH: In addition, Your Honor, I believe that 21 we've also produced to the defense and to the Court a copy of 22 just the excerpts, but we want to add one more to that. 23 MR. EKELAND: Yeah, we received -- we haven't gotten 24 the one with the addition you're talking about, but we did 25 receive the excerpts. And then there's a complete -- KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 468 1 2 THE COURT: complete transcript with the excerpts clearly identified. 3 MR. SEGAL: 4 MR. EKELAND: 5 Got it. Okay. There was a complete copy of the transcript in the defense exhibit binder, too, Your Honor. 6 7 I only want -- at this point, I need the MR. SEGAL: No, but I understand what you need. You need -- 8 MR. LEIDERMAN: 9 MR. SEGAL: I understand what the Court needs. -- from us a document that has everything 10 with each snippet identified by government exhibit number what 11 that snippet is so that we can argue that that's complete and 12 not misrepresenting. 13 THE COURT: Right. So it sounds to me like we can 14 argue that on a break tomorrow before Agent Cauthen testifies. 15 I don't know when you want to use that with him, but we have to 16 argue it before you can use it, just so that's clear. 17 18 19 20 21 In terms of the government's estimate currently, we'll still wrap up by Monday at some point? MR. SEGAL: The way things are going, I think it's possible, yeah. THE COURT: And then does the defense know at this 22 point -- you aren't required to answer me. 23 you're going to put on evidence? 24 25 MR. LEIDERMAN: our case? Do you know if Well, if the people are just -- oh, in No, we're not. I thought -- I went to the KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 469 1 cross-examination. 2 THE COURT: 3 No. At this point, no case in defense planned? 4 MR. LEIDERMAN: 5 THE COURT: All right. 6 MR. SEGAL: Something to think about now that will 7 No. probably come up in the Cauthen testimony is -- sorry. 8 9 No, no case in chief. The defense has made exhibits out of these plea agreements and -- the plea agreement and an indictment of this 10 person whose Internet nickname comes up a little bit. 11 made a motion on this, and it's been represented that that 12 stuff is not going to be offered without first flagging it for 13 the Court because we have a lot of objections as reflected in 14 our motion in limine. 15 16 THE COURT: 19 20 Is there a current plan to offer those exhibits? 17 18 MR. EKELAND: Only if the government opens the door on it. THE COURT: Do you believe the government has opened the door at this point? 21 MR. LEIDERMAN: 22 THE COURT: 23 24 25 And we this point in time. MR. EKELAND: They don't sound like they're about to. All right. I don't think it's an issue at All right. We'll flag it for the Court, Your Honor, if we do. KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 470 1 THE COURT: All right. So we'll look for some e-mails 2 today of the final power point and the excerpts in context, and 3 then we'll see you at 8:30. 4 At some point tomorrow, I'll provide you with a working 5 set of proposed instructions and a verdict form, and then we'll 6 start working in earnest on those Monday during breaks and 7 perhaps after we take a short break at 1:30 on Monday. 8 they'll be ready hopefully by Tuesday on the assumption that 9 there's a pretty good chance this goes to the jury on Tuesday. So 10 All right? 11 MR. SEGAL: There's a good chance of that, yeah. 12 THE COURT: All right. 13 MR. EKELAND: 14 THE COURT: 15 MR. EKELAND: 16 MR. JAFFE: Thank you, Your Honor. 17 THE CLERK: Court is in recess. Anything else? No, Your Honor, nothing for the defense. All right. See you tomorrow morning. Thank you, Your Honor. 18 (Proceedings were adjourned at 1:37 p.m.) 19 ---o0o--- 20 21 22 23 24 25 KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347 1 2 I certify that the foregoing is a correct transcript from the record of proceedings in the above-entitled matter. 3 4 5 /s/ Kathy L. Swinhart KATHY L. SWINHART, CSR #10150 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 KATHY L. SWINHART, OFFICIAL COURT REPORTER, USDC -- (916) 446-1347