EXHIBIT A

Transcription

Case 1:14-cv-01375-LEK-RFT Document 86-3 Filed 09/24/15 Page 1 of 14
BT 09/26/12 11:25 AM
Supporting Deposition (CPL 100.20)
The People of the State of New York
-vs.
Location of Incident
State of New York Local Criminal Court
County of Albany
Town of Colonie
Location of Deposition
State of New York
County of Saratoga
Town of Clifton Park
residing at
voluntarily make the following written statement
to Investigator Rodger Kirsopp of the New York State Police:
I have previously provided a deposition on 04/18/12. I am an Information Technology
professional and I am self employed. I am doing business as Solsys, LLC. I provide IT
services for NXIVM and I have been providing these services for at least six and half
years. I am providing the following information to clarify the information that was
gathered by Steve Ose and myself during the course of our research of the database and
web server files and logs.
Files
APACHE
File Name: APACHE.xlsx
Description: This is an export of our Apache server log file filtered for
IP addresses associated with MJP login attempts. This is a
very standard, very widely used web server.
According to a Netcraft survey, Apache holds a 61.45%
market share of web servers on the internet
(http://news.netcraft.com/archives/2012/07/03/july-2012-web-server-survey.html).
DB
File Name: DB.xlsx
Description: This is an export from our own database table containing
data associated with login attempts to nxian.net. This is
data collected with a custom program.
Relevant General Contents
APACHE
Datetime - The date/time of the server clock at the time the request is received by the server
Request - the page/file/information requested by the client computer
IP address - The IP address to which the server sends the requested data (the IP address from which the request originated)
bytes sent - How much data (in bytes) were sent from the server to the client computer
user agent data* - Client information typically including data about the requesting computer's browser and operating system
* User agent data includes
Browser type and version making the request (ex: Firefox/6.0)
Operating system and version of computer making the request (ex: Intel Mac OS X 10.6 rv: 6.0)
DB
ID - database unique ID of record.
login name - username used in login attempt
id_pass - password used in login attempt
succ fail - result of login attempt
login_time - The date/time of the server clock at the time the request is received by the server (Apache server)
IP_address - The IP address to which the server sends the requested data (the IP address from which the request originated) (from the Apache server)
locator_city - the general location associated with the IP address acquired via publicly available ip locator tool
nxian number - ID number associated with the login username
General Summary
DB - Tells us login used, when, and what IP address that person is connecting with our
server from
APACHE - Tells us exactly what was accessed/downloaded by each IP address
Our Process
The following describes how we determined that private, confidential data from our
system was transferred from our server to the computers of individuals who did not have
permission to access or acquire that data.
1. I was advised by Clare Bronfman that a current NXIVM client list was posted on a
blog site. The list appeared to be a mirror image of information accessible only
through the NXIVM website by members of NXIVM. Since each member is
assigned individual usernames and passwords, I ran a list of all members who
accessed the website around the time of the blog post. With the assistance of
Clare Bronfman and Steve Ose, we were looking for any unusual activity of a
particular member.
2. By checking the log in attempts using (DB), we noticed that Mary Jane Pino (MJP)
had an unusual amount of logins in between 2010 and 2011.
3. Clare and I suspected that the MJP login (mary jane) was being used by someone
other than Mary Jane Pino to access our system with the intent to steal
information.
a. Clare determined that the actual person associated with the username
(Mary Jane Pino) was an active member in good standing (therefore
allowing her to have continued access to the website) but that she had
not been participating or using her membership. Clare also inquired with
people who knew her when she was active, and we found that there
were no indications that she intended to become active again.
4. I then conducted a search through public information to determine the physical
location of the IP addresses recorded in DB. The MJP logins traced back to a
number of geographically distant locations, including at least one instance where
the login was used at the same time period in two geographically distant
locations.
5. To determine what data was downloaded using the MJP login credentials, I used
the following process:
a. Searched for all MJP login attempts in DB - specifically pulling date-time
of login attempt and IP address associated with login attempt
b. Search APACHE logs for all entries that have IP addresses used by MJP.
i. The IP address recorded in DB were pulled directly from the
APACHE server.
c. In resulting data from APACHE, match date / time from each DB record
with date/ time of APACHE log record.
i. The date/time recorded in DB and APACHE are from the same
source - the hardware server clock. Both DB and APACHE exist
on the same hardware server, so both share the same clock.
d. Filtered out records that were from locations associated with Nxivm and
IP addresses that didn't have any relevant data transfers associated with
them.
i. 24.97.168.75
1. One MJP login with our IT override password - this was
me, testing access for the mjp login.
ii. 67.248.93.29
1. One mjp login, with the IT override password - again,
testing.
iii. 66.109.54.90
1. Two mjp login attempts on 2011-09-27 - failed - this was
the day we shut down MJP access, and these attempts
were to test to ensure the login was shut down.
e. Manually and programmatically correlated and verified the APACHE log
entries associated with each individual MJP login entry in DB
i. For every DB entry there are many APACHE entries, because
APACHE entry records every request made, whereas DB only
records the login request data.
f. Each APACHE record tells us what pages/data were accessed in each
session
What the Data Tells Us
1. The DB data tells us when login attempts are made, what login credentials are
used, and where the request for data from the server originates from.
Specifically the IP address of the requestor.
2. From that DB data, we look at the APACHE data with the matching IP address
and date/time. From the APACHE data we can see what data from the server
was sent to the computer that was used to log in to the NXIVM private access
web portal.
3. Within the APACHE data, we can examine the specific pages that were accessed
by - and amount of data sent to - the IP address in question. We can determine
the specific content that the person accessed through the 'data requested' part
of the log.
a. Ex: 'GET /comm/tools/lcontact.php HTTP/1.1' tells us that the person
accessed the data rendered by the
https://www.nxian.net/comm/tools/lcontact.php page - a page with
names and contact information of participants.
4. The APACHE data also tells us the amount of data sent from the server to the
requesting computer with each request.
5. With all this, we can say - very definitively - the following (for example):
a. A person at xxx.xxx.xxx.xxx IP address logged into Nxian.net at yyyy-mm-dd hh:mm:ss successfully using xxxxxx username and yyyyyyy password.
(DB)
b. The person at the IP address defined in (a) accessed pages [a, b, c, d, e, f,
g, h] . (APACHE)
c. Those pages contain applications [aa, bb, cc, dd, ee, ff, gg, hh], and those
applications contain [data] data. (this is determined by simply looking at
the pages/applications)
d. XXXXX bytes of data were sent from the server to the requesting IP
address in each request (APACHE)
The data downloaded by these IP addresses could not be accessed legitimately without
logging into the server. APACHE very clearly tracks exactly what data was sent and
where it was sent, specifically to what IP addresses at what date/time.
Notable Private Data Accessed
The following is an example of data that contained private corporate information which
was requested by IP addresses associated with illegitimate use of the MJP login
credentials. The data requested was sent from the system server to the machine at the
requesting IP address. There is much more data that was transferred but this is an
example of particularly sensitive corporate information.
lcontact.php - list of active participants/clients including contact information
Magreps/lindex.php - this page contains a dropdown list containing 99% of the
client names of the organization. One of the lists that were publicly posted
appeared to match this list and included full names and ID numbers of clients.
Due to the nature of how this list is displayed, it is possible, but time consuming,
to manually copy all the names from this list. However, in order to acquire the
names and ID number associated with each name, someone would need to both
view the source code of the page and understand the code to some extent,
which would require at least a base understanding of IT and/or web
development to pull both names and associated ID numbers of the client list.
Calendar - the calendar contains a list of upcoming trainings and other events.
These events and the data associated with them are intended for organization
clients/members only.
Because video - this is a testimonial video intended to be viewed only by
clients/members. It is in no way intended for viewing by people who have not
already participated in trainings.
The data provided in the DB records dated between Feb 3, 2010 through Oct 31, 2011
are relevant because of the IP address captures. The Mary Jane Pino username and
password were used prior to Feb 3, 2010. Those entries are not provided at this time
because the IP addresses were not captured. The DB program was modified on or about
Feb 3, 2010 to record the IP addresses. Because the IP addresses were not recorded in
the DB program, we were not able to correlate the log in with the associated data on
the APACHE logs. You could associate the log in with the APACHE logs but not through
an IP address. You would be able to deduct that the log in date and time correlates with
the APACHE log date and time.
The following IP addresses are suspected of illegal access to the NXIVM private access
web portal.
The DB records and APACHE logs are standard tracking processes that NXIVM uses
and has used for an extended period of time. They are kept as a normal course of
business. I can verify that these files have not been corrupted, manipulated or
manufactured in any way.
Having reviewed this statement in its entirety, is it an accurate account of events to
the best of your recollection?
After reviewing this statement, is there anything you wish to add, delete or change?
Has anyone forced or coerced you into making this statement against your will?
END OF STATEMENT
In a written instrument, any person who knowingly makes a false statement which such person does not
believe to be true has committed a crime under the laws of the state of New York punishable as a Class A
Misdemeanor.
Affirmed under the penalty of perjury
This 26th day of September 2012.
Signed:
Inv. Rodger Kirsopp, SP Clifton Park BCI
ET 09/26/12 @ 1:13 PM
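The DB-to-APACHE correlation described in step 5 of the statement above, together with the overlapping-login check from step 4, as an added Python example that is not part of the deposition or its exhibits. Every row, log line and IP address (documentation ranges) is constructed; the /login.php, /calendar.php and /index.php paths, the 30-minute session window and the DB column spellings are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed DB rows; login_time and IP_address follow the statement's field
# list, the other column spellings are assumed.
LOGINS = [
    {"login_name": "mjp", "succ_fail": "success",
     "login_time": "2011-03-01 21:14:05", "IP_address": "203.0.113.7"},
    {"login_name": "mjp", "succ_fail": "success",
     "login_time": "2011-03-01 21:20:40", "IP_address": "198.51.100.23"},
    {"login_name": "mjp", "succ_fail": "success",  # IT test login, excluded below
     "login_time": "2011-03-02 09:00:00", "IP_address": "192.0.2.10"},
    {"login_name": "mjp", "succ_fail": "fail",
     "login_time": "2011-03-03 10:00:00", "IP_address": "203.0.113.7"},
]

# Constructed Apache combined-format lines; the last one is deliberately broken.
APACHE = """\
203.0.113.7 - - [01/Mar/2011:21:14:05 -0500] "POST /login.php HTTP/1.1" 302 512 "-" "Firefox/6.0"
203.0.113.7 - - [01/Mar/2011:21:14:31 -0500] "GET /comm/tools/lcontact.php HTTP/1.1" 200 48213 "-" "Firefox/6.0"
203.0.113.7 - - [01/Mar/2011:21:16:02 -0500] "GET /calendar.php HTTP/1.1" 200 9120 "-" "Firefox/6.0"
198.51.100.23 - - [01/Mar/2011:21:20:40 -0500] "POST /login.php HTTP/1.1" 302 512 "-" "Firefox/6.0"
198.51.100.23 - - [01/Mar/2011:21:21:10 -0500] "GET /comm/tools/lcontact.php HTTP/1.1" 200 48213 "-" "Firefox/6.0"
192.0.2.10 - - [02/Mar/2011:09:00:00 -0500] "POST /login.php HTTP/1.1" 302 512 "-" "Firefox/6.0"
203.0.113.7 - - [02/Mar/2011:08:00:00 -0500] "GET /index.php HTTP/1.1" 304 - "-" "Firefox/6.0"
truncated line that does not parse
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)')
DB_FMT = "%Y-%m-%d %H:%M:%S"

def parse_apache(text):
    """Yield (ip, naive server-local datetime, path, bytes_sent) per parsable line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        ip, ts, _method, path, _status, size = m.groups()
        # DB and Apache share one server clock, so compare in local time.
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        yield ip, when, path, 0 if size == "-" else int(size)

def correlate(logins, apache_text, excluded_ips=(), window=timedelta(minutes=30)):
    """Attach to each successful login the requests from its IP inside `window`.
    This attributes traffic to an address, not a person; shared (NAT) addresses
    and back-to-back logins from one IP will merge or double-count sessions."""
    requests = list(parse_apache(apache_text))
    sessions = []
    for row in logins:
        ip = row["IP_address"]
        if row["succ_fail"] != "success" or ip in excluded_ips:
            continue
        start = datetime.strptime(row["login_time"], DB_FMT)
        hits = [(p, b) for rip, t, p, b in requests
                if rip == ip and start <= t < start + window]
        sessions.append({"login_time": row["login_time"], "ip": ip,
                         "pages": [p for p, _ in hits],
                         "bytes_sent": sum(b for _, b in hits)})
    return sessions

def overlapping_logins(logins, window=timedelta(minutes=30)):
    """IP pairs where one username logged in from two addresses within `window`."""
    ok = sorted((datetime.strptime(r["login_time"], DB_FMT), r["login_name"],
                 r["IP_address"]) for r in logins if r["succ_fail"] == "success")
    return [(a[2], b[2]) for i, a in enumerate(ok) for b in ok[i + 1:]
            if a[1] == b[1] and a[2] != b[2] and b[0] - a[0] < window]
```
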
EXHIBIT B
BT 05/23/12
09:12 AM
Supporting Deposition (CPL 100.20)
The People of the State of New York
-vs.
Location of Incident
State of New York Local Criminal Court
County of Albany
Town of Colonie
Location of Deposition
State of New York
County of Saratoga
Town of Clifton Park
I am an IT professional and I am a contractor working for NXIVM. I do business as
Solsys and I have been doing work for NXIVM since 2006.
As part of my employment, I am charged with a daily audit of the log in system for the
NXIVM website. I am knowledgeable of the website and the software that is used to run
the website.
The website uses a username and password log in process to gain access to the website on
a log in credentials page. It captures the user's credentials, including the time and date
stamp and IP address associated to the log in. The system is set up so only certain users
can gain access to certain areas of the website. Lower members would have limited
access and higher members would have greater access. Also it would depend on the
individual's role with NXIVM on where they would be allowed to have access to certain
pages in the website.
The daily audits of the system were not always done until some material from the website
began to show up on the blog at Saratoga in Decline. The system always captured the
information but the daily audits were not done on a regular basis. The daily audits were
done at the request of Clare Bronfman.
I am not sure of the specific date, but we started looking at the log ins and determining if
they were active members or not. If it was a member that we had not heard from in a
while, we would use a process of elimination to determine if they were active or
suspicious in nature. Through our process of elimination, we determined that Mary J
Pinot had used her user name and password to gain access to the website. I then looked at
the logs to determine what pages that she had accessed. I determined that the pages that
she had accessed on the website were pages that contained information that was released
through the blog. I looked closer at the log ins for Mary J Pinot and located multiple log
ins and they appeared pretty regular.
I provided this information to Clare Bronfman.
Having reviewed this statement in its entirety, is it an accurate account of events to
the best of your recollection?
Has anyone forced or coerced you into making this statement against your will?
After reviewing this statement, is there anything you wish to add, delete or change?
END OF STATEMENT
In a written instrument, any person who knowingly makes a false statement which such person does not
believe to be true has committed a crime under the laws of the state of New York punishable as a Class A
Misdemeanor.
Affirmed under the penalty of perjury
This 18th day of April 2012.
Signed:
SP Clifton Park BCI
EXHIBIT C
BT 04/18/12
01:38 PM
Supporting Deposition (CPL 100.20)
The People of the State of New York
-vs.
Location of Incident
State of New York Local Criminal Court
County of Saratoga
Town of Halfmoon
Location of Deposition
State of New York
County of Saratoga
Town of Clifton Park
Clare W. Bronfman, date of birth _
residing
voluntarily make the following written statement to Investigator
Rodger Kirsopp of the New York State Police:
I am making this statement in regards to activities surrounding myself and NXIVM/ESP.
I am on the Executive Board with NXIVM and I oversee Accounting, Administration,
Legal, IT and Communications.
First, as an individual, I have been subjected to numerous comments on Saratoga in
Decline. This is a blog site that is run by a man named, John Tighe. I am very afraid of
this man. He is a large man and based on his posts and activities, I am worried about what
he is capable of. There have been posts on his site about people causing harm to me. He
has posted pictures of guns and his dog. John Tighe has shown up at NXIVM events such
as Vanguard Week, Winterfest and Nancy Salzman's birthday.
On August 24, 2010, John Tighe made an appearance at Vanguard Week at the Silver
Bay YMCA. As a result of monitoring the blog site and the various posts on the site,
NXIVM hired security for the event costing $75,000.00. Because of the posts on the blog
site concerning threats to me, my sister Sara Bronfman, Keith Raniere, and Nancy
Salzman, I felt it necessary to hire security for the event. I was also subjected to
numerous phone calls from people who were planning on attending the event in regards
to their concern for their and our safety. During this event, I was speaking in the
auditorium to the attendees, welcoming them to the event. It was at this time, I was
advised by security that John Tighe was on the property and that I needed to keep
everyone inside. I spoke for an hour and half until I was advised that he had left the area.
NXIVM held a corporate holiday party at Apropos. I recall that during the event, between
6:00 PM and 8:00 PM, John Tighe made an appearance. I was with Keith Raniere,
Siobhan Hotaling, and Mike Baker. NXIVM has an a cappella group and they were
practicing in the building down the street from Apropos. I was alerted that Tighe was at
the event. I told Keith Raniere to stay in the building and I responded to Apropos to
monitor the situation. I called the police and they responded. I observed John Tighe in his
red convertible and he was taking pictures.
On July 16, 2011, I was attending Nancy Salzman's birthday at Apropos. I don't recall
where John Tighe had parked his car. He was either across the street or in his usual spot
next to Fred the Butcher. I contacted the police to respond which they did.
On August 26, 2011, I was attending Vanguard Week at the Silver Bay YMCA. I believe
it was at 12:45 PM when John Tighe made an appearance at the event. I was walking by
the lake. I was approached by Damon Brink. He told me that Tighe was at the event. I
immediately observed Tighe in his car. He was turning his car around on one of Silver
Bay's private roads. I rode with Damon Brink in his golf buggy. As we approached the
main road, John Tighe was taking pictures of us. As we got closer, Tighe drove down the
main road, very slowly. I called the police and they responded. John Tighe had already
left the area when they responded.
I recall that John Tighe made an appearance at Nancy Salzman's birthday in 2010 at
Apropos. I don't recall the specifics but I have previously reported the incident to the
State Police in 2010.
As I previously stated, I am on the Executive Board for NXIVM and I oversee the IT and
legal teams for NXIVM. I regularly monitor the blog. As a result, I observed NXIVM
material that had been posted to the site. The information posted at that time, I
determined could only have come from the NXIVM computers. It was at this time, I
directed the NXIVM IT team to send a report to me every night, listing people who
accessed the computer system, and how they accessed the system, if they were
successful, if they failed in their attempt to access the system, their IP address, and their
approximate location. It was from these reports that I noticed a name that I did not
recognize, a Mary Jane Pino. I had my Administrative team look up Mary's information.
I believe she had been recruited by Barbara Bouchey approximately ten years earlier.
Mary had taken some classes at that time but had not taken any additional classes since
that time. I then had the IT team look up where specifically Mary had navigated on our
computer system. I took that report and I had the legal team look at the information that
had been visited by Mary to the information that had been posted to the blog. I had them
look at all of the times that Mary had logged into the system. We determined at that time
that the log in times for Mary's account to the times to the blog posting matched. Mary
Jane Pino was contacted to determine if she had in fact used her log in to gain access to
the computer system. I have been advised that she denied using her log in to gain access
to the system.
Everyone that has taken classes through ESP has access to the computer system.
Everyone who takes classes with ESP signs a confidentiality agreement at least twice.
They sign when they first sign up and they also sign an agreement with every subsequent
program that the client takes. You can gain access to the system in two ways. One is with
a username and password. There is a secondary access to clients that I have informed
Investigator Kirsopp on its particulars but I refrain from publishing it here. The only ones
that are denied accesses are people that have left on bad terms with NXIVM/ESP. We
allow clients to have access to certain areas of the computer system. This is also to say
that the higher your position the more access that you are granted in the computer system.
Having reviewed this statement in its entirety, is it an accurate account of events to
the best of your recollection?
Yes
After reviewing this statement, is there anything you wish to add, delete or change?
Has anyone forced or coerced you into making this statement against your will?
No
END OF STATEMENT
In a written instrument, any person who knowingly makes a false statement which such person does not
believe to be true has committed a crime under the laws of the state of New York punishable as a Class A
Misdemeanor.
Affirmed under the penalty of perjury
This 18th day of April 2012.
Signed:
Rodger Kirsopp, SP Clifton Park BCI
ET 04/18/12 @ 4:23 PM
No