[from Computer underground Digest 2.11, Nov. 13 '90 "SPECIAL ISSUE: SEARCH
AFFIDAVIT FOR STEVE JACKSON GAMES"]


The application and affidavit for the search warrant for Steve Jackson
Games (Case #A-90-54m), dated February 28, 1990, and signed by U.S.
Magistrate Stephen H. Capelle in Austin Texas and Special Agent Timothy M.
Foley of the U.S. Secret Service, has been released.  The application
alleges violations of Title 18 USC Sections 2314 and 1030 and was issued
in the U.S. District Court (Western District of Texas).

We have retyped it, and there may be some typographical errors, but we
have done our best to recreate it as is.

There are several features about the affidavit. First, the bulk of it is
repititious and simply establishes the credentials of the investigators,
summarizes basic terms, and provides general background that seems
inconsequential in linking the persons to be searched to any substantive
criminal activity. It should also be remembered that the "$79,449.00"
document in question was shown to contain nothing of substance that is not
available to the general public for under $14. Further, to our knowledge,
there is no evidence, contrary to suggestions, that E911 software was
obtained.

Most troublesome is the interpretation given to attached logs from The
Phoenix Project that creates a conspiratorial scenario from a few ambiguous
messages. While imaginative use of narrative is admirable in fiction, its
use as a weapon of power is dangerous.  At root, Steve Jackson Games was
raided because an employee ran a BBS that made available, as perhaps
thousands of others BBSs nationwide, Phrack. The employee was also accused
of being part of a "fraud scheme" because he had the temerity to explain
what a Kermit protocol is in a two line message.

Perhaps Agent Foley is competent, but in reviewing this warrant questions
arise regarding the raid on SJG that should not go unanswered.

                       ++++++++++++++++++++++++++++

                               ATTACHMENT A

     2700 "A" Metcalfe Road is located in the city of Austin, State
of Texas, County of Travis. Said address is a two-story square
building measuring approximately 50 feet on a side located on the
south side of Metcalfe Street.

     The bottom story is multi-colored brick face and the upper
story is white wood frame construction.

     A balcony surrounds the upper story. The address "2700A" is
on two sides in white letters, and the numbers are approximately
ten inches high. An outside wooden stairway connects the floors
on the south side of the building. The driveway is of gravel. A
large all-metal warehouse-type building is immediately behind the
address.

                            (End Attachment A)

                             ++++++++++++++++

                               ATTACHMENT B

     Computer hardware (including, but not limited to, central
processing unit(s), monitors, memory devices, modem(s), programming
equipment, communication equipment, disks, and prints) {sic} and computer
software (including but not limited to, memory disks, floppy
disks, storage media) and written material and documents relating
to the use of the computer system (including networking access
files), documentation relating to the attacking of computers and
advertising the results of computer attacks (including telephone
numbers and licensing documentation relative to the computer programs and
equipment at the business known as Steve Jackson Games which
constitute evidence, instrumentalities and fruits of federal
crimes, including interstate transportation of stolen property (18
USC 2314) and interstate transportation of computer access
information (18 USC 1030 (a)(6)). This warrant is for the seizure
of the above described computer and computer data and for the
authorization to read information stored and contained on the above
described computer and computer data.

                            (End Attachment b)

                         ++++++++++++++++++++++++

State of Texas      )
                    )     ss
County of Travis    )

                                 AFFIDAVIT

     1. I, Timothy Foley, am a Special Agent of the United States
Secret Service and have been so employed for the past two years.
I am presently assigned to the United States Secret Service in
Chicago. Prior to that I was employed as an attorney practicing
in the City of Chicago and admitted to practice in the State of
Illinois. I am submitting this affidavit in support of the search
warrants for the premises known as: (a) the residence of Loyd Dean
Blankenship, 1517G Summerstone, Austin, Texas; (b) the employment
location of Blankenship, the business known as Steve Jackson Games,
2700-A Metcalfe Road, Austin Texas; and (c) the residence of Chris
Goggans, 3524 Graystone #192, Austin, Texas.

SOURCES OF INFORMATION

     2. This affidavit is based on my investigation and
information provided to me by Special Agent Barbara Golden of the
Computer Fraud Section of the United States Secret Service in
Chicago and by other agents of the United States Secret Service.
     3.I have also received technical information and
investigative assistance from the experts in the fields of
telecommunications, computer technology, software development and
computer security technology, including:
          a. Reed Newlin, a Security Officer of Southwestern
Bell, who has numerous years of experience in operations,

                                   - 1 -

maintenance and administration of telecommunications systems as an
employee of the Southwestern Bell Telephone Company.
          b. Henry M. Kluepfel, who has been employed by the Bell
System or its divested companies for the last twenty-four years.
Mr. Kluepfel is presently employed by Bell Communications Research,
(Bellcore) as a district manager responsible for coordinating
security technology and consultation at Bellcore in support of its
owners, the seven regional telephone companies, including Bell
South Telephone Company and Southwestern Bell Telephone Company.
Mr. Kluepfel has participated in the execution of numerous Federal
and State search warrants relative to telecommunications and
computer fraud investigations. In addition, Mr. Kluepfel has
testified on at least twelve occasions as an expert witness in
telecommunications and computer-fraud related crimes.
          c. David S. Bauer, who has been employed by Bell
Communications Research (Bellcore) since April 1987. Mr. Bauer is
a member of the technical staff responsible for research and
development in computer security technology and for consultation
in support of its owners, the seven regional telephone companies,
including Bell South. Mr. Bauer is an expert in software
development, communications operating systems, telephone and
related security technologies. Mr. Bauer has conducted the review
and analysis of approximately eleven computer hacking
investigations for Bellcore. He has over nine years professional
experience in the computer related field.

                                   - 2 -

                            Violations Involved

     4. 18 USC 2314 provides federal criminal sanctions against
individuals who knowingly and intentionally transport stolen
property or property obtained by fraud, valued at $5,000 or more
ininterstate commerce. My investigation has revealed that on or
about February 24, 1989, Craig Neidorf transported a stolen or
fraudulently obtained computerized text file worth approximately
$79,000.000 from Columbia, Missouri, through Lockport, Illinois to
Austin, Texas to Loyd Blankenship and Chris Goggans.
     5. 18 USC 1030 (a)(6) and (b) provide federal criminal
sanctions against individuals who knowingly and with intent to
defraud traffic or attempt to traffic, in interstate commerce, in
passwords or similar information through which a computer may be
accessed without authorization. My investigation has revealed that
on or about January 30, 1990, Loyd Blankenship and Chris Goggans
attempted to traffic in illegally obtained encrypted passwords
received from other computer hackers. My investigation has further
revealed that, through the use of sophisticated decryption
equipment and software, they planned to decrypt the encrypted
passwords provided by the hackers. They then planned to provide
the original hackers with the decrypted passwords which they in
turn could use to illegally access previously guarded computers.

                                DEFINITIONS

     6. COMPUTER HACKERS/INTRUDERS - Computer hackers or
intruders are individuals involved with the unauthorized access of
computer systems by various means. The assumed names used by the

                                   - 3 -

hackers when contacting each other are referred to as "hacker
handles."
     7. BULLETIN BOARD SYSTEM (BBS) - A bulletin board system
(also referred to as a "Bulletin board" or "BBS") is an electronic
bulletin board accessible by computer. Users of a bulletin board
may leave messages, data, and software readable by others with
access to the bulletin board. Bulletin board readers may copy, or
"download," onto their own machines material that appears on a
bulletin board. Bulletin boards typically are created and
maintained by "systems operators" or "system administrators".
Hackers frequently use bulletin boards to exchange information and
data relating to the unauthorized use of computers.
     8. E911 - E911 means the enhanced 911 telephone service in
universal use for handling emergency calls (police, fire,
ambulance, etc.) in municipalities. Dialing 911 provides the
public with direct access to a municipality's Public Safety
Answering Point (PSAP). Logistically, E911 runs on the public
telephone network with regular telephone calls into the telephone
company switch. However, incoming 911 calls are given priority
over all other calls. Then the 911 call travels on specially
dedicated telephone lines from the telephone company's switch to
the fire, police and emergency reaction departments in the city
closest to the location of the caller. It is essential for the
emergency unit to know the location of the caller, so one of the
most important parts of the system is the Automatic Location
Identifier (ALI), which automatically locates where the

                                   - 4 -

telephone call originates, and the Automataic Number Identification
(ANI), which holds the telephone number of the calling party even
if the caller hangs up. The E911 system of Bell South is described
in the text of a computerized file program and is highly
proprietary and closely held by its owner, Bell South. The file
describes the computerized control, operation and maintenance of
the E911 system.
     9. ELECTRONIC MAIL - Electronic mail, also known as
e-mail, is a common form of communication between individuals on
the same or on separate computer systems. Persons who may send or
receive electronic mail are identified by an electronic mail
address, similar to a postal address. Although a person may have
more than one electronic mail address, each mail address
identifies a person uniquely.
     10. LEGION OF DOOM - At all times relevant herein, the Legion
of Doom, (LOD), was a closely knit group of computer hackers
involved in:
          a. Disrupting telecommunications by entering telephone
switches and changing the routing on the circuits of the computers.
          b. Stealing propriety {sic} computer source code and
information from individuals that owned the code and information
          c. Stealing credit information on individuals from
credit bureau computers.
          d. Fraudulently obtaining money and property from
companies by altering the computerized information used by the
companies.

                                   - 5 -

          e. Disseminating information with respect to their
methods of attacking computers to other computer hackers in an
effort to avoid the focus of law enforcement agencies and
telecommunication security experts.
     11. PASSWORD ENCRYPTION - A password is a security device
that controls access to a computer, (log on privileges) or to
special portions of a computer's memory. Encryption further limits
access to a computer by converting the ordinary language and/or
numerical passwords used on a computer into cipher or code.
Decryption is the procedure used to transform coded text into the
original ordinary language and/or numerical format.
     12. TRANSFER PROTOCOL -  transfer protocol is a method of
transferring large files of information from one computer to
another over telephone lines. Using a transfer protocol a file is
uploaded (sent) and downloaded (received). This transfer procedure
breaks blocks of data into smaller packages for transmission and
insures that each block of data is an error free copy of the
original data. Transfer protocols may also encode and decode
transmissions to insure the privacy of the transferred information.

                          INVESTIGATION OVERVIEW

     13. My investigation to date has disclosed that computer
hacker Robert Riggs of the Legion of Doom, (LOD), stole the highly
proprietary and sensitive Bell South E911 Practice text file from
Bell South in Atlanta, Georgia in about December, 1988 and that

                                   - 6 -

this stolen document was distributed in "hacker" newsletters
through the use of e-mail. These newsletters included the "Phrack"
newsletter issue #24 distributed in February, 1989 by Crig Neidorf
to LOD members, including Loyd Blankenship and Chris Goggans
of Austin, Texas. The E911 Practice was posted on the "Phoenix
Project" BBS, in January, 1990, so that anyone with access to the
BBS could download a copy of the E911 Practice onto any other
computer. The "Phoenix Project" BBS is run jointly by co-systems
operators Loyd Blankenship, (hacker handle, The Mentor), and Chris
Goggans, (hacker handle, Eric {sic} Bloodaxe), who both have sent e-mail
communications identifying themselves as members of LOD. My
investigation has also disclosed that Loyd Blankenship and Chris
Goggans, through their hacker BBS "Phoenix Project," have
established a password decryption service for hackers who had
obtained encrypted passwords from computers they had been
attacking.


                     THEFT OF E911 TEXT FILE
     14. In March, 1988, Bell South developed a sophisticated new
program which describes in great detail the operation of the E911
system and the 911 support computer in Sunrise, Florida that
controls ALI and ANI information. This program, which was
enginered at a cost of $79,449.00, was locked in a secure computer
(AIMSX) in Bell South's corporate headquarters in Atlanta, Georgia.
The document was and is highly proprietary and contained the
following warning:

                                   - 7 -

          NOTICE: NOT FOR USE OR DISCLOSURE OUTSIDE
          BELL SOUTH OR ANY OF ITS SUBSIDIARIES EXCEPT
          UNDER WRITTEN AGREEMENT.
     15. In July, 1989, Robert Riggs apartment in Decatur, Georgia
was searched by United States Secret Service agents from Atlanta
pursuant to a federal search warrant.
     16. At the time of the search, Riggs, (hacker handle, The
Prophet), was interviewed by Special Agent James Cool of the USSS-
Atlanta and representatives of Bell South from Atlanta. During
this extensive interview, Riggs admitted that he illegally gained
remote access into Bell South's AIMSX computer through an account
to which access was not secured by a password, and that once on the
machine he executed a program designed to search for passwords and
to obtain other account names on the computer. He stated that once
he was on the computer, he found the E911 protocol document and
downloaded it from the Bell South computer to his home computer.
He subsequently uploaded the E911 file from his home computer to
a computer bulletin board. (He did not give the agents the name
of the bulletin board).
     17. Riggs' admissions were corroborated by interviews with
Rich Andrews, the operator of the computer bulletin board known as
JOLNET BBS in Lockport, Illinois. Andrews disclosed that in about
January, 1989, a hacker known to him by the handle PROPHET uploaded
an E911 program with bell South proprietary markings onto his BBS.
This program was then downloaded from the BBS to another hacker
known to him by the handle Knight Lightning (Craig Neidorf).

                                   - 8 -

                            PHRACK PUBLICATION
     18. On January 18, 1990, pursuant to a federal grand jury
subpoena, I received documents from the administration of the
University of Missouri regarding computer publications of Craig
Neidorf, a student at University of Missouri and Randly Tishler, a
former student at University of Missouri, (hacker handle, Taran
King), which showed that Neidorf and Tishler were publishing the
computer hacker newsletter entitled "Phrack" which they were
distributing to computer hackers around the United States through
the use of the University of Missouri account on a
telecommunication network called Bitnet.
     19. On January 18, 1990, Security Officer Reed Newlin of
          NOTICE: NOT FOR USE OR DISCLOSURE OUTSIDE
          BELLSOUTH OR ANY OF ITS SUBSIDIARIES EXCEPT
          UNDER WRITTEN AGREEMENT. (WHOOPS)
     22. Distribution records of Phrack 24 recovered from Richard
Andrews in Lockport in July 1989 reflect that copies of this
newsletter containing the proprietary E911 information and the
proprietary markings from Bell South were forwarded from Neidorf's
computer in Colombia {sic}, Missouri to Loyd Blankenship's computer in
Austin, Texas on or about February 24, 1989.
     23. I have personally examined the Phrack newsletter number
24 and observed that the newsletter does in fact contain a slightly
edited copy of the stolen Bell South E911 Practice text file with
the warning:
          NOTICE: NOT FOR USE OR DISCLOSURE OUTSIDE

                                  - 10 -

          BELLSOUTH OR ANY OF ITS SUBSIDIARIES EXCEPT
          UNDER WRITTEN AGREEMENT. (WHOOPS)


                  REPUBLICATION OF E911 BY PHOENIX PROJECT
     24. On February 26, 1990, Hank Kluepfel of Bellcore advised
me that the Phoenix Project BBS run by Loyd Blankenship and Chris
Goggans was in operation on January 15, 1990. Mr. Kluepfel advised
that he had made this determination by successfully logging on to
Phoenix Project at telephone number 512-441-0229 on about January
30, 1990 and observing messages dated from January 15, 1990 to
January 30, 1990, on the BBS. Mr. Kluepfel also advised me that the
BBS system information identified the Mentor and Erik Bloodaxe as
the system administrators on the BBS.
     25. On February 14, 1990, Mr. Kluepfel advised me that after
accessing the Phoenix Project BBS, he had gone to the Phrack sub-
menu of the BBS and observed Phrack 24 on the menu. Mr. Kluepfel
further advised me that upon review of Phrack 24, he observed that
the Bell South E911 Practice text file was still in the edition
carried by the Phoenix Project BBS.
     26. On February 14, 1990, Mr. Kluepfel advised me that he had
downloaded a copy of Phoenix Project's user list (its electronic
mailing list) and that it reflected that seeral of the hackers on
the list of users were located in the Northern District of
Illinois.
PHOENIX PROJECT DECRYPTION SERVICE

                                  - 11 -

     27. On February 14, 1990, Mr. Kluepfel advised me that on
January 23, 1990, the co-systems administrator on the Phoenix
Project BBS, Erik Bloodaxe, had published a notice that the BBS was
beginning a new decryption service. Bloodaxe invited the readers
of the newsletter to send the BBS encrypted passwords for any UNIX
or Prime computer system, and the system administrators would
decrypt the passwords and return them. Bloodaxe also indicated that
the systemes administrators would probably access the computer using
the password as well. In a later message on January 26, 1990, The
Mentor responded to a question about a transfer protocol that had
been set out, but not explained in Bloodaxe's notice, indicating
his involvement in the decryption scheme.
     28. On February 14, 1990, Mr. Kluepfel advised me that the
password file decryption service offered by the Phoenix Project
provided computer hackers with information through which a computer
could be acessed without authorization under the meaning of 18 USC
1030 (a)(6) and (b) and constituted a threat to Bellcore's client
companies including Bell South.
                 IDENTIFICATION OF BLANKENSHIP AND GOGGANS
     29. Among the documents that had been printed out from the
University of Missouri computers, which I received from the
University of Missouri computers, which I received from the
administration of the University of Missouri, were lists of hackers
and their corresponding real names. On that list were the names
of Loyd Blankenship and Chris Goggans and their respective hacker
handles of The Mentor and Erik Bloodaxe.

                                  - 12 -
     30. Among the documents seized in the search of Neidorf's
house were phone lists which included the full names of Loyd
Blankenship and Chris Goggans and identified them as The Mentor and
Erik Bloodaxe, respectively.
     31. On February 6, 1990, Mr. Kluepfel provided me with
copies of a Phrack newsletter which contained a September 23, 1989,
profile of computer hacker Erik Bloodaxe. The profile indicated
that the Erik Bloodaxe's real name was Chris, that he was 20 years
old, 5'10", 130 pounds, that he had blue eyes, brown hair and that
he used various computers including an Atari 400, various computer
terminals with limited computing capability that are or can be
linked to a central computer, and a CompuAid Turbo T. The profile
reflects that Erik Bloodaxe was a student in computer science at
the University of Texas in Austin.
     32. On February 6, 1990, Mr. Kluepfel provided me with a copy
of Phrack containing a January 18, 1989 profile of the computer
hacker known as The Mentor. The profile indicated that the
Mentor's real name was Loyd, that he was 23 years old, 120 pounds,
5'10", that he had brown hair, brown eyes and that he had owned a
TRS-80, an Apple IIe, an Amiga 1000, and a PC/AT.
     33. The identification of Loyd Blankenship as The Mentor in
the Phrack profile was corroborated on February 22, 1990, by
information provided by Larry Coutorie an inspector with campus
security at the University in Austin, Texas who advised
me that his review of locator information at the University of
Texas in Austin disclosed current drivers license information on

                                  - 13 -

Loyd Dean Blankenship reflecting that Blankenship resides at 1517G
Summerstone, in Austin, Texas, telephone number 512-441-2916 and
is described as a white, male, 5'10", with brown hair and brown
eyes. He further advised that Blankenship is employed at Steve
Jackson Games, 2700-A Metcalfe Road, Austin, Texas where he is a
computer programmer and where he uses a bulletin board service
connected to telephone number 512-447-4449.
     34. According to telephone company records the telephone
number 512-441-0229, the number for the Phoenix Project BBS, is
assigned to the address 1517 G Summerstone, Austin, Texas, which is
the residence of Loyd Blankenship.
     35. Hank Kluepfel has advised me that he has loged on to the
BBS at 512-447-4449 and that The Mentor is listed as the systems
operator of the BBS. Mr. Kluepfel further advised me that the user
list of that BBS contains the name of Loyd Blankenship and others
known to Mr. Kluepfel has hackers. Also, Mr. Kluepfel observed that
Loyd Blankenship is a frequent user of the BBS.
     36. Similarly, the identification of Chris Goggans as the
Erik Bloodaxe described in the Phrack profile was corroborated on
February 22, 1990, by Larry Coutorie who advised me that his
review of locator information at the University of Texas with
respect to Chris Goggans disclosed that Goggans resides at 3524
Graystone #192, in AUstin, Texas and that his full name is Erik
Christian Goggans. Goggans, who goes by the name Chris, is a white,
male, with blond hair and blue eyes date of birth 5/5/69, 5'9",
120 pounds.

                                  - 14 -

     37. On February 19, 1990, I was advised by Margaret Knox,
Assistant Director of the Computation Center, University of Texas,
Austin, Texas, that a young man presented himself to her as Chris
Goggans in response to the University sending a notification of the
Grand Jury subpoena for University records pertaining to Chris
Goggans to Chris Goggans at 3524 Graystone #192, Austin, Texas. The
young man also told her that he was Erik Bloodaxe of the Legion of
Doom.

                         Locations to be Searched
     38. Based on the above information and my own observations,
I believe that the E911 source code and text file and the
decryption software program are to be found in the computers
located at 1517G Summerstone, Austin, Texas, or at 2700-A Metcalfe
Road, Austin, Texas, or at 3524 Graystone #192, Austin, Texas, or
in the computers at each of those locations.
     39. The locations to be searched are described as: the
premises known as the residence of Loyd Dean Blankenship, 1517G
Summerstone, Austin, Texas; the employment location of Blankenship,
the business known as Steve Jackson Games, 2700-A Metcalfe Road,
AUstin, Texas; and the residence of Chris Goggans, 3524 Graystone
#192, Austin, Texas. Those locations are further described in
Attachment A to 

15/58: Heck
Name: The Parmaster #21
Date: Wed Jan 24 07:48:01 1990
    Personally i like it :-)
Jason.

16/58: Decryption
Name: Grey Owl #10
Date: Wed Jan 24 19:10:52 1990
I think it's a great idea. I get a whole shitload of passwd files and some
UAF files too.               |||_______got!
grey owl

17/58: Just a couple of questions...
Name: Konica #47
Date: Wed Jan 24 23:41:13 1990
Well since the feds know this is a hacker board whats stopping them from
tracing every incoming call to Pheonix Project and getting all the #'s,
then monitoring then for illegal activity?

And just say I was calling through my personal calling card....What would
they get as the incomming #?
If I had a DNR on my line is there any way I could find out?
Sorry about this but I am not as good as most of you (except for the guy
that keeps posting codes) and the only way I am going to learn is by trying
shit out and asking questions...
Hope this is the right sub for these questions....

+++++++++++++++
(The following are the actual logs; Typos were not removed)
+++++++++++++++


18/47: vv
Name: Dtmf #27
Date: Thu Jan 25 03:22:29 1990

RE: Just a couple of questions...

To check the DNR the best bet woud be to call bell security, or the SCC


19/47: well..
Name: Phoenix #17
Date: Thu Jan 25 07:27:43 1990

nothing stops them from tracing..
I dont know how it works there.. but down here all traces are illegal
unless
they are for drug/murder reasons.. 


20/47: Feds...
Name: Erik Bloodaxe #2
Date: Thu Jan 25 17:05:35 1990

Absolutely nothing would stop them from collecting all local calls, and/or
any
longdistance company records of calls coming into this number...in fact, I
kind of expect them to at least get all local calls here...hell Austin is
all




25/47: my kermit
Name: Ravage #19
Date: Fri Jan 26 12:24:21 1990


lets me set it at 8 bits also. just another trivial note.






26/47: from what I know...
Name: Dark Sun #11
Date: Fri Jan 26 16:26:55 1990

kermit was originally designed to allow transmission of data across 2
computers running with different parity settings.
                             DS






27/47: and..
Name: Phoenix #17
Date: Sat Jan 27 07:28:45 1990

as a major disadvantage.. it is damn slow!

Phoenix






28/47: Well....
Name: Johnny Hicap #45
Date: Sat Jan 27 21:28:18 1990

No one answered that question (forget who posted it) that if he was
calling
through a calling card is it possible to get the number of the person who
called even he was calling through hs calling card? What would they get as
the
number comming in? Would they get the card? Of course then they would just
see
who owns it.

JH!






29/47: more Kermit BS
Name: Grey Owl #10
Date: Sat Jan 27 23:53:57 1990

Kermit is slower than Xmodem, BTW.  The packets are smaller (usually 64
bytes)
and the error-checking is shot to hell with any line noise.  It's better
than
ASCII though!

grey owl

                          (END SEARCH AFFIDAVIT)