Hacker Court 2006 Sex, Lies, and Sniffers hackercourt@wkeys.com - PowerPoint PPT Presentation

Slides: 51
Provided by: wkeys
Learn more at: https://attrition.org

1
Hacker Court 2006: Sex, Lies, and Sniffers
hackercourt@wkeys.com
2
Sex, Lies, and Sniffers Announcements
  • oyez, Oyez, OYEZ
  • The annual court of Black Hat is now in session
  • with the honorable Judge Richard Salgado
    presiding

3
CAST
  • JUDGE: Richard Salgado, Attorney, Former Senior
    Counsel of CCIPS, a division of Department of
    Justice
  • COURT CLERK: Caitlin Klein
  • SAMANTHA JONES (CISO): Carole Fennelly, Senior
    Security Engineer, Tenable Network Security
  • PROSECUTOR: Kevin Bankston, Staff Attorney,
    Electronic Frontier Foundation
  • DEFENSE ATTORNEY: Paul Ohm, Attorney and Law
    Professor, Former counsel CCIPS, a division of
    Department of Justice
  • DEFENDANT: Brian Martin, Attrition.org
  • REPORTER: Ryan Bulat (as himself) - Intern,
    Wizards Keys Corp.
  • CASE AGENT: Ovie Carroll, Former OSI, CCIPS, a
    division of Department of Justice
  • SENATOR DAMON GASM: Simple Nomad, Vernier
    Networks
  • DEFENSE EXPERT: Jonathan Klein, Director
    Security Solutions, Calence, LLC

4
Schedule
  • 16:45 - 16:50 Introductions, Court Called to
    Order
  • 16:50 - 17:10 Opening Statements
  • 17:10 - 17:30 Agent Carroll
  • 17:30 - 17:50 Samantha Jones
  • 17:50 - 18:05 Ryan Bulat
  • 18:05 - 18:20 Senator Gasm
  • 18:20 - 18:30 Break
  • 18:30 - 18:55 Jonathan Klein
  • 18:55 - 19:15 Brian Martin
  • 19:15 - 19:25 Closing Statements - Attorneys
  • 19:25 - 19:30 Jury Instructions - Judge Salgado
  • 19:30 - 20:00 Panel discussion

5
Witness Classification
  • Factual Witness: testifies to events directly
    witnessed or observed. May only testify regarding
    facts, not draw conclusions.
  • Expert Witness: specifically qualified by the
    court as an expert in the subject at hand. May
    offer opinion and draw conclusions based on
    knowledge and expertise.

6
Prosecution Opening Statement
  • Attorney Kevin Bankston will present his key
    points for the Prosecution.

7
Defense Opening Statement
  • Attorney Paul Ohm will present his key points for
    the Defense.

8
Prosecution Witness 1
  • Agent Carroll is the Case Agent testifying as
    both a factual and expert witness on events he
    witnessed and actions he took when he conducted
    the forensic examination on the computer.

9
Government Exhibit 1
  • Volatile Memory commands
  • rpcinfo -p - Print port numbers for each
    registered rpc listener
  • rpcinfo - Print general information about
    registered rpc listeners
  • netstat -an - Print information about all open
    sockets
  • netstat -nr - Print routing information
  • ps -lef - Print a long listing of all processes
    on the system
  • lsof - List all open file descriptors
  • nmap - Scanning tool used to determine what ports
    are open on a remote system.
  • gcore <pid> - Take a core snapshot of a
    process.
  • vmstat - Print virtual memory statistics
  • iostat - Print i/o statistics
  • ifconfig - Interface configuration
  • ndd - Display network driver settings (/dev/ip,
    /dev/tcp, /dev/udp)

10
Government Exhibit 1 (contd)
  • Volatile Memory commands
  • pstack <pid> - Stack trace for each thread.
  • pcred <pid> - Displays the credentials of each
    process
  • memdmp - dumps memory for later examination
    (found in The Coroner's Toolkit)
  • pldd <pid> - Displays the dynamic libraries the
    process is linked with.
  • netcat - used to save volatile data across the
    network to a secure system.
  • dd - used with netcat to save off the system
    image
  • dd if=/dev/rdsk/c0t0d0s0 bs=1024
    conv=sync,noerror | nc 10.1.1.1 49152

11
Government Exhibit 2
Switch Configuration
Cisco 3750 IOS 12.2.25(SEE)
Switch attached to investigation machine
Fa0/1 - Uplink to the rest of the network
Fa0/5 - Link to investigation machine
!
monitor session 1 source interface Fa0/1
monitor session 1 destination interface Fa0/5
!
12
Government Exhibit 3
#!/usr/bin/perl
#
# Chaosreader can trace TCP/UDP/... sessions and fetch application data
# from tcpdump or snoop logs. This is like an "any-snarf" program, it will
# fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG, ...),
# SMTP emails, etc ... from the captured data inside the network traffic
# logs. It creates a html index file that links to all the session details,
# including realtime replay programs for telnet, rlogin or IRC sessions
# and reports such as image reports and HTTP GET/POST content reports. It
# also creates replay programs for telnet sessions, so that you can play
# them back in realtime (or even different speeds). Chaosreader can also
# run in standalone mode - where it invokes tcpdump or snoop (if they are
# available) to create the log files and then processes them.
#
# 29-May-2004, ver 0.94 (check for new versions,
# http://www.brendangregg.com)
# (or run a web search for "chaosreader")
13
Government Exhibit 3 (contd)
QUICK USAGE
  tcpdump -s9000 -w out1; chaosreader out1; netscape index.html
or,
  snoop -o out1; chaosreader out1; netscape index.html
or,
  ethereal (save as "out1"); chaosreader out1; netscape index.html
or,
  chaosreader -s 5; netscape index.html
14
Government Exhibit 4
cd snoop
ls -l
total 237232
-rw-r--r--   1 root     other    2001215194 May 10 11:59 0510.snoop.out
-rw-r--r--   1 root     other    2005216270 May 11 11:59 0511.snoop.out
-rw-r--r--   1 root     other    2003215732 May 12 11:59 0512.snoop.out
-rw-r--r--   1 root     other    2005217346 May 13 11:59 0513.snoop.out
-rw-r--r--   1 root     other    2003218422 May 14 11:59 0514.snoop.out
-rw-r--r--   1 root     other    2005215732 May 15 11:59 0515.snoop.out
15
Government Exhibit 5
-rwxr--r--   1 root     other     8831290 May 16 09:13 my-new-tripod.zip
-rwxr--r--   1 root     other      275910 May 16 09:13 sheep_defile.JPG
-rw-r--r--   1 root     other    12102409 May 16 08:57 session_0013.part_01.smtp.partial.email
-rw-r--r--   1 root     other    12399097 May 16 08:57 session_0013.smtp.partial.html
-rw-r--r--   1 root     other      379103 Jul 30 17:06 session_0004.part_01.smtp.email
-rw-r--r--   1 root     other      389562 Jul 30 17:06 session_0004.smtp.html
16
Government Exhibit 6
smtp: 192.168.10.146:3298 -> 205.102.30.222:25
File 0512.snoop.out, Session 4
220 mailsvr.senate.gov ESMTP Sendmail 8.12.0.Beta10/8.12.2 Fri, 12 May 2006 14:05:48 -0800 (PST)
EHLO 192.168.10.146
250-mailsvr.senate.gov Hello host146.cmo.org 192.168.10.146, pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
MAIL FROM:<damon_gasm@senate.gov> SIZE=379105
250 2.1.0 <damon_gasm@senate.gov>... Sender ok
RCPT TO:<kimberly_loveless@senate.gov>
250 2.1.5 <kimberly_loveless@senate.gov>... Recipient ok
DATA
17
Government Exhibit 6 (contd)
354 Enter mail, end with "." on a line by itself
Message-ID: <44CD1DEF.1030402@cmo.org>
Date: Fri, 12 May 2006 14:05:31 -0800
From: Damon Gasm <damon_gasm@senate.gov>
User-Agent: Thunderbird 1.5.0.5 (Windows/20060719)
MIME-Version: 1.0
To: Kimberly Loveless <kimberly_loveless@senate.gov>
Subject: Put this in a safe place.
Content-Type: multipart/mixed;
 boundary="------------020303020005030800050404"

This is a multi-part message in MIME format.
--------------020303020005030800050404
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
18
Government Exhibit 6 (contd)
Kim,
I've been thinking of you. See what happens when you are not around? )
-D
--------------020303020005030800050404
Content-Type: image/jpeg; name="sheep_defile.JPG"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="sheep_defile.JPG"
19
Government Exhibit 18
  • DISCLAIMER The following document is a
    fictionalized testimonial stipulation for the
    Black Hat 2003 Conference. The witness of the
    stipulation does not exist, nor was any evidence
    in this matter gathered.
  • __________________________________ x

  • UNITED STATES OF AMERICA,
  • -v.-
  • STIPULATION
  • BRIAN MARTIN,



  • Defendant,

  • __________________________________
  • IT IS HEREBY STIPULATED AND AGREED between the
    United States of America, KEVIN BANKSTON,
    Assistant United States Attorney, of counsel, and
    the defendant BRIAN MARTIN, by his attorney PAUL
    OHM, Esq.

Government Exhibit 7
20
Government Exhibit 8
  • smtp: 192.168.10.146:2241 -> 205.102.30.222:25
  • File 0515.snoop.out, Session 13
  • 220 mailsrvr.senate.gov ESMTP Sendmail
    8.12.0.Beta10/8.12.2 Sun, 14 May 2006 08:54:05
    -0800 (PST)
  • EHLO 192.168.10.146
  • 250-mailsrvr.senate.gov Hello host146.cmo.org
    192.168.10.146, pleased to meet you
  • 250-ENHANCEDSTATUSCODES
  • 250-PIPELINING
  • 250-EXPN
  • 250-VERB
  • 250-8BITMIME
  • 250-SIZE
  • 250-DSN
  • 250-ETRN
  • 250-DELIVERBY
  • 250 HELP

21
Government Exhibit 8 (contd)
  • MAIL FROM:<damon_gasm@senate.gov> SIZE=12103671
  • 250 2.1.0 <damon_gasm@senate.gov>... Sender ok
  • RCPT TO:<kimberly_loveless@senate.gov>
  • 250 2.1.5 <kimberly_loveless@senate.gov>...
    Recipient ok
  • DATA
  • 354 Enter mail, end with "." on a line by itself
  • Message-ID: <44CDFC2D.7000008@wkeys.com>
  • Date: Sun, 14 May 2006 08:48:45 -0800
  • From: Damon Gasm <damon_gasm@senate.gov>
  • User-Agent: Thunderbird 1.5.0.5
    (Windows/20060719)
  • MIME-Version: 1.0
  • To: Kimberly Loveless <kimberly_loveless@senate.gov>
  • Subject: Stuck at this boring conference....
  • Content-Type: multipart/mixed;
  • boundary="------------060909010300050701070305"
  • This is a multi-part message in MIME format.
  • --------------060909010300050701070305
  • Content-Type: text/plain; charset=ISO-8859-1;
    format=flowed

22
Government Exhibit 8 (contd)
  • Kim,
  • Hi sweetie! I am so bored at this conference. It
    is so boring and so not
  • me, if I knew I was going to be this bored I
    would have stayed in DC and
  • listened to floor debates. Yes it is that bad.
    Great photo ops though,
  • looks like I may make Newsweek and the cover of
    USA Today.
  • Speaking of photo ops, I've been putting that new
    tripod I bought to
  • good use. I appreciate the fact that you tucked
    your underwear in my
  • bag, so to show you my appreciation I thought I'd
    send these photos.
  • Remind you of a certain trip to Cancun and a
    certain set of strippers?
  • Boy we had fun that night! You were an animal!
  • Anyway, heading back down to the conference in
    this stupid boring hotel
  • so many miles away from you my love....
  • Damon
  • --------------060909010300050701070305

23
Government Exhibit 6 (contd)
Government Exhibit 9
24
Government Exhibit 10
  • DISCLAIMER The following document is a
    fictionalized testimonial stipulation for the
    Black Hat 2006 Conference. The witness of the
    stipulation does not exist, nor was any evidence
    in this matter gathered.
  • UNITED STATES OF AMERICA,
  • -v.- STIPULATION
  • BRIAN MARTIN,

  • Defendant
  • IT IS HEREBY STIPULATED AND AGREED between the
    United States of America, KEVIN BANKSTON,
    Assistant United States Attorney, of counsel, and
    the defendant BRIAN MARTIN, by his attorney PAUL
    OHM, Esq.
  • If called as a witness, Kimberly Loveless, would
    testify as follows

25
Government Exhibit 10 (contd)
  • .
  • IT IS FURTHER STIPULATED AND AGREED that this
    stipulation may be received in evidence as a
    Government exhibit at trial.
  • Dated July 1, 2006
  • By____________________________
  • KEVIN BANKSTON
  • Assistant United States Attorney
  • By ___________________________
  • PAUL OHM, ESQ.
  • Attorney for BRIAN MARTIN

26
Prosecution Witness 2
  • Samantha Jones is the Chief Information Security
    Officer for the Coalition for Moral Order. The
    coalition was the sponsor of Society's Morals
    Under Threat from May 10th - May 15th, 2006.
    This was the conference attended by Senator Gasm.
    She is a factual witness and she is testifying to
    factual items about the conference, Brian
    Martin's job roles and the organization's
    security policies.

27
Prosecution Witness 3
  • Ryan Bulat is a staff writer for The New York
    Compost. Ryan broke the story about the picture
    of Senator Gasm and the sheep. He will be
    testifying as a factual witness regarding the
    story he wrote about the Senator and who the
    source was for the story.

28
Prosecution Witness 4
  • Senator Damon Gasm is the victim of the release
    of the pornography pictures and is testifying as
    a factual witness on events he directly witnessed.

29
Defense Witness 1
  • Jonathan Klein is testifying as an expert in
    general computer knowledge. Part of his
    testimony will be given outside the presence of
    the jury as the judge determines whether his
    testimony will be admitted.

30
Defense Exhibit 1
/*
 * $Id: raptor_passwd.c,v 1.1.1.1 2004/12/04 14:35:33 raptor Exp $
 *
 * raptor_passwd.c - passwd circ() local, Solaris/SPARC 8/9
 *
 * Unknown vulnerability in passwd(1) in Solaris 8.0 and 9.0 allows local
 * users to gain privileges via unknown attack vectors (CAN-2004-0360).
 *
 * "Those of you lucky enough to have your lives, take them with you.
 * However, leave the limbs you've lost. They belong to me now."
 * -- Beatrix Kidd0
 *
 * This exploit uses the ret-into-ld.so technique, to effectively bypass
 * the non-executable stack protection (noexec_user_stack=1 in
 * /etc/system). The exploitation wasn't so straight-forward: sending
 * parameters to passwd(1) is somewhat tricky, standard ret-into-stack
 * doesn't seem to work properly for some reason (damn SEGV_ACCERR), and
 * we need to bypass a lot of memory references before reaching ret.
 * Many thanks to Inode <inode@deadlocks.info>.
 *
 * Usage:
 * gcc raptor_passwd.c -o raptor_passwd -ldl -Wall
 * ./raptor_passwd <current password>
 * ...
 * id
 * uid=0(root) gid=1(other) egid=3(sys)
 *
 * Vulnerable platforms:
 * Solaris 8 with 108993-14 through 108993-31 and without 108993-32 tested
 * Solaris 9 without 113476-11 tested
 */
31
Defense Exhibit 2
./raptor_passwd password deleted
raptor_passwd.c - passwd circ() local, Solaris/SPARC 8/9
Using SI_PLATFORM: SUNW,Sun-Blade-100 (5.9)
Using stack base: 0xffbffffc
Using var address: 0xffbffb50
Using rwx_mem address: 0xff3f6004
Using sc address: 0xffbfff94
Using ff address: 0xffbfff50
Using strcpy() address: 0xff3e0288
"Pai Mei taught you the five point palm exploding heart technique?" -- Bill
"Of course." -- Beatrix Kidd0, alias Black Mamba, alias The Bride (KB Vol2)
id;uname -a;uptime
uid=0(root) gid=1000(test) egid=3(sys)
SunOS lamb 5.9 Generic sun4u sparc SUNW,Sun-Blade-100
8:33pm up 1 day(s), 7:22, 2 users, load average: 0.08, 0.03, 0.02
32
Defense Exhibit 3
Output of nmap -sT -p1-65535 192.168.11.23
Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
Interesting ports on spleh.cmo.org (192.168.10.23):
(The 65486 ports scanned but not shown below are in state: closed)
Port       State       Service
7/tcp      open        echo
11/tcp     open        systat
13/tcp     open        daytime
15/tcp     open        netstat
19/tcp     open        chargen
21/tcp     open        ftp
22/tcp     open        ssh
23/tcp     open        telnet
25/tcp     open        smtp
37/tcp     open        time
53/tcp     open        domain
79/tcp     open        finger
111/tcp    open        sunrpc
512/tcp    open        exec
514/tcp    open        shell
540/tcp    open        uucp
587/tcp    open        submission
754/tcp    open        krb5_prop
898/tcp    open        unknown
2049/tcp   open        nfsd
4045/tcp   open        lockd
33
Defense Exhibit 3 (contd)
5987/tcp   open        unknown
5988/tcp   open        unknown
6000/tcp   open        unknown
6112/tcp   open        dtspc
7100/tcp   open        fs
9002/tcp   open        unknown
32777/tcp  open        unknown
32778/tcp  open        unknown
32779/tcp  open        unknown
32780/tcp  open        unknown
32781/tcp  open        unknown
32782/tcp  open        unknown
32783/tcp  open        unknown
32785/tcp  open        unknown
32786/tcp  open        unknown
32789/tcp  open        unknown
32790/tcp  open        unknown
32791/tcp  open        unknown
32792/tcp  open        unknown
32799/tcp  open        unknown
32801/tcp  open        unknown
32807/tcp  open        unknown
32808/tcp  open        unknown
32809/tcp  open        unknown
32810/tcp  open        unknown
32811/tcp  open        unknown
33003/tcp  open        unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 1687 seconds
34
Defense Exhibit 4
Output of netstat -an | grep LISTEN
      *.898                *.*                0      0 49152      0 LISTEN
      *.32805              *.*                0      0 49152      0 LISTEN
      *.5988               *.*                0      0 49152      0 LISTEN
      *.32806              *.*                0      0 49152      0 LISTEN
      *.25                 *.*                0      0 49152      0 LISTEN
      *.587                *.*                0      0 49152      0 LISTEN
      *.9002               *.*                0      0 10720      0 LISTEN
      *.32807              *.*                0      0 49152      0 LISTEN
      *.32808              *.*                0      0 49152      0 LISTEN
      *.2049               *.*                0      0 49152      0 LISTEN
      *.32809              *.*                0      0 49152      0 LISTEN
      *.32810              *.*                0      0 49152      0 LISTEN
      *.32811              *.*                0      0 49152      0 LISTEN
      *.22                 *.*                0      0 49152      0 LISTEN
      *.6000               *.*                0      0 49152      0 LISTEN
      *.33003              *.*                0      0 49152      0 LISTEN
35
Defense Exhibit 5
Output of rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100232   10   udp  32780  sadmind
    100083    1   tcp  32785
    100221    1   tcp  32786
    100068    2   udp  32781
    100068    3   udp  32781
    100068    4   udp  32781
    100024    1   udp  32782  status
    100024    1   tcp  32789  status
    100133    1   udp  32782
    100133    1   tcp  32789
    100068    5   udp  32781
    100229    1   tcp  32790  metad
    100230    1   tcp  32791  metamhd
    100242    1   tcp  32792  metamedd
    100001    2   udp  32783  rstatd
    100001    3   udp  32783  rstatd
    100001    4   udp  32783  rstatd
    100002    2   udp  32784  rusersd
    100002    3   udp  32784  rusersd
36
Defense Exhibit 6
grep 33003 /etc/services
login 33003/tcp
37
Defense Exhibit 7
grep login lsof.out (output from lsof)
sqldata  1883 root  3u  IPv4 0x300027b3ce8  0t0  TCP *:login (LISTEN)
38
Defense Exhibit 8
grep sqldata lsof.out (output from lsof)
sqldata  1883 root  cwd  VDIR  136,0           1024       2 /
sqldata  1883 root  txt  VREG  136,3         260056  179239 /opt/local/sql//@//sqldata
sqldata  1883 root  txt  VREG  136,0         866316  442080 /usr/lib/libc.so.1
sqldata  1883 root  txt  VREG  136,0          16768  377621 /usr/platform/sun4u/lib/libc_psr.so.1
sqldata  1883 root  txt  VREG  136,0         743856  442131 /usr/lib/libnsl.so.1
sqldata  1883 root  txt  VREG  136,0          21676  441751 /usr/lib/libmp.so.2
sqldata  1883 root  txt  VREG  136,0         316436  442151 /usr/lib/libresolv.so.2
sqldata  1883 root  txt  VREG  136,0          58504  441775 /usr/lib/libsocket.so.1
sqldata  1883 root  txt  VREG  136,0          60352  441864 /usr/lib/libz.so.1
sqldata  1883 root  txt  VREG  136,0           3984  441719 /usr/lib/libdl.so.1
sqldata  1883 root  txt  VREG  136,0         192000  441610 /usr/lib/ld.so.1
sqldata  1883 root   0u  VCHR   13,2            0t0  268835 /devices/pseudo/mm@0:null
sqldata  1883 root   1u  VCHR   13,2            0t0  268835 /devices/pseudo/mm@0:null
sqldata  1883 root   2u  VCHR   13,2            0t0  268835 /devices/pseudo/mm@0:null
sqldata  1883 root   3u  IPv4  0x300027b3ce8    0t0     TCP *:login (LISTEN)
39
Defense Exhibit 9
Output of ps -ef command
    root   376     1  0   Jul 17 ?        0:02 /usr/sbin/vold
    root   331     1  0   Jul 17 ?        0:00 /usr/dt/bin/dtlogin -daemon
    root   392   331  0   Jul 17 ?        1:00 /usr/openwin/bin/Xsun 0 -nobanner -auth /var/dt/A0-KoayPa
    root   389     1  0   Jul 17 console  0:00 /usr/lib/saf/ttymon -g -h -p belar console login -T sun -d /dev/console -l co
    root   385     1  0   Jul 17 ?        0:00 /opt/SUNWspci2/bin/sunpcid
    root   393   363  0   Jul 17 ?       21:45 mibiisa -r -p 32796
    root   394   331  0   Jul 17 ?        0:00 /usr/dt/bin/dtlogin -daemon
    root   395   331  0   Jul 17 ??       0:06 /usr/openwin/bin/fbconsole -d 0
    root   396     1  0   Jul 17 ?        0:00 /usr/lib/ssh/sshd
    root  2206   202  1 19:32:29 ?        0:00 in.telnetd
    root   411     1  0   Jul 17 ?        0:00 devfsadmd
    root   412     1  0   Jul 17 ?        0:03 /usr/sbin/in.named
    root  2210   203  1 19:32:32 ?        0:00 rquotad
  martin  2208  2206  1 19:32:29 pts/2    0:01 -ksh
    root  2214  2208  0 19:32:35 pts/2    0:00 sh
    root  2217  2214  0 19:32:47 pts/2    0:00 ps -ef
    root  1883     1  0 21:00:01 ?        0:00 /usr/sbin/vold
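The cross-check that Defense Exhibits 7-9 walk through by hand (the process that ps -ef lists as /usr/sbin/vold is the one lsof names sqldata), as an added Python example that is not part of the original slides. The function names are hypothetical, the sample lines are re-spaced from the exhibits, and the lsof rows for PIDs 376 and 2208 are constructed for contrast.

```python
import os

# Sample input modelled on Defense Exhibits 7-9, columns re-spaced by hand.
# The lsof rows for PIDs 376 and 2208 are constructed, not from the exhibits.
PS_EF = """\
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   376     1  0   Jul 17 ?        0:02 /usr/sbin/vold
    root  2206   202  1 19:32:29 ?        0:00 in.telnetd
  martin  2208  2206  1 19:32:29 pts/2    0:01 -ksh
    root  1883     1  0 21:00:01 ?        0:00 /usr/sbin/vold
"""

LSOF = """\
COMMAND  PID  USER   FD  TYPE DEVICE        SIZE/OFF NODE   NAME
vold     376  root   txt VREG 136,0         100000   1111   /usr/sbin/vold
ksh      2208 martin txt VREG 136,0         200000   2222   /usr/bin/ksh
sqldata  1883 root   cwd VDIR 136,0         1024     2      /
sqldata  1883 root   txt VREG 136,3         260056   179239 /opt/local/sql//@//sqldata
sqldata  1883 root   txt VREG 136,0         866316   442080 /usr/lib/libc.so.1
sqldata  1883 root   3u  IPv4 0x300027b3ce8 0t0      TCP    *:login (LISTEN)
"""

LSOF_CMD_WIDTH = 9  # assumption: lsof truncates COMMAND to 9 characters by default


def parse_ps(text):
    """Map PID -> argv list as shown by `ps -ef`."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[1].isdigit():
            continue  # header or short line
        # STIME is "HH:MM:SS" (one token) or "Mon DD" (two tokens).
        cmd_at = 8 if f[4].isalpha() else 7
        procs[int(f[1])] = f[cmd_at:]
    return procs


def parse_lsof(text):
    """Map PID -> lsof command name, first text file and listening sockets."""
    seen = {}
    for line in text.splitlines():
        f = line.split(None, 8)
        if len(f) < 9 or not f[1].isdigit():
            continue
        entry = seen.setdefault(int(f[1]),
                                {"command": f[0], "exe": None, "listen": []})
        if f[3] == "txt" and entry["exe"] is None:
            entry["exe"] = f[8]  # heuristic: first txt mapping is the executable
        if f[8].endswith("(LISTEN)"):
            entry["listen"].append(f[8].split()[0])
    return seen


def find_masquerades(ps_text, lsof_text):
    """Return processes whose ps command name disagrees with lsof's."""
    procs, seen = parse_ps(ps_text), parse_lsof(lsof_text)
    findings = []
    for pid in sorted(seen):
        argv = procs.get(pid)
        if not argv:
            continue  # no ps row to compare against
        claimed = os.path.basename(argv[0].lstrip("-"))  # "-ksh" is a login shell
        actual = seen[pid]["command"]
        truncated = len(actual) >= LSOF_CMD_WIDTH and claimed.startswith(actual)
        if claimed != actual and not truncated:
            findings.append({"pid": pid, "ps_name": claimed, "lsof_name": actual,
                             "exe": seen[pid]["exe"], "listen": seen[pid]["listen"]})
    return findings


if __name__ == "__main__":
    for hit in find_masquerades(PS_EF, LSOF):
        print(hit)
```
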
40
Defense Exhibit 10
find / -print | grep sqldata
/opt/local/sql/sqldata
ls -l /opt/local/sql/sqldata
-rw-r--r--   1 sql      other          7 Jul 23 20:36 sqldata
ls -la
total 20
drwxr-xr-x   2 sql      other        512 Jul 23 23:36 .
drwxr-xr-x  21 sql      other        512 Jul 23 20:34 ..
-rw-------   1 sql      1000          58 Jul 23 23:36 .sh_history
-r-xr-xr-x   1 sql      other       6104 Jul 23 20:36 sqlclean
-rw-r--r--   1 sql      other          7 Jul 23 20:36 sqldata
ls -a@
total 20
drwxr-xr-x@  2 sql      other        512 Jul 23 23:36 .
drwxr-xr-x  21 sql      other        512 Jul 23 20:34 ..
-rw-------   1 sql      1000          58 Jul 23 23:36 .sh_history
-r-xr-xr-x   1 sql      other       6104 Jul 23 20:36 sqlclean
-rw-r--r--   1 sql      other          7 Jul 23 20:36 sqldata
41
Defense Exhibit 11
ls -l /var/spool/cron/crontabs/sql
-r--------   1 root     sql           57 Feb 27 11:00 /var/spool/cron/crontabs/sql
cat /var/spool/cron/crontabs/sql
0 * * * * /usr/local/sql/sqlclean /usr/local/sql sqldata
42
Defense Exhibit 12
/usr/local/bin/md5 /opt/local/sql/sqlclean > /tmp/a
/usr/local/bin/sfpC.pl /tmp/a
12ccde4d0f971f56f372e5e5466a848f - /opt/local/sql/sqlclean - 1 match(es)
    canonical-path: /usr/bin/runat
    package: SUNWcsu
    version: 11.9.0,REV=2002.04.06.15.27
    architecture: sparc
    source: Solaris 9/SPARC
43
Defense Exhibit 13
man runat
NAME
     runat - execute command in extended attribute name space
SYNOPSIS
     /usr/bin/runat file command
DESCRIPTION
     The runat utility is used to execute shell commands in a file's
     hidden attribute directory. Effectively, this utility changes the
     current working directory to be the hidden attribute directory
     associated with the file argument and then executes the specified
     command in the bourne shell (/bin/sh). If no command argument is
     provided, an interactive shell is spawned. The environment variable
     SHELL defines the shell to be spawned. If this variable is
     undefined, the default shell, /bin/sh, is used.

     The file argument can be any file, including a directory, that can
     support extended attributes. It is not necessary that this file
     have any attributes (or be prepared in any way) before invoking the
     runat command.
44
Defense Exhibit 14
runat /opt/local/sql ls -l
total 528
---s--x--x   1 root     other     260056 Jul 23 20:35 sqldata
45
Defense Exhibit 15
strings core.1883 | grep rlogin
.rlogin
rlogind s s.
rlogind s.
usage rlogind options
strings core.1883 | grep vold
/usr/sbin/vold
runat /opt/local/sql strings sqldata | grep vold
/usr/sbin/vold
runat /opt/local/sql strings sqldata | grep rlogin
.rlogin
rlogind s s.
rlogind s.
usage rlogind options
46
Defense Witness 2
  • Brian Martin is the defendant and is not required
    to take the stand, but has the right to do so if
    he chooses. His attorney should discourage him
    from doing so, since the judge can add extra
    points to his sentence for perjury and
    obstruction of justice, if he is found guilty.

47
Prosecution Closing Statements
  • Prosecutor Kevin Bankston will summarize the key
    points and evidence presented to persuade the
    jury that Senator Gasm is guilty beyond any
    reasonable doubt.

48
Defense Closing Statements
  • Attorney Paul Ohm will summarize the Defense key
    points to refute the prosecution.

49
Jury Instructions
  • The Honorable Judge Richard Salgado will present
    the jury with their responsibilities on
    determining guilt or innocence of Senator Gasm.

50
Panel Discussion
  • Audience Questions