Now it was Zenner's turn. He first established that the "proprietary stamp" that BellSouth had used on the E911 Document was stamped on *every single document* that BellSouth wrote -- *thousands* of documents. "We do not publish anything other than for our own company," Ms. Williams explained. "Any company document of this nature is considered proprietary." Nobody was in charge of singling out special high-security publications for special high-security protection. They were *all* special, no matter how trivial, no matter what their subject matter - - the stamp was put on as soon as any document was written, and the stamp was never removed.
Zenner now asked whether the charts she had been using to explain the mechanics of E911 system were "proprietary," too. Were they *public information,* these charts, all about PSAPs, ALIs, nodes, local end switches? Could he take the charts out in the street and show them to anybody, "without violating some proprietary notion that BellSouth has?"
Ms Williams showed some confusion, but finally agreed that the charts were, in fact, public.
"But isn't this what you said was basically what appeared in *Phrack?*"
Ms. Williams denied this.
Zenner now pointed out that the E911 Document as published in Phrack was only half the size of the original E911 Document (as Prophet had purloined it). Half of it had been deleted -- edited by Neidorf.
Ms. Williams countered that "Most of the information that is in the text file is redundant."
Zenner continued to probe. Exactly what bits of knowledge in the Document were, in fact, unknown to the public? Locations of E911 computers? Phone numbers for telco personnel? Ongoing maintenance subcommittees? Hadn't Neidorf removed much of this?
Then he pounced. "Are you familiar with Bellcore Technical Reference Document TR-TSY-000350?" It was, Zenner explained, officially titled "E911 Public Safety Answering Point Interface Between 1-1AESS Switch and Customer Premises Equipment." It contained highly detailed and specific technical information about the E911 System. It was published by Bellcore and publicly available for about $20.
He showed the witness a Bellcore catalog which listed thousands of documents from Bellcore and from all the Baby Bells, BellSouth included. The catalog, Zenner pointed out, was free. Anyone with a credit card could call the Bellcore toll-free 800 number and simply order any of these documents, which would be shipped to any customer without question. Including, for instance, "BellSouth E911 Service Interfaces to Customer Premises Equipment at a Public Safety Answering Point."
Zenner gave the witness a copy of "BellSouth E911 Service Interfaces," which cost, as he pointed out, $13, straight from the catalog. "Look at it carefully," he urged Ms. Williams, "and tell me if it doesn't contain about twice as much detailed information about the E911 system of BellSouth than appeared anywhere in *Phrack.*"
"You want me to...." Ms. Williams trailed off. "I don't understand."
"Take a careful look," Zenner persisted. "Take a look at that document, and tell me when you're done looking at it if, indeed, it doesn't contain much more detailed information about the E911 system than appeared in *Phrack.*"
"*Phrack* wasn't taken from this," Ms. Williams said.
"Excuse me?" said Zenner.
"*Phrack* wasn't taken from this."
"I can't hear you," Zenner said.
"*Phrack* was not taken from this document. I don't understand your question to me."
"I guess you don't," Zenner said.
At this point, the prosecution's case had been gutshot. Ms. Williams was distressed. Her confusion was quite genuine. *Phrack* had not been taken from any publicly available Bellcore document. *Phrack*'s E911 Document had been stolen from her own company's computers, from her own company's text files, that her own colleagues had written, and revised, with much labor.
But the "value" of the Document had been blown to smithereens. It wasn't worth eighty grand. According to Bellcore it was worth thirteen bucks. And the looming menace that it supposedly posed had been reduced in instants to a scarecrow. Bellcore itself was selling material far more detailed and "dangerous," to anybody with a credit card and a phone.
Actually, Bellcore was not giving this information to just anybody. They gave it to *anybody who asked,* but not many did ask. Not many people knew that Bellcore had a free catalog and an 800 number. John Nagle knew, but certainly the average teenage phreak didn't know. "Tuc," a friend of Neidorf's and sometime *Phrack* contributor, knew, and Tuc had been very helpful to the defense, behind the scenes. But the Legion of Doom didn't know -- otherwise, they would never have wasted so much time raiding dumpsters. Cook didn't know. Foley didn't know. Kluepfel didn't know. The right hand of Bellcore knew not what the left hand was doing. The right hand was battering hackers without mercy, while the left hand was distributing Bellcore's intellectual property to anybody who was interested in telephone technical trivia -- apparently, a pathetic few.
The digital underground was so amateurish and poorly organized that they had never discovered this heap of unguarded riches. The ivory tower of the telcos was so wrapped-up in the fog of its own technical obscurity that it had left all the windows open and flung open the doors. No one had even noticed.
Zenner sank another nail in the coffin. He produced a printed issue of *Telephone Engineer & Management,* a prominent industry journal that comes out twice a month and costs $27 a year. This particular issue of *TE&M,* called "Update on 911," featured a galaxy of technical details on 911 service and a glossary far more extensive than *Phrack*'s.
The trial rumbled on, somehow, through its own momentum. Tim Foley testified about his interrogations of Neidorf. Neidorf's written admission that he had known the E911 Document was pilfered was officially read into the court record.
An interesting side issue came up: "Terminus" had once passed Neidorf a piece of UNIX AT&T software, a log-in sequence, that had been cunningly altered so that it could trap passwords. The UNIX software itself was illegally copied AT&T property, and the alterations "Terminus" had made to it, had transformed it into a device for facilitating computer break-ins. Terminus himself would eventually plead guilty to theft of this piece of software, and the Chicago group would send Terminus to prison for it. But it was of dubious relevance in the Neidorf case. Neidorf hadn't written the program. He wasn't accused of ever having used it. And Neidorf wasn't being charged with software theft or owning a password trapper.
On the next day, Zenner took the offensive. The civil libertarians now had their own arcane, untried legal weaponry to launch into action -- the Electronic Communications Privacy Act of 1986, 18 US Code, Section 2701 et seq. Section 2701 makes it a crime to intentionally access without authorization a facility in which an electronic communication service is provided -- it is, at heart, an anti-bugging and anti-tapping law, intended to carry the traditional protections of telephones into other electronic channels of communication. While providing penalties for amateur snoops, however, Section 2703 of the ECPA also lays some formal difficulties on the bugging and tapping activities of police.
The Secret Service, in the person of Tim Foley, had served Richard Andrews with a federal grand jury subpoena, in their pursuit of Prophet, the E911 Document, and the Terminus software ring. But according to the Electronic Communications Privacy Act, a "provider of remote computing service" was legally entitled to "prior notice" from the government if a subpoena was used. Richard Andrews and his basement UNIX node, Jolnet, had not received any "prior notice." Tim Foley had purportedly violated the ECPA and committed an electronic crime! Zenner now sought the judge's permission to cross-examine Foley on the topic of Foley's own electronic misdeeds.