November 17, 2012: Keith Becker’s team fraudulently obtains a “void ab initio” Network Investigation Technique (NIT) warrant. It was fraudulent because the data they said they were obtaining was going to be fabricated and falsified; and, even if it wasn’t, all the data would be inadmissible at trial per Federal Rules of Evidence 803(6) & 803(8). (Rule 803(6) prohibits documents that are created for the sole purpose of litigation and rule 803(8) prohibits police reports.)
The warrant was void ab initio because the Magistrate in Nebraska had no authority to issue a warrant to search a computer in New York.
November 18, 2012: my linux computer sends a “computer under FBI control” two encrypted messages. One at 7:13pm CST and then another at 7:16pm CST. Each message was 98 characters and contained similar information. Both messages labeled board_id as “2” and method as “swf”. The only difference between the two messages was what they called a “session”. The session for the 7:13pm message was e4dfe8c9d5f481b03c522252789cf605 and for the 7:16pm message is was bcc5865fc88edbfd2edbce5a3a17737f.
January 18, 2013: Mr. Becker’s team generates a “TB2” NIT report. It consists of 3 pages. The source of the information on the first page was Time Warner, it indicated that the IP in question was assigned to my house at the time of the alleged crime. The source of the information on the second page was Dr. Edman’s fabricated “visitors” table that he populated with falsified information with a script he called gallery.php. The source of the information on the third page was also provided by a fabricated table and populated with a script (cornhusker.py) that Dr. Edman coded solely for criminal prosecution.
The federal rules of evidence mentioned above clearly prohibit the use of Dr. Edman’s tables at trial. Since the Becker team knew this, they presented this data in their NIT Report as “Expert Summary Evidence” and failed to disclose the source of the information on pages 2 and 3 of their report, on purpose, to evade those federal rules of evidence. This conduct established bad faith.
March 20, 2013: Mr. Becker’s team fraudulently obtains an indictment from a grand jury in Nebraska based solely on the NIT Report that they generated on January 18, 2013.
That created many problems for Mr. Becker’s team:
1) As mentioned above, the federal rules of evidence clearly preclude this evidence from trial. That makes any indictment obtained solely with that NIT report potentially frivolous. (If the government obtains an indictment with evidence that is inadmissible at trial, it must believe that it will probably find admissible evidence before trial.)
2) Mr. Becker’s team has testified that page 2 of their NIT report (Dr. Edman’s fabricated and falsified “visitors” table) is evidence of a crime. Specifically, they testified that it was proof that a web browser running on my linux computer viewed illegal images on a website called TB2, because it loaded two html files, one called “index.html” at 7:12pm CST and then another named “1481.html” at 7:15pm CST. Unfortunately, this is a claim that is easily debunked. As Gerry Grant testified at US v. Raymonda’s suppression hearing in 2013, when you view a webpage, your browser makes a series of “GET REQUESTS”. First, it requests the html file. After it receives it, it then requests the other items to finish the page, among these other requests are “image” requests. Most browsers are configured to automatically make these requests for images, BUT you can configure the browser NOT to make them. You can also configure the browser to ignore java, javascript and flash application requests.
The only way to know if a given IP requested a given file is to view the web server’s logs. In the case of TB2’s server, those logs would be useless as the only IP in its logs would be the last node the traffic went through. (TB2 was being hosting on a type of VPN called the Onion Router or TOR). Therefore any testimony given before the grand jury in Nebraska that the FBI’s NIT report provided evidence of a crime was perjury as it only contained evidence that index.html and 1481.html were requested. Dr. Edman’s visitors table doesn’t provide ANY evidence that ANY images were requested, thus it doesn’t provide any evidence that a crime was committed. In other words, viewing those HTML files would never be a crime, because they are just text files.
3) The only thing that ties that non-criminal activity (requesting index.html and 1481.html) to my IP address is Dr. Edman’s cornhusker.py log that’s presented on the NIT Report’s third page. As mentioned above, this page would be inadmissible at trial because it was created by law enforcement, solely for prosecution. As mentioned above, this log suggests that the FBI’s flash application was running on my linux computer at 7:13pm CST and 7:16pm CST and that flash app sent those two encrypted messages after being requested by my browser after loading those two html files at 7:12pm CST and 7:15pm CST.
As you can see the FBi’s narrative has five major flaws:
1) As explained above, page 2 doesn’t provide any probable cause to believe a crime has been committed.
2) Page 2 is based on a fabricated table (TB2 runs of PHP software called Tinyboard, Tinyboard doesn’t have a visitors table).
3) That fabricated table contains falsified evidence (Tinyboard doesn’t generate sessionIDs for visitors). The request_uri is also falsified. This forgery makes it impossible to determine the actual proceeding page. It means they cannot testify, in good faith, about a visit progression because their visitors table reports that the request_uri is the same page as the referring page. (For example: normally when you click a link for page B on page A the request_uri will be page B and the referring page will be page A. The forgeries generated by Dr. Edman’s scripts on TB2 always show the request_uri as page B and the referring page as page B)
4) Dr. Edman’s fabricated tables, and the falsified information he puts in them, are a form of perjury.
5) There is a strong possibility that none of this information was generated by human action. That is because the flash application takes too long to execute. The logs state that the flash application for “session” e4dfe8c9d5f481b03c522252789cf605 took 39 seconds to execute and for “session” bcc5865fc88edbfd2edbce5a3a17737f it took 63 seconds. Now, in human time that isn’t too long, but in the world of computers that’s a ridiculously long amount of time. Here are the sequence of events:
- At 7:12pm my browser requested index.html. According Dr. Edman’s table, his script, gallery.php was loaded at 7:12:53 in a hidden iframe.
- gallery.php then presented the browser with javascript to load Dr. Edman’s gallery.swf that the browser would execute it immediately.
- once the flash app was loaded it would make a dns query for the IP of the server that was running Dr. Edman’s cornhusker.py (a server that the FBI destroyed)
- the dns request was ridiculously long. It was 96.126.124.96.(98 character encrypted text).cpimagegallery.com and it negated the need to establish a socket connection to cornhusker.py, because the dns request reveals the true IP and the falsified sessionID.
- Regardless, cornhusker.py should have responded to the requests in milliseconds and then the flash app would request permission to communicate milliseconds later. Therefore the whole transaction should have taken less than 3 seconds. However, the first transaction took 39 seconds and the second took an astonishing 63 seconds. In the world of DNS, every request after the first should be much faster than the first. The fact that it took significantly longer strongly suggests shenanigans were afoot.
- We’ll never be able to determine what happened because the FBI destroyed the server (along with its logs) that could shed light on this egregious anomaly.
It’s abundantly clear that Mr. Becker’s team presented the Nebraska grand jury with false information and that information was the sole basis for the indictment. That means that the indictment was obtained fraudulently. Therefore the whole prosecution was malicious and must be vacated.