The Attack Against A.R.S. Via Forged Article Flood

DECLARATION OF DAVID MICHAEL RICE

David Michael Rice, declare as follows:

1. I am over the age of 18 years and a resident of Orange County, California. I have knowledge pertaining to the instant action and if called upon to be a witness, I could and would competently testify thereto.

2. On December 12th, 1998, I became aware of the fact that tens of thousands of forged USENET articles (hereafter referred to as "forgeries") had been and were still being posted to several Internet newsgroups (hereafter referred to as "NGs") with the far greater number of forgeries being posted to the NG called "alt.religion.scientology" (hereafter "a.r.s."). As the attack appeared to be, in my opinion, one that was and is designed to silence critics of Scientology, I offered my computer skills and services to counter the attack. Let it be known that my interest at the time concerned the issue of "Free Speech," which I felt was being denied the critics, and not an interest in Scientology per se.

3. Since that time and up to the present, several hundred thousand forgeries have been injected into a.r.s. I have deleted (via "cancel request") a small percentage of these forgeries: 34,583 at last count. The larger majority of the forgeries have been deleted by five or six other individuals.

4. During this time period (specifically between December 12th 1998 and February 5th, 1999), I have monitored a.r.s. for new sources of forgeries. When detected, I examined the headers of the forgeries and determined where they were originating, via the "NNTP-Posting-Host:" header line. An example is reproduced here:

5. From: spacecootie@my-dejanews.com
6. Newsgroups: alt.religion.scientology
7. Subject: question for Graham  Berry (ya bum!)
8. Message-ID: <6xmykJpaa4.Ik2844JkC.cmAlUwcp221@zenonian.org>
9. Lines: 76
10. Date: Sat, 06 Feb 1999 14:37:17
11. NNTP-Posting-Host: 194.72.248.2
12. X-Trace: news-reader.bt.net 918338778 194.72.248.2
   (Sat, 06 Feb 1999 22:06:18 BST)
13. NNTP-Posting-Date: Sat, 06 Feb 1999 22:06:18 BST
14. Path: news2.lightlink.com!news.lightlink.com!
   nntp-out.monmouth.com!newspeer.monmouth.com!
   newsfeed.nacamar.de!newsfeed.nacamar.de!ayres.ftech.net!
   news.ftech.net!peer.news.zetnet.net!btnet-feed1!btnet!
   news-reader.bt.net!news.demon.co.uk!zenonian.org
15. Xref: news2.lightlink.com alt.religion.scientology:565359

16. I hereby state that in my opinion the following header lines above are forged: "From:" "Message-ID:" the time in the "Date:" and the appendage to the "Path:" line--- specifically, "!news.demon.co.uk !zenonian.org" It is extremely difficult to forge a "NNTP-Posting-Host:" line and a "NNTP-Posting-Date:" line, and in my opinion the people posting the forgeries have not done so. It is my opinion that these two lines will point to the individuals responsible for the forgeries.

17. Once I determined from where the forgeries were being injected into the NGs, I contacted the Internet Service Provider(s) (hereafter "ISPs") specified in the "NNTP-Posting-Host:" field by either e-mail or via voice telephone, informing them of the abuse of their service, and explaining to them the nature of the problem.

18. Included with these explanations was a sample of the forgeries coming from their service, and my description of the "method of operation" used by the person acquiring the dial-up access to post the forgeries. Also included was my name and phone number, and a request from me asking each ISP to share as much information with me as they deemed legal and ethical.

19. To date, using the methods above, I have helped ISPs identify and terminate 12 dial-up Internet accounts that were being used to post the forgeries.

20. On or about January 28th I received an e-mail message from one of the sixty-three (63) ISPs I had contacted. The "Subject:" line of this message was "DELETE ME AFTER READING" and the "From:" line was from a Technical Support individual. The message stated that the individual who sent it to me had acquired via his "ANI" equipment the phone number being used to inject forgeries into a.r.s. via his dial-up service. The phone number he gave was 818 760 4637.

21. The Technical Support individual also stated in his message that he feared "retribution" from the people posting the forgeries, and insisted that I delete his message after reading it. I wrote the phone number down and then deleted the message as requested. To my certain recollection, the person who e-mailed this message to me works for an ISP in Ohio, but I cannot recall the specific ISP.

22. On February 1st I received a telephone call at 5:15AM PST from someone who identified himself as only "An ISP" whom I had sent a complaint to that warned him that his service was being abused. He stated to me that he was an ISP in Chicago, and that he acquired a phone number via "ANI" from one of the two phone lines being used to post forgeries via his dial-up system. That phone number was 818 760 4637. He did not tell me who he was, nor did I ask.

23. On February 4th I created a relational database that contains all pertinent information I could gather about the forgeries. This includes, at last count, over thirty thousand (30,000) headers of forgeries; the date and time they were posted; the ISPs they were posted from; and in several instances the ISP’s dial-up phone numbers. With this information, one may compare the ISP name (gathered from the "NNTP-Posting-Host:" field) and the date and time the forgeries were posted (gathered from the "NNTP-Posting-Date:" field), with that ISP’s dial-up phone numbers---- and match it with the suspected individuals’ long-distance phone bills.

24. It is my opinion that a correct match with a suspect phone bill will show that long-distance calls made from 818 760 4637 will match many ISP’s dial-up phone numbers; and that the phone bill’s date and time data will match the date and time of the forgeries themselves.

25. Please note that at least three phone lines have been and are being used to post these forgeries: therefore about one third of the phone bill’s data will match my database. If the individual(s) posting the forgeries have more than one phone line, the phone bills for those phone lines should be compared with my database for additional matching.

26. My database is in Microsoft Access, and will be produced upon demand to Pacific Bell and other interested parties.

27. Attached to this declaration: (A) a list of Internet Services Providers who have been used by the people posting the forgeries, including their addresses and phone numbers. (B) a detailed description of the database identified above.

28. I declare under penalty of perjury under the laws of the State of California that the foregoing is true and correct to the best of my knowledge.

29. Executed this 6th day of February, 1999, at San Clemente, California

David Michael Rice

A.R.S. Forged Flood Main Page