EXHIBIT A -...

EXHIBIT A

Case 1:14-cv-01375-LEK-RFT Document 86-3 Filed 09/24/15 of 14


8T 09/26/ 12

Supporting Deposition (CPL 100.20) [ [:25 AM

The People ofthe State of New York -vs.

Location of Incident State of New York Local Criminal Court County of Albany

Location of Deposition State of New York County of Saratoga

Town of Colonie Town of Clifton Park

resieling at voluntarily make the following

written statcm~nt to Investigator Rodger Kirsopp of the New York State Police:

I have previously provided a deposition on 04/ 18/12. I am an Infonnation Technology professional and I am self employed. 1 am doing business as Solsys, LLC. I provide IT services for NXJVM and I have been providing these services for at least six and half years. I am providing the following infonnation to clarify the infonnation that was gathered by Steve Ose and myself during the course of our research of the database and web server files and logs.

Files File Name Description

APACHE APACHE.xisx This is an export of our Apache server log file filtered for lP addresses associated with MJP login attempts. This is a very standard, very widely used web server. According to a Netcraft survey, Apache holds a 61.45% market share of web servers on the internet (hup:llnews.netcraft.comlarchives/20 12/07103 /july-20 I 2-web-servcr-survcy .html).

DB DB.xlsx This is an export from our own database table containing data associated with login attempts to nxian.net. This is data collected with a custom program.

Relevant General Contents • APACHE Datctime The date/time of the server clock at the time the request is

received by the servcr R~guest the Pllgclfi leJinfonnation r~qucsted by the client com.p~tcr IP address The IP address to which the server sends the requested

data (the IP address from which the request originated) bytes sent How much datu (in bytes) were sent from the server to the

client computer


user agent data* Client information typically including data ahout the requesting computer's browser and operating system

* User agent data includes Browser type and version making the request (ex: Firefox/6.0) Operating system and version of computer making the request (ex: Intel Mac as x 10.6 rv: 6.0)

DB ID database unique 10 of record. login name usemame used in login attempt id ---'pass I password used in login attempt succ fail result of login attempt login_time The date/time of the server clock at the time the request is

received by the server (Apache server) IP _address The IP address to which the server sends the requested

data (the IP address from which the request originated) I (from the Apache server)

locator_city the general location associated with the IP address -acquired via publicly available ip locator tool

nxian number TD number associated with the logi n usemarne

General Summary DB - Tells us login used, when, and what Ir address that person is connecting with our server from APACHE - Tells us exactly what was accessed/downloaded by each IP address Our Process The fo llowing describes how we determined that private, confidential data from our system was transferred from our server to the computers of individuals who did not have pcnnission to access or acquire that data.

1. I was advised by Clare Bronfman that a current NXIVM client list was posted on a

blog site. The list appeared to be a mirror image of information accessib le on ly

through the NXIVM website by members of NXIVM. Since each member is

ass igned individual usernames and passwords, I ran a Jist of all members who

accessed the website around the time of the blog post. With the assistance of

Cla re Bronfman and Steve Ose, we were looking for any unusual activity of a

particular member.

2. By checking the log in attempts using (DB), we noticed that Mary Jane Pino (MJP)

had an unusual amount of logins in between 2010 and 2011.

3. Clare and I suspected that the MJP login (mary jane) was being used by someone

other than Mary Jane Pi no to access our system with the intent to st eal

information .

a. Clare determined that the actual person associated with the username

(Mary Jane Pino) was an active member in good standing (therefo re


allowing her to have continued access to the website) but that she had

not been participating or using her membership. Clare also inquired with

people who knew her when she was active, and we found that there

were no indications that she intended to become active again.

4. I then conducted a search through public information to determine the physical

location of the IP addresses recorded in DB. The MJP logins traced back to a

number of geographically distant locations, including at least one instance where

the login was used at the same time period in two geographically distant

locations.

5. To determine what data was downloaded using the MJP login credentials, I used

the following process:

a. Searched for all MJP login attempts in DB - specifically pulling date-time

of login attempt and IP address associated with login attempt

b. Search APACHE logs for all entries that have IP addresses used by MJP.

i. The IP address recorded in DB were pulled directly from the

APACHE server.

c. In resulting data from APACHE, match date / time from each DB record

with date/ time of APACHE log record.

i. The date/time recorded in DB and APACHE are from the same

source - the hardware server clock. Both DB and APACHE exist

on the same hardware server, so both share the same clock.

d. Filtered out records that were from locations associated with Nxivm and

IP addresses that didn't have any relevant data transfers associated with

them.

i. 24.97.168.75

1. One MJP login with our IT override password - this was

me, testing access for the mjp login.

ii. 67.248.93.29

1. One mjp login, with the IT override password - again,

testing.

iii. 66.109.54.90

1. Two iTIjp login attempts on 2011-09-27 -failed -this was

the day we shut down MJP access, and these attempts

were to test to ensure the login was shut down.

e. Manually and programmatically correlated and verified the APACHE log

entries associated with each individual MJP login entry in DB


i. For every DB entry there are many APACHE entries, because

APACHE entry records every request made, whereas DB only

records the login request data.

f. Each APACHE record tells us what pages/data were accessed in each

session

What the Data Tells Us 1. The DB data tells us when login attempts are made, what login credentials are

used, and where the request for data from the server originates from. Specifically the IP address of the requestor.

2. From that DB data, we look at the APACHE data with the matching IP address and date/time. From the APACHE data we can see what data from the server was sent to the computer that was used to log in to the NXIVM private access web portal.

3. Within the APACHE data, we can examine the specific pages that were accessed by - and amount of data sent to - the IP address in question, We can determine the specific content that the person accessed through the 'data requested' part of the log.

a. Ex: 'GET /comm/tools/lcontact.php HTTP/l.l' tells us that the person accessed the data rendered by the .https://www.nxian.net/comm./tools/lcontact.php. page - a page with names and contact information of participants.

4. The APACHE data also tells us the amount of data sent from the server to the requesting computer with each request.

5. With all this, we can say - very definitively - the following (for example): a. A person at xxx.xxx.xxx.xxx IP address logged into Nxian .net at yyyy-mm

dd hh :mm:ss successfully using xxxxxx username and yyyyyyy password. (DB)

b. The person at the IP address defined in (a) accessed pages [a, b, c, d, e, f, g, h] . (APACHE)

c. Those pages contain applications [aa, bb, cc, dd, ee, ff, gg, hhL and those applications contain [data] data. (this is determined by simply looking at the pages/applications)

d. XXXXX bytes of data were sent from the server to the requesting IP address in each request (APACHE)

The data downloaded by these IP addresses could not be accessed legitimately without logging into the server. APACHE very clearly tracks exactly what data was sent and where it was sent, specifically to what IP ;:lddresses at what date/time.

Notable Private Data Accessed The following is an example of data that contained private corporate information which was requested by IP addresses associated with illegitimate use of the MJP login


credentials . The data requested was sent from the system server to the machine at the requesting IP address. There is much more data that was transferred but this is an example of particularly sensitive corporate information.

lcontact.php -list of active participants/clients including contact information Magreps/lindex.php - this page contains a dropdown list containing 99% of the client names of the organization . One of the lists that were publicly posted appeared to match this list and included full names and ID numbers of clients. Due to the nature of how this list is displayed, it is possible, but time consuming, to manually copy all the names from this list. However, in order to acquire the names and 10 number associated with each name, someone would need to both view the source code of the page and understand the code to some extent, which would require at least a base understanding of IT and/or web development to pull both names and associated ID numbers ofthe client list. Calendar - the calendar contains a list of upcoming trainings and other events. These events and the data associated with them are intended for organization clients/members only. Because video - this is a testimonial video intended to be viewed only by clients/members. It is in no way intended for viewing by people who have not already participated in trainings.

The data provided in the DB records dated between Feb 3, 2010 through Oct 31,2011 are relevant because of the IP address captures. The Mary Jane Pi no username and password were used prior to Feb 3, 2010. Those entries are not provided at this time because the IP addresses were not captured. The DB program was modified on or about Feb 3, 2010 to record the IP addresses. Because the IP addresses were not recorded in the DB program, we were not able to correlate the log ,in with the associated data on the APACHE logs. You could associate the log in with the APACHE logs but not through an IP address. You would be able to deduct that the log in date and time correlates with the APACHE log date and time.

The following IP addresses are suspected of illegal access to the NXIVM private access web portal.

172.131.55 .185

173.86.169,2 1

207,237.232.82

24 ,39.203.50

65 .37.35.176

67 .248.49 .143

69.2. 120. 11

7 1.1 97.13 7. 14 1

7 1.244,122.39

72,226. 58 ,9 1

74.46.60.59

5 7?T~


74.46.62.199

74.47.145.18

74.47.1 46.1 47

74.47. 146.70

74.47.1 47.117

74 .47.149.101

74.47.150.81

74.47. 151.77

74.76.145.1 15

74.76.149.7

96.236.30.20

96.236.44.171

The DB records and APACHE Jogs are standard Iracking processes that NXIVM uses and has used fo r an extended period of time. They are kept as a normal course of business. I can verify that these files have not been corrupted, manipulated or manufactured in any way.

Having reviewed this statement in it" entirety, is it an accurate account of events to the, be,st of your recollection? ie?

, . After reviewing this statemcnt, is tllere anything you wish to add , dclete or change? /'f,;t)

Has anyone forced or coerced you into making this statement against your will? /2/{)

//I RND OF STATEMENT

In It written instrument, any person who knowingly makes It false slatemem which such person docs not believe to be true has committed u crime under the laws of the slale of New York punislu'Ib lc as a C lass A MisdclIlcallor.

Affirmed ullder Ihe peliAlty of perjury

This 26th day of September 2012.

>"

Signe~-==-Illv Rodccr Kirsopp, SP C lifton Park BC I

ET 09/26/ 12 @ 1:13 PM

EXHIBIT B



BT 05123/12

Supporting Deposition (CPL 100.20)

The People of the State of New York -vs.

Location of Incident State of New York Local Criminal Court County of Albany Town of Colonie

Location of-Deposition Siate of New York County of Saratoga Town of Clifton Park

09 .12AM

I am an IT professional and I am a contractor working for NXIVM. I do business as Solsys and I have been doing work NXIVM since 2006:

As part of my employment, I am charged with a daily audit of the log in system for the NXIVM website. I am knowledgeable of the website and the software that is used to run the website.

The website uses a usemame and password log in process to gain access to the website on a log in credentials page. It captures the users credentials, including the time and date stamp and IP address associated to the log in. The system is set up so only certain users can gain access to certain areas ofthe website. Lower members would have limited access and higher members would have greater access. Also it would depend on the individual 's role with NXIVM on where they would be allowed to have access to certain pages in the website.

The daily audits of the system were not always done until some material from the website began to show up on the blog at Saratoga in Decline. The system always captured the infOlmation but. the daily audits were not done on a regular basis. The daily audits were done a1 the request of Clare Bronfman.

I am not sure of the speci fic date, but we started looking at the log ins and detennining if they were active members or not. If it was a member that we had not heard from in a while, we would use a process of eliminatiOll to detennine if they were active or suspicious in nature. Through our process of elimination, we detenn ined that Mary J Pinot had used her user name and password to gain access to the website. ] then looked at the logs to detel111ine what pages that she had accessed. J detennined that the pages that she had accessed on the website were pages that contained infOlmation that was rel eased through the blog. I looked closer at the log illS for Mary j Pinot and located multiple log ins and they appeared pretty regular.

I provided this infonnation to Clare Bronfinan.


Having reviewed this statement in its entirety, is it an accurate account of events to the best of your recollection? \ /

2

/-17 . After reviewing this statement, is there anything you wish to add, delete or change? ;to Has anyone forced or coerced you into making this statement against your will? I/{) . 111---------------------END OF STATEMENT __ ----------------------------------------111

In a written instrument, any person who knowingly makes a false statement which such person does not believe to be true has committed a crime under the laws of the state of New York punishable as a Class A Misdemeanor .

Affirmed under the penalty of perjury

This l-8th pal of April 2012. ;;SId /1' /l1i ~t1'«

-/ --1-2~'~: 1"",;::7/···/ c------

Signed:/?/ [ / c 'Z---::?----:-:--.-A"'--

SP Clifton Park BCl

EXHIBIT C



BT04Jl8/12

Supporting Deposition (CPL 100.20)

Th e People of the State of New York -vs.

Location of Incident State of New York Local Criminal Court County of Saratoga Town of Halfmoon

Location of Deposition State of New York County ofSara!oga Town of Clifton Park

Clare W. Bronfman, date of birth _ resid ing

01:38 PM

voluntarily make the following written statement to Investigator Rodger Kirsopp of the New York State Police:

I am making this statement in regards to activities surrounding myself and NXIVMJESP. j am on the Executive Board with NX]VM and I oversee Accounting, Administration, Legal, IT and Communications.

First, as an individual, ] have been subjected to numerous comments on Saratoga in Decline. This is a blog site that is run by a man named, John Tighe. I am very afraid of this man. He is a large man and based on his posts and activities·, ] am worried about what he is capable of There have been posts on his site about people causing haml to me. He has posted pictures of guns and his dog. John Tighe has shown up at NXIVM events such as Vanguard Week, Winterfest and Nancy Salzman's birthday.

On August 24, 2010, John Tighe made an appearance at Vanguard Week at the Silver Bay YMCA. As a result of monitoring the blog site and the various posts on the site, NXIVM hired security for the event costing $75,000.00. Because of the posts on the blog site conceming threats to me, my sister Sara Bronfman, Keith Raniere, and Nancy Salzman, I felt it necessary to hire security for the event. I was also subjected to numerous phone calls from people who were planning on attending the event in regards to their concern for their and our safety. During thi s event, I was speaking in the auditorium to the attendees, welcoming them to the event. It was at this time, 1 was advised by security thaI John Tighe was on the property and that I needed to keep everyone inside. ] spoke for an hour and halfuntill was advised that he had left the area,

NXIVM held a corporate holiday party at Apropos. I recall that during tile event, between 6:00 PM and 8:00 PM, John Tighe made an appearance. J was wi th Keith Raniere, Siobalul Hotaling, and Mike Baker. NXIVM has an a cappella group and they were practicing in the building down the street from Apropos. ] was alerted that Tighe was at the event. J told Keith Raniere to stay jn the building and I responded to Apropos to monitor the situation. I called the police and they responded. I observed John Tighe ill his red convertible and he was taking pictures.


On July 16, 2011, I was attending Nancy Salzman's birthday at Apropos . I don't recall where John Tighe had parked his car. He was either across the street or in his usual spot next to Fred the Butcher. I contacted the police to respond which they did .

On August 26, 2011, I was attending Vanguard Week at the Silver Bay YMCA. I believe it was at 12:45 PM when John Tighe made an appearance at the event. I was walking by the lake. I was approached by Damon Brink. He told me that Tighe was at the event. I immediately observed Tighe in his car. He was turning his car around on one of Silver bay's private roads. I rode with Damon Brink in his golf buggy. As we approached the main road, John Tighe was taking pictures of us . As we got closer, Tighe drove down the main road, very slowly. I called the police and they responded. John Tighe had already left the area when they responded.

I recall that John Tighe made an appearance at Nancy Salzman's birthday in 2010 at Apropos. I don't recall the specifics but I have previously reported the incident to the State Police in 2010.

As I previously stated, I am on the Executive Board for NXIVM and I oversee the IT and legal teams for NXIVM. I regularly monitor the blog. As a result, I observed NXIVM material that had been posted to the site. The information posted at that time, I determined could only have corne from the NXIVM computers. It was at this time, I directed the NXlVM IT team to send a report to me every night, listing people who accessed the computer system, and how they accessed the system, ifthey were successful, if they failed in ·their attempt to access the system, their IP address, and their approximate location. It was from these reports that I noticed a name that I did not recognize, a Mary Jane Pino. I had my Administrative team look up Mary's information. I believe she had been recruited by Barbara Bouchey approximately ten years earlier. Mary had taken some classes at that time but had not taken any additional classes since that time. I then had the IT team look up where specifically Mary had navigated on our computer system. I took that report and I had the legal team look at the information that had been visited by Mary to the information that had been posted to the blog. I had them look at all of the times that Mary had logged into the system. We determined at that time that the log in times for Mary's accOlmt to the times to the blog posting matched. Mary Jane Pino was contacted to detennine if she had in fact used her log in to gain access to the computer system. I have been advised that she denied using her log in to gain access to the system.

Everyone that has taken classes through ESP has access to the computer system. Everyone who takes classes with ESP signs a confidentiality agreement at least twice. They sign when they fi rst sign up and they also sign an agreement with every subsequent program that the client takes. You can gain access to the system in two ways. One is with a usemame and password. There is a secondary access to clients that I have infonned Investigator Kirsopp on its pruiiculars but I refrain fi·om publishing-i t here. The onl y ones that are denied accesses are peopl e that have left on bad tenl1S with NXIVM/ESP. We allow cli ents to have access to celiain areas of the computer system. This is al so to say that the higher your position the more access that you are granted in the computer system .

2


Having reviewed this statement in its entirety, is it an accurate account of events to the best of your recollection? Yes

3

After reviewing this statement, is there anything you wish to add, delete or change? No

Has anyone forced or coerced you into making this statement against your will? !I/o

/ / /---------------------END 0 F STATEMENT __ ----------------------------------------11/

In a written instrument, any person who krlowingly makes a false statement which such person does not believe to be true has committed a crime under the laws of the state of New York punishable as a Class A Misdemeanor.

Affirmed under the penalty of perjury

This 18th day of April 2012. Signed·l~C£i!Q~;;.::.!.~;;...-------

.......0 ~i ~ ~ ~ddfer Kirso.ll.r~L'TTC~fton Park Bel

ET04/18/12@4:23PM

EXHIBIT A -...

Documents

Transcript of EXHIBIT A -...