This!

http://www.themediaconsortium.com/reporting/wp-content/uploads/2008/03/affidavit-bp-final.pdf

My name is Babak Pasdar, President and CEO of Bat Blue Corporation. I have given this affidavit to
Thomas Devine, who has identified himself as the legal director of the Government Accountability
Project, without any threats, inducements or coercion.

I have been a technologist in the computer and computer security industry for the past nineteen years
and am a "Certified Ethical Hacker" (E-Commerce Consultants International Council.) I have worked
with many enterprise organizations, telecommunications carriers, as well as small and medium sized
organizations in consulting, designing, implementing, troubleshooting, and managing security systems.
This statement is to make a record ofmy concerns about the privacy implications for our society from
what I personally witnessed at a major telecommunications carrier, as summarized below.

What I know:

• I know I saw a circuit that everyone called the "Quantico Circuit."

• I know that all other sites had store numbers or affiliate numbers. The "Quantico Circuit" was
the only site being migrated that had such a unique name.

• I know that it was a third party connecting to the client's network via the "Quantico Circuit."

• I know everyone was uncomfortable talking about it.

• I know that connecting a third party to your network core with no access control is against all
standard security protocols, and would fail almost any compliance standard.

• 1 know that I was a trusted resource. During the project, I at all times had access and control
over the communications to the most sensitive of the organization's systems. This included
their sales applications, billing systems, text messaging and mobile internet access, including email
and web. I even had a client badge for entry to the building and access to facilities.

• I know the client had Network VCRs situated at various locations throughout their data centers.
These devices collected and recorded all network communications and had the capacity to store
them for days, possibly weeks.

• I know that many of the organization's branch offices and affiliate systems did not have that
unfettered access, because I instituted the controls.

What is likely, based on normal industry practice:

• A third party had access to one or more systems within the organization.

• The third party could connect to one or more of the client's systems. This would include the
billing system, fraud detection system, text messaging, web applications. Moreover, Internet
communications between a mobile phone and other Internet systems may be accessed.

• The client could connect to one or more of the third party's systems.

• The client's Data and Cell networks are interconnected.

• It is unlikely that any logging was enabled for any access to the Quantico circuit, because the
client's technical experts suggested that this was not enabled. They were tentative in even
discussing the subject. Even if logging was enabled the logging system was so inappropriately
sized that it was useless.

What is possible due to consistency with known facts but for which I don't have proof:

• The third party may be able to access the billing system to find information on a particular
person. This information may include their billing address, phone number(s), as well as the
numbers and information of other people on their plan. Other information could also include
any previous numbers that the person or others on their plan called, and the outside numbers
who have called the people on the plan.

• The third party may be able to identify the Electronic Security Number (ESN) of the plan
member's phones. This is a unique identifier that distinguishes each mobile device on the
carrier's network.

• With the ESN information and access to the fraud detection systems, a third party can locate or
track any particular mobile device. The person's call patterns and location can be trended and
analyzed.

• With the ESN, the third party could tap into any and all data being transmitted from any
particular mobile device. This would include Internet usage, e-mails, web, file transfers, text
messages and access to any remote applications.

• It also would be possible in real-time to tap into any conversation on any mobile phone
supported by the carrier at any point.

• It would be possible for the third party to access the Network VCR devices and collect a variety
of information en masse. The Network VCR collects all communications between two systems
indiscriminately. It would then archive this information making it available for retrieval on demand.
The third party could access the Network VCR systems and collect all data
communications for single mobile device such as text messaging, Internet access, e-mail, web
access, etc. over some period of minutes, hours, days or weeks. The same can be done for
communications of multiple, many or even all mobile devices for some period of minutes,
hours, days or weeks.

• Even if the client did not provide specific login and access for the third party to one or more of
their systems, without any access controls it is possible for the third party to leverage
vulnerabilities to "compromise" the client systems and obtain control or collect sensitive
information.