CryptoDevil
Feb 26
Last Friday was a whirlwind of desperate deflection as @dr_cswright was made to watch his own forging keystrokes damn him before the killer blow from Gunning pointing out the real Bitcoin WP wasn't even written in LaTeX

This week should be a far less dramatic affair without him.
Court is in Session.

Wright's side open with 2 matters, a report from Peter Bryant where CSW had sought an application to admit further evidence from Mr Bryant, dealing with certain computing environment tests.

The 2nd is a disclosure issue occurring over the weekend. (Ooh!)
When asked what it is in relation to Wright's side say it is something that CSW will be providing details of.

Judge Mellor asks why the additional forensic tests (for CSW's claimed reasons why the expert reports are wrong) need to take so much longer.

It'll be returned to later
Mr Madden, the expert witness for @opencryptoorg is being sworn in.

Hough: Gives his usual reference to the witness's statements/reports, subject to some errata which he will address
Madden, for anybody not aware, is a digital forensic expert who excoriated CSW's submitted "I am Satoshi" evidence as all being manipulated (forged). - Wright's own expert happened to agree with him.

H: Hands over to CSW's side
W: "Could we start with para 1-8 of your first report. You recall these set out your personal background. You don't provide a CV with your report"
M: "I just provide a personal bio I don't keep a track of every course I have taken"
W: "But you don't provide any detailed academic or professional qualifications. So far as the relevant industry qualifications as a forensic digital examiner, what have you taken?"
M: "To get my qualification (as a forensic examiner) I completed a 12-week course"
W: "I'll come back to that later. You've reviewed a large number of documents disclosed by CSW, over 500 of them provided to you in your first report. None were analysed on the machines or environments from which they were collected"
M: "I've detailed my concerns with that"
W: "You were provided with copies of the documents alongside their metadata load files. Saying this wasn't ideal"
M: "Yes"
W: "You were to conduct the investigation from a technical perspective"
M: "Yes"
W: "Where the authenticity of the documents is to be called into question, it is important that the environment they are created and stored in is important [to the analysis]"
M: "In certain situations, yes. Some metadata can be influenced by the environment some not"
W: "You rely throughout your reports on anomalous timestamps. It is right that relying on timestamps like this is prone to difficulty, with different interpretations"
M: "Depending on the timestamps, yes"
W: "Here Dr Placks (CSW's expert) says 'a creation date indicates when a document may have been copied, last access could be from a virus check and last change might not actually mean when a document was edited'"
M: "It can do, it depends on which timestamp/file you are analysing"
W: "Moving to CSW's environment, your first joint statement (with Dr Placks), para 11b you say 'the time of meeting neither expert has been provided with non-speculative description of the [computer environment of the evidence]'. Since then CSW has provided extensive detail of it"
M: "I would say voluminous, not extensive"
W: "Your report [cites it]. All of those witness statements were served before your 4th report, did you [take them into account for it?]"
M: "Yes and I addressed some of them in that report"
W: "CSW's 10th witness statement says 'since 2003/4 I've been running Linux as a base system and the Rocks cluster is an open source distro for building high-performance computing clusters'. What he is saying is correct, yes"
M: "I've no reason to doubt it"
W: "He says a key feature of Rocks Linux is resource aggregation, do you have reason to question that?"
M: "No there are various platforms which let you do that sort of task"
W: "CSW describes his use of virtual machines"
W: "He says Rocks Linux can be used with a virtualised env, correct?"
M: "Any Linux distro can be used to create a virtualised environment"
W: "By virtual machines, they are set up on a computer but have a separate o/s as if you were operating an entirely separate machine"
M: "Simply put, yes, depending on how you have them set up"
W: "CSW says that he used VMware and Xen hypervisor systems and it is correct that VMware is used to operate virtual machines and Xen hypervisor is also"
M: "Yes"
W: "You are also aware that CSW says he uses Citrix"
M: "Yes I am aware he has said that"
W: "Where he refers to Citrix and Xen he says 'Citrix enables users to work from remote connections' and hypervisor is based on Xen"
M: "Yes"
W: "Are you familiar with Citrix"
M: "I am familiar with analysing data on it, I am not familiar with setting it up/installing it"
W: "You are aware he has also used SAN systems, for virtualised systems"
M: "Yes they can be used like that"
W: "CSW says SANs are for high-perf flexibility to handle large volumes of data and delivering it to various users across a network"
M: "File version control across individual users across a SAN, once the files are on they would operate to the server the storage is allocated..."
M: "...only if you had not configured it correctly would issues occur and even then it would cause total corruption of the file, [not just metadata changes]"
W: "I think you are jumping ahead. CSW said he made use of symbolic linking to connect areas in his Windows systems...
W: "...to his Linux system to manage his systems. And what he describes is technically possible"
M: "Yes I believe so"
W: "He says when links are created on multiple systems they can point to the same file or diff files simultaneously, that is possible, yes?"
M: "Possible yes"
W: "And if that happens it is possible for changes to the file to be made in different ways across the network"
M: "It can do, it can cause conflicts"
W: "CSW mentions staff in his organisation accessed and shared files"
M: "Yes I recall him saying that"
W: "He says that his orgs enforced group policies throughout its IT systems"
M: "Yes that's not uncommon"
W: "Referring to the use of group policies which have enforced updates from MS in a shared environment. 'in the systems I ran these policies would be enforced in Citrix & Xen'"
W: "'The implementation of standard configs was mandated in the organisations I set up'. You are aware that the nChain applications included Grammarly and Mathtype"
M: "Yes"
W: "He explains how those group policies were implemented"
W: "What CSW describes is correct in how a group policy would be set up"
M: "It is in simplistic terms, yes. For uniformity of updates etc"
W: "He says that you implement the group policy through the management console on a Windows system, by editing the group policy on it"
W: "If the court accepts this as the environment he used, that was a complex one, wasn't it?"
M: "It's pretty standard for a commercial system"
W: "It was a complex one wasn't it?"
M: "It's not a simple workstation but I wouldn't say it was extremely complex"
W: "It was complex"
M: "Sure"
W: "Citrix provides tools to allow access to Windows desktops and apps independently of the machine they are on and from any o/s. It enables a user of one computer to access a different computer to use the software and apps on that computer"
M: "Yes"
W: "A user may use a remote server and access an application to access and edit a document on that server"
M: "Yes but the edit changes would not be recorded locally (to the user) they would be written to the one on the server [it is hosted on]"
W: "The edit time counter on MS Word will continue to run until the session is closed on the remote server"
M: "Yes"
W: "So a user takes the following steps, They access the remote server by opening a Citrix session on their machine, they access the remote server, then access doc
W: "The user then disconnects their session without shutting down MS Word and then later on re establishes a connection to that remote server and reopens the document. So the edit session being recorded on the remote server would continue to run"
M: "Provided the session was open"
W: "So it is possible that a document may show a long edit time, provided the remote server remained operational and was not restarted"
M: "As long as the environment session was not changed in any way [causing the session to be closed by it]"
W: "You are aware that it is possible that a system could run for years without being shut down"
M: "Yes it is possible"
W: "Dr Placks says that if a computer is accessed remotely a user could disconnect while leaving the system running, one way this could happen is using Citrix"
M: "Yes and when using a regular workstation"
W: "Going to the normal dot m file [in your report] you say it is the usual template which contains the normal fonts and customisations for a document"
M: "For new documents yes"
W: "For a document"
M: "New documents"
W: "I would dispute that. It is possible for a template to include additional elements [to an existing document] CSW says his was set up to include mathtype symbols [automatically for all documents loaded]"
M: "You could do that, yes"
W: "The normal dot m template opens whenever a user opens MS Word"
M: "No whenever opening a new document"
M: "Whenever a user opens MS Word"
M: "No [goes into further disagreement]"
W: "My question was that the normal dot m is implemented whenever a user opens MS Word"
M: "Yes but only if you are opening MS Word into a new document"
W: "No you are ignoring what I am saying, the normal dot m is applied whenever a user opens MS Word"
M: [explains that is only true if you are opening MS Word and have it set to automatically display a new doc]
W: [refers to MS website stating that it is applied whenever MS Word is open]
M: "Yes that is only correct if you have MS Word set to start a new document when you open it. I am just being pedantic about the specifics of how that is applied"
Mellor: Don't be worried about pedantry
W: "So you accept the template will be the starting point of a new document and then if a user opens an existing document, the normal dot m template will sit in the background and that the custom styles in it may be applied to all documents opened by that user and not just new"
M: "The template won't be applied to all open documents, if you open it on screen it can be applied to the stored document if you then save it to the [existing] file"
W: "You say in your report that the template is used to apply to new documents, not existing ones, not correct"
M: "No it would only be applied to existing documents if you saved changes to the existing document. When you open a Word doc you don't immediately update the existing file unless you actually commit the changes you make to save to the existing file"
W: "so that is a way [though]"
W: "CSW's 9th addresses the config of the template to apply mathtype, my question is that it is right that if the system is configured to apply the template to existing documents then what he said happened will happen"
M: "Talking about existing documents, not until saved"
W: "Dealing with Grammarly you say you had no previous experience prior to this case and you conducted tests to understand how the timestamps operate"
M: "Yes"
W: "And that there are two versions standard and enterprise"
W: "Which did you test on"
M: "The standard as there was no reason to believe the Enterprise would behave any differently"
W: "But you are assuming that. CSW states that Grammarly can cause grammar checking to occur by default even when not actively performing a check"
M: "Yes that is correct"
W: "CSW explains how that was done in his environment using a macro in the Word template to automatically load Grammarly when Word was started"
M: "Yes that's technically possible"
W: "You cited particular Grammarly tags"
W: "You say Grammarly timestamp '42' only arises if Enterprise version is used"
M: "I don't believe that's correct. It was embedded in my test environment which uses the standard version"
W: "I suggest in fact the only environment that code can occur is in an Enterprise edition...
W: "...using Word and Citrix"
M: "No it came up on mine on a standard edition in a Windows environment"
W: "Well CSW is very clear in what he is saying. Anyway, moving on..."
W: "He says if a Word document is opened in an environment with missing fonts, Word will introduce its own, isn't that correct"
M: "Only to display the document, yes"
W: "If the doc is saved ref to those new fonts will be included"
M: "Not necessarily no it will retain font name"
M: "By adding the fonts [in my tests] I could see the font names being saved. And this only occurred when saves were done [not simply by opening the doc]"
W: "Well CSW disagrees"
M: "He can do if he wants"
W: "You accept [in your report] that a created date which is more recent than the last modified date would be expected if a file was created as a copy of another"
M: "Yes"
W: "Are you familiar with XCopy?"
M: "Yes"
W: "And you're aware CSW says he uses xcopy"
M: "Yes"
W: "What he explains is how copying a file using xcopy can lead to the same effect [the creation of a copy causing the differences]. The last access date timestamp can vary depending on o/s being used"
M: "Yes"
W: "It's possible the last access date can be affected differently"
M: "well there are settings where you can turn off the update of the 'last accessed' timestamp"
W: "And if you had done so and were using xcopy this would occur"
M: "Only if there is another file event happening"
M: "I would need to know which version of xcopy this refers to. I do not use xcopy myself as it does not accurately preserve all the timestamps"

Break for 5
Back in session

W: "Moving on to overlapping edit times, one apparent anomaly you identified is overlapping edit times, which suggest concurrent editing of documents"
M: "Yes"
W: "And this is just the Lynn Wright group of docs"
M: "It's the only ones I have seen that happen, yes"
W: "CSW says the critique of it being implausible is predicated on all the edits being done on the same session, but if the files were being edited across multiple machines..
W: "[this can happen]"
M: "It's where the document is stored which matters, but it could happen"
W: "You agree that if docs are edited using different computers it could explain the overlap."
M: "Yes"
W: "And you stand by that"
M: "Yes"
W: "So if CSW had multiple instances in this environment it could explain these overlapping edits"
M: "Yes if all instances were set to have Lynn Wright as the author, too"
W: "The final sentence 'I believe that unzipping a zip type of file can lead to a [new file creation date]'"
M: "It can depend on how the zip file is created, but there are some events where that could happen"
W: "So it is possible that it could lead to a file creation date being written [from the file being unzipped from an archive]"
M: "Yes"
W: "This document is a scan of a page from a notepad with CSW's handwriting [on it]"
M: "I don't know whose writing that is but I would accept that"
W: "And CSW says this was from an August 2007 meeting. COPA's case is that this cannot be true because the Quill notepad..."
W: "...was only produced [by manufacturer] in 2009 and that this notepad as shown is from that 2009 manufacturing period"
W: "You address this [in your report] saying 'it's not possible for you to form an opinion [on this] and that you do not attempt to form an opinion on...'
W: "...[the manufacturers people's statements]. You set out your methodology saying you conducted a detailed inspection of the scan and the [original example of a Quill page from 2009], CSW has stated that [he can show differences]"
M: "I can see that he has sort of lined them up a bit"
W: "He has compared the number 3 in the exhibit against the 3 in his document, laying it against a grid background, which would be the correct way to compare them"
M: "If you have the scale for both correct, yes"
W: "You have also done a comparison [of Wright's Quill and the 2009 Quill example] but you don't do that against a grid background. It is right that as CSW says the 3 in his is larger than the example doc"
M: "If he got the scale wrong it would be larger"
W: "Have you checked?"
M: "I did but it has not been submitted in this yet"
W: "Is CSW's 3 larger than the one in the template example"
M: "When I compared them I [did not find them to be different]"
W: "Well CSW disputes that. Going back to the actual document of where that text comes from on it..."
W: "...he has set his test against a grid background"
M: "Except he doesn't have it aligned"
W: "But what his showed is that the word 'reorder' does not match in his test"
M: "No I would disagree, you can see [that he doesn't have it lined up properly]"
W: "You agree that [you are working from a scan] you have not been given the hard copy of this notepad"
M: "Because I'm not a hardcopy forensic expert"
W: "Well from a digital perspective you cannot determine that this 'pdf' scan has been backdated"
M: this could not be determined
W: "Moving on to this JSTOR article [the Nakamoto name origin CSW showed onscreen in a livestream video interview]. Your conclusion is that this document is not authentic to the January 2008 date it purports to be"
M: "Correct"
W: "You identified 2 technical reasons for reaching your view that it was not authentic to the 5th January as it states on it. You say there are inconsistencies in the font where it is written 5th January 2008 and you say the design of the footer does not match [contemporaneously]"
M: "Yes, [that the footer design does not match the 2008 JSTOR footer design]"
W: "You say the header date showed consistency with it having been [manually edited] But you could not conclude anything [other than through a visual inspection] and when you say..."
W: "...they were consistent with a particular type of editing what type of editing would that be?"
M: "Well it depends, it could have been done through an OCR process or by putting a media box over the word they were adjusting and typing the text they wanted"
W: "Any other type?"
M: "Do you have any in mind?"
W: "No I was just wondering what you suggested"
M: "Well it wouldn't have been through a hex editing process or anything like that. The pdf is digital but when editing you would mostly use a graphic interface for doing that"
W: "Another way could be by taping on [another piece of paper]"
M: "Sure, but I didn't deal with that"
W: "But if it was edited digitally wouldn't it just use the same font?"
M: "No not necessarily [it would put whatever the editor had available]."
W: "Well the normal process would be just to open up the acrobat reader and edit it where it would use just the same font, wouldn't it?"
M: "No not necessarily the fonts aren't always available [in the editing session]"
W: "So you don't know whether the editing you are talking.."
W: "...took place using the normal process where there would have been no need to change the font"
M: "If the application [had the same font available] it would not have needed to change it, no"
W: "You have concluded that this document was not authentic. I suggest..."
W: "...you don't have the basis to reach this conclusion [on the edited date font]. As for the JSTOR footer, you are not able to confirm that the comparator set you had available included ALL of the JSTOR versions across ALL of the repositories across the world"
M: "No"
W: "So you haven't [done a complete test]"
M: "I completed what I determined was a sufficient amount [of research] into the JSTOR footer version and that I believe the two elements on this page, together, served to confirm my findings"
W: "Why not confirm with JSTOR?"
M: "I had a lot to get through"
W: "The truth is you cannot confirm, you are simply speculating"
M: "I think it is a little more than that, but ok"
W: "Moving on"
W: "This is a [new] document with internal metadata showing it from 2005"
M: "Yes"
W: "An assessment cover sheet from Uni of Newcastle. You concluded it was created from an authentic Uni assignment, by deleting the text in the original and copying the bitcoin text in"
M: "Yes"
W: "First, taking your conclusion, you say you looked at hidden text embedded in one and identified it in the other"
M: "Yes"
W: "Then you have opened a previous version and found it showing a full table of contents [as the other]"
M: "Yes"
W: "You conclude from that it shows the authentic doc was a donor document for the other. That it was odd because the metadata for the donor doc put it as coming later than the other. That's not correct is it?"
M: "Sorry can we [review what the report says]"
W: "You don't know what changes were made when, so it is right that the doc could have been created by editing an earlier version."
M: "[talks about the release dates of MS Word version]"
W: "But it could have been created by editing an earlier version"
M: "But those portions.."
M: "wouldn't have been in both"
W: "Yes but you don't know for sure about [any of this chronology]"
M: "I don't know if I would agree. If we are talking about the digital content of the documents and what is common to them both"
W: "you're making a lawyer's point aren't you?"
M: "No I'm making a technical point to explain what underpins [my findings]"
W: "You're making a lawyer's point. Each of the changes on these documents matter doesn't it"
M: "Yes"
W: "Going back to the edits you say were done. You say text from the published Bitcoin WP was included in the file and then edited and that the file metadata was backdated, likely by changing the computer clock, that is your conclusion isn't it?"
M: "Yes"
W: "It is right that the only version of the text was from the 2008 version of the Bitcoin WP"
M: "I don't think I have been that specific on the text"
W: "But it [could have been]"
M: "Yes"
W: "This next document is an .odt file with internal metadata showing it was created in March 2008"
M: "Yes"
W: "Your conclusion is that the timestamps can only be explained by backdating of the computer because the software version was not released until after March 2008"
M: Yes
W: "You say 'in my view it should not have been possible to generate the metadata shown without manipulating the system clock time'. Are you aware that CSW says he created the document in LaTeX and deliberately modified the date to make it look like that"
M: "He said that, yes"
M: "I'm not even sure if LaTeX could even generate a metadata field named that. I'm not a LaTeX expert"
W: "But do you accept it could technically be possible"
M: "I am not an expert, but being familiar with similar programs it has the structure and feel of an openoffice doc"
W: "So you cannot say whether what CSW says is not technically possible"
M: "No but you would need to instruct the software to put in the level of detail to represent software which has not yet been released"
W: "That is a fact you cannot give a professional opinion on"
W: "It is not something which comes within the realms of your expertise [what CSW would need to have known to predict the unreleased software version's future metadata detail]"
M: "No but I'm going by what is known about .odt files"
W: "It is just your desire to reach the conclusion that these documents are not authentic isn't it"
M: "I would disagree with that"
W: "Moving on to the MYOB records you were shown some screenshots, yes"
M: "Yes"
W: "You were also shown images which Dr Placks had downloaded from the MYOB online system"
M: "Yes"
W: "So you have not worked from the Live MYOB platform"
M: "I didn't request CSW's credentials, but I did conduct my own tests on MYOB live"
W: "But you could have requested CSW's login credentials but you didn't"
M: "All the testing I was able to do myself led me to conclude it was not necessary"
W: "What testing did you do"
M: "Quite a bit"
M: "Starting with how the username was populated all through the db and showed the Live username data too, and drawing that inference that it was created in the offline version first before being put in the Live platform, which is why I took out a 30 day subscription to it"
M: "I conducted a series of tests on both the .myo db files and the Live MYOB format files and found a lot of the information captured in the .myo file is not generated in the older MYOB versions and so is not imported in to the Live because it didn't exist"
W: "Moving on to the BDO Samsung drive, you say the content is on the whole not authentic because it shows it was accessed in November 2023 and that the contents have been manipulated using system clock backdating and the recycle bin also contained contents from November 2023"
W: "You are aware that CSW says his system was hacked by a Mr Ager-Hansen isn't that right"
M: "I am aware he has said that, yes"
W: "And that he has filed a police report [about this hacking]"
M: "I was not aware of that, no"
W: "CSW says, 'I was told by Ramona that Ager-Hansen contacted her and sent her screenshots of my browsing history which have been since published on social media and he obtained these from my policy using a policy installed on nChain's system' you are aware of this?"
M: "Of his claims, yes"
W: "He says 'although I do recognise the browsing history on Ager-Hansen's tweets appear to be showing Linux o/s and a Mozilla browser'. Now you know what a trojan file is, that once downloaded a trojan may allow a hacker access to the target computer"
M: "potentially, yes"
W: "And that a trojan may allow a hacker to access a hard drive and virtual machines on the network"
M: "If the drive is connected, possibly yes"
W: "And that they can use a root access program to [gain access]"
W: "If we assume that a hacker DID gain unauthorised access to CSW's computer then he could have accessed the bdo drive"
M: "Technically, yes"
W: "Moving on"
W: "Re the Abacus emails DNS and DKIM authentication. You are aware that CSW says the Abacus emails are proven to be inauthentic from the date they purport to be. That CSW says it shows they were sent from google servers but that Abacus did not move to google until 2005"
M: "I understand the point he is wanting to make, yes"
W: "So that the emails could not have been sent in 2014. That the emails use an invalid DKIM"
M: "I understand he says that, yes"
W: "DKIM adds a digital signature to outgoing messages"
M: "Yes"
W: "It proves they came from the sender, not from someone impersonating the sender"
M: "Yes"
W: "With regards to the DNS system it converts human readable domain names into an IP address number"
M: "Yes it is a table which converts one to the other"
W: "And computers use the IP address to locate the destination computer on the network. Now the MX records show where the particular address the mailserver is located"
M: "Yes"
W: "There are different types of DNS records, an A Record shows where web traffic should be directed"
M: "Yes"
W: "So one server might host a website and another might host emails"
M: "Yes"
W: "Now we both agree that Abacus used google for its mailserver, but what is disputed is [when it was moved]. CSW shows the DNS records for the Abacus email MX record do not show Abacus moving to google until 3rd April 2015, you dispute that"
M: "Yes"

Lunch Break!
Back in session

W: "Going back to the DNS MX records, we identified the dispute between you and CSW is that you say these records are incomplete and have a gap. Stroz Friedberg have put in a memo on this, yes?"
M: "Yes"
W: "Second bullet point says the MX record [on the screenshots] says the change was likely made but the MX DNS record for Abacus-offshore dot com between 2009/10 was mail.abacus-offshore dot com and after that we can see it was subsequently changed to google [mail server]."
W: "CSW says this is where he gets his [findings from]"
M: "I can see that, yes"
W: "Referring to your report regarding CSW's screenshot where you say the records provided are not a full record showing all the times covered. What I want to explore is you highlight the FAQ..."
W: "where they say they aim to update once a month"
M: "They say they aim to, yes"
W: "Well it beggars belief that no update would have been done between 2010 and 2015"
M: "No if we look at the data where they have provided it for 2009/10, we then have a large gap before..."
M: "...there is a single day update [talks about failed mail], then there is another long gap, if they had been regularly polling this information this data would have been updated far more frequently. I also have my own MX records and data and my data shows only have been polled
M: "in 2021 whereas my domain was live 2019. So this shows how infrequent this data can be stored"
W: "Was this disclosed in your report"
M: "No I'm just explaining an aspect to my findings"
W: "You are aware that because you did not include it in your report it is unable to be..
W: "..to be tested and verified"
M: "well anyone can go on to the website and check it"
W: "You're just making this up as you go along"
M: "No"
W: "What this shows is the website recording changes"
M: "Wrong"
M: "What they do is have to collect this information and record it. It is unsafe to assume [when this was polled and collected]. I can only say it was done by 2015"
W: [disputes this]. "It is right that a working MX record is needed for an email service to function correctly"
M: "Yes"
W: "You refer to other DNS record which mention a godaddy dot com server. You say that server is related to hosting the Abacus-offshore website, not the sending and receiving of emails"
M: "godaddy are the registrar, they handle the config for these records"
W: "If you are disagreeing with me I will take you to your report where you make a point about CSW's claims, where you say 'to be clear the records shown are not MX records and do not relate to [these email]'"
M: "That's about a different screenshot"
W: "You say that godaddy...
W: "..does not relate to the email server"
M: "It is an independent service [mail server] it can be configured separately to the registrar/host"
W: "The DKIM for that email produces an invalid result"
M: "Yes"
W: "But you say the reason for this is due to the age of the email and that google servers will no longer validate it [such an old email] using current server information. Saying the same can be said for the SPF checks as it has been migrated since it is not possible to check"
M: "Correct"
W: "SPF is sender policy framework"
M: "Yes"
W: "You mention SPF checks conducted. Which checks were those?"
M: "I'm not sure if it was this particular email or just speaking generally about SPF checks. This email might not have had an SPF [set on it]. Can I see header?"
W: "I don't think it is on that"
M: "Well I don't think this one did have one and that would mean it would not be possible to check it now because it would have been migrated to its new mail server host"
W: "Well that looks to me like you did conduct some SPF checks"
M: "I don't think so on that one"
W: "Did you conduct SPF checks on emails?"
M: "Yes when it was possible to do so I did on other emails. That other message you flicked back to did have an SPF check done because it has one set"
W: "Why wasn't this test disclosed?"
M: "Because the results weren't relevant to my findings"
W: "But why didn't you submit the results to the report?"
M: "Because this email did not have an SPF set so no check was done"
W: "Now it is right that DNS records DKIM and SPF policies as TXT records"
M: "Yes"
W: "Did you do checks into the Abacus domain name?"
M: "Yes"
W: "And what did you find?"
M: "It showed info for a godaddy related domain and two for another and one for google specific to if SPF checks were available"
W: "But you didn't mention that in your report"
M: "It wasn't relevant to my opinion"
W: "But you are assuming it wasn't relevant. My Lord we have an objection to this in our filings"
H: "Just to be sure the objection was due to the timing of the submission of the finding"
W: "This record shows that SPF records were only adopted by Abacus in April 2015"
M: "To clarify only that this was the first time the website has captured that information"
W: "This is when it was adopted [in April 2015]"
M: "No when it was first captured"
W: "We dispute that and we assert that you simply are unable to confirm [when the migration was made]"
M: "I think I found in my report that it was not possible to determine when the migration was done. At some point between Nov 2010 and April 2015 there are a couple of..."
M: "...points it might have occurred but it is not possible to say exactly when. Just some time between those two dates"
W: "You are simply not able to say when"
M: "Correct"
W: "Your response to CSW's witness statement, saying 'my overall view is that the information is general in nature and not specifically relevant to [my findings]'"
M: "Yes"
W: "CSW refers to many of the points about his computing environment, to specific documents you have analysed"
W: "You deal with symbolic links and with MS Word template and then you deal with the point about merging the files together"
M: "Yes"
W: "Then you move on to the BDO drive in the next section. It is clearly right you haven't addressed ALL the issues CSW refers to about his enviro
M: "I dealt with most of it"
W: "But you didn't deal with Citrix"
M: "It is something which if you were running systems in parallel it could cause the results claimed. My understanding is that CSW says it is because of Citrix it causes the overlapping times, I agreed with this"
W: "Moving on to PGP keys you say it is also possible to verify them using a command line called gpg. How are you aware of them concerning pgp keys?"
M: "It is used quite often for digital email signing"
W: "And do you understand them in terms of Bitcoin or other currencies?"
M: "No"
W: "Now I'd like to understand what you are saying when you say you are a sole practitioner and you say that you have done most alone but assisted by @twobirds in the following ways. Did you not consider recruiting an assistant instead of relying on COPA's solicitors?"
M: "I don't normally like working with corporate teams, but I do not enjoy the management side of it so I didn't want to hire someone. I was happy with running the technical aspect myself"
W: "Can you explain why hiring an assistant would require serious managing?"
M: "They would have needed to be able to understand the full [range of the requirements of the work]. It would have taken a long time to develop the rapport [for it to be useful]"
W: "Why use COPA's [team instead]?"
M: "It was only [for some additional minor input], I did all of the work myself. If I had an assistant doing the analysis it wouldn't be me doing it and I would have to rely on them to do it. I would be supervising it"
W: "But you could decide what work they did and what you did"
M: "But I would then have to rely on their work, which I wouldn't want to have to do"
W: "But you relied on Bird and Bird instead"
M: "Just for finessing language appropriately"
W: "So where we see language in your report about CSW's findings being speculative... whose words?"
M: "That would be me"
W: "So all 1300 pages of your report are all you?"
M: "It's more than that in the end but, yes"
W: "You say they helped with the initial draft of the report and structuring and formatting the results of your analysis. What do you mean by that?"
M: "Keeping the appendices [efficient] like the Lynn Wright documents [so there would not be duplication]"
W: "Did you have an office at Bird and Bird?"
M: "No I went there 3 or 4 times during this period"
W: "Only 3 or 4 times?"
M: "I spoke to them many times but only visited their offices 3 or 4 times. I would detail the content of my report up to that point and they would be recording that and making notes. I could have access to a room when I did visit if I needed to"
W: "How did they turn notes...
W: "into a report form?"
M: "Well after a few times of putting appendices together [we both] got the flavour of the process very well."
W: "They were essentially writing the report for you"
M: "No they helped with the assembly but the words were all mine"
W: "Have you adopted a similar approach to create a report for any other cases?"
M: "Sometimes I have provided a draft and asked for them to give clarification on certain parts"
W: "Have you adopted the same approach you did with Bird and Bird for any other case?"
M: "No not exactly"
W: "I put it to you that your [relationship with Bird and Bird] discredits your report. I put it to you that the findings about the BDO drive can be explained by the actions of a hacker"
M: "I think that might be a bit of a leap"
W: "all my questions"
H: "Where you said you did not have access to the systems where these documents were produced from. Do you understand the reason why you were not given access?"
M: "No I was just not allowed access to them"
H: "You say that while the lack of access increased time to draw your...
H: "...conclusions it did not impede your ability to draw accurate conclusions. Would you like to expand on that any further?"
M: "Well just to say for example the load file I had I would like to have explored the original system further to expand on it more and be able to be..
M: "...able to provide a [broader range of timestamps]. My findings are not speculative, but this extra information would have been useful to have."
H: "Next topic, the normal dot m template was put to you that it can lead to changes to existing files which are opened on the system"
H: "You answered that the template would not cause any changes to the file unless there had been user action or a process of saving the file. How would this have shown as"
M: "You would have seen a range of timestamp data updating to show that of the system it was loaded on"
H: "Now for the JStor document you referred to the date format and the footer but also a third issue what was that?"
M: "There was a version available on the internet which had the same format and content, except for its date showing a 2015 timestamp"
H: "All my questions"
Mellor: "We ready for Mr Placks?"
Grabiner: "I have a bundle first" *hands out copies of bundle*
G: "My Lord we're disclosing some more documents" (what the actual?)
G: "They are the screenshots of the MYOB software, taken by @OntierLLP and there is an issue between the parties over when these screenshots were made. @opencryptoorg says they were not made until March 2020, CSW says Ontier were provided login details for MYOB live in 2019"
G: "In response to a request by @twobirds Ontier replied saying they were NOT given access to MYOB Live login until March 2020. If you go to my bundle they say 'CSW first provided this firm with MYOB on the 9th March 2020, we did not have access to MYOB in 2019...."
G: "...we created screenshots on 9th and 10th March 2020 and we are not aware of Alix Partners having access to MYOB in 2019. So that document says Ontier was NOT provided with login info until 9th March. We are now disclosing the Ontier email itself. On the next tab this email."
G: "...of last week from Ramona Watts saying please see comms between Simon Cohen of Ontier in 2019. They say they did not have it but they had it as did Alix Partners in 2019. That email shows an email forwarded from 2019 and also attached an email referring to MYOB details...
G: "..being provided in 2019. So this email purports to be, on its face, evidence that access to MYOB Live was provided in 2019 [goes on to continue reading content of email chain], now your Lordship see that it is part of a 3 email chain and the bottom one is from CSW..."
G: "...addressed to Simon Cohen, who replies 'thanks Craig what does this refer to', before a further reply detailing it as I already read out to you. Then sticking to the key chronology, on day 15 of the trial the following exchange took place in cross..."
G: "...the question put to CSW was 'you told the court that Ontier received MYOB login details in late 2019 didn't you' and he replied 'I did and I have the emails to prove it', this reference was in relation to the Ramona email I have just shown you and we take that as a..."
G: "...waiver of privilege and we asked Ontier to confirm its position on this, and they responded to @Shoosmiths 'we have urgently reviewed and analysed the email you provided and we can confirm the email on its face is dated the same as the one you provided but the one on..."
G: "...our system was received February 2024. We attach for your information the email saved on our system dated 2019, which was received on that date and sent in response to that email of that same date. We confirm that no link to the MYOB login was received in 2019 from CSW..."
G: "... in light of the above we reach the conclusion that the email [you provided in Ramona's chain] is not genuine. Please explain to us how you came to receive it. My Lord if you compare Ontier's version with the Ramona version you will see.."
G: "...again it is a 3 email chain. The one at the top is entirely different from the one [in the Ramona chain]. It is accepted that the privilege has fallen away and it has been provided to my learned friends and we submit it for further analysis"

Holy Crap another CSW forgery!
H: "We obviously aren't going to comment on that just yet"
W: "Could I just ask your Lordship for some time to take instructions. Could we have 20 minutes"
Mellor: "Sure, let's resit at 15:30"

Daaaaamn! CSW is fuuuuuuuucked!
tl;dr for anyone who got lost during those last few minutes:
1. CSW claimed @ontierllp had access to his MYOB in 2019, they said no 2020
2. Last week Ramona sent @Shoosmiths an email chain purporting to show Ontier had access in 2019
3. Ontier's email version was NOT that at all!
CSW's counsel begged Mellor for a break so they could take instruction on this matter

@dr_cswright is a clown. He submitted forged emails from his former counsel thinking this current counsel wouldn't check their authenticity!

It's 2015 forged @ato_gov_au emails all over again
I did NOT think we were going to see anything dramatic happening today, but when it comes to criminal rebate fraudster and conman @dr_cswright he'll even endeavour to shoot himself in the foot while a trial to establish who has the smoking gun is underway!

Just hilarious! 10/10!
and we are BACK!

CSW's counsel says he is NOT pursuing an application in respect of Mr Bryant and is NOT calling Placks or Lynch
H: "The only concern I would raise is that certain aspects of Dr Placks report were put to Mr Madden and that should be taken into account"
They are choosing to continue in the morning!

There generally seems to be something of a shell-shock about things. But here we are, another day done for CSW's demise.

⚡️tips to cryptodevil@getalby.com if you appreciate my work. Complaints to your Mom if you don't😁
