ELECTRONIC FRONTIER FOUNDATION

Bruce Schneier Deposition, in MPAA v. 2600

CA; July 9, 2000

See related files:
http://www.eff.org/IP/Video (EFF Archive)
http://cryptome.org/cryptout.htm#DVD-DeCSS (Cryptome Archive)
http://www.2600.com/dvd/docs (2600 Archive)
http://eon.law.harvard.edu/openlaw/dvd/ (Harvard DVD OpenLaw Project)



      1   UNITED STATES DISTRICT COURT

      2   SOUTHERN DISTRICT OF NEW YORK

      3
          UNIVERSAL CITY STUDIOS, INC.;
      4   PARAMOUNT PICTURES CORPORATION;
          METRO-GOLDWYN-MAYER, INC.; 
      5   TRISTAR PICTURES, INC.; COLUMBIA
          PICTURES INDUSTRIES, INC.; TIME
      6   WARNER ENTERTAINMENT CO.; L.P.;
          DISNEY ENTERPRISES, INC., and
      7   TWENTIETH CENTURY FOX FILM 
          CORPORATION,
      8
                             Plaintiffs,
      9
          vs.                               NO. 00 Civ. 0277   
     10                                             (LAK)

     11   ERIC CORLEY a/k/a "EMMANUEL
          GOLDSTEIN"; and 2600 ENTERPRISES,
     12   INC.,

     13                      Defendants.
          _______________________________/
     14

     15   DEPOSITION OF BRUCE SCHNEIER

     16   DATE:         July 9, 2000

     17   DAY:          Sunday

     18   TIME:         10:26 a.m.

     19   PLACE:        Weil, Gotshal & Manges
                        2882 Sand Hill Road, Suite 280
     20                 Menlo Park, California

     21   PURSUANT TO:  Subpoena      

     22   REPORTED BY:  Kim Meierotto, CSR No. 11602
          __________________________________________________
     23
          COMP-U-SCRIPTS
     24   OFFICIAL REPORTERS AND NOTARIES
          1101 South Winchester Blvd., Suite D-138
     25   San Jose, California 95128
          (408) 261-9795
                                                           1

               




      1   APPEARANCES:

      2   For the Plaintiffs:     PROSKAUER ROSE LLP
                                  BY:  CARLA M. MILLER,
      3                                ATTORNEY AT LAW
                                  1585 Broadway 
      4                           New York, NY 10036-8299
                                  (212) 969-3713
      5

      6   For the Defendants:     FRANKFURT GARBUS KURNIT      
                                  KLEIN & SELZ
      7                           BY:  EDWARD HERNSTADT,
                                       ATTORNEY AT LAW
      8                           488 Madison Avenue
                                  New York, NY 10022
      9                           (212) 826-5582

     10   and                     HUBER SAMUELSON
                                  BY:  ALLONN E. LEVY,
     11                                ATTORNEY AT LAW
                                  210 North Fourth Street
     12                           Suite 400
                                  San Jose, CA 95112
     13                           (408) 295-7034

     14
          The Videographer:       McMAHON & ASSOCIATES
     15                           BY:  JASON BUTKO
                                  One Almaden Boulevard
     16                           Suite 829 
                                  San Jose, CA 95113
     17                           (408) 298-6686

     18

     19

     20

     21

     22

     23

     24

     25

                                                           2

               




      1   INDEX OF EXAMINATIONS

      2                                            Page

      3   By Ms. Miller                              5

      4

      5

      6

      7   INDEX OF EXHIBITS 

      8   Plaintiffs'                              Page

      9   1    Subpoena of deponent                 21

     10   2    Article by deponent entitled         24
               "DVD Encryption Break is a Good
     11        Thing"

     12   3    Declaration of deponent              25

     13   4    Article by deponent entitled         27
               "'Key Finding' Attacks and
     14        Publicity Attacks"

     15

     16

     17

     18

     19

     20

     21

     22

     23

     24

     25

                                                           3

               




      1                         --oOo--

      2            THE VIDEOGRAPHER:  Good morning.  We're 

      3   going on the record.  The time on the screen is 

      4   10:30 a.m.

      5            Today's date is Sunday, July 9, 2000.  

      6   We're located at the offices of Weil, Gotshal & 

      7   Manges, 2882 Sand Hill Road, Menlo Park, California.

      8            This is Tape No. 1 of the deposition of 

      9   Bruce Schneier, case name Universal City Studios 

     10   versus Corley venued in the U.S. District Court, 

     11   Southern District of New York, Case No. 00 Civ. 

     12   0277.

     13            My name is Jason Butko, legal video 

     14   specialist and notary, representing McMahon & 

     15   Associates, One Almaden Boulevard, Suite 829, San 

     16   Jose, California 95113.

     17            The court reporter is from Comp-U-Scripts.  

     18   The court reporter is Kim Meierotto.

     19           Counsel, would you please identify yourself 

     20   starting with the questioning attorney.

     21            MS. MILLER:  Carla Miller from the law firm 

     22   of Proskauer Rose LLP in New York representing all 

     23   plaintiffs.

     24            MR. HERNSTADT:  Edward Hernstadt from 

     25   Frankfurt Garbus Kurnit Klein & Selz representing 

                                                           4

               




      1   the defendants.

      2            THE VIDEOGRAPHER:  You may proceed.  I'm 

      3   sorry.  Court reporter, can you please swear in the 

      4   witness.

      5   --oOo--

      6   BRUCE SCHNEIER,

      7             having been duly sworn by the 

      8             Certified Shorthand Reporter to tell   

      9             the truth, the whole truth, and        

     10             nothing but the truth, testified        

     11             as follows:

     12

     13            THE VIDEOGRAPHER:  You may proceed.

     14

     15                EXAMINATION BY MS. MILLER:

     16        Q.  Good morning, Mr. Schneier.

     17        A.  Hi.

     18        Q.  Have you ever been deposed before?

     19        A.  Nope.

     20        Q.  Have you ever testified in a court 

     21   proceeding?

     22        A.  No.

     23        Q.  Just so you understand, you're in a 

     24   deposition obviously.  The court reporter seated to 

     25   your right is taking down stenographically every 

                                                           5

               




      1   word that's being spoken here today as among myself, 

      2   you and Mr. Hernstadt.

      3            Just as a matter of procedure, because the 

      4   court reporter has to take down everything that you 

      5   and I say, I'll try my best to make sure that I do 

      6   not interrupt your answer with another question, and 

      7   also if you could make sure that if I'm in the 

      8   middle of a question, you don't start answering 

      9   until I'm finished with the question.

     10            Mr. Hernstadt, of course, will be here, and 

     11   he'll be making objections, and again, if we could 

     12   avoid talking over each other, I'm sure the court 

     13   reporter will appreciate that, and we'll have a much 

     14   cleaner transcript of everything that's said today.

     15            Are you currently employed, Mr. Schneier?

     16        A.  Yes.

     17        Q.  Where are you employed?

     18        A.  Company called Counterpane Internet 

     19   Security, Incorporated, here in San Jose.

     20        Q.  What's your role at Counterpane Internet?

     21        A.  My title is chief technology officer.  I'm 

     22   one of the founders of the company.

     23        Q.  Who are the other founders of the company?

     24        A.  The other founder's a man named Tom Rowley.

     25        Q.  Tom Rowley?

                                                           6

               




      1        A.  R-o-w-l-e-y.

      2        Q.  How long ago was Counterpane founded by 

      3   yourself and Mr. Rowley?

      4        A.  The company was founded approximately a 

      5   year ago.

      6        Q.  Is it a public company?

      7        A.  No, it is not.

      8        Q.  Are you a shareholder in the company?

      9        A.  Yes, I am.

     10        Q.  Is Mr. Rowley also a shareholder?

     11        A.  Yes, he is.

     12        Q.  Are there any other shareholders in the 

     13   company?

     14        A.  Yes, there are.

     15        Q.  Prior to founding Counterpane, were you 

     16   employed?

     17        A.  Yes, I was.

     18        Q.  Where were you employed?

     19        A.  I was president of another company called 

     20   Counterpane Systems.

     21        Q.  Where was Counterpane Systems located?

     22        A.  The company -- it's a hard question.  The 

     23   company had three employees, and we all worked out 

     24   of our homes.  So the company was located in 

     25   Illinois, although most of the people worked 

                                                           7

               




      1   elsewhere.

      2        Q.  When you say "the company was located in 

      3   Illinois," does that mean it was incorporated in 

      4   Illinois?

      5        A.  It was a sole proprietorship.  It was just 

      6   my company.

      7        Q.  Were you living in Illinois at the time?

      8        A.  Yes, I was.

      9        Q.  Who were the other three employees of 

     10   Counterpane Systems?

     11        A.  The other cryptographers were John Kelsey, 

     12   Chris Hall and Niels Ferguson.

     13        Q.  How long was Counterpane Systems in 

     14   existence?

     15        A.  I believe I formed it in 1993.

     16        Q.  Was working for yourself with Counterpane 

     17   Systems your sole employment from 1993 until about a 

     18   year ago?

     19        A.  Yes, it was.

     20        Q.  Prior to 1993, were you employed?

     21        A.  Yes.

     22        Q.  By whom?

     23        A.  AT&T Bell Laboratories.

     24        Q.  Where before AT&T did you work?

     25        A.  Naperville, Illinois.

                                                           8

               




      1        Q.  Midwesterner.  How long were you employed 

      2   by AT&T?

      3        A.  About a year.

      4        Q.  Were you employed as a cryptographer?

      5        A.  No, I was not.  I was employed as a systems 

      6   engineer.

      7        Q.  Prior to AT&T what was your employment?

      8        A.  I worked for a company called Intelligent 

      9   Resources Integrated Systems also in Illinois.

     10        Q.  What type of business is Intelligent 

     11   Resources engaged in?

     12        A.  They made video hardware for Macintosh 

     13   computers.

     14        Q.  What was your role in Intelligent 

     15   Resources?

     16        A.  I oversaw operations.

     17        Q.  What type of operations?  The company's 

     18   operations in general or a particular development of 

     19   the video hardware?

     20        A.  Engineering operations.  The development of 

     21   the hardware and things associated with that.

     22        Q.  Prior to Intelligent Resources Integrated 

     23   Systems, what was your employment?

     24        A.  I worked for the Department of Defense in 

     25   Washington, D.C.

                                                           9

               




      1        Q.  And how long were you employed by the 

      2   Department of Defense?

      3        A.  From 1984 through 1990 or '91.

      4        Q.  What did you do for the Department of 

      5   Defense?

      6        A.  That's classified.

      7        Q.  Was it in the field of cryptography, or can 

      8   you tell us?

      9        A.  It was in the field of communications.

     10        Q.  Prior to working for the Department of 

     11   Defense, what was your employment?

     12        A.  That was my first job.

     13        Q.  Was this your first job after completing 

     14   your education?

     15        A.  After getting my Bachelor's degree, yes.

     16        Q.  Where did you get your Bachelor's degree?

     17        A.  University of Rochester.

     18        Q.  In what field did you obtain a Bachelor's 

     19   degree?

     20        A.  Physics. 

     21        Q.  Did you obtain any other degrees after your 

     22   Bachelor degree?

     23        A.  I have a Master's of Science, of computer 

     24   science, from American University.

     25        Q.  And what year did you receive your 

                                                           10

               




      1   Bachelor of Science degree?

      2        A.  I received the degree in '85.

      3        Q.  What year did you receive your Master of 

      4   Science degree?

      5        A.  '86, I believe.

      6        Q.  But you said you began working for the 

      7   Department of Defense in 1984; is that correct?

      8        A.  Yes.

      9        Q.  So you began working for the Department of 

     10   Defense while you were still an undergrad?

     11        A.  I finished all my course work except one 

     12   class, so I sort of graduated, started working for 

     13   DOD, eventually graduated a year later.  So there's 

     14   an overlap in the time but not really in what I was 

     15   doing.

     16        Q.  Okay.  In the course of obtaining your 

     17   Master's degree in computer science, did you take 

     18   any courses in computer programming?

     19        A.  Yes.

     20        Q.  Did you obtain any proficiency in any 

     21   programming languages?

     22        A.  I did work in C and Pascal and LISP.

     23        Q.  Did you take any telecommunications courses 

     24   in the course of obtaining your Master of Science 

     25   degree?

                                                           11

               




      1        A.  I did not.

      2        Q.  What is the current address for Counterpane 

      3   Internet, your current company?

      4        A.  3031 Tisch Way, T-i-s-c-h, Suite 100 Plaza 

      5   East, San Jose, California.

      6        Q.  In what type of business is Counterpane 

      7   Internet engaged?

      8        A.  We do managed security monitoring.  We do 

      9   Internet security for organizations.

     10        Q.  What does that entail, "Internet 

     11   security"?

     12        A.  What we do is we monitor our customers' 

     13   Internet networks against intrusions.  So we provide 

     14   basically a monitoring service where we will watch a 

     15   customer's network and look for attacks, intrusions 

     16   and alert the customer.

     17        Q.  Is it fair to say you're like a burglar 

     18   alarm service, a high-tech service?

     19        A.  A burglar alarm is the kind of analogy we 

     20   like to use.

     21        Q.  And how many employees does Counterpane 

     22   Internet have?

     23        A.  Approximately a hundred.

     24        Q.  And apart from monitoring the customer's 

     25   Internet security, does Counterpane provide any

                                                           12

               




      1   security -- strike that -- provide any security 

      2   solutions for Internet businesses?

      3        A.  Monitoring is in itself a solution.  

      4   Detection response we feel is a solution to Internet 

      5   security and in a lot of cases a much better 

      6   solution than prevention.

      7        Q.  Does it provide any prevention solutions in 

      8   terms of actual security systems' products?

      9        A.  We don't provide products.  We monitor 

     10   other companies' products.

     11        Q.  How many customers, if you know, does 

     12   Counterpane Internet have?  What's the customer 

     13   base?

     14        A.  We don't release that number.  Many of our 

     15   customers prefer not to be named.

     16        Q.  I'm not asking you for the name but for the 

     17   customer base.  But you said you don't release the 

     18   actual number of customers either?

     19        A.  Yes.

     20        Q.  Do you have an up-to-date resume or 

     21   curriculum vitae, Mr. Schneier?

     22        A.  The best is on my Web site.  I don't have a 

     23   paper copy with me. 

     24        Q.  What is the URL for the Web site that you 

     25   just referred to?

                                                           13

               




      1        A.  Www.counterpane.com.  Then follow the link 

      2   to "about us" and then find my name. 

      3        Q.  Now as you understand it, you've been asked 

      4   to testify as an expert witness in this lawsuit; is 

      5   that your understanding?

      6        A.  That's my understanding.

      7        Q.  Does your involvement in this case call 

      8   upon any special skills or knowledge that you have?

      9        A.  I guess I don't know yet.  I assume so.

     10        Q.  Were you asked to provide any special 

     11   skills in your testimony -- strike that.

     12            Were you asked to rely on any special 

     13   skills you have in providing your testimony in this 

     14   case?

     15        A.  I was asked to talk about cryptography 

     16   research, so presumably talking about that relies on 

     17   my knowledge and skills as a cryptography 

     18   researcher.

     19        Q.  How long would you say you've been a 

     20   cryptography researcher?

     21        A.  I would say in the academic arena, in the 

     22   public arena, since 1992.

     23        Q.  What's involved in being a cryptography 

     24   researcher?

     25        A.  A lot of mathematics.

                                                           14

               




      1        Q.  Would you say that that's the only skill 

      2   involved or specialized training that one would need 

      3   to be a cryptography researcher?

      4        A.  Cryptography is really a subset of 

      5   mathematics.  It involves a lot of mathematical 

      6   disciplines.  It involves a mindset of making and 

      7   breaking systems. 

      8        Q.  Now if I decided that I wanted to be a 

      9   cryptographer, what type of training would you 

     10   advise me to undertake in terms of educational 

     11   background course work and university?

     12        A.  Sort of two areas I would advise.  There 

     13   are certain classes in mathematics.  Some 

     14   universities actually have specialties in 

     15   cryptography, so you can take courses in 

     16   cryptographic mathematics.  There are other general 

     17   mathematic courses that are useful.

     18            More importantly is to practice.  It's 

     19   easier to teach the mathematics than the mindset.  

     20   The mindset of looking at a system and figuring out 

     21   how to break it and then by learning how to break it 

     22   how to fix it and how to make it better, that's 

     23   something you can really only learn through practice 

     24   by doing it again and again.

     25        Q.  How would you characterize that mindset so 

                                                           15

               




      1   I understand what sort of mindset is generally 

      2   required?

      3        A.  It's a mindset of looking at systems and 

      4   figuring out how to get around them.  It's the kind 

      5   of mindset that would walk into a building and look 

      6   at the security system and see, I think there are 

      7   some weaknesses here.  It's a mindset of looking at 

      8   a piece of mathematics and saying, this doesn't do 

      9   what the designer thought it did.

     10            So it's a mindset of looking for holes in 

     11   systems.  In cryptography it's mathematical systems.

     12        Q.  Is it fair to say that just one general 

     13   personality trait that might benefit a cryptographer 

     14   is curiosity?

     15        A.  Curiosity is good.  I've also been asked by 

     16   many people what does it take to be a cryptographer, 

     17   and I did write an essay on this topic.  It's on my 

     18   Web site.  It's called "So You Want to be a 

     19   Cryptographer," and I talk about some of this.  It's 

     20   hard to quantify.

     21            When I did consulting I would try to figure 

     22   out who would be the right people to hire.  I'm not 

     23   sure there are traits I can point to and say these 

     24   are the exact traits.  I know it when I see it, but 

     25   it's very hard to divide into components.

                                                           16

               




      1        Q.  What did you look for when you were looking 

      2   for people to hire as you just testified to?  

      3        A.  People who had done it.  What I was looking 

      4   for as someone running a consulting company was not 

      5   someone I could train but someone who had already 

      6   exhibited proficiency in breaking systems, in fixing 

      7   systems, in cryptography, in mathematics.

      8            Writing ability.  A lot of what we are 

      9   doing is writing papers and reports explaining what 

     10   we've done.  Good interpersonal skills because we're 

     11   often talking to people about the work we've done.  

     12   So I looked for more finished products than people I 

     13   could train.

     14        Q.  So more experience than -- now you also 

     15   mentioned that some universities have specialized 

     16   course work in cryptography.  Does American 

     17   University have specialized course work in 

     18   cryptography, if you know?

     19        A.  It did not when I went there.

     20        Q.  Does the University of Rochester?

     21        A.  It did not when I went there.

     22        Q.  Do either one of those universities now if 

     23   you know have specialized course work?

     24        A.  I don't know.

     25        Q.  What are some of the universities that 

                                                           17

               




      1   you're aware of that have specialized course work in 

      2   cryptography?

      3        A.  MIT does.  University of California -- I'm 

      4   sorry -- Stanford University, University of 

      5   California-Davis, University of Waterloo, Cambridge 

      6   University in the U.K., L'École Normale Supérieure 

      7   in Paris, a university in Belgium that I can't 

      8   pronounce.  And there are others.

      9        Q.  When were you first approached about 

     10   getting involved in this lawsuit?

     11        A.  Sometime in the spring.

     12        Q.  In the spring of 2000?

     13        A.  Spring of 2000.

     14        Q.  Do you have any recollection of what 

     15   specific month?

     16        A.  I really don't.  I'm sure it was before my 

     17   signed documents, so we can work backwards from 

     18   there.

     19        Q.  How were you contacted about getting 

     20   involved in this case?

     21        A.  Either by phone or e-mail.

     22        Q.  You don't recall which?

     23        A.  I do not.

     24        Q.  Who contacted you?

     25        A.  Some attorney.

                                                           18

               




      1        Q.  You don't recall a name?

      2        A.  No. 

      3        Q.  Do you recall the name of the law firm?

      4        A.  That would be harder than the name of a 

      5   person.

      6        Q.  Was it Mr. Hernstadt?

      7        A.  It might have been.  I actually don't 

      8   remember.

      9        Q.  You don't know.  You say you think it was 

     10   either by phone or by e-mail that you were first 

     11   contacted.  If it was by e-mail, would you have 

     12   saved that e-mail?

     13        A.  No, I would not have.

     14        Q.  But you don't know if it was by e-mail?

     15        A.  I don't remember.  I really don't.

     16        Q.  Do you recall anything about this initial 

     17   conversation with the attorney you can't recall who 

     18   asked you to get involved in the case?  What was the 

     19   substance of the conversation?

     20        A.  I don't remember, but presumably I was 

     21   asked if I would write a declaration.

     22        Q.  And did you do that?

     23        A.  I did.

     24        Q.  To whom did you send that declaration once 

     25   it was written?

                                                           19

               




      1        A.  This was done by e-mail, and I probably -- 

      2   I sent it to either whoever the attorney was who 

      3   contacted me or whoever I spoke to afterwards.

      4        Q.  But you have no idea who it was sent to?

      5        A.  I don't remember.  It might have been Ed, 

      6   but I actually don't remember.

      7        Q.  Apart from the declaration that you 

      8   prepared and submitted in this case, have you 

      9   prepared any other reports for submission to the 

     10   court at trial?

     11        A.  I have not.

     12        Q.  Have you been asked to prepare any 

     13   additional reports other than your declaration?

     14        A.  I have not.

     15        Q.  As far as you know, will you be testifying 

     16   in the trial of this case?

     17        A.  I believe I will be.

     18        Q.  You have been asked to testify at trial?

     19        A.  We've talked about testifying.

     20        Q.  Who have you talked to about testifying?

     21        A.  Ed.

     22        Q.  When was the last time you talked to Ed 

     23   about testifying?

     24        A.  I don't know.  Maybe a couple weeks ago, 

     25   last week.  Dates were being discussed, and I gave 

                                                           20

               




      1   my calendar.

      2        Q.  Trial dates or dates for this deposition 

      3   that you're testifying in today?

      4        A.  Trial dates.

      5        Q.  Are you being compensated for your 

      6   involvement in this case?

      7        A.  I am not.

      8        Q.  If you are to testify in the trial of this 

      9   case in New York, has anyone offered to pay your 

     10   travel expenses for going there?

     11        A.  No one has.

     12        Q.  Let me show you a document, Mr. Schneier,  

     13   I'd like to first have marked as Exhibit 1.

     14            (Plaintiffs' Exhibit No. 1 is marked.) 

     15   BY MS. MILLER:

     16        Q.  If you can take a moment and flip through 

     17   that and tell me once you've had an opportunity to 

     18   look through it.

     19        A.  (Reviewing document.)

     20            Okay.

     21        Q.  Have you ever seen this document before, 

     22   Mr. Schneier?

     23        A.  No.

     24        Q.  Ever seen a document that looks like this?

     25        A.  Probably.

                                                           21

               




      1        Q.  In connection with this case?

      2        A.  No.

      3        Q.  So you have seen, you think, a subpoena 

      4   before in your life but not a subpoena directed to 

      5   you for your testimony in this case?

      6        A.  That is correct.

      7        Q.  Now, in preparing your declaration that's 

      8   been submitted in this case, did you look at any 

      9   documents or materials?  When I use the word 

     10   "document," I mean it in the broadest possible 

     11   sense, like Internet Web sites or Web pages, DVDs, 

     12   anything that you might have looked at in preparing 

     13   the declaration that you submitted.

     14        A.  Yes.

     15        Q.  What documents were those?

     16        A.  The declaration came out of an essay I 

     17   wrote in November about the DVD copy protection 

     18   scheme and the breaking of it that appeared in a 

     19   newsletter I publish.  So I relied on the essay I 

     20   wrote to write the declaration.

     21            In writing the essay and the declaration, I 

     22   looked at a variety of documents on the Web on the 

     23   DVD copy protection scheme, on the DeCSS program, on 

     24   the cryptographic algorithm and on a variety of the 

     25   politics associated with the system and its 

                                                           22

               




      1   breaking.

      2        Q.  Can you tell me specifically in those 

      3   categories of documents you just described which 

      4   documents in particular you looked at or which 

      5   Internet Web sites one might go to to look at those 

      6   same documents that you looked at in preparing your 

      7   declaration?

      8        A.  I can't.  At the end of the essay I wrote

      9   in mid November I gave a list of URLs I found 

     10   particularly interesting or illuminating.  Those I 

     11   can produce.  The other ones I looked at I have no 

     12   idea.  I used a search engine.  I followed links.  I 

     13   did my research online, and I only kept records of 

     14   the stuff that I thought was particularly useful.

     15        Q.  And those things that you found 

     16   particularly useful in conducting your online 

     17   research, those are the links that you just 

     18   testified about that would appear at the end of the 

     19   essay you wrote in November?

     20        A.  It's not a complete list.  I do a

     21   newsletter every month, and I write a number of 

     22   articles on security topics.  And at the end I like 

     23   to give a list of links that the reader might want 

     24   to follow up.

     25            So this list is not the total of everything 

                                                           23

               




      1   I found that's interesting.  It's a subset of what I 

      2   thought the reader of the essay might find 

      3   interesting and links he might want to follow to get 

      4   more information.

      5            (Plaintiffs' Exhibit No. 2 is marked.) 

      6   BY MS. MILLER:

      7        Q.  Mr. Schneier, I've just -- or the court 

      8   reporter has just handed you what we've marked as 

      9   Schneier Exhibit 2, and it appears to be an article 

     10   entitled "DVD Encryption Break is a Good Thing" by 

     11   Bruce Schneier.  It says "Special to ZDNet" and 

     12   dates -- or it's dated November 16th, 1999.

     13            Is this the essay that you just referred 

     14   to?

     15        A.  This is a similar essay.  The essay I'm 

     16   referring to appeared in my newsletter on November 

     17   15th.  This is almost the same essay.  There's some 

     18   minor differences that appeared on the ZDNet Web 

     19   site.  This version does not include the links, and 

     20   there are probably other minor additions or 

     21   changes.  I forget.  I know they're not identical, 

     22   but they're very similar.

     23        Q.  Your essay that appears on your Counterpane 

     24   Web site in the November 15th edition of your 

     25   newsletter is the one you actually looked at and 

                                                           24

      1   relied upon in preparing your declaration in this 

      2   case?

      3        A.  Yeah.  That's the later one.  I believe 

      4   this is an earlier draft of that.  Even though it 

      5   appeared later, it was submitted to ZDNet earlier.

      6            (Plaintiffs' Exhibit No. 3 is marked.) 

      7   BY MS. MILLER:

      8        Q.  Mr. Schneier, you've just been handed 

      9   what's been marked as Schneier declaration 

     10   Exhibit 3 -- pardon me -- Deposition Exhibit 3.

     11            Is this the declaration that you prepared 

     12   for this case?

     13        A.  Yes, it is.

     14        Q.  The day of this declaration just flipping 

     15   to the last page is April 28th, 2000; is that 

     16   correct?

     17        A.  That's what it says.

     18        Q.  So earlier you testified that you believe 

     19   you were approached to participate in this case 

     20   sometime before obviously the submission of this 

     21   declaration, and I'm looking at the date of the 

     22   declaration.  Does that help refresh your 

     23   recollection as to when you might have been first 

     24   contacted about getting involved in the case?

     25        A.  Presumably it was before April 28th.

                                                           25

      1        Q.  You still don't know --

      2        A.  I'm sorry.

      3        Q.  -- whether it was two weeks before?  Three 

      4   weeks before?

      5        A.  I remember it being a pretty fast 

      6   turnaround, but no.  It was probably not more than a 

      7   few weeks before.

      8        Q.  Okay.  Did the person that contacted you 

      9   about getting involved in the case, did they 

     10   indicate that they had seen your previous essay on 

     11   the DVD encryption break?

     12        A.  I remember being contacted because of that 

     13   essay.

     14        Q.  Okay. 

     15        A.  Because the opinions in that essay were 

     16   germane to the case.

     17        Q.  Now, I want to ask you something about -- 

     18            THE VIDEOGRAPHER:  Going off the record.  

     19   The time is 11:05. 

     20            (Break taken.) 

     21            THE VIDEOGRAPHER:  We're back on the 

     22   record.  The time is 11:09.  You may proceed.

     23   BY MS. MILLER:

     24        Q.  Mr. Schneier, I believe we just marked as 

     25   Exhibit 3 your declaration in this case.

                                                           26

      1            MS. MILLER:  Can you read back the last 

      2   question please.

      3            (Record read.)

      4   BY MS. MILLER:

      5        Q.  Now I want to ask you some questions about 

      6   how this declaration was drafted, Mr. Schneier.  Did 

      7   you actually type the declaration yourself?

      8        A.  I don't remember.  I believe what happened 

      9   was that one of the attorneys took my essay, put it 

     10   in this form numbering the paragraphs, and then I 

     11   added stuff, deleted stuff and made modifications 

     12   based on what I wanted to say in the case.

     13        Q.  Okay.  So the first time that you saw a 

     14   draft of the document that eventually became your 

     15   declaration, was that after the attorney had typed 

     16   it up in the format with the paragraph numbers using 

     17   the information in your essay?

     18        A.  One would hope the attorney wouldn't be 

     19   dumb enough to type it.  What I saw was my essay, 

     20   the identical essay, just with the paragraphs 

     21   numbered.  So my assumption is that someone took the 

     22   document off the Web, didn't change words, put it in 

     23   this format and said, "Here, start."

     24        Q.  Okay.  But that's your assumption just 

     25   based on, as you said, your view that no one would 

                                                           27

      1   be dumb enough to just sit there and retype your 

      2   essay?

      3        A.  And the fact that all the words were the 

      4   same.

      5        Q.  You just answered my question for me. 

      6        A.  I think that's my job.

      7        Q.  You're right.  Now when you were first sent 

      8   an initial draft of this declaration from the 

      9   attorney, was that transmitted to you by e-mail?

     10        A.  Yes, it was.

     11        Q.  Do you recall?  Did you save that e-mail?

     12        A.  I did not.

     13        Q.  Did you save the document attached to the 

     14   e-mail?

     15        A.  I did not.

     16        Q.  Do you recall at this point the name of the 

     17   person that would have e-mailed you the document?

     18        A.  I don't.  It might have been Ed, but I 

     19   actually don't remember.

     20        Q.  Once you got the e-mail with the draft 

     21   document, did you call anyone to discuss the draft?

     22        A.  I either called or sent e-mail, and 

     23   conversations did occur either by phone or e-mail.

     24        Q.  But you don't recall one way or the other?

     25        A.  Phone and e-mail are pretty much the same 

                                                           28

      1   in my mind.

      2        Q.  Okay.  But of course you can't keep a 

      3   documentary record of a phone call; is that correct?

      4        A.  You cannot.  And I don't keep a documentary 

      5   record of e-mail.

      6        Q.  How many drafts did this declaration go 

      7   through before you finally signed it?  Do you 

      8   recall?

      9        A.  I don't remember.  Not very many.

     10        Q.  Five?

     11        A.  Possibly five, possibly less.  Probably not 

     12   more but possibly more.

     13        Q.  Not more than five?

     14        A.  Or maybe more than five.  I honestly don't 

     15   remember.  Certainly not hundreds.

     16        Q.  Could it have been ten?

     17        A.  Probably not as many as ten.

     18        Q.  So could have been more than five but 

     19   probably not as many as ten?

     20        A.  Um-hum, yes.

     21        Q.  And you said that it could have been Ed 

     22   that sent you the drafts of the declaration?

     23        A.  Yeah.  I do not remember, but it certainly 

     24   could have been him.

     25            MS. MILLER:  Mr. Hernstadt, if in fact it 

                                                           29

      1   was you that sent the draft declarations or someone 

      2   from your firm that sent the draft declarations to 

      3   Mr. Schneier, I'd like to call for the production of 

      4   those drafts if they exist at this time.

      5            MR. HERNSTADT:  We will take it under 

      6   advisement.

      7            MS. MILLER:  Thank you.  And, of course, 

      8   any e-mails that accompanied the drafts. 

      9   BY MS. MILLER:

     10        Q.  Do you recall, Mr. Schneier, over what 

     11   period of time these drafts were transmitted back 

     12   and forth between yourself and whomever you were 

     13   sending them to?  Was it a week?

     14        A.  No, I don't remember.  Presumably it was 

     15   days before it was signed.

     16        Q.  When did you first hear about DeCSS?

     17        A.  Sometime between October 15th and November 

     18   15th.

     19        Q.  How did you hear about it?

     20        A.  Don't remember.

     21        Q.  Was it over the Internet?

     22        A.  Most likely.

     23        Q.  Do you know whether it was on a 

     24   news-oriented Web site or in a chat room?

     25        A.  It wouldn't be a chat room.  It might have 

                                                           30

      1   been a news-oriented Web site.  It might have been a 

      2   personal e-mail.

      3        Q.  It might have been a personal e-mail.  What 

      4   is your understanding of what DeCSS does?

      5        A.  Is that DeCSS?

      6        Q.  DeCSS.

      7        A.  DeCSS.  DeCSS is a program that removes the 

      8   obfuscation and scrambling of DVDs.

      9        Q.  Have you ever used DeCSS?

     10        A.  I have never used it.

     11        Q.  Have you ever seen the source code for 

     12   DeCSS?

     13        A.  I have never seen source code.

     14        Q.  And how did you gain the understanding 

     15   that you just testified to of what DeCSS does, if 

     16   you recall?

     17        A.  I read it off other people's writings and 

     18   essays and research papers.

     19        Q.  Do you recall any of the people's essays or 

     20   writings or research papers that you read?

     21        A.  The only one that I recall, although the 

     22   list of URLs in my essay is probably a good list,  

     23   is the -- 

     24        Q.  I'm sorry.  That's the November 15th essay 

     25   that's on your Web site?

                                                           31

      1        A.  I'm sorry, yes.

      2        Q.  Was the most complete essay that you wrote?

      3        A.  Yes.  There is one paper that was written 

      4   by someone who actually did the cryptanalysis of the 

      5   encryption algorithm.

      6        Q.  Do you remember that person's name?

      7        A.  I do not.  But if I saw it, I would say, 

      8   yeah, that's him.

      9        Q.  Do you know the name Frank Stevenson?

     10        A.  That's him.

     11        Q.  Have you ever spoken to Mr. Stevenson 

     12   personally, or did you just read something that he 

     13   had written?

     14        A.  I just read that one thing he had written.  

     15   I had never heard from him before, and I have not 

     16   heard from him since.  

     17        Q.  Had you heard of him before?

     18        A.  I had not heard of him before.

     19        Q.  When did you first hear about CSS?

     20        A.  At the same time I heard about --

     21            MR. HERNSTADT:  Objection.  Assumes facts 

     22   not in evidence.

     23   BY MS. MILLER:

     24        Q.  Had you heard of CSS?

     25        A.  Yes.

                                                           32

      1        Q.  When was the first time you heard of CSS?

      2        A.  At the same time I heard of DeCSS.

      3        Q.  This would have been sometime between 

      4   October 15th and November 15th of 1999 as you've 

      5   testified?

      6        A.  That is correct.

      7        Q.  Now before that period of time -- and by

      8   "that period of time" I mean October 15th to 

      9   November 15th, 1999 -- did you know anything about a 

     10   security system put in place to protect DVD content?

     11        A.  I knew something that this was happening.  

     12   I had done some consulting for companies who had 

     13   video content to protect, and so I was familiar with 

     14   the class of systems, their security properties, how 

     15   they might work, how they might fail.  I knew 

     16   nothing about the particular CSS system, exactly how 

     17   it worked and exactly its flaws.

     18        Q.  What companies did you do this consulting 

     19   work for that had digital content that you just 

     20   testified to?

     21        A.  Counterpane keeps its customer list 

     22   confidential.

     23        Q.  But this was in connection with Counterpane 

     24   Internet or Counterpane Systems?  

     25        A.  This is in connection with Counterpane 

                                                           33

      1   Systems, and this was several years ago, probably 

      2   before the CSS system was developed.

      3        Q.  Do you know when the CSS system was 

      4   developed?

      5        A.  No.  I'm guessing.

      6        Q.  So you don't really know whether this was 

      7   before the CSS system was developed?

      8        A.  No.

      9        Q.  Do you have an understanding now of how 

     10   CSS, or the content scrambling system, operates?

     11        A.  I have an understanding based on documents 

     12   I've read, yes.

     13        Q.  What documents have you read to gain that 

     14   understanding?

     15        A.  Again, documents I produced before writing 

     16   my essay in mid November including that 

     17   cryptanalysis paper we mentioned earlier.

     18        Q.  Do you know who the authors of DeCSS are?

     19        A.  I do not.

     20        Q.  A moment ago I believe you testified that 

     21   it was your understanding that DeCSS removes the 

     22   obfuscation and scrambling of DVDs.  Are you aware 

     23   of any other functions that it performs?

     24        A.  I am not.

     25        Q.  Have you ever seen or examined the object 

                                                           34

      1   code for DeCSS?

      2        A.  I have not.

      3        Q.  Have you ever visited a Web site with the 

      4   URL www.2600.com?

      5        A.  Yes, I have.

      6        Q.  When was the first time you visited the 

      7   2600.com Web site?

      8        A.  I don't remember.  It was several years 

      9   ago.

     10        Q.  So you were familiar with the 2600.com Web 

     11   site before your involvement in this case?

     12        A.  Yes, I was.

     13        Q.  Have you ever met Mr. Eric Corley?

     14        A.  Yes, I have.

     15        Q.  When was the first time you met him?

     16        A.  It was several years ago.  I believe it was 

     17   at a hackers conference.  I do not remember which 

     18   one.

     19        Q.  Do you remember where the hackers 

     20   conference took place?

     21        A.  Either in New York or Las Vegas since those 

     22   are the only two cities and conferences I've been to 

     23   that are hackers conferences.

     24        Q.  That would stand to reason.  Was that the 

     25   only time you met Mr. Corley?

                                                           35

      1        A.  I believe I met him several times.

      2        Q.  When was the last time you saw Mr. Corley?

      3        A.  Again, I don't remember.  It was at some 

      4   conference also.

      5        Q.  Okay.  Was it after this lawsuit was filed?

      6        A.  No, no.  It was before that.

      7        Q.  Have you spoken to Mr. Corley since this 

      8   lawsuit has been filed?

      9        A.  I have not.

     10        Q.  Have you exchanged any e-mails with 

     11   Mr. Corley since this lawsuit has been filed?

     12        A.  I believe he sent me an e-mail thanking me 

     13   for the declaration, but I don't remember exactly.

     14        Q.  Would you have saved that e-mail if in fact 

     15   you sent it?

     16        A.  I might have.  Probably not but possible.

     17            MS. MILLER:  Mr. Hernstadt, if it is at all 

     18   possible that Mr. Schneier saved that e-mail, I'd 

     19   like you to check.  And if so, I would like to call 

     20   for production of the e-mail between Mr. Corley and 

     21   Mr. Schneier.

     22            MR. HERNSTADT:  The e-mail saying, "Thank 

     23   you for your declaration"?

     24            MS. MILLER:  I don't know that that's what 

     25   the e-mail says.  I doubt that you know that that's 

                                                           36

      1   what the e-mail says.

      2            MR. HERNSTADT:  That's what Mr. Schneier 

      3   said it said, but we will take it under advisement.

      4            MS. MILLER:  Thank you.

      5            MR. HERNSTADT:  Sure.

      6   BY MS. MILLER:

      7        Q.  Were you told anything about Mr. Corley's 

      8   activities which gave rise to this lawsuit?

      9        A.  I was not.

     10        Q.  Have you ever seen the Complaint that's 

     11   filed in this lawsuit by the plaintiffs?

     12        A.  I saw it.  I skimmed it.  I didn't read it.

     13        Q.  How did you see it?

     14        A.  I believe I went to the Web and found it.

     15        Q.  Do you remember what Web site you found it 

     16   on?

     17        A.  I do not.

     18        Q.  How long ago did you skim the Complaint?

     19        A.  Around the same time I wrote the 

     20   declaration.

     21        Q.  Did you -- strike that.

     22            When was the last time that you visited the 

     23   2600.com Web site if you recall?

     24        A.  I think a couple of weeks ago.

     25        Q.  Have you ever heard of a Digital Millennium 

                                                           37

      1   Copyright Act?

      2        A.  Yes, I have.

      3        Q.  Did you at any time, Mr. Schneier, testify 

      4   before Congress in connection with the legislative 

      5   process involved in enacting the Digital Millennium 

      6   Copyright Act?

      7        A.  I did not.

      8        Q.  Did you write any essays during the time 

      9   that Congress was considering passing the Digital 

     10   Millennium Copyright Act stressing a point of view 

     11   about that law?

     12        A.  I did.

     13        Q.  If I wanted to find those essays, where 

     14   would I go to find them?

     15        A.  They would be on the Counterpane Web site 

     16   in the Crypto-Gram archives.

     17        Q.  When was the Digital Millennium Copyright 

     18   Act passed if you know?

     19        A.  I do not remember.  If you could refresh me 

     20   with that date, I could put other things in context.

     21        Q.  If I was to represent to you that it was 

     22   enacted in 1998, would that seem consistent with 

     23   your recollection in terms of the general time frame 

     24   or how long ago?

     25        A.  Yes.

                                                           38

      1        Q.  So if we proceed on the assumption that it 

      2   was passed in 1998, that's fine for you?

      3        A.  Yeah.  Actually, do you have a month? 

      4        Q.  Now you're testing me.  I believe it was 

      5   actually October or November.

      6            MR. HERNSTADT:  October.

      7   BY MS. MILLER:

      8        Q.  Now did you review any drafts of the 

      9   Digital Millennium Copyright Act in conjunction with 

     10   preparing the essay you wrote about it?

     11        A.  Yes, I did.

     12        Q.  Did you ever review the final bit of 

     13   legislation as signed by President Clinton?

     14        A.  Yes, I did.

     15        Q.  Do you recall any differences between the 

     16   draft legislation that you reviewed around the time 

     17   that you wrote your essay and what was finally 

     18   enacted by Congress?

     19        A.  I believe there are several differences, 

     20   and I reviewed several different drafts, and I also 

     21   probably wrote several different essays.

     22        Q.  The first essay that you wrote about the 

     23   Digital Millennium Copyright Act, did you express any 

     24   concerns about the Act and its provisions and how 

     25   that might impact people that do the type of work 

                                                           39

      1   that you do?  By that I mean encryption research.

      2        A.  I do not remember the contents of the 

      3   essays.  I would have to look them up to refresh my 

      4   memory.  It is likely that I would have expressed 

      5   concern over the Act and the stifling effect that it 

      6   would have on cryptographic and security research.

      7        Q.  And what in your view was that stifling 

      8   effect at the time that you wrote the essay?

      9        A.  The Act, because of its prohibition against 

     10   circumvention and reverse engineering, would serve 

     11   to limit the research cryptographers and computer 

     12   security scientists could do.  It would limit their 

     13   ability to analyze systems, to study systems, to 

     14   learn from systems and to teach others about the 

     15   security of systems.

     16            MR. HERNSTADT:  Let me just intercede at 

     17   one point that Mr. Schneier's testifying from his 

     18   personal opinion.  He's not testifying as a lawyer 

     19   and about the legal meaning of the Act but merely 

     20   his understanding, his personal understanding, of 

     21   the Act.

     22            MS. MILLER:  I understand that.  I haven't 

     23   asked you any questions about what your legal -- 

     24   what the legal meaning is of the Act.  I understand 

     25   that you're not -- 

                                                           40

      1            THE WITNESS:  In the time period we were 

      2   talking about, there was no actual law.  These were 

      3   just drafts.

      4   BY MS. MILLER:

      5        Q.  When was the last time you looked at the 

      6   final legislation?

      7        A.  It was soon after it was passed.

      8        Q.  From the time that you originally expressed 

      9   concerns about, as you said, the prohibitions 

     10   against reverse engineering to the final draft of 

     11   the legislation, do you recall whether any of those 

     12   prohibitions were removed?

     13        A.  I believe they were not.  I believe wording 

     14   was changed, but I believe basically the 

     15   prohibitions remained.  Again, I would have to 

     16   refresh myself by looking at the actual law and the 

     17   drafts if I could find them.

     18        Q.  And the last time you looked at the final 

     19   legislation as passed was shortly after it was 

     20   passed?

     21        A.  Yes.  Although if you showed me an essay I 

     22   wrote between then and now that mentioned it, I 

     23   certainly would not be surprised.  I do not recall 

     24   writing any such.

     25        Q.  In the final version of the -- I'm just 

                                                           41

      1   going to refer to it from here on out as the "DMCA" 

      2   because the "Digital Millennium Copyright Act" is 

      3   quite a mouthful -- in the final version of the DMCA 

      4   that you reviewed after it was passed, do you recall 

      5   seeing any specific exemptions for 

      6   reverse-engineering activities?

      7        A.  I don't remember.  At some point during the 

      8   process there were exemptions for compatibility 

      9   purposes.  I forget if they were struck.  I believe 

     10   the exemption for research purposes is still there, 

     11   but I remember it being very narrowly defined and 

     12   the burden of proof put on the researcher.

     13            Again, I forget if this stayed or if it 

     14   left.  Unfortunately when I was working on this and 

     15   writing about this, it was a while ago, and I've 

     16   since then forgotten.  If I was to write about this 

     17   again, I would have to refresh my memory.

     18        Q.  Now when you said the research exemption, 

     19   were you referring to an encryption research 

     20   exemption, or what type of a research exemption were 

     21   you referring to?

     22        A.  It was either an exemption for crypto 

     23   research or for security research, but there was an 

     24   exemption for researching the effectiveness of these 

     25   security systems for which reverse engineering was 

                                                           42

      1   prohibited.

      2        Q.  I see.  And in viewing the final version of 

      3   the DMCA as enacted and that research exemption that 

      4   you just testified about, were you satisfied that

      5   your initial concerns in looking at earlier drafts 

      6   of the legislative -- strike that -- of the 

      7   legislation had been addressed?

      8        A.  I was -- 

      9            MR. HERNSTADT:  Object to the form of the 

     10   question.  It's vague.

     11            Go ahead.  You can answer.

     12            THE WITNESS:  I was definitely unsatisfied.

     13   BY MS. MILLER:

     14        Q.  And why were you unsatisfied?

     15        A.  Because I felt that the provisions in the 

     16   law as it remained would still have the same 

     17   stifling effect on research that I foretold when I 

     18   first heard about the law and the provision.

     19        Q.  What in your view was that stifling effect?

     20        A.  What the law does as far as I know from my 

     21   understanding is that it makes it very difficult if 

     22   not impossible to take an existing security system, 

     23   reverse engineer it, study it, publish the results 

     24   of that study and thereby learn from the mistakes 

     25   made by the people who designed it.

                                                           43

      1        Q.  And how was the understanding that you just 

      2   testified to derived?

      3        A.  The understanding of the mistakes -- the 

      4   understanding of the details of a security system 

      5   are derived from learning how it works, studying how 

      6   it works and figuring out how to break it.

      7            MR. HERNSTADT:  Was that what you were 

      8   asking, or were you asking about his understanding 

      9   of the DMCA?

     10            MS. MILLER:  I'll get to both.

     11            MR. HERNSTADT:  Okay.  Let me make a very 

     12   delayed objection to the form of the question as 

     13   being unclear.

     14            MS. MILLER:  I know that you're objecting 

     15   to the question but to his answer -- I'll ask 

     16   another question.

     17            MR. HERNSTADT:  The answer is fine, but 

     18   that just made me realize I thought that you were 

     19   asking something else, and then I realized the 

     20   question could have been asking either so -- 

     21            MS. MILLER:  Could you read back the 

     22   witness' last answer please.

     23            (Record read.)

     24   BY MS. MILLER:

     25        Q.  Mr. Schneier, my question actually was, how 

                                                           44

      1   is your understanding of the research exemption in 

      2   the DMCA derived?

      3        A.  My understanding back then was derived from 

      4   reading it and talking to other people who were 

      5   involved in lobbying and speaking about it.

      6        Q.  Okay.  Do you remember the names of any of 

      7   the other people that you talked to that were 

      8   involved in lobbying and speaking about it?

      9        A.  I do not.  The CCIA -- I forget what that 

     10   stands for -- was involved in lobbying, and I did 

     11   have contact with them.  And then anybody else who 

     12   was likely to talk about it at conferences I'm at, 

     13   I'm likely to hear their opinions.

     14            And the EFF and EPIC are two organizations 

     15   whose opinions if they were written I would have 

     16   read. And presumably there were other people.

     17        Q.  The CCIA and the EFF I'm familiar with.  

     18   What is "EPIC"?

     19        A.  EPIC is Electronic Privacy Information 

     20   Center.  They're in Washington, D.C.

     21        Q.  What does the Electronic Privacy 

     22   Information Center do as you understand it?

     23        A.  As I understand it, they do several things.  

     24   They are a privacy watchdog against industry and the 

     25   government.  They do a lot of FOIA of different 

                                                           45

      1   documents from the government and publish what they 

      2   find.

      3        Q.  By "FOIA" do you mean F-O-I-A, Freedom of 

      4   Information Act?

      5        A.  Yes, I do.  They do a lot of testifying 

      6   before Congress on privacy and -- a lot of 

      7   testifying before Congress on privacy laws, and they 

      8   do a lot of education on privacy issues as they 

      9   relate to computers and computer networks.

     10        Q.  Are there any professional organizations 

     11   of cryptographers that you're aware of, 

     12   Mr. Schneier?

     13        A.  Yes, there are.  The IACR, the 

     14   International Association of Cryptologic Research, 

     15   is the international cryptography professional 

     16   organization.

     17        Q.  Now, in your experience or to your 

     18   knowledge, are there any ethical constraints on 

     19   cryptographic activities with respect to 

     20   disseminating the results of encryption research on 

     21   a particular system?

     22            MR. HERNSTADT:  Objection to the form of 

     23   the question.  That's a very vague and broad 

     24   question.

     25            If you can answer it, please go ahead.

                                                           46

      1            THE WITNESS:  You asked me if I have any 

      2   ethical constraints or if anybody has any ethical 

      3   constraints?

      4   BY MS. MILLER:

      5        Q.  I asked you first if anybody or if any 

      6   organization that you're aware of issues ethical 

      7   guidelines concerning dissemination of the results 

      8   of cryptographic research activities.

      9            MR. HERNSTADT:  Objection to the form of 

     10   the question.  It's compound.

     11            If you can answer that -- 

     12            THE WITNESS:  Certainly, the National 

     13   Security Agency classifies cryptographic research,  

     14   as presumably do the intelligence organizations of 

     15   other companies around the world.  Some 

     16   cryptographers work for companies, and presumably 

     17   some of the work they do is proprietary, not 

     18   disseminated.  And quite possibly cryptographers may 

     19   or may not on their own initiative decide to 

     20   publish.

     21            Certainly anybody using cryptography to 

     22   commit a crime using the results of analysis to 

     23   break into systems is likely not to disseminate his 

     24   techniques.  And there certainly could be other 

     25   ethical objections that people might have.

                                                           47

      1   BY MS. MILLER:

      2        Q.  But as far as you're aware, is there a 

      3   standards making organization that issues guidelines 

      4   with respect to ethical consideration in 

      5   cryptographic research?

      6            MR. HERNSTADT:  Objection to the form.

      7            THE WITNESS:  As far as I know, no 

      8   standards body or professional organization or group 

      9   of cryptographers has issued any standards of what 

     10   shouldn't be published.

     11   BY MS. MILLER:

     12        Q.  Okay. 

     13        A.  The primary -- the overriding ethic in the 

     14   cryptographic community is that publication serves 

     15   research and advances knowledge and is a good thing.

     16        Q.  Now Mr. Schneier, have you personally ever 

     17   had occasion to crack an encryption algorithm that 

     18   was developed by someone else?

     19        A.  Yes, I have.

     20        Q.  Which ones?

     21        A.  There are literally dozens of academic 

     22   papers on my Web site that break different 

     23   algorithms and I could provide a list, but it's easy 

     24   to go to the Web site and look at the papers.

     25        Q.  Can you give me an example of some of the 

                                                           48

      1   systems that these encryption systems were designed 

      2   to protect?

      3        A.  Most of them are academic systems, and they 

      4   weren't designed to protect anything.  They were 

      5   just designed.  Generally most encryption algorithms 

      6   are completely orthogonal to the way they're used.  

      7   So an algorithm might be proposed, and it might be 

      8   used in a variety of applications, none of which the 

      9   proposer had any idea they would be used in.

     10            An example of one that was a -- that was 

     11   proposed and used in a particular system was an 

     12   algorithm used in some digital cellular telephone 

     13   systems.

     14        Q.  For telephones, okay.  Were you personally 

     15   involved in cracking some of the encryption 

     16   algorithms for the digital cellular telephone 

     17   systems?  

     18        A.  I was a member of a group that did, yes.

     19        Q.  Was this an academic group, or what was the 

     20   group that was involved in cracking these digital 

     21   cellular telephone systems?

     22        A.  It was a group of researchers.  It was not 

     23   part of a consulting project.

     24        Q.  Were these all academics?

     25            MR. HERNSTADT: Objection to the form of the 

                                                           49

      1   question.

      2            Do you understand?  

      3            THE WITNESS:  It's a hard question because 

      4   many people who are paid by companies engage in 

      5   academic research.  So if "academic" means someone 

      6   who is paid by a university, the answer is one of 

      7   the members of our group was.  If the question is, 

      8   were these people people active in the academic 

      9   community, the answer is all of them.

     10   BY MS. MILLER:

     11        Q.  How many people were in this group?

     12        A.  The paper was written by three people, 

     13   although this is my recollection and I would have to 

     14   look at the paper to be sure, but I remember three 

     15   of the researchers.

     16        Q.  Is this paper on your Web site?  

     17        A.  The paper is on my Web site, yes.

     18        Q.  Now, did you after cracking this encryption 

     19   system that was designed to protect digital cellular 

     20   telephone communications design a computer program 

     21   or software utility that would allow anyone else to 

     22   then crack into the digital cellular telephone 

     23   systems to exploit the weaknesses that you were able 

     24   to uncover?

     25            MR. HERNSTADT:  Could you read back that 

                                                           50

      1   question please.

      2            (Record read.)

      3            MR. HERNSTADT:  Objection to the form of 

      4   the question.  It's compound, and it assumes a lot 

      5   of facts not in evidence.

      6            You can answer it if you can.

      7            THE WITNESS:  I personally did not.  Our 

      8   team did write demonstration software both to test 

      9   our hypotheses and to demonstrate to whomever needed 

     10   to verify our results that they were correct.  I do 

     11   not remember how the software worked and exactly how 

     12   usable it would be by other people.

     13   BY MS. MILLER:

     14        Q.  Is this piece of software available on your 

     15   Web site in connection with the research paper 

     16   that's posted on the Web site?

     17        A.  It might very well be.  The way to check is 

     18   to go to the Counterpane Web site, go to the 

     19   Counterpane lab Web sites, look at the CMEA button 

     20   on the left-hand side, M dash -- that's the name of 

     21   the algorithm, M dash -- and follow the link.

     22        Q.  But you said you don't know how useful the 

     23   software utility that was developed might be to 

     24   anyone else that might try to use it.  Is that what 

     25   you said?

                                                           51

      1            MR. HERNSTADT:  Objection to the form.

      2   BY MS. MILLER:

      3        Q.  I just want to make sure I understand your

      4   answer.  I'm really not trying to misstate what you 

      5   said.

      6        A.  I don't remember.  It was several years 

      7   ago.

      8        Q.  Do you have a point of view on whether or 

      9   not a person that's engaged in encryption research 

     10   should at the same time as that person disseminates 

     11   the results of that encryption research disseminate 

     12   a tool that will allow you to exploit the weaknesses 

     13   in a particular encryption system?

     14            MR. HERNSTADT:  Objection to form.

     15            THE WITNESS:  I have an opinion.  In a lot 

     16   of cases part of the research is writing the tool, 

     17   and part of disseminating the research is 

     18   disseminating the tool.  Personally there are many 

     19   cases where I feel that writing a tool whose sole 

     20   purpose is to attack and break systems is not a good 

     21   thing.  There are some instances where writing such 

     22   a tool is the only possible way to get the problem 

     23   fixed.

     24            So it's a very complicated issue.  It's one 

     25   I have written on in the past few months.  There's 

                                                           52

      1   an essay on this topic that I've written.  This is a 

      2   topic where my ideas are still in flux because it's 

      3   a very difficult question.

      4   BY MS. MILLER:

      5        Q.  I understand.  You said that you can 

      6   imagine that there would be times when it wouldn't 

      7   be a good thing to disseminate a tool that's 

      8   designed to exploit the weaknesses.  Can you give 

      9   some examples of in your view when it wouldn't be a 

     10   good thing to do that. 

     11            MR. HERNSTADT:  Objection to the form.

     12            THE WITNESS:  An example would be a tool 

     13   that doesn't actually demonstrate anything new, that 

     14   endangers life and limb and that exploits a problem 

     15   that can't easily be fixed are examples where I 

     16   would question the judgment of the person who 

     17   released the tool. 

     18   BY MS. MILLER:

     19        Q.  And in your view in what instances would 

     20   a problem not easily be fixed?

     21            MR. HERNSTADT:  Objection to the form.

     22            THE WITNESS:  In closed proprietary 

     23   systems.  So in systems that are -- systems not on a 

     24   general purpose computer are often much harder to 

     25   fix than systems that are on a general purpose 

                                                           53

      1   computer.

      2            A system in a closed system like nuclear 

      3   command and control or a stand-alone ATM machine, 

      4   these might involve widespread deployment of 

      5   equipment across the country or across the world 

      6   which is very different than a version of a piece of

      7   software which could be updated relatively quickly.  

      8   Again, I understand this is a gray line.

      9   BY MS. MILLER:

     10        Q.  From your point of view it's a gray line or 

     11   from the point of view of cryptographers generally?

     12        A.  From my point of view.

     13        Q.  Is it fair to say that -- you said your 

     14   ideas about this are in a state of flux, so is it 

     15   fair to say that at this point you don't have a 

     16   fully formed view on in which instances 

     17   disseminating a tool to exploit a flaw in a security 

     18   system might be permissible and other instances 

     19   where it might not be permissible?

     20            MR. HERNSTADT:  Objection to the form.  

     21   Misstates the testimony.

     22            THE WITNESS:  It's very much like the 

     23   definition of pornography.  I know it when I see it.  

     24   Defining exactly what it is is hard.

     25            And to bring to something I think you said, 

                                                           54

      1   I'm here more talking about security systems as 

      2   opposed to the mathematics of cryptography.  The 

      3   mathematics of cryptography is really much more cut 

      4   and dried, and that publication is pretty much 

      5   always a good idea. 

      6   BY MS. MILLER:

      7        Q.  Publication of the actual encryption 

      8   algorithm?  I just want to understand when you say 

      9   publication of the "mathematics of cryptography."

     10        A.  Publication of the research, which in 

     11   mathematics is generally mathematical research, 

     12   which is generally a paper that includes algorithms 

     13   and equations and an analysis.  And that's sort of 

     14   one end.

     15            The other end is analysis of working 

     16   security systems which would presume cryptography 

     17   but would also include analysis of the 

     18   software, analysis of the procedures, analysis of 

     19   the usage.

     20        Q.  And the last sort of line of questions that 

     21   we've been engaged in here, I'm really more 

     22   interested in your view about developing and 

     23   disseminating particular tools that allow an 

     24   individual to exploit a flaw in a security system 

     25   that a person engaged in encryption research might 

                                                           55

      1   have been able to uncover.

      2        A.  Um-hum.

      3        Q.  Is your point of view on that still in a 

      4   state of flux?

      5        A.  My point of view is still in a state of 

      6   flux.  I believe I have a consistent, coherent point 

      7   of view, but exceptions and special cases are still 

      8   arising, so my view is still being refined.

      9        Q.  And the point of view that you just

     10   testified to though is more in -- strike that --  

     11   analogous to like you just said, pornography, you 

     12   know it when you see it.  Do you know a bad exploit 

     13   of a tool as opposed to a good one?

     14            MR. HERNSTADT:  I'm sorry.  Could you read 

     15   that question back please.

     16            MS. MILLER:  That was not a good -- the 

     17   most articulate question.

     18            MR. HERNSTADT:  Do you want to try again?

     19            THE WITNESS:  I can answer it.

     20            MR. HERNSTADT:  Don't answer until I hear 

     21   it because I want to make sure I have some vague 

     22   idea.  

     23            THE WITNESS:  Maybe I should hear it again 

     24   too.

     25            (Record read.)

                                                           56

      1            MR. HERNSTADT:  Objection to the form.

      2            THE WITNESS:  I believe that's true, 

      3   although it's not impossible that someone would show 

      4   me a special case that I would have no idea of my 

      5   opinion on it until I thought about it a lot.

      6            MS. MILLER:  Okay. 

      7            MR. HERNSTADT:  Is this a good time to take 

      8   two for unstated reasons?

      9            MS. MILLER:  Sure.

     10            THE VIDEOGRAPHER:  Going off the record.  

     11   The time is 11:56.

     12            (Break taken.)

     13            THE VIDEOGRAPHER:  We're back on the 

     14   record.  The time is 12:05.  You may proceed.

     15   BY MS. MILLER:

     16        Q.  Mr. Schneier, I'm going to show you a 

     17   document that I'll have marked as Exhibit 4 for your 

     18   deposition.

     19            (Plaintiffs' Exhibit No. 4 is marked.) 

     20   BY MS. MILLER:

     21        Q.  Now initially, Mr. Schneier, I'd like you 

     22   to focus your attention on the first two pages of 

     23   this document.  So we have a clear record, I'll 

     24   represent to you that this is a document that I 

     25   printed from the Counterpane Web site.  It is 

                                                           57

      1   entitled "Crypto-Gram."  The date of the document is 

      2   January 15th, 2000.  It says, "By Bruce Schneier, 

      3   founder and CTO, Counterpane Internet Security, 

      4   Inc."  And the initial article is entitled, "'Key 

      5   Finding' Attacks and Publicity Attacks."

      6            Now Mr. Schneier, earlier in your testimony 

      7   you referred to "Crypto-Gram."  What is 

      8   "Crypto-Gram"?

      9        A.  "Crypto-Gram" is a monthly newsletter, a 

     10   free e-mail newsletter, that I write and publish 

     11   every month.

     12        Q.  Is this document that I've just shown you 

     13   that's been marked as Exhibit 4 a copy of the 

     14   monthly newsletter Crypto-Gram that you write?

     15        A.  Without examining every word of it, I 

     16   assume it is.

     17        Q.  If you could take a moment to look at the 

     18   first two pages of the document that I've handed 

     19   you, I'd like to ask you some questions about it.  

     20   Tell me when you're ready.

     21            MR. HERNSTADT:  I'm going to need a couple 

     22   minutes.  

     23            THE WITNESS:  I'm ready.

     24            MR. HERNSTADT:  I'm not.

     25            (Reviewing document.)

                                                           58

      1            Okay.

      2   BY MS. MILLER:

      3        Q.  Mr. Schneier, do you recognize this article 

      4   in this newsletter "'Key Finding' Attacks and 

      5   Publicity Attacks"?

      6        A.  I do.

      7        Q.  Did you write it?

      8        A.  I did.

      9        Q.  Now without me reading it word for word, 

     10   can you tell us just generally what the subject of 

     11   this article is. 

     12        A.  The subject of this article is a particular 

     13   situation that occurred in January when a company 

     14   made a press announcement about what they claimed to 

     15   be a vulnerability in an Internet protocol and uses 

     16   that example as a jumping-off point to discuss some 

     17   of the pros and cons towards releasing information 

     18   about vulnerabilities, releasing vulnerability tools 

     19   and makes a stab at trying to draw some conclusions 

     20   about some of the issues we talked about earlier.

     21        Q.  What conclusion is drawn in this article 

     22   about releasing the tools that exploit 

     23   vulnerabilities and security systems?

     24            MR. HERNSTADT:  Objection.  Are you asking 

     25   him to point out in the article where he draws a 

                                                           59

      1   conclusion?

      2   BY MS. MILLER:  

      3        Q.  No.  At this point I'd like you to do it 

      4   from -- if it helps you to look at the article, 

      5   that's fine, however you want to answer the 

      6   question, if you understand the question.

      7        A.  You're asking me to discuss my thinking at 

      8   January 15th, not subsequent.  What I say in this 

      9   essay is that one of the ways to look at a tool is 

     10   to look at the motivations of the person who 

     11   releases it, whether it's a tool that demonstrates a 

     12   vulnerability in some useful fashion, whether it's a 

     13   tool that simply allows someone without any skill to 

     14   exploit a vulnerability, whether the person 

     15   releasing the tool has any ulterior motives in 

     16   releasing it.  And that's one way to get some idea 

     17   of whether it was a good thing or a bad thing.

     18        Q.  Okay.  And you say the ulterior motives 

     19   that the person might have had in releasing the tool 

     20   is one of the factors in your mind that determines 

     21   whether or not the release of the tool is a good or 

     22   bad thing; is that correct?

     23        A.  That's what I said, yes.

     24        Q.  Now, in this particular situation that's 

     25   being described in this article, or the essay, "'Key 

                                                           60

      1   Finding' Attacks and Publicity Attacks," was there a 

      2   particular tool that was disseminated along with the 

      3   press release of the vulnerability in the Internet 

      4   protocol?

      5        A.  It's unclear.  At the time I wrote this, I 

      6   believe there was.  In subsequent conversations with 

      7   the company that released the press release, they 

      8   indicated that they did not release the tool.  I do 

      9   not know if a tool was released, how widely it's 

     10   used, whether someone else took the research done 

     11   and wrote a tool.

     12            So when I wrote this essay, I believe the 

     13   tool was released by the company that released the 

     14   press release, but I don't know if that's true.

     15        Q.  At this point do you know whether or not 

     16   there was a tool released?

     17        A.  At this point I believed the people I spoke 

     18   to from the company, and they said they did not 

     19   release a tool.

     20        Q.  Now you cite other examples in this essay, 

     21   and if I can just draw your attention to page 1, and 

     22   there are several bullet points.  I'll read the 

     23   introductory phrase to the bullet point so you have 

     24   a sense of where I am.  You say, "This kind of thing 

     25   is happening more and more, and I'm getting tired of 

                                                           61

      1   it.  Here are some more examples" and bullet point 

      2   2.

      3            MR. HERNSTADT:  Carla, before you do that, 

      4   could you just read the first line of that sentence  

      5   before that -- the word "thing" is defined -- so we 

      6   know what kind of "thing" we are -- 

      7            MS. MILLER:  Well, I think if I want to 

      8   have that "thing" defined, I'll ask the witness to 

      9   define it, Mr. Hernstadt.

     10            MR. HERNSTADT:  All right.  Then let me 

     11   object to any question that comes out based on that 

     12   it's vague that the term is undefined.

     13   BY MS. MILLER:

     14        Q.  If you could look at bullet point 2 on page 

     15   1, Mr. Schneier, you indicate that, "Some people at

     16   eEye" -- that's lower case "e," capital E-y-e --   

     17   "discovered a bug in IIS last year completely 

     18   compromising the product.  They contacted Microsoft, 

     19   and after waiting only a week for them to 

     20   acknowledge the problem, they issued a press release 

     21   and a hacker tool.  Microsoft rushed a fix out but 

     22   not as fast as the hackers jumped on the exploit.  

     23   EEye sells vulnerability assessment tools and 

     24   security consulting by the way."

     25            Do you see that, what I've just read to 

                                                           62

      1   you?

      2        A.  I do.

      3        Q.  Now, did you do any verification of the 

      4   facts of eEye's rushing out and issuing a press 

      5   release and a hacker tool that exploited the 

      6   vulnerability in this Microsoft product?

      7        A.  No more verification than reading documents 

      8   and opinions and things other people had written.

      9        Q.  And did you think at the time that you 

     10   wrote this essay that those activities were a good 

     11   thing to do by eEye?

     12        A.  A lot of this is very situation dependent, 

     13   and often my objections are not based on what was 

     14   done but based on how it was done.  My objections in 

     15   the eEye instance were based on the fact that eEye 

     16   seems to me to have used the exploit and the 

     17   publication of it as a publicity engine for their 

     18   company and not as a way to fix the problem.

     19            So I'm not -- I have no objections to the 

     20   research, to the publication or the dissemination, 

     21   but the form of it was something I thought was not 

     22   the best it could have been.

     23        Q.  Okay.  And the form of it that you're 

     24   describing, was that just the dissemination of the 

     25   hacker tool or just the fact that they were using 

                                                           63

      1   this whole incident to publicize their security 

      2   services?

      3        A.  It was that they were using the incident to 

      4   publicize.

      5        Q.  But you have no problem with them 

      6   disseminating the hacker tool that was designed to 

      7   exploit the vulnerability that they uncovered?

      8            MR. HERNSTADT:  Objection to the form.

      9            THE WITNESS:  Again, this is very dependent 

     10   on circumstance.  Microsoft is a corporation that 

     11   will lie, will claim things that are true that are 

     12   not true, will deny the fact that exploits exist.  

     13   If you point out a security vulnerability, they will

     14   tell you you're wrong.  And the only way to get 

     15   Microsoft to fix a problem, a security problem, is 

     16   to release a tool.

     17            So in dealing with Microsoft as a 

     18   researcher wanting to improve the security of 

     19   systems, you have no choice but to release an 

     20   exploit because without doing that, the system will 

     21   remain vulnerable.

     22   BY MS. MILLER:

     23        Q.  You have no choice?

     24        A.  If you want to improve the security, you 

     25   have no choice.

                                                           64

      1        Q.  So if you want Microsoft to pay attention, 

      2   you have no choice but to exploit -- disseminate a 

      3   hacker tool that could exploit the security breach;  

      4   is that your testimony?

      5            MR. HERNSTADT:  Objection to form. 

      6            THE WITNESS:  Historically that has been 

      7   the case.

      8   BY MS. MILLER:

      9        Q.  And because -- again, I really am not 

     10   trying to put words in your mouth.  I'm just trying 

     11   to understand your answer because you made some 

     12   statements about a particular point of view  

     13   obviously that you hold about Microsoft.

     14            And based on that point of view about 

     15   Microsoft, if the security breach is found in a 

     16   Microsoft piece of software, then in your view 

     17   according to your testimony, it's acceptable to 

     18   disseminate a hacker tool that exploits that 

     19   vulnerability?

     20            MR. HERNSTADT:  Objection to the form of 

     21   the question and the lack of definition of the terms 

     22   used.

     23            If you can answer that, go ahead.

     24            THE WITNESS:  I believe as a researcher 

     25   wanting to improve the security of systems that 

                                                           65

      1   simply publishing an academic paper describing the 

      2   vulnerability in a Microsoft system will not result 

      3   in any improvement.  And the quickest way to improve 

      4   the security of the system is to release the tool 

      5   and to release the tool in a very public way so that 

      6   Microsoft has no choice but as a company to fix the 

      7   problem.

      8   BY MS. MILLER:

      9        Q.  I don't suppose you'd be surprised if 

     10   someone at Microsoft felt differently about that, 

     11   would you?

     12            MR. HERNSTADT:  Objection to the form of 

     13   the question.

     14            Go ahead.

     15            THE WITNESS:  Very few things surprise me 

     16   in this field.

     17   BY MS. MILLER:

     18        Q.  Fair enough.  Now, looking a couple 

     19   paragraphs down in the same essay, you say, "Here 

     20   are some examples of doing things right."  In the 

     21   first bullet point, I quote, "The University of 

     22   California-Berkeley researchers have broken just 

     23   about every digital cell phone algorithm.  They are 

     24   not profiting from these breaks.  They don't publish 

     25   software packages that can listen in on cell phone 

                                                           66

      1   calls.  That is research and good research."

      2            Now, when we talked earlier about your 

      3   activities in helping to analyze some of the

      4   encryption -- strike that -- flaws in some of the 

      5   encryption and security algorithms for digital cell 

      6   phone technologies, were you referring to this group 

      7   of University of California-Berkeley researchers?

      8        A.  Yes, I was.  

      9        Q.  Is that the project you were involved in?

     10        A.  A piece of it.  There are some different 

     11   cell phone security algorithms that this group has 

     12   successfully reverse engineered, analyzed and 

     13   published.  One particular algorithm I was involved 

     14   in the process.  There are several others that they 

     15   alone were involved in the process.

     16        Q.  Okay.  Now you made the statement in this 

     17   essay, "This is research and good research."  What 

     18   were you referring to when you drew the 

     19   conclusion -- excuse me -- about what "good 

     20   research" was?

     21            MR. HERNSTADT:  Objection to the form of 

     22   the question.

     23            THE WITNESS:  I was referring to the 

     24   cryptanalysis work done by the group in breaking the 

     25   algorithms.

                                                           67

      1   BY MS. MILLER:

      2        Q.  Not the fact that they didn't publish 

      3   software packages that can listen in on cell phone 

      4   calls?

      5            MR. HERNSTADT:  Objection.

      6            THE WITNESS:  No.  I was referring to the 

      7   research, and to me the research in this case was 

      8   the mathematical research on the algorithms.

      9   BY MS. MILLER:

     10        Q.  If the University of California at Berkeley 

     11   researchers had published software packages that 

     12   listened in -- that allowed a person to listen in on 

     13   cell phone calls, would that still in your opinion 

     14   have been good research?

     15            MR. HERNSTADT:  Objection to the form of 

     16   the question.

     17            THE WITNESS:  It would still have been good 

     18   research.  They would have done something additional 

     19   to that which I personally would question, but other 

     20   people would not.

     21   BY MS. MILLER:

     22        Q.  Okay.  But you personally would?

     23        A.  Yeah.  I would -- if they did that, I might 

     24   have called them and asked, why did you do this?  

     25   And they might have had an explanation, and I would 

                                                           68

      1   have said, I guess you're right.

      2            But I certainly would have thought twice if 

      3   I saw that, because in this particular case that 

      4   wasn't really part of the research. 

      5        Q.  I'd like to direct your attention now to 

      6   the fourth bullet point in that same list that says, 

      7   I quote, "Perfecto markets security against CGI 

      8   attacks."

      9            What is "CGI"?

     10        A.  I forget what it stands for.  CGI scripts 

     11   are those interactive bits of code on Web pages that 

     12   let you type things into forms and submit them, 

     13   allow you to type comments in, click on radio 

     14   buttons or other things that make Xs happen, things 

     15   that don't bring you to a new Web page but that put 

     16   little bits of interactivity onto a Web page.  I 

     17   think it's "computer graphics interface," but I 

     18   might be wrong as to what "CGI" stands for.

     19        Q.  I'm going to continue on reading that same 

     20   bullet point.  "Although they try to increase 

     21   awareness of the risks, they don't go around writing 

     22   new CGI exploits and publicizing them.  They point 

     23   to other CGI exploits done by hackers with no 

     24   affiliation to the company as examples of the 

     25   problem."

                                                           69

      1            Now, based on the point of view that you've 

      2   been testifying to, I assume that this would fall 

      3   into your category of good research; is that 

      4   correct?

      5            MR. HERNSTADT:  Objection to the form.  

      6   That misstates the testimony of the witness 

      7   significantly.

      8            If you can answer that, go ahead.

      9            THE WITNESS:  To me this is an example of 

     10   doing things right, as I said.  Again, if there were 

     11   no CGI exploits, Perfecto would have to release some 

     12   to demonstrate that the vulnerabilities they're 

     13   describing and fixing are real.  However, because 

     14   there are already CGI exploits that have been 

     15   published, that have been disseminated by the 

     16   underground community, Perfecto did not feel it 

     17   necessary to create new ones that didn't demonstrate 

     18   any new piece of research.

     19            If they learned a new piece of research, 

     20   they might feel -- and I might agree with them -- 

     21   that they should publish an exploit to demonstrate 

     22   this new piece of research.  But as long as they are 

     23   fixing old problems, writing new tools to 

     24   demonstrate the old problems doesn't seem to add 

     25   anything to the discussion.

                                                           70

      1   BY MS. MILLER:

      2        Q.  How are you using the word "exploits" 

      3   there?

      4        A.  It's a term of art in computer security.  

      5   An "exploit" is a program that makes use of a

      6   vulnerability to attack a system.  So it 

      7   demonstrates a vulnerability in a graphic way.

      8        Q.  Now looking at the last bullet point, you 

      9   say, "Steve Bellovin," B-e-l-l-o-v-i-n -- I hope I 

     10   pronounce his name correctly -- "at AT&T labs found 

     11   a serious hole in the Internet DNS system.  He 

     12   delayed publication of this vulnerability for years 

     13   because there was no readily available fix."

     14            Again, is this falling within your 

     15   definition of "good research"?

     16            MR. HERNSTADT:  Objection to the form of 

     17   the question.  I don't think there's been a 

     18   definition of "good research," but if you can answer 

     19   the question, go ahead.

     20            MS. MILLER:  Certainly not a definition 

     21   because I think the witness has already testified 

     22   that it's sort of a situational thing.  So I don't 

     23   mean to misstate your testimony when I say 

     24   "definition," but you've used the phrase and 

     25   characterized certain things and activities as good 

                                                           71

      1   research.  That's all I'm asking you about.

      2            MR. HERNSTADT:  Are you referring to the 

      3   words where it says -- 

      4            THE WITNESS:  "Doing things right."

      5            MR. HERNSTADT:  -- "doing things right" up 

      6   top?

      7            THE WITNESS:  This is good research.  

      8   Additionally the research is finding the hole.  The 

      9   delaying publication is a decision independent of 

     10   the research, and Steve in this case made a decision 

     11   not to publish but to keep the vulnerability quiet 

     12   until the Internet was able to deal with some of the

     13   problems he found.  That was his personal decision.

     14            Other researchers would have probably made 

     15   different decisions.  And in some ways it's good 

     16   that he did it, and in some ways it's bad that he 

     17   did it.  That's probably the toughest example of the 

     18   five listed.  That's the least obvious of the five 

     19   examples listed.

     20   BY MS. MILLER:

     21        Q.  Now, when you say that "he delayed 

     22   publication of this vulnerability for years because 

     23   there was no readily available fix," in your mind is 

     24   that one of the factors that should be considered in 

     25   determining whether or not this is a responsible or 

                                                           72

      1   a right thing to do in terms of publicizing the 

      2   vulnerability that you've been able to identify?

      3            MR. HERNSTADT:  Objection to the form.

      4            THE WITNESS:  My personal opinion is that 

      5   whether a fix is possible and how easily it is and 

      6   how expensive it is is one of the many factors that 

      7   I would take into account before publishing.

      8   BY MS. MILLER:

      9        Q.  Okay.  Now, a couple more paragraphs down 

     10   in this same essay -- I'd like to direct your 

     11   attention to actually three paragraphs down from the 

     12   list of bullet points that we've just been referring 

     13   to.  That starts, "And look at how it is released.  

     14   The nCipher" -- lower case N, capital C-i-p-h-e-r -- 

     15   "release included a hacker tool.  As the New York 

     16   Times pointed out, 'thus making e-commerce sites 

     17   more vulnerable to attack and more likely to buy 

     18   nCipher's products.'  Announcements packaged with 

     19   hacker tools are more likely to be part of the 

     20   problem than part of the solution."

     21            Do you see the sentences that I've just 

     22   read to you, Mr. Schneier?

     23        A.  I do.

     24        Q.  Now I understand you've previously 

     25   testified that nCipher I believe indicated to you 

                                                           73

      1   that they in fact did not publish a hacker tool.  I 

      2   understand that aspect of your prior testimony.  But 

      3   you seem to express an opinion at the end of these 

      4   last couple of sentences that "announcements 

      5   packaged with hacker tools are more likely to be 

      6   part of the problem than part of the solution."  

      7   What "problem" were you referring to?

      8        A.  In the essay I'm talking about the problem 

      9   of bad computer security and whether a particular 

     10   release of information of tools increases the 

     11   problem of bad security or helps solve the problem 

     12   of bad security by making security better.

     13            In that sentence I said that tools -- if 

     14   something is released with a tool, it is more 

     15   likely, although -- I mean that it is more likely to 

     16   be part of the problem.  So it's more likely to 

     17   result in bad security -- it's more likely to be a 

     18   release that exacerbates the security problems than 

     19   a release that will fix it.  Certainly it's not cut 

     20   and dried.  This is just one of the many things you

     21   can look at in trying to figure out whether 

     22   something was good or bad.  That's probably too 

     23   strong a word for it.

     24        Q.  I know.  I understand.  I appreciate this

     25   is a gray area that we're talking about.  That's all 

                                                           74

      1   I have at this time for this document. 

      2            Now Mr. Schneier, have you personally ever 

      3   notified the provider or the developer of a security 

      4   system that you're interested in researching before 

      5   engaging in that research?

      6        A.  I have not.  The only possible exception is 

      7   when I was hired as a consultant to research a 

      8   system in which case they would know that I was 

      9   doing it.

     10        Q.  Because they hired you?

     11        A.  But it would be under contract.  If as an 

     12   academic I engaged in research, I have never 

     13   notified an organization or a company first.

     14        Q.  Have you personally after engaging in 

     15   encryption research ever notified the organization 

     16   whose security system you were testing before 

     17   disseminating the results of your findings?

     18        A.  I don't remember.  I believe when I 

     19   published an analysis of Microsoft PPTP, which 

     20   stands for point-to-point tunneling protocol, I sent 

     21   a copy of my draft paper to some colleagues at 

     22   Microsoft before publishing, although this is my 

     23   best recollection.

     24        Q.  How long ago would that have been that you 

     25   engaged in this research on Microsoft PPTP?

                                                           75

      1        A.  I do not remember, but the paper is dated 

      2   on my Web site.

      3        Q.  That paper is also on your Web site?

      4        A.  Everything is on my Web site.

      5        Q.  Why did you send a copy of your draft 

      6   paper to your colleagues at Microsoft?

      7        A.  Professional courtesy.  I was afraid that 

      8   when the paper was released they would be asked by 

      9   their superiors to explain what was going on, and I 

     10   wanted to give them the opportunity to read what I 

     11   had written and have a little time to think about 

     12   what a response would be.

     13        Q.  Is that only because you knew these people 

     14   personally?

     15        A.  Yes, that's true.

     16        Q.  So if you didn't have this personal 

     17   relationship with the people at Microsoft that you 

     18   sent the draft to, you wouldn't have bothered to 

     19   send the draft of your research results?

     20        A.  I probably would not have.

     21        Q.  Why not?

     22        A.  Because the only benefit that that would 

     23   have served was to allow the Microsoft PR machine to 

     24   basically spread propaganda about the results before 

     25   they were released.  It would have not helped the 

                                                           76

      1   program.  It would have made it worse.

      2        Q.  How do you know that?

      3        A.  It's been the historical -- historically 

      4   that's what Microsoft does.

      5        Q.  What about other companies whose security 

      6   systems you've researched that maybe don't have that 

      7   same historical response as Microsoft?

      8        A.  One example that comes to mind is the 

      9   Digital Cellular Consortium, and we did not alert 

     10   them.

     11        Q.  Was there a conscious decision not to alert 

     12   them?

     13        A.  I don't know.  I don't remember if it was 

     14   actually discussed.  So I don't recall if it was a 

     15   conscious or unconscious decision.

     16        Q.  You don't recall any discussions amongst 

     17   the research group about whether or not the Digital 

     18   Cellular Consortium should be notified?

     19            MR. HERNSTADT:  Objection to form.

     20            THE WITNESS:  I don't recall.

     21   BY MS. MILLER:

     22        Q.  But in your mind as a participant in that

     23   activity, you didn't find -- strike that -- you 

     24   didn't think that there was any issue involved in 

     25   not notifying the Digital Cellular Consortium before 

                                                           77

      1   publishing the results of the research?

      2            MR. HERNSTADT:  Objection to form. 

      3            THE WITNESS:  Certainly there are issues, 

      4   but we felt that the greater good would have been 

      5   served by publishing and that there was no benefit 

      6   to alerting the cell phone manufacturers.

      7   BY MS. MILLER:

      8        Q.  When in your mind would there be a benefit 

      9   to alerting a particular corporation whose security 

     10   systems you've been involved in testing?

     11        A.  An example is if a flaw is found in a 

     12   browser that as a researcher you might go to the 

     13   company -- let's say Netscape -- and say, we found 

     14   this flaw.  This is it.  This is how it works.  

     15   We're going to be releasing our findings in two 

     16   weeks.  Wouldn't it be nice if at the same time you 

     17   could release an updated version of the browser.  

     18   And there's an example where the researcher and the 

     19   company affected could work in concert.

     20        Q.  But in the example that you just cited -- 

     21   strike that.

     22            Are there any other examples that you can 

     23   cite apart from the one you just gave us?

     24        A.  Probably, but none come to mind right now.

     25        Q.  Okay.  So if I understand your answer, it 

                                                           78

      1   would be beneficial to notify the company whose 

      2   security systems were being tested if in the mind of 

      3   the researcher the researcher thought that the 

      4   company and researchers could come to some sort of 

      5   an accord on how to fix the problem?

      6            MR. HERNSTADT:  Objection to the form.  I 

      7   think that misstates the testimony.

      8            You can answer.  If you can, go ahead.

      9            THE WITNESS:  That's one of the things to 

     10   consider.  Will the vendor mischaracterize the 

     11   research?  Will the vendor work with the researcher 

     12   to fix the problem?  Are there any political agenda 

     13   that the vendors might have?

     14            There are examples where security systems

     15   have been deliberately weakened because of   

     16   government intervention.  Those are examples where 

     17   dealing with the vendor beforehand wouldn't make any 

     18   sense because in some ways the vendor was a pawn 

     19   also.  So that's one of the considerations.  There 

     20   are certainly many of them.

     21   BY MS. MILLER:

     22        Q.  By a "pawn," you mean a pawn of the 

     23   government?

     24        A.  "Pawn" is probably too strong a word.  But 

     25   they were influenced by the government possibly to 

                                                           79

      1   deliberately weaken their systems.  This has 

      2   occurred many times in security.

      3        Q.  Again, I don't mean to misstate what you 

      4   just said, but I want to have a better understanding 

      5   of your point of view.  But as I interpret what you 

      6   just said, it sounds like a lot of the consideration 

      7   depends on the vendor that's involved from the 

      8   researcher's point of view.

      9            MR. HERNSTADT:  Objection to the form.  I 

     10   don't think that accurately states the testimony.

     11            THE WITNESS:  Some of it does.  I'm 

     12   hesitant to define percentages of what refers to 

     13   what, but certainly that's one of the 

     14   considerations.

     15   BY MS. MILLER:

     16        Q.  Okay.  Now, in your point of view, if there 

     17   were a law that required a cryptographer to notify 

     18   the owner or the provider of a particular security 

     19   system that they were engaged in encryption research 

     20   concerning, would you think that that would restrict 

     21   your ability to engage in such research?

     22        A.  I think it would restrict it in a very 

     23   large way.

     24        Q.  How so?

     25        A.  A number of reasons.  One, it presumes that 

                                                           80

      1   the cryptographer knows who to contact.  For 

      2   example, a cryptographer might research an 

      3   encryption algorithm, Blowfish, which is an

      4   algorithm I wrote.  And I know that Blowfish is in 

      5   over a hundred products, and I know there are 

      6   products that I don't know about that Blowfish is 

      7   in.  So if a cryptographer wanted to research 

      8   Blowfish, it would be impossible for him to notify 

      9   them all because he just wouldn't know who to 

     10   notify. 

     11            In any real system, the company researched, 

     12   being researched, might say no, might not give him 

     13   permission.  And that would mean that he would not 

     14   be able to do the research, which means we would not 

     15   learn about the system, we would not learn about its 

     16   weaknesses, and we would not be able to build better 

     17   systems because of it.

     18            So putting the burden on the cryptographer 

     19   to get permission is, one, something he can't do 

     20   and, two, likely to stifle research because 

     21   permission might not be forthcoming especially in 

     22   examples where there are many companies using the 

     23   same type of cryptography, and they need permission 

     24   from everybody.

     25            MS. MILLER:  Take one minute.  Allow the 

                                                           81

      1   videographer to change the tape.

      2            THE VIDEOGRAPHER:  This is the end of Tape 

      3   No. 1 in the deposition of Bruce Schneier.  We're 

      4   going off the record.  The time is 12:42. 

      5            (Break taken.) 

      6            (Record read.)

      7            THE VIDEOGRAPHER:  This is the beginning of 

      8   Tape No. 2, Volume 1 in the deposition of Bruce 

      9   Schneier.  We're going back on the record.  The time 

     10   is 12:54.  You may proceed.

     11   BY MS. MILLER:

     12        Q.  Now, Mr. Schneier, in your last answer you 

     13   expressed a point of view about requiring 

     14   cryptographers to seek permission before engaging in 

     15   cryptographic research and how that might inhibit 

     16   that research.  Do you feel that the owner of a 

     17   security system has the right to grant permission to 

     18   someone who might be interested in researching that 

     19   system?

     20            MR. HERNSTADT:  Objection to the form of 

     21   question and so far as it calls for a legal 

     22   conclusion.

     23            THE WITNESS:  Speaking morally and not 

     24   legally, I don't know what the law says, but I 

     25   believe personally the answer is no.

                                                           82

      1   BY MS. MILLER:

      2        Q.  So a person that puts a particular security 

      3   system in place to protect their copyright content 

      4   shouldn't have any right to have people come to them 

      5   and ask permission before engaging in encryption 

      6   research or perhaps disseminating the results of 

      7   that research to the extent that it might allow 

      8   people to exploit vulnerabilities in that security 

      9   system?

     10            MR. HERNSTADT:  Objection to the form of 

     11   the question.  It's compound.  It also is 

     12   argumentative, and it's difficult.

     13            MS. MILLER:  That's what "objection to 

     14   form" means.

     15            THE WITNESS:  Again, personally and not 

     16   legally, I believe the answer is either no or yes 

     17   depending on which one was -- does not have to ask 

     18   permission.  I just forgot the question in all the 

     19   objecting.

     20            MS. MILLER:  Could we read back the 

     21   question so the witness can understand.

     22            (Record read.)

     23            THE WITNESS:  Yes.

     24            MR. HERNSTADT:  I have to object also that 

     25   it's unintelligible.  

                                                           83

      1            THE WITNESS:  Yes.  Again, morally and 

      2   ethically, personally and not legally, I believe 

      3   someone who fields a security system is putting it 

      4   out in public and at that point does not maintain 

      5   any control over who analyzes it, that in fact 

      6   someone can analyze it without asking permission or 

      7   asking permission before analyzing or releasing 

      8   information as a result of that analysis.

      9            (Interruption in proceedings.)

     10            THE VIDEOGRAPHER:  We're going off the 

     11   record.  The time is 12:57.

     12            (Brief recess is taken.)

     13            THE VIDEOGRAPHER:  We're back on the 

     14   record.  The time is 1:02.  You may proceed.

     15   BY MS. MILLER:

     16        Q.  Now Mr. Schneier, do you know when --

     17            MS. MILLER:  First of all, let's do this.  

     18   Mr. Hernstadt, I believe a colleague of yours has 

     19   just joined the deposition.

     20            MR. HERNSTADT:  Yeah.

     21            MS. MILLER:  Could he please make an 

     22   appearance or identify himself for the record.

     23            MR. LEVY:  Sure.  This is Allonn Levy from 

     24   the firm of Huber Samuelson.  I think the court 

     25   reporter has my card already.

                                                           84

      1            MS. MILLER:  Mr. Levy, have you already

      2   been admitted pro hac vice as an attorney in this 

      3   lawsuit?

      4            MR. LEVY:  Yes, I believe so in the 

      5   original hearing.

      6            MS. MILLER:  Thank you.

      7   BY MS. MILLER:

      8        Q.  Mr. Schneier, do you know when the CSS, the 

      9   content scrambling system, was first developed?

     10        A.  I do not.

     11        Q.  In the reading that you did in preparing 

     12   the essay, the November 15th essay, that you've 

     13   testified about that was the precursor to your 

     14   declaration that you filed in this case, did any of 

     15   the documents that you read in preparing that essay, 

     16   did any of them indicate when the content scrambling 

     17   system was developed?

     18        A.  It's certainly possible.

     19        Q.  But you have no recollection from that 

     20   reading when it was developed?

     21        A.  I do not.

     22        Q.  Do you have any idea when DVDs were first 

     23   introduced into the United States marketplace?

     24        A.  I have some idea, but I couldn't give you a 

     25   year.

                                                           85

      1        Q.  Okay.  If I were to represent to you that 

      2   the content scrambling system was developed 

      3   somewhere around the late '90s, approximately 1996, 

      4   would you have an objection to working off of that 

      5   time frame for purposes of further questioning?

      6        A.  No.  That's certainly plausible.

      7        Q.  Do you have any knowledge of United States 

      8   export guidelines concerning encryption 

      9   technologies?

     10        A.  I do.

     11        Q.  How is that knowledge derived?  

     12        A.  From reading, reading and conversation.

     13        Q.  What, if you could tell me, have you read 

     14   to gain understanding that you have today about U.S. 

     15   export guidelines on encryption technologies?

     16        A.  Everything that I saw on the topic.

     17        Q.  Can you give us specific examples?

     18        A.  No.

     19        Q.  Journals?  Web pages?

     20        A.  Journals, Web pages, articles, speeches, 

     21   books, magazine articles.

     22        Q.  Have you ever looked at the law yourself, 

     23   the guidelines?

     24        A.  Yes, I have.

     25        Q.  And do you remember the citation for any of 

                                                           86

      1   the guidelines that you looked at?  Was it actually 

      2   the statute itself or the implementation guidelines?

      3        A.  Probably both.  Parts of the statute were 

      4   reprinted in one of my books, so I could go there 

      5   and tell you exactly what I read because I could 

      6   tell you exactly what I reprinted.

      7        Q.  Which book would that be?

      8        A.  Applied Cryptography.

      9        Q.  When was Applied Cryptography published?

     10        A.  The first edition was published in 

     11   November -- sorry -- in October of 1993.  And the 

     12   second edition was published in October of 1995.  

     13   You'll find that the copyright dates of the books

     14   don't match that.  That's because publishers often 

     15   play fast and loose with copyright dates.

     16        Q.  Fair enough.  And at the time of the 

     17   publication of the first and second editions of 

     18   Applied Cryptography, did you reprint the export 

     19   guidelines in both the editions?

     20        A.  I do not remember.  I know they're in the 

     21   second edition.  I don't know if they're in the 

     22   first edition.

     23        Q.  And in 1995, the publication date of the 

     24   second edition, that actually reprints a current -- 

     25   or then current version of the export regulations as 

                                                           87

      1   you understood them?

      2            MR. HERNSTADT:  Objection to form.

      3            THE WITNESS:  As I understood them at the 

      4   time, yes.

      5            MR. HERNSTADT:  You might want to 

      6   establish when the book was actually published.

      7            MS. MILLER:  I thought we already did.

      8   BY MS. MILLER:

      9        Q.  Did you answer my question when the book 

     10   was actually published?  

     11        A.  I think so.

     12        Q.  I thought so too.  Thank you.

     13            MR. HERNSTADT:  I thought you said the 

     14   dates weren't -- 

     15            MS. MILLER:  Wake up, Ed.  Let's move on.

     16   BY MS. MILLER:

     17        Q.  The book -- second edition of the book to 

     18   your understanding was published in 1995?

     19        A.  In October of '95, even though the 

     20   copyright date says 1996.

     21            MR. HERNSTADT:  I got it the other way 

     22   around.  Sorry.

     23   BY MS. MILLER:

     24        Q.  Now in 1995 when the second edition of 

     25   Applied Cryptography was published, do you recall if 

                                                           88

      1   there were any limitations on the length of 

      2   encryption keys that were imposed by the U.S. export 

      3   guidelines?

      4        A.  Export guidelines did impose -- the export 

      5   guidelines themselves didn't impose limits.

      6        Q.  Did not?

      7        A.  Did not impose limits.  There were 

      8   effective limits really based on hearsay and things 

      9   that had been granted export versus things that had 

     10   not been granted export.

     11            At that time encryption algorithms with a 

     12   key length of less than 40 bits were allowed 

     13   exports.  And encryption algorithms with key lengths 

     14   greater than 40 bits were not except for some 

     15   special circumstances.

     16        Q.  And do you have an understanding of what 

     17   those special circumstances were?

     18        A.  "Understanding" is a bad word because the 

     19   government went out of its way to make sure people 

     20   did not understand the rules.

     21        Q.  Do you have any knowledge about what 

     22   those -- 

     23        A.  In general if you were to design your 

     24   algorithm so badly that the key length was 

     25   irrelevant, you would be allowed to export things 

                                                           89

      1   with a greater key length.  But as I said, these 

      2   rules were not well defined.  They were not 

      3   codified.  They were not written down.  You 

      4   basically had to submit something and hope for the 

      5   best.  So people tended to err on the side of making 

      6   systems lousy.

      7        Q.  Mr. Schneier, in your opinion as a 

      8   cryptographer, is it possible to design an 

      9   uncrackable encryption methodology?

     10            MR. HERNSTADT:  Objection to form.

     11            THE WITNESS:  Defining "uncrackable" as 

     12   beyond the limits of our understanding of 

     13   mathematics, yes.

     14   BY MS. MILLER:

     15        Q.  Has any such system been designed to your 

     16   knowledge?

     17        A.  There are many systems in use today that 

     18   are believed to be uncrackable.  Unfortunately in 

     19   cryptography you can't make mathematically --  

     20   mathematical statements that this is unbreakable.  

     21   But you can say that with our present understanding 

     22   of mathematics, this is unbreakable.  And there are 

     23   many algorithms of which the latter holds true.

     24        Q.  Is it fair to say that it's more 

     25   probabilistic?  You can express an opinion that's it 

                                                           90

      1   more probably able to be cracked or less probably 

      2   able to be cracked given our current understanding 

      3   of mathematics?

      4        A.  "Probabilistic" is also a tough term.

      5            MR. HERNSTADT:  Objection to form.

      6            THE WITNESS:  "Probabilistic" is also a 

      7   tough term because it's a term of art in 

      8   cryptography.

      9   BY MS. MILLER:

     10        Q.  I see.

     11        A.  Really what you can say is that a 

     12   particular algorithm cannot be broken by any method 

     13   we know, nor do we have any road map that might get 

     14   to a method that would break the algorithm.  Of 

     15   course, you could end up being wrong, but 

     16   cryptographers often have a pretty good idea of what 

     17   is and isn't breakable.

     18        Q.  Do you have any understanding of what's 

     19   considered -- or is there currently a standard for 

     20   key lengths for encrypted data over the Internet?

     21            MR. HERNSTADT:  Objection to form.

     22            THE WITNESS:  There's no standard.  There 

     23   are a bunch of guidelines.  In 1997 I believe a 

     24   group of about nine or ten very respected 

     25   cryptographers, myself included, wrote a paper which 

                                                           91

      1   talked about minimal key lengths for commercial 

      2   security and looked at different key lengths and 

      3   forward in the years as to what would be minimal 

      4   security that's required.

      5            On the Internet today, the standard 

      6   algorithm -- "standard" is a bad word.  The most 

      7   commonly trusted algorithm is a -- something called 

      8   triple DES which has a 112-bit key.  The government 

      9   right now, the National Institute of Standards and 

     10   Technologies, or NIST, is proposing a new encryption 

     11   standard, and that will have key lengths of 112 

     12   bits, 192 bits and 256 bits.

     13            Single DES, which is 56 bit long, is used 

     14   in some very low-security applications, but everyone 

     15   knows that a key length of 56 bits is just not long 

     16   enough to be any good for most applications.

     17   BY MS. MILLER:

     18        Q.  Known not to be any good for most 

     19   applications in terms of what?  What's the basis for 

     20   that statement that you just made?

     21        A.  The easiest way to break an algorithm is to 

     22   try every possible key.

     23        Q.  That's what's called a brute force attack?

     24        A.  Yes.  A brute force attack can be 

     25   implemented against any algorithm regardless of the 

                                                           92

      1   math, regardless of how complicated it is just by 

      2   trying every possible key.  It's always possible.  

      3   It always works.  The question you ask is, how long 

      4   does that take?  How long would it take a computer 

      5   to try every possible key?

      6            And a 56-bit key as of a few years ago is 

      7   commonly known to be possible to break.  There was a 

      8   very public break against DES which used hardware 

      9   that broke a 56-bit key in I think under a day.  

     10   There have been distributed attacks on the Internet 

     11   that have broken a 56-bit key over the course of 

     12   days.  And of course these numbers are getting 

     13   faster as computer power increases.

     14        Q.  And what was the processing power of that 

     15   computer that you just testified to where it was 

     16   publicized that it broke DES in under a day?

     17        A.  I don't remember.  Going back to 

     18   Crypto-Gram, there was an essay that goes into all 

     19   the details of processing.

     20        Q.  What time frame did that occur?

     21        A.  I don't remember.  Look in the index of 

     22   back issues.

     23        Q.  Was it a year ago?  More than a year ago?

     24        A.  I believe it was two years ago that I wrote 

     25   about it.

                                                           93

      1        Q.  I'd like to now turn to your declaration, 

      2   Mr. Schneier.  Now, on page 2 of your declaration -- 

      3   the pages are actually not numbered, but let's look 

      4   at paragraph 2, appears on the second page.  You 

      5   state, I quote, "The entertainment industry knew 

      6   even as it implemented it that the security system 

      7   created to protect DVDs would be broken."

      8            What is the basis for you making that 

      9   statement?

     10        A.  The system is so robustly and profoundly 

     11   bad that it's inconceivable to me that an engineer 

     12   could have designed it without knowing that it was 

     13   flawed.

     14        Q.  So that's just an assumption on your part 

     15   based on the, as you said, the "robustly and 

     16   profoundly bad" system that was put into place?  In 

     17   other words, you didn't speak to anyone within the 

     18   entertainment industry to actually ascertain that 

     19   they knew the security system put in place to 

     20   protect DVDs would be broken?

     21            MR. HERNSTADT:  Which question do you want 

     22   him to answer?

     23            MS. MILLER:  The latter one.

     24            MR. HERNSTADT:  No objection to that 

     25   question.

                                                           94

      1            THE WITNESS:  No, I did not talk to 

      2   anybody.  It's like if you see a screen door on a 

      3   submarine, you don't need to ask whether the 

      4   engineers understood that the submarine would sink.  

      5   It just seems sort of obvious.

      6   BY MS. MILLER:

      7        Q.  That the engineers who put a screen door on 

      8   a submarine would know that the submarine would 

      9   sink?

     10        A.  It's just inconceivable to me that someone 

     11   could make -- that would be an honest mistake.

     12        Q.  Again, just to be clear, when you say the 

     13   industry -- "entertainment industry knew," you never 

     14   had any conversations with anybody in the 

     15   entertainment industry that actually confirmed that 

     16   statement?

     17        A.  I did not.

     18            MR. HERNSTADT:  Asked and answered.

     19            THE WITNESS:  I did not.

     20   BY MS. MILLER:

     21        Q.  Going on to paragraph 2 you say that, 

     22   "They" -- I assume that the "they" refers back to 

     23   the entertainment industry -- "expected the Internet 

     24   to be used to distribute programs that assist 

     25   skilled consumers to remove the copy protection on 

                                                           95

      1   DVDs."  Let's stop there.

      2            What is the basis for making that 

      3   statement, Mr. Schneier?

      4        A.  Again, it was my analysis of the system,  

      5   my analysis of the security properties of DVD and 

      6   digital content and what's inevitable for digital 

      7   communication systems.

      8        Q.  Okay.  But that's not exactly the question 

      9   that I'm asking you.

     10        A.  Try again.

     11        Q.  You indicated that the entertainment 

     12   industry knew that the Internet would be "used to 

     13   distribute programs that assist skilled consumers to 

     14   remove the copy protection on DVDs."  I'm asking you 

     15   how you knew that the entertainment industry 

     16   expected the Internet to be used to distribute these 

     17   programs.

     18            MR. HERNSTADT:  Objection.  Asked and 

     19   answered.

     20            THE WITNESS:  It seemed obvious to me based 

     21   on the way the system worked.

     22   BY MS. MILLER:

     23        Q.  It seemed obvious to you that the 

     24   entertainment industry expected the Internet to be 

     25   used to distribute programs such as DeCSS?

                                                           96

      1        A.  Yes.  This has been something I have been 

      2   saying for years that this would happen.  It's 

      3   inconceivable to me that the entertainment industry 

      4   could be that blind to the inevitability of this.

      5        Q.  You've been saying this for years?

      6        A.  Yes, that digital content will be 

      7   distributed on the Net, that programs that will 

      8   defeat any copy protection scheme that could be 

      9   designed will be made available, that it is 

     10   impossible to fix this problem through content 

     11   protection.

     12        Q.  Just because you've been saying that for 

     13   years doesn't necessarily mean that the 

     14   entertainment industry expected the Internet to be 

     15   used to distribute programs such as DeCSS, correct?

     16            MR. HERNSTADT:  Objection.  That's 

     17   argumentative.

     18            If you can answer it, go ahead.

     19            THE WITNESS:  I'm really giving them the 

     20   benefit of the doubt.  I'm assuming that they're not 

     21   stupid.  I suppose it is possible that they were 

     22   really, really, really dumb.  It seems 

     23   extraordinarily unlikely.

     24   BY MS. MILLER:

     25        Q.  Continuing on, I'll restate that or again 

                                                           97

      1   quote from paragraph 2.  You said, "They expected 

      2   the Internet to be used to distribute programs that 

      3   assist skilled consumers to remove the copy 

      4   protection on DVDs and play and edit and (with great 

      5   difficulty) copy them."

      6            What do you mean by "with great difficulty 

      7   copy them"?

      8            MR. HERNSTADT:  Objection to form.  It says 

      9   what it says.

     10            THE WITNESS:  There's a lot of difficulties 

     11   associated with copying DVDs simply because of the 

     12   availability of DVD writers.  They're not common.  

     13   DVD has a lot of data which is difficult to 

     14   transport and store, so any intermediate form 

     15   makes -- is difficult to deal with.

     16            So copying DVDs irrespective of any copy 

     17   protection is something difficult to do because it 

     18   requires specialized tools and hardware and 

     19   software.  It's not something -- for example, my 

     20   computer at home, I do not have enough storage to 

     21   copy a DVD. 

     22   BY MS. MILLER:

     23        Q.  How much storage do you have on your 

     24   computer at home?

     25        A.  I don't know, but less than 4 point 

                                                           98

      1   something gigabytes which is what a DVD is.

      2        Q.  And -- strike that.

      3            Do you have any idea what standard home 

      4   computer packages that are available in the consumer 

      5   marketplace are being shipped with in terms of hard 

      6   drive storage space?

      7            MR. HERNSTADT:  Objection to the question.

      8            If you have any idea, go ahead.

      9            THE WITNESS:  I don't, but I'm sure I can 

     10   pull any magazine off the shelf at a bookstore and 

     11   find out.

     12            MR. HERNSTADT:  Mr. Schneier is not being 

     13   presented for anything remotely like that.

     14   BY MS. MILLER:

     15        Q.  Would it surprise you to learn that a 

     16   consumer can purchase, for example, from Dell 

     17   Computers a fairly low-end personal computer system 

     18   with a 20-gigabyte hard drive?

     19            MR. HERNSTADT:  Objection to the form of 

     20   the question.

     21            THE WITNESS:  It would not surprise me.

     22   BY MS. MILLER:

     23        Q.  Okay.  You've already testified that you've 

     24   never used the DeCSS utility; is that correct?

     25        A.  That is correct.

                                                           99

      1        Q.  So have you heard from anyone whether or 

      2   not it's difficult to use DeCSS to copy movie files?

      3        A.  I have not.

      4            MR. HERNSTADT:  Objection to the form of 

      5   the question insofar as "difficult" is referring 

      6   back to a prior question.

      7            Go ahead.

      8            THE WITNESS:  I have not.

      9   BY MS. MILLER:

     10        Q.  I'd like for you now to look at paragraph 6

     11   of your declaration, Mr. Schneier.  In the second 

     12   sentence of paragraph 6 you state, "Instead, DVD 

     13   software manufacturers were supposed to disguise the 

     14   decryption program and possibly the playing program 

     15   using some sort of software obfuscation techniques."

     16            Do you see the sentence that I just read?

     17        A.  I do.

     18        Q.  What's the basis for you making this 

     19   statement that DVD software manufacturers are 

     20   supposed to disguise decryption programs?

     21            MR. HERNSTADT:  Asked and answered.  Go 

     22   ahead.  

     23            THE WITNESS:  That was based on my reading 

     24   of the -- of information about CSS and DeCSS and my 

     25   perusing of the various Web pages and writings on 

                                                           100

      1   the topic, that the different software players all 

      2   used obfuscation techniques to try to disguise the 

      3   working algorithm to make reverse engineering 

      4   harder.

      5   BY MS. MILLER:

      6        Q.  Can you tell me what specific documents you 

      7   read to gain that understanding?

      8        A.  I cannot.  I would start with the ones 

      9   at the bottom of the essay and work from there.

     10        Q.  The November 15th essay --

     11        A.  Yes.

     12        Q.  -- that we talked about?  Now are you aware 

     13   of any efforts by anyone to reverse engineer a 

     14   software-based DVD player prior to the development 

     15   of DeCSS to ascertain the CSS encryption algorithm?

     16            MR. HERNSTADT:  Object to the form.  I 

     17   think that's unintelligible.

     18            THE WITNESS:  Personally I am not.

     19   BY MS. MILLER:

     20        Q.  You understood my question, didn't you 

     21   Mr. Schneier?

     22        A.  I hope so.

     23        Q.  The next sentence you indicate, "This is a 

     24   technique that has never worked:  There is simply no 

     25   way to obfuscate software because it has to be on 

                                                           101

      1   the computer somewhere and is thus accessible to 

      2   researchers, people engaged in reverse engineering 

      3   and the like."

      4            Do you have any idea of how the DeCSS 

      5   utility was developed?

      6        A.  I do not.

      7        Q.  And what is the basis of the statement that 

      8   you've made in paragraph 6 in that last sentence 

      9   that there's "simply no way to obfuscate software"?

     10        A.  It's a mathematical truth.

     11        Q.  Based on what principles?

     12        A.  Mathematics, logic, computer architecture.  

     13   It's not a problem that can be solved.

     14        Q.  What's not a problem that can be solved?

     15        A.  The problem of obfuscating software such 

     16   that someone cannot reverse engineer it.  You might 

     17   be able to make it harder, but you cannot stop it.

     18        Q.  But it is possible to make it harder 

     19   through obfuscation to reverse engineer software?

     20        A.  It's possible to make it more difficult, 

     21   but there's a limit after which you can't make it 

     22   any more difficult, and that limit is still the 

     23   limit where it's possible to reverse engineer it.

     24        Q.  Okay.  But again, just to make sure I 

     25   completely understand your answer, are these the 

                                                           102

      1   same principles that you testified to earlier that 

      2   say, for example, in a brute force attack that as 

      3   long as you throw enough processing power at a 

      4   problem in attempting to reverse engineer something, 

      5   eventually depending on how long, you'll eventually 

      6   be able to break it or get to the solution?

      7            MR. HERNSTADT:  Object to the form of the 

      8   question.  I don't understand the question at all.  

      9   Would you read it back please.

     10            (Record read.)

     11            MR. HERNSTADT:  What "principles" are you 

     12   referring to? 

     13            MS. MILLER:  The mathematical principles 

     14   that Mr. Schneier testified to earlier that go into 

     15   a brute force attack.

     16            MR. HERNSTADT:  Okay.

     17            MS. MILLER:  For example, in trying to 

     18   crack an encryption algorithm.

     19            THE WITNESS:  No, they're completely 

     20   different.  The brute force attack principles are 

     21   based on the blind and mechanistic trying of every 

     22   possible key.  In this case, this is not something 

     23   based on a time-consuming computer run of trying 

     24   possibilities until you find the right one.

     25   BY MS. MILLER:

                                                           103

      1        Q.  That's what I want to understand.

      2        A.  No, it's completely different.

      3        Q.  Could you explain what it's based on.

      4        A.  In a computer, the code, the object code, 

      5   must be intelligible to the processor.  Otherwise it 

      6   can't actually run.  So by definition, any 

      7   obfuscation technique will through the course of 

      8   running the software be unobfuscated because 

      9   otherwise the software could not run on the machine. 

     10   At that point after the software has been 

     11   unobfuscated, a researcher or reverse engineer can 

     12   intercept the stream.

     13        Q.  I see what you're saying.

     14        A.  So it has nothing to do with a brute force 

     15   attack.  It's a more -- it's real time, and it's 

     16   based on the inevitability of the processor needing 

     17   to deal with the raw information.

     18        Q.  So basically just analyzing the strings of 

     19   zeroes and ones that happen to be in the computer 

     20   register at that point in time and determining 

     21   exactly what software steps the computer is 

     22   executing?

     23        A.  Yes.

     24        Q.  I understand.  Based on this testimony, is 

     25   it your understanding that it's only through this 

                                                           104

      1   process that a software engineer then would be able 

      2   to understand once the software has been, if you 

      3   will, unobfuscated for purposes of having it run on 

      4   the machine, that they'll be able to intercept that 

      5   stream and understand what's going on with the 

      6   software?

      7            MR. HERNSTADT:  Object to form.

      8            THE WITNESS:  No, that's not the only way.  

      9   That's just a way that always works and cannot be 

     10   stopped.  You can certainly analyze the obfuscated 

     11   stream and understand the obfuscation techniques and 

     12   sort of reverse engineer it that way.

     13   BY MS. MILLER:

     14        Q.  Okay.

     15        A.  It's possible to build a system that 

     16   automatically unobfuscates code; again, after 

     17   understanding the techniques.

     18        Q.  Okay.

     19        A.  So I just used the example of looking at 

     20   the code after it's been unobfuscated as proof that 

     21   it's impossible to do it and that always works, but 

     22   there are certainly other ways.

     23        Q.  Again, to make sure I clarify.  I don't 

     24   want to interrupt your answer.  But that's as the 

     25   code is being executed by the machine in the first 

                                                           105

      1   example that you gave?

      2            MR. HERNSTADT:  Objection to the form.  

      3   That misstates the testimony.

      4            THE WITNESS:  Yes.  If you were going to do 

      5   this methodology that always works, which is looking 

      6   at the code as it's being read by the processor, 

      7   that would be during execution of a legitimate 

      8   program. 

      9   BY MS. MILLER:

     10        Q.  Okay. 

     11        A.  But there are ways to reverse engineer a 

     12   code and obfuscation techniques that don't involve 

     13   doing that.

     14            MS. MILLER:  Off the record.

     15            THE VIDEOGRAPHER:  We're going off the 

     16   record.  The time is 1:34.

     17            (Break taken.)

     18            THE VIDEOGRAPHER:  We're going back on the 

     19   record.  The time is 1:41.  You may proceed.

     20   BY MS. MILLER:

     21        Q.  Mr. Schneier, just a couple of really quick 

     22   questions I just want to make sure we've gone 

     23   through in your testimony today.  Now, have you ever 

     24   personally been involved in any effort to reverse 

     25   engineer CSS?

                                                           106

      1        A.  No.

      2        Q.  Looking again at paragraph 9 in your 

      3   declaration, you state, "Finally, as a matter of 

      4   basic computer and cryptological science, the DVD 

      5   break consisting of, among other utilities, DeCSS, 

      6   is a very good thing.  It is good research 

      7   illustrating how bad the encryption algorithm is and 

      8   how poorly thought out the security model is and 

      9   must be available to cryptologists, programmers and 

     10   others as a research and intellectual tool through 

     11   the normal channels -- included but not limited to 

     12   posting it on the Internet."

     13            Now, in that statement when you say, "The 

     14   DVD break, consisting of among other utilities, 

     15   DeCSS," are you referring to DeCSS in its source 

     16   code form or its object code form?

     17        A.  I'm referring to neither.  I'm referring to 

     18   it in general.

     19        Q.  Okay.  But you've earlier testified that 

     20   you've never seen the source code for DeCSS; is that 

     21   correct?

     22        A.  I have not.

     23        Q.  You also testified that you've never seen 

     24   the object code for DeCSS; is that correct?

     25        A.  I have not.  I have testified that I have 

                                                           107

      1   not.

      2            MS. MILLER:  Thanks.  That's actually all I 

      3   have at this time in your deposition, Mr. Schneier,  

      4   subject to the few document requests that I've made 

      5   of Mr. Hernstadt and if you don't mind searching for 

      6   the e-mails that we've talked about that you 

      7   testified to that you might have.  I'd like to leave 

      8   the deposition open in case there are any follow-up 

      9   questions.  I know Mr. Hernstadt feels differently, 

     10   and he will so state that on the record, I presume.

     11            MR. HERNSTADT:  You're welcome to state my 

     12   position for me since we -- depending on --

     13            MS. MILLER:  Shortcut things.

     14            MR. HERNSTADT:  -- depending on who takes 

     15   the deposition, we each say the same thing.  But 

     16   obviously I think the deposition is concluded, and 

     17   thank you very much.  I appreciate it.

     18            MS. MILLER:  I thank you for your time and 

     19   candor.

     20            (Discussion off the record.)

     21            MR. HERNSTADT:  Because the trial is 

     22   scheduled to start on July 17th, we've requested 

     23   that the court reporter with respect to the 

     24   depositions of Chris DiBona, Barbara Simons and 

     25   Bruce Schneier, to provide the originals immediately 

                                                           108

      1   or as soon as they're completed for review and 

      2   signing, and then those will be returned to the 

      3   party that's noticed the deposition.  And we 

      4   appreciate the reporter's willingness to assist us 

      5   with this.  Thank you. 

      6            THE VIDEOGRAPHER:  This is the end of Tape 

      7   No. 2 in the deposition of Bruce Schneier.  Going 

      8   off the record.  The time is 1:45. 

      9            (Time noted:  1:45 p.m.)

     10

     11

     12

     13                            ______________________ 

     14                                BRUCE SCHNEIER

     15

     16

     17

     18

     19

     20

     21   Subscribed and sworn to before me

     22   this__________ day of__________________, 2000

     23   Notary Public in and for the State of

     24   California, County of Santa Clara

     25

                                                           109