1
1 UNITED STATES DISTRICT COURT
SOUTHERN DISTRICT OF NEW YORK
2 00 Civ. 20277
- - - - - - - - - - - - - - - - -X
3
UNIVERSAL CITY STUDIOS, INC., :
4 PARAMOUNT PICTURES CORPORATION,
METRO-GOLDWYN-MAYER STUDIOS, INC., :
5 TRISTAR PICTURES, INC., COLUMBIA
PICTURES INDUSTRIES, INC., TIME :
6 WARNER ENTERTAINMENT CO., L.P.,
DISNEY ENTERPRISES, INC., and :
7 TWENTIETH CENTURY FOX FILM
CORPORATION, :
8
Plaintiffs, :
9
Vs. :
10
SHAWN C. REIMERDES, ERIC CORLEY, :
11 a/k/a "EMMANUEL GOLDSTEIN" and
ROMAN KAZAN and 2600 ENTERPRISES, :
12 INC.,
:
13 Defendants.
14 - - - - - - - - - - - - - - - - - - X
15 Videotape deposition of EDWARD FELTEN,
16 taken in the above-entitled matter before
17 Michele Anzivino, Notary Public of the
18 State of New York, taken at the offices of
19 PROSKAUER ROSE, 1585 Broadway, New York, New
20 York on Friday, July 7, 2000 commencing at
21 10:28 a.m.
22
23 NEW YORK REPORTING COMPANY (USA), LTD.
245 PARK AVENUE
24 39TH FLOOR
NEW YORK, NEW YORK 10167
25 (212) 792-5623 Fax: (212) 792-5624
2
1
2 A P P E A R A N C E S:
3
PROSKAUER ROSE, LLP
4 1585 Broadway
New York, New York 10036-8299
5 Attorney for Plaintiffs
(212) 969-3095
6 By: WILLIAM M. HART, ESQ.
LEON PHILLIP GOLD, ESQ.
7
FRANKFURT, GARBUS, KLEIN & SELZ, P.C.
8 BY: MARTIN GARBUS, ESQ.
488 Madison Avenue
9 New York, New York 10022
(212) 826-5582
10 Attorney for Defendant Eric Corley
13 Also present: Eileen McDonald, Videographer
3
1
2 I N D E X
3
4 WITNESS EXAMINATION BY PAGE
5 EDWARD FELTEN
6 Mr. Hart 5
7
INDEX TO EXHIBITS
8
PAGE
9 1 Documents 8
10 2 Documents 8
11 3 Copy of declaration 8
4
1
2 THE VIDEOGRAPHER: This is
3 Eileen Dougherty. We are going on
4 the record at 10:30 a.m. on July 7,
5 2000. We are here for the case
6 Universal versus Reimerdes. The
7 witness today is Edward Felten. We
8 are at the location of 1585
9 Broadway, New York, New York.
10 Will the attorneys please state
11 their appearances for the record.
12 MR. HART: Yeah. This is Bill
13 Hart from Proskauer Rose for the
14 plaintiffs.
15 MR. GARBUS: Martin Garbus,
16 Frankfurt, Garbus, Klein & Selz for
17 the defendant.
18 THE VIDEOGRAPHER: Will the
19 court reporter please administer
20 the oath.
21 E D W A R D F E L T E N ,
22 having been first duly sworn, was examined and
23 testified as follows:
24 EXAMINATION
25 BY MR. HART:
5
1 EDWARD FELTEN
2 Q. Good morning, Mr. Felten.
3 A. Good morning.
4 Q. Have you ever been deposed before?
5 A. Yes, twice.
6 Q. In what matters?
7 A. Both times in U.S. versus
8 Microsoft, the antitrust case.
9 Q. Oh.
10 And if you can just tell me
11 generally what the subject matter was that you
12 testified to in those depositions.
13 A. Sure. The first time was in the
14 main part of the case, and I testified mostly
15 about issues relating to software design and
16 software construction, about operating systems
17 and browsers and how they related to each other
18 in general. And then specifically how
19 Microsoft's products, Windows '95 and '98 and
20 Internet Explorer, related.
21 Q. Okay.
22 And what you just described was the
23 subject matter of both of the depositions you
24 referred to?
25 A. Both depositions talked about those
6
2 matters.
3 And then the second deposition I
4 also talked about -- that was in the rebuttal
5 phase of the trial. And so I talked about
6 rebutting some of the Microsoft witnesses'
7 statements on those same topics.
8 Q. Okay.
9 And who were you testifying on
10 behalf of?
11 A. Of the -- of the Department of
12 Justice.
13 Q. Okay.
14 Did you ever testify at the trial
15 or in any of the court proceedings in that
16 action?
17 A. Yes, I testified twice in court.
18 Q. Okay.
19 And was your testimony related to
20 the same subjects that you just described?
21 A. Yes.
22 Q. Was there anything else in your
23 court testimony in addition to what you
24 described regarding your deposition testimony?
25 A. Let me think about that. There was
7
2 a discussion of security issues in -- in my
3 court testimony which I -- which was not on the
4 list I gave you before.
5 Q. Okay.
6 And by "security issues," what do
7 you mean?
8 A. The implications for the security
9 of PCs of various things that Microsoft had
10 done.
11 Q. Okay.
12 And by "security," do we mean
13 preventing people from getting unauthorized
14 access into the P.C. or what? I mean, I just
15 --
16 A. Both. Both preventing unauthorized
17 access to the P.C. and also privacy issues.
18 That is, what kinds of information about the
19 user of the P.C. become available to other
20 people across the Net.
21 Q. Got you. Okay.
22 I want to mark a couple of
23 exhibits, and I'm trying to do this as
24 efficiently as possible.
25 MR. HART: Ms. Reporter, I'm
8
2 going to hand you Exhibits 1, 2 and
3 3 in that order. Marty, just give
4 us a moment.
5 Q. Mr. Felten, I'll have you identify
6 these for the record once the reporter has
7 marked them.
8 A. Okay.
9 MR. HART: Actually, those
10 copies are for you, Marty, because
11 I prefer the witness refer to the
12 ones that will have exhibit numbers
13 to make it a little easier.
14 (Thereupon, Documents marked as
15 Felten Exhibits 1, 2 and 3 for
16 identification as of today's date)
17 Q. Okay. If you would sequentially,
18 Exhibits 1, 2 and 3, and if you don't mind my
19 just asking --
20 A. Okay.
21 Q. -- a group question for all of
22 them.
23 A., Have you ever seen the document
24 before, and B., If so, what is it?
25 A. Okay. Number 1, I do not think I've
9
2 seen.
3 Q. Okay.
4 A. I've not seen Number 2.
5 Q. Okay.
6 A. And Number 3 I have seen, and this
7 was a copy of a declaration which -- which I
8 prepared.
9 Q. Okay.
10 A. And it has my C.V. as -- as an
11 appendix to it.
12 Q. Very good.
13 Are you going to be testifying in
14 the trial of this case?
15 A. I expect to.
16 Q. Okay.
17 Is there any reason, to your
18 knowledge, based on your own availability that
19 you wouldn't be able to, assuming that the
20 court goes forward on the date scheduled?
21 A. It depends on the length of the
22 trial.
23 Q. Okay.
24 A. I understand the trial is scheduled
25 to start on the 17th.
10
2 Q. Right.
3 A. And for the first two weeks
4 beginning on the 17th, I'm available.
5 Q. Okay.
6 A. The following week I am not sure
7 about my availability. I have a consulting job
8 that will involve a trip to Ottawa, and I'm not
9 sure which day that will be on. That still has
10 to be arranged with the people I would be
11 visiting.
12 Q. Okay.
13 A. And if the trial goes beyond the
14 third week, then I'm not sure.
15 Q. I understand.
16 Were you asked to collect any
17 documents in your possession or control to turn
18 over in connection with this case or with your
19 deposition?
20 A. No.
21 Q. Okay.
22 When were you first contacted about
23 the possibility of your testifying in some form
24 or another in connection with this case? And
25 by "testifying" I mean both in deposition
11
2 and/or at trial.
3 A. I don't recall exactly when it was.
4 I think -- I'd estimate it was perhaps two
5 months ago.
6 Q. Okay.
7 And who made that contact to you?
8 A. The first -- the first contact I
9 had actually was at a -- at a lunch. Professor
10 Appel was going to have lunch with Mr. Garbus
11 in Princeton and -- and Professor Appel invited
12 me to come along and I talked with Mr. Garbus
13 at that lunch. That was the first contact I'd
14 had.
15 Q. Okay.
16 And prior to being invited to that
17 lunch had you ever heard of this case before?
18 A. Yes.
19 Q. When did you first hear of this
20 case?
21 A. I don't remember exactly when I
22 heard of it. It was, to estimate, perhaps
23 January.
24 Q. Okay.
25 And how did you first hear of it?
12
2 A. In conversations with -- with
3 colleagues. I think that's when I first heard
4 of it.
5 Q. Colleagues where?
6 A. It -- it would have been at a
7 conference, at a discussion during a break
8 session in a conference.
9 Q. Is this a conference at Princeton
10 or elsewhere?
11 A. I went to a number of conferences
12 in January, but I don't -- it would have been
13 elsewhere, but I don't know which conference
14 exactly.
15 Q. Okay.
16 Was Mr. Appel one of the colleagues
17 that you include?
18 A. No.
19 Q. Okay.
20 A. I should -- let me clarify. By
21 "colleagues" I mean people working in the same
22 field as me, not necessarily people at
23 Princeton.
24 Q. Got you.
25 But Mr. Appel was not at that
13
2 conference?
3 A. He was not -- no, he was not at any
4 of the conferences I went to.
5 Q. Now, you work -- I don't mean to
6 interrupt you.
7 A. I'm finished.
8 Q. Okay. I'll try not to do that.
9 You work with Mr. Appel at
10 Princeton?
11 A. Yes.
12 Q. Okay.
13 Can you tell me what differences
14 there are between your two respective
15 specialties or knowledges or areas of
16 expertise?
17 A. Sure. I can talk about some areas
18 in which I have more knowledge and expertise
19 and other areas where he has more if that's a
20 helpful way to do.
21 Q. Fine. That would be great.
22 A. Okay. I think I have more
23 expertise in general, in issues relating to
24 security and cryptography. I have more
25 expertise related to operating systems and what
14
2 you might call Internet software. He has more
3 expertise related to programming languages,
4 software engineering and topics related to how
5 software is generally constructed.
6 Q. And are there areas where at least
7 in general you'd say the two of you overlap in
8 terms of your respective expertises, knowledge
9 or experience?
10 A. Sure. I think we both have -- when
11 I gave you the list of areas there, I didn't
12 mean to imply that he has no expertise in areas
13 where I have more, nor that I have none in
14 areas where he has more.
15 Q. I appreciate that.
16 A. So yes, there's -- there is a
17 significant amount of overlap between --
18 between our expertise.
19 Q. Okay.
20 When you said a minute ago that one
21 of the areas that you have special knowledge in
22 is in Internet software--
23 A. Yes.
24 Q. -- what do you mean by "Internet
25 software"?
15
2 A. I mean the workings and designs of
3 things like Web browsers and e-mail software
4 and so on, the sorts of software that people
5 use when accessing the Internet.
6 Q. Okay.
7 And does that also relate to --
8 does that expertise, if you will, also relate
9 to the networking capabilities and speed of
10 networks with respect to the Internet?
11 A. I think I probably have more
12 experience and expertise than he does relating
13 to how Internet -- the Internet works, sort of
14 the plumbing, the guts of it.
15 Q. Mm-hmm.
16 A. As far as the speeds, I'm not sure.
17 Q. Okay.
18 A. I'm not sure how I would
19 characterize that.
20 Q. Okay.
21 A. Whether I would know more or he
22 would know more.
23 Q. Okay. Fair enough.
24 Can you tell me in your
25 professional estimation what basic factors
16
2 contribute to or play a role in Internet
3 network speed?
4 A. Well, that's a big topic.
5 Q. I understand.
6 A. There are a number of -- and it's a
7 question that can be sort of answered at
8 different technological levels. But let me try
9 to give a basic answer.
10 Q. Please.
11 A. You -- one of the factors is what
12 is -- what are the basic hardware building
13 blocks you are using.
14 Q. Okay.
15 A. But there are a lot of other
16 factors that have to do with the -- the
17 distances over which you are communicating.
18 Q. Geographic distances?
19 A. Geographic distances, yes.
20 Q. Okay.
21 A. With the software that you are
22 using at the end points, with the amount of --
23 the effective speed you get depends on how much
24 congestion there is in the Net between Point A
25 and Point B, and it also depends in complicated
17
2 ways on sort of the design or architecture of
3 the Internet and the networks.
4 Q. Okay.
5 Are there any other factors in
6 general terms --
7 MR. GARBUS: Excuse me, what's
8 that noise?
9 MR. HART: I think you are
10 hearing footsteps again, Marty.
11 Just to be clear, I mean, there is
12 a paging system in the office, and
13 you may be hearing that and I
14 apologize for that.
15 MR. GARBUS: I see. I see.
16 A. No other factors come to mind.
17 Q. Okay.
18 A. I may be missing something.
19 Q. Well, we'll be coming back to that.
20 Again, I was looking for a sort of general
21 answer --
22 A. Okay.
23 Q. -- at this point.
24 Did you have an opportunity to
25 review Mr. Appel's deposition transcript before
18
2 you appeared here today?
3 A. Yes.
4 Q. Okay.
5 Did he basically get it right? Are
6 there any things you disagree with in what he
7 said?
8 A. I don't recall disagreeing with
9 anything.
10 Q. Okay.
11 Apart from your declaration which
12 we've marked as Exhibit 3 here, have you
13 prepared any materials, whether written or
14 demonstrative, and by "demonstrative" I'm
15 including such things as software or
16 illustrations of how software works, in
17 connection with your involvement in this case?
18 A. No.
19 Q. Do you plan to, prior to testifying
20 at the trial?
21 A. No, I don't have any plans to do
22 that.
23 Q. Okay.
24 Can you tell me, to the best of
25 your knowledge, what general areas you intend
19
2 to or are prepared to testify on in the trial
3 of this case?
4 A. Sure.
5 Q. Yes.
6 A. Well, of course I'll answer
7 whatever questions I'm asked.
8 Q. Of course.
9 A. But what I would anticipate is I
10 think laid out pretty well in the declaration.
11 Q. Okay.
12 A. And there is a list of four topics
13 here.
14 Q. Okay.
15 There is nothing else, to your
16 knowledge, as we sit here today that you plan
17 to testify on at the trial or that you are
18 right now prepared to testify on at the trial
19 apart from what's in your declaration?
20 A. I don't plan to testify to anything
21 beyond this as opposed to -- if -- if you're --
22 with regard to what I'm prepared to testify
23 about in this -- I have a lot of general
24 knowledge about computer science and my -- and
25 my areas of specialty --
20
2 Q. Got you.
3 A. -- which I think I'm prepared to
4 testify about that, but I don't expect to.
5 Q. Got you. Okay.
6 Have you ever personally been
7 involved in a situation where a security or
8 encryption system has been hacked, in a
9 nonpejorative sense, and the results of that
10 hack disseminated to others?
11 MR. GARBUS: By "hack" you mean
12 also broken or compromised?
13 Q. And again, I'm not trying to -- to
14 be pejorative in any sense. If you have a
15 better word, I'll use your word.
16 A. Right. So I'm interpreting
17 "hacked" here to mean broken -- the system was
18 broken or a flaw was found in it.
19 Q. Okay. Fine.
20 A. And the result -- and the results
21 of that -- if you take the results of that to
22 include the knowledge of what was wrong with
23 the system and how the -- how the -- the -- the
24 flaw was discovered and so on, how it was
25 fixed, then yes.
21
2 Q. In how many instances have you been
3 involved in such a situation?
4 A. I'd estimate about a dozen.
5 Q. Okay.
6 In each of those instances, was the
7 proprietor of the system contacted after the
8 flaw was discovered or the system was broken?
9 A. So when I said a dozen, I meant
10 ones in which I had been involved in
11 discovering the security flaw in one way or
12 another.
13 Q. As opposed to?
14 A. As opposed to ones in which someone
15 else had discovered it and I was aware of what
16 was happening and so on.
17 Q. And in the latter category, how
18 many were you involved in, in that way, where
19 you weren't the discoverer but you were
20 involved to one degree or another?
21 A. Maybe five.
22 Q. Okay.
23 And what -- can we put a time span
24 on all of these? I mean, is there --
25 A. Sure. We can start in, say, early
22
2 1996 up until about the present.
3 Q. Okay.
4 Now, with respect to any of them --
5 and I'm including for the purposes of these
6 questions both the ones that you were the
7 discoverer of a flaw in and the ones where you
8 weren't the discoverer but you were involved in
9 some way or another in the exercise. Were
10 there any that involved some kind of contact or
11 communication with the proprietor of the system
12 regarding the existence of the flaw or of the
13 compromise or of the break?
14 A. Yes.
15 Q. Did all of them involve some
16 contact or communication with the proprietor of
17 the system regarding that subject?
18 A. All of them did eventually.
19 Q. Okay.
20 And by "eventually," what do you
21 mean?
22 A. What I mean was that at some point
23 in time the person who discovered the flaw
24 communicated with the -- the -- what you call
25 the proprietor, the -- the creator of the
23
2 system to discuss the flaw.
3 Q. Okay.
4 Now, in the 12 instances where you
5 personally were the discoverer of the flaw, was
6 it you in each of those 12 instances that
7 communicated with the proprietor of the system
8 regarding the flaw?
9 A. Yes.
10 Q. Okay.
11 And how did you do that in each
12 instance?
13 A. If I knew who were the engineers
14 within the -- the -- the proprietor of the
15 system who were responsible for the security
16 aspects of it, I would just call them directly.
17 Q. Got you.
18 A. Although it's not easy to find out
19 who those people are if you don't already have
20 a relationship with the company.
21 Q. Okay.
22 A. And so if you don't, then you have
23 to go in through the front door.
24 Q. Right.
25 A. But -- bug reporting mechanism or
24
2 something like that.
3 Q. Got you. Okay.
4 Now, were any of the 12 instances
5 that you were involved in as the discoverer of
6 the flaw situations where you had some
7 relationship with the company that was the
8 proprietor of the system?
9 A. No, not always.
10 Q. Okay.
11 Was there any where you did have a
12 relationship with the proprietor of the system?
13 A. Yes.
14 Q. How many out of the 12, roughly?
15 A. The majority of them.
16 Q. Okay.
17 And by "relationship" what do --
18 what do you mean?
19 A. What -- what I mean by that is I
20 had already had some discussions or some
21 dealings with the engineers within those
22 companies who were responsible for the security
23 of the products.
24 Q. Okay.
25 And did that mean that the process
25
2 of your discovering the flaw in the system and
3 communicating it to the proprietor was a role
4 that you played with the company's approval?
5 MR. GARBUS: I would object to
6 the form, but I'll allow the
7 witness to answer it.
8 A. I'm not sure I fully understand
9 what you mean. I didn't need anyone's approval
10 to call these people and talk to them.
11 Q. No -- okay. Fair enough.
12 And I guess what I'm trying to get
13 at, and I apologize for the awkwardness of my
14 question, is you say in the majority of
15 instances you did have some relationship with
16 the proprietor.
17 MR. GARBUS: I think the use of
18 the word "relationship" is vague,
19 and I think you could probably be
20 more specific and get the answers
21 that you want.
22 A. Well, I said what I meant by
23 relationship a minute ago.
24 Q. Right.
25 A. Which was that I had had some
26
2 dealings with the engineers within the company
3 responsible for the security of the product.
4 Q. Okay.
5 A. And that those dealings could just
6 have been a few conversations.
7 Q. Got you.
8 A. Because it -- just to clarify, it
9 does not necessarily mean any kind of formal
10 relationship with the company.
11 Q. Okay.
12 In any of the instances where you
13 discovered the flaw in a security system, was
14 that done with the company's awareness at the
15 time?
16 A. In some of them.
17 Q. Okay.
18 How many of the 12?
19 A. It depends exactly how you
20 interpret "awareness."
21 Q. Okay.
22 A. The companies were -- I'd say in
23 the majority of the cases the companies were
24 aware that we were examining their software --
25 Q. Okay.
27
2 A. -- in general, or that we were
3 examining software that was in the same general
4 area as theirs. So they might have suspected
5 that we were looking for flaws in their
6 software.
7 Q. In how many instances?
8 A. In the majority of instances --
9 Q. Okay.
10 A. -- the companies were aware at
11 least that we were out there and we were
12 looking at security vulnerabilities in a
13 particular category of software.
14 Q. And to your knowledge, how were the
15 companies aware of that fact?
16 A. In most of the cases, because --
17 either because of conversations I had had with
18 the -- the engineers or because we had found
19 previous security flaws in that company's
20 software or because of the reports in press.
21 Q. Okay. Let's take the last two.
22 Because you had previously
23 discovered flaws in that company's security
24 system.
25 A. Yes.
28
2 Q. Not necessarily the same system or
3 the same system?
4 A. There would -- there would have
5 been some cases of each.
6 Q. Okay.
7 And in the instances -- in those
8 instances where you had previously discovered a
9 flaw in one of those companies' systems, had
10 you communicated that fact to that company at
11 that time?
12 A. At which time?
13 Q. At the previous time.
14 A. At the time that we discovered the
15 previous flaw?
16 Q. Previous. Correct.
17 A. Let me think, think about the
18 cases.
19 MR. GARBUS: May I hear the
20 last question?
21 (Record read)
22 A. Yes.
23 Q. Okay.
24 And I believe you said as the third
25 prong of your answer a couple of questions ago
29
2 something about because some information
3 concerning a flaw had been published. And I
4 don't want to mischaracterize your testimony.
5 We can go back and reread it.
6 A. I think I said because of reports
7 in the press.
8 Q. Reports in the press. And --
9 A. Yes.
10 Q. -- can you describe what you mean
11 by "reports in the press"?
12 A. Sure. What I mean is by stories in
13 major newspapers, for example, and Internet
14 media about the existence of flaws and our
15 discovery of them.
16 Q. Okay.
17 Now, in each instance where you
18 were the discoverer of a flaw, did you make an
19 effort to contact the proprietor of the
20 compromised system, if you will, prior to
21 causing the disclosure of any information
22 concerning the weakness to be generally
23 publicized?
24 A. We did make an attempt in every
25 case, but we were not always successful.
30
2 Q. Got you.
3 A. Actually, let me clarify a little
4 bit.
5 Q. Yes, please.
6 A. I can think of at least one
7 instance in which we did report the existence
8 of the vulnerability to the company through a
9 sort of pub -- general public bug reporting
10 mechanism. And nothing happened as a result of
11 that. We were unable to determine who else to
12 talk to inside the company, and later the --
13 the company reported that -- that they had --
14 that they essentially don't look through those
15 -- those bug reports.
16 Q. Got you.
17 A. So in other words --
18 Q. You did --
19 A. We attempted to reach the right
20 people within the company, but not already
21 having a relationship with the company, we were
22 unable to actually effectively communicate with
23 them.
24 Q. Got you.
25 And just to clarify a general
31
2 public bug reporting mechanism in lay terms,
3 would that be --
4 A. So that --
5 Q. -- a facility that the company
6 itself sets up, like a hotline or an e-mail
7 line --
8 A. That's right, yes.
9 Q. -- that says, gee, if you have
10 discovered any flaws or bugs in our software,
11 please communicate those to us at this address?
12 A. Yes, that's what I meant.
13 Q. Okay.
14 And apart from that instance where
15 your -- which you just described, in all of the
16 other instances that you've been involved in,
17 either the 12 where you were the discoverer or
18 the 5 where you were in some way involved but
19 not the discoverer of the flaw, to the best of
20 your knowledge, was an effort made to
21 communicate with the proprietor of the system
22 concerning the flaw before any information
23 concerning the flaw was generally publicized?
24 A. No, I don't believe that was the
25 case in -- in every -- in every situation.
32
2 Q. Okay.
3 Which ones were the exceptions?
4 A. I can think of a couple in which
5 the information was publicized on the Net, and
6 in at least one case in the news media before
7 -- before, as far as I know, the -- the vendor
8 of the system was -- was contacted.
9 Q. Okay.
10 And so in total, out of the 17 we
11 are talking about, both where you were the
12 discoverer and the ones where you were
13 involved, how many fit into this category?
14 A. Category of --
15 MR. GARBUS: Category of?
16 Public notice before --
17 Q. Where some information was
18 disclosed publicly before the proprietor of the
19 system was communicated with about the flaw.
20 A. Out of the roughly 17, perhaps 13
21 or 14 would fall into that category.
22 Q. That is, some disclosure was made
23 publicly before --
24 A. No, I'm sorry. Some dis -- some --
25 some disclosure or discussion with the vendor
33
2 occurred before --
3 Q. Okay.
4 A. -- information became public.
5 Q. So in 13 cases approximately out of
6 the 17 --
7 A. Approximately.
8 Q. -- the vendor was contacted before
9 any of the public disclosure was made?
10 A. Approximately, yes.
11 Q. Leaving us with approximately four
12 where disclosure publicly was made about the
13 flaw before the vendor was contacted, is that
14 right?
15 A. That's right.
16 Q. Okay. Sorry for the confusion.
17 Thanks for clarifying that.
18 Now, of those four, okay -- and you
19 know which four I'm referring to?
20 A. Yes.
21 Q. Okay.
22 -- how many of those were ones
23 where you were the discoverer of the flaw as
24 opposed to you were just involved but not the
25 discoverer of the flaw?
34
2 A. I believe there was one, one case
3 where we were -- where I was one of the
4 discoverers in which it was -- where -- in
5 which the information became public before the
6 --
7 Q. Got you.
8 A. -- the vendor was aware of it.
9 MR. GARBUS: Do you want some
10 more water?
11 THE WITNESS: Please.
12 Q. Okay.
13 Let's focus on that one for a few
14 minutes.
15 A. Okay.
16 Q. That's where we are going to spend
17 a little time.
18 How much detail can you give me
19 here today about whose system it was, what the
20 system was, what the flaw was and where it was
21 publicized?
22 A. Sure. So the one that I'm
23 referring to is the one that I referred to
24 before in which we made an attempt to talk to
25 the -- the vendor, but we were unsuccessful in
35
2 doing it.
3 Q. Oh, okay.
4 So let me just have her read back.
5 It's for my sake, not for yours. I'm trying to
6 keep this as accurate as possible.
7 MR. HART: Ms. Reporter, if
8 you'd go back three questions ago,
9 I think, and answer.
10 THE VIDEOGRAPHER: Off the
11 record at 11:00.
12 (Record read)
13 THE VIDEOGRAPHER: Back on the
14 record, 11:05.
15 MR. HART: Thank you.
16 Q. Okay.
17 And before we went off the record,
18 just to make sure we didn't miss a beat here,
19 the one instance where you were involved as the
20 discoverer where information concerning the
21 flaw was publicized before the vendor was
22 effectively contacted was, I believe, the
23 instance you said earlier you had tried to
24 communicate through the general public bug
25 reporting mechanism, but apparently that
36
2 communication didn't work.
3 A. That's right.
4 Q. Okay.
5 Now, of the other three where you
6 weren't the discoverer of the flaw and where
7 something about the flaw was publicized prior
8 to the vendor being contacted, can you just
9 tell me generally the circumstances in which
10 each of those went down?
11 A. Well, the -- I don't recall the
12 specific details, although what I -- what I
13 recall is that -- what I recall is that the
14 people who discovered those flaws did talk
15 about them publicly before they contacted the
16 vendors. I don't -- I don't recall the
17 specific circumstances or why they did that.
18 Q. Okay.
19 Do you regard that as inappropriate
20 in terms of ethical standards or any other
21 practice in your experience with respect to
22 security, testing security or discovering
23 flaws?
24 A. I think it de --
25 MR. GARBUS: I was going to say
37
2 I object to the form of the
3 question. I also object to the
4 substance. Mr. Felten clearly will
5 answer it.
6 MR. HART: Okay.
7 A. I think it depends on the
8 circumstances really. I don't think there is a
9 general ethical requirement to -- to discuss
10 these things with the vendor before discussing
11 them with anyone else.
12 Q. Is there a general practice that
13 that be done, even if there is not a
14 requirement in other words?
15 MR. GARBUS: I would object to
16 that. I'll allow Mr. Felten to
17 answer it.
18 A. I think there -- there are
19 different schools of thought about what is the
20 best way to proceed in those situations. And
21 -- well, I want to make clear that what I'm
22 talking about here is not whether you discuss
23 these things publicly, but just the timing.
24 Whether one discusses -- I think in general
25 it's helpful to discuss these sorts of issues
38
2 with what -- to discuss them widely. And we
3 are just talking about whether -- who you call
4 first essentially, not whether you call anyone
5 in particular.
6 Q. But is it your testimony that as a
7 matter of practice, professionally speaking --
8 A. I think --
9 Q. -- that -- and I don't want to --
10 maybe I should reframe the question, because
11 I don't want to combine it with a lot of double
12 negatives.
13 As a matter of practice, is it the
14 norm to contact the vendor first?
15 MR. GARBUS: Objection.
16 THE WITNESS: I'm not sure
17 there is a norm that's -- that is
18 widely followed.
19 Q. Let me ask you this, because I
20 believe you said, correct me if I'm wrong, that
21 out of the 12 where you were the discoverer,
22 that in every one, save one, the vendor was
23 contacted. And in the one -- for the one
24 exception, you had indeed contacted the vendor
25 through the general reporting bug mechanism but
39
2 that didn't take, if you will?
3 A. Yes, that's right.
4 Q. Okay.
5 A. And the reason we did that --
6 Q. We or you?
7 A. Me in particular. I say "we"
8 because I'm referring to a research group of
9 which I'm the head.
10 Q. Okay.
11 A. And so if the -- when the contact
12 would occur I would be the one who did it.
13 Q. Okay.
14 A. That would sort of be on behalf of
15 the group.
16 Q. Okay. Got you.
17 A. And the reason that -- the reason
18 that we have typically done it in -- in that
19 way, the reason we've typically contacted the
20 vendor first is that that seems to cause the
21 vendor to -- to be more careful and thoughtful
22 when they issue their first pub -- public
23 reaction to the -- to the discovery of the
24 flaw. It helps -- I've found it helps to give
25 them some time to think about it before they
40
2 have to answer questions from the reporters or
3 from the public about the flaw.
4 Q. Okay.
5 A. And that's -- that's the main
6 reason why -- why -- why we have typically
7 talked to the vendor first.
8 Q. Does it also give the vendor an
9 opportunity to fix, ameliorate or at least put
10 a Band-Aid on the flaw, if you will?
11 A. It lets them start the process of
12 fixing the flaw --
13 Q. Okay.
14 A. -- but it is not our practice of
15 waiting until they ship to fix.
16 Q. I understand.
17 But is part of your purpose in
18 contacting the vendor before making disclosure
19 generally to give the vendor some kind of head
20 start in attempting to make a fix?
21 A. That's part of it. To make a head
22 start, to have a little bit of time to think
23 about what their approach is going to be to
24 fixing it, and so on.
25 Q. Okay.
41
1 EDWARD FELTON
2 A. And we would typically --
3 Q. Yeah. Okay.
4 A. So we would typically give sort of
5 48 to 72 hours sort of head start to the
6 vendor, talk to them, and then after a delay of
7 a couple of days discuss the -- the
8 vulnerability publicly.
9 Q. When you say "discuss the
10 vulnerability publicly," in each of the 12
11 instances where you were the discoverer, how
12 did you wind up discussing the vulnerability
13 publicly? And if you can answer generally,
14 that's fine. If you have to go through --
15 A. Generally in a number of different
16 ways.
17 Q. Go ahead.
18 A. We would put something on our Web
19 site discussing the -- the vulnerability. We
20 would typically send a message to the Risks
21 Digest, which is a -- an online forum for
22 discussing -- for discussing in general the
23 risks and vulnerabilities relating to
24 computerized systems, and send it to other
25 similar places.
42
1 EDWARD FELTON
2 We would talk to any reporters,
3 members of the press who -- who had seen those
4 announcements. And there were, in addition,
5 some people in the press who specifically
6 requested that we inform them when we found
7 something, and we would inform them. And then
8 that would -- that would be the immediate
9 steps. And then we would later pub -- publish
10 papers describing what we had found and what we
11 could learn from it.
12 Q. Okay.
13 A. But, of course, the academic cycle
14 is a bit longer.
15 Q. I understand.
16 A. So those would become available to
17 the public later.
18 Q. Got you.
19 And by "public," are you referring
20 to the academic, scientific and scholarly
21 community or the general public or both?
22 A. Both.
23 Q. Okay.
24 Now, in this first wave of
25 disclosure, if you will, before scholarly
43
1 EDWARD FELTON
2 publications are issued, can you generally
3 describe the content of the disclosure that was
4 made in each instance?
5 A. Well, we would typically describe
6 it in different levels of technical detail
7 because -- because we -- there are different
8 audiences of people who are interested. The
9 general public doesn't necessarily want to know
10 all the bits and bytes, but there's a large
11 community of -- of computer experts who do.
12 And so we would -- we might write two or three
13 different descriptions of -- ranging from
14 sort of what the general public -- what we
15 thought the general public would want to know,
16 what's the general nature of the vulnerability,
17 how can they protect themselves, and so on, and
18 ranging up to more technical descriptions for
19 people who were really interested in the -- in
20 the details and wanted to understand in more
21 detail how -- what the vulnerability was.
22 Q. Okay.
23 And would those more technical
24 descriptions include algorithm as part of the
25 disclosure?
44
1 EDWARD FELTON
2 A. In some cases.
3 Q. Okay.
4 Would it include code?
5 A. In some cases there -- there was
6 code in there.
7 Q. Which cases? We are talking about
8 the 12 now?
9 A. We are talking about, yes, the ones
10 in which we -- in which I was involved as a
11 discoverer.
12 Q. Okay. How many -- I'm sorry.
13 How many of the 12 involved the
14 publication of some form of code in connection
15 with the disclosure of the weakness?
16 A. And here we're talking about just
17 the immediate disclosure that occurs, not what
18 we do --
19 Q. Scholarly later.
20 A. -- later. Right.
21 The later papers are not only for
22 scholars, but also intended in some cases for
23 -- more for members of the public.
24 Q. Okay. Fair enough. I didn't mean
25 to -- sorry.
45
1 EDWARD FELTON
2 A. Right. I mean scholarly articles
3 in the usual scholarly places. Also, the
4 magazines that are more widely read,
5 information on our Web site which gets accessed
6 by a lot of people with different levels of
7 expertise.
8 But to return back to the
9 clarification to the -- to the initial question
10 --
11 Q. Right.
12 A. -- in the initial disclosure -- I'm
13 sorry, I've lost the question now. You were
14 asking what was --
15 Q. I was trying to get at how much
16 detail was disclosed, and you said well, that
17 varied depending on the audience.
18 A. Yes.
19 Q. And I think you said in some
20 instances it was more technical. And then we
21 were focusing on the more technical
22 disclosures, and I asked you whether in any
23 instances that included algorithms, and I
24 believe you said yes. And then I asked you if
25 in any of those instances it included code in
46
1 EDWARD FELTON
2 one form or another, and I believe you said
3 yes. And I think the question we're up to now
4 was out of those 12, which instances of the 12
5 included code in the initial wave of
6 disclosure?
7 A. I could only guess.
8 Q. Well, I don't want you to guess,
9 but if you could approximate that would be
10 great.
11 A. Out of 12, maybe 3 --
12 Q. Okay.
13 A. -- would be an estimate.
14 Q. Okay.
15 And I'm going to work with that
16 three number for now unless you --
17 A. Right, with the understanding it's
18 an approximation.
19 Q. I understand. And I -- again, I'm
20 not trying to box you in.
21 A. Sure.
22 Q. We need to organize this in some
23 way, so I'm going to work with those three
24 which involved in the initial wave of
25 disclosure, if you will, some form of code in
47
1 EDWARD FELTON
2 one way or another. Okay?
3 A. Okay.
4 Q. Good.
5 Can you recall whether that
6 involved the inclusion of source code or object
7 code or both?
8 A. I think it would have been source
9 code in the initial -- in the initial
10 disclosure.
11 Q. Okay.
12 A. And I'm talking here again only
13 about the initial disclosure.
14 Q. I understand.
15 And was there a reason why source
16 code was used rather than object code in the
17 initial disclosure?
18 A. Yes.
19 Q. Why was that?
20 A. I can think of two reasons. Number
21 one is that the -- the soft -- the flaws that
22 we were looking at generally were ones that
23 applied across different platforms, different
24 types of computers, different operating
25 systems. And so with object code you would
48
1 EDWARD FELTON
2 have had to make -- we would have had to make a
3 different version for each platform.
4 Q. Okay.
5 A. And in the initial disclosure, one
6 of the things we want to do is get the
7 information out there quickly.
8 Q. Right.
9 A. And so it's more expedient in that
10 situation to -- to distribute source code.
11 Q. That's reason one, correct?
12 A. Right.
13 Q. What was reason number two?
14 A. Reason two is with -- is that
15 source code is generally easier for people to
16 read. And again, in the sort of the quickie
17 initial disclosure --
18 Q. Got you.
19 A. -- that's -- we would rather do
20 less work than more in order to get it out
21 quickly. So if we had to do one thing, that's
22 what we would do.
23 Q. I understand.
24 And with respect to the inclusion
25 of source code in these initial public
49
1 EDWARD FELTON
2 disclosures, was that annotated code with
3 comment or was it -- and you probably have a
4 more scientific term for this. I would say
5 unexpurgated code.
6 A. It could be either.
7 Q. What was it, in fact, in the three
8 instances?
9 A. I'm not sure which one it would
10 have been.
11 Q. Okay.
12 A. Generally, we would have taken what
13 we had --
14 Q. Got you.
15 A. -- what we would have developed
16 ourselves in our own internal experimentation,
17 and if that had comments in it, then the
18 comments would probably be there when we
19 disclosed it. If it didn't when we were
20 working with it internally, then probably it
21 would not.
22 Q. But you can't remember as you sit
23 here today?
24 A. I can't remember the specific cases
25 what -- what the situation was.
50
1 EDWARD FELTON
2 Q. Do you have data within your
3 possession or control in some form that would
4 give you an answer to that if you were able to
5 look?
6 A. I might be able to. We -- we may
7 have access to some of the initial disclosures.
8 I don't think we have them all.
9 Q. And when you say we might have
10 access, what do you mean?
11 A. What I mean is that if things were
12 sent in e-mail there might be -- there might be
13 -- I might still have copies of some of the
14 e-mail, for example.
15 Q. Okay.
16 And again, we are not -- just to be
17 clear, we are not talking about the disclosure
18 of the vendor, we are talking about the initial
19 public disclosure?
20 A. Right, the initial public
21 disclosure, that's right.
22 Q. Okay.
23 Now -- and those e-mails would be
24 resident somewhere on a computer somewhere at
25 Princeton somewhere within your office area or
51
1 EDWARD FELTON
2 your lab?
3 A. If I have them, yes.
4 Q. Yeah. I understand. Okay.
5 Now, in the three instances that
6 we're talking about, to the best of your
7 recollection was -- what was the code that was
8 part of the initial public disclosure; was it
9 code of the system that had the flaw, was it
10 code of the thing that enabled you to detect
11 the flaw or was it something else?
12 A. It would not have been code of the
13 flawed system, because we did not have
14 permission. In most cases we did not have
15 source code for the flawed system, and in cases
16 where we did, we did not have permission to
17 publish it.
18 Q. Okay.
19 A. That is, you know, we had received
20 it under some kind of confidentiality agreement
21 or under some kind of license that did not
22 allow us to republish it. So it would have
23 been code -- it would have had to have been
24 code related to the exploitation of the
25 vulnerability or demonstration of it.
52
1 EDWARD FELTON
2 MR. HART: Okay. Can you just
3 read the last answer back? And,
4 again it's my brain, not your
5 testimony.
6 (Record read)
7 Q. Okay.
8 So again, focusing on the three
9 instances approximately where you were the
10 discoverer of the flaw, where the initial wave
11 of public disclosure included code in one form
12 or another --
13 A. Mm-hmm.
14 Q. -- it's your testimony that you did
15 not disclose the code of the system because you
16 got access to the system code or the system
17 itself by either confidentiality agreement or
18 license; is that --
19 A. That's right, yes.
20 Q. Okay.
21 A. In -- some companies have policies
22 in which they will provide source code for
23 products to any academic researcher under some
24 kind of confidentiality agreement, and under
25 some cases we had that -- that kind of
53
1 EDWARD FELTON
2 arrangement. So I don't -- I didn't mean to
3 imply that it was a special arrangement made
4 between the vendor and us necessarily.
5 Q. Got you.
6 A. It may have been a sort of blanket
7 one that they make available to everyone in the
8 academic community.
9 Q. Fair enough.
10 But just to be clear, with respect
11 to the three instances where the initial public
12 disclosure involved the publication of code in
13 one form or another, in each of those three
14 instances you had gotten access to the system
15 or to the system code through some kind of
16 license or confidentiality agreement?
17 A. To the source code.
18 Q. Okay.
19 A. Via -- right.
20 Q. Okay.
21 A. Either I or my boss had signed a
22 piece of paper promising not to publish that
23 code.
24 Q. Got you. Okay.
25 And you said that was disclosed,
54
1 EDWARD FELTON
2 therefore, in the initial wave of public
3 disclosure as not the source code of the system
4 but rather what?
5 A. Source code that was needed in one
6 way or another to discuss or demonstrate the --
7 the vulnerability that we -- that we were
8 disclosing.
9 Q. Okay.
10 And can you tell me as you sit here
11 today with respect to the three -- or
12 approximately three instances that we're
13 talking about, what in each of those three
14 instances was included in the dissemination,
15 how much code, what did it reveal?
16 A. No, I can't tell you the specifics
17 as I sit here today.
18 Q. Okay.
19 Can you tell me generalities?
20 A. Well, in general we would disclose
21 --
22 MR. GARBUS: I think he's
23 answered that already.
24 A. -- whatever we thought was
25 necessary in order to -- in order to
55
1 EDWARD FELTON
2 communicate the message that we were trying to
3 communicate, the nature of the vulnerability.
4 Q. Got you.
5 A. The fact that the -- what the risk
6 was to -- to members of the public, what the
7 cause of the vulnerability might have been and
8 so on.
9 Q. Okay. I'm sorry. I didn't mean to
10 --
11 A. That's all.
12 Q. Cool.
13 When you say to alert the public in
14 each of these three instances, what was the
15 concern for public safety or security?
16 A. Well, there are several aspects to
17 that. There are several reasons to alert the
18 public in this sort of situation.
19 One is that members of the public
20 were using software systems which made them
21 vulnerable, and we thought they had a right to
22 know that, to understand what the nature of the
23 vulnerability was, what the conse -- possible
24 consequences were.
25 Also, we thought that the public
56
1 EDWARD FELTON
2 had a -- a need to sort of understand the track
3 record of the various vendors over time.
4 Q. Okay.
5 A. And understand that.
6 We felt the people who were
7 thinking about buying into a particular
8 technology in one way or another, either by
9 using it, by partnering with the vendor, by --
10 or whatever way, had a right to understand what
11 they were getting. And we also believed that
12 discussion of these sorts of vulnerabilities
13 leads to progress in understanding how to build
14 better systems.
15 Q. Okay.
16 And all of these considerations
17 that you just described in your last answer
18 were applicable in the initial public
19 disclosure of the flaw in the three instances
20 where we're talking about where code was
21 present in one form --
22 A. That's why we -- the reasons I gave
23 you were why we communicate with the public
24 about these things --
25 Q. Okay.
57
1 EDWARD FELTON
2 A. -- and whatever disclosures we make
3 in general are motivated by those -- by those
4 goals. So without going into specifics
5 because, as I said, I don't remember the
6 specific circumstances in detail --
7 Q. Right.
8 A. -- we -- in each of these
9 situations we would have done what we thought
10 were best to achieve those goals.
11 Q. Got you. Okay.
12 Now, in each of the three instances
13 where there was an initial public disclosure
14 that included some code in one form or another,
15 okay, did any of those three involve the making
16 available to the general public of some kind of
17 executable utility that would enable people to
18 use that utility to take advantage of the flaw?
19 A. By "executable utility," you mean
20 object code --
21 Q. Well --
22 A. -- in particular or what?
23 Q. Yeah, I guess. And obviously you
24 have a little bit more expertise in that area
25 than I do, so I apologize for my clumsiness.
58
1 EDWARD FELTON
2 But when I say an "executable
3 utility," what I mean is software that is
4 operable to do a machine function or a process.
5 And specifically in this context, despite my
6 question, I'm talking about software that's
7 operable on a machine to actually take
8 advantage of the flaw that was discovered.
9 MR. GARBUS: Can I have the
10 question read?
11 (Record read)
12 MR. GARBUS: I object to the
13 question. I think the witness has
14 already answered it.
15 MR. HART: Okay. I don't want
16 you to testify, Marty. I'd like an
17 answer to the question.
18 MR. GARBUS: Okay, but --
19 MR. HART: Marty, if you have
20 an objection, state the objection
21 briefly. I do not want you
22 coaching the witness.
23 MR. GARBUS: I don't care to be
24 lectured.
25 MR. HART: I'm not lecturing.
59
1 EDWARD FELTON
2 MR. GARBUS: I'm objecting to
3 the question on the grounds that
4 the witness has already answered
5 the question.
6 MR. HART: He has not. Are you
7 instructing him?
8 MR. GARBUS: I have no
9 objection to allowing the witness
10 to answer the question. I am not,
11 in any objection that I make, going
12 to tell this witness not to answer
13 any question.
14 MR. HART: Good. So can I have
15 an answer?
16 MR. GARBUS: I'm entitled to
17 state the grounds for my objection,
18 and I would appreciate it if you
19 would not interrupt me. Go ahead,
20 Mr. Felten.
21 MR. HART: Thank you,
22 Mr. Garbus.
23 A. Okay. There's a distinction here
24 between exploiting the vulnerability and
25 demonstrating it --
60
1 EDWARD FELTON
2 Q. Okay.
3 A. -- okay, which I want to draw.
4 Q. Okay.
5 A. And by "demonstrating" what I mean
6 is showing that -- showing that the flaw or the
7 vulnerability exists by actually doing
8 something which -- which the designers of the
9 system say is supposed to be impossible.
10 Q. Mm-hmm.
11 A. And by "exploiting" I mean using
12 that capability of violating the designer's
13 rules to actually do something which is illegal
14 or damaging.
15 Q. Got you.
16 A. So we would not distribute code
17 which -- which breaks the law, say, which
18 allows you to break into someone else's
19 computer, but we would -- but we would, if --
20 in certain circumstances distribute code which
21 demonstrated that the rules could be violated.
22 Q. Okay.
23 And appreciating the distinction
24 that you just made --
25 A. Yes.
61
1 EDWARD FELTON
2 Q. -- how do you -- how did you do
3 that in actuality?
4 A. So, let me give an example, okay?
5 Suppose that -- suppose that we had found a
6 flaw which let someone construct a Web page
7 such that when someone views the Web page the
8 Web page can sort of take over their Web
9 browser and do whatever the constructor of the
10 page wants it to do, okay? So you can
11 demonstrate that by making a Web page which,
12 say -- by making a Web page which demonstrates
13 that it can create some harmless file on the
14 person's machine.
15 Q. Right.
16 A. As opposed to something which
17 actually seizes control of their machine.
18 Q. Okay. Let's -- that's an
19 instructive example.
20 A. So it steps outside the rules of
21 what the browser's security system says is
22 supposed to be possible, and it does something
23 which demonstrates that those rules are not
24 enforced.
25 (Record read)
62
1 EDWARD FELTON
2 Q. I just want to concretize what you
3 said in the context of the specific ones you've
4 -- the situations you were involved in. And
5 you gave an instructive example.
6 With respect to the three where
7 some code was included in the initial public
8 disclosure of the weakness of the system, was
9 there public dissemination of computer code
10 that was functional code to enable someone to
11 defeat the system or to take advantage of the
12 flaw?
13 A. Well, whatever code we would have
14 distributed would be functional code in the
15 sense that I'm taking from your previous
16 explanations and the questions, that is, code
17 which actually describes or specifies behavior.
18 Q. Right.
19 A. That's what code is designed to do,
20 to describe behavior.
21 Q. Got you.
22 A. And -- I'm sorry. Could I repeat the
23 question back then?
24 Q. Well, let me -- let me ask it a
25 different way, because I think we're getting
63
1 EDWARD FELTON
2 hung up unnecessarily here.
3 MR. GARBUS: That was the basis
4 of my previous objection, that you
5 were not understanding what the
6 witness was saying. And that's why
7 --
8 MR. HART: Well, I think I am,
9 Marty.
10 MR. GARBUS: -- and that's why
11 --
12 MR. HART: I don't need to be
13 lectured either. So if you have an
14 objection, make it. Otherwise,
15 let's proceed.
16 MR. GARBUS: And that's why
17 there is confusion.
18 MR. HART: I don't think there
19 was any confusion, Marty. If you
20 have an objection, make it.
21 Otherwise, let's proceed.
22 Q. You said all code is functional to
23 some degree.
24 A. Yes.
25 Q. Okay.
64
1 EDWARD FELTON
2 A. In the sense that it describes
3 behavior, it has that -- it has that aspect.
4 It's functional in the sense that it describes
5 a particular thing the computer could do.
6 Q. Okay.
7 What I'm trying to get at here in
8 the three instances that we've been focused on
9 for the last 15 or 20 minutes is whether as
10 part of the initial public disclosure you or
11 the people you worked with disseminated
12 software that was immediately operable in
13 someone else's computer to take advantage of
14 the flaw or the defect in the system.
15 MR. GARBUS: Object to the form
16 of the question.
17 A. Not immediately operable in the
18 sense that it was not object code.
19 Q. Okay.
20 A. And again, I don't -- I don't
21 recall the specifics of these situations, but
22 in general as I said, our policy was to include
23 whatever we thought needed to be included to --
24 to make the points to -- to satisfy the goals
25 that -- that we were trying to satisfy in
65
1 EDWARD FELTON
2 disclosing the -- and discussing the
3 vulnerability. And so to the extent that that
4 required us to -- to disclose code, then we
5 did.
6 Q. Okay.
7 But in disclosing code, were you
8 cognizant of trying to avoid providing
9 something to people that could be used to take
10 advantage of the flaw?
11 A. That was --
12 MR. GARBUS: I object to the
13 question. It's already been asked
14 and answered.
15 A. That was -- that was one of the
16 things we took into account in deciding what to
17 disclose or what to discuss publicly.
18 Q. And we've been making a distinction
19 so far between what I think was the initial
20 public disclosure --
21 A. Yes.
22 Q. -- versus what was later disclosed?
23 A. Yes.
24 Q. Okay.
25 Now I'd like to go to the -- what
66
1 EDWARD FELTON
2 was later disclosed --
3 A. Okay.
4 Q. -- and essentially ask you the same
5 question, which is in terms of disseminating to
6 the public code in any form in these later
7 disclosures, whether you made available to the
8 general public an executable utility or some
9 other piece of software that enabled people to
10 take advantage of the flaw as opposed to merely
11 illustrating the flaw?
12 A. In -- in general, the later
13 discussions were in more detail. They had more
14 technical details in them, they were lengthier,
15 and we had more time to prepare them. So there
16 would be more detail there than was in the
17 initial -- initial discussions.
18 Q. Okay.
19 A. Also, given that time would usually
20 pass before the later, say, academic
21 publications or magazine articles would become
22 available, there would be perhaps new versions
23 of the software, of the flawed software out
24 there, and that would also factor into our
25 calculations.
67
1 EDWARD FELTON
2 Q. Got you.
3 A. So, in general, there would have
4 been more disclosure of details of
5 vulnerability --
6 Q. Okay.
7 A. -- of vulnerabilities in the later
8 discussion.
9 MR. GARBUS: Can we take a
10 bathroom break after your next
11 question?
12 MR. HART: After a couple of
13 next questions, absolutely. Let me
14 just kind of try and wrap up this
15 area of inquiry. I appreciate your
16 candor.
17 Q. Is it fair to say that with respect
18 to any of the situations where you were the
19 discoverer of system flaw that at no time,
20 whether in the initial public disclosure or in
21 any subsequent disclosure, did you make
22 available an object code utility or an
23 executable computer program that enabled people
24 to take advantage of the flaw?
25 A. We -- in the instances that we were
68
1 EDWARD FELTON
2 in, we were able to show how to demonstrate the
3 flaw without -- without exploiting it to do
4 damage.
5 Q. Got you.
6 A. There is no doubt, though, that
7 discussing how to demonstrate the flaw provides
8 information that someone could use in a harmful
9 way.
10 Q. Got you.
11 But do you see in your mind,
12 professionally speaking, a difference between
13 providing information describing a flaw and
14 providing basically a tool that enables people
15 to take advantage of the flaw?
16 A. I think there is a difference
17 between those things. It depends on the
18 circumstances whether it's possible, for
19 example, to demonstrate a flaw without also
20 providing a way to -- to exploit it.
21 Q. Got you.
22 A. A demonstration plus some other
23 steps may be an exploitation.
24 Q. Got you.
25 But in all of the --
69
1 EDWARD FELTON
2 MR. HART: Please.
3 Q. But in all of the 12 instances
4 where you were the discoverer of the flaw and
5 you were involved in one way or another in the
6 ultimate public disclosure of that flaw, in no
7 instance did you find it necessary to provide
8 people with the tool to take advantage of the
9 flaw in order to describe it, discuss it,
10 illustrate it or analyze it, right?
11 MR. GARBUS: I'll object to it.
12 That's not what the witness has
13 testified to. That's an
14 oversimplification.
15 A. We did not provide -- we never
16 provided a tool which let someone -- which gave
17 someone all of the steps of breaking into
18 someone's computer and doing damage.
19 Q. And you -- you deliberately avoided
20 doing that; isn't that true?
21 A. That's correct.
22 Q. Thank you.
23 A. We did provide the information that
24 -- that we thought the people -- the public
25 needed in order to understand the situation, in
70
1 EDWARD FELTON
2 order to further research. And that did
3 include code which demonstrated the flaw, which
4 would mean it included necessarily one or some
5 of the steps that someone would need to do
6 damage.
7 Q. Got you. Thanks.
8 MR. GARBUS: Can we take our
9 break?
10 MR. HART: We are going to take
11 our break now. I thank you.
12 THE VIDEOGRAPHER: Off the
13 record, 11:43.
14 (Brief recess taken)
15 THE VIDEOGRAPHER: Back on the
16 record, 11:59.
17 MR. HART: Everybody ready?
18 MR. GARBUS: Yes.
19 MR. HART: Do you want to put
20 your mike back on there, Marty?
21 MR. GARBUS: I'm not doing very
22 much talking, so I'm sure it's not
23 necessary. Go ahead.
24 MR. HART: Promises, promises.
25 Q. Have you ever had occasion to
71
1 EDWARD FELTON
2 examine what's referred to as DeCSS?
3 A. Yes.
4 Q. When did you first do that?
5 A. I don't recall precisely. I would
6 estimate maybe six months ago.
7 Q. Okay.
8 I'm -- six months ago means roughly
9 when?
10 A. Means either early this year or
11 perhaps the end of 1999.
12 Q. Okay.
13 And was this prior to your lunch
14 meeting with Mr. Garbus and Mr. Appel?
15 A. Yes, it was well before that.
16 Q. Okay.
17 And where did you get access to
18 DeCSS in order to examine it?
19 A. I did a Web search and found a site
20 that had it.
21 Q. Okay.
22 Do you recall which site had it?
23 A. No.
24 Q. What form was it in?
25 A. What I got was in the form of a zip
72
1 EDWARD FELTON
2 file that had source code and object code for
3 DeCSS along with a couple other related things.
4 There was something called CSSAuth and there
5 was something called LIVID.
6 Q. LIVID?
7 A. LIVID, L-I-V-I-D.
8 Q. And did you examine CSSAuth?
9 A. I believe I did.
10 Q. And what is it?
11 A. I don't recall now.
12 Q. Did you examine LIVID?
13 A. I don't remember whether I did or
14 not.
15 Q. Do you recall what LIVID was?
16 A. I'm not sure what -- what it is.
17 There's something in -- something in the back
18 of my mind saying it might be a Linux video
19 player, but I'm not sure of that.
20 Q. Okay.
21 So you downloaded the files you
22 just mentioned from a Web site?
23 A. A Web site which I found by Web
24 search.
25 Q. Got it.
73
1 EDWARD FELTON
2 Do you still have those downloads
3 on your computer today?
4 A. Yes.
5 Q. Okay.
6 What have you done with them?
7 A. I have -- I've read the material --
8 with respect to DeCSS I've read the -- there
9 was -- there was a file in the distribution
10 which was a readme or some sort of descriptive
11 -- short descriptive file saying what was
12 there. I have read the source code, I ran the
13 object code. It didn't do anything on my
14 computer because I don't have a DVD drive.
15 With respect to CSSAuth, I believe
16 that I read descriptive files and source code,
17 as well.
18 Q. Okay.
19 When you say descriptive files in
20 source code?
21 A. And source code.
22 Q. Oh, and source code. Okay.
23 A. So a readme file and whatever --
24 whatever it is that was there.
25 Q. So that's what I want to come back
74
1 EDWARD FELTON
2 to. You said in the early part of your answer
3 there was a readme file. That was in English?
4 A. That's right. Just saying -- what
5 I recall is it said something like here's a
6 list of the files that are here and this is
7 what each one is --
8 Q. Got you.
9 A. -- or some such thing.
10 Q. Okay.
11 And what was your purpose in
12 looking at the source code and in running the
13 executable utility, if you will?
14 A. First with respect to looking at
15 the source code, I had read and heard about CSS
16 and the flaws that had been found in it, and I
17 wanted to find out more about that. And so one
18 of the things I wanted to do, one of the things
19 that made sense for me to do was to get the
20 code and understand what it did. I also looked
21 at that code in conjunction with Frank
22 Stephenson's paper at one point --
23 Q. Okay.
24 A. -- again, to understand what this
25 thing did, to understand how CSS worked, how
75
1 EDWARD FELTON
2 the corresponding decryption process worked,
3 and to see for myself what the flaws were that
4 were there and that were described in
5 Stephenson's paper.
6 Q. Okay.
7 And what was your purpose in
8 running the utility?
9 A. I wanted to see whether I could
10 tell what it did on a machine that did not have
11 a -- a DVD drive. And it turns out, as far as
12 I can tell it doesn't do anything if you don't
13 -- it didn't do anything on my machine as far
14 as I can tell.
15 MR. HART: Let the record
16 reflect we have an interruption.
17 (Brief interruption)
18 MR. HART: Let's read the last
19 answer back. I was distracted.
20 I'm easily distracted as Marty
21 knows.
22 (Record read)
23 Q. And was there any value, then, in
24 running DeCSS on your machine as far as you were
25 concerned?
76
1 EDWARD FELTON
2 A. It turned out that there was no
3 value to me in the -- in the very brief
4 experiment I did. Had I had a DVD drive, I --
5 there would have been value because this would
6 have provided a demonstration of that -- of the
7 -- of the flaw in -- in DeCSS.
8 Q. Got you.
9 A. That's the kind of demonstration
10 that I was talking about before when I talked
11 about code which demonstrates that a flaw
12 exists. It would have enabled me to go take
13 some files off a DVD and verify that they were
14 actually the content that was originally on the
15 DVD. So I could have been able to verify for
16 myself without understanding a lot of theory
17 that what people were saying about the
18 weaknesses in CSS was right.
19 Q. Okay.
20 So what is it, to your
21 understanding, that DeCSS does?
22 A. My understanding of what it does is
23 that it -- it allows you to take files which
24 are stored on a DVD disc and copy them onto,
25 say, the hard drive of your computer.
77
1 EDWARD FELTON
2 Q. And in doing that, does it decrypt
3 CSS?
4 A. Yes, it does -- it does perform
5 decryption as part of that operation.
6 Q. Okay.
7 A. Of course, decryption is necessary
8 in order to get the files onto the -- onto the
9 hard drive in a form where they're -- they're
10 usable for many of the purposes that I might
11 want to put them to if I were the owner of a
12 DVD.
13 Q. Do you own a DVD player?
14 A. No, I don't.
15 Q. Do you own a VHS type VCR?
16 A. Yes.
17 Q. Okay.
18 How many computers do you have or
19 have access to in your ordinary routine?
20 A. Let me think. I have -- in my
21 office at work I have one computer. There is
22 also a lab that has maybe 10 computers in it.
23 At home -- this is embarrassing -- I think five
24 computers.
25 MR. GARBUS: All for your
78
1 EDWARD FELTON
2 child.
3 Q. Are any of those computers
4 operating using the Linux operating system?
5 A. Yes.
6 Q. Which ones?
7 A. One of the machines in my home runs
8 Linux and some of the -- some of the 10 in my
9 lab run Linux, maybe three or four would be my
10 -- would be my estimate.
11 Q. Okay.
12 And do you also have Windows-based
13 operating system on any of your home computers?
14 A. Yes.
15 Q. Okay.
16 And what about in the lab?
17 A. Yes, there are some Windows
18 machines in the lab.
19 Q. And what about the computer that's
20 in your office, what operating system does that
21 use?
22 A. Windows.
23 Q. It's a Windows system. Okay.
24 And what kind of Internet
25 connection do you have, if any, with respect to
79
1 EDWARD FELTON
2 your office computer?
3 A. The office computer is connected to
4 our departmental network --
5 Q. Okay.
6 A. -- which inside the department is
7 100 megabits per second.
8 Q. Okay.
9 And what about with respect to the
10 five computers you have at home, what kind of
11 Internet connection or connections do you have
12 with respect to any of them?
13 A. The connection from my home is a
14 DSL connection which goes to the computer
15 science department at Princeton.
16 Q. Okay.
17 A. And that -- so that between my home
18 and Princeton I get about perhaps 2 megabits
19 per second.
20 Q. Okay.
21 Do you have any other Internet
22 connection at home?
23 A. No. And it's usual -- I should
24 say, all of those -- the bandwidth I'm quoting
25 are internal. That's from one place in the
80
1 EDWARD FELTON
2 building to another place in the building.
3 That's not the bandwidth to arbitrary places on
4 the Net.
5 Q. But the bandwidth that you're
6 talking about which is what, somewhere between
7 2 megabytes a second to 100 megabytes per
8 second, depending on whether we're talking
9 about the DSL at home or the one in your
10 office?
11 A. Megabits per second.
12 Q. I'm sorry. Excuse me. I
13 apologize.
14 Those allow you to connect through
15 a network to Princeton University?
16 A. Just within the computer science
17 department at those rates.
18 Q. I see.
19 And what about the rest of the
20 university?
21 A. I don't know exactly what kind of
22 connectivity we have to the rest of the
23 university. I know there is at least one link
24 between our department's network and the
25 university's backbone, I guess. But that, of
81
1 EDWARD FELTON
2 course, is shared with everyone else in the
3 department.
4 Q. All right.
5 You're saying you have no specific
6 knowledge of the network --
7 A. But I don't know specifically how
8 fast that is.
9 Q. Okay. I'm sorry. Let me finish
10 the question and then you can give the answer
11 --
12 A. Okay.
13 Q. -- just to make the record clear.
14 You have no specific knowledge
15 concerning the network at Princeton that's
16 available to people outside of the computer
17 department, for example, like students, and the
18 connectivity and the speeds and the bandwidth
19 of that facility?
20 A. I think I know generally what's
21 available to people within their own little
22 area of the network, but I don't understand how
23 the various local networks -- I don't
24 understand in detail how the various local
25 networks are connected together.
82
1 EDWARD FELTON
2 Q. Okay.
3 And among the local networks that
4 you have some understanding of, would that
5 include networks that students have access to
6 from dorm rooms or other?
7 A. I'm generally familiar with dorm
8 room networks.
9 Q. And what's the bandwidth of those,
10 to your knowledge?
11 A. A typical bandwidth would be 10
12 megabits per second on a shared link.
13 Q. As opposed to a switched link?
14 A. That's correct.
15 Q. Now, are the various dorm rooms set
16 up so that each floor is a shared link unto
17 itself, and then each floor is separately
18 switched?
19 A. I don't know.
20 Q. You don't know the overall network
21 configuration?
22 A. I don't know those details, no.
23 Q. Okay. That's fine. Fine.
24 Do you have any knowledge of video
25 compression technologies?
83
1 EDWARD FELTON
2 A. Only in a very general way.
3 Q. Generally, what do you know if you
4 can sum it up?
5 A. Well, I know that it's -- it's
6 possible to compress video and to get some --
7 some -- a modest -- relatively modest amount of
8 compression out of them. I know that video
9 compression technologies are widely used
10 because video files are so big.
11 Q. Does that sum up the state of your
12 knowledge in video codecs?
13 A. In general. I know some of the
14 acronyms and buzzwords, as well, but I'm not an
15 expert by any means.
16 Q. Give me some of the acronyms that
17 are?
18 A. Well, a compression mechan --
19 compression algorithms like MPEG and the
20 various versions of MPEG, for example, are
21 widely used. I know that some of my colleagues
22 do research into video compression algorithms,
23 but I'm not really up on their work.
24 Q. Okay.
25 Have you ever heard of Divx?
84
1 EDWARD FELTON
2 A. Yes, I've heard of it.
3 Q. Do you know anything about it?
4 A. I don't -- I don't understand it in
5 any detail.
6 Q. Do you know if it's widely
7 available?
8 A. I don't know that.
9 MR. GARBUS: I object to the
10 use of the word "widely."
11 THE WITNESS: I don't know how
12 widely available it is.
13 Q. Okay.
14 Now, did you ever have any
15 communications with Eric Corley or Emmanuel
16 Goldstein?
17 A. No.
18 Q. Do you know who that is?
19 A. Yes. I understand that that's one
20 person.
21 Q. That's a start.
22 A. And that he's one of the defendants
23 in this case.
24 Q. Okay.
25 A. And that he is the publisher or
85
1 EDWARD FELTON
2 otherwise associated with 2600 Magazine.
3 Q. Had you ever heard of 2600 Magazine
4 before, let's say, your luncheon meeting with
5 Mr. Garbus?
6 A. Yes, yes.
7 Q. Had you ever read it before?
8 A. Yes.
9 Q. Had you ever visited the 2600 Web
10 site before your luncheon meeting with
11 Mr. Garbus?
12 A. Yes.
13 Q. And I'm sorry, you may have
14 answered this. I apologize.
15 Can we place a rough date on your
16 luncheon meeting with Mr. Garbus?
17 A. It was a couple months ago. That's
18 the best I can do.
19 Q. Okay.
20 And can you give me the gist of
21 what was said at that luncheon meeting?
22 A. Sure. There was some general
23 discussion about this case, and Professor Appel
24 was present at the lunch along with Mr. Garbus
25 and me. And so -- and at that point Mr. Garbus
86
1 EDWARD FELTON
2 had discussed, I understand, in the past with
3 Professor Appel, the possibility of his
4 testifying. And so there was some discussion
5 about that.
6 There was some discussion about
7 what the case was about in general, issues of
8 schedule.
9 There was some discussion about the
10 -- the topics that were discussed in a paper
11 that Professor Appel and I wrote and submitted
12 to the Copyright Office and then later to
13 Communications of the ACM, and there was, I
14 think, also some discussion of issues involved
15 in a -- in declarations that Professor Appel
16 had written in other cases previously relating
17 to the role of source code as a means of
18 expression for computer scientists.
19 Q. Okay.
20 Were there areas of potential
21 testimony or analysis that were focused on you,
22 Ed Felten?
23 A. I -- I think there was a general
24 discussion of my background and what my areas
25 of specialization were and so on. But I don't
87
1 EDWARD FELTON
2 recall anything more specific than that.
3 Q. There was no discussion of areas
4 where you might be qualified to testify in the
5 case or provide a declaration at that luncheon
6 meeting?
7 A. I don't remember any discussion at
8 that lunch meeting except that at the very end
9 there was a very brief exchange about whether I
10 might potentially be interested in testifying.
11 Q. And did you -- who -- who asked you
12 whether you might potentially be interested in
13 testifying, Mr. Garbus?
14 A. Mr. Garbus.
15 Q. Okay.
16 And did you respond to that query?
17 A. Yes. I said that I was interested
18 in discussing it more.
19 Q. Okay.
20 A. But not a yes or no.
21 Q. Okay.
22 Was there anyone else present at
23 the luncheon aside from you, Appel and Garbus?
24 A. No.
25 Q. When did you next have occasion to
88
1 EDWARD FELTON
2 speak to anyone or communicate with anyone
3 regarding this case or your involvement in it
4 like an e-mail or in-person or telephonic?
5 A. I talked to Professor Appel not
6 long after that -- I'll wait.
7 (Brief interruption)
8 Q. Okay.
9 A. Now that the tape is back, I talked
10 to Professor Appel not long after that -- that
11 lunch that I just referred to --
12 Q. Okay.
13 A. -- in general about -- about the
14 possibility of me testifying.
15 Q. Okay.
16 A. That was, I think, the next
17 discussion.
18 Q. Okay.
19 To your knowledge, had Professor
20 Appel already committed to testifying in this
21 case?
22 A. I don't know whether he had
23 committed or not.
24 Q. All right.
25 Did Professor Appel encourage you
89
1 EDWARD FELTON
2 in any way to testify in this case?
3 A. No, I don't think he did. I don't
4 think he expressed an opinion one way or the
5 other about whether I should or should not.
6 Q. Did you have any discussion with
7 Professor Appel in any way about whether you
8 should or should not?
9 A. I don't think I did, no.
10 Q. So what was discussed with Appel
11 regarding your involvement in the case?
12 A. Information about the case, what he
13 might be -- what he was expecting to testify
14 about, which areas and so on.
15 One of the things that I wanted to
16 understand was, you know, what -- where -- the
17 extent to which my testifying would sort of add
18 to what he was saying.
19 Q. Okay.
20 A. Whether --
21 Q. I'm sorry. Go ahead.
22 A. Whether there were areas, relevant
23 areas in which I had expertise beyond his.
24 Q. Okay.
25 A. So I wanted to understand what he
90
1 EDWARD FELTON
2 might talk about.
3 Q. Okay.
4 Were you able to identify during
5 that conversation with Professor Appel any
6 areas where you might add to what he had to
7 offer?
8 A. I'm not sure whether I identified
9 things during the conversation, but I
10 eventually came to an understanding about that.
11 Q. And when did you come to an
12 understanding about that?
13 A. I think it happened over a period
14 of time starting after the -- the lunch meeting
15 that we talked about and going forward for, I
16 don't know, some period of weeks probably.
17 Q. Okay.
18 And you are in pretty much daily
19 contact with Professor Appel when you're both
20 in the office, is that right?
21 A. More or less, yeah. We -- probably
22 more -- I speak to him the majority of days
23 about one thing or another.
24 Q. Okay.
25 Your offices are adjacent to each
91
1 EDWARD FELTON
2 other?
3 A. Down the hall.
4 Q. Right. Okay. Okay.
5 And did you speak with anyone else
6 other than Professor Appel in trying to clarify
7 or crystallize in your mind what things you
8 might be able to add to what he might testify
9 to?
10 A. Yes. I later spoke to Mr. Garbus
11 and also Mr. Hernstadt.
12 Q. Okay.
13 And can you tell me, relative to
14 the lunch meeting, when that occurred or when
15 those conversations occurred?
16 A. It would have been in a series of
17 phone conversations between -- starting
18 sometime after the -- the lunch meeting and
19 going up until, say, sometime in June.
20 Q. Okay.
21 A. So I would have spoken on the phone
22 to them a few times during that -- during that
23 period.
24 Q. And is it your testimony that it
25 was partly your own reflection, partly your
92
1 EDWARD FELTON
2 discussions with Professor Appel and partly
3 your discussions with Messrs. Hernstadt and
4 Garbus that helped you sort of crystallize in
5 your mind what areas of additional testimony
6 you might be able to offer over and above that of
7 Professor Appel?
8 A. I think in understanding what I
9 could testify about, which areas I had sort of
10 knowledge or expertise beyond Professor Appel,
11 it was really my discussions with him that --
12 Q. Got you.
13 A. -- that helped me understand that.
14 Q. Okay.
15 But that you could ultimately wind
16 up communicating your thoughts to
17 Messrs. Garbus or Hernstadt on that subject?
18 A. We did talk about whether -- about
19 what areas -- in what areas I -- I would be
20 testifying, yes.
21 Q. Okay.
22 In addition to that which Appel was
23 going to cover or might cover, is that right?
24 A. That's right.
25 Q. Okay.
93
1 EDWARD FELTON
2 This is not a trick question. I'm
3 really just trying to focus on what you bring
4 to the table, sir.
5 A. And also to the extent that I have
6 some expertise in the same areas as Professor
7 Appel, there's -- there's obviously some
8 overlap between our testimony, as well.
9 Q. Okay.
10 Can you tell me in subject matter
11 areas what areas you discussed testifying in
12 with Professor Appel and/or Mr. Garbus and/or
13 Mr. Hernstadt, whether those overlapped or were
14 separate and apart or in addition to those
15 Appel might testify to?
16 A. Well, a good place to start is the
17 -- the list of four topics -- that is in the
18 declaration.
19 Q. Right.
20 A. And let me look at that --
21 Q. Sure. Please.
22 A. -- and see whether there's anything
23 else that comes to mind.
24 Q. Okay.
25 A. I -- I don't recall discussing
94
1 EDWARD FELTON
2 anything else that's not listed here.
3 Q. Okay.
4 Now, we are talking about the four
5 subject matter categories that are identified
6 in Paragraph 3 of your declaration that's been
7 marked Exhibit 3, right?
8 A. That's right.
9 Q. Okay.
10 Let's work backwards, I guess.
11 A. Okay.
12 Q. The fourth category is the
13 relationship between studying and improving the
14 practice of cryptography and computer security
15 related to the foregoing. I guess that is
16 going to lead us into the earlier ones, but I
17 -- is this subject matter, Number 4 in
18 Paragraph 3, that which we were talking about a
19 little bit earlier in terms of detecting
20 weaknesses in systems and system security and
21 making information concerning those weaknesses
22 available?
23 A. We talked earlier about my
24 experiences in doing that, but we did not talk
25 about why it's valuable to the value of that
95
1 EDWARD FELTON
2 sort of testing and that sort of discussion for
3 education and practice in -- in security and
4 cryptography. So we talked about any
5 experience, but not about the topic in general
6 or the implications of -- of discussion.
7 Q. Fair enough. And again, I'm really
8 trying to do this to expedite things.
9 A. Sure.
10 Q. So you'll stop me if I in any way
11 misstate anything you say, please. But we did
12 touch upon what I thought were your beliefs as
13 to the value of testing security systems, if
14 you will, and the value of making the
15 weaknesses known.
16 Is that part of the Subject Matter
17 4, the relationship between studying and
18 improving the practice of cryptography in
19 computer security?
20 A. That's -- that's part of the
21 subject matter, yes.
22 Q. What else in addition to what we
23 talked about is covered by this Subject Matter
24 4?
25 A. The use -- for example, the use of
96
1 EDWARD FELTON
2 information about vulnerabilities and
3 historical vulnerabilities, and testing and so
4 on. The use of all of that in education, and
5 how these sort of activities contribute to the
6 practice, by which I mean the making of better
7 and stronger systems in the future.
8 Q. Okay.
9 A. That's an example of something that
10 goes beyond what we talked about earlier.
11 Q. When you talk about -- I'm sorry.
12 A. I'm done.
13 Q. Okay.
14 When you talk about the value in
15 education, are you talking about using examples
16 of systems and system weaknesses in the
17 classroom with students?
18 A. Yes.
19 Q. Are these undergraduate students,
20 graduate students or both?
21 A. Both.
22 Q. Okay.
23 Have you, in fact, done so?
24 A. Yes. That's a -- it's -- it's an
25 important part of the security course that I
97
1 EDWARD FELTON
2 teach.
3 Q. I see.
4 And were any of the 12 instances
5 where you were involved in the discovery of a
6 flaw or weakness in the system, have any of
7 those been used in your classroom work with
8 your students?
9 A. Yes. Some of them have been used
10 specifically and also as sort of overview of --
11 of them, also.
12 Q. Okay.
13 A. It's part of what I use in
14 teaching.
15 Q. Okay.
16 But not all of the 12 have been
17 used in your classroom work?
18 A. Not all of those specifically, no.
19 Q. Okay.
20 A. I also use a number of other
21 systems that have been found to be flawed in
22 the past and what can be learned from that,
23 including CSS.
24 Q. Okay.
25 So we are leading to my next
98
1 EDWARD FELTON
2 question which is, have you had occasion at any
3 time in your classroom work with students to
4 use DeCSS?
5 A. I have -- I had a discu -- there
6 was a discussion in -- in one of my lectures in
7 my security class in the spring semester of
8 this year regarding CSS and DeCSS.
9 Q. Okay.
10 And in the course of that
11 discussion, did you at any time operate DeCSS
12 as an executable utility?
13 A. No. What I did was I used the
14 knowledge which I had gotten from examining
15 DeCSS to be able to give a -- an informative
16 and useful lecture about it. So the
17 availability of that -- of that software to me
18 allowed me to -- to teach my course better, to
19 teach about that material. And I did discuss
20 with the students what CSS does, what DeCSS
21 does, and the fact that DeCSS is available on
22 the Net.
23 Q. Did you express any views about
24 this case with your students in connection with
25 these classroom discussions?
99
1 EDWARD FELTON
2 A. No. I did mention that there was a
3 case. At that time I did not know -- I knew
4 very little about the case except that it
5 existed and that it was about the DeCSS
6 utility.
7 Q. Got you. Okay.
8 Have you ever read the court's
9 opinion with respect to the preliminary
10 injunction issue in this case? By opinion I
11 mean sort of the reason, the judge's views of
12 the evidence and the findings. I don't mean to
13 characterize it as a legal matter. I'm just
14 trying to describe what I'm talking about.
15 A. I did read it at one point,
16 although it's pretty far back in time. So I
17 don't have a clear memory of what's in it.
18 Q. Okay.
19 How many classroom sessions
20 involved the discussion of CSS or DeCSS?
21 A. One.
22 Q. And was the entire class session
23 that day devoted to that particular subject?
24 A. Not to CSS specifically. That was
25 a class which was discussing uses of encryption
100
1 EDWARD FELTON
2 to -- to try to restrict the use of various
3 digital content. That topic in general.
4 Q. I see.
5 A. And one of the subtopics was CSS
6 and the experience with it.
7 Q. Okay.
8 Were there any other security
9 systems or encryption systems that were
10 discussed with respect to the protection of
11 digital content, I think as you said, apart
12 from CSS?
13 A. I'm sure I discussed some of the
14 commercial software systems that are designed
15 to do this. I don't recall specifically which
16 ones I talked about.
17 Q. Okay.
18 A. There is relatively little
19 technical information available publicly about
20 some of them, so CSS was probably the one where
21 I had the most access to information about how
22 the system really works.
23 Q. Okay.
24 And why is it that with respect to
25 some of these other systems there is very
101
1 EDWARD FELTON
2 little public information available about them?
3 A. Some of the other systems are still
4 in development. Some of them may be more
5 complicated and, at least as far as I'm aware,
6 less information has been released or reverse
7 engineered about the other systems.
8 Q. And are we talking about some of
9 the other systems that are actually
10 commercially in place?
11 A. Yes.
12 Q. Can you put a name to those even if
13 you can't remember if you discussed them?
14 A. I can't remember whether I
15 discussed specific ones --
16 Q. Fair enough. But sitting here
17 today --
18 A. Intertrust Systems is one example.
19 Q. Any others?
20 A. I'm not recalling the names of
21 others.
22 Q. Okay.
23 And you mentioned a minute ago that
24 there were systems more complicated than CSS, I
25 believe?
102
1 EDWARD FELTON
2 A. Yes.
3 Q. Do you regard the Intertrust System
4 as more complicated than CSS?
5 A. I think it probably is. What it is
6 trying to do is more complicated than what CSS
7 is trying to do. Not having access to
8 information about how the Intertrust System
9 works, I can't say for sure, but it seems to me
10 likely that it's more complicated.
11 Q. And what do you base that statement
12 on?
13 A. The fact that it's trying to
14 provide a more complex set of functions, more
15 different kinds of control or ability to
16 specify use, ability to extract payment on a
17 per-use basis and so on. A lot of functions
18 like that.
19 Q. Got you. Okay.
20 Okay.
21 Is there anything else about the
22 relationship between studying and improving the
23 practice of cryptography and computer security
24 that you either intend to testify about or are
25 prepared to testify about in connection with
103
1 EDWARD FELTON
2 this case?
3 A. I can't think of anything I haven't
4 mentioned.
5 Q. Let's move up to Number 3. I
6 promised you I'd try to do this as efficiently
7 as possible. This is Subpart 3 of your
8 Paragraph 3 of our Exhibit 3 declaration, the
9 importance of disseminating and making
10 available information concerning the subject of
11 such tests and the methodology and results of
12 such testing.
13 Now, just again, for clarity's
14 sake, we had talked earlier about the public
15 dissemination of information regarding flaws in
16 systems and the like. Is -- is that what this
17 subject addresses?
18 A. In part.
19 Q. Okay.
20 A. Information about flaws, but also
21 information about methods used to find the
22 flaws --
23 Q. Okay.
24 A. -- and information about the sort
25 of scientific procedures used and what the
104
1 EDWARD FELTON
2 specific results of testing were, not just
3 there's a flaw of this nature, but how it was
4 found.
5 Q. Okay.
6 A. And -- and the implications of it
7 and information about what went wrong to cause
8 the system to be vulnerable.
9 Q. Okay.
10 Do you -- are you prepared to
11 testify to your views as to the vulnerabilities
12 of CSS and what in your estimation,
13 professional estimation went wrong as it were?
14 A. I have -- I have an understanding
15 of some of the mistakes that the designers of
16 the CSS made. And so I am prepared to testify
17 about that, not in great detail.
18 Q. Okay.
19 A. But at a basic level.
20 Q. Okay.
21 And just tell me basically what
22 your testimony would be.
23 A. Well, on a technical level they
24 made a number of mistakes. One of them was
25 designing their own cipher instead of using a
105
1 EDWARD FELTON
2 standard one that had been well-studied. One
3 was using a 40-bit key size. One of the --
4 there were mistakes which led to the
5 vulnerability that Frank Stephenson described
6 that allowed someone to find a key with less
7 than a 40 -- a full 40-bit space search. And
8 there are also issues related to the
9 description of distribution of keys which are
10 more technical. I have not thought about those
11 in -- in much detail at this point.
12 Q. Now, you mentioned the 40-bit key
13 size.
14 A. Yes.
15 Q. Okay.
16 Are you aware of any sort of
17 government regulation that was in place at the
18 time with respect to supporting limitations on
19 certain encryption device or codes?
20 A. Yes.
21 Q. And is it true that at the time CSS
22 was first implemented commercially that it was
23 subject to some sort of government regulation,
24 again, I'm not asking for legal views, with
25 respect to export of encryption code that was
106
1 EDWARD FELTON
2 greater in length than 40-bit keys?
3 A. I know there were U.S. government
4 export restrictions that applied more stringent
5 rules to -- to devices that used more than
6 40-bit keys. Whether those rules -- how those
7 rules applied to CSS I can't say.
8 Q. Fair enough.
9 But you were generally aware of the
10 existence of those export limitations, correct?
11 A. Yes.
12 (At this time, Mr. Gold enters
13 the room)
14 MR. HART: That's Mr. Gold.
15 He's a colleague of mine.
16 Q. Now, I think the third category you
17 mentioned -- we are not on the dec, we are in
18 subpart --
19 A. Okay.
20 Q. -- was something about the way in
21 which the keys were protected or the way in
22 which the hack occurred. Is that --
23 A. The way -- key management in
24 general, which is about how you choose the
25 keys, how many different keys there are, who
107
1 EDWARD FELTON
2 has which keys, where they're stored and so on.
3 And in the design of a system like CSS key
4 management would be one of the critical issues.
5 Q. Okay.
6 And when you say "key management,"
7 what do you mean by that?
8 A. As I said, I guess I gave a
9 definition a minute ago, which --
10 Q. Okay.
11 A. -- pretty much having to do with
12 everything, how keys are generated, who has
13 them, where they are stored and so on.
14 Q. And what is your understanding of
15 key management with respect to the CSS system?
16 A. I don't recall the details of how
17 it works, although I have read about that.
18 There are -- I know there are certain keys
19 which are stored in every DVD player, and that
20 manufacturers of DVDs have access to certain
21 keys. I don't recall exactly how those fit
22 together.
23 Q. And do you have any knowledge and
24 are you prepared to testify in any way with
25 respect to the particular circumstances of how
108
1 EDWARD FELTON
2 CSS was -- was -- was hacked?
3 A. I don't have any special knowledge
4 about that.
5 Q. Okay.
6 Let me just back up and, again,
7 this is just sort of in an effort to expedite
8 things. You gave an answer several questions
9 ago where you categorized four things about
10 Subject Matter 3 in Paragraph 3, and I want to
11 go back to those four things.
12 (Record read)
13 MR. HART: Okay. Good.
14 Thanks. That helped remind me of
15 where we were at.
16 Q. Issues about key distribution. We
17 just talked about what you know on that
18 subject, yes, in terms of key management
19 relative to CSS?
20 A. Yes.
21 Q. Okay.
22 Let's go to the topic about the
23 mistakes and Frank Stephenson. What can you
24 tell me about that?
25 A. Sitting here right now, I don't --
109
1 EDWARD FELTON
2 I don't recall specifically what the mistakes
3 were that led to that. I remember reading
4 Stephenson's paper and verifying that with
5 reference to the -- to the -- the code for CSS
6 and DeCSS and understanding what the problem
7 was, but I don't -- don't remember at the
8 moment.
9 Q. And you've read Stephenson's paper,
10 right?
11 A. Yes.
12 Q. It's available on the Internet,
13 right?
14 A. It at least was when I got it.
15 Q. That's right.
16 A. That's where I got it from.
17 Q. Do you recall whether Stephenson
18 included DeCSS as a zip code or downloadable
19 utility?
20 A. I don't recall.
21 Q. Okay.
22 A. I do know, though -- I do recall,
23 though, that when I was reading Stephenson's
24 paper I made reference to the code which I had
25 downloaded.
110
1 EDWARD FELTON
2 Q. And you didn't post the code?
3 A. No. I didn't want to be sued.
4 Q. All right.
5 Have we exhausted --
6 MR. GARBUS: I object to the
7 use of the word "exhausted."
8 MR. HART: Well, I won't use it
9 to describe you, Marty, but --
10 Q. Notwithstanding Mr. Garbus's
11 objection, have we covered Subject Matter 3
12 within Paragraph 3 insofar as you're prepared
13 to provide testimony in this case?
14 A. I can't think of anything that we
15 haven't covered.
16 Q. Good.
17 Let's turn to Subject Matter 4
18 within Paragraph 3. And just for the record,
19 it's the methodology, purpose and importance of
20 testing security systems, protecting access
21 and/or use of various computer and/or
22 Internet-related system. What does that mean?
23 A. Well, it's about how and why -- how
24 you go about testing and studying the security
25 level or vulnerabilities in software, how that
111
1 EDWARD FELTON
2 process works --
3 Q. Okay.
4 A. -- both within an individual lab
5 and sort of how the community process works
6 among all the people working in that area.
7 Q. Okay.
8 A. And why that matters to -- to
9 various people.
10 Q. Okay.
11 So why don't you tell me what
12 you're prepared to testify to in that regard.
13 A. Well, I have a lot of experience in
14 doing this myself. And so I'm prepared to
15 testify about the methods that one uses, about
16 the sort of training that someone would go
17 through in order to learn how to do this, about
18 the interactions between people who do this,
19 what sort of interactions I've had with -- with
20 colleagues elsewhere and others who are engaged
21 in that sort of study.
22 Q. Right.
23 A. How -- how different groups of
24 people studying the same system interact and
25 cooperate with each other.
112
1 EDWARD FELTON
2 Q. Okay.
3 A. And then, in general, and also
4 based on my experience, what value people --
5 the public and -- and vendors and computer
6 professionals in general get from that testing.
7 Q. Okay.
8 This last subject, the value to the
9 public and the vendors and the like, is
10 something we have covered in your testimony
11 today?
12 A. We've covered it in general, yes,
13 why -- why I think it is valuable to those
14 people. Although I'm not sure we've covered
15 all of the different communities who -- who get
16 value from this sort of testing.
17 Q. Okay.
18 Why don't you identify those
19 communities for me.
20 A. Well, we talked about -- at least
21 about the value that's provided to the vendors.
22 Q. Right. We talked about the value
23 to the public, correct?
24 A. To the public, yes.
25 Q. Right.
113
1 EDWARD FELTON
2 A. And there are also organizations or
3 -- there are also people within organizations
4 who are in charge of maintaining or securing
5 the computer system, system administrators and
6 so on. Those people want to be able to
7 understand the security, the implications of
8 the choices they are making and security
9 implications of the choices they have already
10 made --
11 Q. Got you.
12 A. -- in deploying software.
13 Q. And these are people that would be
14 aligned with the vendor role even if they don't
15 work for a particular vendor whose systems may
16 have been compromised?
17 A. Not necessarily.
18 MR. GARBUS: Objection.
19 A. Let me give you an example of the
20 person I'm talking about.
21 Q. Please.
22 A. And I'll do it within -- within
23 Princeton University.
24 There's an organization called
25 Computing and Information Technology which sort
114
1 EDWARD FELTON
2 of runs the networks and the public computer
3 clusters and all of that. And they not only
4 handle the operations of those -- all systems
5 but they make decisions about which software
6 would be deployed, what the security policy is
7 going to be, who is allowed to access what and
8 so on.
9 And in order to make informed
10 decisions about what to allow and what they
11 should -- what they should do and what they
12 should allow their customers, their users to
13 do, they need to understand not only specific
14 vulnerabilities in specific systems but also to
15 have a general sense of which kinds of systems
16 are likely to be vulnerable, how common
17 vulnerabilities are and so on.
18 Q. Okay.
19 A. And -- okay.
20 Q. That covers value and identifies
21 the relevant communities?
22 A. I can think of at least one more
23 community, which is law enforcement.
24 Q. Okay.
25 A. Law enforcement agencies are very
115
1 EDWARD FELTON
2 keen to talk to people who have an
3 understanding of security vulnerabilities, how
4 they are found, how to test for them and so on.
5 Q. And why is that?
6 (Brief interruption)
7 A. Could you repeat the question?
8 Q. I'm going to have to have the
9 reporter read it back. I'm sorry for the
10 interruption.
11 (Record read)
12 A. They want to understand what kinds
13 of computer crime are likely to be committed.
14 They want -- they want help in investigating
15 things that have already occurred, and in
16 general they -- they want help with the sorts
17 of forensic analysis which tend to be done in
18 looking for security flaws.
19 Q. Got you. Good.
20 Now, the first three things that
21 you mentioned -- and I think you've presented
22 five.
23 A. Okay.
24 Q. Were methodology, training, and
25 interaction between the interested parties if I
116
1 EDWARD FELTON
2 can use those words. Is that --
3 A. Okay.
4 Q. I --
5 A. Sure. I -- I remember talking
6 about all of those things.
7 Q. Okay.
8 What's the significance of
9 training?
10 A. So I -- I believe what I was -- I
11 think what I -- what I was talking about or
12 what you are referring to is how one goes about
13 training people to do this kind of study.
14 Q. Study being?
15 A. Study of -- analysis of -- of
16 systems looking for vulnerabilities.
17 Q. Okay.
18 A. How one goes about training
19 students, for example, to do that or training
20 oneself for that matter.
21 Q. Okay.
22 How does one go about training?
23 A. Partly practice.
24 Q. Right.
25 A. Partly by studying what other
117
1 EDWARD FELTON
2 people have done, the experiences other people
3 have had, how they go about doing it, what
4 their methods are and what they found. Partly
5 it's developing general skill at reverse
6 engineering, which is something you can
7 practice, and also study methods, understanding
8 what tools are available and how they can be
9 used.
10 Q. Now, you mentioned the interactions
11 that take place between interested parties.
12 Can you tell me what you mean by that?
13 A. Sure. We talked earlier about
14 interactions between -- some examples of
15 interactions between vendors of systems and
16 people who find flaws in them. Also,
17 interactions between -- really all the
18 interested parties, vendors, system
19 administrators, members of the public, people
20 who are doing studies of vulnerabilities, and
21 sometimes law enforcement. All of those groups
22 interact with each other --
23 Q. Right.
24 A. -- in different ways. Even
25 interactions for example, between people who
118
1 EDWARD FELTON
2 are studying vulnerabilities in the same
3 system. Quite a bit of experience in that.
4 Q. Okay.
5 And what do you mean by
6 "interactions"?
7 A. What I mean in that -- in that
8 instance, between different researchers
9 studying the same subject --
10 Q. Right.
11 A. -- how these people find out about
12 each other, how they communicate their results
13 to each other, how they build on each other's
14 work --
15 Q. Okay.
16 A. -- and -- and so on. How they
17 sometimes come into collaboration on projects
18 and all that.
19 Q. And tell me what you know about
20 that, what you are prepared to testify in this
21 case in that regard.
22 A. Several -- well, several things.
23 Q. Okay.
24 A. One -- one part -- one thing which
25 I've experienced is that -- well, this is often
119
1 EDWARD FELTON
2 a phenomenon in research where you are working
3 on a problem, working on some topic, and you
4 don't know anyone else who's working on it and
5 somehow you hear of someone else who is doing
6 it. And in my experience, very frequently
7 after there's been some public discussion based
8 on -- my group's work, whether it's in the
9 press or on our Web site, we get people who
10 we've never heard of come to us and describe
11 what they are doing, which is very useful and
12 relevant to -- helps to inform us about what's
13 going on and give us useful information.
14 Q. And how do they come to you, by
15 what means?
16 A. Usually -- usually they'll call me
17 or send me an e-mail.
18 Q. Okay.
19 A. Which, to me, just comes out of the
20 blue.
21 Q. Okay. Got you.
22 And is code shared in those e-mails
23 on occasion?
24 A. On occasion, yes.
25 Q. Okay.
120
1 EDWARD FELTON
2 And so as long as people know that
3 you are working on a particular subject or have
4 an interest in it by some information that's
5 put on a public Web site, you can solicit,
6 comment and further communicate through such
7 things as phone calls and e-mails, is that
8 right?
9 A. You could always discuss things by
10 e-mail, but one of the -- one of the challenges
11 in this situation is that you receive many
12 comments from people, and it's by the technical
13 content in those comments and it's by the
14 sophistication of their reaction to the
15 technical details that we've published that we
16 can spot the people who are really the most
17 interesting ones to -- to talk to.
18 Q. Okay.
19 A. And so it's really the technical
20 parts of the discussion that let me recognize
21 which of the thousand of e-mails I got --
22 Q. Right.
23 A. -- are likely to lead to a useful
24 technical discussion.
25 Q. Okay.
121
1 EDWARD FELTON
2 So, in other words, you may get a
3 thousand e-mails in regard to a particular
4 topic and you will screen those essentially and
5 look at the ones that you think have the most
6 value or the writer of that e-mail might have a
7 lot to contribute and again get into further
8 communication with that person, is that --
9 A. Well, in general I'll read
10 everything.
11 Q. Sure.
12 A. And, you know, some -- some person
13 may be pointing out an -- an interesting idea I
14 haven't heard of, has a new way of thinking
15 about a problem or has interesting feedback on
16 something that we have done. That can't happen
17 unless we're -- we are communicating to the
18 public in the beginning details about what --
19 what we found and how --
20 Q. I understand.
21 A. -- and why.
22 Q. And after you've communicated to
23 the public some details of what you found and
24 why and you've gotten e-mails from lots of
25 people, what do you then do in terms of
122
1 EDWARD FELTON
2 facilitating the interaction or communication
3 with the people that you're interested in
4 talking with?
5 A. Well, to -- generally I receive a
6 bunch of e-mails, a bunch of phone calls, and
7 respond to each one. Someone sends -- someone
8 has a particularly thoughtful or interesting
9 thing to say, I'm likely to, you know, have a
10 longer return conversation with them. And over
11 time you might develop a dialogue or a
12 collaboration or some sort of relationship with
13 someone that originated this way. And a lot of
14 communications just lead to -- lead to nothing.
15 Q. And where you have a continuing
16 dialogue, how do you conduct that dialogue on a
17 continuing basis?
18 A. Once you already know that you are
19 working in the same area as someone, then you
20 can operate by e-mail, for example. But in the
21 beginning, in my experience you almost never
22 know who those people are. And it's only
23 through the more general kind of discussion
24 that -- it's only that that leads people to --
25 to start the interaction.
123
1 EDWARD FELTON
2 Q. Got you.
3 A. So it's not the case that there's
4 some small community of people working on this
5 problem who I know in advance --
6 Q. I understand.
7 A. -- who they are.
8 Q. I understand.
9 MR. GARBUS: Mr. Hart, do you have
10 any sense of how long you are going
11 to go? I want to release my wife
12 so we can start our weekend if
13 you're going to go longer.
14 MR. HART: I'm obviously going
15 longer because I'm not finished
16 with my questioning. If you have
17 to release your wife from whatever
18 you've done, as a matter of
19 courtesy, I would suggest that you
20 release her immediately.
21 MR. GARBUS: As a matter of
22 courtesy, can you tell me how far
23 do you -- how long you think you
24 are going to go?
25 MR. HART: I wouldn't expect to
124
1 EDWARD FELTON
2 go more than another hour as a
3 matter of courtesy.
4 MR. GARBUS: Go ahead.
5 Continue. I'm just going to make a
6 call. I can listen to the
7 questions as you are doing it.
8 MR. HART: Okay. I don't know
9 if I can ask questions while you're
10 talking on the telephone. It's not
11 a question of your permission, sir.
12 It's a question of your being
13 distracting.
14 THE WITNESS: Can we just take
15 a quick break in any case?
16 MR. HART: That's fine. I
17 think that's the right thing to do.
18 THE VIDEOGRAPHER: Off the
19 record, 1:02.
20 (Brief recess taken)
21 THE VIDEOGRAPHER: Back on the
22 record at 1:12.
23 MR. HART: Could you just read
24 back the last Q and A, please?
25 We're all -- remind ourselves where
125
1 EDWARD FELTON
2 we were.
3 (Record read)
4 Q. So just to bring some closure to
5 that area before we move on, you're saying that
6 there's value in posting discussion to an open
7 Web site which, in turn, will generate input
8 from a variety of people by e-mail and then
9 further communication -- or a phone, I think you
10 mentioned. And then further communications
11 that are of interest to you would be
12 pursued by phone or e-mail, is that a fair
13 statement?
14 A. Yes, it helps -- it helps you to
15 find -- it helps the people who are engaged in
16 the study of this area to find each other. And
17 I also think it inspires more people to go into
18 that kind of study.
19 Q. Okay.
20 Okay.
21 Now, I think we are still in
22 Subpart 2 of Paragraph 3, right?
23 A. Yes.
24 Q. Okay.
25 And we were talking about
126
1 EDWARD FELTON
2 methodology, purpose and importance of testing
3 security systems, protecting access and/or use
4 of various computer and/or Internet-related
5 systems, right?
6 A. Yes.
7 Q. And is there anything else beyond
8 what you've already testified here -- to here
9 today that you intend to or are prepared to
10 testify to in this proceeding relative to that
11 subject, Subpart 2 of Paragraph 3?
12 A. There is nothing else that I can
13 think of.
14 Q. Okay.
15 Subsection 1 of Paragraph 3, the
16 function, similarity and/or differences between
17 source code and object code, and we talked a
18 little about that today, is there anything else
19 that we can add that would bear on what you are
20 prepared to or intend to testify to in that
21 proceeding on that subject?
22 A. Well, I think in general I would
23 expect to testify to what source code and
24 object code are.
25 Q. Right. What are they? Sorry.
127
1 EDWARD FELTON
2 A. Sorry, is that a joke or a
3 question?
4 Q. It's actually a question that I
5 said with a smile on my face. But it is a real
6 question.
7 A. Let me finish the --
8 Q. I'm sorry. Please.
9 A. -- my previous answer.
10 What they are, what they are used
11 for, what they're good for, and why and how
12 people use them as a medium of communication.
13 Q. Okay. Go ahead.
14 A. So -- sorry, could you --
15 Q. Yeah. All right.
16 Now, could you tell me, based on
17 your last answer, what your testimony is or
18 will be with respect to what they are, what
19 they're used for, what they are good for and
20 I'm sorry, I neglected the last one.
21 MR. HART: We can have the
22 reporter read it back if that's a
23 help.
24 THE WITNESS: Sure.
25 (Record read)
128
1 EDWARD FELTON
2 A. Sorry, is there a question?
3 Q. Yes. I'm sorry. And, again, I'm
4 really just trying to expedite things.
5 If you don't mind, I'd like you to
6 now tell us in your professional opinion what
7 source and object code are, what they are used
8 for, and so on based on your last answer.
9 A. I'll go down the list.
10 First what they are. They are both
11 different ways of expressing a computer program
12 which is a list of instructions or a set of
13 procedures for a computer to carry out or a
14 process of doing something in series of stages,
15 essentially what a computer is going to do.
16 Q. Right.
17 A. There are different -- there are lots
18 of different ranges or notations for expressing
19 computer programs, and generally you would
20 apply the term "source code" to things which are
21 closer to the level at which humans tend to
22 analyze the -- and which humans prefer to
23 analyze the -- the functions of the -- of what
24 the computer is doing. And you generally apply
25 the term "object code" to things that are closer
129
1 EDWARD FELTON
2 to the form in which the computer actually
3 executes the software. In fact, it's really
4 more of a continuum.
5 Q. I understand.
6 A. There are often intermediary stages
7 and so on.
8 Q. I often refer to that distinction
9 as humanly readable versus machine readable
10 code. Would you disagree with that as
11 reflecting the two ends of the spectrum that
12 you just described?
13 A. Well, I think that both of those
14 descriptions you gave are too extreme in that
15 both forms are human readable and both forms
16 are machine readable, and there's value to
17 having machine and humans read -- be able to
18 read any of these forms and analyze them.
19 Certainly we teach students about all these
20 different forms, how to read them, how to write
21 them, what they're for, why they're used and so
22 on.
23 Q. But is it fair to say that to the
24 untutored eye object code is largely
25 unintelligible?
130
1 EDWARD FELTON
2 MR. GARBUS: I'll object to the
3 use of the term "untutored eye."
4 MR. HART: Untutored.
5 MR. GARBUS: I said untutored
6 eye. It depends on whose eye and
7 it depends on what "tutored" and
8 "untutored" means.
9 Q. Of course it does.
10 A. To the untutored eye it's pretty
11 much all gibberish.
12 Q. Of course.
13 A. It typically requires a bit more
14 training and experience to be able to read
15 object code effectively. One often reads or
16 extracts information from object code with the
17 help of -- of software tools.
18 Q. Called?
19 A. There are various different kinds;
20 debuggers, disassemblers and so on.
21 Q. Right.
22 A. Those are examples of the sorts of
23 tools one uses in working with object code.
24 Q. Right. Okay.
25 What else are you prepared to
131
1 EDWARD FELTON
2 testify?
3 A. That was what they are.
4 Q. Correct.
5 A. The next category is what they are
6 used for.
7 Q. Okay.
8 A. And they are used for several
9 things. They are used as a medium of -- that
10 people can use to express ideas about computer
11 programs and what they want the computer to do.
12 I'll leave that aside for now because that's
13 one of the later topics that I mentioned.
14 That's Number 4 on the list.
15 Q. Okay.
16 A. They are also used as computers --
17 some forms of code can be executed directly or
18 indirectly by -- directly by a computer. All
19 of them can be executed indirectly, at least.
20 So that's another thing they are used for.
21 Q. When you say "indirectly" --
22 A. What I mean is, at the extreme end
23 object code -- you have something -- you might
24 have something which you can just load into
25 memory and point the microprocessor at that and
132
1 EDWARD FELTON
2 it will execute.
3 Q. Right.
4 A. In other forms you might need help
5 from something -- a compiler to translate the
6 code into a different format. You might use
7 something called an interpreter which can
8 execute code that's written in yet another type
9 of format. And so when I talk about indirectly
10 executed something, I mean with the help of
11 other software.
12 Q. Okay.
13 So as an example, one can take
14 source code and, with the use of a compiler,
15 cause that source code to be converted into an
16 executable piece of code for the machine to
17 operate on?
18 A. That's an example, yes.
19 Q. Okay.
20 A. So these things are used as ways
21 for people to communicate with each other, they
22 are used to have a computer execute them, and
23 they are also used as a way that -- as a method
24 for people to describe what they want the
25 computer to do. So when you write code you
133
1 EDWARD FELTON
2 might be communicating partly to the computer,
3 but you are also communicating to other people
4 and to yourself.
5 Q. When you are communicating to other
6 people and yourself, are you doing that more on
7 the source code end of the spectrum rather than
8 on the object code end of the spectrum?
9 A. It depends what those people want,
10 what they want to learn about the program.
11 Certain kinds of information are most easily
12 extracted from source code and other kinds of
13 information are most easily extracted from
14 object code.
15 Q. Can you tell me what kinds of
16 information are extracted from which type of
17 code?
18 A. Sure. Source code is, as I said
19 before, a little bit easier to read than object
20 code and so it -- it might contain a
21 description of what the program does or is
22 supposed to do at a higher level of
23 abstraction.
24 Q. Okay.
25 A. And so if someone wants information
134
1 EDWARD FELTON
2 that exists or can be expressed at that level,
3 they might look at the source code.
4 The object code contains more
5 information about how the program will execute
6 a particular machine or on a particular
7 architecture, about the efficiency of that
8 execution, about what kind of resources would
9 be required to execute it. Information about
10 bugs or errors in the program might be found in
11 one or both of the forms.
12 Q. Okay.
13 A. So to move --
14 Q. I just want to try and close that
15 subpart up --
16 A. Okay, sure.
17 Q. -- which would be to say that the
18 value of the object code is in discerning the
19 efficiency of the program on a number of
20 different levels including how fast it would
21 respect or how effectively it would run?
22 MR. GARBUS: I object to you
23 testifying, Mr. Hart. Now, your
24 job here as I understand it is to
25 ask the witness questions. And
135
1 EDWARD FELTON
2 incorrectly stating or qualifying
3 or narrowing his testimony is
4 inappropriate. I object to the
5 form of the question. I will allow
6 the witness to answer. I've
7 permitted you to testify on a
8 number of occasions in the hope of
9 closing down this deposition. Go
10 ahead, Mr. Felten.
11 THE WITNESS: All right.
12 A. I think what you said is part of
13 the picture.
14 Q. Okay.
15 A. Certain -- certain kinds of
16 information about efficiency, for example,
17 about interaction with the detailed features of
18 a microprocessor or some hardware device might
19 be in the object code, but not in source code.
20 Also, there are certain things
21 about a program which you can only learn or
22 best learn by actually running the program.
23 And in order to do that you have the program in
24 a form such that you can actually run it.
25 Q. What things do you learn only when
136
1 EDWARD FELTON
2 you run the program?
3 A. Some -- some things having to do
4 with efficiency and use of resources by the
5 program are best learned by running the
6 program. There are some forms of testing which
7 -- there are some situations where you can
8 learn about the behavior of a program by a
9 systematic testing method of running the
10 program in different inputs and so on. And
11 that's often more effective than just analyzing
12 the program and scratching your head. So
13 that's -- that's one example.
14 Q. Okay.
15 Do you have anything else to add on
16 the value of the object code form as
17 distinguished from the source code form?
18 A. I think that's all.
19 Q. Okay.
20 Let's just continue with your
21 checklist. You have it in front of you.
22 A. What are they good for? I think
23 I've -- that largely falls -- that largely is
24 covered by information in the other categories.
25 I've talked about testing. I've talked about
137
1 EDWARD FELTON
2 learning about the programs. The next item is
3 using the code as a medium for communication.
4 Q. Okay. Go ahead.
5 A. So let me move on to the -- the
6 last one, which is why and how software code is
7 used as a medium of communication.
8 Q. Please.
9 A. And so -- a medium of communication
10 in this case between people.
11 And there are a number of ways in
12 which that's done. This -- code is the most
13 precise method that we have for specifying a
14 computer program. If we want to talk about a
15 program or algorithm, the most precise way of
16 doing it is exhibiting code, because that says
17 exactly what the program does without leaving
18 out details. And the code is often in the
19 details. So you often need to see code in
20 order to understand what someone is talking
21 about.
22 Q. Okay.
23 A. Code also can serve as an
24 existential proof of something. You say I can
25 do something and someone, if they doubt you,
138
1 EDWARD FELTON
2 you can show them the code and they can try it
3 out themselves.
4 There are -- in addition, in the
5 process of writing code there are many choices
6 that the author can make. Some of them
7 aesthetic, some of them having to do with how
8 things are named, how things are arranged, how
9 the functions of the software are divided up
10 and organized. And a lot of ideas about how to
11 structure or organize software or a particular
12 program get expressed in the code.
13 Books that talk about how to write
14 programs, how to be an effective programmer are
15 usually filled with examples of code for just
16 this reason. If -- computer programming is
17 about writing code, and in order to be a good
18 writer even of English, you have to read good
19 writing and a lot of it, and maybe read some
20 bad writing, and talk about it and figure out
21 what's -- what's wrong with it. So in all of
22 those ways software code is a way that people
23 can communicate with each other.
24 Also, in writing code you're
25 communicating with yourself because -- I know
139
1 EDWARD FELTON
2 it sounds funny but --
3 Q. I find a lot of things funny. And
4 believe me, I'm say -- this is very
5 well-spirited. I think you understand that.
6 A. Yeah.
7 Q. Okay.
8 A. I understand that.
9 You are communicating with yourself
10 in the sense that you might write a piece of
11 code and then two months later come back and
12 need to fix it and you want to be able to read
13 it and understand what you meant. And so that
14 sense, it's also -- there's also a
15 certain expressiveness in the way you write it
16 would be -- that would be easy for someone to
17 understand what it is intended for when you
18 come back, and that someone else might be you
19 having forgotten things in the meantime. Those
20 are all examples of why and how software serves
21 as a medium of expression.
22 Q. Okay.
23 A. I know Professor Appel has written
24 about and spoken about examples of people using
25 code as a medium of expression and a way of
140
1 EDWARD FELTON
2 publishing scientific ideas.
3 Q. Right.
4 A. Which -- which I won't go into in
5 detail.
6 Q. Okay.
7 A. But there are lots of examples of
8 people doing that and code serving as a medium
9 of expression and communication between --
10 between researchers and even from researchers
11 to the -- to the general programming community.
12 THE COURT REPORTER: I just
13 need to change my paper real quick.
14 MR. HART: Okay.
15 Q. Now, in the examples you just gave
16 about code as a medium of expression in
17 communicating ideas, is it typical in your
18 experience to do so by including the code for
19 an entire program in unexpurgated form or is it
20 parsing pieces of a code including annotations
21 within it or what? I mean, you have to give me
22 a better sense of --
23 A. Well, it depends. It depends on
24 the circumstances, who is trying to communicate
25 what to whom.
141
1 EDWARD FELTON
2 Q. Right.
3 A. So I can't give a general answer.
4 You see all of these in different
5 circumstances.
6 Q. That is an entire program in code
7 form, that is unexpurgated, unannotated
8 fashion.
9 A. You might see an entire program,
10 you might see a part of the program, you might
11 see the program annotated or described and you
12 might see the program described. You might see
13 it in source code or object code or some other
14 formats. All of those make sense in different
15 circumstances.
16 Q. In your professional experience and
17 based on all the testimony you've given here
18 today in terms of communication, interaction,
19 security testing, reverse engineering, what
20 have you --
21 MR. GARBUS: I object to the
22 form of the question. It has "what
23 have you" in it.
24 MR. HART: I'm sure you do.
25 Thank you, Mr. Garbus.
142
1 EDWARD FELTON
2 Q. Of the various manners in which
3 code could be presented as you just outlined,
4 how typical is it to have an entire program
5 presented in unannotated code?
6 MR. GARBUS: I object to the
7 form of the word "typical." Go
8 ahead.
9 THE WITNESS: I -- I think it's
10 one of the forms that you commonly
11 see, a whole program not annotated
12 or poorly annotated.
13 Q. I'm sorry, not annotated?
14 A. Not annotated or poorly annotated.
15 Q. What does "poorly annotated" mean?
16 A. Few annotations, maybe inaccurate
17 annotations.
18 Q. And it's poorly annotated for what
19 reason?
20 A. By poorly --
21 Q. Why is it poor? I'm sorry.
22 A. Perhaps "poorly" wasn't the best
23 word for describing what I meant. What I meant
24 is -- perhaps what I should have said is not
25 annotated or minimally annotated.
143
1 EDWARD FELTON
2 Q. Okay.
3 But in your judgment, minimally
4 annotated would be poorly annotated at some
5 level. And what is -- why is it poorly
6 annotated?
7 A. I think I chose the wrong word when
8 I said poorly. What I meant to convey is
9 there's not much annotation there.
10 Q. Got it.
11 MR. GARBUS: He wasn't using
12 poor to mean not having dollars to
13 it.
14 MR. HART: Of course he wasn't,
15 Mr. Garbus, and I think we all know
16 that. So your comment was really
17 gratuitous and unnecessary.
18 Q. Now, can you tell me, in how many
19 instances with respect to your Web site or the
20 Web site that your group uses at Princeton,
21 that you have posted openly to the public
22 unexpurgated, unannotated object code
23 utilities?
24 A. I can think of a few, a few
25 instances. And here I'm interpreting object
144
1 EDWARD FELTON
2 code as something that can be executed
3 directly.
4 Q. Right.
5 A. Whether through an interp --
6 executed easily just by sort of double-clicking
7 it regardless of what form it's in.
8 Q. That's the gist of the question.
9 And what were those instances?
10 A. Well, first of all -- actually, let
11 me clarify something with respect to the
12 question. If something is object code or
13 executable code or something which, as I said,
14 can just be double-clicked and run, it's not
15 going to have in it commentary or explanation.
16 It just will be the code that executes.
17 Q. Right.
18 A. It says -- it says what it says.
19 Q. Right.
20 In other words, if you put
21 commentary into what would otherwise be the
22 presentation of object code, you are making the
23 code inoperable in a sense as an immediately
24 executable utility?
25 A. It may not be immediately
145
1 EDWARD FELTON
2 executable if it has -- if it has comments in
3 it.
4 Q. Okay. Got you. Go ahead.
5 A. It might be accompanied by
6 comments.
7 Q. Got you.
8 A. Or there might be comments
9 associated with it somehow.
10 Q. Okay.
11 A. About how to use it. There might
12 be a manual or something.
13 Q. Okay.
14 A. We've done that in a few instances.
15 Q. And you were going to tell me what
16 those instances were.
17 A. Well, I'll give you a couple of
18 examples. I'm not sure I can get them all, but
19 -- we've -- one bit of code that we have made
20 available -- we -- because of what I'll
21 characterize as various lawyer-oriented rules
22 of the university we -- we don't often just
23 give out code without requiring people to agree
24 to some very mild license agreement promising
25 not to sue us if something goes wrong or
146
1 EDWARD FELTON
2 something.
3 So if we are going to distribute a
4 whole program with the expectation that people
5 will run it, we will require people to -- to
6 agree to some -- to something before they take
7 it. But with that understanding. But we do
8 make it available to anyone who wants it.
9 Q. Who signs the license agreement,
10 the recipient?
11 A. The recipient, yes. And it's
12 pretty much boilerplate type of thing.
13 Q. Is that something that's readily
14 available on a Web site, the license agreement?
15 A. I believe it would be.
16 Q. Okay.
17 A. I'm not positive that it's
18 available.
19 MR. HART: I'd like that
20 produced. And if you get it to us,
21 the quicker the better.
22 MR. GARBUS: Okay.
23 THE WITNESS: Right.
24 Q. Is there a URL that you can give me
25 right now where I might --
147
1 EDWARD FELTON
2 A. Not off the top of my head, no.
3 Q. Okay.
4 A. And it's our usual practice to do
5 that. I can't say -- to associate that
6 agreement. I can't say we've done it every
7 time.
8 Q. And is there anything that is
9 provided by Princeton University and/or written
10 by its lawyers as you mentioned a minute ago,
11 you said it was lawyer-driven, that explains
12 the policy itself?
13 A. The policy of the University --
14 well, without going into a long exposition on
15 the University's intellectual property policy,
16 if we -- the rules roughly say that if we want
17 to distribute something which might potentially
18 have commercial value, software, then we need
19 to get permission from the University to do
20 that. And generally that permission is readily
21 given and they might -- the University might
22 ask us to put -- to put -- to require a license
23 agreement that involves, say, a liability
24 disclaimer or something with the code.
25 Q. Okay. Got you.
148
1 EDWARD FELTON
2 A. That's the sort of thing I'm
3 talking about as the license agreement.
4 Q. When you say where software might
5 have a commercial utility or value, what do you
6 mean by that?
7 A. So what I mean is that the
8 University -- if we as researchers create
9 something that has monetary value, the
10 University would like to -- would like to get
11 -- get its share.
12 Q. Got you.
13 A. And so we can't just -- if we have
14 something of commercial value we can't just
15 necessarily release it without at least
16 disclosing to them what it is and so on. And
17 there are a bunch of procedures related to
18 that. That's pretty standard at universities
19 and companies for obvious reasons.
20 Q. Are there any policies or
21 procedures or license -- or other kind of
22 written requirements to your knowledge at
23 Princeton which address potential liability
24 arising from code, i.e., it would cause a
25 disruption of someone's system, virus issues or
149
1 EDWARD FELTON
2 just the potential that it could be misused in
3 some way and that somebody could get sued for
4 that?
5 A. My experience has been that if I go
6 to the university and ask for permission to
7 distribute some kind of software because it
8 might potentially have commercial value, then
9 they will generally, regardless of the nature
10 of that software, ask me to require people to
11 sign some sort of license agreement involving a
12 liability disclaimer regardless of the nature
13 of the software.
14 Q. Whether or not it has commercial
15 value?
16 A. Whether or not they judge it to
17 have commercial value. Just the fact that I
18 have talked to them about releasing it. They
19 will generally ask for it.
20 Q. Did you ever go to anybody at
21 Princeton and ask them for permission to
22 disseminate DeCSS in any form?
23 A. No.
24 MR. HART: I'm sorry. I think
25 we were talking about those
150
1 EDWARD FELTON
2 instances where you had posted or
3 caused to be posted to you or your
4 group's Web site at Princeton what
5 I was calling unexpurgated code in
6 the form of an immediately-executed
7 utility. And I think you were
8 going to give me examples of those
9 instances where you had done that,
10 and you started to explain the
11 license procedure. Continue to do
12 that, please.
13 A. Sure. So let me start with one
14 example. It was something called the JAVA
15 filter which was -- which you can think of as
16 being an add-on browser that provides some
17 additional security functionality.
18 Q. Okay.
19 A. It was -- if you installed this
20 thing on a certain version of a certain browser
21 it would give you the ability to have more
22 control over which Java Applets your browser
23 would execute, and that has security
24 implications.
25 Q. Got you. Okay.
151
1 EDWARD FELTON
2 A. So we had developed that as a
3 research project, and we made it available to
4 the public from our Web site. That's one
5 example.
6 Q. Okay.
7 A. I'm trying to think of some more
8 examples. We -- another example -- I -- I'm
9 not thinking of another example coming out of
10 our lab --
11 Q. Okay.
12 A. -- although I'm sure there are some.
13 But releasing the software in this way is a
14 routine practice and lots of people in our
15 department have done it.
16 Q. Okay.
17 To your knowledge, have any
18 computer crimes been committed affecting
19 Princeton's computer systems?
20 MR. GARBUS: Object to the form
21 of the question. But you can
22 answer if you know.
23 A. Yes.
24 Q. Can you tell me just briefly what
25 you know about that?
152
1 EDWARD FELTON
2 A. Well, so with the qualification
3 that I'm not going to make -- I'm not going to
4 make expert decisions about what's a crime and
5 what's not.
6 Q. Correct. Absolutely. And I don't
7 want a legal conclusion.
8 A. Based on a common sense
9 understanding, yes, there have been virus --
10 there have been viruses, there have been
11 instances of people breaking into various
12 computer systems.
13 Q. Are these students, typically, or
14 outsiders or both?
15 A. I do not know of any instances of
16 students doing it.
17 Q. Okay. Okay.
18 A. I don't know if I would have --
19 Q. Yeah, I understand.
20 A. -- had that occurred, but I do know
21 of a number of instances in which people
22 apparently from the outside broke into
23 Princeton's system as well as the viruses.
24 Q. Do you know if they were prosecuted
25 or any action was taken against them?
153
1 EDWARD FELTON
2 A. I don't know. I wouldn't know if
3 they had. It's not my department --
4 Q. Got you.
5 A. -- to go after those people.
6 Q. Okay.
7 Were you consulted at all in any
8 connection in terms of the integrity of the
9 system or the forensics or any of the other
10 things you mentioned earlier about law
11 enforcement issues relative to computers and
12 computer crime?
13 A. With respect to crimes at Princeton
14 -- yes, actually.
15 Q. And in which instances were you
16 consulted?
17 A. I'm thinking in particular of the
18 Melissa virus.
19 Q. Okay.
20 A. In that case I was consulted by the
21 FBI and by the U.S. Attorney's office.
22 Q. Okay.
23 Are you aware of Napster?
24 A. Yes.
25 Q. How are you aware of it?
154
1 EDWARD FELTON
2 A. Articles about it in the press
3 primarily. Discussions with people.
4 Q. Were those discussions confined to
5 computer specialists or did they also include
6 laypeople?
7 A. I think I've had discussions with
8 both, specialists and laypeople.
9 Q. Okay.
10 Are you aware whether Princeton has
11 encountered any problems as a result of
12 students using Napster at Princeton?
13 A. I don't know.
14 Q. You are not aware of any?
15 A. I'm not aware of -- of any.
16 Q. Okay.
17 A. Of any problems.
18 MR. HART: I'm not clear what
19 we are doing on the record at this
20 point, because Mr. Garbus' phone
21 rang while you were answering my
22 question and he's now stood up and
23 taken a phone call. So I'm not
24 going to ask you any questions
25 until Mr. Garbus resumes his
155
1 EDWARD FELTON
2 appearance here.
3 Are we back?
4 MR. GARBUS: Yes.
5 MR. HART: Thank you.
6 Q. Now, you co-authored a piece with
7 Professor Appel that was submitted to the
8 Copyright Office in connection with the
9 rule-making inquiry, correct?
10 A. Yes.
11 Q. And who prompted the writing of
12 that piece?
13 A. I think -- the actual writing was a
14 collaborative effort. I think I'm the one who
15 first raised the topic of the Copyright Office
16 soliciting comments.
17 Q. Okay.
18 And how did you become aware of the
19 Copyright Office proceeding?
20 A. I don't remember.
21 Q. Do you think it may have been as a
22 result of any communications you've had about
23 this case?
24 A. No, not as a result of this case,
25 because we worked on that document before I had
156
1 EDWARD FELTON
2 any involvement in this case.
3 Q. Okay.
4 Had you followed the legislative
5 process with respect to the enactment of the
6 Digital Millennium Copyright Act?
7 A. Yes.
8 Q. Did you ever submit any testimony
9 or views in connection with that legislative
10 process?
11 A. Yes. I signed a letter to -- I
12 believe it was to various members of Congress
13 or -- and/or Senators --
14 Q. Right.
15 A. -- which was signed by a large
16 number of computer security experts, I guess.
17 Q. Okay.
18 And what was the gist of that
19 letter?
20 A. It was a concern about the -- about
21 the effect of the -- of what was then the
22 current draft of the Digital Millennium
23 Copyright Act, and the effect of that on the
24 ability of people like me to do computer
25 security research and to disseminate the
157
1 EDWARD FELTON
2 results of that -- of that research.
3 Q. And specifically, was it the
4 circumvention or that type of proposed
5 circumvention legislation that was part of the
6 DMCA that was the focus?
7 A. The -- the circumvention aspect of
8 the DMCA was -- was at least one of the main
9 topics of the letter.
10 Q. I'm only saying this, not to
11 belabor the point, but because the DMCA as you
12 may know includes a number of different
13 components, and I'm not interested, unless you
14 feel you are going to testify or you may
15 testify, on subjects like ISP liability and
16 boat hull protection and some of the other
17 things that were in the DMCA.
18 A. No, it was -- it was not about any
19 of those topics that you mentioned.
20 Q. Okay. Fine.
21 A. It was primarily in the area of the
22 anticircumvention requirements and the things
23 that are connected to or close to the -- some
24 of the issues in this case.
25 Q. Okay.
158
1 EDWARD FELTON
2 And I'm sorry, the view again, that
3 was expressed generally speaking was?
4 A. Was -- the view -- generally, the
5 view of the -- of the letter and the concern
6 that we were trying to raise was that -- was a
7 concern that the DMCA would make it either
8 impossible or more difficult to do computer
9 security research that involves reverse
10 engineering and studies of vulnerabilities and
11 so on, and also about the effect of the DMCA as
12 it was then on -- on -- dissemination of -- of
13 research results and interaction among
14 researchers and between researchers and other
15 people.
16 Q. Got you.
17 And can you place a rough time
18 frame on when this letter was submitted?
19 A. I'm not sure I can tell you the
20 time frame. I can tell you when it was
21 relative to the passage after the DMCA.
22 Q. Okay.
23 A. It was -- it was within a few
24 months before the DMCA passed.
25 Q. Okay.
159
1 EDWARD FELTON
2 And to your knowledge, were there
3 further bills or proposed bills for the
4 circumvention aspects of the DMCA that were
5 under consideration after the date that you
6 submitted your letter?
7 A. You are referring to bills relating
8 to the DMCA, other -- other bills relating to
9 the DMCA?
10 Q. I'm sorry. And it may have been my
11 question. I apologize.
12 Without yet drawing any conclusion
13 as to what effect your letter may have had on
14 the Congressional legislative process, I'm
15 simply asking you whether you are aware that
16 there was further bill writing and bill
17 proposals with respect to the DMCA and its
18 circumvention provisions that -- that were done
19 or made after the date of your letter.
20 A. My understanding is that when we
21 submitted the letter, the process of writing or
22 editing or whatever the term is, determining
23 the final form of the DMCA was still going on.
24 Q. Okay.
25 And are you aware whether, in fact,
160
1 EDWARD FELTON
2 there were any changes made in the bills or the
3 proposed legislation after the date of your
4 letter with respect to any of the topics that
5 you covered in your letter?
6 A. After the date of the letter there
7 was a -- an exclusion for -- a very limited
8 exclusion for cryptographic research put into
9 the DMCA which, in my opinion at least, was not
10 enough to address -- it was better than nothing
11 but not enough to address -- fully address the
12 concerns that we raised in the letter.
13 Q. And this was for cryptographic
14 research you said?
15 A. It's a -- yes, it's a limited
16 exclusion for cryptographic research. Which,
17 as I said, I think did not go far enough to
18 protect the issues that we were discussing.
19 Q. I understand.
20 And you say that at the time you
21 submitted the letter no such exclusion existed
22 in the legislation you were commenting on at
23 the time?
24 A. It's a little bit hard to tell
25 because there were various drafts and so on.
161
1 EDWARD FELTON
2 Q. Right.
3 A. And it's not easy for an average
4 person to get access to the up-to-the-minute
5 draft of the bill.
6 Q. Got you.
7 A. But there were at least some
8 versions floating around at the time that we
9 submitted the letter which did not have such an
10 exclusion.
11 Q. Did you weigh in any respect in
12 your letter on any other kinds of proposed
13 exclusions or modifications to the bill or
14 bills in respect to anything relating to
15 circumvention?
16 A. I don't recall whether we
17 specifically commented on language in a bill.
18 We raised the issues that I described before in
19 general.
20 Q. Right. Okay.
21 A. And one of the goals of the letter
22 was to make sure that the people who were
23 writing the legislation understood what the
24 values were that we were concerned about.
25 Q. I understand. And I apologize if
162
1 EDWARD FELTON
2 my last question was unclear. I wasn't talking
3 necessarily about commenting on particular
4 language in the bill. But you mentioned that
5 one of the subjects in your letter had been
6 encryption research and the need to address
7 that in some way in the proposed legislation,
8 right?
9 A. No, I don't think --
10 Q. I'm sorry.
11 A. Let me -- let me characterize that
12 in a different way.
13 Q. Okay. Fine.
14 A. There was a concern that particular
15 -- well, there were many concerns, but the --
16 one of our desires was to -- in fact, to make
17 sure that the people working on the bill
18 understood that -- that computer security
19 research in general was at risk in the process
20 of writing the bill. Not just encryption, but
21 other forms of -- of security, as well.
22 Q. Like security testing, you mean?
23 A. Well, there -- there are different
24 methods -- different kinds of technologies that
25 people use to try to protect or establish
163
1 EDWARD FELTON
2 security, and encryption is only one of them.
3 Q. Okay.
4 What are the others?
5 A. Access control.
6 Q. Right.
7 A. Physical security.
8 Q. Right.
9 A. Various kinds of software methods
10 for limiting and enforcing restrictions on what
11 programs can do. Encryption is only one
12 subarea of security.
13 Q. Okay.
14 A. And so we wanted to make sure that
15 they had understood that this was not just
16 about encryption, but about security in
17 general.
18 Q. Okay.
19 A. That was one of the concerns.
20 Q. What I'm trying to do -- and again,
21 I'll make my agenda here plain -- is to get at
22 what subjects you covered in the letter and
23 what Congress ultimately did, whether or not
24 there was a causal connection between your
25 letter and what Congress did. And if we can do
164
1 EDWARD FELTON
2 that simply by topic -- I mean, you mentioned,
3 for example, that your letter addressed certain
4 concerns and that ultimately there was a
5 provision and exception, I think you may have
6 used the word, or exclusion, put into the bill,
7 although I think you said you weren't entirely
8 happy with its scope respecting encryption
9 research. I'm trying to get at what other
10 topics you addressed respecting circumvention
11 in your letter and what, to your knowledge,
12 occurred in respect to the passage of the --
13 the law on those subjects. Does that help?
14 A. Sure.
15 Q. Okay.
16 A. So the letter talked in general
17 about what we were concerned about, it talked
18 about the value of reverse engineering.
19 Q. Okay.
20 A. It talked about the value of being
21 able to do and study circumvention.
22 Q. Okay.
23 A. It talked about how -- talked about
24 the difference, I believe, between
25 circumvention and copyright infringement.
165
1 EDWARD FELTON
2 Q. Okay.
3 A. And a number of related issues like
4 that. I believe there may have been some
5 concerns in the letter, specifically about
6 things that were in the current version of the
7 bill.
8 Q. The then current version of the
9 bill?
10 A. The then current version of the
11 bill.
12 Q. Right.
13 And to your knowledge, were there
14 any additional exclusions put into the
15 legislation as it was finally enacted after
16 your letter, whether or not you can say it was
17 as a result of your letter?
18 A. I don't recall there being any
19 other, I guess what I'd call helpful changes to
20 the bill after the letter.
21 Q. Okay.
22 Do you recall if there is an
23 exclusion for reverse engineering in the
24 legislation as enacted?
25 A. There -- I know that there are some
166
1 EDWARD FELTON
2 -- I know that there's some language in the
3 bill that protects reverse engineering for
4 certain purposes.
5 Q. Okay.
6 A. But I can't tell you specifically
7 what those are.
8 Q. Okay. That's fine.
9 Under whose auspices was this
10 letter submitted? Was it on behalf of a
11 particular society or a group of societies?
12 A. It was signed by a group of
13 individuals.
14 Q. Okay.
15 A. It was a fairly large group. It
16 may have been 50 or more. Some from
17 universities, some from societies, some from
18 companies and perhaps some from government,
19 although I'm not -- I'm not sure about that.
20 Q. Okay.
21 A. In most cases speaking as
22 individuals.
23 Q. Okay.
24 A. But many of the leading experts in
25 security research signed the letter. The goal
167
1 EDWARD FELTON
2 was to sort of give the -- give the people
3 working on the bill something which represented
4 the opinion of -- the sort of majority opinion
5 of experienced security researchers.
6 Q. Okay.
7 Now, with respect to the article
8 that you and Professor Appel wrote that got
9 submitted to the Copyright Office or the
10 Library of Congress in connection with the
11 Copyright Office rule-making proceeding, what
12 was your purpose in submitting that?
13 A. Well, there's a point of view
14 expressed in the -- in the -- in our
15 submission, and we wanted to make sure that
16 they -- they heard that point of view, that --
17 that people understood that -- that
18 technological access control which prevents
19 researchers from getting at the raw bits of
20 digital works does prevent certain kinds of
21 valuable research on those works, valuable and,
22 as far as we -- as far as we know, legal
23 research on those works.
24 Q. Okay.
25 And --
168
1 EDWARD FELTON
2 A. And specifically -- if I could go
3 on with that answer.
4 Q. You bet. Sure. Sure.
5 A. The solicitation for comments that
6 -- that was put out specifically asked for
7 information about the effect of the
8 anticircumvention provisions on research and
9 scholarship. And so we wanted to speak to that
10 part of the solicitation.
11 Q. Okay.
12 So, in other words, the Library of
13 Congress had solicited comments as part of an
14 ongoing legislative process to your
15 understanding?
16 A. My understanding is when the DMCA
17 was passed that the Library of Congress was
18 directed or authorized to do -- to make
19 findings at some point later in time, and that
20 this was the process of their -- of their
21 deciding what findings to make.
22 Q. Okay.
23 And that's the general purpose for
24 which you and Professor Appel submitted your
25 piece, namely in furtherance of the taking of
169
1 EDWARD FELTON
2 comments by the Library of Congress as part of
3 the legislative process?
4 A. That's why we submitted it to the
5 Library of Congress, yes.
6 Q. Got you.
7 MR. HART: I would like to have
8 a copy of that letter if I didn't
9 already ask for it, and I -- I
10 really want to thank you for your
11 time and your candor. Thank you.
12 MR. GARBUS: Thank you very
13 much.
14 MR. HART: You are quite
15 welcome.
16 MR. GARBUS: We are done.
17 THE VIDEOGRAPHER: Off the
18 record, 2:02.
19 (Time noted: 2:02 p.m.)
20 ______________________________
EDWARD FELTEN
21
22 Subscribed and sworn to before me on
23 this_____day of____________________, 2000.
24
_______________________________
25 Notary Public
171
1
2 CERTIFICATION
3
4 I, MICHELE ANZIVINO, a Notary
5 Public in and for the State of New York, do
6 hereby certify;
7 THAT the witness whose
8 testimony is hereinbefore set forth, was duly
9 sworn by me; and
10 THAT the within transcript is a
11 true record of the testimony given by said
12 witness.
13 I further certify that I am not
14 related, either by blood or marriage, to any of
15 the parties to this action; and
16 THAT I am in no way interested
17 in the outcome of this matter.
18 IN WITNESS WHEREOF I have
19 hereunto set my hand this 7th day of July,
20 2000.
21
22 ____________________________
MICHELE ANZIVINO
23
24
25