See related files:
http://www.eff.org/IP/Video (EFF Archive)
http://cryptome.org/cryptout.htm#DVD-DeCSS (Cryptome Archive)
http://www.2600.com/dvd/docs (2600 Archive)
http://eon.law.harvard.edu/openlaw/dvd/ (Harvard DVD OpenLaw Project)
1 UNITED STATES DISTRICT COURT
2 SOUTHERN DISTRICT OF NEW YORK
UNIVERSAL CITY STUDIOS, INC.;
4 PARAMOUNT PICTURES CORPORATION;
METRO-GOLDWYN-MAYER, INC.;
5 TRISTAR PICTURES, INC.; COLUMBIA
PICTURES INDUSTRIES, INC.; TIME
6 WARNER ENTERTAINMENT CO., L.P.;
DISNEY ENTERPRISES, INC., and
7 TWENTIETH CENTURY FOX FILM
CORPORATION,
Plaintiffs,
vs. NO. 00 Civ. 0277
10 (LAK)
11 ERIC CORLEY a/k/a "EMMANUEL
GOLDSTEIN"; and 2600 ENTERPRISES,
12 INC.,
13 Defendants.
_______________________________/
15 DEPOSITION OF BRUCE SCHNEIER
16 DATE: July 9, 2000
17 DAY: Sunday
18 TIME: 10:26 a.m.
19 PLACE: Weil, Gotshal & Manges
2882 Sand Hill Road, Suite 280
20 Menlo Park, California
21 PURSUANT TO: Subpoena
22 REPORTED BY: Kim Meierotto, CSR No. 11602
__________________________________________________
COMP-U-SCRIPTS
24 OFFICIAL REPORTERS AND NOTARIES
1101 South Winchester Blvd., Suite D-138
25 San Jose, California 95128
(408) 261-9795
1
1 APPEARANCES:
2 For the Plaintiffs: PROSKAUER ROSE LLP
BY: CARLA M. MILLER,
3 ATTORNEY AT LAW
1585 Broadway
4 New York, NY 10036-8299
(212) 969-3713
6 For the Defendants: FRANKFURT GARBUS KURNIT
KLEIN & SELZ
7 BY: EDWARD HERNSTADT,
ATTORNEY AT LAW
8 488 Madison Avenue
New York, NY 10022
9 (212) 826-5582
10 and HUBER SAMUELSON
BY: ALLONN E. LEVY,
11 ATTORNEY AT LAW
210 North Fourth Street
12 Suite 400
San Jose, CA 95112
13 (408) 295-7034
The Videographer: McMAHON & ASSOCIATES
15 BY: JASON BUTKO
One Almaden Boulevard
16 Suite 829
San Jose, CA 95113
17 (408) 298-6686
2
1 INDEX OF EXAMINATIONS
2 Page
3 By Ms. Miller 5
7 INDEX OF EXHIBITS
8 Plaintiffs' Page
9 1 Subpoena of deponent 21
10 2 Article by deponent entitled "DVD Encryption
11 Break is a Good Thing" 24
12 3 Declaration of deponent 25
13 4 Article by deponent entitled "'Key Finding'
14 Attacks and Publicity Attacks" 27
3
1 --oOo--
2 THE VIDEOGRAPHER: Good morning. We're
3 going on the record. The time on the screen is
4 10:30 a.m.
5 Today's date is Sunday, July 9, 2000.
6 We're located at the offices of Weil, Gotshal &
7 Manges, 2882 Sand Hill Road, Menlo Park, California.
8 This is Tape No. 1 of the deposition of
9 Bruce Schneier, case name Universal City Studios
10 versus Corley venued in the U.S. District Court,
11 Southern District of New York, Case No. 00 Civ.
12 0277.
13 My name is Jason Butko, legal video
14 specialist and notary, representing McMahon &
15 Associates, One Almaden Boulevard, Suite 829, San
16 Jose, California 95113.
17 The court reporter is from Comp-U-Scripts.
18 The court reporter is Kim Meierotto.
19 Counsel, would you please identify yourself
20 starting with the questioning attorney.
21 MS. MILLER: Carla Miller from the law firm
22 of Proskauer Rose LLP in New York representing all
23 plaintiffs.
24 MR. HERNSTADT: Edward Hernstadt from
25 Frankfurt Garbus Kurnit Klein & Selz representing
4
1 the defendants.
2 THE VIDEOGRAPHER: You may proceed. I'm
3 sorry. Court reporter, can you please swear in the
4 witness.
5 --oOo--
6 BRUCE SCHNEIER,
7 having been duly sworn by the
8 Certified Shorthand Reporter to tell
9 the truth, the whole truth, and
10 nothing but the truth, testified
11 as follows:
13 THE VIDEOGRAPHER: You may proceed.
15 EXAMINATION BY MS. MILLER:
16 Q. Good morning, Mr. Schneier.
17 A. Hi.
18 Q. Have you ever been deposed before?
19 A. Nope.
20 Q. Have you ever testified in a court
21 proceeding?
22 A. No.
23 Q. Just so you understand, you're in a
24 deposition obviously. The court reporter seated to
25 your right is taking down stenographically every
5
1 word that's being spoken here today as among myself,
2 you and Mr. Hernstadt.
3 Just as a matter of procedure, because the
4 court reporter has to take down everything that you
5 and I say, I'll try my best to make sure that I do
6 not interrupt your answer with another question, and
7 also if you could make sure that if I'm in the
8 middle of a question, you don't start answering
9 until I'm finished with the question.
10 Mr. Hernstadt, of course, will be here, and
11 he'll be making objections, and again, if we could
12 avoid talking over each other, I'm sure the court
13 reporter will appreciate that, and we'll have a much
14 cleaner transcript of everything that's said today.
15 Are you currently employed, Mr. Schneier?
16 A. Yes.
17 Q. Where are you employed?
18 A. Company called Counterpane Internet
19 Security, Incorporated, here in San Jose.
20 Q. What's your role at Counterpane Internet?
21 A. My title is chief technology officer. I'm
22 one of the founders of the company.
23 Q. Who are the other founders of the company?
24 A. The other founder's a man named Tom Rowley.
25 Q. Tom Rowley?
6
1 A. R-o-w-l-e-y.
2 Q. How long ago was Counterpane founded by
3 yourself and Mr. Rowley?
4 A. The company was founded approximately a
5 year ago.
6 Q. Is it a public company?
7 A. No, it is not.
8 Q. Are you a shareholder in the company?
9 A. Yes, I am.
10 Q. Is Mr. Rowley also a shareholder?
11 A. Yes, he is.
12 Q. Are there any other shareholders in the
13 company?
14 A. Yes, there are.
15 Q. Prior to founding Counterpane, were you
16 employed?
17 A. Yes, I was.
18 Q. Where were you employed?
19 A. I was president of another company called
20 Counterpane Systems.
21 Q. Where was Counterpane Systems located?
22 A. The company -- it's a hard question. The
23 company had three employees, and we all worked out
24 of our homes. So the company was located in
25 Illinois, although most of the people worked
7
1 elsewhere.
2 Q. When you say "the company was located in
3 Illinois," does that mean it was incorporated in
4 Illinois?
5 A. It was a sole proprietorship. It was just
6 my company.
7 Q. Were you living in Illinois at the time?
8 A. Yes, I was.
9 Q. Who were the other three employees of
10 Counterpane Systems?
11 A. The other cryptographers were John Kelsey,
12 Chris Hall and Niels Ferguson.
13 Q. How long was Counterpane Systems in
14 existence?
15 A. I believe I formed it in 1993.
16 Q. Was working for yourself with Counterpane
17 Systems your sole employment from 1993 until about a
18 year ago?
19 A. Yes, it was.
20 Q. Prior to 1993, were you employed?
21 A. Yes.
22 Q. By whom?
23 A. AT&T Bell Laboratories.
24 Q. Where before AT&T did you work?
25 A. Naperville, Illinois.
8
1 Q. Midwesterner. How long were you employed
2 by AT&T?
3 A. About a year.
4 Q. Were you employed as a cryptographer?
5 A. No, I was not. I was employed as a systems
6 engineer.
7 Q. Prior to AT&T what was your employment?
8 A. I worked for a company called Intelligent
9 Resources Integrated Systems also in Illinois.
10 Q. What type of business is Intelligent
11 Resources engaged in?
12 A. They made video hardware for Macintosh
13 computers.
14 Q. What was your role in Intelligent
15 Resources?
16 A. I oversaw operations.
17 Q. What type of operations? The company's
18 operations in general or a particular development of
19 the video hardware?
20 A. Engineering operations. The development of
21 the hardware and things associated with that.
22 Q. Prior to Intelligent Resources Integrated
23 Systems, what was your employment?
24 A. I worked for the Department of Defense in
25 Washington, D.C.
9
1 Q. And how long were you employed by the
2 Department of Defense?
3 A. From 1984 through 1990 or '91.
4 Q. What did you do for the Department of
5 Defense?
6 A. That's classified.
7 Q. Was it in the field of cryptography, or can
8 you tell us?
9 A. It was in the field of communications.
10 Q. Prior to working for the Department of
11 Defense, what was your employment?
12 A. That was my first job.
13 Q. Was this your first job after completing
14 your education?
15 A. After getting my Bachelor's degree, yes.
16 Q. Where did you get your Bachelor's degree?
17 A. University of Rochester.
18 Q. In what field did you obtain a Bachelor's
19 degree?
20 A. Physics.
21 Q. Did you obtain any other degrees after your
22 Bachelor degree?
23 A. I have a Master's of Science, of computer
24 science, from American University.
25 Q. And what year did you receive your
10
1 Bachelor of Science degree?
2 A. I received the degree in '85.
3 Q. What year did you receive your Master of
4 Science degree?
5 A. '86, I believe.
6 Q. But you said you began working for the
7 Department of Defense in 1984; is that correct?
8 A. Yes.
9 Q. So you began working for the Department of
10 Defense while you were still an undergrad?
11 A. I finished all my course work except one
12 class, so I sort of graduated, started working for
13 DOD, eventually graduated a year later. So there's
14 an overlap in the time but not really in what I was
15 doing.
16 Q. Okay. In the course of obtaining your
17 Master's degree in computer science, did you take
18 any courses in computer programming?
19 A. Yes.
20 Q. Did you obtain any proficiency in any
21 programming languages?
22 A. I did work in C and Pascal and LISP.
23 Q. Did you take any telecommunications courses
24 in the course of obtaining your Master of Science
25 degree?
11
1 A. I did not.
2 Q. What is the current address for Counterpane
3 Internet, your current company?
4 A. 3031 Tisch Way, T-i-s-c-h, Suite 100 Plaza
5 East, San Jose, California.
6 Q. In what type of business is Counterpane
7 Internet engaged?
8 A. We do managed security monitoring. We do
9 Internet security for organizations.
10 Q. What does that entail, "Internet
11 security"?
12 A. What we do is we monitor our customers'
13 Internet networks against intrusions. So we provide
14 basically a monitoring service where we will watch a
15 customer's network and look for attacks, intrusions
16 and alert the customer.
17 Q. Is it fair to say you're like a burglar
18 alarm service, a high-tech service?
19 A. A burglar alarm is the kind of analogy we
20 like to use.
21 Q. And how many employees does Counterpane
22 Internet have?
23 A. Approximately a hundred.
24 Q. And apart from monitoring the customer's
25 Internet security, does Counterpane provide any
12
1 security -- strike that -- provide any security
2 solutions for Internet businesses?
3 A. Monitoring is in itself a solution.
4 Detection response we feel is a solution to Internet
5 security and in a lot of cases a much better
6 solution than prevention.
7 Q. Does it provide any prevention solutions in
8 terms of actual security systems' products?
9 A. We don't provide products. We monitor
10 other companies' products.
11 Q. How many customers, if you know, does
12 Counterpane Internet have? What's the customer
13 base?
14 A. We don't release that number. Many of our
15 customers prefer not to be named.
16 Q. I'm not asking you for the name but for the
17 customer base. But you said you don't release the
18 actual number of customers either?
19 A. Yes.
20 Q. Do you have an up-to-date resume or
21 curriculum vitae, Mr. Schneier?
22 A. The best is on my Web site. I don't have a
23 paper copy with me.
24 Q. What is the URL for the Web site that you
25 just referred to?
13
1 A. www.counterpane.com. Then follow the link
2 to "about us" and then find my name.
3 Q. Now as you understand it, you've been asked
4 to testify as an expert witness in this lawsuit; is
5 that your understanding?
6 A. That's my understanding.
7 Q. Does your involvement in this case call
8 upon any special skills or knowledge that you have?
9 A. I guess I don't know yet. I assume so.
10 Q. Were you asked to provide any special
11 skills in your testimony -- strike that.
12 Were you asked to rely on any special
13 skills you have in providing your testimony in this
14 case?
15 A. I was asked to talk about cryptography
16 research, so presumably talking about that relies on
17 my knowledge and skills as a cryptography
18 researcher.
19 Q. How long would you say you've been a
20 cryptography researcher?
21 A. I would say in the academic arena, in the
22 public arena, since 1992.
23 Q. What's involved in being a cryptography
24 researcher?
25 A. A lot of mathematics.
14
1 Q. Would you say that that's the only skill
2 involved or specialized training that one would need
3 to be a cryptography researcher?
4 A. Cryptography is really a subset of
5 mathematics. It involves a lot of mathematical
6 disciplines. It involves a mindset of making and
7 breaking systems.
8 Q. Now if I decided that I wanted to be a
9 cryptographer, what type of training would you
10 advise me to undertake in terms of educational
11 background course work and university?
12 A. Sort of two areas I would advise. There
13 are certain classes in mathematics. Some
14 universities actually have specialties in
15 cryptography, so you can take courses in
16 cryptographic mathematics. There are other general
17 mathematic courses that are useful.
18 More importantly is to practice. It's
19 easier to teach the mathematics than the mindset.
20 The mindset of looking at a system and figuring out
21 how to break it and then by learning how to break it
22 how to fix it and how to make it better, that's
23 something you can really only learn through practice
24 by doing it again and again.
25 Q. How would you characterize that mindset so
15
1 I understand what sort of mindset is generally
2 required?
3 A. It's a mindset of looking at systems and
4 figuring out how to get around them. It's the kind
5 of mindset that would walk into a building and look
6 at the security system and see, I think there are
7 some weaknesses here. It's a mindset of looking at
8 a piece of mathematics and saying, this doesn't do
9 what the designer thought it did.
10 So it's a mindset of looking for holes in
11 systems. In cryptography it's mathematical systems.
12 Q. Is it fair to say that just one general
13 personality trait that might benefit a cryptographer
14 is curiosity?
15 A. Curiosity is good. I've also been asked by
16 many people what does it take to be a cryptographer,
17 and I did write an essay on this topic. It's on my
18 Web site. It's called "So You Want to be a
19 Cryptographer," and I talk about some of this. It's
20 hard to quantify.
21 When I did consulting I would try to figure
22 out who would be the right people to hire. I'm not
23 sure there are traits I can point to and say these
24 are the exact traits. I know it when I see it, but
25 it's very hard to divide into components.
16
1 Q. What did you look for when you were looking
2 for people to hire as you just testified to?
3 A. People who had done it. What I was looking
4 for as someone running a consulting company was not
5 someone I could train but someone who had already
6 exhibited proficiency in breaking systems, in fixing
7 systems, in cryptography, in mathematics.
8 Writing ability. A lot of what we are
9 doing is writing papers and reports explaining what
10 we've done. Good interpersonal skills because we're
11 often talking to people about the work we've done.
12 So I looked for more finished products than people I
13 could train.
14 Q. So more experience than -- now you also
15 mentioned that some universities have specialized
16 course work in cryptography. Does American
17 University have specialized course work in
18 cryptography, if you know?
19 A. It did not when I went there.
20 Q. Does the University of Rochester?
21 A. It did not when I went there.
22 Q. Do either one of those universities now if
23 you know have specialized course work?
24 A. I don't know.
25 Q. What are some of the universities that
17
1 you're aware of that have specialized course work in
2 cryptography?
3 A. MIT does. University of California -- I'm
4 sorry -- Stanford University, University of
5 California-Davis, University of Waterloo, Cambridge
6 University in the U.K., L'École Normale Supérieure
7 in Paris, a university in Belgium that I can't
8 pronounce. And there are others.
9 Q. When were you first approached about
10 getting involved in this lawsuit?
11 A. Sometime in the spring.
12 Q. In the spring of 2000?
13 A. Spring of 2000.
14 Q. Do you have any recollection of what
15 specific month?
16 A. I really don't. I'm sure it was before my
17 signed documents, so we can work backwards from
18 there.
19 Q. How were you contacted about getting
20 involved in this case?
21 A. Either by phone or e-mail.
22 Q. You don't recall which?
23 A. I do not.
24 Q. Who contacted you?
25 A. Some attorney.
18
1 Q. You don't recall a name?
2 A. No.
3 Q. Do you recall the name of the law firm?
4 A. That would be harder than the name of a
5 person.
6 Q. Was it Mr. Hernstadt?
7 A. It might have been. I actually don't
8 remember.
9 Q. You don't know. You say you think it was
10 either by phone or by e-mail that you were first
11 contacted. If it was by e-mail, would you have
12 saved that e-mail?
13 A. No, I would not have.
14 Q. But you don't know if it was by e-mail?
15 A. I don't remember. I really don't.
16 Q. Do you recall anything about this initial
17 conversation with the attorney you can't recall who
18 asked you to get involved in the case? What was the
19 substance of the conversation?
20 A. I don't remember, but presumably I was
21 asked if I would write a declaration.
22 Q. And did you do that?
23 A. I did.
24 Q. To whom did you send that declaration once
25 it was written?
19
1 A. This was done by e-mail, and I probably --
2 I sent it to either whoever the attorney was who
3 contacted me or whoever I spoke to afterwards.
4 Q. But you have no idea who it was sent to?
5 A. I don't remember. It might have been Ed,
6 but I actually don't remember.
7 Q. Apart from the declaration that you
8 prepared and submitted in this case, have you
9 prepared any other reports for submission to the
10 court at trial?
11 A. I have not.
12 Q. Have you been asked to prepare any
13 additional reports other than your declaration?
14 A. I have not.
15 Q. As far as you know, will you be testifying
16 in the trial of this case?
17 A. I believe I will be.
18 Q. You have been asked to testify at trial?
19 A. We've talked about testifying.
20 Q. Who have you talked to about testifying?
21 A. Ed.
22 Q. When was the last time you talked to Ed
23 about testifying?
24 A. I don't know. Maybe a couple weeks ago,
25 last week. Dates were being discussed, and I gave
20
1 my calendar.
2 Q. Trial dates or dates for this deposition
3 that you're testifying in today?
4 A. Trial dates.
5 Q. Are you being compensated for your
6 involvement in this case?
7 A. I am not.
8 Q. If you are to testify in the trial of this
9 case in New York, has anyone offered to pay your
10 travel expenses for going there?
11 A. No one has.
12 Q. Let me show you a document, Mr. Schneier,
13 I'd like to first have marked as Exhibit 1.
14 (Plaintiffs' Exhibit No. 1 is marked.)
15 BY MS. MILLER:
16 Q. If you can take a moment and flip through
17 that and tell me once you've had an opportunity to
18 look through it.
19 A. (Reviewing document.)
20 Okay.
21 Q. Have you ever seen this document before,
22 Mr. Schneier?
23 A. No.
24 Q. Ever seen a document that looks like this?
25 A. Probably.
21
1 Q. In connection with this case?
2 A. No.
3 Q. So you have seen, you think, a subpoena
4 before in your life but not a subpoena directed to
5 you for your testimony in this case?
6 A. That is correct.
7 Q. Now, in preparing your declaration that's
8 been submitted in this case, did you look at any
9 documents or materials? When I use the word
10 "document," I mean it in the broadest possible
11 sense, like Internet Web sites or Web pages, DVDs,
12 anything that you might have looked at in preparing
13 the declaration that you submitted.
14 A. Yes.
15 Q. What documents were those?
16 A. The declaration came out of an essay I
17 wrote in November about the DVD copy protection
18 scheme and the breaking of it that appeared in a
19 newsletter I publish. So I relied on the essay I
20 wrote to write the declaration.
21 In writing the essay and the declaration, I
22 looked at a variety of documents on the Web on the
23 DVD copy protection scheme, on the DeCSS program, on
24 the cryptographic algorithm and on a variety of the
25 politics associated with the system and its
22
1 breaking.
2 Q. Can you tell me specifically in those
3 categories of documents you just described which
4 documents in particular you looked at or which
5 Internet Web sites one might go to to look at those
6 same documents that you looked at in preparing your
7 declaration?
8 A. I can't. At the end of the essay I wrote
9 in mid November I gave a list of URLs I found
10 particularly interesting or illuminating. Those I
11 can produce. The other ones I looked at I have no
12 idea. I used a search engine. I followed links. I
13 did my research online, and I only kept records of
14 the stuff that I thought was particularly useful.
15 Q. And those things that you found
16 particularly useful in conducting your online
17 research, those are the links that you just
18 testified about that would appear at the end of the
19 essay you wrote in November?
20 A. It's not a complete list. I do a
21 newsletter every month, and I write a number of
22 articles on security topics. And at the end I like
23 to give a list of links that the reader might want
24 to follow up.
25 So this list is not the total of everything
23
1 I found that's interesting. It's a subset of what I
2 thought the reader of the essay might find
3 interesting and links he might want to follow to get
4 more information.
5 (Plaintiffs' Exhibit No. 2 is marked.)
6 BY MS. MILLER:
7 Q. Mr. Schneier, I've just -- or the court
8 reporter has just handed you what we've marked as
9 Schneier Exhibit 2, and it appears to be an article
10 entitled "DVD Encryption Break is a Good Thing" by
11 Bruce Schneier. It says "Special to ZDNet" and
12 dates -- or it's dated November 16th, 1999.
13 Is this the essay that you just referred
14 to?
15 A. This is a similar essay. The essay I'm
16 referring to appeared in my newsletter on November
17 15th. This is almost the same essay. There's some
18 minor differences that appeared on the ZDNet Web
19 site. This version does not include the links, and
20 there are probably other minor additions or
21 changes. I forget. I know they're not identical,
22 but they're very similar.
23 Q. Your essay that appears on your Counterpane
24 Web site in the November 15th edition of your
25 newsletter is the one you actually looked at and
24
1 relied upon in preparing your declaration in this
2 case?
3 A. Yeah. That's the later one. I believe
4 this is an earlier draft of that. Even though it
5 appeared later, it was submitted to ZDNet earlier.
6 (Plaintiffs' Exhibit No. 3 is marked.)
7 BY MS. MILLER:
8 Q. Mr. Schneier, you've just been handed
9 what's been marked as Schneier declaration
10 Exhibit 3 -- pardon me -- Deposition Exhibit 3.
11 Is this the declaration that you prepared
12 for this case?
13 A. Yes, it is.
14 Q. The day of this declaration just flipping
15 to the last page is April 28th, 2000; is that
16 correct?
17 A. That's what it says.
18 Q. So earlier you testified that you believe
19 you were approached to participate in this case
20 sometime before obviously the submission of this
21 declaration, and I'm looking at the date of the
22 declaration. Does that help refresh your
23 recollection as to when you might have been first
24 contacted about getting involved in the case?
25 A. Presumably it was before April 28th.
25
1 Q. You still don't know --
2 A. I'm sorry.
3 Q. -- whether it was two weeks before? Three
4 weeks before?
5 A. I remember it being a pretty fast
6 turnaround, but no. It was probably not more than a
7 few weeks before.
8 Q. Okay. Did the person that contacted you
9 about getting involved in the case, did they
10 indicate that they had seen your previous essay on
11 the DVD encryption break?
12 A. I remember being contacted because of that
13 essay.
14 Q. Okay.
15 A. Because the opinions in that essay were
16 germane to the case.
17 Q. Now, I want to ask you something about --
18 THE VIDEOGRAPHER: Going off the record.
19 The time is 11:05.
20 (Break taken.)
21 THE VIDEOGRAPHER: We're back on the
22 record. The time is 11:09. You may proceed.
23 BY MS. MILLER:
24 Q. Mr. Schneier, I believe we just marked as
25 Exhibit 3 your declaration in this case.
26
1 MS. MILLER: Can you read back the last
2 question please.
3 (Record read.)
4 BY MS. MILLER:
5 Q. Now I want to ask you some questions about
6 how this declaration was drafted, Mr. Schneier. Did
7 you actually type the declaration yourself?
8 A. I don't remember. I believe what happened
9 was that one of the attorneys took my essay, put it
10 in this form numbering the paragraphs, and then I
11 added stuff, deleted stuff and made modifications
12 based on what I wanted to say in the case.
13 Q. Okay. So the first time that you saw a
14 draft of the document that eventually became your
15 declaration, was that after the attorney had typed
16 it up in the format with the paragraph numbers using
17 the information in your essay?
18 A. One would hope the attorney wouldn't be
19 dumb enough to type it. What I saw was my essay,
20 the identical essay, just with the paragraphs
21 numbered. So my assumption is that someone took the
22 document off the Web, didn't change words, put it in
23 this format and said, "Here, start."
24 Q. Okay. But that's your assumption just
25 based on, as you said, your view that no one would
27
1 be dumb enough to just sit there and retype your
2 essay?
3 A. And the fact that all the words were the
4 same.
5 Q. You just answered my question for me.
6 A. I think that's my job.
7 Q. You're right. Now when you were first sent
8 an initial draft of this declaration from the
9 attorney, was that transmitted to you by e-mail?
10 A. Yes, it was.
11 Q. Do you recall? Did you save that e-mail?
12 A. I did not.
13 Q. Did you save the document attached to the
14 e-mail?
15 A. I did not.
16 Q. Do you recall at this point the name of the
17 person that would have e-mailed you the document?
18 A. I don't. It might have been Ed, but I
19 actually don't remember.
20 Q. Once you got the e-mail with the draft
21 document, did you call anyone to discuss the draft?
22 A. I either called or sent e-mail, and
23 conversations did occur either by phone or e-mail.
24 Q. But you don't recall one way or the other?
25 A. Phone and e-mail are pretty much the same
28
1 in my mind.
2 Q. Okay. But of course you can't keep a
3 documentary record of a phone call; is that correct?
4 A. You cannot. And I don't keep a documentary
5 record of e-mail.
6 Q. How many drafts did this declaration go
7 through before you finally signed it? Do you
8 recall?
9 A. I don't remember. Not very many.
10 Q. Five?
11 A. Possibly five, possibly less. Probably not
12 more but possibly more.
13 Q. Not more than five?
14 A. Or maybe more than five. I honestly don't
15 remember. Certainly not hundreds.
16 Q. Could it have been ten?
17 A. Probably not as many as ten.
18 Q. So could have been more than five but
19 probably not as many as ten?
20 A. Um-hum, yes.
21 Q. And you said that it could have been Ed
22 that sent you the drafts of the declaration?
23 A. Yeah. I do not remember, but it certainly
24 could have been him.
25 MS. MILLER: Mr. Hernstadt, if in fact it
29
1 was you that sent the draft declarations or someone
2 from your firm that sent the draft declarations to
3 Mr. Schneier, I'd like to call for the production of
4 those drafts if they exist at this time.
5 MR. HERNSTADT: We will take it under
6 advisement.
7 MS. MILLER: Thank you. And, of course,
8 any e-mails that accompanied the drafts.
9 BY MS. MILLER:
10 Q. Do you recall, Mr. Schneier, over what
11 period of time these drafts were transmitted back
12 and forth between yourself and whomever you were
13 sending them to? Was it a week?
14 A. No, I don't remember. Presumably it was
15 days before it was signed.
16 Q. When did you first hear about DeCSS?
17 A. Sometime between October 15th and November
18 15th.
19 Q. How did you hear about it?
20 A. Don't remember.
21 Q. Was it over the Internet?
22 A. Most likely.
23 Q. Do you know whether it was on a
24 news-oriented Web site or in a chat room?
25 A. It wouldn't be a chat room. It might have
30
1 been a news-oriented Web site. It might have been a
2 personal e-mail.
3 Q. It might have been a personal e-mail. What
4 is your understanding of what DeCSS does?
5 A. Is that DeCSS?
6 Q. DeCSS.
7 A. DeCSS. DeCSS is a program that removes the
8 obfuscation and scrambling of DVDs.
9 Q. Have you ever used DeCSS?
10 A. I have never used it.
11 Q. Have you ever seen the source code for
12 DeCSS?
13 A. I have never seen source code.
14 Q. And how did you gain the understanding
15 that you just testified to of what DeCSS does, if
16 you recall?
17 A. I read it off other people's writings and
18 essays and research papers.
19 Q. Do you recall any of the people's essays or
20 writings or research papers that you read?
21 A. The only one that I recall, although the
22 list of URLs in my essay is probably a good list,
23 is the --
24 Q. I'm sorry. That's the November 15th essay
25 that's on your Web site?
31
1 A. I'm sorry, yes.
2 Q. Was the most complete essay that you wrote?
3 A. Yes. There is one paper that was written
4 by someone who actually did the cryptanalysis of the
5 encryption algorithm.
6 Q. Do you remember that person's name?
7 A. I do not. But if I saw it, I would say,
8 yeah, that's him.
9 Q. Do you know the name Frank Stevenson?
10 A. That's him.
11 Q. Have you ever spoken to Mr. Stevenson
12 personally, or did you just read something that he
13 had written?
14 A. I just read that one thing he had written.
15 I had never heard from him before, and I have not
16 heard from him since.
17 Q. Had you heard of him before?
18 A. I had not heard of him before.
19 Q. When did you first hear about CSS?
20 A. At the same time I heard about --
21 MR. HERNSTADT: Objection. Assumes facts
22 not in evidence.
23 BY MS. MILLER:
24 Q. Had you heard of CSS?
25 A. Yes.
32
1 Q. When was the first time you heard of CSS?
2 A. At the same time I heard of DeCSS.
3 Q. This would have been sometime between
4 October 15th and November 15th of 1999 as you've
5 testified?
6 A. That is correct.
7 Q. Now before that period of time -- and by
8 "that period of time" I mean October 15th to
9 November 15th, 1999 -- did you know anything about a
10 security system put in place to protect DVD content?
11 A. I knew something that this was happening.
12 I had done some consulting for companies who had
13 video content to protect, and so I was familiar with
14 the class of systems, their security properties, how
15 they might work, how they might fail. I knew
16 nothing about the particular CSS system, exactly how
17 it worked and exactly its flaws.
18 Q. What companies did you do this consulting
19 work for that had digital content that you just
20 testified to?
21 A. Counterpane keeps its customer list
22 confidential.
23 Q. But this was in connection with Counterpane
24 Internet or Counterpane Systems?
25 A. This is in connection with Counterpane
33
1 Systems, and this was several years ago, probably
2 before the CSS system was developed.
3 Q. Do you know when the CSS system was
4 developed?
5 A. No. I'm guessing.
6 Q. So you don't really know whether this was
7 before the CSS system was developed?
8 A. No.
9 Q. Do you have an understanding now of how
10 CSS, or the content scrambling system, operates?
11 A. I have an understanding based on documents
12 I've read, yes.
13 Q. What documents have you read to gain that
14 understanding?
15 A. Again, documents I produced before writing
16 my essay in mid November including that
17 cryptanalysis paper we mentioned earlier.
18 Q. Do you know who the authors of DeCSS are?
19 A. I do not.
20 Q. A moment ago I believe you testified that
21 it was your understanding that DeCSS removes the
22 obfuscation and scrambling of DVDs. Are you aware
23 of any other functions that it performs?
24 A. I am not.
25 Q. Have you ever seen or examined the object
34
1 code for DeCSS?
2 A. I have not.
3 Q. Have you ever visited a Web site with the
4 URL www.2600.com?
5 A. Yes, I have.
6 Q. When was the first time you visited the
7 2600.com Web site?
8 A. I don't remember. It was several years
9 ago.
10 Q. So you were familiar with the 2600.com Web
11 site before your involvement in this case?
12 A. Yes, I was.
13 Q. Have you ever met Mr. Eric Corley?
14 A. Yes, I have.
15 Q. When was the first time you met him?
16 A. It was several years ago. I believe it was
17 at a hackers conference. I do not remember which
18 one.
19 Q. Do you remember where the hackers
20 conference took place?
21 A. Either in New York or Las Vegas since those
22 are the only two cities and conferences I've been to
23 that are hackers conferences.
24 Q. That would stand to reason. Was that the
25 only time you met Mr. Corley?
35
1 A. I believe I met him several times.
2 Q. When was the last time you saw Mr. Corley?
3 A. Again, I don't remember. It was at some
4 conference also.
5 Q. Okay. Was it after this lawsuit was filed?
6 A. No, no. It was before that.
7 Q. Have you spoken to Mr. Corley since this
8 lawsuit has been filed?
9 A. I have not.
10 Q. Have you exchanged any e-mails with
11 Mr. Corley since this lawsuit has been filed?
12 A. I believe he sent me an e-mail thanking me
13 for the declaration, but I don't remember exactly.
14 Q. Would you have saved that e-mail if in fact
15 you sent it?
16 A. I might have. Probably not but possible.
17 MS. MILLER: Mr. Hernstadt, if it is at all
18 possible that Mr. Schneier saved that e-mail, I'd
19 like you to check. And if so, I would like to call
20 for production of the e-mail between Mr. Corley and
21 Mr. Schneier.
22 MR. HERNSTADT: The e-mail saying, "Thank
23 you for your declaration"?
24 MS. MILLER: I don't know that that's what
25 the e-mail says. I doubt that you know that that's
36
1 what the e-mail says.
2 MR. HERNSTADT: That's what Mr. Schneier
3 said it said, but we will take it under advisement.
4 MS. MILLER: Thank you.
5 MR. HERNSTADT: Sure.
6 BY MS. MILLER:
7 Q. Were you told anything about Mr. Corley's
8 activities which gave rise to this lawsuit?
9 A. I was not.
10 Q. Have you ever seen the Complaint that's
11 filed in this lawsuit by the plaintiffs?
12 A. I saw it. I skimmed it. I didn't read it.
13 Q. How did you see it?
14 A. I believe I went to the Web and found it.
15 Q. Do you remember what Web site you found it
16 on?
17 A. I do not.
18 Q. How long ago did you skim the Complaint?
19 A. Around the same time I wrote the
20 declaration.
21 Q. Did you -- strike that.
22 When was the last time that you visited the
23 2600.com Web site if you recall?
24 A. I think a couple of weeks ago.
25 Q. Have you ever heard of a Digital Millennium
37
1 Copyright Act?
2 A. Yes, I have.
3 Q. Did you at any time, Mr. Schneier, testify
4 before Congress in connection with the legislative
5 process involved in enacting the Digital Millennium
6 Copyright Act?
7 A. I did not.
8 Q. Did you write any essays during the time
9 that Congress was considering passing the Digital
10 Millennium Copyright Act stressing a point of view
11 about that law?
12 A. I did.
13 Q. If I wanted to find those essays, where
14 would I go to find them?
15 A. They would be on the Counterpane Web site
16 in the Crypto-Gram archives.
17 Q. When was the Digital Millennium Copyright
18 Act passed if you know?
19 A. I do not remember. If you could refresh me
20 with that date, I could put other things in context.
21 Q. If I was to represent to you that it was
22 enacted in 1998, would that seem consistent with
23 your recollection in terms of the general time frame
24 or how long ago?
25 A. Yes.
38
1 Q. So if we proceed on the assumption that it
2 was passed in 1998, that's fine for you?
3 A. Yeah. Actually, do you have a month?
4 Q. Now you're testing me. I believe it was
5 actually October or November.
6 MR. HERNSTADT: October.
7 BY MS. MILLER:
8 Q. Now did you review any drafts of the
9 Digital Millennium Copyright Act in conjunction with
10 preparing the essay you wrote about it?
11 A. Yes, I did.
12 Q. Did you ever review the final bit of
13 legislation as signed by President Clinton?
14 A. Yes, I did.
15 Q. Do you recall any differences between the
16 draft legislation that you reviewed around the time
17 that you wrote your essay and what was finally
18 enacted by Congress?
19 A. I believe there are several differences,
20 and I reviewed several different drafts, and I also
21 probably wrote several different essays.
22 Q. The first essay that you wrote about the
23 Digital Millennium Copyright Act, did you express any
24 concerns about the Act and its provisions and how
25 that might impact people that do the type of work
39
1 that you do? By that I mean encryption research.
2 A. I do not remember the contents of the
3 essays. I would have to look them up to refresh my
4 memory. It is likely that I would have expressed
5 concern over the Act and the stifling effect that it
6 would have on cryptographic and security research.
7 Q. And what in your view was that stifling
8 effect at the time that you wrote the essay?
9 A. The Act, because of its prohibition against
10 circumvention and reverse engineering, would serve
11 to limit the research cryptographers and computer
12 security scientists could do. It would limit their
13 ability to analyze systems, to study systems, to
14 learn from systems and to teach others about the
15 security of systems.
16 MR. HERNSTADT: Let me just intercede at
17 one point that Mr. Schneier's testifying from his
18 personal opinion. He's not testifying as a lawyer
19 and about the legal meaning of the Act but merely
20 his understanding, his personal understanding, of
21 the Act.
22 MS. MILLER: I understand that. I haven't
23 asked you any questions about what your legal --
24 what the legal meaning is of the Act. I understand
25 that you're not --
40
1 THE WITNESS: In the time period we were
2 talking about, there was no actual law. These were
3 just drafts.
4 BY MS. MILLER:
5 Q. When was the last time you looked at the
6 final legislation?
7 A. It was soon after it was passed.
8 Q. From the time that you originally expressed
9 concerns about, as you said, the prohibitions
10 against reverse engineering to the final draft of
11 the legislation, do you recall whether any of those
12 prohibitions were removed?
13 A. I believe they were not. I believe wording
14 was changed, but I believe basically the
15 prohibitions remained. Again, I would have to
16 refresh myself by looking at the actual law and the
17 drafts if I could find them.
18 Q. And the last time you looked at the final
19 legislation as passed was shortly after it was
20 passed?
21 A. Yes. Although if you showed me an essay I
22 wrote between then and now that mentioned it, I
23 certainly would not be surprised. I do not recall
24 writing any such.
25 Q. In the final version of the -- I'm just
41
1 going to refer to it from here on out as the "DMCA"
2 because the "Digital Millennium Copyright Act" is
3 quite a mouthful -- in the final version of the DMCA
4 that you reviewed after it was passed, do you recall
5 seeing any specific exemptions for
6 reverse-engineering activities?
7 A. I don't remember. At some point during the
8 process there were exemptions for compatibility
9 purposes. I forget if they were struck. I believe
10 the exemption for research purposes is still there,
11 but I remember it being very narrowly defined and
12 the burden of proof put on the researcher.
13 Again, I forget if this stayed or if it
14 left. Unfortunately when I was working on this and
15 writing about this, it was a while ago, and I've
16 since then forgotten. If I was to write about this
17 again, I would have to refresh my memory.
18 Q. Now when you said the research exemption,
19 were you referring to an encryption research
20 exemption, or what type of a research exemption were
21 you referring to?
22 A. It was either an exemption for crypto
23 research or for security research, but there was an
24 exemption for researching the effectiveness of these
25 security systems for which reverse engineering was
42
1 prohibited.
2 Q. I see. And in viewing the final version of
3 the DMCA as enacted and that research exemption that
4 you just testified about, were you satisfied that
5 your initial concerns in looking at earlier drafts
6 of the legislative -- strike that -- of the
7 legislation had been addressed?
8 A. I was --
9 MR. HERNSTADT: Object to the form of the
10 question. It's vague.
11 Go ahead. You can answer.
12 THE WITNESS: I was definitely unsatisfied.
13 BY MS. MILLER:
14 Q. And why were you unsatisfied?
15 A. Because I felt that the provisions in the
16 law as it remained would still have the same
17 stifling effect on research that I foretold when I
18 first heard about the law and the provision.
19 Q. What in your view was that stifling effect?
20 A. What the law does as far as I know from my
21 understanding is that it makes it very difficult if
22 not impossible to take an existing security system,
23 reverse engineer it, study it, publish the results
24 of that study and thereby learn from the mistakes
25 made by the people who designed it.
43
1 Q. And how was the understanding that you just
2 testified to derived?
3 A. The understanding of the mistakes -- the
4 understanding of the details of a security system
5 are derived from learning how it works, studying how
6 it works and figuring out how to break it.
7 MR. HERNSTADT: Was that what you were
8 asking, or were you asking about his understanding
9 of the DMCA?
10 MS. MILLER: I'll get to both.
11 MR. HERNSTADT: Okay. Let me make a very
12 delayed objection to the form of the question as
13 being unclear.
14 MS. MILLER: I know that you're objecting
15 to the question but to his answer -- I'll ask
16 another question.
17 MR. HERNSTADT: The answer is fine, but
18 that just made me realize I thought that you were
19 asking something else, and then I realized the
20 question could have been asking either so --
21 MS. MILLER: Could you read back the
22 witness' last answer please.
23 (Record read.)
24 BY MS. MILLER:
25 Q. Mr. Schneier, my question actually was, how
44
1 is your understanding of the research exemption in
2 the DMCA derived?
3 A. My understanding back then was derived from
4 reading it and talking to other people who were
5 involved in lobbying and speaking about it.
6 Q. Okay. Do you remember the names of any of
7 the other people that you talked to that were
8 involved in lobbying and speaking about it?
9 A. I do not. The CCIA -- I forget what that
10 stands for -- was involved in lobbying, and I did
11 have contact with them. And then anybody else who
12 was likely to talk about it at conferences I'm at,
13 I'm likely to hear their opinions.
14 And the EFF and EPIC are two organizations
15 whose opinions if they were written I would have
16 read. And presumably there were other people.
17 Q. The CCIA and the EFF I'm familiar with.
18 What is "EPIC"?
19 A. EPIC is Electronic Privacy Information
20 Center. They're in Washington, D.C.
21 Q. What does the Electronic Privacy
22 Information Center do as you understand it?
23 A. As I understand it, they do several things.
24 They are a privacy watchdog against industry and the
25 government. They do a lot of FOIA of different
45
1 documents from the government and publish what they
2 find.
3 Q. By "FOIA" do you mean F-O-I-A, Freedom of
4 Information Act?
5 A. Yes, I do. They do a lot of testifying
6 before Congress on privacy and -- a lot of
7 testifying before Congress on privacy laws, and they
8 do a lot of education on privacy issues as they
9 relate to computers and computer networks.
10 Q. Are there any professional organizations
11 of cryptographers that you're aware of,
12 Mr. Schneier?
13 A. Yes, there are. The IACR, the
14 International Association of Cryptologic Research,
15 is the international cryptography professional
16 organization.
17 Q. Now, in your experience or to your
18 knowledge, are there any ethical constraints on
19 cryptographic activities with respect to
20 disseminating the results of encryption research on
21 a particular system?
22 MR. HERNSTADT: Objection to the form of
23 the question. That's a very vague and broad
24 question.
25 If you can answer it, please go ahead.
46
1 THE WITNESS: You asked me if I have any
2 ethical constraints or if anybody has any ethical
3 constraints?
4 BY MS. MILLER:
5 Q. I asked you first if anybody or if any
6 organization that you're aware of issues ethical
7 guidelines concerning dissemination of the results
8 of cryptographic research activities.
9 MR. HERNSTADT: Objection to the form of
10 the question. It's compound.
11 If you can answer that --
12 THE WITNESS: Certainly, the National
13 Security Agency classifies cryptographic research,
14 as presumably do the intelligence organizations of
15 other companies around the world. Some
16 cryptographers work for companies, and presumably
17 some of the work they do is proprietary, not
18 disseminated. And quite possibly cryptographers may
19 or may not on their own initiative decide to
20 publish.
21 Certainly anybody using cryptography to
22 commit a crime using the results of analysis to
23 break into systems is likely not to disseminate his
24 techniques. And there certainly could be other
25 ethical objections that people might have.
47
1 BY MS. MILLER:
2 Q. But as far as you're aware, is there a
3 standards making organization that issues guidelines
4 with respect to ethical consideration in
5 cryptographic research?
6 MR. HERNSTADT: Objection to the form.
7 THE WITNESS: As far as I know, no
8 standards body or professional organization or group
9 of cryptographers has issued any standards of what
10 shouldn't be published.
11 BY MS. MILLER:
12 Q. Okay.
13 A. The primary -- the overriding ethic in the
14 cryptographic community is that publication serves
15 research and advances knowledge and is a good thing.
16 Q. Now Mr. Schneier, have you personally ever
17 had occasion to crack an encryption algorithm that
18 was developed by someone else?
19 A. Yes, I have.
20 Q. Which ones?
21 A. There are literally dozens of academic
22 papers on my Web site that break different
23 algorithms and I could provide a list, but it's easy
24 to go to the Web site and look at the papers.
25 Q. Can you give me an example of some of the
48
1 systems that these encryption systems were designed
2 to protect?
3 A. Most of them are academic systems, and they
4 weren't designed to protect anything. They were
5 just designed. Generally most encryption algorithms
6 are completely orthogonal to the way they're used.
7 So an algorithm might be proposed, and it might be
8 used in a variety of applications, none of which the
9 proposer had any idea they would be used in.
10 An example of one that was a -- that was
11 proposed and used in a particular system was an
12 algorithm used in some digital cellular telephone
13 systems.
14 Q. For telephones, okay. Were you personally
15 involved in cracking some of the encryption
16 algorithms for the digital cellular telephone
17 systems?
18 A. I was a member of a group that did, yes.
19 Q. Was this an academic group, or what was the
20 group that was involved in cracking these digital
21 cellular telephone systems?
22 A. It was a group of researchers. It was not
23 part of a consulting project.
24 Q. Were these all academics?
25 MR. HERNSTADT: Objection to the form of the
49
1 question.
2 Do you understand?
3 THE WITNESS: It's a hard question because
4 many people who are paid by companies engage in
5 academic research. So if "academic" means someone
6 who is paid by a university, the answer is one of
7 the members of our group was. If the question is,
8 were these people, people active in the academic
9 community, the answer is all of them.
10 BY MS. MILLER:
11 Q. How many people were in this group?
12 A. The paper was written by three people,
13 although this is my recollection and I would have to
14 look at the paper to be sure, but I remember three
15 of the researchers.
16 Q. Is this paper on your Web site?
17 A. The paper is on my Web site, yes.
18 Q. Now, did you after cracking this encryption
19 system that was designed to protect digital cellular
20 telephone communications design a computer program
21 or software utility that would allow anyone else to
22 then crack into the digital cellular telephone
23 systems to exploit the weaknesses that you were able
24 to uncover?
25 MR. HERNSTADT: Could you read back that
50
1 question please.
2 (Record read.)
3 MR. HERNSTADT: Objection to the form of
4 the question. It's compound, and it assumes a lot
5 of facts not in evidence.
6 You can answer it if you can.
7 THE WITNESS: I personally did not. Our
8 team did write demonstration software both to test
9 our hypotheses and to demonstrate to whomever needed
10 to verify our results that they were correct. I do
11 not remember how the software worked and exactly how
12 usable it would be by other people.
13 BY MS. MILLER:
14 Q. Is this piece of software available on your
15 Web site in connection with the research paper
16 that's posted on the Web site?
17 A. It might very well be. The way to check is
18 to go to the Counterpane Web site, go to the
19 Counterpane lab Web sites, look at the CMEA button
20 on the left-hand side, M dash -- that's the name of
21 the algorithm, M dash -- and follow the link.
22 Q. But you said you don't know how useful the
23 software utility that was developed might be to
24 anyone else that might try to use it. Is that what
25 you said?
51
1 MR. HERNSTADT: Objection to the form.
2 BY MS. MILLER:
3 Q. I just want to make sure I understand your
4 answer. I'm really not trying to misstate what you
5 said.
6 A. I don't remember. It was several years
7 ago.
8 Q. Do you have a point of view on whether or
9 not a person that's engaged in encryption research
10 should at the same time as that person disseminates
11 the results of that encryption research disseminate
12 a tool that will allow you to exploit the weaknesses
13 in a particular encryption system?
14 MR. HERNSTADT: Objection to form.
15 THE WITNESS: I have an opinion. In a lot
16 of cases part of the research is writing the tool,
17 and part of disseminating the research is
18 disseminating the tool. Personally there are many
19 cases where I feel that writing a tool whose sole
20 purpose is to attack and break systems is not a good
21 thing. There are some instances where writing such
22 a tool is the only possible way to get the problem
23 fixed.
24 So it's a very complicated issue. It's one
25 I have written on in the past few months. There's
52
1 an essay on this topic that I've written. This is a
2 topic where my ideas are still in flux because it's
3 a very difficult question.
4 BY MS. MILLER:
5 Q. I understand. You said that you can
6 imagine that there would be times when it wouldn't
7 be a good thing to disseminate a tool that's
8 designed to exploit the weaknesses. Can you give
9 some examples of in your view when it wouldn't be a
10 good thing to do that.
11 MR. HERNSTADT: Objection to the form.
12 THE WITNESS: An example would be a tool
13 that doesn't actually demonstrate anything new, that
14 endangers life and limb and that exploits a problem
15 that can't easily be fixed are examples where I
16 would question the judgment of the person who
17 released the tool.
18 BY MS. MILLER:
19 Q. And in your review in what instances would
20 a problem not easily be fixed?
21 MR. HERNSTADT: Objection to the form.
22 THE WITNESS: In closed proprietary
23 systems. So in systems that are -- systems not on a
24 general purpose computer are often much harder to
25 fix than systems that are on a general purpose
53
1 computer.
2 A system in a closed system like nuclear
3 command and control or a stand-alone ATM machine,
4 these might involve widespread deployment of
5 equipment across the country or across the world
6 which is very different than a version of a piece of
7 software which could be updated relatively quickly.
8 Again, I understand this is a gray line.
9 BY MS. MILLER:
10 Q. From your point of view it's a gray line or
11 from the point of view of cryptographers generally?
12 A. From my point of view.
13 Q. Is it fair to say that -- you said your
14 ideas about this are in a state of flux, so is it
15 fair to say that at this point you don't have a
16 fully formed view on in which instances
17 disseminating a tool to exploit a flaw in a security
18 system might be permissible and other instances
19 where it might not be permissible?
20 MR. HERNSTADT: Objection to the form.
21 Misstates the testimony.
22 THE WITNESS: It's very much like the
23 definition of pornography. I know it when I see it.
24 Defining exactly what it is is hard.
25 And to bring to something I think you said,
54
1 I'm here more talking about security systems as
2 opposed to the mathematics of cryptography. The
3 mathematics of cryptography is really much more cut
4 and dried, and that publication is pretty much
5 always a good idea.
6 BY MS. MILLER:
7 Q. Publication of the actual encryption
8 algorithm? I just want to understand when you say
9 publication of the "mathematics of cryptography."
10 A. Publication of the research, which in
11 mathematics is generally mathematical research,
12 which is generally a paper that includes algorithms
13 and equations and an analysis. And that's sort of
14 one end.
15 The other end is analysis of working
16 security systems which would presume cryptography
17 but would also include analysis of the
18 software, analysis of the procedures, analysis of
19 the usage.
20 Q. And the last sort of line of questions that
21 we've been engaged in here, I'm really more
22 interested in your view about developing and
23 disseminating particular tools that allow an
24 individual to exploit a flaw in a security system
25 that a person engaged in encryption research might
55
1 have been able to uncover.
2 A. Um-hum.
3 Q. Is your point of view on that still in a
4 state of flux?
5 A. My point of view is still in a state of
6 flux. I believe I have a consistent, coherent point
7 of view, but exceptions and special cases are still
8 arising, so my view is still being refined.
9 Q. And the point of view that you just
10 testified to though is more in -- strike that --
11 analogous to like you just said, pornography, you
12 know it when you see it. Do you know a bad exploit
13 of a tool as opposed to a good one?
14 MR. HERNSTADT: I'm sorry. Could you read
15 that question back please.
16 MS. MILLER: That was not a good -- the
17 most articulate question.
18 MR. HERNSTADT: Do you want to try again?
19 THE WITNESS: I can answer it.
20 MR. HERNSTADT: Don't answer until I hear
21 it because I want to make sure I have some vague
22 idea.
23 THE WITNESS: Maybe I should hear it again
24 too.
25 (Record read.)
56
1 MR. HERNSTADT: Objection to the form.
2 THE WITNESS: I believe that's true,
3 although it's not impossible that someone would show
4 me a special case that I would have no idea of my
5 opinion on it until I thought about it a lot.
6 MS. MILLER: Okay.
7 MR. HERNSTADT: Is this a good time to take
8 two for unstated reasons?
9 MS. MILLER: Sure.
10 THE VIDEOGRAPHER: Going off the record.
11 The time is 11:56.
12 (Break taken.)
13 THE VIDEOGRAPHER: We're back on the
14 record. The time is 12:05. You may proceed.
15 BY MS. MILLER:
16 Q. Mr. Schneier, I'm going to show you a
17 document that I'll have marked as Exhibit 4 for your
18 deposition.
19 (Plaintiffs' Exhibit No. 4 is marked.)
20 BY MS. MILLER:
21 Q. Now initially, Mr. Schneier, I'd like you
22 to focus your attention on the first two pages of
23 this document. So we have a clear record, I'll
24 represent to you that this is a document that I
25 printed from the Counterpane Web site. It is
57
1 entitled "Crypto-Gram." The date of the document is
2 January 15th, 2000. It says, "By Bruce Schneier,
3 founder and CTO, Counterpane Internet Security,
4 Inc." And the initial article is entitled, "'Key
5 Finding' Attacks and Publicity Attacks."
6 Now Mr. Schneier, earlier in your testimony
7 you referred to "Crypto-Gram." What is
8 "Crypto-Gram"?
9 A. "Crypto-Gram" is a monthly newsletter, a
10 free e-mail newsletter, that I write and publish
11 every month.
12 Q. Is this document that I've just shown you
13 that's been marked as Exhibit 4 a copy of the
14 monthly newsletter Crypto-Gram that you write?
15 A. Without examining every word of it, I
16 assume it is.
17 Q. If you could take a moment to look at the
18 first two pages of the document that I've handed
19 you, I'd like to ask you some questions about it.
20 Tell me when you're ready.
21 MR. HERNSTADT: I'm going to need a couple
22 minutes.
23 THE WITNESS: I'm ready.
24 MR. HERNSTADT: I'm not.
25 (Reviewing document.)
58
1 Okay.
2 BY MS. MILLER:
3 Q. Mr. Schneier, do you recognize this article
4 in this newsletter "'Key Finding' Attacks and
5 Publicity Attacks"?
6 A. I do.
7 Q. Did you write it?
8 A. I did.
9 Q. Now without me reading it word for word,
10 can you tell us just generally what the subject of
11 this article is.
12 A. The subject of this article is a particular
13 situation that occurred in January when a company
14 made a press announcement about what they claimed to
15 be a vulnerability in an Internet protocol and uses
16 that example as a jumping-off point to discuss some
17 of the pros and cons towards releasing information
18 about vulnerabilities, releasing vulnerability tools
19 and makes a stab at trying to draw some conclusions
20 about some of the issues we talked about earlier.
21 Q. What conclusion is drawn in this article
22 about releasing the tools that exploit
23 vulnerabilities and security systems?
24 MR. HERNSTADT: Objection. Are you asking
25 him to point out in the article where he draws a
59
1 conclusion?
2 BY MS. MILLER:
3 Q. No. At this point I'd like you to do it
4 from -- if it helps you to look at the article,
5 that's fine, however you want to answer the
6 question, if you understand the question.
7 A. You're asking me to discuss my thinking at
8 January 15th, not subsequent. What I say in this
9 essay is that one of the ways to look at a tool is
10 to look at the motivations of the person who
11 releases it, whether it's a tool that demonstrates a
12 vulnerability in some useful fashion, whether it's a
13 tool that simply allows someone without any skill to
14 exploit a vulnerability, whether the person
15 releasing the tool has any ulterior motives in
16 releasing it. And that's one way to get some idea
17 of whether it was a good thing or a bad thing.
18 Q. Okay. And you say the ulterior motives
19 that the person might have had in releasing the tool
20 is one of the factors in your mind that determines
21 whether or not the release of the tool is a good or
22 bad thing; is that correct?
23 A. That's what I said, yes.
24 Q. Now, in this particular situation that's
25 being described in this article, or the essay, "'Key
60
1 Finding' Attacks and Publicity Attacks," was there a
2 particular tool that was disseminated along with the
3 press release of the vulnerability in the Internet
4 protocol?
5 A. It's unclear. At the time I wrote this, I
6 believe there was. In subsequent conversations with
7 the company that released the press release, they
8 indicated that they did not release the tool. I do
9 not know if a tool was released, how widely it's
10 used, whether someone else took the research done
11 and wrote a tool.
12 So when I wrote this essay, I believe the
13 tool was released by the company that released the
14 press release, but I don't know if that's true.
15 Q. At this point do you know whether or not
16 there was a tool released?
17 A. At this point I believed the people I spoke
18 to from the company, and they said they did not
19 release a tool.
20 Q. Now you cite other examples in this essay,
21 and if I can just draw your attention to page 1, and
22 there are several bullet points. I'll read the
23 introductory phrase to the bullet point so you have
24 a sense of where I am. You say, "This kind of thing
25 is happening more and more, and I'm getting tired of
61
1 it. Here are some more examples" and bullet point
2 2.
3 MR. HERNSTADT: Carla, before you do that,
4 could you just read the first line of that sentence
5 before that -- the word "thing" is defined -- so we
6 know what kind of "thing" we are --
7 MS. MILLER: Well, I think if I want to
8 have that "thing" defined, I'll ask the witness to
9 define it, Mr. Hernstadt.
10 MR. HERNSTADT: All right. Then let me
11 object to any question that comes out based on that
12 it's vague that the term is undefined.
13 BY MS. MILLER:
14 Q. If you could look at bullet point 2 on page
15 1, Mr. Schneier, you indicate that, "Some people at
16 eEye" -- that's lower case "e," capital E-y-e --
17 "discovered a bug in IIS last year completely
18 compromising the product. They contacted Microsoft,
19 and after waiting only a week for them to
20 acknowledge the problem, they issued a press release
21 and a hacker tool. Microsoft rushed a fix out but
22 not as fast as the hackers jumped on the exploit.
23 EEye sells vulnerability assessment tools and
24 security consulting by the way."
25 Do you see that, what I've just read to
62
1 you?
2 A. I do.
3 Q. Now, did you do any verification of the
4 facts of eEye's rushing out and issuing a press
5 release and a hacker tool that exploited the
6 vulnerability in this Microsoft product?
7 A. No more verification than reading documents
8 and opinions and things other people had written.
9 Q. And did you think at the time that you
10 wrote this essay that those activities were a good
11 thing to do by eEye?
12 A. A lot of this is very situation dependent,
13 and often my objections are not based on what was
14 done but based on how it was done. My objections in
15 the eEye instance were based on the fact that eEye
16 seems to me to have used the exploit and the
17 publication of it as a publicity engine for their
18 company and not as a way to fix the problem.
19 So I'm not -- I have no objections to the
20 research, to the publication or the dissemination,
21 but the form of it was something I thought was not
22 the best it could have been.
23 Q. Okay. And the form of it that you're
24 describing, was that just the dissemination of the
25 hacker tool or just the fact that they were using
63
1 this whole incident to publicize their security
2 services?
3 A. It was that they were using the incident to
4 publicize.
5 Q. But you have no problem with them
6 disseminating the hacker tool that was designed to
7 exploit the vulnerability that they uncovered?
8 MR. HERNSTADT: Objection to the form.
9 THE WITNESS: Again, this is very dependent
10 on circumstance. Microsoft is a corporation that
11 will lie, will claim things that are true that are
12 not true, will deny the fact that exploits exist.
13 If you point out a security vulnerability, they will
14 tell you you're wrong. And the only way to get
15 Microsoft to fix a problem, a security problem, is
16 to release a tool.
17 So in dealing with Microsoft as a
18 researcher wanting to improve the security of
19 systems, you have no choice but to release an
20 exploit because without doing that, the system will
21 remain vulnerable.
22 BY MS. MILLER:
23 Q. You have no choice?
24 A. If you want to improve the security, you
25 have no choice.
64
1 Q. So if you want Microsoft to pay attention,
2 you have no choice but to exploit -- disseminate a
3 hacker tool that could exploit the security breach;
4 is that your testimony?
5 MR. HERNSTADT: Objection to form.
6 THE WITNESS: Historically that has been
7 the case.
8 BY MS. MILLER:
9 Q. And because -- again, I really am not
10 trying to put words in your mouth. I'm just trying
11 to understand your answer because you made some
12 statements about a particular point of view
13 obviously that you hold about Microsoft.
14 And based on that point of view about
15 Microsoft, if the security breach is found in a
16 Microsoft piece of software, then in your view
17 according to your testimony, it's acceptable to
18 disseminate a hacker tool that exploits that
19 vulnerability?
20 MR. HERNSTADT: Objection to the form of
21 the question and the lack of definition of the terms
22 used.
23 If you can answer that, go ahead.
24 THE WITNESS: I believe as a researcher
25 wanting to improve the security of systems that
65
1 simply publishing an academic paper describing the
2 vulnerability in a Microsoft system will not result
3 in any improvement. And the quickest way to improve
4 the security of the system is to release the tool
5 and to release the tool in a very public way so that
6 Microsoft has no choice but as a company to fix the
7 problem.
8 BY MS. MILLER:
9 Q. I don't suppose you'd be surprised if
10 someone at Microsoft felt differently about that,
11 would you?
12 MR. HERNSTADT: Objection to the form of
13 the question.
14 Go ahead.
15 THE WITNESS: Very few things surprise me
16 in this field.
17 BY MS. MILLER:
18 Q. Fair enough. Now, looking a couple
19 paragraphs down in the same essay, you say, "Here
20 are some examples of doing things right." In the
21 first bullet point, I quote, "The University of
22 California-Berkeley researchers have broken just
23 about every digital cell phone algorithm. They are
24 not profiting from these breaks. They don't publish
25 software packages that can listen in on cell phone
66
1 calls. That is research and good research."
2 Now, when we talked earlier about your
3 activities in helping to analyze some of the
4 encryption -- strike that -- flaws in some of the
5 encryption and security algorithms for digital cell
6 phone technologies, were you referring to this group
7 of University of California-Berkeley researchers?
8 A. Yes, I was.
9 Q. Is that the project you were involved in?
10 A. A piece of it. There are some different
11 cell phone security algorithms that this group has
12 successfully reverse engineered, analyzed and
13 published. One particular algorithm I was involved
14 in the process. There are several others that they
15 alone were involved in the process.
16 Q. Okay. Now you made the statement in this
17 essay, "This is research and good research." What
18 were you referring to when you drew the
19 conclusion -- excuse me -- about what "good
20 research" was?
21 MR. HERNSTADT: Objection to the form of
22 the question.
23 THE WITNESS: I was referring to the
24 cryptanalysis work done by the group in breaking the
25 algorithms.
67
1 BY MS. MILLER:
2 Q. Not the fact that they didn't publish
3 software packages that can listen in on cell phone
4 calls?
5 MR. HERNSTADT: Objection.
6 THE WITNESS: No. I was referring to the
7 research, and to me the research in this case was
8 the mathematical research on the algorithms.
9 BY MS. MILLER:
10 Q. If the University of California at Berkeley
11 researchers had published software packages that
12 listened in -- that allowed a person to listen in on
13 cell phone calls, would that still in your opinion
14 have been good research?
15 MR. HERNSTADT: Objection to the form of
16 the question.
17 THE WITNESS: It would still have been good
18 research. They would have done something additional
19 to that which I personally would question, but other
20 people would not.
21 BY MS. MILLER:
22 Q. Okay. But you personally would?
23 A. Yeah. I would -- if they did that, I might
24 have called them and asked, why did you do this?
25 And they might have had an explanation, and I would
68
1 have said, I guess you're right.
2 But I certainly would have thought twice if
3 I saw that, because in this particular case that
4 wasn't really part of the research.
5 Q. I'd like to direct your attention now to
6 the fourth bullet point in that same list that says,
7 I quote, "Perfecto markets security against CGI
8 attacks."
9 What is "CGI"?
10 A. I forget what it stands for. CGI scripts
11 are those interactive bits of code on Web pages that
12 let you type things into forms and submit them,
13 allow you to type comments in, click on radio
14 buttons or other things that make Xs happen, things
15 that don't bring you to a new Web page but that put
16 little bits of interactivity onto a Web page. I
17 think it's "computer graphics interface," but I
18 might be wrong as to what "CGI" stands for.
19 Q. I'm going to continue on reading that same
20 bullet point. "Although they try to increase
21 awareness of the risks, they don't go around writing
22 new CGI exploits and publicizing them. They point
23 to other CGI exploits done by hackers with no
24 affiliation to the company as examples of the
25 problem."
69
1 Now, based on the point of view that you've
2 been testifying to, I assume that this would fall
3 into your category of good research; is that
4 correct?
5 MR. HERNSTADT: Objection to the form.
6 That misstates the testimony of the witness
7 significantly.
8 If you can answer that, go ahead.
9 THE WITNESS: To me this is an example of
10 doing things right, as I said. Again, if there were
11 no CGI exploits, Perfecto would have to release some
12 to demonstrate that the vulnerabilities they're
13 describing and fixing are real. However, because
14 there are already CGI exploits that have been
15 published, that have been disseminated by the
16 underground community, Perfecto did not feel it
17 necessary to create new ones that didn't demonstrate
18 any new piece of research.
19 If they learned a new piece of research,
20 they might feel -- and I might agree with them --
21 that they should publish an exploit to demonstrate
22 this new piece of research. But as long as they are
23 fixing old problems, writing new tools to
24 demonstrate the old problems doesn't seem to add
25 anything to the discussion.
70
1 BY MS. MILLER:
2 Q. How are you using the word "exploits"
3 there?
4 A. It's a term of art in computer security.
5 An "exploit" is a program that makes use of a
6 vulnerability to attack a system. So it
7 demonstrates a vulnerability in a graphic way.
8 Q. Now looking at the last bullet point, you
9 say, "Steve Bellovin," B-e-l-l-o-v-i-n -- I hope I
10 pronounce his name correctly -- "at AT&T labs found
11 a serious hole in the Internet DNS system. He
12 delayed publication of this vulnerability for years
13 because there was no readily available fix."
14 Again, is this falling within your
15 definition of "good research"?
16 MR. HERNSTADT: Objection to the form of
17 the question. I don't think there's been a
18 definition of "good research," but if you can answer
19 the question, go ahead.
20 MS. MILLER: Certainly not a definition
21 because I think the witness has already testified
22 that it's sort of a situational thing. So I don't
23 mean to misstate your testimony when I say
24 "definition," but you've used the phrase and
25 characterized certain things and activities as good
71
1 research. That's all I'm asking you about.
2 MR. HERNSTADT: Are you referring to the
3 words where it says --
4 THE WITNESS: "Doing things right."
5 MR. HERNSTADT: -- "doing things right" up
6 top?
7 THE WITNESS: This is good research.
8 Additionally the research is finding the hole. The
9 delaying publication is a decision independent of
10 the research, and Steve in this case made a decision
11 not to publish but to keep the vulnerability quiet
12 until the Internet was able to deal with some of the
13 problems he found. That was his personal decision.
14 Other researchers would have probably made
15 different decisions. And in some ways it's good
16 that he did it, and in some ways it's bad that he
17 did it. That's probably the toughest example of the
18 five listed. That's the least obvious of the five
19 examples listed.
20 BY MS. MILLER:
21 Q. Now, when you say that "he delayed
22 publication of this vulnerability for years because
23 there was no readily available fix," in your mind is
24 that one of the factors that should be considered in
25 determining whether or not this is a responsible or
72
1 a right thing to do in terms of publicizing the
2 vulnerability that you've been able to identify?
3 MR. HERNSTADT: Objection to the form.
4 THE WITNESS: My personal opinion is that
5 whether a fix is possible and how easily it is and
6 how expensive it is is one of the many factors that
7 I would take into account before publishing.
8 BY MS. MILLER:
9 Q. Okay. Now, a couple more paragraphs down
10 in this same essay -- I'd like to direct your
11 attention to actually three paragraphs down from the
12 list of bullet points that we've just been referring
13 to. That starts, "And look at how it is released.
14 The nCipher" -- lower case N, capital C-i-p-h-e-r --
15 "release included a hacker tool. As the New York
16 Times pointed out, 'thus making e-commerce sites
17 more vulnerable to attack and more likely to buy
18 nCipher's products.' Announcements packaged with
19 hacker tools are more likely to be part of the
20 problem than part of the solution."
21 Do you see the sentences that I've just
22 read to you, Mr. Schneier?
23 A. I do.
24 Q. Now I understand you've previously
25 testified that nCipher I believe indicated to you
73
1 that they in fact did not publish a hacker tool. I
2 understand that aspect of your prior testimony. But
3 you seem to express an opinion at the end of these
4 last couple of sentences that "announcements
5 packaged with hacker tools are more likely to be
6 part of the problem than part of the solution."
7 What "problem" were you referring to?
8 A. In the essay I'm talking about the problem
9 of bad computer security and whether a particular
10 release of information of tools increases the
11 problem of bad security or helps solve the problem
12 of bad security by making security better.
13 In that sentence I said that tools -- if
14 something is released with a tool, it is more
15 likely, although -- I mean that it is more likely to
16 be part of the problem. So it's more likely to
17 result in bad security -- it's more likely to be a
18 release that exacerbates the security problems than
19 a release that will fix it. Certainly it's not cut
20 and dried. This is just one of the many things you
21 can look at in trying to figure out whether
22 something was good or bad. That's probably too
23 strong a word for it.
24 Q. I know. I understand. I appreciate this
25 is a gray area that we're talking about. That's all
74
1 I have at this time for this document.
2 Now Mr. Schneier, have you personally ever
3 notified the provider or the developer of a security
4 system that you're interested in researching before
5 engaging in that research?
6 A. I have not. The only possible exception is
7 when I was hired as a consultant to research a
8 system in which case they would know that I was
9 doing it.
10 Q. Because they hired you?
11 A. But it would be under contract. If as an
12 academic I engaged in research, I have never
13 notified an organization or a company first.
14 Q. Have you personally after engaging in
15 encryption research ever notified the organization
16 whose security system you were testing before
17 disseminating the results of your findings?
18 A. I don't remember. I believe when I
19 published an analysis of Microsoft PPTP, which
20 stands for point-to-point tunneling protocol, I sent
21 a copy of my draft paper to some colleagues at
22 Microsoft before publishing, although this is my
23 best recollection.
24 Q. How long ago would that have been that you
25 engaged in this research on Microsoft PPTP?
75
1 A. I do not remember, but the paper is dated
2 on my Web site.
3 Q. That paper is also on your Web site?
4 A. Everything is on my Web site.
5 Q. Why did you send a copy of your draft
6 paper to your colleagues at Microsoft?
7 A. Professional courtesy. I was afraid that
8 when the paper was released they would be asked by
9 their superiors to explain what was going on, and I
10 wanted to give them the opportunity to read what I
11 had written and have a little time to think about
12 what a response would be.
13 Q. Is that only because you knew these people
14 personally?
15 A. Yes, that's true.
16 Q. So if you didn't have this personal
17 relationship with the people at Microsoft that you
18 sent the draft to, you wouldn't have bothered to
19 send the draft of your research results?
20 A. I probably would not have.
21 Q. Why not?
22 A. Because the only benefit that that would
23 have served was to allow the Microsoft PR machine to
24 basically spread propaganda about the results before
25 they were released. It would have not helped the
76
1 program. It would have made it worse.
2 Q. How do you know that?
3 A. It's been the historical -- historically
4 that's what Microsoft does.
5 Q. What about other companies whose security
6 systems you've researched that maybe don't have that
7 same historical response as Microsoft?
8 A. One example that comes to mind is the
9 Digital Cellular Consortium, and we did not alert
10 them.
11 Q. Was there a conscious decision not to alert
12 them?
13 A. I don't know. I don't remember if it was
14 actually discussed. So I don't recall if it was a
15 conscious or unconscious decision.
16 Q. You don't recall any discussions amongst
17 the research group about whether or not the Digital
18 Cellular Consortium should be notified?
19 MR. HERNSTADT: Objection to form.
20 THE WITNESS: I don't recall.
21 BY MS. MILLER:
22 Q. But in your mind as a participant in that
23 activity, you didn't find -- strike that -- you
24 didn't think that there was any issue involved in
25 not notifying the Digital Cellular Consortium before
77
1 publishing the results of the research?
2 MR. HERNSTADT: Objection to form.
3 THE WITNESS: Certainly there are issues,
4 but we felt that the greater good would have been
5 served by publishing and that there was no benefit
6 to alerting the cell phone manufacturers.
7 BY MS. MILLER:
8 Q. When in your mind would there be a benefit
9 to alerting a particular corporation whose security
10 systems you've been involved in testing?
11 A. An example is if a flaw is found in a
12 browser that as a researcher you might go to the
13 company -- let's say Netscape -- and say, we found
14 this flaw. This is it. This is how it works.
15 We're going to be releasing our findings in two
16 weeks. Wouldn't it be nice if at the same time you
17 could release an updated version of the browser.
18 And there's an example where the researcher and the
19 company affected could work in concert.
20 Q. But in the example that you just cited --
21 strike that.
22 Are there any other examples that you can
23 cite apart from the one you just gave us?
24 A. Probably, but none come to mind right now.
25 Q. Okay. So if I understand your answer, it
78
1 would be beneficial to notify the company whose
2 security systems were being tested if in the mind of
3 the researcher the researcher thought that the
4 company and researchers could come to some sort of
5 an accord on how to fix the problem?
6 MR. HERNSTADT: Objection to the form. I
7 think that misstates the testimony.
8 You can answer. If you can, go ahead.
9 THE WITNESS: That's one of the things to
10 consider. Will the vendor mischaracterize the
11 research? Will the vendor work with the researcher
12 to fix the problem? Are there any political agenda
13 that the vendors might have?
14 There are examples where security systems
15 have been deliberately weakened because of
16 government intervention. Those are examples where
17 dealing with the vendor beforehand wouldn't make any
18 sense because in some ways the vendor was a pawn
19 also. So that's one of the considerations. There
20 are certainly many of them.
21 BY MS. MILLER:
22 Q. By a "pawn," you mean a pawn of the
23 government?
24 A. "Pawn" is probably too strong a word. But
25 they were influenced by the government possibly to
79
1 deliberately weaken their systems. This has
2 occurred many times in security.
3 Q. Again, I don't mean to misstate what you
4 just said, but I want to have a better understanding
5 of your point of view. But as I interpret what you
6 just said, it sounds like a lot of the consideration
7 depends on the vendor that's involved from the
8 researcher's point of view.
9 MR. HERNSTADT: Objection to the form. I
10 don't think that accurately states the testimony.
11 THE WITNESS: Some of it does. I'm
12 hesitant to define percentages of what refers to
13 what, but certainly that's one of the
14 considerations.
15 BY MS. MILLER:
16 Q. Okay. Now, in your point of view, if there
17 were a law that required a cryptographer to notify
18 the owner or the provider of a particular security
19 system that they were engaged in encryption research
20 concerning, would you think that that would restrict
21 your ability to engage in such research?
22 A. I think it would restrict it in a very
23 large way.
24 Q. How so?
25 A. A number of reasons. One, it presumes that
80
1 the cryptographer knows who to contact. For
2 example, a cryptographer might research an
3 encryption algorithm, Blowfish, which is an
4 algorithm I wrote. And I know that Blowfish is in
5 over a hundred products, and I know there are
6 products that I don't know about that Blowfish is
7 in. So if a cryptographer wanted to research
8 Blowfish, it would be impossible for him to notify
9 them all because he just wouldn't know who to
10 notify.
11 In any real system, the company researched,
12 being researched, might say no, might not give him
13 permission. And that would mean that he would not
14 be able to do the research, which means we would not
15 learn about the system, we would not learn about its
16 weaknesses, and we would not be able to build better
17 systems because of it.
18 So putting the burden on the cryptographer
19 to get permission is, one, something he can't do
20 and, two, likely to stifle research because
21 permission might not be forthcoming especially in
22 examples where there are many companies using the
23 same type of cryptography, and they need permission
24 from everybody.
25 MS. MILLER: Take one minute. Allow the
81
1 videographer to change the tape.
2 THE VIDEOGRAPHER: This is the end of Tape
3 No. 1 in the deposition of Bruce Schneier. We're
4 going off the record. The time is 12:42.
5 (Break taken.)
6 (Record read.)
7 THE VIDEOGRAPHER: This is the beginning of
8 Tape No. 2, Volume 1 in the deposition of Bruce
9 Schneier. We're going back on the record. The time
10 is 12:54. You may proceed.
11 BY MS. MILLER:
12 Q. Now, Mr. Schneier, in your last answer you
13 expressed a point of view about requiring
14 cryptographers to seek permission before engaging in
15 cryptographic research and how that might inhibit
16 that research. Do you feel that the owner of a
17 security system has the right to grant permission to
18 someone who might be interested in researching that
19 system?
20 MR. HERNSTADT: Objection to the form of
21 question and so far as it calls for a legal
22 conclusion.
23 THE WITNESS: Speaking morally and not
24 legally, I don't know what the law says, but I
25 believe personally the answer is no.
82
1 BY MS. MILLER:
2 Q. So a person that puts a particular security
3 system in place to protect their copyright content
4 shouldn't have any right to have people come to them
5 and ask permission before engaging in encryption
6 research or perhaps disseminating the results of
7 that research to the extent that it might allow
8 people to exploit vulnerabilities in that security
9 system?
10 MR. HERNSTADT: Objection to the form of
11 the question. It's compound. It also is
12 argumentative, and it's difficult.
13 MS. MILLER: That's what "objection to
14 form" means.
15 THE WITNESS: Again, personally and not
16 legally, I believe the answer is either no or yes
17 depending on which one was -- does not have to ask
18 permission. I just forgot the question in all the
19 objecting.
20 MS. MILLER: Could we read back the
21 question so the witness can understand.
22 (Record read.)
23 THE WITNESS: Yes.
24 MR. HERNSTADT: I have to object also that
25 it's unintelligible.
83
1 THE WITNESS: Yes. Again, morally and
2 ethically, personally and not legally, I believe
3 someone who fields a security system is putting it
4 out in public and at that point does not maintain
5 any control over who analyzes it, that in fact
6 someone can analyze it without asking permission or
7 asking permission before analyzing or releasing
8 information as a result of that analysis.
9 (Interruption in proceedings.)
10 THE VIDEOGRAPHER: We're going off the
11 record. The time is 12:57.
12 (Brief recess is taken.)
13 THE VIDEOGRAPHER: We're back on the
14 record. The time is 1:02. You may proceed.
15 BY MS. MILLER:
16 Q. Now Mr. Schneier, do you know when --
17 MS. MILLER: First of all, let's do this.
18 Mr. Hernstadt, I believe a colleague of yours has
19 just joined the deposition.
20 MR. HERNSTADT: Yeah.
21 MS. MILLER: Could he please make an
22 appearance or identify himself for the record.
23 MR. LEVY: Sure. This is Allonn Levy from
24 the firm of Huber Samuelson. I think the court
25 reporter has my card already.
84
1 MS. MILLER: Mr. Levy, have you already
2 been admitted pro hac vice as an attorney in this
3 lawsuit?
4 MR. LEVY: Yes, I believe so in the
5 original hearing.
6 MS. MILLER: Thank you.
7 BY MS. MILLER:
8 Q. Mr. Schneier, do you know when the CSS, the
9 content scrambling system, was first developed?
10 A. I do not.
11 Q. In the reading that you did in preparing
12 the essay, the November 15th essay, that you've
13 testified about that was the precursor to your
14 declaration that you filed in this case, did any of
15 the documents that you read in preparing that essay,
16 did any of them indicate when the content scrambling
17 system was developed?
18 A. It's certainly possible.
19 Q. But you have no recollection from that
20 reading when it was developed?
21 A. I do not.
22 Q. Do you have any idea when DVDs were first
23 introduced into the United States marketplace?
24 A. I have some idea, but I couldn't give you a
25 year.
85
1 Q. Okay. If I were to represent to you that
2 the content scrambling system was developed
3 somewhere around the late '90s, approximately 1996,
4 would you have an objection to working off of that
5 time frame for purposes of further questioning?
6 A. No. That's certainly plausible.
7 Q. Do you have any knowledge of United States
8 export guidelines concerning encryption
9 technologies?
10 A. I do.
11 Q. How is that knowledge derived?
12 A. From reading, reading and conversation.
13 Q. What, if you could tell me, have you read
14 to gain understanding that you have today about U.S.
15 export guidelines on encryption technologies?
16 A. Everything that I saw on the topic.
17 Q. Can you give us specific examples?
18 A. No.
19 Q. Journals? Web pages?
20 A. Journals, Web pages, articles, speeches,
21 books, magazine articles.
22 Q. Have you ever looked at the law yourself,
23 the guidelines?
24 A. Yes, I have.
25 Q. And do you remember the citation for any of
86
1 the guidelines that you looked at? Was it actually
2 the statute itself or the implementation guidelines?
3 A. Probably both. Parts of the statute were
4 reprinted in one of my books, so I could go there
5 and tell you exactly what I read because I could
6 tell you exactly what I reprinted.
7 Q. Which book would that be?
8 A. Applied Cryptography.
9 Q. When was Applied Cryptography published?
10 A. The first edition was published in
11 November -- sorry -- in October of 1993. And the
12 second edition was published in October of 1995.
13 You'll find that the copyright dates of the books
14 don't match that. That's because publishers often
15 play fast and loose with copyright dates.
16 Q. Fair enough. And at the time of the
17 publication of the first and second editions of
18 Applied Cryptography, did you reprint the export
19 guidelines in both the editions?
20 A. I do not remember. I know they're in the
21 second edition. I don't know if they're in the
22 first edition.
23 Q. And in 1995, the publication date of the
24 second edition, that actually reprints a current --
25 or then current version of the export regulations as
87
1 you understood them?
2 MR. HERNSTADT: Objection to form.
3 THE WITNESS: As I understood them at the
4 time, yes.
5 MR. HERNSTADT: You might want to
6 establish when the book was actually published.
7 MS. MILLER: I thought we already did.
8 BY MS. MILLER:
9 Q. Did you answer my question when the book
10 was actually published?
11 A. I think so.
12 Q. I thought so too. Thank you.
13 MR. HERNSTADT: I thought you said the
14 dates weren't --
15 MS. MILLER: Wake up, Ed. Let's move on.
16 BY MS. MILLER:
17 Q. The book -- second edition of the book to
18 your understanding was published in 1995?
19 A. In October of '95, even though the
20 copyright date says 1996.
21 MR. HERNSTADT: I got it the other way
22 around. Sorry.
23 BY MS. MILLER:
24 Q. Now in 1995 when the second edition of
25 Applied Cryptography was published, do you recall if
88
1 there were any limitations on the length of
2 encryption keys that were imposed by the U.S. export
3 guidelines?
4 A. Export guidelines did impose -- the export
5 guidelines themselves didn't impose limits.
6 Q. Did not?
7 A. Did not impose limits. There were
8 effective limits really based on hearsay and things
9 that had been granted export versus things that had
10 not been granted export.
11 At that time encryption algorithms with a
12 key length of less than 40 bits were allowed
13 exports. And encryption algorithms with key lengths
14 greater than 40 bits were not except for some
15 special circumstances.
16 Q. And do you have an understanding of what
17 those special circumstances were?
18 A. "Understanding" is a bad word because the
19 government went out of its way to make sure people
20 did not understand the rules.
21 Q. Do you have any knowledge about what
22 those --
23 A. In general if you were to design your
24 algorithm so badly that the key length was
25 irrelevant, you would be allowed to export things
89
1 with a greater key length. But as I said, these
2 rules were not well defined. They were not
3 codified. They were not written down. You
4 basically had to submit something and hope for the
5 best. So people tended to err on the side of making
6 systems lousy.
7 Q. Mr. Schneier, in your opinion as a
8 cryptographer, is it possible to design an
9 uncrackable encryption methodology?
10 MR. HERNSTADT: Objection to form.
11 THE WITNESS: Defining "uncrackable" as
12 beyond the limits of our understanding of
13 mathematics, yes.
14 BY MS. MILLER:
15 Q. Has any such system been designed to your
16 knowledge?
17 A. There are many systems in use today that
18 are believed to be uncrackable. Unfortunately in
19 cryptography you can't make mathematically --
20 mathematical statements that this is unbreakable.
21 But you can say that with our present understanding
22 of mathematics, this is unbreakable. And there are
23 many algorithms of which the latter holds true.
24 Q. Is it fair to say that it's more
25 probabilistic? You can express an opinion that it's
90
1 more probably able to be cracked or less probably
2 able to be cracked given our current understanding
3 of mathematics?
4 A. "Probabilistic" is also a tough term.
5 MR. HERNSTADT: Objection to form.
6 THE WITNESS: "Probabilistic" is also a
7 tough term because it's a term of art in
8 cryptography.
9 BY MS. MILLER:
10 Q. I see.
11 A. Really what you can say is that a
12 particular algorithm cannot be broken by any method
13 we know, nor do we have any road map that might get
14 to a method that would break the algorithm. Of
15 course, you could end up being wrong, but
16 cryptographers often have a pretty good idea of what
17 is and isn't breakable.
18 Q. Do you have any understanding of what's
19 considered -- or is there currently a standard for
20 key lengths for encrypted data over the Internet?
21 MR. HERNSTADT: Objection to form.
22 THE WITNESS: There's no standard. There
23 are a bunch of guidelines. In 1997 I believe a
24 group of about nine or ten very respected
25 cryptographers, myself included, wrote a paper which
91
1 talked about minimal key lengths for commercial
2 security and looked at different key lengths and
3 forward in the years as to what would be minimal
4 security that's required.
5 On the Internet today, the standard
6 algorithm -- "standard" is a bad word. The most
7 commonly trusted algorithm is a -- something called
8 triple DES which has a 112-bit key. The government
9 right now, the National Institute of Standards and
10 Technologies, or NIST, is proposing a new encryption
11 standard, and that will have key lengths of 112
12 bits, 192 bits and 256 bits.
13 Single DES, which is 56 bit long, is used
14 in some very low-security applications, but everyone
15 knows that a key length of 56 bits is just not long
16 enough to be any good for most applications.
17 BY MS. MILLER:
18 Q. Known not to be any good for most
19 applications in terms of what? What's the basis for
20 that statement that you just made?
21 A. The easiest way to break an algorithm is to
22 try every possible key.
23 Q. That's what's called a brute force attack?
24 A. Yes. A brute force attack can be
25 implemented against any algorithm regardless of the
92
1 math, regardless of how complicated it is just by
2 trying every possible key. It's always possible.
3 It always works. The question you ask is, how long
4 does that take? How long would it take a computer
5 to try every possible key?
6 And a 56-bit key as of a few years ago is
7 commonly known to be possible to break. There was a
8 very public break against DES which used hardware
9 that broke a 56-bit key in I think under a day.
10 There have been distributed attacks on the Internet
11 that have broken a 56-bit key over the course of
12 days. And of course these numbers are getting
13 faster as computer power increases.
14 Q. And what was the processing power of that
15 computer that you just testified to where it was
16 publicized that it broke DES in under a day?
17 A. I don't remember. Going back to
18 Crypto-Gram, there was an essay that goes into all
19 the details of processing.
20 Q. What time frame did that occur?
21 A. I don't remember. Look in the index of
22 back issues.
23 Q. Was it a year ago? More than a year ago?
24 A. I believe it was two years ago that I wrote
25 about it.
93
1 Q. I'd like to now turn to your declaration,
2 Mr. Schneier. Now, on page 2 of your declaration --
3 the pages are actually not numbered, but let's look
4 at paragraph 2, appears on the second page. You
5 state, I quote, "The entertainment industry knew
6 even as it implemented it that the security system
7 created to protect DVDs would be broken."
8 What is the basis for you making that
9 statement?
10 A. The system is so robustly and profoundly
11 bad that it's inconceivable to me that an engineer
12 could have designed it without knowing that it was
13 flawed.
14 Q. So that's just an assumption on your part
15 based on the, as you said, the "robustly and
16 profoundly bad" system that was put into place? In
17 other words, you didn't speak to anyone within the
18 entertainment industry to actually ascertain that
19 they knew the security system put in place to
20 protect DVDs would be broken?
21 MR. HERNSTADT: Which question do you want
22 him to answer?
23 MS. MILLER: The latter one.
24 MR. HERNSTADT: No objection to that
25 question.
94
1 THE WITNESS: No, I did not talk to
2 anybody. It's like if you see a screen door on a
3 submarine, you don't need to ask whether the
4 engineers understood that the submarine would sink.
5 It just seems sort of obvious.
6 BY MS. MILLER:
7 Q. That the engineers who put a screen door on
8 a submarine would know that the submarine would
9 sink?
10 A. It's just inconceivable to me that someone
11 could make -- that would be an honest mistake.
12 Q. Again, just to be clear, when you say the
13 industry -- "entertainment industry knew," you never
14 had any conversations with anybody in the
15 entertainment industry that actually confirmed that
16 statement?
17 A. I did not.
18 MR. HERNSTADT: Asked and answered.
19 THE WITNESS: I did not.
20 BY MS. MILLER:
21 Q. Going on to paragraph 2 you say that,
22 "They" -- I assume that the "they" refers back to
23 the entertainment industry -- "expected the Internet
24 to be used to distribute programs that assist
25 skilled consumers to remove the copy protection on
95
1 DVDs." Let's stop there.
2 What is the basis for making that
3 statement, Mr. Schneier?
4 A. Again, it was my analysis of the system,
5 my analysis of the security properties of DVD and
6 digital content and what's inevitable for digital
7 communication systems.
8 Q. Okay. But that's not exactly the question
9 that I'm asking you.
10 A. Try again.
11 Q. You indicated that the entertainment
12 industry knew that the Internet would be "used to
13 distribute programs that assist skilled consumers to
14 remove the copy protection on DVDs." I'm asking you
15 how you knew that the entertainment industry
16 expected the Internet to be used to distribute these
17 programs.
18 MR. HERNSTADT: Objection. Asked and
19 answered.
20 THE WITNESS: It seemed obvious to me based
21 on the way the system worked.
22 BY MS. MILLER:
23 Q. It seemed obvious to you that the
24 entertainment industry expected the Internet to be
25 used to distribute programs such as DeCSS?
96
1 A. Yes. This has been something I have been
2 saying for years that this would happen. It's
3 inconceivable to me that the entertainment industry
4 could be that blind to the inevitability of this.
5 Q. You've been saying this for years?
6 A. Yes, that digital content will be
7 distributed on the Net, that programs that will
8 defeat any copy protection scheme that could be
9 designed will be made available, that it is
10 impossible to fix this problem through content
11 protection.
12 Q. Just because you've been saying that for
13 years doesn't necessarily mean that the
14 entertainment industry expected the Internet to be
15 used to distribute programs such as DeCSS, correct?
16 MR. HERNSTADT: Objection. That's
17 argumentative.
18 If you can answer it, go ahead.
19 THE WITNESS: I'm really giving them the
20 benefit of the doubt. I'm assuming that they're not
21 stupid. I suppose it is possible that they were
22 really, really, really dumb. It seems
23 extraordinarily unlikely.
24 BY MS. MILLER:
25 Q. Continuing on, I'll restate that or again
97
1 quote from paragraph 2. You said, "They expected
2 the Internet to be used to distribute programs that
3 assist skilled consumers to remove the copy
4 protection on DVDs and play and edit and (with great
5 difficulty) copy them."
6 What do you mean by "with great difficulty
7 copy them"?
8 MR. HERNSTADT: Objection to form. It says
9 what it says.
10 THE WITNESS: There's a lot of difficulties
11 associated with copying DVDs simply because of the
12 availability of DVD writers. They're not common.
13 DVD has a lot of data which is difficult to
14 transport and store, so any intermediate form
15 makes -- is difficult to deal with.
16 So copying DVDs irrespective of any copy
17 protection is something difficult to do because it
18 requires specialized tools and hardware and
19 software. It's not something -- for example, my
20 computer at home, I do not have enough storage to
21 copy a DVD.
22 BY MS. MILLER:
23 Q. How much storage do you have on your
24 computer at home?
25 A. I don't know, but less than 4 point
98
1 something gigabytes which is what a DVD is.
2 Q. And -- strike that.
3 Do you have any idea what standard home
4 computer packages that are available in the consumer
5 marketplace are being shipped with in terms of hard
6 drive storage space?
7 MR. HERNSTADT: Objection to the question.
8 If you have any idea, go ahead.
9 THE WITNESS: I don't, but I'm sure I can
10 pull any magazine off the shelf at a bookstore and
11 find out.
12 MR. HERNSTADT: Mr. Schneier is not being
13 presented for anything remotely like that.
14 BY MS. MILLER:
15 Q. Would it surprise you to learn that a
16 consumer can purchase, for example, from Dell
17 Computers a fairly low-end personal computer system
18 with a 20-gigabyte hard drive?
19 MR. HERNSTADT: Objection to the form of
20 the question.
21 THE WITNESS: It would not surprise me.
22 BY MS. MILLER:
23 Q. Okay. You've already testified that you've
24 never used the DeCSS utility; is that correct?
25 A. That is correct.
99
1 Q. So have you heard from anyone whether or
2 not it's difficult to use DeCSS to copy movie files?
3 A. I have not.
4 MR. HERNSTADT: Objection to the form of
5 the question insofar as "difficult" is referring
6 back to a prior question.
7 Go ahead.
8 THE WITNESS: I have not.
9 BY MS. MILLER:
10 Q. I'd like for you now to look at paragraph 6
11 of your declaration, Mr. Schneier. In the second
12 sentence of paragraph 6 you state, "Instead, DVD
13 software manufacturers were supposed to disguise the
14 decryption program and possibly the playing program
15 using some sort of software obfuscation techniques."
16 Do you see the sentence that I just read?
17 A. I do.
18 Q. What's the basis for you making this
19 statement that DVD software manufacturers are
20 supposed to disguise decryption programs?
21 MR. HERNSTADT: Asked and answered. Go
22 ahead.
23 THE WITNESS: That was based on my reading
24 of the -- of information about CSS and DeCSS and my
25 perusing of the various Web pages and writings on
100
1 the topic, that the different software players all
2 used obfuscation techniques to try to disguise the
3 working algorithm to make reverse engineering
4 harder.
5 BY MS. MILLER:
6 Q. Can you tell me what specific documents you
7 read to gain that understanding?
8 A. I cannot. I would start with the ones at
9 the bottom of the essay and work from there.
10 Q. The November 15th essay --
11 A. Yes.
12 Q. -- that we talked about? Now are you aware
13 of any efforts by anyone to reverse engineer a
14 software-based DVD player prior to the development
15 of DeCSS to ascertain the CSS encryption algorithm?
16 MR. HERNSTADT: Object to the form. I
17 think that's unintelligible.
18 THE WITNESS: Personally I am not.
19 BY MS. MILLER:
20 Q. You understood my question, didn't you
21 Mr. Schneier?
22 A. I hope so.
23 Q. The next sentence you indicate, "This is a
24 technique that has never worked: There is simply no
25 way to obfuscate software because it has to be on
101
1 the computer somewhere and is thus accessible to
2 researchers, people engaged in reverse engineering
3 and the like."
4 Do you have any idea of how the DeCSS
5 utility was developed?
6 A. I do not.
7 Q. And what is the basis of the statement that
8 you've made in paragraph 6 in that last sentence
9 that there's "simply no way to obfuscate software"?
10 A. It's a mathematical truth.
11 Q. Based on what principles?
12 A. Mathematics, logic, computer architecture.
13 It's not a problem that can be solved.
14 Q. What's not a problem that can be solved?
15 A. The problem of obfuscating software such
16 that someone cannot reverse engineer it. You might
17 be able to make it harder, but you cannot stop it.
18 Q. But it is possible to make it harder
19 through obfuscation to reverse engineer software?
20 A. It's possible to make it more difficult,
21 but there's a limit after which you can't make it
22 any more difficult, and that limit is still the
23 limit where it's possible to reverse engineer it.
24 Q. Okay. But again, just to make sure I
25 completely understand your answer, are these the
102
1 same principles that you testified to earlier that
2 say, for example, in a brute force attack that as
3 long as you throw enough processing power at a
4 problem in attempting to reverse engineer something,
5 eventually depending on how long, you'll eventually
6 be able to break it or get to the solution?
7 MR. HERNSTADT: Object to the form of the
8 question. I don't understand the question at all.
9 Would you read it back please.
10 (Record read.)
11 MR. HERNSTADT: What "principles" are you
12 referring to?
13 MS. MILLER: The mathematical principles
14 that Mr. Schneier testified to earlier that go into
15 a brute force attack.
16 MR. HERNSTADT: Okay.
17 MS. MILLER: For example, in trying to
18 crack an encryption algorithm.
19 THE WITNESS: No, they're completely
20 different. The brute force attack principles are
21 based on the blind and mechanistic trying of every
22 possible key. In this case, this is not something
23 based on a time-consuming computer run of trying
24 possibilities until you find the right one.
25 BY MS. MILLER:
103
1 Q. That's what I want to understand.
2 A. No, it's completely different.
3 Q. Could you explain what it's based on.
4 A. In a computer, the code, the object code,
5 must be intelligible to the processor. Otherwise it
6 can't actually run. So by definition, any
7 obfuscation technique will through the course of
8 running the software be unobfuscated because
9 otherwise the software could not run on the machine.
10 At that point after the software has been
11 unobfuscated, a researcher or reverse engineer can
12 intercept the stream.
13 Q. I see what you're saying.
14 A. So it has nothing to do with a brute force
15 attack. It's a more -- it's real time, and it's
16 based on the inevitability of the processor needing
17 to deal with the raw information.
18 Q. So basically just analyzing the strings of
19 zeroes and ones that happen to be in the computer
20 register at that point in time and determining
21 exactly what software steps the computer is
22 executing?
23 A. Yes.
24 Q. I understand. Based on this testimony, is
25 it your understanding that it's only through this
104
1 process that a software engineer then would be able
2 to understand once the software has been, if you
3 will, unobfuscated for purposes of having it run on
4 the machine, that they'll be able to intercept that
5 stream and understand what's going on with the
6 software?
7 MR. HERNSTADT: Object to form.
8 THE WITNESS: No, that's not the only way.
9 That's just a way that always works and cannot be
10 stopped. You can certainly analyze the obfuscated
11 stream and understand the obfuscation techniques and
12 sort of reverse engineer it that way.
13 BY MS. MILLER:
14 Q. Okay.
15 A. It's possible to build a system that
16 automatically unobfuscates code; again, after
17 understanding the techniques.
18 Q. Okay.
19 A. So I just used the example of looking at
20 the code after it's been unobfuscated as proof that
21 it's impossible to do it and that always works, but
22 there are certainly other ways.
23 Q. Again, to make sure I clarify. I don't
24 want to interrupt your answer. But that's as the
25 code is being executed by the machine in the first
105
1 example that you gave?
2 MR. HERNSTADT: Objection to the form.
3 That misstates the testimony.
4 THE WITNESS: Yes. If you were going to do
5 this methodology that always works, which is looking
6 at the code as it's being read by the processor,
7 that would be during execution of a legitimate
8 program.
9 BY MS. MILLER:
10 Q. Okay.
11 A. But there are ways to reverse engineer a
12 code and obfuscation techniques that don't involve
13 doing that.
14 MS. MILLER: Off the record.
15 THE VIDEOGRAPHER: We're going off the
16 record. The time is 1:34.
17 (Break taken.)
18 THE VIDEOGRAPHER: We're going back on the
19 record. The time is 1:41. You may proceed.
20 BY MS. MILLER:
21 Q. Mr. Schneier, just a couple of really quick
22 questions I just want to make sure we've gone
23 through in your testimony today. Now, have you ever
24 personally been involved in any effort to reverse
25 engineer CSS?
106
1 A. No.
2 Q. Looking again at paragraph 9 in your
3 declaration, you state, "Finally, as a matter of
4 basic computer and cryptological science, the DVD
5 break consisting of, among other utilities, DeCSS,
6 is a very good thing. It is good research
7 illustrating how bad the encryption algorithm is and
8 how poorly thought out the security model is and
9 must be available to cryptologists, programmers and
10 others as a research and intellectual tool through
11 the normal channels -- included but not limited to
12 posting it on the Internet."
13 Now, in that statement when you say, "The
14 DVD break, consisting of among other utilities,
15 DeCSS," are you referring to DeCSS in its source
16 code form or its object code form?
17 A. I'm referring to neither. I'm referring to
18 it in general.
19 Q. Okay. But you've earlier testified that
20 you've never seen the source code for DeCSS; is that
21 correct?
22 A. I have not.
23 Q. You also testified that you've never seen
24 the object code for DeCSS; is that correct?
25 A. I have not. I have testified that I have
107
1 not.
2 MS. MILLER: Thanks. That's actually all I
3 have at this time in your deposition, Mr. Schneier,
4 subject to the few document requests that I've made
5 of Mr. Hernstadt and if you don't mind searching for
6 the e-mails that we've talked about that you
7 testified to that you might have. I'd like to leave
8 the deposition open in case there are any follow-up
9 questions. I know Mr. Hernstadt feels differently,
10 and he will so state that on the record, I presume.
11 MR. HERNSTADT: You're welcome to state my
12 position for me since we -- depending on --
13 MS. MILLER: Shortcut things.
14 MR. HERNSTADT: -- depending on who takes
15 the deposition, we each say the same thing. But
16 obviously I think the deposition is concluded, and
17 thank you very much. I appreciate it.
18 MS. MILLER: I thank you for your time and
19 candor.
20 (Discussion off the record.)
21 MR. HERNSTADT: Because the trial is
22 scheduled to start on July 17th, we've requested
23 that the court reporter with respect to the
24 depositions of Chris DiBona, Barbara Simons and
25 Bruce Schneier, to provide the originals immediately
108
1 or as soon as they're completed for review and
2 signing, and then those will be returned to the
3 party that's noticed the deposition. And we
4 appreciate the reporter's willingness to assist us
5 with this. Thank you.
6 THE VIDEOGRAPHER: This is the end of Tape
7 No. 2 in the deposition of Bruce Schneier. Going
8 off the record. The time is 1:45.
9 (Time noted: 1:45 p.m.)
10
11
12
13 ______________________
14 BRUCE SCHNEIER
15
16
17
18
19
20
21 Subscribed and sworn to before me
22 this__________ day of__________________, 2000
23 Notary Public in and for the State of
24 California, County of Santa Clara
25
109