See related files:
http://www.eff.org/IP/Video (EFF Archive)
http://jya.com/cryptout.htm#DVD-DeCSS (Cryptome Archive)
http://www.2600.com/dvd/docs (2600 Archive)
http://cyber.law.harvard.edu/openlaw/dvd/ (Harvard DVD OpenLaw Project)


Edward Felten Deposition, in MPAA v. 2600

NY; July 7, 2000

                                                             

                                                                        1

          1   UNITED STATES DISTRICT COURT
              SOUTHERN DISTRICT OF NEW YORK
          2   00 Civ. 20277
              -  - -  - - - - - - - - - - - - - -X
          3                                      
              UNIVERSAL CITY STUDIOS, INC.,      :
          4   PARAMOUNT PICTURES CORPORATION,
              METRO-GOLDWYN-MAYER STUDIOS, INC., :
          5   TRISTAR PICTURES, INC., COLUMBIA
              PICTURES INDUSTRIES, INC., TIME    :
          6   WARNER ENTERTAINMENT CO., L.P.,
              DISNEY ENTERPRISES, INC., and      :
          7   TWENTIETH CENTURY FOX FILM
              CORPORATION,                       :
          8   
                          Plaintiffs,            :
          9   
                        Vs.                      :
         10   
              SHAWN C. REIMERDES, ERIC CORLEY,   :
         11   a/k/a "EMMANUEL GOLDSTEIN" and
              ROMAN KAZAN and 2600 ENTERPRISES,  :
         12   INC.,
                                                 :
         13               Defendants.

         14   - - - - - - - - - - - - - - - - - - X

         15          Videotape deposition of EDWARD FELTEN,

         16   taken in the above-entitled matter before 

         17   Michele Anzivino, Notary Public of the

         18   State of New York, taken at the offices of

         19   PROSKAUER ROSE, 1585 Broadway, New York, New

         20   York on Friday, July 7, 2000 commencing at

         21   10:28 a.m.
 
         22

         23   NEW YORK REPORTING COMPANY (USA), LTD.
                         245 PARK AVENUE
         24                39TH FLOOR
                     NEW YORK, NEW YORK  10167
         25    (212) 792-5623   Fax: (212) 792-5624




                                                                        2

          1                    

          2   A P P E A R A N C E S:

          3   
                    PROSKAUER ROSE, LLP
          4         1585 Broadway
                    New York, New York  10036-8299
          5         Attorney for Plaintiffs
                    (212) 969-3095
          6         By:  WILLIAM M. HART, ESQ.
                         LEON PHILLIP GOLD, ESQ.
          7   
                    FRANKFURT, GARBUS, KLEIN & SELZ, P.C.
          8                BY:  MARTIN GARBUS, ESQ.
                    488 Madison Avenue
          9         New York, New York  10022
                    (212) 826-5582
         10         Attorney for Defendant Eric Corley

         11   

         12   

         13   Also present:  Eileen McDonald, Videographer





                                                                        3

          1                    

          2                      I N D E X

          3   

          4   WITNESS            EXAMINATION BY          PAGE

          5   EDWARD FELTEN

          6                          Mr. Hart              5

          7   
                              INDEX TO EXHIBITS
          8   
                                                         PAGE
          9   1           Documents                         8

         10   2           Documents                         8

         11   3           Copy of declaration               8





                                                                        4

          1                    

          2                   THE VIDEOGRAPHER:  This is

          3               Eileen Dougherty.  We are going on

          4               the record at 10:30 a.m. on July 7,

          5               2000.  We are here for the case

          6               Universal versus Reimerdes.  The

          7               witness today is Edward Felten.  We

          8               are at the location of 1585

          9               Broadway, New York, New York.

         10                   Will the attorneys please state

         11               their appearances for the record.

         12                   MR. HART:  Yeah.  This is Bill

         13               Hart from Proskauer Rose for the

         14               plaintiffs.

         15                   MR. GARBUS:  Martin Garbus,

         16               Frankfurt, Garbus, Klein & Selz for

         17               the defendant.

         18                   THE VIDEOGRAPHER:  Will the

         19               court reporter please administer

         20               the oath.

         21             E D W A R D   F E L T E N ,

         22   having been first duly sworn, was examined and

         23   testified as follows:

         24                     EXAMINATION

         25   BY MR. HART:




                                                                        5

          1                   EDWARD FELTEN

          2        Q.     Good morning, Mr. Felten.

          3        A.     Good morning.

          4        Q.     Have you ever been deposed before?

          5        A.     Yes, twice.

          6        Q.     In what matters?

          7        A.     Both times in U.S. versus

          8   Microsoft, the antitrust case.

          9        Q.     Oh.

         10               And if you can just tell me

         11   generally what the subject matter was that you

         12   testified to in those depositions.

         13        A.     Sure.  The first time was in the

         14   main part of the case, and I testified mostly

         15   about issues relating to software design and

         16   software construction, about operating systems

         17   and browsers and how they related to each other

         18   in general.  And then specifically how

         19   Microsoft's products, Windows '95 and '98 and

         20   Internet Explorer, related.

         21        Q.     Okay.

         22               And what you just described was the

         23   subject matter of both of the depositions you

         24   referred to?

         25        A.     Both depositions talked about those




                                                                        6

          1                   EDWARD FELTEN

          2   matters.

          3               And then the second deposition I

          4   also talked about -- that was in the rebuttal

          5   phase of the trial.  And so I talked about

          6   rebutting some of the Microsoft witnesses'

          7   statements on those same topics.

          8        Q.     Okay.

          9               And who were you testifying on

         10   behalf of?

         11        A.     Of the -- of the Department of

         12   Justice.

         13        Q.     Okay.

         14               Did you ever testify at the trial

         15   or in any of the court proceedings in that

         16   action?

         17        A.     Yes, I testified twice in court.

         18        Q.     Okay.

         19               And was your testimony related to

         20   the same subjects that you just described?

         21        A.     Yes.

         22        Q.     Was there anything else in your

         23   court testimony in addition to what you

         24   described regarding your deposition testimony?

         25        A.     Let me think about that.  There was




                                                                        7

          1                   EDWARD FELTEN

          2   a discussion of security issues in -- in my

          3   court testimony which I -- which was not on the

          4   list I gave you before.

          5        Q.     Okay.

          6               And by "security issues," what do

          7   you mean?

          8        A.     The implications for the security

          9   of PCs of various things that Microsoft had

         10   done.

         11        Q.     Okay.

         12               And by "security," do we mean

         13   preventing people from getting unauthorized

         14   access into the P.C. or what?  I mean, I just

         15   --

         16        A.     Both.  Both preventing unauthorized

         17   access to the P.C. and also privacy issues.

         18   That is, what kinds of information about the

         19   user of the P.C. become available to other

         20   people across the Net.

         21        Q.     Got you.  Okay.

         22               I want to mark a couple of

         23   exhibits, and I'm trying to do this as

         24   efficiently as possible.

         25                   MR. HART:  Ms. Reporter, I'm




                                                                        8

          1                   EDWARD FELTEN

          2               going to hand you Exhibits 1, 2 and

          3               3 in that order.  Marty, just give

          4               us a moment.

          5        Q.     Mr. Felten, I'll have you identify

          6   these for the record once the reporter has

          7   marked them.

          8        A.     Okay.

          9                   MR. HART:  Actually, those

         10               copies are for you, Marty, because

         11               I prefer the witness refer to the

         12               ones that will have exhibit numbers

         13               to make it a little easier.

         14                   (Thereupon, Documents marked as

         15               Felten Exhibits 1, 2 and 3 for

         16               identification as of today's date)

         17        Q.     Okay.  If you would sequentially,

         18   Exhibits 1, 2 and 3, and if you don't mind my

         19   just asking --

         20        A.     Okay.

         21        Q.     -- a group question for all of

         22   them.

         23               A., Have you ever seen the document

         24   before, and B., If so, what is it?

         25        A.     Okay.  Number 1, I do not think I've




                                                                        9

          1                   EDWARD FELTEN

          2   seen.

          3        Q.     Okay.

          4        A.     I've not seen Number 2.

          5        Q.     Okay.

          6        A.     And Number 3 I have seen, and this

          7   was a copy of a declaration which -- which I

          8   prepared.

          9        Q.     Okay.

         10        A.     And it has my C.V. as -- as an

         11   appendix to it.

         12        Q.     Very good.

         13               Are you going to be testifying in

         14   the trial of this case?

         15        A.     I expect to.

         16        Q.     Okay.

         17               Is there any reason, to your

         18   knowledge, based on your own availability that

         19   you wouldn't be able to, assuming that the

         20   court goes forward on the date scheduled?

         21        A.     It depends on the length of the

         22   trial.

         23        Q.     Okay.

         24        A.     I understand the trial is scheduled

         25   to start on the 17th.




                                                                       10

          1                   EDWARD FELTEN

          2        Q.     Right.

          3        A.     And for the first two weeks

          4   beginning on the 17th, I'm available.

          5        Q.     Okay.

          6        A.     The following week I am not sure

          7   about my availability.  I have a consulting job

          8   that will involve a trip to Ottawa, and I'm not

          9   sure which day that will be on.  That still has

         10   to be arranged with the people I would be

         11   visiting.

         12        Q.     Okay.

         13        A.     And if the trial goes beyond the

         14   third week, then I'm not sure.

         15        Q.     I understand.

         16               Were you asked to collect any

         17   documents in your possession or control to turn

         18   over in connection with this case or with your

         19   deposition?

         20        A.     No.

         21        Q.     Okay.

         22               When were you first contacted about

         23   the possibility of your testifying in some form

         24   or another in connection with this case?  And

         25   by "testifying" I mean both in deposition




                                                                       11

          1                   EDWARD FELTEN

          2   and/or at trial.

          3        A.     I don't recall exactly when it was.

          4   I think -- I'd estimate it was perhaps two

          5   months ago.

          6        Q.     Okay.

          7               And who made that contact to you?

          8        A.     The first -- the first contact I

          9   had actually was at a -- at a lunch.  Professor

         10   Appel was going to have lunch with Mr. Garbus

         11   in Princeton and -- and Professor Appel invited

         12   me to come along and I talked with Mr. Garbus

         13   at that lunch.  That was the first contact I'd

         14   had.

         15        Q.     Okay.

         16               And prior to being invited to that

         17   lunch had you ever heard of this case before?

         18        A.     Yes.

         19        Q.     When did you first hear of this

         20   case?

         21        A.     I don't remember exactly when I

         22   heard of it.  It was, to estimate, perhaps

         23   January.

         24        Q.     Okay.

         25               And how did you first hear of it?




                                                                       12

          1                   EDWARD FELTEN

          2        A.     In conversations with -- with

          3   colleagues.  I think that's when I first heard

          4   of it.

          5        Q.     Colleagues where?

          6        A.     It -- it would have been at a

          7   conference, at a discussion during a break

          8   session in a conference.

          9        Q.     Is this a conference at Princeton

         10   or elsewhere?

         11        A.     I went to a number of conferences

         12   in January, but I don't -- it would have been

         13   elsewhere, but I don't know which conference

         14   exactly.

         15        Q.     Okay.

         16               Was Mr. Appel one of the colleagues

         17   that you include?

         18        A.     No.

         19        Q.     Okay.

         20        A.     I should -- let me clarify.  By

         21   "colleagues" I mean people working in the same

         22   field as me, not necessarily people at

         23   Princeton.

         24        Q.     Got you.

         25               But Mr. Appel was not at that




                                                                       13

          1                   EDWARD FELTEN

          2   conference?

          3        A.     He was not -- no, he was not at any

          4   of the conferences I went to.

          5        Q.     Now, you work -- I don't mean to

          6   interrupt you.

          7        A.     I'm finished.

          8        Q.     Okay.  I'll try not to do that.

          9               You work with Mr. Appel at

         10   Princeton?

         11        A.     Yes.

         12        Q.     Okay.

         13               Can you tell me what differences

         14   there are between your two respective

         15   specialties or knowledges or areas of

         16   expertise?

         17        A.     Sure.  I can talk about some areas

         18   in which I have more knowledge and expertise

         19   and other areas where he has more if that's a

         20   helpful way to do.

         21        Q.     Fine.  That would be great.

         22        A.     Okay.  I think I have more

         23   expertise in general, in issues relating to

         24   security and cryptography.  I have more

         25   expertise related to operating systems and what




                                                                       14

          1                   EDWARD FELTEN

          2   you might call Internet software.  He has more

          3   expertise related to programming languages,

          4   software engineering and topics related to how

          5   software is generally constructed.

          6        Q.     And are there areas where at least

          7   in general you'd say the two of you overlap in

          8   terms of your respective expertises, knowledge

          9   or experience?

         10        A.     Sure.  I think we both have -- when

         11   I gave you the list of areas there, I didn't

         12   mean to imply that he has no expertise in areas

         13   where I have more, nor that I have none in

         14   areas where he has more.

         15        Q.     I appreciate that.

         16        A.     So yes, there's -- there is a

         17   significant amount of overlap between --

         18   between our expertise.

         19        Q.     Okay.

         20               When you said a minute ago that one

         21   of the areas that you have special knowledge in

         22   is in Internet software--

         23        A.     Yes.

         24        Q.     -- what do you mean by "Internet

         25   software"?




                                                                       15

          1                   EDWARD FELTEN

          2        A.     I mean the workings and designs of

          3   things like Web browsers and e-mail software

          4   and so on, the sorts of software that people

          5   use when accessing the Internet.

          6        Q.     Okay.

          7               And does that also relate to --

          8   does that expertise, if you will, also relate

          9   to the networking capabilities and speed of

         10   networks with respect to the Internet?

         11        A.     I think I probably have more

         12   experience and expertise than he does relating

         13   to how Internet -- the Internet works, sort of

         14   the plumbing, the guts of it.

         15        Q.     Mm-hmm.

         16        A.     As far as the speeds, I'm not sure.

         17        Q.     Okay.

         18        A.     I'm not sure how I would

         19   characterize that.

         20        Q.     Okay.

         21        A.     Whether I would know more or he

         22   would know more.

         23        Q.     Okay.  Fair enough.

         24               Can you tell me in your

         25   professional estimation what basic factors




                                                                       16

          1                   EDWARD FELTEN

          2   contribute to or play a role in Internet

          3   network speed?

          4        A.     Well, that's a big topic.

          5        Q.     I understand.

          6        A.     There are a number of -- and it's a

          7   question that can be sort of answered at

          8   different technological levels.  But let me try

          9   to give a basic answer.

         10        Q.     Please.

         11        A.     You -- one of the factors is what

         12   is -- what are the basic hardware building

         13   blocks you are using.

         14        Q.     Okay.

         15        A.     But there are a lot of other

         16   factors that have to do with the -- the

         17   distances over which you are communicating.

         18        Q.     Geographic distances?

         19        A.     Geographic distances, yes.

         20        Q.     Okay.

         21        A.     With the software that you are

         22   using at the end points, with the amount of --

         23   the effective speed you get depends on how much

         24   congestion there is in the Net between Point A

         25   and Point B, and it also depends in complicated




                                                                       17

          1                   EDWARD FELTEN

          2   ways on sort of the design or architecture of

          3   the Internet and the networks.

          4        Q.     Okay.

          5               Are there any other factors in

          6   general terms --

          7                   MR. GARBUS:  Excuse me, what's

          8               that noise?

          9                   MR. HART:  I think you are

         10               hearing footsteps again, Marty.

         11               Just to be clear, I mean, there is

         12               a paging system in the office, and

         13               you may be hearing that and I

         14               apologize for that.

         15                   MR. GARBUS:  I see.  I see.

         16        A.     No other factors come to mind.

         17        Q.     Okay.

         18        A.     I may be missing something.

         19        Q.     Well, we'll be coming back to that.

         20   Again, I was looking for a sort of general

         21   answer --

         22        A.     Okay.

         23        Q.     -- at this point.

         24               Did you have an opportunity to

         25   review Mr. Appel's deposition transcript before




                                                                       18

          1                   EDWARD FELTEN

          2   you appeared here today?

          3        A.     Yes.

          4        Q.     Okay.

          5               Did he basically get it right?  Are

          6   there any things you disagree with in what he

          7   said?

          8        A.     I don't recall disagreeing with

          9   anything.

         10        Q.     Okay.

         11               Apart from your declaration which

         12   we've marked as Exhibit 3 here, have you

         13   prepared any materials, whether written or

         14   demonstrative, and by "demonstrative" I'm

         15   including such things as software or

         16   illustrations of how software works, in

         17   connection with your involvement in this case?

         18        A.     No.

         19        Q.     Do you plan to, prior to testifying

         20   at the trial?

         21        A.     No, I don't have any plans to do

         22   that.

         23        Q.     Okay.

         24               Can you tell me, to the best of

         25   your knowledge, what general areas you intend




                                                                       19

          1                   EDWARD FELTEN

          2   to or are prepared to testify on in the trial

          3   of this case?

          4        A.     Sure.

          5        Q.     Yes.

          6        A.     Well, of course I'll answer

          7   whatever questions I'm asked.

          8        Q.     Of course.

          9        A.     But what I would anticipate is I

         10   think laid out pretty well in the declaration.

         11        Q.     Okay.

         12        A.     And there is a list of four topics

         13   here.

         14        Q.     Okay.

         15               There is nothing else, to your

         16   knowledge, as we sit here today that you plan

         17   to testify on at the trial or that you are

         18   right now prepared to testify on at the trial

         19   apart from what's in your declaration?

         20        A.     I don't plan to testify to anything

         21   beyond this as opposed to -- if -- if you're --

         22   with regard to what I'm prepared to testify

         23   about in this -- I have a lot of general

         24   knowledge about computer science and my -- and

         25   my areas of specialty --




                                                                       20

          1                   EDWARD FELTEN

          2        Q.     Got you.

          3        A.     -- which I think I'm prepared to

          4   testify about that, but I don't expect to.

          5        Q.     Got you.  Okay.

          6               Have you ever personally been

          7   involved in a situation where a security or

          8   encryption system has been hacked, in a

          9   nonpejorative sense, and the results of that

         10   hack disseminated to others?

         11                   MR. GARBUS:  By "hack" you mean

         12               also broken or compromised?

         13        Q.     And again, I'm not trying to -- to

         14   be pejorative in any sense.  If you have a

         15   better word, I'll use your word.

         16        A.     Right.  So I'm interpreting

         17   "hacked" here to mean broken -- the system was

         18   broken or a flaw was found in it.

         19        Q.     Okay.  Fine.

         20        A.     And the result -- and the results

         21   of that -- if you take the results of that to

         22   include the knowledge of what was wrong with

         23   the system and how the -- how the -- the -- the

         24   flaw was discovered and so on, how it was

         25   fixed, then yes.




                                                                       21

          1                   EDWARD FELTEN

          2        Q.     In how many instances have you been

          3   involved in such a situation?

          4        A.     I'd estimate about a dozen.

          5        Q.     Okay.

          6               In each of those instances, was the

          7   proprietor of the system contacted after the

          8   flaw was discovered or the system was broken?

          9        A.     So when I said a dozen, I meant

         10   ones in which I had been involved in

         11   discovering the security flaw in one way or

         12   another.

         13        Q.     As opposed to?

         14        A.     As opposed to ones in which someone

         15   else had discovered it and I was aware of what

         16   was happening and so on.

         17        Q.     And in the latter category, how

         18   many were you involved in, in that way, where

         19   you weren't the discoverer but you were

         20   involved to one degree or another?

         21        A.     Maybe five.

         22        Q.     Okay.

         23               And what -- can we put a time span

         24   on all of these?  I mean, is there --

         25        A.     Sure.  We can start in, say, early




                                                                       22

          1                   EDWARD FELTEN

          2   1996 up until about the present.

          3        Q.     Okay.

          4               Now, with respect to any of them --

          5   and I'm including for the purposes of these

          6   questions both the ones that you were the

          7   discoverer of a flaw in and the ones where you

          8   weren't the discoverer but you were involved in

          9   some way or another in the exercise.  Were

         10   there any that involved some kind of contact or

         11   communication with the proprietor of the system

         12   regarding the existence of the flaw or of the

         13   compromise or of the break?

         14        A.     Yes.

         15        Q.     Did all of them involve some

         16   contact or communication with the proprietor of

         17   the system regarding that subject?

         18        A.     All of them did eventually.

         19        Q.     Okay.

         20               And by "eventually," what do you

         21   mean?

         22        A.     What I mean was that at some point

         23   in time the person who discovered the flaw

         24   communicated with the -- the -- what you call

         25   the proprietor, the -- the creator of the




                                                                       23

          1                   EDWARD FELTEN

          2   system to discuss the flaw.

          3        Q.     Okay.

          4               Now, in the 12 instances where you

          5   personally were the discoverer of the flaw, was

          6   it you in each of those 12 instances that

          7   communicated with the proprietor of the system

          8   regarding the flaw?

          9        A.     Yes.

         10        Q.     Okay.

         11               And how did you do that in each

         12   instance?

         13        A.     If I knew who were the engineers

         14   within the -- the -- the proprietor of the

         15   system who were responsible for the security

         16   aspects of it, I would just call them directly.

         17        Q.     Got you.

         18        A.     Although it's not easy to find out

         19   who those people are if you don't already have

         20   a relationship with the company.

         21        Q.     Okay.

         22        A.     And so if you don't, then you have

         23   to go in through the front door.

         24        Q.     Right.

         25        A.     But -- bug reporting mechanism or




                                                                       24

          1                   EDWARD FELTEN

          2   something like that.

          3        Q.     Got you.  Okay.

          4               Now, were any of the 12 instances

          5   that you were involved in as the discoverer of

          6   the flaw situations where you had some

          7   relationship with the company that was the

          8   proprietor of the system?

          9        A.     No, not always.

         10        Q.     Okay.

         11               Was there any where you did have a

         12   relationship with the proprietor of the system?

         13        A.     Yes.

         14        Q.     How many out of the 12, roughly?

         15        A.     The majority of them.

         16        Q.     Okay.

         17               And by "relationship" what do --

         18   what do you mean?

         19        A.     What -- what I mean by that is I

         20   had already had some discussions or some

         21   dealings with the engineers within those

         22   companies who were responsible for the security

         23   of the products.

         24        Q.     Okay.

         25               And did that mean that the process




                                                                       25

          2   of your discovering the flaw in the system and

          3   communicating it to the proprietor was a role

          4   that you played with the company's approval?

          5                   MR. GARBUS:  I would object to

          6               the form, but I'll allow the

          7               witness to answer it.

          8        A.     I'm not sure I fully understand

          9   what you mean.  I didn't need anyone's approval

         10   to call these people and talk to them.

         11        Q.     No -- okay.  Fair enough.

         12               And I guess what I'm trying to get

         13   at, and I apologize for the awkwardness of my

         14   question, is you say in the majority of

         15   instances you did have some relationship with

         16   the proprietor.

         17                   MR. GARBUS:  I think the use of

         18               the word "relationship" is vague,

         19               and I think you could probably be

         20               more specific and get the answers

         21               that you want.

         22        A.     Well, I said what I meant by

         23   relationship a minute ago.

         24        Q.     Right.

         25        A.     Which was that I had had some




                                                                       26

          2   dealings with the engineers within the company

          3   responsible for the security of the product.

          4        Q.     Okay.

          5        A.     And that those dealings could just

          6   have been a few conversations.

          7        Q.     Got you.

          8        A.     Because it -- just to clarify, it

          9   does not necessarily mean any kind of formal

         10   relationship with the company.

         11        Q.     Okay.

         12               In any of the instances where you

         13   discovered the flaw in a security system, was

         14   that done with the company's awareness at the

         15   time?

         16        A.     In some of them.

         17        Q.     Okay.

         18               How many of the 12?

         19        A.     It depends exactly how you

         20   interpret "awareness."

         21        Q.     Okay.

         22        A.     The companies were -- I'd say in

         23   the majority of the cases the companies were

         24   aware that we were examining their software --

         25        Q.     Okay.




                                                                       27

          2        A.     -- in general, or that we were

          3   examining software that was in the same general

          4   area as theirs.  So they might have suspected

          5   that we were looking for flaws in their

          6   software.

          7        Q.     In how many instances?

          8        A.     In the majority of instances --

          9        Q.     Okay.

         10        A.     -- the companies were aware at

         11   least that we were out there and we were

         12   looking at security vulnerabilities in a

         13   particular category of software.

         14        Q.     And to your knowledge, how were the

         15   companies aware of that fact?

         16        A.     In most of the cases, because --

         17   either because of conversations I had had with

         18   the -- the engineers or because we had found

         19   previous security flaws in that company's

         20   software or because of the reports in press.

         21        Q.     Okay.  Let's take the last two.

         22               Because you had previously

         23   discovered flaws in that company's security

         24   system.

         25        A.     Yes.




                                                                       28

          2        Q.     Not necessarily the same system or

          3   the same system?

          4        A.     There would -- there would have

          5   been some cases of each.

          6        Q.     Okay.

          7               And in the instances -- in those

          8   instances where you had previously discovered a

          9   flaw in one of those companies' systems, had

         10   you communicated that fact to that company at

         11   that time?

         12        A.     At which time?

         13        Q.     At the previous time.

         14        A.     At the time that we discovered the

         15   previous flaw?

         16        Q.     Previous.  Correct.

         17        A.     Let me think, think about the

         18   cases.

         19                   MR. GARBUS:  May I hear the

         20               last question?

         21                   (Record read)

         22        A.     Yes.

         23        Q.     Okay.

         24               And I believe you said as the third

         25   prong of your answer a couple of questions ago




                                                                       29

          2   something about because some information

          3   concerning a flaw had been published.  And I

          4   don't want to mischaracterize your testimony.

          5   We can go back and reread it.

          6        A.     I think I said because of reports

          7   in the press.

          8        Q.     Reports in the press.  And --

          9        A.     Yes.

         10        Q.     -- can you describe what you mean

         11   by "reports in the press"?

         12        A.     Sure.  What I mean is by stories in

         13   major newspapers, for example, and Internet

         14   media about the existence of flaws and our

         15   discovery of them.

         16        Q.     Okay.

         17               Now, in each instance where you

         18   were the discoverer of a flaw, did you make an

         19   effort to contact the proprietor of the

         20   compromised system, if you will, prior to

         21   causing the disclosure of any information

         22   concerning the weakness to be generally

         23   publicized?

         24        A.     We did make an attempt in every

         25   case, but we were not always successful.




                                                                       30

          2        Q.     Got you.

          3        A.     Actually, let me clarify a little

          4   bit.

          5        Q.     Yes, please.

          6        A.     I can think of at least one

          7   instance in which we did report the existence

          8   of the vulnerability to the company through a

          9   sort of pub -- general public bug reporting

         10   mechanism.  And nothing happened as a result of

         11   that.  We were unable to determine who else to

         12   talk to inside the company, and later the --

         13   the company reported that -- that they had --

         14   that they essentially don't look through those

         15   -- those bug reports.

         16        Q.     Got you.


         17        A.     So in other words --

         18        Q.     You did --

         19        A.     We attempted to reach the right

         20   people within the company, but not already

         21   having a relationship with the company, we were

         22   unable to actually effectively communicate with

         23   them.

         24        Q.     Got you.

         25               And just to clarify a general




                                                                       31

          2   public bug reporting mechanism in lay terms,

          3   would that be --

          4        A.     So that --

          5        Q.     -- a facility that the company

          6   itself sets up, like a hotline or an e-mail

          7   line --

          8        A.     That's right, yes.

          9        Q.     -- that says, gee, if you have

         10   discovered any flaws or bugs in our software,

         11   please communicate those to us at this address?

         12        A.     Yes, that's what I meant.

         13        Q.     Okay.

         14               And apart from that instance where

         15   your -- which you just described, in all of the

         16   other instances that you've been involved in,

         17   either the 12 where you were the discoverer or

         18   the 5 where you were in some way involved but

         19   not the discoverer of the flaw, to the best of

         20   your knowledge, was an effort made to

         21   communicate with the proprietor of the system

         22   concerning the flaw before any information

         23   concerning the flaw was generally publicized?

         24        A.     No, I don't believe that was the

         25   case in -- in every -- in every situation.




                                                                       32

          2        Q.     Okay.

          3               Which ones were the exceptions?

          4        A.     I can think of a couple in which

          5   the information was publicized on the Net, and

          6   in at least one case in the news media before

          7   -- before, as far as I know, the -- the vendor

          8   of the system was -- was contacted.

          9        Q.     Okay.

         10               And so in total, out of the 17 we

         11   are talking about, both where you were the

         12   discoverer and the ones where you were

         13   involved, how many fit into this category?

         14        A.     Category of --

         15                   MR. GARBUS:  Category of?

         16               Public notice before --

         17        Q.     Where some information was

         18   disclosed publicly before the proprietor of the

         19   system was communicated with about the flaw.

         20        A.     Out of the roughly 17, perhaps 13

         21   or 14 would fall into that category.

         22        Q.     That is, some disclosure was made

         23   publicly before --

         24        A.     No, I'm sorry.  Some dis -- some --

         25   some disclosure or discussion with the vendor




                                                                       33

          2   occurred before --

          3        Q.     Okay.

          4        A.     -- information became public.

          5        Q.     So in 13 cases approximately out of

          6   the 17 --

          7        A.     Approximately.

          8        Q.     -- the vendor was contacted before

          9   any of the public disclosure was made?

         10        A.     Approximately, yes.

         11        Q.     Leaving us with approximately four

         12   where disclosure publicly was made about the

         13   flaw before the vendor was contacted, is that

         14   right?

         15        A.     That's right.

         16        Q.     Okay.  Sorry for the confusion.

         17   Thanks for clarifying that.

         18               Now, of those four, okay -- and you

         19   know which four I'm referring to?

         20        A.     Yes.

         21        Q.     Okay.

         22               -- how many of those were ones

         23   where you were the discoverer of the flaw as

         24   opposed to you were just involved but not the

         25   discoverer of the flaw?




                                                                       34

          2        A.     I believe there was one, one case

          3   where we were -- where I was one of the

          4   discoverers in which it was -- where -- in

          5   which the information became public before the

          6   --

          7        Q.     Got you.

          8        A.     -- the vendor was aware of it.

          9                   MR. GARBUS:  Do you want some

         10               more water?

         11                   THE WITNESS:  Please.

         12        Q.     Okay.

         13               Let's focus on that one for a few

         14   minutes.

         15        A.     Okay.

         16        Q.     That's where we are going to spend

         17   a little time.

         18               How much detail can you give me

         19   here today about whose system it was, what the

         20   system was, what the flaw was and where it was

         21   publicized?

         22        A.     Sure.  So the one that I'm

         23   referring to is the one that I referred to

         24   before in which we made an attempt to talk to

         25   the -- the vendor, but we were unsuccessful in




                                                                       35

          2   doing it.

          3        Q.     Oh, okay.

          4               So let me just have her read back.

          5   It's for my sake, not for yours.  I'm trying to

          6   keep this as accurate as possible.

          7                   MR. HART:  Ms. Reporter, if

          8               you'd go back three questions ago,

          9               I think, and answer.

         10                   THE VIDEOGRAPHER:  Off the

         11               record at 11:00.

         12                   (Record read)

         13                   THE VIDEOGRAPHER:  Back on the

         14               record, 11:05.

         15                   MR. HART:  Thank you.

         16        Q.     Okay.

         17               And before we went off the record,

         18   just to make sure we didn't miss a beat here,

         19   the one instance where you were involved as the

         20   discoverer where information concerning the

         21   flaw was publicized before the vendor was

         22   effectively contacted was, I believe, the

         23   instance you said earlier you had tried to

         24   communicate through the general public bug

         25   reporting mechanism, but apparently that




                                                                       36

          2   communication didn't work.

          3        A.     That's right.

          4        Q.     Okay.

          5               Now, of the other three where you

          6   weren't the discoverer of the flaw and where

          7   something about the flaw was publicized prior

          8   to the vendor being contacted, can you just

          9   tell me generally the circumstances in which

         10   each of those went down?

         11        A.     Well, the -- I don't recall the

         12   specific details, although what I -- what I

         13   recall is that -- what I recall is that the

         14   people who discovered those flaws did talk

         15   about them publicly before they contacted the

         16   vendors.  I don't -- I don't recall the

         17   specific circumstances or why they did that.

         18        Q.     Okay.

         19               Do you regard that as inappropriate

         20   in terms of ethical standards or any other

         21   practice in your experience with respect to

         22   security, testing security or discovering

         23   flaws?

         24        A.     I think it de --

         25                   MR. GARBUS:  I was going to say




                                                                       37

          2               I object to the form of the

          3               question.  I also object to the

          4               substance.  Mr. Felten clearly will

          5               answer it.

          6                   MR. HART:  Okay.

          7        A.     I think it depends on the

          8   circumstances really.  I don't think there is a

          9   general ethical requirement to -- to discuss

         10   these things with the vendor before discussing

         11   them with anyone else.

         12        Q.     Is there a general practice that

         13   that be done, even if there is not a

         14   requirement in other words?

         15                   MR. GARBUS:  I would object to

         16               that.  I'll allow Mr. Felten to

         17               answer it.

         18        A.     I think there -- there are

         19   different schools of thought about what is the

         20   best way to proceed in those situations.  And

         21   -- well, I want to make clear that what I'm

         22   talking about here is not whether you discuss

         23   these things publicly, but just the timing.

         24   Whether one discusses -- I think in general

         25   it's helpful to discuss these sorts of issues




                                                                       38

          2   with what -- to discuss them widely.  And we

          3   are just talking about whether -- who you call

          4   first essentially, not whether you call anyone

          5   in particular.

          6        Q.     But is it your testimony that as a

          7   matter of practice, professionally speaking --

          8        A.     I think --

          9        Q.     -- that -- and I don't want to --

         10   maybe I should reframe the question, because

         11   I don't want to combine it with a lot of double

         12   negatives.

         13               As a matter of practice, is it the

         14   norm to contact the vendor first?

         15                   MR. GARBUS:  Objection.

         16                   THE WITNESS:  I'm not sure

         17               there is a norm that's -- that is

         18               widely followed.

         19        Q.     Let me ask you this, because I

         20   believe you said, correct me if I'm wrong, that

         21   out of the 12 where you were the discoverer,

         22   that in every one, save one, the vendor was

         23   contacted.  And in the one -- for the one

         24   exception, you had indeed contacted the vendor

         25   through the general reporting bug mechanism but




                                                                       39

          2   that didn't take, if you will?

          3        A.     Yes, that's right.

          4        Q.     Okay.

          5        A.     And the reason we did that --

          6        Q.     We or you?

          7        A.     Me in particular.  I say "we"

          8   because I'm referring to a research group of

          9   which I'm the head.

         10        Q.     Okay.

         11        A.     And so if the -- when the contact

         12   would occur I would be the one who did it.

         13        Q.     Okay.

         14        A.     That would sort of be on behalf of

         15   the group.

         16        Q.     Okay.  Got you.

         17        A.     And the reason that -- the reason

         18   that we have typically done it in -- in that

         19   way, the reason we've typically contacted the

         20   vendor first is that that seems to cause the

         21   vendor to -- to be more careful and thoughtful

         22   when they issue their first pub -- public

         23   reaction to the -- to the discovery of the

         24   flaw.  It helps -- I've found it helps to give

         25   them some time to think about it before they




                                                                       40

          2   have to answer questions from the reporters or

          3   from the public about the flaw.

          4        Q.     Okay.

          5        A.     And that's -- that's the main

          6   reason why -- why -- why we have typically

          7   talked to the vendor first.

          8        Q.     Does it also give the vendor an

          9   opportunity to fix, ameliorate or at least put

         10   a Band-Aid on the flaw, if you will?

         11        A.     It lets them start the process of

         12   fixing the flaw --

         13        Q.     Okay.

         14        A.     -- but it is not our practice of

         15   waiting until they ship to fix.

         16        Q.     I understand.

         17               But is part of your purpose in

         18   contacting the vendor before making disclosure

         19   generally to give the vendor some kind of head

         20   start in attempting to make a fix?

         21        A.     That's part of it.  To make a head

         22   start, to have a little bit of time to think

         23   about what their approach is going to be to

         24   fixing it, and so on.

         25        Q.     Okay.




                                                                       41

          2        A.     And we would typically --

          3        Q.     Yeah.  Okay.

          4        A.     So we would typically give sort of

          5   48 to 72 hours sort of head start to the

          6   vendor, talk to them, and then after a delay of

          7   a couple of days discuss the -- the

          8   vulnerability publicly.

          9        Q.     When you say "discuss the

         10   vulnerability publicly," in each of the 12

         11   instances where you were the discoverer, how

         12   did you wind up discussing the vulnerability

         13   publicly?  And if you can answer generally,

         14   that's fine.  If you have to go through --

         15        A.     Generally in a number of different

         16   ways.

         17        Q.     Go ahead.

         18        A.     We would put something on our Web

         19   site discussing the -- the vulnerability.  We

         20   would typically send a message to the Risks

         21   Digest, which is a -- an online forum for

         22   discussing -- for discussing in general the

         23   risks and vulnerabilities relating to

         24   computerized systems, and send it to other

         25   similar places.




                                                                       42

          2               We would talk to any reporters,

          3   members of the press who -- who had seen those

          4   announcements.  And there were, in addition,

          5   some people in the press who specifically

          6   requested that we inform them when we found

          7   something, and we would inform them.  And then

          8   that would -- that would be the immediate

          9   steps.  And then we would later pub -- publish

         10   papers describing what we had found and what we

         11   could learn from it.

         12        Q.     Okay.

         13        A.     But, of course, the academic cycle

         14   is a bit longer.

         15        Q.     I understand.

         16        A.     So those would become available to

         17   the public later.

         18        Q.     Got you.

         19               And by "public," are you referring

         20   to the academic, scientific and scholarly

         21   community or the general public or both?

         22        A.     Both.

         23        Q.     Okay.

         24               Now, in this first wave of

         25   disclosure, if you will, before scholarly




                                                                       43

          2   publications are issued, can you generally

          3   describe the content of the disclosure that was

          4   made in each instance?

          5        A.     Well, we would typically describe

          6   it in different levels of technical detail

          7   because -- because we -- there are different

          8   audiences of people who are interested.  The

          9   general public doesn't necessarily want to know

         10   all the bits and bytes, but there's a large

         11   community of -- of computer experts who do.

         12   And so we would -- we might write two or three

         13   different descriptions of -- ranging from 

         14   sort of what the general public -- what we

         15   thought the general public would want to know,

         16   what's the general nature of the vulnerability,

         17   how can they protect themselves, and so on, and

         18   ranging up to more technical descriptions for

         19   people who were really interested in the -- in

         20   the details and wanted to understand in more

         21   detail how -- what the vulnerability was.

         22        Q.     Okay.

         23               And would those more technical

         24   descriptions include algorithm as part of the

         25   disclosure?




                                                                       44

          2        A.     In some cases.

          3        Q.     Okay.

          4               Would it include code?

          5        A.     In some cases there -- there was

          6   code in there.

          7        Q.     Which cases?  We are talking about

          8   the 12 now?

          9        A.     We are talking about, yes, the ones

         10   in which we -- in which I was involved as a

         11   discoverer.

         12        Q.     Okay.  How many -- I'm sorry.

         13               How many of the 12 involved the

         14   publication of some form of code in connection

         15   with the disclosure of the weakness?

         16        A.     And here we're talking about just

         17   the immediate disclosure that occurs, not what

         18   we do --

         19        Q.     Scholarly later.

         20        A.     -- later.  Right.

         21               The later papers are not only for

         22   scholars, but also intended in some cases for

         23   -- more for members of the public.

         24        Q.     Okay.  Fair enough.  I didn't mean

         25   to -- sorry.




                                                                       45

          2        A.     Right.  I mean scholarly articles

          3   in the usual scholarly places.  Also, the

          4   magazines that are more widely read,

          5   information on our Web site which gets accessed

          6   by a lot of people with different levels of

          7   expertise.

          8               But to return back to the

          9   clarification to the -- to the initial question

         10   --

         11        Q.     Right.

         12        A.     -- in the initial disclosure -- I'm

         13   sorry, I've lost the question now.  You were

         14   asking what was --

         15        Q.     I was trying to get at how much

         16   detail was disclosed, and you said well, that

         17   varied depending on the audience.

         18        A.     Yes.

         19        Q.     And I think you said in some

         20   instances it was more technical.  And then we

         21   were focusing on the more technical

         22   disclosures, and I asked you whether in any

         23   instances that included algorithms, and I

         24   believe you said yes.  And then I asked you if

         25   in any of those instances it included code in




                                                                       46

          2   one form or another, and I believe you said

          3   yes.  And I think the question we're up to now

          4   was out of those 12, which instances of the 12

          5   included code in the initial wave of

          6   disclosure?

          7        A.     I could only guess.

          8        Q.     Well, I don't want you to guess,

          9   but if you could approximate that would be

         10   great.

         11        A.     Out of 12, maybe 3 --

         12        Q.     Okay.

         13        A.     -- would be an estimate.

         14        Q.     Okay.

         15               And I'm going to work with that

         16   three number for now unless you --

         17        A.     Right, with the understanding it's

         18   an approximation.

         19        Q.     I understand.  And I -- again, I'm

         20   not trying to box you in.

         21        A.     Sure.

         22        Q.     We need to organize this in some

         23   way, so I'm going to work with those three

         24   which involved in the initial wave of

         25   disclosure, if you will, some form of code in




                                                                       47

          2   one way or another.  Okay?

          3        A.     Okay.

          4        Q.     Good.

          5               Can you recall whether that

          6   involved the inclusion of source code or object

          7   code or both?

          8        A.     I think it would have been source

          9   code in the initial -- in the initial

         10   disclosure.

         11        Q.     Okay.

         12        A.     And I'm talking here again only

         13   about the initial disclosure.

         14        Q.     I understand.

         15               And was there a reason why source

         16   code was used rather than object code in the

         17   initial disclosure?

         18        A.     Yes.

         19        Q.     Why was that?

         20        A.     I can think of two reasons.  Number

         21   one is that the -- the soft -- the flaws that

         22   we were looking at generally were ones that

         23   applied across different platforms, different

         24   types of computers, different operating

         25   systems.  And so with object code you would




                                                                       48

          2   have had to make -- we would have had to make a

          3   different version for each platform.

          4        Q.     Okay.

          5        A.     And in the initial disclosure, one

          6   of the things we want to do is get the

          7   information out there quickly.

          8        Q.     Right.

          9        A.     And so it's more expedient in that

         10   situation to -- to distribute source code.

         11        Q.     That's reason one, correct?

         12        A.     Right.

         13        Q.     What was reason number two?

         14        A.     Reason two is with -- is that

         15   source code is generally easier for people to

         16   read.  And again, in the sort of the quickie

         17   initial disclosure --

         18        Q.     Got you.

         19        A.     -- that's -- we would rather do

         20   less work than more in order to get it out

         21   quickly.  So if we had to do one thing, that's

         22   what we would do.

         23        Q.     I understand.

         24               And with respect to the inclusion

         25   of source code in these initial public




                                                                       49

          1                   EDWARD FELTON

          2   disclosures, was that annotated code with

          3   comment or was it -- and you probably have a

          4   more scientific term for this.  I would say

          5   unexpurgated code.

          6        A.     It could be either.

          7        Q.     What was it, in fact, in the three

          8   instances?

          9        A.     I'm not sure which one it would

         10   have been.

         11        Q.     Okay.

         12        A.     Generally, we would have taken what

         13   we had --

         14        Q.     Got you.

         15        A.     -- what we would have developed

         16   ourselves in our own internal experimentation,

         17   and if that had comments in it, then the

         18   comments would probably be there when we

         19   disclosed it.  If it didn't when we were

         20   working with it internally, then probably it

         21   would not.

         22        Q.     But you can't remember as you sit

         23   here today?

         24        A.     I can't remember the specific cases

         25   what -- what the situation was.




                                                                       50

          1                   EDWARD FELTON

          2        Q.     Do you have data within your

          3   possession or control in some form that would

          4   give you an answer to that if you were able to

          5   look?

          6        A.     I might be able to.  We -- we may

          7   have access to some of the initial disclosures.

          8   I don't think we have them all.

          9        Q.     And when you say we might have

         10   access, what do you mean?

         11        A.     What I mean is that if things were

         12   sent in e-mail there might be -- there might be

         13   -- I might still have copies of some of the

         14   e-mail, for example.

         15        Q.     Okay.

         16               And again, we are not -- just to be

         17   clear, we are not talking about the disclosure

         18   of the vendor, we are talking about the initial

         19   public disclosure?

         20        A.     Right, the initial public

         21   disclosure, that's right.

         22        Q.     Okay.

         23               Now -- and those e-mails would be

         24   resident somewhere on a computer somewhere at

         25   Princeton somewhere within your office area or




                                                                       51

          1                   EDWARD FELTON

          2   your lab?

          3        A.     If I have them, yes.

          4        Q.     Yeah.  I understand.  Okay.

          5               Now, in the three instances that

          6   we're talking about, to the best of your

          7   recollection was -- what was the code that was

          8   part of the initial public disclosure; was it

          9   code of the system that had the flaw, was it

         10   code of the thing that enabled you to detect

         11   the flaw or was it something else?

         12        A.     It would not have been code of the

         13   flawed system, because we did not have

         14   permission.  In most cases we did not have

         15   source code for the flawed system, and in cases

         16   where we did, we did not have permission to

         17   publish it.

         18        Q.     Okay.

         19        A.     That is, you know, we had received

         20   it under some kind of confidentiality agreement

         21   or under some kind of license that did not

         22   allow us to republish it.  So it would have

         23   been code -- it would have had to have been

         24   code related to the exploitation of the

         25   vulnerability or demonstration of it.




                                                                       52

          1                   EDWARD FELTON

          2                   MR. HART:  Okay.  Can you just

          3               read the last answer back?  And,

          4               again it's my brain, not your

          5               testimony.

          6                   (Record read)

          7        Q.     Okay.

          8               So again, focusing on the three

          9   instances approximately where you were the

         10   discoverer of the flaw, where the initial wave

         11   of public disclosure included code in one form

         12   or another --

         13        A.     Mm-hmm.

         14        Q.     -- it's your testimony that you did

         15   not disclose the code of the system because you

         16   got access to the system code or the system

         17   itself by either confidentiality agreement or

         18   license; is that --

         19        A.     That's right, yes.

         20        Q.     Okay.

         21        A.     In -- some companies have policies

         22   in which they will provide source code for

         23   products to any academic researcher under some

         24   kind of confidentiality agreement, and under

         25   some cases we had that -- that kind of




                                                                       53

          1                   EDWARD FELTON

          2   arrangement.  So I don't -- I didn't mean to

          3   imply that it was a special arrangement made

          4   between the vendor and us necessarily.

          5        Q.     Got you.

          6        A.     It may have been a sort of blanket

          7   one that they make available to everyone in the

          8   academic community.

          9        Q.     Fair enough.

         10               But just to be clear, with respect

         11   to the three instances where the initial public

         12   disclosure involved the publication of code in

         13   one form or another, in each of those three

         14   instances you had gotten access to the system

         15   or to the system code through some kind of

         16   license or confidentiality agreement?

         17        A.     To the source code.

         18        Q.     Okay.

         19        A.     Via -- right.

         20        Q.     Okay.

         21        A.     Either I or my boss had signed a

         22   piece of paper promising not to publish that

         23   code.

         24        Q.     Got you.  Okay.

         25               And you said that was disclosed,




                                                                       54

          1                   EDWARD FELTON

          2   therefore, in the initial wave of public

          3   disclosure as not the source code of the system

          4   but rather what?

          5        A.     Source code that was needed in one

          6   way or another to discuss or demonstrate the --

          7   the vulnerability that we -- that we were

          8   disclosing.

          9        Q.     Okay.

         10               And can you tell me as you sit here

         11   today with respect to the three -- or

         12   approximately three instances that we're

         13   talking about, what in each of those three

         14   instances was included in the dissemination,

         15   how much code, what did it reveal?

         16        A.     No, I can't tell you the specifics

         17   as I sit here today.

         18        Q.     Okay.

         19               Can you tell me generalities?

         20        A.     Well, in general we would disclose

         21   --

         22                   MR. GARBUS:  I think he's

         23               answered that already.

         24        A.     -- whatever we thought was

         25   necessary in order to -- in order to




                                                                       55

          1                   EDWARD FELTON

          2   communicate the message that we were trying to

          3   communicate, the nature of the vulnerability.

          4        Q.     Got you.

          5        A.     The fact that the -- what the risk

          6   was to -- to members of the public, what the

          7   cause of the vulnerability might have been and

          8   so on.

          9        Q.     Okay.  I'm sorry.  I didn't mean to

         10   --

         11        A.     That's all.

         12        Q.     Cool.

         13               When you say to alert the public in

         14   each of these three instances, what was the

         15   concern for public safety or security?

         16        A.     Well, there are several aspects to

         17   that.  There are several reasons to alert the

         18   public in this sort of situation.

         19               One is that members of the public

         20   were using software systems which made them

         21   vulnerable, and we thought they had a right to

         22   know that, to understand what the nature of the

         23   vulnerability was, what the conse -- possible

         24   consequences were.

         25               Also, we thought that the public




                                                                       56

          1                   EDWARD FELTON

          2   had a -- a need to sort of understand the track

          3   record of the various vendors over time.

          4        Q.     Okay.

          5        A.     And understand that.

          6               We felt the people who were

          7   thinking about buying into a particular

          8   technology in one way or another, either by

          9   using it, by partnering with the vendor, by --

         10   or whatever way, had a right to understand what

         11   they were getting.  And we also believed that

         12   discussion of these sorts of vulnerabilities

         13   leads to progress in understanding how to build

         14   better systems.

         15        Q.     Okay.

         16               And all of these considerations

         17   that you just described in your last answer

         18   were applicable in the initial public

         19   disclosure of the flaw in the three instances

         20   where we're talking about where code was

         21   present in one form --

         22        A.     That's why we -- the reasons I gave

         23   you were why we communicate with the public

         24   about these things --

         25        Q.     Okay.




                                                                       57

          1                   EDWARD FELTON

          2        A.     -- and whatever disclosures we make

          3   in general are motivated by those -- by those

          4   goals.  So without going into specifics

          5   because, as I said, I don't remember the

          6   specific circumstances in detail --

          7        Q.     Right.

          8        A.     -- we -- in each of these

          9   situations we would have done what we thought

         10   were best to achieve those goals.

         11        Q.     Got you.  Okay.

         12               Now, in each of the three instances

         13   where there was an initial public disclosure

         14   that included some code in one form or another,

         15   okay, did any of those three involve the making

         16   available to the general public of some kind of

         17   executable utility that would enable people to

         18   use that utility to take advantage of the flaw?

         19        A.     By "executable utility," you mean

         20   object code --

         21        Q.     Well --

         22        A.     -- in particular or what?

         23        Q.     Yeah, I guess.  And obviously you

         24   have a little bit more expertise in that area

         25   than I do, so I apologize for my clumsiness.




                                                                       58

          1                   EDWARD FELTON

          2               But when I say an "executable

          3   utility," what I mean is software that is

          4   operable to do a machine function or a process.

          5   And specifically in this context, despite my

          6   question, I'm talking about software that's

          7   operable on a machine to actually take

          8   advantage of the flaw that was discovered.

          9                   MR. GARBUS:  Can I have the

         10               question read?

         11                   (Record read)

         12                   MR. GARBUS:  I object to the

         13               question.  I think the witness has

         14               already answered it.

         15                   MR. HART:  Okay.  I don't want

         16               you to testify, Marty.  I'd like an

         17               answer to the question.

         18                   MR. GARBUS:  Okay, but --

         19                   MR. HART:  Marty, if you have

         20               an objection, state the objection

         21               briefly.  I do not want you

         22               coaching the witness.

         23                   MR. GARBUS:  I don't care to be

         24               lectured.

         25                   MR. HART:  I'm not lecturing.




                                                                       59

          1                   EDWARD FELTON

          2                   MR. GARBUS:  I'm objecting to

          3               the question on the grounds that

          4               the witness has already answered

          5               the question.

          6                   MR. HART:  He has not.  Are you

          7               instructing him?

          8                   MR. GARBUS:  I have no

          9               objection to allowing the witness

         10               to answer the question.  I am not,

         11               in any objection that I make, going

         12               to tell this witness not to answer

         13               any question.

         14                   MR. HART:  Good.  So can I have

         15               an answer?

         16                   MR. GARBUS:  I'm entitled to

         17               state the grounds for my objection,

         18               and I would appreciate it if you

         19               would not interrupt me.  Go ahead,

         20               Mr. Felten.

         21                   MR. HART:  Thank you,

         22               Mr. Garbus.

         23        A.     Okay.  There's a distinction here

         24   between exploiting the vulnerability and

         25   demonstrating it --




                                                                       60

          1                   EDWARD FELTON

          2        Q.     Okay.

          3        A.     -- okay, which I want to draw.

          4        Q.     Okay.

          5        A.     And by "demonstrating" what I mean

          6   is showing that -- showing that the flaw or the

          7   vulnerability exists by actually doing

          8   something which -- which the designers of the

          9   system say is supposed to be impossible.

         10        Q.     Mm-hmm.

         11        A.     And by "exploiting" I mean using

         12   that capability of violating the designer's

         13   rules to actually do something which is illegal

         14   or damaging.

         15        Q.     Got you.

         16        A.     So we would not distribute code

         17   which -- which breaks the law, say, which

         18   allows you to break into someone else's

         19   computer, but we would -- but we would, if --

         20   in certain circumstances distribute code which

         21   demonstrated that the rules could be violated.

         22        Q.     Okay.

         23               And appreciating the distinction

         24   that you just made --

         25        A.     Yes.




                                                                       61

          1                   EDWARD FELTON

          2        Q.     -- how do you -- how did you do

          3   that in actuality?
          
          4        A.     So, let me give an example, okay?

          5   Suppose that -- suppose that we had found a

          6   flaw which let someone construct a Web page

          7   such that when someone views the Web page the

          8   Web page can sort of take over their Web

          9   browser and do whatever the constructor of the

         10   page wants it to do, okay?  So you can

         11   demonstrate that by making a Web page which,

         12   say -- by making a Web page which demonstrates

         13   that it can create some harmless file on the

         14   person's machine.

         15        Q.     Right.

         16        A.     As opposed to something which

         17   actually seizes control of their machine.

         18        Q.     Okay.  Let's -- that's an

         19   instructive example.

         20        A.     So it steps outside the rules of

         21   what the browser's security system says is

         22   supposed to be possible, and it does something

         23   which demonstrates that those rules are not

         24   enforced.

         25                   (Record read)




                                                                       62

          1                   EDWARD FELTON

          2        Q.     I just want to concretize what you

          3   said in the context of the specific ones you've

          4   -- the situations you were involved in.  And

          5   you gave an instructive example.

          6               With respect to the three where

          7   some code was included in the initial public

          8   disclosure of the weakness of the system, was

          9   there public dissemination of computer code

         10   that was functional code to enable someone to

         11   defeat the system or to take advantage of the

         12   flaw?

         13        A.     Well, whatever code we would have

         14   distributed would be functional code in the

         15   sense that I'm taking from your previous

         16   explanations and the questions, that is, code

         17   which actually describes or specifies behavior.

         18        Q.     Right.

         19        A.     That's what code is designed to do,

         20   to describe behavior.

         21        Q.     Got you.

         22        A.     And -- I'm sorry.  Could I repeat the

         23   question back then?

         24        Q.     Well, let me -- let me ask it a

         25   different way, because I think we're getting




                                                                       63

          1                   EDWARD FELTON

          2   hung up unnecessarily here.

          3                   MR. GARBUS:  That was the basis

          4               of my previous objection, that you

          5               were not understanding what the

          6               witness was saying.  And that's why

          7               --

          8                   MR. HART:  Well, I think I am,

          9               Marty.

         10                   MR. GARBUS:  -- and that's why

         11               --

         12                   MR. HART:  I don't need to be

         13               lectured either.  So if you have an

         14               objection, make it.  Otherwise,

         15               let's proceed.

         16                   MR. GARBUS:  And that's why

         17               there is confusion.

         18                   MR. HART:  I don't think there

         19               was any confusion, Marty.  If you

         20               have an objection, make it.

         21               Otherwise, let's proceed.

         22        Q.     You said all code is functional to

         23   some degree.

         24        A.     Yes.

         25        Q.     Okay.




                                                                       64

          1                   EDWARD FELTON

          2        A.     In the sense that it describes

          3   behavior, it has that -- it has that aspect.

          4   It's functional in the sense that it describes

          5   a particular thing the computer could do.

          6        Q.     Okay.

          7               What I'm trying to get at here in

          8   the three instances that we've been focused on

          9   for the last 15 or 20 minutes is whether as

         10   part of the initial public disclosure you or

         11   the people you worked with disseminated

         12   software that was immediately operable in

         13   someone else's computer to take advantage of

         14   the flaw or the defect in the system.

         15                   MR. GARBUS:  Object to the form

         16               of the question.

         17        A.     Not immediately operable in the

         18   sense that it was not object code.

         19        Q.     Okay.

         20        A.     And again, I don't -- I don't

         21   recall the specifics of these situations, but

         22   in general as I said, our policy was to include

         23   whatever we thought needed to be included to --

         24   to make the points to -- to satisfy the goals

         25   that -- that we were trying to satisfy in




                                                                       65

          1                   EDWARD FELTON

          2   disclosing the -- and discussing the

          3   vulnerability.  And so to the extent that that

          4   required us to -- to disclose code, then we

          5   did.

          6        Q.     Okay.

          7               But in disclosing code, were you

          8   cognizant of trying to avoid providing

          9   something to people that could be used to take

         10   advantage of the flaw?

         11        A.     That was --

         12                   MR. GARBUS:  I object to the

         13               question.  It's already been asked

         14               and answered.

         15        A.     That was -- that was one of the

         16   things we took into account in deciding what to

         17   disclose or what to discuss publicly.

         18        Q.     And we've been making a distinction

         19   so far between what I think was the initial

         20   public disclosure --

         21        A.     Yes.

         22        Q.     -- versus what was later disclosed?

         23        A.     Yes.

         24        Q.     Okay.

         25               Now I'd like to go to the -- what




                                                                       66

          1                   EDWARD FELTON

          2   was later disclosed --

          3        A.     Okay.

          4        Q.     -- and essentially ask you the same

          5   question, which is in terms of disseminating to

          6   the public code in any form in these later

          7   disclosures, whether you made available to the

          8   general public an executable utility or some

          9   other piece of software that enabled people to

         10   take advantage of the flaw as opposed to merely

         11   illustrating the flaw?

         12        A.     In -- in general, the later

         13   discussions were in more detail.  They had more

         14   technical details in them, they were lengthier,

         15   and we had more time to prepare them.  So there

         16   would be more detail there than was in the

         17   initial -- initial discussions.

         18        Q.     Okay.

         19        A.     Also, given that time would usually

         20   pass before the later, say, academic

         21   publications or magazine articles would become

         22   available, there would be perhaps new versions

         23   of the software, of the flawed software out

         24   there, and that would also factor into our

         25   calculations.




                                                                       67

          1                   EDWARD FELTON

          2        Q.     Got you.

          3        A.     So, in general, there would have

          4   been more disclosure of details of

          5   vulnerability --

          6        Q.     Okay.

          7        A.     -- of vulnerabilities in the later

          8   discussion.

          9                   MR. GARBUS:  Can we take a

         10               bathroom break after your next

         11               question?

         12                   MR. HART:  After a couple of

         13               next questions, absolutely.  Let me

         14               just kind of try and wrap up this

         15               area of inquiry.  I appreciate your

         16               candor.

         17        Q.     Is it fair to say that with respect

         18   to any of the situations where you were the

         19   discoverer of system flaw that at no time,

         20   whether in the initial public disclosure or in

         21   any subsequent disclosure, did you make

         22   available an object code utility or an

         23   executable computer program that enabled people

         24   to take advantage of the flaw?

         25        A.     We -- in the instances that we were




                                                                       68

          1                   EDWARD FELTON

          2   in, we were able to show how to demonstrate the

          3   flaw without -- without exploiting it to do

          4   damage.

          5        Q.     Got you.

          6        A.     There is no doubt, though, that

          7   discussing how to demonstrate the flaw provides

          8   information that someone could use in a harmful

          9   way.

         10        Q.     Got you.

         11               But do you see in your mind,

         12   professionally speaking, a difference between

         13   providing information describing a flaw and

         14   providing basically a tool that enables people

         15   to take advantage of the flaw?

         16        A.     I think there is a difference

         17   between those things.  It depends on the

         18   circumstances whether it's possible, for

         19   example, to demonstrate a flaw without also

         20   providing a way to -- to exploit it.

         21        Q.     Got you.

         22        A.     A demonstration plus some other

         23   steps may be an exploitation.

         24        Q.     Got you.

         25               But in all of the --




                                                                       69

          1                   EDWARD FELTON

          2                   MR. HART:  Please.

          3        Q.     But in all of the 12 instances

          4   where you were the discoverer of the flaw and

          5   you were involved in one way or another in the

          6   ultimate public disclosure of that flaw, in no

          7   instance did you find it necessary to provide

          8   people with the tool to take advantage of the

          9   flaw in order to describe it, discuss it,

         10   illustrate it or analyze it, right?

         11                   MR. GARBUS:  I'll object to it.

         12               That's not what the witness has

         13               testified to.  That's an

         14               oversimplification.

         15        A.     We did not provide -- we never

         16   provided a tool which let someone -- which gave

         17   someone all of the steps of breaking into

         18   someone's computer and doing damage.

         19        Q.     And you -- you deliberately avoided

         20   doing that; isn't that true?

         21        A.     That's correct.

         22        Q.     Thank you.

         23        A.     We did provide the information that

         24   -- that we thought the people -- the public

         25   needed in order to understand the situation, in




                                                                       70

          1                   EDWARD FELTON

          2   order to further research.  And that did

          3   include code which demonstrated the flaw, which

          4   would mean it included necessarily one or some

          5   of the steps that someone would need to do

          6   damage.

          7        Q.     Got you.  Thanks.

          8                   MR. GARBUS:  Can we take our

          9               break?

         10                   MR. HART:  We are going to take

         11               our break now.  I thank you.

         12                   THE VIDEOGRAPHER:  Off the

         13               record, 11:43.

         14                   (Brief recess taken)

         15                   THE VIDEOGRAPHER:  Back on the

         16               record, 11:59.

         17                   MR. HART:  Everybody ready?

         18                   MR. GARBUS:  Yes.

         19                   MR. HART:  Do you want to put

         20               your mike back on there, Marty?

         21                   MR. GARBUS:  I'm not doing very

         22               much talking, so I'm sure it's not

         23               necessary.  Go ahead.

         24                   MR. HART:  Promises, promises.

         25        Q.     Have you ever had occasion to




                                                                       71

          1                   EDWARD FELTON

          2   examine what's referred to as DeCSS?

          3        A.     Yes.

          4        Q.     When did you first do that?

          5        A.     I don't recall precisely.  I would

          6   estimate maybe six months ago.

          7        Q.     Okay.

          8               I'm -- six months ago means roughly

          9   when?

         10        A.     Means either early this year or

         11   perhaps the end of 1999.

         12        Q.     Okay.

         13               And was this prior to your lunch

         14   meeting with Mr. Garbus and Mr. Appel?

         15        A.     Yes, it was well before that.

         16        Q.     Okay.

         17               And where did you get access to

         18   DeCSS in order to examine it?

         19        A.     I did a Web search and found a site

         20   that had it.

         21        Q.     Okay.

         22               Do you recall which site had it?

         23        A.     No.

         24        Q.     What form was it in?

         25        A.     What I got was in the form of a zip




                                                                       72

          1                   EDWARD FELTON

          2   file that had source code and object code for

          3   DeCSS along with a couple other related things.

          4   There was something called CSSAuth and there

          5   was something called LIVID.

          6        Q.     LIVID?

          7        A.     LIVID, L-I-V-I-D.

          8        Q.     And did you examine CSSAuth?

          9        A.     I believe I did.

         10        Q.     And what is it?

         11        A.     I don't recall now.

         12        Q.     Did you examine LIVID?

         13        A.     I don't remember whether I did or

         14   not.

         15        Q.     Do you recall what LIVID was?

         16        A.     I'm not sure what -- what it is.

         17   There's something in -- something in the back

         18   of my mind saying it might be a Linux video

         19   player, but I'm not sure of that.

         20        Q.     Okay.

         21               So you downloaded the files you

         22   just mentioned from a Web site?

         23        A.     A Web site which I found by Web

         24   search.

         25        Q.     Got it.




                                                                       73

          1                   EDWARD FELTON

          2               Do you still have those downloads

          3   on your computer today?

          4        A.     Yes.

          5        Q.     Okay.

          6               What have you done with them?

          7        A.     I have -- I've read the material --

          8   with respect to DeCSS I've read the -- there

          9   was -- there was a file in the distribution

         10   which was a readme or some sort of descriptive

         11   -- short descriptive file saying what was

         12   there.  I have read the source code, I ran the

         13   object code.  It didn't do anything on my

         14   computer because I don't have a DVD drive.

         15               With respect to CSSAuth, I believe

         16   that I read descriptive files and source code,

         17   as well.

         18        Q.     Okay.

         19               When you say descriptive files in

         20   source code?

         21        A.     And source code.

         22        Q.     Oh, and source code.  Okay.

         23        A.     So a readme file and whatever --

         24   whatever it is that was there.

         25        Q.     So that's what I want to come back




                                                                       74

          1                   EDWARD FELTON

          2   to.  You said in the early part of your answer

          3   there was a readme file.  That was in English?

          4        A.     That's right.  Just saying -- what

          5   I recall is it said something like here's a

          6   list of the files that are here and this is

          7   what each one is --

          8        Q.     Got you.

          9        A.     -- or some such thing.

         10        Q.     Okay.

         11               And what was your purpose in

         12   looking at the source code and in running the

         13   executable utility, if you will?

         14        A.     First with respect to looking at

         15   the source code, I had read and heard about CSS

         16   and the flaws that had been found in it, and I

         17   wanted to find out more about that.  And so one

         18   of the things I wanted to do, one of the things

         19   that made sense for me to do was to get the

         20   code and understand what it did.  I also looked

         21   at that code in conjunction with Frank

         22   Stevenson's paper at one point --

         23        Q.     Okay.

         24        A.     -- again, to understand what this

         25   thing did, to understand how CSS worked, how




                                                                       75

          1                   EDWARD FELTON

          2   the corresponding decryption process worked,

          3   and to see for myself what the flaws were that

          4   were there and that were described in

          5   Stevenson's paper.

          6        Q.     Okay.

          7               And what was your purpose in

          8   running the utility?

          9        A.     I wanted to see whether I could

         10   tell what it did on a machine that did not have

         11   a -- a DVD drive.  And it turns out, as far as

         12   I can tell it doesn't do anything if you don't

         13   -- it didn't do anything on my machine as far

         14   as I can tell.

         15                   MR. HART:  Let the record

         16               reflect we have an interruption.

         17                   (Brief interruption)

         18                   MR. HART:  Let's read the last

         19               answer back.  I was distracted.

         20               I'm easily distracted as Marty

         21               knows.

         22                   (Record read)

         23        Q.     And was there any value, then, in

         24   running DeCSS on your machine as far as you were

         25   concerned?




                                                                       76

          1                   EDWARD FELTON

          2        A.     It turned out that there was no

          3   value to me in the -- in the very brief

          4   experiment I did.  Had I had a DVD drive, I --

          5   there would have been value because this would

          6   have provided a demonstration of that -- of the

          7   -- of the flaw in -- in DeCSS.

          8        Q.     Got you.

          9        A.     That's the kind of demonstration

         10   that I was talking about before when I talked

         11   about code which demonstrates that a flaw

         12   exists.  It would have enabled me to go take

         13   some files off a DVD and verify that they were

         14   actually the content that was originally on the

         15   DVD.  So I could have been able to verify for

         16   myself without understanding a lot of theory

         17   that what people were saying about the

         18   weaknesses in CSS was right.

         19        Q.     Okay.

         20               So what is it, to your

         21   understanding, that DeCSS does?

         22        A.     My understanding of what it does is

         23   that it -- it allows you to take files which

         24   are stored on a DVD disc and copy them onto,

         25   say, the hard drive of your computer.




                                                                       77

          1                   EDWARD FELTON

          2        Q.     And in doing that, does it decrypt

          3   CSS?

          4        A.     Yes, it does -- it does perform

          5   decryption as part of that operation.

          6        Q.     Okay.

          7        A.     Of course, decryption is necessary

          8   in order to get the files onto the -- onto the

          9   hard drive in a form where they're -- they're

         10   usable for many of the purposes that I might

         11   want to put them to if I were the owner of a

         12   DVD.

         13        Q.     Do you own a DVD player?

         14        A.     No, I don't.

         15        Q.     Do you own a VHS type VCR?

         16        A.     Yes.

         17        Q.     Okay.

         18               How many computers do you have or

         19   have access to in your ordinary routine?

         20        A.     Let me think.  I have -- in my

         21   office at work I have one computer.  There is

         22   also a lab that has maybe 10 computers in it.

         23   At home -- this is embarrassing -- I think five

         24   computers.

         25                   MR. GARBUS:  All for your




                                                                       78

          1                   EDWARD FELTON

          2               child.

          3        Q.     Are any of those computers

          4   operating using the Linux operating system?

          5        A.     Yes.

          6        Q.     Which ones?

          7        A.     One of the machines in my home runs

          8   Linux and some of the -- some of the 10 in my

          9   lab run Linux, maybe three or four would be my

         10   -- would be my estimate.

         11        Q.     Okay.

         12               And do you also have Windows-based

         13   operating system on any of your home computers?

         14        A.     Yes.

         15        Q.     Okay.

         16               And what about in the lab?

         17        A.     Yes, there are some Windows

         18   machines in the lab.

         19        Q.     And what about the computer that's

         20   in your office, what operating system does that

         21   use?

         22        A.     Windows.

         23        Q.     It's a Windows system.  Okay.

         24               And what kind of Internet

         25   connection do you have, if any, with respect to




                                                                       79

          1                   EDWARD FELTON

          2   your office computer?

          3        A.     The office computer is connected to

          4   our departmental network --

          5        Q.     Okay.

          6        A.     -- which inside the department is

          7   100 megabits per second.

          8        Q.     Okay.

          9               And what about with respect to the

         10   five computers you have at home, what kind of

         11   Internet connection or connections do you have

         12   with respect to any of them?

         13        A.     The connection from my home is a

         14   DSL connection which goes to the computer

         15   science department at Princeton.

         16        Q.     Okay.

         17        A.     And that -- so that between my home

         18   and Princeton I get about perhaps 2 megabits

         19   per second.

         20        Q.     Okay.

         21               Do you have any other Internet

         22   connection at home?

         23        A.     No.  And it's usual -- I should

         24   say, all of those -- the bandwidth I'm quoting

         25   are internal.  That's from one place in the




                                                                       80

          1                   EDWARD FELTON

          2   building to another place in the building.

          3   That's not the bandwidth to arbitrary places on

          4   the Net.

          5        Q.     But the bandwidth that you're

          6   talking about which is what, somewhere between

          7   2 megabytes a second to 100 megabytes per

          8   second, depending on whether we're talking

          9   about the DSL at home or the one in your

         10   office?

         11        A.     Megabits per second.

         12        Q.     I'm sorry.  Excuse me.  I

         13   apologize.

         14               Those allow you to connect through

         15   a network to Princeton University?

         16        A.     Just within the computer science

         17   department at those rates.

         18        Q.     I see.

         19               And what about the rest of the

         20   university?

         21        A.     I don't know exactly what kind of

         22   connectivity we have to the rest of the

         23   university.  I know there is at least one link

         24   between our department's network and the

         25   university's backbone, I guess.  But that, of




                                                                       81

          1                   EDWARD FELTON

          2   course, is shared with everyone else in the

          3   department.

          4        Q.     All right.

          5               You're saying you have no specific

          6   knowledge of the network --

          7        A.     But I don't know specifically how

          8   fast that is.

          9        Q.     Okay.  I'm sorry.  Let me finish

         10   the question and then you can give the answer

         11   --

         12        A.     Okay.

         13        Q.     -- just to make the record clear.

         14               You have no specific knowledge

         15   concerning the network at Princeton that's

         16   available to people outside of the computer

         17   department, for example, like students, and the

         18   connectivity and the speeds and the bandwidth

         19   of that facility?

         20        A.     I think I know generally what's

         21   available to people within their own little

         22   area of the network, but I don't understand how

         23   the various local networks -- I don't

         24   understand in detail how the various local

         25   networks are connected together.




                                                                       82

          1                   EDWARD FELTON

          2        Q.     Okay.

          3               And among the local networks that

          4   you have some understanding of, would that

          5   include networks that students have access to

          6   from dorm rooms or other?

          7        A.     I'm generally familiar with dorm

          8   room networks.

          9        Q.     And what's the bandwidth of those,

         10   to your knowledge?

         11        A.     A typical bandwidth would be 10

         12   megabits per second on a shared link.

         13        Q.     As opposed to a switched link?

         14        A.     That's correct.

         15        Q.     Now, are the various dorm rooms set

         16   up so that each floor is a shared link unto

         17   itself, and then each floor is separately

         18   switched?

         19        A.     I don't know.

         20        Q.     You don't know the overall network

         21   configuration?

         22        A.     I don't know those details, no.

         23        Q.     Okay.  That's fine.  Fine.

         24               Do you have any knowledge of video

         25   compression technologies?




                                                                       83

          1                   EDWARD FELTON

          2        A.     Only in a very general way.

          3        Q.     Generally, what do you know if you

          4   can sum it up?

          5        A.     Well, I know that it's -- it's

          6   possible to compress video and to get some --

          7   some -- a modest -- relatively modest amount of

          8   compression out of them.  I know that video

          9   compression technologies are widely used

         10   because video files are so big.

         11        Q.     Does that sum up the state of your

         12   knowledge in video codecs?

         13        A.     In general.  I know some of the

         14   acronyms and buzzwords, as well, but I'm not an

         15   expert by any means.

         16        Q.     Give me some of the acronyms that

         17   are?

         18        A.     Well, a compression mechan --

         19   compression algorithms like MPEG and the

         20   various versions of MPEG, for example, are

         21   widely used.  I know that some of my colleagues

         22   do research into video compression algorithms,

         23   but I'm not really up on their work.

         24        Q.     Okay.

         25               Have you ever heard of Divx?




                                                                       84

          1                   EDWARD FELTON

          2        A.     Yes, I've heard of it.

          3        Q.     Do you know anything about it?

          4        A.     I don't -- I don't understand it in

          5   any detail.

          6        Q.     Do you know if it's widely

          7   available?

          8        A.     I don't know that.

          9                   MR. GARBUS:  I object to the

         10               use of the word "widely."

         11                   THE WITNESS:  I don't know how

         12               widely available it is.

         13        Q.     Okay.

         14               Now, did you ever have any

         15   communications with Eric Corley or Emmanuel

         16   Goldstein?

         17        A.     No.

         18        Q.     Do you know who that is?

         19        A.     Yes.  I understand that that's one

         20   person.

         21        Q.     That's a start.

         22        A.     And that he's one of the defendants

         23   in this case.

         24        Q.     Okay.

         25        A.     And that he is the publisher or




                                                                       85

          1                   EDWARD FELTON

          2   otherwise associated with 2600 Magazine.

          3        Q.     Had you ever heard of 2600 Magazine

          4   before, let's say, your luncheon meeting with

          5   Mr. Garbus?

          6        A.     Yes, yes.

          7        Q.     Had you ever read it before?

          8        A.     Yes.

          9        Q.     Had you ever visited the 2600 Web

         10   site before your luncheon meeting with

         11   Mr. Garbus?

         12        A.     Yes.

         13        Q.     And I'm sorry, you may have

         14   answered this.  I apologize.

         15               Can we place a rough date on your

         16   luncheon meeting with Mr. Garbus?

         17        A.     It was a couple months ago.  That's

         18   the best I can do.

         19        Q.     Okay.

         20               And can you give me the gist of

         21   what was said at that luncheon meeting?

         22        A.     Sure.  There was some general

         23   discussion about this case, and Professor Appel

         24   was present at the lunch along with Mr. Garbus

         25   and me.  And so -- and at that point Mr. Garbus




                                                                       86

          1                   EDWARD FELTON

          2   had discussed, I understand, in the past with

          3   Professor Appel, the possibility of his

          4   testifying.  And so there was some discussion

          5   about that.

          6               There was some discussion about

          7   what the case was about in general, issues of

          8   schedule.

          9               There was some discussion about the

         10   -- the topics that were discussed in a paper

         11   that Professor Appel and I wrote and submitted

         12   to the Copyright Office and then later to

         13   Communications of the ACM, and there was, I

         14   think, also some discussion of issues involved

         15   in a -- in declarations that Professor Appel

         16   had written in other cases previously relating

         17   to the role of source code as a means of

         18   expression for computer scientists.

         19        Q.     Okay.

         20               Were there areas of potential

         21   testimony or analysis that were focused on you,

         22   Ed Felten?

         23        A.     I -- I think there was a general

         24   discussion of my background and what my areas

         25   of specialization were and so on.  But I don't




                                                                       87

          1                   EDWARD FELTON

          2   recall anything more specific than that.

          3        Q.     There was no discussion of areas

          4   where you might be qualified to testify in the

          5   case or provide a declaration at that luncheon

          6   meeting?

          7        A.     I don't remember any discussion at

          8   that lunch meeting except that at the very end

          9   there was a very brief exchange about whether I

         10   might potentially be interested in testifying.

         11        Q.     And did you -- who -- who asked you

         12   whether you might potentially be interested in

         13   testifying, Mr. Garbus?

         14        A.     Mr. Garbus.

         15        Q.     Okay.

         16               And did you respond to that query?

         17        A.     Yes.  I said that I was interested

         18   in discussing it more.

         19        Q.     Okay.

         20        A.     But not a yes or no.

         21        Q.     Okay.

         22               Was there anyone else present at

         23   the luncheon aside from you, Appel and Garbus?

         24        A.     No.

         25        Q.     When did you next have occasion to




                                                                       88

          1                   EDWARD FELTON

          2   speak to anyone or communicate with anyone

          3   regarding this case or your involvement in it

          4   like an e-mail or in-person or telephonic?

          5        A.     I talked to Professor Appel not

          6   long after that -- I'll wait.

          7                   (Brief interruption)

          8        Q.     Okay.

          9        A.     Now that the tape is back, I talked

         10   to Professor Appel not long after that -- that

         11   lunch that I just referred to --

         12        Q.     Okay.

         13        A.     -- in general about -- about the

         14   possibility of me testifying.

         15        Q.     Okay.

         16        A.     That was, I think, the next

         17   discussion.

         18        Q.     Okay.

         19               To your knowledge, had Professor

         20   Appel already committed to testifying in this

         21   case?

         22        A.     I don't know whether he had

         23   committed or not.

         24        Q.     All right.

         25               Did Professor Appel encourage you




                                                                       89

          1                   EDWARD FELTON

          2   in any way to testify in this case?

          3        A.     No, I don't think he did.  I don't

          4   think he expressed an opinion one way or the

          5   other about whether I should or should not.

          6        Q.     Did you have any discussion with

          7   Professor Appel in any way about whether you

          8   should or should not?

          9        A.     I don't think I did, no.

         10        Q.     So what was discussed with Appel

         11   regarding your involvement in the case?

         12        A.     Information about the case, what he

         13   might be -- what he was expecting to testify

         14   about, which areas and so on.

         15               One of the things that I wanted to

         16   understand was, you know, what -- where -- the

         17   extent to which my testifying would sort of add

         18   to what he was saying.

         19        Q.     Okay.

         20        A.     Whether --

         21        Q.     I'm sorry.  Go ahead.

         22        A.     Whether there were areas, relevant

         23   areas in which I had expertise beyond his.

         24        Q.     Okay.

         25        A.     So I wanted to understand what he




                                                                       90

          1                   EDWARD FELTON

          2   might talk about.

          3        Q.     Okay.

          4               Were you able to identify during

          5   that conversation with Professor Appel any

          6   areas where you might add to what he had to

          7   offer?

          8        A.     I'm not sure whether I identified

          9   things during the conversation, but I

         10   eventually came to an understanding about that.

         11        Q.     And when did you come to an

         12   understanding about that?

         13        A.     I think it happened over a period

         14   of time starting after the -- the lunch meeting

         15   that we talked about and going forward for, I

         16   don't know, some period of weeks probably.

         17        Q.     Okay.

         18               And you are in pretty much daily

         19   contact with Professor Appel when you're both

         20   in the office, is that right?

         21        A.     More or less, yeah.  We -- probably

         22   more -- I speak to him the majority of days

         23   about one thing or another.

         24        Q.     Okay.

         25               Your offices are adjacent to each




                                                                       91

          1                   EDWARD FELTON

          2   other?

          3        A.     Down the hall.

          4        Q.     Right.  Okay.  Okay.

          5               And did you speak with anyone else

          6   other than Professor Appel in trying to clarify

          7   or crystallize in your mind what things you

          8   might be able to add to what he might testify

          9   to?

         10        A.     Yes.  I later spoke to Mr. Garbus

         11   and also Mr. Hernstadt.

         12        Q.     Okay.

         13               And can you tell me, relative to

         14   the lunch meeting, when that occurred or when

         15   those conversations occurred?

         16        A.     It would have been in a series of

         17   phone conversations between -- starting

         18   sometime after the -- the lunch meeting and

         19   going up until, say, sometime in June.

         20        Q.     Okay.

         21        A.     So I would have spoken on the phone

         22   to them a few times during that -- during that

         23   period.

         24        Q.     And is it your testimony that it

         25   was partly your own reflection, partly your




                                                                       92

          1                   EDWARD FELTON

          2   discussions with Professor Appel and partly

          3   your discussions with Messrs. Hernstadt and

          4   Garbus that helped you sort of crystallize in

          5   your mind what areas of additional testimony

          6   you might be able to offer over and above that of

          7   Professor Appel?

          8        A.     I think in understanding what I

          9   could testify about, which areas I had sort of

         10   knowledge or expertise beyond Professor Appel,

         11   it was really my discussions with him that --

         12        Q.     Got you.

         13        A.     -- that helped me understand that.

         14        Q.     Okay.

         15               But that you could ultimately wind

         16   up communicating your thoughts to

         17   Messrs. Garbus or Hernstadt on that subject?

         18        A.     We did talk about whether -- about

         19   what areas -- in what areas I -- I would be

         20   testifying, yes.

         21        Q.     Okay.

         22               In addition to that which Appel was

         23   going to cover or might cover, is that right?

         24        A.     That's right.

         25        Q.     Okay.




                                                                       93

          1                   EDWARD FELTON

          2               This is not a trick question.  I'm

          3   really just trying to focus on what you bring

          4   to the table, sir.

          5        A.     And also to the extent that I have

          6   some expertise in the same areas as Professor

          7   Appel, there's -- there's obviously some

          8   overlap between our testimony, as well.

          9        Q.     Okay.

         10               Can you tell me in subject matter

         11   areas what areas you discussed testifying in

         12   with Professor Appel and/or Mr. Garbus and/or

         13   Mr. Hernstadt, whether those overlapped or were

         14   separate and apart or in addition to those

         15   Appel might testify to?

         16        A.     Well, a good place to start is the

         17   -- the list of four topics -- that is in the

         18   declaration.

         19        Q.     Right.

         20        A.     And let me look at that --

         21        Q.     Sure.  Please.

         22        A.     -- and see whether there's anything

         23   else that comes to mind.

         24        Q.     Okay.

         25        A.     I -- I don't recall discussing




                                                                       94

          1                   EDWARD FELTON

          2   anything else that's not listed here.

          3        Q.     Okay.

          4               Now, we are talking about the four

          5   subject matter categories that are identified

          6   in Paragraph 3 of your declaration that's been

          7   marked Exhibit 3, right?

          8        A.     That's right.

          9        Q.     Okay.

         10               Let's work backwards, I guess.

         11        A.     Okay.

         12        Q.     The fourth category is the

         13   relationship between studying and improving the

         14   practice of cryptography and computer security

         15   related to the foregoing.  I guess that is

         16   going to lead us into the earlier ones, but I

         17   -- is this subject matter, Number 4 in

         18   Paragraph 3, that which we were talking about a

         19   little bit earlier in terms of detecting

         20   weaknesses in systems and system security and

         21   making information concerning those weaknesses

         22   available?

         23        A.     We talked earlier about my

         24   experiences in doing that, but we did not talk

         25   about why it's valuable to the value of that




                                                                       95

          1                   EDWARD FELTON

          2   sort of testing and that sort of discussion for

          3   education and practice in -- in security and

          4   cryptography.  So we talked about any

          5   experience, but not about the topic in general

          6   or the implications of -- of discussion.

          7        Q.     Fair enough.  And again, I'm really

          8   trying to do this to expedite things.

          9        A.     Sure.

         10        Q.     So you'll stop me if I in any way

         11   misstate anything you say, please.  But we did

         12   touch upon what I thought were your beliefs as

         13   to the value of testing security systems, if

         14   you will, and the value of making the

         15   weaknesses known.

         16               Is that part of the Subject Matter

         17   4, the relationship between studying and

         18   improving the practice of cryptography in

         19   computer security?

         20        A.     That's -- that's part of the

         21   subject matter, yes.

         22        Q.     What else in addition to what we

         23   talked about is covered by this Subject Matter

         24   4?

         25        A.     The use -- for example, the use of




                                                                       96

          1                   EDWARD FELTON

          2   information about vulnerabilities and

          3   historical vulnerabilities, and testing and so

          4   on.  The use of all of that in education, and

          5   how these sort of activities contribute to the

          6   practice, by which I mean the making of better

          7   and stronger systems in the future.

          8        Q.     Okay.

          9        A.     That's an example of something that

         10   goes beyond what we talked about earlier.

         11        Q.     When you talk about -- I'm sorry.

         12        A.     I'm done.