Bruce Schneier Deposition, in MPAA v. 2600

CA; July 9, 2000

See related files:
http://www.eff.org/IP/Video (EFF Archive)
http://cryptome.org/cryptout.htm#DVD-DeCSS (Cryptome Archive)
http://www.2600.com/dvd/docs (2600 Archive)
http://eon.law.harvard.edu/openlaw/dvd/ (Harvard DVD OpenLaw Project)


      1   UNITED STATES DISTRICT COURT
      2   SOUTHERN DISTRICT OF NEW YORK
      3
          UNIVERSAL CITY STUDIOS, INC.;
      4   PARAMOUNT PICTURES CORPORATION;
          METRO-GOLDWYN-MAYER, INC.; 
      5   TRISTAR PICTURES, INC.; COLUMBIA
          PICTURES INDUSTRIES, INC.; TIME
      6   WARNER ENTERTAINMENT CO.; L.P.;
          DISNEY ENTERPRISES, INC., and
      7   TWENTIETH CENTURY FOX FILM 
          CORPORATION,
      8
                             Plaintiffs,
      9
          vs.                               NO. 00 Civ. 0277   
     10                                             (LAK)
     11   ERIC CORLEY a/k/a "EMMANUEL
          GOLDSTEIN"; and 2600 ENTERPRISES,
     12   INC.,
     13                      Defendants.
          _______________________________/
     14
     15   DEPOSITION OF BRUCE SCHNEIER
     16   DATE:         July 9, 2000
     17   DAY:          Sunday
     18   TIME:         10:26 a.m.
     19   PLACE:        Weil, Gotshal & Manges
                        2882 Sand Hill Road, Suite 280
     20                 Menlo Park, California
     21   PURSUANT TO:  Subpoena      
     22   REPORTED BY:  Kim Meierotto, CSR No. 11602
          __________________________________________________
     23
          COMP-U-SCRIPTS
     24   OFFICIAL REPORTERS AND NOTARIES
          1101 South Winchester Blvd., Suite D-138
     25   San Jose, California 95128
          (408) 261-9795
                                                           1
               



      1   APPEARANCES:
      2   For the Plaintiffs:     PROSKAUER ROSE LLP
                                  BY:  CARLA M. MILLER,
      3                                ATTORNEY AT LAW
                                  1585 Broadway 
      4                           New York, NY 10036-8299
                                  (212) 969-3713
      5
      6   For the Defendants:     FRANKFURT GARBUS KURNIT      
                                  KLEIN & SELZ
      7                           BY:  EDWARD HERNSTADT,
                                       ATTORNEY AT LAW
      8                           488 Madison Avenue
                                  New York, NY 10022
      9                           (212) 826-5582
     10   and                     HUBER SAMUELSON
                                  BY:  ALLONN E. LEVY,
     11                                ATTORNEY AT LAW
                                  210 North Fourth Street
     12                           Suite 400
                                  San Jose, CA 95112
     13                           (408) 295-7034
     14
          The Videographer:       McMAHON & ASSOCIATES
     15                           BY:  JASON BUTKO
                                  One Almaden Boulevard
     16                           Suite 829 
                                  San Jose, CA 95113
     17                           (408) 298-6686
     18
     19
     20
     21
     22
     23
     24
     25
                                                           2
               



      1   INDEX OF EXAMINATIONS
      2                                            Page
      3   By Ms. Miller                              5
      4
      5
      6
      7   INDEX OF EXHIBITS 
      8   Plaintiffs'                              Page
      9   1    Subpoena of deponent                 21
     10   2    Article by deponent entitled         24
               "DVD Encryption Break is a Good
     11        Thing"
     12   3    Declaration of deponent              25
     13   4    Article by deponent entitled         27
               "'Key Finding' Attacks and
     14        Publicity Attacks"
     15
     16
     17
     18
     19
     20
     21
     22
     23
     24
     25
                                                           3
               



      1                         --oOo--
      2            THE VIDEOGRAPHER:  Good morning.  We're 
      3   going on the record.  The time on the screen is 
      4   10:30 a.m.
      5            Today's date is Sunday, July 9, 2000.  
      6   We're located at the offices of Weil, Gotshal & 
      7   Manges, 2882 Sand Hill Road, Menlo Park, California.
      8            This is Tape No. 1 of the deposition of 
      9   Bruce Schneier, case name Universal City Studios 
     10   versus Corley venued in the U.S. District Court, 
     11   Southern District of New York, Case No. 00 Civ. 
     12   0277.
     13            My name is Jason Butko, legal video 
     14   specialist and notary, representing McMahon & 
     15   Associates, One Almaden Boulevard, Suite 829, San 
     16   Jose, California 95113.
     17            The court reporter is from Comp-U-Scripts.  
     18   The court reporter is Kim Meierotto.
     19            Counsel, would you please identify yourself 
     20   starting with the questioning attorney.
     21            MS. MILLER:  Carla Miller from the law firm 
     22   of Proskauer Rose LLP in New York representing all 
     23   plaintiffs.
     24            MR. HERNSTADT:  Edward Hernstadt from 
     25   Frankfurt Garbus Kurnit Klein & Selz representing 
                                                           4
               



      1   the defendants.
      2            THE VIDEOGRAPHER:  You may proceed.  I'm 
      3   sorry.  Court reporter, can you please swear in the 
      4   witness.
      5   --oOo--
      6   BRUCE SCHNEIER,
      7             having been duly sworn by the 
      8             Certified Shorthand Reporter to tell   
      9             the truth, the whole truth, and        
     10             nothing but the truth, testified        
     11             as follows:
     12
     13            THE VIDEOGRAPHER:  You may proceed.
     14
     15                EXAMINATION BY MS. MILLER:
     16        Q.  Good morning, Mr. Schneier.
     17        A.  Hi.
     18        Q.  Have you ever been deposed before?
     19        A.  Nope.
     20        Q.  Have you ever testified in a court 
     21   proceeding?
     22        A.  No.
     23        Q.  Just so you understand, you're in a 
     24   deposition obviously.  The court reporter seated to 
     25   your right is taking down stenographically every 
                                                           5
               



      1   word that's being spoken here today as among myself, 
      2   you and Mr. Hernstadt.
      3            Just as a matter of procedure, because the 
      4   court reporter has to take down everything that you 
      5   and I say, I'll try my best to make sure that I do 
      6   not interrupt your answer with another question, and 
      7   also if you could make sure that if I'm in the 
      8   middle of a question, you don't start answering 
      9   until I'm finished with the question.
     10            Mr. Hernstadt, of course, will be here, and 
     11   he'll be making objections, and again, if we could 
     12   avoid talking over each other, I'm sure the court 
     13   reporter will appreciate that, and we'll have a much 
     14   cleaner transcript of everything that's said today.
     15            Are you currently employed, Mr. Schneier?
     16        A.  Yes.
     17        Q.  Where are you employed?
     18        A.  Company called Counterpane Internet 
     19   Security, Incorporated, here in San Jose.
     20        Q.  What's your role at Counterpane Internet?
     21        A.  My title is chief technology officer.  I'm 
     22   one of the founders of the company.
     23        Q.  Who are the other founders of the company?
     24        A.  The other founder's a man named Tom Rowley.
     25        Q.  Tom Rowley?
                                                           6
               



      1        A.  R-o-w-l-e-y.
      2        Q.  How long ago was Counterpane founded by 
      3   yourself and Mr. Rowley?
      4        A.  The company was founded approximately a 
      5   year ago.
      6        Q.  Is it a public company?
      7        A.  No, it is not.
      8        Q.  Are you a shareholder in the company?
      9        A.  Yes, I am.
     10        Q.  Is Mr. Rowley also a shareholder?
     11        A.  Yes, he is.
     12        Q.  Are there any other shareholders in the 
     13   company?
     14        A.  Yes, there are.
     15        Q.  Prior to founding Counterpane, were you 
     16   employed?
     17        A.  Yes, I was.
     18        Q.  Where were you employed?
     19        A.  I was president of another company called 
     20   Counterpane Systems.
     21        Q.  Where was Counterpane Systems located?
     22        A.  The company -- it's a hard question.  The 
     23   company had three employees, and we all worked out 
     24   of our homes.  So the company was located in 
     25   Illinois, although most of the people worked 
                                                           7
               



      1   elsewhere.
      2        Q.  When you say "the company was located in 
      3   Illinois," does that mean it was incorporated in 
      4   Illinois?
      5        A.  It was a sole proprietorship.  It was just 
      6   my company.
      7        Q.  Were you living in Illinois at the time?
      8        A.  Yes, I was.
      9        Q.  Who were the other three employees of 
     10   Counterpane Systems?
     11        A.  The other cryptographers were John Kelsey, 
     12   Chris Hall and Niels Ferguson.
     13        Q.  How long was Counterpane Systems in 
     14   existence?
     15        A.  I believe I formed it in 1993.
     16        Q.  Was working for yourself with Counterpane 
     17   Systems your sole employment from 1993 until about a 
     18   year ago?
     19        A.  Yes, it was.
     20        Q.  Prior to 1993, were you employed?
     21        A.  Yes.
     22        Q.  By whom?
     23        A.  AT&T Bell Laboratories.
     24        Q.  Where before AT&T did you work?
     25        A.  Naperville, Illinois.
                                                           8
               



      1        Q.  Midwesterner.  How long were you employed 
      2   by AT&T?
      3        A.  About a year.
      4        Q.  Were you employed as a cryptographer?
      5        A.  No, I was not.  I was employed as a systems 
      6   engineer.
      7        Q.  Prior to AT&T what was your employment?
      8        A.  I worked for a company called Intelligent 
      9   Resources Integrated Systems also in Illinois.
     10        Q.  What type of business is Intelligent 
     11   Resources engaged in?
     12        A.  They made video hardware for Macintosh 
     13   computers.
     14        Q.  What was your role in Intelligent 
     15   Resources?
     16        A.  I oversaw operations.
     17        Q.  What type of operations?  The company's 
     18   operations in general or a particular development of 
     19   the video hardware?
     20        A.  Engineering operations.  The development of 
     21   the hardware and things associated with that.
     22        Q.  Prior to Intelligent Resources Integrated 
     23   Systems, what was your employment?
     24        A.  I worked for the Department of Defense in 
     25   Washington, D.C.
                                                           9
               



      1        Q.  And how long were you employed by the 
      2   Department of Defense?
      3        A.  From 1984 through 1990 or '91.
      4        Q.  What did you do for the Department of 
      5   Defense?
      6        A.  That's classified.
      7        Q.  Was it in the field of cryptography, or can 
      8   you tell us?
      9        A.  It was in the field of communications.
     10        Q.  Prior to working for the Department of 
     11   Defense, what was your employment?
     12        A.  That was my first job.
     13        Q.  Was this your first job after completing 
     14   your education?
     15        A.  After getting my Bachelor's degree, yes.
     16        Q.  Where did you get your Bachelor's degree?
     17        A.  University of Rochester.
     18        Q.  In what field did you obtain a Bachelor's 
     19   degree?
     20        A.  Physics. 
     21        Q.  Did you obtain any other degrees after your 
     22   Bachelor degree?
     23        A.  I have a Master's of Science, of computer 
     24   science, from American University.
     25        Q.  And what year did you receive your 
                                                           10
               



      1   Bachelor of Science degree?
      2        A.  I received the degree in '85.
      3        Q.  What year did you receive your Master of 
      4   Science degree?
      5        A.  '86, I believe.
      6        Q.  But you said you began working for the 
      7   Department of Defense in 1984; is that correct?
      8        A.  Yes.
      9        Q.  So you began working for the Department of 
     10   Defense while you were still an undergrad?
     11        A.  I finished all my course work except one 
     12   class, so I sort of graduated, started working for 
     13   DOD, eventually graduated a year later.  So there's 
     14   an overlap in the time but not really in what I was 
     15   doing.
     16        Q.  Okay.  In the course of obtaining your 
     17   Master's degree in computer science, did you take 
     18   any courses in computer programming?
     19        A.  Yes.
     20        Q.  Did you obtain any proficiency in any 
     21   programming languages?
     22        A.  I did work in C and Pascal and LISP.
     23        Q.  Did you take any telecommunications courses 
     24   in the course of obtaining your Master of Science 
     25   degree?
                                                           11
               



      1        A.  I did not.
      2        Q.  What is the current address for Counterpane 
      3   Internet, your current company?
      4        A.  3031 Tisch Way, T-i-s-c-h, Suite 100 Plaza 
      5   East, San Jose, California.
      6        Q.  In what type of business is Counterpane 
      7   Internet engaged?
      8        A.  We do managed security monitoring.  We do 
      9   Internet security for organizations.
     10        Q.  What does that entail, "Internet 
     11   security"?
     12        A.  What we do is we monitor our customers' 
     13   Internet networks against intrusions.  So we provide 
     14   basically a monitoring service where we will watch a 
     15   customer's network and look for attacks, intrusions 
     16   and alert the customer.
     17        Q.  Is it fair to say you're like a burglar 
     18   alarm service, a high-tech service?
     19        A.  A burglar alarm is the kind of analogy we 
     20   like to use.
     21        Q.  And how many employees does Counterpane 
     22   Internet have?
     23        A.  Approximately a hundred.
     24        Q.  And apart from monitoring the customer's 
     25   Internet security, does Counterpane provide any
                                                           12
               



      1   security -- strike that -- provide any security 
      2   solutions for Internet businesses?
      3        A.  Monitoring is in itself a solution.  
      4   Detection response we feel is a solution to Internet 
      5   security and in a lot of cases a much better 
      6   solution than prevention.
      7        Q.  Does it provide any prevention solutions in 
      8   terms of actual security systems' products?
      9        A.  We don't provide products.  We monitor 
     10   other companies' products.
     11        Q.  How many customers, if you know, does 
     12   Counterpane Internet have?  What's the customer 
     13   base?
     14        A.  We don't release that number.  Many of our 
     15   customers prefer not to be named.
     16        Q.  I'm not asking you for the name but for the 
     17   customer base.  But you said you don't release the 
     18   actual number of customers either?
     19        A.  Yes.
     20        Q.  Do you have an up-to-date resume or 
     21   curriculum vitae, Mr. Schneier?
     22        A.  The best is on my Web site.  I don't have a 
     23   paper copy with me. 
     24        Q.  What is the URL for the Web site that you 
     25   just referred to?
                                                           13
               



      1        A.  Www.counterpane.com.  Then follow the link 
      2   to "about us" and then find my name. 
      3        Q.  Now as you understand it, you've been asked 
      4   to testify as an expert witness in this lawsuit; is 
      5   that your understanding?
      6        A.  That's my understanding.
      7        Q.  Does your involvement in this case call 
      8   upon any special skills or knowledge that you have?
      9        A.  I guess I don't know yet.  I assume so.
     10        Q.  Were you asked to provide any special 
     11   skills in your testimony -- strike that.
     12            Were you asked to rely on any special 
     13   skills you have in providing your testimony in this 
     14   case?
     15        A.  I was asked to talk about cryptography 
     16   research, so presumably talking about that relies on 
     17   my knowledge and skills as a cryptography 
     18   researcher.
     19        Q.  How long would you say you've been a 
     20   cryptography researcher?
     21        A.  I would say in the academic arena, in the 
     22   public arena, since 1992.
     23        Q.  What's involved in being a cryptography 
     24   researcher?
     25        A.  A lot of mathematics.
                                                           14
               



      1        Q.  Would you say that that's the only skill 
      2   involved or specialized training that one would need 
      3   to be a cryptography researcher?
      4        A.  Cryptography is really a subset of 
      5   mathematics.  It involves a lot of mathematical 
      6   disciplines.  It involves a mindset of making and 
      7   breaking systems. 
      8        Q.  Now if I decided that I wanted to be a 
      9   cryptographer, what type of training would you 
     10   advise me to undertake in terms of educational 
     11   background course work and university?
     12        A.  Sort of two areas I would advise.  There 
     13   are certain classes in mathematics.  Some 
     14   universities actually have specialties in 
     15   cryptography, so you can take courses in 
     16   cryptographic mathematics.  There are other general 
     17   mathematic courses that are useful.
     18            More importantly is to practice.  It's 
     19   easier to teach the mathematics than the mindset.  
     20   The mindset of looking at a system and figuring out 
     21   how to break it and then by learning how to break it 
     22   how to fix it and how to make it better, that's 
     23   something you can really only learn through practice 
     24   by doing it again and again.
     25        Q.  How would you characterize that mindset so 
                                                           15
               



      1   I understand what sort of mindset is generally 
      2   required?
      3        A.  It's a mindset of looking at systems and 
      4   figuring out how to get around them.  It's the kind 
      5   of mindset that would walk into a building and look 
      6   at the security system and see, I think there are 
      7   some weaknesses here.  It's a mindset of looking at 
      8   a piece of mathematics and saying, this doesn't do 
      9   what the designer thought it did.
     10            So it's a mindset of looking for holes in 
     11   systems.  In cryptography it's mathematical systems.
     12        Q.  Is it fair to say that just one general 
     13   personality trait that might benefit a cryptographer 
     14   is curiosity?
     15        A.  Curiosity is good.  I've also been asked by 
     16   many people what does it take to be a cryptographer, 
     17   and I did write an essay on this topic.  It's on my 
     18   Web site.  It's called "So You Want to be a 
     19   Cryptographer," and I talk about some of this.  It's 
     20   hard to quantify.
     21            When I did consulting I would try to figure 
     22   out who would be the right people to hire.  I'm not 
     23   sure there are traits I can point to and say these 
     24   are the exact traits.  I know it when I see it, but 
     25   it's very hard to divide into components.
                                                           16
               



      1        Q.  What did you look for when you were looking 
      2   for people to hire as you just testified to?  
      3        A.  People who had done it.  What I was looking 
      4   for as someone running a consulting company was not 
      5   someone I could train but someone who had already 
      6   exhibited proficiency in breaking systems, in fixing 
      7   systems, in cryptography, in mathematics.
      8            Writing ability.  A lot of what we are 
      9   doing is writing papers and reports explaining what 
     10   we've done.  Good interpersonal skills because we're 
     11   often talking to people about the work we've done.  
     12   So I looked for more finished products than people I 
     13   could train.
     14        Q.  So more experience than -- now you also 
     15   mentioned that some universities have specialized 
     16   course work in cryptography.  Does American 
     17   University have specialized course work in 
     18   cryptography, if you know?
     19        A.  It did not when I went there.
     20        Q.  Does the University of Rochester?
     21        A.  It did not when I went there.
     22        Q.  Do either one of those universities now if 
     23   you know have specialized course work?
     24        A.  I don't know.
     25        Q.  What are some of the universities that 
                                                           17
               



      1   you're aware of that have specialized course work in 
      2   cryptography?
      3        A.  MIT does.  University of California -- I'm 
      4   sorry -- Stanford University, University of 
      5   California-Davis, University of Waterloo, Cambridge 
      6   University in the U.K., L'ecole Normale et Supereur 
      7   in Paris, a university in Belgium that I can't 
      8   pronounce.  And there are others.
      9        Q.  When were you first approached about 
     10   getting involved in this lawsuit?
     11        A.  Sometime in the spring.
     12        Q.  In the spring of 2000?
     13        A.  Spring of 2000.
     14        Q.  Do you have any recollection of what 
     15   specific month?
     16        A.  I really don't.  I'm sure it was before my 
     17   signed documents, so we can work backwards from 
     18   there.
     19        Q.  How were you contacted about getting 
     20   involved in this case?
     21        A.  Either by phone or e-mail.
     22        Q.  You don't recall which?
     23        A.  I do not.
     24        Q.  Who contacted you?
     25        A.  Some attorney.
                                                           18
               



      1        Q.  You don't recall a name?
      2        A.  No. 
      3        Q.  Do you recall the name of the law firm?
      4        A.  That would be harder than the name of a 
      5   person.
      6        Q.  Was it Mr. Hernstadt?
      7        A.  It might have been.  I actually don't 
      8   remember.
      9        Q.  You don't know.  You say you think it was 
     10   either by phone or by e-mail that you were first 
     11   contacted.  If it was by e-mail, would you have 
     12   saved that e-mail?
     13        A.  No, I would not have.
     14        Q.  But you don't know if it was by e-mail?
     15        A.  I don't remember.  I really don't.
     16        Q.  Do you recall anything about this initial 
     17   conversation with the attorney you can't recall who 
     18   asked you to get involved in the case?  What was the 
     19   substance of the conversation?
     20        A.  I don't remember, but presumably I was 
     21   asked if I would write a declaration.
     22        Q.  And did you do that?
     23        A.  I did.
     24        Q.  To whom did you send that declaration once 
     25   it was written?
                                                           19
               



      1        A.  This was done by e-mail, and I probably -- 
      2   I sent it to either whoever the attorney was who 
      3   contacted me or whoever I spoke to afterwards.
      4        Q.  But you have no idea who it was sent to?
      5        A.  I don't remember.  It might have been Ed, 
      6   but I actually don't remember.
      7        Q.  Apart from the declaration that you 
      8   prepared and submitted in this case, have you 
      9   prepared any other reports for submission to the 
     10   court at trial?
     11        A.  I have not.
     12        Q.  Have you been asked to prepare any 
     13   additional reports other than your declaration?
     14        A.  I have not.
     15        Q.  As far as you know, will you be testifying 
     16   in the trial of this case?
     17        A.  I believe I will be.
     18        Q.  You have been asked to testify at trial?
     19        A.  We've talked about testifying.
     20        Q.  Who have you talked to about testifying?
     21        A.  Ed.
     22        Q.  When was the last time you talked to Ed 
     23   about testifying?
     24        A.  I don't know.  Maybe a couple weeks ago, 
     25   last week.  Dates were being discussed, and I gave 
                                                           20
               



      1   my calendar.
      2        Q.  Trial dates or dates for this deposition 
      3   that you're testifying in today?
      4        A.  Trial dates.
      5        Q.  Are you being compensated for your 
      6   involvement in this case?
      7        A.  I am not.
      8        Q.  If you are to testify in the trial of this 
      9   case in New York, has anyone offered to pay your 
     10   travel expenses for going there?
     11        A.  No one has.
     12        Q.  Let me show you a document, Mr. Schneier,  
     13   I'd like to first have marked as Exhibit 1.
     14            (Plaintiffs' Exhibit No. 1 is marked.) 
     15   BY MS. MILLER:
     16        Q.  If you can take a moment and flip through 
     17   that and tell me once you've had an opportunity to 
     18   look through it.
     19        A.  (Reviewing document.)
     20            Okay.
     21        Q.  Have you ever seen this document before, 
     22   Mr. Schneier?
     23        A.  No.
     24        Q.  Ever seen a document that looks like this?
     25        A.  Probably.
                                                           21
               



      1        Q.  In connection with this case?
      2        A.  No.
      3        Q.  So you have seen, you think, a subpoena 
      4   before in your life but not a subpoena directed to 
      5   you for your testimony in this case?
      6        A.  That is correct.
      7        Q.  Now, in preparing your declaration that's 
      8   been submitted in this case, did you look at any 
      9   documents or materials?  When I use the word 
     10   "document," I mean it in the broadest possible 
     11   sense, like Internet Web sites or Web pages, DVDs, 
     12   anything that you might have looked at in preparing 
     13   the declaration that you submitted.
     14        A.  Yes.
     15        Q.  What documents were those?
     16        A.  The declaration came out of an essay I 
     17   wrote in November about the DVD copy protection 
     18   scheme and the breaking of it that appeared in a 
     19   newsletter I publish.  So I relied on the essay I 
     20   wrote to write the declaration.
     21            In writing the essay and the declaration, I 
     22   looked at a variety of documents on the Web on the 
     23   DVD copy protection scheme, on the DeCSS program, on 
     24   the cryptographic algorithm and on a variety of the 
     25   politics associated with the system and its 
                                                           22
               



      1   breaking.
      2        Q.  Can you tell me specifically in those 
      3   categories of documents you just described which 
      4   documents in particular you looked at or which 
      5   Internet Web sites one might go to to look at those 
      6   same documents that you looked at in preparing your 
      7   declaration?
      8        A.  I can't.  At the end of the essay I wrote
      9   in mid November I gave a list of URLs I found 
     10   particularly interesting or illuminating.  Those I 
     11   can produce.  The other ones I looked at I have no 
     12   idea.  I used a search engine.  I followed links.  I 
     13   did my research online, and I only kept records of 
     14   the stuff that I thought was particularly useful.
     15        Q.  And those things that you found 
     16   particularly useful in conducting your online 
     17   research, those are the links that you just 
     18   testified about that would appear at the end of the 
     19   essay you wrote in November?
     20        A.  It's not a complete list.  I do a
     21   newsletter every month, and I write a number of 
     22   articles on security topics.  And at the end I like 
     23   to give a list of links that the reader might want 
     24   to follow up.
     25            So this list is not the total of everything 
                                                           23
               



      1   I found that's interesting.  It's a subset of what I 
      2   thought the reader of the essay might find 
      3   interesting and links he might want to follow to get 
      4   more information.
      5            (Plaintiffs' Exhibit No. 2 is marked.) 
      6   BY MS. MILLER:
      7        Q.  Mr. Schneier, I've just -- or the court 
      8   reporter has just handed you what we've marked as 
      9   Schneier Exhibit 2, and it appears to be an article 
     10   entitled "DVD Encryption Break is a Good Thing" by 
     11   Bruce Schneier.  It says "Special to ZDNet" and 
     12   dates -- or it's dated November 16th, 1999.
     13            Is this the essay that you just referred 
     14   to?
     15        A.  This is a similar essay.  The essay I'm 
     16   referring to appeared in my newsletter on November 
     17   15th.  This is almost the same essay.  There's some 
     18   minor differences that appeared on the ZDNet Web 
     19   site.  This version does not include the links, and 
     20   there are probably other minor additions or 
     21   changes.  I forget.  I know they're not identical, 
     22   but they're very similar.
     23        Q.  Your essay that appears on your Counterpane 
     24   Web site in the November 15th edition of your 
     25   newsletter is the one you actually looked at and 
                                                           24
               



      1   relied upon in preparing your declaration in this 
      2   case?
      3        A.  Yeah.  That's the later one.  I believe 
      4   this is an earlier draft of that.  Even though it 
      5   appeared later, it was submitted to ZDNet earlier.
      6            (Plaintiffs' Exhibit No. 3 is marked.) 
      7   BY MS. MILLER:
      8        Q.  Mr. Schneier, you've just been handed 
      9   what's been marked as Schneier declaration 
     10   Exhibit 3 -- pardon me -- Deposition Exhibit 3.
     11            Is this the declaration that you prepared 
     12   for this case?
     13        A.  Yes, it is.
     14        Q.  The day of this declaration just flipping 
     15   to the last page is April 28th, 2000; is that 
     16   correct?
     17        A.  That's what it says.
     18        Q.  So earlier you testified that you believe 
     19   you were approached to participate in this case 
     20   sometime before obviously the submission of this 
     21   declaration, and I'm looking at the date of the 
     22   declaration.  Does that help refresh your 
     23   recollection as to when you might have been first 
     24   contacted about getting involved in the case?
     25        A.  Presumably it was before April 28th.
                                                           25
               



      1        Q.  You still don't know --
      2        A.  I'm sorry.
      3        Q.  -- whether it was two weeks before?  Three 
      4   weeks before?
      5        A.  I remember it being a pretty fast 
      6   turnaround, but no.  It was probably not more than a 
      7   few weeks before.
      8        Q.  Okay.  Did the person that contacted you 
      9   about getting involved in the case, did they 
     10   indicate that they had seen your previous essay on 
     11   the DVD encryption break?
     12        A.  I remember being contacted because of that 
     13   essay.
     14        Q.  Okay. 
     15        A.  Because the opinions in that essay were 
     16   germane to the case.
     17        Q.  Now, I want to ask you something about -- 
     18            THE VIDEOGRAPHER:  Going off the record.  
     19   The time is 11:05. 
     20            (Break taken.) 
     21            THE VIDEOGRAPHER:  We're back on the 
     22   record.  The time is 11:09.  You may proceed.
     23   BY MS. MILLER:
     24        Q.  Mr. Schneier, I believe we just marked as 
     25   Exhibit 3 your declaration in this case.
                                                           26
               



      1            MS. MILLER:  Can you read back the last 
      2   question please.
      3            (Record read.)
      4   BY MS. MILLER:
      5        Q.  Now I want to ask you some questions about 
      6   how this declaration was drafted, Mr. Schneier.  Did 
      7   you actually type the declaration yourself?
      8        A.  I don't remember.  I believe what happened 
      9   was that one of the attorneys took my essay, put it 
     10   in this form numbering the paragraphs, and then I 
     11   added stuff, deleted stuff and made modifications 
     12   based on what I wanted to say in the case.
     13        Q.  Okay.  So the first time that you saw a 
     14   draft of the document that eventually became your 
     15   declaration, was that after the attorney had typed 
     16   it up in the format with the paragraph numbers using 
     17   the information in your essay?
     18        A.  One would hope the attorney wouldn't be 
     19   dumb enough to type it.  What I saw was my essay, 
     20   the identical essay, just with the paragraphs 
     21   numbered.  So my assumption is that someone took the 
     22   document off the Web, didn't change words, put it in 
     23   this format and said, "Here, start."
     24        Q.  Okay.  But that's your assumption just 
     25   based on, as you said, your view that no one would 
                                                           27
               



      1   be dumb enough to just sit there and retype your 
      2   essay?
      3        A.  And the fact that all the words were the 
      4   same.
      5        Q.  You just answered my question for me. 
      6        A.  I think that's my job.
      7        Q.  You're right.  Now when you were first sent 
      8   an initial draft of this declaration from the 
      9   attorney, was that transmitted to you by e-mail?
     10        A.  Yes, it was.
     11        Q.  Do you recall?  Did you save that e-mail?
     12        A.  I did not.
     13        Q.  Did you save the document attached to the 
     14   e-mail?
     15        A.  I did not.
     16        Q.  Do you recall at this point the name of the 
     17   person that would have e-mailed you the document?
     18        A.  I don't.  It might have been Ed, but I 
     19   actually don't remember.
     20        Q.  Once you got the e-mail with the draft 
     21   document, did you call anyone to discuss the draft?
     22        A.  I either called or sent e-mail, and 
     23   conversations did occur either by phone or e-mail.
     24        Q.  But you don't recall one way or the other?
     25        A.  Phone and e-mail are pretty much the same 
                                                           28
               



      1   in my mind.
      2        Q.  Okay.  But of course you can't keep a 
      3   documentary record of a phone call; is that correct?
      4        A.  You cannot.  And I don't keep a documentary 
      5   record of e-mail.
      6        Q.  How many drafts did this declaration go 
      7   through before you finally signed it?  Do you 
      8   recall?
      9        A.  I don't remember.  Not very many.
     10        Q.  Five?
     11        A.  Possibly five, possibly less.  Probably not 
     12   more but possibly more.
     13        Q.  Not more than five?
     14        A.  Or maybe more than five.  I honestly don't 
     15   remember.  Certainly not hundreds.
     16        Q.  Could it have been ten?
     17        A.  Probably not as many as ten.
     18        Q.  So could have been more than five but 
     19   probably not as many as ten?
     20        A.  Um-hum, yes.
     21        Q.  And you said that it could have been Ed 
     22   that sent you the drafts of the declaration?
     23        A.  Yeah.  I do not remember, but it certainly 
     24   could have been him.
     25            MS. MILLER:  Mr. Hernstadt, if in fact it 
                                                           29
               



      1   was you that sent the draft declarations or someone 
      2   from your firm that sent the draft declarations to 
      3   Mr. Schneier, I'd like to call for the production of 
      4   those drafts if they exist at this time.
      5            MR. HERNSTADT:  We will take it under 
      6   advisement.
      7            MS. MILLER:  Thank you.  And, of course, 
      8   any e-mails that accompanied the drafts. 
      9   BY MS. MILLER:
     10        Q.  Do you recall, Mr. Schneier, over what 
     11   period of time these drafts were transmitted back 
     12   and forth between yourself and whomever you were 
     13   sending them to?  Was it a week?
     14        A.  No, I don't remember.  Presumably it was 
     15   days before it was signed.
     16        Q.  When did you first hear about DeCSS?
     17        A.  Sometime between October 15th and November 
     18   15th.
     19        Q.  How did you hear about it?
     20        A.  Don't remember.
     21        Q.  Was it over the Internet?
     22        A.  Most likely.
     23        Q.  Do you know whether it was on a 
     24   news-oriented Web site or in a chat room?
     25        A.  It wouldn't be a chat room.  It might have 
                                                           30
               



      1   been a news-oriented Web site.  It might have been a 
      2   personal e-mail.
      3        Q.  It might have been a personal e-mail.  What 
      4   is your understanding of what DeCSS does?
      5        A.  Is that DeCSS?
      6        Q.  DeCSS.
      7        A.  DeCSS.  DeCSS is a program that removes the 
      8   obfuscation and scrambling of DVDs.
      9        Q.  Have you ever used DeCSS?
     10        A.  I have never used it.
     11        Q.  Have you ever seen the source code for 
     12   DeCSS?
     13        A.  I have never seen source code.
     14        Q.  And how did you gain the understanding 
     15   that you just testified to of what DeCSS does, if 
     16   you recall?
     17        A.  I read it off other people's writings and 
     18   essays and research papers.
     19        Q.  Do you recall any of the people's essays or 
     20   writings or research papers that you read?
     21        A.  The only one that I recall, although the 
     22   list of URLs in my essay is probably a good list,  
     23   is the -- 
     24        Q.  I'm sorry.  That's the November 15th essay 
     25   that's on your Web site?
                                                           31
               



      1        A.  I'm sorry, yes.
      2        Q.  Was the most complete essay that you wrote?
      3        A.  Yes.  There is one paper that was written 
      4   by someone who actually did the cryptanalysis of the 
      5   encryption algorithm.
      6        Q.  Do you remember that person's name?
      7        A.  I do not.  But if I saw it, I would say, 
      8   yeah, that's him.
      9        Q.  Do you know the name Frank Stevenson?
     10        A.  That's him.
     11        Q.  Have you ever spoken to Mr. Stevenson 
     12   personally, or did you just read something that he 
     13   had written?
     14        A.  I just read that one thing he had written.  
     15   I had never heard from him before, and I have not 
     16   heard from him since.  
     17        Q.  Had you heard of him before?
     18        A.  I had not heard of him before.
     19        Q.  When did you first hear about CSS?
     20        A.  At the same time I heard about --
     21            MR. HERNSTADT:  Objection.  Assumes facts 
     22   not in evidence.
     23   BY MS. MILLER:
     24        Q.  Had you heard of CSS?
     25        A.  Yes.
                                                           32
               



      1        Q.  When was the first time you heard of CSS?
      2        A.  At the same time I heard of DeCSS.
      3        Q.  This would have been sometime between 
      4   October 15th and November 15th of 1999 as you've 
      5   testified?
      6        A.  That is correct.
      7        Q.  Now before that period of time -- and by
      8   "that period of time" I mean October 15th to 
      9   November 15th, 1999 -- did you know anything about a 
     10   security system put in place to protect DVD content?
     11        A.  I knew something that this was happening.  
     12   I had done some consulting for companies who had 
     13   video content to protect, and so I was familiar with 
     14   the class of systems, their security properties, how 
     15   they might work, how they might fail.  I knew 
     16   nothing about the particular CSS system, exactly how 
     17   it worked and exactly its flaws.
     18        Q.  What companies did you do this consulting 
     19   work for that had digital content that you just 
     20   testified to?
     21        A.  Counterpane keeps its customer list 
     22   confidential.
     23        Q.  But this was in connection with Counterpane 
     24   Internet or Counterpane Systems?  
     25        A.  This is in connection with Counterpane 
                                                           33
               



      1   Systems, and this was several years ago, probably 
      2   before the CSS system was developed.
      3        Q.  Do you know when the CSS system was 
      4   developed?
      5        A.  No.  I'm guessing.
      6        Q.  So you don't really know whether this was 
      7   before the CSS system was developed?
      8        A.  No.
      9        Q.  Do you have an understanding now of how 
     10   CSS, or the content scrambling system, operates?
     11        A.  I have an understanding based on documents 
     12   I've read, yes.
     13        Q.  What documents have you read to gain that 
     14   understanding?
     15        A.  Again, documents I produced before writing 
     16   my essay in mid November including that 
     17   cryptanalysis paper we mentioned earlier.
     18        Q.  Do you know who the authors of DeCSS are?
     19        A.  I do not.
     20        Q.  A moment ago I believe you testified that 
     21   it was your understanding that DeCSS removes the 
     22   obfuscation and scrambling of DVDs.  Are you aware 
     23   of any other functions that it performs?
     24        A.  I am not.
     25        Q.  Have you ever seen or examined the object 
                                                           34
               



      1   code for DeCSS?
      2        A.  I have not.
      3        Q.  Have you ever visited a Web site with the 
      4   URL www.2600.com?
      5        A.  Yes, I have.
      6        Q.  When was the first time you visited the 
      7   2600.com Web site?
      8        A.  I don't remember.  It was several years 
      9   ago.
     10        Q.  So you were familiar with the 2600.com Web 
     11   site before your involvement in this case?
     12        A.  Yes, I was.
     13        Q.  Have you ever met Mr. Eric Corley?
     14        A.  Yes, I have.
     15        Q.  When was the first time you met him?
     16        A.  It was several years ago.  I believe it was 
     17   at a hackers conference.  I do not remember which 
     18   one.
     19        Q.  Do you remember where the hackers 
     20   conference took place?
     21        A.  Either in New York or Las Vegas since those 
     22   are the only two cities and conferences I've been to 
     23   that are hackers conferences.
     24        Q.  That would stand to reason.  Was that the 
     25   only time you met Mr. Corley?
                                                           35
               



      1        A.  I believe I met him several times.
      2        Q.  When was the last time you saw Mr. Corley?
      3        A.  Again, I don't remember.  It was at some 
      4   conference also.
      5        Q.  Okay.  Was it after this lawsuit was filed?
      6        A.  No, no.  It was before that.
      7        Q.  Have you spoken to Mr. Corley since this 
      8   lawsuit has been filed?
      9        A.  I have not.
     10        Q.  Have you exchanged any e-mails with 
     11   Mr. Corley since this lawsuit has been filed?
     12        A.  I believe he sent me an e-mail thanking me 
     13   for the declaration, but I don't remember exactly.
     14        Q.  Would you have saved that e-mail if in fact 
     15   you sent it?
     16        A.  I might have.  Probably not but possible.
     17            MS. MILLER:  Mr. Hernstadt, if it is at all 
     18   possible that Mr. Schneier saved that e-mail, I'd 
     19   like you to check.  And if so, I would like to call 
     20   for production of the e-mail between Mr. Corley and 
     21   Mr. Schneier.
     22            MR. HERNSTADT:  The e-mail saying, "Thank 
     23   you for your declaration"?
     24            MS. MILLER:  I don't know that that's what 
     25   the e-mail says.  I doubt that you know that that's 
                                                           36
               



      1   what the e-mail says.
      2            MR. HERNSTADT:  That's what Mr. Schneier 
      3   said it said, but we will take it under advisement.
      4            MS. MILLER:  Thank you.
      5            MR. HERNSTADT:  Sure.
      6   BY MS. MILLER:
      7        Q.  Were you told anything about Mr. Corley's 
      8   activities which gave rise to this lawsuit?
      9        A.  I was not.
     10        Q.  Have you ever seen the Complaint that's 
     11   filed in this lawsuit by the plaintiffs?
     12        A.  I saw it.  I skimmed it.  I didn't read it.
     13        Q.  How did you see it?
     14        A.  I believe I went to the Web and found it.
     15        Q.  Do you remember what Web site you found it 
     16   on?
     17        A.  I do not.
     18        Q.  How long ago did you skim the Complaint?
     19        A.  Around the same time I wrote the 
     20   declaration.
     21        Q.  Did you -- strike that.
     22            When was the last time that you visited the 
     23   2600.com Web site if you recall?
     24        A.  I think a couple of weeks ago.
     25        Q.  Have you ever heard of a Digital Millennium 
                                                           37
               



      1   Copyright Act?
      2        A.  Yes, I have.
      3        Q.  Did you at any time, Mr. Schneier, testify 
      4   before Congress in connection with the legislative 
      5   process involved in enacting the Digital Millennium 
      6   Copyright Act?
      7        A.  I did not.
      8        Q.  Did you write any essays during the time 
      9   that Congress was considering passing the Digital 
     10   Millennium Copyright Act stressing a point of view 
     11   about that law?
     12        A.  I did.
     13        Q.  If I wanted to find those essays, where 
     14   would I go to find them?
     15        A.  They would be on the Counterpane Web site 
     16   in the Crypto-Gram archives.
     17        Q.  When was the Digital Millennium Copyright 
     18   Act passed if you know?
     19        A.  I do not remember.  If you could refresh me 
     20   with that date, I could put other things in context.
     21        Q.  If I was to represent to you that it was 
     22   enacted in 1998, would that seem consistent with 
     23   your recollection in terms of the general time frame 
     24   or how long ago?
     25        A.  Yes.
                                                           38
               



      1        Q.  So if we proceed on the assumption that it 
      2   was passed in 1998, that's fine for you?
      3        A.  Yeah.  Actually, do you have a month? 
      4        Q.  Now you're testing me.  I believe it was 
      5   actually October or November.
      6            MR. HERNSTADT:  October.
      7   BY MS. MILLER:
      8        Q.  Now did you review any drafts of the 
      9   Digital Millennium Copyright Act in conjunction with 
     10   preparing the essay you wrote about it?
     11        A.  Yes, I did.
     12        Q.  Did you ever review the final bit of 
     13   legislation as signed by President Clinton?
     14        A.  Yes, I did.
     15        Q.  Do you recall any differences between the 
     16   draft legislation that you reviewed around the time 
     17   that you wrote your essay and what was finally 
     18   enacted by Congress?
     19        A.  I believe there are several differences, 
     20   and I reviewed several different drafts, and I also 
     21   probably wrote several different essays.
     22        Q.  The first essay that you wrote about the 
     23   Digital Millennium Copyright Act, did you express any 
     24   concerns about the Act and its provisions and how 
     25   that might impact people that do the type of work 
                                                           39
               



      1   that you do?  By that I mean encryption research.
      2        A.  I do not remember the contents of the 
      3   essays.  I would have to look them up to refresh my 
      4   memory.  It is likely that I would have expressed 
      5   concern over the Act and the stifling effect that it 
      6   would have on cryptographic and security research.
      7        Q.  And what in your view was that stifling 
      8   effect at the time that you wrote the essay?
      9        A.  The Act, because of its prohibition against 
     10   circumvention and reverse engineering, would serve 
     11   to limit the research cryptographers and computer 
     12   security scientists could do.  It would limit their 
     13   ability to analyze systems, to study systems, to 
     14   learn from systems and to teach others about the 
     15   security of systems.
     16            MR. HERNSTADT:  Let me just intercede at 
     17   one point that Mr. Schneier's testifying from his 
     18   personal opinion.  He's not testifying as a lawyer 
     19   and about the legal meaning of the Act but merely 
     20   his understanding, his personal understanding, of 
     21   the Act.
     22            MS. MILLER:  I understand that.  I haven't 
     23   asked you any questions about what your legal -- 
     24   what the legal meaning is of the Act.  I understand 
     25   that you're not -- 
                                                           40
               



      1            THE WITNESS:  In the time period we were 
      2   talking about, there was no actual law.  These were 
      3   just drafts.
      4   BY MS. MILLER:
      5        Q.  When was the last time you looked at the 
      6   final legislation?
      7        A.  It was soon after it was passed.
      8        Q.  From the time that you originally expressed 
      9   concerns about, as you said, the prohibitions 
     10   against reverse engineering to the final draft of 
     11   the legislation, do you recall whether any of those 
     12   prohibitions were removed?
     13        A.  I believe they were not.  I believe wording 
     14   was changed, but I believe basically the 
     15   prohibitions remained.  Again, I would have to 
     16   refresh myself by looking at the actual law and the 
     17   drafts if I could find them.
     18        Q.  And the last time you looked at the final 
     19   legislation as passed was shortly after it was 
     20   passed?
     21        A.  Yes.  Although if you showed me an essay I 
     22   wrote between then and now that mentioned it, I 
     23   certainly would not be surprised.  I do not recall 
     24   writing any such.
     25        Q.  In the final version of the -- I'm just 
                                                           41
               



      1   going to refer to it from here on out as the "DMCA" 
      2   because the "Digital Millennium Copyright Act" is 
      3   quite a mouthful -- in the final version of the DMCA 
      4   that you reviewed after it was passed, do you recall 
      5   seeing any specific exemptions for 
      6   reverse-engineering activities?
      7        A.  I don't remember.  At some point during the 
      8   process there were exemptions for compatibility 
      9   purposes.  I forget if they were struck.  I believe 
     10   the exemption for research purposes is still there, 
     11   but I remember it being very narrowly defined and 
     12   the burden of proof put on the researcher.
     13            Again, I forget if this stayed or if it 
     14   left.  Unfortunately when I was working on this and 
     15   writing about this, it was a while ago, and I've 
     16   since then forgotten.  If I was to write about this 
     17   again, I would have to refresh my memory.
     18        Q.  Now when you said the research exemption, 
     19   were you referring to an encryption research 
     20   exemption, or what type of a research exemption were 
     21   you referring to?
     22        A.  It was either an exemption for crypto 
     23   research or for security research, but there was an 
     24   exemption for researching the effectiveness of these 
     25   security systems for which reverse engineering was 
                                                           42
               



      1   prohibited.
      2        Q.  I see.  And in viewing the final version of 
      3   the DMCA as enacted and that research exemption that 
      4   you just testified about, were you satisfied that
      5   your initial concerns in looking at earlier drafts 
      6   of the legislative -- strike that -- of the 
      7   legislation had been addressed?
      8        A.  I was -- 
      9            MR. HERNSTADT:  Object to the form of the 
     10   question.  It's vague.
     11            Go ahead.  You can answer.
     12            THE WITNESS:  I was definitely unsatisfied.
     13   BY MS. MILLER:
     14        Q.  And why were you unsatisfied?
     15        A.  Because I felt that the provisions in the 
     16   law as it remained would still have the same 
     17   stifling effect on research that I foretold when I 
     18   first heard about the law and the provision.
     19        Q.  What in your view was that stifling effect?
     20        A.  What the law does as far as I know from my 
     21   understanding is that it makes it very difficult if 
     22   not impossible to take an existing security system, 
     23   reverse engineer it, study it, publish the results 
     24   of that study and thereby learn from the mistakes 
     25   made by the people who designed it.
                                                           43
               



      1        Q.  And how was the understanding that you just 
      2   testified to derived?
      3        A.  The understanding of the mistakes -- the 
      4   understanding of the details of a security system 
      5   are derived from learning how it works, studying how 
      6   it works and figuring out how to break it.
      7            MR. HERNSTADT:  Was that what you were 
      8   asking, or were you asking about his understanding 
      9   of the DMCA?
     10            MS. MILLER:  I'll get to both.
     11            MR. HERNSTADT:  Okay.  Let me make a very 
     12   delayed objection to the form of the question as 
     13   being unclear.
     14            MS. MILLER:  I know that you're objecting 
     15   to the question but to his answer -- I'll ask 
     16   another question.
     17            MR. HERNSTADT:  The answer is fine, but 
     18   that just made me realize I thought that you were 
     19   asking something else, and then I realized the 
     20   question could have been asking either so -- 
     21            MS. MILLER:  Could you read back the 
     22   witness' last answer please.
     23            (Record read.)
     24   BY MS. MILLER:
     25        Q.  Mr. Schneier, my question actually was, how 
                                                           44
               



      1   is your understanding of the research exemption in 
      2   the DMCA derived?
      3        A.  My understanding back then was derived from 
      4   reading it and talking to other people who were 
      5   involved in lobbying and speaking about it.
      6        Q.  Okay.  Do you remember the names of any of 
      7   the other people that you talked to that were 
      8   involved in lobbying and speaking about it?
      9        A.  I do not.  The CCIA -- I forget what that 
     10   stands for -- was involved in lobbying, and I did 
     11   have contact with them.  And then anybody else who 
     12   was likely to talk about it at conferences I'm at, 
     13   I'm likely to hear their opinions.
     14            And the EFF and EPIC are two organizations 
     15   whose opinions if they were written I would have 
     16   read.  And presumably there were other people.
     17        Q.  The CCIA and the EFF I'm familiar with.  
     18   What is "EPIC"?
     19        A.  EPIC is Electronic Privacy Information 
     20   Center.  They're in Washington, D.C.
     21        Q.  What does the Electronic Privacy 
     22   Information Center do as you understand it?
     23        A.  As I understand it, they do several things.  
     24   They are a privacy watchdog against industry and the 
     25   government.  They do a lot of FOIA of different 
                                                           45
               



      1   documents from the government and publish what they 
      2   find.
      3        Q.  By "FOIA" do you mean F-O-I-A, Freedom of 
      4   Information Act?
      5        A.  Yes, I do.  They do a lot of testifying 
      6   before Congress on privacy and -- a lot of 
      7   testifying before Congress on privacy laws, and they 
      8   do a lot of education on privacy issues as they 
      9   relate to computers and computer networks.
     10        Q.  Are there any professional organizations 
     11   of cryptographers that you're aware of, 
     12   Mr. Schneier?
     13        A.  Yes, there are.  The IACR, the 
     14   International Association of Cryptologic Research, 
     15   is the international cryptography professional 
     16   organization.
     17        Q.  Now, in your experience or to your 
     18   knowledge, are there any ethical constraints on 
     19   cryptographic activities with respect to 
     20   disseminating the results of encryption research on 
     21   a particular system?
     22            MR. HERNSTADT:  Objection to the form of 
     23   the question.  That's a very vague and broad 
     24   question.
     25            If you can answer it, please go ahead.
                                                           46
               



      1            THE WITNESS:  You asked me if I have any 
      2   ethical constraints or if anybody has any ethical 
      3   constraints?
      4   BY MS. MILLER:
      5        Q.  I asked you first if anybody or if any 
      6   organization that you're aware of issues ethical 
      7   guidelines concerning dissemination of the results 
      8   of cryptographic research activities.
      9            MR. HERNSTADT:  Objection to the form of 
     10   the question.  It's compound.
     11            If you can answer that -- 
     12            THE WITNESS:  Certainly, the National 
     13   Security Agency classifies cryptographic research,  
     14   as presumably do the intelligence organizations of 
     15   other companies around the world.  Some 
     16   cryptographers work for companies, and presumably 
     17   some of the work they do is proprietary, not 
     18   disseminated.  And quite possibly cryptographers may 
     19   or may not on their own initiative decide to 
     20   publish.
     21            Certainly anybody using cryptography to 
     22   commit a crime using the results of analysis to 
     23   break into systems is likely not to disseminate his 
     24   techniques.  And there certainly could be other 
     25   ethical objections that people might have.
                                                           47
               



      1   BY MS. MILLER:
      2        Q.  But as far as you're aware, is there a 
      3   standards making organization that issues guidelines 
      4   with respect to ethical consideration in 
      5   cryptographic research?
      6            MR. HERNSTADT:  Objection to the form.
      7            THE WITNESS:  As far as I know, no 
      8   standards body or professional organization or group 
      9   of cryptographers has issued any standards of what 
     10   shouldn't be published.
     11   BY MS. MILLER:
     12        Q.  Okay. 
     13        A.  The primary -- the overriding ethic in the 
     14   cryptographic community is that publication serves 
     15   research and advances knowledge and is a good thing.
     16        Q.  Now Mr. Schneier, have you personally ever 
     17   had occasion to crack an encryption algorithm that 
     18   was developed by someone else?
     19        A.  Yes, I have.
     20        Q.  Which ones?
     21        A.  There are literally dozens of academic 
     22   papers on my Web site that break different 
     23   algorithms and I could provide a list, but it's easy 
     24   to go to the Web site and look at the papers.
     25        Q.  Can you give me an example of some of the 
                                                           48
               



      1   systems that these encryption systems were designed 
      2   to protect?
      3        A.  Most of them are academic systems, and they 
      4   weren't designed to protect anything.  They were 
      5   just designed.  Generally most encryption algorithms 
      6   are completely orthogonal to the way they're used.  
      7   So an algorithm might be proposed, and it might be 
      8   used in a variety of applications, none of which the 
      9   proposer had any idea they would be used in.
     10            An example of one that was a -- that was 
     11   proposed and used in a particular system was an 
     12   algorithm used in some digital cellular telephone 
     13   systems.
     14        Q.  For telephones, okay.  Were you personally 
     15   involved in cracking some of the encryption 
     16   algorithms for the digital cellular telephone 
     17   systems?  
     18        A.  I was a member of a group that did, yes.
     19        Q.  Was this an academic group, or what was the 
     20   group that was involved in cracking these digital 
     21   cellular telephone systems?
     22        A.  It was a group of researchers.  It was not 
     23   part of a consulting project.
     24        Q.  Were these all academics?
     25            MR. HERNSTADT: Objection to the form of the 
                                                           49
               



      1   question.
      2            Do you understand?  
      3            THE WITNESS:  It's a hard question because 
      4   many people who are paid by companies engage in 
      5   academic research.  So if "academic" means someone 
      6   who is paid by a university, the answer is one of 
      7   the members of our group was.  If the question is, 
      8   were these people people active in the academic 
      9   community, the answer is all of them.
     10   BY MS. MILLER:
     11        Q.  How many people were in this group?
     12        A.  The paper was written by three people, 
     13   although this is my recollection and I would have to 
     14   look at the paper to be sure, but I remember three 
     15   of the researchers.
     16        Q.  Is this paper on your Web site?  
     17        A.  The paper is on my Web site, yes.
     18        Q.  Now, did you after cracking this encryption 
     19   system that was designed to protect digital cellular 
     20   telephone communications design a computer program 
     21   or software utility that would allow anyone else to 
     22   then crack into the digital cellular telephone 
     23   systems to exploit the weaknesses that you were able 
     24   to uncover?
     25            MR. HERNSTADT:  Could you read back that 
                                                           50
               



      1   question please.
      2            (Record read.)
      3            MR. HERNSTADT:  Objection to the form of 
      4   the question.  It's compound, and it assumes a lot 
      5   of facts not in evidence.
      6            You can answer it if you can.
      7            THE WITNESS:  I personally did not.  Our 
      8   team did write demonstration software both to test 
      9   our hypotheses and to demonstrate to whomever needed 
     10   to verify our results that they were correct.  I do 
     11   not remember how the software worked and exactly how 
     12   usable it would be by other people.
     13   BY MS. MILLER:
     14        Q.  Is this piece of software available on your 
     15   Web site in connection with the research paper 
     16   that's posted on the Web site?
     17        A.  It might very well be.  The way to check is 
     18   to go to the Counterpane Web site, go to the 
     19   Counterpane lab Web sites, look at the CMEA button 
     20   on the left-hand side, M dash -- that's the name of 
     21   the algorithm, M dash -- and follow the link.
     22        Q.  But you said you don't know how useful the 
     23   software utility that was developed might be to 
     24   anyone else that might try to use it.  Is that what 
     25   you said?
                                                           51
               



      1            MR. HERNSTADT:  Objection to the form.
      2   BY MS. MILLER:
      3        Q.  I just want to make sure I understand your
      4   answer.  I'm really not trying to misstate what you 
      5   said.
      6        A.  I don't remember.  It was several years 
      7   ago.
      8        Q.  Do you have a point of view on whether or 
      9   not a person that's engaged in encryption research 
     10   should at the same time as that person disseminates 
     11   the results of that encryption research disseminate 
     12   a tool that will allow you to exploit the weaknesses 
     13   in a particular encryption system?
     14            MR. HERNSTADT:  Objection to form.
     15            THE WITNESS:  I have an opinion.  In a lot 
     16   of cases part of the research is writing the tool, 
     17   and part of disseminating the research is 
     18   disseminating the tool.  Personally there are many 
     19   cases where I feel that writing a tool whose sole 
     20   purpose is to attack and break systems is not a good 
     21   thing.  There are some instances where writing such 
     22   a tool is the only possible way to get the problem 
     23   fixed.
     24            So it's a very complicated issue.  It's one 
     25   I have written on in the past few months.  There's 
                                                           52
               



      1   an essay on this topic that I've written.  This is a 
      2   topic where my ideas are still in flux because it's 
      3   a very difficult question.
      4   BY MS. MILLER:
      5        Q.  I understand.  You said that you can 
      6   imagine that there would be times when it wouldn't 
      7   be a good thing to disseminate a tool that's 
      8   designed to exploit the weaknesses.  Can you give 
      9   some examples of in your view when it wouldn't be a 
     10   good thing to do that. 
     11            MR. HERNSTADT:  Objection to the form.
     12            THE WITNESS:  An example would be a tool 
     13   that doesn't actually demonstrate anything new, that 
     14   endangers life and limb and that exploits a problem 
     15   that can't easily be fixed are examples where I 
     16   would question the judgment of the person who 
     17   released the tool. 
     18   BY MS. MILLER:
     19        Q.  And in your review in what instances would 
     20   a problem not easily be fixed?
     21            MR. HERNSTADT:  Objection to the form.
     22            THE WITNESS:  In closed proprietary 
     23   systems.  So in systems that are -- systems not on a 
     24   general purpose computer are often much harder to 
     25   fix than systems that are on a general purpose 
                                                           53
               



      1   computer.
      2            A system in a closed system like nuclear 
      3   command and control or a stand-alone ATM machine, 
      4   these might involve widespread deployment of 
      5   equipment across the country or across the world 
      6   which is very different than a version of a piece of
      7   software which could be updated relatively quickly.  
      8   Again, I understand this is a gray line.
      9   BY MS. MILLER:
     10        Q.  From your point of view it's a gray line or 
     11   from the point of view of cryptographers generally?
     12        A.  From my point of view.
     13        Q.  Is it fair to say that -- you said your 
     14   ideas about this are in a state of flux, so is it 
     15   fair to say that at this point you don't have a 
     16   fully formed view on in which instances 
     17   disseminating a tool to exploit a flaw in a security 
     18   system might be permissible and other instances 
     19   where it might not be permissible?
     20            MR. HERNSTADT:  Objection to the form.  
     21   Misstates the testimony.
     22            THE WITNESS:  It's very much like the 
     23   definition of pornography.  I know it when I see it.  
     24   Defining exactly what it is is hard.
     25            And to bring to something I think you said, 
                                                           54
               



      1   I'm here more talking about security systems as 
      2   opposed to the mathematics of cryptography.  The 
      3   mathematics of cryptography is really much more cut 
      4   and dried, and that publication is pretty much 
      5   always a good idea. 
      6   BY MS. MILLER:
      7        Q.  Publication of the actual encryption 
      8   algorithm?  I just want to understand when you say 
      9   publication of the "mathematics of cryptography."
     10        A.  Publication of the research, which in 
     11   mathematics is generally mathematical research, 
     12   which is generally a paper that includes algorithms 
     13   and equations and an analysis.  And that's sort of 
     14   one end.
     15            The other end is analysis of working 
     16   security systems which would presume cryptography 
     17   but would also include analysis of the 
     18   software, analysis of the procedures, analysis of 
     19   the usage.
     20        Q.  And the last sort of line of questions that 
     21   we've been engaged in here, I'm really more 
     22   interested in your view about developing and 
     23   disseminating particular tools that allow an 
     24   individual to exploit a flaw in a security system 
     25   that a person engaged in encryption research might 
                                                           55
               



      1   have been able to uncover.
      2        A.  Um-hum.
      3        Q.  Is your point of view on that still in a 
      4   state of flux?
      5        A.  My point of view is still in a state of 
      6   flux.  I believe I have a consistent, coherent point 
      7   of view, but exceptions and special cases are still 
      8   arising, so my view is still being refined.
      9        Q.  And the point of view that you just
     10   testified to though is more in -- strike that --  
     11   analogous to like you just said, pornography, you 
     12   know it when you see it.  Do you know a bad exploit 
     13   of a tool as opposed to a good one?
     14            MR. HERNSTADT:  I'm sorry.  Could you read 
     15   that question back please.
     16            MS. MILLER:  That was not a good -- the 
     17   most articulate question.
     18            MR. HERNSTADT:  Do you want to try again?
     19            THE WITNESS:  I can answer it.
     20            MR. HERNSTADT:  Don't answer until I hear 
     21   it because I want to make sure I have some vague 
     22   idea.  
     23            THE WITNESS:  Maybe I should hear it again 
     24   too.
     25            (Record read.)
                                                           56
               



      1            MR. HERNSTADT:  Objection to the form.
      2            THE WITNESS:  I believe that's true, 
      3   although it's not impossible that someone would show 
      4   me a special case that I would have no idea of my 
      5   opinion on it until I thought about it a lot.
      6            MS. MILLER:  Okay. 
      7            MR. HERNSTADT:  Is this a good time to take 
      8   two for unstated reasons?
      9            MS. MILLER:  Sure.
     10            THE VIDEOGRAPHER:  Going off the record.  
     11   The time is 11:56.
     12            (Break taken.)
     13            THE VIDEOGRAPHER:  We're back on the 
     14   record.  The time is 12:05.  You may proceed.
     15   BY MS. MILLER:
     16        Q.  Mr. Schneier, I'm going to show you a 
     17   document that I'll have marked as Exhibit 4 for your 
     18   deposition.
     19            (Plaintiffs' Exhibit No. 4 is marked.) 
     20   BY MS. MILLER:
     21        Q.  Now initially, Mr. Schneier, I'd like you 
     22   to focus your attention on the first two pages of 
     23   this document.  So we have a clear record, I'll 
     24   represent to you that this is a document that I 
     25   printed from the Counterpane Web site.  It is 
                                                           57
               



      1   entitled "Crypto-Gram."  The date of the document is 
      2   January 15th, 2000.  It says, "By Bruce Schneier, 
      3   founder and CTO, Counterpane Internet Security, 
      4   Inc."  And the initial article is entitled, "'Key 
      5   Finding' Attacks and Publicity Attacks."
      6            Now Mr. Schneier, earlier in your testimony 
      7   you referred to "Crypto-Gram."  What is 
      8   "Crypto-Gram"?
      9        A.  "Crypto-Gram" is a monthly newsletter, a 
     10   free e-mail newsletter, that I write and publish 
     11   every month.
     12        Q.  Is this document that I've just shown you 
     13   that's been marked as Exhibit 4 a copy of the 
     14   monthly newsletter Crypto-Gram that you write?
     15        A.  Without examining every word of it, I 
     16   assume it is.
     17        Q.  If you could take a moment to look at the 
     18   first two pages of the document that I've handed 
     19   you, I'd like to ask you some questions about it.  
     20   Tell me when you're ready.
     21            MR. HERNSTADT:  I'm going to need a couple 
     22   minutes.  
     23            THE WITNESS:  I'm ready.
     24            MR. HERNSTADT:  I'm not.
     25            (Reviewing document.)
                                                           58
               



      1            Okay.
      2   BY MS. MILLER:
      3        Q.  Mr. Schneier, do you recognize this article 
      4   in this newsletter "'Key Finding' Attacks and 
      5   Publicity Attacks"?
      6        A.  I do.
      7        Q.  Did you write it?
      8        A.  I did.
      9        Q.  Now without me reading it word for word, 
     10   can you tell us just generally what the subject of 
     11   this article is. 
     12        A.  The subject of this article is a particular 
     13   situation that occurred in January when a company 
     14   made a press announcement about what they claimed to 
     15   be a vulnerability in an Internet protocol and uses 
     16   that example as a jumping-off point to discuss some 
     17   of the pros and cons towards releasing information 
     18   about vulnerabilities, releasing vulnerability tools 
     19   and makes a stab at trying to draw some conclusions 
     20   about some of the issues we talked about earlier.
     21        Q.  What conclusion is drawn in this article 
     22   about releasing the tools that exploit 
     23   vulnerabilities and security systems?
     24            MR. HERNSTADT:  Objection.  Are you asking 
     25   him to point out in the article where he draws a 
                                                           59
               



      1   conclusion?
      2   BY MS. MILLER:  
      3        Q.  No.  At this point I'd like you to do it 
      4   from -- if it helps you to look at the article, 
      5   that's fine, however you want to answer the 
      6   question, if you understand the question.
      7        A.  You're asking me to discuss my thinking at 
      8   January 15th, not subsequent.  What I say in this 
      9   essay is that one of the ways to look at a tool is 
     10   to look at the motivations of the person who 
     11   releases it, whether it's a tool that demonstrates a 
     12   vulnerability in some useful fashion, whether it's a 
     13   tool that simply allows someone without any skill to 
     14   exploit a vulnerability, whether the person 
     15   releasing the tool has any ulterior motives in 
     16   releasing it.  And that's one way to get some idea 
     17   of whether it was a good thing or a bad thing.
     18        Q.  Okay.  And you say the ulterior motives 
     19   that the person might have had in releasing the tool 
     20   is one of the factors in your mind that determines 
     21   whether or not the release of the tool is a good or 
     22   bad thing; is that correct?
     23        A.  That's what I said, yes.
     24        Q.  Now, in this particular situation that's 
     25   being described in this article, or the essay, "'Key 
                                                           60
               



      1   Finding' Attacks and Publicity Attacks," was there a 
      2   particular tool that was disseminated along with the 
      3   press release of the vulnerability in the Internet 
      4   protocol?
      5        A.  It's unclear.  At the time I wrote this, I 
      6   believe there was.  In subsequent conversations with 
      7   the company that released the press release, they 
      8   indicated that they did not release the tool.  I do 
      9   not know if a tool was released, how widely it's 
     10   used, whether someone else took the research done 
     11   and wrote a tool.
     12            So when I wrote this essay, I believe the 
     13   tool was released by the company that released the 
     14   press release, but I don't know if that's true.
     15        Q.  At this point do you know whether or not 
     16   there was a tool released?
     17        A.  At this point I believed the people I spoke 
     18   to from the company, and they said they did not 
     19   release a tool.
     20        Q.  Now you cite other examples in this essay, 
     21   and if I can just draw your attention to page 1, and 
     22   there are several bullet points.  I'll read the 
     23   introductory phrase to the bullet point so you have 
     24   a sense of where I am.  You say, "This kind of thing 
     25   is happening more and more, and I'm getting tired of 
                                                           61
               



      1   it.  Here are some more examples" and bullet point 
      2   2.
      3            MR. HERNSTADT:  Carla, before you do that, 
      4   could you just read the first line of that sentence  
      5   before that -- the word "thing" is defined -- so we 
      6   know what kind of "thing" we are -- 
      7            MS. MILLER:  Well, I think if I want to 
      8   have that "thing" defined, I'll ask the witness to 
      9   define it, Mr. Hernstadt.
     10            MR. HERNSTADT:  All right.  Then let me 
     11   object to any question that comes out based on that 
     12   it's vague that the term is undefined.
     13   BY MS. MILLER:
     14        Q.  If you could look at bullet point 2 on page 
     15   1, Mr. Schneier, you indicate that, "Some people at
     16   eEye" -- that's lower case "e," capital E-y-e --   
     17   "discovered a bug in IIS last year completely 
     18   compromising the product.  They contacted Microsoft, 
     19   and after waiting only a week for them to 
     20   acknowledge the problem, they issued a press release 
     21   and a hacker tool.  Microsoft rushed a fix out but 
     22   not as fast as the hackers jumped on the exploit.  
     23   EEye sells vulnerability assessment tools and 
     24   security consulting by the way."
     25            Do you see that, what I've just read to 
                                                           62
               



      1   you?
      2        A.  I do.
      3        Q.  Now, did you do any verification of the 
      4   facts of eEye's rushing out and issuing a press 
      5   release and a hacker tool that exploited the 
      6   vulnerability in this Microsoft product?
      7        A.  No more verification than reading documents 
      8   and opinions and things other people had written.
      9        Q.  And did you think at the time that you 
     10   wrote this essay that those activities were a good 
     11   thing to do by eEye?
     12        A.  A lot of this is very situation dependent, 
     13   and often my objections are not based on what was 
     14   done but based on how it was done.  My objections in 
     15   the eEye instance were based on the fact that eEye 
     16   seems to me to have used the exploit and the 
     17   publication of it as a publicity engine for their 
     18   company and not as a way to fix the problem.
     19            So I'm not -- I have no objections to the 
     20   research, to the publication or the dissemination, 
     21   but the form of it was something I thought was not 
     22   the best it could have been.
     23        Q.  Okay.  And the form of it that you're 
     24   describing, was that just the dissemination of the 
     25   hacker tool or just the fact that they were using 
                                                           63
               



      1   this whole incident to publicize their security 
      2   services?
      3        A.  It was that they were using the incident to 
      4   publicize.
      5        Q.  But you have no problem with them 
      6   disseminating the hacker tool that was designed to 
      7   exploit the vulnerability that they uncovered?
      8            MR. HERNSTADT:  Objection to the form.
      9            THE WITNESS:  Again, this is very dependent 
     10   on circumstance.  Microsoft is a corporation that 
     11   will lie, will claim things that are true that are 
     12   not true, will deny the fact that exploits exist.  
     13   If you point out a security vulnerability, they will
     14   tell you you're wrong.  And the only way to get 
     15   Microsoft to fix a problem, a security problem, is 
     16   to release a tool.
     17            So in dealing with Microsoft as a 
     18   researcher wanting to improve the security of 
     19   systems, you have no choice but to release an 
     20   exploit because without doing that, the system will 
     21   remain vulnerable.
     22   BY MS. MILLER:
     23        Q.  You have no choice?
     24        A.  If you want to improve the security, you 
     25   have no choice.
                                                           64
               



      1        Q.  So if you want Microsoft to pay attention, 
      2   you have no choice but to exploit -- disseminate a 
      3   hacker tool that could exploit the security breach;  
      4   is that your testimony?
      5            MR. HERNSTADT:  Objection to form. 
      6            THE WITNESS:  Historically that has been 
      7   the case.
      8   BY MS. MILLER:
      9        Q.  And because -- again, I really am not 
     10   trying to put words in your mouth.  I'm just trying 
     11   to understand your answer because you made some 
     12   statements about a particular point of view  
     13   obviously that you hold about Microsoft.
     14            And based on that point of view about 
     15   Microsoft, if the security breach is found in a 
     16   Microsoft piece of software, then in your view 
     17   according to your testimony, it's acceptable to 
     18   disseminate a hacker tool that exploits that 
     19   vulnerability?
     20            MR. HERNSTADT:  Objection to the form of 
     21   the question and the lack of definition of the terms 
     22   used.
     23            If you can answer that, go ahead.
     24            THE WITNESS:  I believe as a researcher 
     25   wanting to improve the security of systems that 
                                                           65
               



      1   simply publishing an academic paper describing the 
      2   vulnerability in a Microsoft system will not result 
      3   in any improvement.  And the quickest way to improve 
      4   the security of the system is to release the tool 
      5   and to release the tool in a very public way so that 
      6   Microsoft has no choice but as a company to fix the 
      7   problem.
      8   BY MS. MILLER:
      9        Q.  I don't suppose you'd be surprised if 
     10   someone at Microsoft felt differently about that, 
     11   would you?
     12            MR. HERNSTADT:  Objection to the form of 
     13   the question.
     14            Go ahead.
     15            THE WITNESS:  Very few things surprise me 
     16   in this field.
     17   BY MS. MILLER:
     18        Q.  Fair enough.  Now, looking a couple 
     19   paragraphs down in the same essay, you say, "Here 
     20   are some examples of doing things right."  In the 
     21   first bullet point, I quote, "The University of 
     22   California-Berkeley researchers have broken just 
     23   about every digital cell phone algorithm.  They are 
     24   not profiting from these breaks.  They don't publish 
     25   software packages that can listen in on cell phone 
                                                           66
               



      1   calls.  That is research and good research."
      2            Now, when we talked earlier about your 
      3   activities in helping to analyze some of the
      4   encryption -- strike that -- flaws in some of the 
      5   encryption and security algorithms for digital cell 
      6   phone technologies, were you referring to this group 
      7   of University of California-Berkeley researchers?
      8        A.  Yes, I was.  
      9        Q.  Is that the project you were involved in?
     10        A.  A piece of it.  There are some different 
     11   cell phone security algorithms that this group has 
     12   successfully reverse engineered, analyzed and 
     13   published.  One particular algorithm I was involved 
     14   in the process.  There are several others that they 
     15   alone were involved in the process.
     16        Q.  Okay.  Now you made the statement in this 
     17   essay, "This is research and good research."  What 
     18   were you referring to when you drew the 
     19   conclusion -- excuse me -- about what "good 
     20   research" was?
     21            MR. HERNSTADT:  Objection to the form of 
     22   the question.
     23            THE WITNESS:  I was referring to the 
     24   cryptanalysis work done by the group in breaking the 
     25   algorithms.
                                                           67
               



      1   BY MS. MILLER:
      2        Q.  Not the fact that they didn't publish 
      3   software packages that can listen in on cell phone 
      4   calls?
      5            MR. HERNSTADT:  Objection.
      6            THE WITNESS:  No.  I was referring to the 
      7   research, and to me the research in this case was 
      8   the mathematical research on the algorithms.
      9   BY MS. MILLER:
     10        Q.  If the University of California at Berkeley 
     11   researchers had published software packages that 
     12   listened in -- that allowed a person to listen in on 
     13   cell phone calls, would that still in your opinion 
     14   have been good research?
     15            MR. HERNSTADT:  Objection to the form of 
     16   the question.
     17            THE WITNESS:  It would still have been good 
     18   research.  They would have done something additional 
     19   to that which I personally would question, but other 
     20   people would not.
     21   BY MS. MILLER:
     22        Q.  Okay.  But you personally would?
     23        A.  Yeah.  I would -- if they did that, I might 
     24   have called them and asked, why did you do this?  
     25   And they might have had an explanation, and I would 
                                                           68
               



      1   have said, I guess you're right.
      2            But I certainly would have thought twice if 
      3   I saw that, because in this particular case that 
      4   wasn't really part of the research. 
      5        Q.  I'd like to direct your attention now to 
      6   the fourth bullet point in that same list that says, 
      7   I quote, "Perfecto markets security against CGI 
      8   attacks."
      9            What is "CGI"?
     10        A.  I forget what it stands for.  CGI scripts 
     11   are those interactive bits of code on Web pages that 
     12   let you type things into forms and submit them, 
     13   allow you to type comments in, click on radio 
     14   buttons or other things that make Xs happen, things 
     15   that don't bring you to a new Web page but that put 
     16   little bits of interactivity onto a Web page.  I 
     17   think it's "computer graphics interface," but I 
     18   might be wrong as to what "CGI" stands for.
     19        Q.  I'm going to continue on reading that same 
     20   bullet point.  "Although they try to increase 
     21   awareness of the risks, they don't go around writing 
     22   new CGI exploits and publicizing them.  They point 
     23   to other CGI exploits done by hackers with no 
     24   affiliation to the company as examples of the 
     25   problem."
                                                           69
               



      1            Now, based on the point of view that you've 
      2   been testifying to, I assume that this would fall 
      3   into your category of good research; is that 
      4   correct?
      5            MR. HERNSTADT:  Objection to the form.  
      6   That misstates the testimony of the witness 
      7   significantly.
      8            If you can answer that, go ahead.
      9            THE WITNESS:  To me this is an example of 
     10   doing things right, as I said.  Again, if there were 
     11   no CGI exploits, Perfecto would have to release some 
     12   to demonstrate that the vulnerabilities they're 
     13   describing and fixing are real.  However, because 
     14   there are already CGI exploits that have been 
     15   published, that have been disseminated by the 
     16   underground community, Perfecto did not feel it 
     17   necessary to create new ones that didn't demonstrate 
     18   any new piece of research.
     19            If they learned a new piece of research, 
     20   they might feel -- and I might agree with them -- 
     21   that they should publish an exploit to demonstrate 
     22   this new piece of research.  But as long as they are 
     23   fixing old problems, writing new tools to 
     24   demonstrate the old problems doesn't seem to add 
     25   anything to the discussion.
                                                           70
               



      1   BY MS. MILLER:
      2        Q.  How are you using the word "exploits" 
      3   there?
      4        A.  It's a term of art in computer security.  
      5   An "exploit" is a program that makes use of a
      6   vulnerability to attack a system.  So it 
      7   demonstrates a vulnerability in a graphic way.
      8        Q.  Now looking at the last bullet point, you 
      9   say, "Steve Bellovin," B-e-l-l-o-v-i-n -- I hope I 
     10   pronounce his name correctly -- "at AT&T labs found 
     11   a serious hole in the Internet DNS system.  He 
     12   delayed publication of this vulnerability for years 
     13   because there was no readily available fix."
     14            Again, is this falling within your 
     15   definition of "good research"?
     16            MR. HERNSTADT:  Objection to the form of 
     17   the question.  I don't think there's been a 
     18   definition of "good research," but if you can answer 
     19   the question, go ahead.
     20            MS. MILLER:  Certainly not a definition 
     21   because I think the witness has already testified 
     22   that it's sort of a situational thing.  So I don't 
     23   mean to misstate your testimony when I say 
     24   "definition," but you've used the phrase and 
     25   characterized certain things and activities as good 
                                                           71
               



      1   research.  That's all I'm asking you about.
      2            MR. HERNSTADT:  Are you referring to the 
      3   words where it says -- 
      4            THE WITNESS:  "Doing things right."
      5            MR. HERNSTADT:  -- "doing things right" up 
      6   top?
      7            THE WITNESS:  This is good research.  
      8   Additionally the research is finding the hole.  The 
      9   delaying publication is a decision independent of 
     10   the research, and Steve in this case made a decision 
     11   not to publish but to keep the vulnerability quiet 
     12   until the Internet was able to deal with some of the
     13   problems he found.  That was his personal decision.
     14            Other researchers would have probably made 
     15   different decisions.  And in some ways it's good 
     16   that he did it, and in some ways it's bad that he 
     17   did it.  That's probably the toughest example of the 
     18   five listed.  That's the least obvious of the five 
     19   examples listed.
     20   BY MS. MILLER:
     21        Q.  Now, when you say that "he delayed 
     22   publication of this vulnerability for years because 
     23   there was no readily available fix," in your mind is 
     24   that one of the factors that should be considered in 
     25   determining whether or not this is a responsible or 
                                                           72
               



      1   a right thing to do in terms of publicizing the 
      2   vulnerability that you've been able to identify?
      3            MR. HERNSTADT:  Objection to the form.
      4            THE WITNESS:  My personal opinion is that 
      5   whether a fix is possible and how easy it is and 
      6   how expensive it is is one of the many factors that 
      7   I would take into account before publishing.
      8   BY MS. MILLER:
      9        Q.  Okay.  Now, a couple more paragraphs down 
     10   in this same essay -- I'd like to direct your 
     11   attention to actually three paragraphs down from the 
     12   list of bullet points that we've just been referring 
     13   to.  That starts, "And look at how it is released.  
     14   The nCipher" -- lower case N, capital C-i-p-h-e-r -- 
     15   "release included a hacker tool.  As the New York 
     16   Times pointed out, 'thus making e-commerce sites 
     17   more vulnerable to attack and more likely to buy 
     18   nCipher's products.'  Announcements packaged with 
     19   hacker tools are more likely to be part of the 
     20   problem than part of the solution."
     21            Do you see the sentences that I've just 
     22   read to you, Mr. Schneier?
     23        A.  I do.
     24        Q.  Now I understand you've previously 
     25   testified that nCipher I believe indicated to you 
                                                           73
               



      1   that they in fact did not publish a hacker tool.  I 
      2   understand that aspect of your prior testimony.  But 
      3   you seem to express an opinion at the end of these 
      4   last couple of sentences that "announcements 
      5   packaged with hacker tools are more likely to be 
      6   part of the problem than part of the solution."  
      7   What "problem" were you referring to?
      8        A.  In the essay I'm talking about the problem 
      9   of bad computer security and whether a particular 
     10   release of information of tools increases the 
     11   problem of bad security or helps solve the problem 
     12   of bad security by making security better.
     13            In that sentence I said that tools -- if 
     14   something is released with a tool, it is more 
     15   likely, although -- I mean that it is more likely to 
     16   be part of the problem.  So it's more likely to 
     17   result in bad security -- it's more likely to be a 
     18   release that exacerbates the security problems than 
     19   a release that will fix it.  Certainly it's not cut 
     20   and dried.  This is just one of the many things you
     21   can look at in trying to figure out whether 
     22   something was good or bad.  That's probably too 
     23   strong a word for it.
     24        Q.  I know.  I understand.  I appreciate this
     25   is a gray area that we're talking about.  That's all 
                                                           74
               



      1   I have at this time for this document. 
      2            Now Mr. Schneier, have you personally ever 
      3   notified the provider or the developer of a security 
      4   system that you're interested in researching before 
      5   engaging in that research?
      6        A.  I have not.  The only possible exception is 
      7   when I was hired as a consultant to research a 
      8   system in which case they would know that I was 
      9   doing it.
     10        Q.  Because they hired you?
     11        A.  But it would be under contract.  If as an 
     12   academic I engaged in research, I have never 
     13   notified an organization or a company first.
     14        Q.  Have you personally after engaging in 
     15   encryption research ever notified the organization 
     16   whose security system you were testing before 
     17   disseminating the results of your findings?
     18        A.  I don't remember.  I believe when I 
     19   published an analysis of Microsoft PPTP, which 
     20   stands for point-to-point tunneling protocol, I sent 
     21   a copy of my draft paper to some colleagues at 
     22   Microsoft before publishing, although this is my 
     23   best recollection.
     24        Q.  How long ago would that have been that you 
     25   engaged in this research on Microsoft PPTP?
                                                           75
               



      1        A.  I do not remember, but the paper is dated 
      2   on my Web site.
      3        Q.  That paper is also on your Web site?
      4        A.  Everything is on my Web site.
      5        Q.  Why did you send a copy of your draft 
      6   paper to your colleagues at Microsoft?
      7        A.  Professional courtesy.  I was afraid that 
      8   when the paper was released they would be asked by 
      9   their superiors to explain what was going on, and I 
     10   wanted to give them the opportunity to read what I 
     11   had written and have a little time to think about 
     12   what a response would be.
     13        Q.  Is that only because you knew these people 
     14   personally?
     15        A.  Yes, that's true.
     16        Q.  So if you didn't have this personal 
     17   relationship with the people at Microsoft that you 
     18   sent the draft to, you wouldn't have bothered to 
     19   send the draft of your research results?
     20        A.  I probably would not have.
     21        Q.  Why not?
     22        A.  Because the only benefit that that would 
     23   have served was to allow the Microsoft PR machine to 
     24   basically spread propaganda about the results before 
     25   they were released.  It would have not helped the 
                                                           76
               



      1   program.  It would have made it worse.
      2        Q.  How do you know that?
      3        A.  It's been the historical -- historically 
      4   that's what Microsoft does.
      5        Q.  What about other companies whose security 
      6   systems you've researched that maybe don't have that 
      7   same historical response as Microsoft?
      8        A.  One example that comes to mind is the 
      9   Digital Cellular Consortium, and we did not alert 
     10   them.
     11        Q.  Was there a conscious decision not to alert 
     12   them?
     13        A.  I don't know.  I don't remember if it was 
     14   actually discussed.  So I don't recall if it was a 
     15   conscious or unconscious decision.
     16        Q.  You don't recall any discussions amongst 
     17   the research group about whether or not the Digital 
     18   Cellular Consortium should be notified?
     19            MR. HERNSTADT:  Objection to form.
     20            THE WITNESS:  I don't recall.
     21   BY MS. MILLER:
     22        Q.  But in your mind as a participant in that
     23   activity, you didn't find -- strike that -- you 
     24   didn't think that there was any issue involved in 
     25   not notifying the Digital Cellular Consortium before 
                                                           77
               



      1   publishing the results of the research?
      2            MR. HERNSTADT:  Objection to form. 
      3            THE WITNESS:  Certainly there are issues, 
      4   but we felt that the greater good would have been 
      5   served by publishing and that there was no benefit 
      6   to alerting the cell phone manufacturers.
      7   BY MS. MILLER:
      8        Q.  When in your mind would there be a benefit 
      9   to alerting a particular corporation whose security 
     10   systems you've been involved in testing?
     11        A.  An example is if a flaw is found in a 
     12   browser that as a researcher you might go to the 
     13   company -- let's say Netscape -- and say, we found 
     14   this flaw.  This is it.  This is how it works.  
     15   We're going to be releasing our findings in two 
     16   weeks.  Wouldn't it be nice if at the same time you 
     17   could release an updated version of the browser.  
     18   And there's an example where the researcher and the 
     19   company affected could work in concert.
     20        Q.  But in the example that you just cited -- 
     21   strike that.
     22            Are there any other examples that you can 
     23   cite apart from the one you just gave us?
     24        A.  Probably, but none come to mind right now.
     25        Q.  Okay.  So if I understand your answer, it 
                                                           78
               



      1   would be beneficial to notify the company whose 
      2   security systems were being tested if in the mind of 
      3   the researcher the researcher thought that the 
      4   company and researchers could come to some sort of 
      5   an accord on how to fix the problem?
      6            MR. HERNSTADT:  Objection to the form.  I 
      7   think that misstates the testimony.
      8            You can answer.  If you can, go ahead.
      9            THE WITNESS:  That's one of the things to 
     10   consider.  Will the vendor mischaracterize the 
     11   research?  Will the vendor work with the researcher 
     12   to fix the problem?  Are there any political agendas 
     13   that the vendors might have?
     14            There are examples where security systems
     15   have been deliberately weakened because of   
     16   government intervention.  Those are examples where 
     17   dealing with the vendor beforehand wouldn't make any 
     18   sense because in some ways the vendor was a pawn 
     19   also.  So that's one of the considerations.  There 
     20   are certainly many of them.
     21   BY MS. MILLER:
     22        Q.  By a "pawn," you mean a pawn of the 
     23   government?
     24        A.  "Pawn" is probably too strong a word.  But 
     25   they were influenced by the government possibly to 
                                                           79
               



      1   deliberately weaken their systems.  This has 
      2   occurred many times in security.
      3        Q.  Again, I don't mean to misstate what you 
      4   just said, but I want to have a better understanding 
      5   of your point of view.  But as I interpret what you 
      6   just said, it sounds like a lot of the consideration 
      7   depends on the vendor that's involved from the 
      8   researcher's point of view.
      9            MR. HERNSTADT:  Objection to the form.  I 
     10   don't think that accurately states the testimony.
     11            THE WITNESS:  Some of it does.  I'm 
     12   hesitant to define percentages of what refers to 
     13   what, but certainly that's one of the 
     14   considerations.
     15   BY MS. MILLER:
     16        Q.  Okay.  Now, in your point of view, if there 
     17   were a law that required a cryptographer to notify 
     18   the owner or the provider of a particular security 
     19   system that they were engaged in encryption research 
     20   concerning, would you think that that would restrict 
     21   your ability to engage in such research?
     22        A.  I think it would restrict it in a very 
     23   large way.
     24        Q.  How so?
     25        A.  A number of reasons.  One, it presumes that 
                                                           80
               



      1   the cryptographer knows who to contact.  For 
      2   example, a cryptographer might research an 
      3   encryption algorithm, Blowfish, which is an
      4   algorithm I wrote.  And I know that Blowfish is in 
      5   over a hundred products, and I know there are 
      6   products that I don't know about that Blowfish is 
      7   in.  So if a cryptographer wanted to research 
      8   Blowfish, it would be impossible for him to notify 
      9   them all because he just wouldn't know who to 
     10   notify. 
     11            In any real system, the company researched, 
     12   being researched, might say no, might not give him 
     13   permission.  And that would mean that he would not 
     14   be able to do the research, which means we would not 
     15   learn about the system, we would not learn about its 
     16   weaknesses, and we would not be able to build better 
     17   systems because of it.
     18            So putting the burden on the cryptographer 
     19   to get permission is, one, something he can't do 
     20   and, two, likely to stifle research because 
     21   permission might not be forthcoming especially in 
     22   examples where there are many companies using the 
     23   same type of cryptography, and they need permission 
     24   from everybody.
     25            MS. MILLER:  Take one minute.  Allow the 
                                                           81
               



      1   videographer to change the tape.
      2            THE VIDEOGRAPHER:  This is the end of Tape 
      3   No. 1 in the deposition of Bruce Schneier.  We're 
      4   going off the record.  The time is 12:42. 
      5            (Break taken.) 
      6            (Record read.)
      7            THE VIDEOGRAPHER:  This is the beginning of 
      8   Tape No. 2, Volume 1 in the deposition of Bruce 
      9   Schneier.  We're going back on the record.  The time 
     10   is 12:54.  You may proceed.
     11   BY MS. MILLER:
     12        Q.  Now, Mr. Schneier, in your last answer you 
     13   expressed a point of view about requiring 
     14   cryptographers to seek permission before engaging in 
     15   cryptographic research and how that might inhibit 
     16   that research.  Do you feel that the owner of a 
     17   security system has the right to grant permission to 
     18   someone who might be interested in researching that 
     19   system?
     20            MR. HERNSTADT:  Objection to the form of 
     21   question and insofar as it calls for a legal 
     22   conclusion.
     23            THE WITNESS:  Speaking morally and not 
     24   legally, I don't know what the law says, but I 
     25   believe personally the answer is no.
                                                           82
               



      1   BY MS. MILLER:
      2        Q.  So a person that puts a particular security 
      3   system in place to protect their copyright content 
      4   shouldn't have any right to have people come to them 
      5   and ask permission before engaging in encryption 
      6   research or perhaps disseminating the results of 
      7   that research to the extent that it might allow 
      8   people to exploit vulnerabilities in that security 
      9   system?
     10            MR. HERNSTADT:  Objection to the form of 
     11   the question.  It's compound.  It also is 
     12   argumentative, and it's difficult.
     13            MS. MILLER:  That's what "objection to 
     14   form" means.
     15            THE WITNESS:  Again, personally and not 
     16   legally, I believe the answer is either no or yes 
     17   depending on which one was -- does not have to ask 
     18   permission.  I just forgot the question in all the 
     19   objecting.
     20            MS. MILLER:  Could we read back the 
     21   question so the witness can understand.
     22            (Record read.)
     23            THE WITNESS:  Yes.
     24            MR. HERNSTADT:  I have to object also that 
     25   it's unintelligible.  
                                                           83
               



      1            THE WITNESS:  Yes.  Again, morally and 
      2   ethically, personally and not legally, I believe 
      3   someone who fields a security system is putting it 
      4   out in public and at that point does not maintain 
      5   any control over who analyzes it, that in fact 
      6   someone can analyze it without asking permission or 
      7   asking permission before analyzing or releasing 
      8   information as a result of that analysis.
      9            (Interruption in proceedings.)
     10            THE VIDEOGRAPHER:  We're going off the 
     11   record.  The time is 12:57.
     12            (Brief recess is taken.)
     13            THE VIDEOGRAPHER:  We're back on the 
     14   record.  The time is 1:02.  You may proceed.
     15   BY MS. MILLER:
     16        Q.  Now Mr. Schneier, do you know when --
     17            MS. MILLER:  First of all, let's do this.  
     18   Mr. Hernstadt, I believe a colleague of yours has 
     19   just joined the deposition.
     20            MR. HERNSTADT:  Yeah.
     21            MS. MILLER:  Could he please make an 
     22   appearance or identify himself for the record.
     23            MR. LEVY:  Sure.  This is Allonn Levy from 
     24   the firm of Huber Samuelson.  I think the court 
     25   reporter has my card already.
                                                           84
               



      1            MS. MILLER:  Mr. Levy, have you already
      2   been admitted pro hac vice as an attorney in this 
      3   lawsuit?
      4            MR. LEVY:  Yes, I believe so in the 
      5   original hearing.
      6            MS. MILLER:  Thank you.
      7   BY MS. MILLER:
      8        Q.  Mr. Schneier, do you know when the CSS, the 
      9   content scrambling system, was first developed?
     10        A.  I do not.
     11        Q.  In the reading that you did in preparing 
     12   the essay, the November 15th essay, that you've 
     13   testified about that was the precursor to your 
     14   declaration that you filed in this case, did any of 
     15   the documents that you read in preparing that essay, 
     16   did any of them indicate when the content scrambling 
     17   system was developed?
     18        A.  It's certainly possible.
     19        Q.  But you have no recollection from that 
     20   reading when it was developed?
     21        A.  I do not.
     22        Q.  Do you have any idea when DVDs were first 
     23   introduced into the United States marketplace?
     24        A.  I have some idea, but I couldn't give you a 
     25   year.
                                                           85
               



      1        Q.  Okay.  If I were to represent to you that 
      2   the content scrambling system was developed 
      3   somewhere around the late '90s, approximately 1996, 
      4   would you have an objection to working off of that 
      5   time frame for purposes of further questioning?
      6        A.  No.  That's certainly plausible.
      7        Q.  Do you have any knowledge of United States 
      8   export guidelines concerning encryption 
      9   technologies?
     10        A.  I do.
     11        Q.  How is that knowledge derived?  
     12        A.  From reading, reading and conversation.
     13        Q.  What, if you could tell me, have you read 
     14   to gain understanding that you have today about U.S. 
     15   export guidelines on encryption technologies?
     16        A.  Everything that I saw on the topic.
     17        Q.  Can you give us specific examples?
     18        A.  No.
     19        Q.  Journals?  Web pages?
     20        A.  Journals, Web pages, articles, speeches, 
     21   books, magazine articles.
     22        Q.  Have you ever looked at the law yourself, 
     23   the guidelines?
     24        A.  Yes, I have.
     25        Q.  And do you remember the citation for any of 
                                                           86
               



      1   the guidelines that you looked at?  Was it actually 
      2   the statute itself or the implementation guidelines?
      3        A.  Probably both.  Parts of the statute were 
      4   reprinted in one of my books, so I could go there 
      5   and tell you exactly what I read because I could 
      6   tell you exactly what I reprinted.
      7        Q.  Which book would that be?
      8        A.  Applied Cryptography.
      9        Q.  When was Applied Cryptography published?
     10        A.  The first edition was published in 
     11   November -- sorry -- in October of 1993.  And the 
     12   second edition was published in October of 1995.  
     13   You'll find that the copyright dates of the books
     14   don't match that.  That's because publishers often 
     15   play fast and loose with copyright dates.
     16        Q.  Fair enough.  And at the time of the 
     17   publication of the first and second editions of 
     18   Applied Cryptography, did you reprint the export 
     19   guidelines in both the editions?
     20        A.  I do not remember.  I know they're in the 
     21   second edition.  I don't know if they're in the 
     22   first edition.
     23        Q.  And in 1995, the publication date of the 
     24   second edition, that actually reprints a current -- 
     25   or then current version of the export regulations as 
                                                           87
               



      1   you understood them?
      2            MR. HERNSTADT:  Objection to form.
      3            THE WITNESS:  As I understood them at the 
      4   time, yes.
      5            MR. HERNSTADT:  You might want to 
      6   establish when the book was actually published.
      7            MS. MILLER:  I thought we already did.
      8   BY MS. MILLER:
      9        Q.  Did you answer my question when the book 
     10   was actually published?  
     11        A.  I think so.
     12        Q.  I thought so too.  Thank you.
     13            MR. HERNSTADT:  I thought you said the 
     14   dates weren't -- 
     15            MS. MILLER:  Wake up, Ed.  Let's move on.
     16   BY MS. MILLER:
     17        Q.  The book -- second edition of the book to 
     18   your understanding was published in 1995?
     19        A.  In October of '95, even though the 
     20   copyright date says 1996.
     21            MR. HERNSTADT:  I got it the other way 
     22   around.  Sorry.
     23   BY MS. MILLER:
     24        Q.  Now in 1995 when the second edition of 
     25   Applied Cryptography was published, do you recall if 
                                                           88
               



      1   there were any limitations on the length of 
      2   encryption keys that were imposed by the U.S. export 
      3   guidelines?
      4        A.  Export guidelines did impose -- the export 
      5   guidelines themselves didn't impose limits.
      6        Q.  Did not?
      7        A.  Did not impose limits.  There were 
      8   effective limits really based on hearsay and things 
      9   that had been granted export versus things that had 
     10   not been granted export.
     11            At that time encryption algorithms with a 
     12   key length of less than 40 bits were allowed 
     13   exports.  And encryption algorithms with key lengths 
     14   greater than 40 bits were not except for some 
     15   special circumstances.
     16        Q.  And do you have an understanding of what 
     17   those special circumstances were?
     18        A.  "Understanding" is a bad word because the 
     19   government went out of its way to make sure people 
     20   did not understand the rules.
     21        Q.  Do you have any knowledge about what 
     22   those -- 
     23        A.  In general if you were to design your 
     24   algorithm so badly that the key length was 
     25   irrelevant, you would be allowed to export things 
                                                           89
               



      1   with a greater key length.  But as I said, these 
      2   rules were not well defined.  They were not 
      3   codified.  They were not written down.  You 
      4   basically had to submit something and hope for the 
      5   best.  So people tended to err on the side of making 
      6   systems lousy.
      7        Q.  Mr. Schneier, in your opinion as a 
      8   cryptographer, is it possible to design an 
      9   uncrackable encryption methodology?
     10            MR. HERNSTADT:  Objection to form.
     11            THE WITNESS:  Defining "uncrackable" as 
     12   beyond the limits of our understanding of 
     13   mathematics, yes.
     14   BY MS. MILLER:
     15        Q.  Has any such system been designed to your 
     16   knowledge?
     17        A.  There are many systems in use today that 
     18   are believed to be uncrackable.  Unfortunately in 
     19   cryptography you can't make mathematically --  
     20   mathematical statements that this is unbreakable.  
     21   But you can say that with our present understanding 
     22   of mathematics, this is unbreakable.  And there are 
     23   many algorithms of which the latter holds true.
     24        Q.  Is it fair to say that it's more 
     25   probabilistic?  You can express an opinion that it's 
                                                           90
               



      1   more probably able to be cracked or less probably 
      2   able to be cracked given our current understanding 
      3   of mathematics?
      4        A.  "Probabilistic" is also a tough term.
      5            MR. HERNSTADT:  Objection to form.
      6            THE WITNESS:  "Probabilistic" is also a 
      7   tough term because it's a term of art in 
      8   cryptography.
      9   BY MS. MILLER:
     10        Q.  I see.
     11        A.  Really what you can say is that a 
     12   particular algorithm cannot be broken by any method 
     13   we know, nor do we have any road map that might get 
     14   to a method that would break the algorithm.  Of 
     15   course, you could end up being wrong, but 
     16   cryptographers often have a pretty good idea of what 
     17   is and isn't breakable.
     18        Q.  Do you have any understanding of what's 
     19   considered -- or is there currently a standard for 
     20   key lengths for encrypted data over the Internet?
     21            MR. HERNSTADT:  Objection to form.
     22            THE WITNESS:  There's no standard.  There 
     23   are a bunch of guidelines.  In 1997 I believe a 
     24   group of about nine or ten very respected 
     25   cryptographers, myself included, wrote a paper which 
                                                           91
               



      1   talked about minimal key lengths for commercial 
      2   security and looked at different key lengths and 
      3   forward in the years as to what would be minimal 
      4   security that's required.
      5            On the Internet today, the standard 
      6   algorithm -- "standard" is a bad word.  The most 
      7   commonly trusted algorithm is a -- something called 
      8   triple DES which has a 112-bit key.  The government 
      9   right now, the National Institute of Standards and 
     10   Technologies, or NIST, is proposing a new encryption 
     11   standard, and that will have key lengths of 112 
     12   bits, 192 bits and 256 bits.
     13            Single DES, which is 56 bit long, is used 
     14   in some very low-security applications, but everyone 
     15   knows that a key length of 56 bits is just not long 
     16   enough to be any good for most applications.
     17   BY MS. MILLER:
     18        Q.  Known not to be any good for most 
     19   applications in terms of what?  What's the basis for 
     20   that statement that you just made?
     21        A.  The easiest way to break an algorithm is to 
     22   try every possible key.
     23        Q.  That's what's called a brute force attack?
     24        A.  Yes.  A brute force attack can be 
     25   implemented against any algorithm regardless of the 
                                                           92
               



      1   math, regardless of how complicated it is just by 
      2   trying every possible key.  It's always possible.  
      3   It always works.  The question you ask is, how long 
      4   does that take?  How long would it take a computer 
      5   to try every possible key?
      6            And a 56-bit key as of a few years ago is 
      7   commonly known to be possible to break.  There was a 
      8   very public break against DES which used hardware 
      9   that broke a 56-bit key in I think under a day.  
     10   There have been distributed attacks on the Internet 
     11   that have broken a 56-bit key over the course of 
     12   days.  And of course these numbers are getting 
     13   faster as computer power increases.
     14        Q.  And what was the processing power of that 
     15   computer that you just testified to where it was 
     16   publicized that it broke DES in under a day?
     17        A.  I don't remember.  Going back to 
     18   Crypto-Gram, there was an essay that goes into all 
     19   the details of processing.
     20        Q.  What time frame did that occur?
     21        A.  I don't remember.  Look in the index of 
     22   back issues.
     23        Q.  Was it a year ago?  More than a year ago?
     24        A.  I believe it was two years ago that I wrote 
     25   about it.
                                                           93
               



      1        Q.  I'd like to now turn to your declaration, 
      2   Mr. Schneier.  Now, on page 2 of your declaration -- 
      3   the pages are actually not numbered, but let's look 
      4   at paragraph 2, appears on the second page.  You 
      5   state, I quote, "The entertainment industry knew 
      6   even as it implemented it that the security system 
      7   created to protect DVDs would be broken."
      8            What is the basis for you making that 
      9   statement?
     10        A.  The system is so robustly and profoundly 
     11   bad that it's inconceivable to me that an engineer 
     12   could have designed it without knowing that it was 
     13   flawed.
     14        Q.  So that's just an assumption on your part 
     15   based on the, as you said, the "robustly and 
     16   profoundly bad" system that was put into place?  In 
     17   other words, you didn't speak to anyone within the 
     18   entertainment industry to actually ascertain that 
     19   they knew the security system put in place to 
     20   protect DVDs would be broken?
     21            MR. HERNSTADT:  Which question do you want 
     22   him to answer?
     23            MS. MILLER:  The latter one.
     24            MR. HERNSTADT:  No objection to that 
     25   question.
                                                           94
               



      1            THE WITNESS:  No, I did not talk to 
      2   anybody.  It's like if you see a screen door on a 
      3   submarine, you don't need to ask whether the 
      4   engineers understood that the submarine would sink.  
      5   It just seems sort of obvious.
      6   BY MS. MILLER:
      7        Q.  That the engineers who put a screen door on 
      8   a submarine would know that the submarine would 
      9   sink?
     10        A.  It's just inconceivable to me that someone 
     11   could make -- that would be an honest mistake.
     12        Q.  Again, just to be clear, when you say the 
     13   industry -- "entertainment industry knew," you never 
     14   had any conversations with anybody in the 
     15   entertainment industry that actually confirmed that 
     16   statement?
     17        A.  I did not.
     18            MR. HERNSTADT:  Asked and answered.
     19            THE WITNESS:  I did not.
     20   BY MS. MILLER:
     21        Q.  Going on to paragraph 2 you say that, 
     22   "They" -- I assume that the "they" refers back to 
     23   the entertainment industry -- "expected the Internet 
     24   to be used to distribute programs that assist 
     25   skilled consumers to remove the copy protection on 
                                                           95
               



      1   DVDs."  Let's stop there.
      2            What is the basis for making that 
      3   statement, Mr. Schneier?
      4        A.  Again, it was my analysis of the system,  
      5   my analysis of the security properties of DVD and 
      6   digital content and what's inevitable for digital 
      7   communication systems.
      8        Q.  Okay.  But that's not exactly the question 
      9   that I'm asking you.
     10        A.  Try again.
     11        Q.  You indicated that the entertainment 
     12   industry knew that the Internet would be "used to 
     13   distribute programs that assist skilled consumers to 
     14   remove the copy protection on DVDs."  I'm asking you 
     15   how you knew that the entertainment industry 
     16   expected the Internet to be used to distribute these 
     17   programs.
     18            MR. HERNSTADT:  Objection.  Asked and 
     19   answered.
     20            THE WITNESS:  It seemed obvious to me based 
     21   on the way the system worked.
     22   BY MS. MILLER:
     23        Q.  It seemed obvious to you that the 
     24   entertainment industry expected the Internet to be 
     25   used to distribute programs such as DeCSS?
                                                           96
               



      1        A.  Yes.  This has been something I have been 
      2   saying for years that this would happen.  It's 
      3   inconceivable to me that the entertainment industry 
      4   could be that blind to the inevitability of this.
      5        Q.  You've been saying this for years?
      6        A.  Yes, that digital content will be 
      7   distributed on the Net, that programs that will 
      8   defeat any copy protection scheme that could be 
      9   designed will be made available, that it is 
     10   impossible to fix this problem through content 
     11   protection.
     12        Q.  Just because you've been saying that for 
     13   years doesn't necessarily mean that the 
     14   entertainment industry expected the Internet to be 
     15   used to distribute programs such as DeCSS, correct?
     16            MR. HERNSTADT:  Objection.  That's 
     17   argumentative.
     18            If you can answer it, go ahead.
     19            THE WITNESS:  I'm really giving them the 
     20   benefit of the doubt.  I'm assuming that they're not 
     21   stupid.  I suppose it is possible that they were 
     22   really, really, really dumb.  It seems 
     23   extraordinarily unlikely.
     24   BY MS. MILLER:
     25        Q.  Continuing on, I'll restate that or again 
                                                           97
               



      1   quote from paragraph 2.  You said, "They expected 
      2   the Internet to be used to distribute programs that 
      3   assist skilled consumers to remove the copy 
      4   protection on DVDs and play and edit and (with great 
      5   difficulty) copy them."
      6            What do you mean by "with great difficulty 
      7   copy them"?
      8            MR. HERNSTADT:  Objection to form.  It says 
      9   what it says.
     10            THE WITNESS:  There's a lot of difficulties 
     11   associated with copying DVDs simply because of the 
     12   availability of DVD writers.  They're not common.  
     13   DVD has a lot of data which is difficult to 
     14   transport and store, so any intermediate form 
     15   makes -- is difficult to deal with.
     16            So copying DVDs irrespective of any copy 
     17   protection is something difficult to do because it 
     18   requires specialized tools and hardware and 
     19   software.  It's not something -- for example, my 
     20   computer at home, I do not have enough storage to 
     21   copy a DVD. 
     22   BY MS. MILLER:
     23        Q.  How much storage do you have on your 
     24   computer at home?
     25        A.  I don't know, but less than 4 point 
                                                           98
               



      1   something gigabytes which is what a DVD is.
      2        Q.  And -- strike that.
      3            Do you have any idea what standard home 
      4   computer packages that are available in the consumer 
      5   marketplace are being shipped with in terms of hard 
      6   drive storage space?
      7            MR. HERNSTADT:  Objection to the question.
      8            If you have any idea, go ahead.
      9            THE WITNESS:  I don't, but I'm sure I can 
     10   pull any magazine off the shelf at a bookstore and 
     11   find out.
     12            MR. HERNSTADT:  Mr. Schneier is not being 
     13   presented for anything remotely like that.
     14   BY MS. MILLER:
     15        Q.  Would it surprise you to learn that a 
     16   consumer can purchase, for example, from Dell 
     17   Computers a fairly low-end personal computer system 
     18   with a 20-gigabyte hard drive?
     19            MR. HERNSTADT:  Objection to the form of 
     20   the question.
     21            THE WITNESS:  It would not surprise me.
     22   BY MS. MILLER:
     23        Q.  Okay.  You've already testified that you've 
     24   never used the DeCSS utility; is that correct?
     25        A.  That is correct.
                                                           99
               



      1        Q.  So have you heard from anyone whether or 
      2   not it's difficult to use DeCSS to copy movie files?
      3        A.  I have not.
      4            MR. HERNSTADT:  Objection to the form of 
      5   the question insofar as "difficult" is referring 
      6   back to a prior question.
      7            Go ahead.
      8            THE WITNESS:  I have not.
      9   BY MS. MILLER:
     10        Q.  I'd like for you now to look at paragraph 6
     11   of your declaration, Mr. Schneier.  In the second 
     12   sentence of paragraph 6 you state, "Instead, DVD 
     13   software manufacturers were supposed to disguise the 
     14   decryption program and possibly the playing program 
     15   using some sort of software obfuscation techniques."
     16            Do you see the sentence that I just read?
     17        A.  I do.
     18        Q.  What's the basis for you making this 
     19   statement that DVD software manufacturers are 
     20   supposed to disguise decryption programs?
     21            MR. HERNSTADT:  Asked and answered.  Go 
     22   ahead.  
     23            THE WITNESS:  That was based on my reading 
     24   of the -- of information about CSS and DeCSS and my 
     25   perusing of the various Web pages and writings on 
                                                           100
               



      1   the topic, that the different software players all 
      2   used obfuscation techniques to try to disguise the 
      3   working algorithm to make reverse engineering 
      4   harder.
      5   BY MS. MILLER:
      6        Q.  Can you tell me what specific documents you 
      7   read to gain that understanding?
      8        A.  I cannot.  I would start with the ones at 
      9   the bottom of the essay and work from there.
     10        Q.  The November 15th essay --
     11        A.  Yes.
     12        Q.  -- that we talked about?  Now are you aware 
     13   of any efforts by anyone to reverse engineer a 
     14   software-based DVD player prior to the development 
     15   of DeCSS to ascertain the CSS encryption algorithm?
     16            MR. HERNSTADT:  Object to the form.  I 
     17   think that's unintelligible.
     18            THE WITNESS:  Personally I am not.
     19   BY MS. MILLER:
     20        Q.  You understood my question, didn't you 
     21   Mr. Schneier?
     22        A.  I hope so.
     23        Q.  The next sentence you indicate, "This is a 
     24   technique that has never worked:  There is simply no 
     25   way to obfuscate software because it has to be on 
                                                           101
               



      1   the computer somewhere and is thus accessible to 
      2   researchers, people engaged in reverse engineering 
      3   and the like."
      4            Do you have any idea of how the DeCSS 
      5   utility was developed?
      6        A.  I do not.
      7        Q.  And what is the basis of the statement that 
      8   you've made in paragraph 6 in that last sentence 
      9   that there's "simply no way to obfuscate software"?
     10        A.  It's a mathematical truth.
     11        Q.  Based on what principles?
     12        A.  Mathematics, logic, computer architecture.  
     13   It's not a problem that can be solved.
     14        Q.  What's not a problem that can be solved?
     15        A.  The problem of obfuscating software such 
     16   that someone cannot reverse engineer it.  You might 
     17   be able to make it harder, but you cannot stop it.
     18        Q.  But it is possible to make it harder 
     19   through obfuscation to reverse engineer software?
     20        A.  It's possible to make it more difficult, 
     21   but there's a limit after which you can't make it 
     22   any more difficult, and that limit is still the 
     23   limit where it's possible to reverse engineer it.
     24        Q.  Okay.  But again, just to make sure I 
     25   completely understand your answer, are these the 
                                                           102
               



      1   same principles that you testified to earlier that 
      2   say, for example, in a brute force attack that as 
      3   long as you throw enough processing power at a 
      4   problem in attempting to reverse engineer something, 
      5   eventually depending on how long, you'll eventually 
      6   be able to break it or get to the solution?
      7            MR. HERNSTADT:  Object to the form of the 
      8   question.  I don't understand the question at all.  
      9   Would you read it back please.
     10            (Record read.)
     11            MR. HERNSTADT:  What "principles" are you 
     12   referring to? 
     13            MS. MILLER:  The mathematical principles 
     14   that Mr. Schneier testified to earlier that go into 
     15   a brute force attack.
     16            MR. HERNSTADT:  Okay.
     17            MS. MILLER:  For example, in trying to 
     18   crack an encryption algorithm.
     19            THE WITNESS:  No, they're completely 
     20   different.  The brute force attack principles are 
     21   based on the blind and mechanistic trying of every 
     22   possible key.  In this case, this is not something 
     23   based on a time-consuming computer run of trying 
     24   possibilities until you find the right one.
     25   BY MS. MILLER:
                                                           103
               



      1        Q.  That's what I want to understand.
      2        A.  No, it's completely different.
      3        Q.  Could you explain what it's based on.
      4        A.  In a computer, the code, the object code, 
      5   must be intelligible to the processor.  Otherwise it 
      6   can't actually run.  So by definition, any 
      7   obfuscation technique will through the course of 
      8   running the software be unobfuscated because 
      9   otherwise the software could not run on the machine. 
     10   At that point after the software has been 
     11   unobfuscated, a researcher or reverse engineer can 
     12   intercept the stream.
     13        Q.  I see what you're saying.
     14        A.  So it has nothing to do with a brute force 
     15   attack.  It's a more -- it's real time, and it's 
     16   based on the inevitability of the processor needing 
     17   to deal with the raw information.
     18        Q.  So basically just analyzing the strings of 
     19   zeroes and ones that happen to be in the computer 
     20   register at that point in time and determining 
     21   exactly what software steps the computer is 
     22   executing?
     23        A.  Yes.
     24        Q.  I understand.  Based on this testimony, is 
     25   it your understanding that it's only through this 
                                                           104
               



      1   process that a software engineer then would be able 
      2   to understand once the software has been, if you 
      3   will, unobfuscated for purposes of having it run on 
      4   the machine, that they'll be able to intercept that 
      5   stream and understand what's going on with the 
      6   software?
      7            MR. HERNSTADT:  Object to form.
      8            THE WITNESS:  No, that's not the only way.  
      9   That's just a way that always works and cannot be 
     10   stopped.  You can certainly analyze the obfuscated 
     11   stream and understand the obfuscation techniques and 
     12   sort of reverse engineer it that way.
     13   BY MS. MILLER:
     14        Q.  Okay.
     15        A.  It's possible to build a system that 
     16   automatically unobfuscates code; again, after 
     17   understanding the techniques.
     18        Q.  Okay.
     19        A.  So I just used the example of looking at 
     20   the code after it's been unobfuscated as proof that 
     21   it's impossible to do it and that always works, but 
     22   there are certainly other ways.
     23        Q.  Again, to make sure I clarify.  I don't 
     24   want to interrupt your answer.  But that's as the 
     25   code is being executed by the machine in the first 
                                                           105
               



      1   example that you gave?
      2            MR. HERNSTADT:  Objection to the form.  
      3   That misstates the testimony.
      4            THE WITNESS:  Yes.  If you were going to do 
      5   this methodology that always works, which is looking 
      6   at the code as it's being read by the processor, 
      7   that would be during execution of a legitimate 
      8   program. 
      9   BY MS. MILLER:
     10        Q.  Okay. 
     11        A.  But there are ways to reverse engineer a 
     12   code and obfuscation techniques that don't involve 
     13   doing that.
     14            MS. MILLER:  Off the record.
     15            THE VIDEOGRAPHER:  We're going off the 
     16   record.  The time is 1:34.
     17            (Break taken.)
     18            THE VIDEOGRAPHER:  We're going back on the 
     19   record.  The time is 1:41.  You may proceed.
     20   BY MS. MILLER:
     21        Q.  Mr. Schneier, just a couple of really quick 
     22   questions I just want to make sure we've gone 
     23   through in your testimony today.  Now, have you ever 
     24   personally been involved in any effort to reverse 
     25   engineer CSS?
                                                           106
               



      1        A.  No.
      2        Q.  Looking again at paragraph 9 in your 
      3   declaration, you state, "Finally, as a matter of 
      4   basic computer and cryptological science, the DVD 
      5   break consisting of, among other utilities, DeCSS, 
      6   is a very good thing.  It is good research 
      7   illustrating how bad the encryption algorithm is and 
      8   how poorly thought out the security model is and 
      9   must be available to cryptologists, programmers and 
     10   others as a research and intellectual tool through 
     11   the normal channels -- included but not limited to 
     12   posting it on the Internet."
     13            Now, in that statement when you say, "The 
     14   DVD break, consisting of among other utilities, 
     15   DeCSS," are you referring to DeCSS in its source 
     16   code form or its object code form?
     17        A.  I'm referring to neither.  I'm referring to 
     18   it in general.
     19        Q.  Okay.  But you've earlier testified that 
     20   you've never seen the source code for DeCSS; is that 
     21   correct?
     22        A.  I have not.
     23        Q.  You also testified that you've never seen 
     24   the object code for DeCSS; is that correct?
     25        A.  I have not.  I have testified that I have 
                                                           107
               



      1   not.
      2            MS. MILLER:  Thanks.  That's actually all I 
      3   have at this time in your deposition, Mr. Schneier,  
      4   subject to the few document requests that I've made 
      5   of Mr. Hernstadt and if you don't mind searching for 
      6   the e-mails that we've talked about that you 
      7   testified to that you might have.  I'd like to leave 
      8   the deposition open in case there are any follow-up 
      9   questions.  I know Mr. Hernstadt feels differently, 
     10   and he will so state that on the record, I presume.
     11            MR. HERNSTADT:  You're welcome to state my 
     12   position for me since we -- depending on --
     13            MS. MILLER:  Shortcut things.
     14            MR. HERNSTADT:  -- depending on who takes 
     15   the deposition, we each say the same thing.  But 
     16   obviously I think the deposition is concluded, and 
     17   thank you very much.  I appreciate it.
     18            MS. MILLER:  I thank you for your time and 
     19   candor.
     20            (Discussion off the record.)
     21            MR. HERNSTADT:  Because the trial is 
     22   scheduled to start on July 17th, we've requested 
     23   that the court reporter with respect to the 
     24   depositions of Chris DiBona, Barbara Simons and 
     25   Bruce Schneier, to provide the originals immediately 
                                                           108
               



      1   or as soon as they're completed for review and 
      2   signing, and then those will be returned to the 
      3   party that's noticed the deposition.  And we 
      4   appreciate the reporter's willingness to assist us 
      5   with this.  Thank you. 
      6            THE VIDEOGRAPHER:  This is the end of Tape 
      7   No. 2 in the deposition of Bruce Schneier.  Going 
      8   off the record.  The time is 1:45. 
      9            (Time noted:  1:45 p.m.)
     10
     11
     12
     13                            ______________________ 
     14                                BRUCE SCHNEIER
     15
     16
     17
     18
     19
     20
     21   Subscribed and sworn to before me
     22   this__________ day of__________________, 2000
     23   Notary Public in and for the State of
     24   California, County of Santa Clara
     25
                                                           109