Case 3:17-cv-05659-WHA Document 423-24 Filed 04/11/19 Page 1 of 11

REDACTED VERSION OF DOCUMENT SOUGHT TO BE SEALED

DKT. 125-15
(REDACTED)

UNREDACTED VERSION OF DOCUMENT SOUGHT TO BE SEALED

Exhibit 3
(Redacted)

Yuly Tenorio Volume I Highly Confidential - Attorneys' Eyes Only
May 09, 2018

                    UNITED STATES DISTRICT COURT
                  NORTHERN DISTRICT OF CALIFORNIA
                       SAN FRANCISCO DIVISION

   ___________________________________
                                      )
   FINJAN, INC., a Delaware           )
   Corporation,                       )
                                      )
             Plaintiff,               )
                                      )
   vs.                                )  No. 3:17-CV-05659
                                      )      WHA
                                      )
   JUNIPER NETWORKS, INC., a          )
   Delaware Corporation,              )
                                      )
             Defendant.               )
   ___________________________________)

            HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY

               VIDEOTAPED DEPOSITION OF YULY TENORIO

                              VOLUME I

                             May 9, 2018

                              9:04 a.m.

                   1133 Innovation Way, Building A

                        Sunnyvale, California

   REPORTED BY:

   LANA L. LOPER,

   RMR, CRR, CCP, CME, CLR, CSR No. 9667

U.S. LEGAL SUPPORT | www.uslegalsupport.com

Page 6

 1                       Sunnyvale, California;
 2                 Wednesday, May 9, 2018, 9:04 a.m.
 3
 4             THE VIDEOGRAPHER: Good morning. We are now on
 5   the record.
 6             This is the recorded video deposition of Yuly
 7   Tenorio, in the matter of Finjan, Inc., versus Juniper
 8   Networks, Inc., taken on behalf of the plaintiff,
 9   Finjan.
10             This deposition is taking place at Juniper
11   Networks, Inc., 1133 Innovation Way, Building A,
12   Sunnyvale, California 94089, on May 9, 2018. The time
13   is 9:04 a.m.
14             My name is Kevin McMahon. I'm the
15   videographer, with U.S. Legal Support, located at 440
16   Montgomery Street, Suite 550, San Francisco, California,
17   94104.
18             Video and audio recording will be taking place,
19   unless all counsel have agreed to go off the record.
20             Would all present please identify themselves,
21   beginning with the witness.
22             THE WITNESS: My name is Yuly Tenorio.
23             MS. CARSON: Rebecca Carson, of Irell &
24   Manella, on behalf of Juniper Networks.
25             MR. LEE: Michael Lee, from Kramer Levin,

Page 7

 1   representing Finjan.
 2             THE VIDEOGRAPHER: The court reporter is Lana
 3   Loper.
 4             Would you please swear in the witness.
 5                          YULY TENORIO,
 6             having been first administered an oath
 7             in accordance with CCP Section 2094, was
 8             examined and testified as follows:
 9
10             THE VIDEOGRAPHER: Please proceed.
11
12                           EXAMINATION
13   BY MR. LEE:
14        Q    Where do you work?
15        A    I work at Juniper Networks.
16        Q    What is your position at Juniper Networks?
17        A    I'm a senior software engineer.
18        Q    What are your responsibilities as senior
19   software engineer?
20        A    I design program tests, in charge of any -- any
21   issues that come up with the features that I am
22   responsible for.
23        Q    What features are you responsible for?
24        A    It varies from time to time.
25             At this moment, I'm responsible for the

Page 8

 1   component called the Web API; the UI API; a product that
 2   we call Cascade; any related features to the Web API,
 3   including RDB, mostly.
 4             That's what comes to mind at this moment.
 5        Q    You mentioned Web API, correct?
 6        A    Correct.
 7        Q    What is Web API?
 8        A    The Web API is the internal API that the --
 9   what we call the adapters use to get new samples to
10   analyze, so made results of analyzed samples; and let
11   the SkyATP -- let the Web API know --
12             THE REPORTER: I'm sorry, SkyAP...?
13             THE WITNESS: SkyATP, let the system know
14   whether they're having any issues, like errors.
15             Primarily, it's that, uh-huh.
16   BY MR. LEE:
17        Q    When you say Web API is an internal API, can
18   you elaborate?
19             Like, can you elaborate what it means to a
20   layperson, what "internally" means?
21             MS. CARSON: Objection. Form.
22             THE WITNESS: What I mean is we -- in SkyATP,
23   we have various deployments. Each deployment is its own
24   virtual private cloud. It's internal to the private
25   cloud. It's not publicly available. It's API. It's

Page 9

 1   only available to the adapters that are internal to the
 2   VTC.
 3             There are -- some adapters are external, but
 4   they're white-listed, so no one else can really
 5   interface with this API.
 6        Q    You mentioned adapters. Which adapters?
 7             MS. CARSON: Objection. Form.
 8             THE WITNESS: All of the adapters interface
 9   with the Web API.
10   BY MR. LEE:
11        Q    Can you name the adapters?
12        A    I can name the ones that come to mind: the hash
13   lookup adapter; the meta-defender adapter; greyduckling
14   adapter; the verdict engine adapter; the Reputation.
15   The URL Reputation is considered an adapter, but it's
16   not really an adapter. There's also the Reputation.
17             I think those were named hash lookup. And the,
18   what we call, the deception adapter, which interfaces
19   with Joe Sandbox.
20             THE REPORTER: Just a moment.
21             I'm having trouble -- since you're not looking
22   towards me, I'm having trouble hearing you.
23             THE WITNESS: I'm sorry.
24             THE REPORTER: I'm moving around. It's okay;
25   it's just that you're facing away from me a little bit.

Page 10

 1             THE WITNESS: I'm sorry.
 2             THE REPORTER: Thank you.
 3             MS. CARSON: It's okay. We'll all adjust to
 4   whatever makes you comfortable. Just do what you're
 5   doing and we'll adjust.
 6             THE WITNESS: Okay.
 7   BY MR. LEE:
 8        Q    What's the purpose of an adapter?
 9             MS. CARSON: Objection. Form.
10   BY MR. LEE:
11        Q    The main purpose of any adapter is to -- it was
12   named adapter, because you usually have an adapter for
13   cable to adapt to something else. That's why it was
14   named an adapter.
15        A    It's mostly to -- it's what we use as a -- as
16   an interface, an adapter to SkyATP, to anything else on
17   the other side. Uh-huh.
18        Q    Are adapters used to analyze samples?
19             MS. CARSON: Objection. Form.
20             THE WITNESS: It -- it is -- they are used to
21   analyze sample and for other things as well, sorry.
22   BY MR. LEE:
23        Q    Other things, like hash lookups and Reputation
24   lookups, is that -- when you say other things?
25             MS. CARSON: Objection. Form.

Page 11

 1             THE WITNESS: Yes. Those are some of the other
 2   things, uh-huh.
 3   BY MR. LEE:
 4        Q    You mentioned SkyATP, correct?
 5        A    Uh-huh, yes.
 6        Q    What is SkyATP?
 7        A    SkyATP is Juniper Networks advanced
 8   anti-malware and threat protection system.
 9        Q    You mentioned hash lookup adapter.
10             Do you recall that?
11        A    Uh-huh, yes.
12        Q    What is the hash lookup adapter?
13             MS. CARSON: Objection. Form.
14             THE WITNESS: The hash lookup adapter looks up
15   hashes on any engine that could be on the other side,
16   that can vary which engine is on the other side.
17             Right now, I believe that that engine is -- I
18   think it is meta-defender at this point, but I could
19   be -- that information could be additive, but I think it
20   is meta-defender.
21   BY MR. LEE:
22        Q    Can hash lookup be used for other adapters,
23   like greyduckling or deception?
24             MS. CARSON: Objection. Form.
25             THE WITNESS: No, because its -- its purpose is

Page 12

 1   to look up just based on the hash that is provided to
 2   that adapter. So the adapter asks the Web API, is there
 3   any sample ID or SHA-256 to look up -- any dust to look
 4   up. So greyduckling is a different adapter.
 5   BY MR. LEE:
 6        Q    You mentioned a sample ID or SHA-56, SHA-256?
 7        A    SHA-256.
 8        Q    What is a sample ID?
 9             MS. CARSON: Objection. Form.
10             THE WITNESS: In order to identify samples or
11   files that are coming in to SkyATP, we perform a hash,
12   the SHA-256 hash, on the contents of the files.
13   BY MR. LEE:
14        Q    Can you provide an example of the type of
15   contents that you perform a SHA-256 hash on?
16             MS. CARSON: Objection. Form.
17             THE WITNESS: That's pretty broad, and it
18   depends on various factors.
19             We -- SkyATP doesn't accept all kinds of files,
20   so it depends on how the system is set up with the
21   customer's devices. But some examples are PDFs, Word
22   documents, executables.
23   BY MR. LEE:
24        Q    What is the name of the component that performs
25   the SHA-256 hash on the files?

Page 13

 1             MS. CARSON: Objection. Form.
 2             THE WITNESS: Um, I believe, right now, it's --
 3   it's primarily done in what we call Kookaburra
 4   internally. It's like the SRX API. It is what receives
 5   the files coming from the SRX devices.
 6   BY MR. LEE:
 7        Q    Did you say Kookaburra?
 8        A    Kookaburra.
 9        Q    Can you spell that?
10        A    KO -- I think it's double O -- K-o-o-k-a-b, as
11   in boy, u-r-r-a.
12        Q    What is Kookaburra?
13        A    It's what we used to call the SRX API.
14        Q    So is Kookaburra the component that the SRX
15   uses to perform a hash of files for lookups at SkyATP?
16             MS. CARSON: Objection. Form.
17             THE WITNESS: It's not exactly as you just
18   described.
19             The SRX start sending data to SkyATP using the
20   SRX API. The SRX API itself starts getting the file
21   metadata and then hashes the content of any file that is
22   coming in.
23   BY MR. LEE:
24        Q    Can you elaborate, what do you mean by "content
25   of any file"?

Page 54

 1   BY MR. LEE:
 2        Q    Are you aware of anything else included in
 3   greyduckling results other than the positive features
 4   and the score?
 5             MS. CARSON: Objection to form.
 6             THE WITNESS: It probably includes the model,
 7   the machine learning model, that was used.
 8   BY MR. LEE:
 9        Q    Anything else?
10        A    I think that if the file wasn't signed
11   correctly, or something was incorrect about the way it
12   was signed, or if there's some mismatch, it is my
13   recollection that that is included as well, like, how it
14   was inappropriately signed, or like what -- like,
15   sometimes a file can be self-signed or things like that.
16             It is my recollection that it includes some
17   information about the way it was signed.
18        Q    Do the greyduckling results also include the
19   sample ID?
20             MS. CARSON: Objection. Form.
21             THE WITNESS: Sample ID is required by the
22   submit sample API. So you have to say, I am submitting
23   results for this sample ID from this adapter, and these
24   are the results.
25             So it's included along with everything in the

Page 55

 1   API. But I don't think the sample ID is inside the JSON
 2   results.
 3   BY MR. LEE:
 4        Q    How does greyduckling link the sample ID to the
 5   results?
 6             MS. CARSON: Objection. Form.
 7             THE WITNESS: So greyduckling has the sample
 8   ID, because when it says, is there another sample to
 9   analyze, it gets the sample ID.
10             This sample ID gets passed back to the Web API
11   as part of the API parameters. But it's not included in
12   the JSON results themselves.
13             So in the API post request, you can -- you
14   send, for this ability from this adapter, these are the
15   results.
16             Does that make sense?
17   BY MR. LEE:
18        Q    Are greyduckling results stored in a database?
19             MS. CARSON: Objection. Form.
20             THE WITNESS: Greyduckling adapter itself
21   doesn't interact with the database. We have the Web API
22   to interface the adapters to the rest of SkyATP.
23             When the greyduckling adapter submits a result
24   to the Web API, the Web API uses a schema-less database,
25   DynamoDB, to store the JSON results for any adapter that

Page 56

 1   submits results.
 2   BY MR. LEE:
 3        Q    What are the databases that store greyduckling
 4   results?
 5             MS. CARSON: Objection. Form.
 6             THE WITNESS: It is my understanding that we
 7   only use the schema-less DynamoDB from AWS to store all
 8   the results from all the adapters that fit within a
 9   record in DynamoDB.
10             When the results from an adapter are too big --
11   I think "too big" means over -- over eight megabytes. I
12   don't remember the exact cutoff.
13             If the results coming from an adapter, the JSON
14   results, are too big, then they are stored in another
15   AWS solution, which is called S3. It's a storage
16   solution. It's basically an online file system, so it
17   gets stored there.
18   BY MR. LEE:
19        Q    Is there a name for that storage solution?
20             Oh, is it called S3?
21        A    Yes, AWS S3.
22        Q    Are you aware of something called results
23   database?
24             MS. CARSON: Objection. Form.
25             THE WITNESS: What we call internally results

Page 57

 1   database is the interface code in everything we use to
 2   store results in the back-end schema-less database.
 3             The RDB, or Results DB, as a component as code,
 4   was written to interface with any back end database,
 5   really.
 6             So in this -- right now, it's a interfacing
 7   with the schema-less DynamoDB, as well as MySQL, for
 8   some things.
 9             I think those two are it, if I'm correct.
10   BY MR. LEE:
11        Q    What is the MySQL database that is used by RDB?
12             MS. CARSON: Objection. Form.
13             THE WITNESS: From what I can remember, in
14   Results DB, we store in MySQL index to more rapidly look
15   up data about all of the submissions.
16             For example, it includes, the sample ID was
17   last submitted at this date; this sample ID was --
18   was -- had this score, this numerical score from this
19   adapter; this sample ID is completely done, like all
20   of -- done in the pipeline, things like that, to allow a
21   researcher, an engineer on our side, to take a look at
22   all of the results -- not results -- to take a look at
23   all of the samples that were submitted in a more general
24   way.
25             For example, give me the sample IDs from all

Page 58

 1   the executables that were submitted in the last 30 days.
 2   Now, give me the sample IDs of all the executables that
 3   were malware, which means they had a score of .65 or
 4   above or greater.
 5             MySQL contains indexes to -- to make queries
 6   like this more performant, because the actual results,
 7   for example, which are contained in the schema-less
 8   DynamoDB, there is no way to -- because it doesn't have
 9   a schema, there are no indexes that we can use in
10   DynamoDB. That's why

Page 60

 1   BY MR. LEE:
 2        Q    Is this interface used for storing data in the
 3   database and looking up data in the database?
 4             MS. CARSON: Objection. Form.
 5             THE WITNESS: This interface code is used to --
 6   a lot of things, including let's store results in the
 7   schema-less database; let's -- let me look up samples
 8   that were executables, just give me the sample IDs;
 9   update the counters for this sample, because we've
10   received it again, so like incremental counter.
