Case 3:17-cv-05659-WHA Document 432-2 Filed 04/11/19 Page 1 of 45
`Case 3:17-cv-05659-WHA Document 432-2 Filed 04/11/19 Page 1 of 45
`
`
`
`
`
`EXHIBIT 1
`EXHIBIT 1
`
`
`
`
`
`
`
`
`
`
`
`
`
`

`

`Case 3:17-cv-05659-WHA Document 432-2 Filed 04/11/19 Page 2 of 45
`
`APPEARANCES (CONTINUED):
`
`For Defendant: IRELL & MANELLA LLP
` 1800 Avenue of the Stars, Suite 900
` Los Angeles, California 90067-4276
` BY: JONATHAN S. KAGAN, ESQ.
` ALAN J. HEINRICH, ESQ.
` JOSHUA GLUCOFT, ESQ.
` CASEY CURRAN, ESQ.
`
` IRELL & MANELLA LLP
` 840 Newport Center Drive, Suite 400
` Newport Beach, California 92660
` BY: REBECCA CARSON, ESQ.
`
`
` Volume 2
` Pages 198 - 397
`UNITED STATES DISTRICT COURT
`NORTHERN DISTRICT OF CALIFORNIA
`BEFORE THE HONORABLE WILLIAM H. ALSUP, JUDGE
`
`)
`FINJAN, INC.,
` )
` Plaintiff,
`)
` )
` VS. ) No. C 17-5659 WHA
` )
`JUNIPER NETWORKS, INC.,
`)
` )
` Defendant.
`)
` ) San Francisco, California
` Tuesday, December 11, 2018
`
`
`TRANSCRIPT OF PROCEEDINGS
`
`
`APPEARANCES:
`
`For Plaintiff: KRAMER, LEVIN, NAFTALIS & FRANKEL LLP
` 990 Marsh Road
` Menlo Park, California 94025
` BY: PAUL J. ANDRE, ESQ.
` LISA KOBIALKA, ESQ.
` JAMES HANNAH, ESQ.
`
` KRAMER LEVIN NAFTALIS AND FRANKEL LLP
` 1177 Avenue of the Americas
` New York, New York 10036
` BY: CRISTINA LYNN MARTINEZ, ESQ.
`
`(Appearances continued on next page)
`
`
`
`
`Reported By: Katherine Powell Sullivan, CSR No. 5812, RMR, CRR
` Jo Ann Bryce, CSR No. 3321, RMR, CRR
` Official Reporters
`
`
`TRIAL EXHIBITS IDEN EVID VOL.
`
`
`I N D E X
`
` 201
`
` E X H I B I T S
`
`1
`
`338
`
`2
`
`22
`
`23
`
`57
`
`74
`
`91
`
`342
`
`372
`
`382
`
`363
`
`363
`
`388
`
`391
`
`283
`
`279
`
`263
`
`384
`
`2
`
`2
`
`2
`
`2
`
`2
`
`2
`
`2
`
`2
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
`
`
`91
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
` 200
`
`I N D E X
`
`
`Tuesday, December 11, 2018 - Volume 2
`
`PLAINTIFF'S WITNESSES PAGE VOL.
`
`BIMS, HARRY (RECALLED)
`(PREVIOUSLY SWORN)
`Direct Examination resumed by Mr. Andre
`Cross-Examination by Mr. Kagan
`Redirect Examination by Mr. Andre
`
`HARTSTEIN, PHILIP
`(SWORN)
`Direct Examination by Ms. Kobialka
`Cross-Examination by Ms. Carson
`Redirect Examination by Ms. Kobialka
`
`KROLL, DAVID
`(SWORN)
`Direct Examination by Mr. Hannah
`Cross-Examination by Mr. Heinrich
`Redirect Examination by Mr. Hannah
`
`NAGARAJAN, CHANDRA
`By Videotaped Deposition
`
`COLE, ERIC
`(SWORN)
`Direct Examination by Mr. Andre
`
`224
`225
`239
`242
`
`243
`244
`294
`324
`
`337
`338
`347
`359
`
`364
`
`367
`368
`
`2
`2
`2
`2
`
`2
`2
`2
`2
`
`2
`2
`2
`2
`
`2
`
`2
`2
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
`
`
`91
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`

`

`Case 3:17-cv-05659-WHA Document 432-2 Filed 04/11/19 Page 3 of 45
`
`PROCEEDINGS
`
` 207
`tomorrow.
`THE COURT: All right. Then work it out. But if they
`don't bring him, you get to use the deposition.
`Next. Finjan's motion to seal because of -- no. No way
`we're going to do that. Those documents -- you're just
`trying -- Finjan wants to seal the courtroom and keep all these
`people out so that the rest of the world won't see what you're
`up to. No way. No way.
`MR. ANDRE: Your Honor, we're required to do that by
`agreement with the third party.
`THE COURT: Fine. You've tried. Denied.
`MR. ANDRE: Thank you.
`THE COURT: The public is going to see what Finjan is
`
`up to.
`Next, three, Finjan's Objections to Juniper's Exhibits for
`Late Disclosure. I don't know what this is even about. What
`is that motion about?
`MR. ANDRE: This is what is called the 282 disclosure.
`THE COURT: Yes?
`MR. ANDRE: They didn't make one.
`THE COURT: What do you mean 282?
`MR. ANDRE: 35 U.S.C. 282 requires a defendant in a
`patent case to disclose any prior art or state of the art
`references 30 days before trial. They just didn't make a
`disclosure.
`
`PROCEEDINGS
`MR. ANDRE: Their case.
`THE COURT: I've got a little bit of time on this
`
` 209
`
`then.
`
`MR. ANDRE: Yes.
`THE COURT: Is it true that the law requires a
`specific disclosure?
`MR. HEINRICH: No. In fact, the law is the opposite.
`282 says it has to be in pleadings or otherwise in writing.
`There's a Federal Circuit case, Eaton v. Appliance Valves.
`It's 790 Fed. 2d 874 from the Federal Circuit. And that case
`says that the purpose of this is to avoid unfair surprise.
`It's not a formalistic requirement.
`THE COURT: But did that decision allow somebody to
`get away with doing it the way you did it?
`MR. HEINRICH: Well, it was much -- they did much less
`in that case, Your Honor. They --
`THE COURT: All right. Stop. What's the name of that
`decision?
`MR. HEINRICH: All right Eaton v. Appliance Valves.
`THE COURT: What do you say to Eaton?
`MR. ANDRE: Your Honor, I'm not familiar with that
`case. We cited the case in our letter we sent to you, a
`Federal Circuit case, that said just the opposite. So I'd have
`to go back and look at Eaton. They didn't give us that case
`last night.
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
`
`
`91
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
`
`
`91
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`PROCEEDINGS
` 206
`MR. ANDRE: Your Honor, we're actually -- we got this
`letter late last night as well. We're going to withdraw
`Mathena.
`THE COURT: Thank you.
`MR. ANDRE: So we'll make that move.
`THE COURT: Thank you.
`Scott Coonan.
`MR. ANDRE: We're not withdrawing that one.
`THE COURT: What?
`MR. ANDRE: We're not withdrawing that one.
`THE COURT: No, no. I'm either going to allow it --
`it's ridiculous for you to object to this. Either you bring
`Mr. Coonan in so that they can put him on the stand and do it
`through him, or I'm going to let him use the deposition.
`You're just trying to keep out that transcript where your
`guy did some bad things. No way.
`MR. KAGAN: That's not going to happen. We are
`presenting Mr. Coonan in our case-in-chief.
`THE COURT: No. Bring him so he can present him in
`his case-in-chief, or I'm going to let him use the deposition.
`MR. KAGAN: Okay. We'll make an election.
`THE COURT: You can use the deposition. You can use
`the deposition unless they supply you today with Mr. Coonan at
`your convenience when you want to call him.
`MR. ANDRE: Your Honor, he'll be for most likely
`
` 208
`
`PROCEEDINGS
`We didn't think they were going to bring in prior art
`because validity is not in the case.
`THE COURT: Well, then how do you get around that?
`MR. HEINRICH: Well, we made multiple disclosures in
`this case, Your Honor.
`THE COURT: Did you do it within 30 days?
`MR. HEINRICH: Absolutely. We did invalidity
`contentions in this case.
`THE COURT: No. I mean, earlier than 30 days.
`MR. HEINRICH: Yes. Earlier than 30 days we did
`invalidity contentions back in April. We did an opening expert
`report in September.
`THE COURT: Did you disclose the specific prior art?
`MR. HEINRICH: Absolutely.
`THE COURT: Well, then, Mr. Andre, what are you
`talking about?
`MR. ANDRE: Your Honor, under 35 U.S.C. 282, giving
`discovery responses is not enough. You have to go in and give
`very specific disclosures. When I do defense work, this is
`something on my calendar every single time.
`Now, we didn't think they would be using any prior art or
`state of the art because that's not in the case; but yesterday
`they disclosed a bunch of prior art exhibits, and so --
`THE COURT: All right. Is this coming up for their
`
`case?
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
`
`
`91
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
`
`
`91
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`

`

`Case 3:17-cv-05659-WHA Document 432-2 Filed 04/11/19 Page 4 of 45
`
`PROCEEDINGS
` 211
`"Finjan as the present patent holder had the burden of
`proving damages by a preponderance of the evidence."
`Now, I haven't had this -- I've thought about this problem
`in the past but it's been a few months or years. Who has the
`burden of showing what the unpatented features are of an
`accused device?
`MR. ANDRE: Your Honor, I think that would be the
`patentee's burden. I think it's our burden, and what we're
`doing is --
`THE COURT: You haven't done that.
`MR. ANDRE: Well, we haven't -- we're just presenting
`our damages case and we're going to put a fact-based case on.
`And what we have -- and I'll just take a step back.
`I actually argued the Finjan/Blue Coat case at the
`Federal Circuit so I got --
`THE COURT: You got your head handed to you.
`MR. ANDRE: Just on that issue. I won everything
`
`else.
`
`THE COURT: Okay. Okay, yeah. Sorry. Good lawyers
`win some and they lose some, otherwise they wouldn't be any
`good because they can't bat 1,000.
`All right. Go ahead.
`MR. ANDRE: All right. So in that case I argued that
`what they called the DRTR was the small sellable unit;
`therefore, we get 100 percent of --
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
`
`
`91
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
` 210
`
`PROCEEDINGS
`It's not going to be up until tomorrow or the next day,
`so --
`
`THE COURT: Well, okay. You need by 5:00 p.m.
`today -- look at all these lawyers. By 5:00 p.m. today, one of
`these lawyers will submit a three-page brief on this subject,
`both sides, by 5:00 p.m. today.
`Next. I want to go over this. I sent out something that
`I'm concerned about this issue of apportionment. How does
`it -- I understand the Blue Coat decision, I think, but how
`does it work?
`It does make some statement. I'll read you the statement.
`This is the Federal Circuit talking (reading):
`"In such cases" -- this is a quote now. "In such
`cases the patentee must," quote, "give evidence tending to
`separate or apportion the infringer's profits and the
`patentee's damages between the patented features and the
`unpatented features and such evidence must be reliable and
`tangible and not conjectural or speculative."
`And that's citing to some case called Garretson versus
`Clark, U.S. Supreme Court 1884. Now, I just love it when they
`can find something that old. That's good. That's good. I
`wish we could go back to those simpler days, but here we are.
`They got it.
`Okay. (reading)
`"Finjan as the" -- this is your -- it was against you.
`
`PROCEEDINGS
` 213
`is the infringing use, the one that gets scanned and stored in
`the database.
`So we've already apportioned down to what the
`Federal Circuit says the infringing and noninfringing
`functions. The noninfringing functions would be the antivirus,
`for example.
`THE COURT: It didn't say "functions." It says
`"features."
`MR. ANDRE: Yeah. Also in the next paragraph when you
`talk about the DRTR after the WebPulse, it says (reading):
`"DRTR, which stands for ratings as part of WebPulse,
`and it performs both infringing and noninfringing
`functions."
`THE COURT: Where do you see the word "functions"?
`MR. ANDRE: It's the paragraph right here
`(indicating). It's right up here (indicating). It starts with
`"DRTR, which stands for..."
`THE COURT: Yeah.
`MR. ANDRE: At the end of that first sentence "both
`infringing and noninfringing functions."
`(Pause in proceedings.)
`THE COURT: All right. I see the word "functions" in
`that paragraph. Hold that thought.
`All right. What does the other side say about what I just
`heard?
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
`
`
`91
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`PROCEEDINGS
` 212
`THE COURT: Don't tell me about that case. I'll never
`get it. Just tell me, do you have the burden to show the
`unpatented features and then show the patented features and
`then apportion between them?
`MR. ANDRE: Yes. And so what we're doing in this case
`is we're doing that.
`THE COURT: How are you going to do that without an
`
`expert?
`
`MR. ANDRE: Well, we have their corporate
`representative.
`THE COURT: Who?
`MR. ANDRE: The corporate representative, 30(b)(6)
`witness --
`THE COURT: Yeah.
`MR. ANDRE: -- who went in and said that all the files
`that come into Sky ATP, only 40 percent of them get processed
`through the infringing components. So only 40 percent of all
`files.
`So we've already apportioned down to the -- what the
`Federal Circuit says the infringing and noninfringing uses. So
`the 60 percent is noninfringing. They do other things. They
`do antivirus. They do geolocation, whatever else.
`But 40 percent of the files come in. We have this
`right -- they actually ran a test. The 30(b)(6) witness ran a
`test and said only 40 percent of the files coming into Sky ATP
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
`
`
`91
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
`
`
`91
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`

`

`Case 3:17-cv-05659-WHA Document 432-2 Filed 04/11/19 Page 5 of 45
`
`PROCEEDINGS
` 223
`page and he talked about he would be creating these videos, and
`we had not created them and given to them in his report. So,
`once again --
`THE COURT: I'm going to exclude it because it should
`have been -- everyone knows the same ground rule. The
`demonstrative should have been attached to the report.
`MR. ANDRE: That's fine.
`THE COURT: Out. But it's going to apply to you too.
`MS. CARSON: Thank you, Your Honor.
`THE COURT: All right. What's next?
`MR. ANDRE: One last housekeeping matter. I think
`this was raised in the pretrial but I'm not 100 percent sure,
`about fact witnesses sitting in the courtroom. I think they --
`THE COURT: Who?
`MR. ANDRE: Fact witnesses.
`THE COURT: They should not be in the courtroom --
`MR. ANDRE: Yes, sir.
`THE COURT: -- unless you both agree.
`MR. ANDRE: Okay. Thank you, Your Honor.
`THE COURT: Fact witnesses should not. Is it okay if
`experts stay?
`MR. ANDRE: Yeah. We usually agree the experts can
`stay and one corporate representative, yes, Your Honor.
`MR. KAGAN: Yeah. So we have a corporate
`representative who is likely going to be a fact witness.
`
`BIMS - DIRECT / ANDRE
` 225
`You-all over there in the jury box will remember that we
`just got into the evidence.
`And is it Dr. or Mr. Bims? I can't remember.
`THE WITNESS: Doctor.
`THE COURT: Dr. Bims had just started his testimony
`and Mr. Andre is asking the questions. He represents Finjan.
`And we're in the very outset of the plaintiff's case. So we're
`just going to get right into it and start.
`Do you-all have -- you don't have to take notes, but it's
`up to you. Are you ready to go?
`(Nodding heads.)
`THE COURT: Mr. Andre, the floor is yours.
`MR. ANDRE: Thank you, Your Honor. May it please the
`
`Court.
`
`DIRECT EXAMINATION (resumed)
`BY MR. ANDRE:
`Q. Good morning, Dr. Bims.
`A. Good morning.
`Q. So when we left off yesterday, we were just talking about
`why you're here this week, your assignment. Can you just
`remind the jury what you're going to be talking about the next
`15, 20 minutes?
`A. Sure. So it's my job here to give a high-level overview
`through a tutorial on the technology that's going to be
`discussed this week.
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
`
`
`91
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
`
`
`91
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`PROCEEDINGS
` 222
`MS. MARTINEZ: Correct, Your Honor. We have other
`documents as well that do show the markings. So this is just,
`you know, a further -- further evidence.
`THE COURT: No. You're not going to be allowed to use
`something for substantive proof that you didn't disclose in
`response to their -- well, you should have put it in your
`initial disclosures. You should have --
`Did you ask for it in a document request?
`MS. CARSON: We did and also in an interrogatory.
`THE COURT: Did they?
`MS. MARTINEZ: They did, Your Honor.
`THE COURT: Well, then, you should have produced this
`document in response and you did not.
`Now, I'm sure they are guilty of this too. So before the
`trial is over, you'll get to say, "Remember, Judge, you
`excluded this document." And then they will be coming up with
`lame excuses trying to figure out a way around that.
`But, remember, this is going to work against you too.
`Okay. The Juniper people win on that one.
`MS. CARSON: There's one more as well. It's a
`demonstrative to their expert's testimony, also Demonstrative
`Number 2, and it was not disclosed with expert reports. We
`request that that be excluded as well.
`THE COURT: All right. What do you say to that one?
`MR. ANDRE: Your Honor, it's a video of the CNM Web
`
` 224
`
`PROCEEDINGS
`THE COURT: All right. Well, the corporate
`representative can definitely stay.
`MR. ANDRE: Yes.
`THE COURT: But the experts, do you both want them
`here or not?
`MR. ANDRE: Sure.
`THE COURT: You both agree?
`MR. KAGAN: Yes, Your Honor.
`THE COURT: All right. Experts can stay. I'm talking
`about retained experts, you know, the kind that did a Rule 26
`report. I'm not talking about some software engineer who's
`going to happen to give something that might be opinion
`testimony.
`All right. Okay. Are we done?
`MR. KAGAN: Yes, Your Honor.
`THE COURT: Let's see if the jury is all here.
`(Pause in proceedings.)
`THE COURT: Where's our witness? Let's have him come
`up to the stand.
`Mr. Bims, welcome back. Please have a seat.
`HARRY BIMS,
`called as a witness for the Plaintiff, having been previously
`duly sworn, testified further as follows:
`(Proceedings were heard in the presence of the jury:)
`THE COURT: Welcome back, everybody, and have a seat.
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
`
`
`91
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
`
`
`91
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`

`

`Case 3:17-cv-05659-WHA Document 432-2 Filed 04/11/19 Page 6 of 45
`
`BIMS - DIRECT / ANDRE
` 227
`which the virus would propagate would be limited to your local
`area network.
`But the Internet is actually a connection --
`interconnection of local area networks. That's why they call
`it the Internet. So through the Internet, you can actually
`spread a virus from one local area network to another and
`literally span the globe hacking into computers anywhere.
`Q. And when we talk about communication between computers on
`the Internet, could you describe to the jury how that happens?
`A. Okay. So generally computers communicate with one another
`by agreeing on a common language for how they talk to one
`another, and that language is coded in a series of ones and
`zeros that are sent over a wire. And so that language we call
`a communication protocol. And so that's how they talk. They
`talk back and forth by just sending ones and zeros to each
`other.
`Q. And using the Internet as an example, could you explain to
`the jury how a request is made and how that content comes back?
`A. Yeah. So when you're sitting at home and you're using
`your laptop or you're using your phone to reach the Internet,
`you can send out a request to visit a website and the data that
`comes back doesn't just magically appear on the screen.
`There's actually a lot of complex technology going on
`underneath the hood that you don't see that makes all that
`happen.
`
` 229
`
`BIMS - DIRECT / ANDRE
`web server. What are those?
`A. So those little tiny boxes are what we call packets,
`packets of information. Generally what's displayed on your
`screen comes from hundreds or maybe even thousands of these
`packets that are traveling across the Internet, and sometimes
`they come from multiple locations because the content that's
`displayed on the screen might actually have come from
`advertisers or third parties or et cetera, and all that data is
`merged together to be displayed on your screen.
`Q. How do hackers take advantage of this type of a network?
`And you can just use the graphic here again to show that.
`A. So in this example what a hacker has figured out is that
`if they can hack into the website that you're viewing and
`millions of people are accessing that one website, then they
`can infect millions of users fairly quickly without going
`through the trouble of breaking into each home around the
`country and installing the virus manually. They can just
`install it on the ESPN and then they've got millions of
`computers infected.
`Q. When you said that the information that goes back in these
`packets can come from multiple locations, can a hacker get into
`any one of those locations and infect your computer?
`A. Yeah. Any source of the content that's displayed on your
`screen is a possible vulnerability for downloading a virus into
`your computer.
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
`
`
`91
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
`
`
`91
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`BIMS - DIRECT / ANDRE
` 226
`Q. As we start this, tell the jury how security has changed
`over the years. Computer security, not any kind of security.
`A. Okay. So prior to the mid-'90s, the Internet had not yet
`taken off so computer security was generally in the form of
`either physical security because computers were not connected
`to anything else so you had to physically break into the room
`and install some kind of program that would hack into the
`computer; or hackers also realized that people were installing
`application programs on their PCs by going to a retail store
`and they'd buy a game from the store that was on a floppy disk
`drive, they'd take it home, and install it in their computer.
`So they figured out that if you could hack into that
`floppy disk drive and install the virus program that way, then
`when the consumer bought the application and took it home, they
`would install the virus onto their machine.
`And so that was a fairly slow way of propagating viruses
`at the time; but then once the Internet came about, then it was
`much, much easier for viruses to simply be downloaded over the
`Internet.
`Q. And how have computer networks changed over that same time
`period?
`A. So back in those early days, a computer network was
`generally a local area network. So, for example, this building
`would have its own local area network that was isolated from
`other local area networks in other buildings. So the extent to
`
`BIMS - DIRECT / ANDRE
` 228
`What happens is the request goes out through a series of
`equipment that we call routers to the destination that you're
`requesting data from, and then the content that you're
`requesting comes back through the series of routers back to
`your laptop or your smartphone.
`Q. Using the next slide, the graphic, could you explain how
`that operates, how that actually works?
`A. Yeah. So in this example, you might be, you know, staying
`at a place in the Northwest and the web server that you're
`visiting is on the other side of the country. Let's say you
`want to check out the San Francisco Giants sports score or
`something like that, but the server that has that information
`is on the other side of the country.
`So what will happen is the request that's sent from your
`computer goes through a series of routers that are
`strategically located all across the country and it's their job
`to relay the information that you sent, the request that you
`sent, to relay that information to a computer called a web
`server that's going to receive that request and then create a
`response, which will be the data that you see displayed on your
`screen. And that data is then communicated back along a
`pathway across the country through a series of routers back to
`your device.
`Q.
`I notice on the animation there's a single request that
`goes out but there's several smaller things going back from the
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
`
`
`91
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
`
`
`91
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`

`

`Case 3:17-cv-05659-WHA Document 432-2 Filed 04/11/19 Page 7 of 45
`
`BIMS - DIRECT / ANDRE
` 231
`because the Internet in its early days was wide open, there was
`really no security at all, so to solve this problem, engineers
`came up with a concept of a special product called a gateway.
`And the idea of the gateway is that it would sit in the pathway
`between you as the user and whatever website you're trying to
`view, and its job is to monitor all the packets going back and
`forth, all the data going back and forth, for the purpose of
`analyzing it to determine is this something that looks like it
`could be harming your computer by downloading a virus or
`stealing your passwords, or something like that. So it's going
`to be the security for your computer.
`Q. And could you describe how that works using this graphic?
`A. So in this example, the gateway is located on premises.
`So if you're working at a company, your office might buy a
`gateway and install -- and the IT Department would install it
`in the office, and its job would be to monitor all traffic
`going in and out of the office; and that gateway is
`responsible, then, to provide security for that office by
`detecting whether or not there are any viruses being downloaded
`or anything else that might harm the computers in the office.
`Q. Can you also put that gateway elsewhere, like in the
`cloud? I think we have the next graphic for that.
`A. So in this example, the gateway product is not located in
`the office but it's located somewhere else on the Internet; and
`the reason to do that is that it might be more cost effective
`
`BIMS - DIRECT / ANDRE
` 233
`scenarios. For example, most of the time a company is not
`being hacked into so they don't need to have lots and lots of
`equipment; but if they are being attacked, they need to be able
`to scale up their defenses to match the scale of the attack.
`So by having a hybrid approach, you're able to buy a
`minimal set of security that is scalable in realtime in the
`midst of an actual attack on the network.
`Q. Now, we're talking about a lot of solutions to these type
`of attacks. Could you briefly describe the difference between
`what we refer to as reactive technology and proactive
`technology?
`A. Sure. So in the reactive approach, what's typically used
`is something called virus scanning in which you look for a
`signature in the data that's being transmitted.
`One thing that we learned early on was that most viruses
`have a unique pattern of ones and zeros embedded in the data,
`kind of like your fingerprint. Each one had a different
`fingerprint. So if you scan for a particular string of ones
`and zeros and you find a match to the fingerprint, then you've
`identified this must be a virus.
`So that was the original way in which viruses were
`detected using this scanning approach looking for signature
`matches.
`Q. And what about the proactive approach? Generally describe
`that.
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
`
`
`91
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
`
`
`91
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`BIMS - DIRECT / ANDRE
` 230
`THE COURT: You used the word "ESPN." You said
`install it on the ESPN, and I don't think you defined -- most
`of us think of that as sports. But do you mean that ESPN?
`THE WITNESS: That's what I meant was the espn.com
`website.
`THE COURT: Okay. I see. So you're using that as the
`example.
`Okay. All right. It wasn't clear. Thank you. Now I
`understand.
`BY MR. ANDRE:
`Q. So if someone -- if I'm at my computer and I go to
`www.espn.com, are you saying that not all the contents that
`will come back comes from ESPN's server sitting in Bristol,
`Connecticut?
`A. Yes, it depends. In some scenarios, the place you're
`visiting might actually have contracts with third parties.
`They might be advertisers. They may be other partners who are
`offering companion services, et cetera, and they are supplying
`content in addition to the website you're viewing. So you
`think you're going to one site to view content. In reality,
`the content is coming to you from a number of different places.
`Q. And could you describe some of the security protocols and
`scanning technologies that can be used to combat this type of
`hacking?
`A. So, sure. So the -- so one way to solve this problem --
`
`BIMS - DIRECT / ANDRE
` 232
`for the company to, for example, rent time on a machine rather
`than actually buy a physical box or maybe they don't have space
`to install the physical box or they don't want to deal with the
`hassle of maintaining a physical box of equipment. They can
`contract with a third party who would take care of all of that
`for them and simply connect to the box over the Internet, and
`that box would then sit in the pathway between all
`communications going in and out of the office and the Internet.
`Q. So when you look at a user going through the cloud --
`first of all, what is the cloud? I mean, the cloud sounds like
`something up in the sky. What is the cloud when computer
`scientists refer to that?
`A. Sure. So when we talk about the cloud, what we're
`actually talking about is a set of computers and those
`computers are connected to the Internet, and what they do is
`they provide a common set of services. So in this example,
`that set of computers is providing the service of network
`security.
`Q. Could you describe the scenario where you use both the
`on-premises and the cloud-scanning technology and why you would
`want to do that?
`A. Okay. So in some cases this hybrid approach works where a
`company might buy a physical gateway appliance and at the same
`time also contract with a third party over the Internet to
`provide additional services, and that's useful in many
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
`
`
`91
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
`
`
`91
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`

`

`Case 3:17-cv-05659-WHA Document 432-2 Filed 04/11/19 Page 8 of 45
`
`BIMS - DIRECT / ANDRE
` 235
`Q. Does this method only detect known viruses?
`A. Yeah. So the fingerprint of the virus has to be known
`ahead of time and installed into a database. So when the first
`wave of virus attacks begins, there is no fingerprint in the
`database and the viruses will get through until such a time as
`the database is updated with the new fingerprint of this new
`virus.
`Q. So on the graphic we have here -- can we just run that
`again?
`On the graphic we have here where there's no signature,
`would the application go to the computer, to the user?
`A. So in this case the virus has fooled the virus detection
`software. The software looked for the fingerprint in the
`database. It didn't find it. So the virus was allowed to run
`on your computer.
`Q. Okay. Go to the next slide.
`Does that demonstrate how the new virus actually gets into
`the computer?
`A. Yes, exactly. So there's no match to the virus and so the
`virus is allowed to come into your computer and execute.
`Q. Let's talk about the behavior analysis that you discussed,
`the proactive approach. Could you describe how that works?
`A. Yeah. So with the behavioral analysis approach, the
`gateway will actually look at the functions performed by the
`data when it is downloaded onto your computer, because the data
`
`BIMS - DIRECT / ANDRE
` 237
`compared and analyzed to detect whether or not it looks like it
`could be a virus. So certain viruses have certain security
`profiles.
`So if a delete command is associated with Word documents
`or Excel documents, then that looks suspicious; or if a command
`is going to grab, you know, e-mails from your friends and send
`them to a third party source, that might be suspicious. So the
`profile would pick that up, and then that would be a red flag
`that what's about to be executed on your machine is a virus.
`Q. And if there is -- go to the next slide.
`So if the security profile does not indicate danger, what
`happens then?
`A. So if the security profile that's been created looks like
`it's not going to do anything harmful to your machine, then the
`content is allowed to then be downloaded onto your machine and
`executed.
`Q. So what can you do with a -- what are the different type
`things you can do with the security profiles that you were just
`talking about?
`A. So one thing you can do with a security profile is you can
`store it in a database for later retrieval because the process
`of analyzing the data coming in from the Internet in order to
`create a security profile is fairly expensive and
`time-consuming. So rather than repeat that process every
`single time, the security profile that's created can be stored
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
`
`
`91
`
`0
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
`
`
`91
`
`0
`11
`1