`
` 220
`
`UNITED STATES DISTRICT COURT
`SOUTHERN DISTRICT OF CALIFORNIA
`
`THE HONORABLE CATHY ANN BENCIVENGO
`
`
`FINJAN, INC., )
` )
` Plaintiff, ) CASE NO. 17CV183-CAB-BGS
` )
` vs. ) SAN DIEGO, CALIFORNIA
` )
`ESET, LLC and ESET SPOL. S.R.O.,) WEDNESDAY, MARCH 11, 2020
` )
` Defendants. )
`
`
`
`
`
`
`
`
`Reporter's Transcript of Jury Trial, Volume 2, Day 2
`Pages 220-387
`
`
`
`
`
`
`
`
`
`P r o c e e d i n g s r e p o r t e d b y s t e n o g r a p h y , t r a n s c r i p t p r o d u c e d b y
`c o m p u t e r a s s i s t e d s o f t w a r e
`
`M a u r a l e e R a m i r e z , R P R , C S R N o . 1 1 6 7 4
` F e d e r a l O f f i c i a l C o u r t R e p o r t e r
`o r d e r t r a n s c r i p t @ g m a i l . c o m
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
` 9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`
`
`Case 3:17-cv-00183-CAB-BGS Document 804 Filed 08/18/20 PageID.39061 Page 2 of 168
`
` 221
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
` 9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`APPEARANCES:
`For The Plaintiff: Kramer Levin Naftalis & Frankel, LLP
` Paul Andre
` James Hannah
` Lisa Kobialka
` Kristopher Kaskins
` 990 Marsh Road
` Menlo Park, California 94025
`
` Cristina Lynn Martinez
` 1177 Avenue of the Americas
` New York, New York 10036
`
`
`
`For the Defendants: Eversheds Sutherland (US) LLP
` Nicola A. Pisano
` Scott A. Penner
` Regis Worley
` 12255 El Camino Real, Suite 100
` San Diego, California 92130
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Case 3:17-cv-00183-CAB-BGS Document 804 Filed 08/18/20 PageID.39062 Page 3 of 168
`
` 222
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
` 9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`San Diego, California; Wednesday, March 11, 2020; 8:15 a.m.
`(Case called)
`(Appearances stated)
`THE COURT: All right. I got the dispute issue about
`the demonstratives for Dr. Cole's testimony as well as the
`exhibits, and fundamentally this comes down to the question
`that was raised in the motions in limine as to whether or not
`there's foundation for tests that were done, and I think there
`is no dispute that these products are post-expiration of the
`patent.
`
`MR. ANDRE: That's correct, Your Honor. But then
`technology was during the infringement period.
`THE COURT: And he has an opinion that they are the
`same as what was earlier?
`MR. ANDRE: That's correct, Your Honor.
`THE COURT: And was that in his report anywhere?
`MR. ANDRE: It was, Your Honor.
`MR. PENNER: If they can point to us where in the
`report he provides that because we don't believe it's in the
`report, and we also don't believe it's accurate.
`THE COURT: Well, accurate is a different question.
`MR. PENNER: I understand, Your Honor. But I don't
`believe that's in his report where he says after the expiration
`date are the same as those before.
`MR. ANDRE: Your Honor, the testing is ThreatSense
`
`
`
`Case 3:17-cv-00183-CAB-BGS Document 804 Filed 08/18/20 PageID.39063 Page 4 of 168
`
` 223
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
` 9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`Engine that was put in sometime, I think, 2010.
`MR. PENNER: The ThreatSense engine changes every day,
`Your Honor.
`MR. ANDRE: No.
`MR. PENNER: Multiple times a day.
`THE COURT: Shh. He's talking.
`MR. ANDRE: Thank you, Your Honor. And the cloud
`malware protection system was put in 2013. We can give you the
`cites in his report, but he's going to lay a foundation that he
`ensured by looking at the source code technical documents that
`functionality that he tested. And it's very superficial, to be
`candid with you. We're not getting into the weeds with his
`testing. But he did want to confirm through testing that what
`he found in the technical documents was still in the product
`and functioned the way he thought it was. And that's all it
`is.
`
`THE COURT: I understand that these product names have
`existed over the course of time. I have many iPhones, but I
`don't think if you test the presence of something in an iPhone
`10 you could necessarily conclude it was present in an iPhone
`6, but they're all still iPhones. So if that's their argument,
`that he's going to need to show that he actually looked at the
`original products that were available for sale during the
`relevant time and can say with some certainty that these
`features were available in these products, I mean, that's the
`
`
`
`Case 3:17-cv-00183-CAB-BGS Document 804 Filed 08/18/20 PageID.39064 Page 5 of 168
`
` 224
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
` 9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`problem.
`
`MR. ANDRE: What he does is look at source code for
`the products and shows where the changes in the source code are
`and where they changed from what we're looking at, an
`infringing functionality. He looks at technical
`specifications. There's nothing to show that the infringing
`aspect has changed at all. Granted with the iPhone 11, you
`might get a better camera but they probably didn't change some
`of the other core components. What we're showing is those core
`components that were in the iPhone 5 generation are still
`there. These are core components. These are not user
`interface. Dr. Cole will discuss that, and he confirmed
`looking at technical documents that his testing just confirmed
`what was there previously is still there.
`THE COURT: I'm going to allow the testimony subject
`to motion to strike. If he doesn't lay a proper foundation,
`then you can move to strike it.
`MR. PENNER: So to be clear, just so I'm
`understanding, your Honor, and I think your iPhone analogy is
`probably a pretty good one here. Just because the
`functionality can still block software doesn't mean it's
`blocking it the same way underneath. I mean, the modules have
`changed, and there's going to be testimony that the modules
`change every four to six hours in some cases. And as you can
`see from our listing on our brief here, every one of the
`
`
`
`Case 3:17-cv-00183-CAB-BGS Document 804 Filed 08/18/20 PageID.39065 Page 6 of 168
`
` 225
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
` 9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`modules that they accuse, including the engine, which is the
`detection engine which is the very first one there, it shows a
`version dated November 17, 2018. That's the model that they're
`accusing so there's no evidence -- first of all, the source
`code wasn't produced for that and so it wasn't requested during
`discovery and obviously this was in 2018. So there's no
`evidence that shows that source code matches up with the source
`code he reviewed. If that's the foundation he has to lay, I
`don't think he's going to be able to do that because he doesn't
`have the source code available to say yes, the same features
`were in the source code in 2018 that were in the source code
`when I reviewed it in 2016.
`THE COURT: All right. I understand the problem, but
`they say they're going to be able to demonstrate --
`MR. PENNER: Is that what they're going to have to
`demonstrate?
`THE COURT: -- make the link that this testis relevant
`because the source code is the same. And if he can't make the
`link, the Court will strike his testimony regarding to this
`testing.
`
`With regard to the deposition, do you need to do those
`this morning? Is that going to happen before the first break?
`MR. ANDRE: No.
`THE COURT: Then I don't want to keep the jury
`
`waiting.
`
`
`
`Case 3:17-cv-00183-CAB-BGS Document 804 Filed 08/18/20 PageID.39066 Page 7 of 168
`
` 226
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
` 9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`MR. PENNER: Your Honor, there were also two other
`exhibits that didn't necessarily relate to the source code
`issue, but relate to the products that didn't release until
`after, which is JTX-61 and JTX-75, which is the ESET threat
`intelligence. Both of those were products that there is no
`evidence in the record that existed or were sold prior to the
`expiration of the patents as well.
`MR. ANDRE: We disagree with that assertion, but
`nonetheless, on JTX-61 what we are using this exhibit for is on
`the right-hand side there, Your Honor, you'll see the cloud
`malware protection system. We have evidence that was
`introduced in 2013. We wanted to talk about that, and that's
`what this document is used for.
`With respect to JTX-75, there's a portion that talks
`about the Malware Analyzer. That was also done in 2013. So we
`have the justification for those technology components being
`around, at least, since 2013.
`MR. PENNER: Again, those are changes that have
`happened over time to both of those since ETI was released
`using a completely different aspect to produce the ETI -- I'm
`sorry. I keep using the -- ESET Threat Intelligence, again,
`post-dates the expiration of the patents. So to show the jury
`a document about ESET Threat Intelligence...
`THE COURT: This is an ad, right?
`MR. PENNER: Right. An ad for a product that didn't
`
`
`
`Case 3:17-cv-00183-CAB-BGS Document 804 Filed 08/18/20 PageID.39067 Page 8 of 168
`
` 227
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
` 9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`exist until after expiration of the products.
`THE COURT: They're not going to prove infringement
`with that ad.
`MR. PENNER: They're trying, it appears.
`THE COURT: You can cross-examine on the relevance of
`this ad if it isn't related to a product that's accused of
`infringement, if it's an ad for a current product. I'm not
`seeing that one. The 75 -- JTX-75. Again, this is from a
`website, or what is this?
`MR. ANDRE: This is one the technical specifications,
`Your Honor. And this is a technical specification that is -- I
`don't know. I don't see a date on this. But we are using it
`for the limited purpose to show a technology component that has
`been around since 2013.
`MR. PENNER: Again, the top of that line says it's for
`ESET Threat Intelligence. That's the second document talking
`about ESET Threat Intelligence. Again, that's a product that
`did not exist during the time period. So this is a technical
`document now about a product that did not exist during the
`relevant damages period.
`THE COURT: Again, you're going to have to lay some
`foundation before it can come in and be shown to the jury,
`because obviously there is a difference of opinion here about
`whether ESET Threat Intelligence is a product that is covered
`by this patent. I've seen it throughout all of the lists here
`
`
`
`Case 3:17-cv-00183-CAB-BGS Document 804 Filed 08/18/20 PageID.39068 Page 9 of 168
`
` 228
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
` 9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`of the accused products and services.
`MR. PENNER: I'm not sure the Threat Intelligence is
`actually an accused product. It's not listed in the pretrial
`order.
`
`THE COURT: All right. They're going to have to lay a
`foundation, and I'm going to let them proceed on those grounds.
`Okay. Go ahead.
`(Jury entering at 8:35 a.m.)
`THE COURT: Good morning, ladies and gentlemen.
`The jury is all present and we are prepared to
`proceed. So, Finjan, you may call your next witness.
`MR. ANDRE: Thank you, Your Honor. May it please the
`court. We're going to begin our technical presentations today,
`hopefully without too much technobabble, but we'll see what we
`can do. We would like to hand out the jury binders, and so
`with that in mind, I would like to move in JTX-1, which is the
`'844 patent; JTX-2, which is the '780 patent; JTX-3, which is
`the '086 patent; JTX-4, which is the '621 patent and JTX-5,
`which is the '755 patent. I would like to move those into
`evidence.
`THE COURT: I assume no objections?
`MR. PENNER: No objection, Your Honor.
`THE COURT: They are all received and admitted.
`(Exhibits JTX-1, JTX-2, JTX-3, JTX-4, JTX-5 admitted)
`MR. ANDRE: And also -- in the jury binder there is
`
`
`
`Case 3:17-cv-00183-CAB-BGS Document 804 Filed 08/18/20 PageID.39069 Page 10 of 168
`
` 229
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
` 9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`also that one page on Your Honor's claim construction.
`THE COURT: So you're going to get binders now.
`They're going to have the patents at issue in the case you can
`use as reference materials. And while they're explaining
`different aspects of the patents if you want to mark on them or
`write on them, they're yours to do that with. There are also
`in there the definitions the Court has provided for certain
`terms in the patent where there were disputes on how they
`should be interpreted. All right.
`MR. HANNAH: Your Honor, may it please the Court. We
`would like to call to the stand Dr. Harry Bims to provide an
`overview of the technology.
`Harry Bims, Ph.D, called as a witness, testifies as follows:
`(Witness given an oath)
`MR. HANNAH: Your Honor, may I approach?
`THE COURT: Yes, you may.
`THE CLERK: Sir, will you please state your name,
`spelling your last name for the record.
`THE WITNESS: Harry Bims, B-i-m-s.
`DIRECT EXAMINATION
`
`BY MR. HANNAH:
`Q
`Good morning.
`A
`Good morning.
`Q
`Dr. Bims, let's start with your educational background.
`Will you please explain to the jury your educational
`
`
`
`Case 3:17-cv-00183-CAB-BGS Document 804 Filed 08/18/20 PageID.39070 Page 11 of 168
`
` 230
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
` 9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`background?
`A
`Yes. So I have three engineering degrees across a couple
`of universities, RPI and Stanford. Those three engineering
`degrees were supported by a company called AT&T Bell
`Laboratories, which at the time, was considered the preeminent
`science and engineering research company. And while I was
`going to school, I also worked in various locations alongside
`their engineers on various research projects.
`So I'll start with my undergraduate degree in which I
`focused on computer architecture as one of the topics, and in
`particular, the hardware and software aspects of how a computer
`is designed. So on the hardware level, it's things like
`processor, cores, memory, bus interfaces, things of that sort.
`And then also, I had also learned several programming
`languages and then applied those languages to develop software
`that would interface with this hardware and which is commonly,
`you know, described as like an operating system. So an
`operating system is really just software running on the
`computer that will interface with the hardware components of
`the computer and also interface with any software applications
`that run on the computer. So that experience allowed me to be
`able to basically from the ground up build a computer from the
`hardware standpoint, as well the software standpoint.
`From there, I went on to Stanford and focused on computer
`networking concepts which is really around how you take a
`
`
`
`Case 3:17-cv-00183-CAB-BGS Document 804 Filed 08/18/20 PageID.39071 Page 12 of 168
`
` 231
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
` 9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`computer that's been built and make it talk to another
`computer. So they talk to one another over these networks
`which are using these languages that we call communication
`protocols. And a protocol is just a language that the
`computers use to interface to each other. So I did a lot of
`research there at Stanford in that area. In fact, my research
`adviser invented DSL while I was a grad student there.
`But I took those ideas and I focused in on the direction of
`wireless communications. So one of the three professors who
`reviewed my dissertation, Marty Hellman, is well known in the
`network security space. So any time you do an online purchase
`today, that purchase is done in security. There is a little
`lock symbol in your browser. When that little lock symbol
`closes, that means there's a secure transaction happening over
`the internet. But underneath the hood, there's a lot of
`algorithm processing going on. And Marty Hellman coinvented
`that network security algorithms back in the 1960s. So through
`that relationship, we began talking about network security in
`the context of wireless, and so his name comes up in my future
`work post-Stanford.
`Q
`Let's talk about that future work. After you got your
`Ph.D, can you tell us a little bit about your employment
`history?
`A
`Yeah. So I have many years of experience working in this
`computer networking space. So the -- what I have listed here
`
`
`
`Case 3:17-cv-00183-CAB-BGS Document 804 Filed 08/18/20 PageID.39072 Page 13 of 168
`
` 232
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
` 9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`are some of the projects that I've worked on at companies like
`Glenayre Technologies and AirFlow Networks, for example,
`working on -- I started in the early days working on pagers,
`right? Back in the day, there were pagers that could only
`receive information, but I was working at a company called
`Glenayre that developed a two-way pager; in other words, a
`pager that was able to send and receive email messages.
`I also, from there, worked on cellular network
`infrastructure, so the actual networking components that allows
`for cell phones to be able to communicate with the internet.
`And then I worked at a company called AirFlow Networks,
`which is a company that I founded with some VC money in the
`Valley to develop a novel WiFi access that was designed for
`large-scale deployments.
`So at GlenAyre, when we were deploying our two-way pagers,
`we noticed that hackers had figured out a way to hijack the
`communications going on across the nationwide paging network,
`so the company put me in charge of an effort to try to secure
`those communications. And that's when I reached out to Marty
`Hellman and brought his expertise to bear to develop a secure
`version of our email application. And that's when I began to
`realize the importance of network security in all aspects of
`wireless networking. And that continued through my work with
`Synergy Communications focused on cellular network
`infrastructure because cell phones needed to be secure.
`
`
`
`Case 3:17-cv-00183-CAB-BGS Document 804 Filed 08/18/20 PageID.39073 Page 14 of 168
`
` 233
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
` 9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`Then at AirFlow Networks, we had a product called the Air
`Switch Gateway, and that from day one was designed to have
`network security features built into it because we didn't want
`our customers to run the risk of their communications being
`hijacked by hackers who hack into the WiFi network.
`So in addition to that, I've also been actively involved in
`the development of U.S.-based standards for networking
`projects. Like ethernet, for example, is a U.S.-based standard
`and WiFi is also a U.S.-based standard. So I'm actually on
`the -- one of the voting members on the WiFi standard itself.
`There are about 350-some-odd engineers who come together every
`couple of months, and we decide what technologies to add to the
`WiFi to improve it. So back in the early days of WiFi, hackers
`again figured out how to highjack WiFi communications, so we
`had to do something about that. So we've worked over a series
`of amendments to WiFi that we call WiFi protected access, so
`there's a WPA1, there's a WPA2 and there's a WPA3, each one an
`evolution in network security technology because the hackers
`have gotten more sophisticated, and we have had to respond to
`that by updating the wireless protocol to make sure they don't
`break into the network.
`So WiFi and security kind of go hand in hand when you're
`developing these things. And I also see that occurring in
`other wireless standards that I have been engaged in. So
`things like the WiMAX standard and other U.S.-based standards
`
`
`
`Case 3:17-cv-00183-CAB-BGS Document 804 Filed 08/18/20 PageID.39074 Page 15 of 168
`
` 234
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
` 9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`that are being proposed, for example, to try to deal with these
`PG&E fires. You know, the idea that you have to call 911 to
`report a downed power line, which is kind of crazy in today's
`world. So the idea is to use the WiMAX wireless network to
`monitor all the transmission lines so that way you can really
`speed up the process of responding to that kind of event. And
`then, it's also being considered for tracking drones across the
`United States. The FAA wants to make sure that none of these
`drones are flying into airports and stuff like that. So WiMAX
`has some opportunity there as well. So I have been working as
`an expert in WiMAX on evolving that WiMAX standard to be able
`to meet those needs. So that's kind of a summary, I think, of
`my employment history.
`Q
`Okay. Great. Can you just tell us briefly about the
`patents that you're involved with? It says you have 23 patents
`here.
`A
`Yes. So over the years, I have invented 23 patents. A lot
`of them are related to my work at AirFlow Networks in the WiFi
`space, but they also deal with other wireless technologies as
`well, and some of them talk about the integration of network
`security with the wireless network at gateway level.
`MR. HANNAH: So at this point, Your Honor, we would
`like to tender Dr. Bims as an expert in computer networking and
`security.
`THE COURT: Any objection?
`
`
`
`Case 3:17-cv-00183-CAB-BGS Document 804 Filed 08/18/20 PageID.39075 Page 16 of 168
`
` 235
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
` 9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`MR. PISANO: No objection.
`THE COURT: He is received as an expert in that
`subject area.
`MR. HANNAH: Thank you, Your Honor.
`BY MR. HANNAH:
`Q
`Dr. Bims, what was your assignment in this case?
`A
`To provide a very high-level overview of the technology
`that is going to be discussed just to lay a foundation on what
`these terms are at a high level and what they mean, and also to
`provide a brief introduction as an example of network security
`products to provide a brief introduction to ESET products in
`the context of that high level.
`Q
`And did you help prepare some demonstratives to aid in your
`presentation today?
`A
`Yes. I do have a series of slides that will help to
`describe in high level what is going on with this network
`technology.
`Q
`Let's start at the beginning here. Looking at the first
`slide, can you explain to the jury what's being shown here and
`how that interaction with the internet works?
`A
`Sure. So at a very high level, the way your computer
`accesses information over the internet is this call/response
`process in which the first thing that happens is your computer
`or your smart phone will issue a request into the internet for
`information. Maybe you're visiting a website, so a request
`
`
`
`Case 3:17-cv-00183-CAB-BGS Document 804 Filed 08/18/20 PageID.39076 Page 17 of 168
`
` 236
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
` 9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`goes out to that website hey, I want some information from you.
`The website will then respond with the content you're looking
`for, and that content flows back from the internet into your
`device.
`Q
`So when you're talking about this request and this content,
`is that clicking a link to go to CNN.com for instance?
`A
`Yes. So if you have a web browser, you would click on that
`link and it will go out and request information. There are
`other ways which your device can be triggered to send out a
`request for information, but with a browser, that's how it's
`done.
`Q
`And when your request is made for different content or web
`pages, how does that work on a global level in terms of the
`request?
`A
`So if we drill down a little bit in terms of how the
`internet is organized. It's really organized as a series of
`computers spread across the country. Each one of those
`computers is like a web server that is going to route
`information, either requests for information or content that
`has been requested. And you can see in this map here, it looks
`kind of like an interstate highway system, only here instead of
`cars going back and forth across the country, there are packets
`of information that contain requests for information, and then
`the content coming back the other way.
`Q
`So, again, when we see these little cars traveling across
`
`
`
`Case 3:17-cv-00183-CAB-BGS Document 804 Filed 08/18/20 PageID.39077 Page 18 of 168
`
` 237
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
` 9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`here, where are those cars going? From the user to the
`internet?
`A
`Yeah. So what you see here in this animation are requests
`for information coming from the laptop on one side of the
`country along a pathway to the website, and that website might
`be one computer server or a collection of computer servers that
`work together to create the content that is then delivered back
`to your computer.
`Q
`How can hackers come into this process and affect the user?
`A
`So what hackers have figured out is if they want to infect
`your computer with a virus, then they can actually add
`additional content that you weren't aware of to whatever you're
`downloading from your website. So the website might be a
`sports site that is downloading sports scores, but then without
`your knowledge, there is additional information being
`downloaded into your computer that is put there by a hacker,
`and that information is then used to infect your computer and
`do all kinds of things.
`Q
`Is that what is being shown with the bomb that is coming
`from the hacker to the user in this demonstrative?
`A
`Yes. That's an example of malware or a virus that is
`associated with the content that travels with it from the site
`into your computer.
`Q
`Now, before the internet, how would you protect against
`these types of attacks, or how would you protect against
`
`
`
`Case 3:17-cv-00183-CAB-BGS Document 804 Filed 08/18/20 PageID.39078 Page 19 of 168
`
` 238
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
` 9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`viruses?
`A
`Okay. So in the early days before the internet, viruses
`are basically a file, and in that file, you'll see a string of
`1s and 0s, and those 1s and 0s contain commands for your
`computer to execute, operations for your computer to execute.
`And what people discovered is that with every new virus created
`had a pattern of 1s and 0s embedded in it unique to that
`particular virus. So the way virus protection worked, once a
`virus was released, passed from computer to computer using
`something called a floppy disk drive and floppy disks, once the
`virus was out there infecting computers, a sample of the virus
`has to be sent into the security company so they could analyze
`it in their lab, and once they've analyzed it in their lab, it
`would be discovered what is this unique pattern of 1s and 0s
`only associated with that particular virus and then published
`to their particular customers.
`So the customer's computer can then monitor all content
`that's downloaded to see if that unique pattern is there,
`because if it's there, then it would test positive for that
`particular virus, and that content would be blocked from
`running on your computer. So that's the way in which the
`reactive technology or antivirus technology worked prior to the
`internet.
`Q
`Why is it called "reactive technology"?
`A
`It's called reactive because the process is reacting to the
`
`
`
`Case 3:17-cv-00183-CAB-BGS Document 804 Filed 08/18/20 PageID.39079 Page 20 of 168
`
` 239
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
` 9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`spread of a computer virus that has already happened. So only
`after it has become a problem is a sample of the virus sent
`into the lab for analysis, a unique pattern is identified.
`It's kind of like a fingerprint that identifies the virus. In
`the industry, we call it a signature. Then the signatures have
`to be published to all the computers. And this is all
`happening after the fact, after this virus is already spreading
`around to various computers.
`Q
`So with the internet, how did security evolve?
`A
`So with the emergence of the internet, two things happened:
`One, with internet-based technology, viruses can spread a lot
`faster than they did prior to the internet. So in a matter of
`seconds, millions of computers can be affected. The other
`thing is hackers got a lot more intelligent about the way they
`wrote code to infect your computer. So the additional methods
`of looking for a signature weren't as effective as they used to
`be.
`So on this slide, you say that this technology is
`Q
`proactive. Can you explain what "proactive technology" is?
`A
`Okay. So what we're showing here in this slide is a user
`who requests content from the internet. And the content that
`comes back from the internet has to be scanned or searched to
`look for any behavior that the content is going to do. So we
`mentioned before that viruses have 1s and 0s, and those 1s and
`0s are understood by the computer as a set of commands to do
`
`
`
`Case 3:17-cv-00183-CAB-BGS Document 804 Filed 08/18/20 PageID.39080 Page 21 of 168
`
` 240
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
` 9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`certain operations inside your computer, maybe steal your
`passwords or encrypt your data so you can't get access to it.
`So in proactive technology, you're not looking for a
`particular fixed pattern of 1s and 0s, instead what you're
`doing is you're trying to figure out what is this code that's
`being downloaded, what is it actually going to do when it runs
`on the computer. So you want to know that ahead of time to be
`able to determine whether or not this is a virus, because you
`don't have a signature for it. The only way to know if it's a
`virus is to try to figure out what it's going to do, what its
`behavior is going to be.
`So that's the process here of scanning, for example, a web
`page to try to look at what are the commands going on in this
`web page to see if there's anything in there that looks
`suspect. So the process here is that as the page is being
`scanned, a security profile is created. So a security profile
`is really just a list of all of the operations that this web
`page will perform if it were to run on your computer. So that
`occurs to be able to capture in one place all of those
`operations. Once the security profile is created, that profile
`is compared against the profiles of what would look like a
`virus.
`Q
`And here you say that it can protect against unknown
`malware. First of all, what is malware?
`A
`So malware is really a contraction of malicious software.
`
`
`
`Case 3:17-cv-00183-CAB-BGS Document 804 Filed 08/18/20 PageID.39081 Page 22 of 168
`
` 241
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
` 9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`You put the two together, you get malware. So it's really just
`the next generation of a virus technology that would infect
`your computer.
`Q
`And how can this proactive technology using these behavior
`signatures, how does that protect against unknown malware?
`A
`Okay. So it does this because it doesn't need to know what
`the signature of the malware is. It simply monitors the
`behavior of the malware either by analyzing the operations that
`are listed in the malware or by executing the malware, running
`the malware on another computer to see what happens. And it
`looks like what happens is it's going to grab passwords and you
`know right away that this is not something that needs to run on
`the computer.
`Q
`Now, did computer security evolve, and how do you enhance
`this type of computer security?
`A
`Okay. So it turns out that you can form network security
`at this level in three different locations. And to increase
`the reliability of the security profile, you can actually layer
`them together to provide a multilayer approach to network
`security, so that way, if the hacker manages to get past one
`layer, maybe the next layer will stop them. So it's a more
`reliable way of building the system.
`So what I've shown here, for example, is that the user
`endpoint might be your smart phone or your computer at home.
`On that device, you can run software that will try to perform
`
`
`
`Case 3:17-cv-00183-CAB-BGS Document 804 Filed 08/18/20 PageID.39082 Page 23 of 168
`
` 242
`
` 1
` 2
` 3
` 4
` 5
` 6
` 7
` 8
` 9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`tests for viruses and malware coming in from the internet, and
`if anything tests positive for a malware, then it will block
`it. But in addition to that, there are other products called
`gateway products. And gateway