Case 4:13-cv-00442-BLW Document 16-1 Filed 10/22/13 Page 1 of 9 Bradlee R. Frazer, ISB No. 3857 Jason D. Scott, ISB No. 5615 HAWLEY TROXELL ENNIS & HAWLEY LLP 877 Main Street, Suite 1000 P.O. Box 1617 Boise, ID 83701-1617 Telephone: 208.344.6000 Facsimile: 208.954.5262 E-mail: bfrazer@hawleytroxell.com jscott@hawleytroxell.com Attorneys for Defendants Southfork Security, Inc. and Corey Thuen UNITED STATES DISTRICT COURT FOR THE DISTRICT OF IDAHO BATTELLE ENERGY ALLIANCE, LLC, a Delaware limited liability company Plaintiff, Case No. 4:13-cv-00442-BLW DECLARATION OF COREY THUEN vs. SOUTHFORK SECURITY, INC., an Idaho corporation, COREY THUEN, an individual, and DOES 1 through 10, inclusive, Defendants. I, Corey Thuen, declare as follows: 1. I am over 18 years of age and competent to testify as to the matters asserted herein if called to do so. This declaration is based on my own personal knowledge. 2. I reside in Idaho Falls, Idaho. I have lived there since June 2009. 3. I am a named defendant in this action, and I am the president and co-owner of the other named defendant, Southfork Security, Inc. ("Southfork"). Southfork was formed as an Idaho corporation on or about May 7, 2012. DECLARATION OF COREY THUEN - 1 46556.0001.6141445.10 Case 4:13-cv-00442-BLW Document 16-1 Filed 10/22/13 Page 2 of 9 Programming Skills 4. I am a computer programmer. I have been writing code for at least 14 years, and I am conversant with coding in several programing languages, including but not limited to C, C++, Javascript, HTML, Java, Perl, and PHP. I was proficient in those languages before the onset of my employment, described below, with Plaintiff Battelle Energy Alliance, LLC ("Battelle"). Job at Battelle 5. My job title when Battelle hired me in or about July 2009 was "Cybersecurity Researcher." My job duties included conducting vulnerability assessments of computer systems and components (primarily critical infrastructure systems), writing code for various projects, system administration, and additional miscellaneous tasks. In other words, my job was to hack into systems used to run critical infrastructure, like power systems, water treatment plants, chemical plants, etc. I worked with the creators and asset owners of these systems to find security problems so they could fix them. Security Professional 6. As a cybersecurity professional, I am aware of, and possess ability for, many "hacking" techniques that may be used in illegal ways, but I put them to use improving my customers' security. In other words, I'm much like a locksmith who possesses the ability to pick a lock and uses his knowledge to help as a contributing member of society. Battelle paid me to do precisely this type of work from the period of on or about July 1, 2009, to on or about February 25, 2013. In my career, I have held government clearances with the Federal Bureau of Investigation and the United States Department of Energy, which required me to pass multiple lie detector tests, psychological tests, extensive background checks, and other miscellaneous tests. DECLARATION OF COREY THUEN - 2 46556.0001.6141445.10 Case 4:13-cv-00442-BLW Document 16-1 Filed 10/22/13 Page 3 of 9 Sophia Familiarity 7. I was assigned to become part of the Battelle team researching, designing, and coding software known as the Sophia Industrial Control System Computer Network Fingerprinting Tool ("Sophia"). 8. As one of the architects of Sophia, I am familiar with aspects of its architecture, structure, and programming languages. I am intimately familiar with the components that I personally designed and authored and less familiar with components I did not author. Sophia was written using the C programming language. To my knowledge, it makes minimal use of open source libraries. 9. Battelle intended to commercialize Sophia, upon its completion, by licensing it to a third party. While working on Sophia, I became interested in bidding for the license to Sophia. I formed Southfork partly for the purpose of potentially submitting a bid. 10. Also while working on Sophia, I created, on my own initiative and without direction from Battelle, some promotional videos to showcase Sophia's capabilities. I provided those vides to Battelle, which posted them to the Sophia homepage (http://sophiahome.inl.gov). In or about June 2012, when Southfork was a potential licensee of Sophia, I mirrored those videos to the Southfork youtube channel. Battelle legal contacted me and asked that I remove the videos from the Southfork youtube channel and remove any links to them from Southfork's website. I promptly complied. 11. I have had no access to Sophia since on or about August 2, 2012, when Battelle removed me from the Sophia project, moved my desk away from the remaining Sophia developers, and revoked my access to Sophia files. These steps were taken because of my interest, through Southfork, of licensing Sophia upon its completion, which was perceived as a DECLARATION OF COREY THUEN - 3 46556.0001.6141445.10 Case 4:13-cv-00442-BLW Document 16-1 Filed 10/22/13 Page 4 of 9 conflict of interest with my continuing to work on Sophia. I remained employed by Battelle, working on other projects. Leave of Absence 12. I took a one-year unpaid professional leave of absence from Battelle beginning on or about February 25, 2013. The terms of the leave of absence entitled me to pursue my own business interests. I completed conflict-of-interest paperwork and spoke with representatives in the Battelle Conflict of Interest office (in particular a Mr. Moriarty) and was informed that my proposed involvement in Southfork was permissible. 13. Although I had been scheduled to return to work at Battelle on or about February 25, 2014, Battelle terminated the employment relationship on or about June 27, 2013. Development of Visdom 14. On or about March 1, 2013, I began writing a computer program known as "Visdom," with the assistance of a co-developer, Kristopher Watts. The purpose of Visdom is to improve network security and situational awareness, particularly for critical infrastructure. We intended it at all times to be open source and freely available to the public at no charge. I think that no utility, company, or individual should be without network security because of the size of its checkbook. Southfork plans to earn money from Visdom through the sale of support contracts and proprietary add-on modules. 15. Visdom was written in HTML, Javascript, and Go. As previously mentioned, Sophia was written in C. Visdom is not a translation of Sophia from C to the languages in which Visdom is written. We did not have the Sophia code when we created Visdom. 16. Further, a program written in one programming language cannot be cut-and- pasted into another programming language. Programming languages have different lexicographical grammars. As an example, if I'm writing code in C I have to deal with memory DECLARATION OF COREY THUEN - 4 46556.0001.6141445.10 Case 4:13-cv-00442-BLW Document 16-1 Filed 10/22/13 Page 5 of 9 management; I have to keep track of the resources used by my programs. Javascript has no such concept, and any C code that does these functions would be impossible to translate into Javascript. Further, Javascript is an interpreted language and C is a compiled language. In other words, C creates software that runs on hardware, whereas Javascript creates software that runs in programs that run on hardware. 17. No two programmers who translate from one language to another, or from C to Javascript in particular, would produce the same output for any complex program. Those two languages, and their paradigms, are incompatible. A program written in C will inherently solve the problem to which it is directed in a different way than a program directed at the same problem but written in Javascript. 18. In developing Visdom, I specifically avoided any code, modules, sequences, routines, structures, screenshots, or any other materials that may have constituted some part of Sophia, based on my knowledge of Sophia as of the end of my access to it on or about August 2, 2012. Visdom is intended to solve the same problems as Sophia, but it is not a copy of Sophia, just as an electric car is not a copy of a gas-powered car simply because both are used for the same purpose. 19. Visdom, unlike Sophia, makes heavy use of third party open source libraries to accomplish many of the tasks for which the Sophia development team had to write code ourselves. An example for illustration: as part of my work on Sophia, I created a scrollbar from scratch, which means I had to implement the click and drag behavior (along with buttons) that causes a scrollbar to do what the average user expects a scrollbar to do. Visdom, on the other hand, builds on top of other, third party components that make scrollbars inherent. In other words, on Sophia development I spent significant time creating basic components to a user DECLARATION OF COREY THUEN - 5 46556.0001.6141445.10 Case 4:13-cv-00442-BLW Document 16-1 Filed 10/22/13 Page 6 of 9 interface, whereas Visdom did not require such efforts. Visdom's heavy use of open source libraries facilitated its development in a matter of several months. Visdom Source Code Availability 20. On or about July 18, 2013, I placed the source code for Visdom in an open source repository on the Internet called github.com. See https://github.com/visdom/. Since that time, the actual source code for Visdom has been freely and publicly available to all persons, including Battelle, and it can easily be located through a Google search for "Visdom." I placed the source code for Visdom on github.com as a means of fostering collaboration among code writers and creating opportunities for programmers to write applications that work with Visdom. I would not have done it if I intended to hide Visdom from Battelle. Github.com is well known among computer programmers and is among the most popular Internet repositories for open source software. The other Battelle architects of Sophia undoubtedly are familiar with it. Further, the placement of the Visdom source code on github.com reveals nothing about the Sophia source code because the respective source codes are not the same and no one can use the Visdom source code to "reverse engineer" or otherwise gain insight into the Sophia source code. 21. Visdom's co-developer, Kristopher Watts, took a job with Battelle as a cybersecurity researcher after the source code for Visdom was placed on github.com. It is my understanding, based on my knowledge of the Battelle conflict-of-interest disclosure and mitigation process, as well as based on a conversation with Watts that took place before this lawsuit was filed, that, upon his employment with Battelle, Mr. Watts submitted conflict-ofinterest paperwork to Battelle in which he explicitly declared his intent to continue contributing code to Visdom, as well as provided a link to where Visdom can be found on the GitHub repository. DECLARATION OF COREY THUEN - 6 46556.0001.6141445.10 Case 4:13-cv-00442-BLW Document 16-1 Filed 10/22/13 Page 7 of 9 Sophia Commercialization Withdrawal 22. Southfork submitted a bid to license Sophia from Battelle. However, Southfork is passionate about open source software and security, and it became clear that open source did not fit in with the goals of Battelle's technology deployment personnel. I disagree with Battelle that security software like Sophia or Visdom cannot be open source because then hackers would have access to the source code. Security systems are better served by being open source so that complicated things, like cryptographic algorithms and implementations, can be reviewed by independent expert auditors rather than sitting behind smoke screens. The plethora of open source software used in secure systems today completely debunks the notion that you cannot have valuable and secure software that is also open source. Battelle's view that security software cannot be open source is like thinking that, because an individual knows the inner workings of a camera design, he can make himself invisible to the camera. 23. In addition to this philosophical difference, the Sophia bid process was slow- moving and often contentious, causing me to think it would be faster and easier simply to write a Sophia competitor from scratch. That is what Southfork decided to do--move on from the Sophia license bid and to release our own open source, free software, defensive tool for critical infrastructure. And it was faster and easier to develop Visdom than to pursue the Sophia license. We released our own, 100% original product before the Sophia bid process ended. Meeting with Michael Sayre 24. I met with Michael Sayre of NexDefense in our about July 2013 in a local brewery in Idaho Falls. My purpose for the meeting was to engage NexDefense in a business relationship and assess whether we would have any future working together. Mr. Sayre did ask if I had taken any intellectual property from Idaho National Laboratory, to which I consistently and repeatedly replied that Visdom was a "made from scratch, clean room implementation" that DECLARATION OF COREY THUEN - 7 46556.0001.6141445.10 Case 4:13-cv-00442-BLW Document 16-1 Filed 10/22/13 Page 8 of 9 seeks to solve the same problems of Sophia. In that meeting, I also shared that Visdom was written in an entirely different language to illustrate this point. Also during this meeting, I explained how we were able to author Visdom so much more quickly than Sophia had been authored. 25. Any comment that I made to Mr. Sayre on the quality of Sophia source code would have been in reference to the code I wrote on the Sophia project. I have not had enough experience with the rest of the Sophia code base to comment on the quality of the work. Business Impact 26. Visdom is only part of Southfork's business. If Southfork--a growing, Idaho- based, start-up computer security business--is prohibited from operating its website pending trial, Southfork will be unable to attract customers and continue in business. Southfork has generated approximately $160,000 in revenue since we started operating in February 2013. Southfork's profit has been approximately one-third of that amount, but by far its largest expense is compensating me and its other owner-employee. Southfork is fortunate to be in a rapidly growing industry and is currently attempting to acquire more employees to meet our demand, which is large. If the requested injunction is not entered, I project that Southfork will generate $2,500,000 in revenue during the next eighteen months (including Visdom-related revenue, for which there is significant potential), and that Southfork will continue growing after that. I declare under penalty of perjury that the foregoing is true and correct and was executed within the United States on October 22, 2013. /s/ Corey Thuen DECLARATION OF COREY THUEN - 8 46556.0001.6141445.10 Case 4:13-cv-00442-BLW Document 16-1 Filed 10/22/13 Page 9 of 9 CERTIFICATE OF SERVICE I HEREBY CERTIFY that on this 22nd day of October, 2013, I filed the foregoing document electronically through the CM/ECF system which caused the following parties or counsel to be served by electronic means, as more fully reflected on the Notice of Electronic filing: Scott E. Randolph serandolph@hollandhart.com A. Dean Bennett adbennett@hollandhart.com Mark A. Miller mmiller@hollandhart.com Ginger Utley gutley@hollandhart.com HOLLAND & HART LLP Jason D. Scott 46556.0001.6141445.10