Company Aims To Patent Security Patches

Jonas Maebe writes "Someone thought up another way to profiteer from the software patent system: when a security hole is discovered, they'll try to patent the fix in order to collect money when the affected vendors close the hole in their product. The company in question is not shy about its intentions: Intellectual Weapons will only consider vulnerabilities in high-profile products from vendors with deep pockets. Let's be thankful for yet another way software patents are used to promote science and the useful arts."

Stunning

[frinkacheese (790787)]

Only in America dudes.. Oh wait!

Re:

[dpninerSLASH (969464)]

As nonsensical as the U.S. Patent Office can appear, they will never fall for this. This is a non-starter.

Re:Stunning

[tomhudson (43916)]

Even if the USPTO does, it won't matter:

"... the system takes, on average, seven years to churn out a new patent. The vendor has to have deep pockets so it can pay damages, and your solution has to be simple enough to be explained to a jury."

So,not to be TOO obvious, but ...

1. by the time they patent it, it will be obsolete;
2. if its simple enough to explain to a jury, it may be too simple to patent (patents have to be for non-obvious inventions);
3. looks like free/libre software gets a free ride (target must have deep pockets).

Isn't it funny how one of the biggest patent trolls [microsoft.com] sounds custom-made as the target.

KSR v Teleflex kills it

[PatentMagus (1083289)]

The recent supreme court case KSR v Teleflex broadened the test for obviousness a bit. KSR expanded obviousness to include stuff that is "inevitable due to market forces" or "inevitable to try by one practiced in the art" within some unknown limits.

This security bug scheme is borderline obvious under the old test. It is stunningly weak after KSR. Unless the applicant discovers the bug. Hmmmmm.... (whispers: hey f-secure, call me).

Funny, this scheme also encourages folks to reveal security holes

Idiots

[Zeinfeld (263942)]

Not only is it certain that the fix would fail to meet the obviousness standard it will be five years before they have a patent issued.

Suing companies for five year old infringements is not going to work too well.

Moreover this type of behavior is exactly the type of action Congress might find sufficiently indefensible to act on patent law.

Re:

[endianx (1006895)]

Can't you sue while your patent is still "pending"?

Re:

[morgan_greywolf (835522)]

Yes. (IANAL) That's exactly what they'll do -- sue while the patent is pending. It's often cheaper to pay someone off than it is to go to court -- even MSFT has paid off patent trolls to avoid a court battle.

Royalties

[Venner (59051)]

You can give the potential infringer notice that you have a patent application pending that covers their 'invention.' If they don't stop once you give notice, then you can collect 'reasonable royalties' from the time of your notice to them until your patent actually issues - if your patent issues. (What in the world would be 'reasonable royalties' in this case, btw? Damned if I know.) After it the patent issues, you have the normal patent remedies. Damages + a permanent injunction (which is thankfully not

Re:

[Don_dumb (927108)]

No software patents and you dont have this nonsense. I hope the EU sticks to its guns on software patents. . . . we still no have software patents, don't we?

Re:

[richie2000 (159732)]

I hope the EU sticks to its guns on software patents. . . . we still no have software patents, don't we?

If by "no" you mean in the range of 30-40 000 of them, sure, we have no software patents in the EU. http://www.nosoftwarepatents.com/en/m/untruths/mot her.html [nosoftwarepatents.com]

From MS v. ATT

[Lockejaw (955650)]

we still no have software patents, don't we?

"You can't patent on-off on-off code in the abstract, can you?"
-- Scalia

"I take it that we are operating under the assumption that software is patentable? We have never held that in this Court, have we?"
-- Breyer

The Supreme Court on the whole also seems leery of the idea that software is patentable, but they can't rule on it until they hear a case where patentability of software is disputed.

(IANAL)

Re:

[Rogerborg (306625)]

Au contraire; you can charge people for your patent from the instant that you file it, and collect the money retroactively if and when it's granted. Since these parasites have no other business, there's little point in any individual company fighting them over this. They'll get their Danegeld, make no mistake about it. [wikipedia.org]

Re:

[DigitalSorceress (156609)]

"Moreover this type of behavior is exactly the type of action Congress might find sufficiently indefensible to act on patent law."

OOh, THAT would be a happy day indeed.

These guys are weasels, through and through, but if it helps to bring down our Evil Patent Overlords...

Go scumbags, go scumbags, yaaaaaaaay SCUMBAGS!

Re:

[*weasel (174362)]

Beyond that, it'd really only work with architectural security faults.
You can't go out and patent "IE, but without these four buffer overflows". So 'patches' aren't at risk.

Further, the concept of boxing in a software vendor with patents on architectural security improvements implies that these guys can cover a sufficiently wide range of improved architectural security implementations - which is far trickier and more expensive than the summary makes it sound. Particularly when you're trying to pin large c

Re:

[arivanov (12034)]

Not necessarily. Some fixes can definitely meet the non-obviousness criteria. And looking for vulnerabilities which require non-obvious fixes and patenting them is a viable business model as well.

In fact, there is a well known precedent, when the icmp-tcp interaction and various windowing flaws in tcp implementations were discovered around 2001(IIRC) the fixes were brainstormed at IETF and a list of suggested fixes came out. And surprise, surprise it appeared that Cisco who had the worst list of flaws and w

Re:

[Dunbal (464142)]

but until then they will use the patent system against same big corporations that abuse it too, giving them a taste of their own medicine.

      Until a big corporation buys them. Ooops. Microsoft says - all your patches are belong to us.

A great idea

[antoinjapan (450229)]

I for one think this is a great idea. Nothing will speed up software patent reform faster than when companies are unable to fix bugs in their products without paying. On the flip side should they succeed with this companies may see better quality control leading to increased savings in the long run, giving us all stable software from the get go. It's win-win, race to the bottom I say, make haste.

Re:A great idea

[madcow_bg (969477)]

OTOH, just imagine the dialogue:
User: I want it fixed, now!
Company: No can't do, sir. We are prohibited by law to do this.
... and since the people does not control the legislators in the USA ...

Re:

[sg3000 (87992)]

> I for one think this is a great idea. Nothing will speed up software patent reform faster than when companies are unable to fix bugs in their products
> without paying.

I don't think so. Companies will just change their EULA to say that if any bugs or security vulnerabilities are found, they should be reported to the originating company and not sold for profit. Then the Company can just say that any deal with Intellectual Weapons is a violation of the EULA.

Re:

[dnixon112 (663069)]

Exactly my thoughts. We need more overt and belligerent patent abuse in order to move along software patent reform.

Re:A great idea

[elrous0 (869638)]

At this point, I don't think ANYTHING can fix the U.S. patent system. The U.S. patent office simply wasn't designed to handle the modern influx of very complex patents and patent claims. It simply can't scale to the size that it needs to be to actually review and police so many patents that are so complex in nature. So they've basically just thrown up their hands and said "Let the courts work it out."

The problem with "Let the courts work it out" is that it effectively stifles the "little guy," the small company or inventor without the significant financial resources to defend his inventions in court. Any given invention or innovation today might step on dozens of vague existing patents. This has the very real effect of stifling the very innovation and invention that the patent system was designed to PROTECT, and of restricting what innovation and invention there *is* to large mega-corps that can afford to defend against multiple patent lawsuits.

Don't believe it? Just take Linux as an example. MS can afford to essentially outlaw Linux if they wanted to (only the public backlash is holding them back). And, even if every one of their patent claims against Linux is bogus, who's going to step up to the plate and put up the millions of $ needed to defend it against an avalanche of MS patent lawsuits?

Re:A great idea aka ridiculouser and ridiculouser

[asliarun (636603)]

I agree with you wholeheartedly, but from the slightly different perspective. Things like the patent system (or DRM or privacy issues) have become so illogical that there's no way an average person can fight against the system by sane and normal means such as lawsuits, petitions, or elections. The most effective way to get rid of these stupid laws, IMHO, is by making sure that they self-destruct, i.e. become utterly ridiculous in the eyes of the media and the public. So, rejoice when people start filing patents for their navel lint or nasal hair structure. Chuckle gleefully when DRM softwares start taking people's system and create massive security holes. Cackle manically if some wiseguy sues McD for kaching-illion dollars because their "Happy Meal" didn't exactly make him happy. For remember, the candle burneth brightest before it dies out, to rehash a hoary saw. Or at least, we hope.

tut.

[joe 155 (937621)]

But they would need to be really fast to get the application in, and it would surely need not to mention the actual product, right? Because if they said "a method for preventing a macro hole in Word from executing", or something, wouldn't MS be able to sue on the grounds of reverse engineering/ copyright/ their own patents.

I kinda feel that this wouldn't really be practical.

Re:

[Antique Geekmeister (740220)]

Not really. There has to be a quick *patent application*. Violations of the patent date from the submission of the patent. If the fix was applied before the patent was applied, that would be prior art. The patent system recognizes that patents can be violated while the patent is pending, and that the vioilation can be addressed after the patent is finally granted. (I say this as someone who's helped establish prior art and helped establish that similar technologies are not described by the same patent, not

UAC

[by Anonymous Coward]

You are being sued for patent infringement. Cancel or Allow?

Re:

[Fnord666 (889225)]

is difficult to dismiss the feeling that some patent lawyer snookered a client out of a fee. What are the chances of prevailing in such suit?

No way to tell, but I'll bet the aforementioned lawyer is willing to put in as many hours as it takes, and then some, in the attempt.

I hereby patent

[clickclickdrone (964164)]

"A method of entering replies in to slashdot using a computer keyboard to generate alphanumeric characters which are used to create textural comments to a news item.". If *anyone* else says *anything* from now on, you have to pay me.

Re:

[tygerstripes (832644)]

Curses! It's a good thing I'm commenting on your comment, and not on a news item. Otherwise I'd run the risk of being sued for every mod-point I've got.

By the way, this reply is copyrighted.

Re:

[clickclickdrone (964164)]

Dammit, a gaping hole in my patent. I'm suing that pesky lawyer for incompetance, shifty eyes and drinking too much of my coffee.

Don't Start Cheering Yet...

[VE3OGG (1034632)]

I know there are a lot of you out there saying: this is the kind of action that will spur congress to get off their deriere, but frankly, I can only see this as YANITC (yet another nail in the coffin).

We looked on in horror when the thought of software patents came up, and we said that surely no one would be dumb enough (or greedy enough) to do it. We were wrong...

Then there was Bezo's one-click patent and we shielded our eyes saying: the fireworks are going to start any time now... Again, however, the sky was clear and there we no signs of change on the horizon.

Then you had all the spurrious patents from SCO, Microsoft and IBM, and we thought, well maybe this time! However, as was before, so was then...

Then Microsoft threatened Linux and we said "they are running scarred!" and "no one would be dumb enough to..." They were, and they are. Not only that, but mere weeks later, you have several major contributors signing licensing deals to patent infringements that were never released. My God, that costs the companies money and they do nothing but bend over...

Today we got word of Bezo's expansion of the one-click patent, and on top of that the willingness of the USPTO to accept the patent with little to no effort. The USPTO, after all, has employees they have to pay...

And now you have this, and again we here individuals decrying the "end times" for software patents. No, that isn't going to happen. They are here to stay, because the system is working for its citizens in a very efficient way. It is just that we think that we are the citizens. Much like TV viewers or magazine subscribers think that they are the clients of the company. They aren't, they are the product.

We are the product and the consumer, but not the client of the government. The government is there to protect the interests of its citizens, it's just that its citizens have trademarked names. We have gone form Micro to Macro folks.

Indeed

[palladiate (1018086)]

Excellent post. You are right, software patents aren't going anywhere. You will see more properties like this, where basic, everyday information is walled away from you. And as long as we allow congress to be bribed by lobbyists, this will continue to happen. Remember, what's good for GM is good for America. We have a long tradition of bending over for business interests.

Consider too, that many companies like Microsoft would love the chance to spend their research dollars on finding vital security hol

Re:

[Oswald (235719)]

Well, there is one small difference that may (or may not) turn out to be important. These guys are no more constituents (I'm taking liberty with your terminology) of the government than you and I are. As far as the real constituents--Microsoft/Amazon/IBM/etc.--are concerned, Intellectual Weapon are the barbarians at the gate of the city. And if the big boys manage to swat this bug, there are a hundred more waiting in the wings now that the way has been shown.

We can hope, anyway.

IT's everywhere

[Danathar (267989)]

Evil(TM/Copyright/Patent Pending) is spreading

Shouldn't this fail for a number of reasons?

[starseeker (141897)]

If someone exploits a bug or flaw in a program's design (and just how does one define that in a precise enough fasion for a patent, anyway), I should think the most obvious thing in the world would be to fix the bug/flaw. HOW one fixes it is going to vary widely, from "opps that should have been +1 not -1" to "some guy at *UNIVERSITY* just found a new algorithm that cracks our protection, back to the drawing boards". A lot of fixes should fail instantly on the obviousness criteria - the attack itself ofte

Contact Information

[Spy der Mann (805235)]

contact@intellectualweapons.com
submit@intellectualweapons.com
apply@intellectualweapons.com

Now listen: do *NOT* post these e-mail addresses in public places, specially forums, you know how bad SPAM can get! ;-)

sue for damages?

[liam193 (571414)]

Assuming this organization gets off the ground, I wonder if there would be any grounds for a lawsuit against them for "damages sustained" while a vendor is arguing over the price for a fix. For example, if the vendor wished to create a fix for me but couldn't because this organization was giving them grief, could I or my customers sue because of losses sustained due to the vulnerability. What if the breached caused directly traceable bodily injury (someone breaking into a system used by law enforcement, h

Here is a Tin-Foil Tangent Thought...

[VE3OGG (1034632)]

Has anyone noticed that patents may well be the farming and agriculture of the 21st century? Allow me to explain.

During the shift to urbanization, it was common for individuals to keep cattle, chickens, pigs and sheep in the city. The animals would be allowed to roam free and would then be captured and slaughter/sheered as was necessary. It was subsistence living in an urban environment where barter was VERY common.

However, as time went on, factories and other places of employment found that they couldn't get enough workers for the lower level jobs. Why would the poor go work there in a crappy environment, when they could breed their cattle and chickens for rent and food?

So these companies petitioned the government to disallow animals, citing disease and the cause (and to some degree, this was true, especially with large amounts of fecal matter in the city -- but then not everyone had plumbing either). This in turn caused people to starve and move to these companies to be paid in "money".

Now, however, we have patents. Patents force the little guy out of the market (let's face it, no individual can afford to beat MS, IBM, Monsanto, et al in a court where lawyers form 99.9% of your chances) Small companies are forced out of business and big companies get to take over. The small companies are the only real thorn in the side of the bigger ones as they might offer a product that revolutionizes the field, but ends up costing a major conglomerate billions to redevelop their products). So patents force them out of business, causing the owners to work for the mega-corp and thus give the mega-corp control.

Perhaps in a few years, everyone will be working for a mega-corp and that will define our identities. We are theirs after all...

Sorry, but...

[Zaatxe (939368)]

AAAAAAAARRRRRGHHH!!

Sorry again, I couldn't keep it...

Maybe

[C_Kode (102755)]

Maybe, this will finally be the straw that breaks the software patent camel's back.

Better coding at last?

[PhysicsPhil (880677)]

Maybe the prospect of having to pay for its bugs will finally force Microsoft to ship better code.

Hoax.

[seaturnip (1068078)]

Come on people. Nothing indicates this "company" is anything more than a single guy putting up a website on a lark, either purely for Slashdot hits or to make a point about the patent system. The whole idea is wildly impractical (what are these magic methods they say they'll use to expedite the patent process?), and a real company would privately hire their own security researchers instead of announcing their plans in detail to the public.

Intentionally or not, this is a joke

[Infonaut (96956)]

Nothing indicates this "company" is anything more than a single guy putting up a website on a lark, either purely for Slashdot hits or to make a point about the patent system.

I agree. That there is no information about the people involved is the first tip off that this is either a gag or something put together by unscrupulous folks who are looking to obtain security vulnerabilities from nitwits. This is certainly not a legitimate law firm.

"We actively market the IP" is not language a law firm is allow

Microsoft claims....

[bhmit1 (2270)]

...that they have 900,000 instances of prior art, give or take.

(Sorry, couldn't resist.)

Expect to see more of this

[palladiate (1018086)]

I frequently post about Intellectual Property in threads like this. Usually I get some responses saying that I'm full of it, and companies wouldn't slash our throats and bleed us dry. I have four words for you:

Are you convinced yet?

There are too many market pressures on monopolizing ideas. A monopoly on an idea gives you an excellent competitive advantage. For some goods, say a book, a copyright is neccessary for you to take a risk and publish the book. For others, it lets you invent things like a cotton gin and make money off of it while being a good citizen and showing the world how it works, and what new technologies you have invented. On the whole, these are to the public's advantage when used wisely.

But a monopoly is always a competitive advantage, even when it isn't in the public's advantage. And currently, business lobbies are pushing to allow more and more kinds of monopolies because they make business sense. Granted, plot patents, business patents, process patents, software patents, copyright on 3 note sequences, etc, etc, etc are not in the public's interest, as we don't carry massive IP portfolios to cross-license or lawyers to fight with. But they do allow large companies to create a massive barrier to entry that only certain industries or monopolies enjoyed before.

There is money to be made in massively expanding the definition of IP to include all ideas. There is more money in eternally owning ideas than in all of the property rights or mineral rights in the solar system. This fight will not be over in our lifetimes.

This is the reason

[Catiline (186878)]

This sort of thing is the reason why I have retained a patent lawyer who, the day the "first to file" change is passed into law [businessweek.com], will put in an application for a business method patent. The brief, non-legalese version basically covers the business model of suing over patents which the owning company does not themselves utilize. (That way, I can sue into oblivion any business attempting craziness like this.)

Naturally, anyone attempting to argue whether I practice my own patent may find themselves falling into a logical paradox, as my patent itself implies I cannot practice my patent.

I like it

[nanosquid (1074949)]

I think the patent system is absurd, but this strikes me as a good use for it. Right now, vendors absolve themselves of any responsibility and think they have a right to get free reports and bug fixes from users. In fact, they have even created the impression that it is blackmail when bug reporters ask for money for their discoveries.

As I see it, if this company gets away with it, either, big companies will improve the quality of their software so that they have fewer vulnerabilities in the first place, or they will start to push for weakening software patents. Either way, everybody wins.

This is a much better idea.

[zero1101 (444838)]

Tom Ptacek says: [matasano.com]

Patents are a crappy way to lock up the fix for a vulnerability. 10 years from now, it's vanishingly unlikely that your discovery will still be relevant. If it is, you've got better things to do with it than sell it to bottom-feeders.

Here's a better idea: copyright law. Copyright is immediate.

Here's what you do:

Find a vulnerability --- anything; say, memory corruption in some OS service --- and devise a third-party patch for it.

Publish the patch. Only the patch.

But before you do, wrap the patch up in a DRM scheme. An in-kernel, interrupt-hooking virtual machine with an encrypted instruction set should do nicely. It's worth the work; you'll be doing this over and over again. You want people to sweat to figure out how your patch works.

Alert the world to your discovery. You're a hero! You can root any computer on the Internet!

Don't publish the details of the vulnerability. No, wait, don't even allow the details to be published. If anyone figures out how your patch works, sue them under the DMCA. Especially if it's the vendor.

The vendor will, of course, claim they have the right to reverse-engineer your "intellectual property" for security and interoperability purposes. Let the courts decide. In the mean time: nice of them to establish some precedent.

Points to anyone who can prove to me that this doesn't qualify as "responsible disclosure".

Re:

[laffer1 (701823)]

They just have to guess what the patch will do. Remember the Amazon 1-click patent is not specific to an implementation. Its just the idea of 1-click with some obvious ground rules. The current patent system will allow stupid patents like this.

Re:

[rs232 (849320)]

"my patent will be on any system or method that can predict what the next patch will be required by any given software product"

I patent a method for writing a patent on a method that can predict what the next patch will be required by any given software product ..

Macrovision already does it

[Overzeetop (214511)]

Every time the come up with a DRM method, they also patent every circumvention method they can think of. That way, nobody can legally create a "decoder" for their wares. Sneaky, tehy are. It really adds weight to the idea of "produce in commercial quantities or default to statutory licensing set by the government."