Company Aims To Patent Security Patches
Jonas Maebe writes "Someone thought up another way to profiteer from the software patent system: when a security hole is discovered, they'll try to patent the fix in order to collect money when the affected vendors close the hole in their product. The company in question is not shy about its intentions: Intellectual Weapons will only consider vulnerabilities in high-profile products from vendors with deep pockets. Let's be thankful for yet another way software patents are used to promote science and the useful arts."
Re:Idiots (Score:3, Interesting)
A great idea (Score:5, Interesting)
tut. (Score:5, Interesting)
I kinda feel that this wouldn't really be practical.
Re:Idiots (Score:3, Interesting)
Re:A great idea (Score:5, Interesting)
User: I want it fixed, now!
Company: No, can't do, sir. We are prohibited by law from doing this.
Hoax. (Score:3, Interesting)
This is the reason (Score:3, Interesting)
Naturally, anyone attempting to argue whether I practice my own patent may find themselves falling into a logical paradox, as my patent itself implies I cannot practice my patent.
one word (Score:2, Interesting)
From MS v. ATT (Score:3, Interesting)
-- Scalia
"I take it that we are operating under the assumption that software is patentable? We have never held that in this Court, have we?"
-- Breyer
The Supreme Court on the whole also seems leery of the idea that software is patentable, but they can't rule on it until they hear a case where patentability of software is disputed.
(IANAL)
KSR v Teleflex kills it (Score:3, Interesting)
This security bug scheme is borderline obvious under the old test. It is stunningly weak after KSR. Unless the applicant discovers the bug. Hmmmmm.... (whispers: hey f-secure, call me).
Funny, this scheme also encourages folks to reveal security holes immediately because keeping it a "trade secret" leaves the door open for someone else to try to patent the fix. Also, privately alerting the security guys probably leaves the bug open to a patent exploit.
Re:From MS v. ATT (Score:2, Interesting)
This is a much better idea. (Score:4, Interesting)
Patents are a crappy way to lock up the fix for a vulnerability. 10 years from now, it's vanishingly unlikely that your discovery will still be relevant. If it is, you've got better things to do with it than sell it to bottom-feeders.
Here's a better idea: copyright law. Copyright is immediate.
Here's what you do:
Find a vulnerability --- anything; say, memory corruption in some OS service --- and devise a third-party patch for it.
Publish the patch. Only the patch.
But before you do, wrap the patch up in a DRM scheme. An in-kernel, interrupt-hooking virtual machine with an encrypted instruction set should do nicely. It's worth the work; you'll be doing this over and over again. You want people to sweat to figure out how your patch works.
Alert the world to your discovery. You're a hero! You can root any computer on the Internet!
Don't publish the details of the vulnerability. No, wait, don't even allow the details to be published. If anyone figures out how your patch works, sue them under the DMCA. Especially if it's the vendor.
The vendor will, of course, claim they have the right to reverse-engineer your "intellectual property" for security and interoperability purposes. Let the courts decide. In the meantime: nice of them to establish some precedent.
Points to anyone who can prove to me that this doesn't qualify as "responsible disclosure".