Company Aims To Patent Security Patches

Jonas Maebe writes "Someone thought up another way to profiteer from the software patent system: when a security hole is discovered, they'll try to patent the fix in order to collect money when the affected vendors close the hole in their product. The company in question is not shy about its intentions: Intellectual Weapons will only consider vulnerabilities in high-profile products from vendors with deep pockets. Let's be thankful for yet another way software patents are used to promote science and the useful arts."

Re:Idiots

[endianx]

Can't you sue while your patent is still "pending"?

A great idea

[antoinjapan]

I for one think this is a great idea. Nothing will speed up software patent reform faster than when companies are unable to fix bugs in their products without paying. On the flip side should they succeed with this companies may see better quality control leading to increased savings in the long run, giving us all stable software from the get go. It's win-win, race to the bottom I say, make haste.

tut.

[joe 155]

But they would need to be really fast to get the application in, and it would surely need not to mention the actual product, right? Because if they said "a method for preventing a macro hole in Word from executing", or something, wouldn't MS be able to sue on the grounds of reverse engineering/ copyright/ their own patents.

I kinda feel that this wouldn't really be practical.

Re:Idiots

[morgan_greywolf]

Yes. (IANAL) That's exactly what they'll do -- sue while the patent is pending. It's often cheaper to pay someone off than it is to go to court -- even MSFT has paid off patent trolls to avoid a court battle.

Re:A great idea

[madcow_bg]

OTOH, just imagine the dialogue:
User: I want it fixed, now!
Company: No can't do, sir. We are prohibited by law to do this.
... and since the people does not control the legislators in the USA ...

Hoax.

[seaturnip]

Come on people. Nothing indicates this "company" is anything more than a single guy putting up a website on a lark, either purely for Slashdot hits or to make a point about the patent system. The whole idea is wildly impractical (what are these magic methods they say they'll use to expedite the patent process?), and a real company would privately hire their own security researchers instead of announcing their plans in detail to the public.

This is the reason

[Catiline]

This sort of thing is the reason why I have retained a patent lawyer who, the day the "first to file" change is passed into law [businessweek.com], will put in an application for a business method patent. The brief, non-legalese version basically covers the business model of suing over patents which the owning company does not themselves utilize. (That way, I can sue into oblivion any business attempting craziness like this.)

Naturally, anyone attempting to argue whether I practice my own patent may find themselves falling into a logical paradox, as my patent itself implies I cannot practice my patent.

one word

[BlindRobin]

koyaanisqatsi

From MS v. ATT

[Lockejaw]

we still no have software patents, don't we?

"You can't patent on-off on-off code in the abstract, can you?"
-- Scalia

"I take it that we are operating under the assumption that software is patentable? We have never held that in this Court, have we?"
-- Breyer

The Supreme Court on the whole also seems leery of the idea that software is patentable, but they can't rule on it until they hear a case where patentability of software is disputed.

(IANAL)

KSR v Teleflex kills it

[PatentMagus]

The recent supreme court case KSR v Teleflex broadened the test for obviousness a bit. KSR expanded obviousness to include stuff that is "inevitable due to market forces" or "inevitable to try by one practiced in the art" within some unknown limits.

This security bug scheme is borderline obvious under the old test. It is stunningly weak after KSR. Unless the applicant discovers the bug. Hmmmmm.... (whispers: hey f-secure, call me).

Funny, this scheme also encourages folks to reveal security holes immediately because keeping it a "trade secret" leaves the door open for someone else to try to patent the fix. Also, privately alerting the security guys probably leaves the bug open to a patent exploit.

Re:From MS v. ATT

[spectro]

Has anybody used the "software is not patentable" defense against a patent troll already? Then somebody please use it and appeal all the way up. Breyer is hinting everybody that the Supreme Court is waiting for somebody to present this to them so this defense is going to be accepted and ruled upon.

This is a much better idea.

[zero1101]

Tom Ptacek says: [matasano.com]

Patents are a crappy way to lock up the fix for a vulnerability. 10 years from now, it's vanishingly unlikely that your discovery will still be relevant. If it is, you've got better things to do with it than sell it to bottom-feeders.

Here's a better idea: copyright law. Copyright is immediate.

Here's what you do:

Find a vulnerability --- anything; say, memory corruption in some OS service --- and devise a third-party patch for it.

Publish the patch. Only the patch.

But before you do, wrap the patch up in a DRM scheme. An in-kernel, interrupt-hooking virtual machine with an encrypted instruction set should do nicely. It's worth the work; you'll be doing this over and over again. You want people to sweat to figure out how your patch works.

Alert the world to your discovery. You're a hero! You can root any computer on the Internet!

Don't publish the details of the vulnerability. No, wait, don't even allow the details to be published. If anyone figures out how your patch works, sue them under the DMCA. Especially if it's the vendor.

The vendor will, of course, claim they have the right to reverse-engineer your "intellectual property" for security and interoperability purposes. Let the courts decide. In the mean time: nice of them to establish some precedent.

Points to anyone who can prove to me that this doesn't qualify as "responsible disclosure".