Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Compare cell phone plans using Wirefly's innovative plan comparison tool ×
Patents Businesses Security The Almighty Buck The Courts

Sued For Using HTTPS: Companies In Crypto Patent Fight (theregister.co.uk) 130

yoink! writes: According to an article in The Register, corporations big and small are coming under legal fire from CryptoPeak. The Company holds U.S. Patent 6,202,150, which describes "auto-escrowable and auto-certifiable cryptosystems" and has claimed that the Elliptic Curve Cryptography methods/implementations used as part of the HTTPS protocol violates their intellectual property. Naturally, reasonable people disagree.
This discussion has been archived. No new comments can be posted.

Sued For Using HTTPS: Companies In Crypto Patent Fight

Comments Filter:
  • NeXTStep had ECC... (Score:5, Interesting)

    by mlts ( 1038732 ) on Tuesday December 01, 2015 @04:12AM (#51032155)

    In 1991, NeXTStep had ECC encryption for E-mail in version 3.0 (called FastECC.) If there were a patent made then, it definitely would be expired by now.

    • by thaylin ( 555395 )

      From the article the patent was granted in 1997, just a few short years later. It is possible that they did the extended application process, but I really doubt the patent covers this.

    • from wikipedia
      Netscape Communications created HTTPS in 1994 for its Netscape Navigator web browser.[41] Originally, HTTPS was used with the SSL protocol. As SSL evolved into Transport Layer Security (TLS), the current version of HTTPS was formally specified by RFC 2818 in May 2000.

      so HTTPS itself does predate the patent filing and patent. The current version of HTTPS implementation is after the patent filing and before the patent grant in 1997.

      Not sure what that adds up to. But if a specific method covere

      • by thaylin ( 555395 )

        You missed the part of his post where he was talking about ECC being created, not HTTPS using it. Do we really want an ECC but in a browser not email, similar to "but on a computer"?

    • This is for Elliptic Curve ciphers (EC), not Error Correcting Code (ECC).

      It should be possible to remove these ciphers from your TLS configuration. If you consider the current best practice [hynek.me] for Apache:

      SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

      Then removing Elliptic Curve should be as simple as:

      SSLCipherSuite DH+AESGCM:DH+AES256:DH+AES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

      That doesn't seem

  • Twats (Score:5, Insightful)

    by Anonymous Coward on Tuesday December 01, 2015 @04:13AM (#51032157)

    What a bunch of patent trolling twats.

    • It's like we have to drive without headlights because somebody has a patent for "Using electric lights to see in the dark"

      Totally screwed up

  • by Anonymous Coward

    Patents suck for this exact reason.

  • by Anonymous Coward

    Surely there is a boatload of prior art on this one.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Surely there is a boatload of prior art on this one.

      Yes, but it's more expensive to find it and take it to court than it is just to pay up.

      That's kinda the whole point of an extortion racket.

    • Well, it's interesting, because the question is on the "elliptic curve cryptography" which is a method of generating keys that are more efficient than the older, larger RSA-style keys. So, technically, you could still implement HTTPS with RSA cryptography, which would increase the work done on both ends of the secure connection to encrypt / decrypt with the same level of security.

      As someone mentioned above though, there is prior art even with ECC-generated keys by almost a decade to when the patent was gra

  • by aglider ( 2435074 ) on Tuesday December 01, 2015 @04:41AM (#51032203) Homepage
    We're just missing

    "methods and devices to manipulate and store data encoded into electronic devices by means of electromagnetic field gradients"

    and

    "methods and devices to enable the interaction between users and electronic devices by means of electromagnetic field gradients".

    and

    "methods and devices to harass individuals and companies by filing, claiming and legally enforce trivial methods and devices as patentable intellectual properties"

    Then we're done.

  • by Anonymous Coward on Tuesday December 01, 2015 @04:47AM (#51032219)

    The patent troll responsible for this nonsense, specifically the primary manager of the entity known as CryptoPeak Solutions, LLC [corporationwiki.com] is operated by a fellow named Nicolas Joseph Labbit [linkedin.com], who happens to be the sole member of a "law firm" known as The Labbit Law Firm [corporationwiki.com] in Longview, Texas. Just thought some folks might be interested in knowing a little more about the charming young man behind this gross abuse of the legal system. HTH. -PCP

  • The USPTO can (and does) award patents for almost anything. The patent examiners aren't experts in every field and if they receive advice that an item, method, or process is unique and non-obvious, they will award a patent.

    But a patent is just a pretty piece of paper until you try to enforce it. Only then will the courts actually look at the merit of the patent and declare it enforceable or invalid.

    The main reason for granting patents is to persuade inventors to publish their ideas and in return they
    • The USPTO can (and does) award patents for almost anything.

      . . . so I'm thinking of filing a patent titled, "A Method and Process of Doing Stuff with Things." Then I will open it up for free in the public domain.

      That should end this patent mess that has evolved.

    • by Anonymous Coward

      But a patent is just a pretty piece of paper until you try to enforce it. Only then will the courts actually look at the merit of the patent and declare it enforceable or invalid.

      Except that the court assumes the patent is valid and the victim has to demonstrate that it isn't which is effectively guilty until proven innocent.

      It is always cheaper to settle and licence the patent out of court than it is to defend the claim and risk losing.

      • by Sique ( 173459 )
        As we are in Civil Law and not in Criminal Law, there is no such concept of "being guilty". Are you infringing on their rights? Yes, as they have a monopoly on their invention granted by the state. Are they infringing on your rights? Of course they are, but they have a patent that allows them to do so.

        There are two ways to get out of this mess: first, prove you are not infringing on their rights. That would mean that you prove none of the claims in their patent fits to you, or it is already covered by pri

        • by Rob Y. ( 110975 )

          There should be some form of malpractice coverage (insurance?) to pay the court costs for those harmed by lawsuits based on patents that are ultimately found to be bogus. Perhaps covered by a fee on patent applications.

    • by Anonymous Coward

      The USPTO can (and does) award patents for almost anything. The patent examiners aren't experts in every field and if they receive advice that an item, method, or process is unique and non-obvious, they will award a patent.

      Yes, it would be ridiculous for modern patent offices to employ experts in every field. If it were even possible, it would be an incredible waste of talent.

      But a patent is just a pretty piece of paper until you try to enforce it. Only then will the courts actually look at the merit of the patent and declare it enforceable or invalid.

      I'm not sure about this. It could be different in different jurisdictions, but my understanding is that it is generally not the role of the courts when ruling on a patent infringement case to determine the merit of the patent (since, in theory, the patent office is supposed to ensure this), but rather only to determine whether the alleged infringing ac

      • Employ? Who says anything about employment?

        Implement a "public forum" where all applications are published and input from the broad public can be gathered - if someone knows prior art, or is able to point out triviality of the patent (e.g. "[doing an extremely common thing] over the Internet" ) they can post it and the USPTO clerk will just reject the application without further ado.

        • It looks like you can search US patent applications, and submit documents relevant to a patent application, for a fee.

          To search patent applications:

          • Go to Patent Full-Text Databases [uspto.gov].
          • Under Applications (right-hand side), click Advanced Search.
          • Enter the Query: PD/20151126 AND (CPCL/G06F OR CPCL/H04L)
          • Click Search.

          This will give you the 1,247 applications relating to Electrical Digital Data Processing or Transmission of Digital Information that were published last week. (Applications are published on the Thurs

          • The community could actually vastly reduce the workload - especially removing a lot of burden of searching for the prior art.

    • I think it was a good system when it started out. But now we have a more formalized scientific processes such that it is no longer difficult to reproduce so-called trade secrets. Someone else will eventually figure it out and publish the invention and/or improve upon it.
      • > I think it was a good system when it started out.

        A great deal of the difficulty is software patents. They overwhelm the patent offices resources, they're proven very difficult to differentiate, and they've been wildly abused both to harass legitimate developers and to develop overwhelming and impenetrable patent suites to protect patent violating companies from legitimate lawsuits.

        • Software patents also tend to be constantly amended until they are as vague as possible. These can then sit unused for 10 years at which time they are dusted off, interpreted to apply to some widely used technology, and pointed at to demand payments for use of said technology.

    • The USPTO can (and does) award patents for almost anything. The patent examiners aren't experts in every field and if they receive advice that an item, method, or process is unique and non-obvious, they will award a patent. But a patent is just a pretty piece of paper until you try to enforce it. Only then will the courts actually look at the merit of the patent and declare it enforceable or invalid.

      That's a nice fiction, but legal reality is different. Legally, if a patent examine grants a patent, it is pr

      • The only problem with this is that the costs for checking the validity of patents would then be put on the companies sued for patent infringement. Small companies might not be able to afford lengthy lawsuits and might just settle with the patent trolls so bad patents would not only continue to be used, but would get "settlement momentum" in their favor.

        If patent examiners actually examined patents, the courts would only need to deal with the edge cases and the patent lawsuit costs on businesses would drop.

        • The only problem with this is that the costs for checking the validity of patents would then be put on the companies sued for patent infringement.

          You got it backwards, because that's the current situation: if you get sued for patent infringement, it is your legal and financial responsibility to challenge the validity of the patent. That's why we have patent trolls. What I suggest, namely dropping the presumption of validity, means that the burden of proof shifts to the company that is suing for patent infri

      • We should change the patent system so that it works more like how you imagine it works, namely that patent examiners only do some simple sanity checks, and that validity only gets established through court challenges. But that's not the patent system we have right now.

        Those systems exist in other countries, and they're uniformly terrible. Remember all those stories about someone patenting the wheel in Australia [newscientist.com]? That was a registration-only system.
        They're also much more expensive for people accused of infringement, since the trials are much more involved, with having to first examine every aspect of patentability.

    • The USPTO can (and does) award patents for almost anything. The patent examiners aren't experts in every field and if they receive advice that an item, method, or process is unique and non-obvious, they will award a patent.

      But a patent is just a pretty piece of paper until you try to enforce it. Only then will the courts actually look at the merit of the patent and declare it enforceable or invalid.

      Except the courts tend to start from the position "If the USPTO granted this, it is valid unless proven otherw

    • The main reason for granting patents is to persuade inventors to publish their ideas and in return they are given exclusive licensing rights for a reasonable amount of time. The publishing and sharing of new ideas is the good side of patents.

      ...which is valid for physical invetion. I.e.: actual device that need to be researched and build.
      Because you need exclusivity, so you can ask for money and investment in order to get the necessary resources to research, develop and built the device, then ramp-up production and sell it.

      The problem with that crappy patent is that nearly every single claim point begins with :
      "Claim n. A method..."
      Yup. Methods. As in "I just had this idea and suddenly want every single other person who might have the same idea

    • The USPTO can (and does) award patents for almost anything. The patent examiners aren't experts in every field and if they receive advice that an item, method, or process is unique and non-obvious, they will award a patent.

      Nope, they're experts in their own field. The USPTO is divided up into several thousand art groups, and Examiners only review applications that are in their field. You don't have chemists examining crypto any more than you have computer scientists looking at a new drug formulation.

  • by Anonymous Coward on Tuesday December 01, 2015 @06:07AM (#51032387)

    While I'm totally against personal death penalty, there should be a corporate death penalty, where a company is completely disbanded: its assets (yeah, the investor's and bank's too!) are confiscated and put towards public good. Naturally just for a particularly outrageous behaviour, but patent trolls seem to fit the bill.

    This way investors would have to make sure they check the moral side of their investment (and not only the financial).

    I'm not a believer in the Invisible Hand, mind you -- but lobbyism, nepotism and too much corporate power is obstructing the few good things it *could* reasonably do.

    • by Pieroxy ( 222434 )

      The problem is not in the companies abusing the system, it's in the system for setting up such a business model. The more laws in place, the more fuckups like this one. The problem is that these companies are shielded by the law, so theu're hard do counter fight.

      I'm not advocating a zero-laws system, but there are clearly too much things in place. We don't need more of it, we need less.

    • by jpatters ( 883 ) on Tuesday December 01, 2015 @06:58AM (#51032507)

      I would advocate replacing the current practice of corporations being legally required to act in the best interests of shareholders only with a new hierarchy or rules, much like Asimov's laws if you will:

      First, a corporation must act reasonably in the best interest of the general public.
      Second, a corporation must act reasonably in the best interest of their employees where it doesn't conflict with the first rule.
      Third, a corporation must act reasonably in the best interest of their shareholders where that doesn't conflict with the first or second rule.

      A corporation jacks up the price of a generic drug by 7,000,000%? Sued by the general public.

      A corporation informs employees that they will have to train their H1B replacements? Sued by their employees.

      A corporation pays its CEO an unreasonably large salary with no evidence that that results in better executive performance? Sued by their shareholders. (This should be happening now...)

      I like it better than a corporate death penalty, because many corporations do have value and importance to the general public that would be at risk of being destroyed because of a single bad acting CEO. With this scheme, the courts would have a framework for redressing these issues.

      In the case of patent trolls, some patents are more obviously bullshit then others. The more obviously bullshit the patent, the more strong a case members of the general public would have to individually sue the trolls for obstructing their use of the technology. What if everybody who uses HTTPS could sue these clowns?

      • First, a corporation must act reasonably in the best interest of the general public.
        Second, a corporation must act reasonably in the best interest of their employees where it doesn't conflict with the first rule.
        Third, a corporation must act reasonably in the best interest of their shareholders where that doesn't conflict with the first or second rule.

        +1, I think you could be on to something there.

      • by Anonymous Coward

        If you want something to act in the interest of the public, it should be held publicly. Asking corporations to do so sounds like something a child would suggest.

        • The only reason that corporations act the way they do is because common and case law have led it in that direction. There is nothing scared about the "rules" of a corporation. They are changeable.

      • Re: (Score:2, Flamebait)

        First, a corporation must act reasonably in the best interest of the general public.
        Second, a corporation must act reasonably in the best interest of their employees where it doesn't conflict with the first rule.
        Third, a corporation must act reasonably in the best interest of their shareholders where that doesn't conflict with the first or second rule.

        A corporation jacks up the price of a generic drug by 7,000,000%? Sued by the general public.

        The only reason a corporation can do that is because of monopolis

        • It very well may be, but it's probably also true that you've drank the corporate kool-aid.

          • It very well may be, but it's probably also true that you've drank the corporate kool-aid.

            I'm under no illusions about what corporations are and what they want. However, I'm also under no illusion about what governments are and what they want. And when it comes right down to it, corporations can't force you to do anything you don't want to; only government can.

            You need to lay off the statist and totalitarian cool-aid.

        • by Anonymous Coward

          A corporation informs employees that they will have to train their H1B replacements? Sued by their employees.

          For what? Lowering their costs?

          No. For blatantly abusing the H1B visa system. The whole *point* of H1B visas is that they are to be used to bring people into the country to do jobs which require skill sets which aren't readily available in the country. The idea that you currently *have* workers who can do the job *and* train the incoming H1B replacements completely obviates the need for the H1B workers to come in in the first place.

        • by KlomDark ( 6370 )

          Your flaw: Corporations only exist by the consent of the government, thus the people. Thus you are the imbecile.

          • Your flaw: Corporations only exist by the consent of the government, thus the people.

            Private property and the ability to engage in private business transactions are fundamental human rights and are Constitutionally guaranteed; they do not require "consent of the government" or "consent of the people".

            • by sjames ( 1099 )

              Corporations are not human beings, they have no rights, not even the right to exist. If you want to own property and engage in private business, have at it. As a human being, you DO have those rights.

              If you wish to work cooperatively with others, you are also welcome to do so. However, if you wish to sever personal liability from the organization formed, that is a PRIVILEGE that the public may (or may not) choose to grant you. If it does, it will be under the condition that the organization act first in the

              • However, if you wish to sever personal liability from the organization formed, that is a PRIVILEGE that the public may (or may not) choose to grant you.

                It's not really a "privilege", it's just a formalization of one form of structuring a private business transaction. As a business owner, I could also write liability limits into each contract. It's just easier to have a bunch of standardized legal forms for doing so. If you do business with a corporation, you know how its liability is limited, and if you don

                • by sjames ( 1099 )

                  The separation of liability goes well beyond what you can accomplish in a contract since it includes criminal liability. For example, if a corporation commits negligent homicide, there is a high barrier to having that liability fall upon anyone personally. That is, typically nobody goes to jail or ends up picking up litter along the highway.

                  As for the rest, if you are referring to capricious actions, then I agree. There is no place for capriciousness in the rule of law. OTOH, if you mean that the people col

                  • For example, if a corporation commits negligent homicide, there is a high barrier to having that liability fall upon anyone personally.

                    The "high barrier" doesn't result from any kind of special corporate treatment, but the simple fact that it is hard to determine in a complex organization who is responsible for any particular act. The only people that creation of a corporation protects is its investors, for the simple reason that the act of investing in a legally established company cannot be by itself crim

                    • by sjames ( 1099 )

                      I have no idea where your bizarro notions come from, but I hope you one day find a way to return to your home dimension.

      • the current practice of corporations being legally required to act in the best interests of shareholders only

        Citation needed please. What law requires this?

        • It's case law, and it's too common knowledge to require a citation.

          IANAL, but suggest that a corporation should take care of its employees in an investor's forum and you'll get a citation.

        • by suutar ( 1860506 )

          This [professorbainbridge.com] is what I found on the subject. (I'm not saying, btw, that it proves you're wrong... or right. I just present it as an information source.)

    • by Anonymous Coward

      Yea great idea. When you have a competing company just get a law passed making your competition illegal and have it destroyed by the government. No need to compete anymore, its just a race to get your corporate execution applied to your competition. Sounds awesome.

      When government buys GM and can't compete with Toyota, instead of the NTSB making up false stories about sticking gas peddles, just seize Toyota and guess what? That same corrupt government gets the assets of it in the US for their own use!

      Isn

    • there should be a corporate death penalty, where a company is completely disbanded: its assets (yeah, the investor's and bank's too!) are confiscated and put towards public good

      This is a patent troll; they don't have any assets. And it's easy to disband a company, namely by getting a legal judgment against it that is larger than its assets. Lawyers like the "owner" of this company can also be held in contempt of court and disbarred.

      but lobbyism, nepotism and too much corporate power is obstructing the few

  • by Anonymous Coward

    by the original patent holders---selling at 18 years.. just sayin'

    not a fan of shotgun ligation strategy.. filing dozens of suits nearly immediately upon receiving assignment of the patent. that alone should say its just a money grab attempt.. aren't patent holders supposed to at least try to negotiate and shit before litigation?

    but shouldnt they be going after the implementers of https if that in fact was the infringing tech, not the users of the software that has the feature? like microsoft, apache, nginx

    • Dude, a schoolyard bully is not going to try to beat up the champion of the school's boxing team, ok? He's going after the nerd.

  • It's still illegal to shoot patent trolls on sight?

    I thought by now it would be considered pest control.

    • It's still illegal to shoot patent trolls on sight?

      Yes, but it's only a $25 fine.

    • by Chrisq ( 894406 )

      It's still illegal to shoot patent trolls on sight?

      It infringes my patent on means to destroy vermin .... oh wait, put that gun down!

  • by Anonymous Coward

    The National Security Agency cleared the way on ECC patens to prevent this very thing. Take a look at the license agreements of OpenSSL.

  • Someone more knowledgeable can answer this: isn't the "patent" in question just a description that could be found in any textbook on security and cryptography?
  • "based in Longview, Texas" ... that kind of says it all, doesn't it?

  • Recently a judge declared that the song "Happy Birthday" is now public property. This is used to protect the public and should be their property.
    • by caseih ( 160668 )

      Are you sure? From what I've read, all the court said was that the Warner/Chappell Music did not hold the copyright on it. It's entirely possible that someone somewhere has a legitimate copyright over this song. They certainly did not declare the song was in the public domain, though it probably is.

      • The judgement effectively put the song in the public domain. If someone else stepped forward today to claim copyright on the song, they would need to prove not only why they should be granted copyright on it, but why they stayed silent so long while Warner/Chappell Music claimed copyright on it. In short, they would have a severe uphill battle to be awarded copyright on Happy Birthday.

      • There were long periods since the authorship of "Happy Birthday" when copyrights required renewal to remain valid. Given that there were no such renewals, it lapsed into public domain decades ago.

  • Choosing a private key in ECC is no magic - you can pick any number, anything as long as its smaller than the order of the group you're working in - and its a valid private key.

    • Choosing a private key in ECC is no magic - you can pick any number, anything as long as its smaller than the order of the group you're working in - and its a valid private key

      Finding curves with the correct properties was the key to getting ECC working. I worked on ECC some in the late 80's and randomly selected curves were completely useless.

  • ...if they're smart enough to not sue Newegg?
  • It seems to be working, the lawyers plan that is, as I clicked on a couple of the lawsuits and they've already been settled. BSNF and Scottrade have at least settled. That's the trick usually, sue for enough to make money, but not enough that it's worth the companies actually fighting.
  • I hear our (USA) government has decided to come to our (everyone's) defense and pay the guy approximately 5 trillion in unmarked twenties.

    Done...

    Next...

  • Since when do you sue the user of a product (in this case, corporations hosting HTTPS-enabled websites) rather than the implementer of the product (whoever wrote the web server's crypto stack)?

    If I build an electric shaver that violates Braun's patents and sell it to some people, Braun has grounds to sue me. Do they really have grounds to sue the people to whom I sold my infringing product?

Failure is more frequently from want of energy than want of capital.

Working...