Company Aims To Patent Security Patches
Jonas Maebe writes "Someone thought up another way to profiteer from the software patent system: when a security hole is discovered, they'll try to patent the fix in order to collect money when the affected vendors close the hole in their product. The company in question is not shy about its intentions: Intellectual Weapons will only consider vulnerabilities in high-profile products from vendors with deep pockets. Let's be thankful for yet another way software patents are used to promote science and the useful arts."
Only in America dudes.. Oh wait!
Suing companies for five year old infringements is not going to work too well.
Moreover this type of behavior is exactly the type of action Congress might find sufficiently indefensible to act on patent law.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
I for one think this is a great idea. Nothing will speed up software patent reform faster than when companies are unable to fix bugs in their products without paying. On the flip side should they succeed with this companies may see better quality control leading to increased savings in the long run, giving us all stable software from the get go. It's win-win, race to the bottom I say, make haste.
But they would need to be really fast to get the application in, and it would surely need not to mention the actual product, right? Because if they said "a method for preventing a macro hole in Word from executing", or something, wouldn't MS be able to sue on the grounds of reverse engineering/ copyright/ their own patents.
I kinda feel that this wouldn't really be practical.
I can't believe it's not a hyperlink.
You are being sued for patent infringement. Cancel or Allow?
"A method of entering replies into Slashdot using a computer keyboard to generate alphanumeric characters which are used to create textual comments to a news item." If *anyone* else says *anything* from now on, you have to pay me.
I want a list of atrocities done in your name - Recoil
How are they going to patent security patches AFTER they are released ?
They would have to patent the security fixes before the vendor releases them; otherwise it's not theirs to patent. Even then the patent could only apply to their exact way to patch the security hole, which would unlikely be exactly the same as the vendor will produce.
So they must be trying to patent security exploits BEFORE the companies release the patches, not afterward; otherwise they have nothing to patent. You can't download someone's patch and then try to patent it, that's retarded.
I'm going to patent a method for accomplishing tasks on a computing device.
This just in, the patent system was severely broken by attempts of obtaining easy money by multiple companies. Unfortunately it cannot be fixed, as this would break several patents held by these companies, which are addressed to patching systems.
To not EVER get successful or they will have ample reason to patent your holes to where you can't afford to fix em.
I know there are a lot of you out there saying: this is the kind of action that will spur Congress to get off their derriere, but frankly, I can only see this as YANITC (yet another nail in the coffin).
We looked on in horror when the thought of software patents came up, and we said that surely no one would be dumb enough (or greedy enough) to do it. We were wrong...
Then there was Bezos' one-click patent and we shielded our eyes saying: the fireworks are going to start any time now... Again, however, the sky was clear and there were no signs of change on the horizon.
Then you had all the spurious patents from SCO, Microsoft and IBM, and we thought, well maybe this time! However, as was before, so was then...
Then Microsoft threatened Linux and we said "they are running scared!" and "no one would be dumb enough to..." They were, and they are. Not only that, but mere weeks later, you have several major contributors signing licensing deals to patent infringements that were never released. My God, that costs the companies money and they do nothing but bend over...
Today we got word of Bezos' expansion of the one-click patent, and on top of that the willingness of the USPTO to accept the patent with little to no effort. The USPTO, after all, has employees they have to pay...
And now you have this, and again we hear individuals decrying the "end times" for software patents. No, that isn't going to happen. They are here to stay, because the system is working for its citizens in a very efficient way. It is just that we think that we are the citizens. Much like TV viewers or magazine subscribers think that they are the clients of the company. They aren't, they are the product.
We are the product and the consumer, but not the client of the government. The government is there to protect the interests of its citizens, it's just that its citizens have trademarked names. We have gone from Micro to Macro, folks.
my patent will be on any system or method that can predict what the next patch will be required by any given software product.
Thanks to file sharing, I purchase more CDs
Thanks to the RIAA, I buy them used...
Evil(TM/Copyright/Patent Pending) is spreading
If someone exploits a bug or flaw in a program's design (and just how does one define that in a precise enough fashion for a patent, anyway), I should think the most obvious thing in the world would be to fix the bug/flaw. HOW one fixes it is going to vary widely, from "oops, that should have been +1 not -1" to "some guy at *UNIVERSITY* just found a new algorithm that cracks our protection, back to the drawing boards". A lot of fixes should fail instantly on the obviousness criteria - the attack itself often suggests a solution to one skilled in the art. I would hope such approaches would fail for other reasons, but I'm not an expert in patent law.
On the other hand, this behavior is so egregiously anti-social that even if it is currently legal it might actually prompt a response from lawmakers. (One plus to all this might be that research funding into security techniques and formal development methods might see a boost - attempt to inflict death by starvation, so to speak.)
"I object to doing things that computers can do." -- Olin Shivers, lispers.org
contact@intellectualweapons.com
;-)
submit@intellectualweapons.com
apply@intellectualweapons.com
Now listen: do *NOT* post these e-mail addresses in public places, especially forums, you know how bad SPAM can get!
Software vendors just need to apply for the patent first, for example when they write the flaw... ... and pay me first, of course, as I have just patented this.
Assuming this organization gets off the ground, I wonder if there would be any grounds for a lawsuit against them for "damages sustained" while a vendor is arguing over the price for a fix. For example, if the vendor wished to create a fix for me but couldn't because this organization was giving them grief, could I or my customers sue because of losses sustained due to the vulnerability? What if the breach caused directly traceable bodily injury (someone breaking into a system used by law enforcement, health care, firefighters, etc.)? If this kind of suit is possible, I would think that a patent on the "fix" for something would be a risky business.
I agree completely. I'm off to patent valuable sequences of mouse clicks and keystrokes.
Has anyone noticed that patents may well be the farming and agriculture of the 21st century? Allow me to explain.
During the shift to urbanization, it was common for individuals to keep cattle, chickens, pigs and sheep in the city. The animals would be allowed to roam free and would then be captured and slaughtered/sheared as was necessary. It was subsistence living in an urban environment where barter was VERY common.
However, as time went on, factories and other places of employment found that they couldn't get enough workers for the lower level jobs. Why would the poor go work there in a crappy environment, when they could breed their cattle and chickens for rent and food?
So these companies petitioned the government to disallow animals, citing disease and the cause (and to some degree, this was true, especially with large amounts of fecal matter in the city -- but then not everyone had plumbing either). This in turn caused people to starve and move to these companies to be paid in "money".
Now, however, we have patents. Patents force the little guy out of the market (let's face it, no individual can afford to beat MS, IBM, Monsanto, et al in a court where lawyers form 99.9% of your chances) Small companies are forced out of business and big companies get to take over. The small companies are the only real thorn in the side of the bigger ones as they might offer a product that revolutionizes the field, but ends up costing a major conglomerate billions to redevelop their products). So patents force them out of business, causing the owners to work for the mega-corp and thus give the mega-corp control.
Perhaps in a few years, everyone will be working for a mega-corp and that will define our identities. We are theirs after all...
So when the majority of the bugfixes are as commonplace as could be (e.g. fail to sanitize input, buffer overflow, etc), can prior art arguments be made to nullify all of these "novel" discoveries?
This sounds like another EFF attempt to undermine the software patent system by exploiting the security holes in the patent office. I seem to remember they did something similar a while back using a DRM patent that could make all other DRM implementations illegal. The irony of exploiting software patents to damage their most ardent supporters is delicious.
AAAAAAAARRRRRGHHH!!
Sorry again, I couldn't keep it...
So say we all
Excellent post. You are right, software patents aren't going anywhere. You will see more properties like this, where basic, everyday information is walled away from you. And as long as we allow congress to be bribed by lobbyists, this will continue to happen. Remember, what's good for GM is good for America. We have a long tradition of bending over for business interests.
Consider too, that many companies like Microsoft would love the chance to spend their research dollars on finding vital security holes in programs like Apache and Open Office, patenting them, and preventing anyone from releasing a patch. Don't think they wouldn't. This could be turned into a terrible weapon against the competition. You are not required by law to develop your patents, remember. Nor are you required to sell them if you do. Funny, the company name is Intellectual Weapons...
Maybe, this will finally be the straw that breaks the software patent camel's back.
Or buying them?
Maybe the prospect of having to pay for its bugs will finally force Microsoft to ship better code.
Come on people. Nothing indicates this "company" is anything more than a single guy putting up a website on a lark, either purely for Slashdot hits or to make a point about the patent system. The whole idea is wildly impractical (what are these magic methods they say they'll use to expedite the patent process?), and a real company would privately hire their own security researchers instead of announcing their plans in detail to the public.
...that they have 900,000 instances of prior art, give or take.
(Sorry, couldn't resist.)
I agree with you wholeheartedly, but from a slightly different perspective. Things like the patent system (or DRM or privacy issues) have become so illogical that there's no way an average person can fight against the system by sane and normal means such as lawsuits, petitions, or elections. The most effective way to get rid of these stupid laws, IMHO, is by making sure that they self-destruct, i.e. become utterly ridiculous in the eyes of the media and the public. So, rejoice when people start filing patents for their navel lint or nasal hair structure. Chuckle gleefully when DRM software starts taking over people's systems and creates massive security holes. Cackle maniacally if some wiseguy sues McD for kaching-illion dollars because their "Happy Meal" didn't exactly make him happy. For remember, the candle burneth brightest before it dies out, to rehash a hoary saw. Or at least, we hope.
You can give the potential infringer notice that you have a patent application pending that covers their 'invention.' If they don't stop once you give notice, then you can collect 'reasonable royalties' from the time of your notice to them until your patent actually issues - if your patent issues. (What in the world would be 'reasonable royalties' in this case, btw? Damned if I know.) After the patent issues, you have the normal patent remedies. Damages + a permanent injunction (which is thankfully not certain anymore. The Federal Circuit has actually been using the SCOTUS' guidelines in last year's eBay case and not automagically granting injunctive relief.)
A preposition is a terrible thing to end a sentence with.
I've just started a company to patent the security holes themselves.
...
1. Find hole
2. Patent the hole
3.
4. Profit!
Excellent post.
I frequently post about Intellectual Property in threads like this. Usually I get some responses saying that I'm full of it, and companies wouldn't slash our throats and bleed us dry. I have four words for you:
Are you convinced yet?
There are too many market pressures on monopolizing ideas. A monopoly on an idea gives you an excellent competitive advantage. For some goods, say a book, a copyright is necessary for you to take a risk and publish the book. For others, it lets you invent things like a cotton gin and make money off of it while being a good citizen and showing the world how it works, and what new technologies you have invented. On the whole, these are to the public's advantage when used wisely.
But a monopoly is always a competitive advantage, even when it isn't in the public's advantage. And currently, business lobbies are pushing to allow more and more kinds of monopolies because they make business sense. Granted, plot patents, business patents, process patents, software patents, copyright on 3 note sequences, etc, etc, etc are not in the public's interest, as we don't carry massive IP portfolios to cross-license or lawyers to fight with. But they do allow large companies to create a massive barrier to entry that only certain industries or monopolies enjoyed before.
There is money to be made in massively expanding the definition of IP to include all ideas. There is more money in eternally owning ideas than in all of the property rights or mineral rights in the solar system. This fight will not be over in our lifetimes.
But who do you have to blame?
One thing I noticed reading the site is that the researcher who submits the vulnerability report gets a share of the net profit not the gross income or a guaranteed fee. This is a standard Hollywood tactic to avoid paying the people who do the real work. All the gross income gets eaten up in various expenses so there is little or no net profit.
The researcher also has to trust the company not to just steal their information by claiming someone who wishes to remain anonymous has already reported that vulnerability.
It reads like a scam to me. Maybe I am just old and cynical.
This sort of thing is the reason why I have retained a patent lawyer who, the day the "first to file" change is passed into law, will put in an application for a business method patent. The brief, non-legalese version basically covers the business model of suing over patents which the owning company does not themselves utilize. (That way, I can sue into oblivion any business attempting craziness like this.)
Naturally, anyone attempting to argue whether I practice my own patent may find themselves falling into a logical paradox, as my patent itself implies I cannot practice my patent.
Do you like Japanese imports?
So you advertise to go create 0day exploits, for which patents can be applied for that are broad enough to use. Then release exploit, demand $$.
Sounds like a form of extortion to me.
RICO?
You beat me to it.
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
So, no problems arise with patches that involve making sure buffers don't overflow, tempfiles are opened without a race condition occurring, input passed on to command interpreters doesn't contain escapes, and so on.
Then there's the rarer situation where a system needs a novel idea to function securely. The implementor creates the system without any awareness of the need for new security mechanisms and writes an insecure system. I'd say that in this case, the person who finds the flaw and the fix actually deserves compensation. Actually, forget the fix. They've made a contribution to the field just by understanding the flaw.
Still, making it harder or more expensive for companies to fix their broken software? That's something I just can't get behind.
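The post above names three classes of fix that are "as commonplace as could be": bounded buffer copies, temp files created without a race, and input to command interpreters scrubbed of escapes. The following is an added example, not code from the thread or from any vendor's patch, showing each vulnerable shape next to its routine fix in C. The /tmp path, the hostname allow-list and the `ping` command are illustrative assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* --- 1. Buffer overflow ------------------------------------------------- */

/* Vulnerable shape: strcpy() into a fixed buffer with no length check.
   A name of 16 or more bytes writes past the end of out[]. */
static void copy_name_vulnerable(char out[16], const char *name) {
    strcpy(out, name);
}

/* The commonplace fix: measure first and refuse what does not fit.
   Returns 0 on success, -1 if the name (plus terminator) would overflow. */
static int copy_name_fixed(char *out, size_t outlen, const char *name) {
    size_t n = strlen(name);
    if (n >= outlen)
        return -1;
    memcpy(out, name, n + 1);
    return 0;
}

/* --- 2. Temp-file race -------------------------------------------------- */

/* Vulnerable shape: predictable name, then open() without O_EXCL. Between
   choosing the name and the open() an attacker can plant a symlink at that
   path, and open() follows it. (Assumed path prefix; illustration only.) */
static int tempfile_vulnerable(void) {
    char name[64];
    snprintf(name, sizeof name, "/tmp/example-%ld", (long)getpid());
    return open(name, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* The commonplace fix: mkstemp() picks a random suffix and creates the file
   with O_CREAT|O_EXCL in one step, so a pre-planted file is never opened.
   On success the chosen path is left in 'path' and the fd is returned. */
static int tempfile_fixed(char *path, size_t pathlen) {
    const char *tmpl = "/tmp/example-XXXXXX";   /* assumed location */
    if (strlen(tmpl) >= pathlen)
        return -1;
    strcpy(path, tmpl);                          /* safe: length checked */
    return mkstemp(path);
}

/* --- 3. Shell escapes in command arguments ------------------------------ */

/* Vulnerable shape: user input interpolated into a shell command line.
   host = "x; rm -rf /" makes the shell run the second command too. */
static int ping_vulnerable(const char *host) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);
    return system(cmd);
}

/* Fix (a): allow-list the characters a hostname may contain, so no shell
   separator, quote or substitution character reaches the interpreter.
   Returns 1 if safe, 0 otherwise. (Assumed hostname policy.) */
static int hostname_is_safe(const char *host) {
    size_t i, n = strlen(host);
    if (n == 0 || n > 253)
        return 0;
    for (i = 0; i < n; i++) {
        char c = host[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Fix (b), stronger: involve no shell at all. With an argv array passed to
   execvp() the argument is delivered as one string whatever it contains.
   Returns the child's exit status, or -1 on failure. */
static int run_argv(char *const argv[]) {
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                              /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char buf[16], path[64];
    char *argv[] = { "echo", "x; rm -rf /", NULL };   /* echoed literally */
    printf("short name ok: %d\n", copy_name_fixed(buf, sizeof buf, "alice"));
    printf("long name rejected: %d\n",
           copy_name_fixed(buf, sizeof buf, "a-name-longer-than-15"));
    int fd = tempfile_fixed(path, sizeof path);
    if (fd >= 0) { close(fd); unlink(path); }
    printf("safe host: %d, unsafe host: %d\n",
           hostname_is_safe("example.com"), hostname_is_safe("x; rm -rf /"));
    printf("run_argv exit status: %d\n", run_argv(argv));
    (void)copy_name_vulnerable; (void)tempfile_vulnerable; (void)ping_vulnerable;
    return 0;
}
```

Each fix is the one a reviewer would call obvious: the overflow is closed by a length check, the race by letting the kernel create the file atomically, and the injection by either rejecting metacharacters or, better, never handing the string to a shell.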
Fuck the system? Nah, you might catch something.
I'm going to patent "a process whereby a corporation enters into a contract to 'eliminate' (wink, wink) holders of spurious patents designed to inhibit innovation and advancement of technology".
Because you know damn well that day is coming, where it will be cheaper to whack someone and risk prison than fight the bastards. Of course, when that day does come, I'm in deep shit as the holder of this patent...
I HAVE CUBIC WISDOM THAT TRANSCENDS AND CONTRADICTS ONE DAY GODS
i have something better
1) patent patches
2) patent tuesdays
3) $Profit$
koyaanisqatsi
It would seem to me that a patch to copyrighted software would be a derivative work based on the software and therefore should be covered under most boiler plate license agreements. Is this not the case?
--I like turtles...
If this doesn't lead to change in patent law, nothing will.
Why don't these guys do something truly good for humanity, and patent malware and spam? Should clear up those problems in an instant!
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
I think the patent system is absurd, but this strikes me as a good use for it. Right now, vendors absolve themselves of any responsibility and think they have a right to get free reports and bug fixes from users. In fact, they have even created the impression that it is blackmail when bug reporters ask for money for their discoveries.
As I see it, if this company gets away with it, either, big companies will improve the quality of their software so that they have fewer vulnerabilities in the first place, or they will start to push for weakening software patents. Either way, everybody wins.
-- Scalia
"I take it that we are operating under the assumption that software is patentable? We have never held that in this Court, have we?"
-- Breyer
The Supreme Court on the whole also seems leery of the idea that software is patentable, but they can't rule on it until they hear a case where patentability of software is disputed.
(IANAL)
In the stomach. Once a day. Every day. Except Sunday.
Their dark-on-dark website scheme is really conveying a professional image for them.
The recent supreme court case KSR v Teleflex broadened the test for obviousness a bit. KSR expanded obviousness to include stuff that is "inevitable due to market forces" or "inevitable to try by one practiced in the art" within some unknown limits.
This security bug scheme is borderline obvious under the old test. It is stunningly weak after KSR. Unless the applicant discovers the bug. Hmmmmm.... (whispers: hey f-secure, call me).
Funny, this scheme also encourages folks to reveal security holes immediately because keeping it a "trade secret" leaves the door open for someone else to try to patent the fix. Also, privately alerting the security guys probably leaves the bug open to a patent exploit.
I am a lawyer, but not yours. Anything I tell you might be a total lie intended to benefit my clients at your expense.
Patents are pretty much proof against copyright infringement. If you can't name names, then enabling the invention is tougher. Most corporate clients, however, prefer that only their own names/trademarks/etc. appear in a patent.
One patent doesn't violate another patent. Only activities/products can infringe.
Reverse engineering isn't a huge problem. You only have to enable (say how it works) a fix in the application. It doesn't have to be the best fix or the fix that someone with full source access would implement.
Business Process:
Suing companies for violating patents.
"Oh I'm sorry, your suing of company x violates our patent, we will now sue you."
"You're not balancing your internal energy with the environment." -Gary Busey
Nothing indicates this "company" is anything more than a single guy putting up a website on a lark, either purely for Slashdot hits or to make a point about the patent system.
I agree. That there is no information about the people involved is the first tip off that this is either a gag or something put together by unscrupulous folks who are looking to obtain security vulnerabilities from nitwits. This is certainly not a legitimate law firm.
"We actively market the IP" is not language a law firm is allowed to use in the US, because law firms are not allowed to obtain legal business from a client then perform marketing services for that same client. "You share in the profits" is also prohibited language, because it implies a guaranteed result, which is prohibited in legal advertising. Discussion of distribution of "profits" from legal activity is also prohibited in US legal advertising.
Combining the technical fix and the legal work under one marketing vehicle is also forbidden under US law. Also, if "Intellectual Weapons" is going to provide services in a variety of countries, where are they licensed? The list of gaping holes in this site goes on. This is a joke, even if it is actually intended to be serious.
Read the EFF's Fair Use FAQ
Every time they come up with a DRM method, they also patent every circumvention method they can think of. That way, nobody can legally create a "decoder" for their wares. Sneaky, they are. It really adds weight to the idea of "produce in commercial quantities or default to statutory licensing set by the government."
Is it just my observation, or are there way too many stupid people in the world?
When is this nonsense going to stop? I mean, if we're gonna have to pay royalties when somebody patents the act of going to the toilet, that's not going to make any of us too happy... Is there a way to stop this?
MS (for example) has demonstrated that they have no problem illegally copying IP whenever it is available. As I understand patent law, they will be able to stand in front of a judge 5 years later (and 4 years after they've obsoleted the product) and say "we never profited directly from that patent and we would be happy to comply with a cease order". In fact, this is like a Bill Gates wet dream. All they have to do to fill the straight is convince Congress that it should be illegal to run software with known vulnerabilities. The end result would be "You have to upgrade to Microsoft Panorama because we are not allowed to fix Vista and it is illegal for you to run it unless you do. It's not our fault(tm)."
Don't say it won't happen. To me it looks like just one more small step towards converting the FBI and USCBP to glorified mall cops (I think that describing them as a latter-day Pinkertons gives their new duties WAY too much credit).
Yeah, but consider two points:
* They want money, so OSS is pretty much safe.
* If enough people are disgusted by this, they might actually reform patents (hopefully getting RID of software patents either via the courts or the legislature).
Besides, I'm hoping they won't find anything patentable and it'll be mostly FUD to begin with. It takes a LOT longer to get a patent than it does to patch a hole.
Tom Ptacek says:
Patents are a crappy way to lock up the fix for a vulnerability. 10 years from now, it's vanishingly unlikely that your discovery will still be relevant. If it is, you've got better things to do with it than sell it to bottom-feeders.
Here's a better idea: copyright law. Copyright is immediate.
Here's what you do:
Find a vulnerability --- anything; say, memory corruption in some OS service --- and devise a third-party patch for it.
Publish the patch. Only the patch.
But before you do, wrap the patch up in a DRM scheme. An in-kernel, interrupt-hooking virtual machine with an encrypted instruction set should do nicely. It's worth the work; you'll be doing this over and over again. You want people to sweat to figure out how your patch works.
Alert the world to your discovery. You're a hero! You can root any computer on the Internet!
Don't publish the details of the vulnerability. No, wait, don't even allow the details to be published. If anyone figures out how your patch works, sue them under the DMCA. Especially if it's the vendor.
The vendor will, of course, claim they have the right to reverse-engineer your "intellectual property" for security and interoperability purposes. Let the courts decide. In the mean time: nice of them to establish some precedent.
Points to anyone who can prove to me that this doesn't qualify as "responsible disclosure".
A. You should submit as soon as possible [...]. The longer you wait, the higher the risk that product upgrades will eliminate your vulnerability. Being anxious about maintaining one's vulnerability in order to make some money sounds rather cynical. A well-done parody might exactly sound like that, but these people seem to be serious.
Won't this money-hungry company have to prove intricate knowledge of HOW to solve the security vulnerability? How can you do that effectively with (presumably) closed-source targets? It seems like this is a large task to take on: beating the vendors to the fixes to their security holes.
Now, in the case of holes in open source systems, they may be able to pull off staying ahead of the developers, but c'mon, it's open source-- how can they possibly expect to force people to pay up for patching open source?!?
And won't this put a whole new slant on the bounties for zero-day security holes? Imagine, if patents could force these vulnerable vendors to pay these pirates big dollars for patent compliance just to patch their software, there will suddenly be a HUGE black market for zero-day sploits. That's the last thing the world needs.
libertarian: (n) socially liberal, financially conservative; neither left, nor right.
I will patent government inefficiency!
Gates, I will make you look poor.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
Wow.... I just read their website and it is stunningly similar to the "Get-Rich-Quick" schemes and scams that you see posted up in every college hallway and classroom.
Read the "How It Works" part. If that doesn't sound really shady and iffy, then I have a bridge to sell you!
So let me see, they want to copyright/patent security holes that they find and other people find. How can you patent/copyright aspects of someone else's programming or code?
I mean, it's like somebody finding an unlocked door to my house, and then claiming ownership of it because they found that it was unlocked, and charging anyone who tries to lock it with patent infringement if they lock it without paying these lunatics "royalties"
Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
He's just gonna be suing Microsoft. Apple and Linux don't have security bugs. The bigger question is if MS will support better software or weaker patents. Everybody wins!
To find prior art...
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
This is an attempt to become John Smith's Landlord. (John Smith is one of the classic philosophers who defined capitalism.) In his book "The Wealth of Nations," he defined the landlord as a class of people who collected rent as an attempt to live without doing work. Now, Intellectual Weapons is trying to figure out a way to use the legal system so they can gain income without doing real work.
No, I will not work for your startup
This is so obviously satire. The site is called Intellectual Weapons. It regularly refers to "exploiting IP patents."
These guys are one of us. I'm surprised so many of you have been so, so duped.
Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
The author of the 1776 classic economic text An Inquiry into the Nature and Causes of the Wealth of Nations, often abbreviated as The Wealth of Nations, is Adam Smith, not John Smith.
My truck is like a series of tubes.
You can patent an element!
The sending of this message pretty much inconveniences everyone involved.
MS has prior art. Waaaaaay prior. Art is up for discussion, though.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
MOD PARENT INSIGHTFUL
I thought extortion was "supposed" to be illegal. Even if someone wants to use bogus patents to sue you into oblivion, they are supposed to make the claim that they're really shocked and horrified that said patent was infringed. This sounds like an open declaration of intent to commit a crime.
Also, if reverse-engineering is illegal per the contract, wouldn't trying this be declaring yourself guilty of breach of contract? Or conspiracy to do so?
Also, what reserves of cash will this company draw on to survive in such a lawsuit against a company with "deep pockets"?
Well said. This is the inescapable conclusion to software patent nonsense. Each time a vague or ridiculous patent claim is taken seriously, the scope of future patents will become broader and even more ridiculous.
General purpose computers can do... anything! That is if you work hard enough on making them do so.
Writing in a patent that you are going to make a computer do something is trivial because the answer to "can a computer do x?" is always yes in the end. (Laws of physics not withstanding)
All patents are doing for software is allowing for the theft of the hard work of people who can make computers do things by the losers who can't but wish that they could.
Call it what you will, but the more the cult of IP dominates our society, the larger the parasitic element of people who don't create or contribute anything becomes. Just think about how many "careers" there are now that involve nothing more than profiting off of what others create.
To boldly use to and too two times and get it right too! They're not gonna believe their eyes when they see it there!
The troublesome thing about this scheme is that it seems very sound legally (IANAL).
To patent something, it must be novel and non-obvious. Clearly, the fix for ANY software defect qualifies:
Novel: If someone had already done it, the software would already work.
Non-obvious: If the fix was so obvious, why didn't the author just fix it before releasing it the first place?
It also seems viable from a practical standpoint. Consider that patent holding isn't about protecting your invention. It is about convincing your victims to settle out of court, since patent litigation is so expensive and risky. All you need to do is make a quick settlement seem more appealing than a long legal battle.
http://xkcd.com/756//
This approach seems unlikely to work. Patent holders win huge jury awards because they, in the jury's eyes, have been legitimately wronged. In this case, the jury may see the vendor as the one being exploited.