Slashdot Mirror


Company Aims To Patent Security Patches

Jonas Maebe writes "Someone thought up another way to profiteer from the software patent system: when a security hole is discovered, they'll try to patent the fix in order to collect money when the affected vendors close the hole in their product. The company in question is not shy about its intentions: Intellectual Weapons will only consider vulnerabilities in high-profile products from vendors with deep pockets. Let's be thankful for yet another way software patents are used to promote science and the useful arts."

5 of 182 comments

  1. A great idea by antoinjapan · Score: 5, Interesting

    I for one think this is a great idea. Nothing will speed up software patent reform faster than companies being unable to fix bugs in their products without paying. On the flip side, should they succeed with this, companies may see better quality control, leading to increased savings in the long run and giving us all stable software from the get-go. It's win-win. Race to the bottom, I say; make haste.

    1. Re:A great idea by madcow_bg · Score: 4, Interesting

      OTOH, just imagine the dialogue:
      User: I want it fixed, now!
      Company: No can't do, sir. We are prohibited by law to do this.

      ... and since the people do not control the legislators in the USA ...

  2. tut. by joe+155 · Score: 4, Interesting

    But they would need to be really fast to get the application in, and it would surely need not to mention the actual product, right? Because if they said "a method for preventing a macro hole in Word from executing", or something, wouldn't MS be able to sue on the grounds of reverse engineering / copyright / their own patents?

    I kinda feel that this wouldn't really be practical.

    --
    I can't believe it's not a hyperlink.
  3. KSR v Teleflex kills it by PatentMagus · Score: 3, Interesting

    The recent Supreme Court case KSR v Teleflex broadened the test for obviousness a bit. KSR expanded obviousness to include stuff that is "inevitable due to market forces" or "inevitable to try by one practiced in the art", within some unknown limits.

    This security bug scheme is borderline obvious under the old test. It is stunningly weak after KSR. Unless the applicant discovers the bug. Hmmmmm.... (whispers: hey f-secure, call me).

    Funny, this scheme also encourages folks to reveal security holes immediately because keeping it a "trade secret" leaves the door open for someone else to try to patent the fix. Also, privately alerting the security guys probably leaves the bug open to a patent exploit.

    --
    I am a lawyer, but not yours. Anything I tell you might be a total lie intended to benefit my clients at your expense.
  4. This is a much better idea. by zero1101 · Score: 3, Interesting

    Tom Ptacek says:

    Patents are a crappy way to lock up the fix for a vulnerability. 10 years from now, it's vanishingly unlikely that your discovery will still be relevant. If it is, you've got better things to do with it than sell it to bottom-feeders.

    Here's a better idea: copyright law. Copyright is immediate.

    Here's what you do:

    Find a vulnerability --- anything; say, memory corruption in some OS service --- and devise a third-party patch for it.

    Publish the patch. Only the patch.

    But before you do, wrap the patch up in a DRM scheme. An in-kernel, interrupt-hooking virtual machine with an encrypted instruction set should do nicely. It's worth the work; you'll be doing this over and over again. You want people to sweat to figure out how your patch works.

    Alert the world to your discovery. You're a hero! You can root any computer on the Internet!

    Don't publish the details of the vulnerability. No, wait, don't even allow the details to be published. If anyone figures out how your patch works, sue them under the DMCA. Especially if it's the vendor.

    The vendor will, of course, claim they have the right to reverse-engineer your "intellectual property" for security and interoperability purposes. Let the courts decide. In the meantime: nice of them to establish some precedent.

    Points to anyone who can prove to me that this doesn't qualify as "responsible disclosure".