Slashdot Mirror
Company Aims To Patent Security Patches
Jonas Maebe writes "Someone thought up another way to profiteer from the software patent system: when a security hole is discovered, they'll try to patent the fix in order to collect money when the affected vendors close the hole in their product. The company in question is not shy about its intentions: Intellectual Weapons will only consider vulnerabilities in high-profile products from vendors with deep pockets. Let's be thankful for yet another way software patents are used to promote science and the useful arts."
Suing companies for five year old infringements is not going to work too well.
Moreover this type of behavior is exactly the type of action Congress might find sufficiently indefensible to act on patent law.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
I for one think this is a great idea. Nothing will speed up software patent reform faster than when companies are unable to fix bugs in their products without paying. On the flip side should they succeed with this companies may see better quality control leading to increased savings in the long run, giving us all stable software from the get go. It's win-win, race to the bottom I say, make haste.
But they would need to be really fast to get the application in, and it would surely need not to mention the actual product, right? Because if they said "a method for preventing a macro hole in Word from executing", or something, wouldn't MS be able to sue on the grounds of reverse engineering/ copyright/ their own patents.
I kinda feel that this wouldn't really be practical.
*''I can't believe it's not a hyperlink.''
You are being sued for patent infringement. Cancel or Allow?
I know there are a lot of you out there saying: this is the kind of action that will spur congress to get off their deriere, but frankly, I can only see this as YANITC (yet another nail in the coffin).
We looked on in horror when the thought of software patents came up, and we said that surely no one would be dumb enough (or greedy enough) to do it. We were wrong...
Then there was Bezo's one-click patent and we shielded our eyes saying: the fireworks are going to start any time now... Again, however, the sky was clear and there we no signs of change on the horizon.
Then you had all the spurrious patents from SCO, Microsoft and IBM, and we thought, well maybe this time! However, as was before, so was then...
Then Microsoft threatened Linux and we said "they are running scarred!" and "no one would be dumb enough to..." They were, and they are. Not only that, but mere weeks later, you have several major contributors signing licensing deals to patent infringements that were never released. My God, that costs the companies money and they do nothing but bend over...
Today we got word of Bezo's expansion of the one-click patent, and on top of that the willingness of the USPTO to accept the patent with little to no effort. The USPTO, after all, has employees they have to pay...
And now you have this, and again we here individuals decrying the "end times" for software patents. No, that isn't going to happen. They are here to stay, because the system is working for its citizens in a very efficient way. It is just that we think that we are the citizens. Much like TV viewers or magazine subscribers think that they are the clients of the company. They aren't, they are the product.
We are the product and the consumer, but not the client of the government. The government is there to protect the interests of its citizens, it's just that its citizens have trademarked names. We have gone form Micro to Macro folks.
contact@intellectualweapons.com
;-)
submit@intellectualweapons.com
apply@intellectualweapons.com
Now listen: do *NOT* post these e-mail addresses in public places, specially forums, you know how bad SPAM can get!
Has anyone noticed that patents may well be the farming and agriculture of the 21st century? Allow me to explain.
During the shift to urbanization, it was common for individuals to keep cattle, chickens, pigs and sheep in the city. The animals would be allowed to roam free and would then be captured and slaughter/sheered as was necessary. It was subsistence living in an urban environment where barter was VERY common.
However, as time went on, factories and other places of employment found that they couldn't get enough workers for the lower level jobs. Why would the poor go work there in a crappy environment, when they could breed their cattle and chickens for rent and food?
So these companies petitioned the government to disallow animals, citing disease and the cause (and to some degree, this was true, especially with large amounts of fecal matter in the city -- but then not everyone had plumbing either). This in turn caused people to starve and move to these companies to be paid in "money".
Now, however, we have patents. Patents force the little guy out of the market (let's face it, no individual can afford to beat MS, IBM, Monsanto, et al in a court where lawyers form 99.9% of your chances) Small companies are forced out of business and big companies get to take over. The small companies are the only real thorn in the side of the bigger ones as they might offer a product that revolutionizes the field, but ends up costing a major conglomerate billions to redevelop their products). So patents force them out of business, causing the owners to work for the mega-corp and thus give the mega-corp control.
Perhaps in a few years, everyone will be working for a mega-corp and that will define our identities. We are theirs after all...
I agree with you wholeheartedly, but from the slightly different perspective. Things like the patent system (or DRM or privacy issues) have become so illogical that there's no way an average person can fight against the system by sane and normal means such as lawsuits, petitions, or elections. The most effective way to get rid of these stupid laws, IMHO, is by making sure that they self-destruct, i.e. become utterly ridiculous in the eyes of the media and the public. So, rejoice when people start filing patents for their navel lint or nasal hair structure. Chuckle gleefully when DRM softwares start taking people's system and create massive security holes. Cackle manically if some wiseguy sues McD for kaching-illion dollars because their "Happy Meal" didn't exactly make him happy. For remember, the candle burneth brightest before it dies out, to rehash a hoary saw. Or at least, we hope.
I frequently post about Intellectual Property in threads like this. Usually I get some responses saying that I'm full of it, and companies wouldn't slash our throats and bleed us dry. I have four words for you:
Are you convinced yet?
There are too many market pressures on monopolizing ideas. A monopoly on an idea gives you an excellent competitive advantage. For some goods, say a book, a copyright is neccessary for you to take a risk and publish the book. For others, it lets you invent things like a cotton gin and make money off of it while being a good citizen and showing the world how it works, and what new technologies you have invented. On the whole, these are to the public's advantage when used wisely.
But a monopoly is always a competitive advantage, even when it isn't in the public's advantage. And currently, business lobbies are pushing to allow more and more kinds of monopolies because they make business sense. Granted, plot patents, business patents, process patents, software patents, copyright on 3 note sequences, etc, etc, etc are not in the public's interest, as we don't carry massive IP portfolios to cross-license or lawyers to fight with. But they do allow large companies to create a massive barrier to entry that only certain industries or monopolies enjoyed before.
There is money to be made in massively expanding the definition of IP to include all ideas. There is more money in eternally owning ideas than in all of the property rights or mineral rights in the solar system. This fight will not be over in our lifetimes.
Even if the USPTO does, it won't matter:
"... the system takes, on average, seven years to churn out a new patent. The vendor has to have deep pockets so it can pay damages, and your solution has to be simple enough to be explained to a jury."
So,not to be TOO obvious, but ...
Isn't it funny how one of the biggest patent trolls sounds custom-made as the target.
The recent supreme court case KSR v Teleflex broadened the test for obviousness a bit. KSR expanded obviousness to include stuff that is "inevitable due to market forces" or "inevitable to try by one practiced in the art" within some unknown limits.
This security bug scheme is borderline obvious under the old test. It is stunningly weak after KSR. Unless the applicant discovers the bug. Hmmmmm.... (whispers: hey f-secure, call me).
Funny, this scheme also encourages folks to reveal security holes immediately because keeping it a "trade secret" leaves the door open for someone else to try to patent the fix. Also, privately alerting the security guys probably leaves the bug open to a patent exploit.
I am a lawyer, but not yours. Anything I tell you might be a total lie intended to benefit my clients at your expense.
Tom Ptacek says:
Patents are a crappy way to lock up the fix for a vulnerability. 10 years from now, it's vanishingly unlikely that your discovery will still be relevant. If it is, you've got better things to do with it than sell it to bottom-feeders.
Here's a better idea: copyright law. Copyright is immediate.
Here's what you do:
Find a vulnerability --- anything; say, memory corruption in some OS service --- and devise a third-party patch for it.
Publish the patch. Only the patch.
But before you do, wrap the patch up in a DRM scheme. An in-kernel, interrupt-hooking virtual machine with an encrypted instruction set should do nicely. It's worth the work; you'll be doing this over and over again. You want people to sweat to figure out how your patch works.
Alert the world to your discovery. You're a hero! You can root any computer on the Internet!
Don't publish the details of the vulnerability. No, wait, don't even allow the details to be published. If anyone figures out how your patch works, sue them under the DMCA. Especially if it's the vendor.
The vendor will, of course, claim they have the right to reverse-engineer your "intellectual property" for security and interoperability purposes. Let the courts decide. In the mean time: nice of them to establish some precedent.
Points to anyone who can prove to me that this doesn't qualify as "responsible disclosure".