Vulnerability Patents
Thomas Ptacek | June 6th, 2007 | Filed Under: Defenses, Uncategorized
You wouldn’t normally want to dignify something like this, but it’s too interesting for me to pass up. Hat tip to Naraine for the heads-up.
Intellectual Weapons is a “venture” that plans to solicit vulnerabilities from researchers so that the fixes can be patented and ransomed to vendors. Nice, huh?
Here’s why you shouldn’t care: it takes over 7 years (from the time you complete a filing) to have a patent issued. It takes many more years to initiate, litigate, and prevail in a patent claim, especially against an established software vendor. Presuming you do prevail; you likely won’t.
“Intellectual Weapons” has thought of this, of course: they’re not actually filing US Patents, which would be futile. Instead, your “intellectual property” will be enforced in venues that offer “utility models” (patents-lite), including various EU countries as well as places like Belarus and Tajikistan.
Would it be possible for an outfit like “Intellectual Weapons”, exploiting the services of contingency-fee lawyers, to get an injunction against a Microsoft security fix in the Republic of Moldova? Anything’s possible. My money is on: this never happens. Not worth it, to anybody. The problem with international patents is that you have to fight them out jurisdiction-by-jurisdiction. In this case, you’d be slogging through those fights for a shot at a tiny sliver of the revenue generated by the products you’re targeting. This is nothing like NTP vs. RIM, where NTP’s claims enabled RIM’s entire product.
Here’s why you should care: “Intellectual Weapons” isn’t nearly the first company to come up with this. Some companies have done this quite successfully, particularly with cryptography. You can absolutely patent a defense against an attack; if you discover the attack and patent every conceivable fix, and that attack is meaningful, you’ve got a very valuable piece of IP. By all means, if you break all known hash functions, or come up with a reliable remote side-channel attack that breaks TLS/SSL, patent away! 10 years from now, you might get a few tens of millions of dollars from it.


ol
June 7th, 2007 2:20 am
So should they have patented rainbow tables?
Dan Weber
June 7th, 2007 9:39 am
In my experience, patents issue much quicker than 7 years. Maybe 3 or 4 years. Which is still rather slow for what IW wants to do.
ShawnF
June 7th, 2007 11:55 am
As you alluded to, that’s what happened with DPA. First the attack came, quickly followed by all (most?) countermeasures to the attack; patent applications were submitted for everything. The IC manufacturers who were affected by the attack developed countermeasures. Of course they were the same ones. Circa 8 years later the patents came through. Now the card vendors are being asked to pay a lic fee. BRILLIANT!