Vulnerability Patents

Thomas Ptacek | June 6th, 2007 | Filed Under: Defenses, Uncategorized

You wouldn’t normally want to dignify something like this, but it’s too interesting for me to pass up. Hat tip to Naraine for the headsup.

Intellectual Weapons is a “venture” that plans to solicit vulnerabilities from researchers so that the fixes can be patented and ransomed to vendors. Nice, huh?

Here’s why you shouldn’t care: it takes over 7 years (from the time you complete a filing) to have a patent issued. It takes many more years to initiate, litigate, and prevail in a patent claim, especially against an established software vendor. And that presumes you do prevail, which you likely won’t.

“Intellectual Weapons” has thought of this, of course: they’re not actually filing US Patents, which would be futile. Instead, your “intellectual property” will be enforced in venues that offer “utility models” (patents-lite), including various EU countries as well as places like Belarus and Tajikistan.

Would it be possible for an outfit like “Intellectual Weapons”, exploiting the services of contingency-fee lawyers, to get an injunction against a Microsoft security fix in the Republic of Moldova? Anything’s possible. My money is on: this never happens. Not worth it, to anybody. The problem with international patents is that you have to fight them out jurisdiction-by-jurisdiction. In this case, you’d be slogging through those fights for a shot at a tiny sliver of the revenue generated by the products you’re targeting. This is nothing like NTP vs. RIM, where NTP’s claims enabled RIM’s entire product.

Here’s why you should care: “Intellectual Weapons” isn’t nearly the first company to come up with this. Some companies have done this quite successfully, particularly with cryptography. You can absolutely patent a defense against an attack; if you discover the attack and patent every conceivable fix, and that attack is meaningful, you’ve got a very valuable piece of IP. By all means, if you break all known hash functions, or come up with a reliable remote side-channel attack that breaks TLS/SSL, patent away! 10 years from now, you might get a few tens of millions of dollars from it.
