[ISN] New Firm Eager to Slap Patents on Security Patches

From: InfoSec News (alerts@private)
Date: Fri Jun 08 2007 - 07:05:02 PDT


http://securitywatch.eweek.com/patches/new_firm_eager_to_slap_patents_on_security_vulnerabilities.html

By Lisa Vaas 
June 7, 2007

Security researchers, are you tired of handing your vulnerability 
discoveries over to your employer, as if that were what you're paid to 
do? Helping vendors secure their products —for free— so that their 
users won't be endangered by new vulnerabilities? Showing off your hacking 
prowess to your friends, groveling for security jobs or selling your 
raw discoveries to middlemen for a fraction —a pittance— of their real 
value?

Take heart, underappreciated, unremunerated vassals, for a new firm is 
offering to work with you on a vulnerability patch that they will then 
patent and go to court to defend. You'll split the profits with the 
firm, Intellectual Weapons, if they manage to sell the patch to the 
vendor. The firm may also try to patent any adaptations to an intrusion 
detection system or any other third-party software aimed at dealing with 
the vulnerability, so rest assured, there are many parties from which to 
potentially squeeze payoff.

Intellectual Weapons is offering to accept vulnerabilities you've 
discovered, as long as you haven't told anyone else, haven't discovered 
the vulnerability through illegal means and don't have any legal 
responsibility to tell a vendor about the vulnerability.

Also, the vulnerability has to be profitable—the product must be "highly 
valuable," according to the firm's site, "especially as a percentage of 
the vendor's revenue." The product can't be up for upcoming 
phaseout—after all, the system takes, on average, seven years to churn 
out a new patent. The vendor has to have deep pockets so it can pay 
damages, and your solution has to be simple enough to be explained to a 
jury.

Because goodness, you will be looking at juries and lawyers, you can 
count on that. Intellectual Weapons says this isn't for everybody. The 
firm says it "fully [anticipates] major battles."

"We need people who have the emotional stability and the tenacity to 
persevere with each project—from describing the vulnerability, and 
helping develop the fix, through to generating and enforcing the IP," 
the firm states on its site.

Patenting may be a new twist, but the idea of profiteering from 
vulnerabilities is nothing new. iDefense Labs has its Vulnerability 
Contributor Program, and TippingPoint has its Zero Day Initiative. Even 
the Mozilla Foundation tried it, although of course the open-source 
software project dedicated funds to bugs found in only its own code.

The blogosphere is frothing.

"Nice. The race to the bottom started by [TippingPoint parent company] 
3Com and [iDefense] is now complete. I for one hope that Matasano is 
able to use this idea in regards to a TippingPoint vulnerability," wrote 
Chris_BJune in a response to a blog from security firm Matasano's Thomas 
Ptacek.

According to Ptacek, the reasons why nobody should care about 
Intellectual Weapons include the fact that the time required to 
complete a patent filing is over seven years. Add on to that the years 
it will take to "initiate, litigate and prevail in a patent claim, 
especially against an established software vendor," Ptacek said. 
"Presuming you do prevail; you likely won't."

Intellectual Weapons has plans to deal with these inconveniences, 
however. The company says that it may try to use a Petition to Make 
Special in order to speed up the examination process when filing a U.S. 
patent. Another strategy the firm proposes using is to go after a 
utility model rather than a patent—a utility model being similar to a 
patent but easier to obtain and of shorter duration—typically six to 10 
years.

"In most countries where utility model protection is available, patent 
offices do not examine applications as to substance prior to 
registration," the company says. "This means that the registration 
process is often significantly simpler, cheaper and faster. The 
requirements for acquiring a utility model are less stringent than for 
patents."

Ptacek calls utility models "patents-lite." Other nicknames are "petty 
patent," "minor patent" and "small patent." Such patent workarounds are 
available in some EU countries and other countries including Argentina, 
China, Malaysia, Mexico, Morocco, Philippines, Poland, Russia, South 
Korea and Uzbekistan.

"Would it be [possible] for an outfit like 'Intellectual Weapons,' 
exploiting the services of contingency-fee lawyers, to get an injunction 
against a Microsoft security fix in the Republic of Moldova? Anything's 
possible," Ptacek said.

He doesn't believe it will happen, however, given that international 
patents have to be fought jurisdiction by jurisdiction. "In this case, 
you'd be slogging through those fights for a shot at a tiny sliver of 
the revenue generated by the products you're targeting. This is nothing 
like NTP vs. RIM, where NTP's claims enabled RIM's entire product."
