There is little doubt that the US Patent and Trademark Office is in need of some serious upgrades. For too long the Federal Government has siphoned off the money the patent office generates without investing enough back in the way of resources that are sorely needed to keep up with today's digital domain. As a result we see a fair number of patents that on their face seem to be obviously improper, usually because the process being patented seems to be one that has been in use well before the patent was applied for, let alone issued (which can take years). A perfect example of this is the curious case of patent 232, or more properly Patent No. 7185232.
Now I, like many in the open source community, have a problem with patents to begin with. But 232 is an even tougher pill to swallow. Patent 232 was applied for back in 2002 and was granted in 2007 (that delay alone should tell you about the state of our patent system). It was granted to an application security company called Cenzic. The patent is for "Fault injection methods and apparatus". According to the web site Stop232.com it covers:
The problem is that this type of program has been widely used by penetration testers and other security folks for many years, and it would appear for many years prior to the patent application. Part of the patent granting process is supposed to be a check for prior art. But really, unless the patent office has experts in the application security testing field, how would they know about this? That is exactly why we need to overhaul the system. The patent was granted in 2007. You would think that in the 4 to 5 years it took to grant the patent they would have done some digging for prior art.
Upon being granted the patent, Cenzic at first went after SPI Dynamics, which was being sold to HP. After that their next target was IBM. Hey, what the heck: if you are going to go after some deep pockets, those are two of the deeper ones. Both of those claims ended in cross-licensing deals between Cenzic and HP and IBM. My sources tell me that no money was exchanged on either deal. Cenzic was already paying IBM for using one of their patented processes, so they got a better deal as a result of the agreement.
So now Cenzic began looking around for who else they might be able to extract some money from. It appears their next target was a company called NT Objectives. Now you may not have heard of NT Objectives before. Two friends of mine, Matthew Cohen and Dan Kuykendall, are the co-CEOs. When Cenzic contacted them looking for licensing fees, Dan and Matthew looked around and said hold on. There are numerous instances showing that what Cenzic's patent is about was in use well before the patent was applied for, let alone granted.
A great illustration of this is a blog post by another friend of mine, Chris Eng. Chris is with Veracode, and back in 2007, with the original HP suit, Chris called BS on this patent. Chris points out two different tools he was using back in 2001 that did just this. From speaking to others in the community, those are not the only two either. In fact the popular security site Security Focus published code for this kind of thing before the patent was applied for as well. At best this should have been a defensive patent; instead it is being used as a hammer.
So, being threatened with litigation, NT Objectives moved for a declaratory judgment against Cenzic's claims. Cenzic, playing the part of the blushing bride, dressed in white and left at the altar, then had "no choice" but to sue NT Objectives. But let's be clear here: the NT Objectives team felt as if a gun was pointed at their head by Cenzic and they had to act. I don't know what Cenzic was looking for in the way of licensing fees, but it was not trivial.
Now NT Objectives is asking those in the community to help gather evidence of prior art. Enrique Montellano has set up a web site called Stop232Patent.com to help gather the evidence. But let's be clear: this patent goes well beyond NT Objectives and even web application scanners. Many think this patent can apply to any vulnerability scanner, like those used by Qualys, Rapid7, Metasploit, etc. This could have a major impact on the industry.
Now of course, trying to exert a patent like this on a community of security researchers and pen testers is a risky proposition. Generally they are not the kind of folks you want to upset. For proof, have a look at what happened to security firm HBGary and the folks at Anonymous. But in a case of delicious irony, the same folks who brought us HBGary were also some of the founders of Cenzic. Maybe they didn't learn their lesson?
In any event, this is big news in the security world. But it is equally important in open source software. If patents are a necessary part of the landscape, we have to do a better job of making sure that when a patent is issued, it is truly a valid patent for something that someone is doing differently than anyone else has done before.
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from start-up to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.