LogAnalysis
[logs] Eventlog to syslog Feb 29 2008 12:59PM
Marcelo de Souza (marcelo marcelosouza com) (3 replies)
Re: [logs] Eventlog to syslog Mar 06 2008 10:49PM
Anton Chuvakin (anton chuvakin org) (1 replies)
[logs] SYSLOG patent? Mar 12 2008 08:16AM
A Ananth (ananth802 yahoo com) (1 replies)
Re: [logs] SYSLOG patent? Mar 14 2008 11:18AM
Stefano Zanero (zanero elet polimi it) (1 replies)
Re: [logs] SYSLOG patent? Mar 14 2008 04:22PM
Balazs Scheidler (bazsi balabit hu) (4 replies)
Re: [logs] SYSLOG patent? Mar 15 2008 03:15AM
Bill Scherr IV (bschnzl cotse net) (1 replies)
Re: [logs] SYSLOG patent? Mar 15 2008 11:29PM
Marcus J. Ranum (mjr ranum com)
A couple comments about patents - speaking not as a lawyer, but as someone who has been involved as an expert explaining the technical side of numerous IDS and firewall patents to lawyers...

The objective of someone filing a patent is to make it as broad as possible while still containing a few unique ideas. The patent is granted based on the unique claims; i.e.: it is very unlikely that this represents a patent for syslog. I have not reviewed the patent's claims in detail but it sounds like this covers _A_ specific method of transferring system logs.

You'll notice, for example, that the patent is entitled "The method for..." but the introduction of the patent says "A method for..." This is a critical distinction. :) Nobody is going to be able to patent THE method, but pretty much anyone can patent A method as long as it's unique and is not obvious to a skilled practitioner. You'll note that in the preamble to the patent it describes using TCP syslog as well as TLS. What the patent's author is doing there is marking those as clear prior art, upon which they will advance claims of further innovation. In fact, the system that is then described in the patent (the stuff that is actually being patented) is the technique of sending specially constructed syslog messages to step up or step down encryption.

That's a perfectly legitimate thing to patent and "so what?" comes to mind.

They do not have a patent over syslog or _THE_ method of transferring logs. In fact, they called out the idea of using syslog over TLS over TCP as prior art, which is nice because now anyone who reviews patents on syslog will find this patent and review the prior art and won't attempt to patent either syslog over TCP or syslog over TLS over TCP.

Let me give an example of how a patent regarding syslog might work. Suppose I patent the idea of syslog over UUCP, with the messages encrypted as PGP messages. That's a perfectly legit patent to write - but it does not give me claims over any of: syslog, PGP, or uucp. It's simply the combination of those components into a complete system. Someone could challenge that patent by arguing that the combination is obvious to a skilled practitioner, to which I would reply, "then how come nobody has done it yet?" The answer is "because it's stupid" but that would not invalidate the patent.

In the case of this patent, the patent holders are extremely unlikely to attempt to enforce this patent on anyone, unless some large vendor made the mistake of thinking "oh, that's a good idea!" and simply adopting their approach or something quite close to it. In other words, a large vendor would be well-served to adopt a standards-based approach (like using TLS!) because at that point the "obvious to a skilled practitioner" kicks in. I doubt anyone would want to try to argue that using a VPN to protect syslog data, for example, would be covered by this patent and was non-obvious.

So, to recap:
The goal of a person writing a patent is to make it sound as broad as possible.
The goal of a person reading the patent is to identify where prior art is described and see what claims the patent makes above and beyond the prior art.

There are lots of tricks that are played with patents these days. For example, there are some jurisdictions that are notoriously friendly to patent litigation (circuit court judges who used to be patent lawyers - not that I'm saying that they're on the take or anything, but...)* much like there are jurisdictions that specialize in asbestos cases. We have the best justice system money can buy. Some companies have a corporate strategy of filing for patents and hoping they hit one; then they relocate to the patent-friendly jurisdiction and begin demanding royalties from small companies that are likely to settle instead of facing a lawsuit. The theory is that if they can get 3 or 4 small companies to settle then they can try to squeeze a settlement out of Microsoft, IBM, or Cisco. The good news is that those 3 companies have very good legal teams and generally are going to shrug off that kind of trick unless the patent really is good and covers something unique about something important. Those of us in infosec will be happy to know that the prior art for core security stuff like signature checking, firewalls, and intrusion detection has been very broadly established and - even though PTO appears to allow one or 2 stupid IDS patents a year - they are mostly garbage patents that evaporate like a B-movie vampire exposed to daylight.

Why do companies keep filing these garbage patents? Because many VCs are very technically unsophisticated and often start-ups will inflate the apparent value of their company by making it look like "ZOMG! We have a PATENT on SYSLOG!" In some of the expert work I've done in the last year I've had the dubious pleasure of attempting to adjust VCs' expectations on the value of their portfolio companies; this gets interesting and a bit stressful. Try explaining to a VC that the company they thought was worth $100 million because they have a patent on "firewalls" is really worth only, at best, 2x leading revenues because they are NOT going to sue Checkpoint for $50 million and win - it's especially fun when the management team of the company is sitting across the table from you while you're doing it. As I explained to my dad, once, when he asked me what I do for a living: "I am a professional a**hole." Anyhow, when I was running a start-up of my own back in the late 90's one of the questions I got every single board meeting was "do we have any patents, yet?" So finally we filed some patents for detailed parts of our system, and that made them happy.

Companies also play games with the patent office. First thing you need to know is that examiners are graded on how many patent actions they do. So each examiner is expected to do a certain number of patent-related things a day. One of those things can be "reject". So if you're a lazy examiner, you reject every single patent you see the first time it hits your desk - and then you look very busy. This makes the patent lawyers happy, too, because then they can appeal the patent and charge the company a whole bunch more money for re-submitting basically the same document. Another trick I've seen done is what's called "examiner stuffing." Basically, the idea is to submit a small tractor-trailer load full of documentation as "prior art." The examiner is not going to actually READ all of that because it would take too long - so they simply leave it attached to the patent as prior art that (in theory) was examined and found not to invalidate the patent. Patent lawyers love this approach, too, because it makes lots and lots of work for them for each patent that gets applied for. I was an expert on a case several years ago in which the "prior art" consisted of 4 coffin boxes of solid paper - a total of 120lbs of prior art approximately 60,000 pages. The prior art completely invalidated the patent but obviously the examiner had not read any of it. Great, huh? Unfortunately for the company with that particular patent, some of the prior art they forgot to include was conference publications from their own employees, years before the patent was filed, which described the system in detail. Oops. Poof. Of course the lawyers loved this because the lawyers on each side of that case got a couple hundred thousand dollars worth of billable hours, and, well, it didn't hurt the experts a whole lot either. I mean, anytime someone wants to pay me hundreds of dollars an hour to sit in a rocking chair on my porch with a beer and my dogs and review 60,000 pages - well, you know how to get hold of me. It was not a bad way to spend a summer.

The patent system is utterly broken. But, as one patent lawyer I did some stuff for once said, "it's broken, but it SURE IS GREAT!"

mjr.
(* they're on the take)
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis

Re: [logs] SYSLOG patent? Mar 14 2008 08:13PM
Stephen John Smoogen (smooge gmail com)
RE: [logs] SYSLOG patent? Mar 14 2008 06:22PM
Rainer Gerhards (rgerhards hq adiscon com) (2 replies)
RE: [logs] SYSLOG patent? Mar 14 2008 06:46PM
Dee-Ann LeBlanc (dee splunk com)
Re: [logs] SYSLOG patent? Mar 14 2008 06:44PM
Ray Van Dolson (rvandolson esri com)
RE: [logs] SYSLOG patent? Mar 14 2008 06:15PM
Rainer Gerhards (rgerhards hq adiscon com)
Re: [logs] Eventlog to syslog Feb 29 2008 07:37PM
Anton Chuvakin (anton chuvakin org) (2 replies)
RE: [logs] Eventlog to syslog Feb 29 2008 09:06PM
Rainer Gerhards (rgerhards hq adiscon com)
Re: [logs] Eventlog to syslog Feb 29 2008 08:33PM
Daniel Cid (dcid ossec net)
Re: [logs] Eventlog to syslog Feb 29 2008 07:27PM
tbird precision-guesswork com (2 replies)
Re: [logs] Eventlog to syslog Feb 29 2008 09:10PM
David Corlette (DCorlette novell com) (1 replies)
[logs] wny not syslog on microsoft platforms Feb 29 2008 11:13PM
Rodney Thayer (rodney canola-jones com)
Re: [logs] Eventlog to syslog Feb 29 2008 08:52PM
Rodney Thayer (rodney canola-jones com) (2 replies)
Re: [logs] Eventlog to syslog Feb 29 2008 11:02PM
Anton Chuvakin (anton chuvakin org) (1 replies)
Re: [logs] Eventlog to syslog Feb 29 2008 11:49PM
Marcus J. Ranum (mjr ranum com)
Re: [logs] Eventlog to syslog Feb 29 2008 10:17PM
tbird precision-guesswork com (4 replies)
RE: [logs] Eventlog to syslog Mar 03 2008 09:53PM
Desai, Ashish (Ashish Desai fmr com)
Re: [logs] Eventlog to syslog Mar 03 2008 07:08PM
Patrick Hull (nethead69 gmail com) (2 replies)
Re: [logs] Eventlog to syslog Mar 03 2008 08:47PM
David Corlette (DCorlette novell com) (1 replies)
Re: [logs] Eventlog to syslog Mar 03 2008 09:20PM
Patrick Hull (nethead69 gmail com)
Re: [logs] Eventlog to syslog Mar 03 2008 07:58PM
Mark Bagley (mbagley splunk com)
Re: [logs] Eventlog to syslog Feb 29 2008 11:56PM
David Corlette (DCorlette novell com)
Re: [logs] Eventlog to syslog Feb 29 2008 11:46PM
Andrew Hay (andrewsmhay gmail com) (2 replies)
Re: [logs] Eventlog to syslog Mar 01 2008 02:31AM
A Ananth (ananth802 yahoo com) (1 replies)
Re: [logs] Eventlog to syslog Mar 01 2008 02:55AM
Andrew Hay (andrewsmhay gmail com) (2 replies)
Re: [logs] Eventlog to syslog Mar 02 2008 08:34PM
Rodney Thayer (rodney canola-jones com)
Re: [logs] Eventlog to syslog Mar 01 2008 03:05AM
A Ananth (ananth802 yahoo com)
Re: [logs] Eventlog to syslog Mar 01 2008 02:17AM
Rodney Thayer (rodney canola-jones com)

Copyright 2010, SecurityFocus