I think he holds both patent and prior art ...
... on being an attention-seeking self-aggrandizing loud-mouthed bellend.
Twitter is the latest major web service to beef up its security with two-factor authentication (2FA). The security feature is a pretty simple and effective approach - and one the notorious Mega kingpin Kim Dotcom claims today to have invented back in the '90s. Two-factor auth is a simple process for verifying that the user …
"Also, he's a hero. People hate, but effectively he's living the dream. Doesn't matter how he got there."
I'm not aware of this new definition of hero. Usually the dictionary suggests selflessness rather than convictions for fraud and blatant attempts at IP theft as criteria for the honorific.
So it sounds like he did invent it, with the caveat that someone else got there just before him. But presumably he was not aware of that and did not copy the others. This sort of thing is very common: http://en.wikipedia.org/wiki/Multiple_discovery
Of course, it's possible that Kim Dotcom did copy other people's ideas and then patent them, but it seems like a conclusion you'd come to if you hated Kim Dotcom, rather than the one Occam's razor would suggest.
Ordinarily, I would support your statement.
Having followed Kimble's career with interest for the past 15 years or so, I will make an exception in this case and suggest that patenting previously patented stuff for the purposes of claiming to have invented it in the future is the correct explanation.
To do anything more than basic banking at Natwest, I have to put my card into a battery-operated unit and type a code that the website generates into it and then type the code the unit generates into the website. This verifies that I have physical possession of the card that is tied to my account. Is this not a form of 2 step authentication? What about USB dongles or smartcards that are needed to log in to a computer system (after entering username and password)? Is this not also 2 step authentication? OK, so this specific example is via SMS but the mechanism is essentially the same - we could even simplify the system further and refer to 2 step authentication as handshaking - in which case it's been around for donkey's years. This of course is the biggest problem with patents - common sense says that it is describing a system that already existed in a different form (think "to lock the door / gate you slide the bolt into the hole and to unlock it you slide the bolt back out of the hole": the process is the same whether it is physical or virtual).
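The card-reader exchange described in the comment above, sketched as an added example that is not part of the original post. It uses HMAC-SHA256 over a per-card key as a stand-in and is not the bank's actual scheme; the `Website` class, `card_response`, the 8-digit codes and the 120-second lifetime are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 120  # seconds a challenge stays valid (assumed value)


def card_response(card_key: bytes, challenge: str) -> str:
    """What the hand-held reader computes: an 8-digit code bound to the challenge."""
    mac = hmac.new(card_key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Website:
    """Hypothetical server side, holding a copy of each card's key."""

    def __init__(self, card_keys):
        self.card_keys = card_keys
        self.pending = {}  # account -> (challenge, issued_at)

    def issue_challenge(self, account, now=None):
        challenge = f"{secrets.randbelow(10**8):08d}"
        self.pending[account] = (challenge, time.time() if now is None else now)
        return challenge

    def verify(self, account, response, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(account, None)  # single use: gone after any attempt
        key = self.card_keys.get(account)
        if entry is None or key is None:
            return False
        challenge, issued = entry
        if now - issued > CHALLENGE_TTL:
            return False  # stale challenge
        return hmac.compare_digest(card_response(key, challenge), response)


def demo():
    key = secrets.token_bytes(32)  # constructed sample card key
    site = Website({"alice": key})
    resp = card_response(key, site.issue_challenge("alice", now=1000.0))
    ok = site.verify("alice", resp, now=1010.0)
    replay = site.verify("alice", resp, now=1011.0)  # same code reused
    c2 = site.issue_challenge("alice", now=2000.0)
    late = site.verify("alice", card_response(key, c2), now=2000.0 + CHALLENGE_TTL + 1)
    c3 = site.issue_challenge("alice", now=3000.0)
    wrong_card = site.verify("alice", card_response(b"another card", c3), now=3001.0)
    return ok, replay, late, wrong_card
```

Only the first attempt succeeds: the replayed code, the expired challenge and the response from a different card are all rejected, which is what ties the login to possession of the card.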
ATM cards are weak 2FA. For an unskilled attacker, there are two factors: the PIN ("thing you know") and the card itself ("thing you have"). Skilled attackers, though, can get the PIN from the card - it's on the magstripe - or, if they get your PIN and account information through other means (eg a skimmer) can duplicate the physical card.
ATM cards are thus a good example of using 2FA to prune the most prominent branches from the attack tree and raise the work factor above profitability for most petty criminals - at least before cheap skimmers became widely available.
So yes, obvious prior art for 2FA in general - which is not what this patent claims, but is what its holder is claiming.
Dotcom claims: "I never sued them. I believe in sharing knowledge & ideas for the good of society. But I might sue them now 'cause of what the US did to me."
Except that the filings in the opposition procedure at the European Patent Office say otherwise. In particular, in a letter from his European patent attorney, dated January 22 2010 and available through https://register.epo.org/espacenet/application?documentId=EPV3JPRS0966J10&number=EP98100688&lng=en&npl=false , he asks for an acceleration in the proceedings, because (in German):
"Die Patentinhaberin erwägt die gerichtliche Durchsetzung des korrespondierenden US-Patents (US 6 078 908) in den USA."
Translated:
"The patentee is considering the legal enforcement of the corresponding US patent (US 6 078 908) in the USA."
This was almost two years before his arrest... He isn't just a leech and a patent troll, he's also a very bad liar indeed...
Can we stop calling him "Kim Dotcom" and go back to his former name of KIMBLE? El Reg, you used to absolutely skewer this fat charlatan back in the day. "Innovator..." my arse. He "innovated" his crack team of skript kiddies after 9/11 called "YIHAT" who then proceeded to do...nothing, but pretended they were hax0ring Islamic banks. He "innovatively" defrauded stupid venture capitalists and went on the run, before being arrested and proclaiming himself "King Kimble of the Kimpire" (and then threatening suicide).
Too bad Kimble's unintentionally hilarious homepage at kimble.org no longer exists...those awful animations of him as a "secret agent" making Bill Gates piss himself were comedy gold.
Go to attrition.org's charlatan page for a better dossier on this so-called "innovator." Brilliant scammer? Maybe. "Innovator?" Heh.
Oh, Texas is absolutely full of illiterate, inbred rednecks. The courts there being no exception. Patent trolls LOVE taking their cases to the district court for the Eastern District of Texas, as they favor the patent holder an exceptionally high percentage of the time. (I'm not saying Dotcom is a patent troll by any means, but he would want his case done there.)
Just to go further back, was not the return dial-up feature a form of 2-way authentication? You dialed the modem you wanted to connect to, e.g. say a security system, then hung up, and it would dial you back to confirm it was in fact that connection. Not sure if that was patented though.
No, that's not two factor authentication, I thought.
But then I realised that it is exactly analogous to the SMS code thing. Having provided a name you prove you have the phone linked to your name. I used that in the late 80's although it was touted as a way of saving money, not for authentication.
On the other hand, in the mid nineties I used the RSA two-factor token which was already well-established by then....
If Kim CantDecide did invent 2FA he must have sat on it for a very long time while passing it on to world+dog thereby invalidating his own patent ...
Dial-back coupled with a conventional credentials (username/password) check is indeed two-factor authentication. One factor is a "thing you know" - the credentials. The other is a "thing you have": the phone number that the system will call back to. In this case the "thing you have" factor is a virtual rather than physical possession, but it still behaves like a possession for authentication purposes.
(Dial-back without a separate login of some sort, either before or after the connection is made, is not 2FA, unless the number you initially call is secret. Then it becomes a key, but a decidedly weak one.)
Similarly, location-specific authentication systems, where you can only sign in to a particular account if you're using a specific physical terminal, are 2FA, though whether the second factor counts as a "thing you have" (physical access to the terminal) or a "thing you are" (your location) is a philosophical question. (Usually the "thing you are" class of factors refers to biometrics, but more generally it refers to attributes of the user that aren't possessions or knowledge.[1]) Such systems are still used with many mainframe installations, for example.
[1] Though complicating the question still further is the fact that some researchers like to restrict the "thing you are" category to attributes that are difficult to alienate - i.e., rarely lost, and difficult or expensive to transfer to another user or attacker. That's claimed as an advantage for biometrics, though it's also held up as a disadvantage of biometrics, since few of us keep secrets that we want to lose, say, a finger over. Your location is an eminently alienable attribute, which makes it in this sense more like a "thing you have". What this really shows is that the know/have/are schema, while a useful introduction to the idea of multifactor authentication, is a poor theoretical framework. What security experts really mean (or really should mean) by two-factor authentication is "two factors with significantly disjoint threat models".