Brit says sorry after waving around nonce patent and leaning on sites to cough up

The director of a tiny UK company has apologised after sending letters to businesses suggesting they had infringed his patents that he claimed covered an age-old web standard. The tech in question is the content security policy (CSP) mechanism that websites use to protect their visitors from cross-site scripting (XSS) attacks …

  1. Anonymous Coward

    Well, at least in this case, it was actually his patent, and not one bought in.

    HOWEVER, yet another patent on something obvious. If years back, someone came to me and asked for a way to stop these types of attacks, this would have been my solution. It would also have been the same solution from 99% of the readers here.

    1. Blue Sky Pen

      It’s easy once you know a solution to claim how obvious it was in hindsight. Every football armchair captain does the same thing.

      Patents are not awarded for what is obvious now (years after someone already solved a problem and showed everybody else how to solve it); they’re awarded for what was new and not obvious back then.

      At the time it was patented it wasn’t obvious. It wasn’t a widely published or implemented solution. At least the examiners of the patent didn’t think it was an obvious solution. Maybe they missed some prior art. Hard to say without a court.

      For sure this is definitely something my browser is using right now. IMHO he deserves a bit of respect. He helped publish something everybody now uses. That’s worth something.

      1. a_yank_lurker Silver badge

        The key to getting a patent is supposed to be based on whether it would be 'not obvious to one skilled in the arts'. This standard means it must not be something a person knowledgeable in the specific area would do or try as a solution. If the assertion is correct (it is outside my expertise) that upon reflection anyone 'skilled in the arts' would see this as a potential solution, then it is not supposed to be patentable. However the feral USPTO is notorious for granting patents on something that has been known for 10 or 15 years ('prior art').

      2. Anonymous Coward

        Yes, it was obvious to anyone who does programming with a security angle.

        I'd expect a sophomore comp. sci. student to be able to solve it, when given the details of how the exploits worked.

        As for patents, they are MEANT to be non-obvious, but obvious (to people in the field) patents are granted all the time! I'm sure you know many patents get invalidated after the fact, due to prior art and other complaints.

        As for this guy, I'm not hating on him. He's not a troll, and if he got in there first, then that seems to be the way things work as far as credit is concerned. But by your logic, every single useful piece of software should deserve a patent. The only non-patentable software suite would just be clones of what went before.

        By the way, a quick google brings up this paper on nonces from 2004 - https://www.cs.ucdavis.edu/~rogaway/papers/nonce.pdf

      3. Doctor Syntax Silver badge

        TFA cites a blog post about 6 years earlier than the patent filing therefore obvious to someone else and made public knowledge.

      4. William Coppock

        Thank you for your kind comment.

        I have a deep respect for the idea that the late Gervase Markham had in 2005, but as far as can be told from his blog post and subsequent internal communications in W3C, his idea was abandoned and not put into practice. It seems it was abandoned for the same reason that nobody has heard of Scriptlock until now. The world wasn't ready for it.

        I came up with Scriptlock independently of his idea. My original idea was to see if I could protect against XSS in then current browsers by using JavaScript itself to rewrite JavaScript. As the idea developed I found myself needing to add things in like the password, a server side component, etc. until I had a working prototype, which yes, save for the fact that it does it using JavaScript, does exactly the same job as the CSP nonce.

        Indeed the invention can emulate the CSP nonce in IE10/IE11. So what proof do you need?

        It was a very exciting development. I felt that using a password to authorise the execution of JavaScript in a webpage was going to revolutionise website security and make the internet a more secure place, so I patented it. My very good patent attorneys asked me to conceive of other ways in which it could be done and to create a generalised model, explaining that if you invent a table that extends using flaps and nobody has invented a table before then you claim: a table, a table with legs, a table that extends etc. So that your patent can't be circumvented by doing things slightly differently.

        Unfortunately, just like nobody was interested in Gervase's idea, nobody was interested in my invention. In 2012 I wrote to several of the big companies after my patent was published to see if they wanted to use the product. I got no reply.

        The problem was that CSP1.0 had come along with its white listing techniques and the world had gone stir crazy with moving JavaScript into external script files. The mere mention of inline events became an absolute taboo. So there seemed to be no future for something that promoted inline script and inline events. In fact I remember contacting someone on the now defunct ha.ckers.org website, whose response was, “Interesting…But what does this achieve that CSP[1.0] white listing does not?”.

        Disheartened I let the idea go and went back to my day job, though I kept the website up all this time.

        No, we can't use what we know now to change history: In 2011 nobody practicing the art of computer security believed that embedding a password in plain text into a web page could in any way add to the security of the page. So, as far as can be told, nobody put it into practice. Two different patent examiners agreed. In 2011 I showed it could be done within the browsers available at the time and that it did work. Heck, the original version worked in IE9!

        As to my motives to do something now:

        I am a 45 year old father of six children, two of whom have disabilities, one very severe. 18 months ago I was diagnosed with a rare combination of cancers (Thyroid cancer and Lymphoma), which has left me struggling to function every day.

        For the last six years I have had to watch on as the biggest companies in the world use what looks like my patent… and now I’m struggling to support them and I can’t do anything about it.

        The patent system was devised to protect small inventors like me. But to small inventors patents are worthless. It costs millions of pounds to enforce them and in this case would entail me going up against the biggest companies in the world, which I find a terrifying prospect.

        It was my hope to be able to revive my invention and build up a business based on it with the view that maybe one day I might have the financial strength to address the bigger problem. My letter was simply to seek the support of people benefiting from this invention with a voluntary contribution. I made a gross error in judgement with my approach and choice of words. Sorry.

        I have offered to pay any costs they incurred getting legal advice.

        The fight's been knocked out of me by this cancer, so as I said to Gareth, I'm not sure I can be bothered.

        There is a voluntary scheme in place on my website if anyone does want to contribute.

        William

  2. Arthur the cat Silver badge

    Nonces

    Whichever way you take the word, they've been around since long before 2011.

  3. John Robson Silver badge

    RIP Gerv.

    That's all.

  4. Allonymous Coward

    I didn’t know Gervase Markham had died. Sad to hear that.

    Sorry to hear this other bloke apparently has cancer too, attempted patent troll or no.

    Sometimes life feels too short to worry about boring things like computers or patent law.

  5. Gene Cash Silver badge

    "chancing his arm"

    Awright, I learn something new every day from El Reg...

    1. Anonymous Coward

      Re: "chancing his arm"

      Awright All right.

      There you've learned another thing.

  6. The Man Who Fell To Earth Silver badge
    Alert

    Obligatory Animal House quote

    "So, if you mention extortion again, I'll have your legs broken." - Mayor Carmine DePasto (Animal House, 1978)

  7. DJV Silver badge

    Well done, Mr Plonker!

    So, he was granted a patent on something that already had prior art. Then it looks like what appears to be a devious law firm (and I sometimes wonder if there's any law firm out there that has never done anything devious) has said he can gain monetary benefits by sending out letters that are just short of threatening. Well, he's right about one thing - he's definitely a plonker though that realisation is probably only due to the current backlash!

  8. Potemkine! Silver badge

    law firm

    The best thing law firms are able to do is to issue bills to their customers. For the rest, the quality of service is more random

    1. MNB
      Coat

      Best?

      Issuing invoices is not the best thing that law firms do... It is merely the thing that they do best.

      I'll get my coat on the way out, it's the one with the pedant's hat in the pocket.

  9. Anonymous Coward

    The law is clear

    He was first to file, and receive, the patent. End of discussion. Just because something becomes a standard doesn't mean we can let the law be ridden over roughshod.

    As I see it, the browser and toolkit providers have no option but to license (or buy for a body like the Open Innovation Network) these patents.

    Or do we consider all technology patents like exFAT suddenly null and void?

    What the entrenched power are upset at is that it's a smaller operator doing the patent shakedown for a change and not them. Tough tits. Pay up.

    1. Yet Another Anonymous coward Silver badge

      Re: The law is clear

      RTFM - he was granted the patent in 2011 for an invention that was published in 2005

      The US patent office at the time only considered prior art in other patents - it lets the courts deal with things published elsewhere.

      So if the exFAT included a patent on ordering files by their initial letter - then I suspect that would be null and void.

      1. William Coppock

        Re: The law is clear

        Gerv's 2005 blog post isn't detailed enough to count as prior art because there is not enough information to put the idea into practice, even when combined with other ideas. Even he says in the opening line that it's an idea. An idea is akin to the claims in a patent. Not the actual detail.

        The comments section in the blog shows that it raises more questions than it answers and several posts shoot holes in his idea. For example Luke asks a question and Vi assumes the answer: that the script key is protected by the fact that Javascript cannot run without the key. But this fails to acknowledge that there is a trust/untrust boundary issue with the entire scripting environment and that you actually need to take measures to obscure the script key from untrusted script, whether it be other JavaScript or HTML, because execution is not just coming from the JavaScript. If I recall, even the first production release of CSP nonce got this wrong. It didn't obfuscate the nonce from the DOM. The answer to his boundary issue is discussed at length in my patent and makes its way into both the server and client side components. The boundary issues created by a plain text nonce are very different from the boundary issues relating to other methods so you can't guess the solution from other related ideas such as BEEB, which is based on hashes.

        Another issue not discussed is the conveying of trust and/or protection to newly created ancillary portions of the scripting environment, such as IFRAMES or SCRIPT tags created with createElement. This is akin to the problem only recently solved by the addition of strict-dynamic to CSP nonce, ten years after my patent. My patent describes the problem and process of solving it.

        These are just two examples of things that even if my Claim 1 was debunked, the remaining claims would remain intact and still describe many of the methods needed to implement the CSP nonce successfully.

    2. Martin Silver badge
      Happy

      Re: The law is clear

      By your argument, I could be the first to file and receive a patent on the Revolving Axle-Mounted Transport Assistance Device (RAMTAD) and then - bingo! every car and bicycle owner in the world owes me money. Just because the wheel is a standard doesn't mean my RAMTAD can't be patented.

      Don't think it works like that.

      1. Yet Another Anonymous coward Silver badge

        Re: The law is clear

        “circular transportation facilitation device” beat you to it in 2001

        1. Martin Silver badge
          Happy

          Re: The law is clear

          Maybe, but I think RAMTAD is a much better acronym than CTFD.

    3. Anonymous Coward

      Re: The law is clear

      To be honest, I'm struggling to see how this isn't a "software patent", and thus not eligible for protection via patent in Europe

    4. Andy The Hat Silver badge

      Re: The law is clear

      He has a patent and apparently he was the developer (of what he believed is) a valid patent. In my book he is not a patent troll.

      In that context *we* cannot judge whether the patent is valid or not - that's his decision to enforce his patent through the courts and the court's job to decide whether it's valid or not. No level of jaw ache by people here will make any difference unless they are called as expert witnesses for the case.

      1. Anonymous Coward

        Re: The law is clear

        Except *we* can judge, it just won't be taken notice of. This should never have been granted.

  10. This post has been deleted by a moderator

    1. Yet Another Anonymous coward Silver badge

      Re: Eh?

      Merriam Webster dictionary

      The word was especially used in the phrase for the nonce, meaning "for the one purpose," in Geoffrey Chaucer's "Prologue" of Canterbury Tales:

      In the specific mathematical sense it was used in 1880

  11. Zippy´s Sausage Factory
    Joke

    Worst Patent Troll. Ever.

    Still, at least that's the British way - try, mess it up, and then apologise profusely. Tea, anyone?

    1. DS999 Silver badge

      Re: Worst Patent Troll. Ever.

      As opposed to the Canadian way, where he'd apologize first?

    2. EnviableOne Silver badge

      Re: Worst Patent Troll. Ever.

      exactly what I thought was going to happen with Brexit (might still do ....)

      "apologies for all that leaving and article 50 stuff, let's just forget it all happened and have a jolly good brew...."

  12. Hubert Cumberdale Silver badge

    And there's me thinking that a "cryptographic nonce" was just someone trying to avoid revealing the full contents of his hard drive.

  13. JDPower666 Bronze badge
    Angel

    I really tried to take this article seriously but so much use of the word 'nonce'.

    On the plus side, I learned a new meaning of a word today lol

  14. Blue Sky Pen

    If it was a valid patent

    He would have been better off sending this to the companies that build the major browsers that implemented the technology.

    Whether or not his legal arguments have merit is a subject for the courts. The case belongs there not here.

    1. Cuddles Silver badge

      Re: If it was a valid patent

      "He would have been better off sending this to the companies that build the major browsers that implemented the technology."

      Indeed, and this is why I have very little sympathy for him. Even if he truly believed he had a genuine invention that was being unfairly exploited, he chose to go after a bunch of random small businesses that happened to be using a product instead of the people who actually made the infringing product. If Ford accuse Vauxhall of copying something in a car, you don't get to sue me for driving to the shops. Whatever the merits of the patent itself, there is no excuse for deliberately targeting people who had absolutely nothing to do with any infringement.

    2. Roland6 Silver badge

      Re: If it was a valid patent

      >He would have been better off sending this to the companies that build the major browsers that implemented the technology.

      Not been following the patent law cases - remember MS went after organisations using Linux because according to MS, Linux contained tech that infringed various MS patents...

      Whilst we can question the validity of the patent, what we should actually be questioning is the legality of patent holders going after end-users who have simply enabled available options in a third-party product or combined third-party products in a way obvious to those "skilled in the art"(*)

      (*) As someone in IT, I make sure I only employ people "skilled in the art" so any solution they arrive at is naturally obvious to someone "skilled in the art" and so can't infringe a patent of a bona fide invention...

    3. random boffin

      Re: If it was a valid patent

      Probably did this at the behest of the lawyers.

      Q: Why do sharks not eat lawyers?

      A: Professional courtesy.

    4. fajensen

      Re: If it was a valid patent

      He could get lucky in that they don't bother with the inconvenience of courts and just do a settlement.

  15. DrXym Silver badge

    Shakedown time

    CSP nonces are a pain to implement but the idea is that every script element in the page must declare a random tag that must match the one in the CSP. It's called a nonce because every page request generates a new random tag. If a script block doesn't have the right tag it won't run. The idea being that if someone somehow managed to inject script into the content, e.g. to sniff bank credentials, it still wouldn't work because it would lack the tag and there is no way to extract the tag from the DOM.
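The per-request nonce mechanism described above, as an added worked example that is not part of the post or of any browser's code: the server mints a fresh nonce per response, puts it in the Content-Security-Policy header and on its own script element, and a small (constructed, simplified) model of the browser's check shows which script elements would run. The injected comment and the template that fails to escape it are constructed for the demo.

```python
import re
import secrets
from html import escape


def make_nonce(nbytes: int = 16) -> str:
    """Fresh, unguessable nonce for one HTTP response (base64url text)."""
    return secrets.token_urlsafe(nbytes)


def csp_header(nonce: str) -> str:
    """Policy value that lets only script elements carrying this nonce execute."""
    return f"script-src 'nonce-{nonce}'; object-src 'none'; base-uri 'none'"


def render_page(nonce: str, user_comment: str, escape_user_content: bool = True) -> str:
    """Render the page: the site's own script carries the nonce; user content is
    escaped unless the (deliberately leaky, constructed) template path is chosen."""
    body = escape(user_comment) if escape_user_content else user_comment
    return (
        "<html><body>"
        f'<script nonce="{nonce}">console.log("app boot");</script>'
        f'<div class="comment">{body}</div>'
        "</body></html>"
    )


SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR_RE = re.compile(r"""\bnonce\s*=\s*["']([^"']*)["']""", re.IGNORECASE)


def allowed_scripts(policy: str, html: str) -> list:
    """Simplified model of the browser's decision, one bool per <script> in
    document order: True only if the element's nonce equals the policy's nonce."""
    m = re.search(r"'nonce-([^']+)'", policy)
    policy_nonce = m.group(1) if m else None
    verdicts = []
    for attrs in SCRIPT_RE.findall(html):
        n = NONCE_ATTR_RE.search(attrs)
        verdicts.append(policy_nonce is not None and n is not None and n.group(1) == policy_nonce)
    return verdicts


def demo() -> dict:
    """Constructed scenario: a harmless injected script (console.log only) lands in
    the page through the unescaped template path; the nonce policy still blocks it."""
    nonce = make_nonce()
    policy = csp_header(nonce)
    injected = '<script>console.log("injected")</script>'  # constructed payload
    leaky_html = render_page(nonce, injected, escape_user_content=False)
    safe_html = render_page(nonce, injected)  # escaped: no second <script> exists
    # Header from a different response: even the legitimate script stops matching,
    # which is why the nonce must be generated and paired per request.
    stale_policy = csp_header(make_nonce())
    return {
        "leaky": allowed_scripts(policy, leaky_html),        # [True, False]
        "safe": allowed_scripts(policy, safe_html),          # [True]
        "stale": allowed_scripts(stale_policy, leaky_html),  # [False, False]
    }


if __name__ == "__main__":
    print(demo())
```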

  16. sreynolds Bronze badge

    The bar for patents is too fucking low....

    So much bullshit. No real filtering at the granting stage.

  17. localzuk

    UK law

    So, UK law states that patents must involve an invention - and the law also says software programs cannot be inventions. So, from a cursory look, this UK patent would not survive a challenge in court.

    The UK Patent Office really needs to stop issuing patents to software only systems - they aren't legal, and have been thrown out repeatedly by the courts.

    1. EnviableOne Silver badge

      Re: UK law

      the invention is not the software, but the algorithm that calculates the nonce

      1. sreynolds Bronze badge

        Re: UK law

        Let's not forget the derivatives. Someone invented javascript, and someone needed to invent some thing to make it more secure.

        For example, someone invented patents, and thereafter someone invented the patent troll. Does anyone know the patent number for the patent troll invention?

      2. localzuk

        Re: UK law

        Does the invention have any use outside of software? If the answer is no, then it is a software invention...

  18. FlamingDeath Silver badge

    Patents are a form of theft IMO

    Sure people should be rewarded for their good ideas, but some remote jungle tribe with no contact with the modern world could independently create a patented idea.

    To say Patents are a bit stupid, is probably underestimating human greed

  19. Shez
    FAIL

    reminds me of...

    https://www.theregister.com/2000/06/19/bt_claims_ownership_of_hyperlinks/

  20. RegGuy1 Silver badge

    Extradition...

    Isn't this one of those rare instances when it could be a good idea to get the US to invoke the asymmetric extradition law to deter others?

    If he puts the shits up innocent businesses, putting the shits up him could deter others.

  21. hoofie

    Legal Opinion

    May I refer him and his learned friends to the advice given in the commonly cited precedent of Pressdram vs Arkell ?

  22. richardcox13

    Not over

    https://twitter.com/Scott_Helme/status/1432694034481532928

    They're throwing DMCA takedowns around now...

    1. diodesign (Written by Reg staff) Silver badge

      Re: Not over

      Yeah, we've noticed and are investigating.

      C.
