Friday, October 25, 2013

Originally shared by Andreas Schou

Why I'm Paying Ex Bono For A Former Client: Battelle v. Southfork

As anyone who's been following my stream for the past week knows, late last week an Idaho security startup -- Southfork Security -- was the subject of an unprecedented ex parte data seizure and injunctive order. Between competitors in a single industry, this might be relatively normal. It might be the kind of case which would be worth hashing out at length and enriching the lawyers.

But instead, the day I found out, I sent $500 to my ex-client's legal defense fund. I'm going to send another $500 bucks today. And because I can't take his case pro bono, and am not his lawyer with respect to any related issue, if this drags on, I'm going to keep sending his legal defense fund $500 until I've refunded every last dime he's paid me in legal fees. 

That's how important this is to me. And here's why:

Battelle Isn't A Competitor. It's a Government Contractor.

As many of you might know, Battelle isn't a cybersecurity company. It's an enormous, hypothetically not-for-profit government contractor that runs a number of American national labs. That includes Idaho National Laboratory, which hosts ICS-CERT (the embarrassingly-named 'Industrial Control System Cyber Emergency Response Team') and a number of associated laboratories, each of which is associated with critical infrastructure vulnerability assessment and protection.

This year, Battelle licensed a product it had been working on -- a network visualization, whitelisting, and fingerprinting tool -- to a private company, NexDefense. Southfork Security, my former client, also bid to open-source the software, but withdrew before the competition was over. If you're aware of the state of network security, you're probably aware that this is a solved problem. Perhaps not the special case of industrial control system security, but the principle is not substantially different. 

That leads us to the second problem.

Battelle Tried to Patent Sophia.

Up front, this case is nominally about copyright. I mean, all the pleadings are about copyright, and all the damages are based on copyright, but -- as the complaint mentions here -- the real issue is probably the patent.

On May 23, 2012, BEA filed for a patent entitled “Systems, Methods, and Computer Readable Media for Monitoring Communications on a Network,” Serial No. 13/478,343 (the “Sophia Method Patent”). The named inventors on the patent are the Developers. However, pursuant to their employment agreements with BEA, the Developers have each assigned all right and title to the Patent Application to BEA.

What everyone in the field is aware of, and Battelle is apparently not, is that there is a giant expanse of prior art. And government funds are being used to reach into that prior art, and -- if we, the public, are unlucky -- indefinitely swipe valuable, if not particularly novel, ideas from the public domain. On behalf of a private entity.

If there's an open-source product, the complainant -- that's NexDefense, which after yesterday no longer has a web presence -- might find it impossible to use its taxpayer-funded monopoly to extract license fees from its competitors. That's in the purely hypothetical event that it had a patent, which it doesn't.

Which leads us to our next problem.

Some Basic Googling Would Have Prevented This.

As Corey Thuen discusses at length in his declaration, and has been entered into evidence in the form of commit logs, Visdom's source code has been up on the web since the first stable release. It's on the second page of the Google search results. And its commit logs go back to March, after he took an unpaid leave of absence from Battelle to bid on Sophia.

Although you might notice the plaintiff's claim that the code submitted on March 28th was "substantially complete," you might also notice that (per the declaration) that first commit was only 2000 lines. The last commit brings it up to a total of 19,000 lines. Perhaps I am missing a full understanding of what the phrase "substantially complete" means.

But probably not.

Oh, and it's also in JavaScript. Which is an interpreted language. And the original is in C. Which is a compiled language.

Also, Corey Thuen, who was the only Sophia dev accused, didn't write the back end. Someone else did. That person had never seen Sophia's code. He now works for Battelle, and as far as anyone knows, he disclosed the GitHub address in his COI paperwork.

Battelle Accused Corey of Being a Hacker. This Is What They Hired Him For.

In order to get the most invasive civil evidence order I've ever seen -- an ex parte order for preservation of evidence which required him to shut down his business for the better part of a week -- Battelle's investigator swore out an affidavit claiming that "hackers" are well-known to cover their tracks, and are capable of deleting evidence. And while I suppose that is the case, I -- a lawyer who owns a power drill and an electromagnet -- am perfectly capable of munging my hard drive until it'd be hard to get something off of it.

And here's the difference between me and my belt sander, and Corey and his sophisticated hacking skills:

I am not a guy who has passed incredibly invasive clearance interviews to gauge my propensity to munge my hard drive with a drill, electromagnet, and hammer. Corey Thuen is. When I was asked, when I was interviewed for his clearances, whether he had a reputation for honesty and forthrightness, I didn't hesitate. Of course he does. 

Which is why he's been, for his entire career, an incredibly trustworthy public servant, defending our country from both cyberattacks on our infrastructure and self-serving bullshit from antiterrorism hacks about cyberattacks on our infrastructure. Both of which are incredibly valuable.

They Haven't Dropped Their Lawsuit Yet.

You would think that, after receiving the source code, finding out that it was in the wrong programming language, and running a guy whose business and clearances depend on his reputation through the mud, Battelle would stop digging. 

The problem is they haven't. They're still coming.

As an enormous company that buys legal services in bulk, they can afford to lose this case as slowly as they care to. As two guys who buy legal services at retail, Southfork can't afford to win slowly. Which means that even if they're not bankrupted by an expert-intensive IP suit, they could easily be bankrupted by their own reliance on their attorneys. (Which is not to criticize Brad and Jason at Hawley Troxell. For IP litigators, they're working cheap. This case is just a lot of work.)

So long as Battelle keeps coming, I'm going to keep shoving money into Southfork's bankroll. I guess I'll just call it ex bono -- I've already done the work. I'm just giving them their cash back for it, because I believe in what they're doing.

If you care about software patents, or open-source software, or public-private coercion, or government overreach, or big corporations crushing the little guy, there's something here to outrage anyone of any political orientation. This is an important issue.

So let's tilt at some windmills. Because, seriously: screw this windmill. 
http://www.indiegogo.com/projects/visdom-legal-defense
