web application security lab

Cenzic Sues SPI Dynamics Over Scanning Patent

It looks like Cenzic is suing SPI Dynamics (now owned by HP) over a patent infringement. Cenzic has patented fault injection. Cenzic obviously feels confident that SPI is infringing on the technology they have patented. It’s a strange move, given how many people have a vested interest in making this patent go away. Now that Cenzic has become litigious, it seems like it would be in the best interest of the industry, and indeed of every company anywhere that uses other scanning technology, to get the patent thrown out. I didn’t care about this when I first read about it, but now that Cenzic has taken to suing companies, I feel compelled to take action.

Personally I hope that SPI wins this and the patent is thrown out, for a number of reasons. I think the patent is obvious, that the technique was practiced prior to their claims, and that it has been independently invented by dozens of people and companies over the years who released their findings under various copyrights and licenses (myself included: I built a number of tools that injected specific faults into systems as early as 1995, and let’s not forget SATAN, written in 1993, and things like the PHF scanning worms in 1996). But most importantly, it’s hostile to the industry as a whole. It would only make things far more difficult, inhibit innovation and reduce our ability to secure the Internet as a whole. I have nothing against Cenzic, but this patent must die. In the meantime, until this patent is thrown out, you are taking a risk if you have built any fault injection scanning technology that does not license Cenzic’s patent. Everyone else, please submit your prior art to the comments of this post or to SPI’s lawyers as you see fit.

18 Responses to “Cenzic Sues SPI Dynamics Over Scanning Patent”

  1. Thomas Says:

    There is very little innovation in the security field that is not derived work. I hope Cenzic gets sued for being retarded.

    No one tried some kind of fuzzing before February 28, 2002 then?

  2. Thomas Says:

    1990 fuzz paper: ftp://ftp.cs.wisc.edu/paradyn/technical_papers/fuzz.pdf

  3. Ronald Says:

    In my country (NL) they would fail due to our fair trade commission. It’s illegal to gain a monopoly for one company in my country, and for good reason. This really sucks, Cenzic. Let’s patent the air Cenzic is breathing; it’s basically the same: you kill something.

  4. MikeA Says:

    A while back I had a good look at this patent and certainly came to the conclusion (along with several other experts and people in law) that it just wasn’t defensible. However, it costs a lot of money to attack a patent, not to mention the potential risk of losing. In the end we decided it just wasn’t worth the risk.

    I’m hoping that HP does go ahead and attack the patent, both to protect themselves and as a service to the community (is there any way we can get in contact with them to voice our support and possible service?), as they certainly have deep enough pockets to do so.

  5. zeno Says:

    SPI has existed longer than Cenzic and will easily show prior art in their own product. This is a pretty weak move by Cenzic and shows just how desperate they are.

  6. David Byrne Says:

    Funny stuff. Cenzic must be bitter for having been left out of the acquisition game. I wonder how they chose HP (http://support.openview.hp.com/SPY_Dynamics_Support.jsp) over IBM (http://www-306.ibm.com/software/rational/welcome/watchfire/).

    This really smacks of desperation. They’re probably not as desperate as SCO was, but they have to know this suit is a long shot, especially given recent rulings like KSR v. Teleflex.

  7. Erich Says:

    The timing on this seems suspect. I’m sure the lawsuit is less about the technology and more about HP’s acquisition of SPI.

    Anything that slows a smooth transition works to Cenzic’s advantage.

  8. watcher Says:

    This must have come up in due diligence for the HP acquisition. HP must have known of this during the purchase diligence. You can’t just sue, you have to notify first, which most likely would have happened before Aug 1st.
    It would seem that HP and SPI decided to disregard this as a real threat, or the deal most likely would have been called off, or delayed until the outcome was certain. Hope that bodes well for the defeat of this patent.

  9. n Says:

    David Byrne, get back to work!

  10. MikeA Says:

    Doesn’t IBM hold another patent on web scanning (via Sanctum -> Watchfire) that is much more comprehensive than the Cenzic one?

    http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=6,584,569.PN.&OS=PN/6,584,569&RS=PN/6,584,569

    Looks to me that both of these are very similar to each other, so at the minimum the Cenzic one is probably going to be dismissed as the later filer.

    It’s not unusual for big companies to simply hold patents in hand as “mutually assured destruction” in case another big company sues them. From that aspect I’d much rather have IBM or HP as the patent holder, as they are more likely just to ignore the “little guy”.

    This is certainly going to be interesting though :)

  11. Justin Clarke Says:

    It seems to me that this patent is based on network fault injection, so it is broader than the Watchfire patent. For those of us who remember, Cenzic had a product (also, confusingly, called Hailstorm) back in the 2000 timeframe that did network fault injection; this is what I think this patent is based off.

  12. Ronald Says:

    *cough*

    1988:

    Z. Segall, T. Lin, “FIAT: Fault Injection Based Automated Testing Environment”. In Proc. 18th Int. Symp. Fault-Tolerant Computing, pp. 102-107, June 1988.

    ;)

  13. Sneaky Says:

    Two things:
    1. Software patents, except in a very few specific cases, are bad for almost everyone, and shouldn’t exist. Maybe this is a debate for another day, but I think it’s clear that software patents don’t spur innovation, as I’ve never met a person who coded something he wouldn’t have if he couldn’t patent it.

    2. Cenzic’s patent is actually more restrictive than most people here seem to understand. It isn’t only restricted to network fault injection, but also to a certain approach. Most other scanners are NOT in conflict with this patent because they scan based on prior knowledge of specific vulnerabilities. This patent specifically applies to an iterative process testing parameters for a class of common coding errors, using a complex grammar to do so.

    Now, I’m not saying that there isn’t prior art, because my experience is that there isn’t a software patent without prior art, but there isn’t as much as many here imply. MOST security scanners, and specifically scanners that operate based on real vulnerability information do not step on this patent.

  14. Paizan Says:

    Is this a new way to secure funding?

  15. MILTON WADDAMS Says:

    My advice to Cenzic is that they should buy a red stapler and move to the basement.

  16. Mystery Says:

    I’ll make a bet… SPI sues Cenzic and both get dropped.

  17. wwweirdo Says:

    “I’ll make a bet… SPI sues Cenzic and both get dropped.”

    SPI already sued Cenzic. This is the response.

    It’s clear that only 2 people on this entire thread read the patent.

  18. RSnake Says:

    Whelp, looks like you were right, wwweirdo: http://www.securityfocus.com/brief/600

    In the worst possible outcome both patents are no longer being contested. Makes me want to write my congressman about patent reform.