Posted On: 02/07/2019 1:39:43 AM
Post# of 82676
SFOR Argument transcript -
*Please note that this may have minor errors, however every attempt was made to be as close to exact as spoken by the parties involved in oral arguments.
SFOR: May I please the court. As this court held in Ancora which we addressed in the 28J letter, improving computer security can be non-abstract improvement if done by a specific technique that the parts from earlier approaches to solve a specific computer problem. And that is precisely what we have here. In fact, the analogy between the systems and improvements here and Ancora are very stark.
In Ancora, as here, the problem was the software license was subject to hacking. That’s at 13.44.
Now some systems have tried to improve upon the prior art such as with a unique identification code, and that is true here as well, as in Wesinger patent that is described and disparaged in specification in these patents. Um, the other attempts have been to place the license in a specific place, a non-modifiable ROM. What the claims that were upheld there did was it broke with that traditional approach by placing the license in a different place, in a modifiable part of the memory in the BIOS. That is the same thing as we have here. Prior art systems had, have the problem of all of the identification information coming in through the access channel. Whether it was in-band or whether even it was a partially out-of-band system, in all of those systems the identification information was coming back in through the access channel, which made it particularly susceptible to hacking.
And in a self-authenticating environment, where everybody is, is, really ah, operating in an anonymous fashion and if you have the credentials you look like the real person whether you may be a hacker or not. There was no way to authenticate that the person presenting the credentials was who they said they were.
And so these claims solve that problem by relocating the authentication to a different place, just as was true in Ancora.
In contrast to the other systems where you had either in-band or even partial out-of-band always coming back through the access channel. Here, we have two separate channels. We have the access channel....
Judge: Suppose we were to disagree with you on that and to say that the idea of having two separate channels is an abstract idea that doesn’t involve the complete, ah, separation, doesn’t involve, ah, an inventive concept. Is there anything about the diversion the interception that is, ah, an inventive concept?
SFOR: I-I think here, your honor, it is true that the specific solution - because here we don’t purport to preempt the notion of complete out-of-band communication or even complete out of band authentication. Because you can have a system in which the accessor initiates the communication with the security computer and establishes the authentication channel, that would not be covered by these claims if it simply at that point goes directly from the security computer to the host computer and says grant access.
Judge: Ok but I understand you are arguing and that that means that there’s not complete preemptions here but, are you arguing that the diversion, the interception is itself an innovative concept?
SFOR: I think that the interception device really underscores the inventive aspect of this because...
Judge: If not in and of itself an innovative concept....
SFOR: Not in and of itself, but what it does is is it underscores that as in {DVR} you are overriding the traditional method in which, uh, uh, identification is verified. In the traditional method it goes straight down the access channel and all you are able to do is establish that the credentials are credentials that match up with authorized credentials; but you are not able to establish that the person presenting those credentials is in fact the authorized user.
What this does is an interception device, I think sort of is the exclamation point, it cuts that off, it overrides that traditional process by sending it off into the separate authentication channel. And then in the separate authentication channel there is specific components that are arranged in a way that allow you to know that the, um, accessor is in fact the authorized accessor. And that’s because you have a predetermined address or telephone number that you reach out to, establish that authentication channel, and the fact that the person answers and is able to supply the predetermined data in response, again through the authentication channel, allows you to know that it is in fact the authorized user.
In fact, unlike with prior art systems which some of which did use biometric data, the use of biometric data in a system in which all the information is coming back through the access channel doesn’t really significantly improve security. Because if you have a hacker there and they capture the biometric data, your fingerprint, all that is is digitized data. It’s the same as any other digitized data that can be replicated by the hacker in a later attempt to access.
If however, you have two physically separate channels, the authentication channel completely, physically, independent of the access channel, then if you use biometric data it’s not going to be captured unless the hacker simultaneously is hacking two different channels at the same time. This way you know that the person is inputting the biometric data in the authentication channel is in fact the authorized user.
It’s those improvements over the prior art that are described and have to be accepted as true at this point- which is a motion to dismiss!
Under Berkheimer and Aatrix - under BASCOM it has to be accepted as true. And, And, I think really again as in Ancora the court said, how are we to know whether these are, in fact, improvements over the prior art as they are claiming to be in this specification we have to accept that as true at this point in the litigation.
What the court has consistently advised against is treating the 101 inquiry as though it were 103 lite. And that is particularly the opposite here, because these claims have already survived multiple 103 challenges. There were two IPR’s each with multiple grounds, that were not instituted because the prior art that they had to cobble together -3 or more references - did not disclose all the limitations of these claims.
And so when you have something that is sufficiently robust and inventive, non-obvious, to survive multiple 103 challenges- to allow something to waltz in and say ‘well but it’s a lot like if you try to go into preschool and try to somehow try to map in on to..
Judge: But what they did say was that every step was known and that the combination of steps was known. Maybe, isn’t that clear as a given? Is it, that these other aspects were set aside?
SFOR: Your Honor, I want to make/be clear the preschool analogy that they use to suggest that all these steps were already known is not our system. In that hypothetical that they give forth, Aunt Sally or whoever the relative is that is coming - all they are able to do is to verify that Aunt Sally has permission to pick up the child. They’re not able to verify Aunt Sally is Aunt Sally. It’s the latter problem that is the real problem of computer technology where you have a man in the middle, the hacker, in the self-authenticating environment. Because whoever comes in and says I’m Aunt Sally looks just like Aunt Sally if they are anonymous.
They’re just ...
Judge: All you need to do is change the hypothetical and ask the parent what Aunt Sally looks like.
SFOR: Well your Honor, But again, I think because of the unique nature of the new technology it could be Aunt Sally’s twin. Aunt Sally has authorization but Aunt Bertha, who is Aunt Sally’s twin, does not. And you can’t distinguish them from their credentials. From the credentials they each have the same drivers license, you can’t distinguish them. That is the true problem of user authentication - authenticating that the person is who they claim to be.
All of the other systems are designed to make sure that the credentials are authorized credentials, they don’t authenticate that the user accessor is the accessor. And that’s what these claims do-precisely because of the particular architecture that they use.
It may be that the elements of it, a router, a security computer, etc are known elements but they are arranged in a way here that allows you to do something that the prior art was not able to do.
It’s that improvement that is claimed.
And again, it is not all out-of-band there are a lots of out-of-band systems that don’t do it the way that are claimed here. In fact, Wesinger is a version of out-of-band it’s partial out-of-band because you send the information out through out-of-band but it comes back through the access channel. And again as I said before it doesn’t even preempt all completely out-of-band systems. But what this completely out-of-band system does, arranged as these elements are arranged, is it allows you to insure the person seeking to access is in fact the authorized accessor.
Judge: What allows you to do it, is the advancement, the capabilities of technology, and what they say, and held, was this that this is just an old idea it’s just we now - that we now are able to implement it.
SFOR: No, your honor, I think that what’s true, I mean again, the sending the PIN out through the mail from the bank example that they give, and then you bring the PIN back in. All the PIN is, is a password, that’s the old art. All the PIN is, is the password because it is coming back in through the authentication channel. You may be an imposter but if you were there when the mail was delivered and you picked up the PIN you are able to use the PIN. So you don’t know whether the person is who they claim to be, only that they have the right credential. What this system does is organize things, especially I think it’s critical again, the physical separation of the channels so that no hacker can get the authenticating information. Because they are not - the hackers in the access channel - they are not in the authentication channel, because there is nothing there there is no information there. They are not in the authentication channel because they are not in the authentication channel, if for example you use the biometric data, the fingerprint, they don’t get it. And you know the accessor is the accessor.
It’s that unique combination, and the specification chooses that language. And in Berkheimer and Aatrix and BASCOM the court has said you have to accept these allegations that it is an improvement, it is not a well understood common routine arrangement. It is one that is not, it improves on the prior art and those have to be accepted as true at this point in the process. So at most we would be entitled to a Remand to establish that those facts as alleged in this specification are true!
I think that you can actually resolve this at step one for the reasons I have already said.
I would like to reserve the balance of my time...
Judge: Ok, thank you.... ...let’s hear from Mr. Anapol when you are ready.
Thank you for your support!
B )