Ric Richardson, the Byron Bay inventor who went toe-to-toe with Microsoft in a massive patent battle and won, is raising funds for a computer security solution he says could be “much bigger” than his last one.
Mr Richardson was one of the largest shareholders in Singapore’s Uniloc when Microsoft reportedly paid it about $300 million in 2012 to settle claims that the software giant made billions infringing Uniloc’s anti-piracy technology patents. Microsoft had been using the technology as the basis for its Office and Windows software activation.
The final settlement was never disclosed. However, a patent jury had ordered Microsoft to pay US$388 million before the software maker succeeded in appealing the decision. Had it been upheld, it would have been one of the largest awarded in US patent history.
Mr Richardson said he was currently working closely with intellectual property experts in the US and a major capital investment provider in Australia to raise funds to commercialise security technology that would eliminate the need to use passwords for online transactions.
“My first patent has expired and it’s now time to get on and use the lessons learned,” he said.
Mr Richardson said he had been working on the security system on and off for about two years but had a breakthrough three months ago.
“When I spoke to the right guys about it – people that I trust down in Sydney – they looked to me and asked ‘is this it?’ and I had to make a decision about whether it was close enough to be something that’s going to make a difference, and it’s turned out that it is, so far,” he said.
“It’s turned into something that feels as big as software activation when I started working on that back in 1992.”
The two-factor security system uses a combination of proven private-public key encryption technology and local authentication in a way that eliminates the need for servers to store passwords or biometric information.
Users log on to their device using a PIN or biometric which is used to generate a private key. The key then generates a string of public keys that becomes the basis for communication with the server. The server then only accepts the next public key expected from the device for the next session, he said.
“It’s an exchange of secrets between the machines that doesn’t require a human to intervene where the machines know each other and recognise each other.”
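One way to read the rolling-key idea described above, as an added sketch that is not Mr Richardson's design (the article gives no construction): Lamport one-time signatures stand in for the "string of public keys", and `keypair`, `fingerprint`, `Device`, `Server` and `device_secret` are hypothetical names. The server keeps only the fingerprint of the next expected public key.

```python
import hashlib, hmac

def H(b): return hashlib.sha256(b).digest()

def keypair(seed, n):
    # Deterministic Lamport one-time key pair for session n (assumed construction).
    sk = [[hmac.new(seed, f"{n}/{i}/{b}".encode(), "sha256").digest()
           for b in (0, 1)] for i in range(256)]
    return sk, [[H(x) for x in pair] for pair in sk]

def fingerprint(pk):
    return H(b"".join(x for pair in pk for x in pair))

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per bit of the message digest.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        hmac.compare_digest(H(s), pk[i][b])
        for i, (s, b) in enumerate(zip(sig, bits(msg))))

class Device:
    def __init__(self, pin, device_secret):
        # The PIN unlocks a seed; device_secret is a constructed stand-in for
        # high-entropy material that never leaves the device.
        self.seed = hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret, 100_000)
        self.n = 0
    def enroll(self):
        return fingerprint(keypair(self.seed, 0)[1])
    def login(self):
        # Present this session's public key and sign the commitment to the next one.
        sk, pk = keypair(self.seed, self.n)
        nxt = fingerprint(keypair(self.seed, self.n + 1)[1])
        self.n += 1
        return pk, nxt, sign(sk, nxt)

class Server:
    def __init__(self, first_fp):
        self.expected = first_fp   # the only stored credential: no PIN, no biometric
    def accept(self, pk, nxt, sig):
        ok = (hmac.compare_digest(fingerprint(pk), self.expected)
              and verify(pk, nxt, sig))
        if ok:
            self.expected = nxt    # roll forward to the next expected key
        return ok
```

A replayed login fails because the server has already moved on to the next fingerprint. Every future key derives from the seed held on the device, so that seed is the single secret to protect.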
The system also allowed for “session sharing” – letting a smartphone be used to authenticate another computer, such as one in an internet cafe, without the need to divulge sensitive information.
The beauty of the system was that it left hackers without an avenue to steal private user information stored on a central server, he said, pointing to the recent Heartbleed vulnerability in OpenSSL.
“It underscores the fact that people are imperfect and they make mistakes and hackers can rely on that.”
Ty Miller, founder of computer security consultancy Threat Intelligence, said any system that left passwords less vulnerable to theft would help overcome security problems caused when individuals used the same passwords on multiple services.
However, he expressed concerns that Mr Richardson’s system might draw hackers’ attention to local devices.
“If the source of truth comes back to your own machine and storing a private key there, if that becomes compromised then all of your accounts become compromised,” Mr Miller said.
Mr Richardson was reluctant to name his business advisers but said “we’re certainly working to and obeying all the rules that they would require to be eligible” to work with them later on.
He had some lingering concerns that the simplicity of the concept behind his system could leave it vulnerable to accusations that it lacked the novelty to warrant patenting – just as Uniloc’s software activation patents had been.
However, he did not want to be left with any regrets for not taking a punt on the idea.
“I’m not saying that this will change the world. But I have had some experience with things that have changed the world so, if I don’t have a go at it, I’m a mug,” he said.