This is the real reason why most large companies now have email retention policies and auto-delete everything after 30..90 days.

It is a cheaper "fix".

You miss the point - the researchers discovered an application of the laws of physics to cryptanalysis. Cool, interesting, but not inherently patentable. Then they patented every way to fix that problem, many of which would be obvious to someone skilled in the art.

If I discover that 1+2 = 3, I cannot patent that equation. If I discover an application of that equation to a physical problem, the intent of the framers in patent law was that only a non obvious application may be patented. The fact that they discovered the problem doesn't (at least by law) eliminate or nullify the PHOSITA requirement.

The researchers found a hard to find problem, then patented the obvious solutions to that problem.

This is one of the problem with patents in general - patents are being issued where the person "skilled in the art", i.e. someone who has the same degree of specialization, would have developed the same solution, and the USPTO no longer makes a reasonable effort to prevent that.

Not everyone who complains on Slashdot is naive on patent realities, and the problem is real and ugly.

Aside from the legal fiction of the PHOSITA (Person Having Ordinary Skill In The Art), the intent of this clause by the framers was that it should not be possible for anyone to obtain a patent on something that would be obvious to someone working in the field.

In this specific case, once the feasibility of power vector side channel attacks was understood, any ideas that should have been obvious to someone having ordinary skill in the applicable fields (cryptanalysis of side channels, EE, FPGA layout internals) should not be patentable.

While credit must be given to researches who discovered these attack vectors, the fact remains that the patents they obtained are broad enough to intersect essentially every idea a PHOSITA would come up with. While it is possible to interpret claims narrowly through the context of the background and description, juries often (especially in East Texas) fail to narrow interpretations sufficiently, and just attempting just a narrow interpretation will still cost you $1-3M in legal fees.

If your job includes evaluation of risk of patent infringement (which mine does, for one of the worlds largest companies) then you would understand that the combination of lowering the bar on "obvious" and "prior art", along with the challenges that venue shopping presents, have created a situation where it has become nearly impossible to do anything interesting without infringing many patents that should NOT have been issued.

An interesting blurb from the Actel linked page:

Many of the fundamental techniques used to defend against DPA and other side-channel attacks are patented by Cryptography Research, Inc. ... One of CRI's businesses today is licensing this portfolio of very fundamental patents. Nearly all the secure microcontrollers used in smart cards, set-top boxes, SIM cards for GSM phones and Trusted Platform Modules (TPM) for personal computers are built under license to CRI, amounting to about 4.5 billion chips per year in total.

Yet another critical set of concepts which should be obvious to anyone working in the field locked behind a paywall due to USPTO incompetence and/or malfeasance...

The only thing changing is that IT in general is generally considered a "cost center" to trim, IT security an even less indirectly profitable component of that cost center, and management of most organizations is becoming more aggressive at reducing that cost. Add outsourcing and subcontracting issues and you end up with a system where there is real interest only in having an appearance of security, and standard practices revolve around plausible deniability and passing the buck.

Almost everyone whose been in enterprise security for a while has a collection of cringe worthy stories they cannot share... (sigh)