Security Patents Invite Hacker Exploitations

Tuesday, August 24, 2010

Joe Morrissey


How dare you!

No doubt in some quarters the headline of this short post will be greeted with shock, surprise, and a probable and almost audible “tut-tutting” from the administrators of patents, which so many invest so heavily to obtain.

Please don’t get me wrong: I’m not saying this applies in all cases, and patents do serve a purpose. This, however, is one case in which I think they fail enormously. Please stay with me and see our viewpoint.

The reason I raise this observation, in an admittedly self-serving manner, is that it recently dawned on us at VentiSys that the trophy we were chasing was possibly the most poisoned chalice we could have set our goals against. This rant (for want of a better word) is the conclusion we have distilled it down to at present.

So, no apologies (you have been warned): this is somewhat self-serving, in that we would like to share our experience thus far, and hope it draws a response that jolts us out of our current thinking, or some other takes on it from people with views on the dilemma we find ourselves in.

Our perspective...

To appreciate where we are coming from on this, readers need to understand that we provide information security tools, software and services to businesses. We have a “novel”, “new”, “non-obvious”, “useful” and exciting “technical effect” that secures information on data endpoints (laptops and PCs).

The words novel, new, non-obvious, useful and technical effect could be put beside tick boxes on a patent attorney’s initial review, and as the line above shows, he would get ticks in all the boxes. Woohoo? Well, not quite.

The damn thing is: once we file a patent application it is kept confidential for 18 months from the priority date, after which, lo and behold and without warning, it is published for all and sundry to read, study and fully grasp. (The US lets an applicant who will never file abroad request non-publication, which is no help to anyone who also wants protection in Europe.)

Now, I don’t know about you, but if you had devised a new, novel, non-obvious and useful lock for protecting your house, would you hand the thief a drawing of the lock so he could fabricate a key? No, bloody right you wouldn’t; nor would I.

The thing is, when filing a patent for our “security system”, that is exactly what we would be required to do. It is a bit like giving a hacker directions to the map store (the Patent Office), handing him the map reference (the patent filing number), and expecting him, having studied it, not to be tempted to have a go at breaking into our house.

Not going to happen folks, now is it?

So, how can this be the case?

Of course, there is a very good reason. The patent system has existed since its first iteration around 500 BC, when a Greek colony in what is now southern Italy sought to encourage refinements of luxury: the profits from a new invention went to its inventor for a period of one year. Where they went after that, who knows, but that is beside the point.

A Florentine architect was the next beneficiary, devising a barge with a hoist on it; his grant ran for three years. Then, in 1449, King Henry VI granted a patent to a maker of coloured glass who was introducing the technique to England, preventing even those who knew the techniques and materials from copying them for the duration of the patent.

And it evolved from this into what we have today: a conduit for the spread of knowledge, but one that guards the interests and rights of those who filed first, effectively the same thing that was knocking around medieval England under Henry. A hacker, on the other hand, doesn’t give a hoot for this history, the system design, or the rights or interests of anyone; he or she only wants to understand its design so as to craft a key that fits the lock.

What I’m saying is that the hacker does not profit from emulating; he profits from theft, or simply enjoys grinding keys to look at what is held inside the vault, maybe leaving only a “Joe woz ere – nice system”.

If the sum total of the technical effect achieves a greater system, but that technical effect is negated by disclosure, what’s the damn point?

Our Choice?

If we had a choice (and thankfully we do) between keeping secret how our lock works, knowing the hacker could never look at it, dismantle it or reverse engineer it, and disclosing the design in order to prove it delivers its technical effect, you have no doubt guessed that we would not give a damn about a piece of paper that says we protected it, having been dumb enough to tell the world how it worked and where to get the details. Oh, by the way, here are the citation numbers you will need. (Strictly, anything shipped to an endpoint can be pulled apart by whoever holds the laptop; keeping the design out of print raises the cost of that work rather than preventing it.)

Angel investors, and venture capitalists love patents don’t they?

So how does this affect company valuations? Patents are considered the strong arm guarding against one of Mr Porter’s five forces, namely the threat of competitive entry. But they don’t really apply here, or do they?

Mr Porter, in his unquestionable wisdom, correctly suggested that we set off on our voyage in the race to secure our chalice; but when we had it in our grasp, overflowing, we didn’t like the scent of the wine. It was corked!

Cross-posted from Venitblog

Fred Williams
What a dilemma! I think your strategy of 'trade secrets' is the best way to go. The intellectual property systems are having trouble keeping up with the rapid advances in technology.

The idea of patents is that a patent will allow an inventor to enjoy a relative monopoly on an invention for a specific period of time with the promise that the greater good of the world gets served in the future once the patent expires.

However, you have raised a good point that the greater good of the world (and your company) may not be served with the impending release of your invention.

Dr. Steve Belovich
I disagree. The assumption that you make is that if you know the inner workings of something, then you can defeat it. That is not always true.

Anything with a formal logical, mathematical or physical basis can be disclosed without fear of compromise.

O/S security done correctly cannot be defeated (please see IT Security History & Architecture Part 4 - The Reference Monitor).

So, if you truly have a bullet-proof approach to securing the desktop, then there should be no issue with disclosing it per the relevant patent laws.

Joe Morrissey
Fred / Steve, thanks for your comments. No issue exists in disclosing our methods; it's just that in so doing we lessen the burden and workload for a potential attacker by implying, and thereby reducing, variables that otherwise he/she (or indeed it) would have to discover: an arduous process at best, and one that can be detected before they even get close to the "lock". Steve's point is correct: security done correctly and adhered to cannot be defeated. But it's all about stacking the deck against attack vectors.

We discussed at length whether to file or not to file. We uphold the philosophy that data should remain secret under the confidentiality, availability and integrity triad, but agree that how it is kept secret should not be secret. We will engage and disclose sufficiently to demonstrate capability once it is clear who we are engaging with. A scientifically published patent reference will not allow us access to our recipients. This is one of the major failings we see with the process, and the reason we have chosen this route. The main purpose of the blog post was to capture other people's thinking and get some good dialogue going, and so I'm thankful for your feedback.

Fred Williams
Joe, let me see if I understand this correctly: you don't have a problem in disclosing your invention if/when the patent is granted. But your main issue is that the patent office will not give you a list of people who are interested in your patent?

Shawn Merdinger
In my recent presentations on "hacking electronic door access controllers" I provide a tangible example of hackers using patents to get a better idea of what to attack. See slide 17 here:

Specifically, the patent is by S2 Security for a proprietary protocol. More here:

Joe Morrissey
No, we are not inclined to go down the patent route at all at present, as you say for the "greater good".

We will however engage with Info sec professionals if required to assure them that our "bullet proof" vest does what it says, this can be via peer review / 3rd party independent review etc.

Say we divulge all to a patent application, and should that patent be approved or granted - it "may" protect our IP, but this gain is at the detriment of it being published to "anyone" including malicious intent reviewers.

We consequently, as an industry and a company, lose the option of filtering out who gets the information because of the nature of the patent system.

Remember, patents were designed to spread technical know-how and knowledge, subsequently adopted by the law profession as a vehicle to prove "first to invent". Who cares?

Our goal under Porter's force of competitive entry was to build a barrier to prevent others emulating us. We still could do this, but to what effect? A malicious reviewer doesn't give a damn either way, only to learn as much as possible, make informed decisions and then engineer attacks with the greatest probability of success. I guess the main thrust of my post was to see if others see the patent system as a poor conduit for security IP, or not as the case might be. We see it as weakening the stack bias in favour of the attacker, not stacking the deck against them.

Joe Morrissey
Shawn, thanks, that's exactly the type of info that any attacker will seek. I mean, it's a detailed technical description from which any number of assumptions, as opposed to guesses, can be drawn by a malicious reviewer. Malicious: they're the bad guys, right? Our enemies? The reason we all go to work every day???

Stan Trepetin
Perhaps the solution is to handle security IP in several ways. If the patent application publishes after 18 months (as they typically do in the US after application submission), the novel security architecture becomes public knowledge. This may invite hackers to assess the technology's weaknesses and defeat it.

The flip side is to do as Joe suggests--have a review by some independent but expert party, and then present that as "evidence" to any clients that want to buy the technology. Customers feel confident in buying because of the independent review.

As a "non-practicing academic" (i.e., with a PhD but not teaching :), I can state that publishing papers in peer-reviewed journals on new security techniques is a more common way of establishing the credibility of new security technologies. Afterwards, companies or products built around the technologies have even more validity because the publications supposedly underwent peer review.

Each of these approaches has its own strengths and weaknesses. Protecting new security technologies as trade secrets but offering a report (or summary) of an independent review to clients can certainly be done. The inventor is protected from hackers and competition because the technology remains a "secret". An independent review means the company's customers can buy it with some confidence. On the other hand, is the security the best? Professional, independent security reviewers may be good, but as we were told in academia, the best security techniques are those which don't remain secret; only the algorithm's key should remain secret. Would several independent reviews be better? Further, keeping the architecture secret will not necessarily prevent hacking. If thieves feel that the protected data/infrastructure is valuable they will attack. And if they succeed, there is a breach, and, further, competition can arise and come up with a slightly better mousetrap because there will be no patent to protect it.

Pursuing a patent of the invention protects the inventor from competition but says nothing about the technology’s validity. It could be novel, but, in fact, not be secure. (I’ve seen a number of those reviewing published patents from the PTO). And, again as was stated, hackers might become interested in attacking after the patent application publishes.

Publication in peer-reviewed journals is probably the best way of establishing the robustness of the technology, but nevertheless does expose the concept to public scrutiny and hackers around the world; and, at the same time, provides no protection to the inventor and could encourage competition because the information becomes public.

Maybe the solution is to use multiple approaches. If the intent is to protect the inventor from competition, have the best protection against hackers, and establish credibility in the eyes of customers, maybe all three techniques should be pursued. Maybe one can patent while getting an independent review to establish initial protection and a sufficient amount of credibility. Then a publication can follow in a year or two to more definitively establish the robustness of the technology (which will be established over time as others write critiques and analyses of the technology in the years following).

My thoughts about this :)

Joe Morrissey
Thanks for the great post Stan, nothing like good constructive feedback!

You raise a number of very interesting points. A multi-"pronged" approach could be shoehorned into a good fit; it's all then about what's filed, and what claims are assigned to the filing.

Maybe this is where the corporate money making taints information security, as it would appear the more you claim to be able to do, the more you need to demonstrate and divulge.

You have given me a "bump" or insight into an alternative approach, hybrid thought model - namely to trade secret the process akin to Coca Cola, and attempt patenting an essential element that comprises a small element of the process. Back to the drawing board!!!

This is where the protection against competitive entry raises its head again, as the greater the claims the "mousetrap" makes, the harder it is not to infringe on the trap. A hacker doesn't care a hoot about infringement.

The hacker though I think is a moot point, as Stan states correctly if there is value to derive the attack will come.

If anything I think we are in broad agreement that the patent vehicle is a questionable conduit in info sec applications, one that has value absolutely from the business sense, but it is not everything (At best) and dangerous (At worst).

What I wanted to convey in the original blog was that from an entrepreneurial perspective, the "patent" is the guiding "prize", as it undoubtedly affects valuation.
This is achieved at great cost however, as Shawn demonstrates in his slides - if the claims and demonstrated art is extensive to support the said "claims", and they will be to cover the attorneys hind quarter, the spring of the mousetrap becomes increasingly "implied", the reviewer picks up on this, or uses processes of elimination to narrow the available options.

I still believe there is an enormous disconnect in using the patent system, unless you are equipped with an army of legal eagles, in which case you can likely afford to contest any damn patent you wish.

A fine art it is achieving a good balance.

Fred Williams
This is a really good thread! I finally see what your overall point is, Joe. Sorry it took me so long to get it! When I started looking around for more information on how security related patents are handled in general by the US Patent Office, I came across some eye-opening material. It seems that the Pentagon and NSA can and have been barring patents by private inventors in the interest of national security. After an initial review, the patent office will send the data over to the Pentagon for further review. I'm sure your invention will not come under that scrutiny but it does illustrate the problems with security related patents.

I will adjust my thoughts to recommend the hybrid approach also. Remembering back to my ethics course, most companies use a layered approach also.

Joe Morrissey
Interesting point Fred. In effect the NSA and Pentagon are pretty much doing what we have elected to do: given the technology exists, why publicise the workings and lose competitive advantage?

Just because a patent doesn't exist for a security product doesn't mean the product is not of good integrity. So we have come full circle; the question is now what happens to the barred applicants and the technology they proposed??

Glad others are enjoying this dilemma, thanks for the constructive interaction folks.

Desmond ONeill
Welcome to the world of invention. While your post raises some excellent security questions, you don't really understand the purpose of the patent process.

I speak from experience in software security and as owner of 8 patents around software design.

The purpose is not to lock out hackers, but to protect you and your investors from even bigger thieves: counterfeiters who steal your idea and do not compensate you for it. Investors need to know that they will be able to protect their investment that resulted in your invention.

The point I most disagree with is that we are teaching hackers how to break your system. Yes, patents do provide insight into the claimed invention, but for security related patents, they do not tell how to specifically break a particular instance.

Just did a scan of Master padlocks at the patent office. The patent discloses how a tumbler padlock works, but it does not tell me how to break into a padlock that is used today on my neighbor's toolshed. I know how the lock works, but I do not have the knowledge to break into the woodshed.

Had Master Lock not patented this well known design, they would most likely be out of business. Since they were protected, they were able to establish a successful security company that has improved the design of the padlock until this very day.

A competitor may have learned how Master Lock did it, but could not use that design without paying a royalty. Without the patent, they could have ripped off the invention and both Master Lock and the security industry would be worse off.

I understand how AES-256 works, math and all, but that does not help me break it. It does save me time guessing, but the beauty of the invention is how secure the idea is.

If your idea is published as a patent and someone can use the information to break the invention, then maybe it wasn't such a great invention after all. The Master Lock patent I found for a padlock was filed in 1948. From what I can tell, that design is still being used today very successfully.

I should know. We are currently in a court battle with a party who saw our invention, agreed to pay a license if they used it, then stole the idea. We are now having to put our resources into enforcing the patent. Without a patent, we would not have any value left in our invention(s).

With the patent, it is very clear what we claimed as an invention and what aspects of the other parties use of the invention are in violation. Their burden now is to show there was no invention to start with. Without the patent, we would have suffered irreparable harm.

Yes, you may provide information for a potential cracker, but a hacker (using hacker as a good term) might be able to read your patent and find a flaw for you before you know it. The cracker was going to break the system eventually, patent info or not. The hacker is going to help you improve your invention and spawn additional advancements in the state of the art.

Stan Trepetin
I mostly agree with Desmond's comments. A patent protects you from the competition (or thieves, depending on how scrupulous they are :). You exchange the secrecy of the idea, which buys you some “protection” because competitors don’t know what you’re doing, for much stronger protection against the competition, if your claims are worded sufficiently broadly. Remember that the competition can, again if they feel it’s worthwhile, reverse engineer your idea. Then they can steal it without paying royalties, as Desmond says.

Although the patent does expose the idea to hackers, the best security ideas should ultimately really be public information. In the best designs the only thing you should be protecting really is the private key. :)

My only question with the above is about hackers finding the flaw in a patented idea (or its published application) and improving the state of the art. One hopes that what one patents is in fact “secure”. If someone should break the security then what you’ve patented is really not worth much. Which is why some kind of private review is probably useful. That way, you hopefully wind up patenting a better mousetrap. (So maybe my original post should be slightly changed. Maybe one shouldn’t do a review while submitting a patent application—perhaps the review should be completed first. Then one’s customers and you :) have confidence in the idea. Then the patent can be applied for)...
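The point Stan and Desmond keep returning to (the design can be public; only the key must stay secret) is easier to see in code than in prose. The following Python is an added example written for this edit, not code from VentiSys, from any commenter, or from the original post. It contrasts a constructed "secret table" cipher, whose entire security is that nobody has seen the design, with a keyed construction (HMAC-SHA256 driven in counter mode, assumed here purely as a standard public primitive). Once the first design is disclosed, recovery is one lookup per byte; once the second is disclosed, the attacker's only remaining lever is an exhaustive key search, shown with a deliberately tiny key so it actually runs, next to the expected work for a 256-bit key. The message, the table and the toy key size are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets

# ---- Scheme A: the design itself is the secret ("security by obscurity") ----
# Constructed stand-in for a product whose only secret is a hard-wired byte
# permutation. 167 is odd, so i -> (167*i + 41) mod 256 is a bijection.
_SECRET_TABLE = bytes((167 * i + 41) % 256 for i in range(256))


def obscurity_encrypt(plaintext: bytes) -> bytes:
    """Substitute each byte through the hidden table. There is no key."""
    return bytes(_SECRET_TABLE[b] for b in plaintext)


def attack_after_disclosure(ciphertext: bytes, disclosed_table: bytes) -> bytes:
    """Once the table is published (the 'patent'), recovery is one inverse
    lookup per byte: no search, no guessing, nothing left to protect."""
    inverse = bytes(disclosed_table.index(i) for i in range(256))
    return bytes(inverse[b] for b in ciphertext)


# ---- Scheme B: public algorithm, secret key (Kerckhoffs's principle) ----
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. The construction is fully public; only
    `key` is secret. (Illustrative: use a vetted AEAD in real products.)"""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def keyed_encrypt(key: bytes, plaintext: bytes):
    """Returns (nonce, ciphertext); a fresh nonce per message."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce, bytes(p ^ k for p, k in zip(plaintext, ks))


def keyed_decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def brute_force(nonce: bytes, ciphertext: bytes, known_prefix: bytes, key_bits: int):
    """Attacker holding the full design and a known-plaintext prefix. The
    only lever left is exhaustive search over the key space; the key is
    encoded in 4 bytes so key_bits must be <= 32. Returns (key, tries)."""
    tries = 0
    for k in range(1 << key_bits):
        key = k.to_bytes(4, "big")
        tries += 1
        if keyed_decrypt(key, nonce, ciphertext[: len(known_prefix)]) == known_prefix:
            return key, tries
    return None, tries


def compare(toy_key_bits: int = 12, toy_key=None) -> dict:
    """Run both schemes against the same constructed message and report
    how much work disclosure leaves the attacker in each case."""
    msg = b"endpoint record: account=4417 balance=1200"   # constructed sample
    # Scheme A: ciphertext exists, then the design is published.
    recovered_a = attack_after_disclosure(obscurity_encrypt(msg), _SECRET_TABLE)
    # Scheme B: a deliberately tiny key so the search finishes in a second.
    k = secrets.randbelow(1 << toy_key_bits) if toy_key is None else toy_key
    key = k.to_bytes(4, "big")
    nonce, ct = keyed_encrypt(key, msg)
    found, tries = brute_force(nonce, ct, msg[:8], toy_key_bits)
    return {
        "obscurity_broken_without_search": recovered_a == msg,
        "keyed_broken_by_search": found == key,
        "keys_tried": tries,
        # Disclosure changes nothing here: average guesses for a 256-bit key.
        "expected_tries_256bit_key": 2 ** 255,
    }


if __name__ == "__main__":
    print(compare())
```

The toy key search succeeds only because the key space was made absurdly small; widen it to 256 bits and the published design tells the attacker exactly how the lock works while leaving every one of the 2^255 expected guesses in place. That is the difference between a design that can survive publication and one whose disclosure is the break.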

Joe Morrissey
Desmond, I fully appreciate your point. It does however "read" to me that we are saying the same thing, but from a different slant. "If your idea is published as a patent and someone can use the information to break the invention, then maybe it wasn't such a great invention after all."

Couldn't have put it better myself. The question is: do I patent (decrease the threat of competitive entry or theft of invention, whilst ensuring I can defend my secure or not-so-secure idea regardless)? Hey, I have a patent, sign here Mr Investor.

What's to stop somebody harvesting 98% of the idea, to vary a small element or apply it slightly differently, what's to stop the big players killing me slowly with legal bills?

I fully admit, and it's probably evident, that I am no expert on patenting or associated law. My post was written to describe what an inventor who found he could build a business out of his invention discovered travelling through the patent process. We are not a multinational global corporation; we have finite resources. It seemed to me the attorneys (whilst covering their behinds) would demand everything and all details, sufficient I believe to cue an intelligent reviewer into an understanding of how to build a machine to attack (key) in the same way you or I could postulate how to structure an attack on AES with a better chance of success, or finding the 12 sticky points of a Master Lock.

Master Locks have been hacked. DES has been hacked. AES will be hacked; it's just a matter of when, and it's just a matter of the value of the prize the key unlocks that will justify the cost and effort. Every lock has a key, otherwise it isn't a lock. So, why should I make it more affordable for a cracker to engineer an attack?

I am not claiming to be the world's greatest mathematician, hacker or oracle. I'm sure there are smarter people out there who can don the "white hat" and advance the state of the art, but what if they are more black hat than white?

Let's suppose a separate IP body or IP class existed for IP associated with "Security" akin to the trusted computing group, all white hats. If their M.O. was such that the process was public but only to a select and "trusted" panel (of whatever size), surely this would be a better way forward for all concerned? Maybe this is already happening as Fred has identified with NSA etc, the technology exists but it isn't going to be public domain.

I had thought about going down the route Stan suggests, namely completing the review before the patent, and it seems the best approach certainly the lesser of two evils, at least it's exposure could be partially controlled, as opposed to full publication.

I'm fully sold on transparency - it is the only way something can be truly secure. I'm not sold on that transparency being applicable to the world and his dog - this is my issue with the patent publication.

Thanks for the great feedback guys.

Joe Morrissey
Supplemental to, but demonstrative of, points raised in this discussion are the following, for those interested.
If you read any of this article read the last paragraph.

Thanks again folks.

Desmond ONeill
Joe, part of the patent application process is a complete and thorough review of the current state of the art. This is partially why applications can get expensive. But it is up to the patent applicant to show the examiner and the world the state of the art just before your big reveal on what you invented. Many times you find your new idea has already been patented (there are millions out there) or is very similar to one already on the books. Better to know that now than go into production and have someone come out of the woodwork and lay an injunction on you because you are using their patent without permission, even if you developed it on your own without knowing of the invention.

You also have to reference articles, patents, and other information one skilled in the art might be familiar with to show you were aware of the IP in the industry at the time of your invention. You are basically doing the patent examiners job by listing at the start of your patent those patents and industry sources you reviewed and do not think infringe on your invention.

About your question around someone reading your patent, making a minor modification to your idea and patenting around you: there is a method for containing this. The idea is that the first patent you go for is a broad, overall patent defining the invention in broad terms. A good patent attorney (this is where they earn their keep) can help find the balance between too broad and not broad enough. If you can convince the examiner of your general invention, you then file subordinate patents that define all the "sub use cases" within your general invention. These are simpler and less expensive to file, because you basically cut and paste the general patent and define the particular detail you want to protect. You might end up with one broad patent and half a dozen subordinate patents that patent variations on a theme. I did find a Master Lock patent that is newer than the previous one, but it referred back to the original patent and extended it by patenting a new design that was more up to date.

The classic example is HP and the LaserJet. They got a patent on the general concept of laser printing. But they knew Japanese printer companies would make a small modification and try to patent that. HP spent an enormous amount of time patenting all aspects of LaserJet printing and similar ideas they tried but did not put into production. When they went to market, the Japanese, who dominated the printer market at that time with dot matrix printers, found they had no recourse but to license the technology from HP, giving HP the dominant position they enjoy today in the printer market (and why they can rape us with printer cartridges).

That is the way it is today. There is a proposal to rework the patent process due to the backlog and how the current process is not really great for software. The new process would use more of an open source/RFC approach, where you would post the patent content to a website, where it would be reviewed by others in your field and they would post comments. Eventually, the patent would be issued by group consensus with a patent office employee moderating the effort. This helps get around the shortage of highly skilled patent reviewers at the PTO. Not sure where this is, but last I heard the lawyers were bogging this down as it would cut into their gravy train.

As for padlocks, DES, and AES, yes they all can be cracked eventually, but notice they are still being used. (I prefer to show my age - hackers help find flaws, crackers abuse the flaw for personal gain.) Car door keys were replaced by electronic car door keys and are now being replaced by proximity fobs. Time and inventiveness march on.

Joe Morrissey
Desmond, thank you for taking the time to put such a helpful reply together.

A broad overall claim with subordinates is another feature I will broach with the attorney (who had not brought this up). Maybe I will seek out counsel from an alternative. I'm not at all surprised to hear the alternative review process is finding difficulty gaining acceptance from all concerned. I do however see the lawyers' concerns also.

Certainly plenty to ponder.

Thanks again

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
