NSA Patents Available for License

There's a new article on NSA's Technology Transfer Program, a 1990s-era program to license NSA patents to private industry. I was pretty dismissive about the offerings in the article, but I didn't find anything interesting in the catalog. Does anyone see something I missed?

My guess is that the good stuff remains classified, and isn't "transferred" to anyone.

Slashdot thread.

Posted on September 29, 2014 at 6:02 AM • 32 Comments

Comments

Thoth • September 29, 2014 6:12 AM

I am highly skeptical whether they will actually release the actual technology or at most release just parts of the stuff they promised or even worse, release a modified "civilian" version that might contain nasty stuff inside.

SS • September 29, 2014 6:54 AM

Why are they allowed to even file patents? Government must put copyrightable material in the public domain, shouldn't it be the same with patents?

paul • September 29, 2014 8:33 AM

At least this is a step up from the old practice of issuing patent secrecy orders, which essentially prevented independent inventors from getting patents on things the NSA didn't like.

I wonder what the motivation was for getting the patents. In a crazy backwards way, it might have been intended to get stuff out into the public domain. Because if someone else invented it independently (or even just stole it) there wouldn't be a whole lot of visible prior art.

Jim A • September 29, 2014 10:18 AM

ISTR being told by somebody at the USPTO that there is no such thing as a classified patent. Rather there are classified patent applications...

Clive Robinson • September 29, 2014 10:28 AM

@ Paul,

> I wonder what the motivation was for getting the patents. In a crazy backwards way, it might have been intended to get stuff out into the public domain.

The NSA have quite a few primary patent ideas in areas such as speech compression and data storage, in the hands of a corporate they could stop some industries dead. Take your mobile phone the speech compression and digitisation comes directly from NSA work, think just how much that would be worth in cross patenting or preventing market entry from competitors.

However there are some out there that say "Hang on, is this tech back doored?" To which the answer could be either way as nobody else has the experience to say...

So that CELP speech codec, "Does it have side channels that can be exploited in a very low bandwidth way?" Simple answer is probably, "Are the NSA exploiting them if they do?" Again probably. However you need to first ask "Is there any way to do the speech compression and digitization without having side channels that leak information?" Simple answer is probably not.

Is there a downside to the NSA patents for the NSA or US Gov? Well yes they enable others to infer the direction of some research within the NSA and that information could be used by hostile others to either "Up or Change their game" to the NSA's detriment. Because of this I suspect there may well be a lot of quite marketable tech in the NSA that won't end up in patents any time soon...

Clive Robinson • September 29, 2014 10:42 AM

@ Bruce,

Did the journos catch you "on a bad hair day" your reported responses sound a little off of the norm for you...

Nick P • September 29, 2014 10:52 AM

@ Bruce

"My guess is that the good stuff remains classified, and isn't "transferred" to anyone."

Nah they're being transferred to private industry by Alexander for millions, remember? ;)

Thoth • September 29, 2014 10:56 AM

@Nick P
Transferred, controlled, gain big bucks. You have backdoors, patents and cash all rolled together in a neat package making it more acceptable to the public and easier to enter for the boys in the HQ.

jones • September 29, 2014 11:15 AM

It would certainly be a departure for an entity like the NSA, were the secrets of nature not to remain secrets of state....

The private space launches that NASA plans to pay for all derive from technology that NASA developed; this NSA patent licensing is probably a similarly curious type of "privatization." For example, patent 8,380,485 from the catalog is branded "ScribeZone (TM)." This is PR, like the Army developing video games.

James Sutherland • September 29, 2014 12:29 PM

From the mention of NDAs I saw in this context earlier, presumably the really good offerings get bought up in secret, then kept secret by whichever big US corporation bought them, without ever getting published in catalogs?

There's something worrying about any technical article which refers to "creating a long-distance GPS signal if they go down far from any phone towers" though.

dsm • September 29, 2014 2:13 PM

So what happened to the Tech that went into NSA sponsored companies from UK Lend lease repayments, do we get some of the money back for UK?

Nick P • September 29, 2014 6:29 PM

@ James

That's actually how I operated for a long time. It helps to obfuscate the technology and avoid legal liability. The prerequisite is that the organization is capable of protecting your secret. My strategy was to only work with companies that invested in decent security or would take extra measures to protect my secret. If it's an appliance, it's even better because they don't need to be told the secret.

I also did work by referral, avoided mass market, used NDA's, and enforced liability contractually with very specific requirements for both sides.

Nick P • September 29, 2014 6:33 PM

@ Clive

CELP is one of the technologies they use in their Type 1 systems. Unlikely that it's weakened. Many other things have a government specific variant. Those are the weakened standards.

4fu3yfu3yfgu3ygf • September 29, 2014 10:31 PM

@Thoth: If what's in the leaks is all they have, they should actually be asking the private sector for licenses.. You can buy everything they have except the firmware for very little money even in low-bulk fabricated PCB form..

I was actually surprised it was so sensationalized considering their most advanced kit was basically a NIC with a low-throughput (not even close to what hobby market has access to) ARM chip running custom packet logging firmware..

SUMMARY: Either the leaked kits are part of some fake NSA program, or NSA has some really bad management and a lot of speculation based on little data regarding NSA technological advances over the past four decades has been way off..

Nick P • September 30, 2014 12:08 AM

@ 4fu

"and a lot of speculation based on little data regarding NSA technological advances over the past four decades has been way off.."

That's the answer. I think it was foolish to have speculated the way they [and to a degree, I] did. The truth is NSA is a government organization that relies on the private sector, had serious management issues, and often relies on existing tactics to get the job done. That should've told us they'd develop custom software and hardware products targeting similar vulnerabilities using existing technology unless exotic was necessary. That's what they did.

Of course, it's understandable that we overestimated an organization that claimed to hire the world's best minds to work on/with secret knowledge leveraging huge budgets for decades. We *thought* that would result in mind-boggling technologies. So we thought...

K-Veikko • September 30, 2014 2:23 AM

> good stuff remains classified

The mere existence of "classified patents" reminds me of the true reason for patent-system: State control for ingenuity, the worst enemy.

Any patent application can be rejected on the basis that this invention is owned by the state. Even in the case that the ownership was established after the patent application first took place.

Winter • September 30, 2014 3:22 AM

I do not see any mystery in these patents. They allow the NSA to block anyone from using these patented technologies. You can license them, but only under the conditions of the NSA.

Say, for the sake of argument, the NSA has a "patent" on encrypting speech on mobile phones. Then, anyone who tries to sell a mobile phone that encrypts speech will get a cease and desist letter.

It is not that the government prohibits the use of encrypted phones. No Sir, nothing nefarious. This is just a commercial licensing question. You just have to sign the license, which stipulates how you implement this encryption.

Sam • September 30, 2014 3:59 AM

@4fu3yfu3yfgu3ygf

Perhaps NSA don't want off-the-shelf components because those are the ones already backdoored by every other agency? If you want to know that no-one else is listening in on you listening in, you'll have to do a lot more in-house and have more intense testing cycles etc on your kit.

Clive Robinson • September 30, 2014 4:45 AM

@ Nick P,

Re CELP, I was using it as an example of questions to ask (and yes it does have side channel issues in software versions).

The fact that the NSA use it at the highest level is not an indicator it's safe to use in your own product. Never ever make the mistake of falling into the mindset of "if the NSA use it it must be OK", it's a trap that was set long prior to the NSA existing, and is a follow on from the famous "The enemy knows the system" premise.

The NSA and other Signals Security Agencies have a history of making "brittle" or "theoretically secure" technology which becomes broken if not implemented correctly. This mind set goes back prior to the NSA to mechanical cipher systems that had strong, weak and very weak keys. If you either used the machine as is or developed your own the chances were better than even that you would not know which keys were strong and which weak, thus would send a sizable proportion of traffic under weak keys.

Remember Clipper/CapStone, when the algorithm became known it was described as "brittle" for exactly these reasons.

The NSA and other Signals Security Agencies spend a lot of their time designing secure systems with hidden defects in them, which are secure if you have the knowledge to spot and avoid the defects, but leak information or are weak if you don't.

Thus if the enemy steals your system and "uses it because you use it" they have, as the Trojans did, wheeled the wooden horse into the heart of their defenses...

ThisCantBeGood • September 30, 2014 6:14 AM

You want some of that patented software, here it comes:

FBI Plans To Open Up Malware Analysis Tool To Outside Researchers

http://tech.slashdot.org/story/14/09/30/0313255/fbi-plans-to-open-up-malware-analysis-tool-to-outside-researchers

While the software may do what it advertises, it is almost a certainty that it will be a carrier of snoop agency malware, and probably make any target computer part of a botnet. If so, it won't be the first time that malware came disguised as a malware fighting tool. And who are those outside researchers...probably retired snoops or shills. So, they no longer have to depend on ISPs forwarding data, it will likely come in directly from users (and the users will be charged for the transmission as part of their data plan).

paul • September 30, 2014 9:26 AM

As for licensing, I was under the impression that the government was required to do some kind of FRAND setup, but I could easily be wrong.

Slightly off topic, I remember the days when the DoD took out a series of trademarks covering the Ada programming language. There, the purpose was very specifically to make sure that a) no single company had control of the name and b) implementations and development tools actually conformed to whatever standard was hammered out, or else forfeited the right to use the name. (Didn't quite work out that way, of course.)

albert • September 30, 2014 12:09 PM

@Bruce
"...program to license NSA patents to private industry..."? Sounds like an opening line of a George Carlin/Lewis Black/Robin Williams monologue...I'm laughing already...
.
As usual, good comments by all.
.
There are several issues here.
.
The gov't can 'classify' patent applications under the catchall umbrella of 'national security'. This could happen if the application reveals something new the Gov't would like to monopolize, or something they already have, and want to keep secret.
.
There are a plethora of bogus software patents issued every day. Most are math or method patents using computers. The idea of backdoors is silly, unless you're dealing with binaries, and even then, it's not that difficult to detect 'your' software's questionable activities. Is anyone stupid enough to use NSA or FBI-generated binaries? I didn't think so.
.
FBI malware detection software? LOL. Dollars to donuts it won't 'detect' FBI malware:)
.
Software patent applications generally avoid as much disclosure as possible, so they can be made as general as possible. The NSA, etc., aren't going to disclose anything useful, because doing so would allow workarounds. They can easily clamp a lid on anything they don't like, as they are not bound by patent law.
.
I don't see the point of all this, unless it's to simply make more money...
.
I gotta go...

name.withheld.for.obvious.reasons • September 30, 2014 2:57 PM

@ Clive Robinson

> Thus if the enemy steals your system and "uses it because you use it" they have, as the Trojans did, wheeled the wooden horse into the heart of their defenses...

...if we built a wooden badger...

Sam • September 30, 2014 4:25 PM

Slashdot comment from someone who claims to have worked in the office:

http://yro.slashdot.org/comments.pl?sid=5759697&cid=48003687


Former TTP contractor here: First, there are PLENTY of issues one can have today with NSA and the American defense and intelligence community as a whole (note: FORMER federal contractor)... but it can be argued that TTP is one of the few unqualified "good" things the agency does.
In short, there are a bunch of federal regulations and statutes dictating that technologies paid for by the federal taxpayers should (barring lingering classification concerns) be made available for licensing and further development by those taxpayers, usually in the form of private companies, universities, the staffs of other public agencies, etc. There are different rules and processes for each, with the "fees" often being nominal and dependent on the scope and extent of the patent's application, and working to the benefit of the actual inventor(s).
Also, this is NOT an NSA-specific exercise. Most (and I imagine all, but can't confirm individually!) federal laboratories participate in technology transfer - the Federal Laboratory Consortium is a publicly available entity maintained for just that specific purpose.
And as a final aside... if you had seen the size of the Agency's TTP office (manned by a skeleton crew of administrative staff and often at the mercy of the general counsel/patent attorneys) and the numbers TTP actually deals with, you would find a lot of the scare language in the original article patently (puns!) ridiculous. It took us two years to get an update on the NSA.gov website, which apparently only ended up being a basic refresh of content - so much for all the hidden Agency slush fund pull!

Thoth • September 30, 2014 8:50 PM

Off Topic:
Therminator sounds like a good name for a thermite protecting vault system if Nick P's interested :) .

On Topic:
NSA and FBI are suddenly making the news with their TTP. Any motive for that?

Are they going to somehow steer expectations, implant bugs or weaknesses for future use via their TTP?

MikeB • October 4, 2014 10:37 PM

Great example of NSA working against US Citizens -- Silent Runner (SR):

NSA developed Silent Runner to be used during the Cold War against non-Americans.

NSA then turns around and sells the Cold War technology they developed using US Taxpayer monies to Raytheon.

Software developed by two NSA computer scientists has been used as the basis for Raytheon's Silent Runner network security software, saving Raytheon some of the cost and time in developing the product on their own, and netting the two NSA programmers, Dr. Marc Damasheck and Dr. Jonathan Cohen, a royalty check for every commercial sale Raytheon makes. http://www.forbes.com/2001/02/16/0216nsa.html

Raytheon (Dr. Hugo Poza Original SR Program Manager) turns around and sells the repackaged SR technology to US Companies to use against their US employees.

The companies probably charged the SR purchase back to the US Taxpayer?

At the end of the Forbes article: "The cross-pollination between it (NSA) and private industry should do it some good". ?

The SR product was sold from Raytheon to Computer Associates in 2003. Then the product was renamed to eTrust Network Forensics. In September 2008, AccessData purchased the rights to the product and also took the original name back.
