Open Source and information security mailing list archives
Date: Fri, 07 Feb 2014 10:01:42 -0500
From: Alan Kaminsky <>
Subject: Never read a patent

In their book "Practical Cryptography" (Wiley Publishing, 2003), pages 
375-376, noted cryptographers Niels Ferguson and Bruce Schneier say this:

"One word of advice: never read a patent. That's right. You'd think that 
reading patents to see what they cover is a good idea. It is not. If you 
infringe on a patent without having known that you did so, you may end up 
paying damages to the patent holder. But if they can prove that you willfully 
infringed (because you knew about their patent), you may end up paying triple 
damages. So if you read a patent, you automatically increase your liability 
for infringing that patent by a factor of three.

"And now for the real stinger: even if you read a patent and decide, as an 
expert in your field, that your work is not covered by the patent, the judge 
might still find that you willfully infringed. You see, you as an expert are 
not qualified to judge what a patent covers. Only a patent lawyer can do that. 
So if you want to avoid the possibility of having to pay triple damages, you 
have to pay a patent lawyer to figure out whether you are infringing the 
patent or not. There are millions of patents out there, and you cannot 
possibly afford to pay a patent lawyer to read every one of them.

"Therefore, the safest solution is to never read a patent. At least you can 
then claim that you didn't willfully infringe on the patent."

I would think long and hard before starting to analyze patents related to 
password hashing. I would think even longer and harder before designing a 
password hashing algorithm specifically to try to avoid a patent's claims.

-Alan Kaminsky
  Department of Computer Science
  B. Thomas Golisano College of Computing and Information Sciences
  Rochester Institute of Technology
