Thanks. I figured that was obvious enough to not need explanation. So I decided it was out of scope. But, I am wrong all the time.

I am assuming you feel that we should teach our admins to test all their SSH passwords against standard attack dictionaries and disable/notify any that fail. This is a good idea. I will try to add it tomorrow.

Are there other conditions that are detectable by SSH admins that require disabling passwords?

That is an interesting idea. It is easy to MITM our SSH client connections. But, this control comes with a large expense. Because it is easy for our clients to see Security's actions, and it is hard for them to see the actions of attackers, they will conclude that Security is being evil for no good reason. This will greatly reduce our effectiveness by isolating Security from our community. Other controls may mitigate this problem with less expense.

For example, we are currently pushing our people to adopt widespread 2-factor authentication. Our people are ready to accept 2-factor. They understand it's value. They are familiar with it's use. We have multiple cheap 2-factor solutions. 2-factor somewhat mitigates MITM and also helps other issues.

That said, I think we really need a simpler form of SSH for trusted point-to-point communications. It should exclusively use pre-distributed one-time pads for it's authentication and encryption. We can now generate and distribute 100+ Gigabyte files of true-random data. This data can be used to authenticate. It can be used to generate secure symmetric encryption keys. We can handle millions of secure connections before we need to redistribute pads again.

Since I am not a cryptographer, this idea has many problems. But I believe that securely using these huge one-time pads could be as easy as:

• Ask Schneier for a good, symmetric encryption algorithm :)
• Select a key-size that is twice as long as Schneier thinks we need :) So, if Schneier thinks 512bits are fine, we use 1024 bit keys. This is only 128 bytes.
• Generate about 128 Gigabytes of random data from a truly random noise source. Use 64Gigs of it for connection keys. That will allow about 512 million connections. This may be excessive and need to be adjusted.
• Use the rest of the Random data 2 Gigs at a time. This gives you 32 records. The server always gets the first copy/install of the file. The server always uses the first record. Each subsequent client copy/install uses the data in it's record for install identification and session identification. This may not be enough records. It may need to be adjusted. But, it probably should not increase to hundreds. If there are too many copies, it is impossible to protect confidentiality.
• Throw away the first key record. You can spare some. Use that space to write down the GMT time-stamp when this file was created and the number of times the file has been copied.
• Use the next key record as the FileID for this file.
• The server only tries to use uses 1 pad file at a time.
• When the server starts up, it skips down the number of keys indicated by it's current key index or the number of minutes since pad creation, whichever is greater. If the server detects that GMT time is running backwards, it should terminate with a descriptive error message.
• Every minute, it switches to the next key in the list. Don't worry, this will only use up 10 million of your possible keys in 20 years. The server should not attempt to respond to more than one connection attempt per second.
• Whenever the server has authenticated a successful connection, it switches to the next key in the list.
• When something pokes it's port, the server assembles a message that says something like: Number of non-padding bytes in message. Message Type 0. Server Message#1. I have received 0 of your messages. I am copy 1 of the file with the ID of #FileID. My Copy ID is (the first field in my Copy ID Record). The local time is (current time). The number of times I have incremented keys is: (CurrentKeyIndex). The number of successful connections is (ConnectionNumber). The authentication number for this connection is (use ConnectionNumber to index into the Copy ID Record and retrieve the value). Optional padding. End of Server Message #1.
• Then the server encrypts all that info using the current encryption key and sends it out to the client. It should all fit in a standard ethernet/IP/TCP packet. All messages must be padded to the same length. A good starting message length is probably 1400 bytes.
• The client uses the current time as a guess to a starting index into the key data. It should probably start 1 before to allow for sloppy timekeeping. It sequentially tries each key until it manages to decrypt the server's message. It should probably give up and fail with an error if tries more than 20 keys. This number may need adjusting. When it fails, the client drops the connection without saying anything.
• If the client decodes the server message, it then checks it's own expected and calculated information against the info provided by the server. If it doesn't check out, it drops the connection and sends an urgent error message that somebody is attempting to mimic the server using a replay attack. If it checks out, it uses the key to encrypt it's response. It also updates it's CurrentKeyIndex.
• The response of the client looks like: Number of non-padding bytes in message. Message Type 1. The latest message I have decoded from you is (LastServerMessageNumber). This is my Message #1. Nice to meet you. I am copy (whatever) of the file with the ID of #FileID. My Copy Id is (the first field in my Copy ID Record. My local time is (timestamp). I have now updated and crossed off (CurrentKeyIndex) number of keys. My number of successful connections is (ConnectionNumber). The authentication number for this connection is (use ConnectionNumber to index into the Copy ID Record and retrieve the value.) Optional padding. End of Client Message #1.
• Then the server checks the client's supplied info for inconsistencies. If it fails, the server crosses off the key, drops the connection, and sends an urgent error message that somebody is attempting to mimic the client via a replay attack. It if checks out, the server sends an encrypted acknowledgement, and updates it status information on that copy of the file.
• Once the client receives the acknowledgement, it updates it's info on the server. Then both sides continue the encrypted conversation. The conversation looks like a sequence of encrypted messages.
• Most messages have the same format: Number of non-padding bytes in message. Message Type 2. Timestamp. From (Copy #) To (Copy #). Your latest message was (whatever). This is my message (whatever). [MESSAGE CONTENTS] Optional padding. End of message (whatever).
• You will also need some utility messages. A NAK may look like: Number of non-padding bytes in message. Message Type 3. Timestamp. From (Copy #) To (Copy #) Please re-transmit everything after message (whatever). This is my message (whatever). Optional padding. End of message (whatever).
• A FIN may look like: Number of non-padding bytes in message. Message Type 4. Timestamp. From (Copy #) To (Copy #) Your latest message was (whatever). Time to say goodbye. Optional padding. End of message (whatever).
• A Change Key may look like: Number of non-padding bytes in message. Message Type 5. Timestamp. From (Copy #) To (Copy #) Your latest message was (whatever). I'm feeling paranoid. Lets change to the next key. Optional padding. End of message (whatever).
• An Oh Shit may look like: Number of non-padding bytes in message. Message Type 6. Timestamp. From (Copy #) To (Copy #) Somebody just showed up with a NSL. I'm wiping my key-files/one-time pads. You should wipe this key-file/pad. Send lawyers, money, guns. So long and thanks for all the fish. Optional padding. End of message (whatever).

As you can see, this system is very simple,crude and inefficient. We are just re-implementing the old concepts of secure phones using 1-time pads. None of this is new. We can use simple logic because we don't want or need complexity. It allows for 1 server and multiple clients. You have to redo this logic to have more than one server per pad/keyfile. It only solves one problem, but it is so simple that it should eliminate almost all opportunity for logic and programming flaws. Remember, complexity is the enemy. We don't care about efficiency. We want security. The NSA has used feature creep to corrupt many forms of existing crypto.

This proposal is connection oriented, but it can run on TCP or UDP or ICMP. You probably want to use TCP to reduce spoofing, DoS opportunities and sort out some of the low level attacks. If you do, you have to remember that you can't trust TCP to eliminate spoofing or verify message delivery.

Protecting SSH communications for your organization is fairly straightforward if you do some work. You need to use multiple layers. Here is our guide to protecting SSH:

https://it.wiki.usu.edu/ssh_de...

We try to use multiple overlapping security layers to protect SSH:

• * If possible, use firewalls to limit the vulnerable scope of SSH to a few trusted hosts.
• * Configure firewalls to limit credential guessing by rate-limiting connections to the SSH port.
• * If possible, treat the SSH Port as a shared secret. Then, only interesting, targeted attacks find the SSH server. In many situations, this gives you very real protection. This protection is based on the very real increase in cost for an attack to find and attack an SSH server on an alternate, properly obscured port.
• * The SSH server should not allow known usernames including root. The attacker must find a username.
• * Motivated admins should use 2-factor authentication to access their critical SSH servers.
• * Admins are trained to create good passwords for their usernames.
• * SSH users should verify the identity of their systems when they first connect.
• * System admins must regularly review the activity of their SSH servers.
• * Security monitors all SSH connections, including ones on non-standard ports. We follow up on interesting connections.
• * We have SSH Honeypots that help us track, understand and respond to SSH attack. These Honeypots allow us to track which credentials are being attacked. They give us advance warning when a institutional credential is attacked. And, analyzing the use of unique credential lists gives us insight into our attackers.

Much of this work can be automated. The rest is excellent training material for new security recruits and interns.

Looking back, the main change I should have made to improve our SSH protections would be to default block incoming TCP/22 at the border years ago. Then, only allow it for groups that can show they use it to provide services to a large community. Anybody using SSH for administration can change the SSH port.

Anything that inflates the Exploit/Vul marketplace just hurts us all. We can fight hackers. We can even fight governments. But, we can't fight economics. If economics strongly encourage the discovery and secret utilization of exploit, we are all doomed. A few may experience a short-term benefit from a booming market in exploit and vulnerability, but the consequences of that marketplace will harm all the rest of us. The only sane behavior is to do everything we can to depress the market for vulnerability and exploit. We have to change the economics.

• 1) The government must always, immediately, publicly, disclose any purchased vulnerability or exploit. Once they are for sale, there is no point in keeping them secret. Secrecy inflates the market. Then the market creates more vulnerability and exploit.
• 2) Any benevolent government should target the exploit marketplace. This is a sensible and reasonable target for the NSA and the FBI. The exploit market creates the uncontrollable weapons of the internet apocalypse. Any exploit or vulnerability that the FBI or NSA can seize from others should be immediately published. This will suppress the desirability of the goods in the exploit marketplace.
  • * The legal fictions of intellectual property should never be allowed to adhere to exploit information.
  • * There is no public interest in preserving exploit.
  • * There is a great deal of public harm in encouraging exploit.
• 3) For the good of us all, we need to beat the NSA black and blue and force them to publicly disclose any of their vulnerabilities and exploits that are over a year old.
  • * This provides the NSA with tangible deliverables that they can use to justify their existence and we can use to measure their competence.
  • * This gives them a year to play with their toys.
  • * This will greatly suppress the exploit marketplace.

I heartily agree. Improving the process of litigating patents is nice, but we really need to improve the quality of granted patents. I believe that this problem is solvable, if we can muster the courage to admit that we have made mistakes in managing the patent office. In my opinion, the most important of these mistakes are:

1) More patents are not better than fewer patents.

Patents are not Innovation. Patents are not Progress. Patents are simply grounds to file a lawsuit against an industry. More Patents are simply more grounds for more lawsuits. An occasional lawsuit might spur innovation. BUT LAWSUITS DO NOT PRODUCE. Lawsuits are parasitic on innovation and production. Reform must recognize that patents are dangerous monopolies. Reform must place hard limits on the number of patents.

2) Running the US Patent Office as a cost-recovery operation is a mistake.

The US Patent Office is a very small, but critical component of the US economy. It's purpose was "..to promote the Progress of Science and useful Arts.." (US Constitution Article One, Section 8(8).) But, once the USPTO became completely cost recovery (Omnibus Budget Reconciliation Act of 1990, Title X, Subtitle B), that primary goal became overshadowed by the more pressing goal of securing funding via patent fees. The primary effect of cost recovery has been to promote the collection of patent fees.

Reform is painful, but simple. Admit cost recovery is a failed experiment. Revert the funding model to the model used for the first 200 years. The USPTO must be centrally funded by the US government. Any collected fees should be returned to the US Government.

3) It is a mistake to organize the US Patent Office to create economic incentives to grant poor patents.

Currently most of the revenue of the US Patent Office comes from GRANTING patents. See the USPTO FY 2013 President's Budget page 37: www.uspto.gov/about/stratplan/budget/fy13pbr.pdf "..More than half of all patent fee collections are from issue and maintenance fees, which essentially subsidize examination activities." A recent study by the Richmond School of Law found that the USPTO's actual grant rate is currently running at about 89%. In 2001, it was as high as 99%. See http://papers.ssrn.com/sol3/pa... page 9. In 2001, it didn't matter if an application was overbroad, obvious, trivial, a duplicate, or unreasonable, they ALL got granted. Things haven't improved much since then.

Reform could come in many forms, but the simplest and most reliable would be to eliminate and unify the Patent office fees into a single filing fee. This fee would provide no guarantee of receiving a patent, only a guarantee that your patent would be considered. This would free the Patent Office to be able to deny poor patents. The filing fee should be high enough to discourage spurious patent applications.

4) Scaling up the Patent Office to produce more poor quality patents is a mistake.

Currently, we expand the number of patent examiners based on demand. See the USPTO FY 2013 President's Budget, page 60, Gap Assessment: "Meeting this commitment assumes efficiency improvements brought about by reengineering many USPTO management and operational processes (e.g., the patent examination process) and systems, and hiring about 3,000 patent examiners in the two-year period FY 2012 and FY 2013 (including examiners for Three-Track Examination)." Again, the assumption is, more patents are better, even if it means decreasing examination, and increasing the number of untrained examiners. Poor quality is an inevitable result of this patent process.

Reform must tightly control and limit the number of patent examiners.

5) It is a mistake to grant all patents that meet minimum standards.

A review of the last couple decades changes in the patent approval criteria will reveal that the minimum standard for granting a patent has consistently shifted downwards. We must abandon the idea that any patent that meets minimum standards is granted. Over time, the standard always degrades. Reform is easy. You rank Patent Applications according to an agreed measure of quality, and only grant the top few percent. Over time, the pressure will be to improve the quality of patent applications, instead of degrade them.

6) Finally, please consider that it is a mistake to allow patent applicants to modify or extend their patents after submission.

This complicates the patent pipeline. It facilitates ‘submarine’ patents. It enables capturing Standards. It also enables gaming the patent system. Reform must simplify and reduce the patent process. Patents should be quickly evaluated. Most should be denied. If an applicant wishes to modify a denied patent, they should alter it, resubmit, and pay a new filing fee.

Real patent reform is possible. The pressures that currently give rise to bad patents are fairly obvious. We can mitigate those pressures and institute processes that tend to increase patent quality. If we can just summon the courage and political will to correct our mistakes.

At this point, governance of the NSA is a constitutional sham. There is no just rule because there is no consent of the governed.

There appear to be 2 paths forward.

1. 1) The path of trusted representation. If you can trust your representatives, maybe you can trust their oversight. This is the pathway that started with Frank Church and lead to Dianne Feinstein. The problem is, how do you regain trust when it has been so thoroughly abused? We now have lots of evidence that both the process and the people involved in this distribution of trust are not trustworthy. Simply resetting the process will not restore trust.
2. 2) The path of transparency. For the last few years, our dreams of empire have tempted us to discard openness, transparency and rightful rule. But these are the very things that have created and preserved us. There is nothing new about the temptations of tyranny. The dream of power has not changed or evolved in the last few thousand years. The architects of our nation were just as familiar with these temptations are are we. We just need to turn back to open laws, open courts, and open public discourse.

So, now it turns out that the NSA really was attacking me. Just because I ran the routers and a few other critical things.

20 years ago, when I first started ranting about the NSA it was mostly theoretical. I ranted because there was no proof they were not evil. The stickers on my laptop's mic and camera were a bit of a joke. People would ask about them and it would give me a chance to rant. That's all I really wanted. A chance to rant from time to time.

But, now it is clear that all my rants were too conservative.

Now I am doing IT security for a university. I spend all day attempting to hold off the attacks of foreign governments. Some of those attacks now appear to be my own government. I never really wanted to be this paranoid. And it still appears that I am not paranoid enough.

When will I ever be able to take off this stupid tinfoil hat?

Congress keeps railing against money wasted on social programs. It appears the NSA and the CIA are elaborate social programs for sociopaths. Why can't we defund them?

But, for the last 10 years, the NSA has not walked the line at all. If the NSA could evenly balance the equities issue: https://www.schneier.com/blog/..., then there would less problems. But, now, there is no balance. The NSA takes many actions that demonstrate that their drive to Attack has suppressed their duty to Defend. They include:

1. 1) BULLRUN - http://en.wikipedia.org/wiki/B...
2. 2) The exploit marketplace is greatly enhanced by the activities of the NSA. This marketplace drives the creation of new exploit. It threatens us all. The NSA never publishes an exploit. Instead, they purchase exploit. Again and again. Many times, they are purchasing exploit they already own, because they don't want to reveal what they own. It is inevitable that they frequently purchase info on exploit that they create. The exploit marketplace would collapse, if the NSA, CyberCommand and their consultants would just stop buying. The exploit marketplace would vanish, if the NSA freely disclosed a fraction (say 30%) of their exploits every year.
3. 3) Large networks of Bots can only exist at the sufferance of the NSA. Again, if the NSA wished, they could easily, trivially track the C&C of the large criminal Bots. Then they could be dismantled using the ShadowServer's infrastructure: https://www.shadowserver.org/w... Instead, it appears the NSA is maintaining the existence of the Bots for it own reasons.
4. 4) The lack of malware Epidemiology. The NSA could publish accurate statistics on incidence of malware. Again, the NSA is in a unique position to track the dissemination and activity of malware. With those stats, we could make accurate determinations of the effectiveness of different security measures. With accurate Epidemiology, we can move defense from superstition to science. Instead, it appears the NSA doesn't want effective defense.
5. 5) Spoofed DoS packets on the internet can only exist because the NSA tolerates them. If the NSA wished, they could easily, trivially identify all the sources of Spoofed packets. The NSA has enough listening points they can track a stream of spoofed packets back to it's source. Then those sources would be identified, fixed/shunned, and eliminated. Instead, it appears the NSA maintains those sources as cover for their own activities.

That is why Schneier is advocating the breakup of the NSA. We must remove the equities debate from their hands. One part will be driven by offense, the other by defense. And Offense will stop being able to suppress Defense.

Looking at the FBI Mission: http://www.fbi.gov/about-us/qu... it looks like the Priorities are based on Crazy Congressional Wishlist. There are just too many Priorities. And, they are ranked according to sensationalism, not importance to the survival of the Nation. That page lists them as:

1. 1. Protect the United States from terrorist attack
2. 2. Protect the United States against foreign intelligence operations and espionage
3. 3. Protect the United States against cyber-based attacks and high-technology crimes
4. 4. Combat public corruption at all levels
5. 5. Protect civil rights
6. 6. Combat transnational/national criminal organizations and enterprises
7. 7. Combat major white-collar crime
8. 8. Combat significant violent crime
9. 9. Support federal, state, local and international partners
10. 10. Upgrade technology to successfully perform the FBI’s mission

At this point, I think we can all clearly see that Terrorism only has as much importance as we create for it. If we don't regard it as important, the Terrorism threat goes almost entirely away. If you were to rank these Priorities according to what most impacts the survival of the Nation, I believe it would look more like:

1. 1. Combat public corruption at all levels
2. 2. Combat transnational/national criminal organizations and enterprises
3. 3. Protect civil rights
4. 4. Combat major white-collar crime
5. 5. Combat significant violent crime
6. 6. Support federal, state, local and international partners
7. 7. Upgrade technology to successfully perform the FBI’s mission
8. 8. Protect the United States against cyber-based attacks and high-technology crimes
9. 9. Protect the United States against foreign intelligence operations and espionage
10. 10. Protect the United States from terrorist attack

Freewill is fun to debate. There are so many levels:

• 1) If It bothers you to be following somebody else's orders, then you probably have free will.
• 2) If you can ask: "Do I have Free Will?" then you have finished level 2.
• 3) You complete Level 3 by doing a random thing, and then saying: "I'll bet they didn't predict that!"
• 4) Level 4 consists of unproductive analysis of the limits of comprehension and influence of an unknown Capable Mind.
• 5) Level 5 is when you realize that you don't need to know everything, you just need to know yourself. Once you clearly understand yourself, you lose free will.
• 6) Level 6 mostly consists of drunken babbling.

Here is the guide we provide to the SSH users at our University: https://it.wiki.usu.edu/ssh_description

Some of the major points:

• We try to use multiple overlapping security layers to protect SSH:
• * The firewall limits the vulnerable scope of SSH to a few trusted hosts.
• * The firewall can also be used to prevent credential guessing by rate-limiting connections to the SSH port.
• * The SSH Port is treated as a shared secret. Only interesting, targeted attacks find the SSH server.
• * The SSH server should not allow known usernames including root. The attacker must find a username.
• * The admin is trained to create good passwords for his usernames.
• * SSH users are taught to verify the identity of their systems when they first connect.
• * System admins must regularly review the activity of their SSH servers.
• * USU IT Security monitors all SSH connections, including ones on non-standard ports. We follow up on interesting connections.
• * USU has SSH Honeypots that help us respond to SSH attack.

Hi Ruir,

I work for USU. We are the Land Grant university for Utah. We built the WISE satellite for NASA.

If you are interested in our approach to security, I made a couple introductory Youtube videos:

• https://www.youtube.com/watch?v=LDah5RdP3gc describes our security approach for our people.
• https://www.youtube.com/watch?v=dQc5FU_jqCk describes some of the legal implications of our security monitoring.

Good Luck!

I have been doing IT for 30 years. I have been doing Security for a University for about the last 15 years. I have found that security is possible, but you have to focus.

The biggest problem is we are not taught how to do security. We are taught attack. But attack is not security. We are taught checklists, but checklists are not security.

Security is a meaningful assurance that your goals are being accomplished. The details are transitory. But, without goals, security has no point. Sticking to your goals when attacked is the heart of defense. Ultimately, it is the only thing that matters in security. Your organization adds value by sticking to it's goals. But this is more than just a matter of value added. Goals are the spirit of the organization. If you don't stick to your goals when attacked, then you have lost. The attacker may not have won, but you have lost.

But, security folks are not taught how to support institutional goals. Instead, we are taught myriads of other things. You can see examples of the mechanics of security defeating meaningful security all over the place. One striking example is the SANS 20 Critical Controls: http://www.sans.org/critical-security-controls/ While they contain many good points, they fail to teach security. When we analyzed them, we found that they tended to replace security process with checklist. When we had finished the evaluation process we had eliminated, reordered and replaced many of their controls. Our most important control was not even mentioned. It is:

Critical Control 1: Unity of Vision

Security is a MEANINGFUL Assurance that YOUR goals are being Accomplished. Most security failures are enabled and enhanced by disagreement of purpose. Are the fundamentals of management in place?

• A. How does your organization create a sense of community?
• B. What are your Institution's Goals?
• C. How are those goals propagated throughout the organization?
• D. How do your security actions promote your institutional goals?
• E. How do your security actions provide assurance to your institution?
• F. How does your institution reward long term loyalty?

Another glaring omission is the complete lack of strategic thinking in the security community. Winning battles, but loosing the war is our way of life. Nothing in the SANS controls guides you to ask the important questions like: "Were am I going?" and "How did I get in this handbasket?" and "Do I HAVE to eat this crap?" For our analysis of the SANS Controls, we added another Control. We valued it at number 3:

Critical Control 3: Enable a Better Future

This control assumes that our actions affect the future. Do your actions enable a more secure future?

• A. How do you increase the cost of attack?
• B. Do you report attack to the remote ISP/attacker?
• C. How do you coordinate with law enforcement?
• D. How do you decrease the cost of defense for yourself and others?
• E. How do you reduce the motivation for local attack?
• F. Do you disclose vulnerabilities to others? If so, will your institution protect it’s people when others attempt to punish disclosure?
• G. Do you facilitate others disclosing vulnerabilities to you?
• H. Do you help your peers improve their security?

The SANS 20 Controls were originally written by the NSA for the Department of Defense: http://www.sans.org/critical-security-controls/history.php The recent NSA disclosures make me wonder if maybe they are flawed, because the NSA simply doesn't value effective security?

We finally found the NSA mentioned in the same sentence as an actual, tangible, external threat. And now we see that instead of attacking them, they are giving them money?!? How can they get confused on this? You ATTACK enemies. You HELP friends.

The Exploit marketplace (here symbolized by VUPEN) is possibly the greatest threat to to existence of the internet. You can fight mistakes. You can fight attackers. But it is almost impossible to fight economics. The exploit market is creating an economy that creates and enables exploit. It is a great driving force reconfiguring the Internet for Attack, instead of Defense.

VUPEN is a worthy opponent. The NSA should hack them front, back and center. They should never pat them on the head and give them money.

It looks like the Exploit Marketplace was dreamed up, founded and sustained by the NSA. The leaked Black Budget showed that the NSA devotes huge resources to purchasing exploit. We have also learned that the NSA's budget included vast resources to create exploit:

So, the NSA creates exploit in everything they can influence. And they can influence almost everything. The NSA purchases exploit. Many times, they must be purchasing info on the exploits that they created. They preserve exploit. They mask everything in secrecy. And it all enhances the exploit marketplace. The NSA is no longer debating the Equities issue (https://www.schneier.com/blog/archives/2008/05/dualuse_technol_1.html ) They have only token interest in defending the Internet.

If we could just get the NSA out of the exploit market, the whole thing would probably collapse like 2008's Housing bubble.

I'd like to think that this mess is unintentional. But many of the recent changes to the USPTO appear to have optimized it to create lots of poor quality patents. I believe that we could reverse these changes. But, we would need to muster the political will to admit we have made mistakes. I have listed some of these obvious structural problems at: https://plus.google.com/b/101806809558932714222/101806809558932714222/about

I believe that the most serious problems with the structure of the USPTO are:

• 1) More patents are not better than fewer patents. Patents are not Innovation. Patents are not Progress. Patents are simply grounds to file a lawsuit against an industry. More Patents are simply more grounds for more lawsuits. An occasional lawsuit might spur innovation. BUT LAWSUITS DO NOT PRODUCE. Lawsuits are parasitic on innovation and production. Reform must recognize that patents are dangerous monopolies. Reform must place hard limits on the number of patents.
• 2) Running the US Patent Office as a cost-recovery operation is a mistake. The US Patent Office is a very small, but critical component of the US economy. It's purpose was "..to promote the Progress of Science and useful Arts.." (US Constitution Article One, Section 8(8).) But, once the USPTO started to become completely cost recovery, (See: Omnibus Budget Reconciliation Act of 1990, Title X, Subtitle B), that primary goal became overshadowed by the more pressing goal of securing funding via patent fees. The primary effect of cost recovery has been to promote the collection of patent fees. Reform is painful, but simple. Admit cost recovery is a failed experiment. Revert the funding model to the model used for the first 200 years. The USPTO must be centrally funded by the US government. Any collected fees should be returned to the US Government.
• 3) It is a mistake to organize the US Patent Office to create economic incentives to grant poor patents. Currently most of the revenue of the US Patent Office comes from GRANTING patents. See the USPTO FY 2013 President's Budget page 37: www.uspto.gov/about/stratplan/budget/fy13pbr.pdf "..More than half of all patent fee collections are from issue and maintenance fees, which essentially subsidize examination activities." A recent study by the Richmond School of Law found that the USPTO's actual grant rate is currently running at about 89%. In 2001, it was as high as 99%. See http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2225781 page 9. In 2001, it didn't matter if an application was overbroad, obvious, trivial, a duplicate, or unreasonable, they ALL got granted. Things haven't improved much since then. Reform could come in many forms, but the simplest and most reliable would be to eliminate and unify the Patent office fees into a single filing fee. This fee would provide no guarantee of receiving a patent, only a guarantee that your patent would be considered. This would free the Patent Office to be able to deny poor patents. The filing fee should be high enough to discourage spurious patent applications.
• 4) Scaling up the Patent Office to produce more poor quality patents is a mistake. Currently, we expand the number of patent examiners based on demand. See the USPTO FY 2013 President's Budget, page 60, Gap Assessment: "Meeting this commitment assumes efficiency improvements brought about by reengineering many USPTO management and operational processes (e.g., the patent examination process) and systems, and hiring about 3,000 patent examiners in the two-year period FY 2012 and FY 2013 (including examiners for Three-Track Examination)." Again, the assumption is, more patents are better, even if it means decreasing examination, and increasing the number of untrained examiners. Poor quality is an inevitable result of this patent process. Reform must tightly control and limit the number of patent examiners.
• 5) It is a mistake to grant all patents that meet minimum standards. A review of the last couple decades changes in the patent approval criteria will reveal that the minimum standard for granting a patent has consistently shifted downwards. We must abandon the idea that any patent that meets minimum standards is granted. Over time, the standard always degrades. Reform is easy. We rank Patent Applications according to an agreed measure of quality, and only grant the top few percent. Over time, the pressure will be to improve the quality of patent applications, instead of degrade them.
• 6) Finally, I suggest that it is a mistake to allow patent applicants to modify or extend their patents after submission. This complicates the patent pipeline. It facilitates ‘submarine’ patents. It enables capturing Standards. It also enables gaming the patent system. Reform must simplify and reduce the patent process. Patents should be quickly evaluated. Most should be denied. If an applicant wishes to modify a denied patent, they should alter it, resubmit, and pay a new filing fee.