Patent Wars

And so it begins.

Slashdot posted an article today about some patent claims against Open Source developers. They linked to an article by Bruce Perens, a well known OSS advocate, detailing some of the issues surrounding 2 particular patent cases currently pending. The first case is a recent case against RedHat regarding their Hibernate software package. Firestar Software is claiming that they hold a patent on what they call Object Relational Mapping. If I understand correctly, this is a programming technique used to hide the implementation details of a database behind an object. In other words, it’s basically encapsulating the database within an object.

Umm.. yeah. Duh. Ok, so let me get this straight. If I create an object in a programming language that can be used within the program to prevent having to write direct SQL calls, then that falls under this patent? Well, I guess I’ll have someone banging on my door pretty soon. phpTodo uses this same technique! Isn’t this an obvious extension of the object-orientation paradigm in most modern programming languages? It’s the next logical step from creating procedures or functions to accomplish the same thing!

According to the article by Bruce, there is plenty of prior art that covers this. And rightly so! The problem here seems to be the US patent system as a whole. Patents on their own seem, at least to me, to be something useful. At least, useful to a degree. I don’t hold any patents so, if anything, I’m biased against the system. But I do see some worth in it. I can see the need to defend a new, unique idea, at least for a time. However, it seems that patents are being granted on the most ridiculous things! For instance, check out patent number 6,368,227. WHAT? Are you kidding me? A patent for swinging on a swing? Sure, it’s side to side instead of the traditional forward and backward swing, but give me a break. I did this when I was a kid, and probably in the same manner.

Check out this excerpt from the patent itself :

“It should be noted that because pulling alternately on one chain and then the other resembles in some measure the movements one would use to swing from vines in a dense jungle forest, the swinging method of the present invention may be referred to by the present inventor and his sister as ‘Tarzan’ swinging. The user may even choose to produce a Tarzan-type yell while swinging in the manner described, which more accurately replicates swinging on vines in a dense jungle forest. Actual jungle forestry is not required.”
It seems to me that the patent system needs a major overhaul. I swear I’m not trying to jump on the bandwagon here, but when larger companies start leveraging these ridiculous patents, I get a bit scared. I’m just as open to getting sued as RedHat is. I think most of the uproar over the Firestar patent has to do with them suing an Open Source company, but the same remains true for any other company. For instance, the patent dispute against RIM. My main issue with that case isn’t so much the content of the patents, but rather the company that held the patents. NTP is a holding company. The entire reason NTP exists is as an entity that owns patents and collects fees based on usage of those patents. From my point of view, this is extortion. Basically, these companies hold the patents and require the user of the patent to pay fees for continued use. But they never use the patent themselves! In fact, given the task, I doubt any patent holding company could ever hope to implement any of the patents they hold.

But even patents that are blatantly obvious and are easily overturned are still extremely harmful. The second case that Bruce mentions is against a small open-source developer, Bob Jacobsen, who makes no money from his creation, JMRI. KAM, the company that filed the claim, holds the rights to patent 6,530,329 which outlines a method for sending commands from a computer to a model train.

This *sounds* like a patentable idea to me, but, upon further inspection, they haven’t really invented anything. First, they seem to be using pre-existing hardware and merely writing software to control it. Second, it’s basically a queueing system. Essentially, the patent outlines how a queue works. User 1 sends a command and the digital controller sends an acknowledgement; a second user sends a command and the same process occurs; and so on and so forth. The interesting part here is that the patent language makes it a point to explain that these acknowledgements are intended to inform the user that the action requested has taken place, when, in fact, it is merely queued. I can think of some other ways to do this, but the idea generally works. So where’s the new invention? It sounds to me like they took a pre-existing system and added a queue. That’s patentable?

So, because they have this patent, they have decided to sue Mr. Jacobsen. They are asking for $19 per user of JMRI. I’m not entirely sure how they determined how many users JMRI has, but my guess is that they merely looked at the number of downloads the software has received. It looks like version 1.4 received about 11000 downloads, which is about right for the $200,000 they’re apparently asking for. However, it appears that there may be plenty of prior art to fight this claim, so what’s the big deal? The problem here is that Mr. Jacobsen probably doesn’t have a few thousand dollars lying around that he can use to defend himself. Depending on how the lawsuit proceeds, it can possibly take several months or years to either overturn the patent, or lose the case. Either way, it would cost Mr. Jacobsen a lot of money he likely doesn’t have.

This type of patent abuse only serves to hurt everyone in the long run. Some developers may stop developing, or at least stop releasing their code out of fear. If small developers can be sued like this, even for patents that were so obviously granted without proper review, then they run the risk of losing more than just the right to develop a product. OSS developers are usually independent and don’t have the luxury of a corporate umbrella to protect them. They run the risk of losing everything they own. Something needs to be done about this system.

Here are some of my ideas for patent reform. They are listed in no specific order :

  • Existing patents should be re-examined for validity.
  • Any patent over a certain age should be considered public.
  • Any patents held by companies that are not implementing them should be given two choices. Either start working on an implementation of the patent, or sell the patent to a company that will implement it. Either way, a deadline should be set to prevent the company from sitting on the patent. If they exceed the deadline, the patent should be placed into the public domain.
  • All new patents should be scrutinized for validity beyond the current methods. If insufficient expertise is available at the patent office, then an expert in that area should be consulted.
  • All new patents should be open to public review. (I believe this is already the case, but I may be mistaken)
  • All granted patents should have a shelf-life. This shelf-life should be the same across all patents regardless of what the patent is on.
  • Patents on software should either not exist at all, or should be very critically and very carefully reviewed before being granted. There are too many ways patents like this can be exploited.

I’m sure there is a lot more that should be covered, but this, at least, is a start. This would put everyone on a level playing field and help prevent the stifling of innovation. Let’s get real here. If patents such as the Object Relational Mapping patent are allowed to survive and are enforceable, then innocent developers such as myself and others are in danger. I had no prior knowledge of the existence of that patent, and I never would have bothered to check. This, to me, seems to be a common sense bit of programming!

Hopefully we’ll see a larger movement to reform the current patent system, or to do away with it entirely. While there is worth in the system as it is today, I think it has much more potential to do harm.

BumpTop : Taking your messy desk into cyberspace

Slashdot had an interesting story today about a new type of desktop organization called BumpTop. It’s definitely interesting from a “wow” perspective, but I’m not sure how useful it is in practice. Basically, it allows you to treat your files like magazines on a table. You can stack them, knock them down, toss them about. And then there are some useful tools like sorting, auto stacking, and searching.

It seems to be pretty processor intensive from the outside, though. The graphics are decent, but it seems to use true physics to control the movement and behaviour of the icons. They collide against each other, fall over, bounce around, etc. Seems to be a little much, but I guess processor power is increasing while cost is decreasing.

There have been other desktop improvements suggested over the years. One of the more popular styles is the 3D desktop design. Sphere is an example of this design. Basically, all of the windows become 3D objects that can be manipulated, moved around in a three dimensional state, tacked up in various areas, etc. I tried it back when it was in Beta. Pretty neat, but not something I wanted to use on a regular basis. Checking today, it looks like they’ve added an IE version as well that looks to do the same thing, but for individual web pages.

The idea of an alternate desktop is a neat one. I’m not sure what direction the future will go in, but it’s likely that it will have a lot to do with physical interactions such as pen and touch screens. And, perhaps, even further into the future we’ll see 3D interactive holographic systems. Something along the lines of a Star Trek Holodeck.

Wow, the future is exciting…

Review: Star Wars Battlefront II (PSP)

Anticipation : 7
Expectation : 7
Initial Reaction : 7
Overall : 7
Genre : Third-Person Shooter

Star Wars is a franchise near and dear to my heart, having grown up with the original three. (Let’s not delve into the recent three) Battlefront gives you the ability to immerse yourself in that universe and wage war using the weapons and vehicles seen in the movies.

The PSP version of this game is merely a port of the PS2 version with a few extras thrown in. Unfortunately, the controls seem to be a little lacking. They definitely tried to get creative, using the S/C/T/X buttons as camera controls, but it still doesn’t quite work. Or maybe I just haven’t played enough to find the right combination. Without fine camera control, hitting some of the enemies is a little tough, even with the auto-aim feature enabled.

The graphics are basically the same as the PS2 version, just on a smaller scale. The action is intense and fast paced. Overall, it’s a great game and lots of fun to play. I recommend it to any Star Wars fan, or any fan of shooters in general.

Whois Query Fun

I ran across a really neat way to use the whois tool in Linux the other day. There is apparently a lot more information available than I knew about! Check out the full article for more.

Basically, in addition to the normal owner/tech contact data that you can get from the standard whois servers, and the IP block assignment information you can get from ARIN, there’s also some additional IP information you can get from Cymru. Specifically, you can run queries against ‘whois.cymru.com’ to determine what ISP hosts/owns the netblock. Check it out :

[user@localhost ~]$ whois -h whois.cymru.com 204.10.167.1
[Querying whois.cymru.com]
[whois.cymru.com]
AS | IP | AS Name
33241 | 204.10.167.1 | EMCS-AS - Endless Mountain Cyb

In addition to that, you can also check another server, ‘v4-peer.whois.cymru.com’ to check for upstream peers. Extremely useful for determining how “connected” a provider is when you’re looking for new service. Or, for determining what providers you need to talk to for help in blocking possible attacks. Check it out :

[user@localhost ~]$ whois -h v4-peer.whois.cymru.com 204.10.167.1
[Querying v4-peer.whois.cymru.com]
[v4-peer.whois.cymru.com]
PEER_AS | IP | AS Name
3593 | 204.10.167.1 | EPIX - EPIX
3737 | 204.10.167.1 | PTD-AS - PenTeleData Inc.
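To make the two outputs above usable from a script (for instance, when collecting the upstream networks to contact about an attack), here is an added Python parser that is not part of the original post. It works on constructed copies of the output shown above, and the only assumptions are the helper names and that the `whois` client is on the path for live use.

```python
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output, copied from the two whois sessions shown above.
# The live servers pad the columns with spaces; the parser ignores the padding.
ORIGIN_OUTPUT = """\
[Querying whois.cymru.com]
[whois.cymru.com]
AS      | IP               | AS Name
33241   | 204.10.167.1     | EMCS-AS - Endless Mountain Cyb
"""

PEER_OUTPUT = """\
[Querying v4-peer.whois.cymru.com]
[v4-peer.whois.cymru.com]
PEER_AS | IP               | AS Name
3593    | 204.10.167.1     | EPIX - EPIX
3737    | 204.10.167.1     | PTD-AS - PenTeleData Inc.
"""


@dataclass(frozen=True)
class AsRecord:
    asn: int
    ip: str
    name: str


def parse_cymru(output: str) -> List[AsRecord]:
    """Turn 'AS | IP | AS Name' style output into records.

    Bracketed lines are whois-client chatter (no '|' at all) and the header
    row has a non-numeric first column; both are skipped rather than guessed at.
    """
    records = []
    for line in output.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 3 or not fields[0].isdigit():
            continue
        records.append(AsRecord(int(fields[0]), fields[1], fields[2]))
    return records


def origin_as(output: str) -> Optional[AsRecord]:
    """The AS announcing the queried address (the whois.cymru.com answer)."""
    records = parse_cymru(output)
    return records[0] if records else None


def upstream_asns(output: str) -> List[int]:
    """Peer ASNs from the v4-peer answer, sorted so reports are stable."""
    return sorted(r.asn for r in parse_cymru(output))


def summarize(origin_output: str, peer_output: str) -> str:
    """One line per address: who announces it and which ASes it is reached through."""
    origin = origin_as(origin_output)
    if origin is None:
        return "no origin AS found"
    peers = ", ".join(f"AS{asn}" for asn in upstream_asns(peer_output))
    return (f"{origin.ip} is in AS{origin.asn} ({origin.name}), "
            f"reachable via {peers or 'no listed peers'}")


def query(server: str, ip: str) -> str:
    """Run the same command as in the post and return its stdout (needs network)."""
    return subprocess.run(["whois", "-h", server, ip], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # Offline demonstration on the captured output; swap in query() for live use.
    print(summarize(ORIGIN_OUTPUT, PEER_OUTPUT))
```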

Overall, I find this to be quite useful and I’ll definitely be using it! I hope you find it just as useful…

AJAX Security

I read an interesting article today over at Darknet. It brings to light some of the “new” techniques that can be used to exploit newer Web 2.0 applications.

The article was an interesting read and got me thinking about application security again. I find myself spending more and more time on security in an application, and less time on features and actual logic. Generally I’m splitting coding time between idiot proofing the application so the end user is forced to put in the right data, and hack proofing the code against would-be hackers. Even with custom frameworks to handle the boring bits, it still takes a lot of time and effort to make sure you’ve covered your bases. Oh well, such is the world we live in nowadays.

The new ways to exploit applications are interesting as well. Actually, most of them aren’t new, but rather the same old hacks used to exploit the new way of doing things. For instance, in an AJAX application you pass information between the browser and the server, behind the scenes. Ok, all well and good, but how do you make sure you’re still talking to the original browser that opened the request? You could use a cookie, or perhaps some sort of a session ID. Maybe a combination of the two. And on top of it, you might check the User Agent string and the referrer URL. Mind you, this can all be spoofed. In fact, spoofing the UA and referrer is extremely easy and can be done with tools like curl and wget. So what is the best way to secure these apps?

I haven’t really started working with AJAX very seriously, so I haven’t done much research into the matter. But, thinking about it, maybe there is a way to secure things a little better? Perhaps a variable in the browsers memory rather than a cookie? Combined with a session ID? Right now I like to secure my apps by using a combination of a session ID, the IP address of the user, and a cookie with seemingly random data in it. This has worked pretty well thus far, but I’m not sure how hard anyone has tried to hack it. I’m definitely interested in more security, though, provided it doesn’t slow things to a grinding halt.
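As an added illustration of the session ID plus client IP plus random-cookie scheme described above (example code, not from the original post), this Python sketch binds a session to those three factors and deliberately ignores User-Agent and Referer, since the post notes both are trivially spoofed with curl or wget. The names SessionStore and handle_ajax, the SESSION_TTL value and the sample addresses are assumptions for the example.

```python
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

SESSION_TTL = 1800  # seconds of inactivity before a session dies; assumed value


class SessionStore:
    """Server-side sessions bound to the client IP plus a random cookie token.

    Both identifiers come from the secrets module, and the token is compared
    in constant time so it cannot be recovered byte by byte from response
    timing. The clock is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._sessions: Dict[str, dict] = {}

    def create(self, client_ip: str) -> Tuple[str, str]:
        """Start a session; returns (session_id, cookie_token) for the browser."""
        session_id = secrets.token_hex(16)
        token = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"ip": client_ip, "token": token,
                                      "seen": self._now()}
        return session_id, token

    def validate(self, session_id: str, token: Optional[str], client_ip: str) -> bool:
        """Accept only if all three factors agree and the session is still fresh."""
        sess = self._sessions.get(session_id)
        if sess is None or token is None:
            return False
        if self._now() - sess["seen"] > SESSION_TTL:
            del self._sessions[session_id]
            return False
        if sess["ip"] != client_ip:
            # Caveat: users behind NAT or a mobile carrier can change address
            # mid-session, so IP binding trades some usability for safety.
            return False
        if not hmac.compare_digest(sess["token"], token):
            return False
        sess["seen"] = self._now()
        return True


def handle_ajax(store: SessionStore, request: dict) -> str:
    """Decide an XMLHttpRequest call given {session, cookie_token, ip, headers}.

    request["headers"] is never consulted: User-Agent and Referer are left out
    of the decision on purpose, not merely checked leniently.
    """
    ok = store.validate(request.get("session", ""), request.get("cookie_token"),
                        request["ip"])
    return "200 OK" if ok else "403 Forbidden"


if __name__ == "__main__":
    store = SessionStore()
    sid, tok = store.create("10.0.0.5")  # constructed client address
    good = {"session": sid, "cookie_token": tok, "ip": "10.0.0.5", "headers": {}}
    # Copied UA and Referer but no cookie token: the spoofable headers buy nothing.
    spoofed = {"session": sid, "cookie_token": None, "ip": "203.0.113.9",
               "headers": {"User-Agent": "Mozilla/5.0", "Referer": "https://app.example/"}}
    print(handle_ajax(store, good), handle_ajax(store, spoofed))
```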

Of course, there’s always the one true way for security. Unplug it. Turn it off. If it’s not running, it can’t be broken into.. Well, not yet anyways.. There’s always the quantum level.

Qmail SPP 0.42

Pawel Foremski is preparing to release the latest version (0.42) of his qmail-spp patch for qmail. This incredibly useful patch allows you to modify the behaviour of qmail, on the fly, through use of external scripts. These external scripts can be written in any programming language that allows STDIN and STDOUT. I have found this to be incredibly useful and it has helped tremendously when targeted by spammers and virii.

There was some initial concern about the overhead involved with calling an external program for processing, but my fears have been calmed since then. I’ve seen this patch in production on machines processing over 250,000 emails per day. That’s a LOT of email.

The patch allows you to inject special processing during specific portions of the smtpd process. These areas include HELO/EHLO, MAIL, RCPT, DATA and (if supported) AUTH. There is also another hook available when the client connects, before any data is transferred between the client and server. These 6 areas allow for a massive amount of power. For instance, you can interrupt the process right after the HELO/EHLO and run an SPF plugin. Or, you can check the from address during the RCPT portion and determine if the user is relaying, and if they’re allowed. Basically, a chkusr function. Tarpitting is fairly simple at the RCPT level as well. The initial connection point is a great time to check for blacklists. In fact, you can set different SPP config files for use depending on where the connection originates. Thus, you can add additional RBL lists depending on the source. So, you can skip RBL altogether for known local connections, and use a wider range of blocklists for external connections. All in all, the flexibility is incredible.

I highly recommend the use of this patch for any qmail installation intended for normal mail use. Obviously if you’re never going to allow mail delivery, there’s no real point, but if you need a strong, secure mail server, this is definitely a step in the right direction. In fact, I worked with Pawel to create a patch that will work with the SMTP AUTH/TLS patch that Bill Shupp put together. Bill has a nice page with a complete qmail toaster on it. His toaster was the basis for my own foray into the qmail scene, and I owe a lot to the work he’s done. I’ve built my own toaster based loosely on his, but using the qmail-spp patch, and some of my own experience. You can find my toaster by either clicking here, or on the link to the right.
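The connection-time hook and the “skip RBL for local connections, use a wider set for external ones” idea described above, as an added Python plugin sketch that is not part of qmail-spp or of my toaster. It assumes the plugin inherits tcpserver’s TCPREMOTEIP variable, that an E<text> line on stdout rejects the session (check the qmail-spp README for the version you run), and uses placeholder blocklist zone names; the lookup callback is injectable so the policy can be exercised without DNS.

```python
import ipaddress
import os
import socket
import sys
from typing import Callable, Iterable, List, Optional

# Constructed policy: no RBL checks for the local ranges, the full set for
# everyone else. The zone names are placeholders, not real blocklists.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
EXTERNAL_ZONES = ["rbl-one.example", "rbl-two.example", "rbl-three.example"]


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name a DNSBL expects: 192.0.2.1 -> 1.2.0.192.<zone>."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_local(ip: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def dns_listed(name: str) -> bool:
    """Real resolver: a DNSBL answers with an A record only when the IP is listed."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def zones_for(ip: str) -> List[str]:
    """Which blocklists apply: none for local or non-IPv4 clients, the full set otherwise."""
    if ipaddress.ip_address(ip).version != 4 or is_local(ip, LOCAL_NETS):
        return []
    return list(EXTERNAL_ZONES)


def first_listing(ip: str, listed: Callable[[str], bool] = dns_listed) -> Optional[str]:
    """Return the first zone that lists the client, or None if it is clean or local."""
    for zone in zones_for(ip):
        if listed(dnsbl_name(ip, zone)):
            return zone
    return None


def plugin_response(ip: str, listed: Callable[[str], bool] = dns_listed) -> str:
    """Line to hand back to qmail-spp. Assumed protocol: 'E<text>' rejects the
    session with that text; an empty string means no opinion, carry on."""
    zone = first_listing(ip, listed)
    if zone is None:
        return ""
    return f"E550 connection from {ip} refused: listed in {zone}"


def main() -> None:
    # tcpserver exports the peer address as TCPREMOTEIP; the plugin inherits it.
    ip = os.environ.get("TCPREMOTEIP")
    if not ip:
        return  # not running under tcpserver: stay silent rather than reject
    line = plugin_response(ip)
    if line:
        sys.stdout.write(line + "\n")


if __name__ == "__main__":
    main()
```

Wire it into the connection hook of the SPP config for the external-facing smtpd only, and keep the local-facing instance pointed at a config without it, which is the per-source split the post describes.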

Review: Daxter (PSP)

Anticipation : 9
Expectation : 9
Initial Reaction : 10
Overall : 10
Genre : Third-Person Action/Adventure

To say I was expecting a lot from Daxter would be an understatement. I wasn’t aware of Daxter as a title initially, but I became aware of it when the Big Boss at Ready At Dawn spoke out against other PSP Devs. Bold words, so I had to check out the game..

The premise is pretty simple. Daxter is in town, not working with Jak at the moment. He boasts a bunch at a bar and an elderly exterminator hires him to kill bugs. Ok, it sounds kinda corny, but it’s actually a pretty decent game. I’m not too far into the story, but it’s pretty decent so far.

The gameplay is top notch. Your primary weapon, at least to start, is a glorified bug swatter, electrified of course. Then comes the canister of bug spray, and then.. well, you’ll see. So far most of the game is on foot, but there are some vehicle sequences. There are some dream sequences too, but I’ll leave those up to you to find. They are interesting though.. :P

You have the choice of using the D-Pad or the analog stick to move Daxter, and the left and right shoulder buttons to spin the camera. Very effective, and nothing new. I’ve seen it used in other games, so I don’t think there’s anything new there. It works though, and very effectively on the PSP.

The RaD boss was right. Just because it’s a handheld, or only has one analog stick, doesn’t mean it can’t have good games. Daxter is excellent and I highly recommend it.

K I S S

I’ve been perusing the boards over at PHP Freaks lately and I’ve noticed a few annoying practices that I want to highlight. In my experience, keeping things as simple as possible helps to keep the code clean and usable. It’s easier to debug, easier to change, and lasts longer. When dealing with something like PHP, you inevitably run into the problem of differentiating languages. PHP, HTML, CSS, Javascript, UGH! Far too many people combine everything in one file and try to make sense of it. It’s rough enough for some people to keep one language straight, let alone 4. So, let’s use some common sense. It’s possible to separate them, so why don’t we?

Let’s start with the simple ones. CSS and Javascript are easily put in separate files. Creating a .js and .css file is a good practice and should be a standard step in all web creation. Granted, this should be done with some additional common sense. Creating either file for one or two small additions is not necessary unless those functions/definitions are used frequently through several pages.

So, we’ve removed 2 of the 4 languages and separated them out to their own files. How about the PHP and HTML? Well, there’s a fairly easy solution there too. I, personally, use the Smarty Template Engine. I believe there are other template systems out there, but Smarty works for me and I like it. Basically, you put all your php code in one file, make calls to $smarty->assign() and variables from php appear as Smarty variables in the template. From there you can easily “print” them in the template by using something like {$var} … Extremely flexible. Smarty also allows you to do some primitive programming. Enough to make it useful, but not so much that you get confused once more by 2 languages in one file.

So now we’ve separated everything into its own file. It’s easier to read, easier to understand, and easier to make changes. Imagine being able to simply change the HTML only and not worry about impacting the logic in the PHP program! Ahh.. flexibility!

Next on my pet peeve list is programmers who just won’t use functions like sprintf()… Let’s try an example here.. Which looks simpler :

$query = 'SELECT id, name, age, salary FROM users WHERE name LIKE "%' . $name . '%" AND age > ' . $age . ' AND salary > ' . $salary . ' ORDER BY name';

or this :

$query = sprintf('SELECT id, name, age, salary FROM users WHERE name LIKE "%%%s%%" AND age > %d AND salary > %f ORDER BY name', $name, $age, $salary);

Now, at first glance, the second one looks a little suspect. That’s because I chose what might be considered an ugly example. But, an experienced programmer can tell at a glance what the intended value of the 3 variables used in the query should be. String, Decimal, and Float. In addition to making it look a little nicer, you also gain some security. If someone snuck a string in for $age, it has no effect. So even if you skip sanitizing your variables, you still have a little bit of security. (Don’t skip sanitization…)

Simple additions to your coding toolkit, tons and tons of enhancements to your skillset. Please, code responsibly.

AJAX : It’s not just for cleaning anymore…

There’s a new or, rather, old programming language.. wait.. language? Hrm.. mixture of concepts is more like it. Anyways, there’s this new way of doing things on the web. It’s called AJAX which is an acronym for Asynchronous Javascript and XML. Based on the XMLHttpRequest object, it allows a web programmer to transfer information between the server and the web browser without requiring a complete reload of the web page. Pretty nifty stuff.

Dubbed Web 2.0, this “new” technology is revolutionizing the way users interact with the web. More than a mere buzzword, AJAX is sweeping the web and offering up some very powerful web applications. Gmail has been using AJAX for a while now. AJAX, combined with DHTML, allows you to “build” your Google homepage, and allows that same page to be updated on the fly without reloading the entire page. More recently, sites such as Netvibes, Pageflakes, and Eskobo offer “Web Desktops”. Other sites such as Yahoo Maps and Google Local offer web based mapping software without the arrow clicking and page reloading.

I’ve purchased a book on AJAX to enhance my own knowledge of this powerful web development tool. It’s definitely an intriguing concept and it seems simple enough up front, but extremely powerful when you get deep into it. Stay tuned for more!!!

Phew! There’s a backup!

Network management is a field I’ve been in for the past few years. In addition to making sure that packets get from point A to point B in the most efficient manner, I’ve also had to deal with network failures and disaster recovery. Essential to the disaster recovery scenario is the concept of backups. We’ve all heard of backing up the files on your computer, and backing up the servers, and storing them off-site, etc. But sometimes people overlook other backups that need to be handled. Namely, network device configuration backups. It really sucks when you realize that the smoking router in the corner has the only copy of the configuration you need to get the network back up…

I’ve written a bunch of code in the past to handle backing up a bunch of different types of equipment, and I’ve decided to make it open source. This new project will be hosted at SourceForge, and there is a link to the project page in the links section of this blog.

The initial code release will take a little bit to put together, but I’m hoping to have an alpha release within a month or so. It’s all written in object-oriented perl, a language I find fun to code in. I hope someone out there finds this useful. I know I spent quite a bit of time looking for a solution like this, and was sadly disappointed that I did not find one…