Security Now! - Episode 93

SERIES: Security Now!

EPISODE: #93

DATE: May 24, 2007

TITLE: Microsoft Patent Wars

SPEAKERS: Steve Gibson & Leo Laporte

SOURCE FILE: http://media.GRC.com/sn/SN-093.mp3

FILE ARCHIVE: http://www.GRC.com/securitynow.htm

DESCRIPTION: Steve and Leo tackle the past, present and future of software patents. Their discussion of this non-security topic was triggered by Microsoft’s recent declaration that since free and open source software (FOSS) was infringing at least 235 of their software patents, someone ought to be paying them.

INTRO: Netcasts you love, from people you trust. This is TWiT.

LEO LAPORTE: Bandwidth for Security Now! is provided by AOL Radio at AOL.com/podcasting.

This is Security Now! with Steve Gibson, Episode 93 for May 24, 2007: Software Patents.

Time to take a look at security with our good friend Steve Gibson the security guru, from his fortress, his lair, his shielded manse in beautiful Irvine, California. Hello, Steve.

STEVE GIBSON: Hello, Leo. Great to be back with you.

LEO: And did we break 50 million?

STEVE: Oh. Yes, in fact, I meant to tell you. Something happened about four weeks ago that another person in our newsgroup pointed out, because I chart - there’s a chart on the 12th original page of ShieldsUP which shows how many unique IPs we encountered every day. And someone somewhere must have, like, written an article or something significant about ShieldsUP because we’ve been about double the normal rate of uses. And it just blasted us through the 50 million mark.

LEO: Oh, excellent.

STEVE: And I don’t - my first thing was I was a little suspicious of, well, could that be some automated thing which is, you know, pumping the numbers up. Except that there is a standard weekly cycle of activity where you can see it. It’s a seven-day period as people are - I think they’re busier on Mondays. It’s like in the beginning of the week we’re busier, and less so as the week goes on. And so it’s, like, amplified that - not only has it doubled the number, but it’s amplified the size of that sine wave of weekly cycles. So it looks like these are really valid uses of ShieldsUP, that something happened somewhere where it got a lot of extra attention, and it seems to be sustaining, so…

LEO: It couldn’t have anything to do with the fact that you’re appearing on the radio show talking about ShieldsUP, could it? Does it go up on Saturday or Sunday? Does it go up on the weekend? No.

STEVE: I don’t - I never really actually looked to figure out which was the peak day. So I’m not sure. That would be really interesting.

LEO: Congratulations on your 50 millionth.

STEVE: Thank you.

LEO: 50 million systems tested by ShieldsUP. GRC.com. Whenever I get a new router or firewall, that’s what I try. It’s absolutely free. It’s marvy.

STEVE: Well, it’s quick and easy. I think that’s probably one of the nicest things about it. It’s entirely client-side, you don’t have to load anything on your computer, you just go there and visit it with your browser. And it just gives you a real quick thumbs-up. In fact, I had an interesting dialogue with a tech writer for a paper in Houston who said that Apple’s AirPort was not giving him stealth. It was showing closed ports. And he had had a conversation with Apple, and they said, yes, well, you know, our AirPorts work that way, and we don’t think it’s a problem. He talked to Bruce Schneier, and Bruce said, oh, you know, as long as you don’t have things open it probably doesn’t matter. And he said, so, you know, what do you think? And I said, well, what’s interesting is that Apple’s own firewall has a stealth option. So, you know, you can tell Apple’s firewall not to return any packets in response to something coming in. Don’t declare that you’re even there at that IP. I said, so it seems interesting to me that Apple would take the trouble to put that in their own OS firewall, clearly seeing some value there, but not offer the same sort of opportunity in their AirPort router. So I said, you know, and I don’t disagree with Bruce, I said, but it’s so simple for a router to be stealthful, even though it’s a technical breach of the RFCs, I mean…

LEO: Oh, it is?

STEVE: Yeah.

LEO: Oh, I didn’t know that.

STEVE: The formal specification says that a packet arriving at a closed port should return a reset in response to a SYN to say, I’m here, but this port is closed, thank you anyway. And the reason is a stealth port will receive four SYN packets because the TCP stack at the sending end will send a packet, a SYN packet, and it will wait typically two seconds. Then it will send another one and wait four seconds, send another one and wait eight seconds, send another one and wait 16. Except that my math didn’t work right because it ends up taking - oh, no, maybe if you add them all up. But not even then. But it ends up taking, like, 45 seconds for a TCP stack to say I’m unable to open a connection because it will try four or five times. And it exponentially scales the period of time it’s waiting each time. So the nice thing about sending a reset back is that you affirmatively say, I got your SYN, I’m closed. And so it does…

LEO: That saves time. It makes sense, yeah.

STEVE: Yes. It saves time. It cleans up the ‘Net a little bit. You’re not having these redundant SYNs.

LEO: Go away, I’m not here. But your point is that, if you say that, you’re telling a hacker you are there, you’re just not open for business.

STEVE: Yes. And so the point I made to this guy in Houston was, you know, I’m not here to preach stealthfulness, although it’s so simple to do that, I mean, it’s just so simple not to respond that, if you just gave a switch where you asked a user, would you rather that someone could see that you’re there but closed for business, or believe that, you know, you’ve unplugged your router and you’re not there at all, almost any user I can imagine would say I’d just as soon not be here at all. So, you know, it’s simple. So it’s like, okay, I can’t speak to why Apple’s not doing it, but I sure do know that all the typical commercial non-Apple routers certainly allow you to do that. I mean, it’s something that they promote. And it’s funny because he said, do you think you’re responsible for that? I said, oh, as a matter of fact I’m pretty sure I am.

LEO: Might be, yeah. I don’t think anybody even - you coined the term “stealth,” didn’t you?

STEVE: I did coin the term “stealth” because of course the whole thing, being a Trekkie myself, the whole - obviously ShieldsUP comes from “raise our shields.” And so when I was trying to think of, okay, we have open and closed ports, what would it be if a port didn’t respond at all? And of course, you know, the cloaking generator that the Romulans always had, you know, you were stealthed. So and in fact there were some notes on Linksys and Netgear routers where they were talking about - I remember seeing some firmware change notes where they said “fixes a problem with router not being fully stealthed for ShieldsUP.”

LEO: Oh, wow.

STEVE: It’s like, yeah, I guess that’s…

LEO: Somebody’s paying attention.

STEVE: Well, because, you know, the end-users complained to their router maker, it’s like, hey, I’m not completely stealthed on ShieldsUP, you know, better fix that. And it’s funny, too, because there have been firmware bugs where suddenly random ports stopped being stealthful, and ShieldsUP caught it, and then the router manufacturers were told by their customers. So there’s a nice sort of closed-loop feedback system in place, too, where ShieldsUP ends up getting used to find problems in routers. The customers then report, and the firmware gets updated. So it’s a little nice ecosystem we have.

LEO: So shall we handle some errata?

STEVE: We’ve got a couple, well, actually just one little thing, and I had a fun…

LEO: We never make mistakes, of course.

STEVE: I had a fun little anecdote, again, a little bit of SpinRite. In fact, even this errata is SpinRite. You may remember that a couple weeks ago I read a note from a neat 12-year-old computer guy, Justin Gerard, who told us how his computer went wonky, and he called someone from the Geek Squad, which are the Best Buy people, who came out and ran SpinRite on his machine in order to fix it. And that was really cool, except I made unfortunately the observation that, well, the correct observation that they don’t have any permission to run SpinRite.

LEO: Whoops. Whoops.

STEVE: We do have an enterprise-class license that they could get. You know, and like our Nerds On Site guys have an agreement with me that allows them to use SpinRite formally and officially on all their customers’ computers, these guys don’t. So I wanted to give credit to the Geek Squad for immediately following up.

LEO: Oh, good.

STEVE: When the broadcast went out, someone in the Geek Squad administration immediately contacted our office and said, we don’t have any record of fixing a Justin Gerard’s PC. Could you find out any - could you get any…

LEO: It’s probably his parents’ name…

STEVE: …additional information, exactly. And this person suggested, since he’s 12 years old, it’s probably in his parents’ name. Could you let us know, you know, who this is so we can track it down because we certainly don’t want any of our geeks using their own software in an unlicensed way as part of their - in their business dealings with us. So I contacted Justin. And it turns out that his note was a few months before. He couldn’t find a receipt. He didn’t know who it was, didn’t have any other information, blah blah blah. And we both sort of expressed we didn’t really, either of us, want to get this particular geek in trouble for, first of all, saving Justin’s computer, which he did. But, you know, at the same point I wanted to raise the issue that this was not something, I mean, this goes a little - this stretches my touchy-feely feeling about…

LEO: You don’t want to give this - no, this is your job.

STEVE: Yeah, exactly. It really does pay the bills here. So anyway, so I did want to share - I wanted to make sure we closed that issue, to know that the Geek Squad is…

LEO: They followed up on it, which is good.

STEVE: They followed up immediately and were as responsible as I could ask them to be. So I really did appreciate that.

LEO: Well, there’s one more thing they could have done is buy a site license. But okay. We won’t belabor…

STEVE: That hasn’t happened yet, but that would be great.

LEO: They should.

STEVE: I think they should. Obviously SpinRite works.

LEO: It works.

STEVE: And in fact, I got a note from a Dennis Constant, who I guess must be somewhere around me in Southern California because he says, “Steve, I recently flew from Southern California to Chicago to spend a week with my closest friend, who was recovering from heart surgery. He was well enough to have me drive him to his office.” I guess he was well enough. “And while there I learned that his old PC had problems. Most of the time when he turned it on it would not boot, but produced a horrible click-click sound, which indicated that the hard drive was possibly dying.” That’s a good indication, yeah. He says, “I had brought my laptop on the trip and had my trusty CD of SpinRite, and I ran SpinRite on his PC using Level 2.” Now, Level 2 is a read-only, like a faster read-only pass, which is used just sort of for seeing if there’s any glaring problems on the drive.

Anyway, so he says, “After a couple of hours, when the process was finished, I noticed that the PC seemed a little better, but still wouldn’t boot most of the time. Before I left the office I started SpinRite again, this time using Level 5. It ran all night. The next day I left for Chicago. When I called my friend a few days later and asked about the PC, he said it worked perfectly, almost like new. He had no trouble getting the drive to boot, and the computer was faster than ever. Once again SpinRite performed miracles. Thanks and regards, Dennis Constant.”

LEO: That’s good, that’s good news.

STEVE: Yeah, so that’s a nice story. And keep those stories coming. I love to get them.

LEO: We do, we do. So that is good news, a happy ending for the Geek Squad. Shall we launch into patents?

STEVE: Yeah. Every so often something comes up or happens that has nothing to do with security, which is obviously the focus of where we spend most of our time talking these last 93 episodes. But it’s something that is, I think, really interesting or really important or something that, you know, bears on us, Leo. And so I take the opportunity - infrequently, but when I think it’s important - to sort of say, wait a minute, we’ll get back to security issues next week, but something bears discussing that I think is important. And…

LEO: Well, and you have some particular interest and expertise in this because you have patents.

STEVE: Well, I never bothered to follow through because they weren’t things I was doing for myself. They were things I was doing as a consultant. And while pursuing the process, which is very lengthy, things changed such that it didn’t make sense to pursue them. But I have had many involvements with patents. I’ve also served as an expert witness, testifying in a number of trials that involved patents. And software patents is something I’ve been very - it’s something I have very, if I may say, Richard Stallman-like feelings about.

LEO: Uh-oh.

STEVE: Okay, not as extreme as Stallman. Nobody…

LEO: But he’s very anti-software patent. He thinks they’re the spawn of Satan, you know, I mean…

STEVE: Well, and my problem is, it’s the test of non-obviousness. Any patent - I guess we ought to step back a little bit. In so many online postings I see confusion between patent, copyright, and trademark. They’re, you know, those are sort of like the three pillars of intellectual property. A trademark obviously is a phrase or a name for something which a company wants protection on so that nobody else can use that in a way that would confuse a consumer. So for…

LEO: We have a trademark on TWiT, for instance, so that - and that doesn’t mean you couldn’t have an ice cream cone named TWiT, but you couldn’t have a podcast named TWiT.

STEVE: Yes. And in fact I had an interesting event that not long ago - I have mentioned here that I trademarked the phrase “It’s my computer,” sort of as a battle cry. It’s like, you know, hands off, it’s my computer. And we were challenged a few months ago by, unfortunately, Network Solutions, who has the - who said, “Our trademark, ‘My computer,’ is too similar to yours, and we have preexisting usage of that.”

Well, I’ve got a very good patent firm. They’re the ones, in fact, that Apple uses, and Ashton-Tate used. And it’s a good L.A. firm, and they also have offices up in Silicon Valley. And so it turns out that, I mean, we did everything right. I mean, I spent the money. We applied for a trademark on “It’s my computer.” I showed use of it. We even filed for challenge, which is something where in a national registry we say we’re applying for the trademark “It’s my computer.” Does anyone have any problem with that? And so all the intellectual property firms are supposed to be checking that and saying, wait a minute, we have a client, Network Solutions, that has some intellectual property in the trademark “My computer.” You guys are in the same industry. This is confusingly similar. We object to that trademark. Well, that didn’t happen. No one raised an objection. We got the trademark assigned, and I have a trademark. Well, then along marches the law firm representing Network Solutions, saying you can’t have that, it’s too confusingly similar. And in fact they hadn’t even applied for a trademark because we did a trademark search to make sure that there was nothing…

LEO: But they don’t have to; right? I mean, they can say you can’t…

STEVE: That is true. The bottom line is they…

LEO: So if somebody’s been calling their podcast “TWiT” without trademarking it for years, they could contest my trademark.

STEVE: Yes, because prior use is the ultimate winner in this kind of dispute. So essentially we were going to lose. So I said, well, shoot. I really like that trademark. I like my little battle cry. And so my attorney said, well, why don’t we tell them that they can have, you know, that we will stop using it and relinquish it for $5,000. And I said, oh, I like that. That sounds good. So, you know, my attorney sent a note to their attorney. Their attorney sent a note back saying, how about $2,500? And so my attorney said, why don’t we say four? I said, no, let’s say five. They’re Network Solutions.

LEO: They can afford it.

STEVE: Tell them - exactly. Tell them we’ll settle for five, and we’ll reconsider our options if that’s not okay with them. So we got a check for $5,000.

LEO: That’s fair.

STEVE: And then I gave up my trademark, which I actually was going to, you know, if they wanted to fight me I was going to spend way more money than that and lose anyway, so…

LEO: But I presume you have SpinRite trademarked.

STEVE: Absolutely.

LEO: And there’s no contesting that. And frankly, it wouldn’t be worth - it’d be worth a lot more than five grand. I mean, nobody’s going to take that name.

STEVE: Right. Well, and I’ve got 20 years of prior use, so…

LEO: And frankly, nobody seems to want TWiT, so I think we’re safe on that.

STEVE: Well, and it’s funny, too, because I did hear Kevin talking about Digg and how he’s had…

LEO: He has to pursue them, yeah.

STEVE: Yeah, I mean, the idea is, if someone is infringing a trademark, you have to stand up for your rights, or someone can come along…

LEO: Defend it or lose it.

STEVE: Yup, they’re able to say that. So that’s trademark. So copyright is what probably people are most familiar with, is essentially something saying, here’s a book, and I’m copyrighting it. You cannot make a substantial copy of this piece of work. And so of course copyright is one of the protections that all software seeks and obtains just to protect essentially someone from duplicating or substantially duplicating the entire thing. So…

LEO: You don’t have to apply for a copyright. You get it. Automatically you get a copyright just by creating a work.

STEVE: That’s absolutely true. In fact, you…

LEO: You can apply, but there’s no real - I don’t think there’s really an advantage.

STEVE: Right. And essentially the only thing you need to do is you need to state on the work that you are claiming copy rights in the work. And so you just say “copyright” and the little circle C, and then the year that you’re making that claim. And it sort of stamps it as, look, I’m asserting my ownership in this work, my copyright. And that’s all you need to do.

So a patent, however, is completely different. A patent is - the claim is that there’s something that has been invented, something that is, well, in fact, there are three tests for an invention. It needs to be novel, it needs to be non-obvious, and it needs to be useful. So the Patent Office, when they’re looking at these things, they’re saying, okay, is this new? Is this something that has not been done before? Would it not be obvious to someone trained in the art, is the way the actual language reads, meaning that, you know, for example in the case of software, some software guy says, oh, look what I invented. And the question would be, would another software person think that was amazing, or would they go…

LEO: You can’t invent a bubble sort. It’s been around for years. That’s non-obvious. Or it is obvious.

STEVE: Exactly.

LEO: One plus one equals two, that’s obvious.

STEVE: And just, I guess, to limit frivolous patents, the Patent Office also says, and it has to be useful. So, you know, I guess - I can’t imagine, nothing occurs to me off the top of my head that would be like, why anyone would bother patenting something useless, especially these days when it is so expensive to patent anything. But still, they certainly want, you know, those are traditionally the tests that are applied.

So my own problem with software patents has been that, when I’ve seen software patents, they’ve seemed obvious to me. I mean, I’m obviously - I’m into software. I love software. I spend a lot of time in that domain. I’m no super software genius, so I’m not saying that, you know, something that’s obvious to me would be non-obvious to other people. I think in general most of what I see people saying they invented, I mean, often seems obvious. Now…

LEO: Well, a good example is Jeff Bezos and Amazon’s - this is one of the early software patents.

STEVE: Oh, yes.

LEO: The one-click patent. Very controversial. They claim that they own the rights to the idea that, if you see something, and you click one button to buy it, and it buys it automatically, that’s theirs. That’s ours, we own it, we bought it, we invented it.

STEVE: Yeah. And I think that fails the non-obvious test. Now, certainly something like crypto algorithms, it’s like, good, have that.

LEO: Non-obvious.

STEVE: You invented that, baby. I look at those diagrams of S-boxes and rotations and scrambling things, it’s like, whoa. Somebody did some serious work. But what’s interesting is that even that, historically, would not have been patentable, although we now know RSA has patents and other people have patents on crypto.

LEO: But in the past you couldn’t patent that.

STEVE: True. The idea…

LEO: Because it’s software or…

STEVE: No, because the original thinking about software was that software is math, that software algorithms are just mathematics. And you cannot invent math. You can discover math, but that’s not an invention. And so the idea was that math, you cannot patent math because it exists. I mean, it’s like it’s inherent in reality is one plus one, oh, yeah, is two. So the idea being that the original feeling in the Patent Office was that no software could be patented because it was tantamount to patenting math because that’s what software was.

So for me, many years ago, probably 20 years ago, I did some consulting and was inventing things. And the people that I was doing this work for wanted to acquire patents. Now, I’ve never sought any myself. I mean, arguably there are things in SpinRite that I invented. I mean, there’s some very cool things in SpinRite. But, I mean, it’s like practicing what you preach. I don’t really see the value in that. I mean, I understand politically what the value is. But anyway, so on other people’s behalf I said, fine, I’ll work with your patent attorney if you want to protect this thing that you say I’ve invented. Well, the patent attorney said, okay, here’s our problem. The Patent Office won’t give us a patent on software. Now, remember, this is two decades ago. He said, so this is how we get around that. He said, give me a description of what you’ve done in hardware because hardware we can patent. And even though hardware is not what he called the “preferred embodiment” of this patent, of this invention, it’s not the preferred embodiment of the invention, software is, we’re going to get the patent on the hardware embodiment and say that, you know, this is an example of the invention implemented in hardware, and it may not be the preferred embodiment of the invention. So that protects us from anyone doing the same thing in software, so essentially you’ve got a software patent. And so I remember very well that those were my instructions then.

Well, the world has moved from that position incrementally over time to the point today, actually, I think things are relatively out of control. I mean, I’m sure you’ve seen the little news blurbs about people discovering genes, you know, in the human genome, or chromosomes, and patenting them. It’s like, wait a minute, this is in my blood. How can you patent something that, you know, we all have?

LEO: And they have a patent. I mean, they’ve been able to do it.

STEVE: I know, I know. It is happening. Now…

LEO: It’s so weird.

STEVE: Okay. So that’s sort of the way things have evolved. Now, what companies began doing as software patents became practical, I mean, possible to get, is they started amassing software patent portfolios. IBM was the leader in this just because, you know, they had always been patenting all their hardware gizmos and widgets and things. And so they were always, I’m sure, pushing on the Patent and Trademark Office, the PTO, to change the boundaries between software and hardware. And no doubt they had attorneys who were giving them the same sort of advice I was given about how to get a software patent by showing an embodiment in hardware, and that would also protect you from software that did the same thing.

So over time the Patent and Trademark Office changed their approach. IBM was acquiring tons of patents. Other companies, of course, were doing the same thing. Sun and virtually any computer company today has lots of patents. And of course we remember the famous original Apple-Microsoft lawsuit years ago where they were fighting each other over things, you know, it wasn’t clear whether they were - I guess they were design patents. They were saying, you know, this is our design of a desktop; and, you know, no one can infringe on that. And so Microsoft and Apple ended up essentially smoking a peace pipe by doing what’s called a cross-licensing deal where they would each agree to cross-license the other’s patents and not bring any litigation against each other. And so what’s happened is, as software patents became popular, computer companies turned, you know, spent some chunk of their money to build a patent portfolio, not necessarily because they intended to sue anyone who infringed their patent, although that does happen, of course, we just saw - remember the case a few months ago with RIM, the BlackBerry company, and I think it was NTP was the company that was alleging…

LEO: Yeah, sued and won.

STEVE: Well, actually they…

LEO: But some of their patents got invalidated. It’s very confusing.

STEVE: I thought the way it turned out was that they settled. RIM paid them a ton of money, even though it was believed that many of the patents would have been invalidated if they were challenged.

LEO: Right, right.

STEVE: And this is a perfect segue to talk about one of the biggest problems we have is that many people now agree that the Patent and Trademark Office is issuing patents that they should not issue. The problem is that patent attorneys get involved in this process. And of course patent attorneys think that patents are good, and more patents are better. So there’s just lots of patents being issued. The problem is you end up with arguably bogus patents which give a company essentially a government-sponsored right to sue someone else who they feel is infringing on their patent. And I’ve been an expert witness in a number of lawsuits where my opinion as someone in the industry and somebody with some engineering background has been called upon to say, you know, what do I think about this. And the problem is, I’ve seen many things that should have never had a patent granted, and now a company is - all this money is flowing to the attorneys, who roll up their sleeves and fight this. Whereas, if the Patent and Trademark Office had just said no, this is obvious, then we would have never had this problem.

So, you know, and obviously here’s RIM that ended up having to pay a substantial amount of money, an amazing amount of money, to settle this infringement claim on patents that probably would not have been valid, but it would have cost them more money to get them invalidated and to fight against that than it did just to settle. So, I mean, this is a problem in the industry. So generally companies get these patents because they want to build a portfolio in order to smoke these peace pipes with other companies. Basically they want to do cross-licensing deals. And so that’s sort of been the way things have been going now for many years. Microsoft was a little slow to get going on the patent thing, probably because once - I really want to say probably because once they had more ethics than they do today, but…

LEO: Oh, yeah, ow, that burn.

STEVE: …that’s probably not fair. But, for example, in 2002 Microsoft applied for 1,411 patents. And by 2004 they had applied for 3,780 patents. Now, I looked at one, out of curiosity, that was granted to them last week, on May 17 I think it was, a patent just issued to Microsoft. And the patent is on how to make e-ink, electronic ink, flow more smoothly on a tablet PC. And I thought, okay, that’s interesting, I wonder what they’ve done. I read the patent. And it’s not easy to read these things. I mean, these make end-user license agreements seem easy.

LEO: They’re often very convoluted.

STEVE: Oh, my god, Leo.

LEO: Talk about non-obvious.

STEVE: Well, and the other thing that happens is that, first of all, companies that get into the software patent game end up telling their programmers, the software guys, let us know of anything you do that’s clever. I mean, it’s like it becomes a new extension of the programmer’s job to inform legal…

LEO: This is what cracks me up.

STEVE: Yes, of anything that they invent. And in fact it’s interesting because I was talking to our friend Mark Thompson at AnalogX about this a couple days ago because I’m pretty worked up about this whole issue. And he made a very good point because I was telling him about this particular patent that I read about the e-ink. And he said, you know, what normally happens, or what hopefully probably happens, is the programmers actually come up with something novel. But one of the other goals of a patent attorney is to get the broadest patent possible. That is, you start out with inventing something very specific. And in the specificity you could argue you might have something novel, you know, a programmer in all good conscience really thinks he came up with something amazing and unique. But then the patent attorney gets a hold of it and stretches this thing until, you know, because he wants the biggest umbrella he can make out of this in order to get as much breadth of a patent as possible because a broader patent is better.

And in fact that’s one of the main arguments the Patent and Trademark Office has, and I’ve had this experience with the patents that I have pursued, is again, I’ll express it like the way I really mean it. Then my patent attorney just makes it so that it could be any color, and it could be chrome and black and blue and white, and it even does apply to banana splits. And it’s like, and then I get it back, I go, well, okay. And he’s, oh, this is good, Steve, broad is good. We want the broadest patent possible. So then it gets submitted to the Patent and Trademark Office. They say, okay, this is overly broad. This covers too much. You need to narrow it. And so there is this back-and-forth negotiation until one side or the other blinks, and then you end up with something that results.

Well, so I read Microsoft’s patent. And I wanted there to be something amazing in this. It’s like, okay, what is it, what’s the secret for making e-ink flow smoothly? Turns out that Microsoft’s patent involves priority queues, where you put the e-ink events in a separate queue that the operating system treats with higher priority than all non-e-ink events. That way the operating system will make sure to refresh the screen to show the e-ink before it does other things that it has to do like worry about updating the time of day and dragging windows around or whatever. And it’s like, okay. So then I read it again, trying to find what I had missed. Because, I mean…

LEO: That seems obvious to you.

STEVE: Leo, not only is it obvious, it’s obvious to everybody.

LEO: Right.

STEVE: And priority queues is one of the fundamental architectural components of any operating system. I’m sure it predates - I’m sure IBM had them on computers with tubes.

LEO: Any multitasking operating system would have to do it.

STEVE: And this is not, I mean, I looked for something that was special, something different. That’s all it is. And then I got a little perversely curious, and so I looked at a few others. There was another one where they were talking about a counter and how a counter goes negative, and then when it’s positive it means one thing, and then the mode changes. And I realized this was so that you could use a stroke on the tablet to capitalize the next letter, and the counter would be incremented, and then you’d do the letter, and then it would decrement it and put you back into lower case. And it’s like, oh, my god, they’re getting patents on this stuff. I mean, just bogus patents. And again, maybe once upon a time when this patent was originally created, that is, this idea happened, some programmer really did have something novel. But what ends up getting issued is a nightmare. And I think it’s a problem because a patent this weak just causes, as we said before, just causes real problems.

LEO: Well, it’s just asking for litigation. And it’s inevitably going to go back to the courts. But hasn’t the Supreme Court weakened this a little bit just recently?

STEVE: Yes, actually there was a fantastic decision. Actually patent watchers have been noticing that the Supreme Court has recently been taking up some cases in general about patents that they have not dealt with before. Microsoft won an issue at the Supreme Court level against AT&T that was trying to claim that Microsoft’s admitted infringement of AT&T’s voice technology - Microsoft acknowledged that they were infringing in the U.S. AT&T was saying, and everywhere else, and internationally. And so AT&T was essentially trying to enforce United States patents on a global scale. And the Supreme Court said no no no no no. It’s U.S. patent system. Your rights, AT&T, do not extend beyond the United States. But the other really good decision was a bizarre case. There was a company that was trying basically to patent the combination of two previously patented things. They were trying - it dealt with an adjustable gas pedal and an electronic throttle. And they put them together and said, look, this is our invention.

LEO: The spork.

STEVE: Wait a minute. The electronic throttle has been invented and patented. The adjustable gas pedal was patented a long time ago. You can’t just put those together and call that an invention. But it turns out that originally the Patent Office said no. It was appealed, and the Appellate Court overturned the Patent Office decision and said yes, that’s an invention. Now, the problem is, the Appellate Court are patent attorneys who of course think more patents are more better. So it went to the Supreme Court, that said no. And in fact the decision was written by Justice Anthony Kennedy, who said granting patent protection to advances that would occur in the ordinary course without real innovation retards progress. And so he’s making the point that essentially we’re being in general too patent-happy in this country, and that’s creating a problem. He also said that the results of ordinary innovation are not subject to exclusive rights under the patent laws where otherwise patents might stifle rather than promote the progress of useful arts.

LEO: And that’s really the whole point and the balance of patent law is to promote these arts without stifling creativity and innovation from others.

STEVE: Yes. Now, what happened about ten days ago that made this an issue for many people, there’s been a ton written about this in the last ten days on the ‘Net, is that the senior editor for legal affairs of Fortune magazine, a writer named Roger Parloff, did a feature story for the May issue - I guess it’s mid-May. I don’t remember. Actually I got a copy of it because I wanted to make sure that there was nothing additional in the paper copy that was not online, and there isn’t. He did a feature story titled “Microsoft Takes On the Free World.” And essentially what happened was two of Microsoft’s guys, Brad Smith, who’s Microsoft’s chief counsel, and Horatio Gutierrez, who’s Microsoft’s vice president of intellectual property and licensing, they sat down with this guy at Fortune magazine to talk about patents and the fact that they feel that open source software, free and open source software - or FOSS, as it is now called, that’s the acronym that’s being used - is infringing on a ton of Microsoft patents.

And in fact for the first - now, Microsoft has made noises like this before. But they’ve just said, you know, free software is infringing on our patents, grumble grumble. Okay. This time they said the free and open source software is infringing 235 of our patents. And so they put a number to it. They said that the Linux kernel violates 42 of their patents; that the user interface and design elements infringe an additional 65; that OpenOffice infringes 45 of their patents; and that email and other open source programs infringe an additional 83. So Microsoft has clearly sat down with, I mean, taken the time to go through their own patent portfolio, which is no small job because they’ve been so patent happy. And they’ve been scrutinizing free software, the whole open source software movement, and specifically delineating which of their patents are being infringed by open source software.

So, okay, so we have a couple problems. First of all, remember, Leo, I’m sure - it was either you and I talked about it here, or you talked about it with your crew on TWiT back in November. I remember there was discussion - I’m sure you and I talked about it - about this weird Novell/Microsoft deal.

LEO: Yeah, yeah. Well, we talked about it a lot on all the podcasts.

STEVE: Yeah, because, I mean, we couldn’t figure out what it was. It was like, okay, what’s…

LEO: Novell agreed to indemnify its users against lawsuits from Microsoft and ended up giving Microsoft a lot of money for that indemnification.

STEVE: Well, and in fact, although Microsoft gave Novell more because what it was - yeah. And it seemed really strange. Why is Microsoft paying Novell more than Novell’s paying Microsoft? The reason was that this was, like we talked about before, it was a cross-licensing deal where Microsoft wanted access to Novell’s patents, meaning that they wanted to know that Novell’s networking patents were never going to be a problem for Microsoft, and Novell wanted the same thing from Microsoft. So they were cross-licensing their patents and agreeing, okay, we’re never going to sue each other on this basis. And of course this inherently extends to each company’s customers because the way patent law works is I’m violating somebody’s patent, even if I bought the software legally or am using the software legally, if in that software somewhere is somebody’s intellectual property, protected by a patent. I the user, because my software is doing that patented thing, I’m individually violating that patent.

LEO: Isn’t that amazing. So you’re liable, and you may not know anything about it.

STEVE: Right. Well, and in fact I’ve got to say that this Horatio Gutierrez, it sounds like maybe he’s been reading his own press releases a little bit too much. He said something that just really made my blood boil. He was quoted saying this is not - okay. And he’s the Microsoft guy, I should remind our listeners, who’s in charge of their intellectual property and licensing. He says, “This is not a case of some accidental, unknowing infringement. There is an overwhelming number of patents being infringed.” Well, of course he should have said “there are an overwhelming number,” but he said, you know. So he’s saying the fact that it’s 235 means that it’s intentional. It’s like, what a crock. I mean, first of all…

LEO: Well, worse than that, they’re not even going to say which patents are in violation. You’re supposed to find out. You’re supposed to figure it out and come to them.

STEVE: Well, okay, now, that makes a couple really good points. First of all, yes, you’re right. Everyone has been saying, okay, which 235?

LEO: Yeah. I mean, prove it. I’m willing to believe it if you could say show me the patents, and then we can judge whether it’s an obvious bad patent or whether it’s a good patent. But they won’t even say.

STEVE: Let me tell you, Leo, if one of those is the e-ink smooth flowing patent, I can tell you right off the bat they’ve got to drop that number to 234.

LEO: And I think it’s likely. I mean, I think it’s likely that there’ll be things like a stack, you know, things that of course all software uses, and the patent shouldn’t have been awarded, but it was awarded. And they won’t even say.

STEVE: That’s correct. Microsoft is refusing to name any of the 235 patents that they are now claiming are infringing. And the point was they were saying, during this Fortune magazine article they were quoted as saying we think people need to start paying for the use of our intellectual property. I mean, that’s the bottom line. They’re saying…

LEO: Just accept the fact that there’s violations, and you should just give us money?

STEVE: Well, so of course here’s the problem. I mean, look at me facing Network Solutions, saying, okay…

LEO: Well, frankly, Steve, if they’ve patented some obvious things, maybe you’re violating their patents.

STEVE: Oh, well, the problem is patents have been granted now with such abandon for the last decade that there’s no way anyone, first of all, can know if they’re violating someone else’s patents. I mean, no one can know. I mean, I can’t sit there and read all of Microsoft’s patents, all of Sun’s patents, all of IBM’s patents, and tiptoe through the tulips and somehow, I mean, first of all, I don’t even think I could write code that would not be in violation of these bogus patents.

LEO: The other issue that Linus Torvalds brought up is he said, well, nobody in the open source community is going to look for these patents because looking for and the knowledge of them exposes you.

STEVE: Well, what happens is, yes, if in court it can be shown that you knowingly violated a patent, then you’re subjected to triple damages.

LEO: So you’re not going to look. You don’t want to know.

STEVE: Exactly.

LEO: And if you accept, as I think everybody in the open source community does, that software patents are bad, have gone far too far, and it’s very risky because you may well have violated a patent because of this broken system, you’re not going to look. It’s too risky. So wait a minute, now we’re at a standoff because Microsoft’s not going to tell me, and I’m not going to look. What’s supposed to happen now?

STEVE: Well, and so, okay. So the problem is, here’s Microsoft, obviously the thousand-pound elephant in the room who’s just sort of - who clearly said to Novell, okay, look, you’re the number two distributor of Linux. Obviously Red Hat is number one. And it’s interesting because Red Hat’s guys have had conversations with Microsoft, and they’ve never been able to strike a deal, probably because the Red Hat guys, frankly, are a little more savvy about this. You have to imagine that Novell is wondering, you know, whether they did the right thing when they did this agreement in November. But so here’s Microsoft threatening to throw their substantial weight around and basically intimidating other companies into doing these sorts of deals, into doing cross-licensing and ultimately paying money for something that probably is entirely bogus. I mean, it is a problem.

Now, the good news is I think Microsoft probably waited too long. I think that, I mean, the reason this is coming up at all is because Microsoft, I assume, is on some level unhappy that someone can use Linux and OpenOffice and have a very useful system that Microsoft believes - and I sincerely believe they believe - infringes their intellectual property, whether or not it actually does, and that this person doesn’t pay Microsoft any tax. Basically Microsoft wants to tax free and open source software.

LEO: Oh, they want to do more than tax. They want to put it out of business. They’d like it to die and go away, wither up. I mean, that’s one of the reasons I think they’re not saying what these patents are. They want to put them out of business.

STEVE: Well, okay. It’s very clear that if they enumerated these patents, the free and open source software community would have a field day attacking them.

LEO: Exactly.

STEVE: And that’s just it. You end up with a distributed attack against Microsoft…

LEO: Good point. A distributed legal attack, yeah. Tie them up for years.

STEVE: Exactly. Because every patent would get tackled. People would be finding prior art because prior art is one thing that immediately invalidates a patent. If you can demonstrate that somewhere someone did something prior to your invention, it’s called “prior art,” and sorry, no more patent. So there would be that. And, you know, Linus would be happy to code the kernel around whatever Microsoft’s 42 claimed patents are that they say the kernel infringes. I mean, so the fact…

LEO: Well, if it’s priority queues they may not be able to code around it, but…

STEVE: Well, but neither is that a valid patent. So here’s what’s so frustrating, too, is that the fact that Microsoft won’t name the patents prevents anyone from curing the problem that Microsoft is complaining about. So they really don’t want the problem cured.

LEO: No. They want open source software to go away is what they want.

STEVE: Well, or, yes, in fact, I’m sort of worried because one of the side effects of the deal they did with Novell is that the idea is that anyone who gets Linux from Novell is protected because Microsoft and Novell did this cross-licensing deal. So you could see that this could tend to bias people towards Novell, concentrating Novell as a source.

LEO: Which is I’m sure Novell’s interest in making the deal in the first place.

STEVE: Probably was. But it seems to me that’s dangerous.

LEO: Well, a number of people, good quality people who worked for Novell, quit over this.

STEVE: Yes, in fact, one of the main Linux kernel guys did. I mean, he just resigned immediately when…

LEO: He saw what Novell was trying to do, essentially.

STEVE: Yeah, and I can’t really articulate why this feels dangerous to me. But the idea is, I guess, as long as Linux is spread out as widely as it is, distributed as widely as it is, there’s so many different ways that substantial companies can get distributions, the broader it is, the less power Microsoft has. If Microsoft can do something to focus the distribution of Linux through a fewer number of channels, to me that seems unsafe for the future of open source software. I think it really needs to be kept widespread. So, and Microsoft does think strategically. We’ve seen many examples of that through the ages. So anyway, it seems really clear to me that what they’re doing is not fair because they’re not saying we really want the problem solved. They’re really saying we’ve created this problem, the U.S. government is backing us with the Patent and Trademark Office, and we’re so big you can never afford - even the U.S. government couldn’t prevail against Microsoft in the anti-trust suit. So they’re saying, we’re so big, you can’t even think about fighting us and challenging us. So believe me, you don’t want us coming after you.

LEO: Yeah. Yeah.

STEVE: But the reason I think they waited too long is they waited this long because it took this long for the free and open source software movement to really achieve the critical mass it has today. I mean, they talk about many of their enterprise, Microsoft’s own enterprise customers who have hybrid server rooms where they’ve got Linux servers and Windows servers that need to cooperate and live and work together. And so that’s sort of the new model. Well, you know Microsoft cannot be happy that their customers are using Linux servers for some chunk of their infrastructure.

LEO: Now, it also gets complicated because - and we’ve talked a little bit about this on TWiT - because of the GPL, the new version 3 of the GPL, which makes this voucher program that Microsoft’s done with Novell backfire on Microsoft a little bit.

STEVE: Well, yes. It’s interesting. Version 2 of the GPL allowed Microsoft to do this deal. But what Novell did as part of this deal in November was Novell gave Microsoft some number of coupons, basically for a free version of their Linux enterprise server. Microsoft then sells these coupons or makes them available to their customers. And their customers are able to redeem them for Novell’s Linux server software. Well, it turns out that version 3 of the GPL that’s supposed to come into effect either in June or July, in a month or two, it closes a loophole that Microsoft was essentially taking advantage of that exists in version 2 of the GPL, which is what software is now being covered by, such that, if any Microsoft customer uses one of those coupons and redeems the coupon for a Novell copy of Linux, under version 3 of the GPL that makes Microsoft a distributor of free and open source software. And as a distributor, part of the GPL requires that all patents be licensed for free. That is, there are either no patents at all, or they are completely free patents. And so that forces Microsoft to essentially implicitly turn their entire patent base into royalty-free licensed patents so that no user then of any version of Linux could be sued by Microsoft for eternity.

LEO: I’ll put Eben Moglen against Brad Smith any day. Eben is the lawyer who wrote the GPL 3. I think he’s a very, very smart guy. And clearly this was a very smart move.

STEVE: Well, it looks like - essentially, I think Microsoft waited until now because they’re really beginning to see…

LEO: They’re scared.

STEVE: …open source software getting traction. I mean, it’s really getting - it’s gaining traction. The bad news is they waited so long that many heavyweight companies like IBM and HP and Sony and Sun, you know, there are many major companies, basically anyone that’s not Microsoft, that are saying, okay, this is our alternative to Microsoft. So they’re throwing their substantial clout behind free and open source software, and they’re going to defend it. Let alone all the developers around. So Microsoft can’t tell the world what patents it thinks - it’s claiming are being infringed because they know their case is weak. And again, it’s doubtless possible to engineer around the patents and cure the infringement, even if the patent were found to be valid. And Microsoft doesn’t want that. They don’t want the problem solved. They want this problem in order to use it as leverage. It’s wrong.

LEO: Well, it’s going to be interesting to watch. I have a feeling this is actually going to just kind of fade away because there’s no way Microsoft can really pursue this without opening themselves. It’s mutually assured destruction is really what it is. And I have a feeling this is just a dumb move, one more dumb move from Microsoft.

STEVE: Yeah, I think in retrospect Microsoft probably regrets that they had this discussion with Roger Parloff and Fortune magazine. They regret what has happened. And in fact I think that, in tipping their hand, they have put the whole open source software community on notice now. For example, you’ve really got to wonder whether any other major company will follow in Novell’s footsteps after this article and after so much attention has been given to this. And basically I think Microsoft’s bluff can now be called by anyone who wants to call it.

LEO: Right. Very interesting. Now, I’m sure we will see a This Week in Law on this with actual lawyers and so forth. And we should remind everybody that Steve and I aren’t lawyers. But Steve obviously has a lot of experience in this field, and I have to agree with you in your analysis of it. I’ll be interested to see what Denise Howell and her group come up with. That’s why we have This Week in Law.

STEVE: Well, and don’t forget, Leo, if Microsoft actually sued, they would have to name patents.

LEO: Right. Right. It’s mutually assured destruction. That’s what’s kept this thing afloat for so long. I’m so glad we did this. It isn’t exactly security, but you know so much about this subject. And it really is important, I think, for everybody to know about this. This is something that’s broken. And if you use software, you need to know about it and maybe stand up and be counted. Is Congress doing anything about this? Are they aware of this issue?

STEVE: Well, there actually is some congressional motion also. The problem is that what we really want are less patents, fewer patents, stronger patents. The problem is, for example, the pharmaceutical industry wants more patents, more easy patents. So there are strong lobbying pressures that are pushing Congress in the direction away from what most people feel is healthy patent legislation. And that’s a problem.

You know, my feeling is that things that are originally invented, sort of they have initial value, and that fades over time. Once upon a time, you know, the idea of a bitmap and a cursor was like, whoa, my god, look at that, that’s so cool. I mean, I remember looking at the first Macintosh and just moving the mouse around, and no one had ever seen anything like that before. And now it’s sort of like it gets absorbed by the ether. It just becomes so common, such common knowledge, such common practice, I mean, now everybody has bitmaps. Everybody’s got cursors. It’s like, you can no longer get money for that. When it was very brand new and fresh you could get money just because you had a bitmap and a cursor. Now everybody has them, so there’s no more value there. And I think similarly there were original innovations in the industry that would qualify as being special enough that the company who produced it could get money for it. And after a while they just became the way things are done. And so people who are really anti-Microsoft say that Microsoft is beginning to turn to litigation because they’ve run out of creativity. And so they’re going to do what old, mature companies do.

LEO: Sue the mothers.

STEVE: Exactly. Which is, you know, if that ends up being a proper characterization, it’s really unfortunate.

LEO: Yeah. People might say, well, this is the way that all - this is when it began, the beginning of the end. And I wouldn’t be surprised to see that.

All right. We’re going to wrap this thing up. I do thank you so much for joining us. Steve, I thank you. Next week another great Security Now!.

STEVE: We promise.

LEO: We promise. We’ll cover whatever’s going on in technology and security. If you want to know more, of course, go to GRC.com. That’s Steve’s site. ShieldsUP is there, all the free programs he does; SpinRite, of course, his great disk recovery and maintenance utility; and 16KB versions of the podcast plus transcripts, too, so you can read along as we talk. In fact, Steve’s got really extensive notes for this particular episode with lots of links. So if you want to know more, this is a good one to go research at GRC.com.

And of course TWiT.tv is the home of all these podcasts. If you want to support them there’s a couple of ways you could do it. Of course we’ve got great TWiT merchandise from the folks at SCOTTEVEST, and ThinkGeek hats and polos and fleeces. Those new polo shirts are great for summer. And you can also support us with your donations. Your recurring $2 a month subscription really makes a big difference for us. It keeps this little baby afloat. Steve doesn’t need it. We’ve got lots of advertising on this podcast.

Copyright © 2007 by Steve Gibson and Leo Laporte. SOME RIGHTS RESERVED. This work is licensed for the good of the Internet Community under the Creative Commons License v2.5. See the following Web page for details: http://creativecommons.org/licenses/by-nc-sa/2.5/

security_now_episode_93.txt · Last modified: 2014/12/04 19:05 by 127.0.0.1
