IT Heresies

2010-03-30T13:57:00.000-07:00

In reply to Novell

Decision in the SCO Group vs. Novell Jury trial

Thank you Novell

David Mohring (NZHeretic) Says: Your comment is awaiting moderation.
March 30th, 2010 at 2:54 pm

Thank you for your long persistence in this matter.
I hope you will continue to abide by the terms of the Gnu Public Licence (GPL) upon which so much of your legal defense relied upon. I wish you could continue to show such great fortitude in confronting current threats to the Linux/Open source/Free Software ecosystem ( see website ).

2009-02-16T07:04:00.000-08:00

Acknowledge the doctrine of first sale and private use.

I blogged about this in May 2005. (Sorry for the verbosity of the following but I am trying to be more precise than concise.)

Current rights without needing permission

The doctrine of first sale ( also called "first-sale" doctrine or "exhaustion rule" ) is a limitation on copyright based on common sense: If you legally acquire an instance of a copyrighted work, you are legally allowed to sell or give away that particular instance of the work without needing permission of the copyright holder.

If you purchase a Paperback Book, DVD or CD, you can sell it or give it away.

Private use is also recognised in copyright law and is also based on common sense: When you legally acquire an instance of a copyrighted work, it is assumed that you must have the right to view the content.

If you purchase a DVD, you can put in a DVD player connected to your TV and view the movie.

It is also common sense that if you legally acquire an instance of a copyrighted work, you should have the right to modify that instance without needing permission of the copyright holder. Furthermore you are legally allowed to sell or give away that particular instance of the work without needing permission of the copyright holder.

If I purchase a book, I can legally write in the margins, rip out or glue in extra pages, and if I wish to, give or sell that one instance of a modified book to someone else.

Depending on the method of content acquisition, you may have other non-permissive rights. For example in New Zealand, you have the right to make and store a temporary copy of a Television Broadcast for later viewing: Time shifting with a Video Cassette Recorder (VCR), something not actually legal in New Zealand until the copyright act was amended in the mid 1980s.

The last Labour government also recognised that it should be legal for private individuals to create "temporary" copies of legally acquired copyrighted content. It is only common sense that if you can purchase portable Ipods and MP3 players ( in some cases made by the same corporations that sell movies and music ) then you should be able to make a "temporary" copy of tracks from a legally acquired CD to play on that device, and retain and use that "temporary" copy for as long as you retain legal possession of the source CD. You should expect to have the right to keep "temporary" duplicate copies of both legally acquired downloaded music tracks and CDs on your computer, for backup and playing, and on your portable MP3 player. These rights go way beyond the limits expressed in New Zealand 1961 copyright act.

Transformation of expectations by advances in technology

The technological revolution over the last 30 years has delivered into the market and to consumers devices that can capture, transform and reproduce content beyond what anyone dreamed of when copyright laws were first conceived. What most consumers today would consider "common sense" ( or in some countries fair use ) rights to copyrighted content far exceeds what worldwide copyright legislation currently grants.

Early adopters of technology often cross the legal boundaries before the rest of the public begin to adopt the same technologies that results in shaping the generally accepted public expectation of what should be common sense in respect to copyright. Democratic institutions and the resulting changes to legislation tend to lag way behind, in most cases by more than a decade.

Modern technologically informed common sense expectations

It is common sense to ask why should one source of content be any different to another, especially when the many of the corporations producing the content are involved in the manufacturing and selling of the devices that can copy, transform, reproduce and play the same content.

Since a laptop can also store and view many DVDs why should you not be legally able do the same as you would with CDs and portable MP3 players - store "temporary" copies of movies on the laptop's hard drive for later playback.

All the expressed rights should apply to all types of physical media and legally acquired digital content. When you legally acquire an instance of a copy of copyrighted work then you should have the all rights to that particular instance. Content providers or retailers of instances of copyrighted work should not be able to hide behind "provision as a service" and/or restrictive end user licenses: when you legally acquire an instance of a particular work, you should "own" that instance.

When you legally acquire an instance of a copy of copyrighted work it is only common sense that your private use rights should extend to view,use,modify,combine,inter-operate with, dispose or resell that one instance and should not be impeded by either legislation or technology or require the permission of the copyright holder. The copyright holder's exclusive rights should not extend to the private use right to deny combining a legally acquired instance of a copyrighted work with other works.

Why should time shifting be limited to only Television broadcasts? Any instances of copyrighted works broadcast by any method or streamed on the internet should be able to be captured and "temporary" copy held for later viewing. You should expect to treat that "temporary" copy as you would any legally acquired copy during the "temporary" time you hold it. The only exception being that you cannot sell or give it away since it is a "temporary" copy.

Adding value, increasing demand

You should have the right to distribute and/or sell, patches, recipes, digitised mixing instructions ( automated DJ producer! ), annotations and add-on components that refer and link to the content of the copyrighted work, as long as the distributed items do not contain content from the original copyrighted work. The resulting combined and/or transformed work that contains content from the copyrighted work sources can not be legally redistributed without the permission of all the copyright holders.

This last ability may seem to the content creators to be a major violation of their exclusive rights to a work that copyright grants, even if the derived combined result can not be redistributed. But consider, it legally requires an "original" copy, which the recipient is free to view in its original unmodified state.

Just as extra features distributed on DVDs tempt consumers to purchase even if they have seen the movie in the theatre or on TV, third party add-ons can dramatically increase the demand for the required original product. Also fan based user generated content, especially when combined with social networking, can deliver a large audience for comparatively little outlay.

Thinking beyond "free"

Participants in illegitimate content websites and Peer to Peer (P2P) networks distribute content on the expectation of other participants providing new and differing content. They still pay for bandwidth and local storage and not all older content remains available after the initial flood. There are undoubtedly a few hard-core providers with the personal goal of all digital content being "free". However, based on statistics from pirate bay, the majority of users of these illicit services will, after the initial rush of discovering the service, download only a few songs and one or two movies a month. Many who can afford to will switch to local legitimate content providers ( Itunes, Amazon ) when they become available because the wider range of immediately available content and better download speed.

The relative size of any black market is the product of two factors . The first is the relative cost of producing and distributing a reasonable quality facsimile in comparison to the price of the legitimate item. The second is the size of the prospective market of consumers who are alienated enough to choose the cheaper illegitimate option.

There is nothing that the current content industries can do about the first factor other than lowering the price to consumers of the legitimate item. All attempts to use a combination of technological restriction/obfuscation/DRM methods and legislative enforcement have failed and will always be circumvented in the future. The secondary effect of restrictions has resulted in a larger section of the prospective market becoming even more alienated, driving many more of them to choose the cheaper illegitimate option.

There is a lot more that the content industries can do about the second factor, reducing the level of alienation:-
* The reduction of private use restrictions, for example: the recent move of legitimate music services from DRM to unencumbered MP3/AAC formats. Make your content fully accessible by all digital technology.
* Making available legitimately freely re-distributable instances of digital content. Maybe lower quality, missing features and/or incorporating advertising.
* Easy and immediate access to legitimate downloadable content, directly though as many legitimate content providers ( Itunes etc ) as possible on first worldwide public release.
* Associate marketing via blogs and social networking sites. Make as many of the potential consumers part of the legitimate economy as possible. "Amateurs" can be "paid" via loyalty program discounts, professionals can be paid in cash.
* Transparency. People like to know what proportion of their payment will actually dribble down to the artists involved.

Conclusion

The potential gains from these liberating technological leaps, especially when combined with the relatively low cost of internet distribution, can deliver far greater profit for those who can see beyond the confines of the current, and almost obsolete, business models.

The above article is licensed under the Creative Commons Attribution-Share Alike 3.0 New Zealand . Please feel free to publish it anywhere under the linked terms and attributing it to David Mohring ( http://itheresies.blogspot.com/ )

2007-09-27T18:02:00.000-07:00

I have a question regarding the bundling binaries including code licensed under the GPL/LGPL/AGPL ( henceforth collectively as xGPL ) and Non-xGPL licensed binaries including code/data/game-files/trademark protected items etc.

It is perfectly legal to "bundle" collections of xGPL and Non-GPL/Non-Free binaries packages on installer medium or on a live CD/DVD or in a hardware appliance as long you abide by the terms of the xGPL licenses for the xGPL binaries. ( For example Redhat's trademark protected or Novell's proprietary enterprise distribution bundles - Still OK to do so? )...

... but what about combining xGPL code and non-GPL licensed items inside an application bundling system ( i.e. Glick http://www.gnome.org/~alexl/glick/ ) ...

"An application bundle is a single file that contains all the data and files needed to run an application, so all the user has to do is start it. There is no need to install it, and if you don't like it you can just remove that file and the whole program will be gone." ...

I'm thinking of the use of something similar to Glick for the distribution of products with all GPL/LGPL/AGPL licensed source code combined with Non-GPL licensed game/service/customized data.

The Non-GPL items in the application bundle could require Per-seat/unit/person licensing, and the combined bundle in some cases may not be legally redistributed...

Assuming that application bundling system could give the the user the ability to :-

(a) un-bundle the xGPL'ed licensed binaries ; AND

(b) the vendor/packager provides the xGPLed source and downstream rights under the terms of the xGPL ; AND
(c) the vendor/packager provides tools for the end user to combine modified xGPLed compiled binaries into a modified clone of their copy of the application bundle ; Then ..

Nothing would prevent retribution of the xGPL source or binaries, or the creation of third party rebuilds that replace the non-xGPL components and trademarks. For example projects that provide replacement game-files for the GPL Quake engines or rebuilt clones of Redhat's enterprise distribution that remove Redhat's trademark. However, depending of the licensing of the application bundle, any modified clone of an end users application bundle might not be legally redistributable.

Is distributing such application bundles, as described above, legal under the terms of the GPLv3, LGPLv3 and AGPLv3?

2006-07-17T04:30:00.000-07:00

Network Neutrality : Two question for the great debate. In California there was an outrage when it was disclosed that electricity companies had deliberately idled plants while supplies were tight and then waited for prices to skyrocket on the spot market. If the current Internet network infrastructure provided by the backbone providers and Internet service providers can currently support much higher speeds and data quantities to current customers, then is the act of packet filtering and setting arbitrary low speed and data caps also effectively providing an "idled" service? Is a tiered Internet service, where content providers would be effectively competing on a similar market to the electricity "spot market", a market based entirely on Artificial Scarcity?

2006-05-19T07:34:00.000-07:00

The Pierce Law IP News Blog points to a paper on software patents.

Bronwyn H. Hall and Megan MacGarvie's The Private Value of Software Patents takes an economic view of the patent system.

The first conclusion of the paper states "First, we conclude that, as measured by the stock market's reaction to legal decisions expanding the patentability of software, there is no evidence that the expansion of software patentability benefited firms in the software industry."

The second conclusion, derived from an analysis of stock values, states "Combining these two sets of findings, we conclude that the market evaluated software patents as unimportant ex ante and expected that the expansion of software patentability would negatively affect firms in downstream sectors and firms without patents."

If there is no actual benefit to the software industry why do we need to grant such monopolies?

2006-02-18T04:55:00.000-08:00

What anti-software patent advocates want.
In answer to Douglas Sorocco

See My February 24, 2005 Questions to USPTO On-Line, which may in part have prodded the USPTO and open source community into this latest action.

Failing direction from governmental legislation, software and other abstract method patents have been forced on the USPTO and the rest of the world by the back doors of legal and administrative precedent. How many countries have actually passed legislation explicitly legitimizing software or abstract patents? Not the USA for one.

Can the you point to any instances where the granting of software related patents has been an actual benefit to the progress of science, useful arts and the software industry in general? In a similar vein, can the you point to any instances where the granting of business method related patents has been an actual benefit to the progress of science, useful arts and industry in general? Have the intellectual property gurus even attempted to address the issues raised by the critics of software patents over the last two decades?

If no positive answer can be given to the above questions, why do we need to grant such monopolies?

Because of the time it takes to get a patent and the six to ten years it has taken to drag the first cases though the courts and appeals, the major negative effect of software patents have just begun to become noticeable. It is going to get a lot worse.

Because of the existing precedent, removing software patents will require the introduction of explicit legislation. That will take time, probably many years to undo the damage from the lobbying by intellectual monopoly advocates such as yourselves.

Until then, helping he USPTO track down prior art in publicly available open source software will greatly reduce the number of patents the software development industry will have to concern itself with.

Also opening up the patent application process could end up improving the quality the remaining granted patents.

2005-10-28T16:11:00.000-07:00

The open eleven steps to telecommuting

I have set up and supported remote sites and home based telecommuting. Listen to my advice, listen very carefully and save your sanity.

If your organization is large enough then it is likely that you will have a few older desktop PCs that have been or are due for replacement during an upgrade cycle. PCs that are inadequate for Microsoft XP and Office2003 are more than powerful enough for many current versions of Linux, especially for the role of server. Also second hand PCs with the required specifications are very cheaply acquired.

1) Find an older PC, at least a PII 300 with 256 MB memory, to set up as a headless ( no display or keyboard ) server and firewall. A simple web based interface ( or even an external hardware push button ) can be used by the local users to start/stop the server and internet connection. All other maintenance should be handled remotely via ssh, webmin and VNC.
2) Install a second NIC or connect the modem directly to the server. Connection to the Internet should be through the server and connection to the Office should be through a VPN on the server. Use a dynamic IP service for each site so you can remotely log on to the local server via ssh.
3) Install a new IDE hard drive in a 3.5" removable rack and tray. The drive should be than big enough for the operating system (Linux of course) and copies of some of the local desktop partitions. A telecommuter can shut down the server and bring in the drive during the day to resync and repair.
4) Install a DHCP demon on the local server to allocate local IP addresses, DNS and gateway settings. If the desktops are network boot capable then install TFTP to remotely boot and use Knoppix via PXE and the network. If the desktop OS is constantly crashing, or is infected by malware, the user can select PXE/network boot via the BIOS, and boot into Knoppix. The user can then be instructed over the phone to enable the ssh server to allow remote scan,repair and reimaging of the desktop partitions. The user can use the Knoppix desktop to continue working with full access to files while the the remote administrator fixes/reimages the drive in the background.( Consider hiring someone who knows how to customise Knoppix or another live Linux system for your setup )
5) Partition the desktops with as small as required C: partition ( or in the case of Linux the root partition ) for software. When software is install, use dd and netcat via live Knoppix to copy/clone a snapshot of the partition to the server. You can allocate the remaining free space as a persistent partition where documents are stored.
6) Install and enable remote VNC service on all the platforms, but only allow incoming connections from the local server ( which is redirected over a SSH tunnel ).
7) For local backup, create share directories on the desktop accessible by the server. On the local server create loopback encrypted file systems, unmount and copy the images to the desktops shares in chunks, using redundancy if enough space is available on the desktops. Checksum ( MD5 is enough ) each piece.
8) If the network load to the Office is taking up all the available internet bandwidth or the connection is just too slow then install proxy servers on the local server. You can also consider using a distributed filesystem ( OpenAFS is still the best ) with access to the local users via a SAMBA share.
9) If phone charges are eating into the budget, and the internet connection is good enough, then install Asterisk on the local server ( upgrade the server to a Celeron 800Mhz or better ) and PCI cards with enough FXS ports for each local user. Don't bother with software based phones/headsets. The phone will work when the desktop does not.
10) Set up a Linux server at the Office that operates as a thin client application server. Allow remote access though both FreeNX and VNC. Create login accounts and logins that operate as virtual meeting rooms, with multiple users logging in via VNC. Use VNCserver with a screen size of around 1000x600, that will operate via a VNC viewer on any 1024x768 desktop. Use phone based conference calling for voice -- it's a lot less hassle for the users
11) Add the usual list of cross platform applications: Firefox, Thunderbird, Gaim, and even OpenOffice etc.

The return on investment from the reduction in desktop downtime will quickly outweigh any initial outlay for any new hard drives and possibly FXS cards.

2005-10-09T18:19:00.000-07:00

Our Data:an appeal - a "Plimsoll line" for apps

From June 14 2002

However relatively bad the security of Microsoft's products are in comparison to what the free licensed and open source communities ( as well as practically every other vendor on the planet ) provide, Microsoft is not alone in the presence of vulnerabilities, this is a major issue for Linux/BSD and Unix as well as ever other OS and vendor.

From the Plimsoll Club history

Samuel Plimsoll brought about one of the greatest shipping revolutions ever known by shocking the British nation into making reforms which have saved the lives of countless seamen. By the mid-1800's, the overloading of English ships had become a national problem. Plimsoll took up as a crusade the plan of James Hall to require that vessels bear a load line marking indicating when they were overloaded, hence ensuring the safety of crew and cargo. His violent speeches aroused the House of Commons; his book, Our Seamen, shocked the people at large into clamorous indignation. His book also earned him the hatred of many ship owners who set in train a series of legal battles against Plimsoll. Through this adversity and personal loss, Plimsoll clung doggedly to his facts. He fought to the point of utter exhaustion until finally, in 1876, Parliament was forced to pass the Unseaworthy Ships Bill into law, requiring that vessels bear the load line freeboard marking. It was soon known as the "Plimsoll Mark" and was eventually adopted by all maritime nations of the world.

The risks,issues and solutions for providing a more secure operating and application enviroment have been known for decades.

Those who do not already comprehend the issues and are willing to learn, should take some time out to listen to some of the speeches at Dr. Dobbs Journal's Technetcast security archives, starting with Meeting Future Security Challenges by Dr. Blaine Burnham, Director, Georgia Tech Information Security Center (GTISC) and previously with the National Security Agency (NSA)

The design and implementation of some applications and servers are just too unsafe to use in the "open ocean" of the internet.

Numerous security experts have railed against Microsoft's lack of security, best summed up by Bruce Schneier Founder and CTO Counterpane Internet Security, Inc who rightly said:

Honestly, security experts don't pick on Microsoft because we have some fundamental dislike for the company. Indeed, Microsoft's poor products are one of the reasons we're in business. We pick on them because they've done more to harm Internet security than anyone else, because they repeatedly lie to the public about their products' security, and because they do everything they can to convince people that the problems lie anywhere but inside Microsoft. Microsoft treats security vulnerabilities as public relations problems. Until that changes, expect more of this kind of nonsense from Microsoft and its products. (Note to Gartner: The vulnerabilities will come, a couple of them a week, for years and years...until people stop looking for them. Waiting six months isn't going to make this OS safer.)

However Microsoft's products are not alone in the presence of vulnerabilities, this is a major issue for Linux/BSD and Unix as well as any other OS and vendor.

In a recent speech "Fixing Network Security by Hacking the Business Climate", also now on Technetcast, Bruce Schneier claimed that for change to occur the software industry must become libel for damages from "unsecure" software. However, historically this has not always been the case, since most businesses can insure against damages and pass the cost along to the consumer.

The Ford Pinto and more recently the Ford Explorer's tires are two examples of public and media pressure being more successful than just threat of lawsuits. Even so, just as with the automotive industry, eventually though public pressure the governments around the world have to step in and pass regulations that set up a minimum set of requirements an automobile has to meet to be deemed "road worthy". This includes crash testing as well as the inclusion of safety equipment on all models. The requirement are not constant and change to meet the expectations and demands of the public and lawmakers.

The onus is not only on the automotive industry itself but also on the users. Most countries require that all automobiles undergo regular inspection and maintain an up to date "Warrant of Fitness".

In the same way, if you want a secure IT infrastructure, eventually the software design, implementation and each deployment will have to undergo the same type of regulation and scrutiny.

Unix,Linux,BSD and especially OpenBSD are currently far superior in terms of security, both in closing the vulnerabilities in applications before they have the chance to be widely exploited and implementing more secure access subsystems ( SELinux/LSM etc ).

However, should the Unix, open source and free licensed communities and vendors be taking a more active approach, including lobbying government, to
1) set up a minimum set of expectations, in the design and implementation of internet "accessing" software ; and
2) ensure that all deployments are more securely implemented ; and/or
3) remove inherently unsecure products from the marketplace,

IMO the above three are preferable to all software vendors, including Microsoft, than attempts to allow liability lawsuits against vendors for deployments which the vendors do not necessarily have any control over.

2005-09-29T01:40:00.000-07:00

Observations on why Linux misses Windows of opportunity: "Crest Electronics"

The above linked article about a failed deployment of SAP on Linux raises questions about Linux installation, configuration, updating and problem diagnosis. However, at least at the operating system level, Crest's IT manager Anthony Horton's statements don't quite ring true.

About OS Installation : SAP's documentation sets down guidelines for partitioning and the Red Hat package RPMs required. The contractor should have had set the system up for an installation of SAP and if requested, provided a kickstart script that would automate a pre-configured reinstall. The actual installation of the SAP provided RPMs is a breeze, (see for yourself). In comparison with Win2k and Win2k4 server, a Linux install can be a lot easier.

About OS Configuration : Red Hat Enterprise as well as Suse distros provide both CUI (ncurses) and fully GUI ( X11 ) interfaces for configuration and management. Both methods are remotely access able using SSH ( with port forwarding for X11 ). It is better to consult the manuals on how to use the provided interfaces, before diving in and manually editing config files in /etc directory. More often than not, updating problems are caused by administrators short cutting the distribution's configuration scripts -- work with the system not against it.

About OS Updating : For both Red Hat and Suse, SAP only certifies the kernels packages and glibc libraries. Aside from glibc, SAP links all their binaries to SAP provided libraries. It is easy enough to set Red Hat Network update to ignore the kernel*, glibc* and nscd for automatic updates. Automatic updates would then not affect the SAP deployment. Any updated packages dependent upon updated kernels or glibc packages would be installed automatically once the kernel or glibc packaged were manually upgraded.

About OS Problem Diagnosis : In comparison with Win2000 and Win2003 server, Linux is by far the easiest to provide remote support and diagnosis. Any credible contractor should have been able diagnose and fix any software problem via remote SSH ( or for servers behind firewalls a Reverse SSH tunnel ) connection. For Linux servers, the most likely issue that would cause a "core dump" is almost always related to either hardware based RAID drivers or just failing RAM modules. I have found that for Red Hat 3 and 2.4.X Linux kernels, software based RAID with SCSI is a lot more stable. For Red Hat 4 and later 2.6.X Linux kernels most Adaptec and Promise based hardware RAID is more than stable enough.

"We asked the customer to do a diagnostic test and the customer never responded, so it was impossible for us to address the issue,". The "failure" of Linux at Crest Electronics is probably due more to internal politics or incompetence rather than the choice of OS platform. That Anthony Horton, who inheriting the decision [to use Linux] when he took the job, chose not to respond to Red Hat's request, suggests that he was not all that enthusiastic to get SAP working on Linux. The Red Hat-recommended contractors, if actually consulted, should at least have been able to diagnose the hardware and system crashes post mortem, if only by turning on kernel debugging and passing the log information along to Red Hat and IBM.

If Mr Horton took over the deployment and management of SAP on Linux servers, then he probably approached managing Linux with the experience, skills and methods he acquired when administrating SAP on AIX. Although most of the skills can be translated to Linux, AIX is not Linux ( in fact there a few older Unix stalwart I know of who claim that AIX is barely UNIX ). Mr Horton probably got frustrated and started mucking around in the /etc directory with the result of screwing up the deployment on Linux, but it would have taken only a couple of rounds emails to SAP's and Red Hat's email forums to fix the problem.

Once installed, SAP provides a very similar interface to manage itself on Linux, Unix and Windows with IBM's or SAP's own Database. SAP's offerings are difficult to correctly deploy within an Enterprise, whatever the OS platform. I could believe that it could take a couple of days longer to deploy a solution on Linux rather than Windows, but not "The installation of SAP took two days on Windows, the installation on Linux Red Hat took two weeks". How much of the enterprise dependent configuration of the SAP environment were just copied over from the Red Hat to the Windows hosted deployment? Without that question being answered it looks more like a case of Pro-Microsoft FUD.

In Microsoft's sponsored studies and commissioned papers, Linux Vs Windows Total Cost of Ownership calculation rarely if ever take into account the amount of downtime suffered by the respective platforms once deployed. In terms of stability, Linux and open source has a far better record of reliability. In my experience, any extra effort employed to deploy a solution on Linux is almost always rewarded by long term solid solution that suffers a lot less downtime than a similar Windows hosted solution.

Update: Deploying Linux for ERP works better for others

2005-09-26T02:11:00.000-07:00

The non-beta release of the Google Toolbar for Firefox has added a "blog-this" button that hooks into it's blogger service ... ... and it works, but currently lacks all the rich editing features that Blogger's web interface provides.

2005-08-02T07:45:00.000-07:00

"Remote Attestation" and content access monopolies

The Trusted Platform Module provides the hardware functionality for digital rights software to provide effective remote attestation and digital key withholding.

Both Microsoft and Apple have plans for media-digital-content-viewers that, at the request of a digital content provider, will not allow the user to view or access specific digital content if the operating system has been modified in certain ways.

Because, for the foreseeable future, it is impossible for the digital rights management software to detect if an individual modification to a particular subsystem is hostile to the goals of the demanded digital rights, all software and subsystems relating to the operating system with storage and input to display will have to be digitally signed by Microsoft or Apple before it can be accepted by the DRM subsystem. Microsoft and Apple are effectively locking the user out from changing parts of the operating environment.

Because it is possible for hackers to read digital keys used to encrypt content direct from the computer's memory, the operating system has to be built with the ability to lock the user from being able to access pages of memory used by the mediaplayer and digital rights management system.

OS based Digital Right Management systems are based on the principle of locking the owner of the computer out of the ability to access sections of memory and disk space used by the DRM mediaplayer systems.

Locking the owner out of parts of the computer has become a major security issue.

Microsoft's Mediaplayer, Active-X ( still used with some DRM ), Real's realplayer, Adobe's PDF viewers, Apple's Quicktime and even Microsoft's and Sun's Java JVMs, have in the past had remotely exploitable vulnerabilities.

OS based DRM combined with TPM based encryption along with enviable future vulnerability holes in media access offers the malware/virus/worm creator the ability to hide a virus from any antivirus tool or live forensic analysis. Existing stealth viruses already have ability to hide the modifications it has made to files, going undetected by antivirus programs. DRM encryption offers the ability for the malware to store content, and without the keys to decode the content, keep it hidden from any forensic analysis.

Crackers and hackers always find ways to exploit the code to access or share protected content. There is not a DRM system that has not been cracked within months of widespread release. The focus on the code use d in such systems also comes to the attention of malware/virus creators. The same holes discovered by those who just want to freely access content may possibly also be abused by those wanting to crack into your computer. Similar holes in other types media viewers, the webbrowser and email programs, are increasingly being used for criminal gain by phishers and spyware makers.

Some vendors reportedly have in the past purposely left backdoors in the source code to allow access by US intelligence agencies. This has not only become a major issue for other countries who fear spying, since discovered backdoors quickly become the criminal's frontdoor into your PC.

Hollywood and the recording industry hold an effective monopoly on a large section of popular content. Both Microsoft and Apple are now offering the ability to content providers to demand that users must use unmodified systems to view said content. It locks you out of parts of your system that will inevitably be abused by third parties wanting to abuse you.

2005-06-21T13:15:00.000-07:00

The Scheme to Discredit Linux

When John C. Dvorak published an article on The Scheme to Discredit BitTorrent, the accusations against the accusers of Bittorrent seemed somewhat familiar to me....

The Scheme to Discredit Linux

One of the most fascinating and popular operating systems and collaboratively developed systems on the Internet is Linux, first released in 1994. Continuous improvements led to its emergence as a force in 1999; by early 2005 it was perhaps the second most dominant platform on the Net, second only to Microsoft itself. The problem is that no big company controls it, and Microsoft, asleep at the wheel, let it slip too long to do much about it. So now I suspect Microsoft is playing dirty to discredit the thing. There is no other explanation for the recent series of coincidental stories and events.

Linux is the brainchild of open source and kernel junkie Linus Torvalds , a certifiable genius who saw that radical thinking was needed if Unix was ever going to work well in mass-market environments.

Open source development. What Linus managed to figure out was a way to maximize development with GPL licensing that went beyond single vendor-centric methods, cathedrals, mystic man months and all the other schemes that have come and gone. Moreover, this idea ends up not costing the person distributing the Linux platform a lot of money, because the GPL license itself goes into the code, becomes what is called a commons, with uploads and downloads of patches all over the place in bits and pieces from developer to developer. When you begin to deploy a Linux system from distribution vendor, your machine includes software collectively developed by much many more vendors and developers. This process is kind of like the fission development with the mousetraps and the ping-pong balls, since the Linux system becomes enhanced by others and you get multiple developer collaboration. Meanwhile, you are still freely using bits from all of them. Development and patches are flying every which way and higher demand makes it work better!

Microsoft Takes Aim at Linux. The process for doing this is nontrivial, although Linus claims it's not that complicated. That said, he also tells me that nobody else seems to get it right, in particular Microsoft with its Longhorn project, which he calls vaporware and wrong. "They just do not get it," says Linux. "They have no clue about how development works. I don't know if they can't read the source or have not really looked at the code or documentation, but they do not understand it." To emphasize this issue he just posted a rebuttal to the Microsoft GetTheFacts documents in a mailing list.

Meanwhile, we are hearing about Longhorn as though it is out of beta. Articles begin to emerge about the product just as some dubious articles appear all over the Net about how Linux has something to do with intellectual property threats, failed development and business models. Interesting coincidences indeed.

Simple Lies, Told as Fact. There is no Unix source code in Linux. There is no way Linus is being tricked into delivering copyright violations. We hear that Linux files are "infected." What specific to the Linux kernel is infected? Is it the kernel files files? Or is it third party applications? If it's the third party applications ( a mediaplayer , for example) then what's it got to to do with Linux per se? Nothing, that's what.

Here's what happened. A failing company, the SCO Group, took out a lawsuit against IBM, of which part of the lawsuit is about supposed Unix code put into the Linux kernel by IBM. Instead of just pointing to the source code in question, and letting Linus remove the suspect code in question, the SCO group began widening its claims to Unix. Novell, who is the rightful holders of the copyright of the Unix works in question, say that the SCO group does not have the right to sue. If Linux didn't exist, the SCO group would still be accusing other platforms that included Unix-like source: NetBSD, FreeBSD or even Microsoft's windows OSs. Nothing would change. Linux in this instance is merely a target of opportunity for the SCO Group. You'd STILL get the lawsuit if you used something other than Linux. Spotlighting Linux is a cowardly way to discredit the product.

The Root of the Accusations. This was all accelerated by a Microsoft lackey named John C. Dvorak, who always describes himself as a "renowned" IT expert. By whose standards is he renowned? Has he written any recent books? Academic papers? What exactly besides articles for third rate Microsoft advertising funded rags such as PC Magazine and other Ziff Davies publications ? So where does this assertion come from? Himself?

He posted his Linux death notices on his opinion columns here. He discovered that The SCO Group was going to start a lawsuit against IBM and implied that Linux has more to do with Unix intellectual property than a casual coincidence. Does this guy know that Linux is developed by people who do a lot of development and care about keeping the result free to GPL license? The cause and effect logic here eludes me. Is he saying it's impossible to get sued without Linux?

Whatever the case, someone managed to get his predictions of doom (Dvorak predicting the death of anything is news?) into CNet News, eWeek and IDG News service, as well as hundreds of mainstream media publications talking about how Linux was "losing momentum". Hey, Linux will be deployed whatever you choose to say. How is this not news? This all happened just as the once skeptical, now wishy-washy Zdnet/Cnet (which also repeatedly reported on the SCO Case against Linux without questioning it) reported on Longhorn being oh-so-superior to Linux.

For a good laugh consider the history of Cairo and Longhorn. Microsoft keeps making all sorts of promises on new features that where supposed to be in Longhorn but will not actually be in the actual release version. I have never seen such a crock in my life. Can you say "dry lab?"

Where Is the News Reporting? What bothered me the most about this episode was that there was no reporting whatsoever regarding the Linux lawsuit claims or even the credibility of the renowned Dvorak. It was basically parroting a leap-of-faith accusation in a column that somehow developed into these eventual talking points: Use Linux and you'll get sued. Linux sucks, and oh, Microsoft has something better, although it's never been shipped—but it's better!

Does this sort of media irresponsibility and laziness ever end? Or why don't we just shoot everyone doing good work, lie about the facts, and turn everything over to Microsoft and its Redmond compound? The only defenders of Linux I saw regarding this issue were buried here and there on Slashdot. They sure were not in the newsrooms—or the blogs for that matter. All the stories I saw were disgraceful.

2005-06-13T10:02:00.000-07:00

The Mixed Constituent Proportional (MCP) electoral system

The problem with the First Past the Post (FFP) electoral system is that it is not always proportional as could be desired.

Mixed Constituent Proportional (MCP) representation is a fully proportional representation electoral system similar to Mixed Member Proportional (MMP) representation. MMP has been adopted countries such as Germany and New Zealand.

In both MCP and MMP, the number of constituent seats is half the number of seats in Parliament. Citizens get two votes. One vote to is used select their preferred local member of Parliament and the other vote to select for their preferred political party. The remaining non-constituent seats are allocated to the political parties so that each the number of party's seats in Parliament is in proportion to that party's percentage of the nationwide political party vote.

With MMP each party puts forward a list of candidates in an order of preference. In New Zealand potential candidates for members of Parliament can be on both the party list and also run for election as a local candidate. The non-constituent seats, called list seats, are allocated to the top candidates on that list who did not also win a constituent seat. The first problem with the MMP system is that, unlike the existing FFP system, the non-constituent list members of Parliament are not answerable to any local constituency. List members of Parliament are effectively only answerable to the party whips and their own continence. The second problem is that because the parties dictate who is on the list, it is effectively impossible for an electorate to veto particular individuals from becoming members of Parliament.

With MCP, as with the FFP system, all the candidates sit for election in constituents. Each party can field up to two candidates for each constituent seat : the candidate and an optional running mate. Each constituency is allocated two seats in Parliament, one constituent seat for the winning local candidate and an alternate seat which is allocated as follows. After the election, if one party gets more than fifty percent of the nationwide party vote, then the constituent seats where the party member came second is elected as the member of Parliament for those alternate party, then the running mates in the order of the constituencies with the highest proportion votes for the candidate, also become the member of Parliament for those seats, until the number seats that party holds in Parliament is proportional of their nationwide party vote. A list is then constructed for all remaining available alternate seats in order of the highest proportion of votes for the non-winning candidates. Then the alternate seats are allocated so that the proportion of seats each party holds in Parliament is proportional to that party's nationwide party vote.

The benefits with MCP are:

1) The alternate seat members are answerable to their local constituency; And

2) The electorate can effectively veto particular individuals from becoming members of Parliament; And

3) Each citizen has two local members of Parliament, one of whom is more than likely to be part of the Government; Therefore

4) The resulting Government is more likely to be answerable to all of the electorates, not just the majority as in FFP.

2005-06-07T12:28:00.000-07:00

Apple+Intel:Mac 924 Vs Microsoft Gremlin & Linux Mini-van

Apple on Intel is like the original Porsche 924. Either it's a very bad marketing decision or a precursor to a play for a much larger chunk of the mainstream market...

A long established sports car company Porsche, like Apple, use their unique design and reputation for performance and quality to set itself apart from other players in the same market.

In 1976 Porsche released the Porsche 924 as an entry level introduction for new customers to the Porsche brand. The 924 may have been designed by Porsche, but it also had the same engine as models of the AMC Gremlin and Volkswagen Mini-van, and was built by Audi ( at that time a division of Volkswagen ). In comparison to other similarly priced sports cars of the day, the engine failed to deliver the expected performance, even with the addition of a turbo in 1979.

Problems with the early model 924s really damaged the reputation of Porsche and most Porsche enthusiasts shunned it for the earlier model 911 series. Despite the loss of reputation, Porsche stuck with the 924 series for a few years. Sales were not as good as the 911 series and outsourcing the manufacturing turned out to be less cost effective than expected.

Because IBM failed to deliver the next generation of Power CPUs, Apple is need of a new engine. Intel and AMD can provide one, but Apple does not have enough market share for either to manufacture custom CPUs or a new proprietary bus architecture. That leaves moving MacOS/X to the same ia64 or x86 processors which are also used in the Microsoft Gremlin and Linux Mini-van. The latter two OSs are quite capable of providing very comparable desktop experience to MacOS/X well within the next two years.

There is not much Apple can do on the other side of processors bus which is going to deliver enough performance to set it apart from a new Laptop or PC from Dell, Lenovo, HP or any whitebox OEM. Apple style flashy external bodywork is being adopted by those same vendors. The inevitable comparisons will result in damage to the public's perception of Apple's uniqueness.

This leaves Apple with a choice. Either continue to remain the sole supplier of hardware for MacOS/X and loose a large chunk of the desktop market share OR choose to directly compete with Microsoft and let Dell, Lenovo and HP sell Apple designed/approved "built for MacOS/X" laptops and PCs. The OEMs would love to have Apple and Microsoft competing to sell on their hardware.

In my opinion if Apple does not choose the latter option, then it only because of very bad decisions by Apple's management or Sherman Act violating non-compete agreements with Microsoft.

2005-06-07T06:41:00.000-07:00

Apple on Intel is like the Original Porsche 924

In 1976 Porsche released the Porsche 924. The 924 may have been designed by Porsche, but it also had the same engine as models of the AMC Gremlin and Volkswagen Mini-van, and was built by Audi ( at that time a division of Volkswagen ).

Problems with the early model 924s really damaged the reputation of Porsche and most Porsche enthusiasts shunned it for the earlier model 911s.

2005-05-11T19:32:00.000-07:00

Acknowledge the doctrine of first sale and private use! When you purchase an instance of a copy of a copyrighted work, you own that particular instance of a copy of a copyrighted work. When I purchase a car, I own that car. I have the right to that particular instance of that car to use,modify ( pimp my ride ),combine, dispose or resell without having to seek permission from the car builders, vendors etc. Therefore is the following is self evident that copyright legislation should grant the following rights under the concept of fair use:

Acknowledge the supremacy of the doctrine of first sale : When you purchase an instance of a copy of copyrighted work, your rights to view,use,modify,combine,inter-operate with, dispose or resell that one instance should not be impeded by either legislation or technology. This fact has been recognized time and again by the US courts.
The doctrine of first sale applies to both physical media and digital content where the receiver pays a transaction for particular instances of a copyrighted works: When you purchase an instance of a copy of copyrighted work that involves the buyer making a choice for that instance of copyrighted work and entering into a transaction with the seller, then the buyer has the rights to that instance under the doctrine of first sale. Sellers of instances of copyrighted work cannot hide behind "provision as a service": when you pay for an instance, you own that instance.
You do not have the right to record content without permission of the copyright holders of a live performance ( play, concert etc ) or private performance ( film theater ) held on private property or performance venue. You pay to attend a performance at a physical venue, not for a copy of an instance of that performance.
Instances of copyrighted works broadcast ( as apposed to downloaded ) and received by a device held by individual person or on that person's property, may not be redistributed outside of that person's household to anyone who does not receive the content though the same service. You may record an instance of copyrighted work for later viewing ( timeshifting ) and distribute a copy along to any person whos household also receives that same broadcast service ( samaritan clause ). You many not redistribute or resell content recorded from a broadcast service to anyone not receiving that same broadcast service content.
Although you may not redistribute recorded copies of broadcast copyrighted content outside of the terms of (4), there should be no limit to what you may do with instances of those works within your household. You should have the right to modify the works, combine with other works and inter-operate with other works. You should also have the right to transform the instances of the copyrighted work so that it operates or can be viewed on other devices (mediashifting).
Copyright protection extends only to the particular work copyrighted. The copyright holder's exclusive rights should not extend to the right to deny others combining a legally acquired instance of a copyrighted work with other works. You should have the right to distribute and/or sell, patches, recipes and add-on components that refer and link to the content of the copyrighted work, as long as the distributed items do not contain content from the original copyrighted work. The resulting combined and/or transformed work that contains content from the copyrighted work sources can not be legally redistributed without the permission of all the copyright holders.

2005-04-11T15:44:00.000-07:00

Core, maintaining reputation and license to fork

The major commercial Linux distributions ( such as Redhat, Suze, Mandrake etc ) and bundling vendors ( such as openlogic's blueglue ) maintain a large number of open source software packages as part of their core products. The reputation each of these distributions is entirely dependent upon the quality and security of each component. All of the vendors apply patches to the software before compiling, so effectively they maintain the included packages for you. You can depend on the vendors desire to maintain their reputation to use the open source software they distribute.

The difference with pure proprietary software is that either through a desire to do the right thing or because of the terms of the license, changes made by the vendors get distributed back to the open source software project developers. If you see that the original developers are including patches from the vendors or applying their own solutions to fix the same issues in a timely manner, then you can expect to trust that software project independent of the vendor platform.

To a lesser extent, the same dynamics of reputation apply to "community" Linux distributions ( Debian, Gentoo ) and vendor "development" distributions ( Fedora ).

At some point some open source projects developers may go in a direction that the distribution vendors and end uses may disagree with. It is the licensing which allows a fork of the project to develop that sets the open source development model apart from the pure proprietary development model. Apache, X.org and even the current version of the GNU GCC compiler toolset have been all derived from an outside fork of an existing open source project. No vendor or open source software developer can block development for any substantial period of time without the risk of the development being taken over by a descendant of the same project -- it's called evolution.

Any so called analyst or even a journalist who covers open source software, that cannot grasp the above simple concepts must be lacking in either competence or integrity.

- republish at will

2005-03-15T05:06:00.000-08:00

Epic Ideas for Privacy Reform

Do you want the Good or Bad news first?

EPIC just published a very good paper by Daniel Solove and Chris Hoofnagle that offers suggested proposal for privacy reform in the wake of all the recent privacy breaches (ChoicePoint, Lexis/Nexis, Bank of America, DWS, etc.).

Good News

There may be a way to do this preserving privacy using public key cryptography and digital signatures.

Alice is an public individual or entity, Bob is a registered data holder, Curt is a privacy data register agent, and Darin is privacy data protection agent.

Alice registers her identity details ( name, SSID, current address ) along with her preferences and a public key, "Ap", with Darin.

Alice receives a public key from Darin, "Dp", to verify communications.

Darin verifies Alice's identity ( how? ), and then generates a unique key, "Ak".

Darin registers Alice's identity details along with Ak and Ap with Curt.

Curt has a copy of Alice's identity details associated with Darin's Ak and Ap.

Bob registers with Curt as a data holder, passing Curt a public key, "Bp", and receiving Curt's public key "Cp".

Bob passes Alice address, name etc, along with a unique ID "Bk" to Curt in a package encrypted with Cp.

Curt searches his data base and sends a tuple of Bk, Ak, Ap and Darrin address to Bob in an package encrypted with Bp.

When Bob performers an action where Alice should be notified or consulted, Bob creates a form ( including the public key Bp and reference Bk ) encrypted with Ap, in a package, "BA", address to Ak and sends it to Darin.

Darin receives BA from Bob and digitally signs it, and passes it on to Alice.

Alice receives BA from Darin, verifies it using Dp and can then choose to either:

1) Take note of the form or chose to ignore it;

2) Complete the form and send the result back to Bob, encrypted with Bp;

3) Complain to Bob directly;

4) Take action through the authorities or sue Bob using Darin's digital signature of BA as proof.

Neither Darin or Curt hold the unencrypted details of BA. The origin of BA could be obscured so Darin does not know who it comes from. Bob could cache Alice's privacy contact details for a limited period ( three months? ) to limit Curt's ability to perform traffic analysis. Alice is free to change from Darin to another privacy data protection agent, but would have to wait for Bob's timeout of Alice's privacy contact details before it is switched to the new provider. The latter is preferable to Curt's having to keep a record of each registered data holder that has Alice's details.

Bad News

Any centralized register and tracking system could be co-op'ed by the authorities or any good lawyer to further erode privacy. Each individual/entity would still have "more global" unique key: Ak . Although this would change when they change registered data holder agents, it would still greatly assist data matching. All it would take is a subpoena demanding that the centralized register agent forward the list of registered data holders and subpoenas to the registered data holders demanding that they forward a copy of an individual or companies data. Given the current political climate, do you really trust this current administration to legislate limits to such access by the courts, not to mention certain government agencies?

2005-02-24T12:16:00.000-08:00

Questions to USPTO On-Line

I tried to pose some questions to USPTO On-Line chat for Independent Inventors today, however the digichat java applet does not appear work with any combination of Linux Galeon/Mozilla/Firefox jdk1.5.0/j2re1.4.2_07 or MacOSX Firefox/Safari. Here is what I tried to ask:

I understand that the discovery of prior art and the evaluation of the obviousness of an invention are difficult tasks for the United States Patent and Trademark Office (USPTO) patent application examiners to perform. The percentage of patents being overturned under the scrutiny of the courts leads me to believe that the process is not quite as accurate as could be desired. In a few recent cases the existence of publicly accessible digital content has played a part in disclosing prior art. The public, technical and scientific communities use of Internet has to a large extent replaced printed media such as journals for the public disclosure of new ideas. To what extent does the current USPTO patent application examination process take into account public accessible website content? Do the patent examiners currently use Internet search engines such as Google ( http://www.google.com ) to locate instances of prior art? Is the changeable and unverifiable nature of some digital content a barrier to its being cited as prior art in the patent application examination process?

The USPTO patent application examiners task could be made more reliable if the examiners could consult one or more public online registries that document cases of prior art and public discoveries. The online registries could provide a means for the public to retroactively point to cases of preexisting prior art for pending patent applications and a means to proactively document publicly known ideas and concepts. Although websites and digitally stored content in general is changeable, individual entries and changes in an online registry could be legally authenticated by means of digital timestamping ( http://www.rsasecurity.com/rsalabs/node.asp?id=2347 ). An online registry could be hosted by the USPTO as an adjunct to the existing online public patent and patent pending databases. The USPTO could also publicly recognize other individual registries hosted by third parties such as a commercial entity or a non-profit community similar to Wikipedia ( http://www.wikipedia.org/ ). An individual adding an entry to such a publicly online registry does not involve granting that individual any form of monopoly, therefore the action need not have any artificial barrier involving fees or payments. Would the existence of digitally timestamped public content overcome any objections by the USPTO to its citing as prior art? Has the USPTO any plans to add some form of publicly accessible feedback mechanism to the patent application process?

It has been nine years since the USPTO updated the Guidelines for Computer-Related Inventions ( http://www.uspto.gov/web/offices/com/hearings/software/analysis/computer.html ). Since that time has the USPTO undertaken, commissioned or evaluated any studies on the effects that granting software related patents has had on the progress of science, useful arts and the software industry in general? If no such study has been performed or evaluated, why not? Can the USPTO point to any instances where the granting of software related patents has been an actual benefit to the progress of science, useful arts and the software industry in general? In a similar vein, can the USPTO point to any instances where the granting of business method related patents has been an actual benefit to the progress of science, useful arts and industry in general?

2005-01-25T06:00:00.000-08:00

Melding Bot : Convergence of Grid and Virtualized LSB

Take a pinch of Standard Linux
Wrap it up in Xen
Add a touch of SELinux
And a little bitty bit of Globus
Oh like a Sandboxed Platform
Oh Lordy, Lordy, mixed with Free and Open Source Code
You know you lump it all together
And you got a recipe for a Multi Vendor Development scene
It is coming though, you know, you know.

What we have is a great big melting pot
Big enough enough enough to take every vendor and all IT's got
And keep it stirring for a hundred years or more
And turn out Application Service and Content Providers by the score.

With apologies to Blue Mink.

2004-11-03T15:07:00.000-08:00

Unfortunately, the 2004 USA Election has been a victory of FUD over Facts.

"Everyone is entitled to their own opinion, but not their own facts"- Sen. Daniel Patrick Moynihan.

The mainstream forth estate news organizations, on both sides, have utterly failed to hold either Democrats or Republicans accountable for claims that diverge widely from the known facts. In cases where journalists have made a consistent argument, the news organization has allowed that position to be "shouted down" by political camp followers repeating the same lies over and over again though the same outlet. In those same replies, there was very rarely comments by the news organization when known facts obviously contradicted the opinion. Many news organizations seem unwilling to publicly chastise either party for continuing to avoid addressing serious questions when the facts do not concur. The result has been an outright failure of the concept of journalistic ethics.

Some alternative sources, be they partisan or bipartisan organizations, individuals, websites, documentaries, forums or the blogosphere, have done a better job at holding both sides accountable. Sadly, even the most popular alternative source reaches a small fraction of the audience covered by the mainstream media. However, to even that small fraction, those same sources have utterly failed to present an overall palatable, concise and coherent position to the opposing or undecided viewers.

The resulting output from both mainstream and alternative sources has only polarized each sides opinion of each other, further dividing the nation.

Democracy is effective only when a large majority of voters are capable of making an informed choice. In my opinion, the majority of voters, despite who they voted for, were badly served by those organizations who claim they are responsible for keeping the public informed. It's not as if the same could not be said for past elections in any country, but this election cycle the "Whopper" mud slinging has been so much worse than any election since the introduction of television.

What does this mean for the tech industry?

In a lot of ways, both sides campaigns are mirrored by Microsoft's unabated campaign of Fear, Uncertainty and Doubt ( commonly referred to in the information technology sector by the acronym FUD ). Microsoft's advocates probably consider the use of the same strategy by both Democrats and Republicans a green light to continue to spread FUD, despite the evidence which contradicts the claims, including Microsoft's own internal research. Any forum attached to an article that even hints at Linux being used on the desktop results in a similar barrage of FUD that is familiar in form to that spouted by the political camp followers. Microsoft's advocates claim the same thing happens whenever Microsoft's record of security is mentioned.

Whether choosing a political or consumer platform, it is possible to make an informed choice when the mainstream political or technical media performs its role to certain ethical standards.

From the International Federation of Journalists:

DECLARATION OF PRINCIPLES ON THE CONDUCT OF JOURNALISTS
Adopted by the Second World Congress of the International Federation of Journalists at Bordeaux on 25-28 April 1954 and amended by the 18th IFJ World Congress in Helsingör on 2-6 June 1986.
This international Declaration is proclaimed as a standard of professional conduct for journalists engaged in gathering, transmitting, disseminating and commenting on news and information and in describing events.

Respect for truth and for the right of the public to truth is the first duty of the journalist.
In pursuance of this duty, the journalist shall at all times defend the principles of freedom in the honest collection and publication of news, and of the right of fair comment and criticism.
The journalist shall report only in accordance with facts of which he/ she knows the origin. The journalist shall not suppress essential information or falsify documents.
The journalist shall use only fair methods to obtain news, photographs and documents.
The journalist shall do the utmost to rectify any published information which is found to be harmfully inaccurate.
The journalist shall observe professional secrecy regarding the source of information obtained in confidence.
The journalist shall be aware of the danger of discrimination being furthered by the media, and shall do the utmost to avoid facilitating such discrimination based on, among other things, race, sex, sexual orientation, language, religion, political or other opinions, and national or social origins.
The journalist shall regard as grave professional offences the following:

- plagiarism - malicious misrepresentation - calumny, slander, libel, unfounded accusations - the acceptance of a bribe in any form in consideration of either publication or suppression.
Journalists worthy of that name shall deem in their duty to observe faithfully the principles stated above. Within the general law of each country the journalist shall recognize in professional matters the jurisdiction of colleagues only, to the exclusion of every kind of interference by governments or others.

Consider the above and the current state of the mainstream and alternative news media. Both the mainstream political and technical news media are failing to follow the ethical standards necessary for people to make informed choices. When articles and content do not concur with known facts, or the journalist fails to seek and give enough time for an opinion from an opposing party in reply, it's not enough to claim that people are free to search for and consult other sources that have differing opinions. Such lack of action on the part of journalists is responsible for adding to the Confusion, Fear, Uncertainty and Doubt. Journalist and news media organizations are not performing their job and society and the consumer suffers as a result.

2004-10-12T11:50:00.000-07:00

Twelve Step TrustABLE IT : VLSBs in VDNZs From TBAs

Twelve Step TrustABLE IT:
Virtualised Linux Standard Base (VLSB)
in Virtual Demilitarized Network Zones (VDNZ)
from Trusted Build Agents (TBA)

Back in August 11, 1998, Microsoft's Vinod Valloppillil and Josh Cohen released a memorandum titled Linux OS Competitive Analysis: The Next Java VM?, in which they predicted that Linux would become ubiquitous as a services platform. However, the title of the paper could be even more prophetic.

Consider the following.

[1] It is well known that Linux is quite portable, in fact only NETBSD comes close to the number of hardware platforms supported.

[2] What is less well known is that the Linux kernel has even been ported to run on itself, as client for a virtual Monitor platform, and even to run virtualised on other operating systems including Win2K and XP.

[3] Other operating systems, such as BSD and Sun's Solaris can also use a compatbility layer to run applications compiled for Linux directly, without the need for virtualisation.

[4]The Linux Standard Base Mission Statement is to

To develop and promote a set of standards that will increase compatibility among Linux distributions and enable software applications to run on any compliant system. In addition, the LSB will help coordinate efforts to recruit software vendors to port and write products for Linux.

[5] The above standard also defines a generic subset of the standards for each hardware platform as a source level application interface. In fact for an application to be certified for the LSB it must be tested on two of the plaforms supported by the LSB, one chosen at random by the testing body. Following the standard, it's not that difficult a job to write portable C and C++ code : Write once, compile for each platfom.

[6] The GNU Compiler Collection's future GCC 4.0 Release Series now divides the task of compiling into two stages based around Static Single Assignment trees. It should be possible to use the new GCC front ends to compile each language into a SSA tree that represents the common generic subset of the Linux Standard Base: [5].The resulting SSA tree for a build could be dumped into files, analogous to Java's JVM intermediate format, and then complied to native code for the target platform: Write once, run everywhere.

Be it open or closed source, every binary or script you execute represents a risk. It is possible to introduce hostile code at any point along the build chain, before the point where the binary is checksummed and the result digitally signed.

[7] It is possible to use constraints built into any Linux or Unix like operating system to isolate and restrict what a binary executable has access to or can do. Even without employing SELinux's manditory access controls or chroot/jail'ed environments, it is possible to run a process under a different user identity and group identity. Unix servers have used this technique for decades . With desktop applications. virtual identities and home directories can be assigned each user, the application could be limited to what files it could read and write.

[8] Because operating system security is fallible, it is sometimes better to run some services and applications on a separate computer that is isolated behind a network firewall that limits its access to the internal network and servers. This network area is sometimes called the demilitarized zone, and is often given the designated color of orange in comparison to the red colored external network and the green internal network.

[9] It is possible to use operating system virtualization in [2], to provide a virtual client operating system that access the host operating though a virutal network device. This can be used to provide a Virtual Linux Standard Base (VLSB) platform that runs in a Virtual Demilitarized Network Zone ( VDNZ).

[10] It is also possible to grant remote servers access to the Virtual Demilitarized Network Zone though the use of a Virtual Private Network (VPN). Application service providers and webservices could use this gain restricted access to an organizations servers and users desktop environment. Using VLSBs the service could be distributed over the ASPs own servers, any third party distributed hosting provider , or even the customer's ISP. Each step could increase the bandwidth and reduce the latency between the service and the customer.

[11] It is possible to bootstrap and cross compile a GCC development build chain from scratch on many platforms to mitigate even Ken Thompson's Trusting Trust issue. If you use the same open libraries and compile using GCC hosted as an LSB application, then, using the same tool chain and libraries, it is possible reproduce the build on another platform based on the same Hardware LSB standard and produce a very similar, if not identical, binary. This ability to reproduce the the build and compare binaries can provide means to audit builds to confirm that a binary is the result of compiling a particular set of source code.

[12] Governments, organizations and individuals are becoming increasingly concerned about software compatibility, conflicts and the possible existance of spyware in the software applications they use. If you have access to the source code, then you can check it and compile it for yourself. This is not an option for closed source proprietary applications, and not everyone has the resources to check each line of source code. One solution for these issues is to employ a trusted third party, separate from the application developer, who is tasked with maintaining a trusted build environment, to build the binaries from source code. The Trusted Build Agent (TBA) would hold the source to each build in escrow, releasing the source code for only open source licensed code. Competing businesses providing a TBA service in a free market would compete with each other in not only price and level of certification, but also on the ability to detect hostile, vulnerable, incompatible or just plain buggy source code. You could request a trusted build from multiple TBAs test the ability to detect defects. Defects would be reported back to the application developers, along with any patches and suggestions that provide a fix. To a lesser extent, most Linux distributions and other operating system vendors that build and redistribute open source licensed code already provide this role.

While not all of the above steps are currently available, it is the ability to combine any of the above steps which makes Linux, and to a lesser extent any operating system capable of hosting VLSBs, such a powerful platform.

2004-05-05T08:00:00.000-07:00

In answer to Java's Opening and Bad Rep: Two replies to Joshua Marinacci.

Just the Java J2ME,J2SE,J2EE Libraries

It would benefit the entire Java based industry, including the free software, open source and proprietary based vendors, to open license the core J2ME,J2SE,J2EE libraries and Java to bytecode compilers.

Java's primary strength, the ability to write code which is constantly portable across many vendors platforms, would be greatly enhanced if all of the vendors were using the same core libraries.

To insure that the standard base core would not become polluted with incompatible forks, the source could be licensed with a clause requiring any incompatible changes or any additional classes or methods to be moved to and occupy only the vendors namespace. Another clause would require that the vendor version of the Java to bytecode compiler and any GUI IDE defaults to generating portable bytecode, without embedding any vendor specific references.

The OSF definition of an open source license clause five explicitly states: "The license may require derived works to carry a different name or version number from the original software."

Developers would only be required to shift changes to the vendors/developers namespace if the changes were incompatible with the JCP JSR open standards. This would not prevent the development/distribution of additional optimizations, ports or bug fixes. Since adoption of standards has for a long time been an open source tradition, it would not be much of an imposition.

Contributions to the core standard would be required to licensed under the same open source license. The existing JCP standard body could decide what becomes part of the Open Java Core. Sun would still retain the veto, and the Java J2ME, J2SE and J2EE brand would be still be protected under trademark law.

It should not be necessary to open source license Sun's JVMs. In the long run it could greatly benefit Sun to develop the JVM under a dual license as it doing with OpenOffice.org and selling StarOffice.

In fact, according to Jonathan Schwartz, Sun's recently appointed president and chief operating officer, Sun is considering the GPL license for Solaris. Why? In comparison to Linux, the range and quality of hardware drivers available to Solaris is pitiful. If Sun manages to get out from under the SCO claims on the old AT&T code base and does manage to GPL the Solaris kernel then Sun would be free to port any and all GPL'ed drivers and Linux kernel code to Solaris.

Java's got a Bad Rep: The Counterpoint

Here we go.

The Counterpoints

(1) There are many great benefits inherent to the open source development model, a centrally managed open source project can deliver code quality much higher than closed commercial equivalents. The issues of forking can be greatly mitigated by the terms of the open source license, covered separately above in this post.

(2) How can we use Java when it does not a provide an interface to some the host's desktop environment/OS/applications? There are plenty of cases where native toolsets provide the only choice. In the past Sun has tended to favor its own platform and application software as the lowest common denominator. Now that Sun has the Java Desktop and StarOffice, why not work to create a truly independent vendor neutral Document manipulation/extraction layer that works with OpenOffice,Microsoft Office suite and even Corel's Wordperfect Suite. Provide a constant Java API, which hooks into the vendor product, to extract and manipulate word processor, spreadsheet and presentation documents. Such a project would greatly benefit the adoption of Java, and could also be developed in an open source manner, not necessarily by the Office suit vendor.

(3) It's not that Java is missing feature that cannot be added on later or by a third party tool, it's that a lot of the core libraries could be made a lot easier to use if some of those same features were built in from the start. Generics is probably the best example. The use of generic containers alone could have greatly reduced the number of classes required for the developer to remember. Use of enumerators and other meta-data semantic sugar could have greatly reduced the complexity of the J2EE bean design. At some time in the future, the Java libraries could undergo a massive refactoring to produce a new version of the Java standard libraries running under a different namespace : Java3.

(4) Almost everybody uses Java, just like almost everybody used to use Cobol and BASIC. Cobol is a horrible language to actually program in and, like BASIC, should have died a death long ago, but tends to live on though the weight of its legacy base. If the amount of usage reflected the elegance of the design of the language then everybody would be coding in Common Lisp ( listen ). Java could be a much better programming environment.

(5) Which is why in December 2003, Sun invited IBM, Cray to collaborate on high-end computer language. This Portable Intermediate Language would not be a byte code but a tree based structure, similar to that used in GNU's GCC 3.5.0 Complier toolset . The latter can also be used to compile Java into a static binary.

The plan

Everything Joshua Marinacci suggested in Java's got a Bad Rep: The Rebuttal, PLUS:

Look into open license terms and dual licensing schemes for the licensing of the J2SE,J2ME and J2EE libraries that could benefit the whole Java industry.
Continue to open up and extend the desktop and application interfacing capability of Java - J2OF : Java2 Office Functionality
Start discussion on the next generation of Java and its standard libraries to see if it could not be designed from scratch to be a better product overall.
Lastly, FUD is countered by three methods: Facts, URIs linking to evidence backing up the facts and Development. Only development can address any actual weakness raised.

2004-04-26T18:29:00.000-07:00

The days of Daniel Boone are over and Doc Searls' IT Garage.

20/04/2005:The first three paragraphs of this article have been removed at the request of my former employer.

Deploying and managing Samba before 2000 required some knowledge, gained though a lot of head scratching and a little trial and error. It was not until late 2001 that it was truly possible to replace the last NT4 boxes for domain and print services. Tracking down the source of problems and finding workarounds required the support from other Samba users. Today there is two excellent books which fully document Samba and successfully deploying Samba. The former is already available to download for free.

Regardless whether software build upon is proprietary or FOSS, organizations often feel that they face a risk of lock-in when they are dependent on custom developed software from those who customised the source code. While this customised lock-in threat can be greatly mitigated by the availability the source code licensed in an open source manner, it can still take time to find a replacement person or contractor and for them to decipher what the changes do and effect. This is the one of the major factors that motivates organizations to prefer "off the shelf" solutions, be it either based proprietary or FOSS licensed software. Similar fears abound over "weird" deployment configurations that are only known to a few in the IT department. finding and training replacements takes time and money.

With the increased involvement of business in the development and use of Linux and other free licensed software and open sourced solutions, the environment is undergoing a change. Horace Greeley (1811-1872), from whom we get the phrase "Go west young man", stated thirty years later in 1871 "This Daniel Boone business is about played out.". Just like the USA in 1871, it is not that Linux lacks vast areas to exploit. A cultural change has taken place which makes the lone DIY self assembled approach less relevant to an increasing majority of the people living in the United States of Linux. Custom DIY projects still have their place, but the effort required remains unattractive to a growing mainstream audience.

The effort required to maintain the source code is one of the major reasons that open source developers often choose to contributed their changes back to the originating project. It is often better to work with the open source projects than just work on top of open source solutions. Developments contributed back can become "off the shelf" features integrated into future releases.

In depth DIY like technical articles can be both informative and enlightening, but they can also date quickly and are no substitute for uptodate complete documentation. Keeping such documentation uptodate is an effort, so why not contribute the article back to the projects they use in a form that can be become part of the "off the shelf" documentation integrated into future releases. It is better to write and maintain documentation which then can be turned into articles. O'Reilly & Associates often publish articles adapted from chapters of a book.

Good documentation and technical articles are hard to write. If the Linux and open source focused media and publishing companies want good articles that attract readers to buy the magazines or books, subscribe to the websites and click on the online ads, then it is likely that they are going to have become a closer part of the open source community equation.

Upcoming "The days of Nicholas Culpeper and The Complete Solution Repository"

2004-03-10T04:51:00.000-08:00

A plea for relief from Microsoft's escalating anti-competitive tactics.

An open letter to antitrust, competition, consumer and trade practice monitoring agency officials worldwide.

The role of trade practice and antitrust legislation is to provide the consumer with protection from abusive business practices and monopolies. In one of the most serous cases of monopolization in the information technology industry, the agencies charged with protecting the competitive process and the consumer have utterly failed to stem the offending corporation's anti-competitive practices.

The Microsoft corporation has been under continuous investigation by antitrust policing agencies since 1989. Despite this scrutiny, the Microsoft corporation, using covert and overt anti-competitive business tactics, has maintained an unabated campaign against alternatives to Microsoft Windows operating system platforms and Microsoft applications.

For years the Microsoft corporation has earned around 70% to 80% net profit from sales of its operating systems and application software. Only in areas like Thailand where Linux on the desktop has just begun to gain a foothold has Microsoft stated that it will release versions of its operating system platform and application software at a lower price to Original Equipment Manufactures (OEMs) and retail consumers than is available in the rest of the modern world. Consumers benefit where real competition exists.

The world desktop operating system market remains predominantly monopolized by Microsoft. Over the last decade, Microsoft continued to lever its desktop platform monopoly to the point where it now holds a dominant position worldwide in the application office suite and web browser software markets. On its own, the current USA Department Of Justice (DOJ) settlement with the Microsoft corporation has failed to bring about any restoration of serous competition to the desktop operating system market. Microsoft continues to use similar anti-competitive business tactics in an attempt to monopolize the digital media player and the desktop services server markets. Competing vendors increasingly find that they can no longer compete with Microsoft if they limit themselves to only the traditional closed source model of software development.

In the last six years information technology vendors have adopted techniques and resources from two existing movements geared toward the construction of software. The newer open source movement, represented by the non-profit Open Source Initiative (OSI) corporation, emphasizes the licensing of software in a manner which encourages its collaborative development in an open environment. The older free software movement, represented by the non-profit Free Software Foundation (FSF), focuses on the ethical issues surrounding the licensing of software. The free software movement emphasizes freedoms which are often taken for granted outside of the field of software: the freedom to use, study how something works, improve or adapt it and redistribute.

The Free Software Foundation offers two software license schemes which are compatible with their own goals and those of the Open Source Initiative: The GNU General Public License (GPL) and the GNU Library General Public License (LGPL). Essentially, the GPL and LGPL licenses grant the recipient extra rights than that granted by copyright law. Both licenses insure that a contributer or distributer of a GPL or LGPL licensed work may not further impede downstream recipients the rights granted by the same license. Many developing software in an open source manner have realized that this benefit offered by the GPL and LGPL licenses outweigh any potential losses. The licensing also insures that no contributing or distributing vendor or group of vendors could potentially monopolize the market, insuring that real market competition dictates price. Just as the automotive industry can commonize on standards for the production of the mechanisms of seats, instrument panels and doors while providing brand and regional differentiation across a wide array of models, the information technology community can collaboratively develop works under free licenses. Both vendors and consumers benefit from the resulting development cost reductions and competition from use of the resulting commons.

The Linux operating system and many other opens source and free applications have been developed in an open source manner under free license terms. Despite free licensing and open source licensing requiring that the source code is freely available there are numerous profitable business models. Vendors can offer proprietary software for open source platforms and/or take a hybrid approach dual licensing the development of software. Vendors can select, customizing and configure free software, offering the bundled result. Vendors can offer support services. Vendors can also offer hardware which runs the freely available software. The resulting collection of hardware, software and services has been widely deployed as a server operating environment. Many vendors, from small one person operators to large multinational conglomerates, now compete to provide goods and services for the resulting platform. Linux has restored true free market competition to the server arena.

Linux can provide just as capable a desktop platform, however Linux adoption in this area faces barriers resulting from Microsoft's anti-competitive tactics. Interoperation with Microsoft products is difficult while Microsoft continues to embrace and extend protocols developed in an open source manner, and along with Microsoft developed protocols and file formats, license the result in a manner unacceptable to competing vendors. In the field of digital media, Microsoft does not make its media player codecs available to the Linux platform. Despite the US DOJ settlement requirements for Microsoft's contracts with Original Equipment Manufactures (OEMs), Microsoft's current relationship with major OEM dealers requires OEMs to sell consumers personal computers with an operating system, in many cases requiring consumers wanting to replace Microsoft's operating system with Linux to go though a difficult refund process. Above and beyond the issues of interoperation and OEMs, customer perception is one of the greatest barriers to Linux adoption on the desktop.

The Microsoft corporation has maintained an unabated campaign against any and all competition to Microsoft's own products. The most significant common denominator to this ongoing campaign is the dissemination of Fear, Uncertainty and Doubt, commonly referred to in the information technology sector by the acronym FUD. While it is fair to point out relative deficiencies in competing vendors products or services, Microsoft corporation CEOs and agents of Microsoft have too often crossed the line by participating in the dissemination of outright untruthful statements. Refuting false allegations and incorrect assertions requires a significant effort, especially when previously refuted falsehoods are recycled and repeated as fact. Following the resulting arguments can require some technical knowledge, however in the last few years many of the more outrageously untrue statements in Microsoft's propaganda have backfired strongly enough to show up in Microsoft's own market research as a problem.

It now appears that Microsoft has chosen to escalate this disinformation campaign by actively participating in a situation to discredit the viability of the Linux platform and raise uncertainty to the cost of the Linux platform, manufacturing Fear, Uncertainty and Doubt.

The SCO Group has entered into a series of essentially inherently flawed lawsuits and fraudulent license claims against users of the Linux operating system. Since 1994, Caldera International and the Santa Cruz Operation have been accepting, profiting from and distributing software developed by hundreds of independent developers under the terms of the GPL and LGPL license. The SCO Group has failed to put forward any sustainable legal theory why it should not abide by the terms of the GPL license. Detailed investigation into other facts and evidence which regularly conflict with the SCO Group's various legal claims, filing, press and public statements, raises serous questions which can no longer be explained away by a lack of competence in either the SCO Group's CEOs or the SCO Group's legal representation.

There is now increasing evidence that Microsoft has been indirectly financing -- to the point of sustaining -- the SCO Group's campaign against Linux. Disclosed internal email memos back up by recent filings to the US Securities and Exchange Commission indicate that at least a third of SCO's entire market capitalization, and their entire current cash reserve, is payoffs funnelled from Microsoft.

The relationship between Microsoft, the SCO Group and the SCO Group's recent financial backers requires immediate investigation by all agencies entrusted with providing the consumer with protection from abusive business practices and monopolies.

The adoption of Linux on the desktop offers an opportunity to restore competition to the desktop market. The resulting freeing up by natural market forces will open up opportunities for vendors beyond Linux, open source and free licensed software vendors. Microsoft's escalating anti-competitive tactics raise further barriers which the consumer should not have to continue to face. Trade practice and antitrust legislation exist to provide the consumer with protection from abusive business practices and monopolies. We ask that agencies and officials entrusted with providing the consumer with protection act according to the intent of that legislation.