Wednesday, December 29, 2004

A Little on Copyright, Patents and Trade Secrets

[In a series of posts, we will identify some legal issues related to software. As we grow up, our tendency to ask questions goes down. For example, have you ever asked anyone what the difference is between an R or a TM written next to a company's logo? Most of the discussion will be based on US law, but I'd really appreciate it if somebody shares his/ her knowledge about Pakistani law (or Pakistanian law, as the rest of the world calls us) in this regard.]

Copyright law was designed to protect the expression of ideas, such as a story or a pencil sketch, in tangible form. A copyright gives the author exclusive rights over copying a particular way of expressing an idea. The ideas themselves are not protected. Anyone else can also (independently) come up with the same style of expression or use the idea in a different style/ form. Certain works can't be copyrighted, such as "Twinkle Twinkle Little Star." Such works are considered to be in the public domain. However, copyright law allows copying for purposes such as education, criticism, comment, news reporting, etc. But this can be exploited. See, for example, the copyright notice at the end of this Matrix Reloaded transcript. In my opinion, the "fair use" clause is a loophole in copyright protection which is a necessity as well. Comments?

The first step towards getting a copyright is to mark your work with a copyright notice (each copy must be marked with ©, the word Copyright, the year and the author's name). In order to settle disputes in court you should also register your work with the Copyright Office, but it's not a requirement. There is a good FAQ on copyright available here.

As opposed to copyright law (which was made to protect works of art in the first place), patents are intended to protect innovations/ scientific work. While a copyright can be held by two people who came up with the same expression independently, a patent is awarded to the person who came up with the invention first (regardless of who filed it first). The process of getting a patent is a bit more involved, as the Patent Office must check all the prior work in that field.

As you can see, a patent is the most damaging to competition. It gives you the right to exclude others from making or importing a similar invention. That tells you why hackers are against ePatents. A patent, however, is valid for a more limited time (usually 20 years or less). A rather funny quote about kernel optimization patents is attributed to Linus Torvalds:

Do not look up any patents on principle, because (a) it's a horrible waste of time and (b) I don't want to know. The fact is, technical people are better off not looking at patents. If you don't know what they cover and where they are, you won't be knowingly infringing on them. If somebody sues you, you change the algorithm or you just hire a hit-man to whack the stupid git.

A trade secret gives a company a competitive advantage over others. For example, a particular recipe is a trade secret because if it became known to a competitor, it would cause severe loss to the business. Keeping the secret is the responsibility of the owner. Almost all employment contracts in software houses require a non-disclosure agreement just for that purpose.

A trade secret lets you sue a competitor who uses some unlawful method to obtain the secret. However, reverse engineering is not prohibited by trade secret law, and software can be reverse engineered. It also doesn't cover copying.

Despite these shortcomings, it is very suitable to declare an algorithm a trade secret. An algorithm is an idea; software is an expression of that idea. You can protect software by copyright law, but not the algorithm. A trademark or a service mark is just a symbol such as a logo.

A much more detailed treatment of the terms is available at Wikipedia.



Look very closely at the Microsoft logo when your Windows machine boots up. Does it have an R or a TM at the top right?

Sunday, December 26, 2004

A Quick Introduction to XACML

The eXtensible Access Control Markup Language (XACML) is a standard for defining Access Control Lists (ACLs) and the corresponding requests/ responses. An ACL is a concept that comes under the umbrella of authorization: it defines who can access which resource under what conditions. The basis of the decision lies in the security policy of an organization. The most common example of an ACL is a file system such as NTFS, where you can specify separate access rights for a folder/ file against every user/ group.

Traditionally, applications define their own mechanisms for handling requests and responses. The most common practice is to invoke an authorization request as a function call which in turn checks a database (which has tables like user, role and user_roles, with the actions allowed to a role hard-coded in the application logic).

XACML, like many other standards, might be an overkill for small applications but for enterprise level applications it provides a single way of handling things. Thus, several distinctly developed applications/ components could interact seamlessly with each other.

[If you are a casual surfer who reached here, I think that's all you need to know about XACML. If you are still interested, read on.]

Three important types of XML documents exist in XACML: Policy, Request and Response. A policy is stored in a policy repository (which can be a database). Requests and Responses are dynamic XML documents created when somebody tries to access a protected resource.

The two most important components of XACML are the Policy Enforcement Point (PEP) and the Policy Decision Point (PDP). A PEP is a component that is capable of protecting the resource or allowing access to it, depending on what the policy says. A hypothetical XACML-powered file system is a good example of a PEP, as it is responsible for serving the contents of a folder or a file. Another good example is a hypothetical XACML-powered web server. A PEP, however, can't take the decision itself.

A PDP, on the other hand, is the component responsible for evaluating the request, checking the appropriate policy and giving a verdict in terms of yes or no (or not applicable).


[Figure: XACML illustrated (caption: XACML Components @ Work)]


As you can see, a user interacts with a PEP to access a resource. The communication between the user and the PEP is unchanged in the XACML world (it can be an HTTP request in the case of a web server, for example). The PEP forms an XACML request (by taking the user's credentials out of the request) and sends it to a PDP. The message from PEP to PDP follows the XACML Request schema. The PDP in turn picks out the appropriate policy by consulting the policy repository. The policy itself follows the XACML Policy schema. The PDP evaluates the request with respect to the policy and forms an XACML response for the PEP. The message from PDP to PEP follows the XACML Response schema.
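To make the PEP/PDP round trip above concrete, here is an added example (my own code, not from the post nor from the Sun or Lagash projects) of a tiny PDP plus a PEP front end written against a cut-down XACML dialect. The element names (Policy, Target, Rule, SubjectMatch, Request, Response, Decision ...) follow XACML 1.0, but this is an assumption-heavy simplification: namespaces, datatypes and the long urn: identifiers are dropped, MatchId is just "string-equal", attribute ids are short labels, and only the "first-applicable" and "deny-overrides" rule-combining algorithms are implemented. The policy and the request values are constructed samples.

```python
"""Round trip between a PEP and a PDP over a cut-down XACML dialect.

Added example, not from the post.  Element names follow XACML 1.0, but
namespaces, datatypes and urn: identifiers are dropped (assumption).
"""
import xml.etree.ElementTree as ET

# Constructed sample policy from a policy repository: managers may read one
# report; a final Target-less rule denies everything else (fail closed).
POLICY_XML = """<Policy PolicyId="q4-report" RuleCombiningAlgId="first-applicable">
  <Target>
    <Resources><Resource>
      <ResourceMatch MatchId="string-equal">
        <AttributeValue>/reports/q4.pdf</AttributeValue>
        <ResourceAttributeDesignator AttributeId="resource-id"/>
      </ResourceMatch>
    </Resource></Resources>
  </Target>
  <Rule RuleId="managers-read" Effect="Permit">
    <Target>
      <Subjects><Subject>
        <SubjectMatch MatchId="string-equal">
          <AttributeValue>manager</AttributeValue>
          <SubjectAttributeDesignator AttributeId="role"/>
        </SubjectMatch>
      </Subject></Subjects>
      <Actions><Action>
        <ActionMatch MatchId="string-equal">
          <AttributeValue>read</AttributeValue>
          <ActionAttributeDesignator AttributeId="action-id"/>
        </ActionMatch>
      </Action></Actions>
    </Target>
  </Rule>
  <Rule RuleId="default-deny" Effect="Deny"/>
</Policy>"""

CATEGORIES = ("Subject", "Resource", "Action")


def request_attributes(request):
    """Collect {category: {AttributeId: [values]}} from a Request element."""
    attrs = {cat: {} for cat in CATEGORIES}
    for cat in CATEGORIES:
        for attr in request.findall("%s/Attribute" % cat):
            values = [v.text or "" for v in attr.findall("AttributeValue")]
            attrs[cat].setdefault(attr.get("AttributeId"), []).extend(values)
    return attrs


def match_holds(match, cat, attrs):
    """One <SubjectMatch>/<ResourceMatch>/<ActionMatch>; string-equal only."""
    if match.get("MatchId") != "string-equal":
        raise ValueError("unsupported MatchId %r" % match.get("MatchId"))
    wanted = match.find("AttributeValue").text or ""
    attr_id = match.find(cat + "AttributeDesignator").get("AttributeId")
    return wanted in attrs[cat].get(attr_id, [])


def target_matches(target, attrs):
    """A Target matches when every category it lists has at least one
    Subject/Resource/Action whose Match children all hold.  No Target, or
    an omitted category, matches any request."""
    if target is None:
        return True
    for cat in CATEGORIES:
        group = target.find(cat + "s")
        if group is None:
            continue
        if not any(all(match_holds(m, cat, attrs) for m in c.findall(cat + "Match"))
                   for c in group.findall(cat)):
            return False
    return True


def evaluate(policy_xml, request_xml):
    """PDP: decide 'Permit', 'Deny' or 'NotApplicable' for one Request."""
    policy = ET.fromstring(policy_xml)
    attrs = request_attributes(ET.fromstring(request_xml))
    if not target_matches(policy.find("Target"), attrs):
        return "NotApplicable"
    effects = [r.get("Effect") for r in policy.findall("Rule")
               if target_matches(r.find("Target"), attrs)]
    alg = policy.get("RuleCombiningAlgId")
    if alg == "first-applicable":
        return effects[0] if effects else "NotApplicable"
    if alg == "deny-overrides":
        return "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"
    raise ValueError("unsupported RuleCombiningAlgId %r" % alg)


def build_request(role, resource, action):
    """PEP side: lift the caller's attributes out of its own protocol (an
    HTTP request, say) into an XACML Request document."""
    req = ET.Element("Request")
    for cat, attr_id, value in (("Subject", "role", role),
                                ("Resource", "resource-id", resource),
                                ("Action", "action-id", action)):
        attr = ET.SubElement(ET.SubElement(req, cat), "Attribute", AttributeId=attr_id)
        ET.SubElement(attr, "AttributeValue").text = value
    return ET.tostring(req, encoding="unicode")


def pep_allows(role, resource, action, policy_xml=POLICY_XML):
    """PEP: build the Request, ask the PDP, enforce the Response.  Returns
    (allowed, response_xml); only an explicit Permit opens the resource,
    so Deny and NotApplicable both fail closed."""
    decision = evaluate(policy_xml, build_request(role, resource, action))
    response = "<Response><Result><Decision>%s</Decision></Result></Response>" % decision
    return decision == "Permit", response
```

The PEP never interprets the policy itself; it only turns a Permit into access and treats everything else, including NotApplicable, as a refusal. A request for a resource the policy does not cover therefore yields NotApplicable rather than Deny, which is why the enforcement point, not the decision point, is the place to fail closed.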

If you are going to use XACML, the chances are that you'll be writing a PEP or a PDP. There are open source implementations for both Java and .NET available on SourceForge, from Seth Proctor of Sun Microsystems and Diego Gonzalez of Lagash respectively. Quite interestingly, neither of these projects has any other contributors. The implementations provide the basic framework for extracting the appropriate fields from the request, matching them against the target policy, evaluating the policy, etc. The best way to learn more is to read some examples of policies and requests/responses. Finally, you can read the complete specs here.

Wednesday, December 22, 2004

"The Cathedral and The Bazaar" and Other Essays

As I got free from the second term, I rushed to the library to find something interesting to read. By chance, I found a copy of The Cathedral and The Bazaar by Eric S. Raymond. It had been on my reading list for quite some time. I had tried reading the papers via the web, but it's always very tiring and I had never managed to read past a few paragraphs.

The book is a collection of papers written by Eric Raymond about the Open Source Initiative, Hackerdom, the value of such software and the motivation behind the effort required to create huge free software. In fact, he has presented "a set of theories" about how and why things work in the open source world.

It's interesting but I won't categorize it as a must read. Reading from cover to cover will only be interesting for people who are doing some kind of research on OSS, such as this one.

I'd like to provide an abstract of the papers collectively published in this book:

A Brief History of Hackerdom is a very quick overview of the early days of computing - how people started writing software and enjoyed the beauty of it. It goes back to 1961!

The Cathedral and The Bazaar is perhaps the most interesting amongst the essays. It compares the classical way of building software (the cathedral) and the distributed open source methodology with very loose control over things (the bazaar). It tells you how classical theories about software fail in the open source world. If you have time only for one of the essays, read this one.

Homesteading the Noosphere builds a theory about the culture of hackers. It gives some hints as to why people write free software by drawing an analogy with homesteading (I still don't know what a noosphere is). Amongst other results, it indicates that the motivation behind spending time on free software is analogous to the motivation for status in a gift culture. Of course, such people should have already stopped worrying about the lowest levels of Maslow's pyramid of needs. The essay also answered a question that had bothered me for some time: "why don't people fork open source projects?"

The Magic Cauldron will be very interesting for people who want to know about the economic value of open source software. Eric Raymond also contemplates on when it is feasible to go open source.

Finally, The Revenge of the Hackers is how Mozilla came into being. Amongst all the OSS, I like Mozilla the most - though there are die-hard fans of Linux, Apache, MySQL, Open Office, Mono, and many others. But there is something magical about Mozilla. Eric says that Netscape folks later told him that their decision to go open source was inspired by his writings! In fact, the paper tells us that the author was also involved with MPL (Mozilla Public License) and the shift from the words "Free Software" to "Open Source."

However, I don't agree with some of the conclusions/ afterword. Mainly, I believe that he downgrades Windows 2000 a lot. Personally, I believe Windows is a great environment to build for. I also think that Windows 2000 and now XP have come a long way from the days of Windows NT and deserve at the least some respect from the hackers.

One of the weirdest things that Eric says at the end is his answer to the question, "How can I become a hacker?" Instead of indicating the complexity of software, he motivates the reader to start by learning HTML! HTML is really a good start for beginners, but one should clearly indicate that if the reader starts by learning HTML, perhaps only his/ her children would be able to hack real code.


All in all, Eric Raymond is a great writer. He chooses words very carefully and has a very sound ability to see things at a meta-level.



Whenever troubles come, the pain will cross all limits;
I will have no sorrow then, if you come into my dreams.

("Bikhra Hoon Main" by Jal)

Saturday, December 18, 2004

Bad Luck or Dumbness?

Salman Kasbati has posted a very enlightening entry on his blog, titled Luck vs. Details.

About 5 years ago, in the last year at FAST, I managed to put together a group of some of the best people from our batch:
  • Ali Safri (joined ITIM after graduation, now in PWC Logistics, Dubai)
  • Imran Saeed (TPS, Karachi)
  • Qasim Ijaz (joined TPS, then Kalsoft and has just now finished his MS from Pennsylvania State University, USA)
  • And yours truly (joined Cressoft, then Avanza Solutions and now in Chalmers University of Technology, Sweden)


The aim was to win the 11th All Pakistan AQ Khan Software Competition. Ideally it should have been a trackback post, but I think I should put the rest of the story on Salman's blog as comments.

Wednesday, December 15, 2004

"Snow is white" is true if and only if snow is white

Tarski was the first person who argued in this manner. Considering this from a purely software development point of view (and not as a logician or mathematician), it corresponds to the difference between the following two statements:

string s = "2+3 > 5";
bool b = 2+3 > 5;

As you can see, the two statements look alike but they are very different. The first one is just a sequence of symbols and the latter is actually a comparison. However, one can write an eval function:

bool b = eval (s);

This can be thought of as interpretation of the syntax into semantics.

Trivial as it might seem, many people forget the difference while designing systems and realize it only some time later during development. For example, many times I have heard people say, "we can store the names of the functions in a database table and call the appropriate function by searching for the name in the table." This really happens when people are naively designing a workflow engine kind of thing. How on earth are you going to relate the code with the string from the table? You need reflection!
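Both halves of this post, the eval of "2+3 > 5" and the workflow table full of function names, are the same move from syntax to semantics, so here is one added example (my own Python, not from the post) that does each of them deliberately. The first part gives the string a meaning by interpreting its parse tree instead of handing it to Python's built-in eval(), so that only the tiny grammar of integers, arithmetic and comparisons is ever executed; the second part resolves a stored name through an explicit registry rather than through unrestricted reflection, so a table row can only name a handler that was registered on purpose. The handler names, the workflow rows and the context dictionary are constructed samples.

```python
"""Syntax versus semantics, in the two forms the post describes.

Added example, not from the post.  Part 1 interprets "2+3 > 5" from its
parse tree; part 2 maps stored function names to code via a registry.
"""
import ast
import operator

# --- Part 1: from a sequence of symbols to a boolean --------------------

SOURCE = "2+3 > 5"        # the post's sample string: symbols, not a comparison

_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
_CMPOPS = {ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
           ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne}


def interpret(node):
    """Give meaning to one AST node.  Anything outside the tiny grammar
    (names, calls, attribute access ...) is rejected, never executed."""
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](interpret(node.left), interpret(node.right))
    if (isinstance(node, ast.Compare) and len(node.ops) == 1
            and type(node.ops[0]) in _CMPOPS):
        return _CMPOPS[type(node.ops[0])](interpret(node.left),
                                          interpret(node.comparators[0]))
    raise ValueError("no semantics for %s" % type(node).__name__)


def safe_eval(source):
    """The post's eval(s): parse the symbols, then interpret the tree.
    ast.parse only builds a tree, so nothing in `source` runs by itself."""
    return interpret(ast.parse(source, mode="eval").body)


# --- Part 2: function names stored in a table ---------------------------

def approve(ctx):
    ctx["state"] = "approved"
    return ctx


def notify(ctx):
    ctx["notified"] = True
    return ctx


# The registry is what turns a stored *name* back into code.  Resolving the
# name with getattr() on a module or a globals() lookup would instead let
# any table row reach any function that happens to exist in the process.
STEP_HANDLERS = {"approve": approve, "notify": notify}

# Constructed rows, as they might come back from a workflow_steps table.
WORKFLOW_ROWS = [
    {"step": 2, "handler": "notify"},
    {"step": 1, "handler": "approve"},
]


def run_workflow(rows, ctx):
    """Run the rows in step order, resolving each name via the registry."""
    for row in sorted(rows, key=lambda r: r["step"]):
        handler = STEP_HANDLERS.get(row["handler"])
        if handler is None:
            raise LookupError("no handler registered for %r" % row["handler"])
        ctx = handler(ctx)
    return ctx
```

safe_eval(SOURCE) returns False, the value the post's `bool b = 2+3 > 5` would hold, while a string such as "len('abc') > 2" raises ValueError because a call has no meaning in this grammar. In the workflow part, a row whose handler column names anything outside STEP_HANDLERS raises LookupError, which is the behaviour you want from a table that untrusted tooling or an operator can edit.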

I wanted to say a lot more, but while writing this and looking for appropriate links, I found this pdf. Too bad for me; nowadays it's hard to come up with stuff people have not already thought of. I was trying to relate the completeness property of logic to software.



I just finished my second term here. The exams went pretty well, Alhumdo Lillah. My push-up count has reached 3,597 in 30 days and I am lagging by 483 now! The exams are to be blamed.

Reading and writing, you pile up heaps, heaps of books all around you;
light all around, darkness within; a passing life cannot be trusted.
A single Alif is all you need.

(Bulleh Shah, Sung by Junoon)

Sunday, December 05, 2004

Status Update

I have been here in Sweden for more than three and a half months now. About a quarter of the total time has passed. Within a week the final exams for the second quarter will start.

I took two courses -- Computer Security and Mathematical Logic this term.

The first lecture of Mathematical Logic was quite exotic for me; almost as exotic as Discrete Mathematical Structures was in my undergraduate days. Now I can differentiate among Number Theory, Algebraic Structures and Logic. Jan Smith started the course with a discussion of the Foundations of Mathematics. Quite honestly, I couldn't understand even a single word of the lecture, which was very surprising for me as I believed I already knew Propositional and First-Order Predicate Logic, which constituted more than half of the course.

When I came home after the first lecture, I opened up Firefox and started looking for the Foundations of Mathematics. Really, to my surprise, whatever Jan Smith had said was available on Wikipedia as well. I have been studying it till now, have learned quite a few things and might continue my exploration of the foundations after the exams.

Computer Security, however, is a very dull course. It's an undergraduate level course and I fail to understand why it is a compulsory course for Dependable Computer Systems. There are two sequels to this course: Language Security and Network Security. I think both of them will be very interesting.

Meanwhile, I have once again started reading the Quran. This is the fourth time in the last two years. Last time I had reached up to para number 8. This time, I am noting down the ayaats that I don't understand and those that I could understand, to use them for reference sometime.

I should be free from exams after the 15th. I intend to visit Stockholm. I also want to learn the Swedish language. And I have prepared a reading list for the vacations. It's warm again. Yes, now I understand why Swedes call temperatures above freezing point "warm."

My push-up count has reached 2,815 in 21 days and I am lagging by 41 to maintain an average of 136. This has had a good effect on my arms and especially on my chest. But I must combine this with some other exercise, perhaps reach-ups.