Am I evil, or is killing patents just plain fun?

The other day I re-discovered this post by Joel Spolsky on Hacker News, entitled “Victory Lap for Ask Patents.” I saw it when he originally posted it a while back, but it didn’t resonate with me at the time.

But re-reading it today, I realized how great an opportunity we, as software developers, have to force patent reform by actively contributing to this project. Ask Patents, if you haven’t heard of it, is a StackExchange site where you can ask questions about patents, or, as I do, respond to requests for prior art that invalidates an overly-broad patent. I focus on software patents.

I can hear what you’re thinking.

That sounds fucking boring

I know, right? But actually, I’ve found it to be quite a fun little puzzle to decrypt the legalese used by patent lawyers to try to get away with ridiculous patents. Here’s an example patent claim:

“A method comprising:

  1. generating, using a processor, time-based event boundaries detected in a plurality of images;
  2. computing inter-event durations;
  3. grouping events into clusters based on the inter-event durations; and
  4. validating, using a rule-based system, that each event belongs to an associated cluster based on event level content based features.”

Short version: a photo album that groups your photos by the time they were taken.

How hard do you think it was to find examples of prior art? (Hint: it wasn’t)

If you’re still wondering what I’m going on about, then perhaps a different motivator is called for. If you think this shit is boring and pedantic, how do you think someone at the USPTO feels when they have to read it day in and day out, and formally parse and research it to decide whether it should stand?

Let me put this another way – wouldn’t you rather those working for the USPTO were spending their time on legitimate patents? On getting a bunch of those “patent pending” labels off of everything we buy? On crippling the patent trolls, who raise the cost of doing business for anyone who gets successful enough to trespass on one of their dubious “works of genius”?

Well, you can help. Every minute you save the USPTO is another minute they can spend doing things that actually matter. I’m going to start doing it every day. I’ve already done 6 in the last hour. Time will tell whether my contributions actually do anything, but I suspect that, given how unglamorous the work is and how few people generally comment, even a little bit will be appreciated.

So how does this lead to patent reform? My hope is that the community can shred a lot of these useless patents before they take any brain cycles away from a qualified researcher. And if it happens enough, it will start to become clear to everyone involved that the vast majority of software patents are bullshit.

It might sound like a bad, or at least contradictory, idea coming from a programmer, but I genuinely hope (and have some reasons to believe) software patents go the way of the dodo in the next decade.

In fact, I would go so far as to wager the following. I will bet, on pain of writing an entire blog post dedicated to why patents are good, that no one reading this article can find a software patent granted in the last year that actually should exist. The requirements for a good patent are:

  1. Novelty
  2. Non-obviousness

Some software patents may technically be novel, but I’ve yet to find one that I thought was non-obvious. Maybe someone will be able to enlighten me.

Want to help some more? Take it to Twitter with the hashtag #patentreform!

Code red, the ship is on fire

Checking out Hacker News for a refreshing end to my work day, I was instead greeted with the worst of all tech-related bad news: Heartbleed, a vulnerability in popular versions of OpenSSL that lets attackers read up to 64 KB of memory from an affected client or server, anonymously (read: there’s no way to figure out how widely it has been exploited up to this point).

How bad is it? Tor had this to offer in its blog post on the subject:

If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle.

Let’s play a doomsday scenario out a little bit:

  1. Attacker compromises the private key to Ubuntu’s (or any other distro’s) package repository
  2. Attacker generates their own certificate and phishes someone with write access
  3. Attacker pushes out legitimate-looking vulnerable versions of all your favorite packages, signed with the proper private key
  4. Attacker can effectively attack any machine that installs that vulnerable package

Let’s try another:

  1. Attacker gets private key for the instant messaging account for a security guy at Google, or their IRC server (thankfully, a Google employee was the one who found it, so at least they were probably first to patch against it)
  2. Attacker listens to all their communications to wait for an opportunity
  3. Attacker initiates a phishing attack using real-sounding information, impersonating an employee
  4. Attacker gets access to Google’s hosted JavaScript libraries, inserts a small keylogger
  5. Every user on every website using Google to include jQuery or other popular libraries gets keylogged

Both of these scenarios require a phishing attack to happen at some point, but even that wouldn’t be necessary. The possibilities are endless. And it’s worse than a normal bug: normal bugs are patched with software updates, and then they’re no longer an issue. Not so with this one. Every key, every password, every everything has to be assumed to have been compromised, and replaced. As you can probably imagine, that will take time.

Why am I posting this? It might seem I’m just predicting doom and giving no solutions. My hope is that you will help me in convincing all the parties affected by this to:

  1. Upgrade their vulnerable versions of OpenSSL
  2. Change all private keys that might’ve been compromised
  3. Generate new SSL certificates where necessary

This isn’t an easy prospect, and many will be slow to do everything necessary to protect against this exploit unless they have motivation to do so. Every day they wait, they potentially put millions of peoples’ sensitive data at risk.

Take it to Twitter using the #OpenSSLBug hashtag! Time is of the essence, and broad awareness is crucial.


You might want to stay off the Internet for a few days, assuming you’re not one of the unlucky few who have to go and clean this mess up.

Updates

Here is a tool to find out if your favorite sites support the vulnerable heartbeat feature, and thus probably need to do damage control. To name a few: Google, Twitter, and Instagram, although others may have simply disabled the feature temporarily, which unfortunately isn’t a complete fix.

Want to find more sites that need to be patched? Google the following, and you’ll begin to see just how deep the rabbit hole goes.

[REMOVED]

OpenSSL is trending on Twitter right now. It looks like people are starting to take notice.

For anyone running a website of their own, here’s a thread on ServerFault describing how to check your OpenSSL version and find any processes that might still be running on the old version once you’ve updated. If you’re running Ubuntu, they still haven’t released the new version, so head over to the OpenSSL site to grab the new version to compile from source. Once you’ve upgraded, restart all the services that show up when you run

lsof -n | grep ssl | grep DEL

When you’re ready to generate new keys and get new certificates:

Can’t remember all the keys you might need to rotate? Take these for a spin:

sudo find / -name "*.key" -type f
sudo find / -name "*.pem" -type f
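To tie the clean-up steps above together, here is an added example script (mine, not from the original post or the ServerFault thread) with two helpers: one classifies an `openssl version` string against the upstream range Heartbleed affects (1.0.1 through 1.0.1f, plus the 1.0.2-beta1 release; fixed in 1.0.1g), and one parses `lsof -n` output to list processes still mapping a deleted libssl or libcrypto, which is the same check as the `lsof -n | grep ssl | grep DEL` one-liner but widened to libcrypto, since both libraries ship in the same package and get replaced together. The lsof lines are constructed sample data, and the script assumes the Linux lsof column layout (COMMAND PID USER FD TYPE ...). The version check is deliberately conservative: distributions backport fixes without bumping the version string, so a "vulnerable" answer means "check the package changelog", not "definitely exploitable".

```shell
#!/bin/sh
# Added example (not part of the original post). Helpers for the Heartbleed
# clean-up: version triage and "who still maps the old library" detection.

# Upstream releases affected by Heartbleed: 1.0.1 through 1.0.1f and
# 1.0.2-beta1; 1.0.1g is the fix. Caveat: distros backport the patch without
# changing the version string, so a hit here means "verify your package's
# changelog", not "definitely vulnerable".
is_vulnerable_openssl_version() {
    # $1 is the output of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f]*) return 0 ;;   # in the vulnerable 1.0.1 range
        1.0.2-beta1)       return 0 ;;   # vulnerable beta
        *)                 return 1 ;;   # outside the vulnerable range
    esac
}

# Reads `lsof -n` output on stdin and prints "COMMAND PID" (unique, sorted)
# for every process that still maps a deleted libssl/libcrypto, i.e. one that
# loaded the old library before the upgrade and needs a restart.
# Handles both ways Linux lsof reports deleted mappings: FD column "DEL",
# or a trailing "(deleted)" marker on the path.
stale_ssl_processes() {
    awk '($4 == "DEL" || /\(deleted\)/) && /lib(ssl|crypto)/ { print $1, $2 }' \
        | sort -u
}

# Constructed sample lsof output (assumed Linux column layout), not captured
# from a real host. nginx and python still map deleted libraries; sshd maps
# the current one; bash has nothing to do with SSL.
SAMPLE_LSOF=$(cat <<'EOF'
COMMAND    PID     USER  FD    TYPE DEVICE SIZE/OFF  NODE NAME
nginx     1234     root  DEL    REG  253,0           1311 /lib/x86_64-linux-gnu/libssl.so.1.0.0
nginx     1235 www-data  DEL    REG  253,0           1311 /lib/x86_64-linux-gnu/libssl.so.1.0.0
sshd      2001     root  mem    REG  253,0   431888  1400 /lib/x86_64-linux-gnu/libssl.so.1.0.0
python    3010      app  mem    REG  253,0  1928448  1501 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
bash      4000     root  cwd    DIR  253,0     4096     2 /root
EOF
)

# Demo on the constructed sample; on a real host run: lsof -n | stale_ssl_processes
echo "Processes still mapping a deleted libssl/libcrypto (sample data):"
printf '%s\n' "$SAMPLE_LSOF" | stale_ssl_processes

# Triage the local openssl binary if one is installed.
if v=$(openssl version 2>/dev/null); then
    if is_vulnerable_openssl_version "$v"; then
        echo "$v: in the vulnerable upstream range; verify the distro's backported patch level"
    else
        echo "$v: outside the vulnerable upstream range"
    fi
fi
```

Each "COMMAND PID" line from `stale_ssl_processes` is a service to restart (or a host to reboot if the list is long), and only after that restart does rotating keys and reissuing certificates make sense, because a process still holding the old library can keep leaking the new key.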

This might also be a good time to tweak your webserver to use only secure SSL ciphers.

Introducing: Slowpoke

In the spirit of April Fool’s, but also because I think it might actually make me more productive, I’ve made a Google Chrome extension to slow down Facebook’s timeline feature.

Long for the days of 56k? All this high-speed gigaboot Internets nonsense got you frazzled? Just install Slowpoke in Chrome by going to “chrome://extensions/” and dragging the .crx file onto the page. Instantly, your Facebook addiction will be both sated and abated.

You’re welcome.

(Get it here)

Sociability > Profitability

“A man’s true wealth is the good he does in the world.”

— Mohammad

When you think of free market economics, undeniably the most championed principle is deregulation. By removing the obstacles that prevent us from economic exchanges, we become wealthier. Letting individuals be in total control of their financial decisions is the path to prosperity, as the thinking goes. Getting the state out of the way increases the number of transactions that will take place.

Inspired particularly by a book called The Rainforest by Victor Hwang and Greg Horowitt, I want to argue that traditional “free” markets are great, but that they’re not the pinnacle of value-creation.

Read More

3 reasons to throw out the Fisa Improvements Act, without reading it

As some of you may know, Democratic Senator Dianne Feinstein from California has introduced a bill called the Fisa Improvements Act that she is portraying as a reasonable reform of mass government surveillance. I’ve been skeptical from the beginning, reading headlines like “Stop the NSA ‘Fake Fix’ Bill” from EFF and others. I’ve read through some of the bill, but here’s a list of reasons why this bill should be dumped that don’t even require reading it.

The author of the Patriot Act is sponsoring a more reasonable bill

To my surprise, one author of the USA Patriot Act, Jim Sensenbrenner, is proposing a competing bill with the support of Democratic Senator Patrick Leahy, called the USA Freedom Act (Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-Collection, and Online Monitoring Act). Here’s a summary of what the bill would bring about, including the elimination of the meta-data collection programs often mentioned in the revelations of Edward Snowden this summer, and a closing of the “backdoor” that allowed the NSA to search for data about Americans in collected data that was obtained with non-individualized warrants.

Silicon Valley is revolting in Feinstein’s backyard

Several California tech giants like Google, Facebook, Apple, and others have banded together to call for a reform to government surveillance initiatives to restore trust in the Internet. Crucially, they argue against the provisions in Feinstein’s bill that would continue to allow the meta-data collection programs, in favor of the USA Freedom Act mentioned above. If Feinstein is facing a revolt from the very California companies that she’s supposed to represent, there’s clearly something wrong.

Her donors list shows where her loyalties lie

According to Open Secrets, her biggest donors for the 2009-2014 election cycle include General Atomics, General Dynamics, BAE Systems, and Northrop Grumman, all of which are involved in defense contracting. I wouldn’t call it a stretch to say she’s pretty invested in the defense industry, which happens to be the same defense industry the NSA contracts all this mass surveillance work to.

For these reasons, I urge you to write to your Senators to oppose this bill.

So I want to learn web development. Now what?

You might want to grab a cup of coffee

My last article about the importance of getting started on your programming education is my most-read article on Medium so far. Like anything in my life, my writing is an experiment. When I see as many people getting excited about programming as I have because of this, it excites me too, and tells me I’ve hit a nerve.

I think there’s a little more to the story that I didn’t fully flesh out. So here, I want to set you on the path to writing your first line of code as quickly as possible. I don’t want to delude you: there is no getting over the fact that programming is an iterative process. I love this article, describing the process of programming through the allegory of cooking. The author describes the frustration of “just getting started” when there isn’t a clear picture of what “getting started” means. I can’t just yell at you to “GO FORTH AND CODE” without at least helping you understand what you need in order to do that.

Read More

Howdy

Welcome to my blog! I’ll be posting random musings about technology, privacy, entrepreneurship, politics, college, and everything else here. I’m always looking for interesting people with interesting ideas, so get in touch with me if you think you’d make a good fit as a contributor.