Friday, November 8, 2013

Interoperability


We integrate with X, and Y and Z.
-Any sales brochure.

A common requirement is for Product A to integrate with Product B. Unfortunately, this is often all that goes on the requirements matrix, and such a requirement is open to interpretation.

In short, beware of integration claims by vendors. Each integration requirement should offer specific functionality. Make sure you know exactly what that is. Which company maintains the integration between the two products? What versions of products are supported for the integration? How does the integration work? How long does it take to update the integration after one of the vendors updates their product? What happens if one of the systems goes down? These are just some of the questions that should be asked when dealing with interoperability.

To mitigate the risks associated with writing code to directly integrate products, another approach is to make the products work with a stable neutral ground. The additional complexity is made up for by increased flexibility down the road.

A basic example of this would be if Product A needed to send a file to Product B: It wouldn’t just send the file directly. There would be an output process in Product A to export it to a neutral ground (this could be something as simple as a secure share), and an input process on Product B to monitor the neutral ground and periodically pull all the files in. Depending on the products involved, this could be a very easy or a very difficult process. Naturally, an NTFS share is an oversimplified example.
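The export/import handoff described above, as an added example (not code from any product; the function names, the `.hmac` sidecar convention and the shared key are assumptions made for this example). Product A publishes each file atomically and then drops a keyed-hash sidecar as the "ready" marker; Product B's polling pass only picks up files whose marker verifies and quarantines anything altered on the share.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# Constructed demo key; in practice both products load it from a secret store.
SHARED_KEY = b"constructed-demo-key"


def publish(path: Path, data: bytes) -> None:
    """Write to a temp name in the same directory, then rename atomically."""
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".tmp-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, path)


def export_file(drop: Path, name: str, payload: bytes, key: bytes = SHARED_KEY) -> None:
    """Product A: drop the file, then its HMAC sidecar as the 'ready' marker."""
    drop.mkdir(parents=True, exist_ok=True)
    publish(drop / name, payload)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    publish(drop / (name + ".hmac"), tag.encode())


def import_ready_files(drop: Path, inbox: Path, quarantine: Path,
                       key: bytes = SHARED_KEY) -> dict:
    """Product B: one polling pass; verified files go to inbox, others to quarantine."""
    inbox.mkdir(parents=True, exist_ok=True)
    quarantine.mkdir(parents=True, exist_ok=True)
    result = {"imported": [], "quarantined": []}
    for marker in sorted(drop.glob("*.hmac")):
        data = marker.with_suffix("")  # "orders.csv.hmac" -> "orders.csv"
        if data.is_symlink() or not data.is_file():
            continue  # marker without a regular data file: leave for review
        expected = marker.read_bytes().strip()
        actual = hmac.new(key, data.read_bytes(), hashlib.sha256).hexdigest().encode()
        ok = hmac.compare_digest(expected, actual)
        os.replace(data, (inbox if ok else quarantine) / data.name)
        marker.unlink()
        result["imported" if ok else "quarantined"].append(data.name)
    return result
```

The atomic rename only holds when the drop, inbox and quarantine directories sit on the same filesystem; files that have no marker yet are left untouched until the exporter finishes them.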

One integration approach that I found to be cheap, fast and functional is to use a SOA-type design. For example, a web service can be created to pull or push data to an application. This service would then be called from the other product. There are even applications that let you design and expose these services graphically. This creates a middle tier that provides a common platform to tie in multiple applications. That middle tier would have ties to all applications that need to play together. The advantages of this approach are self-evident: ease of testing, reliability, fast implementation, less custom code and, most importantly, component reuse.

Thursday, July 25, 2013

Some Patent Troubles



America has always been known as the country of opportunities, the kind of opportunities that allow individuals to personally benefit from their skills, talents and hard work. The patent infrastructure allows individuals and companies to reap the rewards of their ingenuity and investment in research by allowing them a limited-time monopoly on the products of their work. Without patent infrastructure in place, there would be little incentive for additional research into new technologies and an individual would not be able to benefit from his or her labor, which is just plain old un-American. However, with an increase in market competitiveness, patents are becoming tools of destruction aimed at hurting productive companies and the technology sector instead of instruments of investor protection.
The current issue with patents is twofold: trivial patents and several Patent Assertion Entities (PAEs). Trivial patents are patents that are issued for technology that lacks ingenuity or is already implemented in a slightly different way. For example, IBM patent number 6,877,000 is for a “Tool for converting SQL queries into portable ODBC”. This practice was already used by almost every database that connects via an ODBC driver. Another example of a trivial patent is patent number 7,362,331, “Time-Based, Non-Constant Translation of User Interface Objects Between States”, which is essentially a row of items that re-arrange themselves when other items are added or removed. Additionally, trivial patents frequently just adapt existing technology to a different, and often broad, hardware category. For example, in 1987 IBM filed for patent number 4,648,067, “Footnote management for display and printing”, to patent something that has been standard in every word processor up to that point.
The second problem is PAEs. PAEs are companies that buy patents from companies to resell them or sue companies that may be using the patented technology. In all cases, PAEs are legal entities that are not using the patented technology to provide any services or goods, so the patent infringement does not directly impact their operations. There are several elements that make PAEs particularly dangerous to the industry.
First, they often sue a company using the patent through a shadow company, thereby limiting their own risk and media exposure. For example, in 1997 the USPTO granted patent number 5,629,867 to Robert Goldman for a “selection and retrieval of music from a digital database”, essentially a digital collection of music that something like a radio station can select music from. This patent was transferred to Haltek America in 2007 and then assigned to Mission Abstract Data. In 2011 Mission Abstract Data changed its name to Intellectual Ventures Audio Data, a prominent PAE, and a week later changed its name back to Mission Abstract Data, then two months later filed a patent infringement lawsuit against 116 companies.
The second reason that PAEs are dangerous is that they often don’t have the same risk as a direct competitor. For example, if Apple is suing Samsung for patent infringement, it is assumed that Samsung can retaliate over some patents that Apple may be infringing. If this occurred, it would actually cripple the suing company’s operations and diminish features of existing products. However, that is not a risk for PAEs because they do not actively use the technology that is patented. As such, they can sue other companies with minimal risk to their operations.
The final risk is the increased cost of litigation. PAEs frequently sue in a court jurisdiction that favors liberal eDiscovery procedures to increase the financial cost of litigation. In a typical litigation, the sued company would be required to produce all documents related to the patent or technology. This includes internal documents, e-mails, meeting notes and much more. Search and retrieval of this information can cost a large company millions of dollars. By comparison, a PAE is usually small in size and would easily be able to bear a similar eDiscovery request.
This risk-less environment created an opportunity for many companies to leverage PAEs to attack their competitors through privateering. In the previous example, this would equate to Apple assigning their patents to a PAE to sue their competition through the PAE. In this scenario, Apple is not directly involved in patent litigation; however, their competition has to bear significant litigation costs and possibly risk product features.
In a real-world example, there is a current litigation battle over patent number 6,170,073. The patent is owned by Nokia, but Nokia is not directly involved in the litigation; instead, Intellectual Ventures is litigating. Intellectual Ventures I and II added this suit against Motorola in Florida, although there is already pending patent litigation between them in Delaware. This is probably to cause the added expense of having lawyers work in different states on two separate cases.
In addition to the privateering and the purposeful driving up of litigation costs, the patent is trivial in nature. The technology described in the patent relates to transmission and rendering of URLs in e-mail messages. This essentially translates to sending a web page via an embedded URL in an e-mail, and the patent can easily be infringed by sending an e-mail that has an img tag to someone who can render the e-mail in HTML.
The number of similar cases has significantly increased during the last decade and now verges on the absurd, with bogus and general claims on patents that should never have been granted. It has reached the point that the United States Congress is looking into patent law and reform with backing from the White House. The Executive Office of the President (EOP) even published an official report, “PATENT ASSERTION AND U.S. INNOVATION”, in June 2013 that perfectly summarized the problem with the following bullet points:
· However, Patent Assertion Entities (PAEs, also known as “patent trolls”) do not play such roles. Instead they focus on aggressive litigation, using such tactics as: threatening to sue thousands of companies at once, without specific evidence of infringement against any of them; creating shell companies that make it difficult for defendants to know who is suing them; and asserting that their patents cover inventions not imagined at the time they were granted.
· Suits brought by PAEs have tripled in just the last two years, rising from 29 percent of all infringement suits to 62 percent of all infringement suits. Estimates suggest that PAEs may have threatened over 100,000 companies with patent infringement last year alone.
It’s hard to imagine that the system that was put in place to protect inventors and their labor has transformed itself into something that serves as a hindrance and a roadblock to the industry as a whole. It is my humble opinion that with the genius of today’s tech sector, a much better system can be collectively developed to create proper incentives for inventors as well as allow the industry to move forward without involving countless litigations. Re-working the patent legislation will serve as a true testament of today’s government’s commitment to future technology research, global prosperity and the U.S. economy. If Congress fails to act, more and more money that could have been spent on job creation, R&D and new product development will be wasted on frivolous litigation and awards to companies with no social output.

References

Bohannon, M. (2013, June 24). US government focuses on abusive patents. Retrieved from OpenSource.com: https://opensource.com/law/13/6/congress-patent-assertion-entities
Executive Office of the President. (2013, June). Patent Assertion and U.S. Innovation. Retrieved from White House: http://www.whitehouse.gov/sites/default/files/docs/patent_report.pdf
Klintz, J. A. (2005, May 8). About trivial software patents: the IsNot Case. Retrieved from http://citeseerx.ist.psu.edu: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.104.614&rep=rep1&type=pdf
Unknown. (2013, June 19). Intellectual Ventures Sues Motorola for Patent Infringement Again. Retrieved from Groklaw: http://www.groklaw.net/article.php?story=20130619184238925
Wyatt, E. (2013, July 16). Inventive, at Least in Court - NYTimes.com. Retrieved from New York Times: http://www.nytimes.com/2013/07/17/business/ftc-turns-a-lens-on-abusers-of-the-patent-system.html?pagewanted=1&_r=2&adxnnlx=1374240136-aDCirskWen7E7FVIWKdt3Q

Monday, June 10, 2013

Proposed Occupy Wall Street (OWS) Information Security Plan



Hippie Top Secret

Abstract

Information security is vital to accomplishing Occupy Wall Street’s (OWS) mission to facilitate a change in the current social, economic and political landscape. This document provides a high-level outline of the specific security practices needed to ensure proper security controls are implemented to safeguard organizational information assets.



Introduction

The following policy provides a high-level overview of the organization’s security policy. Implementation of these controls will minimize the risks and impacts of security incidents and will ensure that the organization’s and members’ information is properly protected.

Access Control
Managing access to information and proper authentication and authorization of individuals is critical. Each member will be issued an identification card that will contain a picture and a small chip with an SSL certificate. The cards will require a 16-digit PIN to be activated. These cards will be required to access any information resource such as social media, intranet, OWS computers and other information systems.

Telecommunications and Network Security
Due to physically disparate network architectures, all members will be required to use a Tor network client and then VPN into the corporate network. Juniper endpoint manager will be used to scan the connecting computer prior to connection and its settings will be configured for maximum security, ensuring that no one’s computer is ever able to connect. This will provide additional cost savings by eliminating the need to purchase any additional VPN equipment.

Information Security Governance and Risk Management
A dedicated department of the most paranoid hippies will be established to develop the organizational risk management strategy. All hypotheses, theories, news, delusions, concerns and fears will be taken as fact, no matter how unrealistic or unfounded. A risk management plan will be maintained to manage all of these concerns.

In addition, HR policies will incorporate mandatory background checks for all new personnel and members. Unless the applicant has at least one felony and two misdemeanors, they will be automatically disqualified from employment.

Strict policies will be put in place to ensure cooperation of members. All personnel and work-related communications will be intercepted, through a mandatory internal software security package, and peer reviewed for signs of treachery. Access to employees’ social media accounts will also be required upon employment.

Software Development Security
Only open source and foreign software will be used on corporate resources. Several linguists may be necessary to translate the software for day-to-day business users. However, that is the only way to ensure that no government back doors are incorporated into the software.

Cryptography
All data at rest will be encrypted with AES symmetric encryption. All servers and mobile computers will require full disk encryption; given how it works, someone will need to be present to physically reboot the servers every time. All data in transit will require 2048-bit encryption to ensure maximum security.


Security Architecture and Design
To facilitate overall secure architecture, all logs will be set to maximum logging and someone will go through them every day. To ensure nothing is missed, script parsing or aggregation will not be allowed.

Operations Security
All information systems will be patched daily, and only during core hours of 8 am to 5 pm. No maintenance outside of this time window will be performed. Back-ups will also run during this time window to ensure the most up-to-date backup. In addition, all systems will be configured to run full daily antivirus scans, preferably starting at 9 am.

Business Continuity and Disaster Recovery Planning
A disaster recovery and business continuity plan will be established. The business continuity plan will identify critical organizational functions and ensure adequate controls are in place for availability in case of a disaster. The business continuity plan will specifically focus on continuation of complaining and protesting after being evicted from public locations.

Legal, Regulations, Investigations and Compliance
All legal compliance will be taken very seriously! All member medical records will be immediately printed and stored in a huge safe; all digital copies will be deleted immediately after printing.

Physical (Environmental) Security
All facilities will be secured with a security checkpoint that will encompass armed guards, bomb sniffing dogs and polygraph detectors. Each person entering or exiting the facility will be required to present their issued ID card, two other forms of picture ID and a biometric hair sample. In addition, they will be subjected to a search and a mandatory polygraph test.

In addition, the security checkpoint should always be understaffed, ensuring that a minimum number of persons pass each day. This will provide cost savings in procured office space.