SXSWi Panel Picks: ATLB Selections (so far)

South by Southwest Interactive is just around the corner, coming March 11-15, 2011, and now it's time for the selection process to begin. For those of you who aren't familiar with the process, check this out to get up to speed. Three groups vote on which panels will be part of the 2011 SXSWi: the public (30%), SXSWi staff (30%), and the advisory board (40%). There is a feeling here at ATLB that it's our duty to assist in crafting this year's event. I mean, it's for the public, so why shouldn't we have a loud voice? This blog goes out to several different groups with an interest in a variety of things, so in order to cover a broad range of issues, here are a few categories that seem relevant to our readers: Bootstrapping, Entrepreneurism and Monetization, Funding, Web Apps, and our personal favorite, Licensing, Fair Use and Copyright. Please check out these categories and see if a subject of interest pops up.

Additionally, there are a few individual panels this year that we'd like to suggest:

 

Apps vs. Mobile Web: Which to reach consumers?

Copyright Criminals

Download Illegally, It's the Right Thing to Do

Social Network Users' Bill of Rights: You Decide

Legal Frontiers In Social Networks, Blogs and Beyond

I.P. Fearlessly: Copyright, Contracts, and Clients

 

I'm sure there are many more that would do a great job of bringing value to next year's event, but these were the ones that caught our eye on the first go-around. It would be a good idea to get on Twitter and find some other good Austin tech sources to get a feel for other good panels.

Enjoy the weekend!

More Sophisticated Spyware Hits Utility Systems - "Stuxnet" Gone Wild

Cyber security experts are scrambling to assess the past effects and the future potential of recently detected malware that has targeted utility systems, primarily in the Middle East (beginning in Iran) and the United States. The Trojan has been dubbed “Stuxnet”, the name Microsoft and the antivirus vendors use for it.

On a very basic level, here is what Stuxnet does:
1. So far, it has targeted Siemens SIMATIC WinCC and Step 7 supervisory control (SCADA) software, which is used to run industrial control systems, including those of electric power plants;
2. It has been carried on USB sticks. The infection is triggered as soon as Windows Explorer displays the folder holding a malicious shortcut, so no click by the user is needed, and disabling the AutoRun function does not prevent it;
3. The Trojan then seeks out and copies information from the control system's project database, reportedly including plant design data;
4. To get its code running, Stuxnet exploits a flaw in the way Windows processes shortcut (.lnk) files (CVE-2010-2568).

Microsoft has issued a workaround that disables the icon handler for shortcut files: shortcuts still open their targets, but every shortcut is drawn with a plain generic icon instead of its own. This is a stopgap that removes the trigger, not a fix for the underlying flaw.
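The shortcut mechanism above is worth seeing at the byte level. The following Python script is an added example, not code from the original post or from any vendor mentioned on this page. It parses a Windows shell link (.lnk) file according to the public MS-SHLLINK layout (fixed 76-byte header, optional target ID list, optional LinkInfo block, then the string fields) and applies one triage heuristic: a shortcut whose target ID list enters the Control Panel namespace and then names a module outside the Windows directory is asking Explorer to load code from an untrusted location just to draw an icon. The two sample shortcuts are constructed inline; the file names, the drive letter and the simplified item layouts are assumptions, while the two CLSIDs are the real Windows values.

```python
"""Triage Windows shortcut (.lnk) files: parse the MS-SHLLINK layout and flag
shortcuts whose target walks through the Control Panel namespace to a module
outside the Windows directory. Added example; samples are constructed inline."""
import re
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
# Windows "Control Panel" shell folder CLSID; a Control Panel item in an ID list
# names the module Explorer loads in order to render the item's icon.
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le

HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_SECTIONS = (  # StringData blocks, in file order, with their LinkFlags bit
    ("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
    ("arguments", 0x20), ("icon_location", 0x40),
)
SYSTEM_PREFIXES = ("c:\\windows", "%systemroot%", "%windir%")  # assumption
PATH_RE = re.compile(r"(?:[A-Za-z]:\\|\\\\).*")


def parse_lnk(data):
    """Return header flags, raw ItemID blobs and the StringData fields of a .lnk."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos, items, fields = 0x4C, [], {}
    if flags & HAS_ID_LIST:
        size = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        end = pos + size
        while pos + 2 <= end:
            item_size = struct.unpack_from("<H", data, pos)[0]
            if item_size == 0:          # TerminalID closes the list
                break
            items.append(data[pos + 2:pos + item_size])
            pos += item_size
        pos = end
    if flags & HAS_LINK_INFO:           # LinkInfoSize is the block's first field
        pos += struct.unpack_from("<I", data, pos)[0]
    for key, bit in STRING_SECTIONS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += count * width
    return {"flags": flags, "id_list": items, **fields}


def embedded_strings(blob):
    """Printable UTF-16LE and ASCII runs inside an opaque ItemID."""
    out = [m.group().decode("utf-16-le") for m in re.finditer(rb"(?:[\x20-\x7e]\x00){4,}", blob)]
    out += [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{4,}", blob)]
    return out


def assess(parsed):
    """Heuristic: Control Panel namespace plus a module path outside %SystemRoot%."""
    reasons = []
    in_cpl = any(CONTROL_PANEL_CLSID in item for item in parsed["id_list"])
    if in_cpl:
        reasons.append("target ID list enters the Control Panel namespace")
    external = []
    for item in parsed["id_list"]:
        for s in embedded_strings(item):
            m = PATH_RE.search(s)
            if m and not m.group().lower().startswith(SYSTEM_PREFIXES):
                external.append(m.group())
    suspicious = False
    for p in external:
        if in_cpl or p.lower().endswith((".dll", ".cpl")):
            suspicious = True
            reasons.append("loads module outside the Windows directory: " + p)
    return {"suspicious": suspicious, "reasons": reasons}


def build_lnk(id_items=(), **strings):
    """Assemble a minimal Unicode .lnk (constructed test data, not a real writer)."""
    flags, body = IS_UNICODE, b""
    if id_items:
        flags |= HAS_ID_LIST
        idlist = b"".join(struct.pack("<H", len(i) + 2) + i for i in id_items) + b"\x00\x00"
        body += struct.pack("<H", len(idlist)) + idlist
    for key, bit in STRING_SECTIONS:
        if strings.get(key) is not None:
            flags |= bit
            body += struct.pack("<H", len(strings[key])) + strings[key].encode("utf-16-le")
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + bytes(0x4C - 24)
    return header + body


# Constructed samples. Real shell items carry more fields; only the parts the
# heuristic inspects are modelled here.
BENIGN_LNK = build_lnk(
    [b"\x32\x00\x00\x00" + "C:\\Program Files\\App\\app.exe".encode("utf-16-le")],
    relative_path=".\\app.exe",
    icon_location="%SystemRoot%\\system32\\shell32.dll",
)
MALICIOUS_LNK = build_lnk([
    b"\x1f\x50" + CONTROL_PANEL_CLSID,                       # Control Panel folder item
    b"\x00\x00" + "E:\\payload.tmp".encode("utf-16-le"),    # module on a removable drive
])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("malicious", MALICIOUS_LNK)):
        print(label, assess(parse_lnk(blob)))
```

Run it over every .lnk on a suspect USB stick (`parse_lnk(open(path, "rb").read())`) and review anything `assess` marks suspicious by hand; the heuristic is deliberately narrow, so a clean result is not a clean bill of health.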

So, if this only targets utility companies, unless you are a utility company or have one as a client, why should you care? Experts surmise that this was created to carry out industrial espionage but the same technique can be used for other targets. It could be used to target other trade secrets, personal financial information, medical records, etc.

We talked to a local security expert and there are reports that Stuxnet or variants are “in the wild” and could be delivered by a manner other than USB sticks via networks and remote web servers.

McAfee alleges that it has a defense against Stuxnet as does Symantec. As we noted in earlier posts (see here and here), these are examples of blacklisting. CoreTrace has demonstrated effectiveness against the intruder by using the whitelisting capabilities of its product Bouncer. See the YouTube video here:  http://bit.ly/bFCEdc.

This attack seems much more targeted and much more sophisticated than most prior threats and may herald a new age of malware menace.

So, it’s a dangerous cyber world out there. Use protection.
 

Contract Provisions That Should Be Considered In A Cloud Computing Arrangement

This is actually Chapter 4 in a rambling dissertation on why the "Cloud" is what it is.

In previous posts (see here, here and here), we have chronicled the evolution of the “Cloud”, Software as a Service and various permutations thereof and labels therefor. So, now that we think we know how we got here, what do we do now? If you are considering the procurement of cloud services and if you have the negotiating clout to request changes to the vendor’s standard contract, you need to consider some additional things to request.

In addition to the general considerations such as price, term, etc., the following are additional considerations to be discussed with the vendor and possibly included in the governing agreement:
1. In most cases, the vendor owns or licenses the software and the customer owns the data. The customer should always have the right to access and move its data, even in an alleged default situation. This is particularly true if the customer is in a regulated industry.
2. What happens if the vendor goes out of business, declares bankruptcy or is acquired? What happens if the acquirer is one of your competitors? The customer should have an exit strategy and the agreement should be compatible with such strategy.
3. How much responsibility or liability will the vendor assume if the systems are unavailable or if your data is lost? What are the backup procedures, business continuity plans and disaster recovery arrangements? Most vendors’ heads would explode if you requested that they be responsible for the value of your lost data but what are the procedures to recover the data, to back it up and protect it and who pays for that?
4. What kind of investment will the vendor make in software upgrades, enhancements and development? A company for which I once worked pledged 5% of its outsourcing revenue to software development and maintenance. Most companies won’t commit to a specified amount or percentage but a purchaser should review their plans and should have some input, through user groups or otherwise, into the direction of software development.
5. What will you use to determine if the software is functioning in the manner that you expected? What are the warranties surrounding such? Most software providers will warrant that the software will perform in accordance with its documentation but you should request that the basics of any functionality found in sales proposals, demos, RFPs or other material used to sell you on the software be part of the warranty.
6. A purchaser should consider whether the vendor routinely conducts a SAS 70 audit and makes the results available.
7. Since the purchaser has less control over the software used in a SaaS situation than in any on-site situation, a reputable vendor should be willing to provide an intellectual property indemnification that will pay for a legal defense (usually the biggest exposure for a user) and should provide an alternative if use of the subject system is enjoined or interrupted in any manner.
8. The escrow of source code, executables and other information necessary to carry on the processing if the vendor goes out of business or becomes unavailable should be considered. In most cases, this makes the user feel better but because of the long lead times involved, may be of marginal benefit.
9. Performance metrics, also called service level agreements (SLA) should be negotiated. Matters that are important to the user should be identified and reflected in the SLAs.
10. The foregoing are fairly standard components of most outsourcing contracts (which the delivery of cloud based software is, even if it is referred to as a software agreement). Perhaps the biggest divergence of Cloud based solutions from standard outsourcing situations is the question of security, the location of the data and the compliance of the system with Gramm-Leach-Bliley, HIPAA, Sarbanes-Oxley and international data transfer restrictions. If the user is a financial institution or subject to HIPAA then the problem becomes particularly acute, and addressing those issues in a manner that lets regulated entities realize the benefit of Cloud computing is a difficult process.

Now that we've looked at the Cloud from both sides now, it may be the Cloud's illusions we recall and that we really don't know the Cloud at all.  Or it may be just that we are out of cheesy cloud references.

 

 

Virus Protection Using Whitelisting

Last week, we posted an article about some of the ways of protecting a computer or computer network from malicious code.  We discussed primarily methods called "blacklisting" (the more widely used approach) and "whitelisting" (an approach receiving increased attention in recent days).

There is an Austin based company called CoreTrace that features the whitelisting approach.  When we asked, they were kind enough to provide us access to one of their subject matter experts. 

We discussed various aspects of this issue with Greg Valentine, CoreTrace's Director of Technical Sales and Services.  

Pertinent portions of that conversation follow:

ATLB:  CoreTrace’s products are designed to protect computers and networks from viruses, spyware, malware and other harmful stuff. How does it do it and how does that compare to the conventional anti-virus software we regularly see?

Greg:  CoreTrace has a product called “Bouncer”. Bouncer works at the operating system level and allows only the programs or executable code that have been whitelisted by the system administrator through Bouncer to run on that computer. Typical antivirus software works by maintaining a huge database library of virus signatures (which you have to keep up to date) and it attempts to eliminate them by searching a computer’s hard drives, comparing the code it finds on the hard drives to the virus library and then, if it finds a match, eliminating the virus code. There are a few challenges with this type of defense.
1. This is reactive in nature – By definition, a signature does not exist until someone gets infected.
2. Because it is reactive, antivirus is vulnerable to a ‘zero-day’ attack. This simply means that a ‘bad guy’ can create a new piece of malware and as long as the antivirus companies are not aware of his new virus/worm then they will be blind to it.
3. In order to be protected by antivirus, you must deploy the updated signatures as quickly as possible. This can lead to inadequate testing before pushing out the ‘change’. If the antivirus vendor has made a mistake in their signature update then you could be causing more harm.
a. See McAfee’s recent ‘false positive’ signature update fiasco


ATLB:  You used the term “whitelisting”. What does that mean?

Greg:   At the time it is first installed, Bouncer takes an inventory of the executable programs on the hard drives of the computer and approves each of them to run. It puts them on a “whitelist”, i.e. stuff that is allowed to run. It is called whitelist because the antivirus providers say the stuff in their libraries is on the “blacklist”.

ATLB:  So, if a virus or other malware is present on the machine when Bouncer is first installed, then it will be allowed to run?

Greg:  That’s true, unless it is specifically found and eliminated later. That’s the reason that a good antivirus software should be run before Bouncer is installed or it should be installed in new machines before they are attached to the internet or anywhere else that they could become infected. Should you discover that one of your systems was infected prior to deploying Bouncer, you can rest a little easier at least in the knowledge that the infection will not be able to spread (to any other Bouncer protected computers).

ATLB:  Doesn’t having to authorize every piece of code to run on a system require an inordinately large amount of administrator time?

Greg:  The program takes an inventory of all the programs running on the machine at the time of the installation and thereafter the administrator does not have to be involved. The administrator can ‘pre’-authorize all software from a specific company or with a specific signature and software installed later from that company or with that signature will automatically be whitelisted and allowed to run.

ATLB:  How much of a computer's resources does the CoreTrace system use, and how does this compare to antivirus software?

Greg:  Our software requires a very small amount of hard disk space for our program. Since it merely prevents unauthorized programs from running, it doesn’t regularly use many computer resources. Antivirus software needs to run on a regular basis to see if any identified malware has been added since the last scan. You may have noticed that when your antivirus software is running its scan, which may last an hour or two, your computer is devoting significant resources to the scan and can have an effect on the capabilities of the computer. Bouncer only needs to check the program as it is launched. This check against the whitelist is extremely fast and does not impact the load time for any whitelisted applications.

ATLB:  How often is your software updated?

Greg:  Except for enhancements and upgrades to the program for operational purposes, our software does not need to be regularly updated. Since our method of operation is to keep anything but authorized programs from executing, we don’t have to continually seek out new viruses and add them to our database. Because of this method, we can never be behind when a new virus comes out, because regardless of the sophistication or newness of the virus signature, it can be deposited on the computer’s hard drive but because it is not authorized, it simply can’t harm the computer or its contents. Compare that to antivirus databases that are required to be updated constantly on a real time basis and must necessarily contain millions of virus signatures and sometimes can only catch a virus after it has infected a number of machines, if the virus doesn’t match their database.

ATLB:  Is there a version for single workstations or computers?

Greg:  Not yet. Right now, our program is only deployed on an enterprise basis.
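The approach Greg describes, reduced to its mechanism, as an added example in Python (not CoreTrace's code): snapshot the executables present in a directory at install time, keyed by SHA-256 rather than by file name, then decide each launch against that snapshot. The files, their names and the rule that .exe/.dll/.sys count as executable are constructed for the demonstration. It also shows the caveat from the interview: whatever is already on the machine at snapshot time, an existing infection included, becomes part of the whitelist.

```python
"""Hash-based application whitelisting: inventory what exists at install time,
then let only those binaries run. Added example with constructed files."""
import hashlib
import os
import tempfile

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")   # assumption: what counts as executable


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Install-time inventory: hash -> relative path of every executable under root.
    Anything already present, malware included, is trusted from here on."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                full = os.path.join(dirpath, name)
                baseline[sha256_of(full)] = os.path.relpath(full, root)
    return baseline


def decide(path, baseline):
    """Launch-time check. Keyed on content hash, so neither a new file nor an
    in-place replacement of a trusted file passes; a byte-identical copy does."""
    digest = sha256_of(path)
    if digest in baseline:
        return True, "matches baseline entry " + baseline[digest]
    return False, "hash " + digest[:12] + "... not in baseline"


def _write(root, name, content):
    path = os.path.join(root, name)
    with open(path, "wb") as f:
        f.write(content)
    return path


def demo():
    """Exercise the policy on constructed files; returns {scenario: allowed}."""
    with tempfile.TemporaryDirectory() as root:
        app = _write(root, "app.exe", b"MZ app v1")
        leftover = _write(root, "leftover.exe", b"MZ infected before install")
        baseline = build_baseline(root)
        verdict = {
            "app": decide(app, baseline)[0],
            "preexisting_malware": decide(leftover, baseline)[0],   # whitelisted too
        }
        dropper = _write(root, "update.exe", b"MZ dropped after install")
        verdict["new_binary"] = decide(dropper, baseline)[0]
        _write(root, "app.exe", b"MZ app trojaned in place")       # same path, new bytes
        verdict["trojaned_app"] = decide(app, baseline)[0]
        copy = _write(root, "renamed.exe", b"MZ app v1")            # same bytes, new path
        verdict["renamed_copy"] = decide(copy, baseline)[0]
        return verdict


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print("%-20s %s" % (scenario, "ALLOW" if allowed else "DENY"))
```

The "trojaned_app" and "renamed_copy" cases are the reason to key the list on content rather than on path: a whitelist of file names would pass the first and block the second, which is backwards.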
 

Microsoft sues SalesForce.com for Patent Infringement

 

Ina Fried, from CNET.com, reported this week that Microsoft filed a patent infringement case against SalesForce.com. SalesForce.com is, among other things, a customer relationship management (CRM) software company that provides its product through the cloud. Microsoft is no stranger to patent lawsuits. In fact, it was just ordered to pay $200 million to VirnetX in a patent infringement lawsuit regarding VPN technology. However, the peculiar thing about the lawsuit filed against SalesForce.com is that it was Microsoft doing the suing. Microsoft has only filed four suits against competitors. Most infringement issues involving Microsoft end up in some type of license agreement with the alleged infringer (see HTC), under which Microsoft receives damages and then licenses its technology to the competitor. However, there appears to be more uncertainty surrounding this case.

 

It is no secret that Microsoft is one of the more established players in the IT world. However, Microsoft, along with everyone else, has been losing ground to Google. Microsoft and Google are competitors in e-mail (Gmail/Hotmail), browsers (Chrome/IE), search engines (Bing/Google), electronic documents (Office/Google Docs), and soon in operating systems (Windows/Chrome OS). Microsoft is attempting to chase Google into the cloud computing realm, as evidenced by the direction Office 2010 and other products are trending. The lawsuit against Salesforce.com might be just another way to gain ground. One of the benefits of being in the game as long as Microsoft has is that it owns some of the foundational technology we all use today. Take a look at the subject matter referenced in these patents:

 

7,251,653: Method and system for mapping between logical data and physical data

5,742,768: System and method for providing and displaying a web page having an embedded menu

5,644,737: Method and system for stacking toolbars in a computer display

6,263,352: Automated web site creation using template driven generation of active server page applications

6,542,164: Timing and velocity control for displaying graphical information

6,281,879: Timing and velocity control for displaying graphical information (the '164 patent above appears to be a continuation of this one)

5,845,077: Method and system for identifying and obtaining computer software from a remote computer

5,941,947: System and method for controlling access to data entities in a computer network

 

All of these patent subjects are associated with aspects of cloud computing. This is no surprise, since Salesforce.com is run from the cloud, but it does raise the question of what Microsoft will do next. Will it pursue other companies it believes infringe on these broad patents? Is it trying to get enforcement out of its patents before the Supreme Court returns an opinion in In re Bilski? Is it just trying to get another license agreement?

Google's Chrome OS to Finally Launch on Acer Netbooks

Google's much anticipated operating system, Chrome OS, will finally be revealed at the Computex Taipei show early next month.  Reportedly, Acer will launch netbooks equipped with Chrome OS.  Via venturebeat.com:

It’s still unclear how Chrome OS-equipped netbooks will coexist with those running Google’s Android mobile operating system. We’ve known that Android netbooks would begin popping up this year since early 2009, and even Acer announced its intention to sell them.

This comes one day after Verizon CEO, Lowell McAdam, announced they were working with Google to create an Android-based tablet to rival Apple's iPad.

Update:  Acer has now denied the reports that they will be introducing netbooks running Chrome OS at Computex so we will have to wait a little longer to see the operating system in action.  In the meantime, here are some screenshots of what it might look like.

 

ASP, Software as a Service, Cloud Computing or Whatever the Kids Are Calling It These Days. Part III of a Trip Down Memory Lane

In a previous post, we chronicled the evolution of the provision of computing resources from the days of gigantic, room filling behemoths requiring chilling towers and close proximity to the users to the emerging concept of “cloud” computing where the computing resources are “somewhere out there” in the undefined, amorphous thing called the “cloud”.
In this post, we will discuss the evolution of the provision and use of software from floppy drive, hard drive based software to the cloud applications of today.
Once again, please forgive the trip down memory lane. At the advent of my legal career, the use of computers in anything other than a giant research lab was only a gleam in somebody’s eye. In my law office, documents were created on manual typewriters with carbon paper and onion skin. Lawyers dictated into a machine the size of a small refrigerator or to a stenographer who took it down in shorthand and transcribed it. It's true. 

Look it up on the interwebs. This is how it really happened. Electric typewriters with automatic correction capabilities (tamping a white, chalky substance into the indentation made by the incorrect character) were a big breakthrough. Then we stepped into the new age. We obtained two “magcard” word processors that truly were the size of refrigerators and made so much noise that they had to be housed in a separate room lined with insulating material. The “software” was hard wired and resident on the machines, and the documents were recorded on a magnetic card the size of the older data entry cards. These cards were read by the machine, which activated an electric typewriter that pounded out the document until a “stop code” was reached, whereupon an operator inserted the appropriate words in the blank. We were cutting edge.
At some point in my career, I was fortunate to obtain a job in-house with an outsourcing and software company, although I had neither experience nor knowledge of any such things. This company managed data centers (primarily for banks) and produced software (again primarily for banks) for giant, honking mainframes. Desktop computers were still the exception rather than the rule. In fact, my company had a “desktop czar” that had to approve all purchases for desktops (even in a “technology” company!). The software was generally written in COBOL and the computing resources were generally in the same room or building as the user and ordinarily owned by the company employing the users. The company I worked for changed that paradigm somewhat by entering into agreements whereby they purchased the computer equipment from the customer, hired the customer’s data processing personnel, operated the data center in place on the customer’s premises and installed my company’s proprietary software in the data center over the course of the contract term. My company also did some remote facilities management where they owned the data center off site from the customer and provided remote processing through dedicated lines. In all cases, the customer could touch, feel and taste the computing resources if desired.
Fast forward to the Internet age and then fast forward again to the age where massive amounts of computer resources are looking for users as opposed to the reverse. 

Continue Reading...

Cloud Computing - Part 2.0 - Evolution (or just intelligent design?)

 

The first part of this entry was published on March 11 here.  The saga continues. 

In the 1980s, for big data processing users, the cord ran from a workstation to a large mainframe or AS/400 computer, which was often in the same room or in close proximity. The cord was whole, undivided and dedicated. Nothing would interfere with the communication between the workstation and the processor unless the cord was cut or the commands from the station caused the processor to work harder. Most of the computing assets were owned and maintained by the users, and programming and maintenance staffs were huge.
The next step was removing the processor from the general vicinity of the workstation. The processor could be in the next building or the next county or state but was still connected by a dedicated cord (e.g. a dedicated T1 phone line or equivalent).
At some point in this process, it became advantageous for some users not to own the computing resources, and “outsourcing” or “facilities management” came into vogue. With these delivery models, a party other than the user owned and controlled some part of the computing environment. However, both parties together owned and/or controlled the entirety of the environment, with the exception of the lines leased from the phone company. Some companies even used satellite transmission of data, so the connecting “cord” traveled from the user to a satellite, down to the processing site and then in reverse.
Along with these changes, the processing environment became more diverse. Instead of connecting with one machine or one logical partition within the machine, data may be processed on numerous machines and stored on others and may be moved from one machine to another as needed by the processor and to optimize computing efficiency. At this point, the user could not directly identify the specific machine upon which its data resided or was processed, although the user generally knew the location of the data center or centers and could, if necessary, walk in the door and see and touch the machines where the data was processed and stored.
Cue the Internet.

Continue Reading...

Will Microsoft Survive the Cloud Revolution?

 

For over three decades, Microsoft has been arguably the most important and pervasive company in our day to day lives. But could the “Decade of Cloud Computing” end that reign? There is a very good article over at ZDnet.com examining that subject.  

"Under these conditions, how can we expect a company like Microsoft to welcome with open arms a Tsunami named Cloud Computing which will sweep away three quarters of its earnings and market valuation?" 

Microsoft is obviously too big to go away over night, but it will be interesting to see how it adapts to the changing industry over the next decade.

 

Cloud Computing: Game Changer or Next Buzz Word

“Cloud” computing has garnered a lot of attention lately. Not as much as the iPad, but sufficient buzz to warrant the examination of this phenomenon and to determine what impact, if any, it has on the legal landscape, i.e. is this sufficiently different to require new legal approaches and what aspects of agreements relating to cloud computing should be examined carefully with this delivery model?

Over the next few weeks in this blog, we will examine how we got to this point, how cloud computing differs from previous delivery models and how it is similar. We will look at the evolution of computing and the evolution of legal concepts to address such evolution and we will try to determine what changes in contract language and deal structure need to occur to address issues unique to cloud computing.

Continue Reading...