Microsoft Patents Sudo?!!

GrokLaw ^ | 11/11/2009 | PJ

[Swordmaker]

Microsoft Patents Sudo?!! - Updated 2Xs

Wednesday, November 11 2009 @ 10:36 AM EST

Lordy, lordy, lordy. They have no shame. It appears that Microsoft has just patented sudo, a personalized version of it.

Here it is, patent number7617530. Thanks, USPTO, for giving Microsoft, which is already a monopoly, a monopoly on something that's been in use since 1980 and wasn't invented by Microsoft. Here's Wikipedia's description of sudo, which you can meaningfully compare to Microsoft's description of its "invention".

This is why what the US Supreme Court does about software patents means so much. Hopefully they will address the topic in their decision on Bilski. Sudo is an integral part of the functioning of GNU/Linux systems, and you use it in Mac OSX also. Maybe the Supreme Court doesn't know that, and maybe the USPTO didn't realize it. But do you believe Microsoft knows it?

Perhaps Microsoft would like everyone in the world to pay them a toll at least, even if they don't want to use Microsoft's software? Like SCO, but with more muscle behind the request? Or maybe it might be used as a barrier to competition? What do you personally believe Microsoft wants patents on things like sudo for? To make sure innovative new companies can compete on an even playing field with Microsoft?

And how do you like the final wording of the patent?:

Although the invention has been described in language specific to structural features and/or methodological steps, it is to be understood that the invention defined in the appended claims is not necessarily limited to the specific features or steps described. Rather, the specific features and steps are disclosed as preferred forms of implementing the claimed invention.

Please don't ever again write to me that software patents are good for us because they include full disclosure, so others can build on the "invention".

And to the USPTO, whose representative just argued in oral argument in Bilski that software should be patentable and that software can make a regular computer a special use computer, and all that drivel, please put those thoughts together with this patent, and consider the market implications of giving anyone that kind of monopoly, and especially the implications of giving it to a monopoly named Microsoft. It's like giving a serial killer his very own machine gun, stronger than any gun his intended victims are allowed to purchase. You have to ask, what were you thinking?

Obviously, if they could figure that out, they'd never have issued this patent in the first place. The fact that they did, without realizing the implications, or the obviousness, or the prior art, tells us that the USPTO simply lacks the foundational technical information, or the awareness of technical history, to make wise patent decisions about software and patents.

The earliest sudo reference in the patent database Microsoft told the USPTO about is 1997, for patent 5655077, and in other references 1991, so for all the patent-loving dolts in the world, here is A Brief History of Sudo:

Sudo was first conceived and implemented by Bob Coggeshall and Cliff Spencer around 1980 at the Department of Computer Science at SUNY/Buffalo. It ran on a VAX-11/750 running 4.1BSD. An updated version, credited to Phil Betchel, Cliff Spencer, Gretchen Phillips, John LoVerso and Don Gworek, was posted to the net.sources Usenet newsgroup in December of 1985.

In the Summer of 1986, Garth Snyder released an enhanced version of sudo. For the next 5 years, sudo was fed and watered by a handful of folks at CU-Boulder, including Bob Coggeshall, Bob Manchek, and Trent Hein.

In 1991, Dave Hieb and Jeff Nieusma wrote a new version of sudo with an enhanced sudoers format under contract to a consulting firm called "The Root Group". This version was later released under the GNU public license.

In 1994, after maintaining sudo informally within CU-Boulder for some time, Todd Miller made a public release of "CU sudo" (version 1.3) with bug fixes and support for more operating systems. The "CU" was added to differentiate it from the "official" version from "The Root Group".

In 1995, a new parser for the sudoers file was contributed by Chris Jepeway. The new parser was a proper grammar (unlike the old one) and could work with both sudo and visudo (previously they had slightly different parsers).

In 1996, Todd, who had been maintaining sudo for several years in his spare time, moved distribution of sudo from a CU-Boulder ftp site to his domain, courtesan.com.

In 1999, the "CU" prefix was dropped from the name since there has been no formal release of sudo from "The Root Group" since 1991 (the original authors now work elsewhere). As of version 1.6, Sudo no longer contains any of the original "Root Group" code and is available under an ISC-style license.

In 2001, the sudo web site, ftp site and mailing lists were moved from courtesan.com to the sudo.ws domain (sudo.org was already taken).

In 2005, Todd rewrote the sudoers parser to better support the features that had been added in the past ten years. This new parser removes some limitations of the previous one, removes ordering constraints and adds support for including multiple sudoers files.

sudo, in its current form, is maintained by:

Todd Miller

Todd continues to enhance sudo and fix bugs.

I guess Microsoft forgot to mention that. They certainly must know.

And of course Microsoft and patent lovers will argue that this is a new and improved sudo, which has quirky new bells and whistles that no one else ever thought of before. From the patent:

The invention claimed is:

1. One or more computer-readable media having computer-readable instructions therein that, when executed by a computing device, cause the computing device to present a user interface in response to a task being prohibited based on a user's current account not having a right to permit the task, the user interface comprising: information indicating the task and an entity that attempted the task; a selectable help graphic wherein responsive to receiving selection of the selectable help graphic, the computer-readable instructions further cause the computing device to present the information; identifiers, each of the identifiers identifying other accounts having a right to permit the task, wherein the identifiers presented are based on criteria comprising: frequency of use; association with the user; and indication of sufficient but not unlimited rights; one of the identifiers identifies a higher-rights account having a right to permit the task, wherein the one of the identifiers comprises: a graphic identifying the higher-rights accounts associated with the user; and a name of the higher-rights account; an authenticator region capable of receiving, from the user, an authenticator usable to authenticate the higher-rights account having the right to permit the task, wherein: the authenticator comprises a password, and the authenticator region comprises a data-entry field configured to receive the password.

2. One or more computer-readable media having computer-readable instructions therein that, when executed by a computing device, cause the computing device to perform acts comprising: determining multiple accounts capable of permitting a task not permitted by an account of a current user wherein the determining is based on criteria comprising: frequency of use; association with the current user; and indication of sufficient but not unlimited rights; receiving indicators for the multiple accounts capable of permitting the task; presenting a graphical user interface, the graphical user interface having: multiple account regions, each account region identifying one of the multiple accounts capable of permitting the task; an authenticator region capable of receiving an authenticator for one of the multiple accounts capable of permitting the task; receiving, through the graphical user interface, the authenticator for one of the multiple accounts capable of permitting the task; and responsive to receiving the authenticator for one of the accounts capable of permitting the task, packaging, into a computer-readable package, the received authenticator and the account capable of permitting the task associated with the authenticator, the package effective to enable authentication of the account capable of permitting the task.

Etc. blah, blah. Dude. It's sudo. With a gui. Sudo for Dummies. That's what it is.

Software and patents need to get a divorce, before all the geeks in the world either stop coding in disgust or die laughing.

Also, because so many of the In Re Bilski amicus briefs in Bilski warned of financial devastation and decreased innovation if the US Supreme Court limits what is patentable, I wanted to highlight a research study that seems to demonstrate the opposite. Here's the summary of the paper, Patents and the Regress of Useful Arts, by Dr. Andrew W. Torrance & Dr. Bill Tomlinson, [10 Colum. Sci. & Tech. L. Rev. 130 (2009) (Published May 15, 2009)]:

Patent systems are often justified by an assumption that innovation will be spurred by the prospect of patent protection, leading to the accrual of greater societal benefits than would be possible under non-patent systems. However, little empirical evidence exists to support this assumption. One way to test the hypothesis that a patent system promotes innovation is to simulate the behavior of inventors and competitors experimentally under conditions approximating patent and non-patent systems. Employing a multi-user interactive simulation of patent and non-patent (commons and open source) systems (―PatentSim‖), this study compares rates of innovation, productivity, and societal utility. PatentSim uses an abstracted and cumulative model of the invention process, a database of potential innovations, an interactive interface that allows users to invent, patent, or open source these innovations, and a network over which users may interact with one another to license, assign, buy, infringe, and enforce patents. Data generated thus far using PatentSim suggest that a system combining patent and open source protection for inventions (that is, similar to modern patent systems) generates significantly lower rates of innovation ...

Sometimes what "everyone" knows to be so, actually is not so. I thought, since the US Supreme Court seemed to me to accept as "fact" that patents are beneficial, it would be useful to point out that there is a significant basis for doubt that patents increase innovation.

Finally, here's a video Patently O put on its site, which addresses that very question. As Patently O's Dennis Crouch describes it, in part:

The video prominently features BU law professor and economist Michael Meurer whose book Patent Failure (with Jim Bessen) uses economic analysis to make the case that patents (particularly software patents) are a net drag on innovation.

You can read three chapters (here's the chapter on Abstract Patents and Software) of Patent Failure - How Judges, Bureaucrats, and Lawyers Put Innovators at Risk here, and then order it and read it.

Please.

Update: Steve Martin notes that sudo goes back even further, to the 1970s and mainframes:

Oh, good grief! This concept goes back way past BSD, back to the mainframe days. (See, for example, the XDS Sigma 7 UTS Reference manual (1971), Appendix B, the listing for monitor error code 09, subcode 00: "The user privilege level was not high enough to allow issuing a direct device OPEN".)

Update 2: More prior art. I got an email from a member who tells me this:

PJ,

There was also a unix utiliity that elevated user rights that we used until the late 1990s with even the same name as Microsoft chose- called runas. I used it quite a bit on Sun Microsystems computers and eventually on Linux until sudo became a standard on Linux bundles. I'm thinking that it was created by a few graduates of Old Dominion University, but not as an official program of the university. However, I am finding a few references in google searches and on archive.org....

Original link

[AFreeBird]

List users who have permission to execute an action gives crackers a road-map to break into the system, which decreases security.

I was going to bring up that very same concern.

[dangerdoc]

bump

[Omedalus]

What the hell is "sudo"?

It's something you say to your girlfriend in order to get her to make you a sandwich.

http://xkcd.com/149/

[Eepsy]

[altair]

That's my take on it too, so specifically it is not a GUI-ized sudo, it is a GUI-ized su and that has been around since the dawn of Unix. The difference is that sudo allows access to root without root password (and hence access to every other valid userid) and su requires knowledge of the password of the userid you wish to become.

The typical method on Unix to limit access to a specific application is through the use of group ids. You place every userid who requires access in the group and then fix the application to have only allowed group permissions and no world permissions.

To the best of my knowledge, and I have a quarter century experience with Unix, no one has ever GUI-ized that mechanism.

I find it something of a security risk so I'm not surprised no one on our side has done it before. Microsoft reliably "invents" dubious methods of bypassing security that were rejected in the Unix community years before starting with ActiveX and auto executing things coming from offhost.

The need to restrict access on a specific host for specific applications outside of an enterprise environment is nil other than parental controls - no QuickTime or World of Warcraft after 10pm on a school night, for example.

Oh and for the record, the first Unix system I ever had at home in 1985 had default crontab entries to restrict access to /usr/games inside business hours.

[altair]

The idea behind sudo was to find a way to preserve system security and still allow users to perform useful tasks.

I have been commanded by my managers at work to obtain sudo access to hosts, so let me explain with a real world example.

I manage an application which runs in a data center that I neither have physical access to, nor have any business on most other servers there. The application is managed by an account that has login access disabled for security reasons.

I am required to have access to various system logs that no one other than the assigned system management team should have access to. Sudo is the perfect solution to the dilemma of allowing me (limited) system admin access while also allowing me to manage the application.

$ sudo su APP-NAME

Allows me to obtain access to an otherwise inaccessible login and allows me to run dmesg.

With tiny, non-networked and single-user computers, it doesn't make much sense to restrict access on host. That is the original Microsoft DOS situation. With networked computers everything changes and it becomes extremely desirable to have very limited access to the system by default. It only took a decade and a half, but it appears that Microsoft has finally learned that lesson that we in the Unix world knew a decade before they started networking.

As I wrote in another post, I don't see much use, if any, for this patent. As with all software patents it's only going to hinder someone who does have a good use for the idea. The idea is not new.

[altair]

Typically patents, like this one, try to capture some very detailed scenarios, not just basic scenario such as “sudo”. The claim 1 is long and includes many limitations that are presumed novel.

I have to agree. This isn't the first time Microsoft has been awarded a patent that people fly off the handle and yell "They're patenting sudo! They're patenting sudo!", when in fact, they are not.

[stripes1776]

I'm getting an attorney and going after awk.

I'm staking out grep. I'm convinced it's the future of computing.

[grey_whiskers]

WHISKEY TUCKING FANGO!!!

Cheers!

[grey_whiskers]

This is so they can claim whatever EPIC FAIL is lurking in Windows 7, it was a "feature" and not the latest in an infinite series of unspeakably poor design choices and bugs.

"Oh, you're not authorized, but here's a list of everyone who *is*. Would you like to learn how to impersonate *them* ?"

Cheers!

[grey_whiskers]

I'm getting an attorney and going after awk.

OK, but I get vi and Emacs! /sarc>

Cheers!

[coconutt2000]

What they did patent is something that sudo does not do, namely, when an attempt to access an application fails, it presents a list of people who ARE authorized to execute the action.

*chuckle*

Patent security issue there... That's like a potential bank robber which of the bank employees know how to open the safe.

[zeugma]

OK, but I get vi and Emacs! /sarc>

I'm sorry, but in this universe the two are mutually exclusive. If you had both, it would create a rift in space/time that would destroy the universe. I'll take vi, which I shall refer to as '6' so as to confuse the Powers That Be. You can have emacs, which I hear is really an operating system masquerading as an editor.

[grey_whiskers]

Fool! You shall be assimilated.

(Once I master the Ctrl-Alt-F6-Assim key combo, that is...)

Cheers!

[zeugma]

(Once I master the Ctrl-Alt-F6-Assim key combo, that is...)

Funny. 

I always figured I wasn't smart enough to know emacs. 6 just seemed so much more natural for me to learn, and I still only know about 10% of its capabilities. However, in bash, I prefer to use the emacs keybindings for command line manipulation rather than set -o vi.

One of the things I love about Unix is the sheer number of choices available to us. It lets you do really powerful things fairly easily that just aren't possible in the windows world.

For instance. Recently I had a need to scan a network to determine reverse DNS names of every host in a subnet.

for((i=0;$i<=256;i=$(($i+1))));do
host 192.168.1.$i  >> localnet.log
done

How would you do that in windows without finding a program written for such things, or writing your own?

Granted, the script that I eventually deployed was somewhat more complex than that, as it was more generalized to allow it to query specific DNS servers and whatever network you wanted to scan, but the actual work was done in 3 lines of shell code.

Lots of folks don't need that kind of power (or at least don't realize they do), but for those of us who do need it, I thank G-d we have options.

[ShadowAce]

[KoRn]

That’s insane!!

Are they going to patent /etc too? LOL

[Tribune7]

Microsoft has the time and expense to do pretty much most things.

It wasted enough on SCO.

[2 Kool 2 Be 4-Gotten]

Update: Steve Martin notes that sudo goes back even further, to the 1970s and mainframes:

Wow, in addition to being wild and crazy, that's one busy guy!

[2 Kool 2 Be 4-Gotten]

I'm sorry, but in this universe the two are mutually exclusive. If you had both, it would create a rift in space/time that would destroy the universe.

Hey - I just issued the emacs command "term", and then ran vi from within an emacs terminal session and as far as I can tell, the universe is still functioning!