Original URL: https://www.theregister.com/2006/10/29/microsoft_vista_eula_analysis/

Surprises inside Microsoft Vista's EULA

Not a thing of beauty

By Scott Granneman

Posted in Channel, 29th October 2006 23:32 GMT

Analysis: It's Autumn in St. Louis, my favorite time of year in Missouri. Coats are getting progressively thicker as the temperature drops, trees are changing their leaves in a final show of brilliant color before their skeletons show, and darkness is starting to scare away the sun a bit earlier every day.

Every Thursday night this Autumn you'll find me teaching the latest iteration of a wonderful course at Washington University in St. Louis titled "Technology in Our Changing Society". Once a week my students and I examine a different issue about the point at which technology and social change intersect, and our discussions are as fulfilling as they are knotty. I can't tell you how many times this semester I've heard someone say, "This is a really complicated issue, and I'm not sure yet what I think."

I respect and understand completely what they're saying. After all, when you're wrestling with issues around free speech, biotechnology, identity online, or virtual property, discussions tend to operate in shades of grey instead of black and white. Sometimes issues are a bit more cut and dried, and a student will utter a bon mot that perfectly encapsulates an issue.

A long time ago, a high school kid who wasn't that great of a student told the class, after a long discussion about governments and politics, "Well, here's what I've learned: socialism is fair but doesn't really work, while capitalism isn't fair but does work mostly." Not too bad for a 9th grader. More recently, I had the adults in "Technology in Our Changing Society" read both the Windows XP EULA and the GNU General Public License. When I asked them what they thought, one woman said, "The EULA sounds like it was written by a team of lawyers who want to tell me what I can't do, and the GPL sounds like it was written by a human being who wants me to know what I can do." Nice.

The next version of Windows is just around the corner, so the next time we discuss software licensing in my course, the EULA for Vista will be front and center. You can read the Microsoft Vista EULA yourself by going to the official Find License Terms for Software Licensed from Microsoft page and searching for Vista. I know many of you have never bothered to read the EULA - who really wants to, after all? - but take a few minutes and get yourself a copy and read it. I'll wait.

Back? It's bad, ain't it? Real bad. I mean, previous EULAs weren't anything great - either as reading material or in terms of rights granted to end users - but the Vista EULA is horrendous.

Benchmark censorship

Ed Foster has written - with his usual righteous eloquence - a piece on his Gripelog titled "A Vista of Licensed Censorship" that covers several new restrictions in the upcoming Vista EULA. Vista Home now contains this gem:

9. MICROSOFT .NET BENCHMARK TESTING. The software includes one or more components of the .NET Framework 3.0 (".NET Components"). You may conduct internal benchmark testing of those components. You may disclose the results of any benchmark test of those components, provided that you comply with the conditions set forth at http://go.microsoft/fwlink/?LinkID=66406.

Foster brings up good points about the inevitable problems that this clause will bring. Microsoft can - and undoubtedly will - change the terms on that web page at any time, thus complicating life for anyone wanting to disclose test results.

Worse, another requirement dictates that any benchmarks must "be performed using all performance tuning and best practice guidance set forth in the product documentation and/or on Microsoft's support Web sites," thus forcing testers to use settings that aren't found in the workaday world, potentially distorting results. Foster gives this example, one that should resonate among the readers of this column:

Just by way of example, what about a security researcher who a year or so from now wants to compare the buffer overflow vulnerabilities of the original version of Vista with the inevitable SP1?

Under Microsoft's rules, the researcher could not make public the results of the older version of the software. And if you think it highly unlikely Microsoft would actually object to the benchmarks in such circumstances, think again. In 2001 Microsoft came down on an independent lab that was about to go public with performance benchmarks comparing Windows NT and Windows 2000.

Beyond the fact that censorship is almost always a bad thing (I'll agree that it's permissible in a very few cases involving national security, but that's about it), software is of such critical importance to people's lives that I can see virtually no reason why any limitations on benchmarking and testing results should ever be allowed to stand.

No virtualization for you!

Right now, consumers and businesses can buy two versions of Windows XP for their desktops: Home and Professional. Let's review the choices they're going to face, including pricing, when Vista rears its head:

I understand that product differentiation among market segments is common and makes good sense. But this is ridiculous. Six different versions? Quick, which one is right for you: Home Premium or Business? Uhhhh...

If you're like many security professionals, you may not run Windows as your main OS, but you have to use it for testing purposes. In cases such as that, virtualization is the perfect answer. Fire up VMWare or Parallels, open up your image of Windows XP, and let 'er rip. In cases like that, the Home edition of XP was perfect: a lot cheaper than XP Pro, and still close enough that your testing was valid.

Things will be different with Vista. Buried deep in the back of the EULA, in the sections titled "MICROSOFT WINDOWS VISTA HOME BASIC" and "MICROSOFT WINDOWS VISTA HOME PREMIUM," are two identical clauses:

4. USE WITH VIRTUALIZATION TECHNOLOGIES. You may not use the software installed on the licensed device within a virtual (or otherwise emulated) hardware system.

So you can't create a virtual image using Home Basic ($199) or Home Premium ($239). However, the EULA does allow you to use Vista Business ($299) or Vista Ultimate ($399). Hmmm... I wonder why? It couldn't possibly be because those editions cost more, could it? Wanna bet? The fact that there aren't any technical restrictions in place to prevent users from loading Home editions into VMWare, only legal and support barriers, sure lends credence to that supposition.

It gets better, however. If you comply with Microsoft's licensing and use Ultimate within a virtualized environment, you still have to comply with section 6 of the "MICROSOFT WINDOWS VISTA ULTIMATE" appendix to the Vista EULA:

6. USE WITH VIRTUALIZATION TECHNOLOGIES. You may use the software installed on the licensed device within a virtual (or otherwise emulated) hardware system on the licensed device. If you do so, you may not play or access content or use applications protected by any Microsoft digital, information or enterprise rights management technology or other Microsoft rights management services or use BitLocker. We advise against playing or accessing content or using applications protected by other digital, information or enterprise rights management technology or other rights management services or using full volume disk drive encryption.

IANAL (I am not a lawyer), but it sure seems to me that this clause goes way beyond listening to DRM-protected Windows Audio files (and why anyone would even buy that garbage in the first place is beyond me). Section 6 also appears to block the opening and reading of documents "protected" with Microsoft's "Rights Management Services," which I covered a couple of years ago. Basically, this means that if you want to run a Windows version of Office inside Parallels or VMWare so you can create, read, and work on documents that have been DRM'd, you're out of luck. Want to test Windows and DRM (those two great tastes that taste great together)? You gotta buy a new PC!

Note: Another group that's going to suffer under these outrageous restrictions on virtualization? Web developers, who just want to test their work under IE. Gee, thanks, Microsoft!

Reinstallation blues

I saved the best for last. Most people never actually install Windows; instead, they just buy a new PC that has the OS pre-installed (of course, the fact that it's virtually impossible to buy a PC that doesn't have Windows already installed, so that Linux users end up paying the Windows tax, is a major problem, but that's an issue for another column).

But I'll bet that most of my readers are exactly the kinds of people that end up buying retail copies of Windows and installing them on many different machines - or virtual machines, as I discussed above. Windows Activation, introduced with Windows XP, ensures that you don't install the same copy of Windows on more than one machine at a time. That's fine - annoying, but fine. But clause 15 of the new Vista EULA - "REASSIGN TO ANOTHER DEVICE" - goes way beyond that.

a. Software Other than Windows Anytime Upgrade. The first user of the software may reassign the license to another device one time. If you reassign the license, that other device becomes the "licensed device."

b. Windows Anytime Upgrade Software. The first user of the software may reassign the license to another device one time, but only if the license terms of the software you upgraded from allows reassignment.

As I read this, you go to the store and buy a copy of Vista, which you install on a PC you had in your office. A year later, another PC becomes available that's a bit more up to date, so you decide to transfer your Vista license to that machine.

You're now finished with that Vista license. Done. Game over, man. Whether you shelled out $199 for Home Basic or broke the bank with the $399 Ultimate makes no difference. You've reassigned the license twice, and that's all that Microsoft allows.

If you listen to pro-Microsoft journo Paul Thurrott (whose protestations of fairness and openness are about as accurate as those I hear from FOX News), this has always been the case: "The Windows XP EULA appears to implicitly allow infinite transfers because it doesn't explicitly explain how many times one might transfer a single copy of XP. As it turns out, infinite transfers wasn't the intention." Ohhhhh! How silly of the thousands and thousands of people who read "You may move the Product to a different Workstation Computer. After the transfer, you must completely remove the Product from the former Workstation Computer," in the Windows XP Professional EULA and then actually took what it said at face value!

C'mon. How stupid does Thurrott - and Microsoft, who fed him this line of bull - think we are? They can attempt to rewrite history all they want, but that doesn't erase the truth: Microsoft is limiting, in a ruthless fashion, what security professionals and other users can do with the operating systems they buy. Ed Bott's "Get facts, not spin, about Vista's new license" exposes the lies and misperceptions coming from Redmond and its shills for what they are, and I urge you to read his piece. What's the result of Microsoft's actions? Less freedom and much higher costs to end users. And, I'll add, a further lowering of respect for Microsoft.

If you thought that the legal troubles the company faced in the late 90s would perhaps mellow it out, you were wrong. Far from it. The draconian limitations I've discussed could only be enacted by a monopoly unafraid of alienating its users, as it feels they have no other alternative. Microsoft may yet learn, however, that there are limits to what its users will bear.

To paraphrase what my fifth-grade teacher often told his rambunctious class, "Beware the wrath of a patient user base." Security pros have already given Microsoft a deserved black eye over the never-ending string of gaffes and vulnerabilities streaming out of the company. It seems now as though another black eye and a bloody nose may be coming, along with a final wave goodbye. There comes a point at which corporate hubris causes a fall, and we may be seeing the beginning of that collapse. If so, Microsoft will have no one but itself to blame.

Scott Granneman teaches at Washington University in St. Louis, consults for WebSanity, and writes for SecurityFocus and Linux Magazine. His latest book, Hacking Knoppix, is in stores now.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus