EULAs, RFID tagging and other Halloween horrors
It is a scary, scary world out there
Letters It is Halloween, so we thought we'd get as scary as we could and head straight for Microsoft's Vista EULA. Security Focus' Scott Granneman took a look inside the new EULA and gave himself quite a fright. We hear the shock turned his hair white (no, not really).
The key issue here for us from a development/QA perspective is that we are entirely dependent on virtual machines for testing. So much so that one wonders how we ever managed without it (the obvious answer being 'slowly' and 'with less coverage').
But we'll still have to test ALL of these versions, whether we're legally allowed to run them in VMware or not. So either the cheapo versions don't get tested, or we have to source whole new machines JUST to sit there with copies of Vista on them. The prospect of having to dig Ghost out of the cupboard just to be able to revert a testbed to a snapshot is a painful one. It's an unreasonable ask from MS when we're testing our stuff for THEIR operating system.
Having said that, I'm not sure what the Action Pack will allow us, it may be we'll be less restricted than retail licence holders. But not all developers choose to use or can afford MSDN licences.
At the moment, there's nothing but the EULA to stop them using Vista versions however they like, but given MS' penchant for retrofitting piss-poor functionality restrictions, and rights-holders' penchant for suing the arse off their customers these days, who'd want to gamble their business on that?
It never ceases to amaze me how Microsoft continually gets away with its hubris when there is the excellent Linux as a valid, valiant alternative to Redmond shenanigans. I still use Windows 98 and hell will freeze over before I install XP, let alone Vista. Sooner or later Microsoft is going to overreach itself, and maybe Vista will be the final straw.
I think you misread the virtualization clause. It says that if the software is installed on the device, you can't run another copy of the software in a virtualized environment. It doesn't say that if you run Parallels you can't run/install the licensed software. It just says you can't use it a second time in a virtualized environment.
The license still sucks.
The license transfer provisions in the Vista EULA make my 'grandfather's axe' style of machine usage rather expensive, I'd have thought. I installed Windows XP on a somewhat arbitrary mix of home brew computer parts some years ago now. I tend to do my upgrades piecemeal.
That hardware box has a different motherboard, CPU, RAM, hard drives, video card and other stray peripheral devices. The case is the same, with a shiny license code affixed, but that too could well change at some point.
With the EULA provisions contained in Vista, at what point does Microsoft consider the license to have been "transferred" to another machine?
Never mind virtualization, and security pros - what about gamers, and other frequent upgraders?
When does a 'device' stop being the old device, and start being a new one?
I like section 5 (validation) point d. "You may only obtain updates or upgrades for the software from Microsoft or authorized sources."
So if some group (that hasn't given MS money for authorization) releases security fixes before Microsoft and you wish to use them (cf http://www.theregister.co.uk/2006/10/03/zero-day_ie_fix_encore/ ), not only is this disrecommended, not only would it void your warranty (in as much as a Microsoft warranty is worth anything), but in fact voids your licence to use the software in the first place.
That's not anti-competitive at all I'm sure, cough, cough.
The licence transfer thing used to have another gotcha in it and I bet it still does. If your company changes hands then (as you can't sell the licences on) you need to go and rebuy them again. No-one seems aware of this but if FAST pay you a visit you will find out very expensively.
Microsoft has reached the point where it is difficult to grow market share appreciably - instead, they need to grow revenue per customer and I suspect we'll see increasingly restrictive EULAs as part of their effort to do that. On the other hand, it's common knowledge that consumers don't read these things - it's unlikely anyone could understand them without a law degree. If push comes to shove it will be interesting to see if courts will uphold the EULA or if common law expectations of merchantability and fitness for intended use will prevail.
Thanks for shining a spotlight on the issue and raising public awareness.
> How stupid does *** Microsoft, who fed him this line of bull - think we are?

Very stupid. Very, very stupid. After all, mankind are more disposed to suffer....
About the virtualization, where's the problem? Virtualization is for pros and business use.
It's for testing, development etc. In that environment people don't tend to use home software (yeah, I know, many do but they're bonkers). So I don't see what the problem really is with this kind of restriction.
But it's nice to see that you're not biased in this article, really...
Mr. Granneman wrote: "And, I'll add, a further lowering of respect for Microsoft."
C'mon, further lowering, is this even possible?
"the fact that it's virtually impossible to buy a PC that doesn't have Windows already installed"
This is not a fact. It is myth and FUD and anti-Microsoft religious raving.
My local computer shop (World of Computers, Milton, Cambridge) will sell you a computer with or without an operating system of your choice, and will even install an operating system you give them when they build your machine. I know that Cambridge is different and special, but it can't be *that* different and special - this must be possible in other places as well ... and if it isn't you can always buy mail order from WoC.
That's not "virtually impossible", a better description would be "standard service from a main supplier to a city of 100,000 people".
We can confirm that both Oxford and Cambridge are *that* different and special.
Great article; here's some free marketing advice for Microsoft: release Vista before Thanksgiving so it can be served as the main course--that's about the only use I can see for this underwhelming makeover of XP.
Monopolies are bad. For us, yes. But also for Microsoft.
The smallpox virus of real choice is spreading across the newly-discovered continent of computing diversity and Microsoft is looking like a native who never got exposed to the virus when young.
Can we expect them to get away with just a few nasty scars, or are they going to die a painful slow death? I don't know, but I do think we should give them an infected blanket.
And on that unsanitary note, we'll ask you to click on the button below, and turn to page two...