Surprises Inside Microsoft Vista's EULA
Scott Granneman, 2006-10-27

Scott Granneman takes a look at some big surprises in Microsoft's Vista EULA that limit what security professionals and others can do with the forthcoming operating system.

(Nov 6, 2006) Editor's note: following publication of this article on Oct 27, Microsoft removed the Vista EULA from their website, modified the terms to address the transfer of licenses, and then recently made the document available again. Thanks to our readers for discovering this and posting comments about the change, and also thanks to Slashdot, Digg, BoingBoing and others for making this issue more visible. Note that the OEM versions of Windows Vista still forbid license transfers.

It's Autumn in St. Louis, my favorite time of year in Missouri. Coats are getting progressively thicker as the temperature drops, trees are changing their leaves in a final show of brilliant color before their skeletons show, and darkness is starting to scare away the sun a bit earlier every day. Every Thursday night this Autumn you'll find me teaching the latest iteration of a wonderful course at Washington University in St. Louis titled "Technology in Our Changing Society". Once a week my students and I examine a different issue about the point at which technology and social change intersect, and our discussions are as fulfilling as they are knotty. I can't tell you how many times this semester I've heard someone say, "This is a really complicated issue, and I'm not sure yet what I think."

I respect and understand completely what they're saying. After all, when you're wrestling with issues around free speech, biotechnology, identity online, or virtual property, discussions tend to operate in shades of grey instead of black and white. Sometimes issues are a bit more cut and dried, and a student will utter a bon mot that perfectly encapsulates an issue. A long time ago, a high school kid who wasn't that great of a student told the class, after a long discussion about governments and politics, "Well, here's what I've learned: socialism is fair but doesn't really work, while capitalism isn't fair but does work mostly." Not too bad for a 9th grader. More recently, I had the adults in "Technology in Our Changing Society" read both the Windows XP EULA and the GNU General Public License. When I asked them what they thought, one woman said, "The EULA sounds like it was written by a team of lawyers who want to tell me what I can't do, and the GPL sounds like it was written by a human being who wants me to know what I can do." Nice.

The next version of Windows is just around the corner, so the next time we discuss software licensing in my course, the EULA for Vista will be front and center. You can read the Microsoft Vista EULA yourself by going to the official Find License Terms for Software Licensed from Microsoft page and searching for Vista. I know many of you have never bothered to read the EULA - who really wants to, after all? - but take a few minutes and get yourself a copy and read it. I'll wait.

Back? It's bad, ain't it? Real bad. I mean, previous EULAs weren't anything great - either as reading material or in terms of rights granted to end users - but the Vista EULA is horrendous.

Benchmark censorship

Ed Foster has written - with his usual righteous eloquence - a piece on his Gripelog titled "A Vista of Licensed Censorship" that covers several new restrictions in the upcoming Vista EULA. Vista Home now contains this gem:

    9. MICROSOFT .NET BENCHMARK TESTING. The software includes one or more components of the .NET Framework 3.0 (".NET Components"). You may conduct internal benchmark testing of those components. You may disclose the results of any benchmark test of those components, provided that you comply with the conditions set forth at http://go.microsoft/fwlink/?LinkID=66406.

Foster brings up good points about the inevitable problems that this clause will bring. Microsoft can - and undoubtedly will - change the terms on that web page at any time, thus complicating life for anyone wanting to disclose test results. Worse, another requirement dictates that any benchmarks must "be performed using all performance tuning and best practice guidance set forth in the product documentation and/or on Microsoft's support Web sites," thus forcing testers to use settings that aren't found in the workaday world, potentially distorting results. Foster gives this example, one that should resonate among the readers of this column:

    Just by way of example, what about a security researcher who a year or so from now wants to compare the buffer overflow vulnerabilities of the original version of Vista with the inevitable SP1? Under Microsoft's rules, the researcher could not make public the results of the older version of the software. And if you think it highly unlikely Microsoft would actually object to the benchmarks in such circumstances, think again. In 2001 Microsoft came down on an independent lab that was about to go public with performance benchmarks comparing Windows NT and Windows 2000.

Beyond the fact that censorship is almost always a bad thing (I'll agree that it's permissible in a very few cases involving national security, but that's about it), software is of such critical importance to people's lives that I can see virtually no reason why any limitations on benchmarking and testing results should ever be allowed to stand.

No virtualization for you!

Right now, consumers and businesses can buy two versions of Windows XP for their desktops: Home and Professional. Let's review the choices they're going to face, including pricing, when Vista rears its head:
  • Starter (OEM pricing only)
  • Home Basic ($199, or $99 upgrade)
  • Home Premium ($239, or $159 upgrade)
  • Business ($299, or $199 upgrade)
  • Enterprise (OEM pricing only)
  • Ultimate ($399, or $259 upgrade)
I understand that product differentiation among market segments is common and makes good sense. But this is ridiculous. Six different versions? Quick, which one is right for you: Home Premium or Business? Uhhhh...

Story continued on Page 2 



Scott Granneman teaches at Washington University in St. Louis, consults for WebSanity, and writes for SecurityFocus and Linux Magazine. His latest book, Linux Phrasebook, is in stores now.
Copyright 2010, SecurityFocus