Surprises in Microsoft Vista's EULA

androthi writes "Scott Granneman takes a look at some surprises in Microsoft Vista's EULA that limit what security professionals and others can do with the new operating system. You want to post benchmarking results? Well, Microsoft may now have a say in it. Vista's EULA no longer shows up on Microsoft's software licensing page, but does still exist — also take note of Windows DRM deciding what you can and can not listen to, and Defender deciding and removing what it considers spyware automatically (by default)."

a way around?

[ryanelm (787453)]

I don't 'sign' the EULA when i use a public machine...

What an Awesome Idea!

[Mateo_LeFou (859634)]

If we keep brainstorming great stuff like that, we will be able to do all kinds of awesome stuff, like:

study our own computers' performance.
tell people what we find
share ideas on how to improve them

Before you know it, we'l have "free speech" as I like to call it.

Re:

[Mateo_LeFou (859634)]

Well since they'e not the government (officially), they can't actually ban such. They could impose a condition on whoever clicks through the EULA that heshe is responsible for EULA-violating behavior by anyone who ever uses the machine. In fact I wonder if there's such a condition floating around somewhere...

Re:

[MECC (8478)]

"The more you tighten your grasp, the more star systems will slip through your fingers."

UCITA and EULAs

[Lonewolf666 (259450)]

There is indeed an attempt to make EULAs contractually enforceable, the so called Uniform Computer Information Transactions Act (UCITA).
Wikipedia's article on the subject, http://en.wikipedia.org/wiki/UCITA [wikipedia.org], does however claim the UCITA "has only been passed in two states as of 2004 -- Virginia and Maryland". If you live in one of those, you might be out of luck.
In other jurisdictions, EULAs are probably unenforcable. Wikipedia has another article that covers the US situation:
http://en.wikipedia.org/wiki/Shrinkwrap_license [wikipedia.org].
In Germany, a few years ago Microsoft failed to enforce the EULA that disallowed separate sales of OEM software. The court ruled that an equivalent of the First-sale doctrine http://en.wikipedia.org/wiki/Doctrine_of_first_sal e [wikipedia.org] applied. The EULA that said otherwise was obviously disregarded.

Re:

[mr_matticus (928346)]

"Can you cite case law holding EULAs valid?"
Law is not a permissive pursuit--it's a limiting field. That is, it's legal until it's ruled illegal. Still, if you need examples, ProCD v. Zeidenberg is the de facto standard here. There have been other, smaller cases in a number of states as well. Further, there has been no case that has categorically overturned EULAs.

"More specifically, can you cite case law upholding contractual terms entered into under duress?
In what way are users under duress when

sined, sealed and delivered

[yagu (721525)]

To quote the Buckaroo Bonzai [imdb.com] movie, Microsoft's locked in monopoly is sined, sealed and delivered. The EULA for Vista provides more evidence Microsoft is the 800 lb. guerilla that doesn't care about potential faceoffs on these issues any more. The article seems to think differently:

If you thought that the legal troubles the company faced in the late 90s would perhaps mellow it out, you were wrong. Far from it. The draconian limitations I've discussed could only be enacted by a monopoly unafraid of alienating its users, as it feels they have no other alternative. Microsoft may yet learn, however, that there are limits to what its users will bear. To paraphrase what my fifth-grade teacher often told his rambunctious class, "Beware the wrath of a patient user base." Security pros have already given Microsoft a deserved black eye over the never-ending string of gaffes and vulnerabilities streaming out of the company. It seems now as though another black eyes and a bloody nose may be coming, along with a final wave goodbye. There comes a point at which corporate hubris causes a fall, and we may be seeing the beginning of that collapse. If so, Microsoft will have no one but itself to blame.

I'm not sure how the article's author would see the user base reacting. Pick a different platform? How? At what expense? No, Microsoft has got this one in the bag.

I predicted in the late 90's if Microsoft didn't have to pay real consequences for their business practices, eventually they would be rolling out OSes at any price they wanted and noone would be able to do much about it. This was at a time where hardware dramatically was decreasing in price but Windows, all flavors, continued to sustain an amazingly different cost curve. I predicted eventually:

• Microsoft would put out an OS at around $400
• Their OS would eventually be the largest cost of a new machine

It looks like we're pretty close to both. I'll continue to do my development in my Linux world, but I'm guessing there will be a momentary raised eyebrow with Microsoft's Vista, Vista's EULA with it's almost amazing restrictions (especially compared with already draconian past EULAs) and then business as usual.

Re:

[Mateo_LeFou (859634)]

The only surprise would be if this kind of shit werent in there.

Re:

[CastrTroy (595695)]

I really don't like the whole OEM licensing thing that MS does. IF you buy the $299 dell, then you're basically paying nothing for windows, because the parts cost that much. If MS was forced to set one price for their OS, and make everyone pay that price, then I think we'd see a lot fairer prices. It's not right that someone who buys a new computer from a specific reseller gets a free OS, while those of us who choose to build our own systems, or support smaller companies, or , heaven forbid, just install

Re:

[hawkbug (94280)]

Well, through sites like NewEgg you can get OEM copies of windows. Granted, they are still over $100, but it beats the crap out of paying $300 retail.

Re:

[CastrTroy (595695)]

This is my problem, because I chose to go to a small retailer to by my last computer, I had to pay $CDN 129 for my copy of windows. None of the big resellers (Dell,HP,Lenovo,etc.) offered a computer that had what I wanted, without a ton of extra stuff I didn't. So I ended up paying extra, just because MS decided it could have a better monopoly position by offering cheaper copies of windows to big resellers.

Re:

[frosty_tsm (933163)]

"Given away" might be a bit strong, but yes.

I wonder which happened:
1) OEM companies didn't like that a person could buy off-the-shelf components to make a cheaper, faster, and more reliable machine. They then asked MS to make this more expensive for the user.
2) MS realized that most of their OS sales was to OEM companies, and that they could rip off consumers buying the OS unbundled.

What are we paying for now that we weren't getting 10 years ago? Fancier versions of Media Player (which happen to get wors

Re:

[morgan_greywolf (835522)]

What are we paying for now that we weren't getting 10 years ago?

Spyware, DRM, an OS that requires 1GB of RAM and high-end accelerated 3D graphics, DRM, Trusted Computing, DRM, and plenty of 0-day exploits.

So, in summary, I'd say mostly DRM.

Re:

[hal2814 (725639)]

No, Captain Ron, you said there were GORillas in the jungle, not GUErillas!

Re:

[rsborg (111459)]

800 lb. guerilla

Wow, I'm getting images of a lardy Che Guevara eating peanut butter banana sandwiches [publicradio.org] :-)

They're Idiots

[Khammurabi (962376)]

I'm not sure how the article's author would see the user base reacting. Pick a different platform? How? At what expense? No, Microsoft has got this one in the bag.

I know exactly how the user base will respond: They won't buy it.

Windows XP Professional works fine for me, and as such I've bought my last Microsoft operating system. I will never buy Vista. Microsoft has completely ignored the requests of it's customer pool on this one, and has instead opted for responding with "you'll lump it and like

DirectX maybe not that significant.

[Kadin2048 (468275)]

I'm really not sure of this. The gap between console gaming and PC gaming is getting narrower, and there's really nothing but inertia stopping a console manufacturer from using a keyboard and mouse as input devices instead of a dual-analog type controller.

Consoles have networking and multiplayer and downloadable games, which used to all be hallmarks of the PC ... they also have lower cost of ownership over time (less upgrades).

If the console manufacturers don't make it a pain in the ass to develop games (wh

sined, what and delivered?

[rah1420 (234198)]

OK, mod me off topic.

The movie is Buckaroo Banzai, [imdb.com] not "Buckaroo Bonzai."

And the actual part of the movie that the OP is talking about (the initialization of the Oscillation Overthruster) is "Sined," "Seeled" and Delivered.

Geez. If you're going to quote a cult movie, at least be part of the cult.

John Bigboote? Is that you?

Re:

[LunaticTippy (872397)]

It's Bigbootay!

What a great film.

Re:sined, sealed and delivered

[ClamIAm (926466)]

Yeah, tell me about it. Soon, MS's EULAs will require a paper contract, with a notary cosine. And with every little thing they get away with, they'll get more obtuse. Of course, I feel like I'm going off on a tangent, here...

Re:

[smilindog2000 (907665)]

Sometimes it's easy to predict the future...

As you know, Linux is growing in leaps and bounds. The rate of improvement in both Fedora and Ubuntu (the only two I follow closely) is amazing. The rate of improvement is way beyond anything Microsoft has done in years... But you're still right about Windows dominating, and users forking over the $$ to help them.

There are basically three kinds of users: business users, professional home users, and gamers. The other sub-categories, like us hackers, are tiny in

Re:

[x3nos (773066)]

Ill probably get a downmodded as troll for this, but heh my Karma is good

Viva la Revolucion!

Oh boy

[DurendalMac (736637)]

Defender automatically removing stuff without the user knowing. That's just asking for problems. How long before there's a widespread outbreak of Defender deleting perfectly legitimate software?

Re:

[Dr Caleb (121505)]

I run Distributed.net on all MY home PC's, and Symantec flagged that as malware years ago. I'll bet Defender flags things like Nero as malware, because they could be used for nefaroius purposes that conflict with Media Player 11.

Re:

[CodeMasterPhilzar (978639)]

It would seem to me that is a virus-writer's wet dream... All they need do now is trick Defender into identifying some other parts of your system as spyware... And the snake eats itself... Or some such...

The only winning strategy

[j00r0m4nc3r (959816)]

Is not to play

Moo

[Chacham (981)]

I have the best comment *ever* about this story.

I'll post it as soon as Microsoft oks it.

who cares

[tehwebguy (860335)]

this is awful, but i'm sure few of the people reading this will become vista users anyway.

most of us have probably been bugging our families and friends to try ubuntu or buy a mac for the past few years. i switched to a mac this year and never looked back. there are people with MUCH higher application and compatibility requirements than myself who can switch to linux (or apple)

.net3 is more benchmark friendly then .net2

[TheSunborn (68004)]

Then betchmark clasue for .net is better then it is for .net2. For .net2 it says you are not allowed to post any benchmark at all, unless you have a written accept from Microsoft.

With .net3 you just have to give all sourcecode in your benchmark to microsoft.

Kiss of death for Enterprises

[TedTschopp (244839)]

6. USE WITH VIRTUALIZATION TECHNOLOGIES. You may use the software installed on the licensed device within a virtual (or otherwise emulated) hardware system on the licensed device. If you do so, you may not play or access content or use applications protected by any Microsoft digital, information or enterprise rights management technology or other Microsoft rights management services or use BitLocker. We advise against playing or accessing content or using applications protected by other digital, information

Different EULA for enterprises?

[jhines (82154)]

A different EULA for enterprises, with a higher cost. MS has the margins to cut better deals, and will do so.

Re:

[TedTschopp (244839)]

Well, not every large enterprises cuts deals with Microsoft. Some of these large enterprises tell Microsoft to shove it on the years they don't release products and buy from VARs

I say we encourage them as much as possible...

[cascadefx (174894)]

The more I see Microsoft do this, the more I applaud them. I hope they continue to do more and more of this stuff. I mentioned some of these things in an earlier leaked EULA to my wife and she stated that she'd rather put Linux on our computers than be micro-managed by any software company.

Cool.

Steve, Bill. You and your engineers are doing a great job. Keep it up. Is there any way you could be more restrictive and sell it as consumer choice? If so, do it.

The Benchmarking is for .NET 3.0 only (FUD)

[Trevahaha (874501)]

There are only restrictions involved in posting benchmarks for .NET 3.0 [microsoft.com]. And these restrictions only require that you state what version you were using and the methodology you took. It doesn't have any restrictions on "bad" results or any attempt to stop people from reporting accurate results. They wrote these restrictions to prevent people from testing .NET on a 386 and then JAVA on a 3 GHZ and saying "See JAVA is faster!" and it's similar to the restrictions for .NET 1.1 and 2.0... it's just because it's bundled with Vista that it's now included with the Vista EULA.

Re:

[Trevahaha (874501)]

I did... it does not state that. Please highlight where you think it says Microsoft must approve your results before you publicly post the information. From what I see, it just says you must post all the information in a publicly accessible place (such as a public website). It also says Microsoft reserves the right to re-run the test and publish their benchmarks.
From http://msdn2.microsoft.com/en-us/library/ms973265 . aspx [microsoft.com]

Benchmark Testing, Microsoft .NET Framework
You may conduct internal benchmark

The Last Straw....

[Luscious868 (679143)]

I've been a Microsoft slappy since I first got into computers when I was a kid back in the Windows 3.11 days and Vista will represent the first Microsoft OS that I will not ever, under any circumstances, run on any PC or laptop that I purchase or recommend to anyone else.

I'm sure I'll have to deal with Vista at work at some point, but for me it's Mac's (with Boot Camp and Windows XP for games) on systems I buy or recommend to others from now on. Vista is a joke. All of the coolest features have long since b

Re:

[Carnildo (712617)]

Microsoft seriously jumped the shark with this one.

I think the metaphor you want is "went off the deep end", or maybe "shot themselves in the foot".

I think I'll keep XP-Pro, thanks...

[Big Boss (7354)]

I have legit XP-Pro for my Windows machines. I think I'll just keep that. Vista doesn't seem to offer me anything except idiotic restrictions and high costs. All the end-user features have been stripped out at this point and it's just a big DRM bomb as far as I can tell. No thanks, M$. Perhaps I'll try Linux on the desktop again, it's been working great on my servers.

The iron is hot

[vga_init (589198)]

This is Apple's one chance to release their operating system in a version that is licensed and designed for non Apple machines. Undercut the price of Vista and it's sold.

I know why...

[Soapy One (969149)]

Microsoft doesn't want us posting benchmarks proving that Vista is worthless...it might hurt their sales.

Might as well be hanged for a sheep as for a lamb

[Carnildo (712617)]

After reading the Vista EULA while installing a copy at work for compatibility testing, it became very obvious to me that the only way Vista would make it onto any computer I own is if I were to install a pirated copy of Vista Ultimate with all the anti-piracy features removed. I figure that since there's no way in hell I'm going to comply with the EULA, why follow copyright law, either?

Stupid, tired arguments

[thebdj (768618)]

Where to start...
1. The benchmark testing and posting applies to .NET Framework components. I do not see this being some great ending of benchmarking the Windows OS. Also, the link for further information does not (currently?) work. So, this could just be an issue that isn't an issue at all.
2. This version argument is really tiring. In some ways I see their logic, in other ways I think the six version idea is stupid. Actually, there are more versions of XP then two. Technically, there are four. Windows Media Center Edition and Starter Edition. I imagine Starter Vista will be virtually unseen like XP SE. As for Win MCE, I suppose that would be Home Premium. XP Home = Vista Home, XP Pro = Vista Business. Guess this only leaves two extraneous versions...
3. The Virtualization argument is pointless. How many home users do virtualization? How many business (which do the most virtualization) actually use XP Home licenses? I really think this is a non-issue like #1.
4. The license transfer is more stringent version of the current license transfer. The example they give is a bit weak. At work, if you get a new workstation? I seriously think that corporate licensing will have provisions for this sort of thing. How many people buy their own work computer licenses? Unless you own your own business, not many. Most home users keep a machine for several years. If you assume a home user is on a 3-year replacement cycle (the most common business practice I have found), they will probably only need a single transfer before the new OS is out (though after this, you never know.) Also, how many new PC purchases do not come with a new license?

I by no means am a Microsoft supporter. I have said on multiple occassions that Windows XP would be the last Windows OS I would ever use. I intend on changing my mom to Linux when XP support disappears. I do think that some of these arguments are very bogus though. There are plenty of other reasons to hate Vista, including the evil DRM, more Microsoft monopoly violations, and stupid, half-assed "security" tools.

The Noose Is Tightening

[mpapet (761907)]

Around end-user's necks.

The DRM noose around the average user's neck is being sold like a nice, new necktie. The 32-bit version of Vista will be dropped ASAP in favor of 64-bit locked-by-microsoft-only version. This in turn kills the 32-bit processor.

Then it is only a matter of tightening the noose.

So what? Well, there is no market mechanism for loosening the noose. Therefore, the price of loosening the noose around your neck is made by Microsoft. (A price maker: http://en.wikipedia.org/wiki/Monopoly#Coe [wikipedia.org]

benchmarking

[ltwally (313043)]

"...You want to post benchmarking results? Well, Microsoft may now have a say in it..."

You make it sound as if there is a blanket ban/clause against benchmarking.

FTA:

"MICROSOFT .NET BENCHMARK TESTING. The software includes one or more components of the .NET Framework 3.0 (".NET Components"). You may conduct internal benchmark testing of those components. You may disclose the results of any benchmark test of those components, provided that you comply with the conditions set forth at"

It is clearly st

It looks like

[Z00L00K (682162)]

M$ is creating a scheme so complicated that it's impossible to be able to follow. Next step is probably to include in the EULA that no other operating system may co-exist on the same machine since it *MAY* be used to circumvent the security schemes in Windows.

And even if I indicate that I accept the EULA, what proves that I have understood it?

Anyway - Windows Vista cracks will appear sooner or later. There are always those who see it as a challenge.

What Microsoft seems to forget is that all these copy

My favorite

[fiber_halo (307531)]

My favorite quote from the Vista license is in section 8:

You may not: work around any technical limitations in the software

I guess they are talking about things like intentional limitations such as only installing on one PC. It just cracks me up though.

No virtual DRM == Anti-Macintosh

[h2oliu (38090)]

Ok, call me paranoid, but it seems that the no DRM in a virtual machine component is trying very hard to make it so that people can't use office on a Macintosh. Sure you can pay for Windows, but you can't use office, which is really the only reason to run office on a Mac.

I know there is a Mac version of office. But it doesn't have the VBA components that drive many corporations.

Re:

[99BottlesOfBeerInMyF (813746)]

I know there is a Mac version of office. But it doesn't have the VBA components that drive many corporations.

That's okay. All the companies still paying Office licensing fees and relying on VBA for internal apps will be crushed by the competition in a few years anyway :)

Re:

[truthsearch (249536)]

In fact, if you read XP's, 2000's, and SQL Server's EULAs you'll find many of the same limitations. This isn't new for Microsoft. For at least the last 6 years it's been against the SQL Server EULA to publish benchmark's without Microsoft's approval.

People shouldn't just be getting disgusted today. They should have been reading these EULAs for years.

Re:

[creimer (824291)]

Maybe you didn't see the message [engadget.com] at WWDC 2006:

"I have a personal message from Steve Jobs. Just relax that brain for a while. Let's let the Mac users experience compatibility problems. Tend to your compost pile, your poetry, your art. You can help out on Vista, we can use your help there. Whatever else you've been working on, you can stop now. We went to the Big Island together, lots of karaoke."