Microsoft WGA Phones Home Even When Told No

Aviran writes "When you start WGA setup and get to the license agreement page but decided NOT to install the highly controversial WGA component and cancel the installation, the setup program will send information stored in your registry and the fact that you choose not to install WGA back to Microsoft's servers."

Gibberish

[AmateurCruzer]

Anyone have any insight what exactly they're sending back?

Re:

[NinjaTariq]

I would have thought this kind of thing would be annonymous usage or configuration, simply so that they know how people use it... Though i don't know.

Re:

[Anonymous Coward]

Your comment is not anti-microsoft enough, so it has been bitchslapped.

Re:Gibberish

[Ciggy]

In the UK, at least, it would appear to be in breach of Section 1 of the Computer Misuse Act 1990:

1 -- (1) A person is guilty of an offence if--
(a)he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b)the access he intends to secure is unauthorised; and
(c)he knows at the time he causes the computer to perform the function that that is the case.

The data sent home is noted by (a). As the user has expressly not agreed to the WGA EULA, unauthorised access is noted by (b) and (c) - in particular (c) as there was no agreemnt to the EULA; assuming of course that the data sent home is that that would be sent home IFF the EULA had been agreed and WGA installed.

As an aside, the Sony rootkit that installed something even when the EULA or whatever was decined was probably in breach of Section 3 of the same Act - doing "...any act which causes an unauthorised modification of the contents of any computer..." - those discs weren't sold in the UK?

The question is who is the responsible entity for a company: they have programmers that have written the code that does the unauthorised access (are they responsible), or is it their managers (who defined the specs) or the company as a whole (the directors)?

Re:Gibberish

[Rogerborg]

We're not sending anything. Trust us.

Oh, you checked, did you?

Then what we meant to say was... it's nothing to worry about.

Trust us.

Re:

[Opportunist]

I don't trust MS as far as Steve can throw a chair.

Re:

[Cro Magnon]

I dunno, I hear that's pretty far.

Re:Gibberish

[gigne]

I have no idea, but it looks like some sort of unique id.

an image from the now slashdotted page is here, it shows what gets sent to MS

http://img266.imageshack.us/my.php?image=wgahp5.pn g [imageshack.us]

Re:

[TubeSteak]

http://www.heise-security.co.uk/news/86294 [heise-security.co.uk]

There's an english language article about the same packet dump
Some of the data is encrypted, some of it are just acronyms you don't know

In the end, it does not matter.

[WindBourne]

MS owns the software, you do not. It is what you agreed to. MS has always done this and will continue to do more. If they stop in one place it will pop up again. The simple fact is, there is truth in saying that you are owned. Whether it is is by MS or by a cracker (from any number of avenues on the windows platform), you are till owned.

Re:Gibberish

[Anonymous Coward]

The only home software on my computers should have is my home

Sounds like someone set you up the bomb.

the route your kids take to school, of course

[swschrad]

probably all the apps information. naysayer, meet the Business Software Association, also known down around the docks as "the muscle."

can't RTFA because they're slashdotted already.

Re:the route your kids take to school, of course

[DarthChris]

Interesting you say it's slashdotted because I can read it fine.

It's very light on details, however. There is a screenshot from wordpad of the data sent; it's an XML-type document which appears to have pulled a couple of id/hash numbers out of the system registry, e.g. OS version, but no personal info. They can't really get any personal info anyway, since data protection laws here in the UK and other countries would land them in shite, and also I suspect that they have more important things to do than snoop random people's names.

Personally, I think that they're just trying to get an idea of the number of people who won't install it. These people either have pirate copies and know they'll fail validation, or simply are opposed to the idea of their OS phoning home. From a cynical viewpoint, it's important for MS to gauge the reaction to this early so they know how far they can push these sorts of thing without there being a massive backlash.

Re:the route your kids take to school, of course

[lazlo]

So, how hard might it be to generate random but valid data to fill out this XML? And then have a little daemon that does nothing but post it over and over 24/7? "Wow. Looks like a NAT/proxy server with millions of users behind it who really don't like WGA."

Petty, I know, but fun.

Re:

[Dog-Cow]

Don't worry, nothing was sent to Microsoft. We think.

Re:the route your kids take to school, of course

[rben]

I refused to install WGA for a long time for several reasons, not the least was the fact that it was marked in the EULA as BETA software. Why should I be forced to install software that MS admits hasn't been fully tested yet? I have enough problems with MS bugs. Also, I resent the implication that I have to constantly prove that my software was purchased legally. I've always paid for the software I use, even when I was a poor college student.

Most copies of Windows in the U.S. are paid for, because Windows comes installed, by default, on almost every retail machine sold. That alone makes piracy a non-issue in the U.S. However, WGA does give Microsoft a way to shut down every Windows computer connected to the Internet. What a scam. Once they've got everyone using WGA, they can start dictating terms to governments instead of dealing with irritating lawsuits.

Lets say that the kind souls at MS never even think of using WGA as leverage on say, Europe. I still think it's possible for a clever hacker to use WGA to do some real damage. The hacker would have to do some DNS spoofing and probably crack some encryption, but then, that's what these guys do. Whose to say someone might not use WGA to pull off the biggest Denial of Service extortion in history? Perhaps I'm a bit paranoid, but my caution has kept me from ever having one of my computers compromised.

Piracy is a problem, but not nearly as big a problem as MS would have us believe. If people are stealing you blind, you don't make billions of dollars in profits, you lose money. If MS is feeling a pinch lately, it's due to their own foolish policies and assumptions that they would be able to dictate terms to the world forever. Google Apps and Open Source software will, hopefully, eliminate the need to put our computers at risk simply because a company is greedy.

Microsoft seems to believe that if there were no piracy, everyone in the third world who is now stealing their software would pay for it instead. Yeah right. One of the reasons they steal it is because there is no way they could possibly pay for it. If MS ever finds a way to shut down piracy, it will merely hasten the move to Linux in 3rd world countries. Ironically, that will speed the demise of Windows.

Re:the route your kids take to school, of course

[HermMunster]

Foolish is what Ballmer is made of. He claimed to financial analysts that the caution on Vista sales is for at least 2 reasons: 1) corporate pricing was too low, and 2) piracy.

This was stated by him in the past couple days, if not today.

Both are flawed. on item 1. Windows Vista is very expensive. Giving forecasts on certain pricing to corporate is what companies do. They forecast on those prices so that is really a moot point unless corporate just isn't purchasing. Then the low cost would make a difference, as they feel they should have made it higher so that the lack of corporate sales didn't affect the bottom line so much.

On item 2. According to Microsoft pirating is impossible under Vista. Well, even if that is about 3 months outdated it still is an issue that needs to be addressed. What is the average number of pirated installs vs. legit installs of Vista. Are people choosing to pirate instead of purchasing? Is it easy for the average person to pirate Vista and is the future potential of loosing activation worth it to the average user?

The answer to those is unknown so Microsoft can't be using that as a legitimate reason why their forecasts are so far off. Even if it was EASY to pirate Vista (which Microsoft said 3 months ago was impossible) it would have to be much easier than to pirate XP, which although is semi-easy to pirate if you can get the corporate product key or you can snatch a key from some unsuspecting person it is possible to get locked out by virtue of the WGA/WGN spyware programs.

So, essentially it isn't possible to claim that corporate pricing and pirating is the cause of Ballmer's and Microsoft's woes. It has to be something else. That something else, at least to me, is pretty obvious. It is the restrictions on use, the violation of privacy (constantly claiming you are a thief -- incessant checking of your workstation using spyware programs (WGA/WGN)), the high cost to the consumer (parts as well as purchase price of Vista).

When I talk to people, and I do so every day as I own a computer repair shop, I hear that they want nothing to do with Vista. I even have people that bring in the computers they bought with Vista on them to have them wiped and to have XP installed instead. The reasons they give are the same I read about day in and day out on the web. Microsoft accuses them of being a thief, Microsoft is spying on them, the technology in it will interfere, the costs to upgrade are too high, the cost of the OS is excessive, there's no compelling reason to upgrade. Vista is just a pretty interface on top of a massive spyware program.

I'd have to say that Ballmer is very foolish and to try to pawn off on the financial community two very flawed reasons for Vistas lack of success is just pathetic. Microsoft is on a downhill slide. The fact that Linux and OSX just might be made valid viable attractive has to be affecting every thing they do. On top of that they have known for a couple years that Microsoft would not see growth anywhere near what it has seen in the past. I think one could forecast some very serious financial problems with Microsoft in the next couple years and that they need to get people switched over to Vista so they can better control your computer and purchases so that the major stock holders have time to divest themselves and reinvest in other arenas.

Bill Gates and Steve Ballmer are killing Microsoft. Every DRM/CRM implementation makes Windows a lot less attractive to everyone. Every attempt to monitor our use is looked upon as a violation of our privacy (which it is) and is an accusation that we are a thief or will be a thief sometime down the road. When they don't care that they are invading our homes we realize they are too far gone to even consider giving a second chance. When they can use their monopoly power to extort business, other countries, and private citizens then that's the time everyone must look up and say "no". They know they have you by the short ones because they know that i

time to modify the hosts file

[GuyverDH]

notepad %windir%\system32\drivers\etc\hosts

127.0.0.1 genuine.microsoft.com

Re:time to modify the hosts file

[$RANDOMLUSER]

Or use a firewall that checks egress, too. I use one, and find that RealPlayer and Adobe Reader also phone home even when you tell them not to.

Re:time to modify the hosts file

[rainman_bc]

and find that RealPlayer and Adobe Reader also phone home

All the old Macromedia studio products also phone home too...

That means Adobe Dreamweaver etc...

My Firewall is Full of Herons

[spun]

Or use a firewall that checks egress, too.

How does a firewall check female herons [wikipedia.org]?

That is what an egress [tp.org] is, right?

Re:

[penguinstorm]

Does anybody use Adobe Reader anymore? That thing's become so insane I don't even waste time -- I just open things in Preview.app

Is anybody actually surprised that Microsoft is spying on them in ways that they're not disclosing?

Re:

[jackbird]

And both are left in a cloud of dust by Foxit.

Re:

[mrchaotica]

Is there a WRT54G firmware that can do that? I wouldn't trust anything like that running on a Windows host...

Re:

[Technician]

Anybody do installs without a network connected? I wouldn't install any MS OS with a broadband connection live. Is the program silent then? Does it complain that it can't find your connection? MS assumes everyone is online.

Back when Optical Mice first hit the scene, I picked up a MS optical mouse for a machine I was building on my coffee table. I loaded the driver and the install stalled and nagged me because it could not find my network connection. Please configure up your networking or start your dia

Re:time to modify the hosts file

[walt-sjc]

the marvelous Synaptic (Apt) or Yum (rpm) or any other package manager *requires* a live internet connection in order to install any program.

This is 100% false. Those package manager's search internet based repositories by DEFAULT, but it is hardly required. In fact, all my servers point to a local repository so I don't have all 500 servers downloading the same packages over and over.

Re:

[$RANDOMLUSER]

Tiny Personal (I use the older free version on my Win2K box), but you have to understand IP addresses and ports and stuff - it's not for your granny.

Re:

[AmiMoJo]

This probably won`t work. You can`t, for example, redirect Windows Update. The IP address of the server is hard coded into the Update service, and bypasses hosts etc.

If you did it at the router level it would work, but I cant find any info on this. I am betting that the IP info is sent to is not the same one used for the web host.

Doesn't work

[alexhs]

Seems you haven't read the past story about MS bypassing HOSTS file [slashdot.org] for microsoft sites.

Re:Doesn't work

[peragrin]

In MSFT's defense it is a smart move. That way a virus can't modify update.microsoft.com .

The last time i had to set apt-get's update I used the IP address as well.

Re:

[billcopc]

I have to agree with you, the first thing most decently smart people do when their computer acts wonky is update their malware scanner(s) and OS. It is trivial for any malware to finagle with the HOSTS file on a Windows system, which is hidden in such a dumb obscure place (C:\winnt\system32\drivers\etc), a far cry from the self-explanatory /etc/hosts of every other goddamned OS on the planet.

Anyway as I was saying, once a virus takes over the HOSTS file, it could fool the common user into downloading malic

Re:

[QuietLagoon]

Microsoft bypasses the hosts file [securityfocus.com] for their own hosts.

Interesting

[jesusphish]

Yay, I believe RMS's essay on treacherous computing may apply here. Not to start an argument over RMS and his stance with open source and free software. But i believe we should all have the right if you use windows to know what they are sending. I use gnu/linux so i really don't affect me much.

Most people just don't care....

[EmbeddedJanitor]

Sometimes the only way to exercise your rights effectively is to just walk away (as you and I have). Ranting sure does not work. Enough people have yelled from the rooftops of Vista's crapness and MS's evil methods but that will not stop sales. DOJ does not work. MS just ignore them.

The masses are not concerned with threachery, privacy, liberty and other high-browed virtues. Give them a full belly and a reality TV show and they are happy. Take away XP and substitute Vista and they will buy Vista.

Re:

[shoemael]

I use Linux also so I'm not vulnerable to this particular issue, however there are some other "phone home" issues that are cross-platform and totally hidden from most people. Have you ever taken a look at how much information you send to google-analytics.com? You're probably thinking 'None' but you're wrong. I added a firewall rule to log all the connections to google-analytics.com and there are hundreds of them established everyday for me alone (or there were until I decided to drop them all). The amou

Great...

[pchoppin]

... Now you're going to tell me that all Microsoft is in business for is to make money. You're ruining a perfectly good fantasy. Thanks a lot!

Re:Great...

[Catbeller]

That Free Markets religion again. Businesses cannot do anything they like; they are corporations, fictional entities created by license of the people of the country through their government. They are granted super-powers as non-existent individuals, exempting real operators from liablity for their own actions. In return, they hew the line we set for them. They have more responsibilty to the nation that created them other than pleasing shareholders, no matter what propoganda they pump to the contrary. They are not gods. And Microsoft is a monopoly, ruled so by the courts, and is under even more stringent strictures, because they have constantly abused their power in the past to invade and hold new markets.

So, no, making money is not all they have to worry about. Deceit and chicanery should have consequences other than making them more money. And if they need to cheat to win, it might be time to think about a new concept: revoking the corporate license, and reinstituting personal responsibility for their underhanded actions, with civil and criminal penalties.

wall of fire

[mastershake_phd]

Use Zone Alarm or other free firewall, problem solved.

Re:wall of fire

[failure-man]

Do you really think the people who wrote the kernel can't get around all that ZoneAlarm silliness if they want to? They already ignore the hosts file and such for *.microsoft.com.

Re:wall of fire

[Stefanwulf]

Use Zone Alarm or other free firewall, problem solved.

The problem isn't solved, you've simply put a local workaround in place.

Easy enough to deal with

[KC7GR]

From the image in TFA, it looks like they're sending back the Windows version code, and the installation-unique CSID, along with some other stuff that I didn't recognize.

There didn't appear to be any identification of the specific user in there.

It seems to me that it would be easy enough to determine what port WGA is using to send this stuff, and lock down said port at one's firewall. That's the method I'd choose to deal with it (if I were even running anything with WGA installed -- which, thankfully, I'm not).

Re:

[Rogerborg]

Your IP address doesn't identify you? Someone should tell the RIAA that.

Re:Easy enough to deal with

[drinkypoo]

From the image in TFA, it looks like they're sending back the Windows version code, and the installation-unique CSID, along with some other stuff that I didn't recognize. There didn't appear to be any identification of the specific user in there.

so let me get this straight. the ID that identifies your installation is there, and you don't recognize all of the other information, so you concluded that there doesn't be any identification of the user?

Truly, your intellect is astonishing.

Re:

[Slashcrap]

It seems to me that it would be easy enough to determine what port WGA is using to send this stuff, and lock down said port at one's firewall.

Great idea. Except that obviously you can't filter by the source port because that will be almost random. And then you find that they're using Port 80 as the destination port anyway because it's about the only port guaranteed to pass through most firewalls/proxies.

So you filter it by IP address instead, but then find that they're using a huge range of probably Akamize

Re:

[silas_moeckel]

Or you could filter via a layer 7 rule ditching connections to port 80 asking for anything *.microsoft.com there are better filters than early 90's ip proto and port based.

Re:What Port You Ask?

[mpapet]

I have an older version of Kerio's firewall and most recent "phone home" applications do so on port 80. Older apps use custom ports. Kerio's product is very good in this way.

I'm not sure why this is an issue _now_. It's been this way for years starting with Microsoft's MSI installers that phone home to certificate servers and certificate revocation list servers. I have screenshots to prove it should there be any doubt. It should be obvious by now they are slowly paving the way to a PC with their OS th

This is good

[Devir]

While many think this is bad and invasion of privacy, think of it as this:

when we normally click "I DONT Agree" the software does nothing. But if it sends the message back home with statistics of how many dont agree, it tells the software company some people dont agree.

We can argue EULA's till our fingers are raw and bloody, but it doesnt matter if the company in question doesnt read the conversations.

In short, by clicking the Dont agree button and having it sent home to MS we're telling them we dont want that crap on our machines. Maybe (deity willing) MS will start to listen. More companies may adopt that approach and we'll get less and less one sided (retarded) EULA's.

anyone Remember Borland's |"like a book" EULA? Great stuff.

Re:

[MaggieL]

But if it sends the message back home with statistics of how many dont agree, it tells the software company some people dont agree.

I guess "the software company" doesn't read Slashdot, or they'd already know.

Re:This is good

[Lumpy]

So let's have fun.

anyone got a way to dissect it completely so we can write a little app to send maybe 20-30 fake entries a day? now spread that across 100-300 people and microsoft thinks that there is a mass rejection of WGA starting to brew.

on a related note

[jjeffries]

This is kinda old, but some years ago my neighbor got a new Win ME (!!!) machine, and I helped him put in a NIC and put it on our little neighborhood network. I was curious if it was going to phone home, so I had a sniffer running on my router...

The damn thing picked/guessed a valid (NATted) IP address, netmask, and gateway without using DHCP (arp tricks?), and sent a load of mystery packets to an address in a Microsoft IP block. Only then did the computer do the "new device detected" routine, but could not find a driver for the NIC and I had to go fetch one on another machine.

W T F ?

Unfortunately I have since lost the pcap dump.

Moderation: -1, no proof

Re:on a related note

[Slashcrap]

The damn thing picked/guessed a valid (NATted) IP address, netmask, and gateway without using DHCP (arp tricks?)

Did that IP resemble 169.254.x.x by any chance?

But really there's no point trying to find technical explanations when the obvious one is at hand - you can't read a sniffer trace for shit.

Having the ability to install Ethereal does not magically confer on you the ability to interpret the results correctly.

Re:

[jjeffries]

Did that IP resemble 169.254.x.x by any chance?

No, it was a valid, unused rfc1918 address in the correct subnet. MAC address was the one on the card in the computer in question.

My home shorewall box correctly drops 169.254.x.x made-up addresses, and my ISP does not forward traffic from IPs not assigned to it. I know, I configure the routers.

But really there's no point trying to find technical explanations when the obvious one is at hand - you can't read a sniffer trace for shit.

Having the ability to install

Re:on a related note

[AK Marc]

So, you're saying Microsoft has some secret way for it's OS to phone home without a driver for the ethernet card?

Yeah, it's called NE2000. Almost all cards support it. If you don't have the drivers for a card, you can usually force Windows to use generic NE2000 drivers and the card will work. But if it can't identify the card, or identifies it and doesn't have drivers, then it will tell you that it can't install it, even when it knows it can use it just fine with the generic drivers. So yes, I do think it quite plausable that Windows can use a NIC it does not have drivers for. But I wouldn't call NE2000 a secret.

Ok, say Joe Sixpack installs WGA.....

[8127972]

.... is it as simple as going to add and remove programs to uninstall the two components for WGA or does it "break" something when you try to uninstall it? Or worse, does it leave anything behind?

Re:

[J0nne]

You can't uninstall it. You need to find a third-party program to remove it (I don't remember the name of it, but the tool works).

Perfect marriage of technologies?

[Joe Random]

Sounds like a perfect place to use MS speech recgonition:
Computer: "Where do you want to go today?"
You: "Nowhere."
C: "I heard 'Microsoft Validation Site'. Is this correct?"
Y: "No!"
C: "I'm sorry. I heard 'Dear aunt, let's set so double the killer delete all'. Is this correct?"
Y: "NO!!"
C: "I understand. So 'Microsoft Validation Site' was correct. Redirecting now. Thank you for using My Microsoft Live Enterprise Genuine Advantage Ultimate. Have a nice day."

Re:

[account_deleted]

Comment removed based on user account deletion

Answer:

[Overzeetop]

Delist them from the market.

If you really want to punish them, revoke their corporate status.

I detect hypocrisy

[suv4x4]

I can understand people not wanting WGA on their PC-s as it can cause issues on legitimate installations as well, in certain situations.

But sending back a little XML that you denied the EULA? Don't you detect hypocrisy here. You send your "identification" in the form of IP, browser user agent string and what not to virtually any site you visit, without "agreeing" to this every time. Why is nobody whining about this?

Having privacy and right to deny something is cool. But I think some of the most vocal opposition is simply using pirated Windows and not being honest about it.

I don't install WGA on existing (legit) computers as it doesn't help me with anything. I don't have any problem with Microsoft getting my "no" back though. In fact, I *want* them to hear my no.

Re:I detect hypocrisy

[mwillems]

I disagree. When I send my IP to a web site, it is because I have chosen to browse there.

In the WGA example, on the other hand, one chooses NOT to do something, and yet data is sent. That is very different to browsing voluntarily to a web site.

Re:I detect hypocrisy

[Todd Knarr]

Not quite. The Windows Update protocol should be:

1. I connect to Windows Update. They get some identifiable information.
2. Windows Update sends me a list of what's available.
3. I select what I want to install.
4. Windows sends Windows Update a list of what I want to install.
5. Windows Update sends me what I've asked for.

Note that nowhere in there should my computer be sending Windows Update anything about what I haven't asked for. It doesn't need to know that to send me what I did ask for, it's got no business sending that information without telling me it is or giving me the opportunity to say "No.". If Microsoft chooses to collect information it doesn't need, that's it's prerogative but that doesn't give it a "get out of jail free" card to avoid the consequences of that choice.

Report this to "StopBadware.org"

[Animats]

This should be reported to "StopBadware.org". StopBadware.org's definition of badware [stopbadware.org] requires prior consent to send personally identifiable information to a site. This should be enough to put WGA on the Badware list.

Google is now flagging sites that have been identified by StopBadware.

StopBadware is run by law professors from Harvard and Oxford, with assistance from Consumer Reports. StopBadware is effective. They complained about the Jessica Simpson screensaver, which installed spyware in May 2006. The makers of that didn't listen. In October of 2006, a US federal judge shut that outfit down.

Re:Report this to "StopBadware.org"

[Todd Knarr]

I'd argue you're incorrect. As far as IP address goes, my ISP assigns them long-term enough to consider them permanent (typical is 2-3 years between changes) and ties that address directly to my billing information. It's personal information in the same sense my bank account and credit-card account numbers are: they don't in themselves reveal my identity but they're tied uniquely and directly to it and can be used to get it without my knowledge and consent. The computer information is the same: part of what's sent is the GUID assigned to the computer, which is intended to be unique to that computer and which is tied directly to information like my name embedded in word-processing documents and other information available to the same entity receiving the computer information. This is sufficient to let them tie that WGA data directly to my personal identity. At the very least it allows them to identify everything else they have that belongs to me, even if they don't know my name (yet). That's personal enough in my book.

MS knows when you PC is on?

[brunascle]

i've noticed that whenever i try to upgrade to SP2/etc on a new install of XP, it will fail if any other PC using the same CD key is online at that moment. but once i unplug the other PCs, the upgrade works fine.

assuming this isnt a fluke, that really frightmens me, the fact that MS knows when any of my PCs are online.

Looks like

[TwistedSpring]

All this is conjecture, but this is what I'm guessing the elements in the ID block are.

UGD: Not sure. Looks like a UUID.
HDSLN: Hard disk serial
USID: User security identifier (id of logged in user, Microsoft can tell if you're any of the default SIDs like Administrator)
CSID: Computer security identifier

So Microsoft can tell whether you're an admin or not, they know the unique ID of the computer (CSID), your account if you aren't "Administrator" and - perhaps - the hard disk. If UGD turns out to be something that is unique to each individual copy of Windows, then all the people who've ripped it off could find life inconvenient in the future. I'm not sure what the tracking implications are, it depends how many Microsoft products report the HD serial or USID to them.

Re:So?

[sqlrob]

Ethics. If you choose not to install something, it shouldn't do anything.

Re:So?

[DJCacophony]

You chose to install the Windows Update ActiveX control, didn't you? And you clicked "I agree" when it told you it could send this info to Microsoft, didn't you? So why would you be angry when it does exactly that? Perhaps people need to read the licensing agreements they agree to before agreeing to them, instead of just clicking "yes, I agree" like a madman.

Re:So?

[Rob the Bold]

Perhaps people need to read the licensing agreements they agree to before agreeing to them, instead of just clicking "yes, I agree" like a madman.

Ya, that would fix it. Maybe, just maybe, some of us don't have an army of lawyers at our disposal to determine if what we're clicking on really means what we think it means. It seems to me that it is unethical to have a consumer product license that is unreadable/unparsable to an average consumer. The "madman" here would be anyone who thought that such nonsense was an enforceable contract.

Like the GPL?

[Anonymous Coward]

it is unethical to have a consumer product license that is unreadable/unparsable to an average consumer.

Oh my fucking god.

Have you ever tried to read the GPL?

Re:

[jorgevillalobos]

Have you ever tried to read the GPL?

Unreadable as well. Your point being...

Re:

[BarryJacobsen]

Have you ever tried to read the GPL?

Unreadable as well. Your point being...

Exactly! The GPL is GIVING YOU EXTRA RIGHTS, while EULAs are TAKING THEM AWAY. This may just be me, but I'll allow the verbiage that gives me something extra to be considerably more esoteric than the verbiage that tries to take something away from me.

Re:

[FiloEleven]

But how do you know the difference? The GPL concept is familiar enough to most of us even without having read it, but think back to the arguments over GPL2 vs. GPL3. If you can't easily read the license and you don't read Slashdot, the differences between the versions could go unnoticed, and (from what I gathered reading the discussions here) the differences are enough to potentially bite someone who doesn't know them in the ass.

Clear language is necessary for clear communication. It could be argued that

Re:Like the GPL?

[SirTalon42]

Um... No. The GPL doesn't to take away your rights to distribute a closed source program. You can distribute them all the time. But if you link against a GPL program/lib THEN distribute your program/lib, you would have to follow the GPL. If you don't accept the GPL you have to follow normal copyright law which means you can't distribute it REGARDLESS of your license if you link against it.

The GPL is NOT limiting anyones rights beyond copyright law, you might say its more limiting than the LGPL or modified BSD, but you can't say its more restrictive than no license at all.

Also an EULA is an agreement the end user is supposed to agree to to be able to use the software, the GPL is a copyright license that a distributor must agree to to be legally able to distribute any program that includes/links against GPL code.

Re:Like the GPL?

[senatorpjt]

Although the GPL "forbids" it, it's probably not a copyright violation to link to a library, it's a copyright violation to distribute a library, so if you were to distribute a closed-source program that uses a library, you wouldn't be able to provide the library. This only applies to dynamically linked libraries, obviously. Statically linked libraries are definitely a copyright violation.

This specific case has not been tested in court, but Galoob v. Nintendo seems to set a precedent.

As for the irony, to link to the libraries included with Windows, each user has to have purchased a license for the libraries - by purchasing Windows.

Re:

[Zonk (troll)]

The GPL gives you a right you would otherwise not have. That is, redistributing and modifying the software. All it asks in return is that you give others the same freedoms you received yourself. This is in contrast to the BSD license which would allow you to profit off of the work of others without giving back and denying everyone else the freedom you received. The GPL gives everyone more freedom.

Re:Like the GPL?

[BarryJacobsen]

The GPL isn't about freedom. It's about being selfish in the guise of supporting the community. If you aren't going to profit off the code, you don't want anybody else to be able to either.

Yup, I tend to think of the GPL like that bratty kid on the playground with the ball. Every group of kids had one, the kid who would say "If you don't play by my rules I'm taking my ball and going home".

God I hated that kid.

Odd, as all the other kids are saying "you can play with my ball if you pay me a bunch of money, but it's still my ball, and at any time I can change what you're allowed to do with my ball" and this kid is just saying "if you don't play by my rules of sharing the ball with everyone, I'm taking my ball and going home". I may not like that I have to play by that kids rules, but it's better than playing by his rules and paying him to do so...or going out and making my own ball.

You're just a little bit TOO cynical

[cbreaker]

You could look at it that way, but I think that's kinda a warped view of the GPL.

BSD license is all well and good, but if it wasn't for the GPL there wouldn't be so many people involved in development of GPL software. Your view does have some merit, but not because of selfishness. Novell doesn't want Microsoft to take their code, put it in Windows, and blast Novell away again. Red Hat doesn't want IBM to secretly switch AIX to all Linux code, and sell it for a mint, and never give anything back. So, that's understood, and everyone can feel free to develop the code base without worrying about it. Your payment for being able to use everyone else's work (and saving a lot of money by doing so) is to also release your improvements to everyone else. So your PROFIT is the improvements you get back on the code you wrote.

It should be noted that the big companies pushing Linux actually do turn a bit of a profit, in terms of cash.

The GPL *is* about supporting the community. If a piece of software is community developed, that same community (as well as anyone that uses it) really wants the software to improve. If ACME Corporation wants to use the software in their product, because it would be a LOT cheaper then developing in-house, they'll take it, improve it, and package it with their product. In the meantime, they'll also make their improvements available to everyone else. That's their payment for saving millions in licensing or development. How is this selfish?

If you don't want to release your code under the GPL, then simply don't. If you don't LIKE the GPL, then don't use GPL code, it's as simple as that. Or, are you pissed that you can't just do whatever you want with someone else's work?

The GPL, in fact, does allow a lot more freedom for the code you write then general copyright laws allow for. It's obviously a lot more open then closed-source. Why must you compare it to the BSD license? (Extra Points: If the BSD License worked so well, why did it take the GPL to bring open source software to the forefront? Explain and cite references.)

Re:

[mungtor]

Not all the other kids. The BSD kid is saying the same things that the anti-RIAA people speak of. He's saying:

"Have a copy of my ball. I lose nothing by giving it to you, so have a blast and do whatever you want."

I don't even have a vested interest in the licensing one way or another, but I'm really tired of the GPL zealots touting how "free" their code is.

Re:Like the GPL?

[99BottlesOfBeerInMyF]

The GPL does not grant additional "freedom" no matter how many people repeat the same tired bullshit. It takes away the freedom to use somebody else's code in your proprietary, for profit, application. Unlike the BSD license, for example.

BZZZZT! Wrong! Copyright law takes away the freedom. The GPL restores some of the freedom. Think of it this way. I just wrote some code. Can you use my code in your proprietary, for profit application? No. Why? Because copyright law makes it illegal.

Enter the GPL. The GPL is simply a license that says I'll let you use my code, if you promise certain things to me. It is a trade. I'll grant you certain freedoms that copyright law took away if you do certain things for me as specified in the license.

The GPL isn't about freedom. It's about being selfish in the guise of supporting the community.

No, the GPL is about building communities that share work (what it asks in return for said freedom) in such a way that no one can benefit from the work of others in certain ways without returning some work of their own.

If you aren't going to profit off the code, you don't want anybody else to be able to either.

Most GPL code is written by commercial enterprises for profit. IBM doesn't say they're licensing GPL code for the good of the world, they say they're doing it to maximize shareholder value. It is about making a business deal with any and all comers that they can use your code if you can use theirs and thus all parties benefit. Maybe you've noticed that most of the projects that get a whole lot of code contributed are GPL licensed, not BSD. Do you know why that is? It is because it provides a better return on the investment in the opinion of most companies and for that matter most individual hobbyists. If I spend weeks of my life writing some code, I don't particularly want someone else to sell that code back to me a few years from now. I'd much rather make them a deal that if they add to it they can use my code in exchange for letting me use their additions. There is no such thing as a free lunch buddy.

Re:Like the GPL?

[99BottlesOfBeerInMyF]

The GPL isn't a respond to copyright law. It's entirely dependent on it.

You've failed to demonstrate how those two things are mutually exclusive.

The purpose of the GPL is to make sure source code is redistributed in software releases, so if there were no copyright laws, the GPL would be violated because nobody would have to redistribute that source code.

Nope. The GPL would not be violated if there were no copyright law, because no one would need to abide by the GPL in order to freely copy the code.

Therefore, the GPL takes away the freedom to do whatever you want with the source code you download.

Do you know what "non sequitur" means?

Um, what? You walk through physical matter when your shoes are off?

Just as much as I can legally copy the code in question if it is not GPL'd.

This is one of the most bizarre metaphors I've ever read.

It's not a metaphor, it's an analogy. Are you truly this dense or are you being intentionally obtuse?

The fact shoes let you walk on broken glass has nothing to do with the GPL restricting what you can do with source code.

Shoes grant you the freedom of movement if you happen to be surrounded by broken glass. They, thus, grant you more freedom than you had. The GPL grants you more freedom when you are restricted by copyright law. It grants you more freedom than you have. Shoes don't grant you complete freedom to do anything you want. If you're surrounded by metal bars they don't allow you to walk through them. This does not mean shoes take away freedom. The bars took away the freedom. The GPL does not grant you the freedom to take copyrighted code and close the source. This does not mean it takes away freedom. Copyright law took away the freedom. Do you know understand the analogy and the flaw in you logic it demonstrates now that I've used really small sentences?

You're one to talk, fella.

Yes, I am. I've pointed out several of your logical fallacies. You've pointed out none of mine. Please do elaborate and explain where exactly my logic fails. You do actually know what logic is, right?

You're right, let me just slip my shoes off and walk on out of this jail cell.

I am right. You can't slip off your shoes and walk out of a jail cell in the same way you can't get someone to rescind their GPL licensing of code and suddenly be free to use it without permission. In one case you're stopped by bars, in the other by copyright law. This isn't rocket science friend, you need to revisit your very sloppy thinking.

Re:

[Knuckles]

But from a developer's perspective, the GPL takes away the right to distribute closed-source programs if you, in any way, use an GPL'd product.

Stop the obvious trolling. For the record:

• If you use a GPL'd product, it does not influence your rights to distribute your closed-source program in any way. Or do you think IBM cannot distribute AIX because some web guy they employ edited a photo in the Gimp?
• Even if you include GPL'ed code in your proprietary software and distribute the result, no court will take aw

Re:

[Ph33r th3 g(O)at]

It does no such thing. It declines to grant (not takes away, because you never had it) the right to incorporate GPL'd software into your proprietary, closed-source software. The GPL, in so many words, says "If you want to run this program, that's great. If you want to modify it, close it, and sell it, tough shit-WRITE YOUR OWN CODE."

Comparing that with software that's sold usurping the "right" to call home by means of an obfuscated EULA is the height of disingenuousness.

Re:Like the GPL?

[Knuckles]

AC said: "Have you ever tried to read the GPL?"

The GPL is not a consumer product license. In order to use the software you don't even have to agree to the GPL. Only if you distribute are you bound by its terms, and software distribution is a complicated topic.
Even so, when you compare it to proprietary EULAs, the GPL is entirely readable in its main parts. Furthermore, the GPL is not written in caps as most EULAs are (IMHO this obvious attempt at obfuscation alone should make EULAs unenforceable).

Re:Like the GPL?

[mrchaotica]

1. The GPL is much more understandable than any Microsoft EULA
2. The GPL is a distribution license. If you're doing anything that causes it to apply to you, you're no longer an "average consumer!"

Re:

[T.E.D.]

The GPL is a distribution license. If you're doing anything that causes it to apply to you, you're no longer an "average consumer!"

I'm not trying to pick on you, I've seen something like this said in a couple of places. However, it is simply not true. If it were, then no-one would be able to run the software (as the default in the US is "no rights").

However, it is true that the part of the license that applies to running the software is rather short:
"The act of running the Program is not restricted".

Your po

Re:

[Knuckles]

You should quote the whole sentence:

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted ...

Re:

[rainman_bc]

It seems to me that it is unethical to have a consumer product license that is unreadable/unparsable to an average consumer. The "madman" here would be anyone who thought that such nonsense was an enforceable contract.

The problem here is that courts have ruled on this in the past... At least in Canada, if you have the ability to read you can read the terms of the contract yourself or pay a lawyer to explain it to you.

Not being able to understand a contract is not grounds to get a contract thrown out...

Alt

Re:

[Anonymous Coward]

You chose to install the Windows Update ActiveX control, didn't you? And you clicked "I agree" when it told you it could send this info to Microsoft, didn't you?

Why yes, I did. And yes, I did agree.

So now, explain what that has to do with me telling WGA to not install, and not agreeing to allow it to send this information, and it sending it anyway. You are aware that contracts do have limits and only apply to the particular transaction, right? If I buy two cars from a dealership and agree to pay $300/mo

Re:So?

[rainman_bc]

You chose to install the Windows Update ActiveX control, didn't you? And you clicked "I agree" when it told you it could send this info to Microsoft, didn't you? So why would you be angry when it does exactly that? Perhaps people need to read the licensing agreements they agree to before agreeing to them, instead of just clicking "yes, I agree" like a madman.

Okay, despite your trollish comments, I'll bite.

1. WGA != Windows Update. RTFA.
2. Has the validity of an EULA ever been tested? AFAIK, an EULA cannot violate your privacy rights, even if you sign those away. Argue as you like, statute always trumps contracts.
3. Microsoft releases an OS that's broken and tells you the only way they'll fix it is if you'll subject yourself to their privacy terms. Not freaking cool. My copy of Windows is paid for, but that doesn't mean I want them invading my privacy.

Ever installed XP without any service packs? Do you know how many minutes it takes before the machine is pwn3d? IMO that's not a functional OS any more.

Ever tried getting that refund from your hardware manufacturer for the part of your purchase that went to Microsoft? It's a freaking pain in the arse, and one where you have to usually drag a vendor to small claims court to get your money.

Re:

[ari_j]

The difference is that you can directly install a new, fully patched version of Apache. You can't directly install a fully patched version of Windows. Instead, you have to install what you have on CD, which will at best be the most recent service pack not including patches released since then but is more typically an older service pack or the original version of the OS, and then patch it while it is running. When I install, for instance, Debian's 'stable' distribution, I have the option of doing so using

Re:

[Junior J. Junior III]

Nope, I tried reading the agreement, and even that doesn't disable the WGA phone-homing. Back to the drawing board! I'm guessing I'll have to set up a rule on my firewall if I really want to stop this traffic...

Re:

[HermMunster]

Their active x control installation has nothing to do with the WGN installation and the cancellation of it. The "activex" control is just the tool that allows them to invoke the WGA process. Even if you agreed to install it, you didn't agree to let Microsoft (via the cancellation of the installation of a different program) send information about your computer back to their location. When you choose to cancel you choose to NOT allow them to collect and redirect that info to their location. That's the pur

Re:So?

[spun]

You posted a short, one word post with no information content and an inane question in order to get first post. Mods love to bitchslap anyone who does this.

The question "So?" is redundant because it doesn't need to be asked. If you feel this isn't an important issue, explain why you think it isn't important.

Software that sends personal information about you back to its master when you say you don't want to install it is generally considered spyware.

I see your "So?" and raise you a "Because!"

Re:So?

[whargoul]

Yeah, and?

Re:

[Flibz]

Nice response....

Plus, on this occasion I thought "So?" was a reasonable response too.

It's not sending personal information, so I'm assuming it's tracking pirated keys stats or something, for which you can't really blame Them (ooh no, not Them!).

But it's good to bash MS anyway...

Re:So?

[Runefox]

I AM a mod, you insensitive clod!

Re:

[ColdWetDog]

When asked by heise Security, Microsoft merely stated that it collected DATA ton improve the quality OF the WGA for users. Part OF that process, the vendor said, which knowing where the user cancel LED setup. Ton of COUNTs reliably, the GUID is used, though Microsoft says the user is emergency identified. Microsoft says that the OTHER DATA transmitted ton talking moon contain information about the version OF Windows used and the LANGUAGE and more whether the machine is registered in A domain. Microsoft did

Re:Holy cow, this is Bad

[MightyMartian]

I am no lawyer, but this seems very similar if not the same as wiretapping.

You're right. You're no lawyer.

Re:

[Opportunist]

Spyware isn't illegal in most countries. Actually, given the amount of Spyware being used by many not so shady corporations, I'd be surprised if it was.

As long as you are informed (usually in about 100 pages of legalese)...

Re:

[Iphtashu Fitz]

Probably got modded as a troll by somebody who works at/for Microsoft.