More MS EULA Fun

gray code writes: "The Register is reporting that Microsoft has placed an interesting wrinkle in the EULA of WinXP SP1 and Win2k SP3 that asks for the same remote admin rights as the Windows Media Player patch that raised such an uproar. I think I'll be leaving my Win2k box at SP2, thank you very much." Update: 08/04 15:05 GMT by T : Helix150 writes that a separate EULA for W2K's SP3 "contains this nasty bit: 'You may not disclose the results of any benchmark test of the .NET Framework component of the OS Components to any third party without Microsoft's prior written approval.' Hmmm..."

And if they didn't?

Microsoft is required to make this revision in their EULA in order for Automatic Updates to work. If it makes you wary (as if you actually use the OSes) then disable it. Control Panel > Automatic Updates > uncheck Keep My Computer Up to Date. (In Windows XP, the same thing can be found in the System configuration applet of the Control Panel.) Feel free to read the links on that property page to discover what Automatic Updates does, and in newer incarnations, Scheduled Updates.

I believe the fact that this is disablable makes it moot. Such functionality, I think, is almost required for any OS that will play the role of desktop OS. I personally haven't seen the behaviors that take place with Windows 2000 SP3, but Windows XP did alert me the first time it started and before it checked for any updates, permitting me to disable the feature entirely or select from a couple of notification options.

I'm not sure it is acceptable to assume that an end user will actively participate in the maintenance of the software on their system to ensure, above all else, security. Windows had the Windows Update icon sitting in the Start Menu since Windows 98, and it went ignored. As mentioned before, Automatic Updates was released as a part of Windows XP last October. It was also released as an individual update to Windows 2000 over a month ago.

And before we crucify Microsoft alone for including this "heinous" behavior, check Apple. Mac OS has performed automatic updating since Mac OS 9. I don't know about any other software, but I would love to see some form of update checking and/or installation method for servers, especially the variety that are intended to be installed, turned on, and forgotten, like email notifications or schedulable updates. I'd also like to see a move to create a standard through which updates can be propogated for any software. Some software already scan, like Adobe Acrobat Reader, Macromedia ShockWave, and I think QuickTime. If there were one place, maybe things could be more organized and more user friendly.

In any case, justification is pointless. I know people don't like the idea. But, it can be disabled, and if you don't like it, I suggest doing so and updating manually.

Re:And if they didn't?

[Pius+II.]

Bzzzt, wrong. The passage (as quoted from the article) is: "You acknowledge and agree that Microsoft may automatically check the version of the OS Product and/or its components that you are utilizing and may provide upgrades or fixes to the OS Product that will be automatically downloaded to your computer." With the automatic update functionality both in Windows 2000 and in Mac OS, you actively check if there are updates available for your system. This may happen through a cron job (whatever that's called in Windows), but it is your computer that checks. The new passage of the EULA says that _Microsoft_ may check _your_ computer, without your notice, and then "upload" their "fixes". This is, if you haven't noticed, the other way around. The automatic update can be disabled (it is on my working machine), but this? Since you gave _them_ the right to mess around with your computer, I doubt that you can disable this "push update". Furthermore, this may constitute a serious security problem: if MS can upload what they want on your system, some other people could do, too.

Re:And if they didn't?

In order for this to happen, our XP and SP3 computers must be listening on some port... AND inform microsoft of their IP on boot or at some other time. With any decent packetsniffing, it shouldn't be too hard to figure this out...

posting as AC because I just modded parent up ;)

Re:And if they didn't?

How is it that win2k is cheaper? $10,000 for an SQL server? and no, you can't get just anyone to work that. so you still have to pay someone a significant amount of money to admin it.

This must be another M$ person...

Re:And if they didn't?

[WCMI92]

"The issue you microsoft loving moron is the EULA does not say that by turning off the Auto updates they wont do anything to your system..

The EULA gives them TOTAL power of your computer no matter what you do short of taking away any connection between you and them.."

Who's to say that the next version of `Doze won't make IMPOSSIBLE to turn off "auto update", just as they have made it impossible in XP to (without a hack) to turn off or uninstall MS Messenger (which will bug you to get a Passport until you either DO, get rid of it by a hack, or throw a brick into your monitor).

I can see them doing just the same with AutoUpdate. Why not? The new EULA gives them the right.

Microsoft doesn't give a rats ass about patching defects. Indeed, history shows that they generally do so only when dragged into it kicking and screaming, as they have recently by the mounting embarassment and BAD PUBLICITY over their OS's many security holes.

They want everyone running AutoUpdate in the background for these reasons:

1. So they can slip in upgrades to fix embarassing holes without scruitiny (ie, the public knowing about the defect). This will reduce media attention.

2. So that they can slip in updated "activation" and key crap at will.

3. So that they can slip in DRMware whenever they feel like it. That is exactly what the recent Media Player EULA was changed to allow them to do.

Re:And if they didn't?

[WCMI92]

"I'm running windows XP and my MS Messenger never comes on becuase I clicked the setting to have it never come on unless I tell it to. And I did this without any type of "hack", it's in the options."

You can stop it from coming on and being VISIBLE in the system tray, or from bugging you about a Passport. But you can't stop it from loading without a hack.

You can't go into Add/Remove programs and uninstall MS Messenger.

Re:And if they didn't?

[Delphix]

True, and everytime you try to grab your mail with Outlook, Messenger tries to send something out as well...which I have NIS always blocking... I should install Ethereal and find out what it's sending out...

Re:And if they didn't?

[GrenDel+Fuego]

Interesting thought, though.. if they're installing updates automatically, they can't put EULAs into those updates. Does that imply anything concerning the usage of the updated software? (Do you get back the right to reverse-engineer it, for example?)

They can still put EULA's in the updates.

Say you have Windows Media player installed, and they release an update to your machine while you're not looking. The next time you run the program, it can pop up the EULA. You then have the ability to either agree to the new license, or still using Media player.

You'd be losing the ability to stick with the older version with a more acceptable EULA.

Re:And if they didn't?

[dogzilla]

> Gee that was fast, almost seems like u had it
> prepared.

I think it would be incredibly naive of us not to think that Microsoft doesn't have paid shills here on Slahsdot, ready at a moment's notice to spout corporate spin in response to anti-microsoft articles. God knows they've done it before. (I remember reading articles about how MS paid people to post negative messages about OS/2 on the support board on CompuServe)

MS probably doesn't care too much about the die-hard Linux/Unix/Apple folks on these boards, but I'm sure they realize that a lot of tech media tend to....shall we say "borrow" story ideas from here? And they definitely want to start putting their own spin on some of these issues right away. I'd say this is partly why we've been seeing so many rebuttals against the standard "MS sux" line we see so much of on here. (Some of those responses are actually valid - but it's easy to spot the shills: they're the ones who rely on misdirection to obscure the true issues, much like the first poster here has.)

Personally, I can think of few things lower than people who do this kind of thing. This is lying writ large, and selling yourself out in the most public of ways. But then, it's never too hard to finhd people with no self-respect to do your dirty work for you for a few bucks. Witness some of our fine elected representatives.

Re:And if they didn't?

[AJWM]

The only way will be for the client machine to initiate the connection.

Let's assume this is correct.

a.k.a. Automatic Windows Update (or some other memory resident application)

Some other memory resident "application" like the operating system itself, perhaps? Just tie the "call home and check for update" code to something that happens periodically but not too often -- booting, loading an app, opening a file, making a network connection, -- take your choice. Hardly a new concept, Microsoft apps already do this (IE, for example, on startup), but not very stealthily.

Re:And if they didn't?

[stinky+wizzleteats]

Nowhere did I see the Eula state "with or without your consent" either. Stop making stuff up.

Following is an excerpt from the Win2ksp3 supplemental EULA: (text bolded by post author)

The OS Product or OS Components contain components that enable and facilitate the use of certain Internet-based services. You acknowledge and agree that Microsoft may automatically check the version of the OS Product and/or its components that you are utilizing and may provide upgrades or fixes to the OS Product that will be automatically downloaded to your computer.

I don't know what "automatic" means to you, but according to my understanding of English, it seems to preclude consent.

Yes, it DOES have to do with the Windows Automatic Updates.

Then why is it not a supplemental EULA for auto-update, rather than the operating system patch? That this EULA change was made to the operating system service pack suggests that your interpretation of M$'s intentions are incorrect.

Further interesting is that the excerpt quoted above does NOT appear in the EULA to which you must agree to begin the download, but only in the EULA click box that comes up when you begin installing sp3. The preambles of both statements are identical, clearly demonstrating the intent to deceive the user.

You're assuming too much

[ObviousGuy]

Most people just click OK and are done with it. Microsoft never comes to pick up their first-born. The users just go about their business making money with Windows.

It's really only the people who are afraid of having their warez/MP3 collection deleted or who are pirating Windows itself that are afraid of these remarks in the EULA. Most users are not worried about those things because they have nothing to hide.

Re:You're assuming too much

[11390036]

The EULA states that they have the power to essentially seek & destory digital rights management circumvention techniques....

I don't think they are out to destory a persons personal files.

Why don't you have a look at the EULA itself, then make your judgements.

Knowledge talks, Wisdom listens

Re:You're assuming too much

[Datafage]

Actually, to a great extent, no. The Constitution does not solely restrict the government. If this were true, slavery would be perfectly legal as long as the enslaver was a private party. We certainly do have rights against corporations, not only freedom from slavery but also freedom of privacy and others. Keep that in mind.

Re:You're assuming too much

M$ never comes to pick up the first born? No, they take a limb with each upgrade cycle.

The users just go about their buiness making money with Windows? Hmmm, for most all of the money making parts of an operation there are OS replacements that work just as well. M$ rules the desktop because they support more GAMES than anyone else.

It's really only the people who are afraid of having their warez/MP3 collection deleted or who are pirating Windows itself that are afraid of these remarks in the EULA? Well, you are right that the Warez/MP3 collectin' copyright violators don't want M$ poking around on their computers. You forgot that there are some other folks who don't want M$ poking around too --- anybody who could be working on any product that could compete with any component of the M$ fiefdom for example.

Most users are not worried about those things because they have nothing to hide? Cool, can I come over and look at your checking account statements -- why would you want to hide them -- I promise I won't access your accounts. Can I have someone come on over an catalog your CD collection and then sell the list under the table to Columbia House record scammers?
Each and everytime someone claims that people who have nothing the hide also have nothing to fear, I flash back to the 30's, see the Nazi flag rising, hang my head and realize that the purpose of many people's lives is to plumb the depths of (repeat) stupidity.

Re:You're assuming too much

[Xenographic]

Almost everyone probably has -something- to hide. No, maybe not a porn stash or illegal copies of things, but most people have at least one thing they wouldn't want others to know about. An expectation of privacy isn't really that sinister. Heck, how many of you folks use envelopes instead of the (much cheaper to send) post cards? What? You don't want them all to be able to easily read your mail? Even though most postal carriers would probably never bother? What? You don't want to release your medical history to the world? Even though we often practically force presidential candidates & misc. other politicians to do so?

Besides, complacency isn't the answer. MS isn't currently collecting people's first-born; but reserving the right to would (and should!) raise a few eyebrows. It's not that I think they have sinister intentions right now, it's just that I don't trust them to come up with a way to profit at my expense... something not exactly foreign to them, according the to DOJ...

I don't think that they need that clause in the EULA to do what they want to do; all they need to say is that by using their updating software, you grant them the right to make certain changes to the system for the purpose of installing that software & that if you don't like that, you can just turn it off and prevent it from connecting to MS for updates, but that this may not be a good idea.

BTW, yes it really does bother some people to know that MS has a backdoor on their system, just as much as it would bother them to have sub7, netbus, or BO installed. While we may (think) we know exactly what it's doing, given MS' track record on security, it might as well be BO -- at least you can password protect an installation of that...

Just remember an old legal proverb: only a fool signs a contract because he thinks it's unenforcable.

Somewhat somplistic, aren't you?

[theolein]

I agree that most users never read the EULA anyway, which is their fault, but they might just read it if it were understandable. How about saying no to the EULA box and mailing Microsoft for clarification on what exactly the EULA means? Surely this is within one's rights as a customer, or is it against the law in the USA now (unpatriotic?) to ask to understand what the EULA is requiring of you?

I have no "warez" on my machine or MP3's for that matter, and I do use my Windows machine to "make money" but I don't think I want to allow Microsoft access to my computer for other reasons. The reasons include Microsoft changing the OS to a subscription model without my consent, Microsoft having access to company and private information which would constitue a breach of my and my company's privacy (small company, no corporate versions) and Microsoft modifying the OS to exclude me using competitor's software without warning me in advance.

I think this is a case for the EU commission on privacy and legality of contracts here in Europe. I don't know about the USA though (OI assume that obviously such contracts are legal in the USA).

Re:Way to fast, way to perfect

[mickwd]

Yes, (s)he does.

I would love to see some form of update checking and/or installation method for servers, especially the variety that are intended to be installed, turned on, and forgotten, like email notifications or schedulable updates."

Hmmmmm, so you're experienced at running servers, are you? And you'd love to see some organisation you know little about randomly updating your servers with whatever code they like, whenever they feel like it?

Are security and reliability really your top priorities?

Did you see the .NET clause?

[javajoe99]

Interesting if you saw if:

You may not disclose the results of any benchmark test of the .NET framework component of the OS Components to any thirdparty without Microsoft's prior written approval.

How about that, wonder what they are trying to hide? SP3 must contain some of the .NET framework stuff. I thought it was a seperate download, as it was BETA for W2k. No I know for sure I am not gona install this SP.

Script kiddies' wet dream

[ryanvm]

I think I'll be leaving my Win2k box at SP2, thank you very much.

I don't think the mainstream public really cares about what's in a EULA. Hell, I generally don't either. But just think of the implications of people refusing to install patches and security updates because they're accompanied by EULAs with bizarre "big brother" clauses.

Now, with that said did any of you bother to read the article? Here is the offending text:

"You acknowledge and agree that Microsoft may automatically check the version of the OS Product and/or its components that you are utilizing and may provide upgrades or fixes to the OS Product that will be automatically downloaded to your computer,"

A little sensationalistic to call this "remote admin rights" isn't it? Basically, this just gives them the legal legroom required to make their automatic updates feature work, which is a good thing. It means more patched machines out there - less of that Nimda shit.

Nobody's spying on your MP3 collection. There's nothing to see here, folks.

Re:Script kiddies' wet dream

[nagora]

Basically, this just gives them the legal legroom required to make their automatic updates feature work

It gives legal legroom for full admin rights since vague words like "upgrades or fixes" are a lawyer's wet dream. DRM is an upgrade in MS's view, deleting unauthorised mpegs is a fix to the MPAA. Are you going to argue?

TWW

Re:Forcing a contract is illegal.

Since when did talking about the subject at hand become "offtopic"? He brinks up good points. You may not agree with them. But this doesn't deserve to be "offtopic". The think that the person that rated this message offtopic is "OFFBASE".

Future EULAs

[GreyyGuy]

If this automatically downloads and installs future patches, does this mean that you do not have to agree to any new EULAs? Since you won't be clicking "I agree" on them, do they count?

Here's the real problem - updates without Update

[Animats]

The real question is whether this license allows Microsoft to do things to your machine even if Windows Update is off. (Obviously, you don't want to run Windows Update on any machine doing anything important. Microsoft has slipped up in the past and broken working systems.) One clause of the EULA applies only if Windows Update is on. But the next clause presents a problem:

• The OS Product or OS Components contain components that enable and facilitate the use of certain Internet-based services. You acknowledge and agree that Microsoft may automatically check the version of the OS Product and/or its components that you are utilizing and may provide upgrades or fixes to the OS Product that will be automatically downloaded to your computer.

Could this be construed to allow Microsoft to access your machine even with Windows Update off? Corporate users, especially sysadmins, should bring that clause to the attention of their attorneys. It's probably unwise for corporate users to install this update without obtaining legal advice.

Re:But it makes the firewall illegal, no?

[TyZone]

Microsoft has the right to do whatever they want on your computer.

Microsoft claims the right. There is a difference between them claiming it and them actually having it.

Trying to stop them is not only futile but also illegal.

They can put any provision they want into a EULA, and it doesn't mean squat until it's been challenged and upheld in court. Even if some dumb EULA provision is upheld after a court challenge, if you go against it, it's still just a violation of a User Agreement, not a violation of the law. It would be up to Microsoft to go after every single violator that they want punished. They can't get the gummint to enforce their contract except one case at a time.

Re:Remote Admin Rights?

[rseuhs]

This is typical of MSFT-apologists

"It's no big deal, everybody is doing it"

"No, Microsoft is the only who does [nasty things]"

"Then don't use it, geeez."

First of all, even if you only "go with manual updates" Microsoft still has the right to ignore all settings you made and install one update or another (DRM) anyway.

What will you do? Sue them?

Re:But it makes the firewall illegal, no?

[tijsvd]

It would be up to Microsoft to go after every single violator that they want punished

Nope, it would be the other way around. MS can do anything it wants to your computer, just by piggybacking it within some security update. Then it will be up to you to seek justice in court and to prove that EULA is illegal.

Re:But it makes the firewall illegal, no?

[kcbrown]

It seems to me that the EULA means that you're not allowed to block out their requests.

Sure you are.

The law says you have the right to do certain things with the copyrighted works you own, such as make backups for personal use, etc. But the copyright owners don't have an obligation by law to make that possible, and that's exactly the "loophole" they're using against us right now.

Well, we're just applying exactly the same principle to Microsoft: they may have the right to remotely perform installs and upgrades to your system, but you don't have an obligation to make that possible. By putting the appropriate firewalls in place, you're simply not giving them the technological means to do what they have a "right" to do.

Now, I agree that in practice it'll work out such that the big corps like Microsoft will have the right to do whatever they please and you won't have the right to do jack shit, but that's a different discussion...

Re:Slashdot being astroturfed? (offtopic)

Even more likely is that different system clocks are involved and there is some minutes of skew between them.