Microsoft Sued Over WGA
Hope Thelps writes "The Seattle PI is reporting on a lawsuit being brought against Microsoft in response to their WGA spyware. Groklaw is also covering the story. Although there are a lot of similarities to Sony's rootkit, the actual harm done is less concrete. It'll be interesting to see how this turns out."
Got tired of waiting for this to happen.
Sued by the same moneymonger who sued Sony.
whoopie, M$ loses and donates another $1,000,000.00 worth of software to some high school system or third world country as retribution (at a cost of about 35 cents to the evil empire).
win or lose this will deter Microsoft from using wga to shut down any unlicensed (or otherwise) computers...for a while at least.
In the case of Windows Updates, I would argue that it is even more out of the user's control. For a lot of malware, you have to click "yes install" at some point. For Windows Updates, the recommended state is to "automatically download and install in the background." In theory a user could examine each and every update to figure out what they all do, but in practice the actual purpose of each update is heavily obfuscated. Worse yet, in the case of WGA, once you allow it to install (it seems innocent enough at first), it is used against you to force further installations.
Frankly the tactic Microsoft is using in their updates is not ethical. Everyone is told to do their Windows Updates (for security reasons), and Microsoft is exploiting this to slip in some other software that the user does not necessarily need. Worse yet, this software sends back information to Microsoft HQ without user permission. If this does not count as spyware, I don't know what does.
I hope this lawsuit makes Microsoft wake up to the illegitimacy of their tactics.
Is '... in response to their WGA spyware' really necessary? Provide the information and let the readers make up their minds.
How is this different from how people normally get spyware? With the default configuration of your browser you go to some website that you (probably wrongly) trust, and something is installed on your computer without your knowledge. In this case, it's the default configuration of Windows, and the "website" is Microsoft. You could argue all you want that you should have turned off ActiveX/not installed Flash/used Firefox instead of IE, but that doesn't prevent it from being spyware, so how does the fact that this is Windows Update change anything?
A mouse is a device used to point to the xterm you want to type in
1. WGA communicates with Microsoft HQ. The information transferred may or may not be 'sensitive' but this could be considered an invasion of privacy.
2. Any program that uses up system resources without performing a task explicitly requested by the user is harmful in the sense that it slows down the computer. This is one of the main complaints with spyware/adware: they slow down your computer for no purpose (or at least no purpose that you, the user, are interested in).
3. WGA appears to effectively give someone else (specifically Microsoft) control over your machine (for instance the recently announced "remote shutoff" function). To the user, a program that limits their control of the computer (and gives someone else more control) is harmful. Note that the argument "but Microsoft would only shut off illegitimate versions of Windows" doesn't make any difference. Even if that's true, there is still a loss of control for the user. This is harmful to the user.
To the same extent that any other piece of so-called "spyware" is harmful (installed in a tricky way; sends info back to some company; wastes CPU cycles and disk space; etc.), WGA should also be considered "harmful."
The problem with WGA is that it is not an update, security-patch, or feature upgrade. It does *nothing* for the user, and only installs in order to give Microsoft more control/leverage over your machine. From the user perspective, it is a net negative, hence harmful.
What peeves people so much about WGA is that MS pushed it out as a Critical Update, meaning that all machines with Auto Update install it without prompting. It is undeniably not a critical security update and to make matters worse it phones home. After taking some heat, MS then conceded that the installation of WGA will be optional (if by optional you mean selectively blocking some non-critical updates). It's still being pushed, but you don't have to install it. For those of you with your less than legit copies worried about not receiving updates, you can always download third-party update packs if you don't mind a bit of a delay. Not necessarily a bad thing considering that MS has been known for having to patch their patches. I'm not an MS fan, but not a huge hater. Just a strategically stupid time to ramp up WGA after the whole rootkit fiasco.
Comments like these are getting somewhat annoying on Slashdot these days. Every time Microsoft does something bad or some fault in Windows is found, somebody has to stick their hand up and say "We should all just switch to Linux". As much as I like Linux, this is like saying "we found some minor fault with apples so we should all just eat oranges instead".
Linux is not a viable replacement for Windows in all situations (especially on the desktop), if it were then it would have been coming preinstalled on home machines for a while now. The zealots can make all the excuses they like: "you can play your Windows games with Wine", "ogg's are so much better than mp3's", "nautilus is way easier to use than explorer", etc, but Windows does do many of these things better. The average Joe wants his computer to just work, and while Linux is getting better all the time Windows is still leaps and bounds ahead in many areas. I'm running Fedora Core with Gnome at home (cue "my distro is better" statements). After doing an install I have to do extra work to get proper support for my NVidia card and be able to play mp3's (both of which required using a console). If I run a KDE app it takes about 5 times as long as a Gnome one to load. I understand the reasons for these and other problems (most of which are not directly the fault of Linux), but how do I explain this to Joe Average?
Even though I am capable of setting Linux up as a desktop system (I'm doing a Masters in Computer Science), I use WinXP as a desktop system and Linux for working on my Masters. That way I don't have to jump through hoops to play the few games I have, share files over a local network with my flatmate (who is also running XP) and run audio software like Soundforge and Acid. Why should I piss around with configuration files, downloading drivers, crossing my fingers and hoping apps run in Wine or putting up with half-pie open source attempts when Windows does all this flawlessly?
Part of the problem is Microsoft's market share; why should people switch to an unfamiliar Linux environment when they and everyone else they know are already using a perfectly good operating system? The geeks may have a problem with the various DRM features of Windows, but the average Joe (the same guy who thinks downloading Bonzi Buddy is a good idea) doesn't give a shit. I think that whether we like it or not, Linux is a geek's operating system and Windows is for all those who just want a computer in their living room for browsing teh interwebs, reading email, watching movies and burning CDs. People (in general) aren't going to stop buying Windows and switch to Linux because of this, just like they didn't stop buying Sony CDs after the rootkit fiasco. It doesn't make it right and I would like to see companies like Sony and Microsoft be taken to task properly over shit like this, but I don't see it happening and I certainly don't see Linux being the answer, at least not yet.
In other words, false positives. Also, doesn't it phone home every day or something? You'd think you'd only need to check once.
Want a high quality FOSS RTS game? Try Warzone 2100!
No... you cannot change from a Corporate key to a consumer XP key without reinstalling the OS. We installed XP Professional (Corporate version) whenever we had a hard drive crash or virus infection on our office PCs, and frankly (and quite stupidly), did not even hold onto our original installation media or CD Keys for XP Professional ("consumer"). Now, Microsoft is forcing us to purchase Windows XP a second time for all of these workstations through WGA, which *does* make Windows take longer every day to log on, while it displays nagware. Frankly, I am in 100% agreement with the lawsuit. Microsoft didn't disclose squat, and left everyone to believe that this was a "critical update". If downloading a patch from MS website, they did post a link to some "independent" German company certifying that WGA doesn't disclose personally identifying information. It is not too difficult a task to identify workstations from their IP address, especially when static. Microsoft must not have heard of Traceroute. So, this is just another crock. Anyhow, we are now just paying Microsoft twice for about 18 of our XP installations. We just can't have our stations slowing down, and telling our users they are running pirated software. Without the original CDs and Keys, we can't prove that we purchased the software already. And unremovable software that takes over your computer places the onus directly on the consumer. It was a remarkably clever way to double-charge us.
They might mod me down troll/redundant, etc, but what the hell!
I ran a Windows/Linux machine and switched to Mac a year and a half ago. Since then, I've never looked back. Specifically, I don't have to deal with a company that has contempt for me and treats me like a criminal. Since OS X will only run on Macs, Apple doesn't have to worry about piracy, license keys, etc. What's more, I can run several Linux distros within the Parallels emulation software.
The only thing that sucks is I'd like to run my old games, but that would require Boot Camp, and with XP I need to register online. If I run Windows, I want to do so offline, full stop.
This space left intentionally blank.
I wouldn't have a problem with WGA if it were flagged as anything other than "critical". This update is not critical in any respect other than Microsoft's bottom line, and this is where Microsoft pisses me off.
If MS wants to make WGA validation required for any updates that add features (WMP 11, DirectX 10, etc), then I'm all for it. They add something to the product, they get to pick the terms under which they make it available to existing users. It's not in line with the free software philosophy, but it is reasonable from any perspective that recognizes private property. In this case, they deliberately add an applet that may drastically affect the operation of the machine through no fault of the user, and they introduce with what I feel is a deceptive inducement. If they threw it under the sections for optional updates with a note that it must be installed before any other optional update, I would blow this article off as random anti-MS zealotry. This is completely contrary to the interests of fair, honest, and clear communication with their end users.
Of course, it merely highlights the fact that clear communication about their products is not a priority, and money is. If this causes enough monetary loss then maybe WGA will lighten up a little (I'd never go so far as to suggest it would go away). Somehow, I have my doubts.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
All that would be true if the software could correctly identify a pirated copy of Windows with zero false positives. Even ignoring the difficulty/impossibility of locking software to hardware without simultaneously allowing for the changes in the hardware that happen through normal use, there's the issue of Microsoft's competence. It's not like they haven't screwed up and locked legitimate customers out of their software before. Sure, there will be a patch (assuming they still support XP when it breaks--otherwise tough luck, buy the upgrade!). Sure, there's a number you can call (ditto). Murphy's law states that the problem will strike when you don't have time to jump through these hoops. So just consider that maybe, just maybe, life would be better for legitimate Windows users if they didn't have to worry about this sort of thing happening someday. Like if, for example, they bought software and the receipt was good enough proof that they weren't pirates.
BUT... step back for a second. Forget the fact that they're a mega-conglomerate. Forget the fact that it's some giant company who you think might be out for world domination, one PC at a time.
Instead, I think of it like this:
You create a piece of software (Those of you who say what about "Sourceforge" or "freshmeat", back off for a few minutes... we're not talking OSS right now, we're talking commercial). You want some level of appreciation. You want to make sure that when people pay the $XXX for the software you made (And let's face it, we're talking a BUSINESS here, not a charity - you'll charge however much is possible, to keep it selling and get as much profit as possible).
You also are not a bumbling idiot, you've used emule, bittorrent, google, and astalavista. You are, or know, that "Guy who has everything" for software. You've needed some minor piece of software, and could find / engineer a crack / keygen for it. You get it for free. If you DO have scruples, you know too many who don't.
So you want to protect your software from the evils of "Oh, I can get it for free". Without protection, a couple days and it's spread around the net. You protect it, congratulations, you've bought yourself a week before a serial / crack is released. SO you lock it down good and tight. And hey, if there's something people without scruples love, it's the idea that "They say we can't, so we'll prove them wrong!". Besides, according to crackers / OSS fanatics / the immoral, ALL software should be free, you should be doing this in your spare time, and hoping that you'll get enough donations to live off of if we don't pay for it! (Wait.... they stole the software, but expect the owner to live off of donations, while they're not paying for it anyways?!).
Solution: You use pre-packaged solutions to lock down your software, good and tight. It runs various checks against files for alteration. It might even dial home when run to make sure it's legit, disabling if not. Hell, I'd do it if I wrote still. Does that make you evil? NO! It means you want to protect your investment (Time, effort, energy, money, employees). But somewhere, somebody out there will find a way to defeat it. You've not bought "infinite protection", instead you've bought another month to come up with a better way of protecting your money (Goal here is to delay it as long as possible. Outright prevention is impossible, but delaying is entirely doable).
So you use software to dial home and verify authenticity, check itself and other files to make sure that they're running and not tampered with, restore each other if necessary, and quite possibly re-confirm that they're authentic from the dial home. Does that make you an evil beast who deserves to die? Hell no.
But wait, it's Microsoft. Oh, SCREW THIS! They're too big, make too much money, they're evil! Need to die. Who the hell do they think they are, trying to protect their stuff? They don't need the extra money, I feel good sticking it to them! Imagine, trying to make people pay for their stuff or make people feel bad for having stolen it.
THE NERVE.
... it's not even funny anymore (and I guess that's why there is a lawsuit). Yes, there have been false positives but I don't think that's the real issue. Especially the new WGA Tray notification is tremendously flawed:
- It claims to be an important security update, while it really isn't
- Hiding it on Windowsupdate is just a temporary workaround; it reappears and claims to be an important update with each and every single one of its frequent updates
- Once installed it cannot be uninstalled (only manually, you need quite some computer-skills for that)
- If you DO install it, the current versions phoned home daily, newer versions will 'only' phone home every day. Why do I have to prove to Microsoft this often, that my legally obtained copy of Windows is still legal? I don't remember agreeing to that when I bought my copy of Windows.
- WGATray.exe actually uses quite a lot of resources and did slow down my system's boot-up time. On every single startup it uses quite some CPU-time to perform its WGA check.
- It behaves like spyware! Microsoft doesn't clearly tell its users on Windowsupdate that this will steal system resources from them and that it will phone home to Microsoft constantly. Microsoft even calls it an important security update which it clearly is not, pretty much like a lot of other rogue software out there.

And Microsoft already plans to make WGA Tray Notifications even more mandatory than they already are (current plans involve that all other WGA-checks will automatically assume your copy of Windows is not genuine if you refuse to install the tray notifications and waste your resources on that).
Why defend a company that intentionally crashes your computers? It just doesn't make sense. If Linux was written so it automatically crashed based upon the whim of some marketing moron, we'd all avoid Linux, but when Microsoft intentionally crashes systems the idiots come out of the woodwork to defend them. Why defend them?
Maybe Microsoft is secretly paying this law firm as a way to combat these damn software companies who think they can install whatever they damn well please on people's machines.
*coughs* AOL *coughs*
So why not, maybe it would cost them less money to hire this firm and pay them off than to create 10 new patches because of exploits. Now we could say PI v Microsoft basically making it illegal to not show you software package ingredients. There are laws created all the time by way of the judicial system and I hope this goes all the way to the US Supreme Court and becomes federal law.
To me this is a major violation of privacy which is already being diminished away by big brother.
the actual harm done is less concrete
Oh yes it is. I don't understand this thinking. Why, "harm" has to mean something really tangible, like breaking a leg or something? I think not. The harm here does not cause some physically conceivable defect - yet. But thing is, they did not tell the people what this WGA does (i.e. calling home every so often), they just told it when some people have found it out. Ok, I know how EULAs work, and how they probably could prove in court that they have every right to change their software as they see fit, still, when it is about using our computers to send _any_ information to _anyplace_ without asking us first, or if not asking then at least telling us about it, is just outrageous. I don't care what they send, I don't care how much or how small amount of information is in it, I don't care who they send it to, it just should not happen without asking us and letting us approve or disapprove the action.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
99% of what most people want to do with a computer these days can be done with a web browser, email client, media player and office suite. All of these exist under Linux, and most end user distributions set the system up well enough that they wouldn't need to hunt around in order to do them. Understand that your usage patterns exceed those of most users. Given your level of experience, Windows may indeed be easier for you. For me, the opposite is true but everyone has their preferred environment. The fact is, most people wouldn't really see much of a difference as long as they were able to use a web browser and send/receive their email.
The reason this question keeps coming up is of course obvious; Microsoft is using their clout to push further restrictions on the consumer. The average Linux distribution is not subject to these restrictions, so it is in fact a way out. I think Microsoft's actions are great myself, as I'd be perfectly happy if it was impossible to install pirated versions of Windows on PCs. Many people will find this not so great however. For them, I'd be more than happy to offer the option of using a completely Free system.
GPL: Free as in will
So what will be the outcome of such a lawsuit? Perhaps MS will pay a fine, the suing parties will be happy. But if you want to keep using Windows, you'll still need the WGA 'critical update'. Worse, I don't think the lawsuit is going to prevent future WGA implementations. Regardless of the outcome, the next version of Windows will have something similar to WGA installed from the start. There will be a paragraph in the licence agreement when you install your (legal or illegal) copy of Vista that the software may be contacting other computers etc etc without explicit user consent etc etc and you hereby agree etc etc. People aren't going to read it, but they'll hit the "I Agree" button. No grounds for a new lawsuit. With Windows, you're stuck with WGA. Take it or leave it.
assignment != equality != identity
If you can execute the software on your hardware without taking the action of copying the software into your computer's memory (and remember, copying is the basic right granted to the creator of a work by copyright, hence the name), you might have a point there. As it is, Microsoft grants permission through a license to do the copying that's required to run the software. It's their position that you own a single copy of the software on the physical media it was sold on. The fact that you need to copy it for it to be of any use to you is the whole basis for the EULA.
Now, you may argue that the copying needed to execute software once you've paid for it is noninfringing under Fair Use, and that you're legally free to use the software however you want without a license at all, but I don't think you'll find much case law to back you up at the moment.
You can probably also bet that if courts did start ruling in your favor, Congress would move quickly to close what they'd call "the fair use loophole" once the BSA's lobbyists made a few phone calls.
Don't blame me; I'm never given mod points.
so in other words, in order for them to continue to provide a service to you,
Allowing me to update the software so that it behaves the way I had a reasonable expectation to believe it behaved when I purchased it is arguably not a service. When security flaws allow attackers to take over my computer, one could argue that Microsoft would be negligent by not fixing the flaws.
you must have originally purchased the software in the first place?
I DID purchase the software in the first place, thank you very much. But it's a little grating to constantly have Microsoft demanding proof that I did. As another poster said, I don't appreciate being made to feel as though I'm a criminal.
minus problems with false authentication, etc, what's the issue?
It phones home, for one thing. Without telling you it's going to do it.
... So does Spybot(tm) search for this and destroy it yet?
In the mean time, until it does, I use ZoneAlarm to block WGA from having ANY access to the internet. Windows Update is happy 'cause it still sees it on my system and will let me install updates. But that little spyware can't write home... >:) (Well, I hope not at least...)
Seriously, though. It's because of crap like this that I don't have anything mission-critical on my Windows box. I use a Mac for important stuff. My Windows box is for games only, which basically is the only use I personally have for Windows (I'll try WINE later...)
If they own it, they can do anything that they want. Not you. The EULA is not about protecting your rights or even spelling out your rights. It is about protecting MS's rights, whether they are real or not. Like I said elsewhere, I suspect that this will lead to a court case where MS's rights (and all closed source code) will be tested. This case could have some major impact on society (and MS's plans).
I prefer the "u" in honour as it seems to be missing these days.