Slashdot Mirror


Recession Turning Software Auditors Into Greedy Traffic Cops

judgecorp writes "As the recession bites, software auditors are cracking down, and some are simply exploiting loopholes and technicalities to meet their targets, according to analyst Forrester. They may be within their rights, but they aren't endearing themselves to users; Steve Ballmer faced weary customers in London last year, and admitted Windows licenses have deliberate 'gotchas.'"

23 of 307 comments

  1. I just don't even open the door by GNUALMAFUERTE · · Score: 5, Interesting

    I don't use ANY proprietary software at my company. I own a software development company in Argentina. If I get an auditor (audits here are done by ARBA, the state-wide equivalent of the IRS in Buenos Aires) I just won't even open the door. Sue me if you want. I use NO proprietary software, and no one has any right to log into my servers or workstations (we have ~40 machines at our offices).

    Fuck them in the ass.

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?
    1. Re:I just don't even open the door by Quasar1999 · · Score: 3, Interesting

      Somehow, in North America, your mentality would be viewed as an admission of guilt, and they'd find you guilty of pirating software that quite probably hasn't even been written yet.

      We seem to have fallen into a guilty until proven innocent beyond any doubt (no matter how unreasonable) system up here... How's the weather down there? If you guys have cheap internet, I'm willing to emigrate...

      --
      Programming is like sex... Make one mistake and support it the rest of your life.
    2. Re:I just don't even open the door by GNUALMAFUERTE · · Score: 5, Interesting

      I agree with that. Actually, there are many screwed up views in the US about many subjects. Argentina is far from being a paradise. We are a mess in many areas, but we are much more free. I have many friends from the States (being a coder, you just make friends in all parts of the world), and I hear many talk about the land of the free. Freedom in the US is a scarce value. We are a lot more free down here. You can use drugs without the cops bothering you, people are not suing each other all the time, and you can actually live without a credit card, a bank account, and financial records. You can live in cash, without being chased, and just say "fuck the government, I want my own little Anarchy". If you leave everyone alone, and don't expect anything from the government, they have no way of bothering you. That's the way I choose. I stay out of their way, and they stay out of mine. Sure, if you are into the game, they will fuck you up. But if you decide to play alone, you stand a chance.

      About your questions, the weather is very nice, the place is beautiful (sort of European-looking, but with virtually unlimited natural resources, fewer people, lots of cheap land, and the best food in the world). About internet access, I'm paying 33 dollars for unlimited 3G access anywhere in the country [coverage is pretty good, I have signal everywhere, even outside the cities], and 42 dollars for a 4MB cable modem, which works pretty well.

      Cheers.

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    3. Re:I just don't even open the door by pclminion · · Score: 4, Interesting

      The civil justice system has NEVER been an "innocent until proven guilty" system. Unlike criminal justice, civil justice is about "preponderance of evidence." Roughly, this means that whoever's case is more impressive, wins. You don't have to prove anything, you just have to be more convincing than the other guy. And if you don't try to defend yourself? You lose by default. This isn't new. It's always been this way.

    4. Re:I just don't even open the door by Serious+Callers+Only · · Score: 2, Interesting

      Except it's stories like this that keep me from using any Adobe products and then recommending alternatives for any clients/friends/family when I can.

      Exactly. This doesn't come as a surprise given that the quality of their flagship products has been declining steadily over the last 10 years. I've used Photoshop since the 90s. I remember a time when Adobe came out with innovative software which was a pleasure to use. Simple but powerful. Now most days I curse them for some bug, horrible Windows-inspired UI, or bullshit Acrobat plugin their astonishingly low quality installers chose to give me without asking. Just the other day I had to manually install their 'Updater' program because it got into an endless loop of download/failed install, of itself! Their software really is low quality nowadays. Feels like Quark in the 90s all over again.

      Hearing that they are also suing their customers doesn't surprise me, and confirms the feeling that soon I'll be looking for other software to perform image editing tasks which is not user-hostile, overpriced and upgraded regularly just to screw over customers. There is already some of it out there which looks promising for my chosen platform.

      What would have been fair to the company in question would be to negotiate payment for the rogue licenses - I'm sure they'd learn their lesson and lock down the computers after that. Asking for millions is just money-grabbing and confirms my declining opinion of that company.

    5. Re:I just don't even open the door by Trahloc · · Score: 2, Interesting

      I'll bite. It's not that a company is enforcing their IP rights that annoys me. It's the fact that the customer had a multitude of legitimate licenses and then Adobe still goes for the throat. Strong-arming your customers into compliance I'm fine with; shiving them in the back is another thing though. If a client makes money off a piece of commercial software then the creator should be paid. We pay almost 20k/mo in licensing so these aren't idle words. But if you fall out of compliance, which is almost impossible NOT to do with the BS EULAs out there, the company shouldn't fleece you for all they can get. They should just let you know where you went wrong and help you reach compliance, since it's their own verbiage in a lot of cases that screwed it up to begin with. But this isn't the first story like this I've heard about from Adobe, so yes, I have a small campaign against them, helping direct people towards FOSS alternatives or lower cost 'good enough' applications.

      Heck just this morning I directed family away from paying to activate their Office trial that came with their laptop and told them to use OpenOffice instead. Adobe is just one amongst a number of overgrown companies I try not to support.

      --
      The Goal: A long simple life filled with many complex toys.
  2. Re:What rights? by pclminion · · Score: 2, Interesting

    A motion of discovery ON WHOSE BEHALF? Dude, I WISH it worked like that. I'm curious what the fuck my neighbor keeps doing in his garage at 3:00 in the morning. I'll just go down to the courthouse and get a court order to search his home, right?

  3. Ernie Ball by bmo · · Score: 5, Interesting

    I'm sure that Sterling Ball over at Ernie Ball (guitar string manufacturer) is sitting with a big grin on his face every time he reads something like this.

    For those who forgot:

    http://news.cnet.com/2008-1082_3-5065859.htm

    In 2000, the Business Software Alliance conducted a raid and subsequent audit at the San Luis Obispo, Calif.-based company that turned up a few dozen unlicensed copies of programs. Ball settled for $65,000, plus $35,000 in legal fees. But by then, the BSA, a trade group that helps enforce copyrights and licensing provisions for major business software makers, had put the company on the evening news and featured it in regional ads warning other businesses to monitor their software licenses. Humiliated by the experience, Ball told his IT department he wanted Microsoft products out of his business within six months. "I said, 'I don't care if we have to buy 10,000 abacuses,'" recalled Ball, who recently addressed the LinuxWorld trade show. "We won't do business with someone who treats us poorly."

  4. Re:Greedy traffic cops? by LostCluster · · Score: 4, Interesting

    In the town next to the one I sit in... there's an old police officer who has a "quota" of traffic fines he needs to collect in the budget. Miss his income number, and he's unemployed. The budget number is public record and appears as a separate line item in the official budget. He's authorized to put up a "Speed Limit 30" sign at any intersection because that's the state law at all intersections, marked or not.

    Now, on the way out of this town, there's a highway interchange. That's an intersection, but the state highway people don't want you going as slow as 30 miles per hour there... you won't be up to 55 on the short ramp to the highway if you do. So they've rigged this intersection with enough signs that the traffic officer is locked out... if he puts his sign up, it's not properly displayed because it's either blocked from view or too far from the intersection. He still writes tickets there, and if you take him to traffic court you can get it kicked. He's hoping you confess or just send in the check. There's even a state website where you can pay your fine with a credit card.

    If enough people do get his tickets kicked, he'll be done.

  5. Castle Doctrine? by Anonymous Coward · · Score: 1, Interesting

    My company has guns on the premises (we do some cool stuff for the government).
    I just wonder, does Castle Doctrine work for companies (California)?

  6. What about this? by pclminion · · Score: 4, Interesting

    Suppose I'm a healthcare company. Software auditors show up at my door, waving contracts in my face. I let them in. They insist that they must inspect ALL machines running, say, MS Office. Some of these machines contain sensitive health information for ten thousand patients. I have now committed 10,000 willful HIPAA violations, and could go to jail, in theory, for up to 10,000 years (maximum jail time for willful but non-malicious breach is 1 year per instance).

    Or what about SarbOx? Any possibilities for violation there?

    I think a strong case could be made that if you are a HIPAA covered entity who uses software which is subject to such agreements, and you abide by the agreements, then you are committing a felony. Thus, using Microsoft software is a felony. QED

    1. Re:What about this? by cfalcon · · Score: 2, Interesting

      I'm pretty sure you would explain the situation to the auditor, and they would find a way to check that you are in compliance without actually having access to the data you are legally obligated to protect. There are TONS of places that can't just go pushing their data around willy-nilly; some have customer data that personally identifies them. Others are running a classified network. Whatever your cause is, I'm sure they can find some way to verify that you are using their stuff with licenses without, you know, making you go to JAIL.

      Note that these folks will actually come TO you, physically. It isn't like some stupid crap where they think that "user=thief" and they require you to go on the internet and phone home every day.

      I'm not defending the BSA and their enforcement regime, just pointing out that they don't behave like subrational drones as companies often do with the general public.

  7. Re:Nor are you a monopolist by Lemming+Mark · · Score: 2, Interesting

    Heh, that's certainly true too! I've been thinking a lot recently about whether predatory / monopolistic behaviour is *ever* a good idea. It seems to me it's only ever a good plan in the relatively short term. In the end, trying to squash the market under your weight rather than swim in it is always going to result in disloyal customers, faster moving competitors and loss of market position.

    I'm not sure there's a way of avoiding the eventual progression of successful company -> bureaucratic monster -> innovation-averse nuisance. But I do think that it's a slide worth fighting; it just needs management to have a *really* good sense of the big picture and to be able to make a case for doing the right thing, as opposed to chasing immediate profits or serving short term investors in the company.

  8. The article was actually nice. by tjstork · · Score: 1, Interesting

    The submission made you think that Microsoft was being evil, but the article, if you actually read it, really did do the incredible thing of making Ballmer seem like a reasonable, almost likable guy. To wit, we have the same argument about the tax code in the USA. We should just have a flat tax, many people cry out, which makes sense, because you kind of want everyone working the same number of days per year to satisfy the government. That's fair. But the devil gets in the details. Renters don't mind getting rid of the exemption on mortgage interest but want a greater personal deduction. Owners want bigger interest deductions. Married people want their break to be the same as unmarried people and then want additional breaks for kids. Businesses want tax breaks on anything they can get. We actually came fairly close to having a nearly flat tax in the 1980s, but then even Republicans were arguing to get rid of it. There is never going to be a flat tax, or flat licensing, or anything else. It's just going to get even more complicated. Ironically, even the GPL, which governs something that you don't have to pay for at all, gets longer every year, trying to nail down every possible angle.

    So, to summarize, Ballmer actually hit the hammer on the head in the article, people ask for simplification, but really, they want things to be complicated.

    --
    This is my sig.
    1. Re:The article was actually nice. by MightyMartian · · Score: 5, Interesting

      B.S. Nobody wants Microsoft licensing to be that complex, except the SAM contractors and other licensing Nazis that Microsoft and a good chunk of the proprietary software world has let loose upon us all.

      I had a SAM review last February and March, that started with a letter from a Microsoft "partner" (read: contracted henchman) that, once you got past the bullshit about them being here to help me, was clearly a software audit.

      I was given 30 days (with an extension if I needed it) to put everything together. That part wasn't too bad. We had largely inherited the licenses from the firm that we had taken over, and it was a bit of a mess. Of our three copies of Server 2003, one was an inherited Small Business Server 2003 OEM edition that I had applied the Transition Pack to in order to turn it into proper Server 2003, one was an OEM copy of Server 2003 R2 bought by us, and one was a Server 2003 that we had inherited, purchased through Software Assurance. As well, there were about 15 Office Pro licenses, as well as 13 or 14 Office OEM copies sold with the Dells that we had inherited. On top of that, I had a backup server running Windows 2000 Server, plus CALs both purchased by us and by the people we had bought everything from.

      I first smelled trouble when they asked me to verify that 22 of our workstations (all running OEM copies of XP) were not running Office (they were running OpenOffice). I found the question more than a little accusatory. Then came the seeming inability for them to count CALs. At one point they had us in the red 15 CALs, despite the fact that I had invoices, both of my purchases and of the previous organization's, showing the CALs. This literally went back and forth for two weeks, until finally I had had enough, and sent off a very angry email to the contractor accusing him and his "team" of severe arithmetic disabilities, and explicitly using the phrase "you are harassing me".

      Then, as if unwilling to declare defeat, they came back with a final number of -5 Server 2003 CALs, because, and get this, though I had enough CALs to cover everything, I hadn't bought this 5 CAL pack via Software Assurance, and wasn't permitted to use it as a User CAL on the Server 2003 machine installed via the single copy of Server 2003 bought via Software Assurance. I sent back a very angry letter, CCed to my manager, asking them if they seriously thought that I was going to pay $150 bucks again for CALs I already owned, because I bought them from a reseller as opposed to Software Assurance. I think at that point they got the hint that they weren't going to be getting any money out of us, and sent back a letter saying that as long as I agreed to change them into Device CALs, I'd be in the clear with them.

      Now, I guess from one perspective one could say that we got off in the end, we were totally legit. But this probably consumed about $500 to $700 of my wages (my employer's money) on pointless back-and-forths as they tried to probe to find any way to make money off of us.

      At this point, we are looking to abandoning Microsoft, and indeed proprietary software wherever we can. It won't be easy, and it won't always be pleasant (though it can't be any worse than the three weeks of hell that happened when we bought new Dell workstations with Vista). We're stuck with Exchange-Outlook for the medium term, but should have enough licenses to cover a small expansion that may be happening in a year. But all the new file servers are running Samba, we're set to expand OpenOffice installs, and while Office 2003 will be around for a while, there will be no upgrades to later versions, save as we replace workstations. The long-term plan is to roll more and more server operations on to open source solutions, with a set goal that when we hit 95% of our Exchange CALs, we will take the plunge and go with an open source groupware solution. I don't anticipate that we will ever be Microsoft free, but we can certainly reduce our footprint, and our exposure to the nonsensical and self-serving whims of Micro

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
  9. Re:Boy, that's TV Law... by pclminion · · Score: 3, Interesting

    No, I think what would happen is that they can just look at the OS, without looking at the data running in the OS. Thus, they can get a license count. But, if you won't give them one, then you could get sued, and be forced to give one, or rather, have some third party or even the local sheriff do the count with the understanding that the HIPAA data is implicitly protected because the exposure is to officers and appointees of the court.

    I don't think you understand exactly how draconian the HIPAA statute really is. A HIPAA covered entity may not disclose or allow the possibility of disclosure of protected health information to ANYBODY without the patient's consent. That includes sheriffs, court officers, and the President of the United States. It also includes other HIPAA covered entities! That's right folks, your doctor cannot tell another doctor about you, unless it fits a VERY specific set of circumstances. I've heard horror stories of nurses losing their jobs because they told other nurses vital information about a patient's care, and I'm not talking about gossip in the hallway, I'm talking about perfectly legitimate transfers of information for the patient's benefit. The statute is so broadly worded that you can be fined because you saved a patient's life.

    You would essentially have to get written consent from all 10,000 patients before anybody who is not themselves a HIPAA covered entity could so much as GLANCE at those machines.

    Now you might say, let's just declare ourselves to be HIPAA covered entities, and promise to abide by the law. Except it doesn't work that way. A person cannot choose to become a HIPAA covered entity. You must meet a very specific set of criteria, one of which is that you conduct electronic transactions (either billing or file transmission) regarding health care information. A software auditor simply does not meet the criteria.

    HIPAA is widely regarded as one of the most overreaching, destructive laws ever passed, with insane and unintended consequences. By the way, anybody is allowed to file a HIPAA complaint against any covered entity, even if they are not associated with either the patient or the health care provider. In theory, if I knew that some health care company somewhere allowed a BSA audit, I could file a complaint against them myself, and OCR would be compelled to investigate it.

    You really should read up on HIPAA. It's like a god damned nuclear weapon and it has the entire healthcare industry constantly quaking in their boots.

  10. Re:Easy solution. by Minwee · · Score: 2, Interesting

    Don't run Windows. "Software auditors" are just about unknown to users of any other platform.

    I think you meant "to users of any other platform where the hardware costs less than a car." Oracle, for example, has a long history of auditing its customers and only the most brain damaged among them would run it on Windows.

  11. Has anyone here ever tried reading a license? by jimicus · · Score: 3, Interesting

    Seriously, anyone?

    Part of my job description is making sure the company is up to scratch with their licensing. So I have to read the licenses - and I do.

    I have concluded that software licenses are written expressly to trip up customers. Even when they're relatively straightforward, they often contain clauses which would be considered absurd in almost any other commercial contract.

    For instance, the only license that allows you to roll out Windows using an imaging system (eg. Ghost) is one of the volume licenses - and for the most part they include a clause which states "You will buy a license for every PC-compatible computer in your organisation". Now you know why so few companies are taking Linux seriously on the desktop. I have no idea how enforceable such a clause would be, but I can't see many companies wanting to challenge Microsoft in court.

  12. Re:Easy solution. by stephanruby · · Score: 3, Interesting

    What is Red Hat thinking? Written notice? Microsoft doesn't always give notice, that's why its audits are so successful. At least during one incident reported on Slashdot, they didn't give any notice and just showed up with Federal agents and guns.

  13. Re:Easy solution. by kramerd · · Score: 2, Interesting

    Why is Microsoft Ireland research using pounds instead of euros?

  14. Re:Roasting chestnuts by cob666 · · Score: 2, Interesting

    Ernie Ball does a LOT more than just sell guitars. They have a very good reputation in the music industry for making a good product and (more times than not) a consistent product.

    This is a great warning to large companies like Microsoft and Adobe and also the BSA. But unfortunately, not every company is in a position to just drop an OS like Windows because of issues like user training, third party applications, business specific software that is only available for Windows, as well as client and vendor compatibility.

    I firmly believe that the BSA (Business Software Alliance) was granted way too much authority by Congress.

    --
    Do what thou wilt shall be the whole of the Law - Aleister Crowley
  15. Re:What rights? by tftp · · Score: 2, Interesting

    They have to show that the person who clicked accept was an authorized representative of the company (employee) and not an unauthorized user or cracker, and it is Windows, so good luck with that!

    They don't need to show anything because it is natural and expected that an employee of the company installed some software on company's computers. For example, you seldom need to prove to anyone that you are human.

    If you claim that somebody set you up the bomb then *you* need to prove that extraordinary claim. You need to make your evidence available (firewall and Snort logs, virus detection logs, meeting notes where you discussed the breach, etc.) You can't just wave your hand and have it all dismissed, especially if the company used the software on that computer for months or even years.

  16. Re:What rights? by tftp · · Score: 2, Interesting

    The purpose of the signature is to verify that:

    A) The person who the claimant says made the agreement is in fact the person who entered into the agreement

    The signature does nothing like that. You need a notary stamp, signature, a record in his book and your thumbprint there to certify your signature.

    B) The person who made the agreement was in fact in a position to make such an agreement

    The signature does nothing like that. It's up to courts to determine if you had authority to sign a certain document. If I sign a deployment order for the US Army it doesn't make me the President.

    If the person who signed it wasn't the defendant or legal representation thereof, no lawsuit.

    Unfortunately, if a company owns a computer then it is legally responsible for it, 100%. That applies to any company property, and even to your personal property somewhat.

    It doesn't change because you add a computer to the scenario.

    True. But consider this. Your company buys 10 tons of grain from a local farmer, and you send him the purchase order signed (with an illegible scratch) by "H. Bark". Your dog is called Happy Bark. The purchase order calls for Net 30, and you don't pay. The farmer sues you, and you point at your dog and say that you didn't sign anything. Can you get away with that?

    No, you can't. First of all, you accepted the delivery and made use of the product. That confirms your acceptance of the transaction. Otherwise you'd need to refuse the shipment, or at least contact the seller and attempt to return the product.

    Once you accepted and used the product, the farmer's side of the deal is fulfilled and he is right in expecting the money. You, on the other hand, received the product, used it, and you expect to not pay for it? The claim that "your dog did it" will only be seen as a further attempt to evade the payment, and you will dig yourself deeper into the hole.

    To summarize, a business is responsible for everything that happens to its computers. If software was installed illegally, you have several vulnerabilities:

    a) an employee of the company, acting as an agent of the company, broke the law. The company is responsible for its agents.

    b) the computer somehow got illegally installed software. The company proceeded to use that software, for profit and without pay. This demonstrates that the company was aware of the illegal act and supported it by not stopping the violation as soon as it learned about it.

    c) even if neither (a) nor (b) is sufficiently proven, the business is still at fault for having unlicensed software on its premises and under its control. The fine for that is about twice the retail cost, just what BSA usually charges, and the only evidence required to award that fine is the fact that illegal software was installed. As I read here, that's what BSA usually aims for, since it's the easiest violation to prove and the smallest fine to pay.