Slashdot Mirror
Recession Turning Software Auditors Into Greedy Traffic Cops
judgecorp writes "As the recession bites, software auditors are cracking down, and some are simply exploiting loopholes and technicalities to meet their targets, according to analyst Forrester. They may be within their rights, but they aren't endearing themselves to users; Steve Ballmer faced weary customers in London last year, and admitted Windows licenses have deliberate 'gotchas.'"
I don't use ANY proprietary software at my company. I own a software development company in Argentina. If I get an auditor (Auditions here are done by ARBA, the state-wide equivalent of the IRS in Buenos Aires) I just won't even open the door. Sue me if you want. I use NO privative software, and no one has any right to log in into my servers or workstations (We have ~40 machines at our offices).
Fuck them in the ass.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
A motion of discovery ON WHO'S BEHALF? Dude, I WISH it worked like that. I'm curious what the fuck my neighbor keeps doing in his garage at 3:00 in the morning. I'll just go down to the courthouse and get a court order to search his home, right?
For those who forgot:
http://news.cnet.com/2008-1082_3-5065859.htm
In the town next to the one I sit... there's a old police officer who has a "quota" of traffic fines he needs to collect in the budget. Miss his income number, and he's unemployed. The budget number is public record as and in as a separate line item in the official budget. He's authorized to put up a "Speed Limit 30" sign at any intersection because that's the state law at all intersections marked or not.
Now, on the way out of this town, there's a highway interchange. That's an intersection, but the state highway people don't want you going as slow as 30 miles per hour there... you won't be up to 55 on the short ramp to the highway if you do. So they've rigged this intersections with enough signs that the traffic officer is locked out... if he puts his sign up, it's not properly displayed because it's either blocked from view or too far from the intersection. He still writes tickets there, and if you take him to traffic court you can get it kicked. He's hoping you confess or just send in the check. There's even a state website where you can pay your fine with a credit card.
If enough people do get his tickets kicked, he'll be done.
Suppose I'm a healthcare company. Software auditors show up at my door, waving contracts in my face. I let them in. They insist that they must inspect ALL machines running, say, MS Office. Some of these machines contain sensitive health information for ten thousand patients. I have now committed 10,000 willful HIPAA violations, and could go to jail, in theory, for up to 10,000 years (maximum jail time for willful but non-malicious breach is 1 year per instance).
Or what about SarbOx? Any possibilities for violation there?
I think a strong case could be made that if you are a HIPAA covered entity who uses software which is subjects to such agreements, and you abide by the agreements, then you are committing a felony. Thus, using Microsoft software is a felony. QED
Heh, that's certainly true too! I've been thinking a lot recently about whether predatory / monopolistic behaviour is *ever* a good idea. It seems to me it's only ever a good plan in the relatively short term. In the end, trying to squash the market under your weight rather than swim in it is always going to result in disloyal customers, faster moving competitors and loss of market position.
I'm not sure there's a way of avoiding the eventual progression of successful company -> bureaucratic monster -> innovation-averse nuisance. But I do think that it's a slide worth fighting, it just needs management to have a *really* good sense of the big picture and can make a case for doing the right thing, as opposed to chasing immediate profits or serving short term investors in the company.
No, I think what would happen is that they can just look at the OS, without looking at the data running in the OS. Thus, they can get a license count. But, if you won't give them one, then, you could get sued, and be forced to give one, or rather, have some third party or even the local sherriff do the count with the understanding that the HIPAA data is implicitly protected because the exposure is to officers and appointees of the court.
I don't think you understand exactly how draconian the HIPAA statute really is. A HIPAA covered entity may not disclose or allow the possibility of disclosure of protected health information to ANYBODY without the patient's consent. That includes sheriffs, court officers, and the President of the United States. It also includes other HIPAA covered entities! That's right folks, your doctor cannot tell another doctor about you, unless it fits a VERY specific set of circumstances. I've heard horror stories of nurses losing their jobs because they told other nurses vital information about a patient's care, and I'm not talking about gossip in the hallway, I'm talking about perfectly legitimate transfers of information for the patient's benefit. The statute is so broadly worded that you can be fined because you saved a patients life.
You would essentially have to get written consent from all 10,000 patients before anybody who is not themselves a HIPAA covered entity could so much as GLANCE at those machines.
Now you might say, let's just declare ourselves to be HIPAA covered entities, and promise to abide by the law. Except it doesn't work that way. A person cannot choose to become a HIPAA covered entity. You must meet a very specific set of criteria, one of which is that you conduct electronic transactions (either billing or file transmission) regarding health care information. A software auditor simply does not meet the criteria.
HIPAA is widely regarded as one of the most overreaching, destructive laws ever passed, with insane and unintended consequences. By the way, anybody is allowed to file a HIPAA complaint against any covered entity, even if they are not associated with either the patient or the health care provider. In theory, if I knew that some health care company somewhere allowed a BSA audit, I could file complaint against them myself, and OCR would be compelled to investigate it.
You really should read up on HIPAA. It's like a god damned nuclear weapon and it has the entire healthcare industry constantly quaking in their boots.
I think you meant "to users of any other platform where the hardware costs less than a car." Oracle, for example, has a long history of auditing its customers and only the most brain damaged among them would run it on Windows.
B.S. Nobody wants Microsoft licensing to be that complex, except the SAM contractors and other licensing Nazis that Microsoft and a good chunk of the proprietary software world has let loose upon us all.
I had a SAM review last February and March, that started with a letter from a Microsoft "partner" (read: contracted henchman) that, once you got passed the bullshit about them being hear to help me, was clearly a software audit.
I was given 30 days (with an extension if I needed it) to put everything together. That part wasn't too bad. We had largely inherited the licenses from the firm that we had taken over, and it was a bit of a mess. Of our three copies of Server 2003, one was an inherited Small Business Server 2003 OEM edition that I had applied the Transition Pack to to turn into proper Server 2003, one was an OEM copy of Server 2003 R2 bought by us and one was a Server 2003 that we had inherited, purchased through Software Assurance. As well, there were about 15 Office Pro licenses, as well as 13 or 14 Office OEM copies sold with the Dells that we had inherited. On top of that, I had a backup server running Windows 2000 server, plus CALs both purchased by us and by the people we had bought everything from.
I first smelled trouble when they asked me to verify that 22 of our workstations (all running OEM copies of XP) were not running Office (they were running OpenOffice). I found the question more than a little accusatory. Then came the seeming inability for them to count CALs. At one point they had us in the red 15 CALs, despite the fact that I had invoices, both of my purchases and of the previous organization's, showing the CALs. This literally went back and forth for two weeks, until finally I had had enough, and sent off a very angry email to the contractor accusing him and his "team" of severe arithmetic disabilities, and explicitly using the phrase "you are harassing me".
Then, as if unwilling to declare defeat, they came back with a final number of -5 Server 2003 CALs, because, and get this, though I had enough CALs to cover everything, I hadn't bought this 5 CAL pack via Software Assurance, and wasn't permitted to use it as a User CAL on the Server 2003 machine installed via the single copy of Server 2003 bought via Software Assurance. I sent back a very angry letter, CCed to my manager, asking them if they seriously thought that I was going to pay $150 bucks again for CALs I already owned, because I bought them from a reseller as opposed to Software Assurance. I think at that point they got the hint that they weren't going to be getting any money out of us, and sent back a letter saying that as long as I agreed to change them into Device CALs, I'd be in the clear with them.
Now, I guess from one perspective one could say that we got off in the end, we were totally legit. But this probably consumed about $500 to $700 of my wages (my employer's money) on pointless back-and-forths as they tried to probe to find any way to make money off of us.
At this point, we are looking to abandoning Microsoft, and indeed proprietary software wherever we can. It won't be easy, and it won't always be pleasant (though it can't be any worse than the three weeks of hell that happened when we bought new Dell workstations with Vista). We're stuck with Exchange-Outlook for the medium term, but should have enough licenses to cover a small expansion that may be happening in a year. But all the new file servers are running Samba, we're set to expand OpenOffice installs, and while Office 2003 will be around for a while, there will be no upgrades to later versions, save as we replace workstations. The long-term plan is to roll more and more server operations on to open source solutions, with a set goal that when we hit 95% of our Exchange CALs, we will take the plunge and go with an open source groupware solution. I don't anticipate that we will ever be Microsoft free, but we can certainly reduce our footprint, and our exposure to the nonsensical and self-serving whims of Micro
The world's burning. Moped Jesus spotted on I50. Details at 11.
Seriously, anyone?
Part of my job description is making sure the company is up to scratch with their licensing. So I have to read the licenses - and I do.
I have concluded that software licenses are written expressly to trip up customers. Even when they're relatively straightforward, they often contain clauses which would be considered absurd in almost any other commercial contract.
For instance, the only license that allows you to roll out Windows using an imaging system (eg. Ghost) is one of the volume licenses - and for the most part they include a clause which states "You will buy a license for every PC-compatible computer in your organisation". Now you know why so few companies are taking Linux seriously on the desktop. I have no idea how enforceable such a clause would be, but I can't see many companies wanting to challenge Microsoft in court.
What is Red Hat thinking? Written notice? Microsoft doesn't always give notice, that's why its audits are so successful. At least during one incident reported on Slashdot, they didn't give any notice and just showed up with Federal agents and guns.
Why is Microsoft Ireland research using pounds instead of euros?
Ernie Ball does a LOT more then just sell guitars. They have a very good reputation in the music industry for making a good product and (more times than not) a consistent product.
This is a great warning to large companies like Microsoft and Adobe and also the BSA. But unfortunately, not every company is in a position to just drop an OS like Windows because of issues like user training, third party applications, business specific software that is only available for Windows, as well as client and vendor compatibility.
I firmly believe that the BSA (Business Software Alliance) was granted way too much authority by Congress.
Do what thou wilt shall be the whole of the Law - Aleister Crowley
hey have to show that the person who clicked accept was an authorized representative of the company (employee) and not an unauthorized user or cracker, and it is Windows, so good luck with that!
They don't need to show anything because it is natural and expected that an employee of the company installed some software on company's computers. For example, you seldom need to prove to anyone that you are human.
If you claim that somebody set you up the bomb then *you* need to prove that extraordinary claim. You need to make your evidence available (firewall and Snort logs, virus detection logs, meeting notes where you discussed the breach, etc.) You can't just wave your hand and have it all dismissed, especially if the company used the software on that computer for months or even years.
The purpose if the signature is to verify that:
A) The person who the claimant says made the agreement is in fact the person who entered into the agreement
The signature does nothing like that. You need a notary stamp, signature, a record in his book and your thumbprint there to certify your signature.
B) The person who made the agreement was in fact in a postition to make such agreement
The signature does nothing like that. It's up to courts to determine if you had authority to sign a certain document. If I sign a deployment order for the US Army it doesn't make me the President.
If the person who signed it wasn't the defendant or legal representation thereof, no lawsuit.
Unfortunately, if a company owns a computer then it is legally responsible for it, 100%. That applies to any company property, and even to your personal property somewhat.
It doesn't change because you add a computer to the scenario.
True. But consider this. Your company buys 10 tons of grain from a local farmer, and you send him the purchase order signed (with an illegible scratch) by "H. Bark". Your dog is called Happy Bark. The purchase order calls for Net 30, and you don't pay. The farmer sues you, and you point at your dog and say that you didn't sign anything. Can you get away with that?
No, you can't. First of all, you accepted the delivery and made use of the product. That confirms your acceptance of the transaction. Otherwise you'd need to refuse the shipment, or at least contact the seller and attempt to return the product.
Once you accepted and used the product, the farmer's side of the deal is fulfilled and he is right in expecting the money. You, on the other hand, received the product, used it, and you expect to not pay for it? The claim that "your dog did it" will be only seen as further attempt to evade the payment, and you will dig yourself deeper into the hole.
To summarize, a business is responsible for everything that happens to its computers. If a software was installed illegally, you have several vulnerabilities:
a) an employee of the company, acting as an agent of the company, broke the law. The company is responsible for its agents.
b) the computer somehow got illegally installed software. The company proceeded to use that software, for profit and without pay. This demonstrates that the company was aware of the illegal act and supported it by not stopping the violation as soon as it learned about it.
c) even if neither (a) or (b) are sufficiently proven, the business is still at fault for having unlicensed software on your premises and under your control. The fine for that is about twice the retail cost, just what BSA usually charges, and the only evidence required to award that fine is the fact that an illegal software was installed. As I read here, that's what BSA usually aims for, since it's the easiest violation to prove and the smallest fine to pay.