Recession Turning Software Auditors Into Greedy Traffic Cops
judgecorp writes "As the recession bites, software auditors are cracking down, and some are simply exploiting loopholes and technicalities to meet their targets, according to analyst Forrester. They may be within their rights, but they aren't endearing themselves to users; Steve Ballmer faced weary customers in London last year, and admitted Windows licenses have deliberate 'gotchas.'"
(1) Outsource your work to a very large country which doesn't care about IP laws.
(2) Profit!
(1a) Outsource your work to domestic individuals who have the compatible software regardless of license legitimacy.
(2a) Don't shake their hands when you make a deal. Pay 'em through some guy meeting them at an Italian restaurant every week. Stop showing up when they fail to deliver.
(3a) Wanna keep your house? 1a and 2a for you unemployed Americans whose baby food money is going towards military ammunition.
I don't use ANY proprietary software at my company. I own a software development company in Argentina. If I get an auditor (audits here are done by ARBA, the state-wide equivalent of the IRS in Buenos Aires) I just won't even open the door. Sue me if you want. I use NO proprietary software, and no one has any right to log into my servers or workstations (we have ~40 machines at our offices).
Fuck them in the ass.
WTF am I doing replying to an AC at 5 A.M. on a Friday night?
Don't run Windows. "Software auditors" are just about unknown to users of any other platform.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
"They may be within their rights, but they aren't endearing themselves to users"
They are not looking for endearment, they are looking for a paycheck.
Home of The Suki Series
"They may be within their rights,"
What right would that be, exactly? If they're not law enforcement, and they don't have a court order, they have zero "rights." Yes, even if they show up wearing fancy raid jackets to try and look like law enforcement.
I've posted this several times before. If the BSA or any of these other vultures come knocking, they have ABSOLUTELY NO RIGHT TO DO ANYTHING, SEE ANYTHING, TALK TO ANYONE, etc WITHOUT A COURT ORDER. If they have one, that means you're already in the process of being sued, and the first person you should call is your lawyer, and you should ONLY do EXACTLY what the court order requires you to.
Here's the Superbanana Super Guide To BSA Bullshit Shutdown.
If they don't have a court order, don't let them see anything, touch anything, install anything, connect anything. Don't answer any questions. The only information you should give them is your attorney's phone number.
If "traffic cop" implied "greedy", then there wouldn't be any need for the adjective.
For those who forgot:
http://news.cnet.com/2008-1082_3-5065859.htm
In the town next to the one I sit... there's an old police officer who has a "quota" of traffic fines he needs to collect in the budget. Miss his income number, and he's unemployed. The budget number is public record, listed as a separate line item in the official budget. He's authorized to put up a "Speed Limit 30" sign at any intersection because that's the state law at all intersections, marked or not.
Now, on the way out of this town, there's a highway interchange. That's an intersection, but the state highway people don't want you going as slow as 30 miles per hour there... you won't be up to 55 on the short ramp to the highway if you do. So they've rigged this intersection with enough signs that the traffic officer is locked out... if he puts his sign up, it's not properly displayed because it's either blocked from view or too far from the intersection. He still writes tickets there, and if you take him to traffic court you can get it kicked. He's hoping you confess or just send in the check. There's even a state website where you can pay your fine with a credit card.
If enough people do get his tickets kicked, he'll be done.
Julian Heathcote Hobbins, General Counsel for the Federation Against Software Theft (FAST), spoke in defence of the software industry protecting its property rights
Could the guy have a more pretentious name? Really? Julian Heathcote Hobbins? Could that guy have any other job besides going around and telling people they are using the product they bought incorrectly?
IMO this is one place where strong management can make a big difference by taking an explicit position on "Times are tough, we need to collect what revenue we can" vs "We need to preserve a relationship with our customers *and* help them stay in business *and* get ready to capitalise on that good relationship when the economy picks up and we want to sell more stuff". Targets should not be allowed to distract from the bigger picture, which is *serving your customers*. Sure you might have contract terms that give you "the right" to hit your customers with surprise charges in order to help keep your own business afloat but you're not really serving them, you're using them. By the same token, when I go to my local shop they have "the right" to be rude to me - I'm paying for goods, not manners. But then I'd switch purchasing to the other local shop. Everything has a cost.
But what do I know, I'm not a manager! Times are tough, people have to get by somehow.
IIRC some EULAs give the "authorized representatives" the authority to check your computers.
Good argument for GPL'd software.
Who can screw their customers and expect them to come back for more.
For all intensive purposes
I've always thought that that was "For all intents and purposes."
When you're afraid to download music illegally in your own home, then the terrorists have won!
Suppose I'm a healthcare company. Software auditors show up at my door, waving contracts in my face. I let them in. They insist that they must inspect ALL machines running, say, MS Office. Some of these machines contain sensitive health information for ten thousand patients. I have now committed 10,000 willful HIPAA violations, and could go to jail, in theory, for up to 10,000 years (maximum jail time for willful but non-malicious breach is 1 year per instance).
Or what about SarbOx? Any possibilities for violation there?
I think a strong case could be made that if you are a HIPAA covered entity who uses software which is subject to such agreements, and you abide by the agreements, then you are committing a felony. Thus, using Microsoft software is a felony. QED
You are forced to have the auditors by agreeing to the licenses to use certain software products.
No, I think what would happen is that they can just look at the OS, without looking at the data running in the OS. Thus, they can get a license count. But, if you won't give them one, then you could get sued, and be forced to give one, or rather, have some third party or even the local sheriff do the count with the understanding that the HIPAA data is implicitly protected because the exposure is to officers and appointees of the court.
I don't think you understand exactly how draconian the HIPAA statute really is. A HIPAA covered entity may not disclose or allow the possibility of disclosure of protected health information to ANYBODY without the patient's consent. That includes sheriffs, court officers, and the President of the United States. It also includes other HIPAA covered entities! That's right folks, your doctor cannot tell another doctor about you, unless it fits a VERY specific set of circumstances. I've heard horror stories of nurses losing their jobs because they told other nurses vital information about a patient's care, and I'm not talking about gossip in the hallway, I'm talking about perfectly legitimate transfers of information for the patient's benefit. The statute is so broadly worded that you can be fined because you saved a patient's life.
You would essentially have to get written consent from all 10,000 patients before anybody who is not themselves a HIPAA covered entity could so much as GLANCE at those machines.
Now you might say, let's just declare ourselves to be HIPAA covered entities, and promise to abide by the law. Except it doesn't work that way. A person cannot choose to become a HIPAA covered entity. You must meet a very specific set of criteria, one of which is that you conduct electronic transactions (either billing or file transmission) regarding health care information. A software auditor simply does not meet the criteria.
HIPAA is widely regarded as one of the most overreaching, destructive laws ever passed, with insane and unintended consequences. By the way, anybody is allowed to file a HIPAA complaint against any covered entity, even if they are not associated with either the patient or the health care provider. In theory, if I knew that some health care company somewhere allowed a BSA audit, I could file a complaint against them myself, and OCR would be compelled to investigate it.
You really should read up on HIPAA. It's like a god damned nuclear weapon and it has the entire healthcare industry constantly quaking in their boots.
Then they just come back in an hour with a motion of discovery, the constable, and 3 deputies.
And the problem is what, exactly? That's exactly what they SHOULD have to do.
The reason the BSA shows up unannounced is because they're fishing, and hoping to get enough to THEN either threaten you or take you to court. There is no possible good to come, and nothing that will work in your favor, by granting them access.
They've already decided that it's not worth the cost of filing a suit, and in order to get anywhere, they need to have evidence, which they may not have in sufficient quantity. A pissed off sysadmin with a bone to pick is about as credible as a fox in a chicken coop.
The company that says "go fish, assholes" MIGHT see them again with a court order in hand, but it's not likely. The company that says "uuuuuh....okay, come on in" finds themselves in a few weeks threatened with a huge lawsuit, or a "settlement" calculated to be just below what the company could possibly afford...
Here's a nice old story about a Microsoft software user that got audited, sued, fined and dragged through the press. Apparently they sell guitars. Of course a loss for somebody is naturally a win for somebody else.
Help stamp out iliturcy.
No, I don't think you understand HIPAA very well. It DOES allow for a number of disclosures without patient consent:
To law enforcement
To treating physicians and other clinicians, for public health activities, for health oversight purposes, to protect against personal and material harm
Even for marketing
And a raft of others.
This is not the bogeyman you are looking for.
Faster! Faster! Faster would be better!
Duh. That would be the point, wouldn't it?
B.S. Nobody wants Microsoft licensing to be that complex, except the SAM contractors and other licensing Nazis that Microsoft and a good chunk of the proprietary software world has let loose upon us all.
I had a SAM review last February and March, that started with a letter from a Microsoft "partner" (read: contracted henchman) that, once you got past the bullshit about them being here to help me, was clearly a software audit.
I was given 30 days (with an extension if I needed it) to put everything together. That part wasn't too bad. We had largely inherited the licenses from the firm that we had taken over, and it was a bit of a mess. Of our three copies of Server 2003, one was an inherited Small Business Server 2003 OEM edition that I had applied the Transition Pack to turn into proper Server 2003, one was an OEM copy of Server 2003 R2 bought by us, and one was a Server 2003 that we had inherited, purchased through Software Assurance. As well, there were about 15 Office Pro licenses, as well as 13 or 14 Office OEM copies sold with the Dells that we had inherited. On top of that, I had a backup server running Windows 2000 Server, plus CALs both purchased by us and by the people we had bought everything from.
I first smelled trouble when they asked me to verify that 22 of our workstations (all running OEM copies of XP) were not running Office (they were running OpenOffice). I found the question more than a little accusatory. Then came the seeming inability for them to count CALs. At one point they had us in the red 15 CALs, despite the fact that I had invoices, both of my purchases and of the previous organization's, showing the CALs. This literally went back and forth for two weeks, until finally I had had enough, and sent off a very angry email to the contractor accusing him and his "team" of severe arithmetic disabilities, and explicitly using the phrase "you are harassing me".
Then, as if unwilling to declare defeat, they came back with a final number of -5 Server 2003 CALs, because, and get this, though I had enough CALs to cover everything, I hadn't bought this 5 CAL pack via Software Assurance, and wasn't permitted to use it as a User CAL on the Server 2003 machine installed via the single copy of Server 2003 bought via Software Assurance. I sent back a very angry letter, CCed to my manager, asking them if they seriously thought that I was going to pay $150 bucks again for CALs I already owned, because I bought them from a reseller as opposed to Software Assurance. I think at that point they got the hint that they weren't going to be getting any money out of us, and sent back a letter saying that as long as I agreed to change them into Device CALs, I'd be in the clear with them.
Now, I guess from one perspective one could say that we got off in the end, we were totally legit. But this probably consumed about $500 to $700 of my wages (my employer's money) on pointless back-and-forths as they tried to probe to find any way to make money off of us.
At this point, we are looking to abandoning Microsoft, and indeed proprietary software wherever we can. It won't be easy, and it won't always be pleasant (though it can't be any worse than the three weeks of hell that happened when we bought new Dell workstations with Vista). We're stuck with Exchange-Outlook for the medium term, but should have enough licenses to cover a small expansion that may be happening in a year. But all the new file servers are running Samba, we're set to expand OpenOffice installs, and while Office 2003 will be around for a while, there will be no upgrades to later versions, save as we replace workstations. The long-term plan is to roll more and more server operations on to open source solutions, with a set goal that when we hit 95% of our Exchange CALs, we will take the plunge and go with an open source groupware solution. I don't anticipate that we will ever be Microsoft free, but we can certainly reduce our footprint, and our exposure to the nonsensical and self-serving whims of Micro
The world's burning. Moped Jesus spotted on I50. Details at 11.
BSA are not law enforcement. They just behave like it sometimes.
Seriously, anyone?
Part of my job description is making sure the company is up to scratch with their licensing. So I have to read the licenses - and I do.
I have concluded that software licenses are written expressly to trip up customers. Even when they're relatively straightforward, they often contain clauses which would be considered absurd in almost any other commercial contract.
For instance, the only license that allows you to roll out Windows using an imaging system (eg. Ghost) is one of the volume licenses - and for the most part they include a clause which states "You will buy a license for every PC-compatible computer in your organisation". Now you know why so few companies are taking Linux seriously on the desktop. I have no idea how enforceable such a clause would be, but I can't see many companies wanting to challenge Microsoft in court.
"Ballmer also suggested that education should be given government stimulus funding to enable young people to gain experience on the computing systems they would meet in the real world."
Seriously Mr B, go fuck yourself. You don't need the money and young people, on the whole, are pretty good at working things out for themselves as they have a "click and see what happens" approach mixed with the ability to ask another kid who knows. Doesn't matter if it's OpenOffice, Office 2007, whatever, if they really want it to do something, they'll find a way. The weak point is quite often the teachers.
Seriously, in the UK you cannot be a teacher without a University degree. A University degree should teach you to analyse a problem, research the problem and apply a solution. In software, this boils down to "I can't do X in program Y", go to Google and type "how do I do X in program Y", click links until you find the answer and follow the instructions on the page. Most of the time they seem incapable of following this simple idea. They'll even come in and ask me, then watch me hit Google and search for a solution (often the first result returned), but it never dawns on them to do the same themselves next time (and no, support isn't my job). I showed a year 7 how to find something out using the "F1" key and he was amazed, he just didn't know.
The best thing for education, would be for kids to be trained to work stuff out for themselves by teachers who are trained to work stuff out for themselves. This "teaching people to use the software they'll use in the real world" argument is crippling and the seeming inability for people with far higher qualifications than mine to work out even minor problems has seriously dented my faith in the higher education system.
Hmmmmmm..... Deep fried and look like Squirrel.
No, you don't understand HIPAA law.
The first two links you point to are for GOVERNMENTAL entities that allow the sharing of data. And those are for a JUSTIFIABLE BUSINESS NEED. Any of those disclosures are still protected. That is the data that is disclosed still cannot be released to another entity unless it meets the same need requirements for sharing.
The BSA or any of their related entities are not even close to a GOVERNMENTAL agency that would have the authority or even a justifiable business need to access a computer with PHI on it. If I had a court order to allow the search, I'd still only do it under duress and with proper auditing of the audit software to ensure it does what it says it does and not capture data. And even then, I'd only allow a hardcopy report to leave. Or I'll do a manual audit and I'd be doing the clicks and typing and the BSA person can watch and we'd have our corporate attorney present watching both of us.
And even when data is shared, it's only the minimum allowable to be shared. So if there was a share for marketing, the selection of the data would run in one database, the extract would only be names and addresses for the mailings, and those would be stored in an unlinked separate file for the mailing program to produce the output. That's a far cry from allowing the BSA complete access to the computer with the HIPAA data on it.
The laws of the State trump the licence conditions. They can pretend to have these powers but they don't have anything unless a Judge or similar grants it.
Even Ballmer admits that getting rid of Windows simplifies things ;-)
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun