Microsoft Media Player "Security Patch" Changes EULA Big Time 771
MobyTurbo writes "In an article on BSD Vault a careful reader posts that in the latest Windows Media Player security patch, the EULA (the "license agreement" you click on) says that you give MS the right to install digital rights management software, and the right to disable any other programs which may circumvent DRM on your computer." So if you want your machine secure,
you also want microsoft to have free reign on your PC.
Not new. (Score:5, Informative)
Yeah, it's bad, and it's always been bad.
It had been noticed by /. readers... (Score:4, Informative)
automatic EULA remover (Score:3, Informative)
Re:automatic EULA remover (Score:4, Informative)
alternatives (Score:2, Informative)
Re:MS/Borg (Score:5, Informative)
Re:Umm, don't use WMP. (Score:2, Informative)
You can't "just say no."
Even if you decide not to use WMP, it's still installed on your system (if you're using 98, 2000, XP); which means that you're still bound by the EULA (the one that was in place when you last installed your OS or updated WMP).
Re:Corporate users can't install that (Score:3, Informative)
I've seen those companies that require you to get IT for every little thing. The usual result-- IT cops a major attitude, nothing gets installed, everything breaks, and no one gets a damned thing done.
PNG packs tighter than TIFF (Score:4, Informative)
I thought it was bad recently when a "Critical" IE6 security path completetly broke the ability to view TIFF images in a browser without hacking the registry by hand.
Actually, it was Microsoft dropping support for Netscape plug-ins such as QuickTime 5 because of a patent dispute.
I maintain a web site that basically sells access to TIFF imaged documents.
Adobe TIFF has three common lossless modes [apple.com]: Apple PackBits (RLE algorithm used in MacPaint and at least one NES game), CCITT Fax (a strange bilevel image codec used by fax machines), and Unisys LZW [burnallgifs.org]. PNG, on the other hand, uses Phil Katz's Deflate (LZSS on a 32 KB window, followed by Huffman coding), which makes smaller files than any of TIFF's three algorithms.
What does TIFF [libtiff.org] do that PNG [libpng.org] doesn't?
Re:So where is the end? (Score:2, Informative)
Re:Not new. (Score:2, Informative)
Re:Easy choice (Score:3, Informative)
If you dont run it (remove it even) how can it be a security risk? Common sense?
As for the adding ms to the hosts file, i was joking.
Re:Not new. (Score:5, Informative)
Re:MS/Borg (Score:3, Informative)
MS DRMOS Palladium -- The Trojan Horse OS (Score:1, Informative)
http://cryptome.org/ms-drm-os.htm
Reviewing the Microsoft DRMOS (Palladium Patent) it became apparent Richard Stallman's short story, The Right to Read is indeed visionary. Below are quotes from the DRMOS patent
and Stallman's Right to Read.
You must read this story:
http://www.gnu.org/philosophy/right-to-re
Although it has been difficult to clearly articulate to the general computer user, it should now be clear the DMCA represents not
only risk to fair use and other such issues, but represents a tool by which new technologies such as the DRMOS can be enforced.
It and other new laws (SSSCA/CBDTPA) are the legal infrustructure required to make the public use these new DRM technologies and
enforce punishment/fines when they are circumvented.
Content from MS DRMOS Patent quoted under the practice of fair use for comment and discussion purposes.
The Content Provider (ISP) must maintain a registry of "subscriber computers". This is the SPA and Central Licensing:
Therefore, the content provider would have to maintain a registry of each subscriber's DRMOS identity or delegate that function to a
trusted third party.
additional components that the provider trusts. Each identity uploaded
is then checked against the list.
Soon, changing your PC's system clock could become illegal:
This alternate embodiment requires a secure time source to be
available on the subscriber computer so the user cannot simply
turn back the system clock on the subscriber computer.
Pay-per-use operating system and components:
As described above, components may be valid only until a specified date
and time, and content may also be licensed only until a certain date and time.
The monotonic counter described earlier can also be used to ensure that the
computer's clock cannot be set backwards to allow the replacement of a
trusted component by an earlier, now untrusted version.
Stallman is right again, DEBUGGING IS NOW ILLEGAL, enforced under Section
1201 of H.R. 2281 (The DMCA):
DRMOS Patent:
An example of one kind of procedure that must be prohibited is loading a
kernel debugger because it would allow the user to make a copy of the
content loaded in memory. If the user of the subscriber computer attempts
to load a kernel debugger into memory, the DRMOS can either 1) refuse
to load the debugger, or 2) renounce its trusted identity and terminate
the trusted application that was accessing the content before loading
the debugger. In the latter case, the memory must also be purged of the
content before the debugger is loaded.
See The Right to Read, Stallman:
There were ways, of course, to get around the SPA and Central Licensing.
They were themselves illegal. Dan had had a classmate in software,
Frank Martucci, who had obtained an illicit debugging tool, and used
it to skip over the copyright monitor code when reading books. But he had
told too many friends about it, and one of them turned him in to the SPA
for a reward (students deep in debt were easily tempted into betrayal).
In 2047, Frank was in prison, not for pirate reading, but for possessing
a debugger.
Dan would later learn that there was a time when anyone could have debugging
tools. There were even free debugging tools available on CD or downloadable
over the net. But ordinary users started using them to bypass copyright
monitors, and eventually a judge ruled that this had become their principal
use in actual practice. This meant they were illegal; the debuggers' developers
were sent to prison.
You can no longer delete specific data from your hard drive:
DRMOS Patent:
For example, the DRMOS can allow the user to delete an entire content file but
not a portion of it. Another example is that the DRMOS can allow the user to
terminate all the threads of execution for a trusted application but not just
a single thread.
Again, debuggers are not permitted:
DRMOS Patent:
Finally, a DRMOS must protect the trusted application itself from tampering.
The DRMOS must not allow other processes to attach to the process executing
the trusted application. When the trusted application is loaded into memory,
the DRMOS must prevent any other process from reading from, or writing to,
the sections of memory allocated to the trusted application without the explicit
permission or cooperation of the trusted application.
Users may not share data:
DRMOS Patent:
Such a facility is used when downloaded content can be accessed only by a particular user. Moreover, if downloaded content is to be accessed only by a particular user and by a particular application, the secret to be stored may be divided into parts, with one part protected by an application-specific key and the other part protected by a user-specific key.
Applied to Stallman's Right to Read. Bear in mind these are e-books and sharing
would be a form of copyright circumvention:
He had to help her--but if he lent her his computer, she might read his books.
Aside from the fact that you could go to prison for many years for letting
someone else read your books, the very idea shocked him at first. Like
everyone, he had been taught since elementary school that sharing books was
nasty and wrong--something that only pirates would do.
The "Key Vault" and trusted third party (Central Authority):
DRMOS Patent:
Once the data is encrypted using the storage keys, there must be a way to
recover the keys when the DRMOS identity changes (as when the operating system
is upgraded to an incompatible version or an unrelated operating system is
installed) or the computer hardware fails. In the exemplary embodiments
described here, the keys are stored off-site in a "key vault" provided by a
trusted third party. In one embodiment, the DRMOS contains the IP addresses
of the key vault providers and the user decides which to use. In another
embodiment, the content provider designates a specific key vault and the DRMOS
enforces the designation. In either embodiment, when the user requests the
restoration of the storage keys, the key vault provider must perform a certain
amount of validation before performing the download.
Your computer cannot be used to copy content:
For example, one property might be that the application cannot be used to copy content. Another example of a property is one that specifies that the application can be used to copy content, but only in analog form at 480P resolution. Yet another example of a property is one that specifies that the application can be used to copy content, but only if explicitly allowed by an accompanying license.
Looks like the MPAA has been engaged in some Retail Politics:
In one embodiment, the access predicate takes the form of a required properties
access control list (ACL) as shown in FIG. 10. The required properties ACL 1000
contains a basic trust level field 1001, which specifies the minimum rights
management functions that must be provided by any application wishing to process
the content. These minimum functions can be established by a trade association,
such as the MPAA (Motion Picture Association of America), or by the DRMOS
vendor.
More Pay-per-view OS functions:
As described briefly above, the license data structure 1100 can limit the number
of times the content can be accessed (usage counter 1101), determine what use
can be made of the content (derivation rights 1103), such as extracting still
shots from a video, or building an endless loop recording from an audio file,
or a time-based expiration counter 1105.
Pay-per-listen feature:
The sublicense rights 1107 can impose more restrictive rights on re-distributed
content than those specified in a license for content downloaded directly from
the original content provider. For example, the license 1100 on a song purchased
directly from the music publisher can permit a song to be freely re-played while
the sublicense rights 1107 require a limit on the number of times the same song
can be re-played when redistributed.
My friend, it's called UCITA (Score:5, Informative)
That is, until they're safely set up inside a UCITA-adopting state.
Why, you ask? What's this UCITA anyway? Not another acronym. I'm too lazy to write another letter. Trying to keep my phone bill down. And I can never keep my boycotts straight once I get to the store.
From the mouth of the beast... [ucitaonline.com]
And on a slightly more ethical tip...
The FSF's writeup [gnu.org]
And the CPSR's writeup [cpsr.org]...
Google will give you more.
Think your EULA's not binding? UCITA gives it all that 100%-All-American Bought and Paid For Congressional Stamp of Approval. Some democracy we have, huh?
-David
Re:Legality of EULA (Score:5, Informative)
The unfortunate state of civilization today is that it is governed by men and not by laws. Thus it doesn't matter whether a EULA (any EULA) is legally binding or not. All that matters is that enough people think they are.
In terms of the law, most EULAs are completely invalid. Exercise of pre-existing rights is considered assent. There is a total lack of consideration. And there is no way to verify that a particular "licensee" has even seen the contract.
In terms of Rule by Fallible Human Beings, EULAs are completely valid if you can get enough people to believe that they are valid. But even if you can't, you can still take them to court and draw out the process to bleed them dry until the give in and settle.
I don't understand how the judicial/legislative system has allowed them to get away with this, whereas credit card companies are screwed on fraudulent online transactions.
The difference is easy. The average person cares about losing money. But the average person is very ignorant about their legal rights with regards to copyrightable materials, especially when it concerns software.
Wait until some large company starts putting the screws to enough people. Then the situation will change. Bankrupt enough grandmas in court for EULA violations, and the public opinion will change.
Re:Security Patches are the getting worse (Score:2, Informative)
Re:extortion (Score:3, Informative)
In the only _real_ law book I've read on the subject, which reads as easy as applied cryptography's first few chapters(seriously, it's very basic the hard shit follows), explains that a contract contains a portion where they must provide something while you must also. Either party fails to provide it's side of the deal the contract is null or goes into despute (court)
No one party can change lines of a contract or edit the final conditions without the users consent (read:signature). Of course clicking YES to the new one _could_ be the same
Here's something from 20 years ago (Score:2, Informative)
by L.J. Kutten
For the past four years; many software companies have been
publicly bemoaning their losses to unauthorized duplication. They
claim for every "legal" copy sold, three or four illegal copies are
eventually distributed. When asked for proof, they do not give it.
Their only evidence is their "private" research (which they will not
submit to third party verification).
While no industry expert denies the existence of unauthorized
duplication, experts differ on whether this duplication actually
deprives a company of profits or sales. Take the following two
examples:
* A 13-year old child possesses unauthorized CP/M versions of dBase
II and Wordstar configured for the Apple II computer. He neither owns
a CP/M card nor a printer. To him, the software is like baseball
cards, the more he "owns" the better; and
* The business person who wants to try out a $800 program to make
sure it will (1) fulfill his needs, or (2) work adequately with his
hardware (perhaps there is a printer conflict). If the software does
not work, the floppy diskette containing it goes back into a pile. If
does work, a legitimate copy is purchased so the user can get support.
Whatever the real extent of the problem, companies are searching
for a solution. Many have adopted a "tear open" license agreement as
their way of handling the problem.
A typical tear open license agreement (also called "shrink wrap"
or "box top") is a one page form attached to the outside of mass
marketed software. On the form is a statement that says "OPENING THIS
PACKAGE INDICATES YOUR ACCEPTANCE OF THE AGREEMENT AND THAT YOU AGREE
TO ABIDE BY ALL THE TERMS AND CONDITIONS SET FORTH." Following the
statement are a set of rules and prohibition which "control" use of
the software. Typical provisions include the following:
1. Warranty disclaimer: The software is sold "AS IS." The
manufacturer totally disclaims any express or implied warranties. If
the software does not work as expected (or at all) that is the buyer's
problem and not the manufacturers;
2 Prohibition against disassembley: The program cannot be
disassembled or patched for any reason; and
3. Prohibition against resale: Under no circumstance can the
original purchaser transfer his ownership interest in the program,
whether it be by sale, lease, rental, or even by gift. If the
purchaser has no further need for the program, it must be destroyed or
returned to the manufacturer.
The software manufacturers claim that by opening the package the
user has agreed to abide by any term found on it. Not surprisingly,
users claim the forms are not worth the paper they are printed on.
Whether or not these agreements are binding is open to question.
There are no cases, at either state or federal level, to interpret
them.
The Problem With Tear Open Agreements
The enforceability of tear open agreements begins with the
proposition that (1) they are binding contracts and (2) the developer
has retained title to each individual copy of the program. The fact
that a developer has claimed they are binding contracts or he has
retained title is unimportant. A court would look at what really
occurred as opposed to what one party calls the transaction.
Are They Binding Contracts? If the license agreement is to be
binding, the manufacturer must be able to prove that both parties
considered it to be part of the contract before the sales transaction
was completed. If the agreement was not known until after the sale
was completed (e.g. the seller got paid and the buyer got the
software), then it is void. Under general principal of contract law,
no party can unilaterally add additional terms to a contract after it
has been accepted.
In a normal retail sales situation, the manufacturer can argue
that the buyer knew or should have known of the license agreement
prior to sale and thus should be bound by it. The trouble with
assumption is that a buyer would claim (1) he had no knowledge of it
and that the vendor did not mention it or (2) that the vendor did
mention it but the buyer told the vendor that he did not consider it
binding. (How many retail sellers would refuse to take the buyer's
money in such a circumstance?)
In mail order sale, the license agreement is almost never
mentioned. The first time the buyer finds out about it is after the
goods have been received. In such cases, the agreement is not worth
the paper it is printed on.
A court would also be bothered by the fact that a tear open
agreement is a contract of adhesion. That is, it is offered to the
buyer on a "take it or leave it" basis. The buyer cannot bargain
about the terms contained in it. The law does not favor adhesion
contracts and they are automatically suspect.
Finally manufacturers must realize that no court will ever
enforce a contract where the buyer pays for software and the
manufacturer, through a tear open contract, does not promise to
deliver anything.
Are They Licenses? There are a number of factors to determine
whether a license (with retained ownership) or a sale of a copy is
involved:
1. Is the license for a limited period?
2. Does the license have to be signed before the software is made
available?
3. Is more than one payment made to the "licensor?"
4. Does the "licensee" have any obligation to return its copy of the
software to the "licensor" if he has no further use of it (i.e. can he
throw it in the trash without liability)?
5. Does the "licensor" have any duties to the "licensee" to make sure
the software even works?
An answer of no to each question would indicate that the parties
really intended the transaction to be an outright sale. This is
clearly seen if you examine the license agreements for minicomputer
and mainframe computer software. These agreements are typically (1)
for a definite period of time, (2) the license agreement must be
signed by all parties prior to delivery of the software, (3) in many
instances the licensee has to pay a yearly royalty/service fee, (4)
the licensor agrees to upkeep and modify the program as necessary, and
(5) the licensee has a duty to return the software after a specified
period.
Other Problems With Tear Open Agreement: Even assuming a court
would find a tear open agreement to be a binding contract or a true
license agreement, there are many other problems that must be
resolved.
Tear open agreements may violate four provisions of Article Two
of the Uniform Commercial Code (the U.C.C.) Article Two codifies the
law of sales and it is the law in every American jurisdiction except
Louisiana.
U.C.C. |2-312 gives a dealer the power to transfer all rights,
including title, to the buyer unless the dealer gives the buyer actual
notice of the limitation. There is nothing to prevent software
manufacturers from contractually requiring its dealers to give this
written notice on their sales forms.
U.C.C. |2-513 gives the buyer the unqualified right, except in
C.O.D. sales, to inspect the goods at any reasonable time and place
before accepting them. The buyer can take the sealed package home,
remove the shrink wrap and test the software to make sure it fulfills
its advertised claims, etc. Given the fact that many software
packages require a minimum of 30-40 hours training to utilize, the
fact that a demonstration package was available or that the buyer
could try the software out a a local store (how many stores would
allow any user to tie up a machine for 35 hours to test one package)
is irrelevant. The buyer has a reasonable time to inspect the goods
and either accept or reject them.
Under U.C.C. |2-201 if the price exceeds $500, the party being
bound by a contract has to sign a writing relating to the contract.
Thus, the buyer pays $501 for a software package and did not sign the
restrictive agreement, then the terms of the agreement do not bind
him.
Many license agreements disclaim all warranties (i.e. the
software is sold "as is" and the manufacturer guarantees nothing).
Under U.C.C. |2-316 this is permissible, except whenever an express
warranty disagrees with a disclaimer, the warranty will prevail. The
law says express warranties are created by instruction manuals,
training guides, use of demonstration models, advertising and the
like. Thus any disclaimer of an express warranty is voidable.
Tear open agreement may also violate various federal and state
consumer protection statutes. It is arguable that the manufacturers
have committed fraud against the buying public in that they encourage
the public to buy their products yet do not advertise their license
restrictions. It is a deceptive trade practice under the Federal
Trade Commission Act (a federal law) to let a transaction look like a
sale when it is not. Many states have similar legislation.
Courts would also be bothered by the fact that the consumer bears
the entire risk of loss. In a U.S. Supreme Court case dealing with
price fixing, the Court said that risk of loss after transfer of
possession weigh heavily in determining whether or not a sale has
taken place. If the buyer bears the entire risk of loss, it strongly
indicates a sale, and not a license took place.
Can a sale later become a license? The license says that
"opening the package" or "using the software" indicates acceptance of
the license terms. Does that mean the buyer did not accept them at
the point of purchase? If so what did he buy? If he did buy it, does
he lose or forfeit some property right upon opening the package. If
so, the manufacturers should realize that the law does not like
forfeitures of any type.
There may be an admission against interest in requiring the buyer
to sign a card acknowledging the validity of the license agreement.
Under the law, a party cannot have contradictory claims. If the
agreement is really self executing, why require the buyer to sign a
card acknowledging its validity unless the manufacturer has its own
doubts about its self execution?
There may be another admission against interest in that many
manufacturers, for income tax purpose, treat the transaction between
themselves and their dealers as sales and not licenses. Similarly, a
court would inquire into whether or not the manufacturer took returns
from its dealers. If it did not, then it indicates a sale took place.
In the same genre, manufacturers fail to control their dealers.
If they really wanted to create binding licenses they could
contractually require their dealers to have the license agreement
signed before delivery of the software. They do not do this. (Too
much trouble they claim.) Instead they exercise almost no control
over dealer's selling practices. Most dealers treat software the same
way they treat hardware. The dealer uses sales forms, invoices and
receipts that imply a sale took place.
A few notes regarding what this lawyer has to say. (Score:2, Informative)
Current-day practice is not to have a "tear-open" agreement, but, instead, the agreement is presented when the user attempts to install the software. The user had no knowledge of the agreement's existence, let alone its terms, when the user paid for the software. By this lawyer's logic, that makes the agreement null and void.
Click-wrap licenses usually tell the reader to return the software to its place of purchase for a full refund, if the user refuses to be bound by it. Unfortunately, the place of purchase will generally not take it back or refund the user, as an understandable matter of policy (they have no way of knowing if you copied the distribution media prior to returning the software). However, this effectively means that the user is forced to either accept the terms of the agreement, or not use the software and let it rot, since they can't get it refunded.
Often, click-wrap licenses state that opening the package constitutes acceptance. However, you didn't even see the license until you attempted to install the software (which obviously happens after opening the package).
Use GDIVX and Tiny Personal Firewall 3 (Score:5, Informative)
GDIVX [divxity.com] runs on XP etc and is better (in my opinion) than the Media Player. There are heaps of players out there.
There is a nice program out there for Windows users called Tiny Personal Firewall [tinysoftware.com]. This wonderful little program is not just a firewall
It has default restrictions available and it sets itself up for standard windows programs like Office, IE, etc.
The cool part: When you install a new program TPF3 not only asks you if you want the program to execute, it also asks you what level of execution to grant. For example: Internet explorer (by default) can ONLY download into the c:\download directory.
So... if I'm on a box with XP I install TPF3 and nothing gets by it. Is your Media player trying to contact the Internet? block it! Is your media player trying to install something? Block it! Easy as that. Give it a go.
Re:extortion (Score:1, Informative)
No, but juridicially, there is no unilateral changing involved, as the 'I agree'-clicker already agreed that the licence can be changed at any time... this is a bilateral agreement.