XP/Vista IGMP Buffer Overflow — Explained
HalvarFlake writes "With all the hoopla about the remotely exploitable, kernel-level buffer overflow discussed in today's security bulletin MS08-0001, what is the actual bug that triggers this? The bulletin doesn't give all that much information. This movie (Flash required) goes through the process of examining the 'pre-patch' version of tcpip.sys and comparing it against the 'post-patch' version of tcpip.sys. This comparison yields the actual code that causes the overflow: A mistake in the calculation of the required size in a dynamic allocation."
well gee (Score:5, Funny)
>A mistake in the calculation of the required size in a dynamic allocation
I hope no one else makes this mistake.
Event ID 4226 (Score:5, Informative)
The only good thing is that, while the page hasn't been updated since 2006, the patch seems to work on the new TCPIP.SYS (I just tested it on my own machine).
I realize I'm sort of hijacking the first post, but given how many of us are probably downloading Linux ISOs right now, I figured it's important enough that people wouldn't mind a reminder...
you BINARY PATCH core OS code??? (Score:3, Interesting)
Now, don't get me wrong. I think that's a really cool hack. I admire the effort.
Seriously though, WTF? That's a rootkit technique. Changes of this nature should be made to source code, not binaries. It's way more maintainable and sustainable that way.
Re:you BINARY PATCH core OS code??? (Score:5, Insightful)
Sometimes, if a closed-source vendor isn't going to release an update/fix/tweak, the community has to do what they can to do it. Given what many people use Bittorrent for, I suspect getting a rootkit from this patch is the least of their worries. The rest of us will either just have to trust it, use BT on a non-Windows platform, or deal with the slower speeds.
This does bring up an interesting possibility - rather than completely reimplement Windows through something like ReactOS, or translate the API like WINE, how about replacing components of a real Windows install with F/OSS replacements? Drop in a workalike, but open source tcpip.sys and know where it's coming from.
Re: (Score:2)
> This does bring up an interesting possibility - rather than completely reimplement Windows through something like ReactOS, or translate the API like WINE, how about replacing components of a real Windows install with F/OSS replacements? Drop in a workalike, but open source tcpip.sys and know where it's coming from.
Actually WINE and ReactOS both reimplement large sections of Windows in ways that can be used on native Windows too. ReactOS does so more because it reimplements the lower layer where WINE uses emulation - but even in WINE higher-level DLLs are implemented natively. :-))
I wouldn't be surprised if you could use the ReactOS version of tcpip.sys on a real Windows (although you may discover some bugs
Re: (Score:2)
A 'Wine for Windows' or 'ReactOS for Windows' distribution replacing certain Windows DLLs with their free equivalents would be a fun toy and a useful way to get more testing for these two projects. I'd install it at once... uh, on a spare machine...
Re: (Score:2)
Because it means more people would stick to XP and thus the "goal posts" won't move as often or as much.
If things go that way Microsoft might end up like a BIOS vendor
I slave for no Bill Re:you BINARY (Score:2)
Let them release the code for Win98 GPL and see how fast it surpasses Pista!
Re: (Score:2)
Mmmm, mmmm, good! (Score:5, Funny)
But that is the primary reason for
Re: (Score:2)
Rootkit? (Score:5, Informative)
Rootkits use a lot of techniques that are also used by legitimate software. Yes, that patcher (and its patch) does get detected by a few anti-virus programs because worms, like torrents, benefit from being able to connect to more peers. It's not a virus in or of itself, though, plenty of people have checked it out.
> Changes of this nature should be made to source code, not binaries. It's way more maintainable and sustainable that way.
I fully agree, but it's kinda hard to get the source for Microsoft programs. Last I heard, you had to be a big university, pay tons of money, sign NDAs, etc. Besides, this limitation wasn't an accident. It was a deliberate "feature" they put in because they thought it would slow down worms. They're not going to fix it just because people ask.
Re: (Score:2)
Another funny binary patch story -- the patch to get DOOM 3 and Quake 4 to run on Win9x is two bytes [msfn.org]. Seems that only one function name (GlobalMemoryStatus / GlobalMemoryStatusEx) got changed. Replace "Ex" with NULs and the friggin' game runs just fine under 9x.
Forcing an application to only run on certain platforms means you only have to support those platforms. id making those games non-9x could have been a business (or common sense!) decision to save the costs of supporting knackered old 9x boxes.... the way cruft used to build up and lead to stupid problems on 9x was shocking!
Re:Event ID 4226 (Score:5, Informative)
Re:well gee (Score:5, Funny)
Re: (Score:2)
Re:Why Windows 95 and NT 4 are enough (Score:5, Insightful)
The only real reason to "upgrade" something is if you need something more. For business, need should be defined as something that will do a business function that will make money, replace labor, acquire additional business related information of value, etc... It has to do something you truly need. If all any business needs is a computer that runs a word processor, then he has a genuine point. It assumes that there is no other piece of software that serves a valid business need that anyone else might need.
A number of pieces of software have been written that require a later OS that fulfill a number of very valuable ($$$) tasks. Also Win 95 is only stable if you have hardware with extremely good drivers under it, a limited number of processes/programs on top of it, and your continuous up-time requirements are somewhat limited. This makes 95 a long way from being the one-size-fits-all solution. (I have one Win 95B station at my desk just to do drive data recovery and to do a few file tasks that XP doesn't want to let you do...)
Using that same logic there isn't a valid reason for almost anyone to use Vista instead of XP. Plus there is the "Business downside" of the end users having to relearn how to use computers that they already knew how to use.
Vista's big offerings are twofold:
- One is what I call the "raccoon" factor. Give people something bright and shiny and their eyes will roll back in their head as they start to murmur, "Gimme, gimme, gimme..." as you can hear the words, "It is new!" echoing softly in the background. This offers them nothing that is real but it does drive people amazingly hard. Look at the number of people that paid $100+ premiums to have an iPhone in the first week of release. A month later no one including themselves remember that they got their phone early and it certainly didn't pay any dividend for the expense but they will do it again: They are raccoons!
- Two, Vista includes huge DRM underpinnings. After XP was released Bill Gates publicly stated that the next version of Windows wouldn't be an OS but instead it would be a Digital Rights Management Platform. This does nothing for us but does plenty for Mickeysoft and the big media companies. I notice they aren't mentioning that fact any more either!
Basically Microsoft wrote a new OS for themselves instead of us and they made it really visually flashy so the raccoon in all of us will want to roll our eyes back in our head and buy it. The fact that they forgot to put anything we actually need in it has made its adoption really tank. The only real reason they have sold any volume of it is that you almost can't buy a computer without it. To help the process along Microsoft has pushed for new hardware that doesn't have XP driver support and you will start to see programming tools with limited or missing XP support.
We are coming up to a point where we are looking at a future where we could lose control of what is on our own computers! Vista is already trying to decide if you should be able to access your own files that are already on your computer! Take this fact and combine it with the whole limitations being rammed down our throat with HDTV and we are looking at being consumers that are buying things that we have no control over. A computer could easily act as a HDTV 'VCR' because that is an amazingly simple function but we have been forced to buy into a system where that isn't allowed. The only HDTV VCR like devices are subscription ($$) based!
You are being quietly guided into a world where you will tithe endlessly to corporations for simple things that in the past you could buy once and be done with. MS has tried to make the OS subscription based. (tithe) Limited number of play media files are subscription based. (tithe) Buying a cell with an MP3 player in it that you will just replace in a year or two is ano
Re:Why Windows 95 and NT 4 are enough (Score:5, Interesting)
Why?
Seriously, what can it do that XP can't? I'm interested.
File tasks are usually (IMHO) much better done under Linux, which doesn't try to stop you doing anything.
Re:Why Windows 95 and NT 4 are enough (Score:5, Interesting)
Why? Because with the NT line MSFT broke a lot of other companies' networking protocols. So we wouldn't be able to connect to the server, which stores all files and applications. (The Win95 machines being not much more than dumb terminals.) Windows XP won't work, as said server company never made a proper upgrade path for such a configuration. Linux might, but I would need an old-school NetWare guru, and someone with enough knowledge of Linux to configure NetWare inside Linux but also DOSBox, as all the applications are DOS based. When this setup was first deployed Linux was at 0.9 something.
Then you have to figure out how to sell it to a computer illiterate cheapskate boss.
Re: (Score:2)
Right, I know sod all about netware, and you still have apps that need the system. Seems a good reason to keep it around to me!
The OP mentioned file ops that I was wondering about, but your situation warrants hanging on to 95 as long as is practical.
Re: (Score:2)
Re: (Score:2)
I'd say "try wine, or maybe DOSBox, on Linux", but I've no idea what their older DX support is like. DOSBox on a later windows *might* work.
Re: (Score:2)
A simple example of Windows stupidity is if you copy a *.lnk file (shortcut) it will look into the file to see where it is pointing to and can alter it. I will use the example of recovering things from a "D" drive to the "C" drive. The co
Re: (Score:3, Informative)
There's no issue with windows systems that may be rooted or infected because the stuff just won't run. What do your low level DOS utils do?
I must mention here, too, that a lot of the tools provided in Linux are intuitive and easy
Re: (Score:2)
Restoring is as easy as dd of=/dev/diskIwanttobackup if=./filetostoreitin
OTOH I recognise I'm unusual in backing up whole disks like that. And it does suck that MS broke back compat in their restore software.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I have tried searching to get a good web reference for it, but when you put in "Digital Rights Management Platform" on a search engine you get a billion hits. It was
Re: (Score:3, Funny)
Re:Why Windows 95 and NT 4 are enough (Score:4, Interesting)
(Not the original AC.)
"Bluto's right. Psychotic, but absolutely right."
- Otter, Animal House
OK, so Win9x wasn't a real OS. It had no security model. That was its unfixable weakness (instability), but that was also part of its salvation.
No network-aware services listening out of the box? No remote-unattended exploits!
And when/if something broke due to the instability - even something as bad as "registry corrupted - don't even fantasize about getting your GUI back", you just booted to DOS, extracted a "good" version of the registry from the last five copies in .cab files in C:\WINDOWS\SYSBCKUP, typed a few "ATTRIB" commands (i.e. chmodded it to be writable) and overwrote the "bad" user.dat and system.dat with ones that worked.
The 9x UI wasn't any better/worse than XP or Vista. How many of us took one look at XP's Fisher-Price interface and immediately "downgraded" it to the Win2K look?
Boot speed? My last gaming rig was a Pentium IV, 2.4 GHz, running at 3.2 GHz, 512MB RAM and a 120GB drive, and the fucking thing went from power-on to full-GUI-running-and-no-hard-drive-activity in 15 seconds. There were configuration files you could edit to support 1GB and (by replacing/patching WINDOWS\SYSTEM\IOSUBSYS\ESDI_506.PDR) hard drives over 128GB.
Once upon a time, Linux wasn't ready for the desktop. During those years, Win9x rocked. Crappy multi-user OS? Guilty as charged. Useless for a server? Absolutely. But as a single user OS/program-loader, it was hard to beat. DRM? Product activation? What's that?
Re: (Score:3, Funny)
Tom Smykowski: It was a "Jump to Conclusions" mat. You see, it would be this mat that you would put on the floor... and would have different CONCLUSIONS written on it that you could JUMP TO.
Michael Bolton: That's the worst idea I've ever heard in my life, Tom.
Samir: Yes, this is horrible, this idea.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
However, i would never recommend such an OS to IT admins, an OS with no user separation is a terrible idea in a managed multiuser environment. You want to make sure users can't mess with other users or the system itself.
Re: (Score:2)
or the DOSBox emulator.
That way you don't have to figure out how to get sound working in DOS on anything made after 1997 or so.
Sounds like HowStuffWorks material! (Score:5, Funny)
Re:Sounds like HowStuffWorks material! (Score:4, Interesting)
short audio [microsoft.com] clip with halvar explaining how he analyzes ms patches for differences
-- bookmark me [primadd.net]
Re:Sounds like HowStuffWorks material! (Score:4, Insightful)
There's a little bit of actually understanding the diff in there too. That's sort of the hard part.
It's just a mistake! (Score:5, Funny)
Dang it all. (Score:5, Funny)
Re:Dang it all. (Score:5, Funny)
Re: (Score:2)
Slashvertisment (Score:3, Insightful)
Re:Slashvertisment (Score:5, Insightful)
Slashvertisment used to mean that you were claiming Slashdot was taking money to advertise something as a story. You seem to be using it to refer to anyone who submits their own website to Slashdot. Attention whore? Yes. Slashvertisment? No.
Clever Marketing (Score:2)
Let's get the preliminary stuff out of the way... (Score:3, Interesting)
Everyone should be forced to give up manual memory allocation regardless of the power it can afford.
#include "fucktard_troll.h"
Now that that's done with, I see things like this as an argument in favor of moving stuff off of the CPU and into dedicated hardware. Why should your CPU be tied up with things at this level? The absolutely overwhelming majority of all data on every network uses one of two network layer protocols (IPv4 or IPv6) and one of two transport layer protocols (TCP or UDP). Why shouldn't those four combinations be handled by hardware, so we can leave the computer to run the applications? We already do this with 3d rendering, why not networking?
Re:Let's get the preliminary stuff out of the way. (Score:4, Informative)
Do you have any idea how many millions of ethernet cards have been sold? Are they all going to be made obsolete?
These days CPUs are so fast that the minor overhead of a network driver is negligible, unless you're going to ultra-fast speeds (some high-performance network cards do offload this to hardware).
However, you still could have buffer overflows in the network drivers/firmware.
Re: (Score:3, Insightful)
I don't think anyone advocates softmodems, so why do we tolerate mostly soft network cards.
Re: (Score:3, Informative)
Re: (Score:2)
Or unless it DMAs stuff over, right on top of the kernel...
Re: (Score:2)
Re:Let's get the preliminary stuff out of the way. (Score:4, Interesting)
Re: (Score:2)
Behold, the bright future [wikipedia.org]!
Re: (Score:2)
Re: (Score:2)
Isn't that pretty much what a CPU already does?
Re: (Score:2)
Re:Let's get the preliminary stuff out of the way. (Score:5, Informative)
IPv6 makes some steps towards having simpler hardware handling, but as long as IPv4 is still around, we won't see hardware switching become commonplace.
Re: (Score:3, Informative)
Because TCP and UDP headers aren't of fixed sizes and as such are incredibly difficult to handle in hardware.
UDP headers [wikipedia.org] are always 8 bytes long. TCP headers [wikipedia.org] are indeed not fixed-length, but will always be a multiple of 4 bytes, will always be at least 20 bytes, and there's a field in the first 20 bytes that tells how large the header is. All of this can certainly be interpreted by hardware, but, as usual, it's cheaper to do it in software.
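The header-length rules stated in the comment above, as an added example that is not part of the thread: a receiver takes the UDP header as a fixed 8 bytes and reads the TCP header length from the data-offset field, but has to check both against the bytes actually received before trusting them. The function names and the sample packets in `main` are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define UDP_HDR_LEN     8u   /* UDP header is always 8 bytes */
#define TCP_MIN_HDR_LEN 20u  /* TCP header without options */

/*
 * Return the TCP header length in bytes, or -1 if the segment is malformed.
 * The data-offset field is the upper 4 bits of byte 12 and counts 32-bit
 * words, so the header is always a multiple of 4 between 20 and 60 bytes.
 */
int tcp_header_len(const uint8_t *seg, size_t seg_len)
{
    if (seg == NULL || seg_len < TCP_MIN_HDR_LEN)
        return -1;                      /* too short to hold the fixed part */

    size_t hdr = (size_t)(seg[12] >> 4) * 4;

    if (hdr < TCP_MIN_HDR_LEN)
        return -1;                      /* claims to be shorter than 20 bytes */
    if (hdr > seg_len)
        return -1;                      /* claims more header than was received */
    return (int)hdr;
}

/*
 * Return the UDP payload length in bytes, or -1 if the datagram is malformed.
 * The 16-bit length field (bytes 4-5, big-endian) covers header plus payload.
 */
long udp_payload_len(const uint8_t *dgram, size_t dgram_len)
{
    if (dgram == NULL || dgram_len < UDP_HDR_LEN)
        return -1;

    size_t total = ((size_t)dgram[4] << 8) | dgram[5];

    if (total < UDP_HDR_LEN)
        return -1;                      /* would make the payload length negative */
    if (total > dgram_len)
        return -1;                      /* claims more data than was received */
    return (long)(total - UDP_HDR_LEN);
}

int main(void)
{
    /* Constructed samples: only the length-bearing bytes are filled in. */
    uint8_t tcp[24] = {0};
    uint8_t udp[12] = {0};

    tcp[12] = 0x60;                     /* data offset 6 -> 24-byte header */
    printf("tcp offset 6:  %d\n", tcp_header_len(tcp, sizeof tcp));
    tcp[12] = 0x40;                     /* data offset 4 -> 16 bytes, invalid */
    printf("tcp offset 4:  %d\n", tcp_header_len(tcp, sizeof tcp));
    tcp[12] = 0xF0;                     /* data offset 15 -> 60 bytes, only 24 received */
    printf("tcp offset 15: %d\n", tcp_header_len(tcp, sizeof tcp));

    udp[5] = 12;                        /* length field 12 -> 4 payload bytes */
    printf("udp len 12:    %ld\n", udp_payload_len(udp, sizeof udp));
    udp[5] = 4;                         /* length field below the header size */
    printf("udp len 4:     %ld\n", udp_payload_len(udp, sizeof udp));
    return 0;
}
```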
Variable sized headers/payloads. (Score:2)
Makes one appreciate just
Re: (Score:2)
--jeffk++
Re: (Score:2)
But your point is taken. But, I'm not ever expecting this data format to be subsumed into firmware.
Re:Let's get the preliminary stuff out of the way. (Score:2)
> Everyone should be forced to give up manual memory allocation regardless of the power it can afford.
I beg your pardon?? What is it you're suggesting with that respect exactly?
Re: (Score:2)
I think he's suggesting the .NET framework.
Quite what I was afraid I understood. If you're afraid of doing dynamic allocation yourself you shouldn't be allowed to use a real programming language in the first place anyways. I mean seriously, that trend that consists in going "eww, dynamic allocation", "omg, a pointer, what is that thing!?" or even "I wonder how people could live without garbage collection" makes people sound like sissies.
Re: (Score:2)
Re: (Score:2)
I seem to remember assembly programmers saying the same things about high-level languages...
Sure, we might go "wtf do you need exception handlers for? Just write bug-free code!" or even "operator overloading is for pansies", but there's no way you can turn it into making us sound like sissies.
Re:Let's get the preliminary stuff out of the way. (Score:5, Informative)
Re: (Score:2)
I think if you continue your "off course" comments, you'll never stop stating the obvious.
Re:Let's get the preliminary stuff out of the way (Score:4, Insightful)
Besides, networking is something that barely taxes CPU power on every processor made from the Intel Pentium days to this date, unlike 3D acceleration. There's little justification to lose the flexibility provided by running it in software to get a negligible CPU performance increase.
And yes, hardware can be buggy too. There's a shitload of issues with specific hardware that are addressed on their device drivers - again, easier to solve in software than to fix in hardware. Even CPUs suffer from this.
Re: (Score:2)
Yes, let's do just that... (Score:4, Insightful)
Because as we all know, manual memory allocation is hard to understand. Programmers shouldn't have to know basic math, right?
Why don't we just make a language that does it automatically, and then we won't have any problems like this? Right?!
Those of us who cut their teeth on assembly and C look at this and just wonder in wide amazement. A part of us wonders how anyone could be so negligent - but the other part knows how things work in proprietary software shops. (A hint - the management doesn't consider it a bug unless the customer notices it.) Yes, we've all done this before, but the solution isn't to create a language which dumbs down the programmer (Dude - you're writing directly to memory!!! You must be some kind of uber-hacker!!). Rather, there are steps you can take to virtually eliminate this kind of problem:
You know, there was a time when formal methods were taught, when programmers were expected to know how to properly allocate and release memory. When things like calculating the size of the buffer, applying basic math(!) and testing your own code were considered just a part of the programmer's job. Now we're hearing people blame languages for the faults of the programmer.
If I keep going, I suppose I'll start to sound like Bill Cosby. But consider this: the most reliable operating systems to date were built on C (UNIX) and assembly (MVS). If a bunch of old farts (well, perhaps they were young then...) can crank out correct, reliable, fast code without an IDE and a bunch of GUI tools, clearly the language is not to blame.
The old adage still applies: a poor workman blames his tools. Software engineering works, regardless of the implementation language. This isn't a failure of the language or the environment, but rather, failure to do software engineering right:
Re: (Score:2)
buf_size = header_len + packetlen + sizelen + crclen + paddinglen
my_buf = malloc(buf_size)
memcpy(in_buf,my_buf,buf_size)
there's simply a lot more to code than in Ruby. While in theory you can make it as safe, in practice you've simply got 8+ times as much code, checking it for correctness takes a lot longer.
Similarly, in languages like Ruby you can iterate through a collection without loop variables, without writing ye
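An added example, not part of the thread: the same size calculation written so that a sum that wraps around is rejected instead of producing an undersized allocation, which is the class of mistake the story summary describes. The field names come from the snippet above; `copy_packet`, `unchecked_size` and the sample values are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Plain addition, shown only for comparison: wraps silently past SIZE_MAX. */
size_t unchecked_size(size_t header_len, size_t packetlen, size_t sizelen,
                      size_t crclen, size_t paddinglen)
{
    return header_len + packetlen + sizelen + crclen + paddinglen;
}

/* Add b to *acc, failing instead of wrapping around SIZE_MAX. */
static int add_checked(size_t *acc, size_t b)
{
    if (b > SIZE_MAX - *acc)
        return -1;
    *acc += b;
    return 0;
}

/*
 * Allocate header + packet + size + crc + padding bytes and copy in_len
 * bytes of input into the new buffer. Returns NULL if the total overflows,
 * if the input does not fit in the computed size, or if malloc fails.
 */
unsigned char *copy_packet(const unsigned char *in_buf, size_t in_len,
                           size_t header_len, size_t packetlen,
                           size_t sizelen, size_t crclen, size_t paddinglen,
                           size_t *out_size)
{
    size_t buf_size = 0;

    if (in_buf == NULL || out_size == NULL)
        return NULL;
    if (add_checked(&buf_size, header_len) ||
        add_checked(&buf_size, packetlen)  ||
        add_checked(&buf_size, sizelen)    ||
        add_checked(&buf_size, crclen)     ||
        add_checked(&buf_size, paddinglen))
        return NULL;                    /* sum does not fit in size_t */
    if (buf_size == 0 || in_len > buf_size)
        return NULL;                    /* copy length must fit the allocation */

    unsigned char *my_buf = malloc(buf_size);
    if (my_buf == NULL)
        return NULL;

    memcpy(my_buf, in_buf, in_len);     /* destination first, then source */
    memset(my_buf + in_len, 0, buf_size - in_len);
    *out_size = buf_size;
    return my_buf;
}

int main(void)
{
    unsigned char src[6] = {1, 2, 3, 4, 5, 6};  /* constructed sample input */
    size_t n = 0;

    unsigned char *p = copy_packet(src, sizeof src, 4, 2, 2, 4, 4, &n);
    printf("normal sizes: %s, buf_size=%zu\n", p ? "ok" : "rejected", n);
    free(p);

    /* One oversized length field makes the plain sum wrap to a tiny value. */
    printf("unchecked sum: %zu\n", unchecked_size(SIZE_MAX - 3, 8, 0, 0, 0));
    p = copy_packet(src, sizeof src, SIZE_MAX - 3, 8, 0, 0, 0, &n);
    printf("checked version: %s\n", p ? "ok" : "rejected");
    free(p);
    return 0;
}
```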
Re: (Score:3, Informative)
You are right, but if you have to calculate buffer size manually
C:
buf_size = header_len + packetlen + sizelen + crclen + paddinglen
my_buf = malloc(buf_size)
if (null == my_buf)
memcpy(in_buf,my_buf,buf_size)
there's simply a lot more to code than in Ruby. While in theory you can make it as safe, in practice you've simply got 8+ times as much code, checking it for correctness takes a lot longer.
Similarly,
Re:Yes, let's do just that... (Score:5, Insightful)
Or, come to think of it, without supervision.
Re: (Score:2)
But why, specifically, is that code so bad?
Re: (Score:2)
But that's my point. C has too many gotchas like that where the standard library is nearly unusable - scanf is bad, gets is bad, printf with user-controllable strings isn't safe, etc.
Same with C++. Use strings to avoid these problems, but which string library. Which smart pointers? Which resizable array, or associate array library?
Thankfully it's been too many years for me to be more specific.
Re: (Score:2)
While technically you may be correct about the C standard, gcc does indeed provide zero padded arrays:
A dump of the file produces this:
The interesting thing about this code is
Re: (Score:3, Informative)
I was reading through your post and nodding, but then I realised that I just can't agree with your underlying argument. I think this is the part of your post that captures the essence of what I mean:
> You know, there was a time when formal methods were taught, when programmers were expected to know how to properly allocate and release memory. When things like calculating the size of the buffer, applying basic math(!) and testing your own code were considered just a part of the programmer's job. Now we're hearing people blame languages for the faults of the programmer.
While this is all true, the problem with this argument is that it fails to account for no-one being perfect. If a certain type of error is known to have occurred a non-zero number of times, and other things being equal the models in a certain programming language make that type of error impossible, then that
Re:Yes, let's do just that... (Score:4, Insightful)
This is a fallacy. By that argument, number theory is simple because arithmetic is easy, and numerical errors in computations should not occur because the people doing them have mastered the atomic operations.
[motherhood and apple pie snipped]
Because, in large part, poor workmen choose inappropriate tools.
It makes no sense to argue assuming a false dichotomy (e.g., "should we use a dynamically typed language with garbage collection, or should we do software engineering?"). The question is how to build robust systems most economically.
To that end, we have to ask two questions:
(1) Does making the programmer responsible for memory allocation lead to errors?
(2) Can taking the responsibility for routine memory allocation out of the programmer's hands create other issues?
The answers are, yes and yes. It all comes down to cost, schedule and results. It is true that there is no system written in Java, Python or Ruby that could not, theoretically, be written with the same or greater quality in C or assembler. It is also true that there are some systems which are written in C or assembler that would be much more difficult, if not impossible to write in Java, although as the years roll in these are fewer.
A few years back I was asked to look at an embedded system that was originally designed for the tracking of shipping containers. It used GPS and short bursts of sat phone comm to phone its position home. The client had an application which required that the positional data be secured from interception, ideally of course perfectly secured, but if the data could be protected for several hours that would be sufficient. It doesn't take much imagination to guess who the ultimate users of this would be and in what four letter country they wished to use it.
The systems in question were programmable, but there was less than 50K of program storage and about 16K of heap/stack RAM we could play with. We did not have the option of altering the hardware in any way other than loading new programming on. The client was pretty sure they weren't going to be able to do it because there wasn't enough space. My conclusion was that while creating a robust protocol given the redundancy of the messages was a challenge, the programming part would be quite feasible in C or assembler. Of course, if I had the option of adding something like a cryptographic java card to the system, the job of creating a robust protocol would have been greatly simplified.
And ultimately, that's what software engineering amounts to: finding ways to greatly simplify what are otherwise dauntingly complicated problems. Yes, it takes more mojo to do it in assembler, but mojo is a resource like any other. Engineering is getting the most done for the least expenditure of resources.
So the answer is that it is good engineering to use Java or Python or Ruby where it simplifies your solution. It is good engineering to use C or assembler when they simplify your problem. It is bad engineering to choose a tool because using it proves you have large cojones.
Re: (Score:2)
> Because as we all know, manual memory allocation is hard to understand.
For me, memory allocation is dead simple. It's knowing when to free it that's the bear. In trivial cases where malloc() and free() are in the same function, that's a piece of cake. In more involved cases where buffers are working their way through multi-threaded code and it's not immediately clear which function will be the last one to touch a buffer (and therefore responsible for freeing it), it's a freakin' nightmare.
I openly admit that I'm a flawed programmer. When everything's going well, I'm ve
Re: (Score:2)
Re:Let's get the preliminary stuff out of the way. (Score:2, Insightful)
You forgot ICMP. And even if you had remembered it, the bug was in IGMP, which is still not on your list, and would thus need to be implemented in software anyway. Sure, IGMP is not used that much, but it only takes one bad guy to send the packet that takes over your system.
Re:Let's get the preliminary stuff out of the way. (Score:2)
Considering that Firefox crashes whenever I happen to hit the "Insert" key when writing a reply on Slashdot, and randomly otherwise, I'm inclined to agree. Programmers, in general, are apparently incapable of dealing with memory management or bounds checking, so they should just use automation.
Of course simply moving them to Java will just have them do things like starting threads from object constructo
Re: (Score:2)
Re:Let's get the preliminary stuff out of the way. (Score:2)
Write it out in VHDL, get an FPGA, and take the proof of concept to someone with money. Any web server admin with half a brain can see why having your TCP/IP stack in hardware is preferential to software, even if it does replace the ethernet card.
Fantastic!!!
How about http://blogs.technet.com/swi/ (Score:4, Informative)
Windows is open-sores software (Score:3, Funny)
See? And they said without FOSS, this couldn't be done!
Re:Windows is open-sores software (Score:5, Interesting)
The difference is that if it was FOSS, they'd be able to see the comment saying "// this doesn't match the specs but it worked for me in the test I did, so the specs must be wrong."
Re: (Score:2, Interesting)
Re:Windows is open-sores software (Score:4, Insightful)
With FOSS, you know exactly what your rights are.
Re:Windows is open-sores software (Score:4, Insightful)
Please don't write posts like this if you're not going to back them up with reliable sources. Your personal views on the validity of EULAs in whatever jurisdiction you are in don't really count for much if the courts don't agree with you, and in any case are unlikely to be applicable universally.
Re: (Score:2)
Where's your source, which shows retail customers binding themselves to additional terms after the "sale?" A claim that seemingly-purchased items are not actually purchased, is a radical claim that defies common sense. That doesn't mean it's a wrong claim, but it does defy centuries of tradition and law. If someone says that commerce in software works completely different than all other commerce (including that
Re: (Score:2)
I considered not replying to your post, since you're doing exactly the same as the other guy and attempting proof by intimidation. You also seem to be attacking me for a position you have invented and then assumed I hold, despite my post not even hinting at any position on this particular subject. However, if you do care what the law actually says and where it is untested, even obvious places like the "EULA" entry on Wikipedia or a Google search for "eula validity case law" immediately turn up numerous sour
Re: (Score:2)
Retail sales do not bind people to post-sale contracts. Every so often some lobby group claims that their product is different. In the early 1900s it was book publishers. They were specifically ruled against with the 'doctrine of first sale'. The courts specifically stated that the seller loses all rights to the item they sell. First sale [cornell.edu]
It's illegal to sell a product, knowing that you intend to render it inoperative, or not allow it
Re: (Score:2)
Unfortunately, the majority of US courts haven't yet realized the "duress" part of your argument, even though it naturally follows when software is sold, not licensed. As a result, the majority opinion in the US is that if you agree to an EULA, it becomes binding upon you
Re: (Score:2)
However, you are incorrect about the EULAs not being binding. There is a line of cases (starting with ProCD v. Zeidenberg) where EULAs have been found to be legally binding contra
Re: (Score:2)
In any case, I'll speak up in his defense because, in the USA at least, he's right-on about sales. When you purchase an item at retail, you form a contract with the retailer. The manufacturer of the product has no standing to add or modify terms of the contract for sale. In the case of software, if you buy it from a retailer, you own it. The software publisher can't, after the sale, claim that it wasn't really a sale but actually just a license
Re: (Score:3, Interesting)
Also, though its educational purposes are undeniable and it certainly is interesting to say the least, what good is it? It can only be used to make one or
Re:Windows is open-sores software (Score:4, Informative)
despair.com says it best (Score:2, Funny)
Re: (Score:2)
We've already abandoned it for Linux.
I still have (and occasionally use) my server edition license, though.