[3003] in WWW Security List Archive
Re: CryptoAPI 2 - Read before you Click
daemon@ATHENA.MIT.EDU (Peter Rowell)
Thu Sep 19 20:08:49 1996
Date: Thu, 19 Sep 96 15:16:44 PDT
From: peter@thirdeye.com (Peter Rowell)
To: www-security@ns2.rutgers.edu
In-Reply-To: Mail from 'Tom Johnston <tomj@microsoft.com>'
dated: Thu, 19 Sep 1996 09:23:45 -0700
Errors-To: owner-www-security@ns2.rutgers.edu
Tom Johnston <tomj@microsoft.com> made this amazing offer!
> Interested in including cryptography and certificates in your
> applications, but don't want to worry about writing code to implement
> PKCS 7, X.509, ASN.1, or actually write cryptographic routines
> yourself?
> For more information, check out http://www.microsoft.com/intdev/security.
Well, even though that sounded just too good to be true, I thought I'd
go get me some of that Free Cryptographic Software!
But, like my Pappy always said, if it sounds too good to be ...
well I'm sure yours said the same thing.
My Pappy also always told me to read things before I clicked Agree.
(Actually, he was talking about signing things, but a click is as
good as a signature to a blind developer.) So, I read all about
the wonders of PCT 1.0, how it was going to change my life and
improve the security of the world.
I then read the Distribution Authorization Notice (located at
http://pct.microsoft.com/pct10/pct10ref.htm), which said something like:
What are the licensing terms?
[ ... ]
Microsoft distributes PCT 1.0 free for both non-commercial and
^^^^^^^^
commercial use. In order to get the PCT 1.0 source code itself, you
^^^^^^^^^^^^^^
must first read and agree to the PCT 1.0 License Agreement
(should you choose to request a copy of PCT 1.0).
and it still sounded pretty much like Free Cryptographic Software to me!
And then I went to http://pct.microsoft.com/pct10/pctregf.htm and read:
In order to download or receive PCT 1.0, you must agree to the
terms of the PCT 1.0 Licensing Agreement by clicking on the
button at the bottom of the page ....
and then I read the - LICENSE AGREEMENT -, and then I was confused!
Because it said:
1. GRANT OF LICENSE. This EULA grants you the following rights:
You may install and use the server software portion of the
SOFTWARE PRODUCT on computers on which a valid copy of the Microsoft
Internet Information Server has been installed, and install the
client software portion of the SOFTWARE PRODUCT on an unlimited
number of computers or workstations which may then access the
server(s) at your premises solely to evaluate the SOFTWARE PRODUCT,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
test its compatibility with other products and/or provide feedback
to Microsoft.
which doesn't sound very "free ... for commercial use" to me.
They then go on (in section 2, included below) to say a number of
other things, all of which effectively render the "free software"
useless to any commercial firm.
In fact, the Competitive Products paragraph alone is a nice little
minefield for anyone so foolish as to agree to this Agreement, then
decide the software is not what they need and then go do something better.
Either the first page was deliberately misleading so that people would
just blindly click on the "Agree" button (thereby laying the
groundwork to be sued by Microsoft at some future date) or there is some
confusion on the part of Microsoft's attorneys about what the security
group was trying to accomplish with this distribution.
Did anyone else read this stuff?
Just wonderin'
Peter
=============================================================================
Peter Rowell, Third Eye Software, Inc., peter@thirdeye.com (707) 829-3793
"Now is the Windows of our disk content." -- Richard v3.0
==========================================================================
2. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS.
!> Competitive Products. You may not directly or indirectly use the
!> SOFTWARE PRODUCT or any information about it in the development of
!> any product that is directly competitive with the SOFTWARE PRODUCT.
Environment. You may not use the SOFTWARE PRODUCT in a live
operating environment where it may be relied upon to perform
in the same manner as a commercially released product or with
data that has not been sufficiently backed up.
Limitations on Certain Testing Methods. You may not use the SOFTWARE
PRODUCT for benchmarking or performance testing.
Limitations on Reverse Engineering, Decompilation, and Disassembly.
You may not reverse engineer, decompile, or disassemble the SOFTWARE
PRODUCT, except and only to the extent that such activity is
expressly permitted by applicable law notwithstanding this limitation.
Rental. You may not rent or lease the SOFTWARE PRODUCT.