Besides the XBOX issue discussed in this thread, I think there is some more relevance to the security industry in it.
While I still have the feeling that in this specific case Microsoft is operating in what I would call the "expected range", I would like to put this into a broader picture: Many say XBOX is the first try/pilot on TCPA, Palladium or whatever your favourite name is. The bottom line is that there is a movement to not let you own the hardware you purchased. I don't see any issue with XBOX in here, because you have the choice to purchase many other solutions without this "design defect". (In fact, I don't consider it to be smart to help make XBOX a commercial success if you dislike TCPA...).

HOWEVER, now let's assume we have a Windows "XP" 2005 (Overlonghorn?;)) that implements TCPA. By design, now the VERY SAME should happen. That is, you install an operating system which effectively denies you the right to use your computer as you want to (ok, it can't stop you from smashing it...). Of course, there are alternatives to Windows on the desktop AND I think they will become more popular as the DRM/TCPA issue moves into the Windows products... BUT in this case I see a big difference. Then it is not an easy choice to avoid this operating system. Even if you manage to use some vuln in that OS that will help you circumvent TCPA, a security update could remove the vuln at any time of Microsoft's discretion. In fact, that alone is again what I would call to be in the "expected range", because a vuln in the security system must be targeted.

The question is only if we like to hand over ownership of our machines to the software vendors. And thus it is indeed an interesting question if that can be done via an EULA. As of my understanding, it is much more likely to happen in the US, as the US law system grants you more freedom in what you can agree on in contracts. In Europe, there are many more things that you can NOT do in a contract and I assume many of these restrictions would fit in here (and I don't want to argue which law system is better ;)).
The bottom line, I think, is that we must raise awareness on these issues not only in the infosec community but the general public. What I currently see is that Microsoft and other vendors slowly move towards DRM. So slowly, that customers do not really notice which rights they lose. It is well known that many small changes over some time period are often unnoticed while a big change would bring the vendor into trouble. Maybe the XBOX case, as weak as I see it, would make up a good sample... I would also applaud if someone of those being upset would actually try to bring it to court. Remember, it doesn't help to complain with legal issues. It only helps to file a suit ;) [well, honestly, not in all the cases....]

Rainer
