Modernizing Authentication — What It Takes to Transform Secure Access
The recent uproar over Sony BMG's ''rootkit-like'' software, Microsoft'sWMF defect and such got me thinking about the software on my computers.The audacity of these companies to put such unwanted filth on mycomputers!
But truth be told, I've probably inadvertently allowed them to do so bythe fine print in their End User License Agreement (EULA), right?
So what recourse do I have? That's when I was hit with a ''wouldn't it becool if'' moment that I want to share with you all in the form of an openletter to software producers, whether they be open or closed source,commercial or freeware.
Dear Software Producer:https://o1.qnsr.com/log/p.gif?;n=203;c=204634421;s=15939;x=7936;f=201702151714490;u=j;z=TIMESTAMP;a=20304455;e=i
First and foremost, this is my computer, and the data on it belongs tome.
I purchased (or freely and legally downloaded) your software to use on mycomputer. But make no mistake about it... it is my computer and yoursoftware is a digital guest here. As such, I have a few basic and fairrules of conduct I require you to follow. They are as follows:
Your software may be installed in the location(s) I designate andnowhere else. All of the components of your software must remaincompletely visible to me. That also means you may not install anythingwithout my permission, including ''rootkit-type'' software technologiesto hide your software or any component of it, making it difficult for meto remove;
When and if I remove your software, I want to remove every singledigital remnant of it, but not my own data. My computer should beessentially identical before I install your software as after I removeit. Every file, every environment variable, every registry key, etc.,must be removed when I remove your software;
Your software may not open pop-up windows, advertisements, etc.,without my permission. Any and all advertising needs to be ''opt in'' andnot ''opt out'';
My data belongs to me. It is not yours to peruse, include in debugdumps, etc. You will treat my data with the respect a good guest wouldtreat my belongings in my home;
You may not ''phone home''. If you have a requirement to connect tothe mother ship for some reason, then I want to be informed andexplicitly consent to it. And even then, I want to have visibility intoand veto authority over every single byte that goes between your softwareand your company's computers. If I haven't explicitly allowed it, thenconsider it forbidden;
If you have an on-line software registration form to fill out, youmay only provide the information I voluntarily enter for you. You may notprovide any system configuration information, etc., unless you've shownme what you want to send back and I've explicitly approved it;
Updates and security patches are fine (thank you), but I want to befully informed and asked if it's OK to proceed. In the event of asecurity or functionality patch, I want to be provided with detailedinformation on the nature of the problem and how it may impact me beforeI approve its installation. If a patch then causes me grief -- forwhatever reason -- I need to be able to quickly and painlessly uninstallthe patch;
If I choose to not install your patch, I need to be able to easilyisolate and disable the affected component(s) of your software, and youneed to let me know what impact that decision will have on the operationof your software;
When you find out about a security defect in your product, I requiretimely notification of the problem, how it may impact me, what I need todo to protect myself in the interim between my notification and yourproducing a patch, and when I should expect the patch.
In exchange for abiding by these rules of decent and honorable behavior,I agree to use only legally licensed copies of your software incompliance with your customary terms.
This is, after all, my computer and my data.
Now, you're probably thinking I've gone completely nuts. Perhaps you'reright, but are these terms and conditions really all that unreasonable?I don't think they are at all.
If every software producer treated their customers' computers and data asthough their products are in fact guests in the computer, then I firmlybelieve we'd have far fewer security problems.
For starters, Sony BMG would never have considered using ''rootkit''technologies to hide its code. Better still, software developers wouldconsider these terms as they're designing their software, which is likelyto have precluded Microsoft's design flaw in its WMF code. (Executablecode would never have been allowed to be transmitted and run via anarbitrary image file.)
Since we're pretty much forced to live with the vendors' EULAs, then theyshould have to live with ours. I'm reminded of Arlo Guthrie's Alice'sRestaurant. If just one of us takes this letter to our softwarevendors, they'll think he's nuts. But if we all do it, then they may justthink it's some kind of movement. (With due apologies to Arlo...)
I, for one, think it's about time we stand up for our software consumerrights!