Personnal VeriSign

Does not really work. Once you have a company with a digital signature, they
can and will be sued. It does not necessarily mean the plaintiff will win,
but enough suits and you are out of business anyway. Also, the original
suggestion was that the firm see the source; that is opening them up to a
ton of liability if someone clones the software.

Even if it did work, it has problems. Since then the firm which would sign
for anyone would be the cert holder. That means people who say “always
trust software from XXX” will lose all protection (remember the reason
Microsoft did this in the first place was for this class of user), and
disabling the cert for company XXX since it released a virus means that all
other developers who released under XXX lose.

No, it needs to be individual certificates, with some way to decide I trust
Joe but not Harry.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

wrote in message news:xxxxx@ntdev…
> What liability when the product’s license states (and I quote from my own
> Open Source BSD licenced stuff):
>
> “THIS SOFTWARE IS PROVIDED BY ‘‘AS IS’’ AND ANY
> EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
> WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
> DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY
> DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
> (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
> LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
> ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
> SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.”
>
> (Sorry for the caps, that’s how the original BSD licence is written).
>
> If you use my software, you must agree to that. So that would
> mean that if you (SourceForge, CodePlex, other OSS sites, commercial
> entity) signed my package, you are not legally bound to anything.

Information from ESET NOD32 Antivirus, version of virus signature database 4668 (20091207)

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

xxxxx@gmail.com wrote:

> What liability when the product’s license states (and I quote from my own Open Source BSD licenced stuff):
>
> “THIS SOFTWARE IS PROVIDED BY ‘‘AS IS’’ AND ANY
> EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
> WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
> DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY
> DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
> (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
> LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
> ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
> SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.”
>
> (Sorry for the caps, that’s how the original BSD licence is written).
>
> If you use my software, you must agree to that. So that would mean that if you (SourceForge, CodePlex, other OSS sites, commercial entity) signed my package, you are not legally bound to anything.

That’s quite a leap. Disclaimers like that are of questionable value in
protecting YOU, the author, but I don’t see that it does anything at all
to protect someone who signs the package.

If your software is used in a piece of medical equipment and causes
someone personal injury, you can rest assured that you, and anyone who
touched your code, will be dragged into a courtroom.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Disclaimers can be modified to include not only the author, but also the signer. As for how effective they are legally, I am not a lawyer, so I do not know. It depends on the country, anyway. In OSS, this is standard, and I have not heard of a single case against an OSS developer with such a disclaimer. Why should kernel mode be different as long as it includes the signer?

Don is right though, a single, generic cert doesn’t do. You need to provide a 1:1 mapping between individuals and software. A solution would be:

  1. Give certs to everybody (free or not)
  2. Require the package to be cross-signed by the business.

I’m not sure if the system allows for three signatures on a package though.

Yet… (in some states at least) (if I were a US citizen) I could quite
easily buy some of the most deadly assault weaponry on the planet as an
individual, but yet I could not buy a software certificate…

nice.


If the user is a corp themselves, they can sign your driver with their own
certificate
(and they can sponsor the WHQL signature for drivers that need this).

The problem exists only when an individual developer “targets” an individual user
(who, as we know, doesn’t even read warning messages and can’t survive
without guidance of Big Brothers…)

–pa

“Oliver Schneider” wrote in message
news:xxxxx@ntdev…
>> Of course, MS wants individuals to write software for Windows - but not
>> to tamper with the kernel.
>> Kernel is a special place that should be kept sterile and trusted. At
>> least, this is the intention…
> There wasn’t any way for the “lesser” code-signing certificates either
> when I checked last. So even user-mode code-signing is precluded from me
> as an individual.
>
>> There is so much fun and money outside - GUI, internet, facebook, HPC,
>> games. Why at all an individual may want to poke in the kernel? This is
>> suspicious.
> Hehe, got it. Highly suspicious indeed. However, I doubt there are many
> hobbyists in that area anyway, and most of them are probably either
> working with KM code professionally as well or “hobbyists” from
> rootkit.com who wouldn’t go to such lengths to get their code signed and
> their papers scrutinized :)
>
> // Oliver

> ---------------------------------------------------
> DDKWizard and DDKBUILD: http:
>
> Trunk (potentially unstable) version:
> http:

“Pavel A.” wrote in message news:xxxxx@ntdev…
> If the user is a corp themselves, they can sign your driver with their own
> certificate
> (and they can sponsor the WHQL signature for drivers that need this).
>
> The problem exists only when an individual developer “targets” an individual
> user
> (who, as we know, doesn’t even read warning messages and can’t survive
> without guidance of Big Brothers…)
>

First, most companies I know of would terminate an employee with extreme
prejudice if they signed a piece of software with the corporate cert without
it being well tested and checked. The thought of signing someone else’s
software is hardly credible, since if by accident it got out they are now
sharing the liability.

One common situation is a tool that needs a driver. Consider Mark
Russinovich in the early days, imagine if he would have produced the tools
he did if he had to sign them with a cert from a company from day 1.
Developer tools are a common place where many individuals do create drivers,
and many of the developer tools in the past have become well recognized and
used in the corporate IT space. We do need a way to do this, and I expect
that it will cost for an individual. The trick is to find a good way to
approach this.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


It’s scary that somebody could go to jail if his/her driver BSODs in a surgery room and the patient dies.

Don’t know about software, but I remember all the electronic components I ordered specifically say “Not intended for life supporting/sustaining devices” or such. There are military grade components for military applications. An oscillator used in fighter jet radar is much more expensive than its civilian counterpart. I would think there would be similar regulation for medical devices.

Calvin

> That’s quite a leap. Disclaimers like that are of questionable value in
> protecting YOU, the author, but I don’t see that it does anything at all
> to protect someone who signs the package.
>
> If your software is used in a piece of medical equipment and causes
> someone personal injury, you can rest assured that you, and anyone who
> touched your code, will be dragged into a courtroom.

Quite true.

Every law on the books (at least in the US) means one and only one thing: exactly what the guy in the robe standing in front of you says it means on that particular day. Fortunes are spent trying to get that to come out the way that each side wants (a.k.a. precedent), because US civil law is decidedly not an orthogonal system.

mm

wrote in message news:xxxxx@ntdev…
>
> You’re kidding, right?
> I think writing drivers is fun. People find LOTS of things fun, shall we
> tell them that “only professionals need apply” when it comes to writing
> drivers? “Sorry… you can do it at home, in your spare time, using
> completely free tools, and perhaps you’ll learn new things, invent
> something cool, and fill the needs of a small community… but NO, sorry,
> we’re not going to let you because you’re doing it as a HOBBY?” Yeah,
> right. It’s just too dangerous?
>
> Peter
> OSR

No, Peter - obviously I’m speaking only for myself, but for me Windows
drivers is mainly a job. Though I like it more than not. Writing for
embedded applications is more fun (more freedom, less artificial
restrictions and discipline) to me.

By the way, there are also other hobbies that require certain formalities: a
driver license, gun license and so on. Some also enjoy making fireworks or
are amateur debug detectives, or surgeons. Who knows.

Regards,
–pa

Ahemm: All “Sea Lawyers” (we need a new category, “Dev Lawyers”) maybe
NTTALK would be a fun place to tilt at this windmill?

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Pavel A.
Sent: Monday, December 07, 2009 3:47 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Personnal VeriSign


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

And of course, RE “Dev Lawyers” no disrespect (indeed admiration for the
accomplishment) to our favorite and resident Mr. Oney.

Notably, the smartest one of us all for staying the hell out of this mess.

Dave Cattley

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of David R. Cattley
Sent: Monday, December 07, 2009 4:13 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Personnal VeriSign


“Don Burn” wrote in message news:xxxxx@ntdev…
> One common situation is a tool that needs a driver. Consider Mark
> Russinovich in the early days, imagine if he would have produced the tools
> he did if he had to sign them with a cert from a company from day 1.

But Russinovich had a company, Sysinternals.

–pa

Pavel A. wrote:

> “Don Burn” wrote in message news:xxxxx@ntdev…
>> One common situation is a tool that needs a driver. Consider Mark
>> Russinovich in the early days, imagine if he would have produced the
>> tools he did if he had to sign them with a cert from a company from
>> day 1.
>
> But Russinovich had a company, Sysinternals.

Yes, but he was considered a subversive by many in his early days. That
is, until he was seduced by the Dark Side.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

But not when he first published the tools. In this case they were articles
in Dr. Dobb’s, but the basic premise is the same. If someone wants to put
out a tool with a driver, they need it signed, which eliminates the
independent developer from releasing tools. Note: even for tools without
drivers, it is desirable to sign the package, but there is no way to do it.

I have a couple of tools involving drivers that I have pretty much abandoned
development on; I proved they work for a specific purpose, but making them
into general tools is not worth it since I will never distribute them
without a cert.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“Pavel A.” wrote in message news:xxxxx@ntdev…
> “Don Burn” wrote in message news:xxxxx@ntdev…
>> One common situation is a tool that needs a driver. Consider Mark
>> Russinovich in the early days, imagine if he would have produced the
>> tools he did if he had to sign them with a cert from a company from day
>> 1.
>
> But Russinovich had a company, Sysinternals.
>
> --pa

Don’t forget that when you get a bunch of lawyers involved even simple plain
language can be convoluted to mean anything.

wrote in message news:xxxxx@ntdev…
> That’s quite a leap. Disclaimers like that are of questionable value in
> protecting YOU, the author, but I don’t see that it does anything at all
> to protect someone who signs the package.
>
> If your software is used in a piece of medical equipment and causes
> someone personal injury, you can rest assured that you, and anyone who
> touched your code, will be dragged into a courtroom.
>
> –
>
> Quite true.
>
> Every law on the books (at least in the US) means one and only one thing -
> exactly what the guy in the robe standing in front of you says it means on
> that particular day. Fortunes are spent trying to get that to come out
> the way that each side wants - a.k.a. precedent - because US civil law
> is decidedly not an orthogonal system.
>
>
> mm
>

Maybe he doesn’t do ‘pro bono’. It carries risk for him too since in the
USA lawyers are licensed by state and may not provide services outside those
states where licensed. The states have to find ways to limit competition,
protect their turf, and as a minor side effect keep the unqualified from
doing harm.

“David R. Cattley” wrote in message news:xxxxx@ntdev…
> And of course, RE “Dev Lawyers” no disrespect (indeed admiration for the
> accomplishment) to our favorite and resident Mr. Oney.
>
> Notably, the smartest one of us all for staying the hell out of this mess.
>
> Dave Cattley
>

David Craig wrote:

Maybe he doesn’t do ‘pro bono’. It carries risk for him too since in the
USA lawyers are licensed by state and may not provide services outside those
states where licensed. The states have to find ways to limit competition,
protect their turf, and as a minor side effect keep the unqualified from
doing harm.

More than that, the legal field is divided into rather narrow
specialties. Walter’s specialty is bankruptcy, not liability or
intellectual property. It would be inappropriate for him to comment
outside of his area of expertise.

Of course, that hasn’t stopped the rest of us non-lawyers from commenting…


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

That’s a shame, because OSR is willing to sign 3rd party tools that are distributed free via OSR Online to the driver development community, regardless of the author.

As long as we can review and build the code from source, distribute it via OSR Online (not exclusively even), and we judge it to be of reasonable quality and useful to the driver development community, we’ll sign it with our cert.

I’m quite sure I’ve mentioned that before. We sign Mr. Zezula’s FileSpy tool under those conditions, for example…

Peter
OSR

> games. Why at all an individual may want to poke in the kernel? This is
> suspicious.

I think the core reason is DRM: DRM-breaking kernel-mode software will carry a digital signature and make the author prosecutable under the DMCA.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> gun license an so on. Some also enjoy making fireworks

Oh yes. 100 deaths from amateur fireworks in Russia recently.

amateur surgeons.

:)


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com