Outline · [ Standard ] · Linear+ Microsoft's New Policy: No Patches for Pirates

[optomos]

For those of you who haven’t heard, MS has announced that pirates who steal Windows will no longer be able to download updates beginning February 7th. Thieves will instead be ‘informed’ of their illegal status and offered a variety of ‘carrots’ to purchase Windows legitimately. No word yet on what ‘stick’ might be used, if any, but Microsoft is offering a wide variety of software and service discounts. Unfortunately, the products and services they’ve chosen to push appear to be the ones no one wants or uses, but at least this beats BSA notices and ‘friendly’ lawyer phone calls.

Snarky comments aside, Microsoft deserves credit for adopting an incentive-based approach rather than using any number of considerably more draconian options. Its undoubtedly possible to de-activate Windows XP’s activation status if an illegal install is detected, thus forcing someone with an illicit copy to register immediately (or, if Redmond’s feeling generous, within 30 days). Although the user feedback would’ve been hellish, Microsoft could’ve taken a much tougher stance on the issue of illegal use of their OS, and it’d be hard to argue much on moral or legal grounds. Does anyone using a pirated copy of Windows believe they’ve got any right to download the updates for a product they stole in the first place? Probably not—but history has shown that consumers react very poorly to aggressive, harsh-language from companies trying to cut down on piracy (possibly because they’re pirating? – Ed). Accusing one’s customers of theft apparently isn’t good business even when you are a monopoly and they are thieves; I wonder if SCO ever got that memo?

Even if we grant Microsoft’s right to secure their product from theft and commend the relatively positive way they’re dealing with end-users thus far in this situation, there’s no guarantee this new program will achieve Redmond’s goal of lowering Windows piracy, and it could leave the software giant in an odd position legally. Oddly, Microsoft’s PR release yesterday implies that ‘pirated’ software and ‘counterfeit’ software are essentially the same thing, and presents both in opposition to ‘genuine’ software. The two terms are not synonyms; its not clear if their use as such was deliberately meant to confuse, represents a subtle hint where Redmond will focus this new program, or was simply born out of ignorance. Regardless, we’ll discuss the difference now.

A software pirate is a person who buys a legitimate WindowsXP copy (meaning one shipped by Microsoft) and installs it on an arbitrary number of systems. Key generators are used for Product Activation; product keys are distributed to family and friends. Distribution here is by a CD burner or network. This person has committed piracy—but he’s not a counterfeiter. Alternatively, the pirate may have downloaded an already-illicit copy from a trusted source—but the important point here is that he either purchased it or acquired himself and made copies, giving them to people who knew what they were getting. There’s no commercial activity going on, and personal distribution (and the goals thereof) are limited.

A software counterfeiter acquires a legitimate or trusted illegitimate copy of the OS, just as the pirate does, but from here the two proceed down significantly different paths. A counterfeiting operation will focus on large-scale CD reproduction, will sell those CD’s for a profit, and (often) goes to great pains attempting to appear authentic. This type of operation is much less prevalent in the US than in other nations, but it happens—I’ve twice had customers who thought they’d purchased legitimate copies of Windows, but who had counterfeit copies; it was almost impossible to tell the difference unless you hand-compared a legitimate copy versus the fake one.

Counterfeiting, therefore, is distinct and separate from pirating, and it’s the larger problem. An individual choosing to use a pirated copy of WindowsXP knows (or most of them know) that they have no right to expect support from Microsoft. A business purchasing copies of an OS it thinks are legitimate expects support—and won’t be happy if they’re told they don’t qualify. Microsoft’s arguments regarding ‘quality of experience’ aren’t going to apply to a pirate who steals the official OS version for his own personal use (why would he degrade his own copy, unless Microsoft defines ‘degrade’ by ‘installs Firefox’). A counterfeiting business, however, could have a major interest in making changes to files deep within the OS structure. Microsoft obviously has a direct interest in shutting down this type of abuse, but its not clear the Windows Genuine Advantage program can do so without either significantly limiting user privacy or incorporating drastic new ‘authentication’ technology. If the system is too easy to spoof, the same counterfeiters already stealing the OS will simply incorporate the spoof as well. Stopping software counterfeiting also has a price component Microsoft is slowly recognizing—when copies of Windows sell for $90 in a country where $90 is a month’s wages, people will not buy it through official channels.

Cutting pirates off from all but the most critical security is irrevocably tangled with the issue of what’s more important at Redmond—profits or security? From Jan 1 2004 to the present day, Microsoft released 53 security updates across its product line (assuming I didn’t miss anything on this page). 50 updates were released in 2003, and 9 updates in 2002, for a total of 112 security patches. True, this is dwarfed by the total number of changes and bugs fixed in SP2 but the list of vulnerabilities in a non-patched WindowsXP system is significantly longer than in one that’s kept up to date. Even though Microsoft has said they’ll continue to provide critical updates as ‘free’ downloads to all, this limitation assumes Microsoft will always properly assess a threat and rate it accordingly. If a virus specifically tailored to take advantage of a ‘Moderate’ threat finds a home in illegal copies of the OS, it could wreak havoc. To date, Microsoft has ducked liability for its own security issues, but that defense could collapse if the software manufacturer refuses to offer security updates to all systems running WindowsXP, regardless of their legal status, especially if the owner of said system can demonstrate he thought his OS installation was legally purchased.

According to industry data, 30% of the computers in the US and 90% of those in Asia contain illegal software. While we don’t know how many of those are illegal operating installs, we can assume the percentage is substantial. According to a September 2004 study , there are 258 million Internet users in Asia. If the numbers quoted are accurate, that translates into 232 million Asians running some type of illegal software. If even half of that number includes an illegal OS install, we’re talking 116 million illegal copies of Windows. When considering the possible impact of a virus or worm attacking other systems on the Internet, 116 million unpatched users in just one area isn’t a ‘gap’, it’s a fundamental system breakdown.

Microsoft is in a damned-if-you-do, damned-if-you-don’t situation where security and anti-piracy are concerned. Denying thieves the right to patches and updates could both give traction to Linux and significantly fuel anti-monopolist fires if an outbreak happens on non-protected systems. A major manufacturer whose systems are brought down because his OS wasn’t allowed to update probably won’t meekly accept Microsoft’s “its your fault” response. Initial plans for specific and draconian Product Activation were abandoned when consumers reacted poorly to WindowsXP’s initial implementation, the system as it currently functions isn’t robust enough to actually function effectively as an anti-piracy device. At the same time, consumers have staunchly opposed Microsoft’s attempts to force product updates and auto-install security patches.

There’s nothing wrong with demanding Microsoft promptly patch vulnerabilities, but anyone whose watched the security industry has seen a startlingly-ironic trend. Not only have we seen Microsoft attacked for failing to provide security updates, we’ve also seen them attacked for providing that update—but not forcing people to install it. Of course, the reason Microsoft didn’t (and doesn’t) force product patch installs is because businesses and customers insist on retaining control of their own PC environment. There’s a double standard here the size of a school bus.

The good news in all of this is that Redmond’s decision to offer incentives (even if the incentives suck) is a substantial move in the right direction. Would users accept a stronger / more-invasive privacy system with Longhorn if the OS came with additional discounts or offers on other products? Quite possibly they would, provided the products were right (hint: MS Word, Excel, or both in an Office Light package). Buy Windows Longhorn, get $50 off an Xbox2? Stranger things have happened. The trick for Microsoft will be balancing between their own genuine right to protect themselves from theft and the need to protect the vast number of Microsoft systems and devices that currently use the web.

If I was Microsoft, I’d err decidedly on the side of caution. Yes, it would annoy me—even anger me—that I was giving away further patches and updates to consumers who had deliberately stolen my product, and it would further irk me that companies existed for the sole purpose of fake-packaging supposedly-authentic versions of my products. At the end of the day, however, Microsoft still has forty billion or more in the bank and a long-term healthy outlook. Would I trade some OS sales for improved security? Absolutely.

Source

[lokal]

headlines in a month:

... in related news knoppix downloads have tripled since the microsoft antipiracy mechanism went live.

[ManX]

I hate to beat a dead horse, and at the risk of repeating posts I made here before Windows XP SP2 was released, and before that the original OS, and before that when Product Activation scared the bejeezus out of folks who wanted Office XP, and on and on and on Ad Nauseum...

Chill, people. Within hours of the moment that the mechanism for such an operation becomes known, there will be brilliant (and twisted) minds tearing it apart just to put it back together in such a way that THEY control the results.

This is called hacking 'n cracking, and it has been going on since before I first learned programming - which was on IBM and Honeywell mainframes in 1971.

As a hacker genius I've known most of my 50+ years once noted,

"What Man invents, Man will circumvent".

Try as I might, I haven't been able to prove him wrong even once.
-ManX