Digg this story   Add to del.icio.us  
Weighing Profits against Peril
Mark Rasch, 2004-05-24

Denying XP pirates the SP2 upgrade would hurt the Internet to protect Microsoft's bottom line.

Suppose a car thief drove to the dealership and insisted that they perform brake repairs required by a recall notice, for free, on the stolen car.

Suppose further that the thief did this under cover of anonymity, so the dealership had to fix the car without taking note of the fact that it was stolen. Suppose even further that the car was stolen from the manufacturer itself, and that the repair contained performance enhancements -- better mileage, faster acceleration -- in addition to fixing the brakes.

Should the manufacturer voluntarily provide the services to the thief? Should the manufacturer be required to do so? And if no such repairs are made, should the manufacturer be held in some way accountable when the brakes fail and the car crashes into an innocent bystander?

Substitute "software" for car, and "pirate" for "thief" and you have the situation Microsoft faces as it begins the roll-out of its much anticipated (and much needed) Service Pack 2 (SP2) for Windows XP. The debate is not only about rewarding copyright infringement, but also weighs profits against the need for security for the Internet community as a whole. Unfortunately, Microsoft has adopted a middle ground, intending to give a nod to security, while really attempting to preserve its bottom line.

When initially introduced, Microsoft Windows XP (both personal and professional editions) contained a "feature" called Windows Product Activation (WPA). Activating the software bound the serial number to the individual computer -- supposedly making it copy proof. Of course, this didn't last long, as hackers were soon circulating pirated serial numbers around the Web which would permit them to activate the software without purchasing it. It is not known how many such pirated serial numbers are circulating.

Since the release of Windows XP, there have been dozens of patches released, including a major Service Pack. Some of these were functional -- interoperability, drivers, etc. -- but many of them were security related. The software giant is now preparing SP2: a whopping 80Mb upgrade which will likewise contain significant security enhancements, and will be available for downloading in July.

There have been conflicting reports from Redmond about whether or not Microsoft will support unlicensed versions of Windows XP in upgrading to SP2, or whether pirates will be left out in the cold. It appears that Microsoft initially announced that it would offer the software upgrade to people who used the product irrespective of the status of their license. About a week later, Microsoft apparently reversed course and announced that it would not support unlicensed copies.

The Two Pack Solution
Now the company seems to have settled on a middle ground: the upgrade to Service Pack 2 will be offered to some pirates, it appears, but not those who were unlucky enough to have copied the top 20 or so pirated serial numbers. Microsoft tried this with the release of SP1, but a hack was quickly developed that allowed pirates to install the upgrade anyway.

Assuming the strategy works better this time than it did before, is it a wise, or even a lawful, policy?

First of all, the "half a loaf" strategy is not likely to work well in practice. Either the vast majority of pirates are using the 20 most popular serial numbers, or they aren't. If they are, is it likely that these individuals will now run out and purchase the new OS from Microsoft? I doubt it. More likely, they will either switch to Linux, find a new serial number to reregister their pirated booty, or most likely keep the software unlicensed and unpatched.

If the pirating and use of these 20 serial numbers is such a significant problem, then we can expect that, as a result of Microsoft's decision, there will be a significant number of unpatched systems on the web. If Microsoft is wrong about the prevalence of computers with the dirty 20 serial numbers, then its policy amounts to little more than a gesture.

So what is the harm if we punish the pirates by keeping them from upgrading? The problem lies in the nature of the Internet itself. When a pirate is encouraged not to fix security vulnerabilities (for fear of exposure or retribution, for example) the vulnerability does not get fixed. When this happens, as in the case of the stolen car's brakes, the driver may not be the only one injured.

Imagine if the fire department checked the title of a house before it decided whether or not to extinguish a fire. Of course, all analogies are inherently suspect, and software is not a car or a house. But, as worms and DDoS attacks constantly remind us, the net is only as secure as its weakest link. Unpatched systems allow malicious code to spread or to have a more devastating effect. Given Microsoft's dominant position in the marketplace, perhaps they have an obligation to do more.

To some degree, this debate mirrors the debate in California about whether or not to give undocumented immigrants driver's licenses. It is naïve to assume that by denying those who have violated the law access to these benefits that they will suddenly stop driving. Rather, they will continue to drive outside of the regulatory system, without driver's education, testing, licensing, or insurance, sharply increasing the odds that others will both be injured and uncompensated.

The Internet and its users would be better off with systems patched.

So here is an idea for Microsoft in the future. How about two versions of its upcoming Service Packs: one with only security upgrades, and one with functional and security upgrades. Only the former can be downloaded by all. The latter will be disabled, at least for the pirates Microsoft can detect .



Mark D. Rasch is an attorney and technology expert in the areas of intellectual property protection, computer security, privacy and regulatory compliance. He formerly worked at the Department of Justice, where he was responsible for the prosecution of Robert Morris, the Cornell University graduate student responsible for the so-called Morris Worm and the investigations of the Hannover hackers featured in Clifford Stoll’s book, "The Cuckoo’s Egg."
    Digg this story   Add to del.icio.us  
Comments Mode:
Weighing Profits against Peril 2004-05-25
Anonymous (1 replies)
Microsoft Shafting 2006-07-08
Anonymous
Weighing Profits against Peril 2004-05-25
Anonymous (2 replies)
Weighing Profits against Peril 2004-05-26
Yvan Boily
Weighing Profits against Peril 2004-05-26
Anonymous
Weighing Profits against Peril 2004-05-25
Anonymous (1 replies)
Weighing Profits against Peril 2004-05-26
Anonymous
Weighing Profits against Peril 2004-05-25
Todd Knarr
Security vs Criminals 2004-05-25
Anonymous (1 replies)
Security vs Criminals 2004-05-26
Anonymous
Weighing Profits against Peril 2004-05-25
Anonymous
Weighing Profits against Peril 2004-05-25
Anonymous (1 replies)
Weighing Profits against Peril 2004-05-26
Anonymous
Weighing Profits against Peril 2004-05-26
Anonymous
Weighing Profits against Peril 2004-05-26
Yvan Boily (1 replies)
Weighing Profits against Peril 2004-06-02
Anonymous
Weighing Profits against Peril 2004-05-26
Anonymous (1 replies)
Weighing Profits against Peril 2004-05-26
Anonymous
Weighing Profits against Peril 2004-05-26
Anonymous
Weighing Profits against Peril 2004-05-26
Anonymous (2 replies)
Weighing Profits against Peril 2004-06-02
Anonymous
Weighing Profits against Peril 2004-05-26
Scott Mace
I got an even better idea: Wipe the drives: 2004-05-26
Penguinisto (3 replies)
Weighing Profits against Peril 2004-05-28
Anonymous
Weighing Profits against Peril 2004-06-01
Anonymous
Double Edged Sword 2004-06-02
Angus


 

Privacy Statement
Copyright 2010, SecurityFocus