Should XP pirates get SP2?

MS weighs perils against profits

If Microsoft denies Windows XP pirates access to its SP2 upgrade, the result would hurt the Internet to protect Microsoft's bottom line. Try this analogy: suppose a car thief drove to the dealership and insisted that they perform brake repairs required by a recall notice, for free, on the stolen car.

Suppose further that the thief did this under cover of anonymity, so the dealership had to fix the car without taking note of the fact that it was stolen. Suppose even further that the car was stolen from the manufacturer itself, and that the repair contained performance enhancements - better mileage, faster acceleration - in addition to fixing the brakes.

Should the manufacturer voluntarily provide the services to the thief? Should the manufacturer be required to do so? And if no such repairs are made, should the manufacturer be held in some way accountable when the brakes fail and the car crashes into an innocent bystander?

Substitute "software" for car, and "pirate" for "thief" and you have the situation Microsoft faces as it begins the roll-out of its much-anticipated (and much needed) Service Pack 2 (SP2) for Windows XP. The debate is not only about rewarding copyright infringement, but also weighs profits against the need for security for the Internet community as a whole. Unfortunately, Microsoft has adopted a middle ground, intending to give a nod to security, while really attempting to preserve its bottom line.

When initially introduced, Microsoft Windows XP (both Home and Professional editions) contained a "feature" called Windows Product Activation (WPA). Activating the software bound the serial number to the individual computer - supposedly making it copy proof. Of course, this didn't last long, as hackers were soon circulating pirated serial numbers around the Web which let them activate the software without purchasing it. It is not known how many such pirated serial numbers are in circulation. Since the release of Windows XP, there have been dozens of patches, including a major Service Pack. Some of these were functional - interoperability, drivers, etc. - but many of them were security related. The software giant is now preparing SP2: a whopping 80MB upgrade which will likewise contain significant security enhancements, and which is expected to be available for download in July.

There have been conflicting reports from Redmond about whether or not Microsoft will support unlicensed versions of Windows XP in upgrading to SP2, or whether pirates will be left out in the cold. It appears that Microsoft initially announced that it would offer the software upgrade to people who used the product irrespective of the status of their license. About a week later, Microsoft apparently reversed course and announced that it would not support unlicensed copies.

The Two Pack Solution

Now, the company seems to have settled on a middle ground: the upgrade to Service Pack 2 will be offered to some pirates, it appears, but not those who were unlucky enough to have copied the top 20 or so pirated serial numbers. Microsoft tried this with the release of SP1, but a hack was quickly developed that allowed pirates to install the upgrade anyway.

Assuming the strategy works better this time than it did before, is it a wise, or even a lawful, policy?

First of all, the "half a loaf" strategy is not likely to work well in practice. Either the vast majority of pirates are using the 20 most popular serial numbers, or they aren't. If they are, is it likely that these individuals will now run out and purchase a licensed copy from Microsoft? I doubt it. More likely, they will switch to Linux, find a new serial number with which to re-activate their pirated copy, or - most likely of all - keep running the software unlicensed and unpatched.

If the pirating and use of these 20 serial numbers is such a significant problem, then we can expect that, as a result of Microsoft's decision, there will be a significant number of unpatched systems on the web. If Microsoft is wrong about the prevalence of computers with the dirty 20 serial numbers, then its policy amounts to little more than a gesture.

So what is the harm if we punish the pirates by keeping them from upgrading? The problem lies in the nature of the Internet itself. When a pirate is encouraged not to fix security vulnerabilities (for fear of exposure or retribution, for example) the vulnerability does not get fixed. When this happens, as in the case of the stolen car's brakes, the driver may not be the only one injured.

Imagine if the fire department checked the title of a house before it decided whether or not to extinguish a fire. Of course, all analogies are inherently suspect, and software is not a car or a house. But, as worms and DDoS attacks constantly remind us, the net is only as secure as its weakest link. Unpatched systems allow malicious code to spread or to have a more devastating effect. Given Microsoft's dominant position in the marketplace, perhaps they have an obligation to do more.

To some degree, this debate mirrors the debate in California about whether or not to give undocumented immigrants driver's licenses. It is naïve to assume that by denying those who have violated the law access to these benefits that they will suddenly stop driving. Rather, they will continue to drive outside of the regulatory system, without driver's education, testing, licensing, or insurance, sharply increasing the odds that others will both be injured and uncompensated.

The Internet and its users would be better off with systems patched.

So here is an idea for Microsoft in the future. How about two versions of each upcoming Service Pack: one containing only the security fixes, and one containing both the functional and the security upgrades. The former could be downloaded by anyone; the latter would be withheld, at least from the pirates Microsoft can detect.

Copyright © 2004

Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.
