Should XP pirates get SP2?

MS weighs perils against profits

If Microsoft denies Windows XP pirates access to its SP2 upgrade, the result would hurt the Internet to protect Microsoft's bottom line. Try this analogy: suppose a car thief drove to the dealership and insisted that they perform brake repairs required by a recall notice, for free, on the stolen car.

Suppose further that the thief did this under cover of anonymity, so the dealership had to fix the car without taking note of the fact that it was stolen. Suppose even further that the car was stolen from the manufacturer itself, and that the repair contained performance enhancements - better mileage, faster acceleration - in addition to fixing the brakes.

Should the manufacturer voluntarily provide the services to the thief? Should the manufacturer be required to do so? And if no such repairs are made, should the manufacturer be held in some way accountable when the brakes fail and the car crashes into an innocent bystander?

Substitute "software" for car, and "pirate" for "thief" and you have the situation Microsoft faces as it begins the roll-out of its much-anticipated (and much needed) Service Pack 2 (SP2) for Windows XP. The debate is not only about rewarding copyright infringement, but also weighs profits against the need for security for the Internet community as a whole. Unfortunately, Microsoft has adopted a middle ground, intending to give a nod to security, while really attempting to preserve its bottom line.

When initially introduced, Microsoft Windows XP (both Home and Professional editions) contained a "feature" called Windows Product Activation (WPA). Activating the software bound the serial number to the individual computer - supposedly making it copy proof. Of course, this didn't last long, as hackers were soon circulating pirated serial numbers around the Web that would permit them to activate the software without purchasing it. It is not known how many such pirated serial numbers are circulating. Since the release of Windows XP, there have been dozens of patches released, including a major Service Pack. Some of these were functional - interoperability, drivers, etc. - but many of them were security related. The software giant is now preparing SP2: a whopping 80MB upgrade that will likewise contain significant security enhancements, and will be available for downloading in July.

There have been conflicting reports from Redmond about whether or not Microsoft will support unlicensed versions of Windows XP in upgrading to SP2, or whether pirates will be left out in the cold. It appears that Microsoft initially announced that it would offer the software upgrade to people who used the product irrespective of the status of their license. About a week later, Microsoft apparently reversed course and announced that it would not support unlicensed copies.

The Two Pack Solution

Now, the company seems to have settled on a middle ground: the upgrade to Service Pack 2 will be offered to some pirates, it appears, but not those who were unlucky enough to have copied the top 20 or so pirated serial numbers. Microsoft tried this with the release of SP1, but a hack was quickly developed that allowed pirates to install the upgrade anyway.

Assuming the strategy works better this time than it did before, is it a wise, or even a lawful, policy?

First of all, the "half a loaf" strategy is not likely to work well in practice. Either the vast majority of pirates are using the 20 most popular serial numbers, or they aren't. If they are, is it likely that these individuals will now run out and purchase the new OS from Microsoft? I doubt it. More likely, they will either switch to Linux, find a new serial number to re-register their pirated booty, or, most likely, keep the software unlicensed and unpatched.

If the pirating and use of these 20 serial numbers is such a significant problem, then we can expect that, as a result of Microsoft's decision, there will be a significant number of unpatched systems on the web. If Microsoft is wrong about the prevalence of computers with the dirty 20 serial numbers, then its policy amounts to little more than a gesture.

So what is the harm if we punish the pirates by keeping them from upgrading? The problem lies in the nature of the Internet itself. When a pirate is encouraged not to fix security vulnerabilities (for fear of exposure or retribution, for example), the vulnerability does not get fixed. When this happens, as in the case of the stolen car's brakes, the driver may not be the only one injured.

Imagine if the fire department checked the title of a house before it decided whether or not to extinguish a fire. Of course, all analogies are inherently suspect, and software is not a car or a house. But, as worms and DDoS attacks constantly remind us, the net is only as secure as its weakest link. Unpatched systems allow malicious code to spread or to have a more devastating effect. Given Microsoft's dominant position in the marketplace, perhaps they have an obligation to do more.

To some degree, this debate mirrors the debate in California about whether or not to give undocumented immigrants driver's licenses. It is naïve to assume that by denying those who have violated the law access to these benefits that they will suddenly stop driving. Rather, they will continue to drive outside of the regulatory system, without driver's education, testing, licensing, or insurance, sharply increasing the odds that others will both be injured and uncompensated.

The Internet and its users would be better off with systems patched.

So here is an idea for Microsoft in the future. How about two versions of its upcoming Service Packs: one with only security upgrades, and one with both functional and security upgrades. Only the former can be downloaded by all. The latter will be disabled, at least for the pirates Microsoft can detect.

Copyright © 2004

Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.
