Should XP pirates get SP2?

MS weighs perils against profits

If Microsoft denies Windows XP pirates access to its SP2 upgrade, the result would hurt the Internet to protect Microsoft's bottom line. Try this analogy: suppose a car thief drove to the dealership and insisted that they perform brake repairs required by a recall notice, for free, on the stolen car.

Suppose further that the thief did this under cover of anonymity, so the dealership had to fix the car without taking note of the fact that it was stolen. Suppose even further that the car was stolen from the manufacturer itself, and that the repair contained performance enhancements - better mileage, faster acceleration - in addition to fixing the brakes.

Should the manufacturer voluntarily provide the services to the thief? Should the manufacturer be required to do so? And if no such repairs are made, should the manufacturer be held in some way accountable when the brakes fail and the car crashes into an innocent bystander?

Substitute "software" for "car" and "pirate" for "thief", and you have the situation Microsoft faces as it begins the roll-out of its much-anticipated (and much-needed) Service Pack 2 (SP2) for Windows XP. The debate is not only about rewarding copyright infringement; it also weighs profits against the need for security for the Internet community as a whole. Unfortunately, Microsoft has adopted a middle ground, intending to give a nod to security while really attempting to preserve its bottom line.

When initially introduced, Microsoft Windows XP (both personal and professional editions) contained a "feature" called Windows Product Activation (WPA). Activating the software bound the serial number to the individual computer - supposedly making it copy proof. Of course, this didn't last long, as hackers were soon circulating pirated serial numbers around the Web which would permit them to activate the software without purchasing it. It is not known how many such pirated serial numbers are circulating. Since the release of Windows XP, there have been dozens of patches released, including a major Service Pack. Some of these were functional - interoperability, drivers, etc. - but many of them were security related. The software giant is now preparing SP2: a whopping 80MB upgrade which will likewise contain significant security enhancements, and will be available for downloading in July.

There have been conflicting reports from Redmond about whether or not Microsoft will support unlicensed versions of Windows XP in upgrading to SP2, or whether pirates will be left out in the cold. It appears that Microsoft initially announced that it would offer the software upgrade to people who used the product irrespective of the status of their license. About a week later, Microsoft apparently reversed course and announced that it would not support unlicensed copies.

The Two Pack Solution

Now, the company seems to have settled on a middle ground: the upgrade to Service Pack 2 will be offered to some pirates, it appears, but not those who were unlucky enough to have copied the top 20 or so pirated serial numbers. Microsoft tried this with the release of SP1, but a hack was quickly developed that allowed pirates to install the upgrade anyway.

Assuming the strategy works better this time than it did before, is it a wise, or even a lawful, policy?

First of all, the "half a loaf" strategy is not likely to work well in practice. Either the vast majority of pirates are using the 20 most popular serial numbers, or they aren't. If they are, is it likely that these individuals will now run out and purchase the new OS from Microsoft? I doubt it. More likely, they will either switch to Linux, find a new serial number to reregister their pirated booty, or most likely keep the software unlicensed and unpatched.

If the pirating and use of these 20 serial numbers is such a significant problem, then we can expect that, as a result of Microsoft's decision, there will be a significant number of unpatched systems on the web. If Microsoft is wrong about the prevalence of computers with the dirty 20 serial numbers, then its policy amounts to little more than a gesture.

So what is the harm if we punish the pirates by keeping them from upgrading? The problem lies in the nature of the Internet itself. When a pirate is encouraged not to fix security vulnerabilities (for fear of exposure or retribution, for example) the vulnerability does not get fixed. When this happens, as in the case of the stolen car's brakes, the driver may not be the only one injured.

Imagine if the fire department checked the title of a house before it decided whether or not to extinguish a fire. Of course, all analogies are inherently suspect, and software is not a car or a house. But, as worms and DDoS attacks constantly remind us, the net is only as secure as its weakest link. Unpatched systems allow malicious code to spread or to have a more devastating effect. Given Microsoft's dominant position in the marketplace, perhaps they have an obligation to do more.

To some degree, this debate mirrors the debate in California about whether or not to give undocumented immigrants driver's licenses. It is naïve to assume that denying those who have violated the law access to these benefits will make them suddenly stop driving. Rather, they will continue to drive outside of the regulatory system, without driver's education, testing, licensing, or insurance, sharply increasing the odds that others will be both injured and uncompensated.

The Internet and its users would be better off with systems patched.

So here is an idea for Microsoft in the future. How about two versions of its upcoming Service Packs: one with only security upgrades, and one with functional and security upgrades? Only the former can be downloaded by all. The latter will be disabled, at least for the pirates Microsoft can detect.

Copyright © 2004

Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.
