Feeds

Should XP pirates get SP2?

MS weighs perils against profits

  • alert
  • submit to reddit

The essential guide to IT transformation

If Microsoft denies Windows XP pirates access to its SP2 upgrade, the result would hurt the Internet to protect Microsoft's bottom line. Try this analogy: suppose a car thief drove to the dealership and insisted that they perform brake repairs required by a recall notice, for free, on the stolen car.

Suppose further that the thief did this under cover of anonymity, so the dealership had to fix the car without taking note of the fact that it was stolen. Suppose even further that the car was stolen from the manufacturer itself, and that the repair contained performance enhancements - better mileage, faster acceleration - in addition to fixing the brakes.

Should the manufacturer voluntarily provide the services to the thief? Should the manufacturer be required to do so? And if no such repairs are made, should the manufacturer be held in some way accountable when the brakes fail and the car crashes into an innocent bystander?

Substitute "software" for car, and "pirate" for "thief" and you have the situation Microsoft faces as it begins the roll-out of its much-anticipated (and much needed) Service Pack 2 (SP2) for Windows XP. The debate is not only about rewarding copyright infringement, but also weighs profits against the need for security for the Internet community as a whole. Unfortunately, Microsoft has adopted a middle ground, intending to give a nod to security, while really attempting to preserve its bottom line.

When initially introduced, Microsoft Windows XP (both personal and professional editions) contained a "feature" called Windows Product Activation (WPA). Activating the software bound the serial number to the individual computer - supposedly making it copy proof. Of course, this didn't last long, as hackers were soon circulating pirated serial numbers around the Web which would permit them to activate the software without purchasing it. It is not known how many such pirated serial numbers are circulating. Since the release of Windows XP, there have been dozens of patches released, including a major Service Pack. Some of these were functional - interoperability, drivers, etc. - but many of them were security related. The software giant is now preparing SP2: a whopping 80MB upgrade which will likewise contain significant security enhancements, and will be available for downloading in July.

There have been conflicting reports from Redmond about whether or not Microsoft will support unlicensed versions of Windows XP in upgrading to SP2, or whether pirates will be left out in the cold. It appears that Microsoft initially announced that it would offer the software upgrade to people who used the product irrespective of the status of their license. About a week later, Microsoft apparently reversed course and announced that it would not support unlicensed copies.

The Two Pack Solution

Now, the company seems to have settled on a middle ground: the upgrade to Service Pack 2 will be offered to some pirates, it appears, but not those who were unlucky enough to have copied the top 20 or so pirated serial numbers. Microsoft tried this with the release of SP1, but a hack was quickly developed that allowed pirates to install the upgrade anyway.

Assuming the strategy works better this time than it did before, is it a wise, or even a lawful, policy?

First of all, the "half a loaf" strategy is not likely to work well in practice. Either the vast majority of pirates are using the 20 most popular serial numbers, or they aren't. If they are, is it likely that these individuals will now run out and purchase the new OS from Microsoft? I doubt it. More likely, they will either switch to Linux, find a new serial number to reregister their pirated booty, or most likely keep the software unlicensed and unpatched.

If the pirating and use of these 20 serial numbers is such a significant problem, then we can expect that, as a result of Microsoft's decision, there will be a significant number of unpatched systems on the web. If Microsoft is wrong about the prevalence of computers with the dirty 20 serial numbers, then its policy amounts to little more than a gesture.

So what is the harm if we punish the pirates by keeping them from upgrading? The problem lies in the nature of the Internet itself. When a pirate is encouraged not to fix security vulnerabilities (for fear of exposure or retribution, for example) the vulnerability does not get fixed. When this happens, as in the case of the stolen car's brakes, the driver may not be the only one injured.

Imagine if the fire department checked the title of a house before it decided whether or not to extinguish a fire. Of course, all analogies are inherently suspect, and software is not a car or a house. But, as worms and DDoS attacks constantly remind us, the net is only as secure as its weakest link. Unpatched systems allow malicious code to spread or to have a more devastating effect. Given Microsoft's dominant position in the marketplace, perhaps they have an obligation to do more.

To some degree, this debate mirrors the debate in California about whether or not to give undocumented immigrants driver's licenses. It is naïve to assume that by denying those who have violated the law access to these benefits that they will suddenly stop driving. Rather, they will continue to drive outside of the regulatory system, without driver's education, testing, licensing, or insurance, sharply increasing the odds that others will both be injured and uncompensated.

The Internet and its users would be better off with systems patched.

So here is an idea for Microsoft in the future. How about two versions of its upcoming Service Packs: one with only security upgrades, and one with functional and security upgrades. Only the former can be downloaded by all. The latter will be disabled, at least for the pirates Microsoft can detect.

Copyright © 2004, 0

Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

Related stories

Good for you, good for Microsoft - here comes WinXP SP2
MS spells it out: pirates can, can't install WinXP Sp2
Microsoft irks ISVs with XP SP2 delay
MS bigs up Windows XP SP2

5 things you didn’t know about cloud backup

More from The Register

next story
Apple promises to lift Curse of the Drained iPhone 5 Battery
Have you tried turning it off and...? Never mind, here's a replacement
Mozilla's 'Tiles' ads debut in new Firefox nightlies
You can try turning them off and on again
Linux turns 23 and Linus Torvalds celebrates as only he can
No, not with swearing, but by controlling the release cycle
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
This is how I set about making a fortune with my own startup
Would you leave your well-paid job to chase your dream?
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.