Schneier on Security
A blog covering security and security technology.
« Cisco Harasses Security Researcher |
| Dog Poop Girl »
July 29, 2005
Microsoft Permits Pirated Software to Receive Security Patches
Microsoft wants to make pirated software less useful by preventing it from receiving patches and updates. At the same time, it is in everyone's best interest for all software to be more secure: legitimate and pirated. This issue has been percolating for a while, and I've written about it twice before. After much back and forth, Microsoft is going to do the right thing:
From now on, customers looking to get the latest add-ons to Windows will have to verify that their copy of the operating system is legit....
The only exception is for security-related patches. Regardless of whether a system passes the test, security updates will be available to all Windows users via either manual download or automatic update.
Microsoft deserves praise for this.
On the other hand, the system was cracked within 24 hours.
Posted on July 29, 2005 at 11:26 AM
• 29 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Oh yes, security is number one.
And they still can't write a working auth. system ? Jeez... there is a great MS add over here in the UK, incidently, which clearly shows the MS engineers struglering with a diagram of the login process... :-)
You know, I don't really care that the system was cracked -- it would have been eventually -- but the manner of it is simply depressing. Did they ever hear of input validation? What about trustworthy computing and code reviews? If this is how they lock down their updates, no wonder they can't make a secure operating system. I mean, at least this could have involved some really arcane hack to trick the system into believing you have a valid key: simply saying "don't even check" is absurd.
There are those who say that DRM must be crackable -- the idea is that if it's too draconian, there will be a backlash, and so the flimsiness of some schemes is deliberate. But if the intent was to allow it to be easily cracked, then why call it "Genuine"? In fact, why prevent updates at all with it -- instead, just run the program, inform the users that they are good or that they are not, and allow the update to downlaod. An informational note would annoy people far less: "I'm sorry, but it appears that your OEM cheated you. Would you like a legitimate copy of your software?"
The authentication system isn't meant to deter individual pirates, it's meant to alert people whose OEMs have placed illegal copies of Windows on their systems. If someone's operating a pirated copy and still has their receipts/etc, they can get a free legit copy of Windows by sending MS that info, or a cheap copy even if they don't have the info about their OEM.
I'm not surprised that Microsoft put out an easily cracked authentication system. That's because, for Microsoft, the optimal amount of piracy is not zero.
It helps Microsoft if most of their customers pay, but if all are forced to pay, those for whom payment is difficult or unaffordable will explore cheaper alternatives, like Linux. It's better for Microsoft if people in the third world run pirated Windows than if they run Linux, because once enough people are running Linux, Microsoft's freedom to manuver will be greatly reduced, and they could continue to bleed customers at the low end.
So letting the customers know they are going to have to pay, but leaving a back door for the people who are highly motivated not to pay, may well be their best strategy.
On the other hand, maybe the crack is just a screwup. In that case, those who screwed up are free to use my argument in their defense. :-)
"no wonder they can't make a secure operating system"
Microsoft employees are some of the best in the world. I have no doubt they could write a secure (desktop) OS from scratch...
But how does that benefit Microsoft's bottom line??
I agree with pndmnm and Joe Buck. This system is designed as a "speedbump" to spot OEM/corporate/small business piracy, so that users can be given a reason to go to the BSA.
Applying this to security updates in addition to add-ons wouldn't increase the benefits of this, and would cause bad PR. Meanwhile software pirates operating in regions where Microsoft tolerates piracy (as a lesser evil than Linux) can continue to get all the updates they need.
I agree with Bruce that the net effect is good (the security of pirated Windows machines indirectly affects all other computers on the Internet), but I'm just not sure that the motivation was all that altruistic.
I don't expect businesses to be altruistic, but to me, this is just a matter of turf-protection and it does not warrant any congratulations. They're trying to get the people who can afford to pay for licenses to pay up, while allowing those who cannot afford to pay for licenses to continue pirating.
Providing security updates to pirated copies of Windows doesn't have to come out of altruism, or even nefarious (preferring piracy to Windows).
Windows is getting a horrendous reputation for being the root cause of a lot of bad stuff. A lot of people know that insecure Windows boxes are behind most of the spam coming into inboxes, behind a lot of the viruses going around, behind DDoS attacks, etc. This hurts Windows' reputation and sales. If providing security updates to pirated copies of Windows costs less than the resulting positive image and corresponding sales boost that Microsoft gets for reducing spam and virus traffic, they'll do it.
I'm sure it wasn't that noble deed. They probably just figured it's better to keep those that would pirate it anyway happy instead of them switching to Linux.
"I'm sure it wasn't that noble deed. They probably just figured it's better to keep those that would pirate it anyway happy instead of them switching to Linux."
I don't need noble. I just need effective.
I think Ari is on the right track, as is Joe. Legit buyers of XP are primarily interested in their ability to get phone support and new whizbang stuff. Since MS has made phone support unusuable that means it's the doodads that people are going to be willing to drop a few bucks to get at. Denying security patches won't motivate purchases and therefor isn't worth the hassle, bad PR and potential repercussions.
Encryption is the tool of the child porn addict, and the terrorist.
"Microsoft employees are some of the best in the world. I have no doubt they could write a secure (desktop) OS from scratch...
"But how does that benefit Microsoft's bottom line??"
Agreed. It's 100% an economic decision.
After reading some of the posts above I am reminded of news related to Thailand, especially after Gates announced that Microsoft would donate large amounts of cash to their government at the same time he accused them of not cracking down hard enough on "piracy":
Once you start looking into the issues, however, it becomes apparent that Linux was chosen by hardware vendors in Thailand as a more competitive option to win access to the Prime Minister's plan for affordable computers (http://www.linuxinsider.com/story/32110.html) as well as to suit a highly-technical and competitive market. But apparently Microsoft is giving hardware vendors a hard time and telling them that if they are selling Linux then they are part of the piracy problem:
"If [HP] were to sell Linux PCs in Asia, they will need to consult Microsoft, that they are not seen to be promoting piracy."
"Agreed. It's 100% an economic decision."
But we may be able to make a change in the environemnt that will change the economic decision.
If there was some way to take money out of microsoft's pocket for every security incident on every PC, we'll be on different playing grounds.
"But we may be able to make a change in the environemnt that will change the economic decision.
"If there was some way to take money out of microsoft's pocket for every security incident on every PC, we'll be on different playing grounds."
Again, I agree. If users could sue Microsoft, or regulations could be a brought to bear, or there wasn't a Monopoly...then we'd have a better chance of fixing this problem.
"It's 100% economic decision"
That's about as broad a statement as you can make. But it doesn't explain why Microsoft decided first to prevent "pirated" versions of Windows from downloading security patches automatically and then they decided to reverse themselves and allow them. These were both economic decisions, no? You were on firmer ground with your original post where you suggest that Microsoft made the "right" decision when they reversed their position.
The eweek article says, "A Microsoft spokesperson stressed expressed concern that users might mistake this issue as a security vulnerability rather than one of piracy."
Um, I'm sorry, but being able to tell a control to simply turn itself off is a security vulnerability. Even if the control itself is stupid. It's not a security vulnerability in Windows; it's a security vulnerability in the WGA system.
"IMO until M$ makes their OS open source and free, they deserve no praise. Every olive branch has its thorns: Amiga, OS/2, Corel Linux, the list goes on."
There's a difference praise and absolution.
"IMO until M$ makes their OS open source and free, they deserve no praise."
Until Ford makes their F-150 open specs and free, they deserve no praise.
Open source doesn't necessarily give you a more secure solution. The problem with Windows is that it gives applications too much access to priveledged mode. Opening up the source would NOT solve that.
And you can hardly blame Microsoft for charging for THEIR product!
Apples and oranges.
"Open source doesn't necessarily give you a more secure solution"
I call bullshit, in most cases it does.
"The problem with Windows is that it gives applications too much access to priveledged mode."
ONE of the MANY problems
"Opening up the source would NOT solve that."
Opening up the source would solve many problems.
"And you can hardly blame Microsoft for charging for THEIR product!"
I will continue to dislike M$ and their closed source OS.
I believe in FOSS.
I believe the philosophy of FOSS should and will eventually spread to other areas in life, leading to communities of people helping each other in all aspects in life.
I believe in humanity, not big corps which gain more and more rights every day vs. the average person's.
Which dream do you contribute to?
"Microsoft deserves praise for this."
It's interesting how MS has sunk to such low depths. When they make an obvious, good decision, people actually attribute it to them for good, instead of simply acknowledging it to be the obvious, logical solution that they would expect from virtually any other company. Just shows what low standards we've come to expect from MS.
"But it doesn't explain why Microsoft decided first to prevent ..."
I believe this is a marketing/spin move.
MS: "Pirates have no right to our product, they have no right to our patches, we will deny them. "
Others: "But your legitimate customers will suffer!"
MS: "We graciously allow pirates to download security updates 'cos we're so concerned about our users."
Others: "Microsoft deserves praise for this."
I believe they intended to allow access all along, they just wanted some extra PR mileage.
I'm surprised that there's been no comment on the privacy invasion aspect on this. Typically I can't find the relevant article now, but the point was that microsoft scans your pc for a variety of information (such as what devices you have connected), most of which is totally irrelevant to determining whether or not your copy of XP is legal.
An alert, anonymous, reader sent this to me:
As already reported in your mailing list, recently Microsoft has started rejecting users with stolen or illegitimately generated
serial numbers from using the www.microsoft.com/update site. Downloads from "Automatic Updates" via the tray bar icon are not affected.
For more information see the article:
A number of Forums have reported a workaround: Simply go the site, get rejected and then in Internet Explorer drill down to Tools/ Internet Options/ Programs / Manage Add-ons and select the Item "Windows Genuine Advantage" from the list. Then select the disable Radio Tab in the settings window on the bottom left and
presto: You can download.
I have tested this and found to my surprise that it works. This is too simple not to suspect some kind of trap or further manipulation on behalf of Microsoft.
"This is too simple not to suspect some kind of trap or further manipulation on behalf of Microsoft."
Or maybe you just give them too much credit. Perhaps the tray bar update team just hasn't gotten the memo yet.
The tray bar update team is unconnected to the start bar update team, which is unconnected to the genuine advantage update team...
I suspect Microsoft don't care about pirates downloading patches, but they _DO_ care about legitimate customers not being able to (false reject is much worse than a false accept).
Imagine the bad PR after some grannies PC got hosed, loosing all her grandkids babypics, because she couldn't download the patches!
It makes sense to have a mechanism that is easy to circumvent, that way your help-desk can get genuine customers back online quickly.
Anyway, it's a monthly patch, which means that they can try again next month. And again the month after that until they have a system in place with the right CER.
How does this stuff work anyway? Can I just use a (pirated?) SUS server as a proxy to prevent authentication?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.