Pirated Windows to Remain Unpatched

From the Associated Press:

Microsoft Corp. plans to severely curtail the ways in which people running pirated copies of its dominant Windows operating system can receive software updates, including security fixes.

The new authentication system, announced Tuesday and due to arrive by midyear, will still allow people with pirated copies of Windows to obtain security fixes, but their options will be limited. The move allows Microsoft to use one of its sharpest weapons -- access to security patches that can prevent viruses, worms and other crippling attacks -- to thwart a costly and meddlesome piracy problem.

I've written about this before. Unpatched Windows systems on the Internet are a security risk to everyone. I understand Microsoft wanting to fight piracy, but reducing the security of its paying customers is not a good way to go about it.

Posted on February 17, 2005 at 8:00 AM • 43 Comments

Comments

GkBoy • February 17, 2005 8:58 AM

Microsoft can never seem to find the proper balance between taking care of its customers, and the bottom line. I am amazed by just how much the average person will take. I suppose I must go educate a few people today, so that I don't have to be outraged alone.

Anonymous • February 17, 2005 9:29 AM

They're already politely "giving you the opportunity" to authenticate your Winderz installation when requesting certain new upgrades. I saw this last night whilst installing the latest DirectX release.

What I love is the way they describe the "benefits" of authenticating ...of course, there actually *are* some benefits, like reduced pricing on fee-software they have, but other than those discounts it's much like the grocery stores who try to explain that inspecting your purchases and receipt is to "make sure you paid the right price and got everything you purchased".

Israel Torres • February 17, 2005 9:40 AM

Microsoft should really consider terminating the functionality of a pirated Microsoft operating system via the Windows Update subsystem. That would do a couple of things to help themselves out:

1. eliminate skript kiddie windows pirates (aka leeches).

2. strengthen Microsoft authentication (since crackers will be hitting it harder)

3. stop viral/trojan activity from pirated zombies on the internet.

4. Force people to actually buy their product.

Now the self-termination can vary from simply just not allowing the system to boot further until they get a legit copy of windows or legit windows key... all the way to just terminating all functionality in its tcp/ip stack until they get a legit key.

Israel Torres

Eric • February 17, 2005 10:14 AM

If they used Windows Update to terminate pirated copies, then as soon as it happened to one or two people, news about Windows Update doing so would become widespread and the pirates would simply stop trying to use it.

Likely the only way for such a thing to work is for Microsoft to make a 'patch' that would appear to work properly, then after a long delay, as in several weeks, spontaneously disable the pirated Windows so that, by the time anyone realises that there's something up, the majority have patched already.

Darrel Skubinna • February 17, 2005 10:23 AM

I have to agree with Microsoft on this one. Expecting them to offer support to pirated software owners would be analogous to forcing states or governments to support non-citizens. Both are wrong and redirect effort from who deserves it. Will it raise the security risk, debatable. As long as legal Windows users keep their systems patched and securely configured, minimal problems.

ruidh • February 17, 2005 10:30 AM

The liability for MS accidentally disabling a system which is properly licensed is just too great for them to chance trying to disable "pirated" installations. All they have to do is cause a business interruption for a company which has a site license but had a server improperly installed and they could be on the hook for cash no matter what their EULA says.

Israel Torres • February 17, 2005 10:58 AM

There isn't anything stopping Microsoft from implementing the Windows Update to be an inherent part of the system (ie. IE). So any time you tried to connect via tcp/ip it would "phone home" first, update itself - at this time check key validity, then allow outbound connections upon authentication. This model would probably serve the typical consumer releases and not anything related to critical system releases. This way when a pirate publishes a key on the internet where it is cached by google it immediately becomes unusable, and so do the systems that are using it. Such a method would blackout pirates (intentional or not (such as those duped by shady pc retailers selling the same copy)) in a matter of months. As for accidental liability Microsoft will make up any lawsuit with the purchases of new licenses after the forced “pirate disabling blackouts.”

T • February 17, 2005 11:04 AM

True, but misleading article. Pirated copies will STILL be able to get security updates directly from Microsoft if they just leave Automatic Updates on, which is the suggested option for users anyway.

Then, everyone is happy. Updates are flowing (and Automatic Updates still allows you to selectively apply updates), and they get to clamp down on pirated copies, since Microsoft is not a charity organization.

Anonymous Coward • February 17, 2005 11:33 AM

So if Microsoft decides to limit the value of pirated Windows copies by making them defenseless against viruses and trojans -- wouldn't it be in their interest to SPREAD these things as well?

They could put backdoors in their software, produce fixes beforehand, then publish the vulnerability (so somebody will come up with an exploit within a couple of days). Now all legitimate users would update their system, and pirates would be forced to buy their software.

Krishna E. Bera • February 17, 2005 12:00 PM

Re: "unpatched Windows systems are a security risk to everyone"

Given the past record of Microsoft products, federal convictions for unethical/illegal practices and the inherent untrustworthiness of software for which you cannot get the source code, the word unpatched would seem redundant ;)

Even so, this is not really different from the policy of any organization that refuses to support software you did not get from them or that is altered from their distribution. If anything, it reinforces the idea that software should not be treated as a product but rather as a service. Good in the long term, because it moves everyone toward a mindset that supports Free(Libre) Software.

Arik • February 17, 2005 12:18 PM

I'm siding with Microsoft on this one, and even with Torres. Microsoft should ensure only paying users can use its OS.

If I were Microsoft I would make sure the computer can only access www.microsoft.com until the users pay or switch key.

Then they can go out of business.

-- Arik

Rich Jankowski • February 17, 2005 12:35 PM

This is analogous to disabling stability control and ABS in cars that are stolen, instead of just disabling the ignition.

I think there are a lot of systems out there that because of operation constraints cannot be patched the second that Microsoft releases fixes. By allowing these rogue systems to be infected just increases the risk on these legit systems.

Mark Johnson • February 17, 2005 12:40 PM

If you were a business owner and hundreds of shoplifters walked out of your store with a certain product that was subsequently found to have a critical flaw, would you happily fix the flawed products the shoplifters brought back? This is Microsoft's viewpoint.

From the consumer viewpoint, how would you feel if those certain products, both legally purchased and shoplifted, posed a danger to everyone if left unrepaired? Would you now feel that the business owner from whom the products were stolen was obligated to fix them in the name of public safety?

An interesting quandary.

don • February 17, 2005 1:08 PM

The question of "why should we support non-paying users of the OS" is a McGuffin. I don't believe anyone is claiming MS should allow downloads & installs of improvements and enhancements - we're talking about security updates here.

If MS wishes to enforce authentication on downloads of new versions of Media Player, IE, DirectX, MovieMaker, etc, great. That's a limitation that penalizes only the user of that pirate copy of the OS.

By denying installation of security fixes they penalize all the rest of us who have to deal with those infected boxes. Anyone who had to administer an IIS server in the RedAlert heyday saw an impact on their server even if it was patched, just because of the hundreds of infected machines pounding on the server just TRYING to infect it. Legitimate users have to contend for resources against those infected clients.

David Mohring • February 17, 2005 1:30 PM

http://news.com.com/2100-1023-212942.html

"Gates shed some light on his own hard-nosed business philosophy. "Although about 3 million computers get sold every year in China, but people don't pay for the software," he said. "Someday they will, though. As long as they are going to steal it, we want them to steal ours. They'll get sort of addicted, and then we'll somehow figure out how to collect sometime in the next decade.""

Moses • February 17, 2005 7:08 PM

Think about shutting down someone's computer if they have a pirated copy. What if this person bought their computer from a local computer store and unknowingly received a pirated copy. If their computer is shut down you are hurting these people. They are losing some ability of this computer. These people are just as much a victim as Microsoft and even more so when they start losing functionality unexpectedly. I also believe if this was released the hacker/cracker community would work around this issue.

Clifton Royston • February 17, 2005 7:48 PM

"Expecting them to offer support to pirated software owners would be analogous to forcing states or governments to support non-citizens. Both are wrong and redirect effort from who deserves it."

Good analogy, with the reverse conclusion of the one you drew. Public-health officials have known for the past century that it is crucial for the health of citizens that basic health services be available to non-citizens. Making immunization and basic treatment of contagious disease available to non-citizens tends to reduce the chance that citizens will contract a deadly disease. Immunizing and treating them makes citizens safer.


This is the situation that legitimate Windows users, and users of other OSes, face today: every unpatched pirated Microsoft system poses an incremental threat to them when it gets subverted by a worm, virus, or Trojan.

Fuzzy • February 17, 2005 9:28 PM

I am frankly amazed at all the comments that suggest shutting down the system or blocking network access if the computer is unable to reach a Microsoft address.
I've rarely heard about such a poor idea. It seems to suppose that every computer that uses a TCP/IP intranet is also connected to the Internet. This is a false assumption.
There are many organizations, governmental and commercial which block access to or lack access to the Internet but make extensive use of TCP/IP.
In addition the risks to any consumer in the face of a virus or other malware attack or simple ISP network connectivity problems which causes the inability to reach the Microsoft site might cause a permanent failure in the operating system would be huge.
All these would entail much larger costs to Microsoft to correct than providing security fixes to anyone at no cost.

Felix Dzerzhinsky • February 18, 2005 4:46 AM

apt-get update
apt-get upgrade

I removed all of the malware on my pc by installing Ubuntu linux.

Clive Robinson • February 18, 2005 6:38 AM

Although I tend to agree with Israel Torres's comments above, there is one problem...

I know of at least two people who have (on my advice) purchased XP Pro not Home to use on their networks at home (Pro works better on a network).

However due to hardware upgrades etc they have had to go back to MS for new keys etc. They have found that they have been treated extremely badly and in one case MS did not provide a new key (apparently this does not happen to corporates who bulk buy their XP Pro).

For this reason alone I can understand the temptation for normally law abiding people to get cracked versions of MS OS etc and put them on their upgraded machines.

MS need to sort out the way they do their licencing and authentication before they start becoming draconian on users.

Based on Arik's suggestion users would have to pay each time they changed their hardware marginally, which would appear to be somewhat unfair not just on the user but also on the hardware supplier as well.

Also Mark Johnson, has not quite got the point, in several countries you have public liability on manufactured items that requires the manufacturer (not the retailer) to correct defects in their products for the protection of others (ie dodgy tires on vehicles kill people in other cars).

Also I suspect that if MS do this you will soon be able to find cracked versions of pre-upgraded MS products (which you can currently buy in some countries) being more and more readily available which obviates Eric's suggestion.

I guess this is one of the reasons MS are so keen on the FritzChip technology.

jayh • February 18, 2005 8:23 AM

>>Now the self-termination can vary from simply just not allowing the system to boot further until they get a legit copy of windows or legit windows key

Very bad idea. In addition to the unpatched non legit copies, as soon as reports of this get out, many legit owners will avoid the patch as well, no one wants to take a chance (many people are already uncomfortable with letting the MS website 'examine' their OS in the upgrade process).

As it is, many people have not moved to SP2. One co-worker who had a disastrous failed SP2 upgrade (there is a very messy backout procedure on the MS site) simply refuses to do any further upgrades. How many more people will simply not want to take the chance.

kenan • February 18, 2005 9:03 AM

Seems like a conflict of interest. It provides an incentive to continue to release insecure software and then patch.

Israel Torres • February 18, 2005 10:06 AM

The idea is not to give users a choice about upgrading their OS. They can choose not to apply patches or service packs, but they cannot choose not to pursue a form of maintenance. Either by Internet or CD, DVD, USB Key, Smart Card Dongle the OS would require to be updated at minimum every 6 months. Obsolete software would stop functioning by design. The same idea that if you don't provide fuel to your automobile the engine will eventually stop providing power for your motion.

The machines that can't go on the Internet really are out of scope since they don't require patching against Internet trojans/virus vulnerability - however they can be checked with a solid-state device as those mentioned above to audit their keys. Again this would be based per release model with the major focus being on consumer copies that have a knack of getting “zombified.”

As for millions of people stopping Microsoft usage to make them safer because they feel their privacy invaded... they already have bitten the serpent's fruit, sure they may complain but their addiction to Microsoft is far greater than finding an alternative.

Israel Torres

Stephen Dedalus • February 18, 2005 11:54 AM

The best-case scenario is that Microsoft is moving toward a business model that they should have embraced some time ago: the Windows Subscription service. The customer pays a monthly or a yearly maintenance fee and is entitled to the latest major release of Windows, fully patched and maintained. Subscriptions can have multiple service levels (analogous to the current Media Center, Pro, and Home flavors) and can be transferred to newer equipment.

Access to fixes and enhancements can be via the Internet or (for a small fee) via quarterly disc shipments (for non-critical updates).
If Redmond makes Windows a moving target (the Install CD loads a core OS and transfers the rest from an update repository) they can recoup much of the losses from piracy and substantially the real cost of Windows. MMP games, Valve's Steam platform and antivirus products have more or less proven that isolated components of this model can work. Corporate clients have spent the past two years or so building up infrastructure (license servers, SMS update deployment, etc.) that can make this system viable inside the enterprise.

This also goes a long way toward improving security patch compliance. I think many would hate such a system, but it would probably work better than what we have now.

Richard • February 18, 2005 11:56 AM

For the person who commented on companies, they don't have to activate their copies of MS apps. You have a volume license agreement that provides you with a corporate key that can be entered as many times as needed for the installs at the site without activation. I know a few people who have bought legit copies of Windows XP only to download the corp version and key so they don't have to keep activating for reinstalls on their personal machine.

However, I am not for MS just stopping the patches for the pirates. I agree they don't need to have the same benefits as paying users, but not patching pirated copies affects everyone including the paying customers.

Richard • February 18, 2005 12:09 PM

I just saw Stephen's post on a subscription service. IMO, that would be the fastest way for users to switch to Linux or OS X. I am not going to pay a company to fix flaws in its product. We have entered into a time where software developers like to release their products ahead of schedule, so they can get something on the shelves to make money knowing full well that down the road is a service pack here and a patch there.

Would you honestly pay for such a service? "You either pay us money or let your computer get compromised."

The comparison to anti-virus subscriptions is different. You are not patching a flaw. The software works. You are upgrading rules which add functionality and increase its reach. If we were to use this comparison, I would use MS' powertoys maybe as example or the old Plus add-on pack.

Would you pay your carmaker for a part recall? No, I hope not. It's their fault. But if you want to get more mileage out of it, you purchase parts down the road after the old ones lose their function.

piglet • February 18, 2005 1:37 PM

This is unrelated but very interesting to read:

"Earlier this week, the dogged Sheila Fraser [Auditor-General of Canada] raised another major security alarm when she reported that the federal government's computer system, which stores the personal information of millions of Canadians, remains vulnerable to hacker and presumably terrorist attack.

She added that only luck has spared Ottawa from a major breach of its computer network; this, despite the fact that the gaping security holes were flagged more than three years ago.
...
What Ottawa has, regrettably, been busy doing is passing draconian laws that increasingly infringe upon the rights and liberties of Canadians in the name of the so-called war on terror."
http://www.thestar.com/NASApp/cs/ContentServer?...

piglet • February 18, 2005 1:53 PM

"The idea is not to give users a choice about upgrading their OS. They can choose not to apply patches or service packs, but they cannot choose not to pursue a form of maintenance. ... The same idea that if you don't provide fuel to your automobile the engine will eventually stop providing power for your motion."
This really starts getting odd. When I purchase a software product, my base assumption is still that the product works and is reliable. This isn't always true in reality, but we should be able to expect it.

David Fay • February 18, 2005 2:06 PM

If I was a typical malware-writer, (yes, I'm stereotyping for the sake of argument) with the kind of hate that most people have towards Microsoft, I would see opportunity in the fact that there will be essentially two versions of Windows now. The patched-up, paid-for versions, and the orphaned pirated version. The fact that there are two versions would allow me to make a virus/worm that distinguished easily between the two.

After all, how much more embarrassing would it be for Microsoft if someone wrote a virus that only infected the updated versions of Windows? News stories would inevitably say "People with unregistered or pirated versions of Windows are not affected by this latest exploit." And yes, it might be a bit harder to find an exploit in the updated version of Windows, but I doubt that it would be too significant of a problem, given that Microsoft have a tendency to combine security fixes and "enhancements" into their updates.

piglet • February 18, 2005 2:12 PM

Again, this is unrelated (almost) but will interest many readers:

Unanimous resolution passed by German parliament against EU Council's current proposal for a software patent directive -- European software patent critics celebrate "winning streak" after scoring four parliamentary victories in 16 days -- Concerns over "Microsoft's best friend in the Commission" who will decide on EP's restart request

http://www.nosoftwarepatents.com/

Israel Torres • February 18, 2005 3:16 PM

The base assumption is *only* good for the time and day it was released (but not any point in time after). But since software and technology changes with time (progression and adaptation) so should the software (through patching, service packs, and maintenance). We can only expect the software to be viable for a short time (hours, days, months...) before someone with time and resources find vulnerabilities and exploit the software.

Israel Torres

Moses • February 18, 2005 3:46 PM

I like the idea of a subscription service. I think in order for this service to work users would have to pay little or nothing to get started with a program. The user agrees for a subscription service for a year, two, three. If I have a MS subscription I would expect the latest and greatest operating system if it is released while I have a current subscription.

Nick • February 18, 2005 10:05 PM

The thing that could backfire on Microsoft is that there are legitimately free OS's available, and those are getting easier to use all the time.

As MS make it harder to pirate their products, would-be pirates face a choice: shell out for a legitimate copy of Windows, with the associated 'features' like product activation that benefit only MS, and not the end user; or get one of those legitimately free OS's and cope with the learning curve.

If you don't have money, but you do have time, or if you simply don't want those unneeded 'features' of the legal versions of Windows, the free OS option is going to look pretty tempting.

And that's how I think tightening the screws on piracy may backfire on MS - instead of getting pirates to buy Windows, they may cause them to bail out of the Windows environment completely.

Rafael Sevilla • February 20, 2005 1:49 PM

> If MS wishes to enforce authentication
> on downloads of new versions of Media
> Player, IE, DirectX, MovieMaker, etc,
> great. That's a limitation that
> penalizes only the user of that pirate
> copy of the OS.

Unfortunately, thanks to MS itself, the situation is not that simple. IE is quite possibly the largest vector of spyware and malware today it would seem. They made it an integral part of the OS, and so it has enough power to bollix the whole system at a stroke due to some actual bugs or even ill-conceived "features". Because much computer multimedia tends to come from the Internet these days, vulnerabilities in Media Player tend to translate into remote exploits as well. In the same way, vulnerabilities within Office become network vulnerabilities too, because Office files tend to be traded around by email, as Bruce had once pointed out in an old Crypto-Gram.

Chris Becke • February 22, 2005 3:54 AM

I can't believe that people are promoting the idea that we should pay a subscription fee for our OS.

That just sounds horrible on so many levels - which boil down to two things:
1. I simply object to paying for something and getting an incomplete product.
2. It sets up a situation where there is no incentive to ship quality software in the first place and no incentive to develop new features as there is a guaranteed revenue stream either way.

Basically, I object to the fact that my ownership of a computer would mean that I must work, so I can pay money to MS so they don't have to.

terni • February 22, 2005 9:34 PM

"Gates shed some light on his own hard-nosed business philosophy. "Although about 3 million computers get sold every year in China, but people don't pay for the software," he said. "Someday they will, though. As long as they are going to steal it, we want them to steal ours. They'll get sort of addicted, and then we'll somehow figure out how to collect sometime in the next decade.""

Israel Torres • February 25, 2005 9:13 AM

Progress ---
"Microsoft is closing a loophole that enabled unscrupulous resellers to use Windows XP product keys that were stolen from large OEMs. The result: customers who purchase Windows on a new PC will not be able to activate, nor reinstall their operating system without first calling Microsoft."
http://www.betanews.com/article/...

Sylvain Galineau • February 26, 2005 5:41 PM

Inaccurate rumor-mongering, I'm afraid. Security fixes will be available for all. Some details here.

jz • September 9, 2006 1:44 AM

It amazes me how greedy Microsoft is when it comes to stealing money from software pirates. If the pirate worked hard to crack a program, then he/she is entitled to what they have earned without intervention from them. I'd like to see new rules established that protect pirates from being back stabbed by large/greedy companies like Microsoft.

libe • November 13, 2007 3:33 PM

why bother? Microsoft sucks and it is out there only because they followed illegal practices and because countries are stupidly following "intellectual rights". This world is so screwed up that people who copy a cd are considered thieves, although the CEO of the companies earn billions while others starve to death. That's only because they have a law to gather money. Can't people just say "no" to money-hungry thieves like Gates and his gang? Imagine a world without protection against copying. Imagine if that happened also in music. Less ugly music (only the real artistic one), less ugly software (the open source that works). For a good operating system try linux, knoppix or ubuntu, or debian if u want.

GMF • March 30, 2009 8:39 AM

Gates' greed is proverbial and the shoddy tactics of his company are also proverbial. Maybe if Gates and Co. priced their product more reasonably there would be less pirating. All PCS running Gates' products should receive any update relating to security, bar none.

kicking koolaid • March 30, 2009 5:23 PM

The OBVIOUS solution would be to manufacture a product which did NOT represent a threat to an entire community. Are people still buying milk that makes babies sick? Dog food that kills dogs? Sandals that contain chemicals that burn your feet?
No. In a NORMAL market...if you're legitimately sold something which damages you or your property...you get rid of it or pursue a refund and buy something else instead. If Linux and Apple gain ground because a rational population understands how this logic works, the Sloth should be paying attention.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.