Microsoft's Actions Speak Louder Than Words
By Bruce Schneier
May 31, 2004
The security of your computer and network depends on two things: what you do to secure your computer and network, and what everyone else does to secure their computers and networks. It's not enough for you to maintain a secure network. If other people don't maintain their security, we're all more vulnerable to attack. When many unsecure computers are connected to the Internet, worms spread faster and more extensively, distributed denial-of-service attacks are easier to launch, and spammers have more platforms from which to send e-mail. The more unsecure the average computer on the Internet is, the more unsecure your computer is.
It's like malaria: everyone is safer when we all work together to drain the swamps and increase the level of hygiene in our community.
This is the backdrop against which to view Microsoft's Windows XP security upgrade: Service Pack 2 (SP2). SP2 is a major security upgrade. It includes features such as Windows Firewall, an enhanced personal firewall that is turned on by default, better automatic patching and other security improvements.
Initial news stories reported that Microsoft would make this upgrade available to all XP users, both licensed and unlicensed. To me, this was a smart move on Microsoft's part. Think about all the ways the company would benefit. Licensed users would be more secure and happier. Worms that attack Microsoft products would be less virulent, so Microsoft wouldn't look as bad in the press. Microsoft would win, its customers would win and the Internet would win. It's the kind of marketing move about which best-selling books are written.
Then Microsoft said the initial comments were wrong; SP2 would not run on pirated copies of XP. Only legal copies of the software could be secured. This is the wrong decision, for all the same reasons that the initial decision was the correct one.
Of course, Microsoft is within its rights to deny service to pirates. It makes sense for the company to make sure performance or feature upgrades do not run on pirated software. Microsoft wants to deny the benefits of its products to people who haven't paid for them, and entice these people to become licensed users. But security upgrades are different. Microsoft is harming its licensed users by denying security to unlicensed users.
This decision, more than anything else Microsoft has said or done in the past few years, proves to me that security is not the company's first priority. Here was a chance for Microsoft to do the right thing: to put security ahead of profits. Here was a chance to look good in the press and improve security for all its users worldwide. Microsoft says that improving security is the most important thing, but its actions prove otherwise.
SP2 is an important security upgrade to Windows XP, and I hope it is widely installed among licensed XP users. I also hope it is quickly pirated, so unlicensed XP users also can install it. For me to remain secure on the Internet, I need everyone to become more secure. And the more people who install SP2, the more we all benefit.