Hand me my waders, it's getting deep in here
- By Mike Gunderloy
- January 26, 2005
I haven't had a good rant here in a while. Fortunately, Microsoft has seen
fit to fix that situation by putting out a press release with the title "Microsoft
to Implement Worldwide Anti-Piracy Initiative." Depending on what you've
downloaded (or tried to download) from Microsoft recently, you may have already
run across the Windows Genuine Advantage program. Basically, it downloads an
ActiveX control to your computer to check and make sure your copy of Windows is
legitimate before it lets you have the software that you're trying to download.
Today's announcement is that in the second half of 2005, all of the content at
the Microsoft Download Center and Windows Update sites will be locked up behind
this scheme.
Now, before I start complaining, let's note that I believe in paying for
commercial software (though I don't view open source software as a tool of the
devil - but that's a topic for another rant). Microsoft can implement whatever
anti-piracy measures they want to protect their income stream, and that doesn't
bother me. What does bother me is when they choose a mechanism that will (as
with previous attempts) inconvenience the honest user and potentially lower
their security, while not keeping serious pirates at bay. It also bothers me
when they wrap everything up in market-speak instead of saying simply "we're
tired of losing money and intend to punish users who didn't pay."
Let's start with the first set of problems. Many of us are understandably
wary of letting ActiveX controls onto our computers. There have been numerous
security problems with these controls in the past, including controls from
Microsoft. So far, the Windows Genuine Advantage stuff has not, as far as I
know, been involved in any security problems - but it does increase the attack
surface where problems could arise. So that brings some additional threat to
users while helping Microsoft - not an even trade.
I haven't dug into the technology being used by Microsoft to verify
legitimacy, but you know, it's all ones and zeros. Just as there exist serial
number generators for all of those infuriatingly-long serial numbers you need to
install software, just as there exist cracks that will get you around online
activation, the smart kids with nothing better to do will figure out a way to
spoof this as well. Maybe they'll intercept the data stream back and replace it
with data that says "this copy of Windows is cool." Maybe they'll figure out how
to tell the control that all is well when it isn't. In any case, it'll happen.
Pirates will own seemingly-legitimate copies of Windows, and legitimate users
will have another hurdle to jump through to use software they've already paid
for.
As for market-speak, let me quote a choice section of the press release:
"Counterfeit software puts users at risk of receiving an inferior product that
may present security risks, be missing code or contain malicious code." C'mon
now - can we back that up with some actual examples? Or is that just the same
threat that every monopoly product has used in the past? I'll bet the majority -
the vast majority - of counterfeit copies of Windows are made simply by
duplicating CDs directly from legitimate copies. They're not going to have more
or less code than the original. The main (probably only) difference is whether
they're installed with a legitimate product key or a pirated one.
I also had to laugh at "Response to the pilot program has far exceeded
Microsoft's expectations, with more than 5 million people voluntarily taking
part since the program began in September 2004." In other words, more than 5
million people decided to download something, discovered that it was locked up
by Windows Genuine Advantage, and then decided that they couldn't fight City
Hall.
Ah well - you can't fight the march of progress. I'll probably end up taking
one of the machines on my network (all legitimately licensed), letting it go
through the Windows Genuine Advantage process, and then doing all of my
downloading from that machine. That way I can still use the Microsoft Download
Center, and I don't increase the attack surface on every machine. I'll bet I'm
not the only one to adopt that strategy.
About the Author
Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.