Hand me my waders, it's getting deep in here
I haven't had a good rant here in a while. Fortunately, Microsoft has seen
fit to fix that situation by putting out a press release with the title Microsoft
to Implement Worldwide Anti-Piracy Initiative. Depending on what you've
downloaded (or tried to download) from Microsoft recently, you may have already
run across the Windows Genuine Advantage program. Basically, it downloads an
ActiveX control to your computer to check and make sure your copy of Windows is
legitimate before it lets you have the software that you're trying to download.
Today's announcement is that in the second half of 2005, all of the content at
the Microsoft Download Center and Windows Update sites will be locked up behind
Now, before I start complaining, let's note that I believe in paying for
commercial software (though I don't view open source software as a tool of the
devil - but that's a topic for another rant). Microsoft can implement whatever
anti-piracy measures they want to protect their income stream, and that doesn't
bother me. What does bother me is when they choose a mechanism that will (as
with previous attempts) inconvenience the honest user and potentially lower
their security, while not keeping serious pirates at bay. It also bothers me
when they wrap everything up in market-speak instead of saying simply "we're
tired of losing money and intend to punish users who didn't pay."
Let's start with the first set of problems. Many of us are understandably
wary of letting ActiveX controls on to our computers. There have been numerous
security problems with these controls in the past, including controls from
Microsoft. So far, the Genuine Windows Advantage stuff has not, as far as I
know, been involved in any security problems - but it does increase the attack
surface where problems could arise. So that brings some additional threat to
users while helping Microsoft - not an even trade.
I haven't dug into the technology being used by Microsoft to verify
legitimacy, but you know, it's all ones and zeros. Just as there exist serial
number generators for all of those infuriatingly-long serial numbers you need to
install software, just as there exist cracks that will get you around online
activation, the smart kids with nothing better to do will figure out a way to
spoof this as well. Maybe they'll intercept the data stream back and replace it
with data that says "this copy of Windows is cool." Maybe they'll figure out how
to tell the control that all is well when it isn't. In any case, it'll happen.
Pirates will own seemingly-legitimate copies of Windows, and legitimate users
will have another hurdle to jump through to use software they've already paid
As for market-speak, let me quote a choice section of the press release:
"Counterfeit software puts users at risk of receiving an inferior product that
may present security risks, be missing code or contain malicious code." C'mon
now - can we back that up with some actual examples? Or is that just the same
threat that every monopoly product has used in the past? I'll bet the majority -
the vast majority - of counterfeit copies of Windows are made simply by
duplicating CDs directly from legitimate copies. They're not going to have more
or less code than the original. The main (probably only) difference is whether
they're installed with a legitimate product key or a pirated one.
I also had to laugh at "Response to the pilot program has far exceeded
Microsoft's expectations, with more than 5 million people voluntarily taking
part since the program began in September 2004." In other words, more than 5
million people decided to download something, discovered that it was locked up
by Windows Genuine Advantage, and then decided that they couldn't fight City
Ah well - you can't fight the march of progress. I'll probably end up taking
one of the machines on my network (all legitimately licensed), letting it go
through the Windows Genuine Advantage process, and then doing all of my
downloading from that machine. That way I can still use the Microsoft Download
Center, and I don't increase the attack surface on every machine. I'll bet I'm
not the only one to adopt that strategy.
Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.