Anti-Spyware as Anti-Piracy Is Microsoft's anti-malware giveaway part of a master plan to flush out software pirates? By Mark Rasch Jan 17 2005 11:22AM PT http://www.securityfocus.com/columnists/292
With Microsoft's acquisition of anti-spyware maker Giant Software, the company seems well-poised to enter the anti-spyware and anti-virus marketplace. At the very least, in combination with its well-publicized secure computing initiative, and the security upgrades in Windows XP Service Pack 2, Microsoft appears to be taking security more seriously ... Of the company may simply be using its new anti-spyware technology as a ruse for rooting out and eventually destroying unlicensed copies of its operating system. Early last month Microsoft announced that it would permit downloads of a beta version of its anti-spyware software from its website. However, users attempting to download the software are informed that "[t]his download is available to customers running genuine Microsoft Windows. Please click Continue to begin Windows validation." The website then uploads an executable file called "GenuineCheck.exe" to the users computer. The executable presumably scans the OS for the license key, and generates a key code that the user is directed to send to Microsoft. If the key code is for an unlicensed version of the OS, the user is directed to purchase the software online, and is denied the opportunity to download the anti-spyware software. While I am extremely sympathetic to the needs of software companies to fight the multi-billion dollar problem of copyright infringement, I think it is a bad idea to use security as the hook to do so. The same issue came up when Microsoft denied Service Pack 2 to some unlicensed Windows XP users. This can be the electronic equivalent of automatically disengaging the brakes on stolen cars -- sure it will reduce automobile theft (and the sale of stolen vehicles), but at the cost of making everyone less safe. Spyware and keystroke loggers are increasingly serving as tools of identify theft and fraud, and the cost of these crimes are passed to consumers as a whole-- they are not limited to the immediate victims. Viruses, worms and "bots" are used to build DDoS and spam networks. On the Internet, everyone's security is dependent upon everyone else's, so deliberately keeping computers insecure potentially hurts us all. Of course, Microsoft is hardly required to make anti-viral or anti-spyware software, or to give it away for free. Nobody has a right to this software. And I'm not suggesting that Symantec or McAfee has an obligation to give away its products, or to support pirated copies of their anti-viral software with free definition upgrades. But what Microsoft is doing is different. It is requiring that, as a condition precedent to being secure, you must establish that different software -- in this case, your operating system -- be properly licensed. This can be problematic if Microsoft ends up dominating the spyware and anti-viral marketplace the way they have dominated the browser and OS (not to mention the free solitaire and minesweeper) markets. Right now, neither my browser (Internet Explorer), nor my media player (Windows Media Player) nor my Word Processor (MS Word) nor my E-mail server (MS Outlook) disable themselves if my OS is unlicensed. Why only security functionality? A cynic might posit that Microsoft is using genuine concern about security as a mechanism to collect information about piracy. Even if "GenuineCheck.exe" doesn't transmit personal information back to Redmond -- and the company says it doesn't -- it unavoidably communicates the user's IP address, which is easily linked to a consumer's name and address by subpoena. I can envision a situation where a person trying to prevent spyware finds something much, much worse -- a Microsoft lawyer -- on his or her doorstep. If I had more of a conspiratorial bent, I might even think Microsoft deliberately wants to ensure that users of unlicensed software are left unprotected from malware, so that corporate America can use such programs against the pirates. Consider PC World magazine's recent report that Overpeer, a company with close ties to the recording industry, was using Microsoft's intellectual property licensing scheme to spread unwanted adware through peer-to-peer networks. Though I am jaded, I am not yet a cynic, so for now I'll assume that Redmond's goals are less Machiavellian. But security should not be held hostage to other things -- including the laudable goal of preventing piracy. We are either all secure, or we are not. SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime You are a subscribed member of the infowarrior list. Visit www.infowarrior.org for list information or to unsubscribe. This message may be redistributed freely in its entirety. Any and all copyrights appearing in list messages are maintained by their respective owners.
