Hi, Micronetters
Recently we have had automatic updates from Microsoft bite us bad in regards to the BFS vs Security Updates. In that light I just happened to receive my September issue of PC Today with an article concerning the WGA (Windows Genuine Advantage) push by Microsoft. The following article further stresses the need for us to not blindly accept Microsoft when it comes to updates and workstation security. Please read this in its entirety and understand why I am concerned about the direction we all seem to be heading, i.e. AD with automatic update push... (some think I am paranoid yet with stuff like this I feel I am just being prudent)
The article can be found at:
Visit this page on the Web at: http://www.pctoday.com/email.asp?emid=6097
or read it here:
*Columnists*
October 2006 • Vol.4 Issue 10
Page(s) 24-25 in print issue
*Scot’s Take*
*Oh, What A Tangled Web Microsoft Weaves*
/*Scot Finnie* is Online Editorial Director at Computerworld and the author of Scot’s Newsletter (www.scotsnewsletter.com <http://www.scotsnewsletter.com>). He’s been a technology journalist for more than 20 years. Send him feedback at scot pctoday.com <mailto:scot pctoday.com>./
Microsoft’s WGA (Windows Genuine Advantage) is neither genuine nor an advantage for buyers of Microsoft’s Windows OS. As one outspoken Windows expert wrote to me in a recent email, it’s arguable whether WGA is spyware, but it could definitely spawn a new class of unwanted software called “revenueware.” That’s exactly what WGA is: Microsoft’s bid to eliminate existing counterfeit copies of Windows XP by requiring end users to pay up.
So what is WGA? It's software installed on your Windows computer whose job is to check that your machine has a valid, authorized, or “genuine” copy of Windows as opposed to a version that may be pirated and resold. It’s not such a bad thing that Microsoft is trying to protect itself from software piracy. The company has a right to protect its intellectual property. The problem is that WGA doesn’t really go after the largest offenders. It goes after end users—you and me—who are the unwitting victims of software counterfeiters and pirates. And while that’s within the software giant’s rights, I don’t want to mince words with this: That’s a stupid policy.
You might, for example, send your computer to a repair shop and thereafter it might fail the WGA test. Your PC maker could accidentally assign the wrong product ID to your new PC. You might buy a shrink-wrap copy of Windows at its retail price and wind up with a pirated product ID. Microsoft isn’t going to help you in any of those situations. You’re on your own, unless you can turn over a realistic-looking Windows forgery to Microsoft. Even then all you get is a discount.
There’s another problem with WGA. Microsoft isn’t promising that it won’t accidentally have false positives. Some percentage of people, however small, are already being branded by a little program as having unauthorized copies of Windows, when in fact that might not be the case. When you go after customers the way WGA does, it isn’t fair to allow Microsoft to be the sole judge and jury, especially when it is basing its judgment on a program’s findings. Microsoft admits that program could make mistakes. Of course it could; no software is perfect.
*Getting A Bad Feeling About This*
Throughout recent months there has been a large, negative reaction to WGA. Microsoft has tweaked the software and some of the legal language around it in an effort to pull back on WGA’s aggressive behavior. Earlier versions were checking for validation reportedly on a daily basis. Microsoft has apparently pulled back somewhat on the frequency with a newer version of this code, but at this writing, there are still overkill issues with the way Microsoft handles WGA.
The worst of these is that Microsoft is still near covertly releasing WGA among selections of “critical updates” through Windows Automatic Updates, Windows Update, and Microsoft Update. So, even though WGA is currently an optional program, it is possible to block the installation of the WGA authentication software if you know what you’re doing. In a nutshell, don’t let Windows automatically install updates; always review individual updates first. When you work this way, you uncheck the WGA tool and install true security patches only. (WGA offers no security advantage to end users; its only advantage is in helping Microsoft fight its software piracy war.) You also need to specify that you don’t want to be bugged to install WGA later, otherwise Windows will ask again.
Odds are that most WinXP users already have WGA running on their systems. Microsoft published directions for uninstalling the most aggressive, earlier pilot versions of WGA. (The “Arming Yourself With WGA Knowledge” sidebar at www.pctoday.com/pctoct06/scot <http://www.pctoday.com/pctoct06/scot> has tips for removing some WGA versions.)
*Curiouser & Curiouser*
Microsoft’s crowning moment of idiocy with WGA is potentially yet to come (at least as of this writing). Microsoft has considered, and may still be considering, making WGA mandatory. There have been contradictory bits of information released to the press by Microsoft and its public relations agency on the point. But Microsoft’s own WGA FAQ (at press time) reads: “While the [WGA] program is presently opt-in, as it expands later in the year, it may become a requirement for the [Automatic Updates] service,” (www.microsoft.com/genuine/downloads/FAQ.aspx <http://www.microsoft.com/genuine/downloads/FAQ.aspx>).
How does Microsoft intend to enforce this? Many experienced users are finding ways to thwart WGA on the Internet. Although the majority of users probably already have WGA running on their machines, there is an entrenched group of people—and you can count me among them—who feel WGA needs to be fought. How will Microsoft force us to install this software? In particular, what will the punishment be if we don’t install the software?
The first use of WGA I’m aware of was with the free download of Microsoft Anti-Spyware about two years ago. If you didn’t validate your Windows ownership with an ActiveX control, Microsoft denied access to its beta antispyware utility. That carrot-oriented incentive was applied to other Microsoft downloads, too. To me, this was an acceptable way for Microsoft to employ WGA. But two more negative incentives have been widely bandied about by the press and Microsoft this year.
I recently forced WGA to invoke its wrath on one of my machines by setting the system date one month into the future. A WGA warning box popped up leading me to the WGA Web site for a validation scan. As part of the process, Microsoft downloaded more WGA stuff to my computer. I was given this terse warning in a pop-up window:
“If you receive a [WGA] notification, you will be given an opportunity to resolve this problem. Only genuine Windows customers are eligible to receive Microsoft product support, /select security upgrades/, and other new features.” (The added emphasis is mine.)
To me, this crosses the line big time. Any notion at all that Microsoft would hold users hostage for security updates because its little WGA code indicates the user’s machine might not be fully valid is lunacy. Security patching should never, ever be withheld to user PCs. Period.
*Losing Touch With Reality*
Microsoft has never used the term “kill switch” except in formally refuting that it would ever “turn off” user computers as a way to enforce WGA. To my knowledge the software giant has never intimated specifically that it might disable Windows machines to enforce the use of WGA validation or to stop the use of Windows installations it deems to be pirated.
In June, Microsoft released a statement to several reporters about one Windows expert’s claim that a WGA-related WinXP kill switch might be in the offing later this year. Microsoft reporter Eric Lai, who works with me at /Computerworld/, was a recipient of this message. The statement was more interesting for the things it didn't say than the things it did. In the statement Microsoft claimed only that it would never "turn off" the PCs of users who didn't accept WGA. But what about blocking access to Windows in the same way that WPA (Windows Product Activation) does? When WPA goes to work, it effectively blocks you from logging in to Windows. The machine is still powered on, but you can no longer use it. Does it sound like I’m mincing words? Maybe. But don’t bet the farm on whether Microsoft might not be mincing them, too.
I can only hope that Microsoft will come to its senses about its WGA antipiracy effort and allow it to remain an opt-in program. If you’re one of the unlucky ones who gets tagged by WGA, there’s no way to appeal. Microsoft is offering ways to pay up that might save you a little money. And that’s about it. That’s just not an acceptable way to treat customers.
Respectfully,
Charles
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Charles E. James, P/A II
IST/ASD/Release Management and QA Testing Unit
U. C. Berkeley California
510-642-8440
-----------------------------------------
How hard is it to fool people and hurt them?
Not hard.
How hard is it to inspire people and help them?
More important than outward success
is that personal quality which will,
when developed, produce not only the
perfect external result, but which
will have its real meaning and
value within itself.
-----------------------------------------