http://www.samspublishing.com/articles/printerfriendly.asp?p=30017
Buy Microsoft, Go to Jail?
Date: Nov 15, 2002
By Seth Fogie, Cyrus Peikari
Article is provided courtesy of Prentice Hall PTR.
Do Microsoft's antipiracy policies go too far? Dr. Cyrus Peikari and Seth Fogie look at the terms of Windows Product Activation (WPA) and its enforcement by Microsoft's Business Software Alliance to see what implications these have for individual rights, the law, and the future survival of Microsoft itself.
For years Microsoft has lived dangerously. By using increasingly invasive consumer-monitoring technology, the company could now be flirting with economic disaster. In fact, Microsoft has recently implemented code that could be considered hostile both to privacy and to human dignity. This article explores these new technologies and their implications for individual rights, for the law, and for the future survival of Microsoft itself.
In this era of grass-roots movement toward open source code and universal standards, Microsoft's invasions of privacy and human dignity, if not rapidly and dramatically reversed, could finally spell the end of the company. For example, we will show that the humiliating terms of Windows Product Activation (WPA) and its terrifying enforcement by Microsoft's Business Software Alliance (BSA) enforcers could finally be enough to push its users to open source operating systems.
Worse, we will demonstrate that Microsoft's use of “Trojaned” service packs is potentially in severe violation of federal privacy standards such as the Health Insurance Portability and Accountability Act (HIPAA). Thus, a network administrator who purchases and deploys Microsoft software could soon possibly find himself or herself facing fines and imprisonment for violating federal law. Even users who are traditionally Microsoft's strongest supporters—including us—could finally be compelled to switch to Linux rather than go to jail to support Microsoft's invasive and potentially illegal technology.
Before we begin, allow us to offer an apology. This article is not meant to criticize any individual, least of all any of the hard-working men and women who program for Microsoft, many of whom are our close personal friends. However, we would not be true friends if we allowed them to rush blindly down the path of destruction. Thus, we respectfully submit these observations as a tool to help further the vital discussion of privacy and information security.
Windows Product Activation
Windows Product Activation (WPA) is a controversial antipiracy licensing scheme that was introduced in Windows XP and now includes Windows .NET Server. Retail copies of .NET Server, as well as some copies that are preloaded on OEM-purchased servers, now require activation via the Internet or by telephone. (Volume licensing does not require activation.)
Critics have reported several potential problems with WPA. In fact, if Microsoft does not withdraw WPA altogether, .NET Server is likely to be a total market disaster. Rather than suffer such humiliation, the preponderance of administrators who are still loyal to Microsoft will defect en masse to Linux.
Privacy and the BSA
As others have pointed out, WPA is also unlikely to be effective as an antipiracy tool. For example, hackers cracked WPA as soon as the first beta was released. Thus, WPA is potentially more useful as a means of scaring legitimate consumers and businesses into keeping up with vendor license demands. However, when viewed in the historical context of Microsoft's oppressive intellectual property persecution, the WPA raises privacy issues of Orwellian proportions.
This history centers on an organization known as the Business Software Alliance (BSA). Despite the impression it has endeavored to attach to the acronym, the BSA, unlike the FBI or CIA, has no law enforcement or government affiliation. It has been described as purely for-profit “hired muscle” used by major software companies such as Microsoft and others to intimidate honest companies.
As an example, the BSA regularly targets one city at a time with “strong arm” tactics. They send an official-looking letter, which reads like an ultimatum, to various tech companies in the target city. The purpose is to trick honest companies into voluntarily submitting to a software audit. Frequently, the ruse works. The unfortunate company, struck with panic over a full BSA “investigation,” self-reports that it cannot find the documentation for all of its software licenses and ends up paying huge sums to the BSA. In fact, the Association of Chartered Certified Accountants in the United Kingdom described the mailing as “heavy-handed and 'questionable.'” It is also very profitable. According to the BSA, more than $75 million in such “fines” has been collected over the last decade.
This city-wide BSA mailing is typically followed by a persistent radio campaign stating that the BSA has “declared war” on the city and warning companies to submit to a voluntary “inspection.” In the same commercial, the BSA seems to coax disgruntled ex-employees to retaliate against their hated ex-boss by reporting them for software license violations—which (incredibly) could be all it takes for the BSA to obtain a police escort and search warrant.
After a company is “audited,” the BSA assesses a “fine” of up to several hundred thousand dollars. The curious part is that most companies are so scared and bewildered by the whole BSA spectacle that they gladly pay without a word of protest.
Thus, WPA could potentially be abused as a tool for targeting honest individuals and companies. After you install .NET Server, Microsoft suddenly has detailed personal information about your system and IP address. From there it could theoretically be hours before the BSA turns up at your door with the local police and a warrant to conduct a search, although there is no evidence that such a policy exists.
Unfortunately, the BSA often dupes honest law enforcement officers into seeking a warrant. Because BSA “officials” wear suits and ties, and use official-sounding terms, they invariably impress local police enough to get them scrambling. Even when presented with the most flimsy pretext of evidence, the poor law enforcement officer is so overwhelmed by the BSA suits that he feels compelled to go along with the charade.
Technical Problems with WPA
In addition to the many privacy issues surrounding the WPA, this new technology has created technical nightmares for Microsoft users. To illustrate, take a look at the problems Rob Robinson, a network admin, ran into as he attempted to upgrade a server to Windows XP. What makes Rob's experience unique is that this server was also running Terminal Services (TS).
Rob summarizes his experience with this line: “WPA is unquestionably one of the worst abominations that MS has imposed on its customers.” In short, upgrading his server disabled the TS application. This required Rob to call Microsoft for help. As he puts it, “No one with whom I spoke had the foggiest idea of how one installs TS client licenses and stated that no information was available in their MS databases.” In the end, Microsoft suggested that “the only solution was to format the hard drive, reinstall everything, and thereby gain another 90 days of TS usage.”
Rob still had to call back before the 90 days to get his license number, which was made more difficult by a dead DSL line. Microsoft eventually cut and pasted the 35-alphanumeric-character code from one database to another. All the computers then agreed that there was a working and activated license server.
Rob says that the next step was to enter the 5 x 7 character license pack code. "This was achieved after some fun telephone interaction with the phonetic alphabet," he says. "Our server now said that all was well. We had an activated TS license server and 10 licenses. Unfortunately, Remote Desktop still thought that there was no proper licensing. No amount of license server starts, stops, restarts, or other steps—including a system cold start—would convince the OS that the licensing existed." Rob finally removed TS licensing from the system. The only good news is that administrative Remote Desktop access then was enabled.
From this scenario, it is easy to see the predicament that the WPA places its users in. The typical installation of Windows XP may not present too many issues for the novice user, but this example illustrates the difficulties that more advanced users and administrators may face if they attempt to upgrade to any operating system using the WPA. In the end, Rob was told that any upgrade to his server would require a repeat of the entire formatting and reinstallation process.
What Does WPA Report?
The software company Fully Licensed completely reverse-engineered the WPA process. Remembering the ignominy that befell dear Dmitry Sklyarov at Defcon last year, because of DMCA restrictions we cannot reprint the excellent analysis by Fully Licensed.
However, based on its findings, Fred Langa reported in Information Week that when you register XP software, the OS sends Microsoft a unique 50-digit hash of your machine.
In addition to the software license number, this fingerprint is derived from the following aspects of your system:
CPU serial number *
CPU model number/type *
Amount of RAM in the system *
Graphics adapter hardware ID string *
Hard-drive hardware ID string *
SCSI host hardware ID string (if present) *
IDE (Integrated Drive Electronics) controller hardware ID string *
MAC address of your network adapter *
CD-ROM drive hardware identification string
Whether the system is a dockable unit (for example, a notebook)
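As an added illustration (our own example code, not Microsoft's WPA implementation, which we cannot reprint), the following Python sketches how a fingerprint built from component identifiers like those listed above behaves: it is stable for an unchanged machine, so it identifies that machine on every check-in, yet any hardware swap alters it, and a tolerance rule decides when a change forces re-activation. The component values, the per-component SHA-256 digests and the tolerance of three are assumptions made for this example.

```python
import hashlib
from typing import Dict, Tuple

# Component names follow the list reported by Fred Langa; the values below
# are constructed for this example and do not describe any real machine.
COMPONENTS = ("cpu_serial", "cpu_model", "ram_mb", "gpu_id", "hdd_id",
              "scsi_id", "ide_id", "mac", "cdrom_id", "dockable")

SAMPLE_MACHINE = {
    "cpu_serial": "0000-0F24-0000-0000",          # constructed
    "cpu_model": "GenuineIntel Family 15 Model 2",
    "ram_mb": "512",
    "gpu_id": "PCI\\VEN_10DE&DEV_0110",
    "hdd_id": "WD-WMA6Y1234567",
    "scsi_id": "",                                 # no SCSI host present
    "ide_id": "PCI\\VEN_8086&DEV_24CB",
    "mac": "00-0C-29-4B-1A-22",
    "cdrom_id": "LITEON DVD-ROM LTD163",
    "dockable": "0",
}


def component_digests(machine: Dict[str, str]) -> Dict[str, str]:
    """Digest each component separately (assumed design, not WPA's own) so the
    server can tell which components changed without receiving the raw IDs."""
    return {name: hashlib.sha256(f"{name}={machine.get(name, '')}".encode())
            .hexdigest()[:8] for name in COMPONENTS}


def machine_fingerprint(machine: Dict[str, str]) -> str:
    """One combined digest: identical for an unchanged machine, so it is a
    stable identifier; any single component change produces a new value."""
    joined = "|".join(component_digests(machine)[n] for n in COMPONENTS)
    return hashlib.sha256(joined.encode()).hexdigest()


def reactivation_check(stored: Dict[str, str], current: Dict[str, str],
                       tolerance: int = 3) -> Tuple[int, bool]:
    """Count components whose digest differs from the stored copy; more than
    `tolerance` changes is what would trip a reduced-functionality mode."""
    changed = sum(1 for n in COMPONENTS if stored[n] != current[n])
    return changed, changed > tolerance


if __name__ == "__main__":
    stored = component_digests(SAMPLE_MACHINE)
    # A RAM upgrade plus a new graphics card: two components differ.
    upgraded = dict(SAMPLE_MACHINE, ram_mb="1024", gpu_id="PCI\\VEN_1002&DEV_4966")
    print(machine_fingerprint(SAMPLE_MACHINE) != machine_fingerprint(upgraded))
    print(reactivation_check(stored, component_digests(upgraded)))
```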
Worse, even after the product has been fully registered, WPA “phones home” to Microsoft from time to time. Thus, if you have changed your system components, or if there are problems with the Microsoft central database, your system locks into a reduced-functionality mode. It is unclear what other investigation or action Microsoft takes against you after that.
“Trojaned” SP3
While WPA is humiliating, in practice it is no more than one more obstacle for the busy network administrator to overcome. With Service Pack 3 (SP3), using Microsoft products has suddenly become much more sinister.
Any Windows admin knows, understands, and expects that Windows must be patched and updated to ensure that the software is secure. As a result, Microsoft has provided service packs for its operating systems that package multiple security fixes into one large patch. Although these service packs have a notorious reputation for causing more problems than they fix, they are nevertheless mandatory for security. Without these service packs, it is almost guaranteed that a system will fall victim to a hacker attack or worm infestation.
Until recently, Microsoft has provided these service packs without invasive monitoring or obvious privacy conflicts. However, with the release of SP3 for Windows 2000, Microsoft is treading dangerous ground. In fact, if you have installed SP3 for Windows 2000, you could be in violation of the security policy of your organization, and you might have even broken federal law.
The problem is found in the User Agreement of the service pack:
The OS Product or OS Components contain components that enable and facilitate the use of certain Internet-based services. You acknowledge and agree that Microsoft may automatically check the version of the OS Product and/or its components that you are utilizing and may provide upgrades or fixes to the OS Product that will be automatically downloaded to your computer.
This seemingly innocuous statement opens new possibilities as to what Microsoft can do to you if you install SP3. This addition to the EULA also brings with it a range of potential problems for those businesses and companies that absolutely cannot permit remote access to their computers. The HIPAA regulations mentioned in the introduction are one example of how Microsoft's EULA could put an organization in violation of the law.
For example, to be HIPAA compliant, your health-care organization must “reasonably safeguard protected health information from any intentional or unintentional use or disclosure.” However, if SP3 is installed, Microsoft can now access your machines containing safeguarded information, such as confidential medical records. Ironically, however, you must install SP3 to be secure. Thus, every organization that needs to meet HIPAA's regulations must choose the lesser of two evils.
The obvious solution would seem to be to reverse-engineer SP3 to give yourself more control over Windows Update (in fact, this has already been done, and the “patch” is available on the Internet). However, we do not recommend this because it might put you in violation of the abominable Digital Millennium Copyright Act (DMCA). Although the DMCA allows provisions for reverse-engineering for security purposes, the interpretation is still nebulous. Worse, releasing, linking to, or using a third-party ready-made patch could be an even worse violation of the DMCA.
Conclusion
Microsoft has spent hundreds of millions of dollars in recent efforts to improve public perception of its security. Unfortunately, its own antipiracy policies are undermining these efforts. The humiliating WPA, the oppressive BSA, and the Trojaned SP3 combine to set the state of Microsoft security several years backward. If Microsoft does not immediately and dramatically reverse its course, it is destined for failure.
© 2006 Pearson Education, Inc. Informit. All rights reserved.