Thursday, April 16, 2009

Windows Genuine Advantage is still genuinely bad

By Ryan Russell

Microsoft's system for validating Windows before users can download most updates continues to be a problem for legitimate customers and for Internet security as a whole.

Despite claims of offering better security, Windows Genuine Advantage (WGA) serves only Microsoft's marketing interests — but you can eliminate the need for WGA if you know the trick.

Microsoft has long been considered a marketing bully, but with WGA the company has taken its lack of consideration for its customers to a new low.

Windows Secrets has been tracking the WGA story for years. Editorial director Brian Livingston aptly labeled an earlier version of WGA as "Microsoft spyware" in a June 15, 2006, Top Story.

More recently, Brian remarked in a March 30, 2009, news update that PCs failing WGA validation don't automatically receive all available patches from Microsoft. That spawned a critique from a Microsoft spokeswoman which was printed, along with Brian's response, in technical editor Dennis O'Reilly's Known Issues column on April 2. (There's also an Office Genuine Advantage program, which you hear less about but has the same problems as WGA.)

We all want Windows systems throughout the world to be patched for security problems as soon as fixes are released. As a result of the fuss raised by the articles mentioned above, I decided to take another look at WGA.

Here's what happens if a Windows machine fails WGA validation (or the PC's owner, based on tales of disabled machines, is too frightened to run WGA):

* Automatic Updates. If the machine is configured with Automatic Updates (AU) enabled, Microsoft installs only those security patches that the company rates as "Critical." Security patches rated "Important," "Moderate," and below are not installed by AU, and no other updates of any kind are installed.

* Windows Update and Microsoft Update. Microsoft's on-demand patching programs, known as Windows Update (which updates Windows) and Microsoft Update (which updates Windows and other Microsoft products) will refuse to run.

* Manual downloads. Security patches of all levels of severity can be downloaded manually from various Microsoft Web pages and installed individually, if you know where to look.

The third point is the trick to updating a Windows system, regardless of whether it passes WGA validation or you run WGA at all.

Let's examine how various people and companies are using this method.

How companies patch Windows and avoid WGA

An individual who wants to avoid WGA hassles could visit Microsoft's current security bulletin page and browse every new patch and advisory. However, it's unreasonable to expect average Windows users to read each bulletin and decide which patches to install.

A better solution is to use patch-management (PM) software. Every day, dozens of third-party vendors obtain patches from known locations that Microsoft hosts on the Internet. Once the patches are downloaded by the vendors, their software can push the patches out to PCs on a LAN with no worries about WGA. (Disclosure: The company I work for, BigFix Inc., sells a patch-management product that does this for large enterprises.)

Corporations should install a PM solution that resides on a server and pushes patches to individual PCs across a LAN. Network Computing publishes a Rolling Reviews page that analyzes several major PM applications.

Individual PC users have several options to install all security patches — whether rated "Critical," "Important," or any other level of severity — without WGA hassles. The following are a few examples:

* The Software Patch. You can do without Automatic Updates and Windows Update/Microsoft Update, which can be hamstrung by WGA, by using The Software Patch. This is a free Web service that WS contributing editor Scott Dunn reviewed — along with a handful of other alternative update services — in his Oct. 4, 2007, Top Story.

* Online Software Inspector. My Dec. 18, 2008, column described Secunia.com's Online Software Inspector (OSI). This free service scans your PC on demand. OSI then enumerates the security patches that are needed by your copy of Windows, in addition to patches for dozens of applications from Microsoft and other software vendors.

* Personal Software Inspector. My previous column on OSI also described Secunia's Personal Software Inspector (PSI). This is a free download that you install and run on your PC. At present, its primary purpose is to inform you of security updates for hundreds of applications, and you should run PSI in conjunction with Windows Update or Microsoft Update.

It's beyond the scope of today's article to rate the pros and cons of every patching alternative. I hope to bring you a new review of the latest products and services in the coming weeks.

The third-party services mentioned above are compelled by Microsoft to get Windows patches directly from Microsoft's own servers. That means these services can only install security patches and other updates whose files will install without requiring WGA validation.

Fortunately, almost all Windows security patches (of all severity levels) and many other Microsoft updates install fine — regardless of WGA — if you download the files directly or via a third-party service. Microsoft currently lists on a Genuine Software page a few of its apps that do require WGA, such as Windows Defender, Windows Media Player, and Calculator Plus.

In fairness, Microsoft should get credit for posting all of its security patches (of all levels of severity) on publicly available URLs. At least this policy does provide the files to patch-management professionals who know these locations. By contrast, such firms as Red Hat, Sun, and IBM require contracts and log-in credentials before you can obtain some of these companies' Linux, Solaris, and AIX patches, respectively.

The big question is this: why would Microsoft cripple its consumer patching tools — Windows Update and Microsoft Update — by disabling them if a PC doesn't pass WGA validation? The only logical reason I can think of is because Microsoft wants to push WGA, and denying updates to users is the best stick the company can come up with. I believe this decision is a huge mistake.

Windows Update is a crucial service that must remain free from chicanery, because Windows Update is the default program for on-demand security checkups. In computing, defaults are everything. Windows Update is installed and available in every recent copy of Windows on the planet, whether those machines are correctly licensed or not.

Many people disable Automatic Updates because it's intrusive and has been used in the past to install WGA and other nonsecurity updates. If users can't run Windows Update as an alternative to AU, there's a massive problem on the Internet. The battle against malware is already bad enough, and we don't need anything to make the problem worse. When millions of computers become infected, the attacks from these machines become a problem for you, the paying customer of Microsoft.

DRM exists at the expense of paying customers

Call it what you will: WGA, Digital Rights Management (DRM), anti-piracy, or copy protection. It abuses the hospitality of paying customers in an attempt to thwart those who don't want to pay. I don't object one bit to paying Microsoft for the software I use. I do object to being forced to help a company in futile efforts to combat copyright violators.

Copy-protection harms legitimate users who are inconvenienced at best and forced to cope with nonfunctional software at worst. The bad guys, by contrast, aren't harmed much at all. Pirate operations have the money and time to defeat every copy-protection mechanism. Once pirates have broken a DRM scheme, the unlocked software might be salable for months without the pirates' needing to deal with the protection any further.

Do you dislike having to insert a CD into a drive to update Microsoft Office or play a game? Guess what: users of the pirated versions of those programs generally don't have to deal with that. Only the legitimate buyers are inconvenienced.

I've been analyzing flavors of copy protection since the early 1980s. During those nearly 30 years, it's always been the same. Copy protection primarily hurts legitimate users while giving bad guys merely a short period of entertainment.

I do recognize the gray area between the two extremes. There are many users who might violate a software publisher's copyright if it were convenient to do so. But I still believe that the punishment imposed on a software company's best customers is not worth the tiny impact on the real pirates.

I'm not saying Microsoft has to give away its products for free. I'm saying that a copyright owner's battle against piracy is not my problem, so please quit making my life hard in a vain attempt to resolve your legal issues.

Microsoft's lack of support for its best users, in the name of protecting intellectual property, sometimes reaches absurd levels. A recent example of this is Microsoft's refusal to support its software on virtual machines unless the VM software is Microsoft's own. (You can read the details about this in my blog entry posted April 2.)

Microsoft has gotten really aggressive about license protection. The pendulum needs to swing back in the direction of making things easier for the company's customers.

No comments: