Security Watch

Is 'Genuine Windows Validation' a Good Thing?

Microsoft's latest attempt to curb piracy restricts security patches to only owners of genuine copies of Windows.

Hacking
Microsoft announced it will require "genuine Windows validation" in mid-2005 for anyone running Windows XP or Windows 2000 Professional who attempts to download security patches manually. Users of other operating systems, and those who obtain security patches automatically by enabling Automatic Updates, will be exempt for now. "Genuine Windows validation" involves determining whether the operating system has been purchased legally. The process, similar to Windows Activation, does not require the consumer to divulge private information to Microsoft.

Some of the media coverage about this speculates that preventing illegal copies of Windows from obtaining patches is going to make for a huge number of compromised systems. This idea is, to say the least, hilarious. It makes the assumption that someone running an illegal copy is more likely to get patches via manual downloads than Automatic Updates. I don't think so!

The problem is that most people don't get any updates at all, whether their installation is legal or not. I see no reason that Microsoft's shareholders should continue to allow illegal copies of Windows to run at all, but no doubt a large number of people who have such copies installed don't even know they've got an illegal OS in the first place. They got it when they bought a cheap PC, or purchased the OS separately from a store that had bogus stock.

No doubt eventually Microsoft will make "genuine Windows validation" mandatory for all security updates, and no doubt there are some who fear that eventuality also. My response to that concern is equally simple—get a legal copy before it happens. If withholding security updates makes for greater compliance with the law, then so be it.

The U.S. Department of Energy apparently accidentally published confidential Homeland Security documents marked "For Official Use Only," and the documents remain visible via Google's Web cache.

This column was originally published in our weekly Security Watch newsletter.

Please be sure you've created a properly configured robots.txt file on your Web servers. While it won't prevent confidential documents from being placed on a publicly available server, it is at least one way to prevent such documents from being available in Google's Web cache from now until eternity.

Denial of Service
Cisco IOS has been found to have several vulnerabilities, including:

  • IPv6 Packet Denial of Service
  • Multi Protocol Label Switching (MPLS) Denial of Service
  • Border Gateway Protocol (BGP) Denial of Service

Analysis suggests that the IPv6 and BGP vulnerabilities are highly unlikely to ever be exploited. The MPLS vulnerability does have some potential for attacks, but an MPLS vulnerability last year did not result in attacks.

Malicious Code
The volume of malware variants has significantly increased this month, with more than 2,000 different samples being provided to Wildlist. Despite this increase, nothing appears to be gaining "legs," or spreading significantly.

Human Factors
A new survey by London's Licensed Taxi Drivers Association reported that almost 5,000 laptops and more than 60,000 mobile phones were left in London's black cabs by passengers over the last six months. Compare this with an August 2001 report for the same area which indicated that 2,900 laptops and 1,300 PDAs were left in the six months prior.

While typically such items are stolen purely for their resale value, one can only imagine the quantity of sensitive and confidential information they contained.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.

Reader Comments:

Sat, Oct 27, 2007 Kevin Flynn Encom

Well it's all really stupid. This doesn't change a thing. 1st off, you can just use a validation code from the local software generated by a legitimate system and download what you need for your illegal system. 2nd, There will never be a way to stop piracy and these attempts do two things, make the pirate community try harder and aggravate what little loyal customer base you may have. It's really bad business. You'd be better off doing a better job of locking up the OS from being stolen and fight the battle there (where the customer can't see or be aggravated for being pushed in the middle of it) than trying to control the entire planet's interaction with their XP-2K OS at great cost. No matter how successful their efforts to force activation or validation on XP-2K all it takes is one person with a legit copy to share their access and post the needed files on a web directory. I could get ALL of the KB and QB files manually and then zip-rar them to a directory that I let everyone get to. Once it's out it will be distributed immediately worldwide to those who need it... POINTLESS!!!!!! It just makes you look like a really stupid greedy short sighted ASS.

Wed, Nov 23, 2005 Anonymous Anonymous

We got our volume license and discs directly from Microsoft. They won't validate. Microsoft can kiss my @$$. I for one will now use illegal copies for home use and have recommended to my company that we switch to an open source platform.

Wed, Aug 31, 2005 Anonymous Anonymous

You were saying "This idea is, to say the least, hilarious. It makes the assumption that someone running an illegal copy is more likely to get patches via manual downloads than Automatic Updates. I don't think so!"

Let me be the first to tell you that illegal download of updates is still going smooth via manual download. I just did it. Yes, blame China. They suck. They don't pay for OSes. SHOW ME THE MONEY!!!

Wed, Aug 3, 2005 sick of microdick Anonymous

Is it enough that you are held up at the cash register for anything having that waving flag on it? Maybe it is time we all write our congressional representatives and the US government itself for forcing William (i want all the money in the world) Gates to sit on Capitol Hill and finger him in the fashion of Joe McCarthy and his communist hunt. So, big Bill turns around and gives us all the finger and ha-ha!
Linux is the only saving grace since Apple doesn't know its core from a hole in the ground.

Wed, Jun 29, 2005 Anonymous Anonymous

Perfect idea. In the future every non genuine will be unsafer than now (without windows update). Microsoft helping people to decide for a GNULinux migration

Sat, Feb 26, 2005 Anonymous Anonymous

The problem with GWV is that it presumes that "Everyone" who purchases a computer or software that contains MS-OS currently is ILLEGAL. It could be Windows 9x-XP. How can such validation happen without making a PROFILE on every user and their machine? To validate they probably will ask for your Social Security Number so they KNOW that it is YOU who want to Register or get Updates. I have a legal copy but I do not think I should be treated like the enemy to get software updates. Plus all this comes from the wide theft of China and other Countries. Bill wants them to PAY UP. Just think of One-Billion Chinese paying Bill $200US for every copy? I should not have to pay for China thefts. He should be suing China via International Trade Laws.

Sat, Feb 19, 2005 Anonymous Anonymous

Very good, I didn't know about on-line update for free
