Is 'Genuine Windows Validation' a Good Thing?
Microsoft's latest attempt to curb piracy restricts security patches to only owners of genuine copies of Windows.
announced it will require "genuine
" in mid-2005 for anyone running Windows XP or
Windows 2000 Professional who attempts to download security patches manually.
Users of other operating systems, and those who obtain security patches automatically
via enabling Automatic Updates, will be exempt for now. "Genuine Windows
validation" involves determining whether or not the operating system has
been purchased legally or not. The process, similar to Windows Activation, does
not require the consumer to divulge private information to Microsoft.
Some of the media coverage about this speculates that preventing illegal copies
of Windows from obtaining patches is going to make for a huge number of compromised
systems. This idea is, to say the least, hilarious. It makes the assumption
that someone running an illegal copy is more likely to get patches via manual
downloads than Automatic Updates. I don't think so!
The problem is that most people don't get any updates at all, whether their
installation is legal or not. I see no reason that Microsoft's shareholders
should continue to allow illegal copies of Windows to run at all, but no doubt
a large number of people who have such copies installed don't even know they've
got an illegal OS in the first place. They got it when they bought a cheap PC,
or purchased the OS separately from a store that had bogus stock.
No doubt eventually Microsoft will make "genuine Windows validation"
mandatory for all security updates, and no doubt there are some who fear that
eventuality also. My response to that concern is equally simple—get a
legal copy before it happens. If withholding security updates makes for greater
compliance with the law, then so be it.
The U.S. Department of Energy apparently accidentally
published confidential Homeland Security documents
marked "For Official Use Only," and the documents remain visible via
Google's Web cache.
column was originally published in our weekly Security Watch
newsletter. To subscribe, click here.
Please be sure you've created a properly configured robots.txt
file on your Web servers. While it won't prevent confidential documents from
being placed on a publicly available server, it is at least one way to prevent
such documents from being available in Google's Web cache from now until eternity.
Denial of Service
Cisco IOS has been found to have several vulnerabilities,
- IPv6 Packet Denial of Service
- Multi Protocol Label Switching (MPLS) Denial of Service
- Border Gateway Protocol (BGP) Denial of Service
Analysis suggests that the IPv6 and BGP vulnerabilities are highly unlikely
to ever be exploited. The MPLS vulnerability does have some potential for attacks,
but a MPLS vulnerability last year did not result in attacks.
The volume of malware variants has significantly increased this month, with
more than 2,000 different samples being provided to Wildlist.
Despite this increase, nothing appears to be gaining "legs," or spreading
A new survey by the London's Licensed Taxi Drivers
Association reported that almost 5,000 laptops and more than 60,000 mobile
phones were left in London's black cabs by passengers over the last six months.
Compare this with an August 2001 report for the same area which indicated that
2,900 laptops and 1,300 PDAs were left in the six months prior.
While typically such items are stolen purely for their resale value, one can
only imagine the quantity of sensitive and confidential information they contained.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.