Sunday, 30 January 2005

An "open letter" to Microsoft...

Once again, commenters everywhere are espousing opinions on Microsoft's latest statements regarding the company's plans to disallow updates for pirated copies of Windows (and other software).

We all know taking that position results in one primary problem: Unpatched computers get infected or overrun and then bombard computers of others - making victims of people with valid, paid-for copies of Windows.

I understand Microsoft's position, I disagree with it, and I have a solution.

Patch the pirated computers, "update" the pirated computer's firewall to control two-way traffic, then turn that firewall on. Turn it on all the way. Like as in "nothing-in, nothing-out." Stop all the network traffic on those machines. And put "PIRATED" in all four corners of the screen, like you do with Safe Mode. Heck, for that matter, only allow users to boot into safe mode if it's pirated.

Of course, you could leave open connections to, say, a Microsoft site where people could be allowed something like, oh maybe 30 days to register their software. Give 'em a reduced registration rate maybe. Or maybe not. That's up to you.

Seriously - A significant portion of my job is protecting my company from all those unpatched and out-of-date computers. My time is valuable, and so is the time of many others like me. The ball belongs in your court - Where thousands of people have to spend hours and hours defending networks, you can fix it for all of us in one fell swoop.

Microsoft's failure to patch problem computers makes for a less-secure Internet. It makes for higher operating costs for my company. It means I am focusing my time on things I need not deal with. It means I'm not focused on more important things that deserve my individual time.

Revenues are important, sure, but so are your customers, and so is wide area network security. This is the one area where revenues might just need to take a back seat. Think about it. Do the right thing.

Drastic? Sure, but healthier than leaving security holes all over the planet.

By not helping your enemies, you hurt your friends. You can't win, but you can make sure the people who are already on your side are taken care of.

Patch that software. Then get 'em with the firewall. Do it. We need you.

And thanks for listening.


P.S. - Is this a little tongue in cheek? Sure it is, somewhat. The idea is to discuss all the options and possibilities, and I think people need to talk more about the option of making it harder for software thieves, regardless of the PR impact. Talking about it and actually doing it are two very different things, and often useful ideas come out of the conversations about the "fringe" options.

Already several emails and opinions are coming in (keep 'em coming, and you can also use the comments link below), so let me point out a few things...

  • First, I don't think Microsoft is "evil" - and that was not my point. Not even close.
  • Second, I know automatic updates would still work for pirated software under the proposed plan. That's not my concern - apparently there are some idiots who steal software that just don't have the brains or desire to turn it on, for whatever reasons.
  • Third, I'm not freaking out over something that hasn't happened yet. Rather, I am thinking about and commenting on something that's being discussed and in which I have professional interest and experience. Part of my experience is that if you offer opinions before Microsoft takes action, you're more likely to have your opinion count for something, however small. Come to think of it, that's more about the way the world works in general than it is about Microsoft...
  • Fourth, my thoughts are more about Microsoft asserting itself from both the "security-custodian" and "software-seller" roles. Two statements (drastic ones, granted) in one brush stroke.

Mitch Wagner at Security Pipeline has his own opinions on the matter, too. See what other people are writing about the subject with Feedster.

Interesting conversation. What do you think?

Sunday, 30 January 2005 23:15:50 (Pacific Standard Time, UTC-08:00)

Monday, 31 January 2005 11:59:43 (Pacific Standard Time, UTC-08:00)
It is excellent points that you are making in this article. It is so true that Microsoft has to look at the bigger picture here and support their customer base, helping them maintain the most secure setting possible.
Monday, 31 January 2005 22:10:10 (Pacific Standard Time, UTC-08:00)
Microsoft _did_ do that back with Windows XP SP1, remember?
Wednesday, 02 February 2005 06:23:17 (Pacific Standard Time, UTC-08:00)
That might have a drastic effect in the 3rd World, especially when Linux is trying to get a foothold; locking out users might just sway them away from Windows altogether.
Tuesday, 15 February 2005 04:56:40 (Pacific Standard Time, UTC-08:00)
Another imbecile has opened his mouth.

Even as I write this I can scan any network and find at least one host on any subnet whose machine I will be able to browse and take over.

This is not due to the security holes in Microsoft OS, but due to poor practice.

Here is the example for you. As soon as Microsoft released SP2, first complaints were heard about limiting the amount of half-open TCP sessions to 10, and now users are patching their TCPIP.sys to remove the limit. At the same time they disable the firewall because it's inconvenient, and install some garbage from Agnitum or Zone Labs, which can't even filter all ICMP packets properly!!!

I am myself responsible for the security in my job as Senior Systems Engineer.
When I read the article your whingeing makes me want to throw up.

Apparently you don't like what you are doing, and would probably rather spend your time munching muffins and drinking coffee in meetings all day instead of designing decent perimeter security and implementing some form of IDS.

Additionally, it's obviously OK to patch "Free" Linux 24/7, but not OK to patch Windows once a week...


PS Maybe get yourself a PS2 or a game cube instead?

Tuesday, 15 February 2005 11:02:37 (Pacific Standard Time, UTC-08:00)
Hmm, I don't often respond to these kinds of comments, but I will make one exception here....

>> Another imbecile has opened his mouth.

Yeah, you sure did...

Oh, so harsh. Also oh-so typical.

I fail to see what patching (or not patching) computers has to do with perimeter security. There's nothing that prevents anyone from good practices in perimeter security based on what I wrote. Your old-skool approach assumes the corporate network is the perimeter, and that it's the one place to focus all your energy. I certainly spend a lot of time there, but personally I think it's ridiculous to say that it's the only way to protect networks. And it's not the only perimeter.

By the way - I never said that Microsoft should actually *do* what I suggested (note the "tongue in cheek" comment toward the end). What I did intend by my comments was to take a look at the whole picture and all the possibilities.

Of course, some people just want to take pot-shots. That's their version of fun and it's what they think they should be doing professionally I guess. Egos everywhere. Whatever, I can deal with that. Funny how the angry egos don't leave real links or real email addresses on their comments, though... Smells like a troll.

For the record: I very much enjoy what I do. I implement perimeter and IDS systems (and a lot more than that) that keep out the worst of bad guys. I was not whining in my post, I was just pointing out one side of what I think is an important debate about who can do what to solve these kinds of problems.

Also - I really don't have any time (or desire) to sit in meetings and eat muffins. I do admit to drinking lots of coffee, but that's because I stay plenty busy, and I drink it on the run. I am - if I may say so myself - pretty darn good at what I do. It's funny that someone would take one weblog entry and draw so many incorrect conclusions.

So much for useful conversation. Leave a real name and email address next time, and perhaps we can converse productively rather than play troll under the bridge.