July 05, 2006

Don't Touch That Laptop!

I'm sure all of you have been at least aware of the loss of a laptop from the VA which exposed 26 million (give or take a mil) military personnel to identity theft. But if you thought this would mean the VA would clean up their act and install better safeguards... you'd be wrong.

An effort by the U.S. Department of Veterans Affairs to strengthen the security of its laptop computers after the data breach in May has run into a temporary roadblock: class-action lawsuits that have been filed against the agency, according to VA Secretary Jim Nicholson.

There is your court system in action. You have to love the logic of it all.

Lawyers in one of the cases objected to the VA's plans to update laptop security in cases where adequate protections were not present, he said. "There was a strong letter saying that this would be destroying evidence or tampering with evidence," McLain said. So until the courts rule on the issue, the VA's plans to implement new security measures on laptops are on hold. "It is a delay, not a moratorium," McLain said.

Sorry, but in terms of computer security - a delay is as good as inviting everyone in for a party. You already have a problem that everyone knows about, now you've announced to the world that the VA can't fix the problem until the court says so... why not just have a black tie dinner for hackers and set up a special network for them. I wonder if the clients bringing the suit understood this would happen. Many thanks to the lawyers for putting the data in further jeopardy.

Posted by: Teresa in WebTech at 12:08 PM | Comments (1)

Microsoft, WGA, and Spyware

Piracy of software has been one of those conundrums for nearly as long as anyone has been packaging and selling applications to run on computers. The people who write the software want to get paid for their efforts, which is no surprise to anyone who has worked to put food on the table. On the other side you have users who don't always feel the need to pay for a piece of software if someone can give it to them for free. And in the middle you have Microsoft, whose software is often pirated, yet which charges exorbitant rates for legal purchases of that software.

It seems that in an effort to make sure that everyone buys "legal" copies of its software, Microsoft has introduced a little thing called WGA, the Windows Genuine Advantage Notification tool. Here's what it is supposed to do:

Windows Genuine Advantage includes two main parts: WGA Validation and WGA Notification. Validation checks that an instance of Windows XP is properly licensed, and is required for some Windows updates. If the copy doesn't check out, Notification repeatedly reminds the user to upgrade to a properly licensed version of Windows.

Microsoft maintains that users install the programs only by choice, but once installed, neither is designed to be removable.

As Microsoft admitted this month, Notification also checks back with Microsoft once a day even if the licensing check is successful, something the company hadn't previously made public. Microsoft said the procedure is necessary in case something goes wrong with the program and it needs to be disabled, but has said it will modify Notification to check back only once every two weeks. It said the failure to make public the phone-home behavior was an "oversight."
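One way an administrator can check call-home behaviour like this on their own network, rather than taking the vendor's stated frequency on faith (an added example, not part of the original post and not Microsoft's tooling): parse proxy log lines, group contacts per client and destination, and report the median interval between contacts. The log format, client addresses and destination hostnames below are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample proxy log lines (not real traffic): timestamp, client, destination host.
SAMPLE_LOG = """\
2006-06-01T09:00:00 10.0.0.5 validation.example.invalid
2006-06-01T09:03:11 10.0.0.5 news.example.invalid
2006-06-02T09:00:04 10.0.0.5 validation.example.invalid
2006-06-03T09:00:02 10.0.0.5 validation.example.invalid
2006-06-04T09:00:07 10.0.0.5 validation.example.invalid
2006-06-01T12:00:00 10.0.0.9 validation.example.invalid
2006-06-15T12:00:03 10.0.0.9 validation.example.invalid
2006-06-29T11:59:58 10.0.0.9 validation.example.invalid
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Return {(client, host): [datetime, ...]} from the simple log format above."""
    contacts = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash
        ts, client, host = m.groups()
        contacts[(client, host)].append(datetime.fromisoformat(ts))
    return contacts

def callback_intervals(contacts, min_contacts=3):
    """Median gap (hours) between consecutive contacts, per (client, host) seen often enough."""
    result = {}
    for key, times in contacts.items():
        if len(times) < min_contacts:
            continue  # one-off requests are not a beacon pattern
        times = sorted(times)
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
        result[key] = round(median(gaps), 1)
    return result

def flag_undisclosed(contacts, host, disclosed_hours, tolerance=0.1):
    """Return clients contacting `host` noticeably more often than the disclosed interval."""
    flagged = []
    for (client, h), hours in callback_intervals(contacts).items():
        if h == host and hours < disclosed_hours * (1 - tolerance):
            flagged.append((client, hours))
    return flagged
```

With the sample data, `flag_undisclosed(parse_log(SAMPLE_LOG), "validation.example.invalid", 24 * 14)` reports the client that checks in daily while the stated interval is two weeks, and leaves the client that matches the stated interval alone.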

Checking whether you have properly licensed copies - while not the end of the world - might be okay as long as it works properly. But once again you have a Microsoft product "phoning home" (in this case sending reports back to Microsoft) even after the tool has determined the system is okay. That is NOT acceptable when customers have not been notified that this will happen.

The fact that they consider not telling people about this feature a mere "oversight" is, I'm sorry to say, a total boatload of manure! Every few years Microsoft or Real Player or Sony or someone else decides to place secret monitors on users. Whenever they get caught they say -

Oh gee, sorry about that, we didn't know you'd mind!

I call Bullsh*t! This has happened so often they can't possibly expect that customers won't be upset. Yet they keep trying to pull it off.

This kind of monitoring software has left user systems wide open to attackers, because an open channel back to the vendor is also a window the bad guys can use to get in. It's dangerous.

Yesterday we found out that - oops - the WGA tool doesn't always work as advertised. What a shocking surprise. Buggy software would never be an issue now, would it?

The rumor started flying that Microsoft intended to use the WGA tool to "turn off" pirated copies of Windows XP...

A ZDNet.com blogger reported earlier in the week on a conversation between a Windows user and a Microsoft support staffer, who allegedly admitted that users who refused to install the WGA update would be given 30 days before their copies of Windows would stop working.

ZDNet.com said that Microsoft refused to deny the report at the time. But later, Microsoft appeared to sing a different tune.

“No, Microsoft antipiracy technologies cannot and will not turn off your computer,” said a spokeswoman with Waggener Edstrom, Microsoft’s public relations firm. “The game is changing for counterfeiters. In Windows Vista, we are making it notably harder and less appealing to use counterfeit software, and we will work to make that a consistent experience with older versions of Windows as well.”

That's right - scare your customers straight - that will win you friends and influence people. So, what's the problem? If you have valid copies of things you should be okay, right? Well, no, not always... apparently it has managed to label legal copies of software as pirated. Microsoft responds thusly:

Through its spokeswoman, Microsoft said that “80% of all WGA validation failures are due to unauthorized use of leaked or stolen volume license keys.”

While they are focusing on the 80%, I'm wondering about the 20% who may not be pirating at all. Think about that - Twenty Percent! That is a huge rate of failure on Microsoft's part. Even 5% would push the limit, but 20% is outrageous! This is thousands of people having to jump through hoops to convince Microsoft that they didn't steal anything. It's such a large percentage it boggles the mind.

In the meantime, class action lawsuits have already been filed. Here:

The lawsuit alleges that the program violates consumer protection laws in California and Washington state and laws against spyware -- invasive programs that surreptitiously collect data.

And here:

The suit alleges WGA is spyware and that Microsoft misled consumers by labeling it as a critical security update. The plaintiffs maintain that Microsoft did not make users aware that WGA frequently contacted its central servers.

"WGA gathers data that can easily identify individual PCs, and WGA can be modified remotely to collect additional information at Microsoft's initiation," according to the filing.

WGA collects a computer's IP address, BIOS data, system version and local language and settings information, the suit says.

Sounds like spyware to me.

So, while I am sympathetic to Microsoft's plight in trying to keep its software from being pirated, this is not the way to do it. I'm not sure there is a good way at the moment. But this overly invasive, tremendously flawed system is very bad indeed. They may end up pushing aggravated customers to other systems, which would certainly negate the entire reason for doing this in the first place.

Posted by: Teresa in WebTech at 11:46 AM | Comments (8)