Windows authentication: Sneaky or necessary?

Chicago (IL) - Microsoft’s Windows authentication "Genuine Advantage 1.0" went live about two weeks ago and has experienced a rocky start: the authentication system was cracked a few days after the service was launched, and analysts criticized Microsoft for violating security and privacy standards. Time to take a step back and have a closer look at what the authentication is all about.

Using not quite legally purchased Windows software on the home computer and selling not quite legal versions of the operating system into dubious channels is getting more complicated with every new security feature Microsoft introduces. The next step in this strategy is Windows Genuine Advantage 1.0 (WGA), a mechanism that creates a unique system ID that depends on hardware components in a computer. Every key is transferred to Microsoft, stored on the device itself, and accessed to verify a computer when a user wants to access updates (excluding security updates).

According to David Lazar, Director for Genuine Windows at Microsoft, the functionality is very much like the Windows activation itself. "Most of Genuine Advantage is based on the activation technology," Lazar said. While he declined to comment on which hardware components are involved in this process, it is generally assumed that Microsoft uses the same or a slightly revised plan of components in a PC to come up with a key. The activation covers the display adapter, SCSI adapter, IDE adapter, network adapter, MAC address, system memory, processor, processor serial number, hard drive, hard drive serial number as well as available peripheral devices such as a DVD drive. Additionally, the activation has a time factor: a maximum of any five hardware components can be exchanged within a 120-day time frame without affecting the validity of the activation.

The amount of information Microsoft collects has raised eyebrows and has been sharply criticized. For example, Carmi Levy, an analyst with Info-Tech Research, believes that Microsoft is sneaking out much more information from a user’s computer than the company needs to. He said that Microsoft collects data on how data moves between the operating system and peripherals such as a printer and potentially could access confidential data. "I am just wondering they really would want to know what moves to the printer," Levy said. We did not go into much detail in our conversation with Lazar, but he said Microsoft would "not be interested in such information" and that he had "never heard" of such data collection mechanisms before.

Also, Lazar said that Microsoft commissioned TÜV-IT, an independent German security auditor, to review the firm’s policies and conduct a technical audit to determine if the program’s databases, source code and implementation respect privacy concerns. The organization determined that Microsoft does not collect any personal information or process any data during the validation process that would allow the identification of a user, according to Lazar.

While only Microsoft knows which data really is collected, how it is stored and how it is used, there is little doubt that the company is advancing its anti-piracy strategy a step further into an untested field. "Software vendors are pushing the envelope to see what they can get away with. Microsoft is currently the only company that can launch such a procedure without running the risk of jeopardizing its core business," Levy said. The analyst's concern centers on storing and transmitting data from and to PCs inside corporations: "WGA violates one of the most fundamental security rules in the industry. The program is detrimental to SMEs whose networks may be negatively affected by this type of wholesale scanning from the outside. The very real potential exists that companies that are legitimately licensed will have to divert IT staff toward ensuring the validation process is functional, and toward correcting any false-positives that ensue. This is work that is non-value-added, and it pulls resources away from IT’s core focus."

According to Lazar, WGA has been a success beyond expectations so far and apparently has not deterred customers from using Microsoft’s download database. During the 10-month beta phase, more than 45 million users signed up for the non-mandatory program, at a rate of 100,000 to 200,000 new users per day. "We hoped initially for about 20,000 users and an opt-in rate of about five to eight percent - which ended up in a range between 56 and 58 percent instead. Today, the sign-up rate is significantly higher," Lazar said. He declined to reveal how many Windows systems have been assigned unique IDs in the two weeks after the launch of the program.

The fact that Genuine Advantage was hacked with a single line of code a few days after the system went live on July 25 did not leave a big impression with Lazar. "Hackers are a fact of life. It is important to see that particular case does not pose any threat to users. I consider this hack more like ‘shoplifting’. Just like someone would steal products from a store." At this time Microsoft does not intend to fix this hack, but rather would look to "address it over time," Lazar said.

One may wonder if WGA is really as scary if Microsoft takes a hack of the program as lightly as Lazar describes. In the end, Microsoft may have a completely different intention: "We will not be able to turn hackers into our friends. WGA is designed to increase awareness of genuine Windows software," he said. "Users are getting more interested in the question whether they are using a legal version of Windows on their PC." Essentially, WGA is not designed to go after individual users, but to smoke out mass piracy by convincing people to care about a legal Windows version. In this case, caring pays: the company says it offers $450 worth of products if users agree to participate in the program.

Today WGA applies only to updates for Windows, but not to security upgrades. At this time there are no plans to make WGA mandatory for security updates as well, Lazar said. However, he said that Microsoft may address this issue with a different kind of strategy: "We are thinking of raising awareness for this program. Users with a pirated copy of Windows on their PC may see a note that they do not use a legal Windows."

Even with criticism from analysts and consumer rights groups, Microsoft already may have passed an adoption level of WGA that questions whether such a system is acceptable or not. This technology is certainly not the last one we will see, as piracy is a continuing threat for the software industry. Because of this circumstance, firms such as Microsoft may even be forced to take software protection technologies further than today, conceded analyst Levy: "Investors and shareholders are taking precedence here. In the interest of these groups, Microsoft needs to push the bands of what the market finds acceptable." In other words: as long as consumers feel comfortable with mechanisms that slowly approach "big brother" scenarios, we can expect software developers to come up with many more ideas on how to protect their product from being copied.
