Microsoft is in the Black with the Chinese

Although I am not a complete supporter of the WGA program as it was first implemented, Microsoft's latest tactic to warn Chinese users about using Microsoft software is not completely off base. In the latest coverage of this issue (see yesterday's Financial Times article), it appears that Microsoft is continuing to get a lot of heat for its tactic of changing the desktop appearance to be black when pirated versions of Office or Windows are detected.

It should be noted that the Windows software and the desktop itself remain functional. However, if you are dealing with an uneducated consumer, the desktop background suddenly becoming black could be alarming. The approach is not unlike other vendors we work with who detect that their software has been tampered with (a byproduct of most pirated works) and place a watermark on outputted files (e.g., CAD drawings, simulations, or analysis files) in such a way that if they are distributed you could determine that they were produced using tampered software.

I believe Microsoft simply wanted to alert and educate the Chinese user base on the extent of the Windows piracy problem versus preventing it. However, I would propose an alternative and more direct approach for Microsoft - and one that could be positioned as an added value for the user. This approach would leverage the fact that Windows software has to be tampered with to enable piracy, which allows Microsoft to alert users that the tampered Windows software could be harmful to them (contains malware, doesn't calculate the correct results, etc.).

To implement this Microsoft would continue to detect that the software installed is not valid and then react with notifications and embedded watermarks only when the software is used and in a delayed fashion: tamper alerts could be integrated within the Office software and be triggered by extended use of the functionality.

Tamper alerts could be presented on boot up, when using key features, accessing help, and with automatic updates. By using multistep piracy detection they could also minimize false positives (for example, checking the software image integrity as well as pirated license key -see the Financial Times article's reference to the use of a University of Pennsylvania license key). The reaction logic should activate over time and be associated with fairly significant use of the software (to avoid detection by piracy groups). This should be sufficient to produce the same result without the political backlash associated with the black screen effect. Of course, the detection and reaction logic would need to be integrated carefully and include redundancy to withstand the cracker rework efforts.

-Vic

Tracking the Crackers - A Look at Software Piracy

We worked with eWeek’s Brian Prince this week to demonstrate the trends we have seen with piracy group activity – see his article here. This included a walkthrough of some of the pirate software index sites that we commonly use for customer assessments and have validated through our own experience. Although, the notion of NFO files, top sites, and use of thepiratebay.org is nothing new, there is a lot that can be learned from this data if you know what to look for.

For example, we recently did a detailed analysis for a large CAD vendor that included forensic review of their cracked software. When we created a diagram the crack release activity across their products (see the diagram below), there was a change in piracy group distribution in 2008. It turns out that Lz0 (Linear0) had leveraged a latent vulnerability in the licensing system that allowed them to circumvent the license enforcement in any new release within 4 days of its general availability. Because of this, no other group could beat their release and hence they became the dominant piracy group for that vendor.

 

- Vic 

Targeting the Piracy Groups, the most visible threat on the Internet

We spend a lot of time with ISVs helping to determine the right anti-piracy strategy and where they should spend their time and resources to combat their piracy problem. In terms of technology, we believe that targeting the business users of pirated software is the most direct approach because this is where the true revenue loss is.

However, we are often asked about going after the piracy groups directly:  trying to identify the individuals in the group that are producing the cracked software and prosecuting them. This is typically the reaction of the product management teams when they see the data we collect on the extent of piracy group activity on their specific software titles. 

We can go after the process to produce cracked software with software protection technology, but getting at the members of these organizations is no small feat and (in our opinion) is not a strategy that should be owned by ISVs.

A recent Department of Justice announcement illustrates what it takes to bring one of these groups down. In this case, it was the music piracy group Apocalypse Production Crew (APC). To give you a sense of how hard it is to go after these groups, this DOJ announcement was related to Operation FastLink, an operation that began in April 2004 under Attorney General John Ashcroft and “has resulted in more than 200 search warrants executed in 15 countries.”

I can only imagine the cost and logistics of bringing down these groups. This is why it is best executed by the DOJ with help from ISVs.

- Vic