January 2007


Vista Outlook is Troubling

by Glen Emerson Morris

While Microsoft's new operating system Vista offers increased security over XP (which shouldn't be hard), Vista also introduces a significant new vulnerability. In its attempt to combat pirated copies of its software, Microsoft has introduced an authentication procedure that will allow Microsoft to disable any Vista OS or Microsoft software it believes to be invalid or in any way used contrary to the Microsoft end user license agreement.

While this feature won't make Vista systems more vulnerable to the usual viruses, trojans and rootkits, it will make Vista vulnerable to a far more serious kind of attack, one aimed at disabling Vista computers by the million.

The problem lies in the authentication process. Once you've installed Microsoft Vista or other MS software on your computer, you have 30 days to validate the software with Microsoft, either by Internet or telephone (at your expense), or the software will, as MS puts it, suffer a loss of functionality. In classic Orwellian doublespeak, Microsoft refers to this, not as copy protection, but as a "feature."

The authentication process is not a one-time affair. Vista will periodically contact Microsoft and transmit information including the version, the language and product key of the software, the Internet protocol address of the device, and information derived from the hardware configuration of the device. If Microsoft isn't satisfied with the information, it will disable the software.

It's not going to take a genius to use the Microsoft authentication process to stage an attack on American commerce. The scenario runs like this. Some individual or group will develop trojan or rootkit malware that can be spread widely through the Internet. The malware will be programmed to lie dormant on computers until a certain date, or until it receives a command to activate itself. When it activates, the malware will do one of two things. Either it will overwrite the file in the Vista OS that keeps track of the machine ID and software info with incorrect information, tricking Microsoft into disabling the software, or worse, and unfortunately more likely, the malware itself will convey the disable command to the Vista OS.

Then, as millions of Vista users simultaneously try to re-authenticate their legitimate copies of Vista, the volume of traffic will likely crater Microsoft's servers, and phone lines, too. The recovery process could take weeks, or longer. Corporate IT departments could well find that they had to do a complete OS reinstall for many, possibly every, desktop computer in their company, and it might be days before they could begin trying.

Properly executed, the attack could be devastating to the American economy. Businesses that would be affected would include banks, most e-commerce, and many government agencies, utilities and transportation systems.

For instance, today many utility companies use some version of Windows to handle traffic for their internal networks, and a disruption of those networks could cause brownouts or blackouts for a significant part of the United States. Just this kind of thing happened a few years ago on a regional scale. Malware caused vastly increased traffic on a network a utility used to monitor electrical demand, and readings that should have been reported immediately were delayed by half an hour. When relatively minor things started to go wrong, the utility couldn't respond fast enough and a major blackout resulted.

Another casualty would be the banking system that lets people make purchases, either with their credit card or ATM card. Consumers could always pay with cash of course, but they might not be able to get it from their local ATM machine, and it's also doubtful that there's enough cash in circulation to cover this kind of event.

The primary reason that this hasn't happened already is that most hackers today, from individuals to the Russian mafia, are more interested in making money than causing damage. We can't always count on this to be true, and the Vista authentication vulnerability may actually encourage an attack on commerce.

There are things you can do to prevent this. Most importantly, unless there is a compelling argument for your company to install Vista on any business computer you have, don't install it until the authentication security issue is resolved. At the very least, wait a year to see how things go. In the meantime, write Microsoft and tell them that the authentication conditions are unacceptable.

For all their arrogance, Microsoft will listen if enough people complain about their business practices. The initial Vista release limited Vista to two installs, period. Microsoft backed down because enough people howled and they had good reason to. If you replaced your computer every year, your third new computer would require a brand new copy of Vista, and your previous copy of Vista would be history. The same would be true if you bought a new computer and the motherboard failed twice and had to be replaced. The third motherboard would require a new copy of Vista. Something very much like this happened with an early version of QuarkXPress, which limited itself to three installs. A friend of mine had three hard drive failures in one day, and wound up taking several days to get it going again. As a result, she missed her printing deadline and had to pay hundreds of dollars more for a rush job. Quark, of course, wouldn't consider reimbursing her.

Another thing you can and should do is to pressure your representatives at the state and national level to limit the draconian provisions common in many software licenses, especially concerning authentication and the limits on liability. Most software is sold or licensed as is, and damages are limited to the cost of the software regardless of the economic damage the software may cause. It's hard to imagine anyone buying a car on those terms, let alone software your business might depend on, but that's the law, and it will stay the law until enough people complain about it.

Microsoft is putting the American economy at risk just to make sure no one is pirating their software. We just can't afford that kind of risk.

Glen Emerson Morris has worked as a technology consultant for Network Associates, Yahoo!, Ariba, WebMD, Inktomi, Adobe, Apple and Radius, and is the developer of the Advertising & Marketing Review Data CD.

Copyright 1994 - 2010 by Glen Emerson Morris All Rights Reserved
