June 12th, 2006

Microsoft presses the Stupid button

Posted by Ed Bott @ 8:42 am

Categories: WGA

Tags:

Update 12-August: For a detailed discussion of what you’ll see if WGA flags your copy of Windows as "not genuine," see Busted! What happens when WGA attacks and the accompanying image gallery.

When you’re the Evil Empire, it’s only natural to get a bad rap for everything you do. Microsoft gets bad-mouthed a hundred times a week for things that would be perfectly acceptable coming from anyone else. Given that level of criticism, it’s easy to ignore the times when they’re just completely, egregiously wrong.

The uproar over Microsoft’s new Windows Genuine Advantage authentication software, which is now being pushed onto Windows users’ machines via Windows Update, is one of those occasions. Someone at Microsoft just pushed the Stupid button. And things aren’t going to get better until they stop pushing it.

In a nutshell, here’s what’s happening. Two months ago, Microsoft released an update to its Windows Genuine Advantage authentication system via Windows Update. The WGA code checks your system to see if it’s been properly activated. If the activation is messed up – as it would be if you were using a pirated copy of Windows – you see a message telling you your copy of Windows is “not genuine” and your access to some Microsoft resources is cut off. WGA was originally intended to be part of Microsoft’s carrot-and-stick strategy for reducing piracy. Lawsuits against software pirates are the stick; WGA is the carrot. In theory, after you run the WGA code and prove that your copy of Windows is legit, you get access to cool downloads that aren’t available to Windows users who haven’t jumped through the WGA hoop.

Fellow ZDNet blogger David Berlind has done an excellent job of unpacking the spin from Microsoft’s multiple statements about this situation. For details, see Does Microsoft’s new WGA disclosure fall short? and With WGA, is Microsoft forcing Windows users to install and test pre-release software? Read both those posts and follow the links for the full details of this story.

I’m not all that concerned with the hysteria over the revelation that this app “phones home” to Microsoft. These days, I fully expect that any program I install will have a mechanism for updating itself or accessing help content online. As long as those mechanisms for online access are disclosed during installation and the actual update process isn’t malicious, careless, or deceptive, I have no problem.

No, the problem with Microsoft’s whole WGA program boils down to a simple rule: Do not mess with security. This episode violates that rule in three incredibly stupid ways.

Stupid mistake #1: This update should never have been included with Critical Updates. The Automatic Updates mechanism in Windows XP (and in the upcoming Windows Vista) is supposed to be a delivery vehicle for Critical Updates that fix security flaws in Windows. (From the Microsoft Update FAQ: “Automatic Updates is the easiest, most reliable way to help protect your computer from the latest Internet threats by delivering security updates right to your computer automatically.” [emphasis added]) There is no way, short of the most outrageous spin, that the WGA update can be considered a security update. By delivering a non-security-related update through this mechanism, Microsoft is breaking that promise.

Stupid mistake #2: The new WGA tool is wrong too often. If you’re going to punish your users, you had better be 100% right about identifying the offenders. Sadly, the new WGA code doesn’t come close to reaching this level of performance. A commenter on my blog reports that he’s now getting incessant notifications that his copy of Windows is not genuine. A close business associate of mine reports the same problem. What do they have in common? Both are using notebooks that had to be returned to their manufacturer for service. The repaired notebooks fail the validation process. A quick scan of recent posts at Microsoft’s WGA forum suggets this problem is unfortunately common.

Stupid mistake #3: The user is left high and dry. If you get a notification that WGA failed, what are you supposed to do? I haven’t seen the failure message myself, but my correspondents tell me it doesn’t offer any helpful steps for resolution. Neither does the Genuine Microsoft Software FAQ, which says:

What if my copy of Windows or Office fails the validation process?

See your reseller and ask for genuine Microsoft software, using the report provided during the validation session for support. The report explains why your system was unable to validate and provides instructions for further follow-up.

Oh, great. Have you ever phoned Dell’s support line? The apparently defective WGA tool is about to plunge an unknown number of users into a support nightmare for no good reason.

So what should Microsoft do now? Simple:

They should send a new update that disables and/or removes the WGA tool immediately, until it’s fixed.

They should set up a toll-free hotline that any Windows user can call if they’re experiencing problems with Windows Genuine Activation. (Microsoft already offers toll-free support for anyone who suspects they may be infected with a virus or a worm, so this doesn’t require a new infrastructure.) The agents on this line should have the authority to help a user override WGA problems.

They should apologize, publicly and profusely, for mixing an anti-piracy tool in with security updates and take steps to make sure that it never happens again.

And they should find whoever pushed the Stupid button in this case and put them on telephone support duty for the next six months. That might be an appropriate punishment. 

[Updated 12-June to fix typo.]