toby's Journal: Lauren Weinstein slams Vista Anti-Piracy

From her blog:

There's been a lot of discussion about the anti-piracy features in Microsoft's new "Vista" Windows operating system (see this blog entry for example). I've had a number of very friendly conversations with MS executives regarding the issues surrounding their anti-piracy implementations, and in particular their new ability to functionally "hobble" Vista systems that they believe are pirated.

The more that I've considered this, the increasingly unreasonable and hazardous this functionality appears to be. It turns the assumption of innocence on its head -- you have to take affirmative steps to prove to Microsoft that you're not a pirate if your system appears on their suspect hit list. As we know from Windows XP, there are all sorts of ways that honest consumers can end up with systems that have cloned copies of the OS (often installed by repair depots to replace trashed copies of the original system after disk failures, for example).

Many consumers don't even realize the difference between the hardware and operating system of their computers. Many will ignore the warning messages that MS will send before triggering a system hobble, assuming that the messages don't apply in their cases, or that they're phishing or virus come-ons. The mere existence of the mechanisms to initiate the hobbling may represent an attractive attack vector for destructive hackers, who might well get their jollies by shutting down a few thousand (million?) PCs at a time.

Vast numbers of these computers will be in highly important applications in business, health care, government, and the military. Yes, Microsoft says you're not supposed to use them for critical applications. But we know what the real world looks like, and even the definition of "critical" can be nebulous.

Even more to the point (and this also relates to the data retention issues above) it is extremely problematic to assume that it is even reasonable for individual corporate entities to have total ad hoc, carte blanche authority to make these decisions on their own, decisions that technologically have an enormous and ever increasing impact on individuals and society at large.

I might add that while the new Microsoft anti-piracy systems are of particularly concern, there are other anti-piracy technologies being deployed that carry similar risks, including but not limited to a range of upcoming Digital Rights Management (DRM) systems.

I keep saying "voluntary is best" and I mean it. In all of these topic areas I've discussed, voluntary approaches are always to be preferred. But in our society, a key role of legislation is to help provide mechanisms for "power-sharing" in situations like these, if voluntary and cooperative approaches prove to be failures.

We are all part of this. We can sit on our hands and watch as mute spectators -- or we can get our hands dirty by reaching directly into the innards of the machines -- figuratively speaking -- and helping making sure that these systems serve not only their immediate masters, but also society's requirements as well.

(emph. mine).

2007 could be an interesting year indeed. Government and business should think thrice before taking the Windows risk.