Windows Genuine Advantage: Guilty until Proven Innocent
In cryptographic protocols, we talk about “the adversary”, this entity that’s trying to screw up the security goals of your protocol. Applied security folks also talk about adversaries, though they talk more often about “threats” and “threat models.” In any case, there’s some dark, shadowy, evil figure fighting against you. In a well-architected system, one often talks about “secure by default,” which means that, if some specific use case is not specified, then access is denied by default. The system only grants access when it has a positive reason to. A potential adversary doesn’t get the benefit of the doubt. A potential adversary is guilty until proven innocent.
Windows Genuine Advantage is a Windows component that checks in periodically with Microsoft to make sure you’re not using a pirated version of Windows. As many others have noted, given its name, you would think that it is, in fact, an advantage for the user. But its purpose is not to serve the user; its purpose is to serve Microsoft. You, the user, are the potential adversary. Your very own computer, which you’ve just purchased with your hard-earned cash, on which you’ve just installed Windows Vista, is going to treat you as guilty until proven innocent. You need to prove that you’re not using a pirated version of Windows.
It’s the same thing as Digital Rights Management, really: you are potentially a copyright infringer, so, by default, you can’t play that song, but if you provide strong proof that you, in fact, paid for the song to be played on this computer, then you can play it.
You are the adversary. You are guilty until proven innocent.
So what happens if, say, the authentication servers fail? Well, by the natural principles of secure system design (and as I’ve written before), the default policy is “deny.” Windows can’t contact the WGA servers? You must be a pirate. Apple’s DRM server goes offline? You must be a copyright infringer.
The issue with WGA is not that it’s a poorly designed security system. In fact, it’s a pretty well designed security system. No, the problem is that it’s designed to make you the adversary. If anything goes wrong, you’re not going to get the benefit of the doubt. Because you’re the adversary, and the default policy is “deny.”