Text 19098, 331 lines
Written 2006-06-29 15:32:46 by Jeff Guerdat (1:275/311)
Comment on a text by Charles Scaglione
Subject: Re: WGA
===============
A long post copied from Brian Livingston again, including a pointer to
MS' directions to remove WGA. He's a source I trust and doesn't
sensationalize (although his co-editor goes off once in a while).
Without permission:

Dump Windows Update, use alternatives
By Brian Livingston

The Internet interprets Microsoft as damage and routes around it.
My apologies to John Gilmore for tweaking his famous 1993 quote about
censorship. But the above statement just happens to sum up the
alternatives Windows users are adopting ever since Microsoft's "Windows
Genuine Advantage" (WGA) debacle.
It was only a few weeks ago when the Redmond software giant started
quietly auto-installing WGA to Windows machines in the U.S., U.K., and a
few other countries. The code, which qualifies as spyware under any
objective definition, was programmed to contact Microsoft's servers
every 24 hours. Now, after hearing from plenty of outraged customers,
the company back-pedaled on June 27, saying it would release a version
that calls home less often.
That's not really a solution, as I'll explain below. Since that's the
case, the entire affair has given enormous momentum to third-party
products that render Microsoft's Windows Update routine completely
unnecessary.
I'll explain in today's article exactly how you can best deal with WGA.
For those in a hurry, here's a 4-point elevator summary:
1. Turn off Automatic Updates in the Control Panel. Set it to merely
notify you of new patches, not auto-install them.
2. WindizUpdate.com, an independent patch-download system, which I've
been asked about by many readers, is a flawed alternative to Windows
Update that I can't recommend.
3. By contrast, patch-management software that's well-supported, such as
Shavlik's NetChkPro, provides an inexpensive and reliable solution that
far exceeds Windows Update's capabilities.
4. Once your alternative update mechanism is in place, follow the
routine I describe below to uninstall WGA and get it out of your system
for good.

What's so bad about Genuine Advantage?

My last article, in the June 15 newsletter, flatly declared that Windows
Genuine Advantage is Microsoft-sponsored spyware. That story received
the highest reader ranking since we started asking our readers last
January to vote on our articles (4.4 out of 5.0). We also received
almost 200 e-mails, far more than we normally get about any single
topic. Windows users are highly agitated.
I've repeatedly heard terms like "furious" and "livid" to describe how
people felt about Microsoft pushing a piece of marketing spyware through
the company's sacred mechanism for distributing critical security
updates. Perhaps the most deeply offended were the outside professionals
who have defended Microsoft for years against charges that it's an "evil
empire." Microsoft's abuse of its auto-update system to install an
intrusive sales gimmick caused a lot of these faithful ones to rail
against the idea as though personally betrayed.
Without repeating my June 15 article, I'll summarize the bottom line: No
security-minded company or individual can allow a program to stealthily
contact a distant server and morph its behavior at will. This principle
holds just as true for people who think Microsoft is the world's
greatest corporation as it does for those who deeply distrust the
company's motives. (The rule obviously doesn't preclude trusted programs
with specific, known tasks — such as an antivirus utility — from
automatically downloading new signature files.)
Let me emphasize that I'm dead set against the mass piracy of software
or any other creative work. But Windows Genuine Advantage and Windows
Product Activation, which WGA is meant to enforce, have nothing to do
with stopping mass piracy.
As I reported in InfoWorld Magazine way back on Oct. 22 and Oct. 29,
2001, Microsoft deliberately designed Product Activation to be trivial
for pirates to circumvent. Any fly-by-night business can copy a single
file and sell thousands of machines that pass Product Activation
(although the innocent buyers may have trouble validating months or
years later).
The purpose of Product Activation has always been to prevent Mom and Dad
from buying a Windows package, installing one copy on the parents' PC
and another on the kid's PC. Frankly, copyright laws for hundreds of
years have allowed buyers of copyrighted works to make a limited number
of copies exclusively for themselves. If you bought a music album you
liked, you could legally make a copy to play in your car. In the U.S.,
this is known as the "personal use exemption" of the copyright laws or,
more generically, "fair use."
Product Activation isn't aimed at hard-core pirates. Instead, it's part
of a surprisingly powerful, coordinated effort to change the basic
nature of copyright so people can't make any personal copies whatsoever.
The fact that personal-use copies have traditionally been permitted
under copyright laws is illustrated by, of all things, Microsoft Office.
The Product Activation scheme in Office has always explicitly allowed
the buyer to install copies on two different machines. Furthermore,
Office Update — which uses a patch-download mechanism distinct from that
of Windows Update — has never required Genuine Advantage prior to users
downloading security patches for Word, Excel, and the like.
(Secret: Windows' own flavor of Product Activation does allow anyone to
install Windows XP on a different machine, which will then in most cases
successfully validate, about once every six months. Microsoft almost
never mentions this fact.)
By displaying warnings about piracy as often as once a day or even once
an hour, Windows Genuine Advantage has no security benefit but was
solely designed to sell more copies of XP to confused users. WGA was
programmed so any actual pirates (and savvy Windows users) could turn
off the nag screens with a few clicks — but novices would be unlikely to
understand that.
Stopping the guys with the high-speed duplicators should be Microsoft's
top concern. Instead, the Redmond corporation inexplicably targets
fair-use home installations. The marketers behind this presumably hope
to increase gross revenue so Microsoft's share price will get out of the
doldrums. But most home users aren't a ripe market to spend the kind of
money Microsoft wants.
If the company devoted as much time developing innovative products as it
does cooking up ways to prevent personal-use copies, its stock price
wouldn't be half of what it was six years ago.

WindizUpdate.com is not a recommended solution

Many readers in the past few weeks have asked me about WindizUpdate.com.
This Web site, launched in 2005, scans your computer for needed Windows
patches and then displays links to the relevant download locations at
Microsoft.com.
Unfortunately, as promising as this approach may seem, after
investigation I can't recommend this site. Here are a few reasons why:
1. The site installs an unsigned control, which performs the scanning
and reporting function. Without a digital signature, you can't verify
that the control is really from the same people who manage the site itself.
2. The scan process asks several times to read the Registry. If you know
that WindizUpdate is perfectly legitimate, which I have no reason to
doubt, this might be fine. But it's bothersome, while at the same time
it's too risky to click "Always allow this site," which would permit too
many unknown future actions.
3. The site is a part-time hobby with no visible means of support. There
are many fine pieces of software and Web services that are free of
charge. But WindizUpdate is performing a serious security task and
doesn't have a team of programmers that's adequate to develop it, much
less provide technical support if the user base grows.
I called the prime mover behind WindizUpdate, Phil Young, who is based
in Auckland, New Zealand. He's a director of 62nds Solutions Ltd., a
consulting firm with two employees and a few part-time staff on the island.
When asked why WindizUpdate didn't use a digital signature to provide a
verifiable identity for its control, Young replied, "I haven't got the
$400 to spend on the security signing certificate. Because it's a free
site, it's not high on our list of priorities."
I inquired whether the site might become supported by advertising or
voluntary contributions by users. "I have considered putting some ads
on," Young said, "but I dislike sites that have more advertising than
content."
Besides having no digitally signed code, WindizUpdate also lacks the
ability to scan for and deploy Microsoft nonsecurity updates, Office
updates, or security updates for products other than Microsoft's, such
as RealPlayer.
All of the above nonfeatures cause me to advise readers to hold off on
WindizUpdate. As attractive as the idea of a non-Microsoft
patch-management system may be, other companies do a much better job.
One final strike against WindizUpdate is that it has no apparent
uninstall procedure. If you've ever installed a WindizUpdate control, I
recommend removing its components using the manual procedure described
on the site's page entitled Uninstalling.

Shavlik's patcher joins the Security Baseline

It's hard to find objective ratings published within the last 12 months
of patch-management systems that are appropriate for home users as well
as small and medium-sized businesses. That may be due to the fact that
Microsoft has taken some luster off the category by expanding its own
free offerings: Windows Update, the new Microsoft Update (which updates
both Windows and Office apps), Windows Server Update Services, etc.
Based on the reviews by independent test labs shown below, however, I
feel the best home and SMB alternative to Windows Update is currently
HFNetChkPro from Shavlik Technologies. (The name of the product is a
contraction of Hotfix Network Checker Pro.) Effective today, I'm adding
Shavlik's software to my Security Baseline feature, which appears in
every issue, and removing Windows Update/Microsoft Update.
NetChkPro isn't free, but its one-time license fee of $25 per machine is
very reasonable. There's also a 25% annual maintenance fee after the
first year, Eric Schultze, Shavlik's chief security architect, told me
in a telephone interview. But this works out to only about $6 a year — a
good investment if you like your software to remain supported.
Shavlik has been in business for 13 years, has developed award-winning
products, and has a financial base that should be strong enough to
support the growing number of users it's attracting. In addition to
patching Windows and Microsoft Office apps, NetChkPro can auto-deploy
patches for Firefox, Adobe Reader, WinZip, RealPlayer, Macromedia Flash,
and other programs.
NetChkPro is "agentless" patch-management software. That means an
installation on a single PC can scan and deploy patches to as many
machines across a workgroup or domain as you have licenses for. No
"agent" program needs to be installed on each machine that's to be
scanned. In addition, NetChkPro gives back a license for any machine you
haven't deployed patches to for 45 days. That's handy if one machine in
a home or office is retired and a new one takes its place.
The minimum purchase at Shavlik's site is a 5-user license, which
amounts to $125. In my opinion, that's justified for small offices and
home users with several PCs. For home users with only a single PC,
Schultze says a Web service that scans machines remotely will become
available in a couple of months for an affordable monthly fee.
Here are some of the awards I examined when analyzing potential
replacements for Windows Update:
1. Redmond Magazine, a periodical that's independent of Microsoft,
stated flatly, "HFNetChkPro is the best Windows-based agentless
product," in a November 2004 test of seven competing products.
2. SC Magazine, a British publication, in a June 2004 test suite of 10
contenders gave HFNetChkPro its Recommended award. A more recent test in
March 2006 handed the Recommended title to NetChk Protect, a closely
related Shavlik product with added antispyware capabilities.
3. Computer Business Review Online, in a March 2006 review, names no
winners on points but includes NetChkPro in a useful description of 10
competing patch-management solutions.
I'll be looking for additional torture tests of patch-management
programs, now that running Windows Update has become somewhat dangerous
to Windows users. Just as third-party software firewalls and antivirus
programs are widely considered superior to Microsoft's own offerings, I
believe patch management will become a category in which those in the
know demand independent solutions.
If test labs start handing Editors' Choice awards to a product other
than Shavlik's, of course, I won't hesitate to include the new winner in
the Security Baseline when that day comes.

Uninstall Genuine Advantage the official way

One of the clear outcomes of the customer pressures on Microsoft
regarding WGA is the written uninstall procedure MS posted on June 27 in
Knowledge Base article 921914
(http://support.microsoft.com/kb/921914/en-us). WGA had previously been
difficult to remove, with components regenerating themselves as soon as
one was deleted.
I stated in my June 15 article that it was pointless for home users to
try to uninstall WGA if they'd somehow installed it. Even if the Web
rumor mill provided the right steps, removing WGA would at that time
have simply made it impossible for users to get any downloads from
Microsoft, even critical security updates.
With NetChkPro or any decent patch-management solution installed,
however, you can now remove WGA and never worry about using Windows
Update again. Microsoft reportedly will soon allow all comers to once
again receive crucial security patches — but whether the company does or
not won't matter to you. Shavlik and the other top-rated PM firms make
sure the right patches flow to the right machines without any reliance
on Windows Update.
The WGA uninstall process that's now documented in KB 921914 is the same
one that's been described for the past few weeks in several private
blogs and discussion groups on the Web. Now that the procedure has a
place on Microsoft.com, however, I believe it can be followed by Windows
users with confidence.
There are 11 separate steps in the removal process. These include
renaming files, running commands in a character-mode window, and editing
the Registry. (Microsoft could have simply provided an uninstall
utility, of course, but hasn't yet.) I believe even novice users should
be able to follow all 11 steps, if each one is carefully followed.
Note: Two of the three Registry keys that are deleted in step 10 of
Microsoft's procedure are identical, as of this writing. This appears to
be a documentation error — the two relevant lines in the instructions
are simply duplicates of each other.

Watch out for downloads in the night

The change of tone from Microsoft about WGA doesn't mean you can let
your guard down. In a June 8 statement, the company said WGA would be
changed to call home every 14 days instead of every 24 hours. A
subsequent June 27 press release is unclear on this point but emphasizes
that the new WGA will still operate, just not as frequently:
* "It is important to note that WGA Validation still periodically
checks to determine whether the version of Windows is genuine."
Furthermore, I tested Microsoft Update this morning (June 29), and it
still refuses to identify any critical security updates until WGA is
installed. Before showing the needed patches, the service displays the
same deceptive message as before: "Software Upgrade for Some Windows
Components Required." No mention of WGA is made unless you click a tiny
"details" link, and even then no information about WGA's true
functionality is displayed.
Microsoft's statements imply that everything is fine and all of this is
in the best interests of users. What customers around the world want to
hear instead is, "We've canned the people who were responsible for
misusing our critical security mechanism, and we've appointed an
independent board to make sure it can never happen again."
Until then, make sure you don't allow patches 892130 and 905474 — the
two components of WGA — to install themselves. And use the third-party
software listed below in the Security Baseline to ensure you won't wake
up to any unpleasant surprises one day.
I'd like to thank readers John Holden and David Speck, M.D., for being
the first among scores of readers who sent in valuable tips on this
topic. (These two gentlemen are in no way responsible for the views I
express above.) They'll receive gift certificates for a book, CD, or DVD
of their choice for sending us their research.
--- Platinum Xpress/Win/WINServer v3.0pr5a
* Origin: FidoTel & QWK on the Web! www.fidotel.com (1:275/311)