Software pirates are getting bolder and more sophisticated, according to a new paper from Microsoft on the subject.
The main study discussed in the paper is of 30 medium-sized businesses in the U.K. which were audited by a third-party review agency at Microsoft's behest, something which the paper says happens thousands of times a year. The subset of 30 received additional scrutiny of any counterfeit products detected in the review. Eleven, or 37 percent of the 30, were found to have unknowingly purchased counterfeit Microsoft software, including both Windows and Office. The products they bought were high-quality rip-offs, and you'd have to know what to look for in order to identify them.
The paper focuses on midsize businesses that were trying to be legitimate but failed. It also discusses other studies of consumer and small business problems with pirated software, where the risks seem to be much greater. Consider the recent incident of the Mac botnet that was built with pirated applications distributed on peer-to-peer sites. Obviously things like that happen in the Windows world all the time, and these days people are probably all the more inclined to save some money, or so they think, by ripping off some faceless, wealthy software corporation.
The report describes how the sites that push pirated programs are full of exploits, how the pirated programs themselves (as with the Mac example) have exploits in them, and how, even putting morals aside, you're generally taking inordinate risks in getting your software this way.
What can legitimate businesses do? For medium-size businesses, the paper recommends first buying only from trustworthy sources, which you can locate through Chambers of Commerce, the BBB or several Websites it lists. Go to Microsoft's How to Tell site to learn what to look for in packaged software. And centralize software procurement so that controls can be standardized. This last idea is especially good for a number of reasons.
Whenever I read about piracy of Windows and Office, especially the unwitting purchase of such products, I wonder how the activation problem is solved. I know there are hacks to get around activation, especially with Windows XP, but the ones I've seen generally involve some overt hacking operations such that you couldn't pass them off as legit products, unless the buyer was really, really credulous. The only way around this is to use a stolen site license; I had the impression these don't last out in the wild very long, but maybe I'm wrong. And maybe they do get canceled and this is one of the risks you run in buying such software.
I guess the reach of the pirated products shouldn't be so surprising. If you search around on eBay and places like it for the lowest price and don't scrutinize the seller all that much, it's probably easy to fall for this. In such cases the amount of money you're saving compared to an unambiguously legitimate source is probably small, too small to justify the risk. Involve your company in a licensing dispute or get your systems infected from a dirty pirating site and you easily blow all the money you thought you saved.
It all makes me wonder if the answer isn't somehow to tighten up supply chains and make it so that not every little player on the Internet can sell such software. That would be a shame, since competition does keep prices down. As with so many security problems, we'll have to accept some risk in order to maintain our freedoms.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.