This article can also be found in the Premium Editorial Download "Information Security magazine: Screen test: App-layer controls beef up perimeter firewalls."
Download it now to read this article plus other related content.
Software pirates, eh? Make the scurvy dogs walk the plank, matey! They be fish food in Davy Jones' locker... Arrrgh!"
The salty language is a little thick, but that's the prevailing attitude software vendors and security managers have toward providing patches to users of pirated software. Microsoft, the biggest malware and hacker target, won't allow the use of Windows Update to easily patch pirated copies of Windows. And AV and firewall vendors are famous for hiding patches for undisclosed vulnerabilities in their feature set upgrades and signature updates -- available only to paying customers.
Their disdain makes sense. According to the Business Software Alliance, more than 39 percent of all software is stolen. An IDC study found that every 1 percent of pirated software removes roughly $40 billion and 150,000 jobs from the global economy. Providing those users with security patches is akin to GM honoring extended service warranties for stolen cars.
On the other hand, patching pirated software is similar to needle exchange programs, through which we stem the spread of communicable diseases by giving intravenous drug users safer instruments for their addiction. Though it may not benefit us directly, we save countless dollars in public health care and reduce our chance of contracting deadly illnesses, like hepatitis or AIDS, through direct or incidental contact.
Most reasonable people won't come into contact with a drug addict and be exposed to infection, but you can't say the same with systems running pirated software. The Internet has made our world a closed ecosystem in which we are all connected and share the same risks. Despite our precautions -- firewalls, IDSes and AV -- enterprises are still exposed to common dangers by mobile users who bring laptops in from the wild; consultants, partners and integrators who constantly jack into your LAN; and suppliers and customers who randomly touch your infrastructure with untrusted systems.
It's getting harder to identify friend from foe, especially since friends often install pirated software on their computers. Take, for instance, Data Flow Systems, an engineering firm for wastewater utility companies, which was cited for having unlicensed software from Adobe, Autodesk, Microsoft and Symantec. All it takes is one infected machine to connect to a network segment that isn't properly protected to destroy gigabytes of crucial business data. And the chances of a machine being a malware carrier is exponentially higher if its pirated software isn't patched.
And that's just the people you know. Think about the unknown, random user on the Internet who's running unsecured, unpatched pirated software. Hackers are using them as launch pads for DDoS attacks, and spammers are exploiting them for their open relays. Worse, worms such as Code Red, Klez and BadTrans continue to thrive in cyberspace because unpatched machines provide safe havens. Chances are that a fair number of the machines that hosted MyDoom and brought down SCO Group were running pirated code.
Supporting pirated software doesn't mean having to give up the ship. There's still no reason for software companies to give free upgrades and feature sets to unlicensed users. However, making it easier to get the basic protections all users need is imperative to reduce the background noise of the Internet and nuisance attacks. It won't vanquish miscreants from cyberspace, but it may help keep malware and hackers in check, matey.
About the author:
Lawrence M. Walsh is executive editor of Information Security.
This was first published in March 2004