Monday, October 12, 2009

You're a pirate. And you don't wash your hands.

OK, maybe you're not, and you do. But according to the Business Software Alliance, 41% of all software on personal computers is pirated. In the U.S. that figure is around 20%, and higher in the rest of the world.

The funny thing is that this doesn't have to be the case at all. With OpenOffice.org, Firefox, Thunderbird, the GIMP, and other great Open Source packages around, there's no need to pirate software. And commercial software publishers don't want you to use their software if you haven't paid for it.

So stop it.

The main thrust of the report, entitled Software Piracy on the Internet: a Threat to Your Security, is that people who download pirated software are more likely to have malware on their computer.

Well, duh. There are several reasons for that, and you don't need a 28-page report from the BSA to tell you that. Here are a few:

1. They (people who have pirated their software) don't generally apply security updates. This is because they're afraid of being caught, because they're wary of updates in general (vendors have used them in the past as "stealth" installers for new or changed functionality), or because they're locked out thanks to Genuine Advantage.

2. They are more likely to download other things and not be too picky about it. As opposed to your typical Open Source advocate, who is likely to look for the GPL license and source code availability as assurances of the quality and cleanliness of the software, pirates don't care. They're just looking for "free as in beer" programs. As a result, they are uber-suckers.... P.T. Barnum saw them coming over a hundred years ago.

3. A corollary to 2. is that they are less likely to have up-to-date anti-malware software and firewalls in place.

Of course, the report doesn't look much at the reasons, but focuses on the risks. Understandable, since focusing on the reasons would enable you to pirate safely, when in fact you should be discouraged from pirating at all. (I had to smile at one of the "risks" mentioned on page 12 of the report... that of "receiving an incomplete, altered, or trial version of the software". Much like the risk you take when buying a new computer with Microsoft software pre-installed.)

Pages 14 through 17 of the report are case studies exemplifying the nasty things that can be done to you if you're convicted of software piracy. This is followed by what the BSA does or does not support in the way of laws and enforcement.

Pages 23 and 24 offer common-sense rules entitled "What Consumers Can Do to Protect Themselves". I don't disagree with any of them, but I find that the commentary that accompanies each step is one-dimensional, looking at it from a commercial angle only. Here are the BSA's recommendations along with my own commentary:

Trust Your Instincts. The BSA advises that if a price looks "too good to be true", then it probably is. This rule of thumb applies exclusively to commercial software. The price for many Open Source projects is zero. That's not "too good to be true," it's a new truth that you should be aware of.

Use Software Security Updates. Turn on update notifications, but turn off automatic updates. The problem with automatic updates is that software is changed on your machine without your knowledge. Then, when it comes time to identify malware, your job is made much harder because you can't tell why a core program was recently changed. Definitely, apply patches, and do it in a timely fashion. BUT... examine them first.

Look for a "Trust Mark". Absolutely. But here the BSA is talking about brands, and that limits your choice. Instead, they should be looking at actual trust marks, such as an OSI-approved license. See that mark to the right? That's a trust mark. You won't find it on commercial packages.

Do Your Homework. Google the open-source vendor. Ensure that the source code is in fact available. Take a look at the version number and make sure you're downloading a stable release.

Make Sure It's Authentic. I prefer to download from the project website on SourceForge or another trustworthy "forge" (my own VIC CRM is published on OpenNTF.org). For the ultimate in assurance of authenticity, you can actually compile open source software from source code.

Beware of Back-ups. You never have to worry about this with open source software.

Get the Seller's Address, If Possible. After all, you might want to send him a nice "thank you" for the software.

Understand the Transaction Terms. Look up the license at OSI.org and understand its terms. The first thing to understand is that nobody from the BSA can do to you any of the nasty things they list on pages 14-17 of their report if you use open source software.

Ensure Secure Payment. The BSA have this one 100% right: don't give your payment information unless you are sure you're connected to a secure website. Make sure the internet address begins with "https://", not "http://". Use a modern browser (such as Firefox) that will make it obvious that you're connected securely. Beware "secure" websites that have untrusted security certificates (you'll get a pop-up warning if the certificate is invalid or untrusted).
