Should Windows XP Be Free?

I guess I'm not the only one in the IT profession who gets the occasional request from friends or acquaintances to "have a look at their PC". Inevitably it's because some weird error message keeps popping up, or they can't connect to the Internet, or their kids have installed something that's broken the OS. You know the way it works - someone says "Oh, Alex works with computers, I'm sure he'll look at it for you...."

I'm quite happy to get involved and help out where I can, and in many cases the fix is not that difficult - though generally it's a lot more time-consuming than expected. Maybe I should have got used to this effect by now. No matter how simple the problem appears at first, you end up spending hours figuring out what's supposed to be installed, deleting all the junk that's accumulated, getting them to find the original disks, and then updating the system. But the result, especially as the PC usually starts up and runs much faster, is extremely satisfying.

The one issue that becomes more and more obvious, as I see the kinds of setup that most non-IT literate users run is that it's no wonder we have problems with viruses and spam. Here in the UK, the government and many professional bodies are already starting to report that the growth of "always-on" broadband (DSL) connections is making the problems much worse - in fact they are now suggesting that it could severely impact commercial and business organizations. Err... does that mean that they don't think it already does?

The problem is that you can now buy a PC from a back-street outfit for around 200 (about US$375), and not much more from the big PC supermarkets. You can guarantee that there are no OS disks with it, and many have old versions of Windows. And even worse, many of the users I come across have inherited machines (usually from their or a friend's teenage kids), and the OS is normally something like Windows 95, Windows 98, or Windows ME.

So I always start the conversation with "You really ought to upgrade to a modern OS that is suitable for use on the Internet today, such as XP". But even an upgrade costs close to 100 (US$175), where you can bet that they paid less than that to buy the PC. Besides which, with no original disks or license, there's no guarantee that an upgrade will work. And as they are inevitably "thinking about buying a new machine which will have XP installed", the cost of buying a copy of XP is hard to justify. So, I usually end up installing some free (downloadable) firewall, trying to persuade them to buy an anti-virus license, and locking down the browser options as best I can.

Yet it's becoming obvious that XP with SP2, fire-walled, automatic updates on, and with a good virus checker running, is really the only safe way to go forward for the "average" user. Yet, unless MS decide to give everyone a free copy of XP (or a really cheap upgrade path) I guess that 90% of these users will continue to act as unwitting spam and virus servers, and agents for DDoS attacks on businesses and organizations around the world. I hear arguments that it's Microsoft's "public duty" to solve the problem, but I can't see that they will consider giving up the earnings from what is probably one of their major income streams. Morally the answer is obvious, and yet commercially it's even more so.

Of course, the question on politicians' lips now is how do they force the poor old ISP to solve the problem? (Typical government thinking is that, after all, it's all the ISP's fault). The latest idea is to get them to block outgoing spam and packets that the user "should not be sending or receiving". But how do they know? Do we really want some corporate or governmental body blocking access and content based on their own arbitrary rules? How would that affect me when I want to VPN into a remote site, accept inbound SMTP, or use some other uncommon TCP/IP protocol? And would it, after all, make any difference to the onslaught of spam and viruses?

What's particularly annoying as far as spam is concerned is the use of spoofed addresses. I've had more than one occassion where my email to someone has been blocked because their (or their mail server's) rules have identified me as a spammer. Considering how I get spam delivered to me that has my own email address spoofed, it's hard to criticise them on this. And I'm sure that my filtering system must occassionaly reject legitimate emails from people who I haven't white-listed, just because spoofed spam messages have been received previously. In fact, it's extremely worrying that email has become a less-than-reliable communications system now, especially as most IT and business professionals have come to depend on it. And there seems to be no sign of things improving in the near future.

The one topic I've been following is the evolution of an email sender verification standard, which I reckon has a good chance of solving this worrying problem - and making it much easier to detect spam. But there seems to be a lot of disagreement about standards and licensing, and it's starting to look like a project that could run and run. The IETF Marid project looks like it might have stalled, and Microsoft's Sender ID Framework has big red warnings about not being publicly implementable at present. Only the POBOX Sender Policy Framework looks to be finished, yet even this has issues. There's a nice summary of the various projects at Computer Business Review, which suggests that generally things are not going as well as expected.

Yes, I know that provision of the server-side detection systems is not easy - yet many large ISPs and organizations are already putting various systems into place. I just want to be able to identify myself now, so that I know recipients can verify emails purporting to come from me. That would be at least half of the problem solved. So come on guys, get your act together and lets have a common standard that we can put into use now - before the government decides to solve the problem for good by making the sending of email chargeable - or even illegal...

On a lighter note, however, I read in the newspaper recently that the Denmark-based company who makes the meat-based product named "Spam" are to spend 2 million relaunching the brand here in England. They seem to think that we need to be re-introduced to it, as sales are disappointingly slow. Spam was originally a US product, introduced more than 60 years ago, but it was through the Monty Python's Flying Circus team - and their famous Spam Song - that it gained its now familiar connection to junk email. So, considering that modern product advertising tends to encompass all kinds of communication media, can we expect to see a flood of Spam spam in the near future?

Email:         Privacy and Acceptable Use Policy