Ed Bott's WGA woes signal the big challenges with virtualization

Although virtualizating desktop computers is an extremely nascent market these days -- largely confined to power users and developers (often one in the same) -- it's only a matter of time before the technology that's wildly successful in server country makes its way to a desktop near you.  Especially now that Intel and AMD are building virtualization capabilities right into their chips.
Written by David Berlind, Inactive

Although virtualizating desktop computers is an extremely nascent market these days -- largely confined to power users and developers (often one in the same) -- it's only a matter of time before the technology that's wildly successful in server country makes its way to a desktop near you.  Especially now that Intel and AMD are building virtualization capabilities right into their chips.  I say this because I'm a fanatical user of VMware Workstation 5 and I have even endured a few sacrifices (a bit of a performance hit and a weird clipboard problem that drives me nuts) in order to get the benefits.

Perhaps the most important benefit -- the one that individuals, businesses, Technically speaking, a copy of Windows has been pirated when the same exact copy of Windows is being used on multiple computers. and IT departments will equally revel in -- is the "high availability" benefit.  To understand this benefit, first, you need to understand a couple of basic items about how virtualization technology works.  First, it takes a single computer and turns it into multiple computers.  No, you don't end up magically spawning new hardware (although you may want to add some additional resources to the computer you're planning to virtualize).  Virtualization takes an existing computer (desktop, notebook, or server) and uses a piece of software called a hypervisor to slice it up into multiple software-based Intel/AMD-compatible computers none of which interfere with each other and all of which are primarily visible to one another the same way any other two computers might normally see each other (over a network). 

These software-based computers are referred to as virtual machines (VM) and once you've used a virtualization product like VMware Workstation to carve a VM out of your existing computer, you can install just about any Intel/AMD-compatible operating system into it.  With most virtualization solutions, there's one copy of an operating system that handles VM administration, management, and other tasks.  This includes things like starting and stopping VMs (the equivalent of pressing the power button on a PC), cloning VMs, allocating resources to them, hosting specific hardware device drivers for all the other VMs (ie: for sound and graphics), or even doing neat things like recording a VM session to a movie. 

Due to technical differences in the way they've implemented VM technology, in VMware parlance, the OS that handles VM administration is referred to as the host OS. In XenSource parlance, it's called the Domain Zero Guest.  Then, the other VMs are called guests.

The PC that I've virtualized using VMware Workstation 5 uses Windows XP as a host, and then has five or six several XP guests.  But I usually only run two guests at a time. Other operating systems can be hosts or guests.  Linux, BSD Unix, and Solaris x86 come to mind.  Each of my VMs is setup to do specific things and I like having VMs so that I can keep those things separate from each other.  One VM, for example, is for work only. Another is where I do all my mail and Web site management for Mashup Camp. A third is for personal stuff like buying and selling on eBay.  In fact, the cool thing about running the first two side by side is that I can run two separate copies of Outlook simultaneously on the same computer.  One is connected to my corporate inbox.  The other is connected to several POP3-compatible inboxes including my Gmail account.

But the thing I love most about how these guests work is that they have no specific hardware dependencies.  Virtualization technologies like VMware and Xen completely isolate their guest VMs from the underlying hardware in such a way that you should be able to easily move VMs from physical computer to another without a hitch.  All you need on both computers is the same virtualization software.  So, technically speaking, now that I just got my Thinkpad T42 back from its second catastrophic failure (the first was the display going blank on me, the second was the hard drive crashing), I should be able to install VMware Workstation on it (or even VMware's free runtime), make copies of any of the VMs that I've been running on my temporary system (making copies or "clones" happens with a single click), move any or all of those copies over to my repaired T42, and start working with them on the repaired Thinkpad as though nothing happened. 

Try a 100 percent transplant of your non-virtual machine to another computer in seconds like that and tell me what happens.  It simply can't be done.  It's impossible.  Now consider the true beauty of this from a high-availability perspective.  Each day, just before you're done working, you press the clone button which creates a mirror image of the VM you spend most of your time with (and the others if you have to).  One day, you wake up, and your computer is busted and needs to be sent out for repair.  Take the mirror image (maybe you saved it to CD, DVD, or even a USB key), copy it to another PC that has the virtualization software on it, and voila! It will be as though you're on your own computer just as you last left it yesterday with everything intact. 

But, there's a hitch which brings us full circle to some of the Windows Genuine Advantage failures that fellow ZDNet blogger Ed Bott has been sharing with us. WGA is a technology that Microsoft uses to technologically identify pirated copies of Windows. Technically speaking, a copy of Windows has been pirated when the same exact copy of Windows -- one that's licensed under a specific and unique license key -- is being used on multiple computers.  To figure out when such piracy is taking place, Microsoft marries each Windows license to the nearly unique thumbprints of the computers they're running on. Until all computers have Trusted Platform Modules (TPMs) in them (a long ways off), there's no perfect system, but Microsoft has a pretty decent algorithm for using a computer's hardware configuration to generate such such a thumbprint. 

Once a specific Windows license and a specific system thumbprint are married to each other, any subsequent mating of that license to other thumbprints (in other words, potentially, other systems) could constitute piracy. Through its End User License Agreement for Windows Genuine Advantage, Microsoft has already put Windows users on warning that they may be denied certain updates that "genuine" copies of Windows are entitled to.  But, as Ed Bott has written, the system has flaws.  Not only are there false-positives, there are what Bott calls false-negatives.

Where do virtual machines come in? Well, there are two scenarios that pose certain licensing challenges when companies like Microsoft use automated validation techniques like those found in WGA.  The first of these has to do with the sort of configuration that I have on my computer.  If for example, between my host (or Domain Zero Guest) operating system and my guest operating system, I end up with multiple copies of Windows, how is that handled from a licensing perspective.  Do I need a separate license for each copy?

The answer used to be yes.  But, as it turns out, in anticipation of this sort of scenario, especially now that Microsoft is giving away its Virtual PC 2004 SP1 solution (competes with VMware Workstation) which in turn will encourage more VM deployments, Microsoft recently relaxed the rules on licensing and is now allowing up to four copies of Windows from the same Windows license per computer. But only for computers that are covered by Microsoft's Software Assurance support program -- a program that is mostly for enterprises. It's a step in the right direction. But in my opinion, Microsoft will need to revisit this policy once virtualization gains popularity with customers that aren't enrolled in the Software Assurance program.  From my point of view, and other users', as long as I'm using one licensed copy of Windows on one computer, I should be able to configure that computer in whatever way makes the most sense to me to get my work done.  Not only does this mean making the "four copy" rule available to customers without Software Assurance, but also, not restricting the number of copies.  As a side note, Microsoft does not discriminate between users of Virtual PC, VMware, or Xen.  The same policy applies no matter which virtualization technology you pick.

On the flip side, I can also see Microsoft's point of view.  For example, using any number of remote control technologies including those that are available right in Windows, a clever person could set up a computer with a whole bunch of VMs and turn a PC into a multi-user minicomputer.  Technically, it's easy to do (and the thought has certainly crossed my mind as a way for me and my family to be able to easily access "our computers" from anywhere).  And detecting when such abuse is taking place would be tricky for Microsoft.  But it also raises the question of how Microsoft plans to keep a lid on things anyway? Since it doesn't discriminate between Virtual PC, Xen, and VMware, how will the WGA technology keep track of when some system is operating outside of the rules? Sure, Microsoft can come out with even more forensic technology but the added complexity just means there's more than can and will go wrong when you consider Bott's anecdotes with today's state of the state.

However, even more problematic than that first scenario (the one that has to do with multiple copies of the same licensed version of Windows on one PC) is the second one where customers are looking to take advantage of the aforementioned high-availability attribute of virtualization.  Taking a VM and moving it from one physical computer another is the same thing as taking a Windows license and moving it from one physical computer to another.  Even though virtualization technologies shield VM guests from the underlying hardware for the sake of device drivers, certain hardware specifics -- ones that contribute to the aforementioned Windows-generated thumbprint -- are still visible to those guests.  For example, processor type.  If WGA is working properly (not always the case per Bott), then, even in the case of virtual machines, the move of a VM from one physical system to another would be trapped. 

In fact, that very thing happened to me when I moved a Windows-based VM guest from an AMD-based system to an Intel-based system.  This scenario introduces even more complexities into a WGA-like system since it seems perfectly reasonable to want to move VMs from one system to another to get your work done, particularly if a system is failed and you're simply using virtualization technology to recover from a fault.  Or even if it has nothing to do with a fault.  Let's say you're going on a trip somewhere and you don't want to haul your computer around with you.  So, you put your entire VM on a USB-key along with virtual machine runtime (in VMware's world, this is called a "player" because you're literally playing the virtual machine the way you'd play a song) and you take your PC with you in your pocket.  But, because of licensing technologies that are largely out of lockstep with technology, you're prevented from doing something that you should be allowed to do.

In the next week or two, I'm going to take a more all-encompassing look at Microsoft's licensing strategy and virtualization will be playing a key role in my prediction (to be explained in that analysis) that Microsoft may have no choice but to completely overhaul its licensing program, moving to something that's much more subscription-based than what Microsoft offers today.

Editorial standards