A while ago, when I was travelling, a journalist told me that he never pays for our software, as he can easily download a tool to crack Windows XP (he was still running XP). We had an interesting discussion afterwards (besides the fact that he showed me how he steals our goods) about security. He ran a tool with the highest privileges and was then proud of how Windows worked without a key. I asked him how he could be sure that the tool did not install a backdoor on his machine while cracking it – and he went kind of pale….
We know of these stories, and we know that the pirated copies of Windows that can be downloaded often come with pre-installed malware. As you might have heard, we disrupted another botnet last week, which spread through the supply chain: Microsoft Disrupts the Emerging Nitol Botnet Being Spread through an Unsecure Supply Chain.
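The journalist's question – how can you know that a binary you run with full privileges has not been tampered with – has at least a partial, mechanical answer on Windows: before running it, check that the file carries a valid Authenticode signature from the publisher you expect and record its hash. The following is an added example written for this post, not code from the original or from Microsoft; the installer path and the publisher name are assumptions used for illustration.

```powershell
# Added example (not part of the original post): refuse to run a downloaded
# installer unless it carries a valid Authenticode signature from the
# expected publisher. Path and publisher pattern below are placeholders.
function Test-TrustedInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSubjectPattern
    )

    # Authenticode check: Status is 'Valid' only if the signature verifies
    # and chains to a trusted root; 'NotSigned' or 'HashMismatch' otherwise.
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    # SHA-256 of the file, useful to compare against a hash published by the
    # vendor and to keep an audit record of exactly what was executed.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # A valid signature alone is not enough: any party can sign a binary.
    # The signer must also be the publisher you actually expect.
    $trusted = ($sig.Status -eq 'Valid') -and ($subject -like $ExpectedSubjectPattern)

    [pscustomobject]@{
        Path    = $Path
        SHA256  = $hash
        Status  = $sig.Status
        Signer  = $subject
        Trusted = $trusted
    }
}

# Placeholder values: replace with the real download and the real publisher CN.
$result = Test-TrustedInstaller -Path 'C:\Downloads\setup.exe' `
                                -ExpectedSubjectPattern 'CN=Example Publisher*'

if (-not $result.Trusted) {
    Write-Warning "Refusing to run $($result.Path): status=$($result.Status), signer=$($result.Signer)"
}
$result
```

The point of the second condition is that a "Valid" status only tells you the file has not changed since someone signed it and that the signing certificate chains to a root your machine trusts; it says nothing about whether that someone is the vendor. A "crack" downloaded from an arbitrary site will typically come back as NotSigned, or signed by a name you have never heard of, and that is precisely the moment to stop rather than elevate.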
This leads me to another fairly interesting question: most governments today rely on Common Criteria certification to evaluate products. However, to me a good product is the result of a good engineering and assembling process. So, when it comes to software, make sure that the development process is designed to lead to "secure" results (e.g. ISO 27034), and, looking at the botnet takedown, having a deeper look into your supply chain generally makes sense as well.