Slashdot Mirror


Windows Key Leak Threatens Mass Piracy

lou_soyur writes "A key code for installing Microsoft's Windows Server 2003 has leaked onto the Internet. Rampant piracy sure to follow fears Microsoft, so it's a safe assumption that their lawyers "would scour the Internet looking for the leaked code". The joy of closed source security at work."

10 of 597 comments

  1. Closed source security? by wing.app · · Score: 5, Insightful

    I don't think leaks have anything to do with whether it is open or closed.

  2. What is it with Slashdot? by rritterson · · Score: 5, Insightful

    Of course the key was going to be leaked - it was only a matter of time. It's the same way with all key based systems. Microsoft will still make just as much money as ever. (Keys were leaked all the time before product activation anyway.) The poster spins this as though this is going to cause mass hysteria and pandemonium. What is meant by "closed source security"? An open source security program would be exceptionally easy to bypass, I'd think, since you'd have direct access to any encryption mechanism used.

    --
    -Ryan
    AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
    1. Re:What is it with Slashdot? by davebarz · · Score: 5, Insightful

      An open source security program would be exceptionally easy to bypass, I'd think, since you'd have direct access to any encryption mechanism used.

      Knowing the algorithm doesn't really help with any decent encryption since you also have to know any number of other keys in order to decrypt the data. Of course, if you're still using "A=26,B=25,C=24..." encryption, then you may be on to something, there.

    2. Re:What is it with Slashdot? by dicka_j · · Score: 5, Insightful

      An open source security program would be exceptionally easy to bypass, I'd think, since you'd have direct access to any encryption mechanism used.

      I think you will find that most, if not all, strong encryption algorithms are in the public domain. The algorithm used should be strong enough that the key is required to decode the message, and the knowledge of the algorithm is next to useless.

      Do a Google search for, say, DES, and you will find various articles explaining the implementation of the algorithm, and triple DES is about as strong as you can get nowadays.

      Security through obscurity is NOT effective security.
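
Added example, not part of the thread or of any product discussed: a Python sketch of the point made in the two replies above, contrasting the keyless "A=26, B=25" substitution (Atbash) with HMAC-SHA256, a published algorithm used here as a stand-in for any keyed primitive. The key, message and plaintext are constructed sample values.

```python
import hashlib
import hmac
import secrets

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ATBASH = str.maketrans(ALPHABET, ALPHABET[::-1])


def atbash(text: str) -> str:
    """The keyless "A=26, B=25, ..." scheme: the algorithm is the whole secret."""
    return text.upper().translate(ATBASH)


def tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: a fully public algorithm whose security rests on the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, candidate: bytes) -> bool:
    """Constant-time check that candidate is the tag of message under key."""
    return hmac.compare_digest(tag(key, message), candidate)


def forgery_attempts(real_key: bytes, message: bytes, guesses: int) -> int:
    """Someone who knows the algorithm but not the key tries random keys.
    Returns how many of the resulting tags the real key holder accepts."""
    return sum(
        verify(real_key, message, tag(secrets.token_bytes(32), message))
        for _ in range(guesses)
    )


def demo() -> dict:
    key = secrets.token_bytes(32)            # constructed sample key
    message = b"install: server-edition"     # constructed sample message
    ciphertext = atbash("MEET AT NOON")      # constructed sample plaintext
    return {
        # Reading the Atbash source is enough to recover the plaintext.
        "recovered_without_secret": atbash(ciphertext),
        # Reading the HMAC source yields no accepted tag without the key.
        "forgeries_without_key": forgery_attempts(key, message, 1000),
        # Once the key leaks, its holder's tags verify like the owner's.
        "forgery_with_leaked_key": verify(key, message, tag(key, message)),
    }


if __name__ == "__main__":
    print(demo())
```

The last entry is the case in the story: the algorithm is untouched, but whoever holds a leaked key is indistinguishable from its owner.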

  3. Big Freaking Deal by Jah-Wren+Ryel · · Score: 5, Insightful

    Anybody who needs to run this server edition of windows is going to pay for it and probably buy a support contract to boot. Joe Downloader who decides he wants to run Windows 2003 on his piddly two generation old machine just to show how cool he is would never ever pay for 2003 in the first place, he'd just stick with the XP Home edition that his machine came bundled with.

    Mountains out of Molehills, or should that be mothballs in the case of a Microsoft losing market dominance?

    --
    When information is power, privacy is freedom.
  4. Re:A single key? by MortisUmbra · · Score: 5, Insightful

    Erm, no, because as the article ALSO states, the same case was true for Windows XP, Corp. Vol. license keys were out before the retail package was!

    This is absolutely no different for the last....well....five Windows launches.

    There has ALWAYS been a key readily available even after WPA. And WPA has never been a problem. Sure SP1 blocked TWO popular keys but do you have any idea how many people have friends in IT depts. with access to keys?

    Me, my brother-in-law, my roommate, his brother, my brother, my brother-in-law's brother, his friend, my cousin, three of my other friends.

    ALL of us have access to different volume license keys.

    It's about as safely guarded a number as you can get, short of plastering them on billboards and buses.

    --

    "The saddest words of mice and men, are not those which were, but should have been."
  5. Piracy is good for MS by AvengerXP · · Score: 5, Insightful

    Each pirated version of Windows running is one less copy of Linux or other variant OSes running. In order of their preferences: 1) Legit MS 2) Pirated MS 3) Alternative OS. So they almost approve piracy.

    --
    Trolls dont like to be Flamebait, because they burn so well. Protect our Troll heritage!
  6. It's not the crypto and this is bad news for OSS by dmeranda · · Score: 5, Insightful

    Security is only as strong as the weakest part, and I seriously doubt that's with the encryption algorithm here. Remember this system is not designed to protect your computer from outside threats (like SSH, etc), it is to protect the operating system from the user. The threat model and problem being solved are entirely different.

    Why attack the encryption algorithm directly? Instead reverse engineer and bypass the parts of the OS that invoke the license checks. Or fool the probes which try to determine your hardware signatures. "Borrow" a key. Or for that matter just be sure to run IIS, as it lets perfect strangers run any applications they want on your computer, it should just as easily let you use your own computer too without any security checks :-)

    I do have two important observations though:

    1. I suspect this is one of the reasons MS is pushing so hard for TCPA/Palladium or other Distrustful Restrictions Management (DRM, sic) in hardware. That would finally allow Windows to completely distrust the user with a vengeance, as well as a side effect of preventing other choices in OS (look at the X-Box as their prototype of a hardware-enforced monopoly).
    2. This is actually bad news for Open Source advocates as it widens the distribution and exposure of this product to people who otherwise may never intend or have the $$ to buy it anyway, furthering their illegal monopolistic grip on the modern world. I for one hate it when people pirate Windows or Office or even Windows Plus, that's one more person that doesn't "feel" the heavy price for using MS software and has no desire to look for other choices. Open Source people would love for more so-called piracy of their products! Perhaps GNU/Linux should require an activation key, maybe that would accelerate its adoption (I'm joking here).
  7. Arrrgggh... Eh ? Your point is... by MosesJones · · Score: 5, Insightful


    A couple of things

    1) Open Security != Open Source

    2) Open Source != No Key (PGP ring any bells ?)

    So just to clarify

    1) If I create an SDA using PGP this is Open Source Software with a key

    2) There are closed source security elements that have put their code out for review, including by the Government

    3) Red Hat give you a key to access their premium rate support.

    4) You made a glib comment that hit the MS Bad, OSS good Slashdot button and got modded up

    5) This just means there are lots of people on Slashdot who don't understand this either.

    Sheesh, you can have key restricted open source software, that is the idea of privacy and security for starters, the whole aim of VPNs etc etc. The issue here is in part _how_ the key (think private key) is issued. What MS want to do is make it simple for volume installers. Now what they could do is supply a bunch of USB keys to these volume suppliers that must be inserted during install. So give them 20, or 30, or whatever ghosting 30 at a time is a reasonable upgrade plan (no-one in a large company goes overnight for a total upgrade).

    The issue is 1) Process 2) The nature of the security.

    NOT whether it's open or closed source.

    --
    An Eye for an Eye will make the whole world blind - Gandhi
  8. Product Activation has NOTHING to do with piracy.. by Anita+Coney · · Score: 5, Insightful

    Microsoft keeps arguing that the purpose of Product Activation is to stop piracy. That's ludicrous:

    First, weeks before XP was released there was the infamous leaked corporate copy of XP readily available for download in convenient ISO format.

    Second, Microsoft stated that anyone using the leaked version of XP would not be able to update to SP1. However, a week before SP1 was released tweaktown.com had figured out and posted a way around it.

    Third, now the exact same thing is happening to Windows Server 2003.

    Exactly how did Product Activation stop piracy? It didn't. What does it stop? It stops what I call sharing. That's when a friend uses his copy of Windows to upgrade a friend's computer. That is what Product Activation has stopped and nothing more. (I'm not saying that sharing is OK, but it's hardly piracy!)

    Maybe Product Activation is also Microsoft's attempt to get the average person used to paying for upgrades. Maybe it is a step in the direction of Palladium, i.e., getting the average person used to the idea that Microsoft controls their PC, and not the other way around. It could be a lot of things, but it is clearly NOT intended to stop real piracy.

    --
    If someone says he and his monkey have nothing to hide, they almost certainly do.