Slashdot Mirror


Windows Key Leak Threatens Mass Piracy

lou_soyur writes "A key code for installing Microsoft's Windows Server 2003 has leaked onto the Internet. Rampant piracy sure to follow fears Microsoft, so it's a safe assumption that their lawyers "would scour the Internet looking for the leaked code". The joy of closed source security at work."

27 of 597 comments

  1. Re:Closed source security? by wing.app · · Score: 5, Interesting

    bleh. encryption. I mean, what if to use a key, a distribution put something like a modified GPG. and you had to put a key which would translate into a real key that the OS would confirm and install.

  2. Caught between a rock and a hard place by DJayC · · Score: 5, Interesting

    (From the article)
    Those copies of the software installed using the leaked code "won't be able to install future updates or service packs or access Windows Update," the spokeswoman said.

    "They're caught between a rock and a hard place," Cherry said.


    It's funny.. she's basically saying "Yes, they can install the retail version BUT they are screwed when all of our security holes and bugs are found." She seems to imply that if you don't update Win2k3 (note this is stated before it is even released!) you are going to have a junky product. Funny stuff.. only Microsoft.

  3. Re:Be honest now by DJayC · · Score: 2, Interesting

    CNN will show detailed maps of when, where and how the US will attack Iraq, but God forbid an article starts out with "The Windows 2003 Serial Key, XP74V-RX7YQ...."

  4. They'll just patch it.. by Auriam · · Score: 3, Interesting

    Um, I guess no one here's heard of what MS did with XP SP1.. if you upgraded from XP, and were using a pirated corporate key, you were OK.. but if you tried to do a slipstreamed CD install (that is, with SP1 included on CD, a full install from that CD), you were SOL when you tried the old key. A Friend Of A Friend of mine had some trouble with that himself.. but luckily some smart person had apparently held back some of the corporate keys from wider release, fearing that this might happen, and released the new key as the SP1 key.

    Thus, a single keycode getting out isn't THAT much of a piracy threat - it can easily be patched. Now, a KEYGEN, on the other hand...

  5. Here is logic by ADRA · · Score: 2, Interesting

    "Microsoft is banking on the thrice-delayed operating system to increase its penetration into the enterprise. But the stolen codes show the difficulty the company faces in protecting its valuable intellectual property and potential sales from thieves."

    So, out of all the pirating going on, do you think that even 1% of it is coming from enterprise customers? I seriously doubt it, and I am sure they do as well.

    I think it's a "scapegoat" tactic to justify expected poor returns on their newest sinking flagship product.

    --
    Bye!
  6. Re:Fuck Money by Anonymous Coward · · Score: 2, Interesting

    That's not as far fetched as it might seem. You know, when the Russians had their revolution almost thirty percent of the population was required for agriculture. Today, with the changes in technology it's less than a fraction of one percent of the population that actually works in agriculture.
    How about this. Under the new regime, we will give higher bandwidth allocations to those who volunteer to operate agricultural machinery.
    Are ya with me!

  7. This is a deliberate leak to get a foothold by no_mayl · · Score: 3, Interesting

    They could have used a timed key (valid only for a couple of weeks). All the machines in that company that leaked the key would have had to be installed (no user prompting, but still requiring internet connection) within the timeout period. If somebody stole the timed key, and re-adjusted their computer time just to get by the install, it would fail, as the computer would still need to connect to a MS-owned server with its own notion of time.
    For something this easy (other companies like Symantec provide timed keys) not to be implemented can only be a sign of deliberate action.
    "I'll give out (oops! I meant leak out) this free OS. Once people get used to it, then I'll charge a huge amount for all these other softwares and services. And I'll give major parties (i.e. sueable) a chance to get back on the right track by purchasing a valid license."

  8. And this is different from other versions how? by unborracho · · Score: 4, Interesting

    uhm... hi. My name is _________ and I'VE NEVER PURCHASED A COPY OF WINDOWS IN MY LIFE!

    let's see here...

    Windows 98, got key from a friend
    Windows 98 SE, got key from a friend
    Windows ME, got key from a friend, uninstalled the next day
    Windows 2000, found a key on an AltaVista search
    Windows 2000 Server, "borrowed" a key from work
    Windows XP Pro, hello mr. corporate no-registration key

    Don't get me started on other microsoft products. Office XP has its own registration work-arounds as well.

    I'm just surprised this made it to a /. story. Most anyone in this community would know where to go to get a windows key if they needed one.

    I would think this would be expected for any and all releases of software microsoft puts out. Hell, we can get software from my school for so dirt cheap, ($30 for Windows XP Pro) they might as well give it away for free.

    --
    "You had this look that of an angel, it was such a bad disguise" --Dishwalla
  9. Re:What is it with Slashdot? by glenkim · · Score: 2, Interesting

    Okay, I'm seeing a lot of people reply to this post, but they're not making a whole bunch of sense. So in order to clarify things for people who replied, I thought I'd say a few things. First of all, BJH is talking about knowing the encryption mechanism in SSH to crack the communications. If I'm interpreting him correctly, he's saying that with the public key encryption mechanisms that SSH uses, it's not possible to crack the encryption, even if you know the public key and the mechanism (namely because the best known algorithms for figuring the private key are intractable in runtime). So, if Microsoft had any sort of brains about them, they would have used an encryption scheme that would allow them to produce a key, where even if the algorithm is known, it would still take an unreasonable amount of computing power to figure out how to generate one's own keys.

  10. If you couldn't get windows for free... by Saoi · · Score: 2, Interesting

    ... would microsoft have the dominance it has today?

    If people didn't have access to pirated versions of windows since day 1, how many average home users could have afforded it? I'm not talking about the advanced users I'm sure you all are, but the average mum & dad & 2.5 kids that have just bought a computer to write some letters up or send some email. These families use outdated hardware running old prepackaged software until a friend lends them a newer version of windows or msoffice or whatever to remain compatible with work or school. Without this pirated software would these children be exposed to the overpriced software and become reliant on it in later years?

    I propose that maybe just maybe, piracy aids microsoft in making the average joe reliant on their product so in later years when they can afford it, they don't even consider any other competitors. After all, as someone has already said, it's not the big businesses that give ms their profits using these codes, is it?

  11. Re:The other foot by WasterDave · · Score: 3, Interesting

    Yeah, I'm with you on that one, and it's one of the rare occasions where I'm with Microsoft too. If you're going to use Windows, pay. If you're going to use Windows servers, pay more. And if you use Windows (particularly for business) and think you don't need to pay, you should get your arse kicked.

    The more people who are forced to pay, through the nose, for this shit.... the more we will see both a proliferation of open source AND a return to an active and competitive closed source software industry.

    Dave

    --
    I write a blog now, you should be afraid.
  12. Microsoft tactics again by stevenp · · Score: 5, Interesting

    >> The leaked key codes cast an unexpected shadow over the launch of Windows Server 2003 later this month. Microsoft is banking on the thrice-delayed operating system to increase its penetration into the enterprise. But the stolen codes show the difficulty the company faces in protecting its valuable intellectual property and potential sales from thieves.

    Microsoft tactics again, nothing else. They currently need to enter the server market and push Linux out of there. So they will try with all means to increase the installed base of the WinServer 2003 - it doesn't matter with or without licence. Later they will come with BSA and collect the fees, no doubt. The current statement has a double purpose - first to show to the world how much Microsoft is losing on piracy and second to inform the people that they can install Server 2003 without paying. The first one is typical Microsoft FUD - "We are weak, pirates rob us constantly", this will help them also in the monopoly trial. The second one says generally "Hey there is a key in the wild, just get it and install WinServer if you need it"
    Are the MS executives stupid enough to believe that a sysadmin that has received a key for installing a bunch of WinServer-s 2003 will not leak it on the Internet? No, they are smarter than anyone else when it comes to money, just the target is different - to get a maximum number of installations, become monopoly on the server market, and then ... fire-up BSA, collect the missing licences, charge as much as they want for new installation and so on.
    The same story is repeating again and again, they can not give WinServer 2003 for free (like InternetExplorer) because the DoJ will nail them immediately, they can only play the "illegal but free" game and hope that the sysadmins will bite - and many will, especially in the poorer countries. So I believe the fixed keys are built into the code exactly with the purpose to allow the "widespread piracy". Why does WinXP not have such fixed keys? MS officials may say "Because it is a client OS, it is not installed in volumes". Bzzzzt - wrong, the clients are usually installed in volumes, the servers are usually 1 to 10 compared to the clients. The answer is because MS already has a monopoly on the client side, they do not need new installations, they need money for the existing ones. The server market is different, MS needs "piracy" in order to become the de-facto standard on the server.

  13. Re:Closed source security? by thomasj · · Score: 5, Interesting

    What if FSF GPG private key leaked? Would that be nice?

    --
    :-) = I am happy
    :^) = I am happy with my big nose
    C:\> = I am happy with my OS
  14. How does the Publicity Work? by Harry8 · · Score: 5, Interesting

    Posts here seem to suggest that everybody who knows what a keyboard is, can find a Key using nowt but a search engine. So who benefits from the publicity?
    Software pirates? They already knew.
    People who don't like Microsoft? Good for a laugh for about half a second, I guess...
    Microsoft? More people with experience using their servers? Right now if you're a poor student you're likely to know a thing or two about Linux server configuration, especially since you can do it with a box you bought for $20. Or BSD...
    Microsoft again? Hey, a media storm for the ignorant to support this Pallid Big Brother nonsense? Or is that too cynical..?
    No more security patches for Fully paid up NT licences. Hmmm...
    You pays your money, and you takes your choice...
    apt-get lacks the option "stuffed" It's a feature.


    I don't hate them, the sheer speed at which really useful applications can be developed in Excel VBA is a breakthrough. (XL97 is just fine, upgrade? Why?) But then Excel has all those unstable algorithms in their stats functions that everybody has known about for years and years...

    I've been given X, Gnome & KDE. Now Give me VBA in OOo, Gnumeric or Kspread, & I'll give you Linux, Undisputed king of the office desktop.

  15. Re:Missing Link by NCFlipper · · Score: 3, Interesting

    Would the lawyers be able to do much if you said "it's the ascii equivalent of the numbers between the xth and yth digits of pi"?

  16. Re:It's not the crypto and this is bad news for OS by dusty123 · · Score: 3, Interesting

    Well, I think you forget one huge fact:

    Pirated copies are very important for the distribution of Microsoft products.

    There are of course ways to improve security - why still use such general keys? Look at e.g. Mathematica, they have far better protection mechanisms.

    I postulate that piracy is tolerated and helpful for Microsoft, they will never try to generally stop it. They have of course their ways to reduce piracy, especially by intimidation and bad conscience.

    The more the Microsoft monopoly grows, the more they can pressure and reduce software pirates without losing market share.

    You will see: Palladium/TCPA will also not stop piracy.

    I would not wonder if Microsoft released this key by themselves..

  17. Re:Publicity stunt by evilviper · · Score: 2, Interesting
    Since the key is for the server, not the workstation, its release is not a big deal.

    Of course you realize that Windows "Server" can be used on a workstation. :-)
    The only reason to use Workstation versions instead of Server versions is due to the reduced price of licensing. Those people not paying licensing anyhow probably don't care.

    You are right that serious users won't take a chance on this, but I guarantee you will see numerous unlicensed Windows servers on the internet. Typically used for one-man-shops, porn sites, or any other tiny companies/individuals that don't stand to lose much even if they are caught.
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  18. Re:Missing Link by ShooterNeo · · Score: 3, Interesting

    Although I don't have a proof for this, any sequence of numbers can be found in the digits of pi. (obviously some sequences will take much longer to find than others). Thus with a LOT of searching you could find a sequence of numbers that when encoded into characters using ASCII rules (65 as A, 108 as z, etc) correspond exactly to a valid Win2003 Server serial.

  19. Re:Some additional history and details by Anita+Coney · · Score: 2, Interesting

    "Enough room for even the heaviest geek to make all the changes he wants."

    I've read in other forums from hardware geeks who were told by Microsoft that they had to purchase new copies, as they were allegedly changing their hardware too much. They claimed that you could significantly change your hardware three times and still validate by the web. After that you have to start calling, and if you call too much (and there appears to be no precise number) you're eventually out of luck.

    I doubt very much these individuals were lying, as they weren't pushing any agenda other than telling their stories.

    As someone who's always changing his computer's hardware, I think I'll skip the whole product activation fiasco. I have no desire to ask permission to use my computer! I'll stick with W2K until I'm able to do everything I need on Linux. (And the only thing holding me back is an audio editor as good as Cool Edit Pro!)

    --
    If someone says he and his monkey have nothing to hide, they almost certainly do.
  20. I wouldn't get too excited by DrXym · · Score: 2, Interesting
    Perhaps the serial number will allow mass piracy but unless you're prepared to forever run the server unpatched and unexposed to the internet it won't do you much good. Microsoft will simply release a patch (perhaps an innocuous looking one) which will kill all known pirate keys in existence.


    If you think this is far fetched, consider that it has already happened for MS Office for OS X. Users who applied the first service pack found their installations were nobbled if they had been registered using widely known serial numbers.


    It would be no more difficult for MS to do the same with Windows 2003 Server. And given the nature of the product and the huge revenue MS see themselves losing, you can expect them to pursue servers using the hacked serial numbers extremely vigorously with prosecutions and raids galore.


    Now I wonder how much revenue is *actually* lost as opposed to counting illegal installs and assuming all those equal lost revenue. People who use hacked serial numbers are not those who would be interested in spending $$$$ on the original in the first place.

  21. Re:Closed source security? by Anonymous Coward · · Score: 1, Interesting

    it wasn't a binary patch in 2000, it involved changing an ini file on the cd ... You had to change a code so it ended in 000 iirc

  22. Re:Missing Link by plugger · · Score: 3, Interesting

    If it is true that every possible sequence of numbers exists within PI, then why not just take the sequence which corresponds to the cracked Win2003 installer binary?

  23. Eggs....Baskets... by 4of12 · · Score: 2, Interesting

    I can hardly believe that Microsoft would activate millions of installations of Windows 2003 with a single key.

    With all the trouble to put a unique identifier on each CD, it seems like it would be little enough hassle to require the user to enter the identifier on the web or over the phone to completely activate the OS. You know, give me your key and I'll give you Your Unique Magic Key.

    Didn't they even read the articles about how all DVDs were encrypted with a single key and got liberated in one fell swoop from that fantastic piece of copyright protection when the key was discovered and made public?

    My paranoid side says it's all a conspiracy to illustrate the perils of widespread piracy/terrorism/hackers (MS has enough cash to take a hit on the revenue loss) so that TCPA/Palladium gets a more receptive audience with lawmakers and the gullible public at large.

    --
    "Provided by the management for your protection."
  24. Something I don't get... by nkuzmik · · Score: 2, Interesting

    I understand some of the logic for Microsoft's Product Activation system. I get the whole activation after installation, but what I don't get is the shut-down part. The prog will take a snap-shot of your hardware upon installation. Then if your hardware changes too much it will shut you down. Will the system stay functioning if you make a number of changes over time, or is it just the number of hardware changes that sets it off? Either way, the program will still detect a number of recognized components. So how does it come to the conclusion that it has been pirated? At the risk of anthropomorphizing, until software is installed, it has no awareness. Once it is installed, it becomes aware of the hardware it is installed on. Pirated software is the same way, it is unaware of anything until it is first installed. Then once it is installed, it also becomes aware. All that said, what is the logic that was used when Microsoft decided that if software detects a number of hardware changes, it has been pirated. The best analogy I can think of is a person and their clone. Until you go to an outside source, both the person and the clone will think they are the original. But Microsoft's deactivation system would be like the original person getting a heart & lung transplant and their immune system decides that they are now a clone. Can anybody explain this to me?

  25. Re:What is it with Slashdot? by Anonymous Coward · · Score: 1, Interesting

    But one thing you find is that a surprising number of stupid authors actually do this (bad pseudocode given here, for effect):

    #include <string.h>

    /* The key-derivation routine ships inside the program itself, so anyone
       holding the binary can reproduce valid keys - that is the flaw on show. */
    const char *CorrectKey = GenerateKey(GivenName);
    if (strcmp(GivenKey, CorrectKey) != 0) {
        Bitch();                  /* keys differ: annoy user */
    } else {
        PrintRegisteredMessage(); /* keys match: registered */
    }

    Why rewrite the wheel when the author's done all the keygen work for you?

    Oh, and reversing many algorithms IS trivial. A certain debugger has a plugin to do it for you, and generates C99 source code along with an analysis - of course, if it's a strong cipher you're trying to reverse, or a cryptographic hash algorithm, the complexity will be 1.0 or close to it, and the program will take millennia to run (but will, eventually, find the answer and is often faster than brute force, though many times only marginally). Pit it against Joe Blogg's shite conventional key system though (what it was designed for - some hot, quick'n'dirty keygen action), and it'll usually hang it out to dry.

  26. Re:What is it with Slashdot? by DickBreath · · Score: 2, Interesting

    My friend develops software. He released a program that used registration keys based on the summation of the ASCII values of the registrant's name, mod something. There was a key generation out on the net within a week! The poor guy didn't have a single user actually purchase the software though :(

    Use Public Key cryptography.

    You supply me your name and serial number. I MD5 hash those. Then I encrypt the hash using my private key. I return this to you as your registration code.

    Your copy of the program takes your name and serial number. It MD5 hashes those. So far, you should have the same result I started with. You then decrypt your registration key to see if it matches. Since you don't have the private encryption key, you cannot generate new registration keys.

    Now, some evil terrorist might just patch your program to skip the registration verification process.

    So the registration key I give you includes the MD5 hash of your name/serial number, but also includes additional bytes which make up some critical part of the program. This makes it more difficult to circumvent, but still, not impossible.

    --

    I'll see your senator, and I'll raise you two judges.
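    The scheme DickBreath sketches, worked through in Go as an added example (this is not code from the post or from any product named on the page): the vendor hashes name and serial number, signs the digest with a private key, and the program ships only the public key, which can check a code but not mint one. It uses SHA-256 and RSA PKCS#1 v1.5 from Go's standard library in place of the MD5 the post names; the registrant name, serial and the modulus in WeakCode are constructed values. The weak "sum of ASCII values, mod something" scheme from the first paragraph sits beside it to show why anything the program can compute on its own, a reverser can compute too.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// WeakCode is the scheme from the post's first paragraph: the code is a
// pure function of the name, so the program that checks it can also
// generate it. The modulus 9973 is a constructed value for illustration.
func WeakCode(name string) int {
	sum := 0
	for _, b := range []byte(name) {
		sum += int(b)
	}
	return sum % 9973
}

// registrationDigest binds name and serial number together before signing.
// The zero-byte separator keeps ("ab","c") distinct from ("a","bc").
func registrationDigest(name, serial string) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0})
	h.Write([]byte(serial))
	return h.Sum(nil)
}

// IssueCode runs on the vendor's side only: it needs the private key.
func IssueCode(priv *rsa.PrivateKey, name, serial string) (string, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, registrationDigest(name, serial))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyCode is what ships inside the program: it carries only the public
// key, which can verify a signature but cannot produce one.
func VerifyCode(pub *rsa.PublicKey, name, serial, code string) bool {
	sig, err := base64.StdEncoding.DecodeString(code)
	if err != nil {
		return false
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, registrationDigest(name, serial), sig) == nil
}

func main() {
	// Constructed sample registrant; the key pair is generated fresh each run.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	name, serial := "Alice Example", "SN-000123"
	fmt.Println("weak code anyone holding the program can recompute:", WeakCode(name))

	code, err := IssueCode(priv, name, serial)
	if err != nil {
		panic(err)
	}
	fmt.Println("signed code accepted for Alice:", VerifyCode(&priv.PublicKey, name, serial, code))
	fmt.Println("same code presented with Bob's name:", VerifyCode(&priv.PublicKey, "Bob Example", serial, code))
}
```

    The public key replaces the shared secret that WeakCode effectively embeds in the binary, so possessing the program gives nothing beyond the ability to check codes. As the post's last two paragraphs say, this still does nothing against someone who patches out the call to VerifyCode; the signature protects the code, not the program that consumes it.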
  27. Is this such a rare event? by kavau · · Score: 2, Interesting

    I'm wondering why this does not happen more often!? This seems to be a really big deal for Microsoft, but naively I would think that such keys are leaked to the internet every day. Or are these keys usually heavily guarded as "company secrets"? Are there stiff fines imposed on the companies if their assigned key becomes public knowledge?