Slashdot Mirror
Microsoft Genuine Advantage Cracked
piyush ranjan writes "An Indian researcher has cracked the much-touted "impenetrable" Windows Genuine Advantage of Microsoft. According to Microsoft this service would soon require all Windows users to verify their license before downloading updates."
I love how they say it represents very little threat. I guess we can expect them to save face, but someone must be kicking themselves over this one! "Very little threat" probably translates into millions of copies distributed over P2P networks :)
I store my recipes online (the way nature intended)
Microsoft has the right to restrict product updates to only their paying customers.
However, the installed base is huge and the illegally installed base is also huge. Microsoft, because it is their OS, has a moral responsibility to prevent internet worms and viruses by releasing patches to all users, regardless of the legality of the installation.
Can MS really be held at fault when illegal usage of the OS results in a huge failure of the Internet?
Today, it would be possible to build a damn-near invincible fortress - use granite blocks of a similar size as those for the large stones in Stonehenge as bricks, have them interlock so that shockwaves can be carried non-destructively, and build it as a gigantic geodesic dome so that impacts are tangental and not perpendicular.
This isn't "fool-proof" (fools are way too ingenious) but it would offer a formidable target that would be hard to punch through.
Can you create something analogous in software, where the design is such that the "impact" of an attack is less likely to break through?
Yes. The standard network "firewall" is just an electronic castle, permitting traffic only through controlled gates. A portcullis arrangement (two back-to-back firewalls with a NIDS system in the middle) would provide a stronger fortification, if historic warfare is any guide.
The dome arrangement, where impacts are distributed so that no one component ever takes the brunt of the sttack, would be analogous to using a highly distributed security model, where different components in the model have to validate for the communication to be accepted. That way, exploits in any one component are of no value, unless absolutely identical flaws exist in ALL the components.
Ok, so we've got a system that offers some semblance of security. Can it still do anything, without that security being compromised? After all, anyone can make a 100% secure computer by turning it off.
Depends on how secure you want something. Let's take the key validation that Microsoft wants. What you want is non-duplicatable information. Easy enough - print a 1024-bit "public key" on the packet, which matches a private key on the validating server. Use the key to generate a unique ID, which is copied onto the computer. Any subsequent communication has to match the unique ID and the public key.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Go here and download here.
Agreed. Microsoft could either restrict WGA downloads to only those using IE with ActiveX, or provide an alternative way for browsers to get past WGA. They did, and the simple/most user-friendly way is to get the user to download a program which will generate a key.
There's no way that Microsoft could know that you were running the program on a different machine. It's an inherent weakness of the system, but one Microsoft needed to make to allow non-IE/ActiveX browsers to work with WGA.
I had to activate windows over the phone the other day, because installing SP2 on it broke everything (well, it just didn't like the SIGNED graphics card driver).
It kept hanging while it was starting up so I took all the expansion cards out, including the graphics card and used the onboard. Worked fine, apart from popping up a message saying the hardware had changed dramatically and windows needed to be reactivated. Didn't have time to play with it so I left it a few days. Next time I turned it on I couldn't do anything unleses I activated windows. Ok, I will just activate it over the internet - or I would if it was configured for the network it was connected to. Cancel activation so I can set up the network, nope, can't change network settings unleses I activate windows (even in safe mode). So, do I configure a DHCP server on another machine, or use the activate by phone option? It was a free call, but if I knew how long it was going to take for the auto responder to read out really really long numbers for me to type then I would have just set up a DHCP server.
Genuine Advantage (What kind of name is that? What does it mean? It's not to my advantage to have to prove I paid for Windows every time I need to reinstall) and the like is one of the main reasons I switched to linux for everything but Grand Theft Auto. I refuse to pay ~$100 and then be treated like a theif. I will never pay for windows, in any capacity, again. If that forces me to build my own comptuer every time I upgrade, so be it.
Luckily, these days linux is pretty nice, what with Ubuntu and all. You barely need to think any more when installing, and no annoying registration screens!
Pulp Audio Weekly - Geek News and Reviews
It sometimes amazes me how many crackers do have a conscience about the smaller guys, and how hard it can be to find passwords or cracks to cheap applications.
I almost liken it to the p2p v. itunes thing. When you can find a song for a buck in 30 seconds, compared to attempting to locate one for free over the course of 30 minutes, for many people the $1 method is a lot easier. For lots of people looking for random utilities or programs, when they find something that works, does a job well, and is cheap, they'll plink down the money for it. At least compared to finding a crack over the course of a week that may or may not work.
The smaller guys can also simply change-up the algorithm for the cracked passwords for each release every few weeks, something the big guys can't really do ;D
You're right.. and isn't that the problem? It seems like this vulnerability could be coded into a distribution. Someone illegally distributing Windows CDs can modify the copy so that it (unknown to the user) runs the crack, gets seemingly-legit codes, and uses these to "prove" that it is a genuine copy to the silly purchaser of the illegal product. So basically this undermines the whole point of the Windows Genuine Advantage. The user buys a CD of Windows, and even the windows website agrees that it is a genuine copy... but in fact the user was duped and bought a pirated copy. This lets the "bad guys" make money off of consumers... moreover it means that the "Windows Genuine" seal means nothing... worse, it provides people with a false sense of authentication.
(or maybe there's something I don't understand about the whole process?)
Personally, I don't have a windows computer in my home. I am running several Macs, a Sparc and a Linux machine. The main reason all stems from Microsoft and the way they treat their paying customers like they are stealing something from them.
A friend of mine bought a Gateway computer a couple of years ago with XP Home on it. After installing and uninstalling several pieces of software the system locked and he couldn't get it to "boot." So being the tech savvy friend in the industry he brings the PC to me.
The system is asking for a Microsoft Authentication Code. Ok, whatever. Plug into the switch, get online, enter the Key Code, refuses my request for an Auth Code. *grumble* Call the number provided, get a wonderful automated system that doesn't let me speak to a human. Also refuses to give me an Auth Code. *more grumbling* Call Microsoft Support direct (the first number was given to me by XP when the code gen failed) speak to a human who verifies I have a valid Windows Key Code and then refuses to give me an Auth Code.
Meh?
She proceeds to inform me that as the code is an OEM code from Gateway that I have to call them. *sighs* Ok, I've been dealing with this a couple hours now, with hold times and all, but what the hey. Call Gateway, the representative though friendly, tells me very politely to go screw myself. Seems the system is now out of warranty period, plus since I'm not the actual owner of the system anyway they can not give me any assistance what so ever. Offers the helpful advice to give Microsoft a call.
At this point I pull out an education bulk copy of XP Pro I happened to have purchased, and isn't running on anything else and install Pro in place of Home. Good thing about the bulk site keys, there are thousands of users with the same key legally and honestly. Kill the key and lots of very unhappy people.
My Mac? Drop the CD/DVD in, hold down C, click install, and I'm done. Ahh .... simple. Linux? Same thing, boot the disc, walk through the install dialog, and we're happy. Debian based? apt-get upgrade the entire thing without even a CD. Heck, even Solaris installs and assumes it's legit and doesn't mind. (This was before the whole it's free for you and open now too thing)
Yeah, Microsoft is only going to end up really annoying the hell out of it's legit users. Crackers and 1337 W@r3z P1r@t35 will never be more than mildly inconvenienced. If they are taking the time now to write programs that will let them keygen against binaries on the CD, then they are already spending the time trying to rip the thing off. The problem with a cat burglar is, no matter how many locks on the safe, if the Hope Diamond is inside, they are going to take the time they need to open it.
"Genius may shine aloof and alone, like a star, but goodness is social, and it takes two men and God to make a Brother."
I am waiting for the time when MSFT has all updates and security patches restricted by their WGA initiative. When the next trojan/virus/worm hits the internet that fouls up the Registry, every business worldwide that is chained to MSFT will come to realize that MSFT has become their "silent partner". The Mafia's "protection rackets" of the 1920's and 1930's will look like child's play in comparison to the disruption of business that MSFT will be responsible for. And by the time that realization comes, it will be too late for many businesses -- they will grudgingly pay MSFT whatever is demanded, just in order to stay in business. And Borg Bill will have swept the "World Domination" Monopoly (TM) game.
Must be a slow news day. This story was reported a month ago on May 23, 2005. At cnet, no less; not exactly an obscure news source.c y+check/2100-1002_3-5717127.html
h tml
http://news.com.com/Bypass+found+for+Windows+pira
And it was picked up by others, for example:
http://techrepublic.com.com/2100-1009_11-5717127.
Why is this story making the rounds again?
-- "I never gave these stories much credence." - HAL 9000
Yeah, that's why it is a good idea to have a copy of the corporate install laying around. Even if you're legally licensed to use XP, that activation scheme is problematic. Solution? Install from corp edition CD that doesn't require activation. Probably a technical violation of some obscure license term, but I don't care.
I paid my money, I refuse to be inconvenienced.
Who did what now?
lot of people are buying software and use cracked version EXACTLY because of the fact that all legitimate software puts totally INSANE overhead that only irritates clients and in the end penalize them.
Fifteen years ago, when I was a kid and didn't have any money, I pirated software to have something useful to do with my computer. With the advent of Linux and having a job, I don't steal software any more. (And oddly, I find the software I do buy to be 21st century versions of the same software I used to steal.)
The one "exception" is the only game I have on my Mac. I bought Civilization III for the Mac because I had loved the previous two's complex strategic systems. But Civ III, to avoid software piracy I suppose, required the CD to always be in the computer. Worse, it would often spin the disc constantly.
On my laptop, this meant hardware strain on an expensive to replace unit and lower battery life.
So I downloaded the ISO and just mount it when I want to play. No overhead of spinning discs and low battery life!
I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.