Vista Activation Cracked by Brute Force
Bengt writes "The Inquirer has a story about a brute force Vista key activation crack. It's nothing fancy; it's described as a 'glorified guesser.' The danger of this approach is that sooner or later the key cracker will begin activating legitimate keys purchased by other consumers. From the article: 'The code is floating, the method is known, and there is nothing MS can do at this point other than suck it down and prepare for the problems this causes. To make matters worse, Microsoft will have to decide if it is worth it to allow people to take back legit keys that have been hijacked, or tell customers to go away, we have your money already, read your license agreement and get bent, we owe you nothing.'"
From the article summary:
I don't see how this is possible, or credible speculation even for a company as evil as MS is perceived on Slashdot. I'm no MS fanboy, but I've had reasonable "service" from MS on issues of keys to activate my machines under some unusual circumstances.
This may get sticky for MS, but for goodness sake we've got to find better bashing material on MS (and I believe there be plenty) if we want to maintain any street cred. There's no WAY MS won't be giving license keys to legitimate purchasers of XP (especially considering the vast majority are pre-activated shelf-delivered versions).
(Aside: pure speculation on my part, but one of the most glaring weaknesses of this "claim" may be the notion of brute force, and that that is even a possible approach. Most validation handshakes require a reasonable length of time between attempts to circumvent brute force attacks... if it takes one second between attempts for billions of combinations, you're going to eventually be activating an obsolete OS. Further, after 3 or 4 incorrect attempts, any validation scheme worth its salt will quiesce for some longer inconvenient time... requiring a "cooling off" period before one can make further attempts. This story falls under the heading of "I heard someone say they knew someone whose sister's brother has figured out a Vista activation hack..." Sigh.)
All Microsoft has to do is block the IP address that is requesting thousands of activations on separate, invalid keys per second.
Slow Down, Cowboy! It's been 60 minutes since you last successfully posted a comment.
I can see it now: thousands of computers worldwide activating keys, just to make life miserable for Microsoft and users. It could be called the "annoy Microsoft Windows Users at home" project.
I Am My Own Worst Enemy
I guarantee you MSFT will release a patch to reorder license keys or figure out some other solution. If you were the largest software company in the world, and you had a product that was being touted as "more expensive than switching an entire IT department to OSX", wouldn't you?
-- http://www.criticalassets.com
Seems to me like a great opportunity for a shakedown. "We are sorry, but we cannot help you until we finish an investigation into your software licensing. If you need access you will have to purchase a new copy". They get to play like they are helping by paying a few MS shills to talk about how their cracked license recovery process was quick and painless and they don't understand anyone's complaints. Then they get to scare people into walking away and buying new copies!
I don't have problems with any number of copy protection schemes. Granted they can eventually be defeated almost without fail, but it does raise the bar for the effort. PS disc error thing I think was a fairly clever method for example. I don't even really mind CD keys too much, although it's irritating as hell to lose whatever they happened to write the code on (Is it too much to ask to print it on the damned disc?). But I absolutely refuse to touch any piece of software that requires some online activation type crap.
The only change I can believe in is what I find in my couch cushions.
Registration of new users is temporary disabled! Try again later.
----- You know you have ego issues when you register a domain in your name.
To make matters worse, Microsoft will have to decide if it is worth it to allow people to take back legit keys that have been hijacked, or tell customers to go away, we have your money already, read your license agreement and get bent, we owe you nothing.'
Hmmm, I wonder which way Microsoft will go on this one...
This guy's the limit!
Just as I read this article, pandora.com started playing the title cut from David Wilcox's Vista album:
"...and the wide open vista..."
It seems unlikely that MS really screwed up this badly. Even given unfettered access to the key validation, it's trivial to construct a scheme wherein the odds of coming up with even a single valid key are essentially zero. If the scheme includes additional hashing to increase the work required plus a large enough key space, you're simply not going to find one.
Why not actually try to read the article to see how the program works?
As someone who has worked on systems such as these (oh the inhumanity!) we have looked at this particular attack vector. Yes, it is possible. But, when you consider the size of the activation code domain (quadrillions or more of combinations), with the number of legitimate keys (hundreds of millions), and the fact that each request takes some amount of time (a few seconds), it's not too big of a risk. A risk? Yes. But there are lots of risks. This is just another one to be put on the list, watched, and mitigated against (as others have said, with blocked IPs and so forth).
Sounds like a great job for a botnet. Distribute the requests all over the internet. Avoid any IP address limits.
"I can see it now: thousands of computers worldwide activating keys, just to make life miserable for Microsoft and users. It could be called the "annoy Microsoft Windows Users at home" project."
Yes, but does it run under linux :-)
Microsoft has encouraged this obviously illegal tactic by its Vista License:
1) Too many variants
2) Too expensive an upgrade from XP
3) Limitation on which versions run virtualized.
Sadly, for MS, they have not emphasized it can creditably replace a several hundred dollar Nuance Dragon Naturally Speaking install (I know, I've tried both)
It wouldn't surprise anyone if they screwed that up, but it isn't hard to create a key system that makes guessing impractical and generally uncrackable on the key generation side: Just cryptographically sign random numbers with a private key at MS and verify the resulting registration key with the public key in the program. If the key is much longer than log2 of the number of issued keys, you can try until your grand-grand-grand-children have forgotten you ever existed and not find a real key. That can be circumvented only by disabling the check altogether or by replacing the public key with one to which you know the corresponding private key. But then comes activation and at that point MS can simply check all keys against a database of issued keys. Not only will they be able to find if you're using a key that wouldn't pass offline verification, they will also find if you're using a key which could have been issued but wasn't. You'd have bigger chances winning the lottery and buying a copy of Vista than to find a working key by guessing.
I don't see how this is possible, or credible speculation even for a company as evil as MS...
Sorry, that's their EULA. You have two choices when you purchase anything M$, return the package unopened for a full refund or use it. They do not and can not promise it will work and they are not responsible for the actions of others. They regard anything they do beyond the EULA a favor for which you should be grateful, just like they regard anything their software ever does for you. They think you should be so grateful that you do as they say. This is the nature of non free software. Your master may take care of you or they may not and those are the conditions you must agree to if you want to use non free software.
They don't trust you. They made the registration key in the first place to restrict the number of computers you can use before you pay them more. When you call and claim your key does not work, they can't tell the difference between you and someone who's shared their key. Once again, this is the nature of non free software.
Friends don't help friends install M$ junk.
Thanks to VMWare and Qemu yes, and that's the best place for it ;-)
Microsoft are fighting an uphill battle here
that kills its host. Botnet owners would never do anything that stupid.
Friends don't help friends install M$ junk.
Really, doesn't this seem like a lot of work to install something that doesn't work as well as what you have now? Just seems silly to bother..
Most enterprises are waiting until SP1 or SP2 before they even contemplate buying Vista. As Ballmer has stated, the Vista ramp will be slow and long.
So for the time being, Microsoft is watching what is going on with activation and feeding a new set of requirements into SP1. These new requirements will make the "easy" validation/registration hacks much harder, even possibly eliminating many of the loopholes. Microsoft is losing a bit of money, but not much. The people that don't buy software... are not much of a revenue stream. These requirements also go to Microsoft legal so they can get to work on making more activities illegal.
Hence, ironically, the only thing hacking Vista is doing is making Microsoft spend more money to change more laws to make all sorts of computer activities into crimes that can be brutally enforced by governments and police forces. By hacking Vista, the only people being helped are at Microsoft while the entire citizenry of the world pays a steep price. And police states are not known to be particularly innovative or supportive of change. So instead of doing anything positive, hacking Vista is merely killing the future.
If you want to work against the tyranny of Microsoft, the only way to do so is to let go of Microsoft and move to an open source system. Microsoft will have a much more serious problem when all the news is about people moving away from Microsoft, not news of how to get the latest Microsoft DRMware/malware/spyware/NWOware on your machine 'for free'.
When will "Annoy Ultimate" be released?
The parent is moderated funny. Well, I have no interest in Vista, but frankly I'd love to activate as many Vista keys as possible in order to make life miserable for anyone using it.
The problem of generated keys and conflict with legit keys isn't new, so we already know what happens. The same existed for XP -- plus the added collision of dishonest OEMs selling one legit serial number to 100 different people who bought their computers with XP preinstalled -- and we already know what Microsoft chose: to not annoy the paying customers. What it did try to do was go after the OEMs who did that, but _not_ after the victims. The victim never had to do more than call an (automated) telephone number and get another key. It's always been that simple.
Yes, there have been some fucktards too historically, but MS was sane about it so far. I'm not saying they're saintly or anything, feel free to still be anti-MS if it makes you feel any better. Just that they're sane. Even if you want to see them as some kind of super-villain, well, as super-villains go, MS was the _sane_ kind so far. The kind who's read the evil overlord's list, not the random lunatic kind. It knows when _not_ to do something that would damage itself very quickly.
Look, there are plenty of real reasons to whine about MS, no need to invent bullshit FUD scenarios. That kind of going into bullshit fantasy land, just to have something bad to say about MS, just damages the credibility of the real complaints.
A polar bear is a cartesian bear after a coordinate transform.
They just better not mention anything about Global Thermonuclear War.
I even had mod points, but you were already at +5 Funny (deservedly). I wonder which one, Seti@Home or this WindowsKeyGen@Home, will accumulate more CPU time overall next year...?
I also wonder if vendors are going to simply give up on using 20 or 25-character long activation codes, if they can be brute-forced in a reasonable period of time? Will they be switching to keyfile activation using hardware profile info (NIC ethernet MACs, motherboard/BIOS serial #, hard drive serial #, etc)? That seems to be happening more and more already...
"The human race's favorite method for being in control of the facts is to ignore them." -Celia Green
we've got to find better bashing material on MS (and I believe there be plenty)
Aargh, maytee, I too believe there be plenty. Ye OS shall be no match fer me sword, ya scallywag!
But I don't see any danger that a cracked key and a legit key would collide in that large a key space. The birthday attack (see Wikipedia) tells you the probability of a collision is equivalent to a 12 digit key, which I'd assume must be nearing one in a trillion.
Since the program obviously has some algorithmic test of the key validity. MS blew it by making this space so promiscuously large that a 20,000 key/hour guesser could crack it.
Some drink at the fountain of knowledge. Others just gargle.
I just don't believe it. Validation time delays, and long cooling-off periods after too many unsuccessful attempts are such elementary security that I honestly can't believe Microsoft overlooked it.
Maybe maybe maybe one lucky hacker hit the jackpot and scored one key once or something like that.
I don't believe for an instant that a brute-force attack on a 25-digit number is going to score many legitimate activation keys that a) have actually been shipped to real customers and b) have not yet been used. There are only a few billions of people in this great world, and there are an awful lot of 25-digit numbers.
How many brute-force tries were they able to make? Let's say a billion. If they were able to get even one key by brute force in a billion tries, then one-in-a-billion 25-digit numbers must be valid activation keys, or 1^16. If there are ten billion extant copies of Vista, then the chances that a valid key has already been assigned would be one in a million.
So, of every key found by hackers using brute force, only one in a million will collide with an already-issued key.
No, this will not be a customer-relations nightmare for Microsoft, regardless of whether they elect to be nice or nasty when it happens.
"How to Do Nothing," kids activities, back in print!
They don't know who the legitimate customers are. If they just hand out keys to everyone and anyone, what was the point of the system in the first place?
I couldn't find the download. People on Slashdot seem to be unusually confused about how this thing works - even those who claimed to read the article. I didn't find the article/method very confusing, but I don't know enough about Vista to tell if it COULD work or not. Are people confused because someone made something up that cannot work? There are other cases where evil people have distributed trojans this way.
Is this a HOAX?
Isn't that by definition, Linux?
Is it possible to create a program that simply activates Vista licenses? -- I mean, without having Vista at all. Just connects to MS and attempts to activate keys, all day long.
It would be like a DOS on the licensing mechanisms.
AND having gone to the site and read through the ENTIRE thread on their forums;
What we have here is a random number/letter guesser. It's basically a VB Script that guesses random numbers and letters in a string that is the same length as a Vista Key, then inserts it into the registry, overwriting the existing Vista key. You use Magic Jellybean to check when the key has changed, and then manually check it against MS's activation service. Really this is little more than a person manually sitting down and making key guesses. This is why it's called a "Brute Force" attack. There is no intelligence (ie: an algorithm) behind the key guesses at all.
That said, because it IS so simple, it's almost impossible for MS to defend against, since they can't just "ban" any keys made by it like they would a traditional algorithmic keygen. Also, there is an improved version of it posted as source on the boards there, so if you want to take a peek at the code you can.
Here is a link to the forum post in question: http://keznews.com/forum/viewtopic.php?t=2634
Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
Prepare for a patch which forces a cooling period for local key changes...
From the summary, quoting the article:
Hell of a nice strawman. Nice job.
Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
i mean... they continue to spread windows...
want the new windows version? don't have 500 euros? well, you can always find serials... just as in lots of computer-games.
or like everybody said "well, what's the point with hdmi/drm? it will be cracked!"... well, maybe tcpa will teach something, in this case.
i don't think this is the solution. it leads to more piracy and -worse- more windows users.
we'll see when everybody has to pay 300 or more euros for their windows copy, 'cause their 1-year warranty has expired and their computer "is not working".
microsoft knows this, and of course they permit this.
and please, don't come out with "nothing can be cracked". there are systems which are not yet cracked, for example final fantasy cd-keys, or guild wars ones (they are games, but that doesn't matter). If someone today buys a computer, he can permit himself a 5-minute-gprs-or-whatever connection to verify the licence code.
governments should fine big companies that still permit this, when there are known systems that are not that easy-crackable. or at least should not permit those companies to fine a single user for having used an illegal key...
As I pointed out in the post above the chance of a randomly generated working activation key colliding with a legitimate key is probably worse odds than 1 in a trillion. So this will probably never ever happen by chance.
However, chance might not play a role here. Given this colossal stupidity one also assumes they did something dumb like make the decoded keys have some sort of sequential pattern too, so given enough keys one might be able to figure out how to actually generate keys directly. In that case MS will have a problem with the key-collisions with legitimate keys because people could deliberately generate those.
Why would deliberately generating legitimate keys be a good idea for a cracker? Well, if you do generate a random activation key, it will activate the product but Microsoft will also be able to determine that it's one that it did not issue. So the moment Vista phones home or you try to do a system update, or install any piece of software from MS that can check the key (e.g. Office), Microsoft is gonna shut your genuine ass down. On the other hand if you were to generate a key that coincided with a legitimate key, then MS won't know you filched it. So there's an incentive to see if MS also made the patterns predictable.
You could of course try to live offline, but that level of piracy is not a threat to MS.
All that said my guess is that this is not possible. If I were creating these keys what I would have done would be to use public key encryption. I'd take the integers 1 to 1 billion, and encrypt them with my private key. Then the Vista copy carries the public decode key. To validate, the Vista installer decrypts the user supplied key. If it's a number between 1 and 1 billion, you've been validated. MS can now issue up to 1 billion copies of the software with distinct keys.
Some drink at the fountain of knowledge. Others just gargle.
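The server-side scheme several comments above describe (keys that carry a cryptographic tag, a lookup against the database of issued keys, and cool-off periods after failed attempts), as an added Python example that is not part of the thread and not Microsoft's implementation. It assumes an HMAC as a stand-in for the public-key signature, so the tag is checked only on the server; the class, key format, status strings and limits are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets

SERIAL_BYTES = 8   # random serial number, 64 bits
TAG_BYTES = 8      # truncated MAC over the serial, 64 bits
MAX_FAILS = 3      # consecutive failures allowed before a cool-off
BASE_LOCK = 60     # first cool-off in seconds; doubles on each further failure


def expected_years_to_guess(key_bits, issued, guesses_per_hour):
    """Average time for blind guessing to hit any one issued key."""
    return (2 ** key_bits / issued) / guesses_per_hour / (24 * 365)


class ActivationServer:
    """Hypothetical activation service; not any vendor's real design."""

    def __init__(self, signing_key):
        self._signing_key = signing_key
        self._issued = {}    # key -> client that activated it (None = unused)
        self._clients = {}   # client -> [consecutive failures, locked_until]

    def _tag(self, serial):
        # Assumption: HMAC stands in for the private-key signature.
        mac = hmac.new(self._signing_key, serial, hashlib.sha256)
        return mac.digest()[:TAG_BYTES]

    def issue_key(self):
        serial = secrets.token_bytes(SERIAL_BYTES)
        raw = serial + self._tag(serial)
        key = base64.b32encode(raw).decode().rstrip("=")   # 26 characters
        self._issued[key] = None
        return key

    def _tag_ok(self, key):
        """Algorithmic check: does the key carry a valid tag?"""
        try:
            raw = base64.b32decode(key + "=" * (-len(key) % 8))
        except ValueError:
            return False
        if len(raw) != SERIAL_BYTES + TAG_BYTES:
            return False
        serial, tag = raw[:SERIAL_BYTES], raw[SERIAL_BYTES:]
        return hmac.compare_digest(tag, self._tag(serial))

    def activate(self, client, key, now):
        state = self._clients.setdefault(client, [0, 0.0])
        if now < state[1]:
            return "throttled"            # still cooling off, key not examined
        key = key.strip().upper()
        # A key must pass the tag check AND be one that was actually issued.
        if self._tag_ok(key) and key in self._issued:
            owner = self._issued[key]
            if owner in (None, client):
                self._issued[key] = client
                state[0] = 0
                return "activated"
            return "already-activated"    # duplicate use: hand off to support
        state[0] += 1
        if state[0] >= MAX_FAILS:
            state[1] = now + BASE_LOCK * 2 ** (state[0] - MAX_FAILS)
        return "rejected"


if __name__ == "__main__":
    server = ActivationServer(b"constructed-demo-secret")
    good = server.issue_key()
    print(server.activate("pc-1", good, now=0))
    for t in range(4):
        print(server.activate("pc-2", "A" * 26, now=t))
    print("%.1e years" % expected_years_to_guess(128, 10**9, 20000))
```

Per-client cool-offs only slow a single guesser; against guessing spread over many machines, the protection comes from the key length and the issued-key lookup.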
C'mon, let's give'em credit.. their PR isn't as bad as Sony's!
Misleading titles? Inflammatory blurbs? Keep in mind that Slashdot is a tabloid.
You must be new here.
The days of the digital watch are numbered.
If Vista is such a piece of crap, why bother trying to pirate it? Also, if the claimed numbers of pirated copies of Windows out there are anywhere close to the truth, could the problems those people have be the result of not being able to patch and update their software? Are some people really blaming MS in many cases because their software won't work right when pirated? I ask this because a) some keep saying it is crap, b) I have owned a variety of machines over the years and I never really had the kinds of problems people complain about (nor have my friends and family) and c) every OS I've used has shortcomings and annoyances.
Sorry, that's their EULA. You have two choices when you purchase anything M$, return the package unopened for a full refund or use it.
That may be the case in the US, but in the UK things work slightly differently. If I buy a copy of Vista from a store and it is faulty, for whatever reason, I can return it to the store for a full refund or a replacement. The legalese is "fit for purpose" and "of merchantable quality". Clearly, a copy of Vista with an invalid licence key is not fit for purpose.
Incidentally, most of the big shrinkwrap software stores in the UK try to get out of doing this if they can. Just be persistent.
"I realise this is not a very popular opinion but it's the truth, and therefore needs to be said" -Bill Hicks
Does a chair count as brute force?
Never hoped to see it in this context, though.
If the problem is "small" just track it and write off the loss.
If the problem is large:
Have people caught up in the duplicate-key mess photograph their Windows Vista packaging with the key showing in the photograph and send it in.
For the related problem of duplicate OEM keys, photograph the machine and mail in the make, model, and serial # of the machine and/or the name of the store you bought the license from. This won't help as much with tracking "manila envelope" licenses as those can be traded willy-nilly before the envelope is opened, but it will help with licenses that are assigned to particular manufacturers.
Give "ownership" to the person with the most convincing photo or purchase history. For the other claimants, if you are nearly 100% sure they are illegitimate sue them or make them provide personal information to get a "new, legal key, on the house" otherwise write off the loss. Pirates aren't as likely as people who think they are legitimate buyers to give out their name and address. If they balk, make a decision: do you want to risk being wrong and wind up in court and lose and get a PR black eye, or do you want to stand by your guns? If you aren't nearly 100% sure, just write it off.
In any case, if you don't immediately activate the product, at least activate it for 30 days while you decide what to do.
Even better - scrap the whole activation thing.
In the future, software will be delivered electronically and every copy will be uniquely watermarked. Yes, you can watermark compiled computer code by inserting NOPs, replacing operations with equivalent operations, etc. Of course this isn't as simple as it sounds as addresses get moved around, but it's doable.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Well, the whole point is that you CANNOT read from the article how exactly the program works. To find that out you'd have to debug the program or read its source code. Anyone with a link to the source code?
I can see a similar discussion being had about Vista. Home use, they're plugging on ... well, the only reason I'm considering it is my favourite game is going DirectX 10. But the cost of a new license if you _don't_ pay microsoft tax is pretty outrageous, so I might just not bother.
However for the 'average corp' the upgrade drive is just ego as suits want the 'newest thingy'.
Thanks to recent developments, linux is just about becoming a viable alternative, as being 'end user friendly'. *shrug* Too many companies are blinkered to the alternatives, but might notice a cost comparison of e.g. 30k users running a well supported linux, vs. 30k users running Vista.
To make matters worse, Microsoft will have to decide if it is worth it to allow people to take back legit keys that have been hijacked, or tell customers to go away, we have your money already, read your license agreement and get bent, we owe you nothing.'"
-1 troll much?
DRM fails for the same reason gun laws fail - the criminals can and will skate around it effortlessly, and the legit users get screwed.
You can get 15 minutes of fame, but you can go down in history for infamy.
It would be nice if people who tell these kinds of stories would name the offending party so that the rest of us can avoid them...
Does this mean that vendors are going to make the pesky product keys even longer? Companies will have to hire data-entry staff just to key them in.
Table-ized A.I.
.. modified the existing VB Script file that was supplied with Vista. More fool MSFT for supplying the code in source form.
http://www.rense.com/general79/wdx1.htm
MS is not stupid. They want this OS to be on all computers. Their goal is world domination. That is why this is happening. It makes Billy happy to have winblows on another machine.
I saw one at a LAN party that had every copy of windows, every copy of office, and a whole bunch of Microsoft products.
You would set it and forget it. It would generate a key, test it and then if it was good put it in a log file, if it was bad it would attempt to generate another.
This kid had a list of probably 1000 WinXp pro keys that had generated just because he was bored.
There are keygens for the last two versions of MS Office and also for Windows XP. This is nothing new.
I work for Microsoft, yeah, really I do, I really cannot believe we shipped with a VB Script file that is part of the ACTIVATION!!! WTH are the Windows and SWI (Secure Windows Initiative - an internal team with focus on security) thinking! Did they actually threat model this feature? Did it get signed off by the SWI team? WTH are they smoking. This file should not have gotten signed off and should have been in the threat model and added as a TwC Product Studio item. How the hell can anybody take this company seriously. What a fucking joke the Windows and SWI team are. (I'm not on the Windows or SWI team but we have to threat model our features and get signed off by the SWI team). Fucking ass clowns. I won't even purchase our own Vista product at employee pricing, and I really cannot recommend it to anybody. I really hope they do a huge distributed effort to generate a lot of valid keys. Activation is a pain in the arse as we all know and nobody wants it. We can't even get it working right, securing it and then we have the cheek to tell people that they are thieves? Come on.
or Irony or whatever.
If you need the equivalent of a Cray to run Vista, then it's going to be very efficient at Brute Forcing the keys.
I like it.
Once I was a four stone apology. Now I am two separate gorillas.
Someone made an alternate download link available http://www.sendspace.com/file/cy9sjx
Just because the checksum on the key may work, it has to be a key that was actually issued by MS for it to get activated. Lots of trial and error here.
When software licensing was based on the honor system.
Honestly this whole key activation thing seems more hassle than those stupid dongles used to verify your software. They used to plug into the parallel or serial port, now they plug into USB. Why can't we just have that, seems less problematic than the current scheme. Especially when you consider that a $4 dongle won't cut into the profits of a $100 OS as badly as 20 minute tech support calls do (which generally cost a company $30 to $150 each)
“Common sense is not so common.” — Voltaire
As an American, I can tell you that 'fuckwit', 'bastard', 'cunt', 'moron', 'dickhead' and 'shit for brains' are all in common use here in the States. If you really want to sound British, use 'wanker', 'tosser' or 'spanner'. Also, my limited experience with the BBC seems to indicate that 'Bloody Hell' is very popular in ye olde England.
This is too bad. I had hoped that the Windows Vista copy protection was solid. In fact I hope that all MS software copy protection is unbreakable and a pain in the butt. This way people will be forced to look at alternatives. At the moment Windows and other big software packages have the unfair advantage of being an expensive product that you can get for free (by pirating). If that was not possible people would have to consider other options like Linux or cheap shareware. I wrote more about it here: http://eriksrantsandraves.blogspot.com/2007/02/when-rolls-royce-cost-less-than-skoda.html
Why I think pirating is immoral and bad for the economy.
I had a MSDN subscription that had already been activated. MS reps passed me off in a circular queue for a couple of weeks, going between their support department sending me back to the reseller, and the reseller sending them back to Microsoft. I had to literally threaten to sue them before they gave me a license key.
I was actually surprised how quickly I got results after I told them that I had decided to file a lawsuit. I was not exactly bluffing, but I also could not have taken it much farther than the initial filing. But I was ready to go to the US Court Of Claims to say that the retailer and Microsoft had together sold me a product which did not work and that both had refused to give me a refund. After certain certified letters reached certain individuals, I got a license key, and for a couple of months afterwards, received occasional calls from Microsoft support folks asking me if my problem was taken care of.
The lessons I learned:
1. Microsoft is in denial about their software security system.
2. Threatening to file a lawsuit against a corporation engenders prompt responses.
-fb Everything not expressly forbidden is now mandatory.
My last XP install lasted two years. It only lasted that long because I just built a new PC and transferred the OS to the new box.
this is really dull now. face facts, vista has shipped, it looks great, and it runs fine. Stop whining kids.
That they include it means nothing. It is pretty certain that, indeed, an EULA doesn't have legal force and can't make you give up rights you normally have. For example:
I work for a state institution which means in a way I am a part of the state. One of the requirements of the job is that I can't sign any contracts for the state. Anything that requires a signature has to be sent to legal (and we have a hell of a legal team). Employees can't agree to contracts directly. We have, on occasion, gotten software that comes with a written agreement. It is sent to the lawyers, almost totally rewritten, then sent back to the company (who is usually quite surprised). However we've been told not to worry about EULAs or click through agreements. We are allowed to just click ok and go on about our business.
Now why do you suppose that is? Well it is because the legal team believes that they have no legal force, and thus there's no problem. I'm going to guess they are right, they have to be very careful about protecting the state against things like that.
So MS can say in their EULA "We reserve the right to take this software away from you at any time," but that doesn't mean a judge will agree. You can still drag them to small claims court (it's quite cheap to file) and argue your case. If a judge agrees with you, they give you your money back.
You must be new here...
www.tdobson.net #### Dare to Dream #### blog.tdobson.net
How long before there is a worm developed which will hammer the Microsoft servers from zombie machines to grab license keys?
This signature is far too complex to have been created by chance.
And yet some companies have instituted the same thing with no anger from users.
Valve managed it, and the rather wonderful prevx malware finder program and SETI@home all require constant contact with home, for example.
The difference is that these systems deliver customer satisfaction because the phone home service is there as part of the service you require or wish to participate in. If you decide not to, you can quit and go elsewhere. Most people using windows don't see that they have a choice (yet).
Microsoft's problem is that their system is one of guilt assumption. They have it solely to check up on customers, it delivers no added value aspect to the consumer. That they say it does is part of the problem. It is for microsoft alone, it gives nothing back.
No-one cares about Microsoft's needs, that's human nature, we are all selfish unless giving something away brings a valued return. For them to expect that people would *want* to take part with no benefit to themselves is a pretty hefty misconception.
I find these issues with Vista interesting. I really do have no intention of ever buying it. I tried it with open mind, thinking I might get it if it brought something new I might like, but there was nothing that interested me. I didn't hate it, but saw nothing of use. It's nowhere near as useful as Linux for my needs, and if I feel a need for a commercial OS, well there's OsX.
OsX does interest me quite a bit. I've seen many presentations at conferences that were done with macs, and they look *so* good.
We shouldn't be measuring this in whether or not somebody can use their key if it's been cracked already but merely how many hoops is the average consumer going to have to jump through before MS gives up on the whole "activation key" thing or just "cancel/allows" on a case by case basis
What if someone writes a nice screen saver that constantly generates keys AND runs them past the MS servers? What if some group of people think this is funny and run that software all the time just to mess with MS? Just how often will a key be part of C set? It's a numbers game, and I don't know just how bad it is, I'm just asking.
Your crusade to stop car/computer analogies is like trying to get unionized American autoworkers to realize they're a big part of their own troubles.
In other words, it's just never going to happen.
Mac OS X and Windows XP working side by side to fight back the night.
So in theory, if a hacker learned how authentication worked, he could use a botnet to generate keys and activate them. Over time, you could activate a good percentage of Vista's keys. Granted, it would be a long time, but it could be done.
Boob isn't British though, try git or wanker.
-Charlie
This is absolutely no excuse. If you don't like the product or the price don't buy it. Get a Mac or use Linux instead.
Read the "Surviving the first day of Windows XP".
Quit downloading everything in your email. If you don't recognize the name, delete it.
Don't click "Yes" to every security certificate. You should accept Microsoft's, and that's it.
You don't require new cursors or smiley programs for your emails. The new "Hyper-Exelent Surf 3000 Toolbar by Lucky 88 Company" is not going to make your life easier. Likewise, if you want to know the weather, look outside or in your local paper.
PC Cleaning programs from pop-up ads don't work. Actually, anything advertised on the Internet should be considered fraudulent. (Yes, even "those" pills. They're just bull semen and corn starch.)
Get your programs from sourceforge, not from the first link on Google. Make sure that Spybot and Mike's adblocking are installed on your machine.
The people who write viruses have anti-virus programs to test their work on.
For the sake of whatever god you believe in, get a hardware firewall!
Run ShieldsUP! from grc.com to make sure that you're invisible.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
gets you modded a troll these days.
Throughout this thread there are comments that the authentication mechanism is evil, unnecessary and hurts users.
Just to play devil's advocate, it's not like Microsoft just arbitrarily decided for no particular reason that the authentication tool was a good idea. They make a for-profit commercial product. Lots and lots and LOTS of people are using it without paying. Whether it's copyright infringement or theft, they are faced with a problem - besides obtaining this product for free, all of these "users" will place a drain on Microsoft's support systems (such as bandwidth).
Historically they've simply sucked it up, and let these people continue to leech away, but they've put their foot down. What exactly are their options? Dongles? Cracked almost instantly. Serial number alone? Don't make me laugh. I'm not sure how else they would do this, other than to require that they validate the customer's serial number against white and black lists.
If people weren't working so very hard to make this commercial, for-profit product available for free, there would be no need at all for this system. It wouldn't exist.
Microsoft almost certainly sees this system as a necessary evil. If there were a better way, I'll bet they'd at least listen to it.
What this is going to mean is that Microsoft will toughen up WGA, putting more of a squeeze on legitimate users.
..your GPU (ATI or nVidia) to bruteforce search the keyspace. Just the other day, I read this article somewhere where AMD was demoing a teraflop PC. You could generate keys for family and friends and give them out as stocking stuffers for Christmas. I think MS should seriously consider dropping the retail/OEM price to some trivial cost point so nobody pirates Vista (or Office). God forbid somebody brute forces Ubuntu activation keys and the herd moves in that direction.
wow WAHa, lurk moar
I've been doing IT work for only 9 years now. I don't know about anyone else, but I've seen a MAC address conflict on a small network (100 network devices), and the cards were from different manufacturers (IBM and Kingston, from what I remember). When I told a colleague about the conflicts he didn't believe me until he saw it himself, so I don't see product key clashes as impossible or even improbable.
I can see it now: thousands of computers worldwide activating keys, just to make life miserable for Microsoft and users.
I've got a bunch of VM's that can be devoted to the project.
INPUT: raw code, watermarking function, entropy, signing algorithm and keys
OUTPUT: watermarked code with digital signature
Imagine a world 10 years from now with 100,000,000 million copies of the latest version of Windows, each with the same subset of key files that have been watermarked and signed. Suppose one of those files is cmd.exe. Barring breaking into Microsoft, good luck creating a signed, de-watermarked copy of it.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
You made this threat while Bush & the Republican dominated Congress was in power, didn't you?
:)
:)
With them in power no court in the land would punish MicroSoft for that. Plus you'd be hauled away as a terrorist. After all, you said 'threatened'.
Just kidding!!! No, really, congrats. Now do the right thing and upgrade to Ubuntu or Fedora.
--- Grow a pair, liberals... stop letting the Republicans bully you!
No operating system has a right to keep phoning home for permission to continue operating.
Why not inflict changes in the OS that will bypass this routine?
All code can be bypassed. All code. The problem is finding where the activation checks are.
--- Grow a pair, liberals... stop letting the Republicans bully you!
Last time I saw the info, Vista only allowed 3 activations. I'd kill that in less than a year on any of my machines. More if I had to call a major vendor tech support and their parallel installs fix virtually everything attitudes.
So let's see how your logic works:
You've installed and activated once. (2 remaining)
Someone steals your key, once. (1 remaining)
You take it back by re-activating. (0 left)
Your machine goes toastie. (virus, hd failure, Dell told you to reinstall os, etc). You don't have any activations left. You are screwed. Go buy a new copy of Vista, Billie G goes "Cha-Ching!".
Not exactly viable in the real world, now is it....
This article is total BS. I have no doubt that keys that pass the LOCAL validation can be pretty easily guessed. However, this is irrelevant to the issue of key collision which is all about WGA and validation through MS's servers.
MS can easily keep a second smaller list of the keys that have actually been given out. Then maybe once a day check to see if the key your brute force hack found is a real valid key or just a possible but non-issued key. If so then reset your software to non-genuine.
In short because the real security mechanism is the online verification MS has complete control over throttling requests and monitoring people who try many keys so this worry just doesn't stand up.
If you liked this thought maybe you would find my blog nice too:
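The server-side control the comment above describes (a list of keys actually given out, plus throttling and monitoring of clients that try many keys), as an added example that is not part of the original post and is not Microsoft's activation service. The class names, thresholds and key strings are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

# All thresholds, key strings and client names below are constructed assumptions.
MAX_FAILURES = 3      # rejected keys allowed before lockouts begin
BASE_LOCKOUT = 60.0   # first lockout in seconds; doubles with each further failure
FLAG_THRESHOLD = 5    # rejected keys after which the client is flagged for review


@dataclass
class ClientState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class ActivationServer:
    issued: set                                     # keys actually given out
    activated: dict = field(default_factory=dict)   # key -> client bound to it
    clients: dict = field(default_factory=dict)     # client id -> ClientState
    flagged: set = field(default_factory=set)       # clients queued for review

    def activate(self, client, key, now):
        """Return 'ok', 'conflict', 'rejected' or 'throttled' for one request."""
        state = self.clients.setdefault(client, ClientState())
        if now < state.locked_until:
            # Refuse without looking at the key, so a locked-out client
            # learns nothing about whether the guess was issued.
            return "throttled"
        if key in self.issued:
            owner = self.activated.setdefault(key, client)
            if owner != client:
                # An issued key already bound to someone else is not handed
                # over automatically; the request goes to review instead.
                self.flagged.add(client)
                return "conflict"
            return "ok"
        # The key may pass a local format check but was never issued.
        # Failures are never reset in this sketch, so the lockout only grows.
        state.failures += 1
        if state.failures >= MAX_FAILURES:
            extra = state.failures - MAX_FAILURES
            state.locked_until = now + BASE_LOCKOUT * (2 ** extra)
        if state.failures >= FLAG_THRESHOLD:
            self.flagged.add(client)
        return "rejected"


def simulate_guesser(server, client, attempts, interval=1.0):
    """Replay a client sending one never-issued key every `interval` seconds."""
    tally = Counter()
    for i in range(attempts):
        tally[server.activate(client, f"GUESS-{i:05d}", i * interval)] += 1
    return tally


if __name__ == "__main__":
    server = ActivationServer(issued={"ISSUED-KEY-0001"})
    print(server.activate("alice", "ISSUED-KEY-0001", 0.0))
    print(server.activate("mallory", "ISSUED-KEY-0001", 1.0))
    print(dict(simulate_guesser(server, "bot", 3600)))
    print(sorted(server.flagged))
```

With one request per second for an hour, the doubling lockout means only a handful of the 3,600 guesses ever reach the issued-key check, and the guessing client ends up in the review set.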
Historically they've simply sucked it up, and let these people continue to leech away, but they've put their foot down.
Historically Microsoft has benefitted from the "pirate domain" because it reduced the demand for alternate operating systems. Why buy DR-DOS, OS-2, or BeOS even when they were cheaper than MS-DOS or Windows when you can get "the real thing" for free?
What exactly are their options?
Continue to let some tiny fraction of their immense profits slip through their fingers rather than risk upsetting the punters enough that switching starts to seem like the soft option.
"The person who brute force discovers and uses someone else's code is not the one causing their Copy of Windows to be invalidated. Microsoft is doing that."
These guys are making the choice to cheat other people for their own benefit. They are solely responsible. It's very likely that these same individuals are guilty of other crimes like phishing, identity theft, etc. They probably get a big laugh over the idea that people actually think they're doing it as blow for freedom or somesuch.
The GPL requires no management, nor does any other reasonable license, free, open, or proprietary. The honour system is perfectly functional in all ways for this problem.
LOL. Apple makes some great hardware. Stylish etc. That was the draw. And the Ooooh pretty flashy desktop wiz-bang-ness. I thought I would fall in love. Vista was just a cheap knock-off. I wanted a big display and needed a new PC anyways.
What happens when you hate Finder? Hate iTunes, have no use for the rest of iWhatever was pre-installed? I tried tons of 3rd party alternatives. At this point I'm pissed off. On the Mac it's "Hey man, it just fucking works (or else you are fucked)." It is a lack of configuration options. Little things that maybe I'm a nit-picker but I assumed I'd be able to edit/config somehow someway.
So I setup bootcamp with XP. It's amazing. 2GB RAM and wow is it ever slick on my 24" iMac display. Really incredible as far as XP is concerned. The first funny quirk, well Bootcamp isn't perfect and sometimes Windows locks up on boot. And Power control isn't so hot inside XP. I can't put the screen to sleep. I set the screensaver to go black. And when I woke up it was sitting on the desktop, screensaver was off. I don't know what/how/why, then the whole system was flakey, explorer wasn't responding, had to power cycle, keyboard and mouse quit working, etc...
So, now I'm going to try "rEFIt". It will allow a triple boot, XP, OSX, and Linux. Just finished downloading Kubuntu 6.10... I may just use it. But I dunno, not having a separate display that I can just hit the power button really really sucks! I know it's not all a lost cause yet. I plan to get the Apple dev tools and possibly kick their WM out and just use X11 or Xorg. It would be nice to be able to use both open source apps from a project like fink as well as native OSX type of apps in case I want to on the same Xserver.
But anyways. I'm a switcher. And I'm kind of pissed off. I'm still glad I didn't go to Vista. And if after more tweaking I decide I don't like my Mac, I can still fetch decent money for it on eBay and buy a PC and a separate LCD. I think of it in sort of a gnome/nautilus sort of way. They're nazi fascists. You don't have a choice in some things. And that's supposed to be a good thing. While XP was temperamental and had crappy security. If you spend enough time tweaking you can get it reasonably secure and stable. And I miss KDE. People say it's too confusing and too many options, etc. just like they said about linux. Yeah maybe it takes some more time and effort to tweak it. But I guess I'm picky because I'm used to having that level of control and tune-ability. I got used to MS for the sake of WinAmp and some stuff like it.
If I have to kick out the OSX WM and run opensource in order to get the level of control to where I can set it up how I like it. Then there was no point switching to OSX to begin with. This is sort of rambling and a little off topic, but not really, since everyone is bitching about MS and Vista and then saying oh buy a Mac or go linux. I dunno yet. But right now I'm leaning towards dual boot linux+XP, or go virtualize with Xen, or go linux and run XP via VMware. In all fairness I still have a lot of learning and experimenting before I give up on OSX. But as things are out of the box. Once the bling bling wears off I don't like it. And most of the apps it ships with I have no use for personally. And Dashboard and all that other stuff eats tons of RAM and the whole system can get sluggish. And I have 2GB, and I'm not upgrading to 3GB total and spending $550+ on a single 2GB module. Anyways. feedback FWIW...
The page you linked to doesn't actually support what you said.
:) But I think we need a link with info that applies to OEM/DSP and retail box keys.
It only talks about volume license users.
Just to clarify your first paragraph: are you saying that a computer with no internet connection which has Windows Home Basic pre-installed by Dell will require a phone call to Microsoft twice a year to keep working?
I understand you're just reporting what you heard at the launch event, so not trying to jump on your case personally.
I find it extremely silly that people object to the word "piracy." It has a specific meaning in context. It does not "demonize" copyright infringement in any way. It's not making any kind of statement. It's just an abbreviation, because "copyright infringement" is a lot of letters. It means the exact same thing. It's not implying anything else.
Objecting to equating copyright infringement with theft makes sense and is important.
Objecting to shorthand slang that is no more negative than the full phrase it stands for is a silly waste of time. (Much like this post I'm making now.)
Sorry folks. But the "Brute force" key generator is a hoax. A fraud. Just another attempt to get people to run a virus-infected file. And lots of people are falling for it.
But don't take my word for it. Download it for yourself. Included in the zip file are:
slmgr.vbs - an (allegedly) modified version of the program used to activate Windows. In reality it does nothing.
keyfinder.exe - supposedly the "Magic JellyBean" key finder but in reality a trojan.
The whole point of this scam is:
1. run slmgr.vbs (which in reality does nothing)
2. wait a few hours
3. run the keyfinder to see if a new key was generated and when you do -- *BAM* you're infected.
Anyone who claims that they generated a new key with this program is a liar and probably in on the scam.
I find it extremely silly that people object to the word "piracy." It has a specific meaning in context. It does not "demonize" copyright infringement in any way.
;)
You are ok with creating a distinction between infringement and theft, but think piracy which, in a lay person's mind, implies theft is ok? I think that is a tad silly.
I think the term piracy is demonization, to the extent that it suggests 'organized criminal activity', which really is the main threat to corporate interests.
ie - a group in china creating counterfeit MS windows discs complete with keys, and holographic stickers is a 'software pirate'.
Installing the copy of Windows XP Home edition that came with your dell into that used PC you got free from work when they upgraded the LAN might be infringement (though it might even be fair use despite the EULA) but it isn't 'software piracy'.
To really overdo it, lumping both those groups into one term and then saying piracy = copyright infringement is somewhat akin to grouping say 'people with brownish skin' and 'fundamentalist islamic extremists' into one group and then equating that with 'terrorists'. And absurd as it is, it happened, and so we end up with completely innocent people in secret prisons facing torture. Don't chew me out yet, because as over-the-top as that is, consider this:
In the world of 'piracy', we end up with computer illiterate elderly women being dragged through the courts on the presumption they owe the recording industry a few hundred million bucks for the remorseless and obscene damage they've dealt to these American mega-corporations.
cheers
*Why* do some people always seem to think that the best way to evaluate Linux is to attempt to install the latest (and most demanding) distros on some old heap of junk they have lying around? When there are LiveCD distros these days, there is NO REASON to not give Linux a whirl on your modern PC that you are currently using to run Windows. None!
Do you seriously think Vista would suck because it would fail to install on your old P3 500 (according to Microsoft, it doesn't meet minimum requirements)? Why the puzzlement that Linux's "latest and greatest" won't work on your crap, when I think you know darned well that Microsoft's "latest and greatest" wouldn't work, either.
Look at the tomato! Isn't it sad? He can't dance! Poor tomato!
MSFT has a lot of smart coders, and yet things like this keep happening. There are probably even many MSFT coders on this message board, don't they absorb some best practices? How is it they never learn?
What's the guess for time 'till trojan?
While I am not a MS fan I do think the statement above could legitimately be classified as "fear mongering". Microsoft is a business and one of the functions of a business is to satisfy (or at least look like they are trying to satisfy) their customers. I highly doubt that they would alienate a huge amount of their customer base over a few thousand or hundred thousand illegitimate activations. Doing so would be suicide on their part because it would spark a giant "Oh my god, what if that had been US" within the large business community that Microsoft serves. Large corporate customers would seriously start looking at alternatives because they would see a situation where they might potentially be left out in the cold should they buy a copy of Windows and its activation has already been used.
This is going to be a bad situation for Microsoft. But it's not going to cause them to tell their customers "screw off".
Anthony Papillion
Advanced Data Concepts, Inc.
"Quality Custom Software and IT Services"
In free society every other agency, government or otherwise needs a legal process be it search warrant or reasonable cause to enter my property and inspect my goods and chattels to see if they are stolen / are licensed.
It has been long determined that "plenty of people like you steal stuff, we're coming in to have a look round" is not sufficient legal grounds and that when agents act otherwise it is called "oppression".
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
just because the old lady is computer illiterate does not excuse her from not being knowledgeable about the law. As I painfully found out, even if a speed limit is not posted on stretches of road you have access(and can exit from) to it can still be enforced and it's your fault for not being informed about it.
copyright infringement is a pretty simple concept. if you didn't buy it, it's not yours to freely use. While that maxim doesn't encompass every case, it sure as heck covers lots of ground. Now, if the problem is the infringement is being pinned on an elderly lady when a family member actually engaged in the infringement, well, that just sucks. But that is why there is a court system in existence. people get charged with crimes and then declared not guilty all the time. it's part of the process.
Now, the real problem I have is with there not being a blanket law saying that if you sue someone and lose you are liable for their legal expenses. What the MPAA and RIAA do is extortion simply because it is cheaper to pay their 3 grand than get a lawyer and attempt to let the legal system work how it was intended to.
First of all, the author admits to never installing Vista, so why does he think that MS is screwed over all of this? He's obviously under the impression that Vista shares the same type of DRM structure of XP. Well, it's a bit different these days...
"If Microsoft decides to revoke that license because of something Pete Pirate did, who is at fault for Microsoft's actions - Pete or Microsoft ?"
Pete, of course. Pete knows that his actions will deny a legitimate user's use of the OS but goes ahead anyway.
"Or to put it another way: If you steal from me, and that makes me so angry that I kill a random bystander, does that make you a murderer ?"
Or to put it yet another way: If you implement a way to protect your IP and some random guy steals your customer's key, does that make you responsible for your customer's inability to run the software?
"Violating software's copyright may or may not be immoral, but in either case it in no way makes the violator responsible for the actions of the party who's copyrights were violated."
I can say something similar: Protecting your IP may or may not be immoral, but in either case in no way makes the vendor responsible for the actions of an individual who is pirating software.
See these analogies or restatements or our opinions prove nothing.
just because the old lady is computer illiterate does not excuse her from not being knowledgeable about the law.
True.
The difference is that speed limits were written with the intent that it apply even to ignorant drivers, and drivers who exceeded the limit even by accident, and the penalties reflect that. (There are a ton of problems with it, especially as we move to automatic enforcement, so don't get me wrong, I think speeding laws need a complete overhaul, but that's a separate argument.)
With copyright infringement however, this situation wasn't foreseeable; the laws were written mostly to combat organized criminal activity. And they were designed to scale up, so that large scale infringers got hit with massive fines.
It was unthinkable when the law was drafted that a little old lady could be completely unwittingly responsible for 10's of thousands of counts of copyright infringement, or that this could be a common everyday occurrence. Yet it's happened and these little old ladies are being targeted with lawsuits that would have been appropriate for large scale cd counterfeiting rings. They are entirely inappropriate for unwitting old women.
As for the RIAA/MPAA extortion tactics, they are wrong for TWO reasons. First, as you observed, the legal expenses involved are high, and it's much easier to settle than to fight. But ALSO, and more importantly, because the lawsuits being brought against these people are entirely inappropriate in the first place. And with hundreds of thousands of dollars on the line and few precedents the stakes are MUCH too high for the average person to gamble on the courts which must judge you based on the law, not on the appropriateness of the law.
For example, if the law were updated to state that it was illegal for an individual not part of an organized piracy ring to run a p2p app sharing copy protected works without authorization, and the fine was $100, $500, $1000, or $2000 or $5000 depending on the size of the collection and the circumstances, that would be appropriate. If a person was charged, and felt she was innocent, she could fight it. It would be small claims court and wouldn't cost that much. The **AA could still go after large file sharers with punishments high enough to act as real deterrent, but gross miscarriages of justice would be avoided.
Of course, much harsher penalties and laws would still exist for large scale organized criminal piracy.
It's interesting that you propose that hacking Vista will only make Microsoft more evil and cause them to lobby governments to make computer activities illegal and that these new laws will be brutally enforced by a police state.
The interesting part is that you propose open source software as the silver bullet against the tyranny of Microsoft. Using your logic, if the world started moving to OSS in a stampede, wouldn't Microsoft lobby to make OSS illegal? Will we ever see the headline "Microsoft Overturns The GPL!" on slashdot?
Please, enlighten me as to what you seem to think an end user of GPLed binaries is obligated to do.
"being there to enable OTHER programs to work" Is that part of the definition of an OS or what? I got one... is that like a stove allows you to cook food, but you don't actually eat the stove? "eating up network bandwidth and administration resources" You don't possibly manage a network, do you?