Slashdot Mirror
Vista Activation Cracked by Brute Force
Bengt writes "The Inquirer has a story about a brute force Vista key activation crack. It's nothing fancy; it's described as a 'glorified guesser.' The danger of this approach is that sooner or later the key cracker will begin activating legitimate keys purchased by other consumers. From the article: 'The code is floating, the method is known, and there is nothing MS can do at this point other than suck it down and prepare for the problems this causes. To make matters worse, Microsoft will have to decide if it is worth it to allow people to take back legit keys that have been hijacked, or tell customers to go away, we have your money already, read your license agreement and get bent, we owe you nothing.'"
Lots of botnets run on windows ... I wonder if they could be commanded to scan for license keys.
Tom
Someday, I'll have a real sig.
The commentator on the Inquirer Web site is obviously a total boob (trying to use a British-sounding insult). He's cheering theft which in its own right is sleazy. Worse, he seems to be happy that the legitimate and paying Windows Vista customers are going to be at best confused and worst case screwed because some idiot stole their key. I totally don't understand the bizarre perception that software thievs are somehow Robin-hood-like characters. They're the 21st century equivalent of pick-pockets.
I can understand the happiness a little.
If this truely starts to be a problem with legitimate users being bothered by having their keys taken, MS will have to loosen up activation. That would be a benefit to all legitimate users.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
"as someone who has worked on systems such as these (oh the inhumanity!) we have looked at this particular attack vector. Yes, it is possible. But, when you consider the size of the activation code domain (quadrillions or more of combinations), with the number of legitimate keys (hundreds of millions), and the fact that each request takes some amount of time (a few seconds), it's not too big of a risk. A risk? yes. But there are lots of risks. This is just another one to be put on the list, watched, and mitigated against (as others have said, with blocked IPs and so forth)."
Obviously someone else who didn't read either the article OR all the other user comments - no net connection required to generate the keys - the attempts to change the key are done locally; after a successful local key change, submit the new key for activation.
Blocked IPs won't do jack shit for such a scheme.
Also, you're not trying to find a specific key that works, just one of many, so even with a huge wrong-key space, you'll get a favourable collision with a valid key sooner, rather than later. Its like the same-birthday problem.
Or they could NOT loosen up activation, and it would be a hindrance to all legitimate users.
Slow Down, Cowboy! It's been 60 minutes since you last successfully posted a comment.
I don't see how this is possible, or credible speculation even for a company a evil as MS...
Sorry, that's their EULA. You have two choices when you purchase anything M$, return the package unopened for a full refund or use it. They do not and can not promise it will work and they are not responsible for the actions of others. They regard anything they do beyond the EULA a favor for which you should be grateful, just like they regard anything their software ever does for you. They think you should be so grateful that you do as they say. This is the nature of non free software. Your master may take care of you or they may not and those are the conditions you must agree to if you want to use non free software.
They don't trust you. They made the registration key in the first place to restrict the number of computers you can use before you pay them more. When you call and claim your key does not work, they can't tell the difference between you and someone who's shared their key. Once again, this is the nature of non free software.
Friends don't help friends install M$ junk.
The problem of generated keys and conflict with legit keys isn't new, so we already know what happens. The same existed for XP -- plus the added collison of dishonest OEM's selling one legit serial number to 100 different people who bought their computers with XP preinstalled -- and we already know what Microsoft chose: to not annoy the paying customers. What it did try to do was go after the OEM's who did that, but _not_ after the victims. The victim never had to do more than call an (automated) telephone number and get another key. It's always been that simple.
Yes, there have been some fucktards too historically, but MS was sane about it so far. I'm not saying they're saintly or anything, feel free to still be anti-MS if it makes you feel any better. Just that their sane. Even if you want to see them as some kind of super-willain, well, as super-villains go, MS was the _sane_ kind so far. The kind who's read the evil overlord's list, not the random lunatic kind. It knows when _not_ to do something that would damage itself very quickly.
Look, there are plenty of real reasons to whine about MS, no need to invent bullshit FUD scenarios. That kind of going into bullshit fantasy land, just to have something bad to say about MS, just damages the credibility of the real complaints.
A polar bear is a cartesian bear after a coordinate transform.
The irony is that this is an example where IP theft *is* actually taking the original out of commission.
Unlike duplicating an mp3, here the original copy is no longer usable. It isn't just making another copy for yourself and leaving the original functional.
But the victim is MS or their customers, so it must be ok.
In which case there will be lawsuits and EULA's will be challenged and a companies responsibility to it's consumers will be better defined. Sounds like a win-win scenario here, as much as anything in regards to this can be called a win.
Copyright infringement is not theft. It is immoral of you to deliberately misrepresent the issue by using loaded terminology.
Using Microsoft's services, such as Windows Update, could be considered theft. But that is theft from Microsoft, not from consumers.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
So you imagine he probably works for a non-commercial software company?
Regardless, its copyright infringement, not 'theft' and not 'piracy'. Its really quite simple, theft is when you physically take something that doesn't belong to you. Copyright infringement is, amongst other things, when you make a copy of something you aren't authorized too.
In fact in this case the real issue isn't even copyright infringement. Suppose I use this keygen on legally purchased software. What laws are being broken?
I didn't 'steal' your key, I happened to come up with the same number MS assigned to someone else independantly. Hell, I might have come up with the number before MS, which, if anything, would make it -my- intellectual property; and MS would be infringing my copyright by issueing you "my" key string.
Which is of course absurd.
When it's Microsoft's long costly lawsuit?
Sorry, couldn't resist.
In the end though, this sort of corporate behavior is hugely annoying. Microsoft rose to the top partly because it looked the other way on unlicensed use of it's products, and now that it's the standard, it's trying to lock down. Well, the problem is, now there is a huge group of people who have a vested interest in using that software for free, and there is no way that they're going to beat them using a purely technical solution...Crackers are proving that on a daily basis.
Smarter of them to leave things as they were.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
If I have nothing to hide, you have no reason to search me
If the problem is "small" just track it and write off the loss.
If the problem is large:
Have people caught up in the duplicate-key mess photograph their Windows Vista packaging with the key showing in the photograph and send it in.
For the related problem of duplicate OEM keys, photograph the machine and mail in the make, model, and serial # of the machine and/or the name of the store you bought the license from. This won't help as much with tracking "manila envelope" licenses as those can be traded willy-nilly before the envelope is opened, but it will help with licenses that are assigned to particular manufacturers.
Give "ownership" to the person with the most convincing photo or purchase history. For the other claimants, if you are nearly 100% sure they are illegitimate sue them or make them provide personal information to get a "new, legal key, on the house" otherwise write off the loss. Pirates aren't as likely as people who think they are legitimate buyers to give out their name and address. If they balk, make a decision: do you want to risk being wrong and wind up in court and lose and get a PR black eye, or do you want to stand by your guns? If you aren't nearly 100% sure, just write it off.
In any case, if you don't immediately activate the product, at least activate it for 30 days while you decide what to do.
Even better - scrap the whole activation thing.
In the future, software will be delivered electronically and every copy will be uniquely watermarked. Yes, you can watermark compiled computer code by inserting NOPs, replacing operations with equivalent operations, etc. Of course this isn't as simple as it sounds as addresses get moved around, but it's doable.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The irony is that you think violations of IP is theft.
The person who brute force discovers and uses someone else's code is not the one causing their Copy of Windows to be invalidated. Microsoft is doing that.
This is a very important distinction.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I am *so* glad Linux has evolved to the point it is today. I still have an XP partition and probably will for a while, but why MS expects people to keep putting up with this "phone home" behavior is beyond me. XP still handles ACPI better than Linux, but I'm happy to trade off a little convenience for control of my own machine.
1 in 4 Maine children in struggle with hunger.
And yet some companies have intituted the same thing with no anger from users.
Valve managed it, and the rather wonderful prevx malware finder program and SETI@home all require constant contact with home, for example.
The difference is that these systems deliver customer satisfaction because the phone home service is there as part of the service you require or with to participate in. If you decide not to, you can quit and go elsewhere. Most people using windows don't see that they have a choice (yet).
Microsofts problem is that their system is one of guilt assumption. They have it solely to check up on customers, it delivers no added value aspect to the consumer. That they say it does is part of the problem. It is for microsoft alone, it gives nothing back.
No-one cares about microsofts needs, that's human nature, we are all selfish unless giving something away brings a valued return. For them to expect that people would *want* to take part with no benefit to themselves is a pretty hefty misconception.
I find these issues with Vista interesting. I really do have no intention of ever buying it. I tried it with open mind, thinking I might get it if it brought something new I might like, but there was nothing that interested me. I didn't hate it, but saw nothing of use. It's nowhere near as useful as Linux for my needs, and if I feel a need for a commercial OS, well there's OsX.
OsX does interest me quite a bit. I've seen many presentations at conferences that were done with macs, and they look *so* good.
So wait... Microsoft is requiring you to run a server just to run their fucking operating system? It adds NO value whatsoever to the company using it, yet takes their electricity, time and resources to maintain? Does that sound absolutely asinine to ANYONE else? Wouldn't a CTO/CIO be slightly annoyed at having to allocate extra resources just to run an operating system whose only real function is to allow the real work to get done?
My blog. Good stuff (when I remember to update it). Read it.
Can you imagine the store demanding you go to them or call them and show them your receipt of the products you bought from them? No, I cant imagine that happening ether but this is the way software companies expects you to behave.
http://www.rense.com/general79/wdx1.htm