Slashdot Mirror
Vista Activation Cracked by Brute Force
Bengt writes "The Inquirer has a story about a brute force Vista key activation crack. It's nothing fancy; it's described as a 'glorified guesser.' The danger of this approach is that sooner or later the key cracker will begin activating legitimate keys purchased by other consumers. From the article: 'The code is floating, the method is known, and there is nothing MS can do at this point other than suck it down and prepare for the problems this causes. To make matters worse, Microsoft will have to decide if it is worth it to allow people to take back legit keys that have been hijacked, or tell customers to go away, we have your money already, read your license agreement and get bent, we owe you nothing.'"
Lots of botnets run on windows ... I wonder if they could be commanded to scan for license keys.
Tom
Someday, I'll have a real sig.
The commentator on the Inquirer Web site is obviously a total boob (trying to use a British-sounding insult). He's cheering theft which in its own right is sleazy. Worse, he seems to be happy that the legitimate and paying Windows Vista customers are going to be at best confused and worst case screwed because some idiot stole their key. I totally don't understand the bizarre perception that software thievs are somehow Robin-hood-like characters. They're the 21st century equivalent of pick-pockets.
I can understand the happiness a little.
If this truely starts to be a problem with legitimate users being bothered by having their keys taken, MS will have to loosen up activation. That would be a benefit to all legitimate users.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
"as someone who has worked on systems such as these (oh the inhumanity!) we have looked at this particular attack vector. Yes, it is possible. But, when you consider the size of the activation code domain (quadrillions or more of combinations), with the number of legitimate keys (hundreds of millions), and the fact that each request takes some amount of time (a few seconds), it's not too big of a risk. A risk? yes. But there are lots of risks. This is just another one to be put on the list, watched, and mitigated against (as others have said, with blocked IPs and so forth)."
Obviously someone else who didn't read either the article OR all the other user comments - no net connection required to generate the keys - the attempts to change the key are done locally; after a successful local key change, submit the new key for activation.
Blocked IPs won't do jack shit for such a scheme.
Also, you're not trying to find a specific key that works, just one of many, so even with a huge wrong-key space, you'll get a favourable collision with a valid key sooner, rather than later. Its like the same-birthday problem.
Or they could NOT loosen up activation, and it would be a hindrance to all legitimate users.
Slow Down, Cowboy! It's been 60 minutes since you last successfully posted a comment.
I don't see how this is possible, or credible speculation even for a company a evil as MS...
Sorry, that's their EULA. You have two choices when you purchase anything M$, return the package unopened for a full refund or use it. They do not and can not promise it will work and they are not responsible for the actions of others. They regard anything they do beyond the EULA a favor for which you should be grateful, just like they regard anything their software ever does for you. They think you should be so grateful that you do as they say. This is the nature of non free software. Your master may take care of you or they may not and those are the conditions you must agree to if you want to use non free software.
They don't trust you. They made the registration key in the first place to restrict the number of computers you can use before you pay them more. When you call and claim your key does not work, they can't tell the difference between you and someone who's shared their key. Once again, this is the nature of non free software.
Friends don't help friends install M$ junk.
The problem of generated keys and conflict with legit keys isn't new, so we already know what happens. The same existed for XP -- plus the added collison of dishonest OEM's selling one legit serial number to 100 different people who bought their computers with XP preinstalled -- and we already know what Microsoft chose: to not annoy the paying customers. What it did try to do was go after the OEM's who did that, but _not_ after the victims. The victim never had to do more than call an (automated) telephone number and get another key. It's always been that simple.
Yes, there have been some fucktards too historically, but MS was sane about it so far. I'm not saying they're saintly or anything, feel free to still be anti-MS if it makes you feel any better. Just that their sane. Even if you want to see them as some kind of super-willain, well, as super-villains go, MS was the _sane_ kind so far. The kind who's read the evil overlord's list, not the random lunatic kind. It knows when _not_ to do something that would damage itself very quickly.
Look, there are plenty of real reasons to whine about MS, no need to invent bullshit FUD scenarios. That kind of going into bullshit fantasy land, just to have something bad to say about MS, just damages the credibility of the real complaints.
A polar bear is a cartesian bear after a coordinate transform.
The irony is that this is an example where IP theft *is* actually taking the original out of commission.
Unlike duplicating an mp3, here the original copy is no longer usable. It isn't just making another copy for yourself and leaving the original functional.
But the victim is MS or their customers, so it must be ok.
In which case there will be lawsuits and EULA's will be challenged and a companies responsibility to it's consumers will be better defined. Sounds like a win-win scenario here, as much as anything in regards to this can be called a win.
Copyright infringement is not theft. It is immoral of you to deliberately misrepresent the issue by using loaded terminology.
Using Microsoft's services, such as Windows Update, could be considered theft. But that is theft from Microsoft, not from consumers.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
So you imagine he probably works for a non-commercial software company?
Regardless, its copyright infringement, not 'theft' and not 'piracy'. Its really quite simple, theft is when you physically take something that doesn't belong to you. Copyright infringement is, amongst other things, when you make a copy of something you aren't authorized too.
In fact in this case the real issue isn't even copyright infringement. Suppose I use this keygen on legally purchased software. What laws are being broken?
I didn't 'steal' your key, I happened to come up with the same number MS assigned to someone else independantly. Hell, I might have come up with the number before MS, which, if anything, would make it -my- intellectual property; and MS would be infringing my copyright by issueing you "my" key string.
Which is of course absurd.
When it's Microsoft's long costly lawsuit?
Sorry, couldn't resist.
In the end though, this sort of corporate behavior is hugely annoying. Microsoft rose to the top partly because it looked the other way on unlicensed use of it's products, and now that it's the standard, it's trying to lock down. Well, the problem is, now there is a huge group of people who have a vested interest in using that software for free, and there is no way that they're going to beat them using a purely technical solution...Crackers are proving that on a daily basis.
Smarter of them to leave things as they were.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
If I have nothing to hide, you have no reason to search me
The irony is that you think violations of IP is theft.
The person who brute force discovers and uses someone else's code is not the one causing their Copy of Windows to be invalidated. Microsoft is doing that.
This is a very important distinction.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I am *so* glad Linux has evolved to the point it is today. I still have an XP partition and probably will for a while, but why MS expects people to keep putting up with this "phone home" behavior is beyond me. XP still handles ACPI better than Linux, but I'm happy to trade off a little convenience for control of my own machine.
1 in 4 Maine children in struggle with hunger.
So wait... Microsoft is requiring you to run a server just to run their fucking operating system? It adds NO value whatsoever to the company using it, yet takes their electricity, time and resources to maintain? Does that sound absolutely asinine to ANYONE else? Wouldn't a CTO/CIO be slightly annoyed at having to allocate extra resources just to run an operating system whose only real function is to allow the real work to get done?
My blog. Good stuff (when I remember to update it). Read it.