Slashdot Mirror

← Back to Stories (view on slashdot.org)

Vista Activation Cracked by Brute Force

Posted by Zonk on from the disturbance-in-the-force dept.

Bengt writes "The Inquirer has a story about a brute force Vista key activation crack. It's nothing fancy; it's described as a 'glorified guesser.' The danger of this approach is that sooner or later the key cracker will begin activating legitimate keys purchased by other consumers. From the article: 'The code is floating, the method is known, and there is nothing MS can do at this point other than suck it down and prepare for the problems this causes. To make matters worse, Microsoft will have to decide if it is worth it to allow people to take back legit keys that have been hijacked, or tell customers to go away, we have your money already, read your license agreement and get bent, we owe you nothing.'"

4 of 470 comments (clear)

  1. Really? by gadzook33 · · Score: 0, Redundant

    It seems unlikely that MS really screwed up this badly. Even given unfettered access to the key validation, it's trivial to construct a scheme wherein the odds of coming up with even a single valid key are essentially zero. If the scheme includes additional hashing to increase the work required plus a large enough key space, you're simply not going to find one.

  2. Many collisions with legit keys? I doubt it. by dpbsmith · · Score: 0, Redundant

    I just don't believe it. Validation time delays, and long cooling-off periods after too many unsuccessful attempts are such elementary security that I honestly can't believe Microsoft overlooked it.

    Maybe maybe maybe one lucky hacker hit the jackpot and scored one key once or something like that.

    I don't believe for an instant that a brute-force attack on a 25-digit number is going to score many legitimate activation keys that a) have actually been shipped to real customers and b) have not yet been used. There are only a few billions of people in this great world, and there are an awful lot of 25-digit numbers.

    How many brute-force tries were they able to make? Let's say a billion. If they were able to get even one key by brute force in a billion tries, then one-in-a-billion 25-digit numbers must be valid activation keys, or 1^16. If there are ten billion extant copies of Vista, then the chances that a valid key has already been assigned would be one in a million.

    So, of every key found by hackers using brute force, only one in a million will collide with an already-issued key.

    No, this will not be a customer-relations nightmare for Microsoft, regardless of whether they elect to be nice or nasty when it happens.

    --

    "How to Do Nothing," kids activities, back in print!

  3. Re:Er... by uberjoe · · Score: 0, Redundant

    Why not actually try to read the article to see how the program works?

    I wonder who the hell thought this should be modded funny...

    You must be new here.

    --

    The days of the digital watch are numbered.

  4. Re:MS would owe at least the key by clontzman · · Score: 0, Redundant

    No, it's theft. If you guess at the barcode for a Ticketmaster "print at home" ticket to successfully hijack one I purchased and use it to get into the show before I can scan mine in, you've stolen my ticket. How's this any different?