Vista Activation Cracked by Brute Force
Bengt writes "The Inquirer has a story about a brute force Vista key activation crack. It's nothing fancy; it's described as a 'glorified guesser.' The danger of this approach is that sooner or later the key cracker will begin activating legitimate keys purchased by other consumers. From the article: 'The code is floating, the method is known, and there is nothing MS can do at this point other than suck it down and prepare for the problems this causes. To make matters worse, Microsoft will have to decide if it is worth it to allow people to take back legit keys that have been hijacked, or tell customers to go away, we have your money already, read your license agreement and get bent, we owe you nothing.'"
From the article summary:
I don't see how this is possible, or credible speculation even for a company as evil as MS is perceived on Slashdot. I'm no MS fanboy, but I've had reasonable "service" from MS on issues of keys to activate my machines under some unusual circumstances.
This may get sticky for MS, but for goodness sake we've got to find better bashing material on MS (and I believe there be plenty) if we want to maintain any street cred. There's no WAY MS won't be giving license keys to legitimate purchasers of XP (especially considering the vast majority are pre-activated shelf-delivered versions).
(Aside: pure speculation on my part, but one of the most glaring weaknesses of this "claim" may be the notion of brute force, and that that is even a possible approach. Most validation handshakes require a reasonable length of time between attempts to circumvent brute force attacks... if it takes one second between attempts for billions of combinations, you're going to eventually be activating an obsolete OS. Further, after 3 or 4 incorrect attempts, any validation scheme worth its salt will quiesce for some longer inconvenient time... requiring a "cooling off" period before one can make further attempts. This story falls under the heading of "I heard someone say they knew someone whose sister's brother has figured out a Vista activation hack..." Sigh.)
All Microsoft has to do is block the IP address that is requesting thousands of activations on separate, invalid keys per second.
Slow Down, Cowboy! It's been 60 minutes since you last successfully posted a comment.
I can see it now: thousands of computers worldwide activating keys, just to make life miserable for Microsoft and users. It could be called the "annoy Microsoft Windows Users at home" project.
I Am My Own Worst Enemy
I guarantee you MSFT will release a patch to reorder license keys or figure out some other solution. If you were the largest software company in the world, and you had a product that was being touted as "more expensive than switching an entire IT department to OSX", wouldn't you?
-- http://www.criticalassets.com
Seems to me like a great opportunity for a shakedown. "We are sorry, but we cannot help you until we finish an investigation into your software licensing. If you need access you will have to purchase a new copy". They get to play like they are helping by paying a few MS shills to talk about how their cracked license recovery process was quick and painless and they don't understand anyone's complaints. Then they get to scare people into walking away and buying new copies!
I don't have problems with any number of copy protection schemes. Granted they can eventually be defeated almost without fail, but it does raise the bar for the effort. PS disc error thing I think was a fairly clever method for example. I don't even really mind CD keys too much, although it's irritating as hell to lose whatever they happened to write the code on (Is it too much to ask to print it on the damned disc?). But I absolutely refuse to touch any piece of software that requires some online activation type crap.
The only change I can believe in is what I find in my couch cushions.
Registration of new users is temporary disabled! Try again later.
----- You know you have ego issues when you register a domain in your name.
To make matters worse, Microsoft will have to decide if it is worth it to allow people to take back legit keys that have been hijacked, or tell customers to go away, we have your money already, read your license agreement and get bent, we owe you nothing.'
Hmmm, I wonder which way Microsoft will go on this one...
This guy's the limit!
Just as I read this article, pandora.com started playing the title cut from David Wilcox's Vista album:
"...and the wide open vista..."
Why not actually try to read the article to see how the program works?
"I can see it now: thousands of computers worldwide activating keys, just to make life miserable for Microsoft and users. It could be called the "annoy Microsoft Windows Users at home" project."
Yes, but does it run under linux :-)
Microsoft has encouraged this obviously illegal tactic by its Vista License:
1) Too many variants
2) Too expensive an upgrade from XP
3) Limitation on which versions run virtualized.
Sadly, for MS, they have not emphasized it can creditably replace a several hundred dollar Nuance Dragon Naturally Speaking install (I know, I've tried both)
Apparently, you have not looked at the actual article, though.
It wouldn't surprise anyone if they screwed that up, but it isn't hard to create a key system that makes guessing impractical and generally uncrackable on the key generation side: Just cryptographically sign random numbers with a private key at MS and verify the resulting registration key with the public key in the program. If the key is much longer than log2 of the number of issued keys, you can try until your grand-grand-grand-children have forgotten you ever existed and not find a real key. That can be circumvented only by disabling the check altogether or by replacing the public key with one to which you know the corresponding private key. But then comes activation and at that point MS can simply check all keys against a database of issued keys. Not only will they be able to find if you're using a key that wouldn't pass offline verification, they will also find if you're using a key which could have been issued but wasn't. You'd have bigger chances winning the lottery and buying a copy of Vista than to find a working key by guessing.
Looking at the size of the Windows market, I would bet that the size of the legitimate keyspace is much larger than "hundreds of millions", probably by several orders of magnitude. It has to be large in order for this brute force search to work.
"as someone who has worked on systems such as these (oh the inhumanity!) we have looked at this particular attack vector. Yes, it is possible. But, when you consider the size of the activation code domain (quadrillions or more of combinations), with the number of legitimate keys (hundreds of millions), and the fact that each request takes some amount of time (a few seconds), it's not too big of a risk. A risk? yes. But there are lots of risks. This is just another one to be put on the list, watched, and mitigated against (as others have said, with blocked IPs and so forth)."
Obviously someone else who didn't read either the article OR all the other user comments - no net connection required to generate the keys - the attempts to change the key are done locally; after a successful local key change, submit the new key for activation.
Blocked IPs won't do jack shit for such a scheme.
Also, you're not trying to find a specific key that works, just one of many, so even with a huge wrong-key space, you'll get a favourable collision with a valid key sooner, rather than later. It's like the same-birthday problem.
I don't see how this is possible, or credible speculation even for a company as evil as MS...
Sorry, that's their EULA. You have two choices when you purchase anything M$, return the package unopened for a full refund or use it. They do not and can not promise it will work and they are not responsible for the actions of others. They regard anything they do beyond the EULA a favor for which you should be grateful, just like they regard anything their software ever does for you. They think you should be so grateful that you do as they say. This is the nature of non free software. Your master may take care of you or they may not and those are the conditions you must agree to if you want to use non free software.
They don't trust you. They made the registration key in the first place to restrict the number of computers you can use before you pay them more. When you call and claim your key does not work, they can't tell the difference between you and someone who's shared their key. Once again, this is the nature of non free software.
Friends don't help friends install M$ junk.
that kills its host. Botnet owners would never do anything that stupid.
Friends don't help friends install M$ junk.
I would bet that the size of the legitimate keyspace is much larger than "hundreds of millions", probably by several orders of magnitude
Several orders of magnitude? Are you suggesting that there are as many Vista keys as stars in the sky? I don't think this term means what you think it means.
Dedicated Cthulhu Cultist since 4523 BC.
I did read the article. I didn't go to the site the article points to because I would need to create a login. But, if I read the article and take it at face value, it clearly talks about taking the key that has been 'cracked', and then using it to activate, by which the author means try to activate it against MSFT's servers. Why else does the author talk about the legitimate customers being pissed? If this attack required no connection with MSFT, then there is no issue with the legit customers. Their key will work too.
Just getting the key doesn't solve the problem. You have to get the key, and then get the other side of the pair that goes along with it. Of course, that could be brute forced as well, as I think you're saying. BUT that's not what the author is talking about.
When will "Annoy Ultimate" be released?
The problem of generated keys and conflict with legit keys isn't new, so we already know what happens. The same existed for XP -- plus the added collision of dishonest OEMs selling one legit serial number to 100 different people who bought their computers with XP preinstalled -- and we already know what Microsoft chose: to not annoy the paying customers. What it did try to do was go after the OEMs who did that, but _not_ after the victims. The victim never had to do more than call an (automated) telephone number and get another key. It's always been that simple.
Yes, there have been some fucktards too historically, but MS was sane about it so far. I'm not saying they're saintly or anything, feel free to still be anti-MS if it makes you feel any better. Just that they're sane. Even if you want to see them as some kind of super-villain, well, as super-villains go, MS was the _sane_ kind so far. The kind who's read the evil overlord's list, not the random lunatic kind. It knows when _not_ to do something that would damage itself very quickly.
Look, there are plenty of real reasons to whine about MS, no need to invent bullshit FUD scenarios. That kind of going into bullshit fantasy land, just to have something bad to say about MS, just damages the credibility of the real complaints.
A polar bear is a cartesian bear after a coordinate transform.
They just better not mention anything about Global Thermonuclear War.
OK
I stand corrected. I just found the link you're talking about. It's all client side.
Not much you can do about that.
Though, regarding those comments about affecting other legitimate users of Vista: it shouldn't affect them.
I even had mod points, but you were already at +5 Funny (deservedly). I wonder which one, Seti@Home or this WindowsKeyGen@Home, will accumulate more CPU time overall next year...?
I also wonder if vendors are going to simply give up on using 20 or 25-character long activation codes, if they can be brute-forced in a reasonable period of time? Will they be switching to keyfile activation using hardware profile info (NIC ethernet MACs, motherboard/BIOS serial #, hard drive serial #, etc)? That seems to be happening more and more already...
"The human race's favorite method for being in control of the facts is to ignore them." -Celia Green
we've got to find better bashing material on MS (and I believe there be plenty)
Aargh, maytee, I too believe there be plenty. Ye OS shall be no match fer me sword, ya scallywag!
But I don't see any danger that a cracked key and a legit key would collide in that large a key space. The birthday attack (see Wikipedia) tells you the probability of a collision is equivalent to a 12 digit key, which I'd assume must be nearing one in a trillion.
Since the program obviously has some algorithmic test of the key validity. MS blew it by making this space so promiscuously large that a 20,000 key/hour guesser could crack it.
Some drink at the fountain of knowledge. Others just gargle.
Why on earth not? Let's say several could be around five or so. So that's five orders of magnitude, 100,000. So do you really maintain that it's not possible to have 10,000,000 x 100,000 = 1,000,000,000,000 (1 x 10^12) keys? I don't know the nature of the Vista licence key, but if they're using 25 alphanumerics that's 35^25 possible keys. That's a big number, c. 4 x 10^38 - now I doubt anyone here knows the ratio of valid keys to possible keys, but I dare say that 1 x 10^12 would fit in...
;-)
So what it comes down to is that by attempting to expose someone else's ignorance you merely display your own.
And I'm sure someone else is about to say roughly the same about me, any time now
Oh arse
They don't know who the legitimate customers are. If they just hand out keys to everyone and anyone, what was the point of the system in the first place?
I couldn't find the download. People on Slashdot seem to be unusually confused about how this thing works - even those who claimed to read the article. I didn't find the article/method very confusing, but I don't know enough about Vista to tell if it COULD work or not. Are people confused because someone made something up that cannot work? There are other cases where evil people have distributed trojans this way.
Is this a HOAX?
Is it possible to create a program that simply activates Vista licenses? -- I mean, without having Vista at all. Just connects to MS and attempts to activate keys, all day long.
It would be like a DOS on the licensing mechanisms.
No one said it can't be done. But, with the brute force required, it's just a risk to be managed. Nothing more, nothing less.
AND having gone to the site and read through the ENTIRE thread on their forums;
What we have here is a random number/letter guesser. It's basically a VB Script that guesses random numbers and letters in a string that is the same length as a Vista Key, then inserts it into the registry, overwriting the existing Vista key. You use Magic Jellybean to check when the key has changed, and then manually check it against MS's activation service. Really this is little more than a person manually sitting down and making key guesses. This is why it's called a "Brute Force" attack. There is no intelligence (ie: an algorithm) behind the key guesses at all.
That said, because it IS so simple, it's almost impossible for MS to defend against, since they can't just "ban" any keys made by it like they would a traditional algorithmic keygen. Also, there is an improved version of it posted as source on the boards there, so if you want to take a peek at the code you can.
Here is a link to the forum post in question: http://keznews.com/forum/viewtopic.php?t=2634
Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
Prepare for a patch which forces a cooling period for local key changes...
I'll give you 1 order of magnitude more, into the low billions of valid keys.
And my definition of valid is very specific. Valid means to me: the key is internally valid, meaning it passes its own checksum logic and the OS thinks so (which doesn't imply a successful activation), AND a key that is actually on one of MSFT's activation servers and could be activated.
There's no reason for there to be any more valid keys (using this definition), than the amount of Vista that MSFT expects to ship in the next year or so.
Do you really think they expect to sell 100's of billions of copies of vista in the next year or so? That's a stretch, even for Ballmer.
more than 30 billion years for one valid key ...presuming they didn't find a qualified (yet brute force) way to guess keys...
Remember the DVD-crack long ago. The key was 40 bits, but for different reasons the key was in practice just 26 bits. Knowing a bit about the encryption made it possible to not search all keys and a DVD could be read within seconds, not years.
From the summary, quoting the article:
Hell of a nice strawman. Nice job.
Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
I agree with you but I fail to see how it can be similar to the "same-birthday problem". Did you make a mistake or do you know something about how to search for keys that I don't know about?
As I pointed out in the post above the chance of a randomly generated working activation key colliding with a legitimate key is probably worse odds than 1 in a trillion. So this will probably never ever happen by chance.
However, chance might not play a role here. Given this colossal stupidity one also assumes they did something dumb like make the decoded keys have some sort of sequential pattern too, so given enough keys one might be able to figure out how to actually generate keys directly. In that case MS will have a problem with the key-collisions with legitimate keys because people could deliberately generate those.
Why would deliberately generating legitimate keys be a good idea for a cracker? Well, if you do generate a random activation key, it will activate the product but Microsoft will also be able to determine that it's one that it did not issue. So the moment Vista phones home or you try to do a system update, or install any piece of software from MS that can check the key (e.g. Office), Microsoft is gonna shut your genuine ass down. On the other hand if you were to generate a key that coincided with a legitimate key, then MS won't know you filched it. So there's an incentive to see if MS also made the patterns predictable.
You could of course try to live offline, but that level of piracy is not a threat to MS.
All that said my guess is that this is not possible. If I were creating these keys what I would have done would be to use public key encryption. I'd take the integers 1 to 1 billion, and encrypt them with my private key. Then the Vista copy carries the public decode key. To validate, the Vista installer decrypts the user supplied key. If it's a number between 1 and 1 billion, you've been validated. MS can now issue up to 1 billion copies of the software with distinct keys.
Some drink at the fountain of knowledge. Others just gargle.
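The design suggested in two comments above (sign each serial with a vendor private key, verify in the product with the public key, then check activations against a database of issued keys) can be sketched as follows. This is an added example, not code from the thread, the article or Microsoft: it uses textbook RSA over a SHA-256 digest with a constructed toy key pair that is far too small for real use, and every name and the key format are assumptions.

```python
"""Added illustration: signed product keys plus a server-side issued-key check."""
import hashlib
import re

# Constructed toy key pair built from two well-known Mersenne primes.
# Assumption for the demo only: a 216-bit modulus offers no real security.
_P, _Q = 2**127 - 1, 2**89 - 1
N = _P * _Q                           # public modulus, shipped in the product
E = 65537                             # public exponent, shipped in the product
_D = pow(E, -1, (_P - 1) * (_Q - 1))  # private exponent, stays with the vendor

SIG_HEX = (N.bit_length() + 3) // 4   # hex digits needed to hold a signature
_KEY_RE = re.compile(rf"([0-9a-f]{{16}})-([0-9a-f]{{{SIG_HEX}}})")


def _digest(serial: int) -> int:
    """Hash the serial number into the range [0, N)."""
    h = hashlib.sha256(serial.to_bytes(8, "big")).digest()
    return int.from_bytes(h, "big") % N


def issue_key(serial: int) -> str:
    """Vendor side: sign a serial number with the private exponent."""
    return f"{serial:016x}-{pow(_digest(serial), _D, N):0{SIG_HEX}x}"


def verify_offline(key: str):
    """Product side: return the serial if the signature verifies, else None."""
    m = _KEY_RE.fullmatch(key)
    if m is None:
        return None                   # wrong length or non-hex characters
    serial, sig = int(m.group(1), 16), int(m.group(2), 16)
    if sig >= N or pow(sig, E, N) != _digest(serial):
        return None                   # a guessed string ends up here
    return serial


class ActivationServer:
    """Vendor side: the online check against the database of issued serials."""

    def __init__(self, issued):
        self.issued = set(issued)     # serials that were actually sold
        self.bound = {}               # serial -> machine that activated it

    def activate(self, key: str, machine_id: str) -> str:
        serial = verify_offline(key)
        if serial is None:
            return "rejected: bad signature"
        if serial not in self.issued:
            return "rejected: never issued"
        owner = self.bound.setdefault(serial, machine_id)
        if owner != machine_id:
            return "rejected: already activated elsewhere"
        return "activated"


if __name__ == "__main__":
    server = ActivationServer(issued={1001})
    sold = issue_key(1001)
    unsold = issue_key(2002)          # signed by the vendor but not yet sold
    guess = "00000000000003e9-" + "0" * (SIG_HEX - 1) + "1"  # constructed guess
    for label, key in [("sold", sold), ("unsold", unsold), ("guess", guess)]:
        print(label, verify_offline(key) is not None, server.activate(key, "pc-A"))
    print("second machine:", server.activate(sold, "pc-B"))
```

The `unsold` case is the one the earlier comment calls "a key which could have been issued but wasn't": it passes the offline check and is only caught by the server-side lookup.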
C'mon, let's give'em credit.. their PR isn't as bad as Sony's!
Misleading titles? Inflammatory blurbs? Keep in mind that Slashdot is a tabloid.
Sorry, that's their EULA. You have two choices when you purchase anything M$, return the package unopened for a full refund or use it.
That may be the case in the US, but in the UK things work slightly differently. If I buy a copy of Vista from a store and it is faulty, for whatever reason, I can return it to the store for a full refund or a replacement. The legalese is "fit for purpose" and "of merchantable quality". Clearly, a copy of Vista with an invalid licence key is not fit for purpose.
Incidentally, most of the big shrinkwrap software stores in the UK try to get out of doing this if they can. Just be persistent.
"I realise this is not a very popular opinion but it's the truth, and therefore needs to be said" -Bill Hicks
Never hoped to see it in this context, though.
If the problem is "small" just track it and write off the loss.
If the problem is large:
Have people caught up in the duplicate-key mess photograph their Windows Vista packaging with the key showing in the photograph and send it in.
For the related problem of duplicate OEM keys, photograph the machine and mail in the make, model, and serial # of the machine and/or the name of the store you bought the license from. This won't help as much with tracking "manila envelope" licenses as those can be traded willy-nilly before the envelope is opened, but it will help with licenses that are assigned to particular manufacturers.
Give "ownership" to the person with the most convincing photo or purchase history. For the other claimants, if you are nearly 100% sure they are illegitimate sue them or make them provide personal information to get a "new, legal key, on the house" otherwise write off the loss. Pirates aren't as likely as people who think they are legitimate buyers to give out their name and address. If they balk, make a decision: do you want to risk being wrong and wind up in court and lose and get a PR black eye, or do you want to stand by your guns? If you aren't nearly 100% sure, just write it off.
In any case, if you don't immediately activate the product, at least activate it for 30 days while you decide what to do.
Even better - scrap the whole activation thing.
In the future, software will be delivered electronically and every copy will be uniquely watermarked. Yes, you can watermark compiled computer code by inserting NOPs, replacing operations with equivalent operations, etc. Of course this isn't as simple as it sounds as addresses get moved around, but it's doable.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I can see a similar discussion being had about Vista. Home use, they're plugging on ... well, the only reason I'm considering it is my favourite game is going DirectX 10. But the cost of a new license if you _don't_ pay microsoft tax is pretty outrageous, so I might just not bother.
However for the 'average corp' the upgrade drive is just ego as suits want the 'newest thingy'.
Thanks to recent developments, linux is just about becoming a viable alternative, as being 'end user friendly'. *shrug* Too many companies are blinkered to the alternatives, but might notice a cost comparison of e.g. 30k users running a well supported linux, vs. 30k users running Vista.
It would be nice if people who tell these kinds of stories would name the offending party so that the rest of us can avoid them...
Does this mean that vendors are going to make the pesky product keys even longer? Companies will have to hire data-entry staff just to key them in.
Table-ized A.I.
.. modified the existing VB Script file that was supplied with Vista. More fool MSFT for supplying the code in source form.
http://www.rense.com/general79/wdx1.htm
I saw one at a LAN party that had every copy of windows, every copy of office, and a whole bunch of Microsoft products.
You would set it and forget it. It would generate a key, test it and then if it was good put it in a log file, if it was bad it would attempt to generate another.
This kid had a list of probably 1000 WinXp pro keys that had generated just because he was bored.
There are keygens for the last two versions of MS Office and also for Windows XP. This is nothing new.
Perhaps the math works out to a point but that doesn't make it sound. Why would MS put out a trillion licenses for something that probably will never go over a couple of billion (tops).
Or are you claiming that MS is purposely leaving itself open to having keys that are easier to hack by going way over the number they'll ever likely need?
If your math makes more sense to you than this logic please tell me you don't work in either a security intensive or data storage intensive position.
BTW: not to be overbearing about my point but you'll also note that the original sentiment was "hundreds of millions", not 10 million. So by your logic that would make it 10^13 as a minimum. Assume that the number is 500 million. That leaves a huge area of potential sales vs. working license. You're just asking to be hacked at that point.
Dedicated Cthulhu Cultist since 4523 BC.
or Irony or whatever.
If you need the equivalent of a Cray to run Vista, then it's going to be very efficient at Brute Forcing the keys.
I like it.
Once I was a four stone apology. Now I am two separate gorillas.
Someone made an alternate download link available http://www.sendspace.com/file/cy9sjx
Just because the checksum on the key may work, it has to be a key that was actually issued by MS for it to get activated. Lots of trial and error here.
Do you really think they expect to sell 100's of billions of copies of vista in the next year or so?
Well, have you seen Aero? It looks fantastic!
sic transit gloria mundi
When software licensing was based on the honor system.
Honestly this whole key activation thing seems more hassle than those stupid dongles used to verify your software. They used to plug into the parallel or serial port, now they plug into USB. Why can't we just have that, seems less problematic than the current scheme. Especially when you consider that a $4 dongle won't cut into the profits of a $100 OS as badly as 20 minute tech support calls do (which generally cost a company $30 to $150 each)
“Common sense is not so common.” — Voltaire
As an American, I can tell you that 'fuckwit', 'bastard', 'cunt', 'moron', 'dickhead' and 'shit for brains' are all in common use here in the States. If you really want to sound British, use 'wanker', 'tosser' or 'spanner'. Also, my limited experience with the BBC seems to indicate that 'Bloody Hell' is very popular in ye olde England.
This is too bad. I had hoped that the Windows Vista copy protection was solid. In fact I hope that all MS software copy protection is unbreakable and a pain in the butt. This way people will be forced to look at alternatives. At the moment Windows and other big software packages have the unfair advantage of being an expensive product that you can get for free (by pirating). If that was not possible people would have to consider other options like Linux or cheap shareware. I wrote more about it here: http://eriksrantsandraves.blogspot.com/2007/02/when-rolls-royce-cost-less-than-skoda.html
Why I think pirating is immoral and bad for the economy.
I had a MSDN subscription that had already been activated. MS reps passed me off in a circular queue for a couple of weeks, going between their support department sending me back to the reseller, and the reseller sending them back to Microsoft. I had to literally threaten to sue them before they gave me a license key.
I was actually surprised how quickly I got results after I told them that I had decided to file a lawsuit. I was not exactly bluffing, but I also could not have taken it much farther than the initial filing. But I was ready to go to the US Court Of Claims to say that the retailer and Microsoft had together sold me a product which did not work and that both had refused to give me a refund. After certain certified letters reached certain individuals, I got a license key, and for a couple of months afterwards, received occasional calls from Microsoft support folks asking me if my problem was taken care of.
The lessons I learned:
1. Microsoft is in denial about their software security system.
2. Threatening to file a lawsuit against a corporation engenders prompt responses.
-fb Everything not expressly forbidden is now mandatory.
Perhaps the math works out to a point but that doesn't make it sound. Why would MS put out a trillion license for something that probably will never go over a couple of billion (tops).
Because 10^12 / 10^38 still leaves them with a factor of 10^26 redundancy. Only 1 in 10^26 keys valid ought to be enough to prevent this attack from being feasible.
But clearly it isn't, so they've actually got more than 10^12 valid licenses, for some bizarre reason.
That they include it means nothing. It is pretty certain that, indeed, an EULA doesn't have legal force and can't make you give up rights you normally have. For example:
I work for a state institution which means in a way I am a part of the state. One of the requirements of the job is that I can't sign any contracts for the state. Anything that requires a signature has to be sent to legal (and we have a hell of a legal team). Employees can't agree to contracts directly. We have, on occasion, gotten software that comes with a written agreement. It is sent to the lawyers, almost totally rewritten, then sent back to the company (who is usually quite surprised). However we've been told not to worry about EULAs or click through agreements. We are allowed to just click ok and go on about our business.
Now why do you suppose that is? Well it is because the legal team believes that they have no legal force, and thus there's no problem. I'm going to guess they are right, they have to be very careful about protecting the state against things like that.
So MS can say in their EULA "We reserve the right to take this software away from you at any time," but that doesn't mean a judge will agree. You can still drag them to small claims court (it's quite cheap to file) and argue your case. If a judge agrees with you, they give you your money back.
You must be new here...
www.tdobson.net #### Dare to Dream #### blog.tdobson.net
I could see it affecting legit users, in the same way that the "same birthday paradox" at first seems unlikely. With 100 million users, there are going to be some clashes, and some unhappy (ok, unhappier :-) users.
Activation doesn't stop the pirates, it just inconveniences the legit customers.
Are you a brute?
How long before there is a worm developed which will hammer the Microsoft servers from zombie machines to grab license keys?
This signature is far too complex to have been created by chance.
... except that the key doesn't have to be already issued to be valid - it just has to match one that would be generated by Microsoft's algorithm.
How do you think all those keygens work?
BTW - Since we're weeding out keys that wouldn't be generated by the authentication algorithm, the keyspace is much smaller than the 25-char limit ... so collisions aren't just likely, they're inevitable.
It's like generating hash values for phrase lookup tables. A 32-bit unsigned crc (+4 billion) will not work for even a million phrases - you'll get lots of collisions (yes, I've tested this).
Now consider - you don't care about the 99.999...% who don't collide ... in a large enough population, even a small percentage is a big problem.
And yet some companies have instituted the same thing with no anger from users.
Valve managed it, and the rather wonderful prevx malware finder program and SETI@home all require constant contact with home, for example.
The difference is that these systems deliver customer satisfaction because the phone home service is there as part of the service you require or wish to participate in. If you decide not to, you can quit and go elsewhere. Most people using Windows don't see that they have a choice (yet).
Microsoft's problem is that their system is one of guilt assumption. They have it solely to check up on customers, it delivers no added value aspect to the consumer. That they say it does is part of the problem. It is for Microsoft alone, it gives nothing back.
No-one cares about Microsoft's needs, that's human nature, we are all selfish unless giving something away brings a valued return. For them to expect that people would *want* to take part with no benefit to themselves is a pretty hefty misconception.
I find these issues with Vista interesting. I really do have no intention of ever buying it. I tried it with open mind, thinking I might get it if it brought something new I might like, but there was nothing that interested me. I didn't hate it, but saw nothing of use. It's nowhere near as useful as Linux for my needs, and if I feel a need for a commercial OS, well there's OsX.
OsX does interest me quite a bit. I've seen many presentations at conferences that were done with macs, and they look *so* good.
We shouldn't be measuring this in whether or not somebody can use their key if it's been cracked already but merely how many hoops is the average consumer going to have to jump through before MS gives up on the whole "activation key" thing or just "cancel/allows" on a case by case basis.
Your crusade to stop car/computer analogies is like trying to get unionized American autoworkers to realize they're a big part of their own troubles.
In other words, it's just never going to happen.
Mac OS X and Windows XP working side by side to fight back the night.
I'm up for a joke :) I'm too lazy to code it, though...
My blog. Good stuff (when I remember to update it). Read it.
So in theory, if a hacker learned how authentication worked, he could use a botnet to generate keys and activate them. Over time, you could activate a good percentage of Vista's keys. Granted, it would be a long time, but it could be done.
Boob isn't British though, try git or wanker.
-Charlie
This is absolutely no excuse. If you don't like the product or the price don't buy it. Get a Mac or use Linux instead.
With a 25 decimal key, to find a collision would require something on the order of a trillion tries. If the key space is alphanumeric then more. If the key space is heavily (and predictably) shortened by patterns in the keys (like alternating letters and numbers or checksums, date codes, special activation sets..), then the number could be less. This number also depends modestly on how many keys are issued, so figure that estimate is within a factor of 1000 of the work load.
Some drink at the fountain of knowledge. Others just gargle.
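The collision arithmetic behind the CRC remark and the 25-digit estimate earlier in the thread, as an added example that is not part of any post. The function names are illustrative, and the "phrases" are constructed stand-ins (SHA-256 digests of a counter) so the run is reproducible offline.

```python
"""Birthday-bound arithmetic for a 32-bit checksum and a 25-digit key space."""
import hashlib
import math
import zlib


def expected_colliding_pairs(n_items: int, space: int) -> float:
    """Expected number of pairs sharing a value when n_items values are
    drawn uniformly from `space` possibilities: C(n, 2) / space."""
    return n_items * (n_items - 1) / (2 * space)


def items_for_half_chance(space: int) -> float:
    """Draws needed for a ~50% chance of at least one collision:
    sqrt(2 * ln 2 * space)."""
    return math.sqrt(2 * math.log(2) * space)


def count_collisions(values) -> int:
    """Count values that repeat one already seen."""
    seen = set()
    repeats = 0
    for value in values:
        if value in seen:
            repeats += 1
        else:
            seen.add(value)
    return repeats


def crc32_collisions(n_phrases: int) -> int:
    """CRC-32 over n constructed phrases; returns how many collide."""
    phrases = (hashlib.sha256(str(i).encode()).digest()
               for i in range(n_phrases))
    return count_collisions(zlib.crc32(p) for p in phrases)


if __name__ == "__main__":
    n = 10**6
    print("expected colliding pairs, 1e6 items in 2^32:",
          round(expected_colliding_pairs(n, 2**32), 1))
    print("measured CRC-32 collisions over 1e6 constructed phrases:",
          crc32_collisions(n))
    print("50% collision point for 2^32 values:",
          round(items_for_half_chance(2**32)))
    print("50% collision point for 10^25 values: %.2e"
          % items_for_half_chance(10**25))
```

The same two formulas apply to any identifier space: collisions among issued values become likely near the square root of the space, far below the point where the space is exhausted.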
I agree. The only time I had to re-install XP was when my hard drive died. (I couldn't even get my slack box to read it)
BAN BPL! Keep the radio spectrum free fro
Read the "Surviving the first day of Windows XP".
Quit downloading everything in your email. If you don't recognize the name, delete it.
Don't click "Yes" to every security certificate. You should accept Microsoft's, and that's it.
You don't require new cursors or smiley programs for your emails. The new "Hyper-Exelent Surf 3000 Toolbar by Lucky 88 Company" is not going to make your life easier. Likewise, if you want to know the weather, look outside or in your local paper.
PC Cleaning programs from pop-up ads don't work. Actually, anything advertised on the Internet should be considered fraudulent. (Yes, even "those" pills. They're just bull semen and corn starch.)
Get your programs from SourceForge, not from the first link on Google. Make sure that Spybot and Mike's adblocking are installed on your machine.
The people who write viruses have anti-virus programs to test their work on.
For the sake of whatever god you believe in, get a hardware firewall!
Run ShieldsUP! from grc.com to make sure that you're invisible.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
only on the weekends.... =P
Throughout this thread there are comments that the authentication mechanism is evil, unnecessary and hurts users.
Just to play devil's advocate, it's not like Microsoft just arbitrarily decided for no particular reason that the authentication tool was a good idea. They make a for-profit commercial product. Lots and lots and LOTS of people are using it without paying. Whether it's copyright infringement or theft, they are faced with a problem - besides obtaining this product for free, all of these "users" will place a drain on Microsoft's support systems (such as bandwidth).
Historically they've simply sucked it up, and let these people continue to leech away, but they've put their foot down. What exactly are their options? Dongles? Cracked almost instantly. Serial number alone? Don't make me laugh. I'm not sure how else they would do this, other than to require that they validate the customer's serial number against white and black lists.
If people weren't working so very hard to make this commercial, for-profit product available for free, there would be no need at all for this system. It wouldn't exist.
Microsoft almost certainly sees this system as a necessary evil. If there were a better way, I'll bet they'd at least listen to it.
The idea behind brute-forcing is your algorithm doesn't have to be smart. They can just keep trying combinations on the local machine until one gets accepted, and submit it as the new key. Who cares if it takes a month or two if the machine can go on and do other stuff at the same time? Of course, if you have a botnet kicking around ...
I've been doing IT work for only 9 years now. I don't know about anyone else, but I've seen a MAC address conflict on a small network (100 network devices), and the cards were from different manufacturers (IBM and Kingston, from what I remember). When I told a colleague about the conflicts he didn't believe me until he saw it himself, so I don't see product key clashes as impossible or even improbable.
It's not a question of how many valid keys Microsoft issued, as far as brute-forcing is concerned. All that is required is a sequence of letters and numbers that hashes to the same result when the activation code checks it. You don't have to get the "right" key - any sequence that gives the same result is "good enough" and will activate. For example, if "BBBBB CCCCC DDDDD EEEEE FFFFF" hashes to the same value as "12345 67890 12345 67890 12345", they're one and the same, as far as activation is concerned.
Brute-forcing IS feasible for small strings - and 25 is a small string.
INPUT: raw code, watermarking function, entropy, signing algorithm and keys
OUTPUT: watermarked code with digital signature
Imagine a world 10 years from now with 100,000,000 million copies of the latest version of Windows, each with the same subset of key files that have been watermarked and signed. Suppose one of those files is cmd.exe. Barring breaking into Microsoft, good luck creating a signed, de-watermarked copy of it.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
You made this threat while Bush & the Republican dominated Congress was in power, didn't you?
:)
:)
With them in power no court in the land would punish Microsoft for that. Plus you'd be hauled away as a terrorist. After all, you said 'threatened'.
Just kidding!!! No, really, congrats. Now do the right thing and upgrade to Ubuntu or Fedora.
--- Grow a pair, liberals... stop letting the Republicans bully you!
No operating system has a right to keep phoning home for permission to continue operating.
Why not inflict changes in the OS that will bypass this routine?
All code can be bypassed. All code. The problem is finding where the activation checks are.
--- Grow a pair, liberals... stop letting the Republicans bully you!
This article is total BS. I have no doubt that keys that pass the LOCAL validation can be pretty easily guessed. However, this is irrelevant to the issue of key collision which is all about WGA and validation through MS's servers.
MS can easily keep a second smaller list of the keys that have actually been given out. Then maybe once a day check to see if the key your brute force hack found is a real valid key or just a possible but non-issued key. If so then reset your software to non-genuine.
In short because the real security mechanism is the online verification MS has complete control over throttling requests and monitoring people who try many keys so this worry just doesn't stand up.
If you liked this thought maybe you would find my blog nice too:
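One way the server-side controls described in the comment above (an issued-key list plus throttling and monitoring of clients that try many keys) could fit together, as an added example that is not part of the thread and not Microsoft's code. The key layout, class name, thresholds and sample keys are all constructed assumptions.

```python
"""Server-side activation gate: issued-key check, cooling-off, monitoring."""
import re

# Hypothetical key layout for this example only: five groups of five.
KEY_FORMAT = re.compile(r"^(?:[A-Z0-9]{5}-){4}[A-Z0-9]{5}$")


class ActivationGate:
    def __init__(self, issued_keys, free_attempts=3, base_lockout=60,
                 flag_after=10):
        self.issued = set(issued_keys)   # keys actually given out
        self.free_attempts = free_attempts
        self.base_lockout = base_lockout  # seconds
        self.flag_after = flag_after      # distinct rejected keys
        self.failures = {}      # client -> consecutive failures
        self.locked_until = {}  # client -> timestamp
        self.rejected = {}      # client -> distinct rejected keys
        self.flagged = set()    # clients to hand to monitoring

    def attempt(self, client, key, now):
        """Return 'activated', 'rejected' or 'throttled'."""
        if now < self.locked_until.get(client, 0):
            return "throttled"  # not evaluated, so it leaks nothing
        if KEY_FORMAT.match(key) and key in self.issued:
            self.failures.pop(client, None)
            return "activated"
        # A well-formed key that was never issued fails like a malformed one.
        count = self.failures.get(client, 0) + 1
        self.failures[client] = count
        self.rejected.setdefault(client, set()).add(key)
        if len(self.rejected[client]) >= self.flag_after:
            self.flagged.add(client)
        if count >= self.free_attempts:
            # Cooling-off period doubles with every further failure.
            extra = count - self.free_attempts
            self.locked_until[client] = now + self.base_lockout * 2 ** extra
        return "rejected"


def demo():
    """Replay a constructed sequence of attempts; return the outcomes."""
    good = "AAAAA-BBBBB-CCCCC-DDDDD-EEEEE"   # constructed sample key
    gate = ActivationGate({good}, flag_after=4)
    out = []
    for t in range(3):                        # three wrong guesses
        out.append(gate.attempt("client-1", "ZZZZZ-ZZZZZ-ZZZZZ-ZZZZZ-ZZZZ%d" % t, t))
    out.append(gate.attempt("client-1", good, 10))    # inside 60 s lockout
    out.append(gate.attempt("client-2", good, 10))    # other client unaffected
    out.append(gate.attempt("client-1", "QQQQQ-QQQQQ-QQQQQ-QQQQQ-QQQQQ", 62))
    out.append(gate.attempt("client-1", good, 100))   # lockout now 120 s
    out.append(gate.attempt("client-1", good, 182))
    return out, sorted(gate.flagged)


if __name__ == "__main__":
    print(demo())
```

Per-client state does not bound guessing spread across many clients, so a deployment would pair this with an alarm on the global rate of rejected keys.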
Historically they've simply sucked it up, and let these people continue to leech away, but they've put their foot down.
Historically Microsoft has benefitted from the "pirate domain" because it reduced the demand for alternate operating systems. Why buy DR-DOS, OS/2, or BeOS even when they were cheaper than MS-DOS or Windows when you can get "the real thing" for free?
What exactly are their options?
Continue to let some tiny fraction of their immense profits slip through their fingers rather than risk upsetting the punters enough that switching starts to seem like the soft option.
"The person who brute force discovers and uses someone else's code is not the one causing their Copy of Windows to be invalidated. Microsoft is doing that."
These guys are making the choice to cheat other people for their own benefit. They are solely responsible. It's very likely that these same individuals are guilty of other crimes like phishing, identity theft, etc. They probably get a big laugh over the idea that people actually think they're doing it as a blow for freedom or somesuch.
The GPL requires no management, nor does any other reasonable license, free, open, or proprietary. The honour system is perfectly functional in all ways for this problem.
The page you linked to doesn't actually support what you said.
:) But I think we need a link with info that applies to OEM/DSP and retail box keys.
It only talks about volume license users.
Just to clarify your first paragraph: are you saying that a computer with no internet connection which has Windows Home Basic pre-installed by Dell will require a phone call to Microsoft twice a year to keep working?
I understand you're just reporting what you heard at the launch event, so not trying to jump on your case personally.
I find it extremely silly that people object to the word "piracy." It has a specific meaning in context. It does not "demonize" copyright infringement in any way. It's not making any kind of statement. It's just an abbreviation, because "copyright infringement" is a lot of letters. It means the exact same thing. It's not implying anything else.
Objecting to equating copyright infringement with theft makes sense and is important.
Objecting to shorthand slang that is no more negative than the full phrase it stands for is a silly waste of time. (Much like this post I'm making now.)
I find it extremely silly that people object to the word "piracy." It has a specific meaning in context. It does not "demonize" copyright infringement in any way.
;)
You are ok with creating a distinction between infringement and theft, but think piracy which, in a lay person's mind, implies theft is ok? I think that is a tad silly.
I think the term piracy is demonization, to the extent that it suggests 'organized criminal activity', which really is the main threat to corporate interests.
i.e. - a group in China creating counterfeit MS Windows discs complete with keys, and holographic stickers is a 'software pirate'.
Installing the copy of Windows XP Home edition that came with your Dell into that used PC you got free from work when they upgraded the LAN might be infringement (though it might even be fair use despite the EULA) but it isn't 'software piracy'.
To really overdo it, lumping both those groups into one term and then saying piracy = copyright infringement is somewhat akin to grouping say 'people with brownish skin' and 'fundamentalist Islamic extremists' into one group and then equating that with 'terrorists'. And absurd as it is, it happened, and so we end up with completely innocent people in secret prisons facing torture. Don't chew me out yet, because as over-the-top as that is, consider this:
In the world of 'piracy', we end up with computer illiterate elderly women being dragged through the courts on the presumption they owe the recording industry a few hundred million bucks for the remorseless and obscene damage they've dealt to these American mega-corporations.
cheers
*Why* do some people always seem to think that the best way to evaluate Linux is to attempt to install the latest (and most demanding) distros on some old heap of junk they have lying around? When there are LiveCD distros these days, there is NO REASON to not give Linux a whirl on your modern PC that you are currently using to run Windows. None!
Do you seriously think Vista would suck because it would fail to install on your old P3 500 (according to Microsoft, it doesn't meet minimum requirements)? Why the puzzlement that Linux's "latest and greatest" won't work on your crap, when I think you know darned well that Microsoft's "latest and greatest" wouldn't work, either.
Look at the tomato! Isn't it sad? He can't dance! Poor tomato!
MSFT has a lot of smart coders, and yet things like this keep happening. There are probably even many MSFT coders on this message board, don't they absorb some best practices? How is it they never learn?
What's the guess for time 'til trojan?
While I am not a MS fan I do think the statement above could legitimately be classified as "fear mongering". Microsoft is a business and one of the functions of a business is to satisfy (or at least look like they are trying to satisfy) their customers. I highly doubt that they would alienate a huge amount of their customer base over a few thousand or hundred thousand illegitimate activations. Doing so would be suicide on their part because it would spark a giant "Oh my god, what if that had been US" within the large business community that Microsoft serves. Large corporate customers would seriously start looking at alternatives because they would see a situation where they might potentially be left out in the cold should they buy a copy of Windows and its activation has already been used.
This is going to be a bad situation for Microsoft. But it's not going to cause them to tell their customers "screw off".
Anthony Papillion
Advanced Data Concepts, Inc.
"Quality Custom Software and IT Services"
In free society every other agency, government or otherwise needs a legal process be it search warrant or reasonable cause to enter my property and inspect my goods and chattels to see if they are stolen / are licensed.
It has been long determined that "plenty of people like you steal stuff, we're coming in to have a look round" is not sufficient legal grounds and that when agents act otherwise it is called "oppression".
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
Just because the old lady is computer illiterate does not excuse her from not being knowledgeable about the law. As I painfully found out, even if a speed limit is not posted on stretches of road you have access (and can exit from) to it can still be enforced and it's your fault for not being informed about it.
Copyright infringement is a pretty simple concept. If you didn't buy it, it's not yours to freely use. While that maxim doesn't encompass every case, it sure as heck covers lots of ground. Now, if the problem is the infringement is being pinned on an elderly lady when a family member actually engaged in the infringement, well, that just sucks. But that is why there is a court system in existence. People get charged with crimes and then declared not guilty all the time. It's part of the process.
Now, the real problem I have is with there not being a blanket law saying that if you sue someone and lose you are liable for their legal expenses. What the MPAA and RIAA do is extortion simply because it is cheaper to pay their 3 grand than get a lawyer and attempt to let the legal system work how it was intended to.
"If Microsoft decides to revoke that license because of something Pete Pirate did, who is at fault for Microsoft's actions - Pete or Microsoft ?"
Pete, of course. Pete knows that his actions will deny a legitimate user's use of the OS but goes ahead anyway.
"Or to put it another way: If you steal from me, and that makes me so angry that I kill a random bystander, does that make you a murderer ?"
Or to put it yet another way: If you implement a way to protect your IP and some random guy steals your customer's key, does that make you responsible for your customer's inability to run the software?
"Violating software's copyright may or may not be immoral, but in either case it in no way makes the violator responsible for the actions of the party whose copyrights were violated."
I can say something similar: Protecting your IP may or may not be immoral, but in either case in no way makes the vendor responsible for the actions of an individual who is pirating software.
See these analogies or restatements or our opinions prove nothing.
just because the old lady is computer illiterate does not excuse her from not being knowledgeable about the law.
True.
The difference is that speed limits were written with the intent that it apply even to ignorant drivers, and drivers who exceeded the limit even by accident, and the penalties reflect that. (There are a ton of problems with it, especially as we move to automatic enforcement, so don't get me wrong, I think speeding laws need a complete overhaul, but that's a separate argument.)
With copyright infringement however, this situation wasn't foreseeable; the laws were written mostly to combat organized criminal activity. And they were designed to scale up, so that large scale infringers got hit with massive fines.
It was unthinkable when the law was drafted that a little old lady could be completely unwittingly responsible for 10's of thousands of counts of copyright infringement, or that this could be a common everyday occurrence. Yet it's happened and these little old ladies are being targeted with lawsuits that would have been appropriate for large scale CD counterfeiting rings. They are entirely inappropriate for unwitting old women.
As for the RIAA/MPAA extortion tactics, they are wrong for TWO reasons. First, as you observed, the legal expenses involved are high, and it's much easier to settle than to fight. But ALSO, and more importantly, because the lawsuits being brought against these people are entirely inappropriate in the first place. And with hundreds of thousands of dollars on the line and few precedents the stakes are MUCH too high for the average person to gamble on the courts which must judge you based on the law, not on the appropriateness of the law.
For example, if the law were updated to state that it was illegal for an individual not part of an organized piracy ring to run a p2p app sharing copy protected works without authorization, and the fine was $100, $500, $1000, or $2000 or $5000 depending on the size of the collection and the circumstances, that would be appropriate. If a person was charged, and felt she was innocent, she could fight it. It would be small claims court and wouldn't cost that much. The **AA could still go after large file sharers with punishments high enough to act as real deterrent, but gross miscarriages of justice would be avoided.
Of course, much harsher penalties and laws would still exist for large scale organized criminal piracy.
It's interesting that you propose that hacking Vista will only make Microsoft more evil and cause them to lobby governments to make computer activities illegal and that these new laws will be brutally enforced by a police state.
The interesting part is that you propose open source software as the silver bullet against the tyranny of Microsoft. Using your logic, if the world started moving to OSS in a stampede, wouldn't Microsoft lobby to make OSS illegal? Will we ever see the headline "Microsoft Overturns The GPL!" on slashdot?
Please, enlighten me as to what you seem to think an end user of GPLed binaries is obligated to do.
"being there to enable OTHER programs to work" Is that part of the definition of an OS or what? I got one... is that like a stove allows you to cook food, but you don't actually eat the stove? "eating up network bandwidth and administration resources" You don't possibly manage a network, do you?