Vista Activation Cracked by Brute Force

← Back to Stories (view on slashdot.org)

Vista Activation Cracked by Brute Force

Posted by Zonk on Friday March 2, 2007 @03:02AM from the disturbance-in-the-force dept.

Bengt writes "The Inquirer has a story about a brute force Vista key activation crack. It's nothing fancy; it's described as a 'glorified guesser.' The danger of this approach is that sooner or later the key cracker will begin activating legitimate keys purchased by other consumers. From the article: 'The code is floating, the method is known, and there is nothing MS can do at this point other than suck it down and prepare for the problems this causes. To make matters worse, Microsoft will have to decide if it is worth it to allow people to take back legit keys that have been hijacked, or tell customers to go away, we have your money already, read your license agreement and get bent, we owe you nothing.'"

93 of 470 comments (clear)

MS would owe at least the key by yagu · 2007-03-02 03:04 · Score: 5, Interesting

From the article summary:
To make matters worse, Microsoft will have to decide if it is worth it to allow people to take back legit keys that have been hijacked, or tell customers to go away, we have your money already, read your license agreement and get bent, we owe you nothing.'

I don't see how this is possible, or credible speculation even for a company a evil as MS is perceived on slashdot. I'm no MS fanboy, but I've had reasonable "service" from MS on issues of keys to activate my machines under some unusual circumstances.
This may get sticky for MS, but for goodness sake we've got to find better bashing material on MS (and I believe there be plenty) if we want to maintain any street cred. There's no WAY MS won't be giving license keys to legitimate purchasers of XP (especially considering the vast majority are pre-activated shelf-delivered versions).
(Aside: pure speculation on my part, but one of the most glaring weaknesses of this "claim" may be the notion of brute force, and that that is even a possible approach. Most validation handshakes require a reasonable length of time between attempts to circumvent brute force attacks... if it takes one second between attempts for billions of combinations, you're going to eventually be activating an obsolete OS. Further, after 3 or 4 incorrect attempts, any validation scheme worth its salt will quiesce for some longer inconvenient time... requiring a "cooling off" period before one can make further attempts. This story falls under the heading of "I heard someone say they knew someone whose sister's brother has figured out a Vista activation hack..." Sigh.)
1. Re:MS would owe at least the key by DJCacophony · 2007-03-02 03:07 · Score: 5, Interesting
  
  Any customer who gets their key "stolen" by this program can just take it back - Vista comes with several activations on the same key. Once the customer uses the key, the previous user of it will eventually be required to re-activate.
  
  --
  Slow Down, Cowboy! It's been 60 minutes since you last successfully posted a comment.
2. Re:MS would owe at least the key by Anonymous Coward · 2007-03-02 03:08 · Score: 3, Informative
  
  It seems that this technique doesn't test against the microsoft server, but can tell if a key is valid on the local computer, which would actually be news.
3. Re:MS would owe at least the key by notaprguy · 2007-03-02 03:18 · Score: 5, Insightful
  
  The commentator on the Inquirer Web site is obviously a total boob (trying to use a British-sounding insult). He's cheering theft which in its own right is sleazy. Worse, he seems to be happy that the legitimate and paying Windows Vista customers are going to be at best confused and worst case screwed because some idiot stole their key. I totally don't understand the bizarre perception that software thievs are somehow Robin-hood-like characters. They're the 21st century equivalent of pick-pockets.
4. Re:MS would owe at least the key by mwvdlee · 2007-03-02 03:26 · Score: 4, Insightful
  
  I can understand the happiness a little.
  
  If this truely starts to be a problem with legitimate users being bothered by having their keys taken, MS will have to loosen up activation. That would be a benefit to all legitimate users.
  
  --
  Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
5. Re:MS would owe at least the key by leuk_he · 2007-03-02 03:29 · Score: 2, Interesting
  
  I bet...
  
  This is not a brute force hacker, but just a database of some key with a fancy interface on top that pretends to be calculation just just updates a progress bar. The database will release some key after some hours of "calculation". Users notice that the (enterprise?) key is accepted and tell it works. MS will notice some volume keys are used too often wan will block them at the next wga update (and the next service pack)
  
  Since MS cannot simply extract the leaked keys form the database they have a harder time to block them.
  
  Note that theinquirer article is mostly speculation based on what the program claims to do, not on facts.... just as my writing here is.
6. Re:MS would owe at least the key by DJCacophony · 2007-03-02 03:32 · Score: 5, Insightful
  
  Or they could NOT loosen up activation, and it would be a hindrance to all legitimate users.
  
  --
  Slow Down, Cowboy! It's been 60 minutes since you last successfully posted a comment.
7. Re:MS would owe at least the key by rednuhter · 2007-03-02 03:33 · Score: 2, Insightful
  
  No, he hopes that by showing the weakness of the activation system that we will no longer be cursed by having to use it.
  He hopes that by affecting existing/legit users that the issue will be brought to task sooner rather than later.
  
  --
  ERR 411[Max number of witty sigs reached]
8. Re:MS would owe at least the key by Zontar_Thing_From_Ve · 2007-03-02 03:34 · Score: 5, Interesting
  
  I don't see how this is possible, or credible speculation even for a company a evil as MS is perceived on slashdot. I'm no MS fanboy, but I've had reasonable "service" from MS on issues of keys to activate my machines under some unusual circumstances.
  
  This may get sticky for MS, but for goodness sake we've got to find better bashing material on MS (and I believe there be plenty) if we want to maintain any street cred. There's no WAY MS won't be giving license keys to legitimate purchasers of XP (especially considering the vast majority are pre-activated shelf-delivered versions).
  
  I think you're probably right. However, all companies in similar situations don't act this way. A few years ago I bought a Russian-English translation program for my PC. I got the best one on the market. I didn't use it a lot, but it was useful to me for quick translations from Russian to English for email. At the time I didn't know Russian as well as I do now and while I could do translations by hand, it took a very long time. It was certainly worth the money to have a computer program do it for me in a few seconds and then I could double check the weird parts and re-translate those myself. It turned what might be a 2 hour translation job at the time into a 10 minute job at worse. A year or so later I had a catastrophic Windows failure and had to do a destructive reinstall. Although I had a valid license key for the translation program, it wouldn't work after the reinstall. The vendor told me their keys are valid for one use only and although I explained that I had bought the product (and they knew I had) and had to do a reinstall of Windows, I got basically "Too bad. So sad. Here's a 10% discount off our lowest price." in response, which still meant I had to buy the product at pretty close to it's normal value. I sucked it up and did that and installed my new key. However, I was very angry because I realized that to the software vendor if I needed a new key I was probably a thief and if I wanted another key, I was going to have to pay for it. After another year or so, guess what? Yep, I had to do another destructive reinstall of Windows. I decided not to rebuy the software. The babelfish translator, which is free, is not as good, but my Russian had improved a lot and I had less real use for a computer translation program. For as little as I needed to use one, babelfish was good enough. However, the vendor of the translation program has lost me forever as a customer because they weren't willing to give me the benefit of the doubt about my problem and my choice was either to buy a new key or live without the program. Their attitude was "If you need a new key, you're a thief". Since then a guy on a forum told me the magic needed to make old keys work on a reinstall, but I've never bothered with it.
9. Re:MS would owe at least the key by catch23 · 2007-03-02 03:36 · Score: 3, Interesting
  
  Unfortunately most of the users of their new operating system will eventually be corporate users. And I'm fairly sure the company is not going to put up with re-activation every few days because a bunch of users in China are stealing their keys. So either the company will ditch the new operating system (bad for microsoft), deal with it (a serious pain for the company), or ask microsoft for a pre-activated key that cannot be reactivated (more trouble for microsoft but saves everyone's butt).
10. Re:MS would owe at least the key by ednopantz · 2007-03-02 03:40 · Score: 5, Funny
  
  The slashbots are excited because this, *this* will be the thing that makes people go to desktop Linux.
  
  Nobody will upgrade to XP--er.... Nobody will upgrade to Vista because of activation.
  
  Yes! 199-, er...
  2003, er....
  
  2007 WILL BE THE YEAR FOR DESKTOP LINUX!!!
11. Re:MS would owe at least the key by Anonymous Coward · 2007-03-02 03:41 · Score: 2, Informative
  
  And if that is true, then perhaps collecting enough valid keys could lead to discovering the actual 'validation function' and removing the need for brute force. Huh? They've got the validation function, that's how this works.
  
  The problem is that it's one-way and reversing it is mathematically hard, so it's easier just to try a scatter-gun approach.
12. Re:MS would owe at least the key by ergo98 · 2007-03-02 03:42 · Score: 2, Interesting
  
  Once the customer uses the key, the previous user of it will eventually be required to re-activate.
  
  Once Vista sets the activated flag, does it actually check for revocation of activation at some prescribed interval?
13. Re:MS would owe at least the key by des09 · 2007-03-02 03:44 · Score: 3, Interesting
  
  Normally, I'd agree without comment, but this case does resemble theft more than most piracy in that the "victim" loses the ability to use the software they [purchased|licensed].
  
  --
  .sigless since 2003
14. Re:MS would owe at least the key by ednopantz · 2007-03-02 03:45 · Score: 5, Insightful
  
  The irony is that this is an example where IP theft *is* actually taking the original out of commission.
  
  Unlike duplicating an mp3, here the original copy is no longer usable. It isn't just making another copy for yourself and leaving the original functional.
  
  But the victim is MS or their customers, so it must be ok.
15. Re:MS would owe at least the key by GIL_Dude · 2007-03-02 03:48 · Score: 4, Informative
  
  Business users (at least large ones) won't be using Retail media on many machines. Since this is a crack for retail there would be no effect on people using MAK or KMS validations as the majority of corporations would be doing. (Yes, I know that for those few corps that want to use Ultimate on some of their machines this could be an issue because Ultimate requires retail activation). However for VL (Business and Enterprise versions) MAK and KMS would be unaffected.
16. Re:MS would owe at least the key by Anonymous+Conrad · 2007-03-02 03:48 · Score: 4, Informative
  This is not a brute force hacker, but just a database of some key with a fancy interface on top that pretends to be calculation just just updates a progress bar. The database will release some key after some hours of "calculation". Users notice that the (enterprise?) key is accepted and tell it works. MS will notice some volume keys are used too often wan will block them at the next wga update (and the next service pack) No, that's not how new the volume license system works. There's two classes of volume license key for Vista:
  
  Multiple Activation Key - will only work a limited number of times
  
  Key Management Services - requires a local license server that maintains the count of keys used and communicates with Microsoft
  
  neither of which will work with your scheme.
17. Re:MS would owe at least the key by DJCacophony · 2007-03-02 03:50 · Score: 4, Informative
  
  Yes, I believe it is every six months, as that is the interval by which Windows Vista retail must be re-activated anyways.
  
  --
  Slow Down, Cowboy! It's been 60 minutes since you last successfully posted a comment.
18. Re:MS would owe at least the key by orderb13 · 2007-03-02 03:51 · Score: 5, Insightful
  
  In which case there will be lawsuits and EULA's will be challenged and a companies responsibility to it's consumers will be better defined. Sounds like a win-win scenario here, as much as anything in regards to this can be called a win.
19. Re:MS would owe at least the key by cswiger2005 · 2007-03-02 03:53 · Score: 4, Informative
  
  Once Vista sets the activated flag, does it actually check for revocation of activation at some prescribed interval?
  Why, yes. Rechecking the activation key against an updated list of revoked licenses takes place as part of the periodic updates to "Windows Validation" delivered via Windows Update. In practice under XP, this happens every month to every few months. Depending on your settings and whatever the future might bring, it might well be the case that machines will be checking for updates & possibly re-validating themselves every week.
  
  --
  "The human race's favorite method for being in control of the facts is to ignore them." -Celia Green
20. Re:MS would owe at least the key by Lord+Ender · 2007-03-02 03:59 · Score: 4, Insightful
  
  Copyright infringement is not theft. It is immoral of you to deliberately misrepresent the issue by using loaded terminology.
  
  Using Microsoft's services, such as Windows Update, could be considered theft. But that is theft from Microsoft, not from consumers.
  
  --
  A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
21. Re:MS would owe at least the key by vux984 · 2007-03-02 04:00 · Score: 5, Insightful
  
  So you imagine he probably works for a non-commercial software company?
  
  Regardless, its copyright infringement, not 'theft' and not 'piracy'. Its really quite simple, theft is when you physically take something that doesn't belong to you. Copyright infringement is, amongst other things, when you make a copy of something you aren't authorized too.
  
  In fact in this case the real issue isn't even copyright infringement. Suppose I use this keygen on legally purchased software. What laws are being broken?
  
  I didn't 'steal' your key, I happened to come up with the same number MS assigned to someone else independantly. Hell, I might have come up with the number before MS, which, if anything, would make it -my- intellectual property; and MS would be infringing my copyright by issueing you "my" key string.
  
  Which is of course absurd.
22. Re:MS would owe at least the key by CmdrGravy · 2007-03-02 04:01 · Score: 5, Funny
  
  I'm not sure boob is really typically British insult, I have a German friend with the same trouble who believes that the word ignoramus is in common enough use to pass himself off as a native although he is sadly mistaken in this.
  
  For future reference you could try using words like:
  
  Fuckwit, wanker, bastard, fuckhead, tosser, cunt, spanner, moron, dickhead or even shit for brains.
  
  For example:
  
  "The commentator on the Inquirer Web site is obviously a total fucking wanker. The fuckwit is cheering theft which is in its own right sleazy. Worse, the cretin seems to be happy that the legitimate and paying Windows Vista customers are going to be at best confused and worst case screwed because some idiot stole their key. What a fucking cock !"
  
  I must admit I probably have the same problem in my belief that most Scottish people curse each other by calling them sassenachs.
23. Re:MS would owe at least the key by Brian+Gordon · 2007-03-02 04:05 · Score: 3, Interesting
  
  What is peoples' problem that they can't undertand that "I did it for fun and experience" is a valid reason for an exploit?
24. Re:MS would owe at least the key by Brian+Gordon · 2007-03-02 04:08 · Score: 5, Informative
  
  Since it's a vbscript the code is wide open. Look for yourself, this is a legitimate brute forcer.
25. Re:MS would owe at least the key by SatanicPuppy · 2007-03-02 04:09 · Score: 5, Insightful
  
  When it's Microsoft's long costly lawsuit?
  
  Sorry, couldn't resist.
  
  In the end though, this sort of corporate behavior is hugely annoying. Microsoft rose to the top partly because it looked the other way on unlicensed use of it's products, and now that it's the standard, it's trying to lock down. Well, the problem is, now there is a huge group of people who have a vested interest in using that software for free, and there is no way that they're going to beat them using a purely technical solution...Crackers are proving that on a daily basis.
  
  Smarter of them to leave things as they were.
  
  --
  ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
26. Re:MS would owe at least the key by VJ42 · 2007-03-02 04:14 · Score: 5, Insightful
  
  How is a long, costly lawsuit a winning scenario? It's a winning scenario for the lawyers...
  
  --
  If I have nothing to hide, you have no reason to search me
27. Re:MS would owe at least the key by Anonymous Coward · 2007-03-02 04:15 · Score: 2, Funny
  
  "Any customer who gets their key "stolen" by this program can just take it back - Vista comes with several activations on the same key. Once the customer uses the key, the previous user of it will eventually be required to re-activate."
  
  Someone else is using your activation key: Cancel or Allow?
28. Re:MS would owe at least the key by mike2R · 2007-03-02 04:25 · Score: 2, Insightful
  
  Unless you nicked a box set from a shop, then you haven't taken any goods - ie not theft, it's a civil offence of copyright infringment.
  
  I agree it's a nitpick and not a justification for copying Vista, but it is a llegitimate response to the "Copyright is Theft" slogan.
  
  --
  This sig all sigs devours
29. Re:MS would owe at least the key by drinkypoo · 2007-03-02 04:34 · Score: 2, Insightful
  
  Copyright Infringement might not be theft but its illegal. Also when you steal a key thats not copyright infringement thats stealing because only one copy can be used, so you basically stole someones copy of it.
  
  No, you didn't. By punching a number into a dialog box you don't take their key. Microsoft, in fact, takes away their right to use their purchased software.
  
  The system is stupid and broken. The fact that I can go read a number off your PC, then come home and use it to invalidate your Windows installation is an example of Windows being broken as designed.
  
  Unless I come into your house and remove the sticker from your computer, no theft is occurring.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
30. Re:MS would owe at least the key by brouski · 2007-03-02 04:35 · Score: 2, Insightful
  
  For anyone else interested in a primer to good British swearing, watch some cooking shows with Gordon Ramsay. He pretty much runs the gamut.
  
  --
  Proud member of the American Non Sequitur Society. We might not make much sense, but boy do we love pizza!
31. Re:MS would owe at least the key by drinkypoo · 2007-03-02 04:36 · Score: 5, Insightful
  
  The irony is that this is an example where IP theft *is* actually taking the original out of commission.
  
  The irony is that you think violations of IP is theft.
  
  The person who brute force discovers and uses someone else's code is not the one causing their Copy of Windows to be invalidated. Microsoft is doing that.
  
  This is a very important distinction.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
32. Re:MS would owe at least the key by AlHunt · 2007-03-02 04:38 · Score: 4, Insightful
  
  Why, yes. Rechecking the activation key against an updated list of revoked licenses takes place as part of the periodic updates to "Windows Validation" delivered via Windows Update.
  
  I am *so* glad Linux has evolved to the point it is today. I still have an XP partition and probably will for a while, but why MS expects people to keep putting up with this "phone home" behavior is beyond me. XP still handles ACPI better than Linux, but I'm happy to trade off a little convenience for control of my own machine.
  
  --
  1 in 4 Maine children in struggle with hunger.
33. Re:MS would owe at least the key by JackMeyhoff · 2007-03-02 04:55 · Score: 2, Insightful
  
  Every 6 months I have to explain myself and prove my innocense? I'm glad I wont be purchasing Fista. Do OEM keys need activating? On previous Windows editions they did not require activation as that would piss off OEM customers no end.
  
  --
  http://www.rense.com/general79/wdx1.htm
34. Re:MS would owe at least the key by ednopantz · 2007-03-02 04:57 · Score: 2, Insightful
  
  The irony is that you think violations of IP is theft.
  Not so much ironic as subscribing to a different value system.
  
  Ironic would be someone who pirates windows freaking out because somebody violated the GPL. Which happens all the time here.
  
  The person who brute force discovers and uses someone else's code is not the one causing their Copy of Windows to be invalidated. Microsoft is doing that.
  This is a very important distinction..
  
  Exactly, like when I used your card number to order all that stuff. It wasn't me who took the money from your account, it was the bank. I just typed in some numbers. Why are you so upset? Credit Card numbers are information and information wants to be free. How could anyone be upset about that?
35. Re:MS would owe at least the key by PPGMD · 2007-03-02 05:01 · Score: 2, Insightful
  
  Rechecking the activation key against an updated list of revoked licenses takes place as part of the periodic updates to "Windows Validation" delivered via Windows Update. In practice under XP, this happens every month to every few months.
  The only time that Windows XP checks to see if the key is valid is if you go through WGA. Nothing forces you to go through WGA, you can still apply the patches manually.
  I still don't understand why people get upset with a company periodically checking to see if your install is valid. They have been doing it for years with Business Software. Now because of increasing amounts of piracy companies like Microsoft who make most of their money from the OS itself have to do it for their software.
  And don't tell me that piracy isn't out of hand. On here people brag like they achieved some victory against Microsoft when they pirate Windows. Go to any Asian country, or heck even China Town and you will see racks of pirated software. Piracy is all around us.
  Microsoft's attempt to curb it aren't quite as annoying as most people think. You simply forget for every whore story there are 100 or more people that had no issue, the people that speak up are the ones that had issues with the software. Even then I doubt the claims made by many, I found in the fews cases where I had a with activation a 5-10 minutes phone call to Microsoft's activation line fixed things right up.
  I am sure that I am going to take a hit for this, but Vista isn't the pile of evil that people make it out to be. I personally find it a pretty good OS, though it will be 6 months to a year before I switch. Driver companies and software companies need to release updates so things work smoothly.
36. Re:MS would owe at least the key by volvo64 · 2007-03-02 05:04 · Score: 2, Funny
  
  | Yes, I believe it is every six months, as that is the interval by which Windows Vista retail must be re-activated anyways.
  Don't you mean re-installed?
37. Re:MS would owe at least the key by Danga · 2007-03-02 05:42 · Score: 2, Interesting
  
  but why MS expects people to keep putting up with this "phone home" behavior is beyond me... but I'm happy to trade off a little convenience for control of my own machine.
  
  MS phoning home to check if the OS is pirated does not seem like some huge big deal to me. I mean if they have a list of KNOWN pirated keys then it is their right to be able to check for those keys if you want to be able to access the windows update webpage (which is one place I think the validation occurs but I could be wrong). It isn't really losing control either because I think it asks you before it does the checking, I know last night on my laptop a thing popped up asking to click through to validate and it was painless. If you call that losing control you are crazy IMO. If you are that paranoid then either don't install Windows in the first place, setup your firewall to block everything to Redmond, or don't connect the machine to the internet.
  
  Is the reason you don't want to "put up with this phone home behavior" because your copy of Windows is pirated?
  
  I am *so* glad Linux has evolved to the point it is today.
  Linux definitely has gotten better over the years but for me the biggest reason keeping me using Windows and not going Linux exlusively is games and the ease of installing new hardware. I have almost never had a problem installing new hardware on Windows XP Pro which I can't say the same thing for linux. Getting some things to work on linux is just a huge headache. My latest problem with linux was last month when I decided to download the latest Fedora ISO to install on an old P3 500 box I had sitting in the closet. Guess what? It couldn't even get more than about 20 seconds into the installation process! It got to a certain point checking the hardware if I remember correctly and just froze. I thought about digging up my old Red Hat discs I have somewhere that I have installed on the same machine sometime in the past but then ran out of time. Linux isn't to the point yet where I can dump Windows completely, it has A LOT of work left.
  
  --
  Hey, there is only one Return and it's not of the King, it's of the Jedi.
38. Re:MS would owe at least the key by Taelron · 2007-03-02 05:55 · Score: 3, Informative
  
  Not according to Microsoft... According to their speakers at the MS Vista launch event, even the Home and Ultimate versions need to call Microsoft every 180 days to verify their key.
  
  The buisness users can purchase an "Activation server" they maintain in house and can configure their workstations to call it to verify they have legit keys. The Activation server in house still has to call Microsoft every 180 days to verify all the license information it has.
  
  The in house Activation server came about because of Government and Private organizations that want to have unconnected secured networks. Though the "Activation Server" needing to call MS every few months can result in a "potential breach" or extra wasted IT staff hours as you call the phone number to manually activate again...
  
  Another option you have, though Microsoft claims that they did not enable it in Vista, as Volume License keys will be used in house only and no longer shipped out to customers, are the MAK license options in their Volume license 2.0 program. But as I said, MS claimed at their launch day event they will not be shipping any such versions of Vista...
  
  http://www.microsoft.com/technet/windowsvista/plan /faq.mspx
39. Re:MS would owe at least the key by PitaBred · 2007-03-02 06:15 · Score: 4, Insightful
  
  So wait... Microsoft is requiring you to run a server just to run their fucking operating system? It adds NO value whatsoever to the company using it, yet takes their electricity, time and resources to maintain? Does that sound absolutely asinine to ANYONE else? Wouldn't a CTO/CIO be slightly annoyed at having to allocate extra resources just to run an operating system whose only real function is to allow the real work to get done?
  
  --
  My blog. Good stuff (when I remember to update it). Read it.
40. Re:MS would owe at least the key by PitaBred · 2007-03-02 06:19 · Score: 2, Informative
  
  Some necessary things DO require WGA. I just installed a patch to make my work laptop hibernate correctly, because I recently upgraded it to 2GB of RAM. I had to go through the WGA check on their web page to download that patch. It's ONLY "security" related patches that are sent out regardless of WGA status.
  
  --
  My blog. Good stuff (when I remember to update it). Read it.
41. Re:MS would owe at least the key by deathy_epl+ccs · 2007-03-02 06:22 · Score: 3, Informative
  
  So wait... Microsoft is requiring you to run a server just to run their fucking operating system? It adds NO value whatsoever to the company using it, yet takes their electricity, time and resources to maintain? Does that sound absolutely asinine to ANYONE else? Wouldn't a CTO/CIO be slightly annoyed at having to allocate extra resources just to run an operating system whose only real function is to allow the real work to get done?
  Your assumption here seems to stand on rather shaky ground, though... I'm sure that you can run more services than just the authentication mechanism - I would expect that you'd probably want to run the license authentication service on your domain controller or something similar, unless you're in a really gigantic shop.
42. Re:MS would owe at least the key by Dragonslicer · 2007-03-02 06:42 · Score: 2, Insightful
  
  Just because it isn't federal law, that doesn't mean it isn't illegal. And just because you aren't taking physical property, that doesn't mean it isn't theft. Look into your state's laws regarding Theft of Services. Whether or not using an illegitimate Windows key falls under theft of services may be debatable, but the oft-repeated statement that "it isn't theft if the other person doesn't lose a physical object" is not true in all states.
43. Re:MS would owe at least the key by deathy_epl+ccs · 2007-03-02 06:54 · Score: 4, Informative
  
  How is it any different than needing a corporate license server for Autocad, or Rational, or any of the other software commonly licensed this way on the corporate level? It's not like these license servers are terribly difficult to maintain.
  
  I think you imagine the maintenance to be a lot harder than it really is. Maintaining a single license server has, in my experience, been easier than maintaining hundreds of keys individually.
44. Re:MS would owe at least the key by PitaBred · 2007-03-02 07:15 · Score: 3, Interesting
  
  But those programs you listed actually DO something tangible contributing to the business, rather than just being there to enable OTHER programs to work. If AutoCAD license were essentially forced on companies, then I'd be upset in the same way. But now to just get basic "turn my computer on and use it to run other programs" functionality, you now need yet another service (or perhaps entire server) eating up network bandwidth and administration resources, because they're the de-facto standard due to monopolistic tendencies?
  
  --
  My blog. Good stuff (when I remember to update it). Read it.
45. Re:MS would owe at least the key by JackMeyhoff · 2007-03-02 07:16 · Score: 3, Insightful
  
  Can you imagine the store demanding you go to them or call them and show them your receipt of the products you bought from them? No, I cant imagine that happening ether but this is the way software companies expects you to behave.
  
  --
  http://www.rense.com/general79/wdx1.htm
46. Re:MS would owe at least the key by ergo98 · 2007-03-02 07:24 · Score: 2, Insightful
  Now because of increasing amounts of piracy companies like Microsoft who make most of their money from the OS itself have to do it for their software.
  
  Increasing amounts of piracy?
  
  I don't buy it.
  
  Here's an academic exercise: Calculate Microsoft's marketshare over the past 15 years, and the relative size of the market each year. Compare that with Microsoft's operating system gross revenue. I haven't actually done this myself, but I'm very confident in the result of such an analysis.
  
  What you're going to find is that the gross revenue has been grossly outpacing actual deployed copies.
  
  Piracy isn't increasing at all — in fact I'd say the opposite, and point out that 10 years ago everyone and their brother ran a pirate version of Windows &| DOS, and among small businesses the license compliance was atrocious. Now I don't know a single person who didn't pay the Microsoft tax when they bought a PC, and almost no-one actually buys retail or does upgrades. Among small businesses, paranoia about the jackboot-squadrons has made casual piracy a huge no no — however the demand for Microsoft to pump up the revenue in a period when customers have largely lost interest is making them monetize a previously unexploited market.
  
  Look the other way, with limited or no protections
  Gain massive marketshare because few actually paid hundreds for Windows 3.11 et all
  Wait, while emitting involuntary evil cackling
  Start enabling WGA, Activation, and legal threats to monetize marketshare.
  Even bigger profit, or at least something to make up the difference when other channels start declining
47. Re:MS would owe at least the key by drinkypoo · 2007-03-02 09:07 · Score: 3, Interesting
  
  The irony is that you think violations of IP is theft.
  Not so much ironic as subscribing to a different value system.
  
  Unless you subscribe to a different dictionary, this is really quite irrelevant. Copyright infringement is not theft. It is copyright infringement. We have a whole separate area of law to address it specifically because they are not the same thing.
  
  Ironic would be someone who pirates windows freaking out because somebody violated the GPL. Which happens all the time here.
  
  Well, I agree with that assertion, anyway.
  
  The person who brute force discovers and uses someone else's code is not the one causing their Copy of Windows to be invalidated. Microsoft is doing that. This is a very important distinction..
  Exactly, like when I used your card number to order all that stuff. It wasn't me who took the money from your account, it was the bank. I just typed in some numbers. Why are you so upset? Credit Card numbers are information and information wants to be free. How could anyone be upset about that?
  
  Heh heh. Information wants to be free. Yeah, and my car wants to go fast.
  
  Seriously though, I don't feel that the two situations are analogous. If I intentionally used your specific registration code to invalidate your copy of windows, well, I'm still not stealing anything. I am taking an action that indirectly causes Microsoft to invalidate your copy of windows. I agree that doing that intentionally would be wrong, but I don't agree that it is theft.
  
  For one thing, you are still the owner of the copy of windows, or if you believe the bullshit that the computer industry attempts to push on you, the licensor. I am not. Therefore Microsoft is illegally terminating your right to use the software (whether you are in legal fact an owner or a licensor.) The fact that Microsoft would take an additional use of your key (which, as should have been obvious after the Windows XP Key generator, can be brute-forced) as a sign that you have broken the EULA or otherwise no longer have the right to use the software is the problem here.
  
  In addition, there are legitimate reasons to use a key which is not your own. You could have legally purchased the software but no longer have box or manuals (do you even get any manuals?) and you may not even have the disc - it could have been destroyed. You are still the legal licensor, under the "licensee" way of thinking. You are still entitled to run the software, but lack the means to do so without generating another key. Microsoft, however, prevents you from using the software for which you have paid. So, you might consider generating a key so that you can use the product. If Microsoft then chooses to invalidate someone else's copy of Windows, how is that my fault?
  
  You're acting like Microsoft is reasonable and I am unreasonable. But what's reasonable about invalidating your copy of windows just because someone else has the same key? Once, the EDD made me use a fake social security number because some mexican (I'm a quarter mexican, not that you could ever tell by looking at me) was using mine to evade taxes. That meant that my history was lost, and a new account was started for me. Was that right? But that guy had no real choice; the US has been taking gigantic shits on Mexico and helping to preserve the utterly corrupt status quo for many, many years now, because if we don't have mexicans to pick fruit and veggies, you'll be paying four bucks for a head of iceberg lettuce and sixty bucks for a bottle of crappy wine. So in order to feed his family he came here, and in order to work he used my SSN. Was the EDD's response justified? That poor field workin' dude didn't use my SSN in order to cause me hardship, but it happened anyway - but not because of him, because of the ridiculous response from the EDD.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
48. Re:MS would owe at least the key by toddestan · 2007-03-02 12:48 · Score: 2, Insightful
  
  How is it any different than needing a corporate license server for Autocad, or Rational, or any of the other software commonly licensed this way on the corporate level? It's not like these license servers are terribly difficult to maintain.
  
  It's different becaues with programs like Autocad, you generally don't have all your users of the software using it at the same time. Thus, the license server allows the company to save some money buy only buying the number of licenses they think they will need at any one time and having people "check out" the license from the server when they start the application, instead of buying a license for every computer that needs the software. On the other hand, most corporate PCs are going to be running Windows all the time, so the number of licenses is going to equal the number of PC's anyway. Thus, the server doesn't save the company any money by letting them get by with less licenses.
49. Re:MS would owe at least the key by AnyThingButWindows · 2007-03-02 18:21 · Score: 2, Insightful
  
  Purchasing hundreds, or thousands of dollars worth of hardware just to maintain 'SOME COMPANY's' licensing scheme seems pretty damn stupid to me. Why would any company in their right mind, spend that much money to maintain another company's so called 'anti piracy efforts'. Why can't microsoft pony up their OWN cash to maintain their OWN problems. Everyone knows they have the money. Sorry, but forking over money to protect someone elses delusional 'anti-priacy-scheme', that I might not even agree with in the first place is is not a solution. Microsoft needs to tackle their own problems instead of trying to get others to do so. Not even an wild animal would imprison itself, why would a human?
  
  The entire idea is right out of 1984. If you object to that idea and want to mod this down, then good luck with your 10 minute hate.
  
  --
  When government fears the people, there is liberty. When the people fear the government, there is tyranny. - Jefferson
Easy Fix by DJCacophony · 2007-03-02 03:04 · Score: 2, Insightful

All Microsoft has to do is block the IP address that is requesting thousands of activations on separate, invalid keys per second.

--
Slow Down, Cowboy! It's been 60 minutes since you last successfully posted a comment.
1. Re:Easy Fix by tomstdenis · 2007-03-02 03:06 · Score: 4, Insightful
  
  Lots of botnets run on windows ... I wonder if they could be commanded to scan for license keys.
  
  Tom
  
  --
  Someday, I'll have a real sig.
2. Re:Easy Fix by Brian+Gordon · 2007-03-02 03:07 · Score: 4, Informative
  
  I think the program actually tries the keys on its own algorithm, and when it finds a valid one it tells you to submit it to microsoft.
3. Re:Easy Fix by richy+freeway · 2007-03-02 03:12 · Score: 3, Informative
  
  You're right. You have to monitor your Vista key to see if it's changed, using the Jellybean Keyfinder. When you spot it's changed you have to manually attempt an activation. If it fails then you leave it running longer until the key changes again, then retry activation. Repeat until activation succeeds.
4. Re:Easy Fix by Odiumjunkie · 2007-03-02 03:15 · Score: 5, Informative
  
  > All Microsoft has to do is block the IP address that is requesting thousands of activations on > separate, invalid keys per second. RTFA. That's nothing like how this works. The actual activation part is totally manual, only the key generation is automated. You can generate keys without any kind of network connectivity.
5. Re:Easy Fix by another_fanboy · 2007-03-02 03:30 · Score: 2, Funny
  
  Imagine a Beowulf Cluster of These!
  Windows boxes or botnets? I for one would be frightened of either.
6. Re:Easy Fix by NSIM · 2007-03-02 04:08 · Score: 4, Insightful
  
  Lots of botnets run on windows ... I wonder if they could be commanded to scan for license keys.
  That's actually a pretty scary thought, it's not hard to determine the install key used from an application running on the OS (there are several utilities out there today.) A botnet could e designed to get the install key and send it back to someone who could maintain a database of valid keys. This probably true for just about any application or OS that uses an install key, to be honest I'm surprised somebody hasn't already done this to XP or Office.
7. Re:Easy Fix by kv9 · 2007-03-02 04:10 · Score: 2, Funny
  
  Imagine a Beowulf Cluster of These!
  imagine a beowulf cluster of cheese!
  
  --
  Stop Computers/Cars Analogies on S
8. Re:Easy Fix by dintech · 2007-03-02 04:51 · Score: 4, Funny
  
  Nice, you invented the concept of thievery@home. I imagine a print out of lots of vista keys with "wow!" written at the side of one...
Sounds like a distributed computing project to me by nizo · 2007-03-02 03:07 · Score: 5, Funny

I can see it now: thousands of computers worldwide activating keys, just to make life miserable for Microsoft and users. It could be called the "annoy Microsoft Windows Users at home" project.

--
I Am My Own Worst Enemy
relax by ohzero · 2007-03-02 03:07 · Score: 5, Funny

I guarantee you MSFT will release a patch to reorder license keys or figure out some other solution. If you were the largest software company in the world, and you had a product that was being touted as "more expensive than switching an entire IT department to OSX:, wouldn't you?

--
-- http://www.criticalassets.com
tough questions by gEvil+(beta) · 2007-03-02 03:11 · Score: 3, Funny

To make matters worse, Microsoft will have to decide if it is worth it to allow people to take back legit keys that have been hijacked, or tell customers to go away, we have your money already, read your license agreement and get bent, we owe you nothing.'

Hmmm, I wonder which way Microsoft will go on this one...

--
This guy's the limit!
Ironically... by jejones · 2007-03-02 03:11 · Score: 4, Funny

Just as I read this article, pandora.com started playing the title cut from David Wilcox's Vista album:

"...and the wide open vista..."
Re:Er... by Goaway · 2007-03-02 03:14 · Score: 4, Funny

Why not actually try to read the article to see how the program works?
Re:Sounds like a distributed computing project to by Anonymous Coward · 2007-03-02 03:21 · Score: 2, Funny

It could be called the "annoy Microsoft Windows Users at home" project.
AMWUAH project has been renamed "Vista" for consumers' sakes.
Re:Sounds like a distributed computing project to by tomhudson · 2007-03-02 03:22 · Score: 4, Funny

"I can see it now: thousands of computers worldwide activating keys, just to make life miserable for Microsoft and users. It could be called the "annoy Microsoft Windows Users at home" project."
Yes, but does it run under linux :-)
Re:Not too big of a deal by tomhudson · 2007-03-02 03:29 · Score: 5, Insightful

"as someone who has worked on systems such as these (oh the inhumanity!) we have looked at this particular attack vector. Yes, it is possible. But, when you consider the size of the activation code domain (quadrillions or more of combinations), with the number of legitimate keys (hundreds of millions), and the fact that each request takes some amount of time (a few seconds), it's not too big of a risk. A risk? yes. But there are lots of risks. This is just another one to be put on the list, watched, and mitigated against (as others have said, with blocked IPs and so forth)."
Obviously someone else who didn't read either the article OR all the other user comments - no net connection required to generate the keys - the attempts to change the key are done locally; after a successful local key change, submit the new key for activation.
Blocked IPs won't do jack shit for such a scheme.
Also, you're not trying to find a specific key that works, just one of many, so even with a huge wrong-key space, you'll get a favourable collision with a valid key sooner, rather than later. Its like the same-birthday problem.
Welcome to the non free world. by twitter · 2007-03-02 03:34 · Score: 4, Insightful

I don't see how this is possible, or credible speculation even for a company a evil as MS...

Sorry, that's their EULA. You have two choices when you purchase anything M$, return the package unopened for a full refund or use it. They do not and can not promise it will work and they are not responsible for the actions of others. They regard anything they do beyond the EULA a favor for which you should be grateful, just like they regard anything their software ever does for you. They think you should be so grateful that you do as they say. This is the nature of non free software. Your master may take care of you or they may not and those are the conditions you must agree to if you want to use non free software.

They don't trust you. They made the registration key in the first place to restrict the number of computers you can use before you pay them more. When you call and claim your key does not work, they can't tell the difference between you and someone who's shared their key. Once again, this is the nature of non free software.

--
Friends don't help friends install M$ junk.
1. Re:Welcome to the non free world. by Like2Byte · 2007-03-02 04:29 · Score: 2, Interesting
  
  You have two choices when you purchase anything M$, return the package unopened for a full refund or use it.
  
  A while ago I purchased a new computer that I pieced together from OTS parts in a FRY's store in Indy, IN. Well, after their PC people informed me that certain parts would work with other certain parts, after I took it home and assembled it, it didn't work. They gave me wrong memory, wrong power supply, etc... It was a huge screwup. I accept responsibilty for not doing my own homework on the specific parts for the system; but, there was no *WAY* I was going to keep the system after listening to their recommendations and it not work.
  
  FRY's reluctantly took back all their parts. However, there was one they fought me over. The opened package of Windows XP Professional. Their Customer Service manager fought tooth and nail with me on why they shouldn't take it back and why I told them they *will*. I bickered with them for almost an hour on this one issue. I did not back down one inch. I won.
  
  I got my money back and they got the opened package back. When you're right, you're right. It's as plain as that. Reach the right people, show them why their process/procedure is FUBAR and you will more than likely receive the correct response.
  
  However, I wouldn't place bet's that I could do it again.
2. Re:Welcome to the non free world. by DoofusOfDeath · 2007-03-02 04:41 · Score: 2, Insightful
  
  They regard anything they do beyond the EULA a favor for which you should be grateful, just like they regard anything their software ever does for you. They think you should be so grateful that you do as they say.
  
  Don't you even feel a little silly about mis-characterizing the attitude of MS employees that way? Even non-evil software companies strive for some limit on their liability and responsibility, because it's just really hard to get complex software to always work. If you were subject to constant lawsuits, you'd be sunk.
  
  It's true the EULAs are written in the vendors' best interests, and that shrink-wrap licenses should be unenforcible, and that retail software should be subject to fitness-for-purpose laws. But to characterize the MS people as swaggering a$$holes wearing jack-boots and refusing to look up from their lavish meal while you beg before them on your knees is just, well, silly.
3. Re:Welcome to the non free world. by julesh · 2007-03-02 05:15 · Score: 4, Informative
  
  Sorry, that's their EULA. You have two choices when you purchase anything M$, return the package unopened for a full refund or use it. They do not and can not promise it will work and they are not responsible for the actions of others.
  
  There's this little thing called an implied warranty of fitness for a particular purpose. When you buy something -- anything -- unless it has large letters on the outside of the box saying that it doesn't work, it comes with one. It states that, basically, if you use the product for the purpose for which it is marketed (i.e., with software, try to run it on a computer), it will perform that purpose to at least a basic level.
  
  It is not legally possible for MS's EULA to disclaim this warranty, it's a basic right that you get when you buy something.
  
  When you buy something that doesn't meet this warranty, you're entitled to a full refund. Whether you've opened the package or not.
it is useless by WARM3CH · 2007-03-02 03:41 · Score: 5, Informative

It seems that this technique doesn't test against the microsoft server, but can tell if a key is valid on the local computer, which would actually be news.
This is not really that important if a key is validated in a local computer or not. Any key needs to be finally validated by the servers: Out of all possible valid keys that pass the validation on a local computer, only very very tiny number of them are actually keys that have been (or will be) issued by Microsoft. Think of it like this: with 25 symbols for the keys you have a huge huge search space A. Now, this program finds the keys that are valid according to the magic formula that Vista validation system uses. All these keys form a very very tiny subset of A, called B. However, the set of keys that Microsoft has already issued (or will ever issue), set C, is only very very tiny subset of B. This program finds random keys in the B but to actually validate Vista with them, user has to contact Microsoft's servers to see if the key are part of the C or not. This is where the whole things breaks down next to being totally useless. (this is the same story with the CD-Keys of the mutli-player games...)
Except we know already what happens by Moraelin · 2007-03-02 03:42 · Score: 5, Insightful

The problem of generated keys and conflict with legit keys isn't new, so we already know what happens. The same existed for XP -- plus the added collison of dishonest OEM's selling one legit serial number to 100 different people who bought their computers with XP preinstalled -- and we already know what Microsoft chose: to not annoy the paying customers. What it did try to do was go after the OEM's who did that, but _not_ after the victims. The victim never had to do more than call an (automated) telephone number and get another key. It's always been that simple.

Yes, there have been some fucktards too historically, but MS was sane about it so far. I'm not saying they're saintly or anything, feel free to still be anti-MS if it makes you feel any better. Just that their sane. Even if you want to see them as some kind of super-willain, well, as super-villains go, MS was the _sane_ kind so far. The kind who's read the evil overlord's list, not the random lunatic kind. It knows when _not_ to do something that would damage itself very quickly.

Look, there are plenty of real reasons to whine about MS, no need to invent bullshit FUD scenarios. That kind of going into bullshit fantasy land, just to have something bad to say about MS, just damages the credibility of the real complaints.

--
A polar bear is a cartesian bear after a coordinate transform.
1. Re:Except we know already what happens by db32 · 2007-03-02 04:03 · Score: 2, Insightful
  
  1. I have called them for problems with keys. Sometimes they hand a new key over the phone like its nothing, sometimes its flaming hoops of death and hours on hold. Hit or miss with that, but as to be expected from any large corporation that has gone through so many hoops to assume their customers are all criminals.
  2. I'm not saying its some supervillian plan, I am saying this is the kind of horse shit that comes out of large money hungry beurocratic organizations. It's not really MS specific.
  3. I think their product is a tolerable product for some things (right tool for the job stuff). I despise their business practices because the only reason their product IS a tolerable product for some things is because they successfully violated so many laws to make it the defacto standard. They are not innovative, the people who typically think they are have only ever been exposed to MS products and don't realize that the vast majority of the shit they do are poor 'embrace and extend' bastardizations of good ideas that came from other places.
  
  Ultimately, they are a very large beurocratic money hungry organization with a piss poor track record of behaving ethically. They aren't the only organization like this, but they certainly are one of the biggest. In the meantime I am going to laugh at their horrible mistakes, their losing lawsuits, and the other nonsense monkey boy puts out. Their products are getting worse and they are less of a software giant and more of a comedy club these days anyways. "developers developers developers developers" "fuckign kill google!". I hope chair tossing becomes an olympic sport soon too.
  
  --
  The only change I can believe in is what I find in my couch cushions.
Re:Not too big of a deal by tomknight · 2007-03-02 03:51 · Score: 2

Why on earth not? Let's say several could be around five or so. So that's five orders of magnitude, 100,000. So do you really maintain that it's not possible to have 10,000,000 x 100,000 = 1,000,000,000,000 (1 x 10^12) keys? I don't the nature of the Vista licence key, but if they're using 25 alphanumerics that's 35^25 possible keys. That's a big number, c. 4 x 10^38 - now I doubt anyone here knows the ratio of valid keys to possible keys, but I dare say that 1 x 10^12 would fit in...

So what it come down to is that by attempting to expose someone else's ignorance you merely display your own.

And I'm sure someone else is about to say roughly the same about me, any time now ;-)

--
Oh arse
Is this a HOAX? by Zo0ok · 2007-03-02 03:56 · Score: 2, Interesting

I couldnt find the download. People on Slashdot seems to be unusually confused about how this thing works - even those who claimed to read the article. I didnt find the article/method very confusing, but I dont know enough about Vista to tell if it COULD work or not. Are people confused because someone made something up that can not work? There are other cases where evil people have distributed trojans this way.

Is this a HOAX?
This has me curious... by jvkjvk · 2007-03-02 04:01 · Score: 2, Interesting

Is is possible to create a program that simply activates Vista licenses? -- I mean, without having Vista at all. Just connects to MS and attempts to activate keys, all day long.

It would be like a DOS on the licensing mechanisms.
Having RTFA... by d3ac0n · 2007-03-02 04:04 · Score: 4, Informative

AND having gone to the site and read through the ENTIRE thread on their forums;

What we have here is a random number/letter guesser. It's basically a VB Script that guesses random numbers and letters in a string that is the same length as a Vista Key, then inserts it into the registry, overwriting the existing Vista key. You use Magic Jellybean to check when the key has changed, and then manually check it against MS's activation service. Really this is little more than a person manually sitting down and making key guesses. This is why it's called a "Brute Force" attack. There is no intelligence (ie: an algorithm) behind the key guesses at all.

That said, because it IS so simple, it's almost impossible for MS to defend against, since they can't just "ban" any keys made by it like they would a traditional algorithmic keygen. Also, there is an improved version of it posted as source on the boards there, so if you want to take a peek at the code you can.

Here is a link to the forum post in question: http://keznews.com/forum/viewtopic.php?t=2634

--
Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
1. Re:Having RTFA... by Abalamahalamatandra · 2007-03-02 05:21 · Score: 2, Interesting
  
  It gets better...
  
  The improved version is a nice rewrite of the routine in question that drops some letters (obvious candidates for a number to letter mixup like "ell" and "ess") and moves some assignments outside the loop - now it's generating 100K+ keys in 16 minutes on an X2 4200+ processor! And saving them to a file as well.
  
  Things like this are definitely proof that Microsoft simply DOES NOT UNDERSTAND security in any way shape or form. Firstly, having something this important even be available as a VBScript function is positively hilarious, and secondly, not inserting delays in the product key validation routine to foil brute-force attempts is a seriously n00b error.
Re:Predatory Pricing by eck011219 · 2007-03-02 04:12 · Score: 2, Insightful

Whoa, now, let's not get carried away. I know this is Slashdot, but you're suggesting that Microsoft is responsible for other people's illegal actions just because of certain aspects of its products are confusing or inconvenient? That's hardly a compelling defense -- it's the corporate version of "stop hitting yourself."

--
It is pitch black. You are likely to be eaten by a grue.
Actually this crack won't help most people.. by goombah99 · 2007-03-02 04:16 · Score: 5, Interesting

One poster on the crack forum wrote "5 hours and i got 3 legit keys." at 20K/hour that's only 100,000 tries or 33,000 per key. So apparently despite having a 25 digit key space, Microsoft's algorithmic validity check allows 1 in every 33,000 keys. What where they thinking?
As I pointed out in the post above the chance of a randomly generated working activation- key colliding with a legitimate keys is probably worse odds than 1 in a trillion. So this will probably never ever happen by chance.
However, chance might not play a role here. Given this colossal stupidity one also assumes they did something dumb like make the decoded keys have some sort of sequential pattern too, so given enough keys one might be able to figure out how to actually generate keys directly. In that case MS will have a problem with the key-collisions with legitimate keys because people could deliberately generate those.
Why would deliberately generating legitimate keys be a good idea for a cracker? Well, if you do generate a random activation key, it will activate the product but Microsoft will also be able to determine that it's one that it did not issue. So the moment vista phones home or you try to do a system update, or install any piece of software from MS that can check the key (e.g. office), microsoft is gonna shut your genuine ass down. On the other hand if you were to generate a key that coincided with a legitimate key, then MS won't know you filtched it. So there's an incentive to see if MS also made the patterns predictable.
You could of course try to live off line. but that level of piracy is not a threat to MS.
All that said my guess is that this is not possible. If I were creating these keys what I woul dhave done would be to use public key encryption. I'd take the integers 1 to 1 billion, and encrypt them with my private. The the Vista copy caries the public decode key. To validate the vista installer decrypts the user supplied key. If it's a number between 1 and billion, you've been validated. MS can now issue up to 1 billion copies of the software with distinct keys.

--
Some drink at the fountain of knowledge. Others just gargle.
PR's not *that* bad... by AceJohnny · 2007-03-02 04:16 · Score: 2, Funny

"tell customers to go away, we have your money already, read your license agreement and get bent, we owe you nothing."

C'mon, let's give'em credit.. their PR isn't as bad as Sony's!

--
Misleading titles? Inflammatory blurbs? Keep in mind that Slashdot is a tabloid.
Not in the UK by Toby_Tyke · 2007-03-02 04:20 · Score: 4, Informative

Sorry, that's their EULA. You have two choices when you purchase anything M$, return the package unopened for a full refund or use it.

That may be the case in the US, but in the UK things work slightly differently. If I buy a copy of Vista from a store and it is faulty, for what ever reason, I can return it to the store for a full refund or a replacement. The legalese is "fit for purpose" and "of merchantable quality". Clearly, a copy of vista with an invalid licence key is not fit for purpose.

Incidentally, most of the big shrinkwrap software stores in the UK try to get out of doing this if they can. Just be persistent.

--
"I realise this is not a very popular opinion but it's the truth, and there for needs to be said" -Bill Hicks
Ways for MS to handle the problem, seriously by davidwr · 2007-03-02 04:22 · Score: 3, Insightful

If the problem is "small" just track it and write off the loss.

If the problem is large:
Have people caught up in the duplicate-key mess photograph their Windows Vista packaging with the key showing in the photograph and send it in.

For the related problem of duplicate OEM keys, photograph the machine and mail in the make, model, and serial # of the machine and/or the name of the store you bought the license from. This won't help as much with tracking "manila envelope" licenses as those can be traded willy-nilly before the envelope is opened, but it will help with licenses that are assigned to particular manufacturers.

Give "ownership" to the person with the most convincing photo or purchase history. For the other claimants, if you are nearly 100% sure they are illegitimate sue them or make them provide personal information to get a "new, legal key, on the house" otherwise write off the loss. Pirates aren't as likely as people who think they are legitimate buyers to give out their name and address. If they balk, make a decision: do you want to risk being wrong and wind up in court and lose and get a PR black eye, or do you want to stand by your guns? If you aren't nearly 100% sure, just write it off.

In any case, if you don't immediately activate the product, at least activate it for 30 days while you decide what to do.

Even better - scrap the whole activation thing.

In the future, software will be delivered electronically and every copy will be uniquely watermarked. Yes, you can watermark compiled computer code by inserting NOPs, replacing operations with equivalent operations, etc. Of course this isn't as simple as it sounds as addresses get moved around, but it's doable.

--
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Looooooong keys? by Tablizer · 2007-03-02 04:39 · Score: 2, Funny

Does this mean that vendors are going to make the pesky product keys even longer? Companies will have to hire data-entry staff just to key them in.

--
Table-ized A.I.
Brute force Crack by gyranthir · 2007-03-02 04:59 · Score: 3, Informative

There is a brute force algorithm crack for every Microsoft product I have ever seen.
I saw one at a LAN party that had every copy of windows, every copy of office, and a whole bunch of Microsoft products.
You would set it and forget it. It would generate a key, test it and then if it was good put it in a log file, if it was bad it would attempt to generate another.
This kid had a list of probably 1000 WinXp pro keys that had generated just because he was bored.
This is Poetic Justice by thewils · 2007-03-02 05:07 · Score: 2, Funny

or Irony or whatever.

If you need the equivalent of a Cray to run Vista, then it's going to be very efficient at Brute Forcing the keys.

I like it.

--
Once I was a four stone apology. Now I am two separate gorillas.
Also worth nothing... by thanksforthecrabs · 2007-03-02 05:20 · Score: 2, Interesting

Just because the checksum on the key may work, it has to be a key that was actually issued by MS for it to get activated. Lots of trial and error here.
What makes you think an EULA has legal force? by Sycraft-fu · 2007-03-02 05:41 · Score: 4, Interesting

That they include it means nothing. It is pretty certain that, indeed, an EULA doesn't have legal force and can't make you give up rights you normally have. For example:

I work for a state institution which means in a way I am a part of the state. One of the requirements of the job is that I can't sign any contracts for the state. Anything that requires a signature has to be sent to legal (and we have a hell of a legal team). Employees can't agree to contracts directly. We have, on occasion, gotten software that comes with a written agreement. It is sent to the lawyers, almost totally rewritten, then sent back to the company (who is usually quite surprised). However we've been told not to worry about EULAs or click through agreements. We are allowed to just click ok and go on about our business.

Now why do you suppose that is? Well it is because the legal team believes that they have no legal force, and thus there's no problem. I'm going to guess they are right, they have to be very careful about protecting the state against things like that.

So MS can say in their EULA "We reserve the right to take this software away from you at any time," but that doesn't mean a judge will agree. You can still drag them to small claims court (it's quite cheap to file) and argue your case. If a judge agrees with you, they give you your money back.
Re:Er... by Virgil+Tibbs · 2007-03-02 05:42 · Score: 2, Funny

You must be new here...

--
www.tdobson.net #### Dare to Dream #### blog.tdobson.net
Re:Predatory Pricing by Virgil+Tibbs · 2007-03-02 05:45 · Score: 2, Insightful

1) Too many variants

and your saying *nix has what? 2 varients?
*nix home & *nix professional?
lets be realistic, varients is not the problem; its features and compatability which is.

--
www.tdobson.net #### Dare to Dream #### blog.tdobson.net
phoning home by rucs_hack · 2007-03-02 06:04 · Score: 3, Insightful

And yet some companies have intituted the same thing with no anger from users.

Valve managed it, and the rather wonderful prevx malware finder program and SETI@home all require constant contact with home, for example.

The difference is that these systems deliver customer satisfaction because the phone home service is there as part of the service you require or with to participate in. If you decide not to, you can quit and go elsewhere. Most people using windows don't see that they have a choice (yet).

Microsofts problem is that their system is one of guilt assumption. They have it solely to check up on customers, it delivers no added value aspect to the consumer. That they say it does is part of the problem. It is for microsoft alone, it gives nothing back.

No-one cares about microsofts needs, that's human nature, we are all selfish unless giving something away brings a valued return. For them to expect that people would *want* to take part with no benefit to themselves is a pretty hefty misconception.

I find these issues with Vista interesting. I really do have no intention of ever buying it. I tried it with open mind, thinking I might get it if it brought something new I might like, but there was nothing that interested me. I didn't hate it, but saw nothing of use. It's nowhere near as useful as Linux for my needs, and if I feel a need for a commercial OS, well there's OsX.

OsX does interest me quite a bit. I've seen many presentations at conferences that were done with macs, and they look *so* good.
Sit down, son. (I might have known your mother) by Beardo+the+Bearded · 2007-03-02 07:03 · Score: 3, Informative

Read the "Surviving the first day of Windows XP".

Quit downloading everything in your email. If you don't recognize the name, delete it.

Don't click "Yes" to every security certificate. You should accept Microsoft's, and that's it.

You don't require new cursors or smiley programs for your emails. The new "Hyper-Exelent Surf 3000 Toolbar by Lucky 88 Company" is not going to make your life easier. Likewise, if you want to know the weather, look outside or in your local paper.

PC Cleaning programs from pop-up ads don't work. Actually, anything advertised on the Internet should be considered fraudulent. (Yes, even "those" pills. They're just bull semen and corn starch.)

Get your programs from sourceforge, not from the first link on Google. Make sure that Spybot and Mike's adblocking are installed on your machine.

The people who write viruses have anti-virus programs to test their work on.

For the sake of whatever god you believe in, get a hardware firewall!

Run ShieldsUP! from grc.com to make sure that you're invisible.

--

---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.