Does MS barcoding of Windows licences make piracy easier?

The announcement sounded tough, but execution? Null points, we fear...

Microsoft's plan to reduce Windows documentation to a barcode was formulated as yet another move to stamp out piracy, but it's beginning to look horribly like one of those cunning plans that do precisely the opposite of what was intended. The unique IDs don't seem very unique at all, the method of software distribution in at least some cases is less secure than was previously the case, and the unlock code is easy to filch.

It beggars belief that a company that gets so het up about people stealing its software could goof like this, but really, that's what it looks like, folks.

The scheme as originally planned in February sounded secure enough. Microsoft introduced it as part of the announcement of a package of antipiracy measures for Windows 2000, and in the intervening period has been quietly rolling the system out across the rest of the product line. The shipping version, however, seems somewhat flakier than the announced one.

The February release says: "all PCs purchased with Windows 2000 software preinstalled should include a new Certificate of Authenticity (COA) label attached to the system in an easy-to-find location. The OEM COA label has a copper, holographic, interwoven thread revealing the words "Microsoft" and "Genuine" and the product name as well as a unique product key in the center of the label. When the label is tilted in the light, a Microsoft logo changes color between gold and silver."

The nature and quality of the production stickers seems to vary. Some HP stickers have those little slashes that make them fall apart when you try to remove them, whereas several people who've contacted us say the stickers "practically fall off by themselves." This turns out to be a particular problem in education. Says one reader: "I support literally thousands of school districts (and all their systems from 486s to PIIIs and Macs) in the area. Needless to say, when the stickers started appearing on the outside of the cases, I was not happy. The ability of students to steal the numbers, or more drastically, the stickers, was very apparent. Since one copy of Windows 2000 is usually around $100, this means one kid, with 10 minutes of alone time (not hard) can steal $3,000 from the school by peeling stickers from a 30-system lab."

This of course wouldn't be a problem if the product key were "unique" to the machine it's stuck to, as the Microsoft announcement said. But it would seem that it isn't. In the case of Dell machines at least, it seems to be possible to use the recovery CD to install Windows 2000 on an older Dell machine, entering the product key printed on a new Dell machine's COA in order to make it run. This, if we understand the strictures about encryption in the new OEM agreements correctly, is by Microsoft's definition all Dell's fault - but does that mean Dell is in breach of its OEM licence? Aha...

It's possible that Microsoft intended security to be increased by the use of a two-stage system - a product key plus a check that the machine is the OEM's - but if that was the case, it doesn't seem to have worked. The product key itself is no more and no less secure than under the previous product key system, but it now carries the major new vulnerability of visibility: a key that was once buried in a manual is now a secret printed on the outside of the case. Any old product key used to work too, but in order to get one you'd have to hunt around for a book with an old-style COA on it, rather than just read it, or peel it, off the side of a PC.

The new style recovery CD, however, seems to make matters much worse, from Microsoft's point of view. The Dell Dimension version seems to be pretty much the equivalent of an OEM version of Win2k that'll install on unformatted media, with the addition of a DOS routine that checks to see if it's a Dell PC it's being installed on. This might turn out to be relatively simple to hack, but even if it's not it means it's a lot easier for one licence to be pirated onto many Dell machines. We're sure this can't be what Microsoft intended. It's also worth noting that, excluding the DOS checker routine, this is a vanilla copy of Win2k - all of the Dell-specific drivers come on a second CD, so if the routine's hackable, it's a serious aid to software pirates wanting to produce full copies of Win2k.

Previous Microsoft stabs at controlling piracy, paradoxically, have been more secure in operation. Old style recovery CDs required you to boot from CD, at which point the contents of the hard drive would be vaped and an image of the factory installed configuration would be squirted onto it. Not terribly friendly for users, but as the CD was generally encrypted, and would only run on a specific model of machine, it wasn't a lot of use for pirates. Machines that didn't come with CDs but had the distribution files on the hard disk were also a hassle for users (you vape your hard drive, you're cooked), but they were more secure too.

Even if the .CAB files weren't encrypted you'd still have to get them off the hard drive, whereas now all you apparently need do is walk off with the recovery CD and the product key. Work in progress? We think so... * ®

* A footnote for the paranoid. A version of the Compaq sticker says: "Microsoft Windows 98 Second Edition End User licensed for one operating system only." We're inclined to think whoever devised the wording was linguistically challenged, rather than believing it means what it says. But if anybody out there can prove that Compaq machines are now licensed only to run Windows, we'd love to hear from you.

Related story:
MS Windows licences shrink to barcodes - unique IDs here we come?
