Does MS barcoding of Windows licences make piracy easier?

The announcement sounded tough, but execution? Null points, we fear...


Microsoft's plan to reduce Windows documentation to a barcode was formulated as yet another move to stamp out piracy, but it's beginning to look horribly like one of those cunning plans that do precisely the opposite of what was intended. The unique IDs don't seem very unique at all, the method of software distribution in at least some cases is less secure than was previously the case, and the unlock code is easy to filch.

It beggars belief that a company that gets so het up about people stealing its software could goof like this, but really, that's what it looks like, folks.

The scheme as originally planned in February sounded secure enough. Microsoft introduced it as part of the announcement of a package of antipiracy measures for Windows 2000, and in the intervening period has been quietly rolling the system out across the rest of the product line. The shipping version, however, seems somewhat flakier than the announced one.

The February release says: "all PCs purchased with Windows 2000 software preinstalled should include a new Certificate of Authenticity (COA) label attached to the system in an easy-to-find location. The OEM COA label has a copper, holographic, interwoven thread revealing the words "Microsoft" and "Genuine" and the product name as well as a unique product key in the center of the label. When the label is tilted in the light, a Microsoft logo changes color between gold and silver."

The nature and quality of the production stickers seem to vary. Some HP stickers have those little slashes that make them fall apart when you try to remove them, whereas several people who've contacted us say the stickers "practically fall off by themselves." This turns out to be a particular problem in education. Says one reader: "I support literally thousands of school districts (and all their systems from 486s to PIIIs and Macs) in the area. Needless to say, when the stickers started appearing on the outside of the cases, I was not happy. The ability of students to steal the numbers, or more drastically, the stickers, was very apparent. Since one copy of Windows 2000 is usually around $100, this means one kid, with 10 minutes of alone time (not hard) can steal $3,000 from the school by peeling stickers from a 30-system lab."

This of course wouldn't be a problem if the product key was "unique," as the Microsoft announcement said. But it would seem that it isn't. In the case of Dell machines at least, it seems to be possible to use the recovery CD to install Windows 2000 on an older Dell machine, using the product key for a new Dell machine in order to make it run. This, if we understand the strictures about encryption in the new OEM agreements, is by Microsoft's definition all Dell's fault - but does that mean Dell is in breach of its OEM licence? Aha...

It's possible that Microsoft intended security to be increased by the use of a two-stage system, but if that was the case, it doesn't seem to have worked. The product key is essentially no more and no less secure than the previous product key system, but it has the major new vulnerability of visibility introduced. Any old product key used to work, but in order to get one you'd have to hunt around for a book with an old style COA on it, rather than just read it or grab it off the side of a PC.

The new style recovery CD, however, seems to make matters much worse, from Microsoft's point of view. The Dell Dimension version seems to be pretty much the equivalent of an OEM version of Win2k that'll install on unformatted media, with the addition of a DOS routine that checks to see if it's a Dell PC it's being installed on. This might turn out to be relatively simple to hack, but even if it's not it means it's a lot easier for one licence to be pirated onto many Dell machines. We're sure this can't be what Microsoft intended. It's also worth noting that, excluding the DOS checker routine, this is a vanilla copy of Win2k - all of the Dell-specific drivers come on a second CD, so if the routine's hackable, it's a serious aid to software pirates wanting to produce full copies of Win2k.

Previous Microsoft stabs at controlling piracy, paradoxically, have been more secure in operation. Old style recovery CDs required you to boot from CD, at which point the contents of the hard drive would be vaped and an image of the factory installed configuration would be squirted onto it. Not terribly friendly for users, but as the CD was generally encrypted, and would only run on a specific model of machine, it wasn't a lot of use for pirates. Machines that didn't come with CDs but had the distribution files on the hard disk were also a hassle for users (you vape your hard drive, you're cooked), but they were more secure too.

Even if the .CAB files weren't encrypted you'd still have to get them off the hard drive, whereas now all you apparently need do is walk off with the recovery CD and the product key. Work in progress? We think so... * ®

* A footnote for the paranoid. A version of the Compaq sticker says: "Microsoft Windows 98 Second Edition End User licensed for one operating system only." We're inclined to think whoever devised the wording was linguistically challenged, rather than believing it means what it says. But if anybody out there can prove that Compaq machines are now licensed only to run Windows, we'd love to hear from you.

Related story:
MS Windows licences shrink to barcodes - unique IDs here we come?
