Does MS barcoding of Windows licences make piracy easier?

The announcement sounded tough, but execution? Null points, we fear...

Microsoft's plan to reduce Windows documentation to a barcode was formulated as yet another move to stamp out piracy, but it's beginning to look horribly like one of those cunning plans that do precisely the opposite of what was intended. The unique IDs don't seem very unique at all, the method of software distribution in at least some cases is less secure than was previously the case, and the unlock code is easy to filch.

It beggars belief that a company that gets so het up about people stealing its software could goof like this, but really, that's what it looks like, folks.

The scheme as originally planned in February sounded secure enough. Microsoft introduced it as part of the announcement of a package of antipiracy measures for Windows 2000, and in the intervening period has been quietly rolling the system out across the rest of the product line. The shipping version, however, seems somewhat flakier than the announced one.

The February release says: "all PCs purchased with Windows 2000 software preinstalled should include a new Certificate of Authenticity (COA) label attached to the system in an easy-to-find location. The OEM COA label has a copper, holographic, interwoven thread revealing the words 'Microsoft' and 'Genuine' and the product name as well as a unique product key in the center of the label. When the label is tilted in the light, a Microsoft logo changes color between gold and silver."

The nature and quality of the production stickers seems to vary. Some HP stickers have those little slashes that make them fall apart when you try to remove them, whereas several people who've contacted us say the stickers "practically fall off by themselves." This turns out to be a particular problem in education. Says one reader: "I support literally thousands of school districts (and all their systems from 486s to PIIIs and Macs) in the area. Needless to say, when the stickers started appearing on the outside of the cases, I was not happy. The ability of students to steal the numbers, or more drastically, the stickers, was very apparent. Since one copy of Windows 2000 is usually around $100, this means one kid, with 10 minutes of alone time (not hard) can steal $3,000 from the school by peeling stickers from a 30-system lab."

This of course wouldn't be a problem if the product key was "unique," as the Microsoft announcement said. But it would seem that it isn't. In the case of Dell machines at least, it seems to be possible to use the recovery CD to install Windows 2000 on an older Dell machine, using the product key for a new Dell machine in order to make it run. This, if we understand the strictures about encryption in the new OEM agreements, is by Microsoft's definition all Dell's fault - but does that mean Dell is in breach of its OEM licence? Aha...

It's possible that Microsoft intended security to be increased by the use of a two-stage system, but if that was the case, it doesn't seem to have worked. The product key is essentially no more and no less secure than the previous product key system, but it has the major new vulnerability of visibility introduced. Any old product key used to work, but in order to get one you'd have to hunt around for a book with an old style COA on it, rather than just read it or grab it off the side of a PC.

The new style recovery CD, however, seems to make matters much worse, from Microsoft's point of view. The Dell Dimension version seems to be pretty much the equivalent of an OEM version of Win2k that'll install on unformatted media, with the addition of a DOS routine that checks to see if it's a Dell PC it's being installed on. This might turn out to be relatively simple to hack, but even if it's not it means it's a lot easier for one licence to be pirated onto many Dell machines. We're sure this can't be what Microsoft intended. It's also worth noting that, excluding the DOS checker routine, this is a vanilla copy of Win2k - all of the Dell-specific drivers come on a second CD, so if the routine's hackable, it's a serious aid to software pirates wanting to produce full copies of Win2k.

Previous Microsoft stabs at controlling piracy, paradoxically, have been more secure in operation. Old style recovery CDs required you to boot from CD, at which point the contents of the hard drive would be vaped and an image of the factory installed configuration would be squirted onto it. Not terribly friendly for users, but as the CD was generally encrypted, and would only run on a specific model of machine, it wasn't a lot of use for pirates. Machines that didn't come with CDs but had the distribution files on the hard disk were also a hassle for users (you vape your hard drive, you're cooked), but they were more secure too.

Even if the .CAB files weren't encrypted you'd still have to get them off the hard drive, whereas now all you apparently need do is walk off with the recovery CD and the product key. Work in progress? We think so... *

* A footnote for the paranoid. A version of the Compaq sticker says: "Microsoft Windows 98 Second Edition End User licensed for one operating system only." We're inclined to think whoever devised the wording was linguistically challenged, rather than believing it means what it says. But if anybody out there can prove that Compaq machines are now licensed only to run Windows, we'd love to hear from you.
