
Does MS barcoding of Windows licences make piracy easier?

The announcement sounded tough, but execution? Null points, we fear...

Microsoft's plan to reduce Windows documentation to a barcode was formulated as yet another move to stamp out piracy, but it's beginning to look horribly like one of those cunning plans that do precisely the opposite of what was intended. The unique IDs don't seem very unique at all, the method of software distribution in at least some cases is less secure than was previously the case, and the unlock code is easy to filch.

It beggars belief that a company that gets so het up about people stealing its software could goof like this, but really, that's what it looks like, folks.

The scheme as originally planned in February sounded secure enough. Microsoft introduced it as part of the announcement of a package of antipiracy measures for Windows 2000, and in the intervening period has been quietly rolling the system out across the rest of the product line. The shipping version, however, seems somewhat flakier than the announced one.

The February release says: "all PCs purchased with Windows 2000 software preinstalled should include a new Certificate of Authenticity (COA) label attached to the system in an easy-to-find location. The OEM COA label has a copper, holographic, interwoven thread revealing the words 'Microsoft' and 'Genuine' and the product name as well as a unique product key in the center of the label. When the label is tilted in the light, a Microsoft logo changes color between gold and silver."

The nature and quality of the production stickers seem to vary. Some HP stickers have those little slashes that make them fall apart when you try to remove them, whereas several people who've contacted us say the stickers "practically fall off by themselves." This turns out to be a particular problem in education. Says one reader: "I support literally thousands of school districts (and all their systems from 486s to PIIIs and Macs) in the area. Needless to say, when the stickers started appearing on the outside of the cases, I was not happy. The ability of students to steal the numbers, or more drastically, the stickers, was very apparent. Since one copy of Windows 2000 is usually around $100, this means one kid, with 10 minutes of alone time (not hard) can steal $3,000 from the school by peeling stickers from a 30-system lab."

This of course wouldn't be a problem if the product key was "unique," as the Microsoft announcement said. But it would seem that it isn't. In the case of Dell machines at least, it seems to be possible to use the recovery CD to install Windows 2000 on an older Dell machine, using the product key for a new Dell machine in order to make it run. This, if we understand the strictures about encryption in the new OEM agreements, is by Microsoft's definition all Dell's fault - but does that mean Dell is in breach of its OEM licence? Aha...

It's possible that Microsoft intended security to be increased by the use of a two-stage system, but if that was the case, it doesn't seem to have worked. The product key is essentially no more and no less secure than the previous product key system, but it introduces a major new vulnerability: visibility. Any old product key used to work, but in order to get one you'd have to hunt around for a book with an old style COA on it, rather than just read it or grab it off the side of a PC.

The new style recovery CD, however, seems to make matters much worse, from Microsoft's point of view. The Dell Dimension version seems to be pretty much the equivalent of an OEM version of Win2k that'll install on unformatted media, with the addition of a DOS routine that checks to see if it's a Dell PC it's being installed on. This might turn out to be relatively simple to hack, but even if it's not it means it's a lot easier for one licence to be pirated onto many Dell machines. We're sure this can't be what Microsoft intended. It's also worth noting that, excluding the DOS checker routine, this is a vanilla copy of Win2k - all of the Dell-specific drivers come on a second CD, so if the routine's hackable, it's a serious aid to software pirates wanting to produce full copies of Win2k.

Previous Microsoft stabs at controlling piracy, paradoxically, have been more secure in operation. Old style recovery CDs required you to boot from CD, at which point the contents of the hard drive would be vaped and an image of the factory installed configuration would be squirted onto it. Not terribly friendly for users, but as the CD was generally encrypted, and would only run on a specific model of machine, it wasn't a lot of use for pirates. Machines that didn't come with CDs but had the distribution files on the hard disk were also a hassle for users (you vape your hard drive, you're cooked), but they were more secure too.

Even if the .CAB files weren't encrypted you'd still have to get them off the hard drive, whereas now all you apparently need do is walk off with the recovery CD and the product key. Work in progress? We think so... * ®

* A footnote for the paranoid. A version of the Compaq sticker says: "Microsoft Windows 98 Second Edition End User licensed for one operating system only." We're inclined to think whoever devised the wording was linguistically challenged, rather than believing it means what it says. But if anybody out there can prove that Compaq machines are now licensed only to run Windows, we'd love to hear from you.

Related story:
MS Windows licences shrink to barcodes - unique IDs here we come?
