Feeds

How MS might vape invalidated WinXP systems

The Office 2000 SP1 precedent

  • alert
  • submit to reddit

Combat fraud and increase customer satisfaction

Microsoft's product activation process doesn't know who you are, and is, says the company, entirely anonymous. So if you try to activate with an invalid product key, or after you've done a little cracking you're using an invalid key, there isn't actually anything Microsoft can do about you - or is there?

But it's been pointed out to us that Microsoft has a mechanism for getting you to zero your own key, and that it has used it in the past. We refer you to Microsoft support article Q255503, "OFF2000: Program Quits Immediately After Starting When SR-1/SR-1a Update Is Applied".

The symptoms? "When you start one of the Microsoft Office programs listed at the beginning of this article after you apply the Microsoft Office SR-1/SR-1a Update, the program quits immediately after it starts."

The cause? "Office was installed by using a CD key that begins with GC6J3." The article further explains: "If the product CD Key begins with GC6J3, the Product Key is not valid in Microsoft Office 2000 SR-1/SR-1a. Contact the reseller of your Office product to obtain a valid product CD key, or purchase a valid Microsoft Office 2000 product."

That, plain and simple, is Microsoft telling you that you installed Office 2000 with a product key that has been compromised, and that as part of the service pack update Microsoft has invalidated the key. Microsoft has therefore used product updates at least this once to plant a bomb in installations that may or may not have been warezed.

As it happens, our informant's installation was genuine - a review copy of O2K issued by Microsoft itself. Suspicious characters, reviewers, and indubitably any special reviewers' series of product keys would generate a sizable number of 'casually copied' installations using the same key. But zeroing the range also zaps the people who didn't pass the software around, and means they have to go argue the toss with their reseller and Microsoft to get a new key.

How would this work with product activation? Because the XP system validates individual keys online, Microsoft shouldn't find it necessary either to assign specific classes of key to specific sales channels, or to zero whole ranges of keys. In that sense it could be implemented so that it was fairer than the O2K bomb, because your stuff would only stop working if you'd been careless with your key, somebody had stolen you key, or you yourself had used a dodgy key you found on the web. Microsoft would still want to keep track of the channels and territories compromised keys went into, if only to confirm what everybody already knows about journalists, students, tech support people... almost everybody, actually. But it wouldn't be necessary, from an invalidation point of view.

Next we have to consider who Microsoft would go for, and how hard it would go for them. Both of these would seem to us to be on a sliding scale - if you take the office copy home and run it there, you're possibly licensed as a second installation anyway, but Microsoft isn't likely to dump on you if you've got four copies going at once because the rest of your family is also using the software.

The claim published in HardOCP last week that "it is only when a PID is trying to be cleared on several hundred/thousand configurations that Microsoft would even care" isn't plausible, however. One of the areas where Microsoft perceives major revenue loss is small business. Here, there are plenty of companies running, say, 20 installations on a single product key. The "several hundred/thousand" level would miss these people entirely, and would certainly miss all "casual copying." So it seems more probable that even if Microsoft doesn't set the level at 20 or below, it will crank it down towards this once it's sure the system is running properly.

And how pervasive will the mechanism be? That's a tough one. Microsoft has specifically stated that there will be no 'phone home,' and that once your product is activated, that's it, the end of the process. But to what extent would that apply if your product was activated with a key which later became compromised? Would Microsoft zero it, as it did with O2K? And if it were prepared to do that, how far beyond major service releases would it go?

The automated check for updates system in WinXP certainly provides a ready mechanism for Microsoft to distribute validation updates along with other updates, but how often might it do that? And how often would it have to happen before you'd call it a 'phone home'?

Again, if Microsoft intends to use Windows Update as a mechanism for zeroing invalidated licences, it's unlikely to do so extensively at the start. It'll need to test the system out carefully, making sure it doesn't whack great swathes of innocents, and it also isn't going to want to scare people away from Windows Update - it wants them to like this, desperately. But in the long term, there's an inevitable logic to the screws being tightened. It's in the spirit of .NET and the rental model, and regular invalidation of compromised licences is already a stated component of Microsoft's secure digital music model. ®

Related links:
MS on how you managed to vape O2K
WinXP product activation: is MS only kidding?

3 Big data security analytics techniques

More from The Register

next story
OpenBSD founder wants to bin buggy OpenSSL library, launches fork
One Heartbleed vuln was too many for Theo de Raadt
Got Windows 8.1 Update yet? Get ready for YET ANOTHER ONE – rumor
Leaker claims big release due this fall as Microsoft herds us into the CLOUD
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Ubuntu 14.04 LTS: Great changes, but sssh don't mention the...
Why HELLO Amazon! You weren't here last time
Patch iOS, OS X now: PDFs, JPEGs, URLs, web pages can pwn your kit
Plus: iThings and desktops at risk of NEW SSL attack flaw
Next Windows obsolescence panic is 450 days from … NOW!
The clock is ticking louder for Windows Server 2003 R2 users
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
Red Hat to ship RHEL 7 release candidate with a taste of container tech
Grab 'near-final' version of next Enterprise Linux next week
Apple inaugurates free OS X beta program for world+dog
Prerelease software now open to anyone, not just developers – as long as you keep quiet
prev story

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.