How MS might vape invalidated WinXP systems
The Office 2000 SP1 precedent
Microsoft's product activation process doesn't know who you are, and is, says the company, entirely anonymous. So if you try to activate with an invalid product key, or after you've done a little cracking you're using an invalid key, there isn't actually anything Microsoft can do about you - or is there?
But it's been pointed out to us that Microsoft has a mechanism for getting you to zero your own key, and that it has used it in the past. We refer you to Microsoft support article Q255503, "OFF2000: Program Quits Immediately After Starting When SR-1/SR-1a Update Is Applied".
The symptoms? "When you start one of the Microsoft Office programs listed at the beginning of this article after you apply the Microsoft Office SR-1/SR-1a Update, the program quits immediately after it starts."
The cause? "Office was installed by using a CD key that begins with GC6J3." The article further explains: "If the product CD Key begins with GC6J3, the Product Key is not valid in Microsoft Office 2000 SR-1/SR-1a. Contact the reseller of your Office product to obtain a valid product CD key, or purchase a valid Microsoft Office 2000 product."
That, plain and simple, is Microsoft telling you that you installed Office 2000 with a product key that has been compromised, and that as part of the service pack update Microsoft has invalidated the key. Microsoft has therefore used product updates at least this once to plant a bomb in installations that may or may not have been warezed.
As it happens, our informant's installation was genuine - a review copy of O2K issued by Microsoft itself. Suspicious characters, reviewers, and indubitably any special reviewers' series of product keys would generate a sizable number of 'casually copied' installations using the same key. But zeroing the range also zaps the people who didn't pass the software around, and means they have to go argue the toss with their reseller and Microsoft to get a new key.
How would this work with product activation? Because the XP system validates individual keys online, Microsoft shouldn't find it necessary either to assign specific classes of key to specific sales channels, or to zero whole ranges of keys. In that sense it could be implemented so that it was fairer than the O2K bomb, because your stuff would only stop working if you'd been careless with your key, somebody had stolen you key, or you yourself had used a dodgy key you found on the web. Microsoft would still want to keep track of the channels and territories compromised keys went into, if only to confirm what everybody already knows about journalists, students, tech support people... almost everybody, actually. But it wouldn't be necessary, from an invalidation point of view.
Next we have to consider who Microsoft would go for, and how hard it would go for them. Both of these would seem to us to be on a sliding scale - if you take the office copy home and run it there, you're possibly licensed as a second installation anyway, but Microsoft isn't likely to dump on you if you've got four copies going at once because the rest of your family is also using the software.
The claim published in HardOCP last week that "it is only when a PID is trying to be cleared on several hundred/thousand configurations that Microsoft would even care" isn't plausible, however. One of the areas where Microsoft perceives major revenue loss is small business. Here, there are plenty of companies running, say, 20 installations on a single product key. The "several hundred/thousand" level would miss these people entirely, and would certainly miss all "casual copying." So it seems more probable that even if Microsoft doesn't set the level at 20 or below, it will crank it down towards this once it's sure the system is running properly.
And how pervasive will the mechanism be? That's a tough one. Microsoft has specifically stated that there will be no 'phone home,' and that once your product is activated, that's it, the end of the process. But to what extent would that apply if your product was activated with a key which later became compromised? Would Microsoft zero it, as it did with O2K? And if it were prepared to do that, how far beyond major service releases would it go?
The automated check for updates system in WinXP certainly provides a ready mechanism for Microsoft to distribute validation updates along with other updates, but how often might it do that? And how often would it have to happen before you'd call it a 'phone home'?
Again, if Microsoft intends to use Windows Update as a mechanism for zeroing invalidated licences, it's unlikely to do so extensively at the start. It'll need to test the system out carefully, making sure it doesn't whack great swathes of innocents, and it also isn't going to want to scare people away from Windows Update - it wants them to like this, desperately. But in the long term, there's an inevitable logic to the screws being tightened. It's in the spirit of .NET and the rental model, and regular invalidation of compromised licences is already a stated component of Microsoft's secure digital music model. ®
Sponsored: Today’s most dangerous security threats