Feeds

How MS might vape invalidated WinXP systems

The Office 2000 SP1 precedent

  • alert
  • submit to reddit

The Power of One Brief: Top reasons to choose HP BladeSystem

Microsoft's product activation process doesn't know who you are, and is, says the company, entirely anonymous. So if you try to activate with an invalid product key, or after you've done a little cracking you're using an invalid key, there isn't actually anything Microsoft can do about you - or is there?

But it's been pointed out to us that Microsoft has a mechanism for getting you to zero your own key, and that it has used it in the past. We refer you to Microsoft support article Q255503, "OFF2000: Program Quits Immediately After Starting When SR-1/SR-1a Update Is Applied".

The symptoms? "When you start one of the Microsoft Office programs listed at the beginning of this article after you apply the Microsoft Office SR-1/SR-1a Update, the program quits immediately after it starts."

The cause? "Office was installed by using a CD key that begins with GC6J3." The article further explains: "If the product CD Key begins with GC6J3, the Product Key is not valid in Microsoft Office 2000 SR-1/SR-1a. Contact the reseller of your Office product to obtain a valid product CD key, or purchase a valid Microsoft Office 2000 product."

That, plain and simple, is Microsoft telling you that you installed Office 2000 with a product key that has been compromised, and that as part of the service pack update Microsoft has invalidated the key. Microsoft has therefore used product updates at least this once to plant a bomb in installations that may or may not have been warezed.

As it happens, our informant's installation was genuine - a review copy of O2K issued by Microsoft itself. Suspicious characters, reviewers, and indubitably any special reviewers' series of product keys would generate a sizable number of 'casually copied' installations using the same key. But zeroing the range also zaps the people who didn't pass the software around, and means they have to go argue the toss with their reseller and Microsoft to get a new key.

How would this work with product activation? Because the XP system validates individual keys online, Microsoft shouldn't find it necessary either to assign specific classes of key to specific sales channels, or to zero whole ranges of keys. In that sense it could be implemented so that it was fairer than the O2K bomb, because your stuff would only stop working if you'd been careless with your key, somebody had stolen you key, or you yourself had used a dodgy key you found on the web. Microsoft would still want to keep track of the channels and territories compromised keys went into, if only to confirm what everybody already knows about journalists, students, tech support people... almost everybody, actually. But it wouldn't be necessary, from an invalidation point of view.

Next we have to consider who Microsoft would go for, and how hard it would go for them. Both of these would seem to us to be on a sliding scale - if you take the office copy home and run it there, you're possibly licensed as a second installation anyway, but Microsoft isn't likely to dump on you if you've got four copies going at once because the rest of your family is also using the software.

The claim published in HardOCP last week that "it is only when a PID is trying to be cleared on several hundred/thousand configurations that Microsoft would even care" isn't plausible, however. One of the areas where Microsoft perceives major revenue loss is small business. Here, there are plenty of companies running, say, 20 installations on a single product key. The "several hundred/thousand" level would miss these people entirely, and would certainly miss all "casual copying." So it seems more probable that even if Microsoft doesn't set the level at 20 or below, it will crank it down towards this once it's sure the system is running properly.

And how pervasive will the mechanism be? That's a tough one. Microsoft has specifically stated that there will be no 'phone home,' and that once your product is activated, that's it, the end of the process. But to what extent would that apply if your product was activated with a key which later became compromised? Would Microsoft zero it, as it did with O2K? And if it were prepared to do that, how far beyond major service releases would it go?

The automated check for updates system in WinXP certainly provides a ready mechanism for Microsoft to distribute validation updates along with other updates, but how often might it do that? And how often would it have to happen before you'd call it a 'phone home'?

Again, if Microsoft intends to use Windows Update as a mechanism for zeroing invalidated licences, it's unlikely to do so extensively at the start. It'll need to test the system out carefully, making sure it doesn't whack great swathes of innocents, and it also isn't going to want to scare people away from Windows Update - it wants them to like this, desperately. But in the long term, there's an inevitable logic to the screws being tightened. It's in the spirit of .NET and the rental model, and regular invalidation of compromised licences is already a stated component of Microsoft's secure digital music model. ®

Related links:
MS on how you managed to vape O2K
WinXP product activation: is MS only kidding?

The Essential Guide to IT Transformation

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
KDE releases ice-cream coloured Plasma 5 just in time for summer
Melty but refreshing - popular rival to Mint's Cinnamon's still a work in progress
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
Put down that Oracle database patch: It could cost $23,000 per CPU
On-by-default INMEMORY tech a boon for developers ... as long as they can afford it
Another day, another Firefox: Version 31 is upon us ALREADY
Web devs, Mozilla really wants you to like this one
Google shows off new Chrome OS look
Athena springs full-grown from Chromium project's head
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.