Feeds

How MS might vape invalidated WinXP systems

The Office 2000 SP1 precedent

  • alert
  • submit to reddit

Website security in corporate America

Microsoft's product activation process doesn't know who you are, and is, says the company, entirely anonymous. So if you try to activate with an invalid product key, or after you've done a little cracking you're using an invalid key, there isn't actually anything Microsoft can do about you - or is there?

But it's been pointed out to us that Microsoft has a mechanism for getting you to zero your own key, and that it has used it in the past. We refer you to Microsoft support article Q255503, "OFF2000: Program Quits Immediately After Starting When SR-1/SR-1a Update Is Applied".

The symptoms? "When you start one of the Microsoft Office programs listed at the beginning of this article after you apply the Microsoft Office SR-1/SR-1a Update, the program quits immediately after it starts."

The cause? "Office was installed by using a CD key that begins with GC6J3." The article further explains: "If the product CD Key begins with GC6J3, the Product Key is not valid in Microsoft Office 2000 SR-1/SR-1a. Contact the reseller of your Office product to obtain a valid product CD key, or purchase a valid Microsoft Office 2000 product."

That, plain and simple, is Microsoft telling you that you installed Office 2000 with a product key that has been compromised, and that as part of the service pack update Microsoft has invalidated the key. Microsoft has therefore used product updates at least this once to plant a bomb in installations that may or may not have been warezed.

As it happens, our informant's installation was genuine - a review copy of O2K issued by Microsoft itself. Suspicious characters, reviewers, and indubitably any special reviewers' series of product keys would generate a sizable number of 'casually copied' installations using the same key. But zeroing the range also zaps the people who didn't pass the software around, and means they have to go argue the toss with their reseller and Microsoft to get a new key.

How would this work with product activation? Because the XP system validates individual keys online, Microsoft shouldn't find it necessary either to assign specific classes of key to specific sales channels, or to zero whole ranges of keys. In that sense it could be implemented so that it was fairer than the O2K bomb, because your stuff would only stop working if you'd been careless with your key, somebody had stolen you key, or you yourself had used a dodgy key you found on the web. Microsoft would still want to keep track of the channels and territories compromised keys went into, if only to confirm what everybody already knows about journalists, students, tech support people... almost everybody, actually. But it wouldn't be necessary, from an invalidation point of view.

Next we have to consider who Microsoft would go for, and how hard it would go for them. Both of these would seem to us to be on a sliding scale - if you take the office copy home and run it there, you're possibly licensed as a second installation anyway, but Microsoft isn't likely to dump on you if you've got four copies going at once because the rest of your family is also using the software.

The claim published in HardOCP last week that "it is only when a PID is trying to be cleared on several hundred/thousand configurations that Microsoft would even care" isn't plausible, however. One of the areas where Microsoft perceives major revenue loss is small business. Here, there are plenty of companies running, say, 20 installations on a single product key. The "several hundred/thousand" level would miss these people entirely, and would certainly miss all "casual copying." So it seems more probable that even if Microsoft doesn't set the level at 20 or below, it will crank it down towards this once it's sure the system is running properly.

And how pervasive will the mechanism be? That's a tough one. Microsoft has specifically stated that there will be no 'phone home,' and that once your product is activated, that's it, the end of the process. But to what extent would that apply if your product was activated with a key which later became compromised? Would Microsoft zero it, as it did with O2K? And if it were prepared to do that, how far beyond major service releases would it go?

The automated check for updates system in WinXP certainly provides a ready mechanism for Microsoft to distribute validation updates along with other updates, but how often might it do that? And how often would it have to happen before you'd call it a 'phone home'?

Again, if Microsoft intends to use Windows Update as a mechanism for zeroing invalidated licences, it's unlikely to do so extensively at the start. It'll need to test the system out carefully, making sure it doesn't whack great swathes of innocents, and it also isn't going to want to scare people away from Windows Update - it wants them to like this, desperately. But in the long term, there's an inevitable logic to the screws being tightened. It's in the spirit of .NET and the rental model, and regular invalidation of compromised licences is already a stated component of Microsoft's secure digital music model. ®

Related links:
MS on how you managed to vape O2K
WinXP product activation: is MS only kidding?

Choosing a cloud hosting partner with confidence

More from The Register

next story
'Windows 9' LEAK: Microsoft's playing catchup with Linux
Multiple desktops and live tiles in restored Start button star in new vids
Not appy with your Chromebook? Well now it can run Android apps
Google offers beta of tricky OS-inside-OS tech
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
SUSE Linux owner Attachmate gobbled by Micro Focus for $2.3bn
Merger will lead to mainframe and COBOL powerhouse
iOS 8 release: WebGL now runs everywhere. Hurrah for 3D graphics!
HTML 5's pretty neat ... when your browser supports it
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
NHS grows a NoSQL backbone and rips out its Oracle Spine
Open source? In the government? Ha ha! What, wait ...?
Google extends app refund window to two hours
You now have 120 minutes to finish that game instead of 15
Intel: Hey, enterprises, drop everything and DO HADOOP
Big Data analytics projected to run on more servers than any other app
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.