WinXP protection: it's the .NET, stupid

And the latest leak is calling itself 'RC1'...

In the past few days another WinXP build, 2474, has leaked out onto IRC, and this time it's acquired an "RC1" tag. Numerous claims have been made that Microsoft's latest protection for product activation has been cracked. According to The Register's sources, however, this is not true - they insist that the current alleged cracks are simply a case of the crackers having managed to confuse themselves.

How so? According to a posting on Winbeta by "Epyx" (who has also been in touch with The Register), the file in the recent WinXP builds that crackers are currently getting excited about is a blind alley. He says: "oobeutil.js is a Javascript file that controls which XML pages are displayed during the activation process. Because the most critical parts of activation are based on the server side, you can't use oobeutil.js to fool the server into giving you something (i.e. a root certificate) that you aren't entitled to."

The claimed crack we were sent last week, he says, switched around the errorlevels pertaining to "SUCCESS" and "USED_PID" - the latter is given when a product key that has been used too many times has been blocked. "Because the crack made you replace oobeutil.js with the hacked version, the following dialog screens get screwed up. This confused the #crackxp people... When it should be telling you that activation is successful ('SUCCESS'), it is actually telling you that 'your key has been used too many times' ('USED_PID'). Then they tell you to try again, and this time it returns a different errorlevel which announces correctly that you are already activated."

But actually, as that product was already activated by the few people who used the escaped key before Microsoft slammed the door on it, the hooky copies people are using it on now will cease to function 14 days after they try.
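The point about display logic versus server-side decisions can be shown with a small model. This is an added example, not code from the article, from oobeutil.js or from Microsoft: the class, the function names, the page names, the key and the use limit are all hypothetical, and only the status names SUCCESS and USED_PID come from the text above.

```javascript
// Simplified model, constructed for illustration; not Microsoft's protocol.
// SUCCESS and USED_PID are the status names quoted in the article; every
// other name and value here is hypothetical.
const MAX_USES = 2; // assumed per-key activation limit

class ActivationServer {
  constructor() {
    this.uses = new Map();   // product key -> installs activated so far
    this.issued = new Set(); // install IDs that were given a certificate
  }
  activate(productKey, installId) {
    const used = this.uses.get(productKey) || 0;
    if (used >= MAX_USES) {
      return { status: "USED_PID", certificate: null }; // key is blocked
    }
    this.uses.set(productKey, used + 1);
    this.issued.add(installId);
    return { status: "SUCCESS", certificate: `cert-for-${installId}` };
  }
  isEntitled(installId) {
    return this.issued.has(installId);
  }
}

// Client side: a table that only chooses which page to display.
const stockPages = { SUCCESS: "activated.htm", USED_PID: "key-blocked.htm" };
// Locally modified copy with the two entries swapped, as the article describes.
const swappedPages = { SUCCESS: "key-blocked.htm", USED_PID: "activated.htm" };

function runClient(server, pages, productKey, installId) {
  const reply = server.activate(productKey, installId);
  return {
    shownPage: pages[reply.status],            // what the user is told
    hasCertificate: reply.certificate !== null, // what the server handed over
    serverSaysEntitled: server.isEntitled(installId),
  };
}

function demo() {
  const server = new ActivationServer();
  const key = "CONSTRUCTED-KEY-0001"; // constructed sample value
  runClient(server, stockPages, key, "pc-1");
  runClient(server, stockPages, key, "pc-2"); // key is now at its limit
  // A third machine with the swapped table is shown the success page,
  // but the server issued nothing and records no entitlement for it.
  return runClient(server, swappedPages, key, "pc-3");
}
```

The swapped table changes only `shownPage`; the certificate and the server's record are decided on the side the client cannot edit, which is why the dialogs disagree with the real activation state.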

Makes sense to us. Another person we've heard from, "AD," says that despite claims to the contrary there has been "no crack out for XP as of this date," and that the protection lies somewhere other than in the JavaScript and the previous favourite, winlogon.exe. "I can tell you definitely there is a way around the 14 days, and I have found it, and I can say Microsoft has become a bit more clever, but not impossible."

A crack for the 14 day timeout certainly is being circulated at the moment, but AD argues that the real protection involves the digital signatures we covered here last week. "Everything is digitally signed, but having to break various signatures to get around the protection is not the way, there is another way." Which he's not telling us right now.

But what's interesting is the extent to which the recent leaked builds signpost the direction Microsoft is taking with product activation. Signed files, server-based authentication and certificates start to take us towards a decidedly .NET environment.

Rationally, what Microsoft is doing now is surely testing these mechanisms and their integrity, and so far that seems to be working. The volumes the system currently has to deal with won't be anything like what they'll have to handle when WinXP ships, but then with Office XP out, and using a similar system, at the end of this month, there'll be an opportunity for more of a live battle test.

What Microsoft hasn't done so far, it would appear, is produce a sufficiently secure system that stops activation being, effectively, optional. Previous efforts by the crackers convinced the system it had been activated when it hadn't (maybe AD's getting excessively philosophical when he says this isn't an XP crack), while the most recent (assuming it works) simply stops the system ceasing to function if it's not activated in the first 14 days.

Obviously if XP ships without something fiendishly tougher in the box, then activation will remain optional - although even if you circumvent it on a paid for copy you should note that the current licence Ts & Cs say you do not have a licence if you do not activate the product in the approved way. More likely, breachable protection would be of some interest to the warez community, but when the product actually ships there'll surely be unlocked corporate editions around, as is the case with OXP, so these are the ones they're going to warez. And cracking the activation will be largely an intellectual exercise.

So what's the big deal? Maybe it's anticipation of what's coming next. Currently Microsoft is presenting activation as a simple, one-time, non privacy-infringing exercise. And indeed, currently it is, and finding out how to not use it with a legitimate copy looks like it might be just plain cussed.

But look at all of the damned nagware parallels that already exist in the world (and note in passing that most of the biggest atrocities aren't foisted on us by Microsoft). You buy the product, and at indeterminate intervals, or even every time you use it, up pops the register now box, and it's usually none too simple to find out how you switch it off. These are registration processes, while product activation and registration are two separate things. (Well, not entirely - in the official 2462 beta 2 code it's very easy to be tricked into checking the register box while you're activating, and funnily enough, you're then filling in the usual data boxes. Microsoft should note that this cheesy stunt has been noted.)

Like everybody else, Microsoft does want that data, and although it's not directly using product activation to get it, in this rev PA is certainly going to be a mechanism for vastly increasing the percentage of registered users Redmond is going to get. Other mechanisms such as certificates, signed files and the beefed-up Windows Update will also substantially increase the amount of information exchanged between WinXP clients and Microsoft servers. So maybe the whole deal is designed to get the maximum number of people possible used to this, and maybe there's a thought in Redmond that this could be so successful that there won't be any real need to make it absolutely compulsory. Or maybe not..? ®

Related stories:
Cracked or not? WinXP protection war hots up
