Feeds

MS turns up heat on warezed WinXP copies

Cut off their update supply...

  • alert
  • submit to reddit

Security for virtualized datacentres

The beta of Service Pack 1 for Windows XP has now shipped to testers and, as previously advertised, it declines to install if you're using a leaked WinXP licence key. But - again as previously advertised - it doesn't deactivate your installation, just stops you applying the service pack.

But a sharp-eyed reader of Neowin.net has spotted what appears to be an escalation of the role of product activation. The privacy statement now says "To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. This information includes: Operating-system version number and Product Identification number... The Product Identification number is collected to confirm that you are running a validly licensed copy of Windows. A validly licensed copy of Windows ensures that you will receive on-going updates from Windows Update."

So far, people using copies of Windows XP that have been activated using one of the leaked keys have had no trouble getting patches and updates because Windows Update didn't check the validity of their licence. But as Microsoft is clearly stating that licence information is now being gathered by Windows Update, and that a "validly licensed copy of Windows ensures that you will receive on-going updates," then it seems pretty logical to presume that an invalidly licensed copy of Windows ensures that you won't.

It should be a pretty simple matter for Microsoft to add keys that it knows have been leaked to a blocking list, and then to deny access to Windows Update to people using them. Many of these keys are, obviously, being used by people who've warezed XP, but there's also a reasonably large number of software professionals and refuseniks who have used them even though they have a legitimately bought version of XP. This can be for several reasons - they might have to do a lot of hardware testing, involving multiple reinstalls of the software, they might view activation as unecessary aggravation, or they might see it as a privacy thing. Most of them are probably just ornery, and quite a few of them are, er, Microsoft beta testers. Note however that if you use an invalid key to circumvent product activation you do not, in Microsoft's view, have a validly licensed installation even if you paid full whack for the software. That's what it says in the EULA, folks.

Blocking the leaked keys however isn't likely to get Microsoft very far, because people determined not to use a legitimate key can simply use one of the KeyGen routines to produce a working key. This appears to be impossible to block right now, because the keys produced do seem to be indistinguishable from 'proper' keys, to the extent that they are, sort of, proper keys. In theory this could be stopped if Microsoft had a list of all of the keys it had actually issued, but it probably hasn't, and it'd be a tricky thing to keep up to date.

As far as Windows Update is concerned, it also still seems possible to use the corporate version of Windows Update to download your selected patches and updates without having your ID checked. At the moment corporate Windows Update is also claiming it checks your OS and product identification number, but as it's still perfectly feasible to download a WinXP critical update with a Win2k machine (we just did), it's not entirely clear to us where that gets Microsoft. It may be the case that the site collects licensing information if you're running XP and declines to serve you if it's a dodgy copy. But as the message is on the corporate site, again we have a clear statement of intent. ®

Website security in corporate America

More from The Register

next story
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
'Windows 9' LEAK: Microsoft's playing catchup with Linux
Multiple desktops and live tiles in restored Start button star in new vids
iOS 8 release: WebGL now runs everywhere. Hurrah for 3D graphics!
HTML 5's pretty neat ... when your browser supports it
'People have forgotten just how late the first iPhone arrived ...'
Plus: 'Google's IDEALISM is an injudicious justification for inappropriate biz practices'
Mathematica hits the Web
Wolfram embraces the cloud, promies private cloud cut of its number-cruncher
Mozilla shutters Labs, tells nobody it's been dead for five months
Staffer's blog reveals all as projects languish on GitHub
SUSE Linux owner Attachmate gobbled by Micro Focus for $2.3bn
Merger will lead to mainframe and COBOL powerhouse
iOS 8 Healthkit gets a bug SO Apple KILLS it. That's real healthcare!
Not fit for purpose on day of launch, says Cupertino
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.