Feeds

MS planning to tackle leaked WinXP keys with SP1?

Mass zeroing of corporate keys mooted

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

Microsoft may be readying the next escalation in the Product Activation wars for the release of WinXP Service Pack 1, according to a report at BetaONE. The site claims that Microsoft has done a rewrite of the way corporate product activation keys are generated, and that although this feature is currently switched off in the SP1 beta, it'll be unleashed when SP1 goes live, the idea being to ambush all of the people using leaked corporate XP Professional keys.

BetaONE says that the existence of the rewritten code can be verified if SP1 is applied to XP via a "slipstreamed" or integrated install, i.e. using a central distribution folder to update workstations on a network. This is how the people who've been issued corporate keys would likely do it, hence it seems a logical place to attack leaked corporate keys. The site says it tried 75 keys under these circumstances, and none of them worked. This is considerably more than the one that Microsoft casually said would be blocked by SP1 earlier this year.

The slipstream install patches the key-generating DLLs rather than replacing them, which means it won't be possible simply to slipstream a non-corporate version of XP then apply the corporate files. File version numbers and signatures are also checked, which will impede the crackers further. The new system does not have any effect on slipstreamed installs on non-corporate versions of XP with legal keys, so BetaONE concludes that the new key generation system is only being applied to corporate versions.

So where does this get Microsoft? If it really does go with this kind of procedure with SP1, a fair distance at something of a price. Considerable effort was expended by the warez community on circumventing WPA in XP, but although they succeeded via several routes, these were really just harmless heroics from Microsoft's point of view. The real problem has been leaked corporate keys that can just be applied to a standard XP distribution (as opposed to a patched one). These are used by pirates, by what Microsoft terms casual copiers, and by large numbers of techies who want to avoid the hassle of reactivation when they've changed too much hardware.

If Microsoft therefore tightened up on the protection applied to non-corporate copies while doing nothing about the corporate ones, it could conceivably find itself in the bizarre situation where there were more installations using leaked corporate keys than ones that had been activated via the approved procedure. It's clearly untenable, so either you pull WPA or you tighten up on corp.

The procedure BetaONE envisages (and it's about the only one we can see would have an effect) is that all corporate customers will be issued with new keys that are recognised by the new code in SP1. So if that's correct, all current corporate keys are dead, the luckless corporate techies will likely get somewhat irritated about having to reactivate, but hey, activation with a corporate key is supposed to be trivially easy, right?

The new key generation system may be more difficult to get round than the last one; indeed, if it isn't, there isn't a lot of point in Microsoft implementing it. That, however, is not the problem. Microsoft's difficulties arise not from people actually cracking the key system but from corporate keys leaking, so no matter how good the system, if a key is leakable, it gets circumvented.

So, Microsoft not being stupid (perversely, persistently irritating yes, stupid no), there has to be another shoe. Some sabre-rattling to discourage customers from leaking might have some effect, but as the company can't even stop its own people leaking betas, we think not a massive one. Sure, Microsoft can threaten legal action against companies whose keys escape, but how do the companies stop them escaping? Many of the people at the sharp end of deploying these keys don't even like their employers, so they should care if the firm gets whacked for an additional 20,000 licence fees.

Inexorably, one is drawn to phoning home as the real shoe two. The EULAs are being amended so that Microsoft reserves the right to check the validity of machines' licences, which means the company will be able to check online for leaked keys, and take what it deems appropriate action. Checking via Windows Update would allow the identification of corporate keys that had leaked out of the corporate market, and this could be followed up with the owner of the key. It wouldn't have an effect on the new "owners" of the key of course unless Microsoft decided to remote-bomb suspect installations on a regular basis, rather than just whacking them at Service Pack stage.

Microsoft would need a tightening up of the corporate auditing procedure to go alongside this, but its auditing procedures get ever-tighter anyway. If at some point in the future Windows client machines always wanted to either check in with a licence server system on the Web or with one on the corporate network that Microsoft itself could check with, then businesses using pirate software would be a lot easier to track, and they're a better source of low-hanging revenue fruit than playground copiers anyway.

There is however one last snaggette to the system we've just been roughing out. If there is no change to the key system used for non-corporate copies, then the easy workaround becomes key generation rather than a leaked corporate key. There are several pieces of software available on the Web that produce keys that seem to be recognised by Microsoft's WPA system as valid. So next, Microsoft will surely have to deal with that aspect of the compromised key system. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
UNIX greybeards threaten Debian fork over systemd plan
'Veteran Unix Admins' fear desktop emphasis is betraying open source
Netscape Navigator - the browser that started it all - turns 20
It was 20 years ago today, Marc Andreeesen taught the band to play
Redmond top man Satya Nadella: 'Microsoft LOVES Linux'
Open-source 'love' fairly runneth over at cloud event
Return of the Jedi – Apache reclaims web server crown
.london, .hamburg and .公司 - that's .com in Chinese - storm the web server charts
Chrome 38's new HTML tag support makes fatties FIT and SKINNIER
First browser to protect networks' bandwith using official spec
Admins! Never mind POODLE, there're NEW OpenSSL bugs to splat
Four new patches for open-source crypto libraries
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.