Feeds

MS planning to tackle leaked WinXP keys with SP1?

Mass zeroing of corporate keys mooted

  • alert
  • submit to reddit

Designing a Defense for Mobile Applications

Microsoft may be readying the next escalation in the Product Activation wars for the release of WinXP Service Pack 1, according to a report at BetaONE. The site claims that Microsoft has done a rewrite of the way corporate product activation keys are generated, and that although this feature is currently switched off in the SP1 beta, it'll be unleashed when SP1 goes live, the idea being to ambush all of the people using leaked corporate XP Professional keys.

BetaONE says that the existence of the rewritten code can be verified if SP1 is applied to XP via a "slipstreamed" or integrated install, i.e. using a central distribution folder to update workstations on a network. This is how the people who've been issued corporate keys would likely do it, hence it seems a logical place to attack leaked corporate keys. The site says it tried 75 keys under these circumstances, and none of them worked. This is considerably more than the one that Microsoft casually said would be blocked by SP1 earlier this year.

The slipstream install patches the key-generating DLLs rather than replacing them, which means it won't be possible simply to slipstream a non-corporate version of XP then apply the corporate files. File version numbers and signatures are also checked, which will impede the crackers further. The new system does not have any effect on slipstreamed installs on non-corporate versions of XP with legal keys, so BetaONE concludes that the new key generation system is only being applied to corporate versions.

So where does this get Microsoft? If it really does go with this kind of procedure with SP1, a fair distance at something of a price. Considerable effort was expended by the warez community on circumventing WPA in XP, but although they succeeded via several routes, these were really just harmless heroics from Microsoft's point of view. The real problem has been leaked corporate keys that can just be applied to a standard XP distribution (as opposed to a patched one). These are used by pirates, by what Microsoft terms casual copiers, and by large numbers of techies who want to avoid the hassle of reactivation when they've changed too much hardware.

If Microsoft therefore tightened up on the protection applied to non-corporate copies while doing nothing about the corporate ones, it could conceivably find itself in the bizarre situation where there were more installations using leaked corporate keys than ones that had been activated via the approved procedure. It's clearly untenable, so either you pull WPA or you tighten up on corp.

The procedure BetaONE envisages (and it's about the only one we can see would have an effect) is that all corporate customers will be issued with new keys that are recognised by the new code in SP1. So if that's correct, all current corporate keys are dead, the luckless corporate techies will likely get somewhat irritated about having to reactivate, but hey, activation with a corporate key is supposed to be trivially easy, right?

The new key generation system may be more difficult to get round than the last one; indeed, if it isn't, there isn't a lot of point in Microsoft implementing it. That, however, is not the problem. Microsoft's difficulties arise not from people actually cracking the key system but from corporate keys leaking, so no matter how good the system, if a key is leakable, it gets circumvented.

So, Microsoft not being stupid (perversely, persistently irritating yes, stupid no), there has to be another shoe. Some sabre-rattling to discourage customers from leaking might have some effect, but as the company can't even stop its own people leaking betas, we think not a massive one. Sure, Microsoft can threaten legal action against companies whose keys escape, but how do the companies stop them escaping? Many of the people at the sharp end of deploying these keys don't even like their employers, so they should care if the firm gets whacked for an additional 20,000 licence fees.

Inexorably, one is drawn to phoning home as the real shoe two. The EULAs are being amended so that Microsoft reserves the right to check the validity of machines' licences, which means the company will be able to check online for leaked keys, and take what it deems appropriate action. Checking via Windows Update would allow the identification of corporate keys that had leaked out of the corporate market, and this could be followed up with the owner of the key. It wouldn't have an effect on the new "owners" of the key of course unless Microsoft decided to remote-bomb suspect installations on a regular basis, rather than just whacking them at Service Pack stage.

Microsoft would need a tightening up of the corporate auditing procedure to go alongside this, but its auditing procedures get ever-tighter anyway. If at some point in the future Windows client machines always wanted to either check in with a licence server system on the Web or with one on the corporate network that Microsoft itself could check with, then businesses using pirate software would be a lot easier to track, and they're a better source of low-hanging revenue fruit than playground copiers anyway.

There is however one last snaggette to the system we've just been roughing out. If there is no change to the key system used for non-corporate copies, then the easy workaround becomes key generation rather than a leaked corporate key. There are several pieces of software available on the Web that produce keys that seem to be recognised by Microsoft's WPA system as valid. So next, Microsoft will surely have to deal with that aspect of the compromised key system. ®

Boost IT visibility and business value

More from The Register

next story
Whoah! How many Google Play apps want to read your texts?
Google's app permissions far too lax – security firm survey
Chrome browser has been DRAINING PC batteries for YEARS
Google is only now fixing ancient, energy-sapping bug
Do YOU work at Microsoft? Um. Are you SURE about that?
Nokia and marketing types first to get the bullet, says report
Microsoft takes on Chromebook with low-cost Windows laptops
Redmond's chief salesman: We're taking 'hard' decisions
EU dons gloves, pokes Google's deals with Android mobe makers
El Reg cops a squint at investigatory letters
Big Blue Apple: IBM to sell iPads, iPhones to enterprises
iOS/2 gear loaded with apps for big biz ... uh oh BlackBerry
OpenWRT gets native IPv6 slurping in major refresh
Also faster init and a new packages system
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.