MS planning to tackle leaked WinXP keys with SP1?

Mass zeroing of corporate keys mooted

Microsoft may be readying the next escalation in the Product Activation wars for the release of WinXP Service Pack 1, according to a report at BetaONE. The site claims that Microsoft has done a rewrite of the way corporate product activation keys are generated, and that although this feature is currently switched off in the SP1 beta, it'll be unleashed when SP1 goes live, the idea being to ambush all of the people using leaked corporate XP Professional keys.

BetaONE says that the existence of the rewritten code can be verified if SP1 is applied to XP via a "slipstreamed" or integrated install, i.e. using a central distribution folder to update workstations on a network. This is how the people who've been issued corporate keys would likely do it, hence it seems a logical place to attack leaked corporate keys. The site says it tried 75 keys under these circumstances, and none of them worked. This is considerably more than the one that Microsoft casually said would be blocked by SP1 earlier this year.

The slipstream install patches the key-generating DLLs rather than replacing them, which means it won't be possible simply to slipstream a non-corporate version of XP then apply the corporate files. File version numbers and signatures are also checked, which will impede the crackers further. The new system does not have any effect on slipstreamed installs on non-corporate versions of XP with legal keys, so BetaONE concludes that the new key generation system is only being applied to corporate versions.

So where does this get Microsoft? If it really does go with this kind of procedure with SP1, a fair distance, at something of a price. Considerable effort was expended by the warez community on circumventing WPA in XP, but although they succeeded via several routes, these were really just harmless heroics from Microsoft's point of view. The real problem has been leaked corporate keys that can just be applied to a standard XP distribution (as opposed to a patched one). These are used by pirates, by what Microsoft terms casual copiers, and by large numbers of techies who want to avoid the hassle of reactivation when they've changed too much hardware.

If Microsoft therefore tightened up on the protection applied to non-corporate copies while doing nothing about the corporate ones, it could conceivably find itself in the bizarre situation where there were more installations using leaked corporate keys than ones that had been activated via the approved procedure. It's clearly untenable, so either you pull WPA or you tighten up on corp.

The procedure BetaONE envisages (and it's about the only one we can see would have an effect) is that all corporate customers will be issued with new keys that are recognised by the new code in SP1. So if that's correct, all current corporate keys are dead, the luckless corporate techies will likely get somewhat irritated about having to reactivate, but hey, activation with a corporate key is supposed to be trivially easy, right?

The new key generation system may be more difficult to get round than the last one; indeed, if it isn't, there isn't a lot of point in Microsoft implementing it. That, however, is not the problem. Microsoft's difficulties arise not from people actually cracking the key system but from corporate keys leaking, so no matter how good the system, if a key is leakable, it gets circumvented.

So, Microsoft not being stupid (perversely, persistently irritating yes, stupid no), there has to be another shoe. Some sabre-rattling to discourage customers from leaking might have some effect, but as the company can't even stop its own people leaking betas, we think not a massive one. Sure, Microsoft can threaten legal action against companies whose keys escape, but how do the companies stop them escaping? Many of the people at the sharp end of deploying these keys don't even like their employers, so they should care if the firm gets whacked for an additional 20,000 licence fees.

Inexorably, one is drawn to phoning home as the real shoe two. The EULAs are being amended so that Microsoft reserves the right to check the validity of machines' licences, which means the company will be able to check online for leaked keys, and take what it deems appropriate action. Checking via Windows Update would allow the identification of corporate keys that had leaked out of the corporate market, and this could be followed up with the owner of the key. It wouldn't have an effect on the new "owners" of the key of course unless Microsoft decided to remote-bomb suspect installations on a regular basis, rather than just whacking them at Service Pack stage.

Microsoft would need a tightening up of the corporate auditing procedure to go alongside this, but its auditing procedures get ever-tighter anyway. If at some point in the future Windows client machines always wanted to either check in with a licence server system on the Web or with one on the corporate network that Microsoft itself could check with, then businesses using pirate software would be a lot easier to track, and they're a better source of low-hanging revenue fruit than playground copiers anyway.

There is however one last snaggette to the system we've just been roughing out. If there is no change to the key system used for non-corporate copies, then the easy workaround becomes key generation rather than a leaked corporate key. There are several pieces of software available on the Web that produce keys that seem to be recognised by Microsoft's WPA system as valid. So next, Microsoft will surely have to deal with that aspect of the compromised key system. ®
