WinXP Product Activation decoded and analysed
German outfit goes public with the truth and the proof
German techies Fully Licensed GmbH claim - convincingly - to have unravelled the Windows Product Activation (WPA) system used in the latest versions of Microsoft software, including Office XP and Windows XP. The bottom line, according to the company, is that WPA is not particularly intrusive, does not invade anybody's privacy, and is a lot more forgiving of hardware changes than has been speculated.
That speculation is, as Fully Licensed points out, entirely Microsoft's fault, as the company has been intentionally vague about the precise nature of the sending and checking carried out. As Fully Licensed says: "The current public discussion of Windows Product Activation (WPA) is characterized by uncertainty and speculation. In this paper we supply the technical details of WPA - as implemented in Windows XP - that Microsoft should have published long ago."
Fully Licensed, incidentally, supports WPA. Says managing director and CTO Thomas Lopatic: "Software piracy is still a major problem for all software companies. And we think that [Microsoft's] interest in raising the bar for software pirates is absolutely justified."
The company analysed WPA as shipped in WinXP RC1, and found that ten hardware components are used to generate the "individual" hardware ID for the machine XP is installed on. "However, due to the method employed to generate the hardware ID, it is very likely that many hardware configurations result in the same ID. Consequently, determining the actual hardware configuration corresponding to a given hardware ID is an infeasible task. In addition to the hardware ID only information derived from the product key - a kind of serial number accompanying each distributed copy of Windows XP - is transmitted."
So Microsoft does not have any mechanism for finding out what hardware you're running. From the WPA process, anyway. The hardware checked is as follows: Serial number of system volume; NIC MAC address; CDROM; graphics adapter; CPU; hard drive; SCSI adapter; IDE controller; processor model; RAM size. There's also a check to see if the hardware is dockable or not. The company reckons that there's likely to be duplication in the components (i.e. different products might produce the same ID), and that the system is pretty forgiving.
You're only likely to have to repeat the activation process and get a new unlock key if you change more than three of these components, and if you're using a portable in conjunction with a docking station, it's effectively a lot more flexible than that.
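The two properties described above (a lossy ID that cannot be mapped back to specific hardware, and a tolerance of up to three changed components) can be modelled in a few lines. This is an added example, not code from Fully Licensed, XPDec or Microsoft; the truncated SHA-256 digest, the 6-bit field width and all sample values are assumptions made for illustration.

```python
import hashlib
from itertools import count

# The ten components named in the article. The 6-bit width per field is an
# assumption for this example; the article does not state field sizes.
COMPONENTS = ["volume_serial", "nic_mac", "cdrom", "graphics_adapter", "cpu",
              "hard_drive", "scsi_adapter", "ide_controller",
              "processor_model", "ram_size"]
BITS = 6
TOLERANCE = 3  # article: re-activation only if more than three components change


def field_digest(value: str, bits: int = BITS) -> int:
    """Keep only the top `bits` bits of a hash of the component string."""
    h = hashlib.sha256(value.encode()).digest()
    return int.from_bytes(h, "big") >> (256 - bits)


def hardware_id(config: dict) -> dict:
    """Reduce each component to a few bits; the raw strings are discarded."""
    return {name: field_digest(config[name]) for name in COMPONENTS}


def changed_fields(old_id: dict, new_id: dict) -> int:
    """Count the fields whose digests differ between two hardware IDs."""
    return sum(old_id[n] != new_id[n] for n in COMPONENTS)


def needs_reactivation(old_id: dict, new_id: dict) -> bool:
    """Only the IDs are compared; the real hardware strings are never stored."""
    return changed_fields(old_id, new_id) > TOLERANCE


def find_collision(value: str) -> str:
    """Find a different string with the same digest: the ID is not invertible."""
    target = field_digest(value)
    for i in count():
        candidate = f"other-device-{i}"  # constructed candidate names
        if candidate != value and field_digest(candidate) == target:
            return candidate


# Constructed sample machine (all values invented for this example).
SAMPLE = {name: f"{name}-sample-001" for name in COMPONENTS}

if __name__ == "__main__":
    hwid = hardware_id(SAMPLE)
    print("hardware ID:", hwid)
    print("same nic_mac digest as:", find_collision(SAMPLE["nic_mac"]))
```

With only a handful of bits kept per component, many distinct devices share a digest, which is why a received ID says almost nothing about the machine that produced it.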
The information transmitted, the company says, is "completely innocuous", consisting solely of the hardware ID (which can't be used to identify specific hardware) and the product key that comes with XP. Of itself the system is therefore no threat. WPA does however take us closer to Microsoft's goal of chaining a particular piece of software to a particular piece of hardware, making it easier for the company to claim the Microsoft tax every time you buy a new machine. Fully Licensed doesn't cover that part of the deal, but obviously if you install, say, Office XP on one machine and then want to use it on an entirely new machine when you upgrade, you're going to have to call up Microsoft and get permission. The Register reckons it's therefore still objectionable from that point of view.
Nor does Fully Licensed cover other aspects of 'generation XP' that have the effect of garnering information about you and your hardware. There is, for example, a deal of checking of the local configuration already present in Windows Update, and the automated bug-reporting in XP potentially gives Microsoft far more information than you'd conceive of being sent via WPA. This latter system kicks in when your machine has a problem, but only sometimes, frequently not when you had a big problem you're personally well aware of, rather more frequently when you didn't even notice a problem at all.
The intention of this system is positive - Microsoft reckons that if people can send fully detailed bug reports just by clicking OK, it'll be able to analyse them in volume, to zero in on major problems with its software a lot faster than in the past, and be far more effective in prioritising fixes. But although you get the option of not sending this and of inspecting what's going to be sent, it's practically impossible to understand what's being sent - quite a bit of information about local configuration, however, will certainly be in it, so it's likely a lot of people will click on no.
But Fully Licensed set out solely to analyse the WPA process, and it seems to have done a fairly thorough job of this. In addition to the analysis of the hardware identifier, it's also done a deconstruct of the product key itself, explaining how the important part is buried inside the printed product key, and which components are likely to be checks (to allow for the call centre operative typing it in wrong, for example). It's not clear whether or not this information will be of any help to people who might have a need to generate product keys (no, we don't know why they'd want to do that either). But Fully Licensed probably would not have published the info if this was the case.
In addition to the results of its analysis, the company has also made XPDec, a command line utility that can be used to verify the information, available for download along with the source code for XPDec. It notes that "we have removed an important cryptographic key from the XPDec source [so] recompiling the source code will fail to produce a working executable."