Security Of Windows/Office XP Activation Code?

merodach asks: "In pondering the next versions of Windows and Office (XP), the wonderful save-us-from-ourselves product activation, and MS's repeated public blunders with security I began to wonder about the security around the activation code, itself. Specifically, I was wondering how it would impact my job as an IT Consultant with regards to Melissa-type viruses and trojans which might: surreptitiously use the transmission code to send sensitive info to competitors/enemies of my customer; and (assuming that the software checks this periodically) change the activation info and damage/destroy the ability to repair that info (in short order rendering an entire network useless). As I don't have access to the beta versions or the code I was wondering if anybody in the Slashdot community would be able to list or explain what, if any, precautions are being taken on this." As it happens, TechRepublic has an article about this very subject. Thanks to Deecyl for the link.

Activation codes

The article asks:

OK, if product activation isn't the answer, then what is? Imagine you're running the Windows or Office business at Microsoft-how do you keep your product from being stolen without inconveniencing your customers or holding their PCs hostage? I'll take the best suggestions and pass them along to Microsoft.

Here's a simple approach. Cut deals with all of the hardware manufacturers so that they are forced to purchase a copy of Windows for each machine they sell, whether or not the user wants it. This way, Microsoft will receive automatic license payments on probably 95% of all PCs manufactured, leaving only the 5% or less of PCs that are built from scratch vulnerable to Windows piracy.

Oh wait ... they're already doing that.

Don't have to wait

Well, hopefully with the increasing demand for something reasonably priced for him to use, the OSS community will port some of free word processing programs over to winblowz.

Check out OpenOffice [openoffice.org] (formerly Star Office). They treat Win32 as a primary platform (along with Solaris and Linux) and its starting to look preaty spiffy and stable. Still a bit left to do (ie. Its still beta, so its more stable than MS Office, but doesn't have all the neat templates yet ::grin::).

Once its hit General Availability, I'm sure people are going to work on/improve the MS Office compatability filters, and when Joe-Six-Pack needs to get his home office suite, he'll either borrow a CD from his "Techie Friend" (amazing how much this happens), or he'll shell over a VASTLY smaller number of $$ for a copy of OpenOffice on the retail stores... put out but Sun or someone else.

Re:Reinstalling WON'T require activation?

>>The activation code is based on your MAC address

Um, No.

I'm on the beta for this, and I lurk the private MS newsgroups. They started a newsgroup just to discuss Product Activation once the flamewars spread into the other groups, drowning out the other discussions. In that newsgroup, 99.995% of the posts are, if anything, more vitriolic and staunchly opposed to the idea of product activiation than the posts I have read here...

So naturally, once MS shipped code that really needed to be activated, the first thing most folks did was try and figure out what hardware changes trigger the system activation. It turns out to be more complex than just the MAC address, rather it works off of a combination of some motherboard identification, hard drive ID, and the Mac address. (I would bet that if you have a CPU with a GUID, then it uses that, too.) You can actually change out a lot of this stuff and not have the reactivation trigger.

Besides that, apparently (I read this over at the Register) [theregister.co.uk] the cracks are painfully easy to implement, so it's really not going to solve the problem.

will only hurt themselves

I agree, this can only be bad for microsoft. They have based their whole corporate stratagy on market share and actually have benefitted from a certain leve of piracy. Each time someone pirated a copy in the past from a friend they contributed to the demise of OS/2 and MACOS and the rise of windows. Sure they didn't pay for Windows but they still supported the platform by buying other software that only worked on Windows.
I guess that they (MS) think that they've got everone hooked now and that they can safely tighten things and collect their money now.
This just seems like a perfect oportunity for GNU/Linux to start building market share. As it gets harder to get Windows it will get easier to chose Linux. It will be interesting to see what happens in the next couple of years.

Reinstalling WON'T require activation?

From the TechRepublic article:

Every time you reinstall Windows, you'll need a new code.
R. Kinner is already prepared to join a class action lawsuit against Microsoft: "If I, as a home user, am forced over the course of a year to reinstall XP five times, and MS refuses me a sixth code, they are the ones breaking the commerce contract that was begun when I purchased the software." Call off the lawyers! You can reinstall Windows or Office XP an unlimited number of times on the same hardware. The activation will be automatic.

This has to be bullshit. If I reformat and reinstall, how could Office possibly know that I already have an activation code? Where, exactly, is Office storing the activation code? On the hard drive I just formatted?

Ditto if I upgrade the hard drive. Am I missing something here?

me like activation code

Now when I ask for my refund on windows, won't it be easy to verify that I've never used that installation and am entitled to the refund? Or perhaps it's already activated by the OEM when they installed windows.

All your event [openschedule.org] are belong to us.

Hardware 'fingerprint' has been tried, failed

This sort of scheme has been tried and failed, for two reasons-

1. It's too easy to fake the 'system id' number, or just trick the code that checks it.
2. It is too easy to accidentally do something that changes the number, causing the software to fail.

The hardware fingerprint is generally the MAC of the primary ethernet card (in a system with ethernet). So if you change your primary network card, the fingerprint changes.

This can be a major problem on laptops. My laptop did not come with onboard ethernet, and I switch out the PCMCIA ethernet card on a regular basis, plus each of my docking stations has an ethernet interface with it's own unique MAC.

It's often very easy to change the MAC on an ethernet card, but if you have two machines on the same network segment with the same MAC, strange things happen.

Re:Reinstalling WON'T require activation?

It's not storing the code at all. Go up one paragraph in the article from the paragraph you quoted. It specifically says that the code is generated based on the hardware in your system. Unless you swapped out hardware as part of your format-and-reinstall, the code that is generated after the reinstall will be identical to the one that was generated before the reinstall.

Re:Reinstalling WON'T require activation?

This has to be bullshit. If I reformat and reinstall, how could Office possibly know that I already have an activation code? Where, exactly, is Office storing the activation code? On the hard drive I just formatted? Easy, you still get a licensing code with your CD, that unique code get registered in thier computer along with your activation code generated based on your hardware. This means You can't lose your licensing code like I tend to, the box I am on now was installed with a legal copy, but durring one of MS's famous crashes I couldn't find the license number *I had just moved*, so I borrowed my roommates. The two big problems I have with this, and noone has seemed to bring up is this. 1. If corporations don't have to worry about this what stops me from getting my "big corp" sysadmin buddie to lend me a copy of there CD. 2. and even worse, if my machine will check into there central server fronm time to time what happens if it is down? We all know MS server products are stable, yeah right. Maybe they plan to run this server off of BSD like hotmail. When this server is down by crash, DOS Attack, or Squirrel chewing through the fiber cable are we out of luck, or even if my DSL line is down that day can I not use my computer till it comes back up? Just a little bit ago all of MSs Servers were down for a few days due to a DNS problem (or so they say)imagine if it was you desktops time to check in durring this outage, yikes.Plus does anyone else see this as a new world record in the making, most popular server for DOS attacks, just thing about the ripe target this will be.

Re:Activation code won't change anything

Crackers are responsible for very little of the vast majority of piracy. The vast majority is casual, where most people don't even realize they're breaking the law ("Hey jim, can I borrow your Office CD for a few minutes?").

But there's a serious question about how much this kind of piracy is actually costing Microsoft. Do you really think that every person who borrows an Office CD from work to install it on his home computer would really buy the full cost package from Microsoft anyway? I sure don't. I sincerely question whether this will actually be a money maker for MS in the long run. Discouraging casual copying won't actually increase sales very much (for the reason stated above), while the increased hassle of dealing with the copy protection scheme will make more people question the practicality of buying overpriced MS products. This will be particularly true unless there's an easier way of dealing with the copy controls for large businesses with huge numbers of PCs to manage. Just think about what dealing with all of those damn licenses will do to Microsoft's vaunted TCO.

Nothing to worry about!

According to the article, "a Microsoft spokesman assured [the author]" that mundane upgrades wouldn't cause a problem. Whew! We can all rest easy, because we know a Microsoft spokesman would never mislead a member of the press....

Intel

Does anyone know if Intel has 're-enabled' the UID in its CPUs in the P4?

Wouldnt it be nice if they could track exact CPUs....

What a fiasco this is going to be...

OEM Pre-registration

Actually, OEMs will automatically pre-register your copy of Windows XP and/or Office XP with Microsoft. Now, the question is which OEM are you talking about? I'm sure the Mom & Pop down the street computer shop probably won't pre-register unless Microsoft forces the issue and threatens them with legal action. On the other the OEM's that are in bed with Microsoft (Dell, Compaq, etc.) will definitely pre-register.

However... a lot of this really doesn't matter because the big OEM's (Dell, Compaq, HP, etc.) don't give you a copy of your OS media these days. Now you only get a recovery CD that restores your system to the original factory condition. Microsoft completely snuck that under the radar and no one ever said anything.

It may be a pain to return your software... but you can't return a restore CD. Why would Microsoft want a copy of a restore CD that is only good for your computer? So, I guess you won't be able to ask for a refund on Windows because you won't actually have a copy of Windows.

Re:Activation code won't change anything

Crackers are responsible for very little of the vast majority of piracy. The vast majority is casual, where most people don't even realize they're breaking the law ("Hey jim, can I borrow your Office CD for a few minutes?").

Sure, any protection will be cracked almost immediately, but very few people (compared to the people that use Office) will know how to get those cracks, or will be scared that MS will know that they've cracked it. (That's the real purpose, to scare people into complying, not whether the damn thing works or not).

Professional pirates will find ways to defeat it, and there isn't a lot any company can do about that.

This is a lot like putting locks on your doors. Any professional thief can bypass them. They even sell machines to do it automatically for people to use with little to no skill, but it keeps the vast majority of people from just walking in and taking what they want.

Re:Activation code won't change anything

I actually tried to post this as an AskSlashdot a couple weeks ago, but apparently I'm not important enough to actually have a front page story, but in any case, here's my $.02:

A simple fact remains for most home users: They aren't going to pay $500 so that lil' Johnny can make prettier school reports. What happens currently is that they borrow the copy from work, bring it home, and they have it for free. Problem solved. Now, they aren't going to be able to do that because it's going to be easier for M$ to track the software, and thus companies will be less willing to look the other way when employees borrow a copy. What's left for Joe-Six-Pack to do? Well, hopefully with the increasing demand for something reasonably priced for him to use, the OSS community will port some of free word processing programs over to winblowz. Give them a couple weeks using it, watch lil' Johnny create an 'A' report with it, and next thing you know, Joe-Six-Pack is at the water cooler telling his buddies how "this OSS shit ain't all that bad.. and it's FREE!" That's how you get into the home market people. M$ is going to lead the average user to us by disgusting them and making it harder and harder for them to use the crap they push.

Here's to a properous future!

$man microsoft