Dvorak on Windows Genuine Advantage

PadRacerExtreme writes "Vista includes the much maligned 'Genuine Advantage' layer inside, which ensures that your copy of the OS is legit. If you're running a non-validated copy you get no upgrades, no security protection, nothing. That's all well and good, but what happens if a cracker tweaks that Genuine Advantage layer for its own good? Dvorak sees a huge problem, just waiting to happen. What's the vulnerability?" From the article: "I suspect the policeman [WGA] will actually be hacked before the OS. It might actually be easier for the pirates to create a fake cop that constantly authenticates fake versions of Vista than it will be to create a Vista imitation that can pretend to be a legitimate version. There is some irony to that idea. But that's none of my concern. I'm more worried about some joker creating a virus or exploit that turns the good cop into a bad cop, and I can only imagine the destruction and hassle that will ensue."
  • Sadly (Score:5, Insightful)

    by Null Perception ( 914562 ) on Thursday October 19, 2006 @01:21PM (#16503959)
    Dvorak's forecast of the future is often wrong.
  • Low-hanging fruits (Score:5, Insightful)

    by overshoot ( 39700 ) on Thursday October 19, 2006 @01:22PM (#16503985)
    It's always easier to make something do what it's supposed to do (even when it shouldn't) than it is to make it do something it's not designed for.

    For instance, chainsaws are designed to cut off limbs. Tree, human, what's the difference?

    WGA and successors are designed to disable Microsoft systems. OK, I'm sure that there are those who appreciate the help.

  • by jizziknight ( 976750 ) on Thursday October 19, 2006 @01:25PM (#16504037)
    ... on a virus right now that effectively shuts down any Vista computer by causing WGA to always detect the OS as a pirated copy.

    Actually, for some reason, I had never thought of this before. You probably wouldn't really even have to mess with WGA all that much, just change whatever it's checking to see if the OS is valid. Not sure how easy that would be, but considering the number of false positives that are cropping up on XP, it should be quite doable.
  • Re:Sadly (Score:2, Insightful)

    by DynamoJoe ( 879038 ) on Thursday October 19, 2006 @01:26PM (#16504049)
    I agree (his Mac columns are stellar examples of rectocranial insertion syndrome), but in this case I bet he's got a point. Which is kind of a bummer. I mean, it's Dvorak, leader of the clueless.
  • Re:Sadly (Score:3, Insightful)

    by TobyRush ( 957946 ) on Thursday October 19, 2006 @01:28PM (#16504061) Homepage
    Dvorak's forecast of the future is often wrong.

    I agree with you, and I generally can't stand even reading his articles... but he's probably got a pretty safe prediction with this one. It seems that those who say "It'll probably be hacked" are seldom disproven.
  • by rs232 ( 849320 ) on Thursday October 19, 2006 @01:32PM (#16504139)
    Why don't they make Vista out of the same stuff that WGA is made of, that way you wouldn't have any security issues.
  • by MobyDisk ( 75490 ) on Thursday October 19, 2006 @01:33PM (#16504145) Homepage
    Server certificates are the basis for SSL, SSH, HTTPS, etc. AFAIK, nobody can make a fake policeman without faking Microsoft's certificate. I don't think Dvorak's scenario is reasonable.
  • by dsanfte ( 443781 ) on Thursday October 19, 2006 @01:34PM (#16504163) Journal
    That's not the point. The point is that Microsoft has designed their OS with a single point of failure, and to top it all off, if anyone were to exploit that point of failure, the deafening ring of poetic justice would be heard the world over.

    WGA is a key to every Windows box on the planet and a giant club with which to beat Microsoft over the head if it's ever hacked, and you can bet that's not going to go unnoticed by those with the capability to pull this off. It would be the hack of the freaking century.
  • Re:Sadly (Score:4, Insightful)

    by nuckin futs ( 574289 ) on Thursday October 19, 2006 @01:36PM (#16504201)
    Every so often he gets something right. If you spray enough bullets on a target, you'll hit it sooner or later. He basically does the same thing, shooting in the dark and hoping to hit the target.
  • Re:Sadly (Score:5, Insightful)

    by Artifakt ( 700173 ) on Thursday October 19, 2006 @01:44PM (#16504319)
    For once, John has gotten it right, even making a more detailed prediction than just "it'll probably be hacked". There are two good reasons (from a black hat perspective) to crack WGA:

    1. Make a bootleg copy look authentic.
    2. Make an authentic copy look bootleg.

    Figuring out how to do one means you have done at least 80-90% of the work to figure out the other. That's essentially twice the normal incentive to crack a Microsoft product. #1 has an obvious financial incentive, but #2 may have one too, if the cracker is willing to consider extortion or similar modes of funding. If the cracker is doing it just to spite MS and/or MS users, the same double whammy applies.
  • by FellowConspirator ( 882908 ) on Thursday October 19, 2006 @01:48PM (#16504389)
    No need to fake the certificate, just tweak WGA to check versus a bogus certificate, or check a bogus credential against the valid certificate. Either event will flag the system as invalid and the functionality will disable appropriately.

    Faking the certificate would only be necessary for falsifying updates and so on. I'm actually surprised you haven't seen more malware through auto-update attacks for Windows, though I suspect those clever enough to do it are perhaps clever enough not to have that detected. It's decidedly trickier than fooling WGA into thinking a machine has an invalid copy of the OS.
  • by Phisbut ( 761268 ) on Thursday October 19, 2006 @02:05PM (#16504667)
    Which brings me to another question. What happens when the WGA cop is triggered? Your machine still functions, right? You just can't get updates or fixes for vulnerabilities....

    If I recall correctly, you have 30 days to authenticate or the WGA cop disables everything except IE. "Everything" probably includes the ability to be a spam-bot, but I'm still not sure.

  • by Old Man Kensey ( 5209 ) on Thursday October 19, 2006 @02:05PM (#16504691) Homepage
    "I do not even want to think of the consequences of Vista turning itself off in enterprise situations such as airline reservations or a hospital full of patients on life support. A serious collapse of the authentication network that could not be fixed without sending out discs or one-by-one-downloads will end up in the courts, and you can be certain that the shrink-wrap license agreement that holds Microsoft blameless will be tossed out as bogus."

    1. Patients on life support? Is this the new "it's for the chilllldren!" in the software industry? Hospitals and life-support systems seem to come up really often when validation scenarios like this are discussed, yet, I have never, EVER heard of a patient dying because Windows crashed. I suspect this might be due to medical equipment manufacturers not quite being dumber than a bag of hammers and therefore not using Windows in life-critical situations.
    2. I bet you anything there is a clause in the EULA that says something like "this software is not to be used in life support equipment, nuclear power plants, or other life-critical systems."
    3. I further bet you that in the unlikely event some cosmically stupid company actually built life-critical systems around Windows Vista and it caused loss of life, that company, not Microsoft, would be held 100% liable for a) not doing due diligence on whether or not their off-the-shelf components were suitable for the intended purpose and b) being dumber than the aforementioned bag of hammers. The EULA wouldn't need to be held enforceable per se, the court would merely need to find that they ought to have read the EULA and from it derived knowledge that Vista should not be used for certain purposes.
  • Re:Sadly (Score:3, Insightful)

    by RKBA ( 622932 ) on Thursday October 19, 2006 @02:12PM (#16504797)
    1. Make a bootleg copy look authentic.
    2. Make an authentic copy look bootleg.
    I think it would be far easier to patch WGA in order to make it FAIL authentication than it would be to make a counterfeit Windows version PASS authentication, because of the cryptography involved (i.e., probably all that would be required to make it fail would be to patch a conditional jump instruction in the executable code, but cracking the cryptography involved to pass authentication would be virtually impossible).
  • by Anonymous Coward on Thursday October 19, 2006 @02:16PM (#16504865)
    I wondered how long it would be before someone either wrote a daemon to handle the task, or even better for some laymen, wrote simple firmware for a cheap home router/firewall that would intercept and handle these requests automatically... when we started seeing l*nksys ports of Linux, I thought for sure someone would take those ports to the next level.
  • Actually no (Score:3, Insightful)

    by tkrotchko ( 124118 ) * on Thursday October 19, 2006 @02:20PM (#16504929) Homepage
    The upgrade market for PCs is very small. Those days were long ago when Windows 3.1 and Windows 95 were the hot OS. There's no incentive to pay $200 for a copy of an OS when $500 gets you a whole new machine with a copy already installed.

    XP installs are almost all OEM copies; Vista will be the same way. The only people it affects are white box PCs (which are rare these days). Every PC that comes from a name vendor already has a license for Windows, which makes me wonder who the target is for these WGA activation patches.
  • Really? (Score:2, Insightful)

    by east coast ( 590680 ) on Thursday October 19, 2006 @02:20PM (#16504931)
    What's even more unreliable and short sighted than WGA?

    Dvorak!

    This man is a looney but the second he says something people want to hear they chant his name like he's the new Moses leading you guys out of Egypt? Come on now. Get real.

    Any other time 90% of the comments are "Dvo-crack is teh r3tard" but now everyone's all "Maybe this will mean Linux will meet the masses". I've been hearing this for years. Every week or so a new "Microsoft killer" is announced here... I'm sorry, but every time one of these comes up we keep hearing that it's the straw that's going to break the camel's back, but I'm still just not seeing it.
  • by businessnerd ( 1009815 ) on Thursday October 19, 2006 @02:23PM (#16504993)
    I think the main problem is not that Microsoft (or anyone) wants to prevent/stop piracy. They have every right to. The problem is how they go about doing this. Basically, they are shooting themselves in the feet and are assuming their customers are guilty until proven innocent (see any parallels here to the RI/MPAA?). The way you deal with piracy is to address the demand for piracy. People are always going to pirate/counterfeit almost everything that's not already free (beer and speech). Look at the market for counterfeit merchandise. So what drives more people to use pirated software or buy counterfeit goods? Price is a good starting place. Windows is DAMN expensive, and for those who don't see Mac or Linux as an option (pussies) it's essential. So you get a cracked version. Just like the fashion obsessed MUST have a Louis Vuitton or Prada handbag, but can't afford it, so they buy the knock-off and hope no one notices. Second, you can go after the criminals without inconveniencing your customers. All you have to do is search for the distributors and shut them down/prosecute. There is no need for Microsoft to stay one step ahead of the hacker's latest exploit; all they have to do (or the police have to do) is stay one step ahead of the latest distribution methods. You find a site hosting cracked copies of XP, you have the ISP shut it down, you track who put it up, you prosecute. But like I said earlier, you have to address the demand as well. Microsoft really needs to lower the price. After all, they've already told you that you NEED Windows and that there is no substitute. If XP only cost $50, more people would buy it legitimately because they can afford it, less reason for them to knowingly break the law to get it.

    Now since I mentioned it, let's look at the digital music industry parallel. Given that I'm a cheap bastard and don't want to pay for my music downloads, I'm not ready to stop downloading pirated music (Although I do buy CD's still). Others (lots of Slashdotters) however, object morally to the DRM that infests all of the legit music downloads. They don't have the freedom to do what you want with the music like you do with CD's and mp3's. Hackers are still cracking the DRM and will continue to do so no matter how much DRM you put in. Solution, don't give people a reason to pirate it. Sell mp3's, no AAC or WMA. The people will explore ways of using/sharing/whatever the music that no one ever thought of and further advance the way we handle media.

    Jerry's Final Word: Stop treating the consumers like two cent whores out to make a quick buck and screw you over! Most of us don't want to break the law, but if you push us beyond reasonable means, you better be ready to accept the consequences.
  • Re:Sadly (Score:5, Insightful)

    by IAmTheDave ( 746256 ) on Thursday October 19, 2006 @02:24PM (#16505017) Homepage Journal
    Anti-piracy measures only annoy legitimate customers and thwart 14 year old morons

    • DRM measures only annoy legitimate customers and confuse the masses
    • REAL ID measures only annoy law-abiding citizens and do nothing to stop terrorists
    • New passport requirements only put law-abiding citizens at risk and do nothing to stop terrorists
    • Anti-gun laws only annoy legitimate customers and don't stop criminals and murderers

    I could list about 20 more, but I'm tired of this. Almost any measure or law that reduces the rights/privacy of normal citizens does nothing to thwart (for more than a day or two) those who would pirate, steal, kill, etc. Yet we march on to the same tune, never ever learning from the lessons of the past.

    So who's really surprised by WGA? Guess I'll have to head on over to astalavista.box.sk to download a copy of the WGA crack, just in case MS one day decides my copy of Vista is no longer legitimate.

  • Re:Validating (Score:1, Insightful)

    by Anonymous Coward on Thursday October 19, 2006 @02:26PM (#16505057)
    That's exactly it. Simply hook in and mess with whatever process Windows uses to send the authentication message. The message will be different than what it should be, so whatever Microsoft's WGA server sends back won't match the box. Instant disabling. We already know it's possible to hook into Windows DLLs in a way that is transparent to software running on the box (see the Sony root-kit, and various copy-protection methods used on games), so it's just a matter of time until someone creates a hook that disrupts the WGA process, and distributes that hook with a worm.

    The work-around for Microsoft is to have a particular response that means 'Authentic' no matter what. They can tell their server to send that for a few weeks, and everybody gets their patches and the problem is fixed. (Until the next hacker hooks in.) The problem with the fixed, 'Authentic' response is that once someone discovers it, they can redirect their WGA traffic to a server somewhere that sends that response no matter what. They may not be able to get their updates without manually downloading them, but that's not going to stop people for long (if at all).
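The replay weakness this comment describes, as an added example that is not part of the original thread and is not Microsoft's actual WGA protocol: a toy client/server license check in Python, with a naive verifier that accepts a fixed "authentic" token beside a verifier that only accepts a response bound to the client's own fresh nonce. The key, installation id, message format and function names are all assumptions made up for illustration; a real vendor would sign with a private key the client cannot read rather than a shared secret.

```python
"""Toy challenge/response license validation (constructed example, not WGA).

Two verifiers are compared:
  naive_verify  - accepts a fixed "AUTHENTIC" token, so once the token is known
                  any server that echoes it satisfies every client (the weakness
                  the comment describes)
  bound_verify  - accepts only an HMAC tag over the client's fresh nonce and its
                  installation id, so a captured answer is useless for any other
                  challenge and cannot be relayed by a rogue server
"""
import hashlib
import hmac
import os

# Hypothetical shared key; a real design would give the client only a public key.
SERVER_KEY = b"example-vendor-key"  # constructed value, not a real secret

# The fixed "means authentic no matter what" response from the comment.
STATIC_OK = b"AUTHENTIC"


def naive_verify(response: bytes) -> bool:
    """Accepts the fixed token regardless of who sent it or when."""
    return hmac.compare_digest(response, STATIC_OK)


def client_challenge() -> bytes:
    """Fresh random nonce generated by the client for each validation."""
    return os.urandom(16)


def server_respond(key: bytes, install_id: bytes, nonce: bytes, genuine: bool) -> bytes:
    """Server binds its verdict to this client's nonce and installation id."""
    verdict = b"genuine" if genuine else b"not-genuine"
    msg = b"|".join([install_id, nonce, verdict])
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return verdict + b"." + tag


def bound_verify(key: bytes, install_id: bytes, nonce: bytes, response: bytes) -> bool:
    """Client recomputes the tag over *its own* nonce; replays and forgeries fail."""
    try:
        verdict, tag = response.split(b".", 1)
    except ValueError:
        return False
    if verdict != b"genuine":
        return False
    expected = hmac.new(key, b"|".join([install_id, nonce, verdict]), hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def rogue_relay(captured: bytes) -> bytes:
    """A 'server somewhere' that answers every request with one captured response."""
    return captured


def demo():
    """Returns (naive_replay_accepted, fresh_ok, bound_replay_accepted, forged_accepted)."""
    install = b"install-0001"  # constructed installation id

    # 1. Naive scheme: once the fixed token leaks, a rogue relay satisfies every client.
    naive_replay_accepted = naive_verify(rogue_relay(STATIC_OK))

    # 2. Bound scheme: a genuine exchange against a fresh nonce is accepted.
    n1 = client_challenge()
    r1 = server_respond(SERVER_KEY, install, n1, genuine=True)
    fresh_ok = bound_verify(SERVER_KEY, install, n1, r1)

    # 3. Bound scheme: the same r1 relayed for a new challenge is rejected.
    n2 = client_challenge()
    bound_replay_accepted = bound_verify(SERVER_KEY, install, n2, rogue_relay(r1))

    # 4. A "genuine" verdict with a made-up tag is rejected.
    forged = b"genuine." + b"\x00" * 32
    forged_accepted = bound_verify(SERVER_KEY, install, n2, forged)

    return naive_replay_accepted, fresh_ok, bound_replay_accepted, forged_accepted


if __name__ == "__main__":
    print(demo())
```

Binding the answer to a per-request nonce is what stops the "redirect WGA traffic to a server that always says yes" trick; it does nothing against the other attack in this thread, patching the verifier on the client so it ignores the answer, and with a shared HMAC key anyone who can read the client can also forge responses, which is why a signature with a private key held only by the vendor is the usual choice.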
  • by araemo ( 603185 ) on Thursday October 19, 2006 @02:29PM (#16505143)
    Two big problems with his proposed scenario:

    #1: After vista 'detects' that your version is not legit, it gives you 30 days to fix that before actually shutting down.

    #2: "Once a virus that makes the cop refuse to authenticate Vista hits the Net, then how can the problem be fixed? By definition and the way I see it, this will be an impossibility."

    Well, while a small # of users will already be affected, I see something that prevents Vista from being upgraded by paying customers as one of the few things that could convince MS to patch out-of-cycle. Fix the bug in WGA and release it after a couple days of QA.
  • Re:Sadly (Score:5, Insightful)

    by wtansill ( 576643 ) on Thursday October 19, 2006 @02:35PM (#16505277)
    #1 has an obvious financial incentive, but #2 may have one too, if the cracker is willing to consider extortion or similar modes of funding. If the cracker is doing it just to spite MS and/or MS users, the same double whammy applies.
    Personally I think we should write a thank-you note to Gates and Ballmer on this one. Think about it -- for years people have warned about issues ranging from monopoly abuse to the dangers of a "software monoculture", yet nothing really has changed (even after the DOJ antitrust "win"). Now we have the prospect of MS figuratively slitting its own throat with this foolishness. If Dvorak's fears are realized, this could be just the thing to push the public at large over the edge in terms of consciousness-raising.
  • by zlogic ( 892404 ) on Thursday October 19, 2006 @03:34PM (#16506439)
    Uhm, perhaps they're meaning "You may not hack Vista Home Basic (or whatever the cheapest version is named) into Vista Ultimate by changing a registry key".
  • Re:Sadly (Score:5, Insightful)

    by bzipitidoo ( 647217 ) <bzipitidoo@yahoo.com> on Thursday October 19, 2006 @03:42PM (#16506611) Journal

    Don't say that too loudly, as that comment fits the Slashdot community all too well. People who live in glass houses....

    A lot of people have WGA wrong, and are commenting based on old info. At first, WGA did indeed prevent people from downloading security updates. That is no longer true as of sometime around March this year. MS came to their senses on that one, and now the validation is only needed to get fixes that are not security related. Not allowing security updates until validation made worse the chicken and egg problem in which a system could not download patches over the Internet until it'd been patched to prevent it from being pwned the instant it was hooked up to the Internet. Before WGA spoiled things, I worked around that problem by downloading the patches under Knoppix, or by having a CD full of patches that I'd downloaded and burned in Linux. Now that MS has relented, I can once again use Linux to help support Windows.

    I hope Vista serves to further highlight fundamental problems with security. Ever since 9/11, there's been even more push for more security, a lot of people talking as if security was pure unadulterated goodness and as if there's no such thing as too much security, and a lot of bad security and abuse of security. Witness such things as confiscation of nail clippers and bottles of shampoo by airport security. When security becomes security for MS or the entertainment industry against evil pirates, that's not security for our benefit anymore however much MS tries to spin it so with such things as the "Advantage" part of the WGA name. Where's a Genuine Advantage program for software we write? When security gets perverted to mean "security for MS profits" and most definitely not "security for users against losing what they've paid for", people notice. When file format lock in gets justified with security, as in "preventing unauthorized programs from accessing and corrupting your valuable data" as if OpenOffice was written by a bunch of irresponsible hackers, that can give security a bad name. When "I can't tell you that for security reasons" is used as a cover for "I don't want to bother finding an answer", security is looking bad. A lot of Windows users have already tentatively decided they're going to stick with XP, because, ironically, they don't trust MS's intentions. So much for security increasing trust.

  • by zlogic ( 892404 ) on Thursday October 19, 2006 @03:56PM (#16506935)
    Bugs are not technical limitations. Converting a cheaper version into a more expensive one is. Hacking a non-administrator account into full access is.
    Hell, I think that they may be referring to "don't try to run Vista RC2 after the beta license expires". Or "don't try to install drivers that are known to cause crashes and are forbidden to be installed".
  • by sonixtwo ( 878390 ) on Thursday October 19, 2006 @04:17PM (#16507411) Homepage
    On 10/9 on a This Week in Tech podcast (http://www.twit.tv/72), Dvorak said that Google will never buy YouTube. I haven't listened to it yet, but in this week's podcast, I think he talks about it (http://www.twit.tv/twit73).
  • by mstone ( 8523 ) on Thursday October 19, 2006 @11:45PM (#16512437)
    ---- I bet you anything there is a clause in the EULA that says something like "this software is not to be used in life support equipment, nuclear power plants, or other life-critical systems."

    Even if it is, that doesn't automatically take Wintel machines out of the loop.

    A friend of mine develops industrial control systems, many of which are life-safety critical. The actual devices are controlled by PLCs, which are pretty damned bulletproof, but the control and monitoring software runs on Wintel machines. A Windows crash won't automatically wipe out the ammonia generating facility (where they heat natural gas to something like 5000° at 1500 atmospheres and then react it with superheated steam -- the walls of the control facility are 4' thick), but it will kill your ability to monitor the process, meaning you still have to hit the Big Red Button if you can't get the control interface back online within a reasonable time.

    On a similar line, the Wintel machines in a hospital don't have to be running the life-support systems, they can just be storing all the patient records that doctors need to make diagnoses, set prescriptions, schedule treatments, and so on. A person who dies because the doctors couldn't get the necessary information in a timely manner is just as dead as the person who dies because the Machine That Goes 'Ping' BSOD'd at the wrong time. At an individual level, that doesn't generate much noise, but if someone dies because a major hospital's entire network goes down, the press will be on it like stink on sewage.

    And while I'm sure Microsoft's legal team has already written the company an escape clause for just such situations (hell, they barely guarantee that there's a working CD inside the box), that won't stop someone who's just lost lots of money and face from suing anyway. At worst, they'll end up just as badly screwed as they were going in, and there's always a chance they might be able to win something. Besides, the court victory for Microsoft would be hollow, compared to the cost of the PR disaster and subsequent log-rolling to keep or win future contracts for large Vista installations.

  • Re:Sadly (Score:3, Insightful)

    by Artifakt ( 700173 ) on Friday October 20, 2006 @12:54AM (#16512819)
    1. You may well be right, in which case change my 80% estimate of the work involved to something lower as you see fit, but only one way. My point still stands the other way - the more it is hard to crack WGA for the purposes of making a counterfeit pass, the more it is positively trivial to go ahead and figure out how to make legitimate copies fail while you're at it.
    2. If it really is that "virtually impossible" to make counterfeits pass, someone who fails at it may well decide to use what they have learned trying to do the reverse attack in compensation. If their motive is either money or spite, they can still succeed with the easier attack.
    3. People sometimes get beaten after flashing loads of cash in cheap dives. People also sometimes get beaten after making disparaging comments about other people's mothers. So... What's it do to the overall chance of a beating if you enter the cheap dive and loudly announce you are carrying enough cash to buy everyone on the block's mother? Microsoft is giving lots of black hat types with lots of different motives an incentive to target this particular code, agreed?
