Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Windows Operating Systems Software Businesses Security

Vista Activation Cracked by Brute Force 470

Bengt writes "The Inquirer has a story about a brute force Vista key activation crack. It's nothing fancy; it's described as a 'glorified guesser.' The danger of this approach is that sooner or later the key cracker will begin activating legitimate keys purchased by other consumers. From the article: 'The code is floating, the method is known, and there is nothing MS can do at this point other than suck it down and prepare for the problems this causes. To make matters worse, Microsoft will have to decide if it is worth it to allow people to take back legit keys that have been hijacked, or tell customers to go away, we have your money already, read your license agreement and get bent, we owe you nothing.'"
This discussion has been archived. No new comments can be posted.

Vista Activation Cracked by Brute Force

Comments Filter:
  • by yagu ( 721525 ) * <yayagu.gmail@com> on Friday March 02, 2007 @10:04AM (#18206662) Journal

    From the article summary:

    To make matters worse, Microsoft will have to decide if it is worth it to allow people to take back legit keys that have been hijacked, or tell customers to go away, we have your money already, read your license agreement and get bent, we owe you nothing.'

    I don't see how this is possible, or credible speculation even for a company a evil as MS is perceived on slashdot. I'm no MS fanboy, but I've had reasonable "service" from MS on issues of keys to activate my machines under some unusual circumstances.

    This may get sticky for MS, but for goodness sake we've got to find better bashing material on MS (and I believe there be plenty) if we want to maintain any street cred. There's no WAY MS won't be giving license keys to legitimate purchasers of XP (especially considering the vast majority are pre-activated shelf-delivered versions).

    (Aside: pure speculation on my part, but one of the most glaring weaknesses of this "claim" may be the notion of brute force, and that that is even a possible approach. Most validation handshakes require a reasonable length of time between attempts to circumvent brute force attacks... if it takes one second between attempts for billions of combinations, you're going to eventually be activating an obsolete OS. Further, after 3 or 4 incorrect attempts, any validation scheme worth its salt will quiesce for some longer inconvenient time... requiring a "cooling off" period before one can make further attempts. This story falls under the heading of "I heard someone say they knew someone whose sister's brother has figured out a Vista activation hack..." Sigh.)

    • by DJCacophony ( 832334 ) <v0dka@myg0tELIOT.com minus poet> on Friday March 02, 2007 @10:07AM (#18206692) Homepage
      Any customer who gets their key "stolen" by this program can just take it back - Vista comes with several activations on the same key. Once the customer uses the key, the previous user of it will eventually be required to re-activate.
      • by catch23 ( 97972 ) on Friday March 02, 2007 @10:36AM (#18207020)
        Unfortunately most of the users of their new operating system will eventually be corporate users. And I'm fairly sure the company is not going to put up with re-activation every few days because a bunch of users in China are stealing their keys. So either the company will ditch the new operating system (bad for microsoft), deal with it (a serious pain for the company), or ask microsoft for a pre-activated key that cannot be reactivated (more trouble for microsoft but saves everyone's butt).
        • by GIL_Dude ( 850471 ) on Friday March 02, 2007 @10:48AM (#18207204) Homepage
          Business users (at least large ones) won't be using Retail media on many machines. Since this is a crack for retail there would be no effect on people using MAK or KMS validations as the majority of corporations would be doing. (Yes, I know that for those few corps that want to use Ultimate on some of their machines this could be an issue because Ultimate requires retail activation). However for VL (Business and Enterprise versions) MAK and KMS would be unaffected.
      • Re: (Score:2, Interesting)

        by ergo98 ( 9391 )

        Once the customer uses the key, the previous user of it will eventually be required to re-activate.

        Once Vista sets the activated flag, does it actually check for revocation of activation at some prescribed interval?
        • by DJCacophony ( 832334 ) <v0dka@myg0tELIOT.com minus poet> on Friday March 02, 2007 @10:50AM (#18207232) Homepage
          Yes, I believe it is every six months, as that is the interval by which Windows Vista retail must be re-activated anyways.
          • Re: (Score:3, Insightful)

            Can you imagine the store demanding you go to them or call them and show them your receipt of the products you bought from them? No, I cant imagine that happening ether but this is the way software companies expects you to behave.
        • by cswiger2005 ( 905744 ) <cswiger@mac.com> on Friday March 02, 2007 @10:53AM (#18207276) Homepage

          Once Vista sets the activated flag, does it actually check for revocation of activation at some prescribed interval?

          Why, yes. Rechecking the activation key against an updated list of revoked licenses takes place as part of the periodic updates to "Windows Validation" delivered via Windows Update. In practice under XP, this happens every month to every few months. Depending on your settings and whatever the future might bring, it might well be the case that machines will be checking for updates & possibly re-validating themselves every week.

          • by AlHunt ( 982887 ) on Friday March 02, 2007 @11:38AM (#18207856) Homepage Journal

            Why, yes. Rechecking the activation key against an updated list of revoked licenses takes place as part of the periodic updates to "Windows Validation" delivered via Windows Update.

            I am *so* glad Linux has evolved to the point it is today. I still have an XP partition and probably will for a while, but why MS expects people to keep putting up with this "phone home" behavior is beyond me. XP still handles ACPI better than Linux, but I'm happy to trade off a little convenience for control of my own machine.
            • Re: (Score:3, Interesting)

              by Danga ( 307709 )
              but why MS expects people to keep putting up with this "phone home" behavior is beyond me... but I'm happy to trade off a little convenience for control of my own machine.

              MS phoning home to check if the OS is pirated does not seem like some huge big deal to me. I mean if they have a list of KNOWN pirated keys then it is their right to be able to check for those keys if you want to be able to access the windows update webpage (which is one place I think the validation occurs but I could be wrong). It isn't
            • phoning home (Score:4, Insightful)

              by rucs_hack ( 784150 ) on Friday March 02, 2007 @01:04PM (#18208922)
              And yet some companies have intituted the same thing with no anger from users.

              Valve managed it, and the rather wonderful prevx malware finder program and SETI@home all require constant contact with home, for example.

              The difference is that these systems deliver customer satisfaction because the phone home service is there as part of the service you require or with to participate in. If you decide not to, you can quit and go elsewhere. Most people using windows don't see that they have a choice (yet).

              Microsofts problem is that their system is one of guilt assumption. They have it solely to check up on customers, it delivers no added value aspect to the consumer. That they say it does is part of the problem. It is for microsoft alone, it gives nothing back.

              No-one cares about microsofts needs, that's human nature, we are all selfish unless giving something away brings a valued return. For them to expect that people would *want* to take part with no benefit to themselves is a pretty hefty misconception.

              I find these issues with Vista interesting. I really do have no intention of ever buying it. I tried it with open mind, thinking I might get it if it brought something new I might like, but there was nothing that interested me. I didn't hate it, but saw nothing of use. It's nowhere near as useful as Linux for my needs, and if I feel a need for a commercial OS, well there's OsX.

              OsX does interest me quite a bit. I've seen many presentations at conferences that were done with macs, and they look *so* good.
          • Re: (Score:3, Insightful)

            by PPGMD ( 679725 )
            Rechecking the activation key against an updated list of revoked licenses takes place as part of the periodic updates to "Windows Validation" delivered via Windows Update. In practice under XP, this happens every month to every few months.

            The only time that Windows XP checks to see if the key is valid is if you go through WGA. Nothing forces you to go through WGA, you can still apply the patches manually.

            I still don't understand why people get upset with a company periodically checking to see if your i

            • Re: (Score:3, Informative)

              by PitaBred ( 632671 )
              Some necessary things DO require WGA. I just installed a patch to make my work laptop hibernate correctly, because I recently upgraded it to 2GB of RAM. I had to go through the WGA check on their web page to download that patch. It's ONLY "security" related patches that are sent out regardless of WGA status.
    • Re: (Score:3, Informative)

      by Anonymous Coward
      It seems that this technique doesn't test against the microsoft server, but can tell if a key is valid on the local computer, which would actually be news.
      • it is useless (Score:5, Informative)

        by WARM3CH ( 662028 ) on Friday March 02, 2007 @10:41AM (#18207094)

        It seems that this technique doesn't test against the microsoft server, but can tell if a key is valid on the local computer, which would actually be news.
        This is not really that important if a key is validated in a local computer or not. Any key needs to be finally validated by the servers: Out of all possible valid keys that pass the validation on a local computer, only very very tiny number of them are actually keys that have been (or will be) issued by Microsoft. Think of it like this: with 25 symbols for the keys you have a huge huge search space A. Now, this program finds the keys that are valid according to the magic formula that Vista validation system uses. All these keys form a very very tiny subset of A, called B. However, the set of keys that Microsoft has already issued (or will ever issue), set C, is only very very tiny subset of B. This program finds random keys in the B but to actually validate Vista with them, user has to contact Microsoft's servers to see if the key are part of the C or not. This is where the whole things breaks down next to being totally useless. (this is the same story with the CD-Keys of the mutli-player games...)
    • by notaprguy ( 906128 ) * on Friday March 02, 2007 @10:18AM (#18206826) Journal
      The commentator on the Inquirer Web site is obviously a total boob (trying to use a British-sounding insult). He's cheering theft which in its own right is sleazy. Worse, he seems to be happy that the legitimate and paying Windows Vista customers are going to be at best confused and worst case screwed because some idiot stole their key. I totally don't understand the bizarre perception that software thievs are somehow Robin-hood-like characters. They're the 21st century equivalent of pick-pockets.
      • by mwvdlee ( 775178 ) on Friday March 02, 2007 @10:26AM (#18206912) Homepage
        I can understand the happiness a little.

        If this truely starts to be a problem with legitimate users being bothered by having their keys taken, MS will have to loosen up activation. That would be a benefit to all legitimate users.
      • Re: (Score:3, Insightful)

        by rednuhter ( 516649 )
        No, he hopes that by showing the weakness of the activation system that we will no longer be cursed by having to use it.
        He hopes that by affecting existing/legit users that the issue will be brought to task sooner rather than later.
      • by cyclop ( 780354 )
        There is no one like a software thief. There may be someone that shares software with his neighbours, by copying it, but it is not what I'd call strictly "theft". More "disregarding copyright limits".
        • Re: (Score:3, Interesting)

          by des09 ( 263929 )
          Normally, I'd agree without comment, but this case does resemble theft more than most piracy in that the "victim" loses the ability to use the software they [purchased|licensed].
          • by cyclop ( 780354 )

            Right, in this particular case it's much like theft. However it's MS that actively sets up a mechanism such as to make it theft, not the nature of software copying itself.

            Indeed who is copying Vista by using keys that are then inactivated are directly harming an innocent user just like them, so I agree in this case is an ethically disputable behaviour. But it's MS that built this kind of moral blackmail (with concrete and arguably sensible motivations, I agree).

      • by Lord Ender ( 156273 ) on Friday March 02, 2007 @10:59AM (#18207348) Homepage
        Copyright infringement is not theft. It is immoral of you to deliberately misrepresent the issue by using loaded terminology.

        Using Microsoft's services, such as Windows Update, could be considered theft. But that is theft from Microsoft, not from consumers.
      • by CmdrGravy ( 645153 ) on Friday March 02, 2007 @11:01AM (#18207378) Homepage
        I'm not sure boob is really typically British insult, I have a German friend with the same trouble who believes that the word ignoramus is in common enough use to pass himself off as a native although he is sadly mistaken in this.

        For future reference you could try using words like:

        Fuckwit, wanker, bastard, fuckhead, tosser, cunt, spanner, moron, dickhead or even shit for brains.

        For example:

        "The commentator on the Inquirer Web site is obviously a total fucking wanker. The fuckwit is cheering theft which is in its own right sleazy. Worse, the cretin seems to be happy that the legitimate and paying Windows Vista customers are going to be at best confused and worst case screwed because some idiot stole their key. What a fucking cock !"

        I must admit I probably have the same problem in my belief that most Scottish people curse each other by calling them sassenachs.
      • >a total boob

        If you`re wanting to sound british call him a `tit` - although a boob is a breast it`s not really
        an insult. You could of said he `made a boob` if he F`cked something up...

    • Re: (Score:2, Interesting)

      by leuk_he ( 194174 )
      I bet...

      This is not a brute force hacker, but just a database of some key with a fancy interface on top that pretends to be calculation just just updates a progress bar. The database will release some key after some hours of "calculation". Users notice that the (enterprise?) key is accepted and tell it works. MS will notice some volume keys are used too often wan will block them at the next wga update (and the next service pack)

      Since MS cannot simply extract the leaked keys form the database they have a har
    • by twitter ( 104583 ) on Friday March 02, 2007 @10:34AM (#18206992) Homepage Journal

      I don't see how this is possible, or credible speculation even for a company a evil as MS...

      Sorry, that's their EULA. You have two choices when you purchase anything M$, return the package unopened for a full refund or use it. They do not and can not promise it will work and they are not responsible for the actions of others. They regard anything they do beyond the EULA a favor for which you should be grateful, just like they regard anything their software ever does for you. They think you should be so grateful that you do as they say. This is the nature of non free software. Your master may take care of you or they may not and those are the conditions you must agree to if you want to use non free software.

      They don't trust you. They made the registration key in the first place to restrict the number of computers you can use before you pay them more. When you call and claim your key does not work, they can't tell the difference between you and someone who's shared their key. Once again, this is the nature of non free software.

      • Not in the UK (Score:5, Informative)

        by Toby_Tyke ( 797359 ) on Friday March 02, 2007 @11:20AM (#18207618) Journal
        Sorry, that's their EULA. You have two choices when you purchase anything M$, return the package unopened for a full refund or use it.

        That may be the case in the US, but in the UK things work slightly differently. If I buy a copy of Vista from a store and it is faulty, for what ever reason, I can return it to the store for a full refund or a replacement. The legalese is "fit for purpose" and "of merchantable quality". Clearly, a copy of vista with an invalid licence key is not fit for purpose.

        Incidentally, most of the big shrinkwrap software stores in the UK try to get out of doing this if they can. Just be persistent.
      • Re: (Score:3, Interesting)

        by Like2Byte ( 542992 )

        You have two choices when you purchase anything M$, return the package unopened for a full refund or use it.

        A while ago I purchased a new computer that I pieced together from OTS parts in a FRY's store in Indy, IN. Well, after their PC people informed me that certain parts would work with other certain parts, after I took it home and assembled it, it didn't work. They gave me wrong memory, wrong power supply, etc... It was a huge screwup. I accept responsibilty for not doing my own homework on the specific

      • Re: (Score:3, Insightful)

        They regard anything they do beyond the EULA a favor for which you should be grateful, just like they regard anything their software ever does for you. They think you should be so grateful that you do as they say.

        Don't you even feel a little silly about mis-characterizing the attitude of MS employees that way? Even non-evil software companies strive for some limit on their liability and responsibility, because it's just really hard to get complex software to always work. If you were subject to constant

      • by julesh ( 229690 ) on Friday March 02, 2007 @12:15PM (#18208256)
        Sorry, that's their EULA. You have two choices when you purchase anything M$, return the package unopened for a full refund or use it. They do not and can not promise it will work and they are not responsible for the actions of others.

        There's this little thing called an implied warranty of fitness for a particular purpose. When you buy something -- anything -- unless it has large letters on the outside of the box saying that it doesn't work, it comes with one. It states that, basically, if you use the product for the purpose for which it is marketed (i.e., with software, try to run it on a computer), it will perform that purpose to at least a basic level.

        It is not legally possible for MS's EULA to disclaim this warranty, it's a basic right that you get when you buy something.

        When you buy something that doesn't meet this warranty, you're entitled to a full refund. Whether you've opened the package or not.
      • by Sycraft-fu ( 314770 ) on Friday March 02, 2007 @12:41PM (#18208596)
        That they include it means nothing. It is pretty certain that, indeed, an EULA doesn't have legal force and can't make you give up rights you normally have. For example:

        I work for a state institution which means in a way I am a part of the state. One of the requirements of the job is that I can't sign any contracts for the state. Anything that requires a signature has to be sent to legal (and we have a hell of a legal team). Employees can't agree to contracts directly. We have, on occasion, gotten software that comes with a written agreement. It is sent to the lawyers, almost totally rewritten, then sent back to the company (who is usually quite surprised). However we've been told not to worry about EULAs or click through agreements. We are allowed to just click ok and go on about our business.

        Now why do you suppose that is? Well it is because the legal team believes that they have no legal force, and thus there's no problem. I'm going to guess they are right, they have to be very careful about protecting the state against things like that.

        So MS can say in their EULA "We reserve the right to take this software away from you at any time," but that doesn't mean a judge will agree. You can still drag them to small claims court (it's quite cheap to file) and argue your case. If a judge agrees with you, they give you your money back.
    • by Zontar_Thing_From_Ve ( 949321 ) on Friday March 02, 2007 @10:34AM (#18207002)
      I don't see how this is possible, or credible speculation even for a company a evil as MS is perceived on slashdot. I'm no MS fanboy, but I've had reasonable "service" from MS on issues of keys to activate my machines under some unusual circumstances.

      This may get sticky for MS, but for goodness sake we've got to find better bashing material on MS (and I believe there be plenty) if we want to maintain any street cred. There's no WAY MS won't be giving license keys to legitimate purchasers of XP (especially considering the vast majority are pre-activated shelf-delivered versions).


      I think you're probably right. However, all companies in similar situations don't act this way. A few years ago I bought a Russian-English translation program for my PC. I got the best one on the market. I didn't use it a lot, but it was useful to me for quick translations from Russian to English for email. At the time I didn't know Russian as well as I do now and while I could do translations by hand, it took a very long time. It was certainly worth the money to have a computer program do it for me in a few seconds and then I could double check the weird parts and re-translate those myself. It turned what might be a 2 hour translation job at the time into a 10 minute job at worse. A year or so later I had a catastrophic Windows failure and had to do a destructive reinstall. Although I had a valid license key for the translation program, it wouldn't work after the reinstall. The vendor told me their keys are valid for one use only and although I explained that I had bought the product (and they knew I had) and had to do a reinstall of Windows, I got basically "Too bad. So sad. Here's a 10% discount off our lowest price." in response, which still meant I had to buy the product at pretty close to it's normal value. I sucked it up and did that and installed my new key. However, I was very angry because I realized that to the software vendor if I needed a new key I was probably a thief and if I wanted another key, I was going to have to pay for it. After another year or so, guess what? Yep, I had to do another destructive reinstall of Windows. I decided not to rebuy the software. The babelfish translator, which is free, is not as good, but my Russian had improved a lot and I had less real use for a computer translation program. For as little as I needed to use one, babelfish was good enough. However, the vendor of the translation program has lost me forever as a customer because they weren't willing to give me the benefit of the doubt about my problem and my choice was either to buy a new key or live without the program. Their attitude was "If you need a new key, you're a thief". Since then a guy on a forum told me the magic needed to make old keys work on a reinstall, but I've never bothered with it.
    • by ednopantz ( 467288 ) on Friday March 02, 2007 @10:40AM (#18207078)
      The slashbots are excited because this, *this* will be the thing that makes people go to desktop Linux.

      Nobody will upgrade to XP--er.... Nobody will upgrade to Vista because of activation.

      Yes! 199-, er...
      2003, er....

      2007 WILL BE THE YEAR FOR DESKTOP LINUX!!!
    • They don't know who the legitimate customers are. If they just hand out keys to everyone and anyone, what was the point of the system in the first place?
  • Easy Fix (Score:2, Insightful)

    by DJCacophony ( 832334 )
    All Microsoft has to do is block the IP address that is requesting thousands of activations on separate, invalid keys per second.
    • Re:Easy Fix (Score:5, Insightful)

      by tomstdenis ( 446163 ) <tomstdenis.gmail@com> on Friday March 02, 2007 @10:06AM (#18206680) Homepage
      Lots of botnets run on windows ... I wonder if they could be commanded to scan for license keys.

      Tom
      • Re:Easy Fix (Score:5, Insightful)

        by NSIM ( 953498 ) on Friday March 02, 2007 @11:08AM (#18207478)

        Lots of botnets run on windows ... I wonder if they could be commanded to scan for license keys.
        That's actually a pretty scary thought, it's not hard to determine the install key used from an application running on the OS (there are several utilities out there today.) A botnet could e designed to get the install key and send it back to someone who could maintain a database of valid keys. This probably true for just about any application or OS that uses an install key, to be honest I'm surprised somebody hasn't already done this to XP or Office.
      • Re:Easy Fix (Score:4, Funny)

        by dintech ( 998802 ) on Friday March 02, 2007 @11:51AM (#18207972)
        Nice, you invented the concept of thievery@home. I imagine a print out of lots of vista keys with "wow!" written at the side of one...
    • Re:Easy Fix (Score:4, Informative)

      by Brian Gordon ( 987471 ) on Friday March 02, 2007 @10:07AM (#18206698)
      I think the program actually tries the keys on its own algorithm, and when it finds a valid one it tells you to submit it to microsoft.
      • Re: (Score:3, Informative)

        You're right. You have to monitor your Vista key to see if it's changed, using the Jellybean Keyfinder. When you spot it's changed you have to manually attempt an activation. If it fails then you leave it running longer until the key changes again, then retry activation. Repeat until activation succeeds.
    • Re:Easy Fix (Score:5, Informative)

      by Odiumjunkie ( 926074 ) on Friday March 02, 2007 @10:15AM (#18206780) Journal
      > All Microsoft has to do is block the IP address that is requesting thousands of activations on > separate, invalid keys per second. RTFA. That's nothing like how this works. The actual activation part is totally manual, only the key generation is automated. You can generate keys without any kind of network connectivity.
  • by nizo ( 81281 ) * on Friday March 02, 2007 @10:07AM (#18206694) Homepage Journal
    I can see it now: thousands of computers worldwide activating keys, just to make life miserable for Microsoft and users. It could be called the "annoy Microsoft Windows Users at home" project.
    • by Anonymous Coward

      It could be called the "annoy Microsoft Windows Users at home" project.
      AMWUAH project has been renamed "Vista" for consumers' sakes.
    • "I can see it now: thousands of computers worldwide activating keys, just to make life miserable for Microsoft and users. It could be called the "annoy Microsoft Windows Users at home" project."

      Yes, but does it run under linux :-)

    • that kills it's host. Botnet owners would never do anything that stupid.

    • I even had mod points, but you were already at +5 Funny (deservedly). I wonder which one, Seti@Home or this WindowsKeyGen@Home, will accumulate more CPU time overall next year...?

      I also wonder if vendors are going to simply give up on using 20 or 25-character long activation codes, if they can be brute-forced in a reasonable period of time? Will they be switching to keyfile activation using hardware profile info (NIC ethernet MACs, motherboard/BIOS serial #, hard drive serial #, etc)? That seems to be ha
    • The keys are nominally 25 digits long. It can try 10,000 keys every 30 minutes. Even if there is some checksum redundancy in the key itself 25 digits, especially if they include alpha characters, is a huge key space. I would have guessed that only a teeny tiny fraction of the key space was allowed but apparently not!

      But I don't see any danger that a cracked key and a legit key would collide in that large a key space. The birthday attack (see wikipedia) tells you the probability of a collision is equ

      • by goombah99 ( 560566 ) on Friday March 02, 2007 @11:16AM (#18207580)
        One poster on the crack forum wrote "5 hours and i got 3 legit keys." at 20K/hour that's only 100,000 tries or 33,000 per key. So apparently despite having a 25 digit key space, Microsoft's algorithmic validity check allows 1 in every 33,000 keys. What where they thinking?

        As I pointed out in the post above the chance of a randomly generated working activation- key colliding with a legitimate keys is probably worse odds than 1 in a trillion. So this will probably never ever happen by chance.

        However, chance might not play a role here. Given this colossal stupidity one also assumes they did something dumb like make the decoded keys have some sort of sequential pattern too, so given enough keys one might be able to figure out how to actually generate keys directly. In that case MS will have a problem with the key-collisions with legitimate keys because people could deliberately generate those.

        Why would deliberately generating legitimate keys be a good idea for a cracker? Well, if you do generate a random activation key, it will activate the product but Microsoft will also be able to determine that it's one that it did not issue. So the moment vista phones home or you try to do a system update, or install any piece of software from MS that can check the key (e.g. office), microsoft is gonna shut your genuine ass down. On the other hand if you were to generate a key that coincided with a legitimate key, then MS won't know you filtched it. So there's an incentive to see if MS also made the patterns predictable.

        You could of course try to live off line. but that level of piracy is not a threat to MS.

        All that said my guess is that this is not possible. If I were creating these keys what I woul dhave done would be to use public key encryption. I'd take the integers 1 to 1 billion, and encrypt them with my private. The the Vista copy caries the public decode key. To validate the vista installer decrypts the user supplied key. If it's a number between 1 and billion, you've been validated. MS can now issue up to 1 billion copies of the software with distinct keys.

  • relax (Score:5, Funny)

    by ohzero ( 525786 ) <onemillioninchange AT yahoo DOT com> on Friday March 02, 2007 @10:07AM (#18206696) Homepage Journal
    I guarantee you MSFT will release a patch to reorder license keys or figure out some other solution. If you were the largest software company in the world, and you had a product that was being touted as "more expensive than switching an entire IT department to OSX:, wouldn't you?
  • Registration of new users is temporary disabled! Try again later.
  • by gEvil (beta) ( 945888 ) on Friday March 02, 2007 @10:11AM (#18206738)
    To make matters worse, Microsoft will have to decide if it is worth it to allow people to take back legit keys that have been hijacked, or tell customers to go away, we have your money already, read your license agreement and get bent, we owe you nothing.'

    Hmmm, I wonder which way Microsoft will go on this one...
  • by jejones ( 115979 ) on Friday March 02, 2007 @10:11AM (#18206742) Journal
    Just as I read this article, pandora.com started playing the title cut from David Wilcox's Vista album:

    "...and the wide open vista..."
  • Is this a HOAX? (Score:3, Interesting)

    by Zo0ok ( 209803 ) on Friday March 02, 2007 @10:56AM (#18207314) Homepage
    I couldnt find the download. People on Slashdot seems to be unusually confused about how this thing works - even those who claimed to read the article. I didnt find the article/method very confusing, but I dont know enough about Vista to tell if it COULD work or not. Are people confused because someone made something up that can not work? There are other cases where evil people have distributed trojans this way.

    Is this a HOAX?
  • by jvkjvk ( 102057 )
    Is is possible to create a program that simply activates Vista licenses? -- I mean, without having Vista at all. Just connects to MS and attempts to activate keys, all day long.

    It would be like a DOS on the licensing mechanisms.
  • Having RTFA... (Score:5, Informative)

    by d3ac0n ( 715594 ) on Friday March 02, 2007 @11:04AM (#18207412)
    AND having gone to the site and read through the ENTIRE thread on their forums;

    What we have here is a random number/letter guesser. It's basically a VB Script that guesses random numbers and letters in a string that is the same length as a Vista Key, then inserts it into the registry, overwriting the existing Vista key. You use Magic Jellybean to check when the key has changed, and then manually check it against MS's activation service. Really this is little more than a person manually sitting down and making key guesses. This is why it's called a "Brute Force" attack. There is no intelligence (ie: an algorithm) behind the key guesses at all.

    That said, because it IS so simple, it's almost impossible for MS to defend against, since they can't just "ban" any keys made by it like they would a traditional algorithmic keygen. Also, there is an improved version of it posted as source on the boards there, so if you want to take a peek at the code you can.

    Here is a link to the forum post in question: http://keznews.com/forum/viewtopic.php?t=2634 [keznews.com]
  • by AceJohnny ( 253840 ) <jlargentaye@gmail. c o m> on Friday March 02, 2007 @11:16AM (#18207584) Journal

    "tell customers to go away, we have your money already, read your license agreement and get bent, we owe you nothing."

    C'mon, let's give'em credit.. their PR isn't as bad as Sony's!
  • by davidwr ( 791652 ) on Friday March 02, 2007 @11:22AM (#18207646) Homepage Journal
    If the problem is "small" just track it and write off the loss.

    If the problem is large:
    Have people caught up in the duplicate-key mess photograph their Windows Vista packaging with the key showing in the photograph and send it in.

    For the related problem of duplicate OEM keys, photograph the machine and mail in the make, model, and serial # of the machine and/or the name of the store you bought the license from. This won't help as much with tracking "manila envelope" licenses as those can be traded willy-nilly before the envelope is opened, but it will help with licenses that are assigned to particular manufacturers.

    Give "ownership" to the person with the most convincing photo or purchase history. For the other claimants, if you are nearly 100% sure they are illegitimate sue them or make them provide personal information to get a "new, legal key, on the house" otherwise write off the loss. Pirates aren't as likely as people who think they are legitimate buyers to give out their name and address. If they balk, make a decision: do you want to risk being wrong and wind up in court and lose and get a PR black eye, or do you want to stand by your guns? If you aren't nearly 100% sure, just write it off.

    In any case, if you don't immediately activate the product, at least activate it for 30 days while you decide what to do.

    Even better - scrap the whole activation thing.

    In the future, software will be delivered electronically and every copy will be uniquely watermarked. Yes, you can watermark compiled computer code by inserting NOPs, replacing operations with equivalent operations, etc. Of course this isn't as simple as it sounds as addresses get moved around, but it's doable.
  • Brute force Crack (Score:3, Informative)

    by gyranthir ( 995837 ) on Friday March 02, 2007 @11:59AM (#18208048)
    There is a brute force algorithm crack for every Microsoft product I have ever seen.

    I saw one at a LAN party that had every copy of windows, every copy of office, and a whole bunch of Microsoft products.

    You would set it and forget it. It would generate a key, test it and then if it was good put it in a log file, if it was bad it would attempt to generate another.

    This kid had a list of probably 1000 WinXp pro keys that had generated just because he was bored.

  • by thewils ( 463314 ) on Friday March 02, 2007 @12:07PM (#18208132) Journal
    or Irony or whatever.

    If you need the equivalent of a Cray to run Vista, then it's going to be very efficient at Brute Forcing the keys.

    I like it.

Put your Nose to the Grindstone! -- Amalgamated Plastic Surgeons and Toolmakers, Ltd.

Working...