Information Security News mailing list archives

Windows key leak threatens mass piracy


From: InfoSec News <isn () c4i org>
Date: Fri, 11 Apr 2003 01:35:06 -0500 (CDT)

Forwarded from: Aj Effin Reznor <aj () reznor com>

http://news.com.com/2100-1009-995879.html

By Joe Wilcox 
Staff Writer, CNET News.com
April 7, 2003
 
A key code for installing Microsoft's Windows Server 2003 has leaked 
onto the Internet, a loss that could lead to widespread piracy of the 
software. 

A Microsoft representative confirmed the leak late Monday and said 
Microsoft was investigating the matter. The leak comes more than two 
weeks before the software's scheduled release on April 24. 

The leaked code appears to be from a Microsoft corporate customer that 
subscribes to one of the company's volume-licensing programs, the 
representative said. Rumors circulating on enthusiast Web sites, such 
as Neowin and WinBeta, identified the leak as a 3-in-1 code, meaning 
that it would work with three different versions of Windows Server 
2003.

The Microsoft representative made clear that the company will scour 
the Internet looking for the leaked code. "Our legal department works 
aggressively on that kind of thing," the representative said. Stolen 
codes are often traded with the software, typically on Web sites, 
newsgroups or Internet Relay Chat (IRC).

The leaked code casts an unexpected shadow over the launch of Windows 
Server 2003. Microsoft is banking on the thrice-delayed operating 
system to increase its penetration into the enterprise market. But the 
stolen code shows the difficulty the company faces in protecting its 
valuable intellectual property and potential sales from thieves.

The use of the code is a two-step process and it is the second one 
that will cause Microsoft the most problems, analysts say. The code is 
first used to install the software and is then used to activate the 
software with Microsoft via the Internet. 

With the release of Office XP in May 2001 and Windows XP about six 
months later, Microsoft added a piracy-fighting tool known as product 
activation. Before then, businesses or consumers needed a key code to 
install Microsoft software, and the process stopped there. Product 
activation took it a step further. The computer would need to contact 
Microsoft over the Internet. The hardware configuration and license 
information would be collected and associated together in an anonymous 
database. 

The process essentially locked the activation code to hardware, in 
theory, preventing the key from being used to install the software 
onto another computer. Microsoft banked on the process for reducing 
widespread piracy of its Windows products. For example, the Redmond, 
Wash.-based company estimates that about half the copies of Office in 
use worldwide are pirated.

But Microsoft's piracy-fighting tool has a potential flaw. For 
convenience, subscribers to Microsoft's volume-licensing program are 
issued keys that do not need activation. This makes it easier for 
businesses to quickly install the same software on many computers at 
the same time, without the laborious process of activation for each 
and every one. Should a code leak onto the Internet, as it has with 
Windows Server 2003, the single code can be used to install an 
unlimited number of copies of the software.

"That's the problem with this technology, you have to keep those keys 
safely guarded," said Michael Cherry, an analyst with market 
researcher Directions on Microsoft. Cherry said the leak could have 
happened any number of ways. "It could even have been a disgruntled 
employee," he speculated. 

Microsoft could not confirm which Windows Server 2003 versions the 
code unlocks.

There is little Microsoft can do to stop the pirated software from 
spreading; the best it can do is contain the damage. Two 
volume-license code keys also leaked out ahead of the release of 
Windows XP, but the company was essentially powerless to respond. 

With the release of Windows XP Service Pack 1, the first collection of 
bug and security fixes for the operating system, Microsoft put a lock 
on software installed with the stolen codes. Service Pack 1 would not 
install on pirated versions, but Microsoft offered no mechanism for 
turning off pirated copies. The company estimates that 90 percent of 
Windows XP piracy can be traced back to those two codes.

A Microsoft representative said there is no Windows Server 2003 
mechanism for disabling software identified as having been installed 
using a stolen code. In theory, such a mechanism might be capable of 
disabling software during a routine update with one of Microsoft's Web 
servers.

Those copies of the software installed using the leaked code "won't be 
able to install future updates or service packs or access Windows 
Update," the representative said.

"They're caught between a rock and a hard place," Cherry said.

Software piracy is not just a Microsoft problem. Washington-based 
Business Software Alliance estimates that 25 percent of software used 
in the United States is pirated. West Virginia, Mississippi and 
Wyoming have the biggest problems, with piracy rates of 47 percent or 
more. Meanwhile, the worldwide piracy rate increased for the second 
year in a row. The software alliance estimates that 40 percent of 
software in use worldwide is pirated. China, Indonesia, Nicaragua, 
Pakistan, Russia, Thailand, Ukraine and Vietnam had piracy rates of 78 
percent or more.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

