An interesting turnabout took place over last weekend when Microsoft Corp. posted on its Product Support Services Web site a detailed knowledge base article that provides step-by-step instructions on how to change volume-licensed product keys for Windows XP.
But the move, which started as a customer service to help users legitimately change keys, could actually serve as a blueprint of sorts for hackers to access XP keys, some said.
Unlike consumer customers, volume-licensed customers receive XP from Microsoft, of Redmond, Wash., with keys that unlock requested applications and validate their installations. But shortly after XP's release last fall, hackers seized on a method of accessing such keys to open their pirated versions of the operating system.
The company moved to stave off those pirates with an update, Service Pack 1, that swapped compromised keys for more secure keys, and validated installations.
Microsoft posted its latest information on changing keys to reflect changes made to Service Pack One. But by releasing the information, the company has opened a window of opportunity for pirates to engage in a process of trial and error to find valid Windows product keys via leaks or key generators. Adding insult to injury, the software giant included sample scripts to automate the process of changing keys.
The practice of restricting the copying of CD keys took on the form of product activation with the release of Windows XP last fall, when the controversial technology first made its debut. Product activation limits the frequency of installations and balks at significant changes to PCs.
Users complained about possible privacy concerns and limited flexibility toward modifying their PCs while Microsoft maintained that it would stand by the practice of enforcing activation to dissuade piracy – after slightly liberalizing its settings. Corporate and other volume license customers dodged the bullet altogether, and were not required to activate given the nightmare scenario of an organization-wide upgrade.
The technique Microsoft provides closely resembles one published by a Windows enthusiast site in early September.
And a source within the company confirmed that a similar article was notated as Microsoft-only in the past, and that it was not to be revealed to everyday customers under any circumstances.
Microsoft spokesperson Allen Nieman said the move to post the steps online was based on cost and efficiency. “Customers who are licensed for Windows XP may have a legit need to change a key so we published the steps in lieu of them having to call us at support,” he said. “It cuts down on support costs and the customer is happy with being able to find the information they need online.”
He also suggested that customers who do unwittingly find themselves with a pirated key – for any reason – contact Microsoft's anti-piracy department.
Although Microsoft has admitted that IP technologies such as activation will eventually be broken, it has continued to push the gauntlet back as far as it possibly can with existing technology. Windows XP Service Pack One performs a virtual background check on a desktop's product key to validate the installation – cross-listing keys with a list of rogue digits. This adds some more weight to enforcing licensing via activation. The information contained within the support article relegates these recent advances taken against piracy to a speed bump.
One Windows enthusiast Website posted a link to the knowledge base stating, “Feel free to peruse the page and a hearty congrats are in order for the prompt pro-active way the boys at M$ got on the bandwagon (of software piracy).”
Initially, the Service Pack created a dilemma for thousands of unauthorized users who wished to upgrade their systems to code that embodied a year of developments in security and bug fixes. Concessions to the Department of Justice that hide Windows components are also included in the release.
Service Pack One also includes an unaccounted number of security enhancements uncovered as the result of the company's trustworthy computing initiative, aimed at making Microsoft products dramatically more secure. It was also intended to thwart pirates. However, it does not fulfill either of those goals entirely.
Some fixes included in the Service Pack have yet to be made public – let alone have a standalone hotfix – making the service pack a true critical update. Microsoft's Jim Cullinan told eWeek that the company prefers to strike a balance with disclosure since many users do not readily apply security updates.
Microsoft claims that undocumented fixes are sometimes the best avenue to secure Windows. Often, hackers use information in security bulletins to construct rogue applications to strike unwitting users.