Yesterday we posted about a bypass that was discovered to defeat the Windows Genuine Advantage check and asked Microsoft to respond to these findings.
Below is an email response I received from Jed Rose, an expert community leader at Microsoft.
View: Yesterday's article: Bypass found for Windows piracy check
As software pirates have become increasingly sophisticated, Microsoft has sought to keep a step ahead of them by introducing more advanced solutions, such as WGA. With WGA, Microsoft seeks to balance the needs of easily providing its customers the updates they need while differentiating the value of genuine Windows software from counterfeit software. We expected that counterfeiters would try a number of methods to circumvent the safeguards provided by WGA, so this isn’t a surprise. But to be clear this attempt represents very little threat to Microsoft or its customers because the code generated by the validation tool expires quickly, so it would be very difficult to share.
It is important to note that this issue is not a security vulnerability or a hack that puts customers at any risk, nor is it a vulnerability in the ActiveX control WGA uses to determine if a customer is running genuine Windows. This is simply an issue of users taking a validation code from a genuine copy of Windows and using it on a non-genuine copy of Windows. The threat is similar to that posed by the illegal distribution of software burned to CDs.
Of course a counterfeiter could use this method to steal software for themselves, but because the code expires quickly, it would be useless to share the code with any other users.
Q: Who would benefit from this practice?
A: This method of counterfeiting is only an option for relatively sophisticated users who are running both a genuine version of Windows (from which they would take the code) and a non-genuine version (to which they would apply it). This method only applies to the Download Center, where customers would need to know exactly what to look for, and not Windows Update or the Automatic Updates feature that most customers use.
Q: How does the code expire?
A: Microsoft “hashes” the PID returned from the validation tool (genuinecheck.exe) with a Microsoft.com timeserver time code that is checked by the page logic on the Download Center, which means the code is only valid for a short period of time.
Q: Does Microsoft have plans to change or improve WGA validation to address this vulnerability?
A: With WGA, Microsoft seeks to balance the need to make downloads easily available for customers, while trying to safeguard our IP from counterfeiters. In striking this balance, Microsoft will defer to the needs of its customers to validate their computers as easily as possible so that they can receive the updates they need to stay secure. Furthermore, because the code generated by the validation tool expires so quickly, we don’t perceive this as an issue significant enough to outweigh our customers’ needs for hassle-free downloads.
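
The expiry scheme described in the Q&A above, modelled as an added example (not Microsoft's code or its actual algorithm): HMAC-SHA256, the key, the 5-minute window, the placeholder PID and the single-use `redeemed` set are all assumptions. It shows that the time code bounds how long a code verifies, that nothing in the check ties the code to the machine submitting it, and that recording redeemed codes limits each one to a single use.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known to tool and site
WINDOW_SECONDS = 300                  # assumption: "short period" modelled as 5 minutes


def time_code(now):
    """Coarse server time: every instant in the same window maps to one value."""
    return int(now) // WINDOW_SECONDS


def make_code(pid, now):
    """Validation code = keyed hash over the PID and the current time code."""
    msg = f"{pid}|{time_code(now)}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def check_code(pid, code, now, redeemed=None):
    """Page-side check. Returns 'ok', 'already-used' or 'expired-or-invalid'.

    Accepts the current and the previous window so a code issued just before
    a window boundary still verifies. Note what is NOT an input: nothing here
    identifies the machine that submits the code.
    """
    for t in (now, now - WINDOW_SECONDS):
        if hmac.compare_digest(make_code(pid, t), code):
            if redeemed is not None:
                if code in redeemed:
                    return "already-used"
                redeemed.add(code)
            return "ok"
    return "expired-or-invalid"


if __name__ == "__main__":
    pid = "00000-000-0000000-00000"   # constructed placeholder PID
    t0 = 1_000_000                    # constructed issue time (seconds)
    code = make_code(pid, t0)
    print(check_code(pid, code, t0 + 60))    # fresh: ok
    print(check_code(pid, code, t0 + 60))    # resubmitted in the window: ok again
    print(check_code(pid, code, t0 + 900))   # window passed: expired-or-invalid
    used = set()
    print(check_code(pid, code, t0 + 60, used))  # ok
    print(check_code(pid, code, t0 + 60, used))  # already-used
```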

I have yet to see a person that steals validation codes to get around WGA. Besides, most of Microsoft's downloads allow you to bypass the validation process (but point out a download to me if this isn't the case).
http://www.microsoft.com/windowsxp/using/digitalphotography/photostory/default.mspx
Both of these are true. Unless the downloads come with encryption that renders them usable on systems that pass the WGA check, this entire scheme won't work.
Exactly, m$ should open their eyes. If it is made by human, human can break the code, it's that simple.
Cryptography (properly implemented), and specifically public-key crypto, doesn't need to be broken; it's simply jumped around, making cryptography (properly implemented) and specifically public-key crypto worthless.
The timestamps are valid for at least several minutes--with such a large userbase m$ is always boasting about, it would be easy to cook up such a site. In fact, I considered it, for a while: My Rant, but I ended up having better things to do.
WGA is just one more way to annoy the users. I vote set up a bugmenot-like site that enables keycode swapping. Microsoft even provides a no-nonsense tool to generate the keys.
-l0
Every Microsoft download, prior to the WGA, lists the filename of the file as well as the file size (and if I'm not mistaken, the MD5 hash).
All you need to do is take that filename and search for it over at www.filemirrors.com and a link will appear for direct downloading from Microsoft. No WGA needed.
I mean if you use a VLK version of XP Pro, to which there's a million+1 keygens for that even let you select your PID, WGA thinks that your copy is legit. Most pirated versions of XP are the VLK editions because they don't need to be activated, so all Microsoft is really doing here is making it slightly more inconvenient for legit users. I mean if someone wanted to bypass the WGA protection, it's a hell of a lot easier to just install a VLK than it is to find a legit copy of XP and copy over some file....
That is...or so I've been told >_>