Robert McLaws: Windows Edition

Blogging about Windows since before Vista became a bad word

Vista Brute Force Crack Steals From Consumers, NOT Microsoft

It seems that people are really desperate NOT to pay for Windows. Someone who was "just testing his VBScripting skills" has posted a routine that attempts to activate a pirated copy of Windows Vista by brute force. That means the script steps through methodically generated keys and attempts to pass each one to Microsoft's activation servers for validation. If a key fails, the generator moves on to the next one, until it finds a valid key. The author says this process can take anywhere from 2 hours to two days. UPDATE: Adrian explains how it works here.

Here's the problem with this, folks. Previous Windows cracks have used leaked corporate activation keys to unlock Windows, which only really hurts Microsoft. This method actively steals a valid Product Key from Microsoft customers, because most keys can only be activated once. Think about that for a second. What if your mom just laid down $150 for Windows Vista Home Premium, only to get it home, install it, and find out that her key has already been activated? Now, Microsoft doesn't get hurt, because the key has been paid for. But now your mom is branded a pirate, and has to go through a giant hassle to get a new legitimate key.

Please, don't be an a$$hole and use this method of activating Vista. It's one thing if your target is Microsoft; it's quite another if your target is an unsuspecting consumer who shelled out their hard-earned money to upgrade their home computing experience. And Microsoft, I hope you can shut this one down, for your customers' sakes.


Comments

  • Bob Jones said:

    More evidence pirates are selfish, whiny, generation x, concerned only with themselves ... we should lock them up for this crime, they'll have plenty of time to think about themselves in the big house.

    March 2, 2007 1:10 PM
  • Brian said:

    Seems like it'd be pretty easy to shut down by identifying multiple invalid requests coming in to the activation servers from the same IP at a quick pace.  I don't think this will work for too long.

    March 2, 2007 1:16 PM
  • Sascha said:

    No offense, but the people who use this brute force key generator will not care a bit about what you just said above. Most probably they won't even be reading this.

    However, Microsoft should easily be able to fix this, since it should surely pop up in their logs if the same IP or computer ID (or whatever unique identifier they generate for activation) tries to activate over and over and over again with different keys. If you simply limit the number of activation attempts you can shut this down. Even somebody's mom should be able to enter the activation key right in 3-10 attempts. If you are still afraid to lock out legitimate users limit the number of activation attempts per day, so that the time it would take to run this hack successfully becomes unreasonably long. These workarounds are low hanging fruits and can easily and quickly be implemented.

    And maybe Microsoft will leave this open just long enough to collect a nice number of log files with the hundreds (thousands? tens of thousands?) of people who were stupid enough to try this and think they wouldn't get caught.

    March 2, 2007 3:00 PM
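The throttling that Brian's and Sascha's comments describe, as an added example (not code from the post, the commenters or Microsoft): a detector that flags a client for a rapid burst of failed activations or for exceeding a daily cap. The log format, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration, not Microsoft's values.
BURST_LIMIT = 5                       # failures tolerated inside BURST_WINDOW
BURST_WINDOW = timedelta(minutes=1)
DAILY_LIMIT = 10                      # upper end of the "3-10 attempts" suggested above


def constructed_log():
    """Constructed sample in a hypothetical 'timestamp client result' format."""
    t0 = datetime(2007, 3, 2, 13, 0, 0)
    # A customer who mistypes the key twice, then succeeds.
    lines = [f"{(t0 + timedelta(minutes=2 * i)).isoformat()} 203.0.113.5 {r}"
             for i, r in enumerate(["FAIL", "FAIL", "OK"])]
    # A client submitting a different key every two seconds.
    lines += [f"{(t0 + timedelta(seconds=2 * i)).isoformat()} 198.51.100.7 FAIL"
              for i in range(40)]
    return sorted(lines)              # ISO timestamps sort chronologically


def evaluate(lines):
    """Return {client: reason} for every client that exceeds a limit."""
    recent = defaultdict(deque)       # client -> failure times inside the window
    per_day = defaultdict(int)        # (client, date) -> failures that day
    blocked = {}
    for line in lines:
        ts_text, client, result = line.split()
        if result != "FAIL" or client in blocked:
            continue
        ts = datetime.fromisoformat(ts_text)
        window = recent[client]
        window.append(ts)
        while ts - window[0] > BURST_WINDOW:
            window.popleft()
        per_day[(client, ts.date())] += 1
        if len(window) > BURST_LIMIT:
            blocked[client] = "burst"
        elif per_day[(client, ts.date())] > DAILY_LIMIT:
            blocked[client] = "daily"
    return blocked


if __name__ == "__main__":
    for client, reason in evaluate(constructed_log()).items():
        print(f"block {client}: {reason} limit exceeded")
```

Keying on IP address alone groups everyone behind a shared NAT address, which is why Sascha's comment also mentions a per-computer identifier.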
  • Some clarification - this brute force technique does not hammer the Microsoft activation servers but uses Vista's own key validation routines to validate keys.  Keys processed by this scheme may or may not be able to be activated.

    As to whether this is stealing from customers, it depends.  A 25 character product key offers a LOT of possibilities (about 167 bits worth if my maths is right) so there's a lot of scope there.  Even if the key pool for Vista is, say 100,000,000 keys, that's a drop in the ocean.  The chances of running across your Mom's key is pretty small, although not zero.

    http://blogs.zdnet.com/hardware/?p=296

    March 2, 2007 3:27 PM
  • Gotcha, on the clarification. Now about the "your mom" analogy, the point was only to personalize an otherwise impersonal act. I understand the math of it all. But if 25,000 people get 3 valid keys each... that's a lot of potential victims.

    March 2, 2007 3:32 PM
  • Tim said:

    I'm not sure I understand...  If a person buys a Vista box off the shelf and then it turns out that someone brute forced their exact key, that means they are out of luck?

    That makes no sense to me.  What's the purpose of all those holograms and heat activated ink that Microsoft has been using all these years?  

    In other words, none of that matters... whoever uses the key first is the rightful owner, even if it is a jerk who stole it and doesn't even have anything to back it up.  That's plain wrong and those consumers are being victimized by Microsoft who is unwilling to stand by their legitimate customers, not the guy who cracked their stupid code.

    March 2, 2007 10:35 PM
  • Dude . . . it was a hoax! The article refers to the KezNews posting, but there was "more" if you kept reading.

    http://keznews.com/forum/viewtopic.php?t=2782

    March 2, 2007 10:58 PM
  • VistaJuice said:

    Last couple of days there's been a big fuss about a relatively easy way to crack Vista's activation. I waited a bit before posting about it here, but after reading Robert McLaw's article in which he really explains nicely what...

    March 3, 2007 12:04 AM
  • peconi said:

    Great read, hoax or not - if such thing is ever to surface - people should know that they should not use it and for what reasons.

    There is always a known, legal way of extending the trial of any version of Vista to up to 120 days: http://www.vistajuice.com/2007/02/are_you_running_vista_as_a_30.php

    Thanks Robert.

    Petar

    www.VistaJuice.com

    March 3, 2007 12:13 AM
  • nanana said:

    This will also hurt Microsoft.. I have NO clue why you say it will NOT hurt them.. if this gets even more like it has already this is a Good thing for every Windows users.. this might just force Microsoft to remove WGA/WPA.. and if not I'm sure there will be a lawsuit on Microsoft's hands to force Microsoft to remove WGA/WPA.. so get your facts right...

    March 3, 2007 12:58 AM
  • nanana said:

    ----------Start Quote-----------

    Blake Handler said: Dude . . . it was a hoax! The article refers to the KezNews posting, but there was "more" if you kept reading.

    http://keznews.com/forum/viewtopic.php?t=2782

    ----------End Quote-----------

    This is NOT a hoax he only put that there to keep himself safe from any legal action from Microsoft if they ever put one on him..

    I have tested this just to TEST it out and I can tell you it's NOT a hoax..

    March 3, 2007 1:04 AM
  • DosFreak said:

    "This will also hurt Microsoft.. I have NO clue why you say it will NOT hurt them.. if this gets even more like it has already this is a Good thing for every Windows users.. this might just force Microsoft to remove WGA/WPA.. and if not I'm sure there will be a lawsuit on Microsoft's hands to force Microsoft to remove WGA/WPA.. so get your facts right..."

    Agreed. It would be nice to see a project similar to SETI of this. The thought of millions of PCs brute forcing Vista activation keys gives me a warm fuzzy.

    March 3, 2007 7:36 AM
  • Elliott Back said:

    The funny thing is that this is a hoax:  'Everyone who said they got a key is probably lying or mistaken!'  There's a new /. article:  http://it.slashdot.org/article.pl?sid=07/03/03/1339209&from=rss

    March 3, 2007 9:19 AM
  • vinny said:

    Microsoft will eventually make pay per use software where you will need to swipe your credit card to get access to "your" computer. Stop being used as a propaganda tool and realise that we need to resist their corporate policy EVERY WAY WE CAN. So we inconvenience a few people who will need to call customer support about their invalid key. So what. People will be a lot more inconvenienced if we allow Microsoft to continue to stifle our rights with license agreements and fees.

    March 3, 2007 10:22 AM
  • Sheesh this won't go away . . . so now there's this video showing someone "using" the crack . . . so is it a hoax? The author says so -- Microsoft says their Auth Servers are "smarter" than that. So watch this yourself.

    http://youtube.com/watch?v=5smOzWU2XGY

    March 4, 2007 1:02 AM
  • Simon said:

    The znet link no longer works.

    March 4, 2007 3:47 PM
  • gertrude said:

    One way in which this whole issue will hurt Microsoft is that it will be, for a proportion of users, the straw that broke the camel's back and finally provided the impetus for a move to Linux.

    I've had enough of being at the mercy of the whims of MS and the pirates - I've installed Linux and am finding it a viable alternative this time round.

    It's not a straightforward changeover and it does involve effort, research, practise and confusion. It's still not viable for 100% of users. But the dangerous thing for MS is that now in 2007, a very healthy number of non-geeks are just about able to carry on most all of their originally Windows-based tasks, in Linux, without a virtual certainty of at some stage, hitting a brick wall and having to return to Bill's creation.

    March 6, 2007 3:37 PM
  • Koga said:

    I think at this point people are only doing it for the principle of the thing. Most people don't like the fact that you buy the software, it is yours, but it comes with all sorts of bugs and every time you change something you have to ask Microsoft's permission to keep using the software you paid $200 for. In addition Microsoft owns every bit of the OS industry. The government stepped in and gave them a slap on the wrist. Now it seems the hackers said "fine if you aren't going to fix them we will not buy it." Since Microsoft is really the only real choice they are simply choosing not to buy a product and doing the only other choice they have.

    That being said, I still use XP and I find the system builders edition of Vista very attractive for when I upgrade. Especially the three pack. My only problem is that I have 32bit and 64bit systems so the 3 pack will not help at the moment. If Microsoft opens up their stuff a little bit and brings the price back down to just under $100 for a full install there will be a lot less thieves.

    March 19, 2007 9:58 AM