From: InfoSec News (isnc4i.org)
Date: Fri Apr 11 2003 - 01:35:06 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Forwarded from: Aj Effin Reznor <ajreznor.com>

http://news.com.com/2100-1009-995879.html

By Joe Wilcox
Staff Writer, CNET News.com
April 7, 2003
 
A key code for installing Microsoft's Windows Server 2003 has leaked
onto the Internet, a loss that could lead to widespread piracy of the
software.

A Microsoft representative confirmed the leak late Monday and said
Microsoft was investigating the matter. The leak comes more than two
weeks before the software's scheduled release on April 24.

The leaked code appears to be from a Microsoft corporate customer that
subscribes to one of the company's volume-licensing programs, the
representative said. Rumors circulating on enthusiast Web sites, such
as Neowin and WinBeta, identified the leak as a 3-in-1 code, meaning
that it would work with three different versions of Windows Server
2003.

The Microsoft representative made clear that the company will scour
the Internet looking for the leaked code. "Our legal department works
aggressively on that kind of thing," the representative said. Stolen
codes are often traded with the software, typically on Web sites,
newsgroups or Internet Relay Chat (IRC).

The leaked code casts an unexpected shadow over the launch of Windows
Server 2003. Microsoft is banking on the thrice-delayed operating
system to increase its penetration into the enterprise market. But the
stolen code show the difficulty the company faces in protecting its
valuable intellectual property and potential sales from thieves.

The use of the code is a two-step process and it is the second one
that will cause Microsoft the most problems, analysts say. The code is
first used to install the software and is then used to activate the
software with Microsoft via the Internet.

With the release of Office XP in May 2001 and Windows XP about six
months later, Microsoft added a piracy-fighting tool known as product
activation. Before then, businesses or consumers needed a key code to
install Microsoft software, and the process stopped there. Product
activation took it a step further. The computer would need to contact
Microsoft over the Internet. The hardware configuration and license
information would be collected and associated together in an anonymous
database.

The process essentially locked the activation code to hardware, in
theory, preventing the key from being used to install the software
onto another computer. Microsoft banked on the process for reducing
widespread piracy of its Windows products. For example, the Redmond,
Wash.-based company estimates that about half the copies of Office in
use worldwide are pirated.

But Microsoft's piracy-fighting tool has a potential flaw. For
convenience, subscribers to Microsoft's volume-licensing program are
issued keys that do not need activation. This makes it easier for
businesses to quickly install the same software on many computers at
the same time, without the laborious process of activation for each
and every one. Should a code leak onto the Internet, as it has with
Windows Server 2003, the single code can be used to install an
unlimited number copies of the software.

"That's the problem with this technology, you have to keep those keys
safely guarded," said Michael Cherry, an analyst with market
researcher Directions on Microsoft. Cherry said the leak could have
happened any number of ways. "It could even have been a disgruntled
employee," he speculated.

Microsoft could not confirm which Windows Server 2003 versions the
code unlocks.

There is little Microsoft can do to stop the pirated software from
spreading; the best it can do is contain the damage. Two
volume-license code keys also leaked out ahead of the release of
Windows XP, but the company was essentially powerless to respond.

With the release of Windows XP Service Pack 1, the first collection of
bug and security fixes for the operating system, Microsoft put a lock
on software installed with the stolen codes. Service Pack 1 would not
install on pirated versions, but Microsoft offered no mechanism for
turning off pirated copies. The company estimates that 90 percent of
Windows XP piracy can be traced back to those two codes.

A Microsoft representative said there is no Windows Server 2003
mechanism for disabling software identified as having been installed
using a stolen code. In theory, such a mechanism might be capable of
disabling software during a routine update with one of Microsoft's Web
servers.

Those copies of the software installed using the leaked code "won't be
able to install future updates or service packs of access Windows
Update," the representative said.

"They're caught between a rock and a hard place," Cherry said.

Software piracy is not just a Microsoft problem. Washington-based
Business Software Alliance estimates that 25 percent of software used
in the United States is pirated. West Virginia, Mississippi and
Wyoming have the biggest problems, with piracy rates of 47 percent or
more. Meanwhile, the worldwide piracy rate increased for the second
year in a row. The software alliance estimates that 40 percent of
software in use worldwide is pirated. China, Indonesia, Nicaragua,
Pakistan, Russia, Thailand, Ukraine and Vietnam had piracy rates of 78
percent or more.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoattrition.org with 'unsubscribe isn'
in the BODY of the mail.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]