April 16th, 2007

Posting your Microsoft license keys to Web not the brightest thing to do

Posted by David Berlind @ 7:03 am

Categories: General, Legal, Security, Software Infrastructure, Vista

Tags:

Via Digg, it appears as though users of Belarc's Free Personal PC Auditing tool — a tool which amongst other things, extracts and displays the license information (including activation keys) for Microsoft software — are using it do something a bit unusual. They're posting the tool's audit results for their own systems to the Web. On the last scan of Google for the unique signature of a Belarc report, more than 100 people had posted their license data to the Web.

As long as the integrity of Microsoft's Windows Genuine Advantage program — an anti-piracy program designed to prevent Microsoft's operating systems and software from being installed on more devices (or virtual machines) than Microsoft's policies allow –  remains uncompromised, publicizing your license information is probably a bad idea. After all, if someone else gets a hold of the information and "burns" whatever number of activations you have left, it could create some challenges for you later if you need to reactivate your software. 

On the other hand, should Microsoft's Windows Genuine Advantage program ever get compromised to the point that it's so ineffective that Microsoft shuts it down, then, does it matter? At least in the context of anti-piracy? If you analyze one of the reports, you can see that it extracts an extraordinary amount of information and I'm wondering if, given enough of these reports on the Web, might there be enough data out there for some creative programmer to reverse engineer Microsoft's algorithm for generating keys.

Keep in mind that that algorithm is probably randomized to the point that it can't be reverse engineered. On the other hand, should a significant number of people start publishing their key data to the Web, it wouldn't be the first time a group of people tried to compromise the integrity of Microsoft's Windows Genuine Advantage program. Microsoft keeps close vigil over publicized hacks to its coveted Windows Genuine Advantage program (they crop up all the time). Should any of the hacks pose a real threat, Microsoft will surely reprioritize its resources to address the problem. Just last week, in responding to a BIOS hack that can fool WGA, Microsoft senior product manager Alex Kochis wrote on his blog:

….we focus on hacks that pose threats to our customers, partners and products.  It's worth noting we also prioritize our responses, because not every attempt deserves the same level of response. Our goal isn't to stop every "mad scientist" that's on a mission to hack Windows.  Our first goal is to disrupt the business model of organized counterfeiters and protect users from becoming unknowing victims. This means focusing on responding to hacks that are scalable and can easily be commercialized, thereby making victims out of well-intentioned customers.