News Vista activation cracked by brute force

[Da Dego]

http://www.bit-tech.net/news/2007/03...y_brute_force/

Oh, wait, I own a legal copy....

[hotdog]

Can't wait to see how this is going to unfold. Yes, I will definitely be waiting for the dust to settle before I buy Vista.

[Buzzons]

It also says its a very dirty, and long arduous task.. anyone can do this for any key, its just too much effort for most.

Plus, the file has been popping up on a few sites, but differing in sizes so just would like to put a warning out -- it may have been bound with a backdoor/rootkit on some sites.

[DeX]

This is very silly of microsoft. Keys should only be validated server side that way they can see how many attempts each person makes at activation and make brute force attacks impossible. Oh dear.

[samkiller42]

I certainly dont want to be a Microsoft Customer representative when the calls start flooding in, if they flood in that is, this could prove pretty costly to MS.

Sam

[Buzzons]

how can you validate it server side???? what happens if i do not have the internet???

this is the case with 99% of ALL key software, it is not just MS, so I dont really see how its such a big thing.

[randosome]

LMFAO - just LMFAO this is going to be an interesting few months

[Ramble]

You do validate server-side in Vista...

[Cobalt]

"Sometimes you just build an angry mouse, who takes a very big sledgehammer to your very delicate, Rube Goldberg-esque trap."

This is my favourite line of 2007 so far. So true.

[Buzzons]

so lets just go down the list of apps you can crack just by entering a key that cost more than Vista

3DS Max
XSI Softimage
Maya
Adobe Creative Suit

all can be cracked with a keygen.. and this is basically a long winded way of getting a keygen.. omg !! SUCH NEWS!!

oh wait... no its not.

[TomH]

Serves them right, tbqh

[sinizterguy]

Vista activation is not having a good time is it ?

[keir]

So if someone buys a proper copy, takes it home and cant register ( 'coz it has been too many times ) Then calls MS, they wont be able to to anything?

[Kipman725]

25 characters in a few hours!?!?!? normaly that would take months

Although I have only cracked passwords upto 14 characters alpha numeric with symbols that took about 1 month per pass using john the ripper under ubuntu 5.1 on an athlon 2600+ with 1gb of ram.

[sinizterguy]

Quote:

Originally Posted by keir

So if someone buys a proper copy, takes it home and cant register ( 'coz it has been too many times ) Then calls MS, they wont be able to to anything?

Make sure you buying it on a credit card then. Might be the only way to get your money back.

Personally, I dont think that they will screw their customers over like that.

[flabber]

Quote:

Originally Posted by sinizterguy

Vista activation is not having a good time is it ?

Correction; Vista isn't having a good time, period.

To be honest though, I couldn't help myself but laughing my rear off. Even though I know this is pretty serious, and that people who buy the OS and find that they can't even register it is pretty bad. But the way Bit-Tech has written it, it seems like Microsoft is really falling on their own big mouths here, hehehe.

Safest Windows ever! Best security in Windows ever! No virusses for Vista!
....

pewPEWpew! Byebye to all the bigtalk, hello to reality.
Sorry Microsoft, but if you are trying to get us to believe you're doing a good job, make sure you actually áre doing a good job. We'll talk about playing suck-up after that

Too bad though... with the first screenshots of Vista I was actually excited. But the more I hear about Vista, the more it seems like hot air, wrapped in a nice XP-compatible skin

[Firehed]

Heh, can't pretend we didn't see it coming. Although if that's fully cracked, then how cracked is the version that... err, nevermind.

It does sound fast for a key of that length... ~808,281,277,460,000,000,000,000,000,000,000,000,0 00 possibilities assuming any character can be one of thirty-six things (which obviously it can't since then any random typing would be a valid key, so they must know quite a bit about the structure)

[mclean007]

Quote:

Originally Posted by sinizterguy

Make sure you buying it on a credit card then. Might be the only way to get your money back.

Personally, I dont think that they will screw their customers over like that.

No way. First of all, there's a little thing called consumer rights - if you buy something that doesn't work as advertised, you have a right to a replacement or full refund. So MS can't sit back and do nothing if legitimate copies are being declined for authorisation because some clown has already stumbled on that key. Secondly, the PR fallout would be IMMENSE. MS' name would be dirt (even moreso than it is already - at least people currently generally trust MS, even if they don't like it).

Quote:

Originally Posted by DeX

This is very silly of microsoft. Keys should only be validated server side that way they can see how many attempts each person makes at activation and make brute force attacks impossible. Oh dear.

AFAIK they do, but as I understand it, this crack works by churning through keys until it finds one that MS has authorised for use on a legit copy (i.e. it finds a key which is already in circulation on the licence certificate of a genuine copy of Vista). Not much they can do to stop it tbh, short of a full recall and reissue with longer keys. I'd like to see how much that would cost them.

Realistically, if this starts to become a problem, they're just going to have to relax the licensing restrictions, in order to keep the legit purchasers who get stung (who could number MANY when this crack gets known in the wider world) from turning up at Redmond with pitchforks and flaming torches.

Quote:

Originally Posted by Kipman725

25 characters in a few hours!?!?!? normaly that would take months

Although I have only cracked passwords upto 14 characters alpha numeric with symbols that took about 1 month per pass using john the ripper under ubuntu 5.1 on an athlon 2600+ with 1gb of ram.

Yeah, but remember MS will have MILLIONS of legit codes in circulation, and probably a great many more pre-authorised on licences ready to go out. There are many possible solutions to this particular brute force.

I guess one semi-solution is to limit the number of activation requests serviced in a given time by each IP address - e.g. no more than 5 goes in a 1 hour period for any IP address. This would slow down the brute force something chronic (though I guess you could in principle use a distributed attempt from a botnet to spread the requests over many IPs), but would still allow for a couple of typos in the key, or for the (rare) situation where an IP leased to one person who has used it to activate his copy of Vista is then dropped and immediately re-leased to a second person who also needs to activate.

EDIT: I guess the point is that ANY activation / copy protection will eventually be broken, given enough effort, and MS' software will always attract that kind of effort. The best MS can hope to do is inconvenience the hackers enough that for the majority of people it isn't worth the hassle of working through the crack just to save a few £$€

[Buzzons]

you know you can do this on XP as well? and 2k3 and ME and 2k ...

[CyberSol]

to bad vista isn't worth cracking...
much less buying.