Well, Thats The End Of Vista Serial System

[Bozo Galora]

http://theinquirer.net/default.aspx?article=37941

I saw this early today on the net (hours before theinquirer got it), a guy just fooling around practicing with javascript used some code to look for working serials by using brute force - like a password hack that uses various dictionaries to try different words until one opens the door.
Immediately, I knew this would be big, especially since many were jumping up and down in ecstacy that it actually worked.

The method is out there in cyberspace, so as far as I can see, the current serial input system must be altered or even totally trashed to stop this somehow.


But then again, what the hell do I know?

 

[Tegeril]

This'll be hilarious when the stars align and a legit key has already been activated by the brute force method.

 

[magomago]

soo...why couldn't people brute force windows xp?

what i don't get is people get excited that someone can brute force keys?

I don't get it...what makes this so special vs any other brute method?

 

[jedisponge]

The Inquirer practices such great, impartial journalism.

While I find some of their early news on products still in development interesting (though not always accurate), I just find it hard to take them so seriously.

 

[Bremen]

Originally posted by: Tegeril
This'll be hilarious when the stars align and a legit key has already been activated by the brute force method.

Sensationalism at its best. They're using 25 digit keys, chances of duplicating a legit key are slim to none.

 

[Aberforth]

its very difficult to brute 25 digit key (unless you have super computer). someone lock this topic, it feels inappropriate because sooner of later someone will post "IT WORKED!!". Always buy legit and be legit no matter what.

 

[beer]

I'm skeptical of anyone that 'cracks' anything with JavaScript.

That article is so bad I would stab the author with a nail file.

 

[JEDIYoda]

Originally posted by: Bozo Galora
http://theinquirer.net/default.aspx?article=37941

I saw this early today on the net (hours before theinquirer got it), a guy just fooling around practicing with javascript used some code to look for working serials by using brute force - like a password hack that uses various dictionaries to try different words until one opens the door.
Immediately, I knew this would be big, especially since many were jumping up and down in ecstacy that it actually worked.

The method is out there in cyberspace, so as far as I can see, the current serial input system must be altered or even totally trashed to stop this somehow.


But then again, what the hell do I know?

-- good question...let me answer that....believing anything the Inquierer post just goes to prve there is a sucker born everyday!!

 

[drag]

Personally I like the Inquirer.
You know why?
Because they aren't trying to pretend to be anything they are not. It's just tabloid computer news. They publish rumors and are biased, but they don't try to hide it with nice language, good editing, and name dropping.

There are hell of a lot of publications that pretend to be all responsable with high levels of integrity and trick people into beleiving what they are saying.. like Fox News, ZDnet, CNN, or the New York Times. So a more honest approach
is nice.

And who cares about the lagnuage the person used to do the brute force attack? If this is true it just goes to show that the most wealthy and most profitable software maker on the face of the Earth can't make a activation sceme that stands up to web scripter's attacks.

 

[Kadarin]

Heh.. This reminds me of the time I was working at this company back in '99 when a coworker was stuck on the license key screen on the Win98 install. He'd lost the key he was going to use. "Watch this," I said, and I randomly entered keys into the fields. I think he about fell over when it actually worked...

 

[Sunner]

Originally posted by: Astaroth33
Heh.. This reminds me of the time I was working at this company back in '99 when a coworker was stuck on the license key screen on the Win98 install. He'd lost the key he was going to use. "Watch this," I said, and I randomly entered keys into the fields. I think he about fell over when it actually worked...

Who can forget the good ole 040-1111111... type codes

Oh and Drag, I never thought of it that way, though personally I prefer The Register, I just love their style of writing

 

[Bozo Galora]

Originally posted by: JEDIYoda

But then again, what the hell do I know?

-- good question...let me answer that....believing anything the Inquierer post just goes to prve there is a sucker born everyday!! [/quote]

You see I dont post anymore on AT (havent posted in GH in a month so far) because of the few choice nasty a-holes that force me to be nasty back to them - then paradoxically I am criticised as being nasty to THEM

I HAVE in fact posted a few in Motherboards, as kind of a thank you to those guys alerting me about Clubit.com/DS3 whilst I was lurking there.

And if you dont think Mr. Yodaturd isnt gratuitously nasty - just search his posts.

However, this was way too good not to post. I just had to do it.

Note that Mr. Yodaturd called me a sucker because I believe theinquirer, when in fact I mentioned that I had already investigated long before The Inquirer piped in. But per usual - this thread has been twisted around into being a referendum on theinq - not addressing the fact that working windows serials CAN be generated with a little 284KB javascript. Its all over the bittorrent sites.

If you dont believe it - thats your problem, not mine.

 

[drag]

Originally posted by: Sunner

Originally posted by: Astaroth33
Heh.. This reminds me of the time I was working at this company back in '99 when a coworker was stuck on the license key screen on the Win98 install. He'd lost the key he was going to use. "Watch this," I said, and I randomly entered keys into the fields. I think he about fell over when it actually worked...

Who can forget the good ole 040-1111111... type codes

Oh and Drag, I never thought of it that way, though personally I prefer The Register, I just love their style of writing

All they have to do is keep posting BOFH and I'll love them for it.

 

[Markbnj]

But per usual - this thread has been twisted around into being a referendum on theinq - not addressing the fact that working windows serials CAN be generated with a little 284KB javascript. Its all over the bittorrent sites.

You could generate working serials with any little bit of code you cared to write to do it, as long as you were willing to wait long enough.

Edit: actually bothered to read the theinq piece... when did they start accepting submissions from fourteen year-old script kiddies?

 

[fyleow]

..

 

[oldman420]

this will just add to the problem.

 

[Bozo Galora]

There are lots of "get arounds" for activating Vista.
Lots and lots that the totally uninformed boy scouts here are blissfully unaware of.
Like the "timer stop" - Vistall install gives you 30 days "tryout period" before demanding activation, even if you enter no serial at all. TS just freezes the 30 day countdown - it stays stuck at a certain date and time in the future. Another sub version of this is to set the 30 day expiration at year 2099.

But MS is blaming below expectation initial sales of Vista on piracy (yeah, right). And they have indicated that they are going to increase protection levels. The TS exploit could be easily defeated.

But generating a new fully functional working Vista key is a knife in the heart of the whole registration scheme. People are reporting getting a key in ONE HOUR! Others - nothing in 10 hours.

Is that so hard of a concept to understand???
That is why I so foolishly posted this subject here.
And since it is kind of a dicey subject for the AT forums, I added the Inq link ONLY to show it is already a public subject by a well known widely visited PC website.

I have 25 computers used in my business. What if I set them all to run the script at night and on weekends - like folding at home?? How many keys would I generate in a day? A week? A year??

I could afford to buy Vista business for all my PC - so I dont need this. And its a fatal policy to run pirated software in a public concern. You just dont do it - the liability is just too high.

But I wouldnt use Vista even if they gave it away for free. Its a 5 year $6,000,000.000 failure. Gates should step down, since he obviously doesnt know how to successfully control his company. Maybe he should move to Africa, since that seems to occupy most of his time anyway.

And oh yeah - they are now saying that by Monday they will have a polished up GUI version of the script - and guys much smarter than the originator are going to jump in on this - all over the world, 24 hours a day, 7 days a week.

Nyuk Nyuk Nyuk

 

[Tegeril]

Originally posted by: Bremen

Originally posted by: Tegeril
This'll be hilarious when the stars align and a legit key has already been activated by the brute force method.

Sensationalism at its best. They're using 25 digit keys, chances of duplicating a legit key are slim to none.

Hi, welcome to reading for comprehension. I'd imagine that multiple stars aligning is a rather uncommon thing, kind of like the chances of duplicating a 25 digit key.

 

[Shawn]

eh, it's easier to just use the activation crack. don't see what the big deal is about this.

 

[Stumps]

Originally posted by: Shawn
eh, it's easier to just use the activation crack. don't see what the big deal is about this.

It means you get a "legitimate" product key, no need to avoid any of the WGA BS...

 

[fyleow]

..

 

[tcsenter]

Microsoft has basically reduced the burden for activation and WGA to practically nothing (lower than XP) so as to prevent a flood of activation problems as it tries to deal (i.e. damage control) with all the other bug reports, installation problems, broken applications, and all that. This will change. Enjoy your free Vista while it lasts.

This is exactly what happened when Microsoft was publicly testing its Legit Check scheme on select downloads and Windows Update. The 'Legit Check' bypass script that was touted widely as a hack was not by any means a 'hack', it was actually a work-around that Microsoft itself implemented for those who were 'having trouble' with the Legit Check control.

The first couple weeks that the Legit Check went live, there was a link on the Legit Check page that asked 'having trouble viewing and/or downloading' (paraphrased)? When you clicked on that link, it gave the user some tips to follow such as clearing their temporary internet files, reloading the page, re-installing the Legit Check control, and the usual suspects. At the conclusion of these tips, there was a second link that read 'Still having trouble?'

Guess what happened when you clicked that second link? You got it, Legit Check was completely bypassed using the exact same script that was disseminated around the net and portrayed by sites like the Register as a 'hack'. lol!

Microsoft intentionally lowered the burden for activation and its being spun as some 'blow' to Microsoft's activation technology.

 

[Markbnj]

Originally posted by: Tegeril

Originally posted by: Bremen

Originally posted by: Tegeril
This'll be hilarious when the stars align and a legit key has already been activated by the brute force method.

Sensationalism at its best. They're using 25 digit keys, chances of duplicating a legit key are slim to none.

Hi, welcome to reading for comprehension. I'd imagine that multiple stars aligning is a rather uncommon thing, kind of like the chances of duplicating a 25 digit key.

No, because the stars align regularly, in entirely predictable patterns driven by the forces at play, whereas generating a working key using random guesses into a large population is... well, random.

For Bozo, your chortling is premature. Windows activation keys are not simple free-passes to whomever manages to get their hands on one. Increasingly (but probably not yet perfectly) they are tied to the transaction that created them. All this kind of attack will do is spur MS to further ensure that they can track every key back to the dollars they received in return for it, at activation time.

Grats.

 

[thescreensavers]

IT is fake.

Heres the Artical


But me thinks the creator of the keygen is saying this for legal reasons

 

[RebateMonger]

A while back some of us discussed the mathematics of the MS Activation Keys. Here's a ROUGH look, give or take a few zillion....

If you allow numbers 1 to 9 and allow 21 alphabetic characters (disallowing a few alpha characters like "O"), then there's something like 1e+36 possible combinations in a 25-digit Key.

If you can guess 2 billion times a second (2GHz), then it'd take 1e+20 YEARS to check ALL possible Keys. If Microsoft allows a billion "legal" Keys, then it'd take 1e+11 years to find all the "good ones", and 100 years to guess a single good one.

This all assumes complete Key randomness, which may not be true. And it assumes that Vista will allow you to input 2 billion Keys per second.

Am I severely mis-calculating something? Microsoft's choice to continue with XP's 25-digit Key shows that they think that 25-digits is adequately complex.