Microsoft Tools to Combat Vista PiracyBy Peter Galli | Posted 2006-10-04 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
A new software protection platform targets Vista and Longhorn piracy in an attempt to give Microsoft's channel partners a level-playing field.
Microsoft will unveil Oct. 4 a new software protection platform and accompanying technologies that it plans to incorporate into a variety of products, starting with Windows Vista and Windows Server Longhorn, in hopes of combating piracy.
The new technologies will be included in all of Vista versions, and over time every Microsoft product will use the platform to some extent, Cori Hartje, director of Microsoft's Genuine Software Initiative, told eWEEK.
The hope inside Microsoft is that these new technologies will make it harder for people to pirate Windows Vista and help ensure that its channel partners have a level-playing field.
"Today, with such an easy way to copy and counterfeit Windows XP, those channel partners don't really have a level playing field to sell legitimate copies of the software. We are very optimistic that this will make a dent in Vista piracy and counterfeiting," she said.
Among the new activation technologies that will be found in Vista and Longhorn Server is Volume Activation 2.0., which represents a big change for how those enterprise volume customers activate their software, Thomas Lindeman, senior product manager for Microsoft's Software Protection Platform, told eWEEK.
"With Windows XP, the volume-licensing keys could easily be stolen and leaked as they are in clear text and in the registry on everyone's computer. Customers told us that we needed to help them protect that key, so now the keys are going to be encrypted and kept in a trusted store," he said.
Roger Kay, president of research group Endpoint Technologies Associates, told eWEEK that Microsoft's assertion of its right to control the kernel is key to warding off hackers.
"Apple does it," he said. "Why not Microsoft? By not allowing anything to run at the same privilege level as the kernel, and by shutting down the kernel if anything messes with it, Microsoft is fielding a much more robust system than it did with XP, which allowed all kinds of kernel modifications by software partners and, by extension, hackers."
Lindeman added that future Microsoft products such as Office 14, SQL Server and Exchange are already planning to use this platform, whether just for code protection, digital distribution or volume.
But he stressed that there will be no cross-checking whatsoever of other software on a person's hardware, and there will be no reporting back to Microsoft or validating any other software except for Windows Vista.
In fact, the Redmond, Wash., company undertook a public disclosure with a third party who audited the traffic and data that went back and forth during activation so that it could prove there was no personally identifiable information there, he said.
Next Page: Two kinds of volume-license key services.
Microsoft is planning to offer customers a choice of two kinds of volume-license key services: the volume-license KMS (key-management service) and MAK (Multiple Activation Keys).
The KMS option is hosted by the user and thus does not need to talk to Microsoft. It brings a single key controlled by an IT professional that is encrypted and found on a single machine; each of the machines inside the enterprise talk to that KMS service at least twice a year, Lindeman said.
The MAK option applies to those companies with users who do not connect to the network at least twice a year or who have a small laboratory of less than 25 users. This multiple activation key activates one time onlyMicrosoft's new Volume Activation Management tool will help with proxy activation, he said.
This would apply, say, in a lab with 1,000 machines and where a KMS is not installed. "They obviously do not want to call Microsoft up 1,000 times, and so they can run this tool on a single machine," he said.
"It will talk to those 1,000 machines and harvest the hardware identity data from them. That single proxy machine will then talk to Microsoft, get the activation identities back for all the machines, and then shoot this out to those machines and activate them. Customers can also use this method to activate their entire organization," Lindeman said.
Endpoint's Kay believes that these new technologies will ease the burden on IT administrators by allowing them to either administer the activation/validation themselves or have Microsoft do it.
"It will help them to know that every client that validates properly has a kernel with integrity," he said. "It represents a first-level health check. Also, they don't need to worry about rogue machines from ex-employees wandering around because they'll go dead after six months."
Lindeman agreed, saying customers who had been testing Volume Activation 2.0 liked the fact that the machines talked to the KMS regularly, as this helped them with the problem of computers disappearing from the network and enabled them to see whether they had been tampered with.
"The anti-tampering checks that happen every time you talk to KMS helps make sure that the copies of Windows are genuine and not tampered with, which brings added security. We are also provided management tools like a MOM pack, and we have SMS integration to help customers create reports that they can use to monitor the health of the system," he said.
According to Lindeman, these tools are in no way related to billing and Microsoft will not know how many computers are activated. "These tools are optional, and we provided them to meet the needs of customers who wanted help with reporting," he said.
There will also be open APIs and WMI interfaces on all the machines so that third-party tools can query the store and find out what software is on the machine and what the activation state is.
Asked about the issue of false positives, which is an issue with Windows XP and the WGA (Windows Genuine Advantage) program, Hartje said the WGA and Software Protection Program have common goals of protecting consumers but are fundamentally different technologies and the issues and complaints would not be the same, she said.
Customers could call into the support center if they experienced an issue, she said, but as the technology was checking at the time of activation to make sure this was a genuine product, "we expect a reduction in those types of issues. I am sure there will be issues and we will address them as they occur, but it's hard for us to know right now what the future will be," she said.
Asked if he thought there would be a reduction in issues for customers with this new technology, Kay said it is hard to say as that depends on how well it actually works. But he does feel that casual piracy will diminish fairly significantly.
Microsoft has been working with its TAP (Technology Adoption Program) customers and others for more than a year, and much of that feedback has led to things like the proxy activation option and the MOM pack, according to Lindeman.
Next Page: KMS inside Microsoft.
It is also being used inside Microsoft, where there is a single KMS service and one backup that activate all the machines on its network. "It's an invisible process for end users, and it's a very lightweight service of 200 bytes that go back and forth between KMS and the client and we could do about 25,000 activations in an hour if we had to," he said.
There have been no reported issues with the activation process itself, which has been thoroughly tested, Lindeman said, but one issue is that many enterprise customers cannot run client-based or beta software in their data center. When Vista ships at RTM, all that will be available is KMS support on the Windows client and the Longhorn server beta.
But, some six months after RTM, Microsoft will have KMS support on Windows Server 2003. Those who are affected by this will have to get a waiver from their IT organization, use MAK activation or even OEM activated machines, he said. "That has been the roughest thing we have gone through, and we just couldn't get that worked on in time," he said.
Microsoft is also making a comprehensive deployment guide for all this available online Oct. 4, Hartje said, adding that this guide will help volume-license customers use the right key distribution methodology upfront.
"It only takes a few minutes to set up the key management services in an environment and is very straightforward. We give lots of examples on how to do this as well as scripts to tell end users how to do it," she said. "We have covered all the parameters that the IT professional will need. After this is in place, the end customer won't have to do anything. It will be transparent."
Customers in a retail or volume environment will have to activate their product within 30 days, during which time the product will be fully functional, albeit with repeated reminders to activate.
Failing that, the product moves to reduced functionality mode, but the key can be entered at any time and the product would then revert to regular mode.
It will also be validated every time software updates are required and, if the software is found not to be genuine at a later date, genuine add-ons like the Aero user interface, Windows Defender and
"At the end of 30 days, the machine will move into reduced functionality mode for validation, and users will only get an hour of reduced experience Internet access before being logged off. They will then have to log on again before getting another hour of Internet access," she said.
Check out eWEEK.com's for Microsoft and Windows news, views and analysis.