Windows Product Activation and Piracy, Crypto & Hackers

Video Statistics and Information

Reddit Comments

I know that face! Thanks for sharing this! If you have any comments, questions, or suggestions on stuff to cover in Part 2, please let me know!

10 points, u/daveplreddit, Jan 16 2021
Captions
Hey, I'm Dave. Welcome to my shop. I'm Dave Plummer, a retired operating systems engineer from Microsoft, going all the way back to the MS-DOS and Windows 95 days. I was a developer on, and the dev manager for, the first version of Windows Product Activation. Love it or hate it... well, who am I kidding, nobody loves product activation, not even my own mom. But maybe, just maybe, by the time I'm done telling you the secret history of Windows Product Activation you at least won't hate it. It's a tall order, but let's see if I can convince you.

[Music]

Now, before I try to convince you that Windows Product Activation was a good idea, and before I explain how it all works, I have to rule out one group of folks right off the top: the unabashed pirates. If you don't think anyone should pay for their software, then of course the answer should be to use one of the fine alternatives such as Linux. But if you want, need, or just plain old prefer a commercial alternative like Microsoft Windows, then you'll have to agree with me that people should legally and ethically pay the price if they're going to actually use commercial software. You can argue that it's too expensive, or that you prefer open source, or whatever, but the one thing you can't do is just steal commercial software and then say copy protection is also pointless, as that would, if nothing else, make you a hypocrite.

So let's take a quick look at how activation works and why I wrote it that way. Well, I, along with a little help from some very smart friends, friends with fanciful and exotic names like Chalar, Karan and Chris with a K. Each individual copy of Windows comes with a license for that copy. That license is represented by a certificate of authenticity, or COA, and the license comes with a unique ID that identifies it, called the product ID, or PID. The PID is then salted and encrypted and signed, and out pops a product key, the 25-digit code that we've all come to know. You enter that code and Windows breaks it apart into its constituent elements and can validate that it's at least a real code, and for what product. If it all checks out, you can then evaluate Windows for some period of time that that key specifies. After that you must activate it. In most cases, though, each version can decide to allow evaluation without a key even; at least up to 30 days is typical.

Activating a license means that your computer connects to Microsoft and reports two things: your unique product license code, better known as the product ID, and a hardware ID that describes your computer. Microsoft marries those two codes together, signs and blesses them cryptographically, and you're all set. Every time your PC boots it looks at your hardware, and if the hardware still matches the hardware ID then it knows that the license that you hold is still valid.

Clearly the PC has to record and know a number of other important facts here, like when the evaluation period actually began. Otherwise you could just keep resetting the evaluation period, starting over each time, and thereby evaluate Windows forever, so of course I had to guard against things like that. You can assume, then, that Windows knows and records the date of your first use. This is one of the very few things that might have actually been worth hiding, because if it's 2003 and you're me, where would you put it? Where would you store this date? Maybe in a few unused bits of the file allocation tables? In the cluster slack of the system32 folder entry? Perhaps you could shift two values in the partition table and then use a delta between them as the real value. You could be really sinister, and that's the problem: whatever it is that I chose to do had to work on a billion weird, unseen machines. Literally, that's about how many Windows machines would eventually run this code, and it's supposed to work on all of them. So, to put it more succinctly, where would you store such an important date without breaking anything, without accidentally stomping on information that anyone else is storing or hiding, but still do it in a way that prevents people from erasing it or altering it?

What did I do? How did I solve it? What's the secret? Where is it stored? How is it protected? Settle down, kids, I'll tell you. I just put it in the registry. It's really that simple. For the last 25 years the in-service date for every one of a billion Windows machines is the date recorded in the Windows registry. But it's got to be protected somehow, right? And so then you think, yeah, and the system could be really clever, and you could hook the registry APIs and hide it by lying about whether it's even there, and the enumeration could just skip over it, and so on. If so, you've gone off somewhere that I chose never to go. I did not want that layer of obfuscation on my own machine or anybody else's. I was not going to rootkit the machine out from under its owner. For me, both psychologically and practically as a developer, I wanted to know that the machine was never lying to the user, and so everything about activation is in plain sight if you know where to look. There's never any deception.

But what would that mean, to rootkit the machine, if you went that way? Technically I wouldn't even need to do that, as I could just modify the actual Windows operating system, but a rootkit is like a man-in-the-middle attack that can inspect, modify, or even change any system call you happen to make, or its results, and it could lie, obfuscate, hide, cheat, or do whatever it wanted, because it has total control of the machine at that point. I could store things in a plain text file called C:\wpa.txt and then just have the file system pretend it wasn't even there unless it was me asking. Simple and easy. Well, until you put the drive in an old machine, which is a great example of how for every complex problem there is a solution which is simple, elegant, and doesn't quite solve the problem. For good reason, however, nobody wants to run a system like that. People want to trust their computers, and they don't want them flaky and weird, and they don't want them lying and rootkitted and so on. So that's why I just put it in the Windows registry like a normal piece of information, and I don't even remember if it's encrypted. At best I XORed it with 255 or something to just simply make it harder to search for, because there's only tiny value in hiding stuff like that anyway. The important part is that you can't just delete or reset the data, because it's in a read-only registry key.

Now hold on for a moment, because there are potentially thousands of Windows developers watching around the world saying, "What? A read-only registry key? There's no such thing." But of course there is, because I invented it just for WPA and added it to the kernel just for that very purpose. How does it work? Well, you know what happens if I say too much. For now, the part you care about is that the system knows the date when the trial period began, and the system protects that date.

How does the activation process actually work? You punch in that long string of about 25 characters, and somehow, over the internet, the computer activates the license associated with that code. If your code is invalid, or the license is counterfeit, or the license has already been used on too many other computers, the activation attempt will fail, your trial period will not be extended, and, at least back in the Windows XP days, your system would be largely useless without a license at the end of the trial period. The system's a little softer now, and I think you just get a scarlet letter of sorts on the desktop, shaming you for stealing the software, but the protection is still there even if they're not flexing it.

If you do successfully activate, that activation is done in such a way that it is bound to both a time period and to your current hardware. This is one of the biggest challenges of WPA and one of the bigger technical hurdles that I faced in developing it. Your hardware has to be able to change a little bit over time, because unlike a cell phone, people upgrade their computers one component at a time sometimes: some RAM here, an SSD there. And we decided that we would not force a user to reactivate for minor changes. But what constitutes a minor change? Well, that's something I actually had to codify in the software. Every time the system starts up it does a hardware inventory and then compares it to the hardware ID stored with the activated license. If the hardware matches and the license is valid, you're on your way, and once you were logged in, that was the only gateway; we never looked at your activation status again, so far as I can remember, and thus there was no performance hit in terms of CPU or working set. Later on, the current system does appear to check before allowing you to personalize your system, so it seems to at least check overall activation status at some point.

One aspect that I think is cool, and that I'm kind of proud of, is that if your hardware drifts over time because components have changed, rather than just failing, your PC can then check with the activation servers, which can then in turn silently bless those changes. Thus you're allowed some number of certain types of hardware changes, but it's at the discretion of the backend, the servers at Microsoft. I know my new 3970X is running a Windows key that I had retired from a copy I had previously activated on an iMac, of all things, but since a couple of years had elapsed and the iMac was back in OS X land, I was able to activate it on a completely different system. You should always read your license agreement to make sure that that's actually a valid thing to do, but otherwise it's entirely up to the backend servers.

You might imagine that's pretty simple: you just pipe lspci into a file and upload that as an inventory of your hardware, and you're half done. But remember, one of the requirements we set out for ourselves was that people didn't have to be online. Maybe we would do it differently today, but at the turn of the millennium it wasn't a given that every computer could be connected to the net. Some computers would have to be activated over the telephone. You can make the online web activation as robust and impregnable as you like, but the phone activation is always going to limit the amount of information that can go back and forth, and so will always be an attack vector, and likely the easiest one for hackers to target.

Telephone activation essentially uses the human being as a modem. The system gives the user a few bits, which they send to Microsoft either by reading them aloud or punching them into a touch-tone or a keyboard, and then Microsoft sends a few bits back in the form of a sequence of numbers. That cryptographically secure sequence, called the confirmation ID, is what the user in turn gives back to the Windows system in order to activate it. But clearly the amount of data is low here. We're talking about the little boxes of numbers you read over the phone and the response string that comes back, and that's it. And the human isn't going to do more than about 25 letters, and I bet even that felt like too many if you've had to do it. If you assume about 7 bits per letter, that's about 20 bytes total. Oh, and that 20 bytes has to include whatever is needed to be cryptographically secure as well, because there's no out-of-band channel here, only what the user does over the phone with the operator. So you can see there's only really a tiny amount of bandwidth available here to the programmer. Not only could you activate a computer over the internet or by phone, you could even do it by mail, at least in theory.

But given the tiny amount of space which is available in order to do it, how does the computer communicate its inventory of hardware components to the server, so the server can determine whether or not too much change has actually happened too soon? Well, that's the beauty of what's known as the hardware ID, or HWID. The hardware ID contains all the information needed about your system so that decisions can be made, while still being small enough that it can be encoded into an alphanumeric string that you enter into a form or read over the phone, worst case.

Let's imagine you're the new me, defining a hardware ID for a modern PC. How many bits does it take to store the memory size? Certainly a 64-bit long would hold it, but you don't even have 64 bits total, let alone for the memory size. So as the engineer responsible you might reasonably decide that there are really only about four classes of RAM size: too small, just right, a little extra, and really big. That takes up only two bits, but if someone goes from 16 meg to 64 meg you'd still detect it. Then you do similar things for the rest of the types of hardware in the system. Like, you can't waste space on the entire MAC ID, but you could certainly include a small hash of the MAC ID and detect whenever the MAC ID changes.

Let's say that as a user you activate a valid Windows license in March. That summer, not only do you upgrade your RAM in the computer, but you also put in a new network card and a new CPU for good measure. It's still the same motherboard in the same case, and same power supply, and everything else is the same, so to you it's the same computer, just upgraded. But Windows is going to see all of those changes and probably decide that it's outside some threshold, and contact the clearinghouse and ask for guidance. Some of the elegance of the system is that all of the grace, or lack thereof, is at the behest of the back end. The client is dumb when it comes to policy and doesn't make any of the big tough decisions. The only decision it makes is to decide whether enough has changed that it has to check and see whether the license is still valid. Otherwise it's just the messenger, and sends the current hardware ID and license ID up to the clearinghouse.

These days I have no idea what Microsoft communicates to or from the server about your machine. You could check your license agreement; I'm sure it details what they're allowed to do very clearly. But in terms of product activation, so far as I'm aware, at least back in my day, it was limited to those very few bits that are available in the hardware ID. There was no skullduggery in anti-piracy. Because the client isn't part of the trust system, it's a smaller attack surface: hacking the client still leaves the activation decision up to the back end. Now of course you could lie about the hardware ID, but since the license was signed and blessed by the clearinghouse as a matched pair, it won't match the hardware that's actually present in the system, and so the system could detect at a later date that the license was not intended for the machine that it's now running on. Multiple layers are possible, and it's a continuing philosophy we have: defense in depth. It's something I've also tried to teach my three teenage sons. No single layer is impregnable when it comes to defense; due to possible failures, one is none, and you cannot rely on a single technology. That's why I've reminded them that if they're going out with a girl they should use two types of protection, seat belts and airbags, because defense in depth on the road is important as well.

With a few rare exceptions, we did not believe in security through obfuscation. We relied on digital certificates and large hashes, so that as long as the code itself was not breached, we then knew authoritatively that the Microsoft backend servers had authorized a license for a particular system. But if you could attack the code that did the checks, all bets were off. So how to protect the code? Naturally, the code is encrypted. Let's just say that it's very hard to even attempt to debug, and if you do, it will know what you're up to, and that's all I have to say about that.

This all begs one important question, then, which is how much pain and angst software vendors should be able to put their honest users through in order to ensure compliance with a software license and to confirm that software has been paid for. Because once you've paid for the software, why should you have to prove anything to anybody more than once? You know you've paid. It's their problem if they can't figure it out or remember it without unduly inconveniencing you, as far as I'm concerned, and I took that attitude with me when I was going into the WPA experience. Obviously the ideal situation is a completely transparent licensing verification mechanism that the user is never even aware of. In a very tightly controlled ecosystem like the Apple App Store it's possible to ensure almost total compliance with very little friction or pain, but that comes at the price of the ecosystem being very closed and tightly monitored. Every iPhone has a unique ID, and every user signs in with their unique Apple ID. That makes checking and enforcement pretty much trivial. Windows users, however, don't have unique IDs, and they like to open up their PCs, add memory, change drives, change GPUs, even CPUs from time to time. Even the motherboard is fair game in an enthusiast PC, and no one is interested in a world where you have to jailbreak your PC in order to make such changes.

But if you change the motherboard, CPU, RAM, network card and so on, at what point is it a new PC? This brings to mind the ancient thought experiment of the Ship of Theseus. Imagine a wooden sailing ship which lasts for the ages, but in which every single board and component has eventually been replaced over the service life of the vessel. The ship has the same form and the same name, the same appearance, but is it still the same ship if literally everything about it is now different? Let's assume for a moment that the license allows for it. Should the license enforcement actually support that case, and if so, how does it not confuse it with an entirely different PC, especially when a company like Dell could make thousands of copies of an almost identical PC configuration? What could you look at in that case? Well, I suppose MAC ID, which is of course easy to spoof, and CPU ID, but nobody even turns that on, so you have boot volume serial number perhaps, and timestamp of the first boot, and so on. But it's never going to be right every time. Like it or not, you're really talking about heuristics, not hard and fast rules, and so right off the bat it becomes clear that with a Windows PC there is no perfect answer. No matter what set of heuristics and rules you use to try to determine whether or not a machine has changed enough to no longer be the same machine, you're going to be wrong occasionally, and that means either licenses will be unfairly reused or, much much worse, legitimate users will be unfairly inconvenienced. And that's one thing I couldn't accept, and why there are so many ways to escalate around activation with a phone call.

All this goes to prove that licensing enforcement on a Windows PC is simply a lot more difficult than it is on a closed system like an iPhone. But does that mean you shouldn't even therefore attempt it? I can't speak for everyone on the licensing team, but I think my perspective was that as long as it was very rare for a person to have to reactivate, and as long as a human agent was always available to make a veto override and grant the license in the worst case anyway, it was okay, as long as it was a truly rare event. But let's say you're flying across the ocean, you're up in the Virgin Atlantic first class cabin as usual, and you pull out your laptop to discover that for some incalculable reason it has decided that it now needs to be reactivated. As long as you have access to the Wi-Fi connection you're still fine. Even worst case, the seat-back phone that nobody ever uses could be used to activate it. Eventually, however, the doves won out over the hawks. I was technically a hawk, because I supported disabling certain features if your system wasn't licensed; others only wanted a nag reminder. Somewhere along the way it looks like they changed it such that personalization is impossible until you activate, and you get a banner nagging if you try to evaluate forever. It's a compromise, like a shot at a moving target that you know will land somewhere near the bullseye but rarely right on it. You can get close, but you'll never get it right every time; the law of large numbers guarantees it.

Software licensing was a little like that. We always knew it would be hacked eventually. Like, if you've watched the Microsoft Bob episode, then you know that the BIOS locking was designed to be large to download once it was hacked, and therefore annoying to pirate, but by no means impossible. If you really wanted it, you were going to get it, and product activation was unlikely to stop a determined pirate in the end. And to my surprise, that's the biggest knock against it. Many argue that because it's not a panacea against piracy, and because it can sometimes be subverted, it's therefore pointless at all times. Let me pick an arbitrary number. Let's say it stops the 90% of piracy that is casual or accidental, yet the 10% of determined pirates could still get their booty. Perhaps the more elite pirates might be able to outwit activation, whereas the mom and pop store with three computers is forced to pay. Is that fair? I think it still is. If you stop system builders from reusing licenses on multiple machines, does it matter that someone who's willing to shim their BIOS can run an OEM license on a retail box? Should you not enforce any licensing because you can't do it perfectly in every case?

I'm a bit of a student of President Eisenhower. He in turn was a big fan of General George S. Patton, and one of Patton's favorite sayings, and one that I've adopted as my own, is that the perfect is the enemy of the good. Waging a war was not about perfection; it was about doing the best that you could in the shortest time that you possibly can. Now, software has nothing to do with armed conflict, but getting a few hundred developers mustered on a singular goal of shipping an operating system by a particular date could be a little bit like coordinating the logistics of a military maneuver, and Eisenhower later carried Patton's advice over into civilian life as president as well. In other words, if you asked Patton about license enforcement, he'd probably say, "Dave, you've got to do the very best you can and not worry about it that it's not perfect." Then he'd probably slap me for being a ... so it's hard to know which parts of his advice are actually still valid today, but one thing is clear: he got a lot done, and he got it done in a hurry.

My team and I didn't begin working on product activation until quite late in the XP product cycle, and it took some heroics to ship it on time. Some developers suffer from not-invented-here syndrome, or become obsessed with rewriting everything that they touch in their own image. Not me. Call it lazy or call it smart, but I'd borrow code and technology from anywhere internal that I could find it, so Windows Product Activation uses a lot of tech from the folks in Office and from Microsoft Research. It was this dogged determination to actually get it done and ship in time for XP, combined with the complicated technologies involved, that led to one of my highest ever review scores. In those days at Microsoft you were ranked one to five. For all practical purposes nobody got a 1; 2.5 was really bad, 3.0 was average, 3.5 was good, 4.0 was great, 4.5 was epic and very rare, and legend held that 5.0s were only awarded by special dispensation of Bill Gates himself, and that there could only be one per year per category. When review time came around I knew I'd done pretty well for once, so I was expecting a good score, but even I was shocked when they told me they were putting in for a 5.0, which I didn't even believe existed at the time. But alas, a week or two later, like the Highlander, there can be only one, and Bill decided that it was not my time. My review score came back pushed down to a 4.5, a still excellent score that edged my lifetime average just nicely over 4.0, so I was happy with that, and the promotion that came along with it. But still, it would have been a better story with a 5.0, but I never got one. More on that in the upcoming Microsoft employee reviews episode.

Speaking of which, we haven't even got to crypto yet, and I'm way over time already, so I'm gonna have to split some of these stories off into another episode as well. So if you're not already subscribed, I'd be very pleased if you considered doing so, as it lets me know that this episode was going in the right direction; then I'll make more like it, and you'll be notified when I do, so it's a win-win. Besides, I'm not selling anything. I don't have any Patreons. I'm just in this for the subs and likes, so please do leave me one of each before you go. Before I make the next episode, I would really appreciate it if you leave me a comment with an indication of what you want to know more about, both in terms of activation in particular and Windows development in general. Even if I didn't work on that part, odds are I know who did and can dig up some interesting dirt. I'm pretty active in the comments, so please do leave me a note. Thanks for joining me here today out in the shop. In the meantime, in between time, I hope to see you next time here in Dave's Garage. This little chair will be waiting for one of you, and a rocking chair for another who likes to rock, and a big armchair for two more to curl up in, all next time on Dave's Garage.
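The compact hardware ID the video describes (a 2-bit RAM class, a small hash of the MAC, a few bits per component, the whole thing short enough to read over a phone, and a client that only decides whether enough has drifted to ask the back end) can be shown end to end in a few dozen lines. The block below is an added illustration in Python; it is not Dave Plummer's code and not Microsoft's WPA implementation. The field list, bit widths, RAM buckets, the two-change threshold, the base-24 alphabet, the helper names and the sample inventory are all assumptions chosen for the example.

```python
import hashlib

# Toy hardware ID added for illustration. Field list, bit widths, RAM buckets,
# threshold and alphabet are assumptions, not the real WPA layout.

# Upper bounds (MB) of the first three RAM classes; anything above is class 3.
# Classes: 0 "too small", 1 "just right", 2 "a little extra", 3 "really big".
RAM_BUCKETS = (128, 512, 2048)


def ram_class(ram_mb):
    """Map a memory size to a 2-bit class instead of storing the raw size."""
    for cls, upper in enumerate(RAM_BUCKETS):
        if ram_mb < upper:
            return cls
    return 3


def small_hash(value, bits):
    """Truncate SHA-256 of a component identifier to its low `bits` bits."""
    digest = hashlib.sha256(value.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") & ((1 << bits) - 1)


# (field name, bit width, extractor over the inventory dict): 40 bits in total.
FIELDS = (
    ("ram",     2,  lambda hw: ram_class(hw["ram_mb"])),
    ("mac",     10, lambda hw: small_hash(hw["mac"], 10)),
    ("cpu",     6,  lambda hw: small_hash(hw["cpu"], 6)),
    ("volume",  10, lambda hw: small_hash(hw["volume_serial"], 10)),
    ("display", 5,  lambda hw: small_hash(hw["display"], 5)),
    ("disk",    7,  lambda hw: small_hash(hw["disk"], 7)),
)
TOTAL_BITS = sum(bits for _, bits, _ in FIELDS)


def build_hwid(hw):
    """Pack every field into one integer, first field in the lowest bits."""
    hwid, shift = 0, 0
    for _, bits, extract in FIELDS:
        hwid |= (extract(hw) & ((1 << bits) - 1)) << shift
        shift += bits
    return hwid


def unpack_hwid(hwid):
    """Split a packed hardware ID back into its per-field values."""
    fields, shift = {}, 0
    for name, bits, _ in FIELDS:
        fields[name] = (hwid >> shift) & ((1 << bits) - 1)
        shift += bits
    return fields


def changed_components(stored_hwid, current_hwid):
    """Names of the fields that differ between the stored and current ID."""
    stored, current = unpack_hwid(stored_hwid), unpack_hwid(current_hwid)
    return [name for name, _, _ in FIELDS if stored[name] != current[name]]


def must_contact_clearinghouse(stored_hwid, current_hwid, max_changes=2):
    """Client-side decision only: has enough drifted that the back end must
    re-evaluate? Whether the licence stays valid is never decided here."""
    changes = changed_components(stored_hwid, current_hwid)
    return len(changes) > max_changes, changes


# Phone-friendly rendering: base 24 over an alphabet without easily confused
# characters (an assumption). 24**9 > 2**40, so 40 bits fit in 9 characters.
PHONE_ALPHABET = "BCDFGHJKMPQRTVWXY2346789"
PHONE_LENGTH = 9


def encode_phone(hwid):
    """Render the packed ID as a fixed-length string a user could read aloud."""
    chars = []
    for _ in range(PHONE_LENGTH):
        hwid, rem = divmod(hwid, len(PHONE_ALPHABET))
        chars.append(PHONE_ALPHABET[rem])
    return "".join(chars)


def decode_phone(text):
    """Inverse of encode_phone."""
    value = 0
    for ch in reversed(text):
        value = value * len(PHONE_ALPHABET) + PHONE_ALPHABET.index(ch)
    return value


# Constructed sample inventory; not a real machine.
SAMPLE_PC = {
    "ram_mb": 256,
    "mac": "00:11:22:33:44:55",
    "cpu": "GenuineIntel family 6 model 8",
    "volume_serial": "1A2B-3C4D",
    "display": "NV11",
    "disk": "WD-WMA0000000",
}

if __name__ == "__main__":
    activated = build_hwid(SAMPLE_PC)
    print("HWID at activation:", encode_phone(activated))
    # The summer upgrade from the story: new RAM, NIC and CPU on the same board.
    upgraded = dict(SAMPLE_PC, ram_mb=4096, mac="00:11:22:66:77:88", cpu="AMD K7")
    print(must_contact_clearinghouse(activated, build_hwid(upgraded)))
```

The design point worth noticing is the split of responsibilities: the client can compute and compare IDs, but the only thing it concludes is "ask the server" or "don't", and the server's answer is what gets signed alongside the product ID. A forged or edited hardware ID on the client therefore buys nothing durable, because the signed pair stored with the license will not match the hardware actually present at a later check, which is exactly the detection the video describes.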
Info
Channel: Dave's Garage
Views: 154,738
Rating: 4.940454 out of 5
Keywords: windows war stories, windows product activation, activation, davepl, windows 10, product key, insider stories, task manager, source code, WPA, anti-piracy, piracy, Copy protection, windows 7, windows 8, find windows 10 product key, crack, serial number
Id: FpKNFCFABp0
Length: 21min 23sec (1283 seconds)
Published: Sat Jan 16 2021