Everything you always wanted to know about Windows Product Activation

Last week I explained why Microsoft’s changes to Windows Product Activation (WPA), which take effect today, are no big deal for most Windows users.

Sadly, the FUD about this issue is spreading through the Internet without much regard for the underlying facts. In addition to Betanews and Slashdot, the story has been picked up by eWeek, CNET News.com, eHomeUpgrade, Microsoft Monitor, WinInsider, InfoWorld, and countless others. The general consensus is that “customers who find themselves reinstalling Windows XP should be ready for a headache,” as CNET put it. Fortunately, that conventional wisdom is wrong.

Trying to make sense of the ins and outs of Windows licensing can be difficult even for someone who makes a living as a Windows expert, so it’s understandable that a reporter trying to write a 200-word story on a tight deadline would get confused. WPA is a complex technology. By the time you finish this article, you’ll understand it a lot better.

More FUD about activation

This little bit of nonsense from Mac-centric freelance writer Ian Betteridge plopped into my RSS reader this morning: Activation becomes more annoying.

My eWeek colleague Mary Jo Foley takes a look at Microsoft’s decision to change Windows activation so that you will no longer be able to activate via the Internet if you’re using a PC from one of the major vendors. While I can understand Microsoft’s reasons for this, it makes activation just slightly more irritating…

Which is followed by the familiar “get a Mac” coda.

Sounds horrible, doesn’t it? Oh, but wait. What Mr. Betteridge doesn’t know, because he isn’t really a Windows specialist, is that if you buy a new computer from one of these “major vendors,” you don’t have to activate it. The system manufacturer activates your copy of Windows when the computer is built. You can reinstall the operating system on that computer using the original Windows XP CD as many times as you want, with no activation required. You would need to call for activation only if one of the following circumstances were true:

  • You were trying to use the original installation CD on a different computer than the one it was purchased with. (That would be a violation of the license agreement, and that is the whole point of this change.)
  • You upgraded the system BIOS with a flash that didn’t include the System Locked Pre-installation information.
  • You replaced the motherboard with one from a different manufacturer that did not include the same BIOS.
  • You substantially changed the computer by replacing multiple components simultaneously. (A couple minor upgrades won’t do it; assuming the motherboard is from the same manufacturer, you would need to replace practically every other internal component to trigger this so-called out-of-tolerance condition.)
  • Your system has been infected by a virus that replaced the contents of the BIOS. (I can’t remember the last time I heard of one of these appearing outside of a virus-testing lab, and if you get a BIOS-level virus you have much bigger problems than activation.)

If one of these conditions is true, you will need to call a toll-free number to activate your installation. I’ve done this a few times and can report that the process typically takes less than 10 minutes. But most people who buy a computer from Dell or Gateway or HP or another of the world’s top 20 PC makers will never encounter the need to activate.

Back in 2001, when Windows XP was still in beta, I remember reading predictions that Windows Product Activation would be such an inconvenience that it would result in catastrophic failure for the new OS. That didn’t happen. In fact, can you even remember the last time you thought about product activation? For most people, most of the time, it’s simply a non-issue. And that’s what this change will mean: nothing.

Update: Dell’s Web site offers a very clear explanation of the differences in activation between a retail copy (which requires Windows Product Activation) and an OEM copy that uses the System Locked Preinstallation technology. Although the specifics of this explanation apply to PowerEdge servers running Windows Server 2003, the exact same technology is used for Windows XP installations. I’ve highlighted the relevant section:

The Windows Server 2003 OS must be activated after installation. An OS installed manually using a Microsoft retail CD is activated through Windows Product Activation (WPA), which requires each installation of the OS to be activated either online or by phone through a Microsoft License Server clearinghouse.

The Windows Server 2003 CD that ships with PowerEdge servers has a built-in anti-piracy technology known as System Locked Preinstallation (SLP). The SLP feature enables administrators to bind the OS to a system’s specific hardware so that activating Windows Server 2003 is not necessary. When an SLP-enabled CD is used to install the OS, administrators need not type in a unique product key.

Because SLP-enabled CDs are designed only for clean installations of Windows Server 2003, administrators installing the OS using the CD should also boot from it. SLP is not supported while running setup.exe or winnt32.exe, because these executable files run from within an existing Windows environment.

An SLP implementation is transparent to the end user, without any noticeable difference from a manual installation using retail media. However, the SLP process works only on supported PowerEdge servers that ship with Windows Server 2003. In addition, any tampering with the SLP-enabled CD automatically invokes WPA. The SLP-enabled CD is available only for 32-bit versions of Windows Server 2003, not 64-bit versions.

This technology is available to all OEMs and is very widely used.

Update: I have posted a very detailed follow-up on the changes in Windows Product Activation and what it means for you.

Why was Media Player updated?

Updated March 2…

eWeek is out with a news story headlined “Microsoft Updates Media Player to Thwart Spyware Threat”. As far as I can tell, this story is almost completely inaccurate.

Microsoft Corp. has released an update for its flagship Windows Media Player to protect users from a known threat of spyware infection.

Microsoft said the update … installs two components on end users’ computers and will add “additional integrity checks to the DRM [digital rights management] system.”

The company made no mention of a spyware infection, but a spokesperson confirmed the new version of the player was released after Microsoft confirmed that malicious hackers were using the copy-protection mechanism to install spyware, adware, dialers and computer viruses on unsuspecting PC users.

The article refers to the Update for Windows Media Digital Rights Management-enabled players (WindowsMedia-KB891122-x86). I’m still testing, but I see nothing in the KB article that documents this fix that would indicate there is any protection for users. It appears that the spokesperson is in error and the reporter simply accepted the inaccurate statement.

To make matters more confusing, an update to Windows Media Player 10 was also released this week, without any documentation of what was changed. Yesterday, Ed Oswald at BetaNews talked with a Microsoft spokesperson who said that this update was the promised fix to the spyware/adware issue:

Microsoft on Wednesday issued an updated Windows Media Player 10 to correct a potential security issue that could allow an attacker to mislead users into downloading malware or viruses instead of a license to playback DRM content.

A spokesperson for Microsoft confirmed that the new WMP release, marked build 3802, was the promised update to take care of issues related to the player’s digital rights management functions.

Needless to say, at least one of these stories is just plain wrong, and I strongly suspect that both are wrong.

CNET News.com has a slightly expanded story that contains similar assertions:

The Redmond, Wash., giant on Tuesday introduced an update to its Windows Media Player, which included changes aimed at blocking the Japanese hackers’ work, as well as a security update.

[…]

The new update also addresses a problem exposed a month ago, in which the Media Player and its digital rights management software could be used to show ads–or even to lure unsuspecting Web surfers into downloading harmful software onto their hard drives, security researchers said.

The process exploited a feature of the Media Player content protection, which allows protected files to pop up a Web page with information about a video or song license. In such a case, that page could be loaded with automatic spyware download mechanisms, Spanish security company Panda Software said.

 

The new update to the Media Player software contains a setting that allows consumers to request that they be notified any time their computer is going onto the Internet to obtain a content license. By default, this option will be turned off, but computer users can turn it on, Caulton said.

I’ve installed the Digital Rights update on a test PC and compared its options to those on a computer without the update. I can’t find any option in Windows Media Player 10 that matches the description in this story. If it’s there, it’s well hidden. It may be that the option is only available in Windows Media Player 9, but I’ll need to do further testing to see whether that’s the case.

[Update: In a comment to this post, Ben Edelman notes that he has tested the patch with WMP9 and found that it does not change the behavior observed before installing the patch. Ben’s comment includes links to a screen shot and a video of his results showing exactly how the exploit can deceive a naive user. Warning: The end of the video contains explicit sexual content that some viewers may find offensive.]

[Update, March 2: For a follow-up on this story, see “How to Fumble a Security Update.”]

Dear Microsoft, what’s in this new Media Player version?

Dear Microsoft,

When you release a new update to Windows Media Player 10 like the one that mysteriously appeared in the Microsoft Download Center yesterday, it would be nice if you also included some documentation on what sort of changes are included. I noticed a “Music Assistant” flash past as the install proceeded, and the new version number is 3802. But it would be really, really nice if I knew a few more details.

Thanks for listening.

Will new Microsoft add-ons trigger new antitrust charges? No.

In a comment on another post, Thomas Brock asks:

So… Will these additions to AV services, the anti-spyware services, the media playsforsure services and the internet and desktop search services add to the monopoly charges?

Short answer: No. Everything Microsoft does with Windows has to be cleared by the Department of Justice. That was one of the terms of the original antitrust settlement. Reasonable (and not-so-reasonable) people may disagree over how fair that settlement was, but the DOJ holds the cards and they get veto power over lots of decisions. You can also be certain that any decision to add a feature has already been reviewed by a room full of lawyers.

My personal opinion is that security features belong in the operating system. Internet connectivity and Web browsing tools are an essential part of any computer operating system today. Forcing Microsoft to maintain an environment where users must purchase add-on products so that they can safely use core features of the operating system is just wrong.

Search capability belongs in the OS as well. In fact, it’s always been there; it just hasn’t been implemented well. If other people can do it better, more power to them. That’s been the model so far for alternative browsers, and it seems to be working just fine. Firefox has been downloaded 25 million times, mostly by people using Internet Explorer. There’s nothing in Windows that keeps me from downloading, installing, or using Firefox. This is a great example of a product that does a better job than Windows and is deservedly reaping success.

Update: Symantec’s CEO, John Thompson, seems to agree, according to these remarks from yesterday’s RSA conference, as published in the seattlepi.com Microsoft Blog:

On whether Symantec would raise antitrust objections over Microsoft’s decision to offer free anti-spyware protection to Windows users: “I’d rather fight Microsoft in the marketplace because we’re convinced we can whup ’em. So this is not about showing up in Washington or whining on someone’s doorstep about what Microsoft can or might do. To the extent that they violate the position of prominence that they have, be assured that we’ll be watching, but whining in Washington about press releases or pointing to left field by Bill and his team, I mean, of what value is that?”

Not to mention that the complaint would go nowhere.

More stuff I saw at DEMO

Here are a few interesting products I saw yesterday at DEMO.

Cloudmark (formerly SpamNet) showed off a browser add-on called SafetyBar for Internet Explorer. It’s a logical extension of their SafetyBar for Outlook and Outlook Express, which uses a community-based filtering system to very effectively block spam and viruses. The idea behind the SafetyBar for IE is simple: You install the add-in, which puts a new toolbar in the IE window (sorry, this product doesn’t work with Firefox). Every time you visit a Web site you can rate it as safe or unsafe. Meanwhile, an entire community of other Cloudmark users are doing the same. If you receive an e-mail with a link to a Web site that’s “phishing” for personal information, chances are the site has already been rated unsafe, which means you’ll see a warning message when you click the link. My take? It’s still a reactive process. This sort of checking should be done at the ISP level, and it shouldn’t be up to the user to install yet another piece of security software. I’m also concerned that the overhead of checking URLs against the Cloudmark database will slow down browsing.

Photoleap showed off a very interesting free application that solves some of the inherent problems with sharing digital photos. E-mail is a terrible way to share photos, especially hi-res copies of multiple images. Online services add an unnecessary layer of complexity. Photoleap (available in Windows and Mac versions) lets you open what looks like an ordinary e-mail window and drag in a bunch of photos. You add the recipients’ addresses and your message and click Send. The program converts the photos into thumbnails and sends a link to the recipient, who can then install Photoleap to pick up the full assortment of pictures you sent. I definitely want to try this one out. The free version limits photos to 2 megapixels and 25 photos per message and also displays ads in a sidebar. If you want to send or receive larger photos or send more than 25 at a time (and get rid of those pesky ads), pay $29 for the Plus version. You can try the Plus version free for 30 days.

Teleo has a new voice-over-IP service that gives you a personal phone number for $4.95 a month and the opportunity to make free PC-to-PC calls and receive unlimited calls from anyone (with or without a PC) or send calls to any number (including land lines) for a pretty low cost. Generally, the cost was very low – in the 2-cents-a-minute range for outbound calls from the U.S. to land lines in Europe. I haven’t been tempted by the Skype hype, but this one sounds like a tremendous deal. (Update: Stuart Henshall has a longer evaluation of Teleo and calls it “a real winner.” I found the link via his Skype Journal.)

I’ll have more later today.

IE is about to get a major update

I was as surprised as anyone to see today’s announcement that Microsoft is getting ready to release a new version of Internet Explorer.

Gates announced Internet Explorer 7.0, designed to add new levels of security to Windows XP SP2 while maintaining the level of extensibility and compatibility that customers have come to expect. Internet Explorer 7.0 will also provide even stronger defenses against phishing, malicious software and spyware. The beta release is scheduled to be available this summer.

In other news, Microsoft also announced that the personal version of Microsoft AntiSpyware will be available free to all licensed Windows customers. Well, Windows 2000, Windows XP, and Windows Server 2003, anyway. That’s a very good call.

Protect yourself at hotspots

The Security Mentor has some interesting comments on the Windows Firewall that’s included with Windows XP SP2. He notes that, unlike the Internet Connection Firewall in SP1 and earlier, the Windows Firewall assumes that you want to trust all computers on your local network:

So the built-in Windows firewall hides file and print sharing from the Internet at large but makes them completely available to your local area network. That way you can share a printer with your wife but keep your files safe(r) from strangers on the Internet.

Q: You’re about to point out a catch, aren’t you?

Yes.

What happens when you’re at a coffee shop?

The whole coffee shop is one local area network. The firewall is going to assume that since all the other customers are on the same local network that it can trust them.

Ah, but the designers of the Windows Firewall were clever enough to plan for that scenario. The next time you’re out and about with your WiFi-equipped notebook and decide to connect to a wireless network, do this first:

  1. Click Start, and then click Control Panel.
  2. Double-click the Windows Firewall icon. (If you’re using the Category view of Control Panel, click Security Center and then click the Windows Firewall icon at the bottom of the dialog box.)
  3. On the General tab of the Windows Firewall dialog box, make sure On is selected and then click to select the Don’t allow exceptions check box.
  4. Click OK. Traffic from all local network sources is now blocked.

Remember to clear this check box when you get back to your trusted network.
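
The same toggle can be scripted so it is one command before joining a hotspot and one command back on the trusted network. This is an added example, not part of the original post; it assumes Windows XP SP2's `netsh firewall` context and an administrator account, and the script name `hotspot.cmd` is hypothetical.

```batch
@echo off
rem hotspot.cmd (hypothetical name): toggles the "Don't allow exceptions"
rem setting of the Windows Firewall in Windows XP SP2.
rem   hotspot.cmd on   -> firewall on, all exceptions blocked (untrusted network)
rem   hotspot.cmd off  -> firewall on, exceptions allowed again (trusted network)
rem   hotspot.cmd      -> only show the current operational mode
setlocal

if /i "%~1"=="on"  goto lockdown
if /i "%~1"=="off" goto relax
if "%~1"==""       goto show
echo Usage: %~nx0 [on^|off]
exit /b 2

:lockdown
rem Equivalent to selecting On and checking "Don't allow exceptions"
rem on the General tab of the Windows Firewall dialog box.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE
if errorlevel 1 goto failed
goto show

:relax
rem Leaves the firewall on; only the configured exceptions are re-enabled.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE
if errorlevel 1 goto failed
goto show

:show
rem Print the resulting state so the change is confirmed, not assumed.
netsh firewall show opmode
exit /b 0

:failed
echo Could not change Windows Firewall settings. Run from an administrator account.
netsh firewall show opmode
exit /b 1
```

Check the output of `show opmode` after each run: the exception mode line should read Disable while on the hotspot and Enable once you are back on the trusted network.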