This morning, as I was checking my feeds while standing in line waiting for coffee, I saw a few headlines about a reported brute force attack on product keys for Windows Vista. The attack randomly searches for legit keys. This is called a brute force attack because there really isn’t much intelligence involved and the goal is to just randomly cycle through key after key after key until a legit one is found. One report indicates that the script written to perform this attack goes through about a thousand keys every half an hour; frankly, that’s a pretty slow brute force attack.
In one of the forums I was scanning this morning, there was a question brought up: assuming the attack were successful (and this hasn’t been confirmed yet), what would happen if a key that was hit upon was also the same key in use by a legitimate customer? Really, this would boil down to a customer service issue and we would work to make sure that our customers are taken care of. Having said this, personally I think it’s unlikely that this would happen, as our product activation servers perform a more rigorous analysis of the keys that are sent up for activation than the local key logic does. For this reason, producing keys that will ultimately activate is less likely than just hitting upon one that will pass the local logic. But if anyone does hear of a report of a legit customer being refused a product activation on a genuine key, please let us know.
We’re looking more deeply into this issue now and I’ll post more info soon.