Beyond knowing that Microsoft strongly opposes having its products pirated, it’s somewhat rare to learn how Microsoft uses suspicious product activation patterns to identify pirated products. Yet a complaint (pdf) Microsoft filed in a U.S. District Court in Seattle, Washington, gives us some insight into how the company’s cyberforensic team identifies suspicious activation patterns.
In 2014, there were several examples of what we normally hear in regard to Microsoft fighting piracy. Microsoft released a white paper titled “The Link Between Pirated Software and Cybersecurity Breaches: How Malware in Pirated Software is Costing the World Billions” (pdf). Microsoft also joined efforts with attorneys general in Louisiana and Oklahoma in order to tackle overseas software piracy of the kind that has been rampant in China. At the start of December, Microsoft Germany cracked down on deceptive sales of product keys for Windows and Office by blocking 50,000 license keys. The keys to activate products had been included in “temporary licenses for trial versions or OEM licenses that had been sold illegally.”
Although Microsoft claims not to know the “true identities” of the defendants pirating its software, it knows the IP address, 18.104.22.168, and that the alleged pirates are using AT&T as an ISP.
The new complaint filed (pdf) in federal court explains, “A Microsoft product key is a 25-character alphanumeric string generated by Microsoft and provided to customers and OEMs.” The product key and “other technical information” about a device are generally transmitted to activation servers located in Tukwila, Washington.
Original Equipment Manufacturer (OEM) distribution channels include the sub-channels of the Commercial OEM channel (COEM) and the Direct OEM channel (DOEM). Microsoft wrote that COEMs use “individual product keys to install and activate software” on PCs. DOEMs use “either a master key to install Windows software (as in the case with Windows 7) or a separate file generated from Microsoft to install and activate Windows software (as in the case with Windows 8) for each device.”
Microsoft said it launched the Microsoft Cyber Center to combat the piracy of its software. Microsoft’s cybercrime “cyberforensic” methods include analyzing “product key activation data voluntarily provided by users when they activate Microsoft software, including the IP address from which a given product key is activated.” “Voluntarily” seems like odd wording, considering you must enter a product key to activate Microsoft’s software as “genuine.”
Nevertheless, Microsoft wrote:
“Cyberforensics allows Microsoft to analyze billions of activations of Microsoft software and identify activation patterns and characteristics that make it more likely than not that the IP address associated with the activations is an address through which pirated software is being activated.”
It’s not spelled out how many times pirated copies of Windows 7 and Office 2010 were activated in order to earn Microsoft’s displeasure and legal attention, but the complaint added:
“On information and belief, Defendants have activated numerous copies of Windows 7 and Office 2010 with product keys that have the following characteristics:
a) Product keys known to have been stolen from Microsoft’s supply chain;
b) DOEM product keys impermissibly used in the COEM and/or refurbisher channel; and
c) Product keys of various types used more times than is authorized by the applicable software license.”
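To make the three characteristics concrete, here is an added illustration (not Microsoft’s method and not code from the complaint) that tags constructed activation records with characteristics a, b and c and then groups the hits by source IP. The record fields, key strings, license limits and the `min_flagged` threshold are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample data: keys, channels and limits below are placeholders.
STOLEN_KEYS = {"KEY-STOLEN-1"}
KEY_INFO = {  # key -> (channel the key was issued to, licensed activation count)
    "KEY-STOLEN-1": ("COEM", 1),
    "KEY-DOEM-1": ("DOEM", 1000),
    "KEY-RETAIL-1": ("RETAIL", 1),
    "KEY-COEM-1": ("COEM", 1),
}
ACTIVATIONS = [  # (source IP, product key, channel observed at activation)
    ("203.0.113.7", "KEY-STOLEN-1", "COEM"),
    ("203.0.113.7", "KEY-DOEM-1", "COEM"),
    ("203.0.113.7", "KEY-DOEM-1", "REFURB"),
    ("203.0.113.7", "KEY-RETAIL-1", "RETAIL"),
    ("203.0.113.7", "KEY-RETAIL-1", "RETAIL"),
    ("203.0.113.7", "KEY-RETAIL-1", "RETAIL"),
    ("198.51.100.4", "KEY-COEM-1", "COEM"),
]


def classify(key, observed_channel, uses_so_far):
    """Return which of the complaint's characteristics (a, b, c) an activation matches."""
    info = KEY_INFO.get(key)
    if info is None:  # unknown key: nothing to compare against
        return set()
    issued_channel, limit = info
    flags = set()
    if key in STOLEN_KEYS:
        flags.add("a_stolen")
    if issued_channel == "DOEM" and observed_channel in ("COEM", "REFURB"):
        flags.add("b_channel_misuse")
    if uses_so_far > limit:
        flags.add("c_over_limit")
    return flags


def suspicious_ips(activations, min_flagged=3):
    """Count flag hits per source IP; keep IPs with at least min_flagged hits."""
    uses = defaultdict(int)  # activations seen so far per key, across all IPs
    per_ip = defaultdict(lambda: defaultdict(int))
    for ip, key, channel in activations:
        uses[key] += 1
        for flag in classify(key, channel, uses[key]):
            per_ip[ip][flag] += 1
    return {ip: dict(f) for ip, f in per_ip.items() if sum(f.values()) >= min_flagged}


if __name__ == "__main__":
    print(suspicious_ips(ACTIVATIONS))
```

The single in-license activation from the second address produces no hits, so only the address that combines all three characteristics is reported.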
Microsoft settled 3,265 software piracy cases across 19 U.S. states and 42 countries in 2013; it primarily went after big dog companies that were redirecting “money saved by using pirated software to hire employees and to expand their facilities and their research and development efforts.” The new complaint (pdf) also does not appear to be going after individuals using pirated copies of Windows and Office, but after a person or persons continually activating Windows 7 and Office 2010.
It seems likely Microsoft is gunning for someone selling computers loaded with pirated Microsoft products. Microsoft wrote, “Defendants’ activities are likely to lead the public to conclude, incorrectly, that the infringing materials that Defendants are advertising, marketing, installing, offering, and/or distributing originate with or are authorized by Microsoft, thereby harming Microsoft, its licensees, and the public.”
Microsoft wants the defendants unmasked and for them to pay for the pirated software as well as hand over any “illegally received money and profits in the form of bank accounts, real property, or personal property that can be located and traced.”
As TorrentFreak pointed out, Microsoft CEO Satya Nadella previously claimed Microsoft has always had “freemium” software, otherwise known as piracy; but sometimes using the product can turn pirates into paying customers.
Lastly in Microsoft news, Kevin Turner, Chief Operating Officer at Microsoft, said the company wants “Windows 10 on billions of devices,” but despite previous speculation, don’t count on Microsoft releasing Windows for free.