BIOS Locking: More Intrusive Than WPA
Amid all the uproar over Microsoft's product activation feature in XP, no one seems to be concerned about another intursive technology: BIOS-locking.
July 18, 2001
My recent columns about Windows Product Activation (WPA) have generated a lot of reader feedback, and I want to address some of the most common concerns. I promise this column will be my last word on the subject—at least until Windows XP goes into general availability on October 25.
Quite a few folks asked whether I had seen the WPA report from the German company Fully Licensed GmbH, although none of them expressed an opinion about the report's conclusions. The report doesn't discuss whether WPA is a good idea; the company simply reverse-engineered the WPA process to determine whether the activation process reported any information back to Microsoft that could be considered a security or privacy violation. The report concluded that the information that WPA passes to Microsoft is innocuous. You can read the report here and judge for yourself.
I asked Microsoft for a reaction to the Fully Licensed report and received the following response:
Microsoft has no problem with the report or its publication.
We [Microsoft] were given some advance notice of this report's pending publication and have reviewed it. It's a report on some well-engineered work.
The contents and conclusions don't surprise us. The conclusions, in fact, support many of the statements we have made already about product activation: We respect users' privacy, and the vast majority of users will never have to reactivate once they activate initially.
The report is largely accurate technically, but it also contains some errors. The errors, in our opinion, do not affect the report's conclusions.
We will not pass judgment on the technical details of the report.
There is no security issue here. Companies and individuals research, decompile, and review our code all the time. There is nothing in the report that can aid hackers.
I've also had more personal experience with WPA since I wrote my first column on the topic; I installed Windows XP Release Candidate 1 (RC1) on my primary desktop and ran into quite a few problems, most of which I've resolved. But in the course of resolving those problems, I tried quite a few things, including reinstalling the OS, adding hard disks and memory, switching video cards, and making low-level changes using the Recovery Console (RC). Nothing I did required me to reactivate the OS until I moved the hard disks and video card to an almost-identical machine (same manufacturer, same system BIOS) but about a year newer (so the system probably had other changes that weren't obvious). This move caused Windows XP and Office XP to require reactivation.
I faced the Office XP reactivation with some trepidation because my last experience with the Office XP activation center was less than sterling. This time, the reactivation process went smoothly. I called the center and explained that I had upgraded my system hardware and that Office XP reported that the hardware had changed significantly. The customer service representative asked me for the product code and then gave me the new activation key. The entire process took less than 5 minutes. Keep in mind that if you have a corporate license, no reactivation of either Windows XP or Office XP is required.
Frankly, I'm not sure why the user community is screaming about Microsoft's product activation policy; it doesn’t seem that the company is doing anything all that heinous. Personally, I think that BIOS-locking the OS is a far more intrusive action.
If you're not familiar with BIOS-locking, it works like this: The copy of Windows 2000 (or XP or Windows Me) that you receive with your new computer is locked to that computer vendor's BIOS. The OS won't install on a computer from a different vendor. I heard about this problem from some folks who had bought new desktop computers with Win2K preinstalled, then decided to put their old copies of Windows 98SE on the new desktop machines so they could play games. This approach left them with what they thought were bought-and-paid-for copies of Win2K Pro that they could use. Many of them tried to install the OS on their notebook computers, only to find that the OS wouldn't install.
I wrote about the BIOS-locking problem when I first heard about it, but users didn't seem to care that they couldn't use a legally owned and licensed copy of the OS on any computer they chose. But when Microsoft attempts to add an antipiracy measure to prevent casual copying of the OS—a measure that will affect only a small percentage of the user base—everybody from the Wall Street Journal on down hops on the Microsoft-bashing bandwagon. Yes, some concerns about product activation are valid, but the vitriol that has appeared over product activation seems way out of proportion.
About the Author
You May Also Like