Get the top HN stories in your inbox every day.
Tepix
ryx
Yep. This seems to be the most overlooked part of the article, although maybe the most interesting.
Unfortunately not for anyone who has activated the auto-update feature on his/her Xbox, as the latest system software version seems to include a higher kernel version than supported by the collateral-damage exploit.
38
Exactly why you should never, ever, enable auto update, for anything. Too often it ends up breaking something or patching something you don't want patched. It allows a profit seeking company to enable or disable software functionality on your device, regardless if it's in your interest.
indrora
It should be noted that unless you've modified an Xbox One, from what I understand you cannot stop it from auto updating unless you permanently disconnect it from the internet (which will cause your licenses to eventually expire, in the year timespan or so), new launch games won't run (they're tied to a minimum version of the OS).
thot_experiment
Yup, 100%. My golden rule of computers is:
If it's working right now, an update can only cause it to break. The best case scenario is that it still works. Why would you roll the dice?
appendix-rock
Absurd. There are benefits to enabling auto-updating (security, etc). One should weigh up the costs / benefits oneself and make a call based on that. As usual, such absolutist guidance is hyperbolic.
HeavyStorm
Yeah, never ever make sure you are patched against hackers who can exploit your devices...
newdee
Nobody should follow this advice. Not least because you (the person giving it) wouldn’t have to live with the consequences of following it, but mostly because it’s idiotic.
simonjgreen
Total tangent, but extremely interested in the use of the Yen/Yuan sign as a footnote marker. Is there some history here I’ve overlooked or is this just arbitrary?
Tepix
Haha - I was looking for ¹, ² or § but couldn't find them on my German iPad onscreen keyboard, so I improvised.
pbhjpbhj
Interesting that you'd use "Section", "§", as a reference marker. Asterisk (*), and dagger (†) are common reference markers in British English, but not the section sign, aka "silcrow".
Is that a common usage /auf Deutsch/? Such use is listed on the Wikipedia page, but it's a use I don't ever recall having seen before.
quectophoton
I usually do it like this[1], if that helps.
[1]: Borrowing syntax from Markdown.
AStonesThrow
I learned BASIC programming on a VIC-20, and I typed in so many "A$, B$, C$", for decades thereafter I pronounced "$" as "string" ("A-string, B-string", etc); it got weird as I discussed Perl scripts with coworkers...
petabyt
So many memories just flooded my brain of using § for Minecraft Pocket edition...
bratwurst3000
you have to hold a key longer and then there it is. i think it was „s“
bewaretheirs
I've not seen it used this way before but it is similar enough to the dagger and double-dagger symbols that the intent to use it as a footnote marker is clear.
nicolas_t
Now I just wish this could give me a license to install the Lego Boost for Windows 10 app that used to be on the windows store until 2020...
From my understanding, if you have the license, then you can still download it but it's not available for new users.
throwaway9858
try https://store.rg-adguard.net/ to download the app, and then either keyhole to license it or just unpacking it and installing it in developer mode.
nicolas_t
Thanks a lot, I didn't know this worked.
layer8
Maybe you could use this instead: https://en.scratch-wiki.info/wiki/LEGO_BOOST_Extension
nicolas_t
I tried that and it'll be great when my kid is older but the Lego Boost app has some kind of gamification built in that's honestly pretty sweet and is a good gateway I think.
Right now, I'm using an android emulator to be able to run the app on a laptop (we don't have tablets) but it's a janky experience compared to a native windows app.
layer8
If I read this correctly, Microsoft will be able to reduce the applicability of the temporary-license signing key, meaning that you probably won’t be able to generate permanent licenses for long.
throwaway48476
Can this be used to enable the HEVC extension without a M$ account? It's so frustrating they can't license the patents as a lump sum.
e4m2
You don't need this exploit. You could use a media player that doesn't need MS codec packs, but assuming this is not an option:
1. Go to https://store.rg-adguard.net.
2. Paste in https://apps.microsoft.com/detail/9n4wgh0z6vhq.
3. Change ring to "Retail".
4. Download the file with an "appxbundle" extension.
5. Install it (might need to enable developer mode for this step; don't remember).
Stagnant
The links to download the official microsoft signed HEVC installers can actually also be found at massgrave.dev[0] It truly is an awesome resource.
0: https://massgrave.dev/unsupported_products_activation#hevc-v...
throwaway48476
Awesome
dist-epoch
You don't need to pay. You just need the direct link
ms-windows-store://pdp?productId=9N4WGH0Z6VHQ
ms-windows-store://pdp?productId=9PMMSR1CGPWG
ms-windows-store://pdp?productid=9MVZQVXJBQ9V
ms-windows-store://pdp?productid=9N4D0MSMP0PT
ms-windows-store://pdp?productid=9N95Q1ZZPMH4
Alifatisk
How do you get the direct link?
dist-epoch
I got them from reddit: https://old.reddit.com/r/Windows10/comments/j58y6f/no_longer...
There are many articles with this workaround. Funny how it still works, almost 4 years later. This is not an accident, MS knows what it's doing.
Rinzler89
Why would you need it? HEVC codec ships with the driver package from your GPU vendor.
esperent
This hasn't been my experience. Nvidia + Intel GPU drivers are installed but I still can't play HEVC with the default windows media player. MPC Black works fine though, and probably VLC too.
deeth_starr_v
This is my experience also. VLC does work as it has its own HEVC
RockRobotRock
Why didn’t that work for me? I have an nvidia gpu
libertine
This sort of thing over decades has been the best distribution and communication channel for Windows.
23B1
Does not apply to most other software.
libertine
Yes, but I think it works exceptionally for other software, like games!
One example that stands out was the hacking/modding scene of the GTA Vice City with Multi Theft Auto, and even GTA SA, which gained a massive player base that would have never experienced the game and created emotional bonds with it. I can't prove this of course, but I bet a huge portion of the GTA V success was from users who played a modded version of the game in the past "for free".
Another example is the Adobe Suite, like Photoshop, and Illustrator, which allowed many people to become proficient with the Adobe tools and be part of a qualified workforce using that same suite of tools. A lot of these professionals from low-income countries would never have had access to these tools otherwise in their formative years.
Price is a barrier to entry for many users who wouldn't have paid for the software.
gjsman-1000
Very nice utopian ideals, but wrong.
Take World of Goo. Very popular game. Released in 2008; got a sequel in 2024. Why so long for a sequel? In part, because when they experimented with a DRM-free release, they had a piracy rate of over 90%. Can you prove that's lost sales? No. Would any reasonable person say that is lost sales? Absolutely.
https://arstechnica.com/gaming/2008/11/acrying-shame-world-o...
Ever wonder why mobile games failed, and why every mobile game is seemingly full of ads? The Android piracy rate is enormous (over 60%); and freemium allows money to be earned while denting piracy rates. Let's not forget also why Nintendo went after Yuzu - over 1 million illegal downloads of Tears of the Kingdom before the game even launched. How many do you think paid afterwards?
And before anyone quotes the one or two studies showing an increase in sales from piracy; that ignores the 30+ studies showing a moderate to severe sales impact from piracy, that we also have. Nobody talks about those though, because that's a rather unpopular conclusion. However, you can't pick and choose studies to show it is a good thing.
23B1
> Price is a barrier to entry for many users who wouldn't have paid for the software.
This is what demos, student licenses, etc. are for. I don't care what your justification is, property theft is wrong.
Jerrrrrrry
ironically, I will be using un-ironically to play Guitar Hero games that I have the physical discs to, on retail hardware, that has the games installed, but not "licensed" to play without physical tethering of the disc in the failed DVD drive.
The double irony is that, even if it works, I may not be able to read my own game-saves since the Console's own public key is on the revocation list. I could sidestep this by resigning the CON files with the default value, 0.
The triple irony may be forthcoming yet. this all looks very familiar indeed.
fuckin brilliant
Jerrrrrrry
ecosystem of xml > tlv > null-terminated strings / utf16 for user input make an off by one error anywhere or unverified* malicious user input in the house of cards of technical debt in any MS ecosystem collapse into minefield of privilege escalation, RCE, etc horizontal pivots...not trivial, however.
this bug is essentially a retro-active pivoting platform for the lucky day you combine unsanitized input and context escape.
seems like just trivial digital sticker-swapping, but MS over-leveraging its successes, refusal to break things (to maintain backwards compatibility, and its own technical debt..), mean that some mistakes, however trivial, yet affecting, are immortalized
thund
In case your antivirus is censoring the page: https://archive.is/90XGW
nixosbestos
Clip has been around longer than the Xbox One though?
AshamedCaptain
After reading the article, and especially the remarks about this engine being copy-pasted from the Xbox DRM engine, does anyone still believe that Pluton, also copy-pasted from the Xbox, is about end user security? And not totally about MS finally having enforceable DRM on PCs?
Oh and by the way Pluton is now on the latest batch of Intel laptop chips. And has been on AMDs for a while. How soon until Windows requires it?
heraldgeezer
>does anyone still believe that Pluton, also copy-pasted from the Xbox, is about end user security?
I never did. The worst part is explaining it to people drinking the MS Kool-Aid. I'm an MS admin so people at work love Win11, Intune etc all that max lockdown shit. To me that's not what Windows is about, for me Windows is excellent because of the admin tools and backwards compatibility. But hey that's just me.
Proton will be another TPM thing, introduce it, wait 5 years, then mandate it. They have time.
rkagerer
> But hey that's just me.
There are more of us out there!
4ggr0
There are literally dozens of us!
criddell
Another TPM thing? What problem do you have with the TPM?
1oooqooq
TPM end game is to have identity tied to a device on pcs, just like the monopolies already have on Android and IOS.
you know how google and apple dropped actual totp 2nd factor for their own accounts and force you to sign on another device to confirm signing on new devices? same thing.
botanical
Hundreds of millions of perfectly good PCs are going to be end-of-life due to this.
heraldgeezer
It being a Win11 requirement. It failing and triggering Bitlocker on our machines. It's just shit :) No I don't have another solution. Let me complain.
a1o
The TPM thing that got hacked the other day?
dist-epoch
People have been saying that for more than 10 years now, since the TPM was introduced.
Yet you can still install Linux on PCs sold with Windows, you can still install third party software on Windows not from a Store, you can still watch pirated movies downloaded from torrents.
You can even run an unregistered/unpaid version of Windows if you don't mind that it will not let you change the desktop background image.
nulld3v
Or you can recognize that app/game developers are starting to require Secure Boot enforcement if you want to continue to use their apps or play their games.
RIOT requires users to enable TPM-enforced Secure Boot starting with Windows 11 to play Valorant: https://support-valorant.riotgames.com/hc/en-us/articles/100...
dist-epoch
Let me tell you a secret: it's because the gamers are demanding that. The game companies couldn't care less if there are cheaters in the game, but it's the players which put huge pressure on the game companies to detect and ban cheaters.
dfox
One thing that I do not understand is how an app can determine whether secure boot is enabled in any kind of secure way. The TPM and Secure boot system is not designed for that.
lupusreal
If it's software your job requires, that's one thing. But games? Just play different games, or get a different hobby. You have a choice so exercise it.
jnwatson
And why is that? It isn't for DRM (the game is free). It is for anti-cheat, and it is great.
The libertarian maximalist i-can-do-what-i-want-with-my-computer ignore the many use cases where I want to trust something about someone else's computer, and trusted computing enables those use cases.
dangus
People who are concerned about this should realize: Microsoft will never create a situation where alternative operating systems can’t be installed. They already went through the antitrust wringer on that issue. They don’t even control what hardware vendors do for the most part.
This requirement will only hit multiplayer games where cheating and security threats are rampant.
Also, if you have a PC with secure boot enabled, there are popular Linux distributions like Ubuntu that have a signed key. Or, you can add a signing key to the firmware, depending on your hardware. And of course, most commercially available PCs will let you disable secure boot entirely.
(Most multiplayer games with anti-cheat software don’t really work on Linux anyway.)
ineptech
People will keep saying it, because that ratchet only seems to go one way. Consumer access to general purpose computing is something we take for granted, but every year it seems like there's a bit less of it, and once we lose it we will never get it back.
croes
And Windows PCs are still not safe.
So either way it fails its purpose
layer8
More accurately, unbreakable security as enabled by hardware TPMs also enables unbreakable vendor lock-in like we have with iOS. Pick your poison.
dist-epoch
Most Windows PCs have Secure Boot enabled and many have the drives encrypted with Bitlocker.
pbhjpbhj
Yes, and Microsoft will still have regular "accidents" where they wipe out your ability to boot your Linux install, oh oopsy.
They should be prosecuted for that shit.
beeboobaa3
For now. It's not ubiquitous enough yet. Games are already starting to require secure boot, the rest will follow in a few years.
heraldgeezer
For now. The cogs will turn slowly towards our demise.
dgellow
I may be naive, but I still do. Skepticism is warranted, yet outright dismissal based on conjecture is its own brand of fallacious reasoning. Can Microsoft potentially benefit? Certainly. But that doesn't negate the possibility of genuine user security motivations and benefits for end users
exe34
> Can Microsoft potentially benefit? Certainly. But that doesn't negate the possibility of genuine user security motivations and benefits for end users
it's important to ask which one of the motivations will allow them to lock users down and ask for ongoing rent. one of these two will, and that's what will always drive the decision.
loeg
> As it turns out, data after the signature block isn't checked at all... and it can even override data that came before it. Whenever two blocks of the same type are stored together, the last one overrides all the others before it. So, if we want to change any license data, we can just make a block for it and put it after the signature block!
Amazing.
Dwedit
I wonder if this is the worst cryptography blunder since Nintendo Wii using 'strncmp' to validate a hash (which stops after the first matching 00 byte)
bri3d
This "check the block signature and then read another one" bug is incredibly common. I'd say it's one of the top 5 bugs I see in Validating Things. Other examples of places I've seen this recently include some variants of VW AG infotainment systems (mostly MIB2 High, I think), but it's kind of everywhere (as was the `strncmp-a-hash` method of validating an RSA-PKCS#1.5 signature).
This is probably the most egregious/impactful manifestation of it, though, especially if it applies to Xbox.
mdaniel
> This "check the block signature and then read another one" bug is incredibly common
I don't have links handy, but Android fell prey to this bug twice checking .apk signatures due to .zip files having duplicated copies of the manifest
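The "check the block signature and then read another one" pattern discussed in this subthread, shown next to a strict parser, as an added example that is not part of any comment or of the article's code. The tag/length/value layout, the tag numbers and the HMAC standing in for the real signature scheme are all assumptions made for illustration; this is not the actual license format.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"          # constructed stand-in for a signing key
T_LICENSE_TYPE, T_SIGNATURE = 0x01, 0xFF  # hypothetical block tags

def block(tag, value):
    # Toy layout: 2-byte tag, 2-byte length, then the value.
    return struct.pack("<HH", tag, len(value)) + value

def iter_blocks(blob):
    off = 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated block header")
        tag, length = struct.unpack_from("<HH", blob, off)
        end = off + 4 + length
        if end > len(blob):
            raise ValueError("truncated block value")
        yield tag, blob[off + 4:end], off, end
        off = end

def mac(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()

def sign(body):
    return body + block(T_SIGNATURE, mac(body))

def parse_lenient(blob):
    """Flawed: authenticates only the bytes before the signature block,
    keeps parsing afterwards, and lets the last duplicate win."""
    fields, verified = {}, False
    for tag, value, start, _end in iter_blocks(blob):
        if tag == T_SIGNATURE:
            if not hmac.compare_digest(value, mac(blob[:start])):
                raise ValueError("bad signature")
            verified = True
        else:
            fields[tag] = value  # unauthenticated trailing data lands here
    if not verified:
        raise ValueError("missing signature")
    return fields

def parse_strict(blob):
    """Hardened: the signature block must be last, must cover everything
    before it, and no block type may appear twice."""
    fields = {}
    for tag, value, start, end in iter_blocks(blob):
        if tag == T_SIGNATURE:
            if end != len(blob):
                raise ValueError("data after signature block")
            if not hmac.compare_digest(value, mac(blob[:start])):
                raise ValueError("bad signature")
            return fields
        if tag in fields:
            raise ValueError("duplicate block")
        fields[tag] = value
    raise ValueError("missing signature")

# Constructed sample inputs.
SIGNED = sign(block(T_LICENSE_TYPE, b"temporary"))
TAMPERED = SIGNED + block(T_LICENSE_TYPE, b"permanent")
```

The general rule the strict parser follows: only bytes covered by the verified signature are ever interpreted, and ambiguity (duplicates, trailing data) is an error rather than something to resolve.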
thrownawaysz
MAS (which is also hosted on Github) is the perfect example of Microsoft not caring about end user piracy. Just use it.
indrora
In the long run, pirated copies of Windows are noise level: The vast majority of people are going to get a license via an OEM (which survives reinstallation), businesses aren't going to risk running unlicensed windows machines (especially if they're paying for it elsewhere) and have easy means to acquire OEM licensed machines that are supported by the OEM for parts & service, and people who run an up to date but pirate-licensed copy of Windows are at least running an up to date version instead of sitting on an EOL copy that is barely getting security updates.
Allowing piracy at that level is actively safer in the long run.
hakfoo
I suppose the other aspect is the gradual death of the white-box PC shop.
The large OEMs have contracts to pay 9 cents per license.
They'll never crack the individual enthusiast building his own PC from Newegg parts and installing a hack, but he's small potatoes.
But back in the day, there was a fair chance your local midsize business, government, university, didn't necessarily buy from Dell or HP-- they bidded out a few hundred PCs to a local shop, which had both the motivation and technical knowledge to use the same license key on each one, and the scale where it could represent significant lost revenue.
Introducing activation was probably a significant sabotage for them. Although I'd suspect the stick on license certificate was almost as big a deal in that regard.
a1o
I have no idea how to get access to LTSC Windows without it. I have bought Windows PRO keys in case someone asks one day, but as a person, I really don't know how to get the not annoying Windows that is available for companies.
miles
I did a little writeup[1] back in 2018 about how to acquire Windows 10 LTSC as an individual. It was only around $300, which included the required four additional CALs.
By way of comparison, Windows 11 Pro is $200[2].
[1] https://tinyapps.org/blog/201811300700_windows_10_ltsc.html
[2] https://www.microsoft.com/en-us/d/windows-11-pro/dg7gmgf0d8h...
IG_Semmelweiss
Thank you for this
olyjohn
The pro keys won't cover you if someone asks. You're not licensed for LTSC and you can't have it without an enterprise agreement. It's still piracy. you might as well have not even paid for the pro keys.
therein
It could still help with a jury of his peers.
thrownawaysz
I once went down this rabbithole ("I use LTSC for years might as well buy a legit copy finally") and... it was almost impossible. You need to buy at least 5 licenses through volume licensing but you also have to be a business (can't buy it as a natural person). Then there were some other thing about standalone version, upgrade, subscription etc.
So yeah LTSC was never meant to be available for single desktop users at home yet it's the best version of Windows available.
stepupmakeup
Last year, a Microsoft support representative even used it on a customer's computer.
https://news.ycombinator.com/item?id=38295819
https://www.bleepingcomputer.com/news/security/microsoft-sup...
nicman23
more like the license process is so bad that they don't bother to go after them
SV_BubbleTime
>the license process is so bad that they don't bother to go after them
For a person, yes go for it they won’t bother.
For a company… we have had some annoying MS audits. So now everything has to be retail WITH the cards. I have a stack ready for our next audit if it ever happens again.
nicman23
sorry with cards? what do you mean?
sneak
There is ultimately no way to get a good license process on consumer PCs. The owner and operator of the hardware is also the adversary. It’s like DRM for video and other content: you are giving the ciphertext and the keys to the attacker. It’s only a matter of time until it is broken.
diggan
Maybe it's beneficial for Microsoft that solutions like that are FOSS so they can more easily inspect the code for prevention purposes in the future?
npteljes
Instead I think that they let people use it unauthorized, so that Windows is even more entrenched. Same with what Adobe did with Photoshop. These companies are lucky that their product gets home and office use as well, because they can let the noncommercial use slide, and just squeeze the office users more.
It's more of a business move, than a technical move. Microsoft has plenty of capable people, they don't need such software to be FOSS to successfully inspect it.
fallingsquirrel
I think Microsoft is just purposefully lax about enforcing their own trademarks on their own properties. It could be due to organizational memory of their antitrust case. It could be to avoid bad publicity (like the recent spat where youtube took down a video teaching people how to use adblockers).
Another example of this: the leaked Windows source code is available straight from GitHub.
a1o
Does anyone know a good way to activate MS Office on macOS? Doesn't matter how many times I buy the thing it eventually forgets the license and calling Microsoft Support usually doesn't result in anything. One day Office starts complaining that it's not activated and then it eventually locks me out of it. It would be nice if the Office license on macOS actually worked but if there's an easy solution for activation I wouldn't look back.
ravetcofx
Alternative answer, Use LibreOffice
a1o
I use it too, but I need MS Office itself because of weird Azure plugin that makes documents in OneDrive that only open in MS Office.
So, just stating the obvious, you can now (¥) download all xbox games directly from the microsoft store for free? I.e. the xbox is - for now - as completely hacked as the PS Vita?
(¥) you might have to figure out some details