While setting up a new server recently, I found that I had the necessary hardware but lacked a Windows Server 2003 license. A discount company on the Web was asking $600 for a copy of Windows 2003 Standard Edition—ouch. Ah, but wait, here in my Inbox was an email message advertising discount software. Couldn’t hurt to open it up and take a look, right? Wow, an “OEM” copy of Windows 2003 for only $69!

Hey, wait a minute. That’s too good to be true. But there are surely sufficient numbers of these guys hawking such deals that it can’t be entirely illegal, right?

Next, I visit the OEM software site, and it looks legitimate. Heck, most of the words are even spelled correctly. And there’s an FAQ page that explains why the stuff is so cheap: Because it’s downloaded software, I needn’t pay for packaging. Nor do I get phone support from the vendor.

But, hey, even Microsoft sends Windows 2003 in just a little cardboard box with a plastic spacer. Inside are two Release 2 (R2) CDs and a piece of paper with the printed license. This packaging costs Microsoft hundreds of dollars? And even Microsoft doesn’t give free phone support for Windows 2003—it never has. Something sure smells fishy, doesn’t it?

Time to find out, I thought. So, I called Bonnie MacNaughton, manager of Microsoft’s US Anti-Piracy Enforcement team, to see whether my suspicions are valid. Sadly, they are.

I asked her, “How do those OEM software guys sell that software so cheaply?” “Simple,” she said. “It’s either stolen, counterfeit, or a violation of a license.” To understand what she means, let’s get into some software sales basics. In the 30-plus years I’ve been using software, vendors have struggled with software piracy. Back in the mid-1990s, Microsoft first tried to slow down pirates with the notion of a product ID or, as it was later renamed, a product key. These are those irritating 25-character codes you’ve probably typed into your computer to make your copy of Windows 2003, Windows XP, or Microsoft Office work.

Unfortunately, on top of being irritating, the codes also weren’t very effective at stopping software piracy. You could, for example, install as many copies of Windows 2000 with a given product code as you liked, although not legally; no software stopped you from reusing a product code. In 2001, Microsoft upped the ante with Product Activation, a tool that irritates us further but makes it a lot harder to reuse product keys. Trying to use the same XP or Windows 2003 product key on two machines won’t work: You have to buy another copy of XP or Windows 2003.

But these Web-based OEM sales guys all seem to have software and product keys that work. Doesn’t that mean they’re selling legitimate software? Nope. As Bonnie said, it’s either theft, counterfeiting, or license violation.

A piece of software contains two components that are vital to the honest buyer [...] the actual bits that make up the software and the product key that activates the software. Each component can essentially be subject to theft, counterfeit, or license violation. So how do the bad guys do it, and how can you smell a rat?

The first way to determine whether a piece of software is legitimate is to study how the bits are packaged. Microsoft protects its bits by putting them on discs that are physically distinctive; for example, you might see a hologram on the disc. Silk-screened or handwritten discs should be a tip-off to a counterfeit copy. (That’s not necessarily true for software that ships with a piece of hardware, such as a copy of an OS shipped with a computer.)

Further, as far as I know, software vendors such as Microsoft don’t permit dealers to sell software such as Windows 2003 or XP as simple downloads. Some illicit vendors, however, do offer honest-to-God Microsoft installation CDs—either physically stolen in transit or originating from a computer manufacturer’s warehouse, whether as small as Bob’s Basement PCs or as large as Dell. How would Microsoft detect copies like these? The company would use its second line of piracy defense, those irritating product keys. The product key—the second antitheft component—is that 25-character code you must type into that new copy of XP. Each character can be just about any letter or numeral (except 1, 5, 0, a, e, i, o, u, l, n, s, or z), and even though letters aren’t case-sensitive, there are a very large number of possible product codes—about three decillion, if I recall my number names correctly. Clearly, Microsoft doesn’t expect to sell that many copies of XP, so why such a long key? Although there are many possible 25-character-long strings of digits and letters, Microsoft uses a mathematical algorithm that disqualifies the vast majority of those possible strings so as to make it essentially impossible to install XP with a made-up product key rather than a Microsoft-created key.
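To make the keyspace argument concrete, here is an added example (not from the column and not Microsoft’s actual product-key algorithm) that builds the 24-symbol alphabet from the exclusions listed above, counts the raw 25-symbol strings, and stands in a toy keyed check (an HMAC over the first 15 symbols, an assumption made purely for illustration) for the undisclosed “mathematical algorithm,” so you can see why a well-formed string is still almost never an accepted key.

```python
import hashlib
import hmac
import secrets

# Alphabet as described in the column: letters and digits with
# 1, 5, 0, A, E, I, O, U, L, N, S and Z removed; case-insensitive.
EXCLUDED = set("150AEIOULNSZ")
ALPHABET = "".join(c for c in "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                   if c not in EXCLUDED)          # 24 symbols
KEY_LEN = 25
CHECK_LEN = 10   # assumption for the toy: last 10 symbols are a check value


def keyspace_size():
    """Number of raw 25-symbol strings over the alphabet (24 ** 25)."""
    return len(ALPHABET) ** KEY_LEN


def normalize(key):
    """Drop the dashes of an XXXXX-XXXXX-... key and ignore case."""
    return key.replace("-", "").upper()


def well_formed(key):
    """Syntactic check only: correct length and only allowed symbols."""
    k = normalize(key)
    return len(k) == KEY_LEN and all(c in ALPHABET for c in k)


def _check_symbols(payload, secret):
    """Toy stand-in for the real (undisclosed) key-validation algorithm."""
    n = int.from_bytes(hmac.new(secret, payload.encode(), hashlib.sha256).digest(), "big")
    out = []
    for _ in range(CHECK_LEN):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)


def issue_key(secret):
    """Mint a key whose check symbols match its payload (issuer side)."""
    payload = "".join(secrets.choice(ALPHABET) for _ in range(KEY_LEN - CHECK_LEN))
    raw = payload + _check_symbols(payload, secret)
    return "-".join(raw[i:i + 5] for i in range(0, KEY_LEN, 5))


def accepted(key, secret):
    """Verifier side: well-formed AND the check symbols match the payload."""
    if not well_formed(key):
        return False
    k = normalize(key)
    split = KEY_LEN - CHECK_LEN
    return hmac.compare_digest(k[split:], _check_symbols(k[:split], secret))


def guess_success_rate(secret, trials=1000):
    """Fraction of random well-formed strings accepted; expected about 24 ** -10."""
    hits = sum(accepted("".join(secrets.choice(ALPHABET) for _ in range(KEY_LEN)), secret)
               for _ in range(trials))
    return hits / trials
```

Only 15 of the 25 symbols carry free choice in this toy, so the space of accepted keys is 24 ** 15 out of 24 ** 25 raw strings, which is exactly the “vast majority disqualified” effect the column describes.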

How do you know if you’ve been sold a stolen product key? The first time you try to use it, a stolen product key will let you install the software but not activate it. In other words, by the time you realize you’ve purchased a bum copy, the bad guys will already have your money. And guess what your chances of getting a refund are? On top of that, you’ve now essentially given your credit card and identity information to an organized crime operation—the “OEM software” outfit—and that software doesn’t seem like such a good deal after all...