Schneier on Security
A blog covering security and security technology.
March 9, 2011
Malware as Job Security
A programmer installed malware into the Whack-a-Mole arcade game as a form of job security.
It didn't work.
Posted on March 9, 2011 at 6:38 AM
Presumably not actually a "virus". Can't imagine why 'Whac-a-mole' (sic) machines would need to be networked...
It seems like the article rather extremely misuses the word "virus" for a simple countdown...
Poor use of the term virus, as already highlighted. The correct term would have been a "bomb", but I guess that would have opened a whole other can of journalistic worms.
But, but, but...he'll get job security in the prison laundromat, or license-plate factory.
"Virus" aside, there's plenty of reason to network the game console, to aid maintenance. It's installed on customer premises; it contains software and hardware with moving parts; it's public-facing.
To attach such game consoles to a network might also be required by law in some countries because the government wants to know how much money you make.
It is not the first time someone has thought about such behaviour in one way or another.
Some years ago in the UK a consultant who had supplied a bespoke program to a client put a simple "stop working after Xdate unless Ytrue" in case the client decided to not pay (which based on previous behaviour was quite likely).
Well the client did not pay, so the programmer never set Y to true and after day X the program duly stopped working.
Now the client instead of paying screamed blue murder and the programmer was prosecuted and found guilty by the judge under the UK's Computer Misuse Act.
Apparently it is ok for a company to effectively steal from you by not paying as this is a mere "tort" or civil offense for which there is a legal remedy (no matter how expensive or ineffective it is). Whereas simply putting an end date in your program (without making it explicit in the contract) to stop the person who has effectively stolen your work from using it, is not a civil offense but a criminal offense and off you go to jail (at the expense of the taxpayer).
This is called extortion, not "offense against intellectual property," wtf?
However, I don't see how Clive's case is valid: the guy wasn't paid, so he repossessed the goods sold but not paid for.
It would have worked if he hadn't blabbed about what he had done. Which seems kind of stupid for someone who went to such lengths to do it secretly in the first place. Reminds me of Bradley Manning doing the same too.
@John re "I don't see how Clive's case is valid"
Unfortunately this seems to be the way justice on this matter goes across the globe. There was a not dissimilar case in Russia recently. The programmer had it stated clearly in the license that SW can't be used beyond the license end date. He didn't say, however, that the program started to display only part of the data after one year since this expiration date. The programmer was found guilty of producing *malware* (because, you see, this program was "explicitly created with purpose to deny users access to data", the data in question being the accounting data this program was intended to process). Never mind that the program was illegally used for a year after the license has expired, before this "selective display" countermeasure has triggered.
@Clive Robinson and other commenters
Your case is about a seller who repossessed his goods without authorization. If I went into your house and took your TV set, or if I disabled that set from a distance, because you did not pay, that is also not allowed.
A sale is final after delivery of the goods. Getting paid is something you have to arrange by a different avenue. The goods simply are not yours anymore to take.
Playing judge in your own case is not considered legal.
The lesson in Clive's example is simple: make it clear to the customer in the contract of sale that until they pay in full they are using demonstration software that will expire x days after first use.
The consultant's problem is that he was not forthcoming about his plans to ensure payment.
"However, I don't see how Clive's case is valid: the guy wasn't paid, so he repossessed the goods sold but not paid for".
Sadly not true in the way you think.
Section 3 of the CMUA1990 deals with unauthorised access to data etc and is very very broadly scoped (way too broadly for many people as well as the later 3a update which is even worse).
Anyway the bare bones (you can search on the Internet for more info)
Alfred Whittaker MD of AAS Management systems was found guilty at Scunthorpe Magistrates Court under section 3 of the Computer Misuse Act when it was shown he had put a time lock into software supplied to Protech Formulations. Mr Whittaker was given a conditional discharge (which is effectively the minimum sentence that the Magistrates could give).
The case all hung on the fact that Mr Whittaker admitted what he had done but could not show (for obvious reasons) that Protech had agreed to the software modification (time lock) that subsequently denied Protech Formulations access to "their data" thus his actions were "unauthorised" and fell within the scope of section three.
Protech Formulation's unsupported claim was that the reason they had not paid was that the software did not "perform".
According to some people he would not have been guilty if the software had been licenced as opposed to sold, or if he had put an enforceable cease to use clause in the contract of sale thus Protech could not have claimed they were unaware and thus the "crown" could not have claimed unauthorised.
It caused quite a bit of concern at the time because if you think about it nearly all software is "unauthorised" unless the software source is included in the contract....
Somehow, when you buy digital things as a consumer you have no rights at all. I suspect that if the time lock had been on consumer software there would have been no case.
About 10 years ago (probably longer), there was a big stink about updating US law to explicitly allow what Clive described. This was being done on the state level (I assume because people have some idea who their congresscum are and what they are doing, no such problem for state legislators). As far as I know, Maryland passed such a law (software written in Maryland can have such triggers), but the movement died afterwards. I have no idea if Maryland ever quietly changed the law (they were noisily trying to "beat Virginia into the future").
The guy must have thought job security was a legitimate case of security too 8-)
Which kinda brings up again the issue of Sony removing the "Other OS"-option from PS3 consoles and their quest against those who found and published its master key.
@bruce "didn't work"
" actually told two people at the company he'd done it, but it took months of technical work to prove."
Well it worked for a time. Is it success for the same level as Ronnie Biggs? Probably not.
But it's still legal for companies to sell printers that stop printing after a number of uses to force users to buy a new one (or pay for a useless technical check), or lightbulbs made to last only 1000 hours...
So, if the contract you sign with a "service provider" states that the service will be removed if payment is not made, that makes it legal for the residential utility providers to "turn-off" (remove) service if they don't receive payment?
I guess that makes it different than the "removal" of software services by those planted logic bombs, since that outcome was not agreed to in the contract.
"If they hadn't of discovered that they had the virus installed in the equipment, they wouldn't have known why their machines were failing," said Cpt. Steve Aldrich, Holly Hill Police Department.
Um, ya think?
("hadn't of" Arrrghh.)
That is why my software is specifically leased and both the documentation and the messages state that any tampering with files and registry items may result in a license breakage.
Two weeks before the end of the lease period, nag messages are displayed during program start-up, warning of the end of the lease term.
> A sale is final after delivery of the goods. Getting paid is something you have to arrange by a different avenue. The goods simply are not yours anymore to take.
Really? Cause there are people who repossess goods. Cars, airplanes, etc. They often sorta break in to do so, and the law doesn't seem to much mind.
@Steven Hoober: Not quite the same thing.
People usually buy cars and houses with secured loans, meaning that they have something (like a car or house) that's forfeit to the lender if they default on the loan. This is a separate agreement, not a sale, that explicitly says somebody can come and repossess your car or foreclose on your house if you don't pay.
A sale typically doesn't have a contract with a repossession clause, although I suppose it could have one. Frequently sales are conducted with no formality other than the exchange of stuff and payment, and all other possible conditions depend on applicable law.
Planned obsolescence, in the way you're referring to it, is a myth. If someone created an affordable lightbulb that could last 20 years they would become wealthy very quickly. Now, selling cheap products cheaply? Sure, it happens all the time, because we're more willing to spend $50 on a printer that will last a short period of time rather than 10X that amount for a longer-lasting product.
On topic, date-limited software? Sure, my antivirus company happily sells it to me every year.
Following the trail, I hope.
1. EULAs could support such a time scheme? Microsoft could say that Windows 7 is kaput after 2013. It will no longer work, period.
2. Sony took away the other o/s option. But I remember they installed a rootkit that customers didn't agree to. Maybe..
Those pesky EULAs, and bugs/features built in. You could do almost anything if you document it. (wink to @Clive). How many times have you opened a box of software to read the EULA and it says upon opening box you bought it?
I just dealt with a system that was using dos3.1. try proprietary system upgrading to windows 7 from that. old school, again. ;) click, click, command line, where is that damn book!!!
Always wondered why the kilobuck throttle control module on each of our Volvos died after the warranty period expired...
Well, we're well off topic so let me tell you what I have been dealing with the darndest thing in the past few days: an old fashioned, paper, chain letter. Had a lottery ticket attached. You copied it and sent it to friends, with more tickets and you get back some large number of lottery tickets.
Thing was, many people -- especially the younger ones -- had never seen such a thing and it seemed like a little harmless fun. And trying to explain why it was bad and what a pyramid scheme was and so on was very difficult.
Anyway, it's made me realize that these good people need hardening off.
"I just dealt with a system that was using dos3.1 try proprietary system upgrading to windows 7 from that. old school, again"
Dos 3.1 I remember it well also GemOS and CP/M (anybody remember what "PIP PUN:=RDR:" did?).
Though I also have to put my hand up and admit I'm still using a quadruple boot MS-Dos 6.x-Win 3.11 / NT4 / 2000 / Debian (nearly latest version ;) box for doing some programming / support of some "command line utilities". And for one customer I have an OS2/2 box which has two 5.25" floppies to boot into Dos and "Windows 2" oh and an Apple][ with MS CP/M card and those single sided 180K 5.25 floppies... The C compiler I use is a hand cut version of "small C" with part built libraries from the Plauger code in his Standard C book (and for some reason I remember William "pong-n-go" Gates getting his panties in a wad and wobbling like a weebil over people using "his" basic...).
I kid you not when I say support, there are still ancient and most definitely obsolete boxes running in the labs of a certain well known French Telecoms company and there's at least one bank with IBM's OS2 still clunking along. Mind you the box I lusted after back then was the NEXT Cube who remembers those, when you still had to clunk along on vaxen...
"Mind you the box I lusted after back then was the NEXT Cube who remembers those, when you still had to clunk along on vaxen..."
There was a solitary NEXT Cube in the C.S. department when I was an undergrad. It was kept in a locked lab, along with the department's Transmeta box, and other goodies, to prevent the VAX and SunOS addled hoi polloi from soiling them.
Yes, I remember seeing a demo of a NeXT cube back in University; I'd grown up with Apple ][ in school and started programming on an IBM mainframe, connecting to it via an IBM thermal paper terminal with an acoustic coupled modem. (Having an uncle who works for a University helped back in the mid-70s.)
Back more on topic, this reminds me of a discussion around the lunchroom back when I was briefly working in telecom. Apparently one of the customer service techs had discovered a potential ground loop issue in one of the racks, and decided to use it sort of like this. He would go in, 'fix' the problem, and then leave the equipment in a state where it would probably fail again several days later when high call volumes stressed the vulnerable rack, and he would get called in again.
Needless to say, once he was caught, he was fired. Not only was he obviously untrustworthy, but this sort of thing makes the equipment supplier look bad. As for how he was caught, I believe he fell into the category of 'idiots who think they're so brilliant that they can't help bragging about it'... though there had been some suspicion already. (This was 20 years ago, so details are fuzzy.)
re: penalties for theft vs. malware
The less we understand something, the more we fear it (I'm sure I've read that somewhere :-)
Computer security is much harder to understand than "take something you don't own", hence it generates more fear and therefore harsher penalties.
"hence it generates more fear and therefore harsher penalties."
I think it might be the other way around.
In a "permisso society", something that is not illegal is allowable thus technically legal, but might well be a significant nuisance.
Some people may try to stop the nuisance by using other legislation that may well be used inappropriately (and judges sometimes so direct).
Eventually the legislators catch up and new legislation is produced.
People who were doing something that was legal may not stop doing it now it's illegal as they have a vested interest in continuing. So they change slightly so as to be on the borderline of legal/illegal.
Which side of the line they are on and by how far is for the prosecutors and courts to decide they used to call it "setting a precedent" under "case law".
Now judges usually try to be impartial but they have little or no knowledge of the problem domain. So they base their decision on "the evidence presented".
Now back some time ago it was recognised that there was an issue with this and the state generally picked up both the defence and prosecution costs so that the evidence presented to the judge was as fair as it could be.
Not so any longer. The prosecution therefore go all out to overwhelm the judge in any way they can whilst also taking "pre action" to "strip the defendant of their rights" by using other legislation such as in the UK "The Proceeds of Crime Act".
Thus the "state" uses its "overwhelming power" to raise as much fear as possible to scare people as far away from the borderline as possible.
We have seen any number of miscarriages of justice since Tony Blair and Lord Falconer made the changes to UK legislation to strip defendants of their age old rights, but few have or ever will be corrected.
Sometimes the person who has been stripped of their rights by the likes of the Proceeds of Crime Act gets help from professionals "in the public good" because the professionals are so incensed by particularly bad cases of injustice.
However the state has a habit of using its overwhelming powers to get revenge, which is why we so rarely see professionals acting on their honour principles.
Oh and the Proceeds of Crime Act those that use it to strip rights get one fifth of any assets recovered so "no incentive" there then to abuse the legislation.....
It's the writer of Stuxnet!
Clive: I had - or rather the company I was working for at the time - had one of the first Radio Shack Model I's. I later bought one for myself. 48K and an audio cassette drive for data storage! Who would ever need more? :-)
I also peered through the window of one of the first three or four microcomputer stores in the US - The Real Oregon Computer Company in Eugene, Oregon - a few days before it opened for business. When it opened, I got to mess with Processor Tech, Altairs, etc.
Shortly after I was working on a RCA 301 - 30,000 pounds of hardware (the floor of the building where it was housed had to be reinforced to support it) with 40K of core (REAL MAGNETIC CORES!) memory and 9 tape drives.
Later I graduated to IBM System/32 and System/34 and RPG.
Later I worked on Radio Shack Model IIs.
Later I owned an Atari 520ST. I even almost landed a job as the online spokesperson for Atari since I was host of the Atari conference on The Well.
All of which I hope is now burning in hell compared to my AMD Phenom quad-core with 4GB of RAM and 2TB of disk running OpenSUSE 11.3.
On topic, it would seem that any law that prohibits stopping a program from working if not paid for would be applicable to most of the "shareware" out there.
Which term is a misnomer in my view - it's merely commercial software with a trial use. REAL "shareware" back in the day rarely crippled or caused the program to stop working. REAL shareware relied on the honor system. And it worked for several shareware authors who ended up going commercial because they made so much money from their shareware they could afford to set up a company and start producing a real commercial product. Anyone remember PC-File?
You lot go back a long way, it's hard to find even the components of NEXT Cube and vaxen used nowadays, still like them but then there weren't many options back then. :)
"You lot go back a long way"
Yup, in my case even further than Bruce (but don't tell him that, he's of an age when men get touchy about such things, I know I did ;)
@ Richard Steven Hack,
"REAL "shareware" back in the day rarely crippled or caused the program to stop working."
I remember the change; do you remember "nagware", as it became called?
Then there was "adware" now it's all "malware"...
Here's a thought for you, "how much did your first computer cost you?"
Not in dollars but as a percentage of the gross average income at the time?
My first computers I built myself and they were completely self designed and not cheap to put it mildly, to save cost I designed a "1 bit wide" CPU using NAND gates and D type latches and a couple of 8bit shift registers. The ROM of the state machine was two 0.1" copper strip matrix boards (Veroboard) programmed by soldering in 1N4148 signal diodes. The "input device" was a rotary telephone dial (pulse) and six push buttons, the output a hacked up neon "nixie tube" display from a broken frequency counter; the number of times I got a belt off the display power supply I can't remember but it was a lot. The height of its hardware achievement was to multiply two nine bit numbers using a NAND gate as a one bit multiplier and 4bit counters as the adders. Its height of software achievement was to play a few simple tunes and act as an octal calculator, due to lack of mind bogglingly expensive memory.
The first "proper CPU chip" kit I bought was the SC/MP 1 (affectionately called "the scamp" or "scampie") and the memory was measured in bits not bytes and not even close to a kilobit, it was a great deal of money at the time.
The first fully built computer I bought (and still own) cost the equivalent of a quarter of a year's money or about one fifteenth the cost of a house, and even then I got discount because the company I bought it from I worked for part time repairing both mechanical terminals and the new fangled VDUs...
The first "professional mainframe" I worked on was designed (supposedly) in the UK and had an operating system called "george" I still have part of its 'core store' around somewhere with tiny almost too small to see ferrite rings with the matrix and sense wires in different colour 40AWG enamelled copper wire. We used to have an "officially sanctioned" AM radio to aid in program debugging and the mag tape decks had huge five foot high 18inch wide inch thick machined aluminium plates onto which the capstans motors belt drives heads and amps were built. The whole thing was a scrap merchants dream especially as there must have been getting on for a pound or two of gold in it.
"Really? Cause there are people who repossess goods. Cars, airplanes, etc. They often sorta break in to do so, and the law doesn't seem to much mind. "
Indeed, and those people are the money lenders from which the "owners" have borrowed the money to buy these products. And in the small print in that lending agreement it is stated that the buyers granted them the right to repossess the product if they fail their payments.
You are free to sign any contract and sign away (almost) any right you have under the law.
@clive, yep we're old to remember things like programming with punch cards. (shudder) remember to number them.
A municipality is having to do a major upgrade to IT. Why? They can't find enough COBOL programmers......I have heard horror stories from California. ie. PLCs, proprietary control software from a company that is bankrupt, no source code, parts unavailable, and system breaking. (I like software safes for customers)
Back to topic, what he did was shady, and stupid. If you want to be indispensable try working and helping others. I may be Pollyanna but I think things even out over the long run. Good will goes a long way. Oh, and read the documentation, proposals, contracts, etc. very, very carefully.
"There was a mole in the Whack-a-Mole company!"
Hey, it's Whac-a-malware!
Clive: "Here's a thought for you, "how much did your first computer cost you?" Not in dollars but as a percentage of the gross average income at the time?"
My gross income is...well, gross, it's so low. So EVERY computer I buy is like buying a house to me.
The problem here was that unless the guy told people at the company that he was the only one who could fix the machines, they could just go on cutting his pay and/or replace him with another tech. So he was in a Catch-22 situation.
There's probably some kind of complex zero-knowledge protocol whereby you can prove you're the only one who can fix something without admitting that you're the one who pre-broke it in the first place.