Entries Tagged "spyware"

Blizzard Entertainment Uses Spyware to Verify EULA Compliance

Scary:

I recently performed a rather long reversing session on a piece of software written by Blizzard Entertainment, yes—the ones who made Warcraft, and World of Warcraft (which has 4.5 million+ players now, apparently). This software is known as the ‘warden client’—it’s written like shellcode in that it’s position independent. It is downloaded on the fly from Blizzard’s servers, and it runs about every 15 seconds. It is one of the most interesting pieces of spyware to date, because it is designed only to verify compliance with a EULA/TOS. Here is what it does, about every 15 seconds, to about 4.5 million people (500,000 of which are logged on at any given time):

The warden dumps all the DLL’s using a ToolHelp API call. It reads information from every DLL loaded in the ‘world of warcraft’ executable process space. No big deal.

The warden then uses the GetWindowTextA function to read the window text in the titlebar of every window. These are windows that are not in the WoW process, but any program running on your computer. Now a Big Deal.

I watched the warden sniff down the email addresses of people I was communicating with on MSN, the URL of several websites that I had open at the time, and the names of all my running programs, including those that were minimized or in the toolbar. These strings can easily contain social security numbers or credit card numbers, for example, if I have Microsoft Excel or Quickbooks open w/ my personal finances at the time.

Once these strings are obtained, they are passed through a hashing function and compared against a list of ‘banning hashes’—if you match something in their list, I suspect you will get banned. …

Next, warden opens every process running on your computer. … I watched warden open my email program, and even my PGP key manager. Again, I feel this is a fairly severe violation of privacy, but what can you do? It would be very easy to devise a test where the warden clearly reads confidential or personal information without regard.

This behavior places the warden client squarely in the category of spyware. What is interesting about this is that it might be the first use of spyware to verify compliance with a EULA. I cannot imagine that such practices will be legal in the future, but right now in terms of law, this is the wild wild west. You can’t blame Blizz for trying, as well as any other company, but this practice will have to stop if we have any hope of privacy. Agree w/ botting or game cheaters or not, this is a much larger issue called ‘privacy’ and Blizz has no right to be opening my excel or PGP programs, for whatever reason.
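As an added illustration (not code from the original post or from the reverser’s writeup) of what a title-bar scanner of this kind can harvest, the Python script below runs the privacy-audit side of the problem over constructed window titles: it classifies each title by the personal data it exposes, using a Luhn check so that not every run of sixteen digits is reported as a card number. The sample titles and the classification rules are my own assumptions.

```python
import re

# Constructed sample titles of the kind a title-bar scanner (GetWindowTextA on
# every top-level window) could read; none are taken from the original post.
SAMPLE_TITLES = [
    "World of Warcraft",
    "alice@example.com - Conversation - MSN Messenger",
    "https://bank.example/accounts/statement - Mozilla Firefox",
    "Card 4111 1111 1111 1111 - Invoices.xls - Microsoft Excel",
    "SSN 123-45-6789 - notes.txt - Notepad",
    "Ticket 1234 5678 9012 3456 - Support Tracker",  # digits, but not a card
    "PGP Keys",
]

EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
URL = re.compile(r"https?://\S+")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, spaces/dashes allowed

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a ticket or phone number is not reported as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def classify_title(title: str) -> list:
    """Return the kinds of personal data one window title would hand a scanner."""
    kinds = []
    if EMAIL.search(title):
        kinds.append("email")
    if URL.search(title):
        kinds.append("url")
    if SSN.search(title):
        kinds.append("ssn")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD.finditer(title)):
        kinds.append("card")
    return kinds

def audit(titles) -> dict:
    """Map each exposing title to what it leaks; clean titles are left out."""
    return {t: kinds for t in titles if (kinds := classify_title(t))}

if __name__ == "__main__":
    for title, kinds in audit(SAMPLE_TITLES).items():
        print(f"{', '.join(kinds):12} {title}")
```

On Windows the same audit can be run over the titles returned by EnumWindows/GetWindowText, which is the data the warden’s GetWindowTextA sweep reads.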

EDITED TO ADD: Blizzard responds. See also here. Several commenters say that this is no big deal. I think that a program that does all of this without the knowledge or consent of the user is a big deal. This is a program designed to spy on the user and report back to Blizzard. It’s pretty benign, but the next company who does this may be less so. It definitely counts as spyware.

EDITED TO ADD: This is a great post by EFF on the topic.

EDITED TO ADD: BBC has an article on the topic.

Posted on October 13, 2005 at 2:11 PM

Trusted Computing Best Practices

The Trusted Computing Group (TCG) is an industry consortium that is trying to build more secure computers. They have a lot of members, although the board of directors consists of Microsoft, Sony, AMD, Intel, IBM, Sun, HP, and two smaller companies that are voted in on a rotating basis.

The basic idea is that you build a computer from the ground up securely, with a core hardware “root of trust” called a Trusted Platform Module (TPM). Applications can run securely on the computer, can communicate with other applications and their owners securely, and can be sure that no untrusted applications have access to their data or code.

This sounds great, but it’s a double-edged sword. The same system that prevents worms and viruses from running on your computer might also stop you from using any legitimate software that your hardware or operating system vendor simply doesn’t like. The same system that protects spyware from accessing your data files might also stop you from copying audio and video files. The same system that ensures that all the patches you download are legitimate might also prevent you from, well, doing pretty much anything.

(Ross Anderson has an excellent FAQ on the topic. I wrote about it back when Microsoft called it Palladium.)

In May, the Trusted Computing Group published a best practices document: “Design, Implementation, and Usage Principles for TPM-Based Platforms.” Written for users and implementers of TCG technology, the document tries to draw a line between good uses and bad uses of this technology.

The principles that TCG believes underlie the effective, useful, and acceptable design, implementation, and use of TCG technologies are the following:

  • Security: TCG-enabled components should achieve controlled access to designated critical secured data and should reliably measure and report the system’s security properties. The reporting mechanism should be fully under the owner’s control.
  • Privacy: TCG-enabled components should be designed and implemented with privacy in mind and adhere to the letter and spirit of all relevant guidelines, laws, and regulations. This includes, but is not limited to, the OECD Guidelines, the Fair Information Practices, and the European Union Data Protection Directive (95/46/EC).
  • Interoperability: Implementations and deployments of TCG specifications should facilitate interoperability. Furthermore, implementations and deployments of TCG specifications should not introduce any new interoperability obstacles that are not for the purpose of security.
  • Portability of data: Deployment should support established principles and practices of data ownership.
  • Controllability: Each owner should have effective choice and control over the use and operation of the TCG-enabled capabilities that belong to them; their participation must be opt-in. Subsequently, any user should be able to reliably disable the TCG functionality in a way that does not violate the owner’s policy.
  • Ease-of-use: The nontechnical user should find the TCG-enabled capabilities comprehensible and usable.

It’s basically a good document, although there are some valid criticisms. I like that the document clearly states that coercive use of the technology—forcing people to use digital rights management systems, for example—is inappropriate:

The use of coercion to effectively force the use of the TPM capabilities is not an appropriate use of the TCG technology.

I like that the document tries to protect user privacy:

All implementations of TCG-enabled components should ensure that the TCG technology is not inappropriately used for data aggregation of personal information.

I wish that interoperability were more strongly enforced. The language has too much wiggle room for companies to break interoperability under the guise of security:

Furthermore, implementations and deployments of TCG specifications should not introduce any new interoperability obstacles that are not for the purpose of security.

That sounds good, but what does “security” mean in that context? Security of the user against malicious code? Security of big media against people copying music and videos? Security of software vendors against competition? The big problem with TCG technology is that it can be used to further all three of these “security” goals, and this document is where “security” should be better defined.

Complaints aside, it’s a good document and we should all hope that companies follow it. Compliance is totally voluntary, but it’s the kind of document that governments and large corporations can point to and demand that vendors follow.

But there’s something fishy going on. Microsoft is doing its best to stall the document, and to ensure that it doesn’t apply to Vista (formerly known as Longhorn), Microsoft’s next-generation operating system.

The document was first written in the fall of 2003, and went through the standard review process in early 2004. Microsoft delayed the adoption and publication of the document, demanding more review. Eventually the document was published in June of this year (with a May date on the cover).

Meanwhile, the TCG built a purely software version of the specification: Trusted Network Connect (TNC). Basically, it’s a TCG system without a TPM.

The best practices document doesn’t apply to TNC, because Microsoft (as a member of the TCG board of directors) blocked it. The excuse is that the document hadn’t been written with software-only applications in mind, so it shouldn’t apply to software-only TCG systems.

This is absurd. The document outlines best practices for how the system is used. There’s nothing in it about how the system works internally. There’s nothing unique to hardware-based systems, nothing that would be different for software-only systems. You can go through the document yourself and replace all references to “TPM” or “hardware” with “software” (or, better yet, “hardware or software”) in five minutes. There are about a dozen changes, and none of them make any meaningful difference.

The only reason I can think of for all this Machiavellian maneuvering is that the TCG board of directors is making sure that the document doesn’t apply to Vista. If the document isn’t published until after Vista is released, then obviously it doesn’t apply.

Near as I can tell, no one is following this story. No one is asking why TCG best practices apply to hardware-based systems if they’re writing software-only specifications. No one is asking why the document doesn’t apply to all TCG systems, since it’s obviously written without any particular technology in mind. And no one is asking why the TCG is delaying the adoption of any software best practices.

I believe the reason is Microsoft and Vista, but clearly there’s some investigative reporting to be done.

(A version of this essay previously appeared on CNet’s News.com and ZDNet.)

EDITED TO ADD: This comment completely misses my point. Which is odd; I thought I was pretty clear.

EDITED TO ADD: There is a thread on Slashdot on the topic.

EDITED TO ADD: The Sydney Morning Herald republished this essay. Also “The Age.”

Posted on August 31, 2005 at 8:27 AM

The Kutztown 13

Thirteen Pennsylvania high-school kids—Kutztown 13—are being charged with felonies:

They’re being called the Kutztown 13—a group of high schoolers charged with felonies for bypassing security with school-issued laptops, downloading forbidden internet goodies and using monitoring software to spy on district administrators.

The students, their families and outraged supporters say authorities are overreacting, punishing the kids not for any heinous behavior—no malicious acts are alleged—but rather because they outsmarted the district’s technology workers….

The trouble began last fall after the district issued some 600 Apple iBook laptops to every student at the high school about 50 miles northwest of Philadelphia. The computers were loaded with a filtering program that limited Internet access. They also had software that let administrators see what students were viewing on their screens.

But those barriers proved easily surmountable: The administrative password that allowed students to reconfigure computers and obtain unrestricted Internet access was easy to obtain. A shortened version of the school’s street address, the password was taped to the backs of the computers.

The password got passed around and students began downloading such forbidden programs as the popular iChat instant-messaging tool.

At least one student viewed pornography. Some students also turned off the remote monitoring function and turned the tables on their elders, using it to view administrators’ own computer screens.

There’s more to the story, though. Here’s some good commentary on the issue:

What the parents don’t mention—but the school did in a press release—is that it wasn’t as if the school came down with the Hammer of God out of nowhere.

These kids were caught and punished for doing this stuff, and their parents informed.

Over and over.

Quoth the release:

“Unfortunately, after repeated warnings and disciplinary actions, a few students continued to misuse the school-issued laptops to varying degrees. The disciplinary actions included detentions, in-school suspensions, loss of Internet access, and loss of computer privileges. After each disciplinary action, parents received either written notification or telephone calls.”

What was the parents’ reaction to those disciplinary actions? Some of them complained that—despite signing a document agreeing to the acceptable use policy—the kids should be able to do whatever they wanted to with the free machines.

“We signed it, but we didn’t mean it”?

Yes, the kids should be punished. No, a felony conviction is not the way to punish them.

The problem is that the punishment doesn’t fit the crime. Breaking the rules is what kids do. Society needs to deal with that, yes, but it needs to deal with that in a way that doesn’t ruin lives. Deterrence is critical if we are to ever have a lawful society on the internet, but deterrence has to come from rational prosecution. This simply isn’t rational.

EDITED TO ADD (2 Sep): It seems that charges have been dropped.

Posted on August 22, 2005 at 6:56 AM

Redefining Spyware

The problem with spyware is that it can be in the eye of the beholder. There are companies that decry the general problem, but have their own software report back to a central server.

This kind of thing can result in a conflict of interest: “Spyware is spyware only if I don’t have a corporate interest in it.” Here’s the most recent example:

Microsoft’s Windows AntiSpyware application is no longer flagging adware products from Claria Corp. as a threat to PC users.

Less than a week after published reports of acquisition talks between Microsoft Corp. and the Redwood City, Calif.-based distributor of the controversial Gator ad-serving software, security researchers have discovered that Microsoft has quietly downgraded its Claria detections.

If you’re a user of AntiSpyware, you can fix this. Claria’s spyware is now flagged as “Ignore” by default, but you can still change the action to “Quarantine” or “Remove.” I recommend “Remove.”

Edited to add: Actually, I recommend using a different anti-spyware program.

Posted on July 14, 2005 at 5:05 PM
