Saturday, November 05, 2005

Russinovich and a Blizzard of Threats


I was telling my sons, avid players of Blizzard's World of Warcraft, all about the Sony BMG fiasco: the Digital Rights Management (DRM) software that Sony licenses from First 4 Internet to copy-protect its CDs employs rootkit technology, the same technology criminals use to hide their nefarious activities on hijacked systems.

They weren't too familiar with rootkits, but I was surprised to discover that they were both already aware of the situation (thanks to a high-school science teacher in Friday's class). In addition, one of my sons mentioned that he suspected a connection with Blizzard's Warden, the euphemistic name given by World of Warcraft enthusiasts to the controversial program Blizzard uses to detect cheaters. That program scans players' systems, ostensibly to detect files used to cheat at the game. (In case you're interested, a strong case can be made that Blizzard is using spyware every bit as alarming as what Sony has done with its copy protection; see 4.5 million copies of EULA-compliant spyware, 5-Oct-2005.)

I didn’t really get the connection my son suspected at the time, but since then I’ve discovered that there is a strong likelihood of an actual connection. (It was Mark Russinovich’s follow-up blog More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home that gave the link to the following World of Warcraft story.)

Yesterday, The Register published an article entitled World of Warcraft hackers using Sony BMG rootkit. In that article, the author claims that anonymous World of Warcraft hackers have confirmed that they can use the Sony BMG rootkit to hide from the Warden simply by adding the prefix "$sys$" to the names of files used to cheat at the game. The article is copyrighted by SecurityFocus but doesn't indicate who the author is, nor does it reveal the names of these unnamed hackers or offer proof that the World of Warcraft anti-cheat system is actually being thwarted.

Mark Russinovich makes another point that has prompted me to investigate the “phoning home” system in greater detail. I can’t name names yet until I’ve done the research, but I suspect some commercial software companies are using similar technology to “phone home” whenever an unauthorized user starts up a copy of their application.

In the network I manage, we've seen software behaviour which led us to suspect the application was "phoning home". We were curious as to how the vendors accomplished their goal. We suspect that every time the application is loaded, an ID is transferred over an Internet connection to the vendor's database. The database then checks that ID against its records and counts the number of sessions currently open against that ID number. Then, if the number exceeds what the license agreement permits, the user is contacted immediately and notified that he/she is attempting to use the software illegitimately. The program then aborts loading.
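To make the suspected mechanism concrete, here is an added example (not code from the post, nor from any vendor mentioned in it) that models the server side of such a concurrent-session check. The license IDs, seat counts and host names are constructed for illustration; the only thing the client is assumed to send is its license ID plus a host identifier, which is exactly the data a user would want to see disclosed in the EULA.

```python
"""Toy model of a concurrent-session license check (hypothetical).

The server holds, per license ID, the number of seats purchased. Each
application start sends (license_id, host); it is admitted only while the
count of hosts with an open session is below that limit, otherwise the
client is told to abort loading. An audit log records every exchange so an
administrator can see precisely what a "phone home" transmits.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class LicenseServer:
    # license ID -> seats purchased (constructed sample data lives in the test)
    seats: Dict[str, int]
    # license ID -> hosts currently holding a session
    open_sessions: Dict[str, Set[str]] = field(default_factory=dict)
    # (license_id, host, allowed) for every check-in, oldest first
    audit_log: List[Tuple[str, str, bool]] = field(default_factory=list)

    def check_in(self, license_id: str, host: str) -> bool:
        """Called when the application starts. True = may load, False = abort."""
        allowed = self._admit(license_id, host)
        self.audit_log.append((license_id, host, allowed))
        return allowed

    def _admit(self, license_id: str, host: str) -> bool:
        if license_id not in self.seats:
            return False                      # unknown ID: refuse outright
        sessions = self.open_sessions.setdefault(license_id, set())
        if host in sessions:
            return True                       # same machine relaunching; already counted
        if len(sessions) >= self.seats[license_id]:
            return False                      # licensed seat count exceeded
        sessions.add(host)
        return True

    def check_out(self, license_id: str, host: str) -> None:
        """Called when the application exits; frees the seat for another host."""
        self.open_sessions.get(license_id, set()).discard(host)

    def sessions_open(self, license_id: str) -> int:
        return len(self.open_sessions.get(license_id, set()))
```

Note the two edge cases the prose glosses over: a relaunch from a host that already holds a seat must not be counted twice, and a seat only becomes free again when the client checks out. An implementation that never receives the check-out (crash, network drop) will keep refusing legitimate users until sessions expire, which is one reason such schemes tend to add timeouts.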

I don't have a problem with requiring users to purchase licensed copies of software. But I do dispute the right of a software vendor to "phone home" and keep track of application sessions if that behaviour is not explicitly disclosed in the end user license agreement (EULA).

In the case of Sony, despite their protestations that "phoning home" doesn't happen at all, Russinovich has confirmed that the DRM software Sony uses does check whether there are any updates for the album art and lyrics. Sony could, in theory, use the same channel for other, less legitimate purposes.

It makes you wonder what else vendors might be doing on your computer. Perhaps more importantly, what kind of legal protection can we expect from our governments to prevent and prosecute this kind of vendor behaviour?

1 comment:

Anonymous said...

Great post! I hope you don't have rootkits on your computer! And leave Blizzard out of this :P !