Kuro5hin.org: technology and culture, from the trenches
create account | help/FAQ | contact | links | search | IRC | site news
[ Everything | Diaries | Technology | Science | Culture | Politics | Media | News | Internet | Op-Ed | Fiction | Meta | MLP ]
We need your support: buy an ad | premium membership

[P]
Anti-piracy backdoors in software ethical?

By inspire in News
Thu Apr 20, 2000 at 12:56:51 PM EST
Tags: Security (all tags)
Security

About a week ago, it was discovered that the Dansie shopping cart had a security hole (to quote an overused cliche) the Titanic could've sailed through. The author claims it to be a "copyright protection features that poses NO security risk..."

The backdoor allows the author of the software, with the correct password (hidden by a trivial security scheme), to execute commands as the webserver user on any of the software user's servers.

Reports can be found on BugTraq.

My comments follow...


Claims of backdoors in software are not new (see the recent articles on the MS IIS4 fiasco on Slashdot). Nor is copy protection. But what do you get when you mix them together, and throw in security through obscurity and draconian licensing issues for good measure?

A fine mess.

What is clear to me is the dishonesty in which the software author has acted. Whilst his intentions may have been benign, inserting backdoors in programs tends to breed mistrust between the developers and the users. Users of software have the right to know exactly what the software is capable of, and exactly what level of control that external parties have over their computers once the software is installed.

Whilst copy protection has never really worked (people have said that the only use for copy protection is to prevent legitimate users from using their software effectively, whilst pirates will inevitably crack even sophisticated CP schemes), the developers of commercial software also have some sort of right to protect their intellectual property.

Whilst OSS is a good model of a developer-user relationship, obviously not all software can be developed under such a license. So, how does a software developer protect their IP effectively (and lets face it, stricter licenses are not effective), without violating the rights of the users?

Sponsors

Voxel dot net
o Managed Hosting
o VoxCAST Content Delivery
o Raw Infrastructure

Login

Related Links
o Slashdot
o Dansie shopping cart
o BugTraq
o MS IIS4 fiasco
o security through obscurity
o draconian licensing issues
o not effective
o Also by inspire


Display: Sort:
Anti-piracy backdoors in software ethical? | 23 comments (23 topical, editorial, 0 hidden)
There has been a recent upsurge in ... (none / 0) (#2)
by hattig on Thu Apr 20, 2000 at 12:21:17 PM EST

hattig voted 1 on this story.

There has been a recent upsurge in software including email facilities built-in. Each bit of software has a unique ID on or supplied with the CD-ROM media. When the software is used, if it detects a net connection it will send an email off with certain details (computer name, IP address, software version & ID etc) to the company that made the software. If more than one email comes through with the same ID then the company knows that it has been pirated. Not much they can do about it though :-) it allows them to collect proper statistics about the extent of piracy.

Re: There has been a recent upsurge in ... (3.00 / 1) (#11)
by nicktamm on Thu Apr 20, 2000 at 02:18:33 PM EST

And it also allows them to lose many customers when it is discovered that they are doing this.

Thats one of the problems with this sort of copy protection: if you tell customers about it, they then know what to look for if they are planning to pirate it, if you don't tell them it will get discovered (and probably by pirates anyway who will just go and disable it) and you will be considered one of the most evil and unethical companies/programmers ever to write a piece of software.

Everytime a company that has been doing this has been discovered, message boards have been full of reactions such as "I'll never buy anything from them again!" and other such money-losing bad PR. Even the little guys get the same reaction. Recently a program came out for BeOS that would send a piece of email when it was run to the author, and as soon as the problem was reported, sites such as benews.com were full of user comments claiming that nobody would buy anything from the author again as he had lost the communities trust by stealing personal private information. This couldn't have been a reaction to the fear that a mega-corporation was stealing personal information as this was the guy's first piece of software he was selling (I think) and he couldn't have sold more than 100 copies.

All that the emails contained were a number and, IIRC, some information on the computer's hardware. It doesn't matter how innocent the information in the email is. All that needs to be heard is that you are sending email back to the mothership and instantly you have a PR nightmare on your hands. They are cataloging our addresses to sell to spammers! They're invading our privacy, and no matter how small of an invasion it is, it is still an invasion! etc.

So the moral of this story is that any unannounced copy-protection scheme tends to fail in this manner. Admittedly, the backdoor in the shopping cart is MUCH WORSE, especially if an "e-commerce" site is stupid enough to store credit cards on the same server as this script.

Hmm, how about this as a method of copy-protection: why not use meta tags and use the search engines to find people who aren't paying for use of your scripts? Its easy to change the meta tags, but there must be some way to work information based on the serial number or something into the output page and make that information being passed back (such as through a form) critical to the continued operation of the script.
Nick Tamm nick-k5@echorequest.net http://www.nicktamm.org
[ Parent ]

A good point. ... (none / 0) (#5)
by ishbak on Thu Apr 20, 2000 at 12:27:53 PM EST

ishbak voted 1 on this story.

A good point.

It's a question of trust, I think. ... (none / 0) (#3)
by marlowe on Thu Apr 20, 2000 at 12:39:31 PM EST

marlowe voted 1 on this story.

It's a question of trust, I think. Do you believe that our software vendor has your best interests at heart? The neat thing about open source is this sort of question doesn't come up.
-- The Americans are the Jews of the 21st century. Only we won't go as quietly to the gas chambers. --

I was with it till the 5th use of "... (2.00 / 1) (#4)
by bgp4 on Thu Apr 20, 2000 at 12:51:38 PM EST

bgp4 voted 0 on this story.

I was with it till the 5th use of "whilst"
May all your salads be eaten out of black hats

Re: I was with it till the 5th use of "... (none / 0) (#6)
by pretzelgod on Thu Apr 20, 2000 at 12:59:39 PM EST

Hmm, that's odd. He only said "whilst" four times. :)

-- 
Ever heard of the School of the Americas?


[ Parent ]
Re: I was with it till the 5th use of "... (none / 0) (#8)
by inspire on Thu Apr 20, 2000 at 01:10:09 PM EST

Whilst. There :)
--
What is the helix?
[ Parent ]
If the author fully disclosed that ... (none / 0) (#1)
by joeyo on Thu Apr 20, 2000 at 12:52:17 PM EST

joeyo voted 1 on this story.

If the author fully disclosed that he had placed the backdoor in there then I am not opposed to it. It may still be a really Stupid Idea, but not one which is inherrently unethical. If he kept that fact hidden though.....

--
"Give me enough variables to work with, and I can probably do away with the notion of human free will." -- demi

What actually surprised me... (3.50 / 2) (#7)
by inspire on Thu Apr 20, 2000 at 01:09:30 PM EST

Was the fact that the "encryption" routines were so trivial. It is a simple letter substitution code that anyone moderately familiar with perl could figure out...

tr/a-z0-9/gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth/;

Whats also interesting (although I dont know how much faith to put in this) is the fact that their web site has been defaced before, with an interesting computer security message.
--
What is the helix?

Another interesting approach. (none / 0) (#9)
by inspire on Thu Apr 20, 2000 at 01:21:59 PM EST

Another interesting approach I've found with copy protection and piracy issues is with the popular CD-mastering and copying tool, CDRWIN.

Apparently, if the program detects that the user has entered a stolen serial number, it will accept it quietly, but randomly insert errors into the CDs being burnt, resulting in a coaster.

I'm not too sure I approve of this kind of "punitive" method. The program self-disabling is fine with me, but when you get into the territory of silently breaking things in a user's computer, that is where questions of a programs jurisdiction comes in. Should a CD copying tool be allowed to usurp an internet connection to report back to "home base" quietly?

For now the sensible answer seems to be for the program to disable itself with a warning notice, like what normally happens to expired evaluation programs. Anything else (especially involving data damage, or punitive financial damage to a user) is potential lawsuit territory should one of your routines be insufficiently bug-checked.
--
What is the helix?

Re: Anti-piracy backdoors in software ethical? (2.50 / 2) (#10)
by analog on Thu Apr 20, 2000 at 01:31:29 PM EST

Wow. I hope I read that Deja post wrong. Am I correct that the script emailed the author when it was installed, then the author accessed the machine it was running on and erased it through a backdoor routine? That's not copy protection; that's a trojan. If I bought a piece of software that did that, it would be the last time I did business with that particular company.

This is also a good illustration of the 'licensed, not bought' loophole that software companies love to exploit. This type of activity plays fast and loose with consumer protection laws, but since software isn't bought, it's exempt from most of them.

I also have a problem with the figures trotted about regarding what 'piracy' costs the software industry. The companies releasing the figures almost never say how they were arrived at, and studies done by independent agencies show that a) there are far fewer unauthorized copies of various pieces of software in existence than claimed by the companies (not to say that there aren't a lot), and b) most of the people using unauthorized software would just stop using those programs if they were unable to obtain unauthorized copies; they wouldn't buy them. So the actual loss to the software companies is much smaller than they claim, and quite possibly insignificant.

It doesn't make unauthorized use of software right, but if you've got to exaggerate the figures to support your position, it's a weak position to begin with.

Re: Anti-piracy backdoors in software ethical? (none / 0) (#15)
by rusty on Thu Apr 20, 2000 at 04:31:17 PM EST

Am I correct that the script emailed the author when it was installed, then the author accessed the machine it was running on and erased it through a backdoor routine?

Jesus H Christ. That's illegal intrusion. If someone did that to my box, and I knew who it was, I'd sue their ass so quick...

____
Not the real rusty
[ Parent ]

Re: Anti-piracy backdoors in software ethical? (none / 0) (#12)
by auntfloyd on Thu Apr 20, 2000 at 02:39:05 PM EST

Won't UCITA legalize this practice?  I seem to recall that it allows software
vendors to remotely disable software, presumably in the case that the user's
don't pay up or something.

But there's a lot of room for abuse (obviously), and it seems that true back
doors aren't all that far off.

--- auntfloyd
Re: Anti-piracy backdoors in software ethical? (none / 0) (#13)
by akiraRat on Thu Apr 20, 2000 at 02:47:02 PM EST

I am surprized such backdoors are not discovered earier. Perl programs are not usually distrubuted as binaries, and I would imagine the author would distrubute in source format, which would let the user view the code. Any securty problems would easily be indentified.

Re: Anti-piracy backdoors in software ethical? (none / 0) (#14)
by nicktamm on Thu Apr 20, 2000 at 03:11:15 PM EST

It was distributed as source code, but I guess a couple of factors contributed to its slow discovery.
First off, it was aimed at people who didn't know Perl and was apparently easy enough to setup that you wouldn't need to hire somebody who might know Perl or even general security practices. This backdoor was discovered by someone who was hired to install it and ended up looking at it and finding the backdoor pretty quickly.
Secondly, the parts that did this were apparently encrypted (although not well) in the source code, and everything was a mess to read (no line breaks, and there were messages about licenses throughout it).
Of course, judging from the attrition.org mirror of their site from inspire's message, somebody did find out about this quite awhile ago.
On a side note, I guess their web site is back up, and I noticed that they are offering a patch which "fixes all security problems". I wonder if they are considering this deliberate back door a "security problem" (they've said before it isn't), and if it is fixed in the patch. Also, at least they don't say the script is secure or even safe to run on your server on the features page :)
Nick Tamm nick-k5@echorequest.net http://www.nicktamm.org
[ Parent ]
Professionalism on the web... (5.00 / 1) (#16)
by rusty on Thu Apr 20, 2000 at 04:39:25 PM EST

Looking at their page, I have to say that there's no way in hell I would use anything these people put out. I wouldn't have even downloaded it and looked at the code. Why? Simply because of the look of their site.

This may seem superficial, but in my experience, quality of web design is directly proportional to competence. The "plain gray page" look is popular in unix/linux circles, and that is always reassuring to me-- if someone's distributing their software on a simple, gray page they probably have more important things to do than fool with HTML (like, for example, writing good software). And if the site looks professional and put together, I am usually also reassured, that this is a respectable organization with people on staff who understand web technologies.

But the Dansie page lies in that hideous middle gorund of 1996-era web design. It's ugly as hell, and screams that these people know enough to be dangerous, but not enough to be competent. I have to say, they "hellishly ugly page" metric has served me pretty well up to now. I'd like to hear if anyone else uses this rule of thumb...

And yes, I know there are counter-examples (Larry's page leaps to mind), but that's the way rules of thumb work...

____
Not the real rusty

Re: Professionalism on the web... or lack thereof (none / 0) (#17)
by Pelorat on Thu Apr 20, 2000 at 07:25:21 PM EST

If they were distributing a non-Internet-related product, it might not be so bad... but this guy is claiming to be a site designer?? Ugh.

Have you seen his 'satisfied customers' websites? I almost feel kinda sorry for those people.. almost.

[ Parent ]

Re: Professionalism on the web... (none / 0) (#20)
by Inferno on Thu Apr 20, 2000 at 09:40:23 PM EST

Anyone who trusts a company with that kind of website deserves whatever they get... It's like walking into a store made from old rusty tin and rotting wood, and expecting to get a quality product.

[ Parent ]
Re: Professionalism on the web... (none / 0) (#21)
by Notromda on Thu Apr 20, 2000 at 10:59:39 PM EST

I agree... When I see sites that look like this, I never click through to the sub pages. I wonder if they've ever looked through their server logs to find traffic flows. I'll bet that there aren't any - the entry page is usually the exit page.

I'll stick with minivend, thank you... :)

[ Parent ]

Re: Professionalism on the web... (none / 0) (#22)
by rusty on Fri Apr 21, 2000 at 02:55:55 AM EST

I'll stick with minivend, thank you... :)

Oh my God. Have you ever looked at the minivend source? I spent a week hacking on that once, and ended up throwing my hands up in despair, and swearing I would never go near that nightmare again. MiniVend is basically a lot of hacks, patches, and kludges on top of Vend, which was a hack itself. If you know any perl, I seriously urge you to look at the source of that thing-- it's scary.

Maybe you should look at Open Merchant from OpenSales. :-)

____
Not the real rusty
[ Parent ]

Re: Minivend Source (none / 0) (#23)
by Notromda on Fri Apr 21, 2000 at 10:51:58 AM EST

Yeah, the source is scary.... :) But it't pretty powerfull. I'll take a look Open Merchant, though...

[ Parent ]
Re: Anti-piracy backdoors in software ethical? (none / 0) (#18)
by FlinkDelDinky on Thu Apr 20, 2000 at 08:04:04 PM EST

I heard about this before and it really scared me. If he'd disclosed that he had a verfication system like this, then I've got no problem.

I don't know what to call this but it sounds illegal. Kind of like malpractice. Say one thing and do another.

I understand that people wan't to protect their IP and I've got no problem with that. But I don't think you can violate the "implead" trust with the customer. I've got no problem with disclosed backdoors (or what have you). But I wouldn't buy one (I'd just pay Rusty to code it up for me :-).

Re: Anti-piracy backdoors in software ethical? (none / 0) (#19)
by shepd on Thu Apr 20, 2000 at 09:18:55 PM EST

If you look at it the same way I do, it IS illegal.

Imagine if you got cable TV installed.	You let the installer guy in to install
the cable.  But that is all you want him to do (obviously).  But, instead he
pilfers through your wallet for your personal information, and copies it down. 
Next he takes a set of your house keys, and pushes them into plasticene, ready
to be copied.  And, for the final touch, he finishes his cable installing job,
says bye, and leaves without one word as to his alterior activities.  Also, he
carefully cleans up anything he has messed about with so that you can't easily
tell he stole your info and keys.

Sounds like a burglar?	So what is the maker of this software?	EXACTLY THE
SAME.


[ Parent ]
Anti-piracy backdoors in software ethical? | 23 comments (23 topical, 0 editorial, 0 hidden)
Display: Sort:

kuro5hin.org

[XML]
All trademarks and copyrights on this page are owned by their respective companies. The Rest 2000 - Present Kuro5hin.org Inc.
See our legalese page for copyright policies. Please also read our Privacy Policy.
Kuro5hin.org is powered by Free Software, including Apache, Perl, and Linux, The Scoop Engine that runs this site is freely available, under the terms of the GPL.
Need some help? Email help@kuro5hin.org.
My heart's the long stairs.

Powered by Scoop create account | help/FAQ | mission | links | search | IRC | YOU choose the stories!