Mark's Sysinternals Blog

Monday, February 06, 2006

Using Rootkits to Defeat Digital Rights Management

The Sony rootkit debacle highlighted the use of rootkits to prevent pirates and authors of CD burning, ripping, and emulation utilities from circumventing Digital Rights Management (DRM) restrictions on access to copyrighted content. It’s therefore ironic, though not surprising, that several CD burning and disc emulation utilities are also using rootkits, though the technology is being used in the opposite way: to prevent DRM software from enforcing copy restrictions.

Because PC game CDs and DVDs do not need to be compatible with set-top players software vendors can store data on media in unorthodox ways that require software support to read it. Attempts to make a copy of such media without the aid of the software results in a scrambled version and the software has DRM measures to detect and foil unauthorized copying.

CD burning and emulation software companies owe a significant amount of their sales to customers that want to store games on their hard drives. The legitimate claim for doing this is that it enables fast, cached access to the game., though it is well known that this is also used to make illegal copies of games to share with friends - so content-protected CDs and DVDs present a challenge the companies can’t ignore. One way to deal with the problem is to re-engineer the software that interprets the data stored on the media, but that approach requires enormous and on-going resources dedicated to deciphering changes and enhancements made to the encoding schemes.

An easier approach is to fool game DRM software into thinking its reading data for playing a game from its original CD rather than from an on-disk copy. DRM software uses a number of techniques to try to defeat that trick, but a straightforward one is simply to detect if CD emulation software is present on the system and if so, if the game is being run from an on-disk emulated copy. That’s where rootkits come in. Two of the most popular CD emulation utilities are Alcohol and Daemon Tools and they both use rootkits.

Alcohol advertises itself as enabling you “to make a duplicate back-up to recordable media of nearly all your expensive Game/Software/DVD titles, and/or an image that can be mounted and run from any one of Alcohol's virtual drives”. When you run a RootkitRevealer scan of a system on which Alcohol is installed you see several discrepancies:

The first two are data mismatches whereas the last one is a key that’s hidden from Windows. A data mismatch occurs when RootkitRevealer obtains a different value from a Registry API than it sees when it looks at the raw Registry data where the value resides. When you view either of the values in Regedit they appear to be composed of sequences of space characters:

Why would Alcohol want to use data mismatching rather than the typical cloaking technique to hide the value altogether? The values in question are located in HKLM\Software\Classes\Installer\Products and HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall and both areas are where applications store information for use by the Windows Add/Remove Programs (ARP) utility. ARP uses the ProductName value in an application’s Products key as the name it displays in its list of installed applications so an empty value implies that we should see a product with no name in the list. However, a quick look shows that there are no missing names and we know that the value is associated with Alcohol, but it shows up in the list:

Using Regmon to capture a Registry activity trace of ARP, which as a Control Panel applet is implemented as a DLL hosted by Rundll32.exe, confirms that ARP reads displayed Alcohol text from the mismatched ProductName value whereas Regedit sees only empty data for the same value:

The other mismatched value behaves the same way and it’s my guess that Alcohol masquerades strings that identifies its presence on a system from anything but ARP in order to avoid detection by DRM software like that included in games that disable themselves in the presence of CD/DVD copy and emulation software. There are many other signs DRM software can use to sense Alcohol’s presence, but the Alcohol developers likely discovered that a check of installed products is or was the most commonly used.

The remaining RootkitRevealer discrepancy is the cloaked Jgdd40 key in the Config subkey of the Vax347s driver. Alcohol must include a device driver that presents phantom devices to Windows in order to create virtual CD and DVD devices and Vax347s is the driver that fills that role. An easy way to see inside a cloaked Registry key is to open the parent of the inaccessible key in Regedit, choose Export from the File menu and select Registry Hive Files from the format drop down. Then copy the file to a different system, launch Regedit, navigate to HKLM, and choose Load Hive in the File menu. The name you enter for the key is up to you. When you follow the steps on the cloaked key you see a single value, Ujdew, within it:

The contents are binary data, but my guess is that it describes the volumes that the driver virtualizes. Game DRM software that is Alcohol-aware would be unable to determine whether the volume from which it was executing was on a real device or one that was emulated. Evidence that supports this theory lies in Jdgg40’s parent key, Config, which also contains a single value named Ujdew, but with slightly different contents than the one that’s hidden. The second value is almost certainly a decoy to throw off DRM developers that determined that it at one time contained virtual drive mappings:

Alcohol, like Sony’s rootkit, uses system call hooking to intercept Registry APIs and manipulate their behavior. This memory dump of the Windows kernel-mode system call table contains addresses that fall outside of the kernel image, the telltale sign of a system-call hook:

The addresses correspond to Registry-related system calls and the debugger confirms that the addresses lie in a second Alcohol driver, Vax347b, that’s responsible for the cloaking:

On a system with Daemon Tools installed RootkitRevealer reports the presence of a single discrepancy:

An interesting aspect of Daemon Tools’s rootkit is that it doesn’t cloak the presence of the key listed, but rather denies access even to RootkitRevealer, which should be able to open any key regardless of the key’s security. Following the same steps I described earlier for gaining access to off-limit keys unveils the key’s contents:

Paralleling the Alcohol example, the key is part of Daemon Tools’ virtual device driver and appears to contain configuration information, implying that Daemon Tools hides the key to fool game anti-emulation software by preventing it from finding a way to distinguish virtual volumes from real ones.

There’s no proof that Alcohol and Daemon Tools use rootkits to evade DRM, but the evidence is compelling. If they do their usage is clearly unethical and even potentially runs afoul of the US Digital Millennium Copyright Act (DMCA). In any case, there’s no reason for these products, or any product as I’ve stated previously, to employ rootkit techniques.

[2/7/06: Clarification: when I say "their usage is celarly unethical" I'm not referring to users of the products, but to the utilities themselves being designed to circumvent DRM. I've previously defined rootkits and explained their risks.]

Speaking of rootkits, here’s an amusing video of a song named Patch Me Up by the North Sydney band Rootkit.

posted by Mark Russinovich @ 9:27 AM

Comments:

Leaving aside the DMCA (which doesn't apply outside the US anyway), I don't see what's unethical about enabling the user to exercise their fair use rights. If hiding from agressive DRM is the best or only way round it, and since it's clearly being done with the users' consent, what's the problem?

How else would you defeat schemes like this?

# posted by Anonymous : 10:24 AM, February 06, 2006

So Daemon Tools actively hide from other programs, right ?

So any program (DRM!) which tries to actively detect Daemon Tools using any mean is effectively violating the DMCA itself...

:)

# posted by Anonymous : 10:46 AM, February 06, 2006

DMCA prohibits circumvention of copy protection. DRM detecting Daemon Tools is not an attempt to evade copy protection, its trying to enforce it.

# posted by Mark Russinovich : 10:53 AM, February 06, 2006

Any chance that they could be doing anything other than just defeating DRM?

# posted by Josh : 11:34 AM, February 06, 2006

I use Daemon Tools routinely for perfectly legitimate reasons. I find it jolly handy when mastering CDs to mount them in Daemon Tools first for checking rather than wasting time burning a CD-RW (I try not to use CD-R media if I can help it; I dislike waste).

That said, Daemon Tools seems to have gained in popularity more on the strength of its utility in letting impoverished gamers play their, ahem, "backup" copies of games, than on the strength of its perfectly useful, and legal, applications. This is a shame, frankly, because it's an extremely useful program, and I wouldn't like to see it disappear just because some good-for-nothings figured it'd be better to "borrow" their mate's copy of a game instead of buying it themselves.

I don't know the development history of Daemon Tools, but I do wonder which came first, the detection of Daemon Tools by other software, or the cloaking techniques to evade such detection. If the latter, then one might indeed wonder what the motivation was in creating Daemon Tools in the first place.

# posted by Alex Morris : 11:59 AM, February 06, 2006

I'm an Alcohol 120% user, I find it invaluable to both make backup copies of my kids games, the kids, if using the original CDs will destroy them and then the game will no longer be installable (we "trickle down" PCs to the kids every 6 months or so) or in some extreme cases can't even be played. Before I started doing this I bought some games twice, or in one case, three times. (luckily the games get cheaper as they get older so the game I paid $50 for the first time only cost me $20 the last)

Recently I also started using Virtual CD technology so the kids don't even have to handle copies of CDs, which also improves the performance of the games (the kids PCs, being "tricled down" are sub 1000Mhz P3s and worse), though I just use the MS Virtual CD Control panel to mount ISOs I created with Alcohol.

Interestingly, for most games the MS Virtual CD control virtual CD drives work, but some (such as Flight Simulator 2004) won't work, where they will work with an Alcohol virtual CD if I install a trial version of Alcohol 52% and use it instead of the MS Virtual CD control.

So it appears that Alcohol's use of rootkit techonlogy is effective, I don't see how it's unethical (though it probably does violate the DMCA (AKA the wholesale sellout of consumer rights by our government to the "copyright cartel") they aren't a U.S. company AFAIK and aren't subject to U.S. law). As a consumer I'm thrilled that they have figured out a way to defeat the copy protection & DRM which seeks to infringe upon MY fair use rights.

I'm well aware that there are people using this technology for nonlegal & unethical purposes, but I also firmly believe that for every person who uses software like Alcohol to make or run an illegal copy of software there are ten more who are prevented from legally using software they paid good money for thanks to the DRM & Copy Protection.

# posted by Robert Aitchison : 12:22 PM, February 06, 2006

I fail to see how it is unethical. If a person copies a game they do not own, and uses that technology to allow them to use it, that is unethical. They employed a variety of technologies to achieve their goal, but it was their actions that were unethical, not the application nor its creators. CD burners also have significant infringing uses, does that make them also unethical?

It is not like the program stealthily intrudes onto your system; you choose to install it, knowing its purpose. And, if you are doing a non-infringing use (you own said DRM protected application), then it could hardly be called unethical, no more so then removing the Sony rootkit from your machine would be.

Whether or not the DMCA is violated is irrelevant to ethics; it is a piece of legislation meant to enhance copyright holders power; violating it may be illegal(in the US), but not necessarily unethical. Again, circumventing DRM on things you own and have fair-use to is an ideal example.

# posted by Paul Kierstead : 12:46 PM, February 06, 2006

# posted by Mark Russinovich : 1:13 PM, February 06, 2006

But until they decided to try to remove our fair-use rights, there was no need to circumvent. And so it goes 'round and 'round. It is the markets way to of trying to sort things out in the absence of sensible social structures (i.e. laws).

# posted by Paul Kierstead : 1:24 PM, February 06, 2006

Interesting reporting on Alcohol 120%, Mark, given what the author claims here:

http://forum.alcohol-soft.com/index.php?showtopic=21957

# posted by Anonymous : 2:06 PM, February 06, 2006

"There are no security issues with these hooks, they are used primarily to protect our own registry, future versions of the software will introduce less hooks and versions of Windows 2003 and over will have no hooks."

What they mean is that the hooks protect their own Registry keys from view by applications they want to hide from. Their reference to doing away with the hooks on Server 2003 infers that they will use the Registry callback mechanism (new to Server 2003) instead of system-call hooking for the same purpose. They never acknowledge using a rootkit nor do they say they won't use one in the future.

# posted by Mark Russinovich : 2:33 PM, February 06, 2006

The vendors in this case aren't acting unilaterally; they're helping the user to act. The difference is that these products are explicit that circumventing restrictions is part of their feature set.

It seems you don't approve of circumventing DRM, or promoting such circumvention in general - if that's the case, then why? Surely the machine's owner should be able to decide what their own computer does?

# posted by Anonymous : 2:47 PM, February 06, 2006

Might also be very interesting to take a look into the Starforce Copy-protection.

# posted by Anonymous : 2:56 PM, February 06, 2006

If Mark thinks that Daemon tools is unethical because it bypasses DRM, he should remember that DRM is already illegal in many European countries because it violates the fair use rights granted by law.

See for example: http://www.mcelhearn.com/article.php?story=20060120111212217

Which is worse ? Major publishers selling illegaly DRMed products or companies offering software workarounds for said DRM ?

# posted by Anonymous : 3:35 PM, February 06, 2006

It's common for "copy protection" schemes in games to search for Daemon Tools on the system and fail to run if it's installed.

More specifically, I spent a good deal of time trying to figure out why a game I had just purchased was crashing to desktop without an error message -- patched to latest version, retail CD in drive, no circumvention attempted or even planned but happening to run on the same system Daemon Tools was installed on.

That's when I learned that these copy protection systems incorporate "blacklists" of programs and that the companies using these systems have no problem dictating what software I may have on my system next to their game.

This scheme had nothing to do with detecting an attempt to circumvent copy protection. The software was on my system for legit purposes (mounting .ISO images for testing). That was years ago, and these companies are still doing it (although now at least they usually make mention of it in their technical support FAQs). So perhaps one would more appropriately call shenanigans on the companies intentionally breaking their software to give utilities on my system a bad name; the Daemon Tools behavior is necessary and encouraged by its users.

(BTW: kudos for sysinternals.com and your technical articles -- they've bailed me out on more than a couple of visits and provided interesting reading the others)

# posted by Anonymous : 3:38 PM, February 06, 2006

Copy protection and huge number of bad sectors on the CDs can make the CD drive slow (the best case scenario) and unresponsive.
Alcohol+DaemonTools help to solve the problem.

# posted by Anonymous : 3:47 PM, February 06, 2006

Wow... Can we get back to the rootkit discussion? Personally, I am of the mind that a rootkit is a rootkit. In my mind there is no difference between a good rootkit and a bad rootkit.

If a vendor, or an individual has written software that manipulates my operating system in a way to hide aspects of my system from me then it has crossed the line. A rootkit seems to me to be an easy way out for vendors. There must be 'cleaner' and therefore better ways to accomplish the same goal.

I am in charge of my computer, nobody else (hopefully).
:-)

# posted by Anonymous : 3:48 PM, February 06, 2006

"It seems you don't approve of circumventing DRM, or promoting such circumvention in general - if that's the case, then why? Surely the machine's owner should be able to decide what their own computer does?"

The argument that "it's not the tools, it's how you use them" doesn't really fly here. It's one thing to empower users with software that helps them get fair use out of media they have bought. But if the product contains functionality solely placed there to bypass DRM technology, then what exactly is the point?

# posted by Wes : 3:59 PM, February 06, 2006

Mark,

Sorry, but you're just wrong on this one. Cirumventing protections in order to exercise my Fair Use rights is perfectly ethical. I have virtually all my games copied to my hard drive and use Daemon Tools to switch between them. All these games are bought and paid for. There's no legitimate ethical issues about this at all, they're simply enabling me to exercise my legitimate rights.

Now, it may indeed be illegal, but nobody said that the law and what is right had to match one another.

# posted by Otto : 4:02 PM, February 06, 2006

The third rulemaking proceeding under DMCA section 1201 is currently in progress. Specifically, some of the comments deal specifically with privacy and security issues that arise with the use of rootkits. (check out the second requested exemption in Comment #2)

Compyright.gov Comments Page

Also, check out an article released by the eff...addressing the DMCA as an area controlled by the industry.

Eff DMCA Rulemaking Broken (Warning PDF ahead)

# posted by tyrrell : 4:04 PM, February 06, 2006

Alcohol seems to be used very much lately for these kind of actions

# posted by Ivan Minic : 4:10 PM, February 06, 2006

What I view as unethical, even if it isn't illegal, is software vendors unilaterally taking licensing, fair use and DRM issues into their own hands by implementing features that promote the general circumvention of DRM.

So what's the alternative? The DRM & Copy Protection is there to inhibit the exercise of fair use rights (and to a much lesser extent, to prevent piracy), the DMCA is there to make sure it's all perfectly legal (the DMCA is worth every penny they paid for it) what am I as a consumer supposed to do?

If you ask the copyright cartel I'm just supposed to bend over, take it like a man and ask for more, this is sadly what most consumers do.

There's always the "vote with your wallet" option but with DRM & copy protection nearly universal that's not a terribly practical solution.

As for the sftware vendors, (i.e. Alcohol), they are just filling a need as any company would, I'm sure that their use of rootkit technology was an answer to copy protection software that sought to detect it (I'd bet that older versions of Alcohol did not utilize rootkit technology). The copyright cartel are hardly "playing fair" (even if they do have the law on their side), why shouldn't companies like Alcohol be able to adapt to be able to continue to meet their customers needs.

It sounds like you are arguing that we (consumers) should not be able to get past DRM & Copy Protection for legal fair use protected purposes, or that companies should not provide tools to help us do this, just because there are otther people who would use the same tools for illegal purposes.

# posted by Robert Aitchison : 4:17 PM, February 06, 2006

Otto - Mark didn't say the use of the two tools was potentially unethical, but that their use of rootkits - esp. if used to circumvent DRM - was.

# posted by Wes : 4:19 PM, February 06, 2006

So is there another way for a company like Alcohol to prevent their detection other than through use of rootkit methods?

# posted by Robert Aitchison : 4:42 PM, February 06, 2006

First, I say that I support the circumvention of DRM in all cases. Unless the parties to the DRM have signed a contract mandating the use of DRM, I find the use of DRM unconscionable, because it unfairly impinges on fair use rights. Moreover, the contract in question would be a civil matter. Any action taken after circumventing DRM is already covered by copyright law.
Anyway, the problems with this software are:
- Is the user suitably informed that a rootkit is installed?
- Does the rootkit expose security problems?
I wonder if it would be possible to ask the software in question not to hide form certain processes, or only hide from from certian processes?

# posted by Anonymous : 5:08 PM, February 06, 2006

The following letter is my PERSONAL VIEW of this
article and the motivation behind it: it does in
NO way reflect the opinion of The Daemon Tools Team,
it is only the opinion of a member, however, I
will not post totally anonym to let you know that
I read your article and that I find your comments
interesting.

Apart from the technical correctness, I find it
interesting how can someone mention "DMCA" (funny,
as if the whole world live in USA!) and on the
other hand publish internal mechanisms of other
peoples software. I'm not sure, but to me it seems
like reverse engineering, although
we do not even think about lawyers here. Yes, Mr.
Russinovich, try that with other vendors and you
will see the difference. That doesn't mean
necessarily that we accept his behaviour, to me
this guy is "prey water and drink wine". Some
people seems to be "ethical more equal" then others,
seems to be entitled to use any method while others
only defend themselfes and get bashed for that
reason.

Well, yes, the technical description is in fact
not untrue.

What worries me the most is that Mark Russinovich,
whom we always respected as a honorable person,
did never contacted us to talk about our intentions
nor does he ever contacted anyone of our team.

While I have big respect for his work, it seems one
here lacks at least what I would call "honorable
behaviour, good attitude" or whatever you want to
call it.

In my personal opinion(!) it seems to me that Mark
Russinovich is hardly defending the DRM-Lobby, so
his comments about DRM and DaemonTools are under-
standable (from his point of view).

Yes, DaemonTools use Rootkit-Technology. But:
We never tried to "hide" that fact from the users.
And you must AGREE to install our software. We
are not interested in personal data. And you have
the nerves and mention DT/Alcohol and Sonys rootkit
in the same phrase? My gosh!
For what reasons? Do we harm someone here? Only because
Mr. Russinovich sees no deeper reason behind it it
makes DaemonTools a bad application which harms the user?

Do you really think we designed this for fun? I think
everyone can imagine why we had no other choice. For
gods sake, some posters here doesn't believe any word
that is written only because it is from a very honorable
person. And again: I can even understand his thoughts,
he support copyprotections, lobbyism and dmca, tcpa and
drm. Good, thats an opinion and we respect that, but I
find it really strange that without proper reason some-
one try to destruct our reputation and that without even
one single notice to US!

If there's one thing I dislike it is when without
SECURITY-reasons type in a complete articel to discredit
the DaemonTools Team.

Moreover I want to add that we always react and do not
pro-actively implement functions (hooks, if you like),
but instead often have to react to even make an
uninstallation of DaemonTools unneccessary - even if
the user plays from original!!! Imagine that, I'm pretty
sure that this behaviour alone is not fully legal, but
again, that is my opinion and you are entitled to have
your own. You are welcome to show us your new vdrive-
design which makes all this possible without RK-technology
only to satisfy some "I'm pissed off by this technology"-
guy!

I'm really curious about the next articles from Mark,
it's sad that such an intelligent person isn't even
able to write some lines to get in touch with the
authors. If something is unethical, than it is THIS
behaviour and nothing else. Apart from that in most
countries emulation is legal. At the end of the day,
our drive is nothing more or less then a hardware-drive
in a software-form. There are MORE then enough ways to
prevent piracy, f.e. serial-numbers to only mention ONE.
Now go ahead and bash against the other vdrives as well!

I really hope that in the future this is again a site
that is more neutral and Mark doesn't fight the war
for Sony and everyone else who think that all the power
should be in publishers hand and doesn't care a shit
about the users

One day, when DT is gone, maybe Mr. Russinovich will
find out what it means when noone stand in front for
your rights. But then, it seems that he doesn't care
about that rights anyway. To sum it up, the whole article
is written to discredit us. It is a shame in my point of
view. To me here someone is pissed off by reasons I can't
imagine, maybe because his "uberleet" rootkit revealer wasn't
able to open the key or whatever.

however, this is my personal view of things! Now at least
we both had our 15 minutes of fame, correct? If you
want a more serious discussion, you are welcome to contact
me by email, which is locutus@daemon-tools.cc

with best regards
LocutusofBorg

# posted by Anonymous : 5:19 PM, February 06, 2006

Thank you, Mark, for revealing this information. But I think the characterization of Daemon Tools as a tool popular with game stealers is way, way off base.

I have used Daemon Tools to keep CDs out of the hands of small children; I learned how to do so from other parents who have sucessfully done the same thing. It's a common problem these days.

On the other claw, I know a total of *ZERO* people who use Daemon Tools to illegally play games they didn't buy. It is a poor tool for this purpose when "cracked" games that do not require the overhead of Daemon Tools are easily available.

Every "evil game stealer" I ever met runs cracked software. Only legitimate software owners use Daemon Tools. Don't know about Alcohol, never heard of it before now.

# posted by Anonymous : 5:21 PM, February 06, 2006

# posted by Anonymous : 5:34 PM, February 06, 2006

Comparing this software to Sony's rootkit is not a good analogy in my opinion. I laud your efforts to show what this software does, but in the end, it comes down to the fact that the writers of these two pieces of software are NOT trying to fool their customer base into installing unwanted software. they also are NOT comprimising their users systems in such a way as to open the gaping $sys$ hole that sony's rootkit has unleashed on unsuspecting CD/PC owners around the world. These pieces of software are in fact most likley written this way to enable their users to have a CHOICE that DRM enabled Games/CD's try to deny them. Whereas the sony rootkit was attempting to deny their users just this same choice, and infecting their computer with malware, opening security holes, and possibly even defecting their hardware. This is not in any way the same class of software

# posted by Anonymous : 5:41 PM, February 06, 2006

It's interesting what the authors say on that forum page (this one: http://forum.alcohol-soft.com/index.php?showtopic=21957)

The present hooks do not interfere in anyway with other software applications

Of course, that's just rubbish. System hook - by definition - affect the whole system, including other applications.

they are used primarily to protect our own registry

Protect from what, exactly? They say "nor has it claimed to backup DRM media." but they didn't say what they're protecting their registry from.

And anyone who says: "There are no security issues with these hooks" is probably kidding themselves.

# posted by Anonymous : 5:54 PM, February 06, 2006

Fair use is enshrined in law already.

DRM has no consideration of fair use.

If people are pirating software, whether using Daemon Tools or Alcohol or not, they are already breaking the law, irrespective of DRM.

# posted by Anonymous : 5:59 PM, February 06, 2006

Mark suggests that Alcohol uses a rootkit to hide the existence of Alcohol on a computer. It seems strange that they would go to such lengths to install a rootkit to hide themselves, when the application leaves so many other tell-tale signs of its existence.

MyUninstaller (http://www.nirsoft.net/utils/myuninst.html) admittedly can't pick up the name of the Alcohol record, but it can read the Alcohol website. Furthermore Alcohol leaves keys in the standard "software" sections of the registry.

Any application that desires to pick up Alcohol's existence is not going to be put off by an inability to pick up the exact name from the uninstall section of the registry. What could be the purpose of such a half-hearted approach?

# posted by Anonymous : 6:10 PM, February 06, 2006

Mark is not saying that these products are at the same level as the Sony rootkit. Again, the fact that these vendors are using rootkits is the issue at hand, not the 'degree of badness' of these rootkits.

Are we really arguing that some rootkits are ok because the rootkits allow me to do something that is convenient (like bypassing DRM)? Just because the rootkit is convenient for you doesn't mean that the rootkit is 'good'.

# posted by Anonymous : 6:18 PM, February 06, 2006

I also can't believe people are attempting to justify this as "ethical" because their kids might destroy the CDs. I'd say the solution to that one is to teach your damn kids to not destroy your stuff, not to encourage or fund the development of programs designed explicitly to enable software piracy!

Easier said than done, try explaining to your typical 6 year old how it's important to always put CDs away in their case when they are done using them and let me know how that works out.

Almost any tool that has legitimate, lawful purposes can be (and is) used for unlawful purposes as well. Prescription Durgs, Bolt Cutters, Spray Paint, pocket knives, gasoline, the list is endless. It's unreasonable to condemn a product because some people use it for illegal purposes, if that line of think had flown in 1984 we wouldn't have the VCR or DVD recorder, or perhaps even the Personal Computer today.

I pay good money, ofthen times more than $50 for a piece of software, it's my right to make a copy of that software for backup purposes, the copyright cartel does everything in it's power to prevent me from exercising that right, I'll use any tool that will help me do what I have the right to do.

# posted by Robert Aitchison : 6:22 PM, February 06, 2006

# posted by Anonymous : 6:23 PM, February 06, 2006

Wow, I can't believe people are attempting to defend this behaviour as "exercising my fair use rights".

Fair use is a part of a delicate balance struck between copyright holders and society. Note - *balance* is the operative term here. The needs of people are traded off against each other to try and keep things fair.

There *IS* no fair use when DRM is involved. DRM completly unbalances the copyright equation in the favor of hte copyright holder. You have essentially stated that your belief is taht *NO* fair use rights is the appropriate balance.

I also can't believe people are attempting to justify this as "ethical" because their kids might destroy the CDs. I'd say the solution to that one is to teach your damn kids to not destroy your stuff, not to encourage or fund the development of programs designed explicitly to enable software piracy!

That's not your call. These people have a fair use right to make backup copies, and it is not reasonable to expect them to have to buy copies over and over again of the same thing. I have a license, I should be able to use the software. PERIOD. You may thing that it's best to tell people with 5 year olds that they should shoulder more expense just so a business can rape them for more profit, I for one thing the supreme court was correct in setting a reasonable balance between copyright holders and they users of copyrighted material. If the business steals those rights form you by making them impossible to exercise, you are well within your rights to stand up for yourself, and set about reaquiring those capabilities the businesses *stole* from you.

Period.

# posted by Soulcatcher : 6:48 PM, February 06, 2006

You sell allot of guns in America which isn't only used on a test court. Obviously you do not have a problem with some objects beefing sold which can harm others interest.

I find this quite amusing even though i do see that this is a little different. However it is compareable and may the big differences be that the gun industry is quite powerful and rich.....

# posted by Anonymous : 7:07 PM, February 06, 2006

This is NOT actually about DRM. This is about companies using Rootkits in order to perform some function. The fact that these vendors are using rootkits for various reasons (possibly to circumvent DRM. Mark NEVER said that this is definitely why they are using rootkits) is almost irrelevant.

Rootkits are bad! Why is this even being argued?

This u=has turned into a political discussion about DRM when I thought the point was to discuss the tecxhnical aspects of the rootkits.
Oh well...

Mark, please keep up the good work!

# posted by ThisAJoke : 7:11 PM, February 06, 2006

I love how people are saying Rootkits are bad and evil almost as if they were spawned from the depths of hell itself to wreak havoc on humanity. Like some kind of demonic entity (rootkit) that posseses said computer and then beats you to death while your sleeping.

I mean come on, im not going to pretend i understand the full implications and inner workings of rootkits and their effects yet i understand enough, and all this good/bad rootkit shite doesnt hold. They are an inherent part of computer systems which can be invoked by programming and can be used in certain ways for certain ways to certain ends no more no less no good rootkits no bad rootkits

I install daemon-tools to carry out a specific function aslong as far as im concerned it does this incredibly well and i shall continue to use it. To be fair this discussion has barely even touched the surface of rootkits and seems to be more a debate on DRM, DMCA, ethics and piracy.

# posted by Anonymous : 7:45 PM, February 06, 2006

There's a simple difference between Daemon Tools and Sony. Daemon Tools is using a rootkit to fool software. Sony was using a rootkit to fool people. It's the same with the whole class of software that people typically call "spyware" whether it's spying or not. The outrage comes from people being surprised that some surrepticious software was installed without your knowledge.

Daemon Tools were installed with the knowledge of the computer owner, and when they use rootkit technology it's done to achieve some feature that the software claims to have. People are certainly welcome to argue the moral issues associated with "fooling" other software on your system, but the rootkit in this case isn't trying to fool the user.

# posted by Anonymous : 7:46 PM, February 06, 2006

Sorry Mark, I have to side with EFF on this one. DRM does nothing for the consumer. Take Windows XP Product Activation as an example. A warez group releases the corporate edition with no activation required. Now every legitmate paying customer has to put up with Product Activation and the people who didn't pay for it don't. If PA becomes damaged, it locks you out of the operating system.

Want someone to go after? Go after the people distributing the copyrighted goods, not the people that buy the products.

After your article on Sony and them using a rootkit to DEFEND DRM, who the heck would want to deal with DRM software from this point forward? Aren't you encouraging people NOT to use DRM enabled products after the Sony fiasco?

# posted by Adam Leinss : 8:09 PM, February 06, 2006

I agree with the DaemonTools Team member, especially about Mark's lack of courtesy and proper notice.

This is the third time in recent months Mark has reversed another developer's product and blasted it to the world from his popular site.

No regard is given for the consequences to others by Mr. Russinovich. Rather, he uses his talent and training to belittle and berate others.

Mark didn't like it when a buffer overflow was discovered in Process Explorer, and announced "0-day" on Security Focus. Yet he exposes other developers to the same situation.

This is shameful and well below any responsible developers creed.

# posted by C0D3R : 8:15 PM, February 06, 2006

I found Daemon Tools while downloading (legitimately) DVD ISO images from Microsoft's MSDN site. MSDN recommended the use of Daemon Tools to mount their ISO images. Although they did say they don't offer support for the tool :)

# posted by Anonymous : 8:39 PM, February 06, 2006

"There is absolutely no question that the company behind Alcohol 120% makes money out of game pirates illegally stealing other peoples work."

There is also no question that gun manufacturers make money out of criminals who rob, hold hostage, injure, and kill other people. But who is responsible, the gun maker, or the criminal?

# posted by Anonymous : 8:42 PM, February 06, 2006

First off I think Mark's definition of "Rootkit" is wrong. To me a rootkit is something that allows an attacker to gain undeserved rights on my machine. If *I* install something like alcohol on *my* machine and *I* intended to install it, it is an "Operating System Extension". If somebody else installs it on my machine through subterfuge it's a "rootkit".

And once we strip the prejudicial word of "rootkit" off of this situation we have a scene that's been repeated 1000 times in this industry: Company A creates a product that interoperates with Company B's product. Company B tries to break Company A's product. Company A fixes their product. Lather, Rinse, Repeat.

Reminds me of when we were doing OS/2 support of Win32c. MS would release a new patch level that broke OS/2 support. Boca would fix it. MS would release another patch level. It continued until the effort being expended in Boca exceeded the value of playing catch-up.

# posted by Anonymous : 8:46 PM, February 06, 2006

Wes:
But if the product contains functionality solely placed there to bypass DRM technology, then what exactly is the point?

That is precisely the point. The DRM must be circumvented in order to exercise my fair use rights to make backup copies, or to copy the media onto my hard drive and use it from there. Without that functionality, it would not work.

The software authors have designed their protections to specifically target programs like Daemon Tools and thus prevent me from using the software in the way I see fit. Sure I could stick the disc in every time I wanted to play, but that's inconvienent and difficult in my case.

Mark didn't say the use of the two tools was potentially unethical, but that their use of rootkits - esp. if used to circumvent DRM - was.

The use of rootkit tech. is not in any way unethical. It's done this way for a very specific reason, to hide from software protections which specifically target it. The fact of the matter is that there are some game protections out there which will not even run if they detect Daemon Tools or Alcohol 120% on the machine. Even if you're not using those to bypass their protections! This rootkit is a defense against that sort of thing, restoring compatibility. Who are the game makers to say what software I can and cannot have on my machine? I PAID for their freakin' game! They do NOT have the right to determine how I use that game or anything else.

They have the right to prevent me from copying the game insofar as sharing that game with other people. But they've gone beyond that right, and now create their games such that the games fail to work if I have software that they see as "bad" on my machine? Screw *that*.

I know that Daemon Tools/Alcohol 120% uses rootkit-like technology. They don't hide the fact, they admit it. It was intentional. And I welcome it. More power to 'em.

A hammer can build a house or it can crack your skull open. A baseball bat can hit a ball or it can beat a man to death.

Creating a tool is not unethical. Use of that tool can be, but the tool itself is just a tool.

# posted by Otto : 8:46 PM, February 06, 2006

# posted by Anonymous : 8:59 PM, February 06, 2006

To quote an above poster:
"There is absolutely no question that the company behind Alcohol 120% makes money out of game pirates illegally stealing other peoples work."

To be fair, I think it's a safe assumption that people who are trying to "illegally pirate" video games, are not going to draw the line just there. They will also "illegally pirate" the very same software (eg Alcohol) they use for the games.

Translation: People who don't pay for video games, aren't going to pay for the software either.

So you can't say they are making money by condoning piracy, as people pirating will likely not be paying them either.

An interesting discussion none the less. :)

# posted by Anonymous : 10:42 PM, February 06, 2006

This seems like a rather loose definition of the word "rootkit". After all, Neither Alcohol nor Daemon Tools hides its presence from the user, only from a few other pieces of software., and they both provide uninstallers.

I think the real issue here is whether it's ethical for software publishers to try to dictate what software an end user can install alongside their own. I think there would be an entirely different reaction on the part of some posters here if, for example, Microsoft used the same detection techniques to prevent MS Office from running on a machine that also had OpenOffice installed (on the grounds that it "circumvents" the need for Office by reading its file formats).

# posted by packrat : 10:46 PM, February 06, 2006

I read thru all the comments (not an easy task). I want to say that not everyone lives in USA so its kind of pointless bringing out their laws. I use DT in test environment. It has nothign to do with games, i just find that application small, useful and easy to use. I couldnt care less what peeps in USA do or what laws prohibit the use of emulation software, actually i dislike the the country, but thats my opinion. Do/use whatever you like there but consider this - USA is not the only country on earth, so if something is illegal there doesnt mean its illegal everywhere. I hate that "i am your farther and you will do as i say" attitude.
My best to DT team.

happy european

# posted by Anonymous : 1:42 AM, February 07, 2006

It also says in the license agreement..

License conditions
No part of the software or the manual may be multiplied, disseminated or processed in any way without the written consent of Alcohol Soft.

Would that mean you actually broke the law also making this post or is that ok as its freedom of speech?

# posted by Anonymous : 1:47 AM, February 07, 2006

Rootkits like Sony's DRM, Norton's now-removed rootkit, and malware rootkits are used with the intent to hide from users. Alcohol's and Daemon Tool's rootkits are used to hide from other programs, and hide nothing from users.

The problem you have here is that, just like any other tool dating back to the stick, these tools have legitimate uses. You've got people (lots of them) using them for things completely unrelated to making copies of games. And you have games with copy protection that sense whether these specific applications are installed, and will prevent themselves from running if they are.

That is hostile behavior, and punishes legitimate customers. You use Alcohol or Daemon Tools for purely legitimate reasons, and you buy a game for $40 to $60, break the seals, install it on your system, and it not only refuses to run, but it fails to inform you why it won't run! You are typically unable to return the opened game, so you've just been burned for $40 to $60.

When you realize that the sort of customer that uses Alcohol or Daemon Tools legitimately won't have any idea why their legitimately purchased games won't run on their systems, that puts a whole new light on the matter, doesn't it?

# posted by Anonymous : 2:54 AM, February 07, 2006

I wish I had known about these programs in the past! I used to work with severely handicapped kids (both physically and mentally handicapped). While I could teach most of them to use a mouse (and those that couldn't used a special switch interface), none of them could effectively locate a cd, figure out which side was up, and load it into a computer. Sadly, many educational software vendors utilize DRM techniques which require the insertion of a CD. The goal of most Severely Handicapped education programs is to make the children as independent as possible, and the prescence of this kind of DRM assured that these kids would never be able to play a game without an adult coming over to set it up, and to switch games meant having to get an adult to help.

Needless to say, the kids preffered the games that did not require a CD to be inserted.

# posted by Luke The Obscure : 3:06 AM, February 07, 2006

It's interesting to see user reactions to this - when it was the case of Sony and their rootkit, almost everyone cried foul and wanted Sony's head on a pike for insidious rootkit behaviour and violations of the DMCA etc.

Here Mark presents an analysis of DT and Alcohol, and opinion seems to sway more to the 'no, that's fair use'. To me, if we're going to berate rootkits and their use by companies / software developers, then we should view them all in the same way. That is, in this case, either Sony's rootkit was 'fair use' or DT etc. should be tarred with the same brush as Sony were.

But I could be way wrong.

# posted by Anonymous : 3:38 AM, February 07, 2006

Let's get to the definition of "root kit": A "root kit" allows the "attacker" to secretly attain/maintain "root" on a system: "root" meaning privileges he/she shouldn't have. Sony's software was a classic root kit. Sony software secretly got/maintained privileges on a user's system that it should not have had, and which could not be uninstalled. DT and Alcohol ARE NOT ROOTKITS AT ALL. Yes, they hide from Windows, but (1) they do not hide from the USER (They CAN be totally un-installed at will) and (2) they do not have privileges that the user doesn't want them to have, and (3) they are not installed in secret.

They are only Rootkits if you consider WINDOWS to be the owner of my box, and me subject to windows's wishes. I consider MYSELF to be the owner of my box, and MY wishes should be observed at all times. Tricking Windows does not mean that you have "rooted" my box if I asked you to trick windows for me.

# posted by Bob Neumann : 3:44 AM, February 07, 2006

How funny is "Patch Me Up"!? Especially the bearded Steve Wozniak guy!

# posted by Anonymous : 3:55 AM, February 07, 2006

The following observations:

1: Sony - Installed rootkit - and not just rootkit, but sloppy, security-vulnerable programming.

2: DT/A-120% - includes rootkit technology to evade detection from publishers who don't want it on my machine alongside their precious software.

and to pick another example:

3: Starforce - includes system level driver in effect when game isn't even playing.

So someone might well ask what's the difference? Well, 1 and 3 did things I didn't want and in 3's case I wasn't even warned about.

2 also used rootkit technology - to evade detection from 1 and 3.

If the publishers of 1 and 3 would mind their own damn business, and realise that my installing their software on my system should not mean surrendering part of said system, then 2 wouldn't even be necessary.

When publishers get a grasp of the fact that my PC belongs to ME - and that if I want to use DT/A120% to mount backups of my games so the kids don't ruin yet another copy of the Sims2 - and that they won't detect said software and force me to uninstall it, then DT/A120% can go about their business without this hack.

On the box of most software you buy there is a system requirements section. Nowhere on anything I've seen so far does it say "System nonrequirements: warning, if you want to play this, you may have to uninstall some legitimately purchased and valid software".

Publishers should wake up to the fact that our buying their wares (not 'warez') is not some sort of holy privilege, out of gratitude for which we should give up a portion of our systems.

Incidentally, I think LoB's reaction if indeed it was him, was over the top. Try not to take it so personally, and crack on with the fantastic DT releases. :)

And keep at it Mark, good work as always.

# posted by Anonymous : 4:27 AM, February 07, 2006

"There’s no proof that Alcohol and Daemon Tools use rootkits to evade DRM, but the evidence is compelling. If they do their usage is clearly unethical and even potentially runs afoul of the US Digital Millennium Copyright Act (DMCA). In any case, there’s no reason for these products, or any product as I’ve stated previously, to employ rootkit techniques."
Mark, I am no expert and I applaude the expertise that has brought us so many wonderful sysinternals products. Please correct me if I'm wrong, but doesn't rootkitrevealer itself employ rootkit techniques in order to hide itself from the rootkits that it seeks to reveal? In the case of discovering Sony's infamous rootkit, which itself was a form of DRM, then does not rootkitrevealer evade the DRM in this instance by revealing it and spurring or "inducing" its removal ? So if rootkitrevealer uses rootkits to "evade" the Sony DRM, which clearly was a good thing to do, how can you insinuate that "the evidence is compelling" that Daemon Tools and Alcohol 120% are "clearly unethical" and even potentially runs afoul of DMCA...without feeling like a hypocrite? For saying that Mark you belong in the "clearly unethical" category along with Sony and a lot of politicians...IMHO

# posted by booboo : 4:29 AM, February 07, 2006

Clarification: when I say "their usage is celarly unethical" I'm referring not users of the products, but to the utilities themselves being designed to circumvent DRM. I've previously defined rootkits and explained their risks.

# posted by Mark Russinovich : 5:47 AM, February 07, 2006

"Clarification: when I say "their usage is celarly unethical" I'm referring not users of the products, but to the utilities themselves being designed to circumvent DRM. I've previously defined rootkits and explained their risks."

That's nice, but it doesn't address the main point - legally purchased games, with a cd in the drive, not running when Daemon Tools is installed for legal purposes. There is no DRM being circumvented, just overzealous copy protection.

# posted by James : 6:01 AM, February 07, 2006

This post is ridiculous. Mark, the community loves you, but this really isn't the same thing as Sony's rootkit problem was.

There are hundreds of programs (Microsoft and otherwise, including your own) that are rootkits if the litmus test is simply installing hooks in the system call table. Hell, this makes IIS a rootkit for installing its own system call table.

Plus, if you want to get DCMA about it, you just violated it too...

# posted by Anonymous : 6:34 AM, February 07, 2006

1. Please read my definition of rootkits (published two posts ago)

2. Please read the DMCA (link in this post)

# posted by Mark Russinovich : 6:43 AM, February 07, 2006

In my opinion the most important difference between DaemonTools/Alcohol and the Sony Rootkit is that it's removeable by the average user.

DMCA prohibits circumvention of copy protection, yes, but from what I have observed in the last years most of these so called "copy protections" are no real protection against copying. Instead they tend to become more and more annoying and restrictive to the paying customer, who hasn't done anything wrong. The Alpha-DVD protection is a good example for this.

It might not be legal to circumvent such technologies, but as long as someone pays for Movies/Software and doesn't redistribute it, I have no moral objections against DRM circumvention.

I can understand the rights holders motive, but not their actions. It's a difficult subject and I don't know how to solve it. But punishing the paying customer way more than the "pirate" isn't the solution.

# posted by Anonymous : 7:37 AM, February 07, 2006

The matter is : can someone with bad intentions be able to use the DT/Alc rootkit to hide itself, or some part of its code?
Even if it is "only" registry keys, the answer is...yes.

If one use some trick to hide itself or some part of itself, whatever the use of the product or the first intention of the designer, then a bad guy can use this design to hide himself.

I aggree with Mark: whatever the intentions of the rootkit' designer, it put everyone at risk

# posted by Anonymous : 7:58 AM, February 07, 2006

Mark

Are you able to advise whether StarForce is unloaded the moment you run their removal tool, or is it only unloaded post-reboot?

I notice that the drivers that came with TrackMania Nations didn't require me to reboot to enable them, so perhaps they also unload upon request, and the reboot is only necessary to tidy up the files?

Thanks if so

# posted by Anonymous : 8:09 AM, February 07, 2006

Mark, thank you for you work with discovering the Sony Rootkit and thank you Sysinternals for great free utilities.

I am sad to see some of your conclusions in this article, especially "...there’s no reason for these products, or any product as I’ve stated previously, to employ rootkit techniques.".

Many comments here are from honest frustrated users that have spent money purchasing software that deprives them their fair rights of use.

Had you contacted DT or had you discussed this issue with a few consumers you would have realised this.... but then you would not have been able to write this piece of provocative (sensational?) journalism.

# posted by David Kaspar : 8:21 AM, February 07, 2006

Since DT and Alcohol have been mentioned, how about making comments on acudata sheriff software and security gurus eEye.com?

The DoD has an enterprise license to install and use eEye’s flagship Retina product. Any person in the DoD can download and install Retina.

However, Retina uses some Acudata Sheriff (http://www.sheriff-software.com/) module to assumingly protect license information. This assumption was made by the repeated access of Retina to the acudata key when using Regmon.

Running RootkitRealer shows the data mismatch between the API and raw hive data for one of the Acudata keys.

Comments?

# posted by Anonymous : 8:22 AM, February 07, 2006

Anon wrote:
"In my opinion the most important difference between DaemonTools/Alcohol and the Sony Rootkit is that it's removeable by the average user."

The latest Daemon Tools doesn't uninstall the "SPTD driver". This driver is apparently preventing any kernel mode debugger from running and therefor makes a system it is installed on incompatible with some other tools.

Mark, maybe you could investigate this SPTD driver some more?

# posted by Anonymous : 8:49 AM, February 07, 2006

Let's get one thing straight.
It's my OS and my PC. If I want to install a product that alters the way that OS functions that is my perogative.

So long as Alcohol/Daemon Tools disclose what they are doing and allow the user to completely uninstall the software it is completely ethical and acceptable.

The Sony rootkit installed without the user's consent or knowledge, hid its presence on the system, and could not be easily removed. It also kept user's from using their PCs as they saw fit.

Alcohol & Daemon tools do the exact opposite - they liberate the user of the PC. I am the owner of the hardware and software. Yes, I said owner of the software. Money was exchanged and I OWN THAT COPY.

I do not give a flying rat turd about EULAs and other such consumer ripoff horse crap. I will alter, break, mangle and use that copy that I absolutely own any way I see fit. Do I have the right to distribute that software or use the software without paying for a copy? No, of course not.

I realize that some bonehead laws in the US may say otherwise. Oh well, I guess I'm a criminal then, take me away. But your going to need a pretty big jail to hold the tens of millions of citizens who feel the same way as I do (know anybody that actually reads or cares about the EULA? Anybody? One single person?).

DRM wants ownership of all hardware and software to be transferred to copyright holders. That's the only way it will ever work and that is why it is wrong. Computers are a big part of our lives and we have the absolute right to control our property, particularly a device which controls access to our private information.

IANAL and I don't know if Daemon Tools is doing something technically criminal or not. But it is not unethical because it is done with the permission of the owner in order to allow the owner to exercise their property rights. If it is criminal, then the law needs to be changed because any law that criminalizes huge chunks of the population is ultimately unenforceable in any meaningful sense. Instead, it becomes a tool for oppression of liberties e.g. the "war on drugs".

# posted by Anonymous : 9:23 AM, February 07, 2006

Essentially the article ends with the "clarification" that these two software (and most probably various others) are built explicitly to evade DRM and thus illegal.

Regardless of the technology used.

Obviously you'll get "off-topic answers" about people claiming their rigths to "fair use".

# posted by Sebastien Caisse : 9:33 AM, February 07, 2006

Now this is an interesting discussion. I can only imagine what mr. Russinovich thinks now, since the same people who cheered him for finding out about the Sony Rootkit are now throwing rocks at him...

And for what, finding out about a rootkit that another software installs on your computer that has a potential to do you harm ? What has changed, since the XCP -case was very much the same ?

And don't give me any crap about authorisations to install. The sony program did ask you to sign an EULA. This EULA failed to mention the fact that it installs a piece of software that's hidden, but read the DaemonTools EULA, find any reference to rootkits there ? Well, me neither.

This whole ruckus brings to mind the rants of a certain Seth Finkelstein about libertarians. You know of whom I speak, the ones always whining about rights to do whatever you damn well please. Well, here's news for you, the moment you click, "I agree" on an EULA, you've exercised you're right to do whatever you damn well please, and given up all those rights. Your choice people...

Had mr. Russinovich discovered another rootkit from a big bad multinational company, he would've been cheered and celebrated. Now that it's found in a software that people use to break the LAW and steal products, he is criticized for it. I'm sure I'm not the only one seeing the irony in this situation.

And here's the disclaimer: I'm a poor student from Finland, I don't own a single pirated product and I've never downloaded a single song from the internet.

My sympathies to mr. Russinovich, you're doing a good job no matter what some people say.

# posted by Jukkis : 10:14 AM, February 07, 2006

Mark, I understand your clarification but it still brings me back to a previous, unanswered question:

How might DT or Alcohol accomplish the same goal, (preventing their detection by copy protection/DRM software) without the use of "rootkit" methods?

# posted by Robert Aitchison : 10:33 AM, February 07, 2006

Had mr. Russinovich discovered another rootkit from a big bad multinational company, he would've been cheered and celebrated. Now that it's found in a software that people use to break the LAW and steal products, he is criticized for it. I'm sure I'm not the only one seeing the irony in this situation.

As has already been pointed out on numerous occasions in the comments here the major difference is what the products do. The primary purpose of products like Alcohol or DT are too allow consumers to exercise their own legal rights over content that they have paid for where DRM or copy protection software tries to prevent it. Yes it's true that some users (I'd suspect a small minority of the total user base) will also use these same tools for illegal purposes.

That doesn't make them any more responsible for the illegal actions any more than a company like RIDGID should be held respoinsible for what some people do with their bolt cutters.

# posted by Robert Aitchison : 10:49 AM, February 07, 2006

I've read a lot of opinions here. Some qualified, and others not. I wonder. How many of you have contacted your lawmaker, and given them your thoughts?
Either for or against, it doesn't do much to change the situation if you just gripe in a forum which has no impact on local, state, and federal laws.

# posted by Anonymous : 12:10 PM, February 07, 2006

The most important point is that this rootkit-like usage may be a danger if others figure out how to exploit it.

I'm no expert on this but CAN others exploit what these programs do?

If "no," then there is no harm and my use of them to make completely ethical copies of software I purchased legally is okay and should not be criticized. (Well, writers of the immoral "law" called the DMCA will criticize it but screw them!)

If "yes," then we do have a problem and Alcohol Soft and DT should be roundly criticized and, perhaps, sued, for putting my machine at risk - perhaps.

But I don't see the second as the answer. I knew they were doing sneaky things to my computer when I installed this stuff in the first place and I am okay with it because I use it to do something that is Fair Use. No, I don't distribute my copies or sell them or anything. That would truly be illegal. I keep it and use it so my originals don't get messed up as has happened to me and many others in the past. Perfectly reasonable by any normal and proper sense of the term.

# posted by Anonymous : 12:37 PM, February 07, 2006

I've read a lot of opinions here. Some qualified, and others not. I wonder. How many of you have contacted your lawmaker, and given them your thoughts?

This is a good point, speaking only for myself I can tell you that I have written my state & federal representatives on numerous occasions regarding & related to DRM, the DMCA, this includes my opposition to the Broadcast flag, which is another attempt by the copyright cartel to buy tailor made legislation designed to impede fair use.

I've also joined and donated to the Electronic Frontier Foundation which is pretty much the only organization out there standing up for the digital rights of consumers in the United States.

I cannot recommend strongly enough that anyone who doesn't want to just sit back and watch our rights be eroded and destroyed should do the same.

# posted by Robert Aitchison : 1:09 PM, February 07, 2006

Why should any software on my computer care what else I use? Since Windows does not offer a proper way to do it, is there any other way to completely emulate a CD drive without a rootkit? If not, this might be a legitimate reason for rootkit-like behavior. It might be better, if the emulator allowed me to chose only the programs it needs to hide its present from.

And there is a reason for me to circumvent the copy protection of two games I own (in fact, I bought two copies to be able to play with a friend) -- do you have any idea how noisy the build-in CD drive of my notebook is? I do not want to use any CD in there except for installing. If I just forget the CD in the drive, it or the drive might get damaged being carried around. Virtual CDs are handy.

Anyhow, I take Mark's point. Is there any new attack vector because of Daemon Tools? That is an interesting question.

I do not understand why anyone attacks Mark for his point that these programs modify Windows at a point where you do not want it to be modified (in general).

LocutusofBorg totally overreacts. Why should Mark contact them? If they do not want this published, it would be worrying. Of course they circumvent copy-protection. How ethical this is for different uses, anyone may decide for themselves.

# posted by Anonymous : 2:32 PM, February 07, 2006

Let's get one thing straight. It's my OS and my PC. If I want to install a product that alters the way that OS functions that is my perogative.

You forgot one itty bitty thing ... Do Daemon Tools and Alcohol 120% inform the user that a rootkit will be installed? I haven't used the former, but I know that the latter does not.

Better to stick with the phrase "informed prerogative"

# posted by Anonymous : 4:28 PM, February 07, 2006

If *I* install something like alcohol on *my* machine and *I* intended to install it, it is an "Operating System Extension". If somebody else installs it on my machine through subterfuge it's a "rootkit".

This is nonsense. A rootkit by any other name is a rootkit. But in any case, when you install Alcohol 120%, do you know that you are installing a rootkit in the first place?

# posted by Anonymous : 4:40 PM, February 07, 2006

This is nonsense. A rootkit by any other name is a rootkit. But in any case, when you install Alcohol 120%, do you know that you are installing a rootkit in the first place?

I'll tell you this, I was well aware that Alcohol uses techniques to hide it's presence from the copy protection software that sought to impede my exercise of my fair use rights, this is one of the reasons I decided to purchase Alcohol over CloneCD. No there wasn't a big warning that said "Danger (Will Robinson) this software installs a _rootkit_ (oh noes - my megahurtz has been stoled)" but obviously it had to be something outside the normal windows APIs in order to be halfway effective at serving it's purpose.

Had there been a specific working mentioning the term "rootkit", even if it made you type "I agree to the installation of this "rootkit"" I know it wouldn't have stopped me from installing.

# posted by Robert Aitchison : 5:37 PM, February 07, 2006

Personally, I think it unethical for companies to take copyright into their own hands through DRM that often goes far beyond the rights assigned to them by copyright. For example, in the case of games and software Title 17, Chapter 1, Section 117 say it's not an infringement to make a copy of software for archival purposes.

The DRM employed to "protect" their content usually only ends up hurting legit users while doing little to stop actual pirates. The Sony XCP and MediaMax debacal show these companies aren't above installing DRM even when consumer declines.

Deamon Tools is like a crowbar, both have their legal and illegal uses, but to ban them because of potential for illegal uses is nothing short of foolish. Not allowing software to be detected by DRM is hardly a circumvention.

# posted by Anonymous : 5:58 PM, February 07, 2006

Danger (Will Robinson) this software installs a _rootkit_ (oh noes - my megahurtz has been stoled)

Be sarcastic all you want, but kernel hooks--some would argue invariably--introduce performance, security, stability, and compatibility issues.

I, for one, want nothing to do with them.

# posted by Anonymous : 8:49 PM, February 07, 2006

Mark – In your original Sony blog you wrote “While I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying, I don’t think that we’ve found the right balance of fair use and copy protection, yet.”

Have you been able to form a strong opinion on the right balance since then?

Do you feel DRM software that scans the ARP and then decides to disable itself because it doesn’t like the software I’m running as within this balance?

# posted by Anonymous : 10:22 PM, February 07, 2006

"DMCA prohibits circumvention of copy protection, yes, but from what I have observed in the last years most of these so called "copy protections" are no real protection against copying."

Most DVD-ROM (not DVD-video) protections now effectively prevent successful copies due to the limitations of DVD-writers as compared to CD-writers (i.e. DVD writes have no raw writing mode).

The only way to make a working backup of a protected DVD-ROM is by using emulation software like Daemon Tools - and that is explicitly unlawful circumventiom of copy protection methods as defined by the DMCA (and European Union laws). That might be the reason why the authors of Daemon Tools and Alcohol 120% hide in anonymity.

# posted by Anonymous : 3:46 AM, February 08, 2006

An excellent article yet again. Just a shame you had to tarnish Daemon Tool's reputation by implying it's use is comparable to that of Sony's.

Perhaps you should next aim your sights on the Starforce copy protection system. An invasive, buggy protection system that may render hardware inaccessible. Much better to critise poorly written software, something with Alcohol and DT's certainly are not :)

# posted by Anonymous : 8:46 AM, February 08, 2006

BTW you all do know that Alcohol uses DT's virtual cd driver right?

# posted by Anonymous : 8:49 AM, February 08, 2006

The only way to make a working backup of a protected DVD-ROM is by using emulation software like Daemon Tools

For the record, this statement is inaccurate. There are other ways around the protection--namely software that strips CSS protection in real-time (but doesn't do emulation).

# posted by Anonymous : 10:07 AM, February 08, 2006

The legitimate claim for doing this is that it enables fast, cached access to the game., though it is well known that this is also used to make illegal copies of games to share with friends

True, virtual CD software is without doubt used to enable piracy. But as other comments have pointed out, it is also used for protecting the investment of legitimate customers. CDs and DVDs are fragile, especially if handled by children.

I believe that the copyright law in most countries allow for backup copies, so when DRM removes this ability many users feel that products like Daemontools and Alcohol should be legitimate even though they likely violate the DMCA and similar laws like the european EUCD.

I am however a bit saddened by the fact that most comments here seem to defend Daemontools' and Alcohol's use of cloaking/rootkit methods. As Mark explained in his January 15 post, the use of rootkits - for whatever purpose - has serious consequences. If the operating system is modified so that it doesn't report truthfully about the state of the system, it can't be trusted or verified.

# posted by LarsG : 10:46 AM, February 08, 2006

There must be other ways to "fight" overzealous copyright protection schemes. I do not accept rootkits as an appropriate solution, nor do I agree with the restrictions placed on my fair use of software. As a software developer and avid computer user I understand both sides of this issue, but I'd like real solutions not blanket DRM enforcements or rootkit workarounds.

I also have trouble understanding how most software is licensed _only_ for a single machine or a single user. There are legitimate reasons for requiring multiple licenses but in most cases I'm not likely to buy two copies of games/apps so I can install a copy on my box and another on my kids', especially since we're never playing/using them simultaneously! I think this should also be considered under fair use, but to be safe for now I try to purchase/use software without these restricitons.

If software companies really want to enforce their own standards on use they can without the rediculous copy protection schemes we have now. Look at Microsoft and two of the most popular gaming companies Blizzard and Valve. All three companies have started requiring an online activation for at least some of their products as well as requiring compatibility updates to continue using all of the software's capabilities. Alternatively Microsoft offers a phone activation option for Windows if you cannot connect to the internet. All three of these companies have solved a significant portion of their piracy issues and restricted fair use legitimately by making a product for which consumers are willing to accept the restrictions!

I think this is a better answer for copyright owners in most cases. Make your software good/popular enough to justify the added "inconvenience" of authentication. Better still (as the gaming community is discovering) make the purchasing process part of authentication and let ppl copy and distribute the software as much as they like!!

We will never be able to prevent digital piracy completely, but it's ridiculous to infringe on EVERYONE'S rights in order to _maybe_ hamper the few who do pirate. I think Intuit learned this lesson, to some extent, a few years back when it issued TurboTax with CD-R disabling software!

# posted by Anonymous : 1:56 PM, February 08, 2006

EUCD isn't active, in all europeans countries and could be partially rewrite in the differents countries...
So today, daemon tools isn't illegal here...DMCA, is an american law.

Forgive the general "circumvention of copy protection." which is not worldwide...
Ok Rootkit could expose to a security concern. (But probably not so easely than in the sony case, in this case)
A lot of people waiting for yours comments Mark:
- How to do a legal backup of software today with the actual protections?
- What can do a software maker, if an other software maker seek is presence, in order to allow the use or not. Even if nothing bad (or illegal) was done with the first software?

And a last one about dmca, for europeans like me who don't know exactly the details. What about the compliance of a software like "NTFSDOS Professional v4.01" which allow an intruder to access to ntfs partitions? Is'nt it a security concern?

# posted by Anonymous : 5:16 PM, February 08, 2006

WES SAID: "The argument that "it's not the tools, it's how you use them" doesn't really fly here. It's one thing to empower users with software that helps them get fair use out of media they have bought. But if the product contains functionality solely placed there to bypass DRM technology, then what exactly is the point?"

Consider those that bypass technology in order to compensate for hardware that does not comply with copy protection and DRM schemas. Buying new hardware is an option, however with the number of different protective measures currently used and in development, perhaps all hardware will not be compatible with all protective measures. This puts the onus on the end user, generally not technically inclined enough to understand the technology in the first place, to determine if their hardware is compatible. In most instances a game manufacture does not put the exact method of copy protection used and therefore the user has to purchase the software, take it home, install it and see that it won't work and will either be required to update or upgrade hardware to ensure functionality or be out the cost of the game. The use of software to bypass this for personal use is acceptable to me and is not unethical as long as they destroy the images or backup media when getting rid of the game.

What I view as unethical is the use of DRM to restrict the users right to create a backup duplicate of their media. The battle was fought in the 80's over Macrovision, and it was eventually conceded that you could create a duplicate of the media by means of a macro-scrubber provided that the duplicate copy was destroyed when the user no longer had the original media - in short, you could create a backup of your media and keep it as long as you owned the original media. The DMCA, with heads firmly in their buttocks, is undoing this quickly. Either the end-user should be able to create a duplicate of their media or the distribution firm should be held responsible for providing a backup media to the end user, free of charge, should the original media become corrupt.

Piracy has been here since mankind first chiseled out it's first rock carving. It is only because of Mitch "RIAAtard" Bainwell and other advocates that this topic has received a new light. I find it wholly distasteful and, yes, unethical that DRM should be implemented at all without the end user being able to legitimately create a duplicate of their media, whether that is a video game, a music CD, a DVD or a book.

In the US the line of logic goes: "Innocent until proved guilty", correct? DRM and the DMCA's endorsement of DRM reverses that; it assumes the end user is guilty and therefore measures should be enforced to limit the end users ability to break the law. Period. It places all individuals in the criminal pile and makes no concession for the honest. If technology exists to counter this debaucherous behavior, whether it contains rootkit technology or not, should not be the issue - the issue should be to modify the way DRM is used and the DMCA itself. Punish the pirates, hence the guilty, and allow the rest of the world to legitimately use the media they purchased as they see fit.

Luckily, Canadians don't suffer being labeled as criminals on a whole, and I am thankful that I can use this kind of technology to defeat those who would call me such.

# posted by Anonymous : 6:21 PM, February 08, 2006

I find it wholly distasteful and, yes, unethical that DRM should be implemented at all without the end user being able to legitimately create a duplicate of their media, whether that is a video game, a music CD, a DVD or a book.

It should be noted that (IIRC) even the reviled Sony DRM allowed you to create duplicates of the media. Rootkits and unbelievably sloppy coding aside, its failing is that it set a limit on how many copies you could make, and that limit was far too low to be useful. I never play my original CDs unless I absolutely have to, so to me the ability to make as many back-up copies as I deem necessary is essential and one of the reasons I will not buy copy-restricted CDs. In other words, if there's going to be a limit, it needs to be so high that it is functionally useless as a "casual piracy" prevention measure, which is the only reason to have it in the first place.

Well, here's news for you, the moment you click, "I agree" on an EULA, you've exercised you're right to do whatever you damn well please, and given up all those rights. Your choice people...

This is specious reasoning. Consumers as a whole have every right to demand that there are certain strings that simply cannot be attached to the products they buy. Unfortunately, this issue hasn't been examined carefully enough as it applies to EULAs, and right now there's far too heavy a leaning in favor of an industry that seems to be crying that the sky is falling while actively seeking to make their products more and more susceptible to the "better than the original" flaw.

To the subject of the blog post, I can't say I agree that the use of rootkits to circumvent DRM is unethical, seeing as I find DRM itself to be inherently unethical. I believe in the industry's right to protect their copyright, but they already have the measure they need to do so. It's called "copyright law." The notion that so-called casual piracy is responsible for the claimed decline in CD sales is a swiss-cheese argument that I could fill several pages debunking.

However, I certainly agree that the use of rootkit technology to any purpose should be avoided if at all possible, though Mark has already said the reasons why better than I could.

# posted by Anonymous : 8:58 AM, February 09, 2006

Well, here's news for you, the moment you click, "I agree" on an EULA, you've exercised you're right to do whatever you damn well please, and given up all those rights. Your choice people...

Not really. No matter what you agree to in the EULA, they still can't violate your other rights guaranteed by law.

Anyways, I'd have to agree with what Mark stated that rootkits are inherently dangerous. It's forunate that these kits aren't riddled with holes like Sony's rootkit was, but the bottom-line is that they change the way your OS operates. Because of this, it's entirley possible that future programs could be incompatible with your changed system, and you would have no idea why.

I applaud the efforts of DT and Alcohol in aiding consumers to bypass unethical and unlawful DRM, but there must be a way that doesn't involve rootkits. (Preferably by proving many of the mentioned DRM schemes which blacklist prgrams to be illegal :) )

# posted by Anonymous : 12:17 PM, February 09, 2006

I just read the article with a reference from a dvd back-up site and tried to understand what the deal was with the rootkits, DRM, DMCA and lots of other stuff.
Sadly I have neither the time nor the ability to comprehend the whole situation about rootkits trying to sneak up to my system but I do know that I always need a mounting tool like DaemonTools in any PC environment I work and every now and then will also use it to get rid of DRMed software and totally be content with it.
I do not have kids or wobbly hands but I know that a single scratch can make my software useless so I try to make working copy on the harddrive and not touch the CD again. And again trying to find a particular CD among thousands of them in PC Lab or home is annoying and I'd give my freedom of knowing what's running backside in my PC gladly. Then again knowing that it will run before could be a plus too.
Maybe the author of DT will add that the software has to install a rootkit to my PC in the next version and will be doing that in favor of my fair use rights could be the topping on the cake. I fear a good tool like DT might be forced to go offline because it is believed to facilitate software piracy in the end just like a cople of other great programs and I will be forced to download a hacked version of the software out of somewhere cause I have lost another option to back up the software I own.

# posted by kahveisteyen : 2:22 PM, February 09, 2006

Mark, I was with you and thought you were doing fine right up till the end, when you made the ethics statement. You never should have made any judgements on morality, because such a statement requires more analysis even than you did on the technical side of the issue - as is evidenced by the resulting replies. Analysis that you failed to do.

And some people have wondered why the replies have been predominantly about the ethics, and not the rootkit.

Also, the "the USA is not the world" comments are almost entirely worthless. Mark lives in the US. Of course his comments regarding legality will not necessarily apply elsewhere in the world. That's a given.

Going back to the rootkit thing, what I would like to know is, quoth Mark:

"In any case, there’s no reason for these products, or any product as I’ve stated previously, to employ rootkit techniques."

Is there any other way for Alcohol 120% and DaemonTools to do what they currently do now - which is to say, bypass DRM and software that breaks upon detection of the two aforementioned programs? It's not a rhetorical question; I don't know the answer.

If the answer is no, then I think Mark's statement that there is no reason for any program to employ those techniques is demonstrably false.

If the answer is yes, there is a better, safe, less questionable way, then those two companies likely should have used it.

But I don't have enough technical knowledge to judge either way.

For what it's worth, I do not think that the intentional bypassing of DRM is unethical, as I do not think DRM is ethical. But a lot has been said on that from that standpoint already in the comments.

Mark, if you're going to keep that statement in your post, I think you should put some effort into the explanation of why it is unethical, because currently, it's lacking.

# posted by Cymbaline : 12:53 PM, February 10, 2006

For what it's worth, I do not think that the intentional bypassing of DRM is unethical, as I do not think DRM is ethical. But a lot has been said on that from that standpoint already in the comments.

There is nothing unethical about companies like Napster using DRM to enforce a licensing model in which the licensor is virtually guaranteed to outlast the license and offers free replacement if the media goes bad (e.g. month-to-month music rentals). If I go to a store and buy an off-the-shelf product, however, my license is perpetual. Putting DRM on products will (unless the DRM is cracked) make it impossible for people to be assured of receiving the full use of the product to which they are entitled (even if the vendor offers free replacement today, there's no way to guarantee they'll do so 50 years from now). Unless such restrictions are clearly disclosed prior to purchase, imposing them via DRM or other means is unethical.

# posted by supercat : 5:25 PM, February 10, 2006

Rootkits are bad eh! - Well as I'm sure Mark is quite aware, manipulating data and bypassing calls is how Windows works in the first place. Microsoft has written thousands of DLL/OCX/VBX/COM/EXE/SYS etc files that watch other system calls and based upon response perform a task a different way than they would normally.
Aside from Mark's definition of rootkit I don’t see all such coding as evil or unethical, to me these are programming methods and are all over the place in Windows.

What, only Microsoft can write such files? If Company X writes buggy code that makes Windows or other Microsoft software crash then Microsoft having no control of other vendors writes their code to watch Company X's software and prevents the crash (hmmm... just the same as these methods are doing) so you’re saying that Microsoft is unethical too since they didn't tell you that there are rootkits in Windows written by them, or you're just saying that anything Microsoft does in there OS is fine and then anyone else that modifies it is unethical?

If you took 100 programmers and put them all in a room and had them write a routine to handle a specific task (without any templates or other includes) I'm sure that you would have about at least 20+ different ways of performing the task. Well as I see it DT/A are employing such programming methods as required to make their software complete the given task. Because you don’t personally like how it is being performed does not in and of itself make it unethical or poor programming just as I would not claim how Microsoft codes some of their code as unethical. Did someone appoint you as the judge of what is good and what is bad programming methods?

As for the statement about ethics; well that is a very big subject. What some Countries and Individuals deem unethical in one area does not always match what others from another Country/Individual feel. So I would have to assume that is "your opinion" and you don’t speak for the entire World (at least that's my opinion).

I think you’re an intelligent individual and based on laws in the US you have the right to voice your "opinion" but that is all it is, an opinion. I don’t see you as any certified "expert" on the subject of ethics. If you support the DMCA that’s okay but you don’t need to denigrate others for not supporting it. Especially since it does not apply to about 5 ½ billion people around the World.

As for the question asked by some here that you continue to elude or just plain not answer. No, there currently is no other safe, good method for DT/A to write their code to be effective at bypassing these other programs on the Windows platform.

# posted by AdvancedSetup : 5:35 PM, February 10, 2006

I think there is bigger picture here that, if we become to wrapped up in the rootkit issue, may become lost. The software under the microscope in this article was written by people who live in countries with their own laws, outside the United States. Therefore, the measures they have taken to protect their legal right to fair use, while extreme, are necessary if the DRM and copy protection software becomes onerous in their application of limitations. Attempts to disable legitimate software before enabling the user to play a game must be legally questionable, especially when no reference is ever made on the outside packaging to such measures. As other posters have said, there is a very limited return option once the CD is in your CD-ROM!

I am firmly of the opinion that the only mistake made here is the lack of an advisory notice that this software uses this kind of cloaking. Once that is addressed, I believe there is no tangible argument that there is anything on par with the Sony issue.

# posted by Anonymous : 8:54 PM, February 10, 2006

Daemon clearly states on install that it's installing an SPTD that conflicts with kernel debugging and may cause instability, though I don't think it mentions "rootkit" at all. If you need to uninstall it the package is on their site:

http://www.daemon-tools.cc/dtcc/download.php?mode=Download&id=87

by calling "sptdinst_x86.exe remove". Hopefully future versions will correct the "bug" that it isn't uninstalled by default.

It concerns me that the arms race in emulators vs drm is entering the rootkit stage. If both are willing to do this, what's next? Hooking dozens or hundreds of APIs? Overwriting critical OS files with patched versions? How far will each side go to defeat the other?

# posted by Anonymous : 2:33 AM, February 11, 2006

Just a note for those who ramble on about circumventing digital restriction management being unethical:

Companies who try to enforce three years of prison for the crime of playing a dvd on linux or for reparing a CD that is protected against access to the contents, companies who try to enforce a surveillence system for ISPs and internet users similar to what George Orwell imagined, who force a debate about it to take place a few days before christmas, with like 60 out of 533 deputies present, have proven undoubtedly and incontestably that they do not want moral/ethics to be taken into account when discussing what could be done against them.

It's a pity that my recording of that debate has only worked for the first few hours due to a horrible mistake on my side (accidently disabled wave-out input for capturing and didn't notice it), but I can assure you, if you have only followed news or reports about it, and have not seen the debate itself p.e. via live-stream (yes, france is that modern), then you can hardly be aware of what has been going on there. I think it was the first political discussion I have ever really followed, but I'm glad I did, even until around 12:30am on Dec 21, 22 and 23.

Not only do those companies try to influence legislation in an egregious way, they also continue to ramble on about damages due to piracy (a famous case was when a french guy downloaded stuff he couldn't have bought in france, and yet the french movie industry claimed there had been damages for them), but yet punish anyone buying stuff with a one-minute-trailer about piracy on DVDs that you cannot skip, with rootkits on CDs that intentionally prevent you from repairing your system in safe mode (Sony), with means of which the only purpose is to reduce playback quality on any kind of players (EMI with CDS200).

The german copyright has even intentionally been written in a way that allows any interpretation because "it is illegal to circumvent _effective_ means of access control...". At the moment, only heise.de is daring to take on them, no one else seems to feel financially capable of doing so. Basicly, the music and movie industry continues to send out "Abmahnungen", with imaginery damage allegations, with the fee for receiving this warning typically being 5% of those imaginary damage claims, to be payed by the attacked (unless being financially capable to start a lawsuit against that 'warning'). Typical imaginary damage claims are 100.000€ and 250.000€ for example for a link to allofmp3 or slysoft.

Unethical or not, I don't care anymore. Those companies have gone way too far, and I really hope the french project of a download 'flatrate' passes, just to see the CEOs of those companies getting a face like Boooo in DBZ. I would never have imagined that one day you would need to know french to see what is really going on.

# posted by Alexander Noé : 9:19 AM, February 11, 2006

"Fair Use" does not exist as a legal concept or court determined precedent outside of the US so trying to separate the DMCA from "Fair Use" and vice versa isn't a sustainable position. You end up using terms that have no basis in fact.

# posted by Anonymous : 10:59 AM, February 11, 2006

Oh, but it does... it's just not worded like that in terms ;)
Anyway, all this ethics stuff aside (i totally agree with Mr.Noé above) i'm missing a thorough discussion on the assumed security risks of this registry key cloaking (which IMHO should be the prime topic here - interesting that it isn't ;) How could malware exploit the (i guess quite specific) cloaking of f.e. the SPTD driver's cfg key? I'm no expert on stuff like that, but i just fail to see a suitable possibility to exploit that assuming (for a reason) that the software doing this is in no way written badly enough to leave gaping holes like f.e. XCP does. It's just not comparable IMHO.
And one should not just say 'Rootkits are bad - period' ... i do NOT run around yelling 'Kernel-mode DRM drivers are bad - period' even though their total frag-up-dis-system count, compared with rootkits, with me thats something like 4:0 by now...

# posted by Anonymous : 7:13 AM, February 12, 2006

"LocutusofBorg totally overreacts. Why should Mark contact them?"

Probably besause he knows since months, that symantec has a rootkit as he said:

"I learned of the cloaking several months again when users of our RootkitRevealer rootkit detection tool sent us log files asking whether their was evidence of malware (others have posted logs in the Sysinternals forums). A little research showed that it was generally known that SystemWorks creates NPROTECT directories that show up as “false-positives” in RootkitRevealer scans."

But doesn't say something about this before

"I contacted Symantec and they quickly agreed to remove the cloaking altogether."

Despite this rootkit could be use as easely as the sony one. Mark doesn't care to much about our security in this case...
(Are you ready to publish that Mark? Not sure...). Could you explain us why a function to hide one specific key which could not be easely use by somebody else is called a "Rootkit" (you know you will hurt them) and that for symantec, this is "rootkit-like" and you doesn't publish about that before it is ok for symantec. (Another point of the concern, is that you give a tool that allow malicious people to find this norton rootkit, and that could have allow this people to exploit this hide folders)
Then you're Expert, do you really believe that a guy good enough too exploit the DT or alcohol so-called rootkit hasn't enough knowledge to write his own rootkit independent of any other software?

# posted by Anonymous : 3:04 PM, February 12, 2006

AdvancedSetup said>>>

Rootkits are bad eh! - Well as I'm sure Mark is quite aware, manipulating data and bypassing calls is how Windows works in the first place. Microsoft has written thousands of DLL/OCX/VBX/COM/EXE/SYS etc files that watch other system calls and based upon response perform a task a different way than they would normally.
Aside from Mark's definition of rootkit I don’t see all such coding as evil or unethical, to me these are programming methods and are all over the place in Windows.

I think your are mixing up things. What these rootkits/DT use are a special undocumented kernel patch. No Microsoft program, I know, uses this.
Even microsoft encourge everyone not to use these types off patches.
In this document they say that everyone should avoid kernel patches, and contact mircosoft if they can't find any other way to solve their problem. Microsoft - Kernel patching
Also these types of kernel patched/hooks can only be performed in a kernel driver eg. *.sys files.

# posted by Bitcoach : 2:41 AM, February 13, 2006

# posted by Bitcoach : 2:42 AM, February 13, 2006

I think any system hook is a bad practice, making system less secure, stable and compatible. Any software using those should warn user before installation of system being modified. (including Sony, DT and StarForce) No exception in this case.

Reverse engineering SW to reveal such hidden (!) system modify is IMHO fair-use, because you have a right to know what (type) software you are running. Actually to do R.E. just to make sure the before-install information is correct should be a legal right for any user. Misusing results of such R.E. is different issue.

I think any user of software, which does agree with EULA has to follow that agreement unless it is ruled out in court as invalid.
This means you are not entitled to play back-up copy of your games even if you really bough them.
There's no easy legal way around it, the "fair-use" may and may not work in court. (destroyed CD = why don't you ask vendor for replacement instead of circumventing protection?, etc...)

I can hear now "so what should we do?".
The answer is really easy. Do not *USE* such software.
I mean USE, not only BUY. By using software you are telling it's worth of it, and thus you are confirming the vendor's idea, that they are doing a good job. Even if you are using pirated copy to not support his wallet, you are still supporting him.

That's the point where this issue began, if people would not buy/use sw with weird EULA statement, vendors would have to take a step back to provide better conditions for user to have a succesfull product.

Circumventing DRM and copy protection, even under "fair-use" feeling, is just a short-term solution, keeping the root of the problem alive.

Make sure you use only software which is worth of it (either has no DRM, or is worth of obeying DRM).
Make sure you let vendors of not-worth SW know, why you don't want to use their current version of product.
Inform other people, what they agreed to, and why you think it's not worth to use some "popular" SW in current state.

Are there too few people minding DRM and copy protections, so their refusal will not harm vendors?
So, bad luck.. learn to live without such SW ... or learn to be a pirate.
But do not present things like by-passing copy protection scheme as a "solution". It's not. It's just making the agony of this whole DRM, SW patent, (C), etc.. stuff longer. And putting yourself into jeopardy of breaking some law/agreement.

# posted by Ped : 8:03 AM, February 13, 2006

If bypassing DRM is ethical or even legal (I think it is ethical and should be legal) is really beside the point here.

The point is that rootkit (or rootkit-like, if you like that one better) technology ALWAYS poses security and stability risks.

On the other hand, think about the aforementioned blacklists incorporated by DRM-Software. Those are sadly a fact of life.

Now, think about a user trying to get some copy-protected software (B) to run on a computer with some CD-Imaging software (A) already installed. What are his options ?
1. Uninstall A to run B (reinstalling it as needed and hoping the uninstaller doesn't leave traces of A)
2. Forego using B
3. Complain to the vendors of A and B.
4. Use some imaging software that isn't detected by B.

Now take a wild guess what this customer and the developers of such a blacklisted tool will do ;-).

In fact, my persional opinion is that the real problem is (again) the DRM-Software telling me which software I may or may not use on a computer. THIS should be outlawed.

The second major problem is the DMCA and similar laws in other countries: I completely agree that copying intellectual property of others without permission should be illegal. But guess what - The copyright already does that! Additionally outlawing tools that can help circumventing copy-protection is a bit undifferentiated (at least), since it doesn't even take into account legitimate ways to use that software. If I were a US citizen and had the money, I'd really like to sue all producers of forensic and data-recovery software for violation of the DMCA and wait how long the former lobbyists will take to have it changed :-P.

# posted by Dirk Hoffmann : 8:38 AM, February 13, 2006

Some of you might find this Wired News article interesting. Mark gets mentioned here as well.

The article is "The Rootkit of All Evil" at:
http://www.wired.com/wired/archive/14.02/posts.html?pg=5

# posted by webdonkey : 9:46 AM, February 13, 2006

A bit long but worth reading:

http://itpolicy.princeton.edu/pub/sonydrm-ext.pdf

# posted by Anonymous : 10:15 AM, February 14, 2006

Mark you said [2/7/06: Clarification: when I say "their usage is celarly unethical" I'm not referring to users of the products, but to the utilities themselves being designed to circumvent DRM. I've previously defined rootkits and explained their risks.]

I wish, as others have expressed, for you to give more explanation to your clarification.

You appear to expressly exclude commenting on whether or not you view users attempts at circumventing DRM as being or not being ethical, which has been a main theme of many comments, and limit what you see as being 'celarly unethical' (sic) to the purposeful development of tools by software developers to circumvent DRM, irrespective of the means that they might use to achieve that end, rootkit or not, hence you label Daemon Tools' anti-DRM tactics as being unethical.

Putting rootkit usage and their security risks aside for the moment, do you think building software tools that defeat DRM is always unethical? Where are the limits or boundries that make Daemon Tools enter into the clearly unethical category? Do you think their use of anti-DRM was clearly unethical because they tried to prevent certain DRMed software from detecting Daemon Tools' existance? Or was it because you believe they tried to build a tool that would enable copying to work against the wishes of the DRMed software owners? Or was it because you feel they built a tool that used anti-DRM techniques that might create security weaknesses on the host system? Or was it because you feel that built a tool that was designed to further the aims of software pirates? As you can see, you clarification, as far as I am concerned is far from clear ... and you will have to excuse my muddled comprehension if you think I just have not been reading your comment carefully enough, as I must confess that after some consideration I definately do not have a clear idea of what you meant by 'celarly unethical' (sic). Could you please give us some more clear explanations?

Thank you in advance if you find time to respond.

Doublezz doublezz@ kalogrea.edu.gr

# posted by Doublezz : 3:09 PM, February 14, 2006

Circumventing DRM is unethical. Period.

It's like this.. there are people who provide their content with DRM. Maybe it's against fair-use, maybe it's against law, but they DO IT.

If YOU *USE* their product, you are either accepting the DRM, or circumventing it, thus you are breaking their way of viewing rights.

Why do you expect THEM to not break YOUR RIGHTS, if you break theirs?! (The fact who's REALLY breaking rights is not important in this case, it's about showing respect and about demanding a respect. By circumventing the DRM you are just showing you are not worth of respecting YOUR rights, at least that's how THEY will FEEL, and ACT!)

The only proper solution is to *IGNORE* such products. Do not buy devices supporting DRM, do not watch new movies if they are released at format which is not suiting your taste. Do not watch the pirated copy, that will render you vulnerable. Both in court with DMCA on your neck, and in marketing campaings by recognizing the product and knowing it, which is BAD BAD BAD and supports their reasoning.

I'm not against daemon tools, that's a great piece of software with lot of legal use. But do not use it to circumvent protections.

Simply ignore those products using protection schemes beyond your "fair-use" feel, and use the spared free time for things which are feeling good to you.

All of YOU circumventing protections under "fair-use" feel are just fooling yourself, and you are allowing those things to spread into the world.

With this mistake you will allow them to spread the next version of DRM, than another one, and in the end they will use method strong enough to be not broken by ordinary people within months/years.
That's the point where you will be unable to watch pirated movies/games and you will start to wonder where your "fair-use" rights went, but that will be TOO LATE. Your so called "fair-use" right will be weeping in your anus at that point, too deep to be brought back into life.

You have been warned.

# posted by Ped : 4:15 AM, February 15, 2006

I will not pretend that I have never pirated a game, or that I have never used Daemon tools to pirate a game.

Every game I have pirated but actually played - I have purchased. Sometimes multiple copies - usually because I lose or damage my CDs...
(as an additional counterpoint - outside of MMOs I have not yet purchased a single game I couln't not first crack to work without its DRM).

Actually I game at work (its flexible where I work that way. networked games are viewed - outside of work hours - as teambuilding).

I therefore use tools like daemon tools to ensure that I can run my games from my PCs... while my orignal CDs stay safe at home.

What irks me are both the destabilizing and security effects of the DRM and anti-DRM tools I am forced to install.

# posted by Chris : 6:53 AM, February 15, 2006

If Alcohol and/or Daemon Tools are unethical, then how about the bitchy StarForce, which increase the instability of the OS by quite amount?

# posted by Anonymous : 12:03 PM, February 15, 2006

Ethical for user: User knows the functionality it is installing
Unethical for users: User do not know what is installed on their machines

Ethical for DRM vendors: protect their interests
Unethical for DRM vendors: try to circumvent their scheme

There is a clear conflict of interest there. And the ethical point is very relative.

I think Mark mentionned it is unethical regarding the DRM vendors.

However for a user I do not see any ethical problem. The users know the functionality they are installing.

Mark could you specify the context and point of view for your "ethical" qualificative?

# posted by Anonymous : 6:35 AM, February 16, 2006

To: Bitcoach

Well the link you provided has little bearing on Microsoft's history where they have indeed patched the Kernel many ways both documented and undocumented over the years.

Because they now take a new stance with 64Bit and the upcoming Vista (which hopefully will make all of this RootKit stuff mute) does not change their history of so doing.

# posted by AdvancedSetup : 12:37 PM, February 16, 2006

@Ped : 4:15 AM, February 15, 2006
You seem to have a very nonstandard idea of what "rights" are. The fact that a person or company has a particular (possibly self-serving) view of what their rights are has no bearing on what rights they actually have under the law. In this case, the right of Fair Use is part of the law (in the United States, anyway). It has been upheld and confirmed by numerous court decisions, and is not subject to arbitrary re-interpretation by corporate or personal interests. That's what makes it a right, and not a privilege. The use of DRM to suppress the exercise of fair use rights is clearly a violation of those rights. To your credit, you did acknowledge that in your last post. However, you then go on to argue that, notwithstanding this violation, it is unethical for a consumer to stand up for and enforce their right of fair use, because such action breaks the company's way of viewing their rights. The problem I have with your argument is this: it is irrelevant how a company (or anyone else) views their rights. Showing respect and demanding respect, as you put it, have no bearing here. What matters is how the law defines those rights. No amount of "viewing" allows a company to enforce their will on a consumer in a manner inconsistent with the law, and it is never unethical to stand up for your rights under the law.

# posted by packrat : 10:02 PM, February 16, 2006

Anyone pirating software renounce their right to comment on its function or anything it does to other software. However when buying software you expect to be able to use it. Sometimes this means you have to modify your system to fit specific requirements that the manufacturer states. This may or may not include a specific version of Microsoft Windows or DirectX, a supported graphics card or almost anything else. What this list of things do not include, I deem not neccesary for the use of the product. If the list includes the removal of Daemon Tools and Alcohol from the system then its not their problem when you cannot use their software for this reason. What the EULA states on the matter is not important since its not its purpose. If it is not made apparent when the purchase is made then they have not sold what they advertise.

You would think that a software company is obligated to sell what they advertise. I expect any and all hidden requirements to be eliminated or supplied by the manufacturer. Otherwise mine and every other copy of that software should be returned and refunded. What amaze me is that another company is left to correct what the first fail to produce and if this is made by the same rogue coding is not an ethical problem unless there is a known better way.

The enemy of this "war" is not the pirates, its the buyers. No righteous man would turn pirate in a righteous world.

# posted by Anonymous : 8:54 AM, February 17, 2006

A few years ago, I tried a product called CloneCD. It probably was some kind of disc duplication tool judging by the name, but the point is that I uninstalled it and forgot all about it.

Until I bought Battlefield 2. The game refused to run at first. Thanks to regmon, it dawned on me that it was checking for the presence of various registry keys. Although CloneCD had removed itself from HKLM, its settings remained under HKCU. Conclusion: I was obviously running with a virtual CD/DVD drive and the game refused to launch.

Oh, great joy. The user either runs regmon, or is faced with a complete reinstallation of Windows (unless the user happens to think of creating a new user account). All because he wants to run a legally purchased game.

I fully understand why products like Daemon tools are cloaked. They are left with no choice.

One of the bastard DRMs even caused Windows to fail loading half my device drivers. (thanks MacroVision)

BTW: Why are games all that different from "normal" software? Why doesn't MS Office, Adobe PhotoShop or other expensive software packages require that I keep a physical CD around for the purpose of loading their products? Why do I have to keep a stack of game CDs next to my computer in case my trigger finger itches?

# posted by Rune : 3:03 PM, February 17, 2006

@packrat:

very short quote:
"However, you then go on to argue that, notwithstanding this violation, it is unethical for a consumer to stand up for and enforce their right of fair use"

Certainly a valid argument.
Just to clear my point of view:
I think the consumer should NOT enforce his right by circumventing DRM.

He should instead return the product to vendor and take back refund, or go up to court to force vendor to circumvent the DRM for him!

The DIY solution looks like a bad way to me. Altough it does work right now, and it allows you to use the product within "fair-use" right, it's still supporting those obscene protection schemes, and it will allow those vendors to use even more aggresive approarch in future.

I know it's difficult to resist, or to go the great length of court trial just to get the same result as simple Daemon Tools installation to circumvent the DRM / copy protection, but in the end you are hurting yourself, and it will cost you even more later, to finally fight for your right appropriately.

# posted by Ped : 5:42 AM, February 20, 2006

I use DT as recommended by the MSDN Universal download site to mount CD/DVDs. I code for a living and and DT is a great "Free" tool. If there is a rootkit installed then a disclaimer would be nice.

Copy protection requiring the CD in the tray are outdated anyway. Doesn't matter if you have a bogus mounted image or a bogus burned CD. Pirates will find the loophole. The Valve/Steam model is the only way round it.

CodeMonkey666

# posted by Anonymous : 2:41 PM, February 20, 2006

@Ped:

Okay, I see your point, and in an ideal world your approach might work. Unfortunately, we don't live in an ideal world. We live in a world where appeasing software vendors who employ DRM (by not bypassing it) will only encourage them to use more, and more restrictive, DRM systems. Not bypassing the DRM will only make them think that it is an effective way of controlling consumers, and they will expand their usage of it.

If every consumer affected by DRM could afford the cost of a court case, then that might be an effective way to fight back. As things stand, filing a lawsuit is prohibitively expensive for most people. The only way left to stand up for our rights is to bypass the DRM and publicize the methods for doing so.

You also mentioned returning software for a refund after finding it unusable. It would be nice if this were possible. Where I live, however, it is impossible to return software that has been opened. Vendors simply won't accept the return once the shrink-wrap has been broken. Maybe things are different where you are. If so, you're lucky. :)

# posted by packrat : 11:17 AM, February 23, 2006

My computer is not the place where DRM and anti-DRM rootkits have to fights her battle - only to contaminate and damage my system more after every round.

CD/DVD images made for use with Daemon Tools or other CD/DVD emulation software is a total waste of harddisk space. Every one i known use instead no CD/DVD patches, even the legal owner.

And a question to all user with little kids. Have you made a backup of your Hardware. No?
Don't you know kids can destroy CD/DVDs. Why you are sure they don't destroy your Keyboard, Mouse or 500 Dollar Flatscreen Monitor?

If you do not like DRM-Stuff don't buy it.

# posted by Anonymous : 6:39 AM, February 24, 2006

A very interesting article and discussion indeed and one which raises several points:

Definition of a rootkit
Rootkits originated in the Unix world where their purpose was to gain root access - stealth features were added to make removal difficult and allow an attacker to maintain such access.

Mark Russinovich has extended this definition to cover any program that makes changes to the OS to conceal itself. This certainly makes for simplicity and such concealment (as used by Sony's DRM) should be condemned since it does involve deception of users.

However in the case of Daemon Tools/Alcohol 120, the programs are still visible to and removeable by users - their rootkit feature is solely to conceal themselves from other software. This may be a subtle difference, but one that should be recognised.

Legitimacy of Daemon Tools/Alcohol's technique
As others have reported, an increasing amount of software (games especially) attempt to disable CD-emulators (along with CD-burning software). As such, the "rootkit" methods used are more a form of self-defence. Having programs waging such a digital turf war can have negative results, so this certainly is worthy of investigation - but the blame should be placed first and foremost on those software publishers who feel it their right to attempt disabling other programs.

However the authors of Daemon Tools/Alcohol 120 should consider making this feature an option which users can choose to enable. Not everyone will need it, so giving users the ability to "opt out" would allow them to claim the moral high ground more convincingly (as well as passing any legal obligations or consequences onto the user).

Legality under the DMCA
Several statements above highlight a possible breach of the DMCA by Daemon Tools/Alcohol 120. It should be borne in mind that the DMCA covers copy-protection systems - the CD-checking software used (SafeDisc, StarForce, etc) does include measures to frustrate copying, but the CD-check itself is not a copy protection mechanism. Whether a judge would consider that a valid defence however is an open point.

Circumvention of CD-Checks
Some posters have challenged those who seek to bypass CD-checks, labelling them as "pirates". It should be noted that CD-checks pose many problems to legitimate purchasers including making games more onerous to play (especially for laptop users with ring-mounted CD/DVD drives who wish to use their software away from home), an increased risk to the original media (CDs are easy to scratch and a barely-visible scratch can still render several sectors unreadable), artificial limitations on OS compatibility (StarForce-protected games require a special patch to work on 64-bit Windows while Linux users may find such checks preventing the use of Wine or Cedega) and conflicts with other software or hardware (security software may flag some actions by CD-checks as possible malware activity while StarForce has been accused of degrading performance with several CD/DVD-writers). As such, there are valid reasons to bypass CD-checks though purchasers should strongly consider boycotting software that is overly stringent - but do tell the publishers why also!

# posted by Paranoid2000 : 4:36 PM, February 26, 2006

This is how I found Daemon Tools and why I used it. I bought Command and Conquer Collection at Walmart for my 7 year old son. It came with a demo of Command and Conquer Generals. My son liked the Generals demo more then the other games in the collection and I promised him I would buy the game for him. When I when to Walmart again they did not have Generals, they only had Command and Conquer the 1st Decade which included all the games in the Collection version and General (not the demo) on DVD. I bought it forgetting the my son's hand me down computer only had a CD player, not a DVD player. My son is not allowed to play on my business computer. Anyways I located tools to make and image of the DVD, transfered to son's computer and used Daemon Tools to mount the image. Unfortunately that did not work. The game detects Daemon Tools and refuses to run. I quick search on the Internet provided another tool which temporarily removes Daemon Tools registry values so the game cannot detect it. Problem solved. Son happy I am happy and EA got more money since now I have 2 copy of every game exect Generals. Unethical? Maybe, but I did pay for everything. This is the one and only time I ever need or used Daemon Tools. Unlike Sony, I knew what I was installing.

# posted by Anonymous : 8:42 AM, March 14, 2006

Mark,
I'd like to ask you, what you mean about some strange situation with Starforce protected game (Winter challenge):
1. I launch IRP tracker (OSR-online tools) for devices /Device/Tcp, Device/Ip, Device/NetBT
2. When game with Starforce protection began disk checking, I found many IRP from ame image to that devices (more exactly, /Device/Tcp, /Device/Ip, /Device/NetBT_Tcp_Ip_xx)
3. All IRPs has image name: WinterApp.exe (this is game application name)
4. I mean, what Starforce drivers could make any activity in my system, involves network activity from kernel mode without any control from my side?
5. I mean, any malicious software could use that drivers for any reason, include hacking or backdooring on my system?
6. Protection Technologies (StarForce authors) place on their website information, what you, Mark, checked Starforce environment and found it "rootkit-free" - but I mean, you could'nt check it at "runtime".
7. More over, my system has a ntoskrnl.exe errors at disk checking time (I mean, SwapContext function hooking) - I checked it by memory dump obtaining at disk checking time and then "!chkimg !nt -d" command launching with WinDbg and complete memory dump (obtained at disk checking time by CtrlScrLockScrLock technique)

Anyway, thank you for your state-of-art working!
Eugene

# posted by Anonymous : 5:30 AM, March 15, 2006

Regmon is targeted by shareware/demo programs such as Guitar Pro - www.guitar-pro.com and the process is killed if found running (the window titles are checked). I've only seen this technique with viruses, and i do not think it's the right way to do it.
I've written about this at http://guitardaily.blogspot.com
If this will become "just another feature" of demo install kits, what next? sending the user data to their servers after the demo expired?

# posted by Serg : 11:30 AM, March 20, 2006

Just pay for the software / movie / gizmo. If you are unwilling to pay then there is no point in having a discussion on ethics. If you have a legitimate reason for using software that can only function by blocking out other software, then I see no reason why your conscience shouldn't prevail.

# posted by Anonymous : 9:08 AM, March 21, 2006

According to CDFreaks, the StarForce system forces a reboot w/out prompting when it detects something that it deems "innapropriate".

http://www.cdfreaks.com/news/13212

Pretty nasty...

# posted by Eric D. Burdo : 1:40 PM, March 21, 2006

@eric d. burdo,

Better said, according to a user of Futuremark forums. And I read so much things from this "kind" of users.

CDFreaks is only reporting these news.

# posted by Anonymous : 10:50 PM, March 21, 2006

Better said, acording to a Futuremark forums user. I have read too much assertions like this from this "kind" of people.

CDFreaks was only reporting these news.

So I'd really appreciate a comment from Starforce team refuting this statement.

Thanks.

# posted by Memento : 10:57 PM, March 21, 2006

Screw DRM and its developers. Although I don't pirate software, I feel like downloading current hits (games), making copies of them and giving them out to my friends, lest they BUY them. I would do that only out of spite. How the F@ck do they think they are? Today they crash your computer without giving you a chance to save your work. What's next, steal our CC numbers and charge us for having DT or A100% installed?

# posted by Anonymous : 7:37 PM, March 22, 2006

I think its pretty clear from the posts of the more technically proficient users that Mr. Russinovich is simply redefinig the term "root kit" in order to smear Daemon Tools and Alcohol with the same opprobrium that Sony justly earned by their use of an actual rootkit (to answer one user's question, Alcohol is a German company; not all software developers are American, just the overwhelming majority).

I don't pretend to know what Mr. Russinovich's motives are in doing this but I find it interesting that a company in the pocket of StarForce is citing his article to defend StarForce's malware (http://www.onlinesecurity-on.com/protect.phtml?c=55)

I have Alcohol 52% installed and I use it to play all my games on virtual drives. The games move a good deal faster and there are no pauses while data has to be pulled off the disk (tho' to be fair, some games, like Quake4 only require the disc to be in the drive; the entire game is installed onto the hdd. After much frustration I was finally able to mount Q4 in Alcohol by using Blindwrite to make ISO image; anyone else having trouble I recommend using vso-soft's excellent product).

The guy that said: [quote]I also can't believe people are attempting to justify this as "ethical" because their kids might destroy the CDs. I'd say the solution to that one is to teach your damn kids to not destroy your stuff, not to encourage or fund the development of programs designed explicitly to enable software piracy![/quote] obviously does NOT have children. I HAVE to make back up copies of my kids DVDs and games or they wouldn't last five days. And why should I have to continually by more and more copies. If you ever have kids you'll quickly learn that they do NOT think the way we do. Their mind work in different ways. They really can't comprehend the value of small 120mm plastic discs.

Regarding DRM and FairUse, the American Federal courts have been trying their damndest to avoid reconciling the DMCA with Fair Use. They don't want to touch it and their avoidance is, imo, a passive signal to Congress to clean up the mess before SCOTUS has to step in and fix the matter with a sledgehammer instead of the nuances capable with the legislative process.

While the DMCA does only apply within US borders, many EU countries are passing laws that are even [i]more[/i] draconian than the DMCA. The French legislature recently did so, though the bill turned out not to be as bad as its first readings had lead many to fear.

The EU itself is contemplating legsilation that would make the DMCA look benign. Citizens of EU countries stand up this monstrous supergovernment and shut this down.

As for piracy, its idiotic to suppose that Daemon or Alcohol contributes to it (or Blindwrite or CloneCD, et al).

blaming them for the occasional case where someone makes a copy and passed it along to his buddy is like blaming a firearms manufacturer for murder or the automobile industry for drunken driving.

Whatever the technology, there's always some schnook who's going to mis-use it.

Finally, I followed the Mr. Russinovich's screenshots and looked in my registry. Even though I have Alcohol 52% installed (and the ONLY difference between 52% and 120% is that the latter has optical burning capabilities) I could FIND NOT A SINGLE THING HE ALLEDGES TO HAVE FOUND. It simply is NOT there. If I could I would post my own screenshots to demonstrate.

The fact is: DRM is a joke. It doesn't work. It treats law-abiding citizens as criminals. If we're going to try and "prevent" piracy this way, then lets hook a breathalyzer to every automobile so that you have to take Blood Alcohol Level test before your car will start.

DRM fans if you think things through logically you'll see how farcical and insulting DRM really is.

There's also the fact that EVERY DRM system has been broken, usually within days of its general release, if not [i]before[/i] it hits the market.

There are far too many unlayable fifteen year old geeks with nothing to do in their spare time than to crack Rights Destruction Technology.

Power to them! The faster and sooner every Rights Destruction scheme is cracked, the sooner DRM will disappear.

But let's face it. DRM has nothing to do with "copy protection" its really the first step in implementing a system to charge us for every time we play a game or watch a DVD or watch a TV show taped , Tivo's or burned to DVD.

We all know where this is going. Professional pirates aren't slowed down for a minute by "DRM"--any more than dope smugglers are slowed down by Customs and the DEA.

# posted by Anonymous : 2:23 PM, March 31, 2006

i believe its a non-issue

alcohol and d-tools both are installed by the user, have a visible systray icon, and do nothing other than their stated functions

drm on the other hand, installs without user consent or knowledge (eula's are not contracts, there is no consideration since you pay for the product and agree to the contract before you are allowed to see it)

here's my objective list of unethical behaviors a program can have:

installs drivers, especially at high privilege levels

does not have an uninstall entry in add/remove

uses rootkits or other cloaking techniques

installs without user knowledge or approval

runs without user knowledge or approval

interferes with functioning of computer

of course my meaning of user approval is the user explicitly approved of it, not something buried in a eula that says "we may install additional software"

my meaning of knowledge is the user knows it is there, what it does, and how it works (ie starforce isnt user knowledge, since it's only indication of operation is a popup on game execution, but it runs all the time)

# posted by Anonymous : 4:06 PM, April 02, 2006

I say "If you can't join'em, beat'em!"

I say REVOLUTION! I wonder if I'll get Sued or worse, imprisoned for life under the DCMA if I have copyrighted materials tatooed on my back, lol.

# posted by 4thepeoplebythegov : 4:28 PM, April 03, 2006

Mark's work is appreciated and he as a person will be held high by many but at the end of the day he is still human and all human make mistakes (in regard to revealing internals of other people's software without their prior consent and other ethical issues raised).

It's hard to synthetize all the reader comments but some of them contain valuable information and clarifications.

I fully agree that if we bash Sony and the likes for their rootkits then we should bash DT and Alcohol as well but there is a chicken and the egg issue here that many seem to miss.

If Sony and the others hadn't used rootkits then I'm pretty sure Alcohol and DT wouldn't have needed to either.

We should start bashing DT and Alcohol for using rootkits when legal copies of such protected material can be made without using rootkits (not necessarily when such material stops using rootkits itself - that's silly); in other words, when there is indeed no reason to employ rootkit techniques - which in this case no one has yet proved nor provided a no-rootkit alternative.

If employing rootkits is the only currently available method to make a legal backup of such a protected material then (in contrast to Mark's "... there is no reason ...") that is perfectly reasonable (called for, actually) and legal and it will hold in any court.

Nevertheless, a very interesting read (for me, more than the blog entry itself - no offense Mark)

# posted by Bogdan : 5:33 AM, April 06, 2006

You say the developers don't have to use cloaking, but provide no example of an alternative approach. And obviously circumventing DRM can be "unethical", but that's sort of the point. You're unclear on whether the problem in ethics stems from using "rootkit-like" behavior or the technology itself, but, either way, users of these programs know they are adding a virtual drive with all kinds of emulation and that this is not a trivial affair.

# posted by Anonymous : 10:36 AM, April 09, 2006

Wow!!! Better said, according to a user of Futuremark forums. And I read so much things from this "kind" of users.

# posted by slav75 : 5:18 AM, April 12, 2006

Wow!!! Better said, according to a user of Futuremark forums. And I read so much things from this "kind" of users.

# posted by slav75 : 5:23 AM, April 12, 2006

Mark, I respect the hell out of your technical prowess, but you're simply dead wrong on the ethical issues.

As a device driver writer for XP myself, I can easily say that your skill and knowledge blow mine out of the water. When I worked for Microsoft doing blue screen analysis (this was pre-OCA), we used to refer Fortune 500 customers to your tools to discover what files or registry keys were being hit. So big props to you for that.

But Mark, on the DRM issue, you're missing the point. While Alcohol and D-Tools may very well be illegal under the DMCA (IANAL) they are far, far from unethical if they're used in non-infringing ways. Don't force the legitimate users (non-DRM'ed ISO's and Fair Use uses) to pay for the crimes of the few.

I've had to write a device driver myself just to shield my system from the ill effects of others' poorly-written or overly-invasive software -- Blizzard's Warden (evil bastard software scans all your window titles to make sure they're "acceptable") and Starforce's rootkit comes to mind. Fortunately I never contracted Sony's rootkit, and since I'll never buy another Sony product, I hopefully never will.

In the end, the question is: who owns my computer -- me or the "content providers?"

Yes, it's illegal -- and more importantly, unethical -- to copy someone else's software without paying for it. But while it may be illegal to ask for total control of your own computer even if this makes the content providers nervous, it can hardly be called unethical.

[By the way, discussing the ethics of programs like Alcohol and D-Tools is a COMPLETELY DIFFERENT discussion from technical discussions; the programs may be poorly written but still ethical, and vice versa. Note also that your reverse-engineering of parts of Alcohol/D-Tools may itself have run afoul of the DMCA. How's that for a conundrum?]

You're a very smart man, Mark, and I respect you for that. But on the philosophical front, you're wrong.

# posted by Anonymous : 5:18 PM, April 14, 2006

Anonymous @ 6:39 AM, February 24, 2006 said

"And a question to all user with little kids. Have you made a backup of your Hardware. No?
Don't you know kids can destroy CD/DVDs. Why you are sure they don't destroy your Keyboard, Mouse or 500 Dollar Flatscreen Monitor?"

- First of all, I do not buy the most expensive hardware, in the contrary, they get the cheapest possible.
- Second. I've seen how kids bang their fists onto the keyboards and you still can use them. Try throwing a CD across the room...
- Third Kids handle the cd's as they handle a football or any ogher toy. CD's aren't made to withstand that handling.

"If you do not like DRM-Stuff don't buy it."

I'm going to make everything in my power to remove the DRM on the media to be able to do what *I* want with my purchase, not what some unknown bastard thinks is right. He doesn't know how my environment looks like, and how I want to use it.

StarForce is an example. I couldn't use the game, because SF didn't aprove that I had 6 hard disks and two DVD-ROM/RW in my system. So Ig went out and found a SF-killer so I could play the game, which I *wanted* to play. The "Don't buy it" option is in many situations unavailable as one wants the content, but without the cripple-ware!

# posted by Anonymous : 6:45 AM, April 16, 2006

What want to know and what I have not seen asked is this. With the Sony Rootkit deal, performance was effected, security was effected and un-install was very difficult.

Is Daemon Tools and Alcohol the same way?

# posted by Anonymous : 12:03 PM, April 17, 2006

Might be off the subject at this point as I only read the first two or three feet at the top, but:

I would have to say that Daemon tools is a perfectly ethical program in and of itself. As an MSDN subscriber, sometimes I don't want to wait for MS to get my DVDs to me for the monthly cycle. When a new Vista release comes out, I download it and install it to a VM within a couple days. Burning that image to a cd/dvd that I will throw out in 2-3 months is stupid and wasteful and only serves to muck up the environment. It therefore makes perfect sense to use Daemon.

Now I buy a game that won't run because I purchased Daemon tools for legitimate uses.

How is that DRM protecting the game company's IP?

I'm sure they'd love it if I bought a new computer just to play games on, but frankly I don't have room for more computers at home. My kvm switch is full.

At this point, the game DRM software is infringing on my rights and preventing me from getting use out of something I paid for, either the game itself, or the full benefits of my MSDN subscription and Daemon.

It's been said before that this DRM garbage only prevents legitimate users from using the software. It would appear that that is true, if I buy certain games.

Is it ethical for Daemon tools to hide? As a paying customer of Daemon tools, (yes, I sent them some money. I use DT too often to have kept using it shareware forever.) I would REQUIRE them to build in a hiding feature, simply so that I could get work done on my Fastest PC and also still be able to play purchased games.

Gotta come down clearly on the "It's ethical to hide" side of the argument.

# posted by Bob : 11:27 AM, April 20, 2006

A gun is capable of doing harm or good (protecting your family or murdering someone) and I guarantee I can leave a gun lying in the middle of the road and it's not going to get up and kill someone by itself. It takes a person to pull the trigger and NOT the gun by itself. Same with software. You may be able to use it for illegal reasons but you can also use it for legal one's as well.

When are people going to wake up and understand that it is NOT the software doing the illegal acts but the people using it. It's the same thing again and again, people not being held accountable for their own actions but instead, making up any and every excuse that it was the software that made them do it.

There are legal reasons to use Daemon Tools and Alcohol as well so I can understand why the creators of Alcohol have decided to "hide" it's drivers the way that they do. They do it because of other programs telling us how we should use the legal software that is installed on our systems.

# posted by Anonymous : 11:43 PM, April 21, 2006

"On the other claw, I know a total of *ZERO* people who use Daemon Tools to illegally play games they didn't buy. It is a poor tool for this purpose when "cracked" games that do not require the overhead of Daemon Tools are easily available."

On the otherhand, I don't know of anyone who uses Daemon Tools to mount legitimate copies of anything, including games and software. Seems it's not what you know, but who you know.

# posted by Anonymous : 12:35 PM, April 23, 2006

Long story short; Ethics has little to do with it; as the DRM publishers at first tried to transparently install this virus on our systems called drm. "Virus: A program which upon execution does something other than what is intended or reasonably expected."
DRM on a software game.. taking blacklists of other software to not work with. Correct me if I'm wrong; but I'm sure if this was legal microsoft wouldn't be in the anti-trust suit over and over no? :) Point is they're discriminating upon legitimate and ethical uses of DRM circumvention which is #1 unwanted #2 non-effective. They need to change their busniess models. MMO's for example, where the software is irrellivant as you can't play without an account/monthly fee.

I've actually had starforce lock up and crash my OS I was running. While loading my virus scanner.. BSOD every time.. used a starforce removal tool .. hasn't happened since.

The DMCA is a joke. a Law is only a law if it can be enforced.
mp3's .. illegal.. copying a dvd.. vhs cassette.. illegal. -normal- people have done atleast one of these things; laws are novel but if you can't enforce them what's the point.

The distributers should take this into consideration and stop putting the own-ness on the consumer for their revenue-loss. Sad matter of the fact is with all the DRM.. pirated versions of legit software usually run smoother/faster than an actual purchased copy due to drm/bad sectors ect.

# posted by Anonymous : 4:50 AM, May 19, 2006

Overkill is the word I'd use to describe this mess. Personally I'm getting down right sick of it all.

I used to be able to buy a game and play the damn thing right away. This newest version of Starforce (which also uses a rootkit) takes a bloody minute to verify the game medium (which makes my Dell laptop DVD drive moan and grind in the process - in ways it wasn't obviously designed to). Then every developer and publisher has to spew out their company logo... intro movie... and viola, two to five minutes later you can play the game. This is unacceptable IMHO.

While I'm no expert, I suspect that eventually the hackers out there will break the copy protection to pretty much every game. So all DRM is really accomplishing here is screwing over legitimate owners. There's a point in time when things are just going over the line and we have crossed that line with the use of rootkits. Whether it's daemon tools or starforce, enough is enough. At the rate this war between hackers and copy protection software is evolving we're going to be looking at games that take 30 minute to load/validate while secretly installing their own rootkit operating system.

In the end, the legitimate customer is the one that takes the brunt of it.

# posted by Greg R. : 10:36 PM, May 20, 2006

I dont need daemon tools to copy games, I just download the pre-cracked versions on bitorrent.

I use daemon tools for the games i own (bought), I have 1 game with 6 cds, switching cds by hand gets annoying...

DMCA is a stupid american law that removes rights of americans (poor them)

DRM Copy protection is a removal of rights, ordinary consumers get frustrated with the restrictions while the the people like me (who they want to stop) just get around them ez and we dont even need daemon tools to do that.

I have much respect for all the work that you do at system internals and i think the term rootkit is misleading in this context as the purpose of a rootkit is to obtain control of your computer, not give it back to you.

Please understand what the pirates acctually do before you critize a legitimate and valuable tool.

# posted by Anonymous : 12:33 PM, June 09, 2006

Wow... I hate to be a jerk, but the pure ignorance of basic computer security displayed in this thread is out of control.

I really dont care if you want to defend to the death your right to pirate games and music (oh, I mean "backup"). Of course the fact that nearly all of you are in no way satisfied by DRM systems which ALLOW you to make limited backup copies to your PC and/or portable device (nearly all DRM schemes allow this - and THIS is called "fair use"), prove your hypocrisy. But go ahead, keep arguing and rationalizing. In the end, it really wont amount to anything more than noise.

What I cannot let go, however, is this ridiculously flexible definition of a "root kit" msny of you seen to have fixed in your heads for some reason. A root kit has a real definition which Mark was nice enough to take the time to write up. Lots of you need to learn how to acknowledge that someone knows a LOT more than you about something (MarkR, for example) and that not EVERYTHING is "opinion". I know Google has produced lots of arm chair geniuses, but have you all gotten so lazy now that even "Google research" is too hard?!

ROOT KIT HAS A DEFINITION (Google it!). What Mark has described Alcohol and Daemon Tools doing FITS THE DEFINITION.

Personally, I dont care about any of this beyond the computer science and, more specifically, the computer security, aspects.

INTENT does NOT matter. A non-destructive virus isnt suddenly "not really a virus".

These things have REAL definitions people. How can you possibly expect to intelligently contribute to a technology debate when you refuse to build a foundation of basic knowledge.

I also have to take a parting shot at the Europeans. Every time someone on the Internet mentions a US law, it isnt a direct assault on your ego and cultural identity, mmmmay? I mean arent YOU people also sick of your own hypersensitive, insecure, whining over EVERYTHING that has ANYTHING to do with the USA?

I dont think Mark was implying through his *gasp* mention of USDMCA that the WORLD IS UNDER THE FASCIST CONTROL OF THE EVIL US!!! Or that the USA IS YOUR FATHER!!! I think he's just addressing the HUGE numbers of his fellow countrymen who read his site and reminding him that there IS a local law here. If it doesnt apply to you, then why is it such an assault on your psyche? When did Europe develop this pathetic continent wide complex?

# posted by Anonymous : 10:25 PM, June 27, 2006

Wow very impressive argument going on here.

In my occasional search for tweaking my pc I ran across these musings.

I am a user and I admit to being an occasional abuser.

I do use Alcohol to mount an image of my legally purchased favorite game and I use another program to defeat the emulation detection.

My copy of Alcohol is stolen. Sigh, I am a thief. It is a very old copy and does'nt include the database to defeat newer protections but I only use it to mount images so that does'nt matter to me anyway. My applogies to the Alcohol devs but it is an outlawed program in the US and I can't legally buy it anyway.

I'm not as technical as all of you and alot of the wizardry goes over my head. But I'll make this statement. I see nothing wrong with my being able to mount images of software I have purchased. And there certainly seem to be other ways for the manufacturers to keep me from stealing rather then emulation detectors. Having a proper cd key to play a game seems to be the easiest. Yes cd keys can be stolen but going that route usually is'nt worth the trouble. You generslly have a limited time with a particular key til it is discovered and you get cut off.
Yes I have experimented and found this to be the case. And maybe it's just me but if you do obtain a cd key to play an image and later on purchase the software legally it usually screws up your "new" installation and makes your now legal game unplayable. So it just is'nt worth it to me. It's too much of a hassle to backtrack and try to remove every little instance of a piece of software in the registry and such in order to facilitate a legal install.

Question and answer time.

Can this software be used to steal?
Yes it can. But I don't think it is as widespread as we are left to believe.

Have I ever stolen?
Yes a couple of times but I learned that it was'nt worth the effort.

Is it wrong to steal?
Yes

Do I know the difference between right and wrong?
Yes I do.

Do I own what I have worked hard to earn my money and purchase?
Absolutely

Do I have the right to do what I wish with my belongings?
Yes

Does the industry have to right to make it difficult for me to steal?
Duh, if they did'nt imagine what a world we would live in.

Do I own a gun.
Yes

Have I shot anyone?
Nope

Can my gun kill someone?
Yup

Does my gun have a registered serial number by which it can be tracked?
Yes

# posted by Anonymous : 11:37 PM, July 04, 2006

"Oh what a tangled web we weave, when first we practice to deceive." -Sir Walter Scott

Which brings me to:

"There is nothing new under the sun." Ecclesiastes 1:9-14

Another thought:

Maybe Sony (et.al.) would be better off going after the Chinese firms that rip M(B?)illions of copies instead of blackmailing eight year olds giving away dozens.

# posted by Anonymous : 2:56 PM, July 10, 2006

New versions of daemon tools no longer patch the kernel on x64 OSs, due to KB914784 wich prevent such behaviour.

# posted by Anonymous : 7:37 PM, July 13, 2006

Mark's Sysinternals Blog

Using Rootkits to Defeat Digital Rights Management

RSS Feed

Index

Recent Posts

Archives

Other Blogs