Slashdot Mirror


TurboTax DRM Writes to Your Boot Sector?!

ltwally writes "As reported on Slashdot (amongst other sites) recently, the latest version of TurboTax is laden with DRM software. Even worse, however, is that it apparently writes to your hard drive's boot-sector, as reported at Extreme Tech here. As I'm sure most Slashdotters already know, the boot-sector is often times used for silly things like boot-loaders and such."

22 of 733 comments

  1. Turbotax naughtiness by Neophytus · · Score: 4, Interesting

    What smartarse decided to put registration data in such a volatile place as the MBR? Heck, any program that performs low-level operations on your hard disk should be banned, because of the risks involved with writing blindly onto one area. Turbotax are treading shallow water, especially after their licensing 'policy'.

  2. only in danger if you dual-boot by ltwally · · Score: 5, Interesting

    TurboTax's DRM software only modifies sector 33 of your boot-sector. Basically what this means is that for Windows only users, you're safe.

    If, however, you use other boot-loaders or "alternative" OS's, you might be in for an unpleasant surprise as things suddenly stop booting. YIKES!

    Anyhoo.. just thought that I'd point out that any of you that just have to run TurboTax should be "safe" unless you run something non-M$.

    --
    /dev/random
    1. Re:only in danger if you dual-boot by Pius+II. · · Score: 5, Interesting

      This is software targeted at average users, meaning that it is easily possible that some of them still use hard drives which store additional enablers in the MBR to overcome all those silly BIOS limits (512 mb ought to be enough for everyone. No wait. Shit. Well, then let's extend this to 2 GB. Oh, damn. 8 GB. Oh, there goes another. 32 GB. Oh no, wrong again. 128 GB. To be continued...).
      I don't think I have to mention what overwriting those drivers means to the user's data; plus, you aren't even likely to be able to restore those drivers.

  3. VMWare? by Malc · · Score: 3, Interesting

    Anybody know if this can be used with VMWare? Do virtualised IDE disks conform all the way down to these unused sectors?

  4. umm... by ArchieBunker · · Score: 3, Interesting

    Correct me if I'm wrong but most apps in NT4/2k/XP aren't allowed direct write access to disks or even hardware. Does this only affect win98 boxes?

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  5. Re:How Appropriate by crawling_chaos · · Score: 5, Interesting

    The install instructions for TurboTax state that it will not install correctly with a virus checker enabled. Now we know why.

    --
    You can only drink 30 or 40 glasses of beer a day, no matter how rich you are.
    -- Colonel Adolphus Busch
  6. 3D Studio Max does a similar thing. by dnaumov · · Score: 5, Interesting

    3DS Max likes to keep its registration information in the boot-sector and of course it's ONLY compatible with the Windows bootloaders. This means that if you have a dual-boot system with Linux using GRUB to boot Windows, the moment you register 3DS Max from within your Windows install, your bootloader will be practically wiped out. If you reinstall the bootloader again, 3DS MAX will complain that you have to re-register and obviously, if you do so, your bootloader will be wiped yet again.

  7. UK online returns by larien · · Score: 4, Interesting
    Here in the UK, we're being encouraged to do returns online. As I had to fill one in for 2001/2002 (things like having a private pension etc & being in the higher tax bracket meant I was due a refund), I figured I might as well. From the web site, I was able to enter details for all my incomings & outgoings in forms. At the end of it all, it calculated my tax due & tax paid (via PAYE and tax deducted at source) and offered to give me a refund either by cheque in the mail, a higher tax code for next year (to recover it) or even by direct bank transfer (which I chose).

    All in all, pretty painless as well as free...:)

  8. How many other programs do this? by wiggys · · Score: 4, Interesting
    I installed Autocad 2000i on a computer a couple of years ago. Anyway, the user managed to completely screw up his computer in such a way that we had to reformat and reinstall Windows 2000 (even FDISK was used). When the OS was reinstalled we tried installing Autocad but the software informed us that our 30-day trial period had ended and we must contact Autodesk to register. So... where was the info written to?

    But that's not all. Recently The Register ran a story which talked about how a stolen tablet PC had been traced over the net. The security software installed on this notebook (Computrace) supposedly "involves a tamper resistant agent that resides on the hard disk of PCs. Even formatting a drive will not erase this agent."

    Now, I for one doubt those claims (Partition Magic would surely be able to zap the software, and the software wouldn't run if Linux was installed etc) but if it is true then who knows what else could be written to inaccessible (by the user at least) parts of the hard-disk?

    It gets worse. The Computrace software creates a backdoor in your system which allows Computrace (and anyone else who figures out how to use it) to silently delete files from your drive. It also uses cloaking software which "is silent and invisible and will not be detected by looking at the disk directory or running a utility that examines RAM."

    Claims are also made that it can worm its way through firewalls. Big claims indeed (perhaps too big without some clarification... the devil's in the details) but if this software is sold to the public by a private firm, what the heck could Government departments install on our computers to track what we do?

    --
    Sorry, but my karma just ran over your dogma.

  9. Not the boot sector! by steveha · · Score: 5, Interesting

    This annoying DRM junk does not involve the boot sector. According to the actual article (which I actually read), they found it writing to track 0, sector 33.

    Track 0, sector 0 is the boot sector. The partition table is stored in this sector. The rest of track 0 (sectors 1 through 63) is not officially used, so some DRM systems like to stash data there.

    What makes this annoying is when you try to install another DRM-enabled product that also wants to write in the same place; after you install the second program, the first one will accuse you of being a pirate, and it will refuse to run anymore. Since there is no standard for using this space, it's easy for two DRM systems to conflict with each other.

    If there were a standard for using that space, presumably the DRM authors wouldn't want to use it! After all, someone would write a utility that showed you what programs were using that space, and for what... and then it wouldn't be obscure, and so it wouldn't be "secure" anymore. Feh.

    I won't ever buy programs that pull stunts like this.

    steveha

    --
    lf(1): it's like ls(1) but sorts filenames by extension, tersely
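
The kind of utility steveha's comment alludes to, as an added example (not part of the original comment or of any product named in the thread): a read-only Python check that lists which sectors between the MBR and the first partition hold data, and which changed between two images of the same disk. It assumes 512-byte sectors and treats the thread's sector numbers as zero-based LBA offsets; all function names are hypothetical and the disk image is constructed in memory.

```python
import struct

SECTOR = 512  # assumption: 512-byte logical sectors

def parse_partitions(mbr):
    """Return (type, start_lba, sector_count) for each used MBR partition entry."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i  # the partition table starts at byte 446
        ptype = mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype and count:
            parts.append((ptype, start, count))
    return parts

def first_partition_lba(image):
    """LBA where the first partition starts; the gap is LBA 1 .. this - 1."""
    parts = parse_partitions(image[:SECTOR])
    if not parts:
        raise ValueError("empty partition table; cannot locate the gap")
    if any(ptype == 0xEE for ptype, _, _ in parts):
        # Protective MBR: the sectors after LBA 0 hold the GPT, not spare space.
        raise ValueError("GPT disk; post-MBR sectors are not a gap")
    return min(start for _, start, _ in parts)

def gap_sectors(image):
    """Non-empty sectors in the gap, as (lba, hex of first 16 bytes)."""
    found = []
    for lba in range(1, first_partition_lba(image)):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if any(sec):
            found.append((lba, sec[:16].hex()))
    return found

def changed_gap_sectors(before, after):
    """LBAs in the gap that differ between two images of the same disk."""
    end = first_partition_lba(after)
    return [lba for lba in range(1, end)
            if before[lba * SECTOR:(lba + 1) * SECTOR]
            != after[lba * SECTOR:(lba + 1) * SECTOR]]

def build_sample_image(payloads=None, first_lba=63, ptype=0x07):
    """Constructed image: MBR, gap, one partition entry. Not real disk data."""
    img = bytearray(SECTOR * (first_lba + 1))
    struct.pack_into("<B3sB3sII", img, 446,
                     0x80, b"\0\0\0", ptype, b"\0\0\0", first_lba, 2048)
    img[510:512] = b"\x55\xaa"
    for lba, data in (payloads or {}).items():
        img[lba * SECTOR:lba * SECTOR + len(data)] = data
    return bytes(img)

if __name__ == "__main__":
    # Constructed scenario: a boot loader occupies LBA 1-40, then an
    # installer overwrites LBA 33 with its own record.
    loader = {lba: b"LOADER-STAGE" for lba in range(1, 41)}
    before = build_sample_image(loader)
    after = build_sample_image({**loader, 33: b"CONSTRUCTED-RECORD"})
    print("used gap sectors:", len(gap_sectors(after)))
    print("sectors changed by the install:", changed_gap_sectors(before, after))
```

For a real disk, pass in the first track read from an image file opened read-only; comparing a copy saved before an install with one taken afterwards shows exactly which sectors the installer touched.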
  10. Re:CDilla by Nogami_Saeko · · Score: 4, Interesting

    Erm, ya.

    It's farking TAX software, it's not CAD, it's not 3D animation or video editing. It's for doing TAXES.

    It's like installing a sophisticated electronic ignition interlock system in a Yugo or something. Why bother?

    It's this sort of thing that permanently alienates me on a product. I will NEVER buy a product that uses low-level writes on my system for copy protection purposes, especially if they try and keep it secret.

    N.

    --
    "Nothing strengthens authority so much as silence." - Charles de Gaulle
  11. Re:As has been pointed out. . . by Moonshadow · · Score: 4, Interesting

    Well, I know my girlfriend's parents bought TurboTax this year, and definitely used it. They also tend to be pretty concerned about digital privacy and such like this - I'm sure they'd be interested in getting it off their machine. For one untrained in the ways of the boot track, how might I go about removing it? I've played with the MBR and such, and even had a virus infect my boot record before, but what's the proper method for removing this thing? Assembly? ;)

    Do the virus scanners catch this? If so, can they restore an untouched copy of the boot track?

  12. Re:OK, this explains a lot by cookiepus · · Score: 3, Interesting

    I was disappointed with TurboTax2002's installation as well. There are two viable options, it seems.

    1) www.turbotax.com you can do all your taxes on the web, with seemingly full functionality of the turbotax CD package. There are different levels that you can access, from very basic (and therefore cheapest) to full-featured. Also, if your income is under 27k (I believe) you can use turbotax on the web for FREE. You'll have to look for the link on their site for that. turbotax on the web does both federal and state and files electronically with option to print.

    2) Taxcut from H.R.Block. Their software seems to be aimed as a full replacement for Intuit's, and it does appear to work. I still haven't had time to sit down and run through the different filing scenarios and see if TaxCut was as effective as TurboTax, but it looks solid.

    By the way, I totally understand why Intuit is instituting this draconian measure, even if it pisses me off as a user. Tax software, unlike just about any other software, has a useful life of 4 and a half months (you wouldn't use it earlier than Jan 1st, and probably not later than April 15th) and in fact, it's something you use exactly once. So unlike most other software, there's absolutely no chance that you'll "use it, love it, buy it eventually". Nor can Intuit compensate for piracy by jacking up the price, because there's only so much that people would pay for this software, since:

    (1) It's something you use once, so you won't pay for it as much as you'd pay for an office suite you can use, potentially, for half a decade.

    (2) You won't pay more than you perceive it will save you in tax returns.

    Meanwhile, each year means tons of development for Intuit, with the ever-changing tax code. So it's absolutely imperative for them to make sure people pay for their software rather than have 10 people use the same CD to do their taxes or just sharing the shit on Kazaa.

    And yeah, to be honest it may be worth putting up with. If TaxCut proves to not be flexible enough for what I need to do ( a lot of contractual work, etc. Not a simple W-2 scenario ) then I'll bite the bullet and buy TurboTax, boot sector be damned.

  13. No thanks by iamacat · · Score: 4, Interesting
    I expect some integrity from the authors of my financial software. If it does dangerous operations without my permission, how do I know it doesn't send my e-mail address, with my income level and home ownership status, to Intuit for inclusion in a spammer's dream list? Or worse, charges back a few bucks from my electronic refund.

    Anyone know if TaxCut makers are known for some dishonest practices? They bought CompuServe and tried to push it to people who came to H&R Block. Hmmm...

  14. LEGALLY Circumventing (sortof) all this crap by nurd68 · · Score: 5, Interesting

    1.) I just happen to have an inspiron 7500 with no screen (hinges broke off). Works fine when hooked to a CRT, though.

    2.) It came with a Win98 license that I retained, but never used (it was a GNU/Linux box).

    3.) Install legal copy of Win98

    4.) Install copy of TurboTax

    5.) Do taxes

    6.) Pass laptop around to family and friends, who hook it up to their monitors and printers, but (as per the license) it is only installed on ONE machine. (The machine just happens to move around a lot...)

  15. those guys! by jqh1 · · Score: 3, Interesting

    When I first heard about DRM on turbo tax, I got depressed and sent "whine-mail" on their website. One Joyce, from the Intuit "Executive Response Team" replied, and I responded again. I still haven't heard back:

    Joyce,
    Thanks for the response -- let me tell you a little bit about my April 15,
    2002:

    The time - about 11:00 PM. I've completed my 1040 and related forms using
    TurboTax on my main Windows 2000 computer (I have a home network, with
    several computers connecting to the internet through a common router to a
    cable modem). I go through the steps to file electronically, but
    experience repeated failures, with a couple of different error
    messages. I get on the live chat support and finally get through to an
    attendant. I get some advice, then try again to no avail. Returning to
    support I describe my setup a bit more. When the attendant learns that I
    have a home network, he/she says that I'm more or less on my own. I try
    making many different changes to the configuration of the Win2k computer,
    including dialing up to the internet straight through a modem. No dice,
    and no time to wait for another chat session with support.

    The time is about 11:45 (and my blood pressure is rising
    fast...). I uninstall TurboTax from the Win2k computer and install it on
    my daughter's Win98 computer, transferring the
    tax data file across the network. About 11:55, I try electronic filing
    again, and it works! Without remembering or wishing to burden you with
    the details, let me assure you that it appeared to be a Win2k related
    problem, or at least a problem with the network set-up on the Win2k
    machine. Blood pressure goes down, and I put the whole thing behind me.

    Running that scenario again with product activation lands me in the
    emergency room. I do appreciate the note, and I'm going to start my 2002
    taxes soon. I'll revisit the product activation issue then.

    Josh

    On Mon, 3 Feb 2003, JoyceC Support - [snip] wrote:

    > Dear Mr. Hamilton,
    >
    > Thank you for your E-mail to Intuit. My name is Joyce with Intuit's
    > Executive Response Team. I would like to respond to your concerns about
    > using our product. By working with our customers, it is our intent to
    > establish clear, identifiable solutions to your questions and concerns.
    > First and foremost, I am sorry for the delay in responding to your comments.
    > Second, I gather you are giving up on TurboTax because of concerns with the
    > product activation this year.
    >
    > Let me share some facts about our product activation:
    >
    > * TurboTax 2002 includes a product activation process that ensures
    > TurboTax is used in accordance with the TurboTax software license and
    > services agreement.
    >
    > * Product activation ties printing and filing from the TurboTax
    > federal product to a single computer, preventing unlicensed use of the
    > product.
    >
    > * Privacy was a key consideration when implementing the Product
    > Activation technology in TurboTax. Product activation is completely
    > anonymous -- no personal information is transmitted to Intuit.
    >
    > * Product activation transfers nothing but a Product Key and Request
    > Code. The Key and Code key are matched together and a confirmation is sent
    > from Intuit that activates TurboTax on your computer.
    >
    > * Product activation does not monitor any activities on your computer
    > nor will it prevent you from using your CD-R or CD-RW drives.
    >
    > * The functionality that manages the TurboTax product activation
    > (Macrovision SafeCast(r)) can be deleted from your computer when you are
    > done using TurboTax. The uninstall utility is available on our support site
    > at
    > http://www.turbotaxsupport.com/default.asp?platform=1&DocID=836
    >
    > I hope this information answers your questions. If you would like to get
    > more information about product activation, please see the Product Activation
    > page at http://www.turbotaxsupport.com/default.asp?platform=1&docid=815.
    > You are a valued customer and your opinion matters. If I can
    > answer any additional concerns that you may have, please let me know.
    >
    > Joyce
    > Executive Response Team
    > Intuit. Inc.
    > [snip]
    >
    >
    > In response to the following E-mail received:
    >
    > I'm sad to hear about your product activation scheme. I will not buy
    > TurboTax this year (as I have for many years so far) because of it. What's
    > depressing for me is that I think the product is so good, otherwise - that
    > is, without the product activation, I would be 100% certain to buy and use
    > TurboTax, but with it, I'm 100% certain *not* to.

    --
    who's moderating the meta-moderators?
  16. Is this discussion a DMCA violation? by statusbar · · Score: 3, Interesting

    Can they legally shut down this discussion on slashdot just because we are talking about the intimate details of 'track 0, sector 33'? Now that we know this, the protection scheme is broken, anyone can write a crack for this program that simply writes the appropriate data on sector 33.

    --jeff++

    --
    ipv6 is my vpn
  17. Re:I just bought that yesterday! by Restil · · Score: 4, Interesting

    But he never implied that he wanted to sue them. Only that he puts them in a position where they refuse to pay for damage caused by a function of their software that they were well aware of, but haven't bothered to inform the public of.

    The point is, you make a media case out of the company and in light of a well informed marketplace, hope that people will see this software as dangerous and refuse to use it on that basis, especially when they clearly refuse to pay for damage that they clearly caused.

    And EULA's aren't the impenetrable blanket they might appear to be. Yes, we can use them to avoid getting sued because some overlooked bug did something undesirable. But as far as I know, a contract that involves illegal activity is not a legal contract. And as long as initiating the spread of a dangerous virus is considered illegal (and judging by the arrests and convictions to that effect, I'm going to assume it is), the only thing a virus writer would have to do to exempt themselves from prosecution would be to include a EULA along with the virus that somehow the victim would agree to. Nobody reads them anyway, so the virus would still spread just as rapidly.

    Writing to the boot sector is dangerous, and application software has NO reason to do so. As far as I'm concerned, make a public spectacle out of them. Let the public realize that in the name of DRM some software companies are doing inherently dangerous things, and let other software companies know that this type of activity will not be tolerated.

    -Restil

    --
    Play with my webcams and lights here
  18. Re:Heh, silly me. by King_TJ · · Score: 3, Interesting

    Sure, if your return is complex enough - you really have no business trying to use tax software for "beginners" to get it done.

    In my experience, as your tax situation gets more complex, TurboTax starts asking questions and prompting for information that you don't really know the correct answers to. (Perhaps they need figures from a particular statement or form you're not even aware you have, for example?)

    On the other hand, I still think these packages are great for the average person. Quite a few friends of mine pay someone to do their taxes each year, and it's primarily out of irrational fear of taxes. Basically, they're afraid they'll make a mistake and it will cost them dearly later on. That, or they're convinced the "H & R Block guy" will really get them more money back than TurboTax or Tax Edge.

    Since my own return is usually pretty straightforward, I always use tax software to file. It's cheaper than paying an accountant, and I'm pretty confident the computer will do the math correctly. Not to mention, I *know* how it ended up with the results it got. I feel a little more informed about the whole process if I can see my refund or amount owed changing as I enter my figures.

  19. IRS should provide XML-based forms, rules by g4dget · · Score: 4, Interesting

    The IRS (and state tax boards) should really provide tax forms in XML format. Furthermore, tax laws are a good place to start translating fuzzy legal language into clear mathematical and programmatic rules, and those rules should not be coded up by a bunch of private companies, they should be supplied by the IRS. Then, the function of tax software would be to be a user interface to the IRS-supplied XML forms and rules.

  20. Note to H&R Block marketing people! by restive · · Score: 3, Interesting


    If you haven't figured it out already, you have just been handed the chance to clobber TurboTax. This is like Coke adding broccoli flavoring to their cola. Offer TaxCut at 50% off to everyone that used TurboTax last year.

    Also make sure you don't do the same as Intuit, and you just might be able to corner the tax software market.

  21. Amazon reviews by gnuber · · Score: 3, Interesting
    Anyone who believes the Intuit PR downplaying the problem need only read the 391 overwhelmingly negative reviews at Amazon to determine that this is a serious problem that severely affects people. I am certainly changing to TaxCut this year! I feel that this review by Kent Stanton sums these issues up well:

    There's a lot of hype going around about the copy protection scheme in Turbotax. Much of it is overblown. But even ignoring the hype, Intuit has blown it big time.

    1. The copy protection scheme used by Intuit is invasive. It works by installing and running an unwanted program on your computer. This program runs 100% of the time. You can't turn it off, and you can't uninstall it even when you remove turbotax. (Intuit has recently released a separate uninstaller for the copy protection scheme, but first you have to download it, and many people are saying that it doesn't work).
    2. Intuit is punishing/annoying/infuriating its paying customers to stop a few thieves. The vast majority of Turbotax customers are honest, and they want just one thing from TT. A safe reliable way to do their taxes. It doesn't make sense to use pirated tax software to save 30 bucks.
    3. The Intuit customer support department is so overwhelmed by all the problems this has caused that you should expect a 30-60 minutes wait to talk to anyone at Intuit about anything. This includes activating your product if you can't do it on-line. But don't take my word for it, try to call them.
    4. But here's the killer: If every software vendor decides to try something like this, we'll end up needing a separate computer for every program. The c-dilla software used by intuit has a well-earned reputation for being unstable. How well will your computer work in the future when there are 20 different competing copy protection services running on it.