02 Feb 2013

Tinkering with uncertified Play To devices on Windows 8

Microsoft supports a feature in Windows called Play To that allows you to stream music, video, and photos from your computer to TVs or speakers on your home network. But anyone who has tried using Play To knows it can be an extremely frustrating experience, thanks in part to brittle OEM implementations of the underlying Digital Living Network Alliance (DLNA) spec.

As part of its continuing DLNA compliance push, Windows 8 now requires that Play To devices be certified before they can be used from the new Windows Store application model. (Desktop applications are not affected.) That is, an uncertified device will not appear in the Devices charm from a Windows Store app (e.g. Video). So those of us geeks with flaky, sort-of-working DLNA devices are out of luck.

Or were, anyway.

As part of a PowerShell learning experience, I wrote a script that suspends the aforementioned checks in Windows 8 and offers facilities to generate the required device metadata. Here’s a quick run-through:

  1. Read the readme, just in case.
  2. Download the latest playto-tools script + dependencies from my repository.
  3. Open an administrative instance of PowerShell, in the directory holding all the downloaded files.
  4. Dot source the script. (. .\playto-tools.ps1)
  5. Call Suspend-CertifiedDeviceChecks to patch the Device Property Manager to accept unsigned metadata.
  6. Call Get-MediaRenderers to list the media renderers on your network. You need to grab the hardware ID of the device you wish to enable Play To for.
  7. Pass this hardware ID (and the -Install switch) to New-DeviceMetadata to generate and install metadata into the Device Metadata Store.

In my case, I was testing with one device and was able to string everything together:

New-DeviceMetadata (Get-MediaRenderers | Select -First 1 -exp HardwareID) -Install

(Alternatively, you could boot Windows in test mode… but that’s gross and affects a lot of components.)

This is a “FAST PUBLISH” article. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may not be fully described, include typographical errors and/or be revised at any time without notice.

 
25 Jan 2013

Sorry, Seth Rosenblatt.

As some may be aware, I’ve been complaining recently on Twitter about CNET Download.com illegally bundling and hosting Geosense for Windows — software I own the copyright to. I sent a DMCA notice to CBS Interactive’s designated copyright agent per procedure on 1/20/2013 to no effect. The downloads were still live as of earlier today.

So as part of my usual knee-jerk response, I took to Twitter to complain.

Unfortunately, CNET senior editor Seth Rosenblatt subsequently showed up in my timeline with trigger word “CNET” and, well, all hell broke loose. And upset that Seth — the guy that “can kick your ass from here to Tienanmen” – would demand an apology for indirectly calling him an asshole garnered a diamond-class “Go fuck yourself” tweet from me.

But Seth isn’t responsible for CNET Download.com listings. Hell, I don’t even know the guy. And despite the barrage of senseless hate coming from my direction, he helped me get in touch with someone who was and my issue was mostly resolved in less than an hour.

I was unprofessional. I was an asshole. I let my emotions impede cognitive function.

I’m sorry Seth and Twitterverse, it won’t happen again.

 
16 Jan 2013

InstallMonetizer quietly starts editing website, privacy policy (update 3)

In what’s clearly a response to recent criticism (and probably a phone call from Y Combinator’s Paul Graham), InstallMonetizer made changes to its privacy policy moments ago. The change is a half-baked attempt to clear up whether information collected by its junkware installers is personally identifiable or not. Oddly, they missed the contradictory language and typos throughout and didn’t bother to up the revision number (currently sitting at v3) or notify anyone about the change. It is, after all, “your responsibility to review [the] policy periodically.”

Totally worth $500,000.

Before:

[...] We gather personally identifiable and may include information regarding your geo-location, ip address, operating system, language setting and information regarding whether recommended advertiser software has been accepted, downloaded, installed and any reason for failure installing. None of his information is personally identifiable.

After:

[...] We gather non personally identifiable aggregate data and may include information regarding your geo-location, ip address, operating system, language setting and information regarding whether recommended advertiser software has been accepted, downloaded, installed and any reason for failure installing. None of his information is personally identifiable.


Update 1 (01/17/2013 5PM PST):

More edits are in, featuring typo cleanup and the addition of an odd open-source exclusion…:

Before:

[...] You hereby warrant and undertake:
a) To bundle the co-bundle only within your Installer.

After:

[...] You hereby warrant and undertake:
a) To bundle the co-bundle code only within software legally owned by you. Open-source software is a community product and you may not use our co-bundles with it.

… along with new information about MAC address PII gathered by its software:

Before:

[...] THE INFORMATION WE COLLECT AND WHY:
Cookies- When you visit our site we insert a cookie into your browser. Cookies are used to help us understand our users and our product activity. This data may include storing user preferences, website activity, usage and other information.

[...] Consumers Receiving Product Recommendations- We review the consumer’s pc for existing software. This is done to provide the consumer an advertiser software which they currently do not have installed on their computer. This information is not stored in order to maintain consumer’s privacy. We gather non personally identifiable aggregate data and may include information regarding your geo-location, ip address, operating system, language setting and information regarding whether recommended advertiser software has been accepted, downloaded, installed and any reason for failure installing. None of his information is personally identifiable.

After:

[...] THE INFORMATION WE COLLECT AND WHY:
Cookies- When you visit our site we insert a cookie into your browser. Cookies are used to help us understand our users and our product activity. This data may include storing user preferences, website activity, usage and other information. This information is never shared with third parties.

[...] Consumers Receiving Product Recommendations- We review the consumer’s pc for existing software. This is done to provide the consumer an advertiser software which they currently do not have installed on their computer. This information is not stored in order to maintain consumer’s privacy. We gather non personally identifiable aggregate data and may include information regarding your geo-location, ip address, MAC address (MD5 hashed for security), operating system, language setting and information regarding whether recommended advertiser software has been accepted, downloaded, installed and any reason for failure installing. None of his information is personally identifiable. This information is never shared with third parties.


Update 2 (01/17/2013 7PM PST):

Looks like the website as a whole is starting to change. One of InstallMonetizer’s “advisors” was removed from the front page — Microsoft’s Arjun Bedi. (The data is still present in the HTML, with a display:none CSS style.) I edited the post title to reflect this.

Removed:

[Image: arjun_bedi]


Update 3 (01/20/2013 3:47AM PST):

I found a few copies of InstallMonetizer bundles out on the Internet and can confirm that MAC address information is sent in the clear. So much for hashing MAC address information per the new privacy policy:

We gather non personally identifiable aggregate data and may include information regarding your geo-location, ip address, MAC address (MD5 hashed for security), operating system, language setting and information [...]

[Screenshot: 2013-01-200350061240]

These could be older bundles but the privacy policy must reflect all versions of InstallMonetizer code out there…

 
15 Jan 2013

A knee-jerk, cursory analysis of InstallMonetizer

This post is in response to Long Zheng’s thoughts on a recent Y Combinator funding round for shovelware provider InstallMonetizer.

InstallMonetizer, in short, is garbageware that wraps a piece of software and provides offers during install. Yeah, you know those offers that try to trick you into clicking I Agree. What sets InstallMonetizer apart from the others, like OpenCandy, is err… higher revenues, strict publisher acceptance criteria, and InstallBurst technology whatever that is…

… oh, and the personal information trove ready for sale to the highest bidder. What personal information? Check out the third iteration of this scary typo-laden privacy policy for the scoop:

[...]

Consumers Receiving Product Recommendations- We review the consumer’s pc for existing software. This is done to provide the consumer an advertiser software which they currently do not have installed on their computer. This information is not stored in order to maintain consumer’s privacy. We gather personally identifiable and may include information regarding your geo-location, ip address, operating system, language setting and information regarding whether recommended advertiser software has been accepted, downloaded, installed and any reason for failure installing. None of his information is personally identifiable.

HOW WE SHARE INFORMATION:
Protection of InstallMonetizer and Others- We may share your Personal Information and other information if we have a good faith belief that it is required to (1) comply with law, regulation, subpoena or court order ; (2) detect, prevent or otherwise address fraud, security or technical issues; (3) enforce the provisions of this Privacy Policy and/or any other agreements between you and InstallMonetizer, including investigation of potential violations thereof; or (4) protect against harm to the rights, property or safety of InstallMonetizer, its visitors, users and/or the public.

Business Transfers- If InstallMonetizer or substantially all of its assets were acquired, or in the unlikely event that InstallMonetizer goes out of business or enters bankruptcy, user information would be one of the assets that is transferred or acquired by a third party. Accordingly, we may transfer or assign all the information we have collected as part of a merger, acquisition, sale or other change of control. You acknowledge that such transfers may occur, and that any acquirer may continue to use your Personal Information and other information as set forth in this policy.

With Your Consent- Except as set forth above, we will only share your Personal Information with third parties with your prior consent.

Whether you consider your location on this Earth personal is debatable — hell, even the lawyers at InstallMonetizer interchangeably call this information personal and non-personal. But look, don’t worry man. They perform security audits n’ shit:

INFORMATION SECURITY:
We endeavor to take security measures to guard against unauthorized access to the systems where we store your data. This includes internal reviews of our data collection, storage, and processing practices and security measures and physical security measures. However, despite the measures we take we cannot warrant the security of any information provided to us. Unauthorized entry or use, hardware or software failure, and other factors, may compromise the security of user information at any time.

Interestingly, there is no trace of that “highest level of encryption commercially available” boilerplate found in other products and services. So, to determine if they at least encrypt login data I registered for an account and clicked “Forgot my Password”. After filling out their form, I got this back:

[Screenshot: 2013-01-15063228160]

Not only do they not encrypt my login data, they route it through a third-party mailer. Yikes.

There’s also the recent InstallMonetizer “advertiser” infections… but I don’t have the strength to go on. I’ll just end here.

 
07 Dec 2012

Dissecting the //build/ Badge (Part 2)

A little under a month ago, I dissolved Paul Thurrott’s //build/ badge to reveal an embedded NFC integrated circuit (IC). But I had to stop short of actually reading its data due to the lack of a proper NFC reader. (Windows Phone 8 doesn’t give you raw NFC access.) I purchased an ACS ACR122T and after weeks of waiting and experimenting I can now complete the story.

So, let’s start off with a correction. In Part 1, I incorrectly guessed that the IC was a MIFARE Ultralight. Turns out, it’s an older MIFARE Classic 1K complete with key-based security. But before I wrote the IC off as encrypted and inaccessible, I learned that these ICs were compromised back in 2008 — with a card-only attack following in early 2009.

Let’s take a brief moment to talk about these keys.

Without getting too technical, these NFC ICs have chunks of data. Each chunk of data can be secured via a pair of keys — A and B. Each of these keys can be used separately to access the data it protects. (For example, you may give a read-only key A to conference vendors, while maintaining the read-write key B for administrative purposes.)
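How those per-key permissions are encoded on a MIFARE Classic, as an added example that is not part of the original post: each "chunk" is a sector whose last block (the sector trailer) holds Key A, three access-bit bytes and Key B, and this decoder reports which key may read or write each data block. The two trailers and their keys are constructed placeholders, not values from any badge.

```python
# Added example: decode the access bits in a MIFARE Classic sector trailer.
# Trailer layout (16 bytes): Key A [0:6] | access bits [6:9] | user byte [9] | Key B [10:16]

# Data-block conditions (C1, C2, C3) -> (who may read, who may write).
DATA_ACCESS = {
    (0, 0, 0): ("A|B", "A|B"), (0, 1, 0): ("A|B", "never"),
    (1, 0, 0): ("A|B", "B"),   (1, 1, 0): ("A|B", "B"),
    (0, 0, 1): ("A|B", "never"), (0, 1, 1): ("B", "B"),
    (1, 0, 1): ("B", "never"),   (1, 1, 1): ("never", "never"),
}
# Trailer conditions under which Key B is readable, so it is plain data
# and cannot be used to authenticate.
KEY_B_READABLE = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}


def access_conditions(trailer: bytes) -> list:
    """Return [(C1, C2, C3)] for blocks 0..3 of the sector; raise if corrupt."""
    if len(trailer) != 16:
        raise ValueError("sector trailer must be 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    # Each nibble is also stored inverted; a mismatch means a damaged trailer.
    if (b6 & 0x0F, b6 >> 4, b7 & 0x0F) != (c1 ^ 0xF, c2 ^ 0xF, c3 ^ 0xF):
        raise ValueError("access bits fail the inverted-copy check")
    return [((c1 >> n) & 1, (c2 >> n) & 1, (c3 >> n) & 1) for n in range(4)]


def describe(trailer: bytes) -> dict:
    """Map 'block0'..'block2' to (read, write) rights, resolving unusable Key B."""
    conds = access_conditions(trailer)
    key_b_usable = conds[3] not in KEY_B_READABLE

    def resolve(who):
        if key_b_usable or who == "never":
            return who
        return "A" if "A" in who else "never"

    return {f"block{n}": tuple(resolve(w) for w in DATA_ACCESS[conds[n]])
            for n in range(3)}


# Constructed trailers (keys are placeholders, not from any real card).
FACTORY = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")
READ_A_WRITE_B = bytes.fromhex("a0a1a2a3a4a5" "78778800" "b0b1b2b3b4b5")

if __name__ == "__main__":
    for name, t in (("factory", FACTORY), ("A reads, B writes", READ_A_WRITE_B)):
        print(name, describe(t))
```

The second trailer matches the arrangement described above: either key reads the data blocks, only Key B writes them.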

Back to the badge.

Without access to an authorized //build/ badge reader, I had to use a software implementation (mfcuk) of the card-only attack I mentioned earlier to recover keys A and B. After weeks of painfully fiddling with the timings of the attack, I successfully recovered key B on one chunk of data. (I then made quick work of the rest of the keys/chunks using another attack [mfoc].)

Key A was recovered but isn’t worth sharing because it appears to be unique per badge. (Tested with two badges.) Key A is usually programmed as a read-only key — presumably for vendors on the conference floor. But given its uniqueness I’m confused as to how vendors would obtain a valid key at scan time. Perhaps the readers were networked to a key management system? Or maybe Key A is computed at runtime using a mash of the badge unique ID and a shared secret? Or maybe there’s a handful of keys per attendee group (e.g. media, student, presenter)? What do you think?

Key B is static, thankfully. On two badges I examined, Key B was given write permissions card-wide. So I named it The //build/ Badge Administrative Key. That key is f4a9ef2afc6d.

Using the Badge Administrative Key, I dumped out the entire //build/ badge. Surprisingly, it’s not empty! It contains the following information:

  • Two sets of identifiers(?) (6 digit, 4 digit) (e.g. 756552, 1269)
  • Badge Full Name
  • Badge Title
  • Full address
  • Phone number
  • Email address
  • Affiliation label, if applicable (e.g. Media)

So if you’re planning to toss the badge into the trash, you may want to first wipe the IC. An alternate solution involves hammering the shit out of the badge. But if you’re a developer looking to dip into NFC, you may want to salvage the tag and format it to NDEF specs so you have something Windows Phone compatible to play with.

Regardless, case closed. Oh, and Paul — Sorry about your badge, bro.