SafeCast Fails To Protect,

By Brett Glass  |  Posted 2003-02-10 Print this article Print

At First"> Next, we tested the DRM by installing the product on some additional machines. Since wed already activated it on one machine, we expected the software to "phone home," discover that it had been activated on one machine already, and work only in its "trial" mode on the others. For our first test, we chose a virtually identical XP machine and followed the same installation procedure as we had for the first. We expected the product to fail to install, or run only in "trial" mode.
Much to our surprise, however, we found exactly the opposite. Not only did the program install, but it activated 100%, giving us full access to all features -- including printing of our return. As far as we could tell, the DRM wasnt working.
At first, we speculated that SafeCast had been fooled by the similarity of the two machines; after all, their hardware was identical and their drives had been "Ghosted" from the same disk image. So, we took the TurboTax CD over to a very different machine: A much older Pentium II 400MHz box running Windows 98SE. Again, we were surprised to see that the program activated, ran, and printed returns without any impediments whatsoever. Intuit Admits Early DRM Problems: Intuit told us two things when we discussed this problem with them. First, Intuits servers record the dates and times of each activation. The product key from our store-bought copy, they said, had first been used in early December (a few weeks before we made our purchase at Sams Club), and then three more times when we installed it on machines in the lab. The fact that someone had used the key in early December brought to mind a new product activation question: What if the DRM had worked? Clearly in our case, it was not working. But what if someone had bought the software, installed it, and then returned it to the dealer?  The subsequent purchaser would have been out of luck. This poses a serious problem for both retailers and customers. A shopkeeper has no way to check whether the key has been used, and a legitimate customer could be shut out of using a product that they (or in this case I) had legally purchased. Unless, of course, that customer called Intuit to resolve his or her legitimacy, and was able to obtain a new key. Probably not the best thing to try to accomplish on the evening of April 15th. Despite the fact that our key had already been used, we were able to use it again on every machine we tried. And this wasnt an isolated case; some ExtremeTech readers, in our discussion forums and via e-mail, have claimed that theyd done the same thing. How could this be? Intuit told us that early versions of the program -- in particular, ones that were sold at retail late in 2002 -- had non-working DRM. Still, we wondered, why couldnt the server recognize duplicate keys, and just refuse the installation? Intuits spokesperson replied that there were "instructions" in the product key that allowed it to activate the product any number of times, making this impossible. This technically implausible explanation caused us to scratch our heads. "Instructions" in the 18-digit product key? Servers that just couldnt be programmed to say "no" when the same key came in a second time? We were baffled.

Brett Glass has more than 20 years of experience designing, building,writing about, and crash-testing computer hardware and software. (A born'power user,' he often stresses products beyond their limits simply bytrying to use them.) A consultant, author, and programmer based inLaramie, Wyoming, Brett obtained his Bachelor of Science degree inElectrical Engineering from the Case Institute of Technology and his MSEEfrom Stanford. He plans networks, builds and configures servers, outlinestechnical strategies, designs embedded systems, hacks UNIX, and writeshighly optimized assembly language.

During his rather eclectic career, Brett has written portions of the codeand/or documentation for such widely varied products as Borland's Pascal'toolboxes' and compilers, Living Videotext's ThinkTank, Cisco Systemsrouters and terminal servers, Earthstation diskless workstations, andTexas Instruments' TMS380 Token Ring networking chipset. His articleshave appeared in nearly every major computer industry publication.

When he's not writing, consulting, speaking, or cruising the Web insearch of adventure, he may be playing the Ashbory bass, teachingInternet courses for LARIAT (Laramie's community network and Internetusers' group), cooking up a storm, or enjoying 'extreme'-ly spicy ethnicfood.

To mail Brett, visit his Web form.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel