Turbo Tax: Sector 33 Naughtiness

In Part 2 of our exhaustive testing, we reveal everything we uncovered, including details of what went wrong, and (surprisingly) what didn't.

In Part 1, we laid out some of the reasons why we suspected problems with Intuit's implementation of digital rights management with its Turbo Tax problem, and explored some of the issues that surfaced during installation. Now let's look closely at what happens when you actually try to use the product.

After installing TurboTax, we allowed the program to update itself across the Internet, and then prepared a simple TurboTax return for a Ms. Nona Yerbizness, from New Yawk, NY. We connected to the laser printer on the local network and printed the tax return to ensure that the entire process, from creation to printing, worked as expected.

As it turns out, I'm a graduate of H&R Block's tax preparation courses, and so I gave the return a quick once-over – it looked just fine. We then shut down TurboTax and began our "post mortem" investigation of the machine's state.

In Part 1, we described the various software products we installed to instrument the PC to determine any changes or problems. One of those, InCtrl5, is designed to detect any system changes that occur during software installation or any other process.

The program's inventory of changes to the system during our brief test was huge -- more than 280K when output as a plain text file. If you really want to look at that file, you can access it here.

Nearly all of the registry and file system changes identified were made by TurboTax and C-Dilla/SafeCast. Note that InCtrl5 also recorded the screen shots we'd saved and the drivers and registry entries added when we installed our Lexmark Optra network printer.

It wasn't hard to recognize the files that were added by the SafeCast/C-Dilla software, since most had file names beginning with the characters "CD". On our XP test machines, SafeCast was installed as a Windows "service," or privileged background task. Whether or not TurboTax was running, this task was always present, and -- according to the system -- taking up 1.4 MB of memory, along with the other system resources allocated on behalf of the background task, or "daemon," including CPU cycles, hard disk space and bandwidth.
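The before/after comparison described above can be sketched in a few lines. This is an added example, not InCtrl5's code or report format and not part of the original test: the snapshot layout, the file paths and the service names are all constructed for illustration.

```python
# Added example: before/after snapshot diff in the spirit of an install-change
# tracker. Snapshot layout and all sample data below are constructed.
from dataclasses import dataclass

PRIVILEGED = {"localsystem", "nt authority\\system"}

@dataclass(frozen=True)
class Service:
    name: str
    account: str   # account the service runs as
    start: str     # "auto", "manual" or "disabled"

def diff_snapshots(before, after):
    """Return files and services present in `after` but not in `before`."""
    new_files = sorted(set(after["files"]) - set(before["files"]))
    known = {s.name.lower() for s in before["services"]}
    new_services = [s for s in after["services"] if s.name.lower() not in known]
    return new_files, new_services

def triage(new_files, new_services, prefix="cd"):
    """Flag what outlives the installing application: auto-start services
    under a privileged account, and files whose name starts with `prefix`."""
    findings = []
    for s in new_services:
        if s.start == "auto" and s.account.lower() in PRIVILEGED:
            findings.append(("privileged-autostart-service", s.name))
    for path in new_files:
        base = path.replace("\\", "/").rsplit("/", 1)[-1]
        if base.lower().startswith(prefix):
            findings.append(("prefixed-file", path))
    return findings

# Constructed sample snapshots (hypothetical names, not taken from the report).
BEFORE = {
    "files": [r"C:\WINDOWS\system32\kernel32.dll"],
    "services": [Service("Spooler", "LocalSystem", "auto")],
}
AFTER = {
    "files": BEFORE["files"] + [
        r"C:\WINDOWS\system32\CDEXAMPLE.DLL",         # hypothetical DRM file
        r"C:\WINDOWS\system32\drivers\cdsample.sys",  # hypothetical DRM driver
        r"C:\Program Files\TaxApp\taxapp.exe",        # hypothetical application
    ],
    "services": BEFORE["services"] + [
        Service("ExampleLicenseSvc", "LocalSystem", "auto"),  # hypothetical
        Service("TaxAppUpdater", "LocalService", "manual"),   # hypothetical
    ],
}

if __name__ == "__main__":
    for kind, item in triage(*diff_snapshots(BEFORE, AFTER)):
        print(f"{kind:30} {item}")
```

On the constructed data, the triage step surfaces the one new auto-start service running as LocalSystem and the two new files whose names begin with "CD", while ignoring the application's own files.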

Windows 98 Installation: On a Windows 98SE box we used later in our tests, the software didn't stay resident but instead loaded itself as a VXD (a "virtual device driver") when TurboTax was started. Because we had allowed TurboTax to fetch Intuit's latest updates during the installation, the uninstaller for the "SafeCast Shared Components" was available to us through the Control Panel's "Add/Remove Programs" applet. However, if you activate the product by phone, you won't get the uninstaller unless you later connect to the Internet for an update (a good idea, since the update contains fixes that might affect the accuracy of your return) or download the uninstaller separately from Intuit's website.

Macrovision Responds: We wondered why the DRM remains task-resident full-time on XP, rather than simply loading and unloading like with Windows 98SE. According to Macrovision, SafeCast "wakes up" every so often and increments counters in some of the product files. If those counters are out of synch, the software assumes that part of the product has been copied from one disk to another, and refuses to grant you access.

This technique won't work, however, if you copy both the license files and the program files at the same time – so the software also uses other measures to try to detect when this happens.

Macrovision further states that the software runs as a "daemon" under XP, so that it can perform operations that require administrator privileges. This happens even if the user running TurboTax lacks privileged access to the system.

When we asked Macrovision why the resident SafeCast task took up so much room, Macrovision's Michael Glass told us that it's because the SafeCast code is "treated to several layers of obfuscation and internal scrambling, to keep it from being reverse engineered."

"As you've seen," said Glass, "this bloats it considerably. But the process wouldn't do much good if it could easily be hacked."

We're a bit uncomfortable with this explanation, since it implies that SafeCast relies on "security by obscurity" (which, ultimately, is not good security at all). We're also skeptical that the relatively simple constraints imposed by the TurboTax software – even with the obfuscation -- would take up so much room.

Could something more nefarious than the simple restraints we encountered be lurking inside the code? We uncovered no evidence to imply that, but still, we're suspicious. So we decided to continue with our tests and check for such behavior later.