
Office v.X suspicious network activity examined
JeffZPgh
Dedicated MacNNer
Join Date: Mar 2001
Location: Pittsburgh, PA USA
Oct 28, 2001, 11:07 PM
 
I remember seeing some posts about the Office v.X "anti-piracy" features... I decided to do some poking around (mostly using 'tcpdump' from the command line while running Office on two machines), and determined that this is what's actually taking place:

- an Office app gets launched
- Office broadcasts to the local network (192.168.1.255 in my case) via UDP, looking for machines listening on port 2222
- if such a host is found, it answers, and the local machine reconnects to that host via tcp on a port in the 3K range (3075 when I was monitoring it)
- a message is received by the local machine describing the copy of Office running on the remote machine
- if the license keys match, the local copy of Office informs the user that "Joe Balls is running this licensed copy of Office. The application will now exit."

That's all that's going on. I've read a lot of misinformation on this, so I thought I'd clear it up.

Jeff
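
The sequence described in the post above, as an added example that is not part of the original thread: a Python script that reads `tcpdump -n` text output and pairs each UDP 2222 broadcast with the answering host and the follow-up TCP connection. The capture lines are constructed, and the reply matching (a UDP datagram sent back to the probe's source port) and the 3000-3999 port range are assumptions based on the post's description.

```python
import re
from ipaddress import ip_address, ip_network

# Values taken from the post; the subnet is the poster's and must be adjusted elsewhere.
LAN = ip_network("192.168.1.0/24")
DISCOVERY_PORT = 2222               # UDP broadcast port named in the post
FOLLOWUP_PORTS = range(3000, 4000)  # "a port in the 3K range" (3075 was observed)

# Matches IPv4 lines printed by `tcpdump -n`, for example:
#   23:01:12.104522 IP 192.168.1.10.49152 > 192.168.1.255.2222: UDP, length 48
LINE = re.compile(
    r"^(\S+) IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (.*)$"
)

# Constructed sample capture (not real traffic; payload lengths are made up).
SAMPLE = """\
23:01:12.104522 IP 192.168.1.10.49152 > 192.168.1.255.2222: UDP, length 48
23:01:12.105310 IP 192.168.1.20.2222 > 192.168.1.10.49152: UDP, length 64
23:01:12.110871 IP 192.168.1.10.49153 > 192.168.1.20.3075: Flags [S], seq 1001, win 32768, length 0
23:01:12.111020 IP 192.168.1.20.3075 > 192.168.1.10.49153: Flags [S.], seq 2002, ack 1002, win 32768, length 0
23:04:40.500000 IP 192.168.1.30.49200 > 192.168.1.255.2222: UDP, length 48
23:05:02.000000 IP 192.168.1.10.49160 > 192.168.1.20.80: Flags [S], seq 3003, win 32768, length 0
23:05:10.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
"""


def parse(line):
    """Return a packet dict for UDP datagrams and bare TCP SYNs, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, rest = m.groups()
    if rest.startswith("UDP"):
        proto = "udp"
    elif rest.startswith("Flags [S]"):  # bare SYN only, not SYN-ACK "[S.]"
        proto = "syn"
    else:
        return None
    return {"ts": ts, "proto": proto,
            "src": ip_address(src), "sport": int(sport),
            "dst": ip_address(dst), "dport": int(dport)}


def correlate(lines):
    """Pair broadcast probes with responders and follow-up TCP connections.

    Returns (sessions, unanswered): sessions are probes that got a reply and
    then opened TCP to the responder; unanswered lists probers nobody answered.
    """
    probes = {}    # prober address -> probe timestamp, source port, responders
    sessions = []
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        to_prober = probes.get(p["dst"])    # packet aimed at a known prober
        from_prober = probes.get(p["src"])  # packet sent by a known prober
        if (p["proto"] == "udp" and p["dst"] == LAN.broadcast_address
                and p["dport"] == DISCOVERY_PORT):
            # Step 1: broadcast looking for listeners on UDP 2222.
            probes[p["src"]] = {"ts": p["ts"], "sport": p["sport"],
                                "responders": set()}
        elif (p["proto"] == "udp" and to_prober and p["src"] in LAN
                and p["dport"] == to_prober["sport"]):
            # Step 2 (assumed shape): unicast answer to the probe's source port.
            to_prober["responders"].add(p["src"])
        elif (p["proto"] == "syn" and from_prober
                and p["dst"] in from_prober["responders"]
                and p["dport"] in FOLLOWUP_PORTS):
            # Step 3: prober connects to the responder over TCP in the 3K range.
            sessions.append({"prober": str(p["src"]),
                             "responder": str(p["dst"]),
                             "tcp_port": p["dport"],
                             "probe_ts": from_prober["ts"]})
    unanswered = sorted(str(ip) for ip, pr in probes.items()
                        if not pr["responders"])
    return sessions, unanswered


if __name__ == "__main__":
    found, lonely = correlate(SAMPLE.splitlines())
    for s in found:
        print("license check: {prober} -> {responder} tcp/{tcp_port} "
              "(probe at {probe_ts})".format(**s))
    for ip in lonely:
        print("probe from", ip, "got no answer")
```

To run it against live traffic, save the output of `tcpdump -n` to a file and pass its lines to `correlate()` after setting `LAN` to the local subnet.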
     
michaelb
Mac Elite
Join Date: Oct 2000
Location: Australia
Oct 28, 2001, 11:25 PM
 
What does disabling those ports achieve...?
     
RichardS
Forum Regular
Join Date: Jan 2000
Location: California
Oct 28, 2001, 11:26 PM
 
And, of course, it's fairly trivial to set up ipfw to deny all UDP broadcasts on port 2222, so any other copies of office will never respond. Problem Solved.

As much as I dislike piracy, for home users (like me) who have several different macs, buying multiple copies of the same software (especially at such a price) just isn't an option. One is enough.

Although I have to admit, Office X is looking *very* nice (:
     
Norm1985
Mac Elite
Join Date: Jun 2000
Location: Northbrook, IL, USA
Oct 28, 2001, 11:27 PM
 
Wow, so you get a copy off a friend or download a copy of Office and use it on your own personal computer, but if you want to use your legitimate copy on multiple computers you can't? Great...


[email protected]
AIM: Norm1985
ICQ: 34049393
     
mr_sonicblue
Mac Elite
Join Date: Sep 2000
Location: Eagan, MN
Oct 28, 2001, 11:41 PM
 
It's the same way with Windows XP. People who buy a legitimate copy of XP can't install it on multiple machines because of the Product Activation. But, people looking to fully steal it can simply "acquire" the Corporate edition, which lacks the WPA.
     
cpt kangarooski
Mac Elite
Join Date: May 2001
Oct 28, 2001, 11:45 PM
 
I wouldn't advocate piracy, but as a user, I get to determine what resources are doled out to apps. If I want to deny some or all of the network to a particular app, I will; I don't really care what the programmers wanted.

Sadly, the developers are better at getting awful laws passed that would restrict this, so it is not enough to adopt a 'I can always get around it' attitude. We'll have to actually make our voices heard, and put developers back in their place as subordinate to users.
--
This and all my other posts are hereby in the public domain. I am a lawyer. But I'm not your lawyer, and this isn't legal advice.
     
michaelb
Mac Elite
Join Date: Oct 2000
Location: Australia
Oct 29, 2001, 12:13 AM
 
Originally posted by mr_sonicblue:
<STRONG>It's the same way with Windows XP. People who buy a legitimate copy of XP can't install it on multiple machines because of the Product Activation. But, people looking to fully steal it can simply "acquire" the Corporate edition, which lacks the WPA.</STRONG>
Is there a "Corporate" edition as well as "Home" and "Professional?"

And Product Activation is not in it like the other two?

But I thought corporate customers were up in arms because of Microsoft's plans for a subscription model, where product activation allowed them to "turn the water off" if they didn't pay up?
http://news.cnet.com/news/0-1003-200...ml?tag=rltdnws

"Through the product activation feature introduced with Office XP and Windows XP, Microsoft would have the capability of turning off software when companies failed to pay under a subscription program. "

I'm confused now. Outside 15-year-olds' bedrooms, and countries like Malaysia, corporations are the places where piracy is most rampant, and damaging to Microsoft, and what the BSA was formed to crack down on.


(Not that this has anything to do with Office v. X which does look like it's shaping up to be a good product. And it can't have its water cut off at M$'s whim!)

[ 10-28-2001: Message edited by: michaelb ]
     
mr_sonicblue
Mac Elite
Join Date: Sep 2000
Location: Eagan, MN
Oct 29, 2001, 12:20 AM
 
Originally posted by michaelb:
<STRONG>Is there a "Corporate" edition as well as "Home" and "Professional?"

And Product Activation is not in it like the other two?</STRONG>
The copy I've seen is "Windows XP Professional, Corporate Edition." And, as far as I can tell, it's identical to regular professional, except the WPA *is* missing. But, regardless if this is what Microsoft gives out in a volume license or not, this is what's going around to everyone that wants a free copy of XP.

Edit: I think corporations *should* pay for all the required licenses. But, I also agree with them that recent Microsoft licensing practices are ridiculous.

[ 10-28-2001: Message edited by: mr_sonicblue ]
     
michaelb
Mac Elite
Join Date: Oct 2000
Location: Australia
Oct 29, 2001, 12:24 AM
 


Thanks for the info.

Interesting to see how M$ will deal with this distribution.

Maybe Service Pack 1 could checksum the activation routines and disable anything non-valid.

Oh well, times like these make me glad to be an honest Mac user!
     
mr_sonicblue
Mac Elite
Join Date: Sep 2000
Location: Eagan, MN
Oct 29, 2001, 01:11 AM
 
Anyways, back to the original topic. If anyone wanted to, for any reason, stop outgoing udp traffic on a specific port, try this in the Terminal:

sudo ipfw add deny udp from any to any <port number>

So, for example, if you wanted to stop port 2222:

sudo ipfw add deny udp from any to any 2222

But, I don't know why anyone would want to do such a thing.
     
dogzilla
Grizzled Veteran
Join Date: Sep 1999
Location: Boston, MA USA
Oct 29, 2001, 11:32 AM
 
Is there a way to get ipfw to deny outgoing access on an application-by-application basis? I mention this because I can already foresee that the next version of MS Office won't use a special port, but will rather use port 80 for its communications.
     
BatmanPPC
Dedicated MacNNer
Join Date: Aug 2001
Oct 29, 2001, 12:04 PM
 
Originally posted by dogzilla:
<STRONG>Is there a way to get ipfw to deny outgoing access on an application-by-application basis? I mention this because I can already foresee that the next version of MS Office won't use a special port, but will rather use port 80 for its communications.</STRONG>
Doubt it since everything happens on the packet level.
--
Mohammad A. Haque
http://www.haque.net/
mhaque|haque.net
     
JeffZPgh  (op)
Dedicated MacNNer
Join Date: Mar 2001
Location: Pittsburgh, PA USA
Oct 29, 2001, 12:36 PM
 
Originally posted by dogzilla:
<STRONG>Is there a way to get ipfw to deny outgoing access on an application-by-application basis? I mention this because I can already foresee that the next version of MS Office won't use a special port, but will rather use port 80 for its communications.</STRONG>
No way that I can think of. All ipfw knows about are individual incoming or outgoing packets, not what application created them or might receive them.
     
mr_sonicblue
Mac Elite
Join Date: Sep 2000
Location: Eagan, MN
Oct 29, 2001, 12:41 PM
 
I don't think they could use port 80 considering it would interfere with or be interfered by any running web servers. AFAIK, only one app can listen on a given port at a given time.
     
ducasi
Junior Member
Join Date: Jun 2001
Location: Glasgow, Scotland.
Oct 29, 2001, 01:01 PM
 
Hi,

By discussing how to get around a copy protection system, haven't you all broken the DMCA?

Just wondering....
     
JeffZPgh  (op)
Dedicated MacNNer
Join Date: Mar 2001
Location: Pittsburgh, PA USA
Oct 29, 2001, 01:26 PM
 
Originally posted by ducasi:
<STRONG>Hi,

By discussing how to get around a copy protection system, haven't you all broken the DMCA?

Just wondering....</STRONG>
I described what an application does when it runs on my machine...what others do with that information is up to them.

Jeff
     
Gregory
Grizzled Veteran
Join Date: Sep 1999
Oct 29, 2001, 01:51 PM
 
Even MicroMat does some disabling of licenses. I ordered TTPro 3.0 and then cancelled my order. They still shipped it. When I tried to apply the 3.01 update, it disabled my copy from ever working. I could go back to 3.0 but none of the updates.

I bought TTPro 3 thinking it had to have some support (even last fall) for the upcoming (I thought) Mac OS X (even though just PB).

I saw one magazine where everyone was using one copy of Quark, Illustrator, etc. when I was freelance tech support. I almost walked out and refused to help them with their problems. And that was 12 yrs ago.

But I don't like Microsoft's new Passport registration system, an INSECURE web page to setup name, address, userid, pswd, phone(s) and more - and NO lock security. A central database for all personal AND financial, and software licenses.

Having one CD that can be installed on any machine with a site license was what users wanted and made sense. Network installs.

The old mainframe model of monthly and yearly fees and controlling how many users were supported just needed to find a way on client/server - and today it stretches out across the entire internet it seems.

No privacy.
     
PKPKPKPK
Fresh-Faced Recruit
Join Date: Oct 2001
Location: Pittsburgh, PA, USA
Oct 29, 2001, 03:44 PM
 
Originally posted by mr_sonicblue:
<STRONG>I don't think they could use port 80 considering it would interfere with or be interfered by any running web servers. AFAIK, only one app can listen on a given port at a given time.</STRONG>
You are correct. :-) Only one program can bind a port at a time.
     
PKPKPKPK
Fresh-Faced Recruit
Join Date: Oct 2001
Location: Pittsburgh, PA, USA
Oct 29, 2001, 03:49 PM
 
Originally posted by JeffZPgh:
<STRONG>

No way that I can think of. All ipfw knows about are individual incoming or outgoing packets, not what application created them or might receive them.</STRONG>
Well, if you're concerned about this, and you don't run a web-browser for your family to browse within your house, you could disable all internal to internal web traffic. :-)

On the other hand, I think this scenario is highly unlikely. In the end, keeping an eye on broadcast packets should give you all the information you need. It would be unbelievably inefficient if any application sent 254 requests for software compliance each time you started some application. Instead, one broadcast packet is sent. And you're more than within your rights, as a system administrator, to limit what traffic is being sent ( infecting :-) ) your network.

- Patrick
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
Oct 29, 2001, 03:49 PM
 
Something is wrong with the port numbers here that Office uses to check licences over the net. Over on macosx.com they stated that it uses a random port each time it starts, so using ipfw for just two ports won't help. The thing is, if it is using random ports on startup, it means that it is listening on a fixed port, since you can't listen on random ports unless they have a range of 2xxx and 3xxx ports that they listen on (you can find out by running Office a few times with tcpflow running). If this is the case you can block that range of ports.
weird wabbit
     
PKPKPKPK
Fresh-Faced Recruit
Join Date: Oct 2001
Location: Pittsburgh, PA, USA
Oct 29, 2001, 03:52 PM
 
Originally posted by mr_sonicblue:
<STRONG>Anyways, back to the original topic. If anyone wanted to, for any reason, stop outgoing udp traffic on a specific port, try this in the Terminal:

sudo ipfw add deny udp from any to any <port number>

So, for example, if you wanted to stop port 2222:

sudo ipfw add deny udp from any to any 2222

But, I don't know why anyone would want to do such a thing. </STRONG>
I think you probably would wish only to block broadcast traffic on port 2222, outgoing. It is possible, however unlikely, that you might write some nice little UDP program that wants to bind port 2222 down the road, and listen on your IP address, and you spend hours and hours wondering why it won't work... But probably not :-)
     
oranjdisc
Senior User
Join Date: Jun 2001
Location: Atlanta, GA, USA
Oct 29, 2001, 03:54 PM
 
Okay, so, let's cut to the chase with this...

You know there are going to be copies of Office v.X floating around Hotline, Carracho, and on CD-Rs between "friends." It's inevitable. With that, what does this network activity amount to? Does it send your IP, your name, your registered number, etc, etc, off to Microsoft?

I'm simply curious what the deal is going to be with this, since it seems pretty new, and could cause all kinds of craziness.
     
PKPKPKPK
Fresh-Faced Recruit
Join Date: Oct 2001
Location: Pittsburgh, PA, USA
Oct 29, 2001, 04:07 PM
 
If there are copies of it floating around, then you could figure it all out, by getting one (if they exist), and running tcpdump from the terminal. Then, watch your packets on your local.network.ip.255, and see what you see. There's no reason to suspect that it is cleartext communication, so there may be no way to really know for sure. But I disagree with it leading to craziness. It is essentially harmless.
     
JeffZPgh  (op)
Dedicated MacNNer
Join Date: Mar 2001
Location: Pittsburgh, PA USA
Oct 29, 2001, 05:57 PM
 
Originally posted by oranjdisc:
<STRONG>Okay, so, let's cut to the chase with this...

You know there are going to be copies of Office v.X floating around Hotline, Carracho, and on CD-Rs between "friends." It's inevitable. With that, what does this network activity amount to? Does it send your IP, your name, your registered number, etc, etc, off to Microsoft?

I'm simply curious what the deal is going to be with this, since it seems pretty new, and could cause all kinds of craziness.</STRONG>
This suspicion is what led to my original post! No, there's no secret communication going off to any site outside your local net. All Office does is follow the steps I outlined in my original message.

theolein:
Then the post on macosx.com is wrong, plain and simple. That's another reason I made this post (and on MacNN vs. there, where misinformation and "gimme some new kewl Terminal hacks" posts run rampant). Think about it - the initial broadcast could not possibly be to a 'random' port. There must be a standard listening port (which is the UDP 2222 referenced above) that each copy of Office binds to, else no other copy would ever be able to find another running one. It's the next step, where communication between the local and remote copies of Office gets established, where they move to a TCP port that doesn't seem to be consistent each time (the port in the 3XXX range).

As for filtering out these broadcast packets being a violation of any license...let me point out that doing this is in no way modifying Office itself; it's modifying your machine so that these broadcast requests get thrown away. Hacking Office itself to stop it from making the requests would probably be a different story.

Bottom line is, I decide what traffic goes out over my network, not a word processor.

Jeff
     
NeilCharter
Senior User
Join Date: Nov 2000
Location: Fremont, CA, USA
Oct 29, 2001, 09:36 PM
 
I'm actually surprised that M$ hasn't tried this before, especially considering that Adobe has had this copyright protection for years now.

My issue with having to buy multiple copies of a program just to run it on a number of computers is the cost. Even with licensing agreements that depts have at UC Berkeley, a Photoshop license would cost $150. For the 8 machines in the lab, that would be $1200.

I'm sure that many will argue that these software companies have invested a lot into developing the programs and they deserved to be paid for their use. You can't really argue with that.

However, I think that having the option to buy additional licenses at significantly reduced rates would bring in more money for these companies than at the present and also allow cost-conscious users the ability to run software legally.

For example we will be upgrading to Office X and it will cost us about $200. I would be happy to pay for additional licenses if it cost around $50 per machine. For the other 7 machines that would be around $350 extra M$ would receive from us.

This approach seems reasonable to me and would be appreciated by the end-users.

Neil
If I had a signature, it would look something like this
     
DNA man
Senior User
Join Date: Jan 2001
Oct 30, 2001, 01:55 PM
 
Originally posted by mr_sonicblue:
<STRONG>Anyways, back to the original topic. If anyone wanted to, for any reason, stop outgoing udp traffic on a specific port, try this in the Terminal:

sudo ipfw add deny udp from any to any <port number>

So, for example, if you wanted to stop port 2222:

sudo ipfw add deny udp from any to any 2222

But, I don't know why anyone would want to do such a thing. </STRONG>
Sorry for the dumb question, but this applies to both OS 8.6 onward and OS X?
     
mr_sonicblue
Mac Elite
Join Date: Sep 2000
Location: Eagan, MN
Oct 30, 2001, 02:02 PM
 
Originally posted by DNA man:
<STRONG>Sorry for the dumb question, but this applies to both OS 8.6 onward and OS X?</STRONG>
No, this applies only to OS X. The ipfw command configures the kernel firewall that OS X inherited from BSD.
     
dtc
Dedicated MacNNer
Join Date: Sep 2000
Location: Bay Area, CA, USA
Oct 30, 2001, 02:39 PM
 
Did you like NOT read all the posts above or something?


Originally posted by oranjdisc:
<STRONG>Okay, so, let's cut to the chase with this...

You know there are going to be copies of Office v.X floating around Hotline, Carracho, and on CD-Rs between "friends." It's inevitable. With that, what does this network activity amount to? Does it send your IP, your name, your registered number, etc, etc, off to Microsoft?

I'm simply curious what the deal is going to be with this, since it seems pretty new, and could cause all kinds of craziness.</STRONG>
     
Eug
Clinically Insane
Join Date: Dec 2000
Location: Caught in a web of deceit.
Oct 30, 2001, 03:16 PM
 
Why is everyone assuming that only one version of the CD-key will be available? I suspect that as soon as illicit copies of v.X Office hit the net in large numbers, along will come numerous different CD keys. To use those would be far simpler than worrying about blocking ports, etc. for the average person.

By the way, Win XP Corporate has no lame reactivation requirement as people have said.

[ 10-30-2001: Message edited by: Eug ]
     
DNA man
Senior User
Join Date: Jan 2001
Oct 30, 2001, 03:17 PM
 
Originally posted by mr_sonicblue:
<STRONG>

No, this applies only to OS X. The ipfw command configures the kernel firewall that OS X inherited from BSD.</STRONG>
What would you do if you wished to produce the same result in OS 8.6 or OS9.x for M$ office or Adobe products. Just wondering. It's the joy of knowing that makes me want to find out.

[ 10-30-2001: Message edited by: DNA man ]
     
malvolio
Professional Poster
Join Date: Apr 2001
Location: Capital city of the Empire State.
Oct 30, 2001, 03:44 PM
 
If you want to block a specific port in OS 8.6 or 9.x, you will need to install a firewall such as Norton Personal Firewall (formerly DoorStop).
It's been awhile since I ran OS 9 for any length of time, so I don't remember whether you can configure NPF to close a specific port to outgoing data, but it's worth a try.


[ 10-30-2001: Message edited by: malvolio ]

/mal
"I sentence you to be hanged by the neck until you cheer up."
MacBook Pro 15" w/ Mac OS 10.8.2, iPhone 4S & iPad 4th-gen. w/ iOS 6.1.2
     
C.J. Moof
Mac Elite
Join Date: Aug 2001
Location: Madison, WI
Nov 22, 2001, 12:37 AM
 
Adobe and Quark products broadcast themselves over Appletalk. If you ran a pure IP network, I don't think they'd see concurrent uses on a serial number, but I've never proven this.

Get a copy of the chooser extension whosthere and you'll see every SN of Photoshop and Quark on your LAN
OS X: Where software installation doesn't require wizards with shields.
     
udecker
Forum Regular
Join Date: Sep 2000
Nov 22, 2001, 04:26 AM
 
Originally posted by mr_sonicblue:
<STRONG>Anyways, back to the original topic. If anyone wanted to, for any reason, stop outgoing udp traffic on a specific port, try this in the Terminal:

sudo ipfw add deny udp from any to any <port number>

So, for example, if you wanted to stop port 2222:

sudo ipfw add deny udp from any to any 2222

But, I don't know why anyone would want to do such a thing. </STRONG>
thanks... but does this sort of configuration continue after each subsequent reboot, or is this a "this boot only" option?

-uD
     
iSore
Dedicated MacNNer
Join Date: Sep 2001
Location: Trana
Nov 22, 2001, 04:07 PM
 
As to the question of if NPF can be configured to block individual ports from outgoing traffic, IIRC, the answer is no. It's a breeze to do using NetBarrier 2.x (& maybe earlier versions - I can't recall), however.

[ 11-23-2001: Message edited by: iSore ]
"Of course the people don't want war. But after all, it's the leaders of the country who determine the policy, and it's always a simple matter to drag the people along whether it's a democracy, a fascist dictatorship, or a parliament, or a communist dictatorship. Voice or no voice, the people can always be brought to the bidding of the leaders. That is easy. All you have to do is tell them they are being attacked, and denounce the pacifists for lack of patriotism, and exposing the country to greater danger."

-- Herman Goering at the Nuremberg trials
     
iSore
Dedicated MacNNer
Join Date: Sep 2001
Location: Trana
Nov 22, 2001, 04:17 PM
 
By the way, if enough people begin doing this, how long do you suppose MS will take to piggyback the check onto, let's say, IE? It's becoming a more and more prevalent tactic used by spyware applications, so as to hide the outgoing data from whatever security measures one may have taken.

(Anyone here familiar with the Flaming Lips' song "Evil Will Prevail"? )

[ 11-22-2001: Message edited by: iSore ]
     
The Dude
Banned
Join Date: Mar 2000
Location: Sherman Oaks, CA USA
Nov 22, 2001, 10:28 PM
 
Originally posted by iSore:
<STRONG>By the way, if enough people begin doing this, how long do you suppose MS will take to piggyback the check onto, let's say, IE? It's becoming a more and more prevalent tactic used by spyware applications, so as to hide the outgoing data from whatever security measures one may have taken.

(Anyone here familiar with the Flaming Lips' song "Evil Will Prevail"? )

[ 11-22-2001: Message edited by: iSore ]</STRONG>
And there will always be people to counteract all the measures M$ takes to prevent piracy of any sort.

It's just a big fancy, expensive cat and mouse game.
     
iSore
Dedicated MacNNer
Join Date: Sep 2001
Location: Trana
Nov 23, 2001, 04:44 PM
 
Which gives hope to those of us who are aware of such matters. But we aren't a huge demographic. For the balance of online computer users, true privacy is goin' out the window.

PS
I'd love to be wrong about this.
     
SMacTech
Mac Elite
Join Date: Nov 2001
Location: Trafalmadore
Nov 23, 2001, 04:56 PM
 
Originally posted by C.J. Moof:
<STRONG>Adobe and Quark products broadcast themselves over Appletalk. If you ran a pure IP network, I don't think they'd see concurrent uses on a serial number, but I've never proven this.

Get a copy of the chooser extension whosthere and you'll see every SN of Photoshop and Quark on your LAN</STRONG>
Yes, it is true that if you turn off AppleTalk, Quark and Adobe products will not see each other.
     
timster
Dedicated MacNNer
Join Date: Oct 2000
Location: Washington, DC
Nov 23, 2001, 05:50 PM
 
Originally posted by PKPKPKPK:
<STRONG>

You are correct. :-) Only one program can bind a port at a time.</STRONG>

Not to mention that port 80 (along with all low-numbered ports) is privileged, and that would require Office to run as root if it wanted to grab port 80 for itself. I doubt MS would try that, because that would then require anyone to authenticate with admin privileges before they could launch Office.

-tim
     
RoofusPennymore
Senior User
Join Date: Oct 1999
Location: Planet Earth
Nov 25, 2001, 08:14 PM
 
Originally posted by mr_sonicblue:
<STRONG>Anyways, back to the original topic. If anyone wanted to, for any reason, stop outgoing udp traffic on a specific port, try this in the Terminal:

sudo ipfw add deny udp from any to any <port number>

So, for example, if you wanted to stop port 2222:

sudo ipfw add deny udp from any to any 2222

But, I don't know why anyone would want to do such a thing. </STRONG>
Pardon my poor knowledge of OSX. This seems like something you have to "turn on" each time you start your computer.
---I'm on a low Microsoft diet.
     
malvolio
Professional Poster
Join Date: Apr 2001
Location: Capital city of the Empire State.
Nov 25, 2001, 10:32 PM
 
Nope, you have created a new rule for your firewall, and it'll stay there through logouts, shutdowns and whatever, until you remove it.
/mal
"I sentence you to be hanged by the neck until you cheer up."
MacBook Pro 15" w/ Mac OS 10.8.2, iPhone 4S & iPad 4th-gen. w/ iOS 6.1.2
     
Homer1946
Dedicated MacNNer
Join Date: Jul 2001
Location: Arlington, Tx
Nov 25, 2001, 11:29 PM
 
Originally posted by malvolio:
<STRONG>Nope, you have created a new rule for your firewall, and it'll stay there through logouts, shutdowns and whatever, until you remove it.
</STRONG>
Would entering a rule such as this interfere with the operation of gNAT, or does this just extend the firewall?

-R

I know I have no life and I can prove it at http://slicedapple.ath.cx/
     
SecretAgentX
Junior Member
Join Date: Jul 2001
Nov 25, 2001, 11:45 PM
 
Originally posted by iSore:
<STRONG>By the way, if enough people begin doing this, how long do you suppose MS will take to piggyback the check onto, let's say, IE? It's becoming a more and more prevalent tactic used by spyware applications, so as to hide the outgoing data from whatever security measures one may have taken.

(Anyone here familiar with the Flaming Lips' song "Evil Will Prevail"? )

[ 11-22-2001: Message edited by: iSore ]</STRONG>
Simple fix: use an alternative browser application.
     
zpincus
Dedicated MacNNer
Join Date: Dec 2000
Location: stanford, ca, usa
Dec 5, 2001, 03:17 AM
 
Originally posted by malvolio:
<STRONG>Nope, you have created a new rule for your firewall, and it'll stay there through logouts, shutdowns and whatever, until you remove it.
</STRONG>
This is false (as far as I know). It will persist through logouts, and *perhaps* dropping to single-user mode and then back via "shutdown", but any time the kernel needs to be re-loaded, the firewall rules go poof.

The firewall has no "rules" cache anywhere -- it's all in RAM. Every BSD-ish UNIX I know requires that the firewall be re-initialized with rules at each restart. That's why The Moose's Apprentice, Firewalk, and BrickHouse all need to install items in the startup items folder for the firewall to persist. Just having the rules in /etc/ipfw/conf isn't enough -- each restart, you need to tell the kernel to load those rules.

Fortunately, there are plenty of tips about how to create system startup items if you want to automate this.
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
Dec 5, 2001, 10:08 AM
 
Originally posted by DNA man:
<STRONG>

What would you do if you wished to produce the same result in OS 8.6 or OS9.x for M$ office or Adobe products. Just wondering. It's the joy of knowing that makes me want to find out.

[ 10-30-2001: Message edited by: DNA man ]</STRONG>
http://freaky.staticusers.net/network.shtml

incognito.sit.hqx
weird wabbit
     
JeffZPgh  (op)
Dedicated MacNNer
Join Date: Mar 2001
Location: Pittsburgh, PA USA
Dec 8, 2001, 09:42 PM
 
Originally posted by zpincus:
<STRONG>

This is false (as far as I know). It will persist through logouts, and *perhaps* dropping to single-user mode and then back via "shutdown", but any time the kernel needs to be re-loaded, the firewall rules go poof.

The firewall has no "rules" cache anywhere -- it's all in RAM. Every BSD-ish UNIX I know requires that the firewall be re-initialized with rules at each restart. That's why The Moose's Apprentice, Firewalk, and BrickHouse all need to install items in the startup items folder for the firewall to persist. Just having the rules in /etc/ipfw/conf isn't enough -- each restart, you need to tell the kernel to load those rules.

Fortunately, there are plenty of tips about how to create system startup items if you want to automate this.</STRONG>
Yup. Here's such a tip: put the command in a file called /etc/ipfw.conf and then (as root) edit /etc/rc. Add a line like
/sbin/ipfw /etc/ipfw.conf
to the file near the bottom, but above the "exit 0" statement.

Now you're good to go between reboots.

Jeff
     
mr_sonicblue
Mac Elite
Join Date: Sep 2000
Location: Eagan, MN
Dec 9, 2001, 04:33 PM
 
Off to OS X - Software wid'cha...
     
<jrafter>
Guest
Dec 10, 2001, 09:48 AM
 
Office X hangs for me only (but always) when I am still logged in to my dial-up ISP. I have never had to configure a firewall, but have looked at Brickhouse. Is there a setting you can pass on to me that will eliminate the hang-on-quit?

Thank you!

-- John Rafter ([email protected])
     
Brazuca
Mac Elite
Join Date: Oct 2000
Apr 17, 2002, 09:50 AM
 
Originally posted by <jrafter>:
<STRONG>Office X hangs for me only (but always) when I am still logged in to my dial-up ISP. I have never had to configure a firewall, but have looked at Brickhouse. Is there a setting you can pass on to me that will eliminate the hang-on-quit?

Thank you!

-- John Rafter ([email protected])</STRONG>
I've had the same annoying problem. I never exactly figured out what it was, but based on what I was doing my intuition tells me that MS apps (including IE) were trying to communicate somehow but couldn't get a network connection. That or the lookupd daemon was acting up again (the bane of my existence).
I recently removed my airport card and noticed that a lot of my net problems are gone. <shrug>
"It's about time trees did something good instead of just standing there LIKE JERKS!" :)
     
JellyBeen
Senior User
Join Date: Oct 2001
Location: From The Deep End Of The Jar ©
Apr 17, 2002, 12:37 PM
 
Guess this is off topic but, when quitting Entourage X or Word X do any of you get these apps hanging when you quit?
I quit the app and it takes like a minute for it to quit. Any of you?
20"iMac intel 2.66 Duo: 4GB RAM : OS 10.6.6
     
 
 
All contents of these forums © 1995-2017 MacNN. All rights reserved.