The legality of PGS (Pretty Good Security), infinite rearms and other windows tools

Discussion in 'other security issues & news' started by wearetheborg, Sep 4, 2010.

Thread Status:
Not open for further replies.
  1. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Part of MS EULA that was posted in a forum:
    Now, PGS is a way of implementing SRP that is present in Pro; so isn't that "working around technical limitations"?
    If PGS is on the up and up; then is also Windows 7 "infinite rearms" (which allows Win 7 to be used forever without a license) also on the up and up (it basically involves changing some registry settings in some order)?

    There is also commercial software that extends the functionality of the OS. At what point does it become illegal? Or is it the case that any modifications we do to the registry etc. are 100% fine?
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    About PGS

    When a software company provides an editor for one of its main steering tables (the registry) and publishes the settings themselves of the effects of group policy, it is not a work around of the OS technical limitations. It is just a work around for not having a GUI interface which they make available in the PRO/Ultimate versions (the Group Policy Editor).


    Previous Bufferzone Free version (V2.x)
    The GUI has greyed some options, but the program uses XML steering tables. XML usually follows a certain logic. By simply changing some values (with trial and error) I was able to use the firewall, virtualise any application, use the Comodo like unknown programs and script auto virtualisation. This becomes tricky since the authors intended to hide them, but due to lazy programming they did only block the GUI enforced changes of the XML steering tables, but did not filter out the XML settings (so changing it manually made it a full version, with no yearly fee). I mailed the authors. I did not get nasty emails, instead they changed their free version.

    Since Microsoft does not accept any legal responsibility when you hack the registry manually, in most countries the coin flips the other side (either you take responsibility and you can sue people hacking it, or you deny legal responsibility and can't sue people changing it). In the PGS case, Microsoft even provides a registry editor, so that makes it a more feeble case in any court I assume. The guys from Bufferzone could make a point, but instead they provided a new version (too many chances they would not win the case, since XML is an open standard, and it probably would not add to their reputation that a nono could hack the freeware version to a full working version).

    So it is grey area on which most lawyers would like to bill a lot of hours, but the result of the company involved would be very uncertain (so only would benefit the law firms).
     
  3. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Where can I find this publishing?
     
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Let me get one thing out of the way real quick: Rearm is NOT legal and never will be. If Microsoft hasn't fixed this little hack yet, they will (that doesn't mean it won't happen again of course). About PGS, I don't see how it could truly be "illegal", nor how Microsoft would really go after anyone for it. All it does is add a feature missing from certain Windows versions. Well, if that is illegal, there are a LOT of apps out there that are illegal as well that add functions Microsoft left out. I don't see them being hauled into court yet. To be very honest, Microsoft is a bit stupid for leaving out things like SRP/AppLocker from some versions. These are security features, good security features, and in this day and age, there is absolutely no excuse to cheat their users out of the security of their OS. Being greedy and making people pay extra for features is a bit different than this.

    All that being said, it is what it is. I honestly doubt Microsoft cares about PGS, nor do I think anyone would be idiotic enough to report them to Microsoft.
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I've wondered about this also. Since Microsoft removed the UI for SRP in some downscale Windows versions, and since I believe this was done on purpose, I believe that Microsoft doesn't want users of downscale Windows versions to have access to SRP. I'm not a lawyer though, so I won't publicly opine on legality.

    For those concerned, an alternate is to use a HIPS that provides similar functionality. I've written a guide about using Comodo Internet Security as an anti-executable.
     
  6. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    How would you argue that infinite rearms are not legal (AFAIK, 3 rearms are on the up and up, as it's via a simple command); and PGS is? From the POV of Windows Home Premium, you have to pay to use SRP; and you have to pay to use Windows Home Premium itself. PGS defeats the "paying" and so does rearm.
     
  7. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    From a security point of view, I can easily argue. With Rearms, you are intentionally altering/bypassing activation measures. In other words, you are cracking Windows. With PGS, you're simply using a 3rd party program to ADD a feature/function. Look at it this way, think about all of the "Make XP look/act like Vista/7" apps that have been around for so long. They add features that you'd only have otherwise if you went out and bought Vista/7. You're not breaking anything, you're not hacking anything. It's not a crack, and, as far as I know, PGS doesn't even work EXACTLY like the built-in SRP.

    So, you tell me, which would be worse legally, hacking the OS so you never have to register, or adding a security measure in that, quite frankly, should have been accessible to ALL Windows users, and COULD have prevented a lot of the attacks that have shown up?
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Then, I could also assume that, for instance, Internet Explorer 8 InPrivate Filtering is only to be enabled when opening the browser? There's a registry hack to make it always enabled. Even Microsoft made it of public knowledge. I even think that's how people got the hack, in the first place.

    The same for InPrivate Browsing. You can always start it in that mode by applying -private after the iexplore.exe in the shortcut.

    So, is Microsoft itself breaking the rules?

    Another example:

    SpywareBlaster sets killbits in the Registry. There isn't a UI for users to do it, in Windows, is there? No. SpywareBlaster sort of hacks into it, right?

    There are a lot of examples.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It's Microsoft itself that allows rearming to, at least, 1 year, legally! It's the O.S itself that allows it. So, this is implicit in the EULA. The O.S comes as it is, and if it allows rearming, then no one is breaking any laws. No need to be a lawyer to know this. No hacking, cracking, whatever you like to call it.
     
  10. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    I completely agree that SRP should have been made available to all, but it is Microsoft's prerogative to charge more for it. I also agree that infinite rearming is worse.

    But that is not the question, the issue here is that if one is legal, the other should be as well. And conversely, if one is illegal, the other should be as well. It may be less illegal (whatever that means); but still illegal.

    Infinite rearms don't break the system, MS can disable them anytime (I presume), and it's not equivalent (in the strict sense) to using a hacked license.
     
  11. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    I thought it was only for 120 days (3 rearms)?


    I do remember seeing some trick to extend it to one year; and how the author claimed it was legal (after someone from MS made it clear he was not happy about it)...
     
  12. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I KIND of agree, but infinite rearm was NOT what Microsoft was thinking, lol. And yes, Wearetheborg, it is supposed to be 3 (somewhere I read 4 actually) rearms for 120 days.

    Edit: P.S, a lot of things are "technically legal", but as we all know, get the right lawyer on the wrong side and it won't matter.
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Well, European Union made them be good with Internet Explorer (by making Microsoft give other options to users!), I'm pretty sure they would also make them behave with these matters, considering the EULA my O.S has mentions that I'm restricted to do what the version I have allows. So, if I'm allowed to do the rearms, because the O.S allows it within the version restrictions, then it is not illegal.

    The EULA makes it possible, and then Microsoft complains about it?
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    If M$ so decided that creating/modifying registry values that are publicly published by themselves is against the law, then so be it.

    If they are that greedy, then so be it.

    If they tell me to stop hosting PGS, then so be it.

    They cannot stop reg files from being merged, so I don't know what they really would hope to achieve anyway.

    If it ever comes to that, where they publish what the registry values are, how they work, and then spaz out when someone uses those values in a way that they don't like, and do something such as tell me to destroy PGS or stop hosting it, well, so be it.

    But..

    I will officially be done using the M$ platform. I will not support it. I will not buy it. I won't tell or help anyone else, again, ever. If they choose to stoop that low, then I will, on principle, consider them a greed driven monopoly that deserves other peoples money and time, but not mine.

    That is ~ Snipped as per TOS ~ to do something like that. Having more security is something they should want more of, especially since it is built in, and since I have never received a red cent for anything I have done for them that they should have in the first place.

    Like I say, if they want to, so be it. I am quite certain I can find better things to do in life than continue my hobby of beta testing the M$ Winbloze OS's. Maybe I will start doing some PIC programming, something I have always wanted to do anyway.

    Good day.

    Sul.
     
    Last edited by a moderator: Sep 4, 2010
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    It's quite simple really. M$ themselves published the registry keys that are used, and all the values needed.

    The CreateProcess() method always looks at the SAFER registry keys when a process is created. It does this in every version. Regardless of whether the group policy has any SRP settings, those registry keys are examined and if they contain a valid value, they are used.

    You can create your own key or use a .reg file to do so.

    I have no idea if I am allowed to modify the registry. I guess I should not because I don't want to do something that I am not allowed. Matter of fact, when I create a tool that writes to the registry or something like win.ini, I am tampering with their product, and likely voiding the EULA as I have now modified it.

    I think I should stop using M$ products right now for fear they will come after me. I think perhaps I will dig out my Commodore64 and hex edit some files to feel better.

    Sul.
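
The registry-driven behaviour described in the post above can be checked from the defender's side before a .reg file is merged. This is an added example, not part of the original thread and not PGS code: it parses a .reg export of the SAFER `CodeIdentifiers` policy key and reports the default level, enforcement, scope and path rules it would set. The sample export, its GUID and the function names are constructed for illustration, and the parser handles only dword and plain string values.

```python
import re

# Constructed sample .reg export of the SRP (SAFER) policy key; GUID and path are invented.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00000000
"TransparentEnabled"=dword:00000001
"PolicyScope"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{11111111-2222-3333-4444-555555555555}]
"ItemData"="C:\\Program Files"
"SaferFlags"=dword:00000000
'''

SAFER_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
LEVELS = {0x00000: "Disallowed", 0x01000: "Untrusted", 0x10000: "Constrained",
          0x20000: "Basic User", 0x40000: "Unrestricted"}
ENFORCEMENT = {0: "off", 1: "all files except DLLs", 2: "all files including DLLs"}
SCOPE = {0: "all users", 1: "all users except administrators"}
RULE_KEY = re.compile(re.escape(SAFER_ROOT) + r"\\(\d+)\\Paths\\\{[^}]+\}$", re.I)

def label(table, value):
    """Map a raw dword to its meaning, keeping 'absent' and 'unrecognised' apart."""
    return "not set" if value is None else table.get(value, "unknown")

def parse_reg(text):
    """Return ({key: {name: value}}, [deleted keys]); dword and string data only."""
    keys, deleted, current = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[-") and line.endswith("]"):
            deleted.append(line[2:-1])      # "[-KEY]" removes a whole key
            current = None
        elif line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if not m:
                continue                    # blank line or unsupported value type
            name, data = m.groups()
            if data.lower().startswith("dword:"):
                current[name] = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                current[name] = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \"
    return keys, deleted

def summarize_srp(text):
    """Describe the SRP policy a .reg file would write, without touching the registry."""
    keys, deleted = parse_reg(text)
    root = next((v for k, v in keys.items() if k.lower() == SAFER_ROOT.lower()), {})
    rules = []
    for key, values in keys.items():
        m = RULE_KEY.match(key)
        if m and "ItemData" in values:      # the numeric subkey is the rule's level
            rules.append((label(LEVELS, int(m.group(1))), values["ItemData"]))
    root_path = SAFER_ROOT.lower() + "\\"
    return {
        "default_level": label(LEVELS, root.get("DefaultLevel")),
        "enforcement": label(ENFORCEMENT, root.get("TransparentEnabled")),
        "scope": label(SCOPE, root.get("PolicyScope")),
        "rules": rules,
        # True when the file deletes the policy key or one of its parents
        "deletes_policy": any(root_path.startswith(d.lower() + "\\") for d in deleted),
    }

if __name__ == "__main__":
    print(summarize_srp(SAMPLE_REG))
```
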
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Sully, as I mentioned, many others would fall before you. Even Microsoft would fall before [...]

    I gave two examples: Internet Explorer 8 InPrivate Filtering and InPrivate Browsing.

    Then, I also gave the example of SpywareBlaster, which among other things, offers a means to set kill-bits, by hacking the Registry. SpywareDoctor also does it.

    SRP is possible to deploy in versions that do not have Group Policy, by hacking the registry. The difference is that you've provided a GUI for such. That's it.

    The same for SAFE-Admin, where you're only providing an easier way for what the O.S already allows to do.

    You're not developing anything that is/will make the O.S behave differently than what it allows to do.

    One stupid example: The HOSTS file, which according to this part
    no one would be able to modify, right? Because, you'd be limited to what it is already! :D OMG! What a blessing world, uh? :)
    No laws are being broken here.

    Edit: I guess we wouldn't be able to install software either?
     
  17. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Ugh, Sully, didn't mean to ~ Snipped as per TOS ~, or pick on PGS...it was chosen just as an example.

    (BTW where is the registry value info published?)

    As a side effect, I wanted to find out if discussing the details of the infinite rearm trick (or even 1 year rearm trick) is OK to discuss on wilders :D

    Often, forums have a policy that such and such should not be discussed as it is against EULA (eg, on notebook review forums, the opinion (of the few people that replied) was that PGS was violating EULA, not that they have any authority).

    This is actually a very core issue --- what can the user do with the OS?

    In Linux, I can pretty much do anything, hack the OS, change the kernel, whatever, it's fine. These Windows restrictions are alien to me.


     
    Last edited by a moderator: Sep 4, 2010
  18. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    No, I didn't take it personally. The very idea that they tell you how to do it and then would tell you you cannot do it, is, well, it is madness. Two faced and forked tongued.

    Doesn't sit well with me, if you know what I mean.

    Here is a good resource. Use the find feature and search for xp pro and xp home. They publish this and don't make one mention of anything but XP.

    http://technet.microsoft.com/en-us/library/bb457006.aspx

    Sul.
     
    Last edited by a moderator: Sep 4, 2010
  19. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Thanks for the technet link!...now for something fun:
    http://en.wikipedia.org/wiki/United_States_v._Microsoft
     
    Last edited: Sep 4, 2010
  20. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Sully, if you got into trouble for modifying the registry, they'd have to go after every program made for Windows. I think what we can take away from this is that if Microsoft leaves in the ability to do something, without resorting to reverse engineering or some other sort of undesirable method, it SHOULD be fair game...yes, even Infinite Rearms. If it really only takes changing some registry keys that are openly accessible to a user, then it's fair, EULA or not. In reality, if Microsoft's EULA was strictly enforced, I don't think you'd be able to do anything with the OS at all, including installing programs of any kind.

    @Wearetheborg: Good quotes, that shows just how MS operates. Then again, I have serious doubts they are alone in that.
     
  21. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Exactly
    Nothing. The whole topic is pointless and was baited as wearetheborg admits. Just substitute PGS (Pretty Good Security), with pretty much any app.
     
  22. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Errr the topic was NOT pointless; I am trying to understand EULA of MS; the topic is about some fundamental issues.
     
  23. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    The EULA is typical legalese made up by lawyers instead of Microsoft. As said before, Microsoft CAN'T enforce the EULA to the fullest because you'd just have an OS. Programs couldn't install, the registry would have to be locked from users. I'd be surprised if Microsoft knew every word of their EULA. There's no "fundamental issues", they simply just can't enforce that entire EULA.
     
  24. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    I think this is a good discussion....and hopefully no one here would mind me sharing my opinion here...albeit the fact that I'm neither a lawyer nor an affiliation of the Microsoft Corporation in any way.

    First of all, you may want to refer to this site here for more information as to what the "technical limitations" actually refer to..

    www.microsoftvolumelicensing.com/userights/TechLimit.aspx.

    From what I understand, the only difference is that the higher editions of Windows (namely Professional and Ultimate or Enterprise) included the Group Policy Editor as a front-end GUI to access the SRP feature (and a few others) whereas in the lower editions of Windows, the SRP feature is 'hidden' and inaccessible unless users have the technical knowledge to use the registry editor to make the changes and achieve the functionality.

    Although the unavailability of the Group Policy Editor may be argued/seen as a "technical" limitation imposed on customers of lower editions of Windows, namely because it is a selling point for customers intending to purchase a license for the higher editions of Windows (which may also include other added benefits), that doesn't mean PGS is a form of work-around to it.

    PGS merely exists as an easier-to-use GUI method to achieve the SRP functionality compared to the manual work. It does not serve as a full clone of Group Policy Editor. Therefore, the argument that PGS is a "workaround to technical limitations" isn't valid in my opinion.

    =======================================================

    As for the re-arm trick, the fact is it's legal provided it's done within the limitations of the re-arm trick itself....that is you're allowed to use it up to 3 times only. That fact has been established pretty well on various credible technology sites...and Microsoft has confirmed that it's legal to do so. An example would be this article:

    Windows 7 will run 120 days for free, Microsoft confirms

    The issue here is the "unlimited" re-arm trick which uses a loophole that's available in the registry of Windows 7 only (Vista doesn't have the loophole). It involves deleting a particular registry key outside of the Windows environment to 'reset the re-arm count back to 4'...therefore tricking Windows into thinking that a re-arm has never been done before.

    The problem here is individuals on the web differ in their thinking - whether this is legal or not or whether this is simply a 'grey area' matter. Some people argue that it's legal as it doesn't bypass Windows activation, doesn't "reverse engineer, decompile or disassemble the software" and claim that it's still a trial after all (people could have achieved the same thing by doing the normal legal re-arm for 3 times and then do a complete re-install of the OS on the PC - ultimately using a trial Windows for unlimited period of time). Others argue that it's illegal as it bypasses the "3 times only" limitation of the legal re-arm trick provided by Microsoft...

    I can say nothing more on the 'unlimited re-arm' issue as you'd have to judge for yourself whether it's legal or not. Furthermore, I don't wish to be mistaken as developing this thread into a piracy thread - I'm not here for that. I'd be mad to do so since I am a Moderator of another tech forum myself and therefore, I know the rules and I respect the moderators of this forum or any other tech forum...

    Feel free to continue the flow of discussion....and please don't get offended if you think I've made a mistake or said something wrong.
     
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Every permanent change to the file system (the registry is a database stored in files) involves changing some bits on the storage medium. Some bit changes are clearly legal. Some bit changes are clearly not legal. Then there are gray areas. So the fact that one is merely changing bits isn't the deciding factor in legality.

    Thought experiment:
    Let's suppose Microsoft foolishly determined the Windows version by reading a single registry value - 1=Home, 2=Professional, etc. - and that everything else is exactly the same upon installation of any version, except for this one registry value. Let's suppose that Windows checks this registry value in determining what features are allowed, what user interface elements are shown, etc. Would one be legally entitled to upgrade one's Windows version by changing this registry value?
     