CueCat CRQ software review and experimentation.

Keeping my information well... MINE!:

Set up bogus E-mail address and was able to aquire my registration # in advance by signing up online.  This was done using the Anonymizer web site ( http://www.anonymizer.com ) and filling out more bogus information that did however mesh with the e-mail address that I was using.  I don't think this is important really, but it may make my detection during these experiments a bit harder. We can only hope.

Theroy:
 If the CueCat is declawed (read: disabling the serial #) it should still be usable with the CueCat software.  This should also allow a user to use two different CueCats with the same registration #. We will also have to test to see if allowing the MFC updater application talk to the server affects the interoperability of the wands (IE: a software patch that records the validity or a change in the wand's serial number). We will also test to see if the serial # within the registry can be altered and if the program will still function. It's a bit unlikely that this will work, however the attempt will be made.

Exclusions:
  I am not going to perform any experiments with the TV interface. Frankly, if you choose to do this it's at your own risk. I wouldn't trust DC to be any less intrusive on this matter.

Preliminary setup:
  I have created a valid E-mail account for use as a 'spam sink' and as a tool for masking my identity.
  I aquired a registration # in advance as mentioned above. Which I will use to activate my CueCat software.
  I have aquired 2 CueCats of the same model and pcb revision and marked them #1 and #2.
  I have also created an image of my boot drive using Norton Ghost that does not include any of the CueCat software. This should eliminate the possibility of any registry artifacts being left behind by the included software.
  Test scans will be done from the following sources: The Terry Pratchett book 'Lords and Ladies' (has both ISBN & UPC codes), The Radio Shack 2001 catalog, and the box of my Beast Machines 'Nightscream' toy. (UPC)

Test 1: Standard setup
  In this test, I will install the software 'stock' with wand#2 preinstalled.  I will then shut down and install wand#1 and see what happens.
   The install is pretty straightforward, but does require a reboot of the PC for changes to occur. Changes include a CueCat system tray and desktop icon. The program then asks which browser I wish to be the default (In my case, Netscape 4.74, IE 5.5, or Opera 4.02) I have chosen Netscape. The next prompt is if you wish to get your code online or enter your code. Since I already have a code, I copied and pasted it in.  It also makes the note that you need to enter your user name (name) and email address exactly as it was in your E-mail that they sent. I neglected to copy these things and used a best guess and it accepted my registration and says that I was added successfully. To what I wonder? 
  The first scan caused Zone alarm to go off because CRQ wants to talk with the server now. Then another program called MFC updater wanted to talk as well. I decided to deny that request to see what happens. After scanning the ISBN of the Terry Pratchett book, I was sent to the Harper Collins web site. I tried to rescan since the Cue thought I had given it a CueCat # for some reason.  The program then locked up at that point. I killed the application and re-ran it. This time scanning the UPC on the back of the book. This put me at the same site. Also the MFC updater complained again about it needing to talk to the outside world. I denied it that privledge. It does add another permutation to my report though.
  Next the UPC from my Beast Machines Nightscrem toy. This resulted in no complaints from Zone Alarm and I was placed on the main Hasbro site.
  Lastly the Radio Shack catalog, I chose the Phonograph styli on pa. 195 of their 2001 catalog. Getting it to read in was a bit more difficult, mostly due to the smaller target presented compared to the other test items I'm using. The result is as expected; Netscape brought up the catalog of phonograph styli.

   This is how the application is _supposed_ to work with the exception of me preventing it from aquireing updates.

Test 2: Stock setup with different wnd attached

Now I'll reboot with wand #1 installed.  Thus providing the server and software with different firmware info.

Terry Pratchett ISBN: OK
Terry Pratchett UPC: OK
Nightscream UPC: OK
Radio Shack Cue: OK

Conclusion: The unaltered software works independent of unmodified wands.

Side query: I have some Japanese Transformers packaging, namely a Beast Wars Neo v/s pack, what happens if I scan its UPC code in?

  Interesting, It brings me to a form asking me to describe the item and to suggest a URL _for_ them. Also interesting is that any info I submit "... becomes the sole property of Digital:Convergence Corporation and may not be used in any other way except by Digital:Convergence."  I hope I'm misunderstanding this peice of boilerplate when I think that they are telling me that the UPC I scanned in for them belongs to them only now? I 
hope I'm wrong here.

Test 3: Stock install that allows the MFC Updater to talk to the server 
        using the wand the software initally saw during installation.

  I plugged wand#2 back in and will allow the MFC application to 'chat' with its home server. This will serve as a test to see if at the moment of this writing to see if there is a code patch that kills 'declawed' wands. 

  To get the process going, I scanned in the UPC from the Terry Pratchett book again and the MFC updater made 2 requests to talk with the server. The following should work, but just to be sure I'll rescan the Radio Shack catalog and the Nightscream package.

When I tried to scan in Nightscream's UPC the machine became unstable. I'm not sure if that's related to the MFC getting the update it wanted or if someone managed to attack my machine with a netBIOS packet (which occured during my connection) and made ZoneAlarm lose it mind or if it was something goofy with Netscape. I'll reboot and see what happens.

Nightscream UPC: Even after a reboot, the MFC updater wants to talk to the outside world I'll allow it for this and future sessions. It works.
Radio Shack CUE: OK

  Now we switch wands again to see if the other one works.

Test 4: Stock install that allows the MFC Updater to talk to the server   
        using alternate wand.
Terry Pratchett ISBN: OK
Terry Pratchett UPC: OK
Nightscream UPC: OK
Radio Shack Cue: OK

Conclusion: The MFC Updater does not affect the use of different unmodified wands at this time.

Now the fun begins, as we see what happens when we hack the registry and give the registration # some modifications.  First of all the Privacy Foundation saved me some work by specifying where the key lived and identified the registration # key for me.

Test 5: Changing the registration # within the Windows registry.

  Since we have determined that the software works independently of unmodified wands, it is fairly sound to conclude that either wand can be used for testing at this point. Since wand#1 is currently plugged in, that will be used during this testing phase. I will reboot the machine between changes to insure that the registry changes take effect. I know that probably isn't required but this shall be my method.

  First of all, I am going to back up the chunck of registry that will be modified to have something to backtrack to.

  It's pretty clear that this registration code is checked every time that CRQ runs. If an invalid code is found, it simply prompts you to either enter the code again or get a new one. I am not a crypto person and have _NO_ idea where to start as far as an algorythm goes.

Conclusion: while you can view your registration # within the registry, you cannot change it to be all 0s or Zs for example. Guessing at a key generation method is way beyond my scope of know-how.

  The next question is what happens if you 'declaw' (read: modify) the wand hardware.

Test 6: 'Declaw' Wand #1 and see if the software still works.

  All I am going to do is cut a trace to the memory chip that holds the serial number. Many thanks to: Michael Guslick for his extensive info on the wand hardware. After making the change I'll reboot and run the same tests as mentioned above.

  The declaw process appears to be successful. Man, I gouged that trace a bit too much, but no apparant harm done. An easy way to test is to just fire up DOS mode and scan some barcodes to see what serial number string it reports. Another option is to kill the CRQ aplication completely and fire up a text editor and monitor the output on your screen after you scan something in. Also, I verified the Caps-lock bug that these scanners have; if you hit caps lock it will invert the case of the scans it reports as well. And now the tests:

Terry Pratchett ISBN: OK
Terry Pratchett UPC: OK
Nightscream UPC: OK
Radio Shack CUE: OK; It could not find Radioshack.com on the first try; I'm not sure what happened there, but a second try yeilded success.

Conclusion: The 'declawed' wand works flawlessly in comparison to the one with a serial number in firmware.

Final Thoughts:
  It's a pretty cute toy actually. Unfortunately, the intrusiveness of the application coupled with their most unfriendly legal department makes me say that you should NOT install this and use liberally. If you do choose to do so, provide enough misleading information to slow down this potentially high speed market profiling engine. To put it another way: Marketing deparments and businesses that sell information about your buying habits and preferences will like the target-market potential of this tool. You may not like the extra junk mail and spam you get from it.
