Some Clarity about the Devil Mountain Software Clarity Suite

Superfetch is an adaptive memory caching technique that pre-allocates large amounts of system memory as cache and pre-loads modules of frequently used applications into it so that they don't have to be executed and loaded from disk storage on demand.

Being a dynamic caching system, it is able to load and unload these services in order to balance its performance as needed. Superfetch is certainly not a new memory management methodology. Other operating systems such as Linux use similar pre-loading caching techniques, such as with KDE 4.x (and starting in certain versions of 3.5) which preloads essential system libraries into RAM in order to speed application loading.

As a result of Devil Mountain Software's claims attributed to their CTO's "Craig Barth", ZDNet wanted to know who this Craig Barth individual was, what sort of software DMS actually published, and were its benchmarking and performance optimization services actually valid, et cetera.

As part of this group investigation into the company's background, we decided also to look at Devil Mountain Software's product itself, DMS Clarity suite, which until this weekend was also distributed by IDG Publications, in partnership with Devil Mountain Software, as Windows Sentinel and Windows Pulse.

Based on our investigations conducted over the February 19, 2010 weekend, the binaries distributed by InfoWorld as "Windows Sentinel" and Devil Mountain Software as XPNet were identical. For our testing purposes, we used the Windows Sentinel version distributed by InfoWorld.

The Infoworld version of DMS Clarity is identical to the DMS distributed version on the XPNET.COM site.

The InfoWorld version, dubbed Windows Sentinel, which was available for download until the 21st of February, 2010, required giving out 13 separate pieces of personal information for registration. As of today, the XPNet.com version requires 3 pieces of personal information to register for a free 3 system account on exo.performance.network.

Each version installed two services into the Windows registry, one a collector agent and the other a tracker agent.

The Windows services which DMS Clarity Installs.

The software installer creates two separate registry references in \HKEY_LOCAL_MACHINE\System\CurrentControlSet\services for the CWFTRACKER and CWFUPLOAD services/executables, as well as multiple references in the registry for the supporting DLL files as well as a Microsoft Access database which stores the collection data. All application files are installed in the Program Files (x86)\Clarity Framework\Tracker\Bin directory.

During the collection process, DMS Clarity is designed to report telemetry back to the Devil Mountain Software mother-ship, a web server with an IP address of 66.115.28.220 which is hosted at Real Effects, a Dania Beach, Florida based company which uses Continental Broadband Florida, Inc DBA WebUnited as its ISP.

A thorough portscan of the machine using the Open Source NMAP tool indicates that the Devil Mountain Software Clarity9 collection server, a Windows 2003 Server SP1 or SP2 system running IIS 6.0, has ports 80, 443 as well as 1003 (a possible exploit used by BackDoor 2.0x) and 3389 (Terminal Services) open.

That this system has port 3389 open on its extranet interface is alarming in and of itself because we feel this is extremely bad security practice, potentially opening the system up to brute force attacks and remote access to the system by unauthorized users.

Over a 48-hour period starting Saturday morning, February 20, we had the InfoWorld version of the Clarity Suite installed on a test virtual machine running under Windows 2008 Server R2 Hyper-V (64-bit Windows 7 Ultimate Edition, 4GB RAM guest OS) running fluid dynamics and SETI@Home calculations using the Open Source BOINC client using 100 percent of the system's CPU cycles and approximately 35 percent of system memory.

The collector and reporting software was observed using the Open Source Wireshark software communicating entirely over port 80 to Devil Mountain's primary server, which has an IP address of 66.115.28.220 (xpnet.com). As previously stated, this server functions as XPNet's web site as well as the metrics login portal for its customers.

Wireshark trace of DMS Clarity Suite IP activity.

Never at any time during this period of heavy load over a 48 hour period did this system communicate with the collector server over TCP port 443, Secure HTTP (SHTTP). The only packets we saw with Wireshark communicate over TCP port 443 were to Microsoft's Update, Doctor Watson and Windows Defender update servers, and BOINC's job processing transactions for upload and download.

The content of the packets sent over port 80 to Devil Mountain's server consisted of what appears to be a simple ACK/NACK heartbeat constantly sent by the VM to the remote web server which includes its hostname for identification, in this case WIN7-VM. We are not sure why no metrics were sent to Devil Mountain but it is possible that the company suspended collection operations over the February 20 weekend. [EDIT: During late evening Eastern Time February 22nd, Devil Mountain resumed collection operations, and began to collect data on port 443, see below]

[EDIT: Randall C. Kennedy has responded why his server was not collecting data during the 48 hour period. The test VM has been uploading data on port 443 since his re-enablement of the service late on February 22nd.

[EDIT: Feb 23, 2010, from ZDNet Windows columnist Ed Bott, who performed testing in parallel to mine: In a post at his exo.blog today, Kennedy claims the SSL errors we report here and in our original post were an “isolated incident,” that began on Saturday when InfoWorld pulled the plug on his software. Our testing directly contradicts Kennedy’s assertion, which is based on the assumption that we registered the DMS software for the first time on Saturday.

Our testing of the Clarity Framework Tracker software actually began on Thursday, February 18, one day before InfoWorld claims to have begun questioning Kennedy over his misdeeds. We used an account that was first registered at XPNet several years ago and observed all traffic going out on port 80. Our testing on Saturday was performed using a clean installation of the software, downloaded directly from InfoWorld’s site on a separate test machine in a separate geographic location.]

It is the conclusion of the ZDNet investigative team that we do not believe that the DMS Clarity software has a malicious purpose. Rather, it doesn't seem to do anything other than what any number of WMI-based performance metric gathering and aggregating products do which access the Windows performance counters. Large and medium-sized organizations already use these tools today, such as VMWare Capacity Planner and PlateSpin Recon, which are used for capacity planning virtual infrastructure implementations for server/VDI consolidation and optimization.

Additionally, traditional agent-based performance monitoring tools such asHP Performance Manager/GlancePlus, IBM's Tivoli Monitoring for Microsoft Applictions suite (Usual Disclosure: IBM is my full-time employer) as well as Microsoft's own Systems Center are mature products sold by trusted Tier 1 technology vendors that will accomplish everything that DMS Clarity does, without the worry of the questionable ethical behavior of a software vendor that can use these offsite-hosted metrics against you in public view if you challenge their expertise.

If you're a small IT shop which cannot afford some of these enterprise grade tools, there are Open Source alternatives such as Nagios (and its excellent commercial derivatives such as Hyperic) which can be used for WMI performance monitoring aggregation as well, with none of the worry of Devil Mountain Software's ethical baggage.

Have you installed and used the DMS Clarity Suite? Talk Back and Let Me Know.

Disclaimer: The postings and opinions on this blog are my own and don’t necessarily represent IBM’s positions, strategies or opinions.