76 comments

[ 2.8 ms ] story [ 172 ms ] thread
I am curious what the piracy rates are for this game vs actual sales, because I am having a hard time justifying investing that much effort into what they did.
I wonder if the publisher even knew, or could ever know. It's presumably hard* to work out the counterfactual - how many more sales would have been made in the absence of the crack/keygen being available.

They do mention that they kept seeing repeated personal information being used on registration, but also that the cracked version was changed to use a different activation server. Confusing.

*or even impossible

What's the background exactly?

As I read it, they had a function to grab various bits of data from a specific machine that was linked to a specific cracker. Did it misfire and started to pilfer data from other unrelated machines?

Edit - for the record, the original post title was somehing like "Flightsimlabs attempts to explain their password-stealing DRM malware".

As I understand it, it decompressed the offending code onto legitimate users' systems, where it was detected by antivirus software. The presence of this software at all, rather than whether or not it was executed, is the core of the issue, I believe.
Can anyone chime in on the legality of this? I understand the thought process behind doing this, however, I'm struggling to see how what they've done can possibly be legal?
I don’t know about the US, but in Germany it would be very illegal.
It'd be very illegal in the US as well.
They infected all of their users with malware. Users they believed were pirates had usernames and passwords stolen, while legitimate users have been exposed to the risk of the malware. For the pirates, while they broke the law, this company has broken the law by unlawfully obtaining their credentials and using those credentials to impersonate them in various services. Many steps in this process are illegal in the countries in which this dev operates.
Various bits of data = Chrome password database.
Here's a Reddit thread discussing the malware: https://www.reddit.com/r/flightsim/comments/7yh4zu/fslabs_a3...

I'm shocked that the company admitted to doing this.

Admitting to the crime is a form of damage control. Someone with a clue figured out what was going on, spoke to the lawyers, and determined that the penalties, if any, would be harsher if they wait for a trial before admitting guilt.

That's all it was. They are in a lot of trouble, potentially, and it will be interesting to see how this plays out. I am hoping that charges will be pressed, because this is not the first time developers have "booby trapped" pirated software, but it could be the last if justice is served.

All for their DRM scheme.

I still find it interesting how many people don’t realize that generosity could be a valuable part of your product. That growing the industry as a whole may be more important than getting back at people who weren’t going to buy your product anyhow.

I can see generosity working for a single developer but you are not going to build Electronic Arts with donations alone.
Whats wrong with that? Electronic Arts is a cancer on the gaming industry.
Wouldn’t it require one of the users of the pirated version to fill a complaint? If the software wasn’t doing anything nefarious to regular users, just had potentially dangerous code sitting in a dll in a directory, it is hard to justify any damage. Kind of like if I had a function to format the C drive in one of my binaries. It never gets executed but would I be liable for having that function in a binary I distributed.
Yes and it's a safe bet that was going to happen. Since they admitted to it, maybe people will let it go. I would suggest it depends on how much damage was done to real users. There could be a class action.

It would be ironic if a bunch of pirates sued a software developer and won.

Just to be clear, nobody should let it go. Everyone needs to be taught right from wrong in their lives. Publishing malware is always wrong.

> Admitting to the crime is a form of damage control. Someone with a clue figured out what was going on, spoke to the lawyers, and determined that the penalties, if any, would be harsher if they wait for a trial before admitting guilt.

I don't think so. I'd guess a lawyer would've told them to get rid of the feature, delete all collected passwords, never use any of it in the future and most importantly, don't admit to anything. It's rare that a lawyer advises you to admit to a crime. Before they admitted to it no one even knew if they ever used the collected data.

The Chrome password database is a bit more than "various bits of data", more like "important personal data"
I wonder if they realise just how illegal their actions are, and that they've fully confessed to breaking the law?

They should have at least sought legal advice before trying to do what they did, but failing that at least sought it before posting this message.

To be honest, it doesn't really sound illegal to me. Detecting fraud and collecting additional data when it is detected doesn't sound unreasonable or unusual - as long as it is specified in the privacy policy anyway.

That being said, I'd be very interested to learn more about why it would be illegal. Could you elaborate/source?

Apart from stealing passwords which is definitely misuse of computing resources?
The link doesn't mention extraction of passwords
The story is that the bundle contains a piece of software that uses elevated privileges gained through the installer to extract passwords from Google Chrome, and then ships that data back to mothership. I am not sure how that’s not stealing passwords but I am open to interesting arguments supporting the negative.

The publisher pinky-swears that they only steal passwords from bad people. That is not an interesting argument to me.

The post kind of dances around exactly what 'information' was exfiltrated from the targeted user, but it's pretty clear from a close reading that it has to have included his Chrome passwords.

  unfortunately we could not be able to enter the registration-only web sites he was using to provide this information to other pirates.

  We found ... that the particular cracker had used Chrome to contact our servers so we decided to capture his information directly

  .. to dump that cracker's information needed for us to gain access to those illicit web sites

  this method worked, in fact, and we were able to receive this information
This all followed by screenshots from the "registration-only web sites" they could not previously reach.

Also, at least one of the initial reddit reports which set off this whole thing was due to A/V software detecting an executable file included in the installer (which was dropped but not executed on all user installs) as "Chrome Password Dump" malware.

Edit: The earliest responses about this from FSLabs seem to confirm that they were running the password dumps on anyone who was using known pirated serials; it looks safe to say that the linked post is overstating how targeted their actions actually were.

  This method has already successfully provided information that we're going to use in our ongoing legal battles against such criminals.
If they truly believe that they have any hope of using any information thus gathered to aid them in their 'legal battles' against crackers and pirates, this is one deeply confused company.
(comment deleted)
First, context: the original reddit thread [1] that kicked this off indicated that this malware included was intended to extract passwords from Chrome ("Chrome Password Dump") and that it was active and likely had the needed permissions as the installer would generally be run with administrative level access rights. So the issues are that malware was placed onto users' systems at all, its capabilities, whether and to what extent data was exfiltrated, and how any exfiltrated data was stored or used.

In terms of jurisdiction, the company seems to be incorporated out of Delaware (though I may have mis-searched there), but employs EU nationals residing in the EU. At least one of them seems to be in England, and thus subject to at least both the Computer Misuse Act of 1990 and the Data Protection Act of 1998, which in turn ties in more generally to the 1995 EU Data Protection Directive (which has further been implemented in other countries). Multiple levels of their actions would definitely fall under the CMA and if they actually gathered anything the DPA would kick in also. All of the actions they are known to have performed and may have performed are illegal in most first world jurisdictions. You cannot install malware even if it's not used. It's extra offense to use it, worse to take any data off, to store that data, and further to use it in anyway. Vigilantism is not generally considered at all acceptable by developed governments worldwide.

In the USA, precedent for this sort of thing appears to exist already in the form of major examples like the 2005 Sony BMG rootkit situation. Sony's malware prompted actions at the state and federal levels as well as multiple class action lawsuits. The FTC brought charges under Section 5a of the Federal Trade Commission Act and Sony was forced to settle. The FTC chair at the time stated that "Installations of secret software that create security risks are intrusive and unlawful." [2]

Really, this sort of thing is just crazy dumb to even attempt in this day in age, it's genuinely surprising that developers could still think that it wouldn't open them up to massive potential trouble particularly in the EU. That's not to say anyone will necessarily go after them, as always that's a matter of discretion at the governmental level and at the civil level whether anyone cares to devote the resources to it, but there is plenty of cause to at least make a go of it and it's not clear that they recognize that. Legitimate developers just don't install malware on peoples' computers, period. That they may be bad people isn't any defense at all. Furthermore, bugs of course can happen. Even if it's not intended to be activated, it may do so, or may open the way to later malicious use by a 3rd party. The original developer who was responsible for it being there can be expected to be liable.

Surreptitious actions in general should be a real red flag: if you have to hide it from your users and it affects anything but your own software, think twice. Then think three or four more times after that too. EULAs (or any contract in general) cannot overrule higher level non-exempted law requirements and will not provide protection against civil or criminal enforcement.

-----

1: https://www.reddit.com/r/flightsim/comments/7yh4zu/fslabs_a3...

2: https://web.archive.org/web/20070929111043/https://www.consu...

They should go the FB/Goog route and claim it was a bug.
Which is probably what a legal counsel would've advised them to do. Get rid of the "feature" without admitting to what it actually did. Would've been much harder to prove how they used it without them admitting to it.
Would that hold water? A file was added to the installer which has clearly nefarious purposes. As well the output produced by running that file was caught by another executable and sent home. Pretty hard to say that this wasn't intentional. Even if you would claim it was bundled erroneously, why would that be part of your code base anyway? It has no legitimate use there.
-> Is it illegal? Is it coverable by a EULA?

Aren't most DRM invasive by their very nature?

I'm not actually suggesting it's a good idea, but we need more facts than just blanket "oh yeah, it's illegal." How? What statutes? What countries? etc

Previously: https://news.ycombinator.com/item?id=16412541

It sounds like they distributed a tool that goes through your Chrome saved passwords database and if the installer thinks you're a pirate, it sends credentials from that database back to the author. The author is now saying they used credentials they learned from this to break into a private website to learn more about how their DRM was being bypassed.

This seems so incredibly illegal, I can't believe they admitted that this is what they're doing.

IANAL. While the entire scheme looks to be clearly unethical, the only part that strikes me as illegal was the use of credentials to log into the online forums/services.
IANAL but AFAIK stealing data, even without using it, is illegal per se in the EU, where this company is based: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELE...
IANAL but, assuming taking the data happens after the user agrees to the license, there is no stealing of data.
So if I put some small text into a 100 page EULA that says I may break into your house and take whatever I can carry, then I only have to make you click-through and I'm all set? Awesome.

Unfortunately for me, things don't work that way. For most of Europe at least, you'd be perfectly justified in treating my 100 page EULA like the garbage it is and basically ignore everything in it that isn't already prescribed by law anyway.

Your example is not persuasive. There are perfectly enforceable EULAs that contain terms potentially far in excess of the value of your home and all of its contents. And there are enforceable EULAs that contain rather onerous audit provisions. And in this case, it is hard to see the comparison to physical action.

I am not familiar with the flight sim license in question, but there are a number of general terms it might contain that would allow for the collection behavior. Telemetry, anti-piracy, anti-cheat, audit, fitness of purpose, and many other provisions could cover this particular behavior.

Further, if their claims are to be believed, they only initiated this action against a someone in already in breach of contract, so the law isn't going to protect the pirate anyway.

Again, I think the company's behavior is unethical - they should have contacted law enforcement. But illegal? That is not at all clear.

EULAs are not generally enforceable nor legally binding at least in Europe. I personally have acknowledgment in a legal dispute that parts of even a signed contract were void and invalid because they were considered an EULA (AGB).
No, click through EULAs are not always enforceable. But generally, EULAs are certainly a valid and enforceable form of contract throughout Europe - how else would things work, if not through a contract describing an agreement with the end user to license the software, i.e. an EULA?
An individually negotiated agreement that fulfills all the legal requirements of a contract is a valid way to ensure enforceability.

But just repeating a part in many contracts is enough to make a court say that it is not individually negotiated and is therefore treated differently (AGB in German).

A seemingly endless text wall with non-negotiabile terms that is considered agreed to by a click on "I have read this and agree to it" might only be binding to very limited extent, if at all.

In my contract I mentioned a part was considered invalid because it was an issue that cannot be agreed to in an AGB, and the part was considered to be sufficiently AGB-like.

To give another scenario, someone offers me a proprietary software. I don't know the terms and condition but I know that I need to pay for it. I then pay and receive the software. Upon starting it, it presents me with terms and conditions I need to agree to. In this scenario, the terms and conditions in the software are entirely void because the contract was established when the software was exchanged for money and the terms were not agreed to at that point. Only what is agreed to when the contract was established counts. If the software doesn't work for the intended purpose, I am free to modify it such that it does.

Sure, that's right, and my point was pretty much the same; any EULA that the end user is forced to or has to accept automatically is invalid, such as click-though or shrink-wrap licensing. It's really just the terminology, since EULA has a much wider meaning here, I think.
IANAL but I don't think a SW license can have the provision where they say that they will take all your Chrome passwords without your consent and transmit them over a non-secured connection [1], and still be considered legal, at least in the EU. Some protections and rights can't be waived in a private contract, even if both parties agree[2].

[1] https://www.fidusinfosec.com/fslabs-flight-simulation-labs-d...

[2] https://en.wikipedia.org/wiki/Data_Protection_Directive#Prin...

Clicking a checkbox is no legally binding agreement.

Parts in a contract can be void even if agreed by both sides.

They're claiming that they're pirates, i.e. that there is no valid licence that they would've accepted.

In that scenario, the user has committed copyright infringement (i.e. it can/should result in a civil claim and a fine). If what is claimed has happened (the company used the passwords retrieved from pirates' computers to access private websites of those pirates), then the company employees who took and used their passwords have committed a crime (i.e. it can/should result in arrests and jail time). Many of the things that police can and will do in an investigation are crimes if you do try to do it yourself. The fact that your target seems to have committed a crime doesn't justify crimes against them; and they are innocent until proven guilty.

Those acts aren't comparable; what the company seems to have done is on a much higher level of illegality than software copyright infringement.

Put it this way, if Microsoft or Facebook or Google or Apple released an update which squirreled away your stored Chrome passwords and uploaded them, there'd be a torch-and-pitchfork mob out for their blood. It would be totally unacceptable for a big player to act like this and being a smaller player doesn't grant any free passes.
One illegal part is sufficient. I agree that the other parts might be debatable, but the actual use of stolen credentials has clearly crossed every line. If they had passed this information on to a police investigation that then would've used this with a warrant, then this might maybe work (the admissibility of evidence gotten this way is tricky - maybe it is, since it's not the authorities that obtained it illegally), but if they themselves used those credentials, then I hope that the employee who did it understands that "boss told me to do it" isn't a sufficient defense in criminal prosecution.

I mean, the apology seems legit and it's not that likely that anyone will press charges, but it still is a quite stupid risk that they've taken. In many cases "hack-back" may seem a practical alternative, but it's not, because it tends to be absolutely illegal (well, perhaps not if you're in NSA or something). Hopefully this case will be sufficient warning for others.

Never trusted browser saved passwords. One of the first things I disable after I install a browser. Also disable saving form data
Why? I mean, what could ever go wrong with storing highly sensitive credentials, form data, and usage history in the same app that automatically and promiscuously downloads and executes code from the internet?
Even if you don't save passwords in Chrome, malware can still keylog you, or steal your password from whatever other password database you use.
That's what hardware-backed crypto protects against. Passwords on their own is a bad security practice.

A tiny dedicated computer like Tomu[0] that fits into your computer, that provides authentication (and similar cryptographic functionality), with inpedentent input (touch) to receive manual ACKs and output (led) to provide feedback, with no other functionality, is a cheap, reasonably safe, and convenient solution. Maybe unlock it on boot (and after timeout) with a password/PIN for good measure.

[0] https://www.crowdsupply.com/sutajio-kosagi/tomu

This sort of thing is awesome in theory, but in practice it kinda sucks, and will continue sucking until it becomes a first-class feature in the eyes of browser and desktop environment developers.

Currently I'm using Chrome backed by KWallet backed by PGP key on a YubiKey 4. Upon launching Chrome I have to authenticate with/touch the Yubikey to unlock my session, which is spiffy, but after that seemingly random pages (even in an incognito window) will prompt Chrome to unlock my keychain. The Yubikey will flash, indicating something wants access to it, but I have no indication of what that something is. If I ignore the flashing, eventually a KWallet window pops up complaining about being unable to use the GPG key.

What you are describing is a specific scenario based on specific solutions. I see multiple things going wrong there.

Chrome shouldn't access your credentials without telling you what it's used for. Chrome shouldn't expose cryptographic identities in incognito mode. The Yubikey's output is vague.

What can we learn from that?

Chrome has shortcomings in this domain. Just one monochrome LED is maybe not enough output to give reasonable feedback.

My online banking security system is called chipTAN and uses a small, monochrome, low-res display to give essential information for what is being processed which I need to acknowledge. That works well, but is also a single-purpose solution.

For identification on the internet, a solution based on GPG seems reasonable. Imagine a small display that shows the receiver you are identifiying to, the identity you are using, and for how long the identification is valid, and then you can acknowledge that.

That only works if the website you're logging into supports it. I highly doubt thewingmen.info or avolatvolavitdescendit.com support that (they don't even have https!). Also it requires your browser to support it.

And even then, malware can still just steal your cookies.

I sort of appreciate the creativity here, though it's blatantly creepy and uncomfortable for a software vendor to be pushing updates with single-user-targeting functionality, in particular, to say nothing of the spyware issue itself.
I wonder if they are in fact shooting themselves in the foot in their fight against this cracker.

Aren’t there laws that basically invalidate evidence gathered by illegal means?

and even if there weren't, is it worth it to face legal consequences of your actions, just to stop some hacker? I mean they are a small shop - albeit highly respected in the flight sim community - if this ends up in court, it could be game over for them.
In the US, there are laws that invalidate evidence gathered by the government through illegal means. This simply does not apply to private entities.
Releasing DRM-free is a thing if you want to respect your users, instead of insulting them.
What I don't understand from their explanation is why they had to do this at all -- if they could identify the bogus serial numbers, then why not just block those serial numbers from registering?
Might have been a whack a mole situation where the crackers have figured out how to make key and they know how to switch them easily whenever you invalidate one.
Yes the article says that pirates were not only generating keys but patching the software to validate against their own servers.
So maybe stop wasting effort of a clearly lost battle and instead spend it on making your product so brilliant people will be begging you to take their money?
Because simulator addon developers - especially flight sim addon developers - are barking mad and have views on piracy that would make Jack Valenti blush.
If anything this is just going to want to make the crackers keep cracking their releases even more, because one thing they certainly love is a good challenge, and these "bomb-like" features would appeal to them greatly.

(Long-retired cracker, no longer active in the scene but still fights from time to time. ;-)

would be funny if the pirate sues these guys for hacking and puts them in jail
That is a very possible outcome, especially as several of the actors involved are based in the EU.
If they are in the US, anybody on whose PC this ran, including the Cracker, can probably get them all thrown in jail for CFAA violations.
Gotta say, on reading this I went "They did what?!". This raised my eyebrows so much, I'm fairly certain they're now lost somewhere in my hairline. In the US, at least, I'm fairly certain they've broken more than a few laws. Kudos to them for admitting it, entirely; I guess that would be the only hope they'd have of ever re-gaining any sort of trust with their install base, but they'd be equally smart to find a lawyer[0].

I get that a lot of time and effort goes into developing a product and it's really frustrating when you find out that your product is being pirated. I can't imagine if I'd happened upon a whole community sprung up around pirating my product; they had to be incredibly angry and this likely led to this terrible idea. And no matter how often you repeat to yourself that "piracy does not represent lost sales", when you've poured your time into something -- time that you hope will make you a nice living, time that you took away from your family or other enjoyable pursuits -- you tend to get really angry when you find out there are people that think it's perfectly OK for you to work for free.

I like to repeat the mantra that "piracy does not equate to lost sales" and tell myself that those wouldn't be paying customers anyway, or they're not my real target audience, or that it speaks to the popularity of the product if someone went to the trouble to crack it. And I'm a believer that effort spent on DRM is wasted (especially efforts like this). It's not entirely, true, of course. I always think back to the story I read a few years ago about the TCP/IP stack that nearly every DOS PC used -- a piece of shareware that, at the time, was probably the most popular piece of shareware in existence. I'm sure I, like many, didn't even think to pay for it and operated under the assumption that large corporations were probably using it and the developer was probably using $20 as kindling by now when in reality I think he netted somewhere in the thousands of dollars for his efforts.

At the same time,... well... this.

This is exactly what happens when you focus on piracy so hard. Developer time is a finite resource and this company wasted that time developing a piece of DRM that is indistinguishable from malware. It succeeded in not stopping the pirates, not catching the pirates, angering their paying customers, easily exposing them to civil legal issues and possibly exposing them to criminal legal issues. That little bit of wasted developer effort could very well end the company that made this product in a way that piracy probably never would have. Assuming their customers like the product and would like it to continue to exist, this company basically did everything in their power to not serve their customers.

To be clear, I'm not completely against purchase verification in software products. If it's light-weight, and doesn't get in my way as a customer, it's fine (i.e. provide the ID/password used when it was purchased with a fallback to an offline serial number ... asked one time and never again). I get it. A small road block is enough to keep my mom or dad from grabbing a copy that a friend attached to their e-mail. Heck, in the case of my mom or dad, they may not even realize that it's not a free product if it doesn't ask for some form of verification. I don't mind how Steam works or how the variety of stores handle these sorts of things. If your DRM effort goes any beyond this, it's wasted effort. You're not going to stop a determined pirate even (especially?) if the product your selling is an anti-piracy product. Just don't. Don't waste the effort. It's never worth it.

Even as I write this I'm still amazed. I get frustrated when I upgrade my CPU/memory...

from the headline I thought it was about the Iranian airplane that crashed