Arrests For Selling Poison-Ware In Spain
An anonymous reader writes "Spain's FBI equivalent has arrested the management of a software company (Google translation; Spanish original) for selling custom software to small and medium-sized businesses with 'controlled errors' that resulted in the software bombing on a predetermined date. They would then charge for fixing the problem and press the client into buying a maintenance contract. More than 1,000 clients were affected."
Sooo, they were following the Micro$oft business model then?
I hope they throw the book at them. They're basically holding their customers hostage.
And I made some decent money undoing their damage. Dunno why the customer never bothered to press charges.
---- Booth was a patriot ----
Some of us, regrettably, have seen business practices not entirely dissimilar to this in places we've worked. "I found a bug that could cause our really important software service to crash" "Don't fix it - wait until someone on a service contract reports it". Sigh.
For every problem, there is at least one solution that is simple, neat, and wrong.
Don't kid yourselves, Spain is as Commie as those red Chinese and those dirty Russians.
Why didn't I think of that?
6.8SPC TR of 550, l xwind at 6, drift rt at 26" drops 77". AT has 503 ft-lbs at 1403 fps. FT 0.86
[Planned obsolescence] has been happening for generations, where have you been?
It's not always ENTIRELY shenanigans.
For instance: The "design lifetime" in the auto industry is not just about selling another car. It's also about not spending a lot of extra money making, say, the transmission good for 750,000 miles when several other major systems are going to go out at a small fraction of that time. (When you're making several million units a year, saving a nickel each adds up to enough to hire two more full-time engineers to figure out how to do it.)
Making mechanical parts that last can be tough and costly. (And half a century ago it was a lot tougher, without the major advances in materials science since then.) If you design all the parts to last for at least some design lifetime and not much longer you can accumulate a lot of savings. If some major system was going to unavoidably fail shortly after that design lifetime anyhow, having the rest not good for much longer doesn't appreciably affect the utility of the vehicle for the consumer. But the cost savings can be used to lower the price (and grab market share, for a net profit increase) - which DOES help him out significantly.
The ideal in the limit is the "Preacher's marvelous one-horse shay, which lasted a hundred years and all fell apart on the very same day."
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
In the US, the corporation, not the people, would be charged with a crime. And then they'd settle with the Government for a fine and no admission of wrongdoing.
It sounds like Spain out-justiced the US this time around.
Hang on, isn't that a good thing, because it's creating 'more work'?
[/sarcasm]
When will some people start to realize that efficiency is all about reducing jobs, instead of creating them... sigh.
Why OpalCalc is the best Windows calc
(Subject line says it all.)
This is merely a subscription business model.
It's much like what Microsoft has been pushing through their software licensing extortion^H^H^H^H^H^H^H^H^H contracts.
--
BMO
It was a feature :-).
I'm here for the experience, not the Hyperbole.
I live here in Spain and this doesn't surprise me. Meanwhile, back on the ranch, I'm surprised someone managed to program something so reliable they had to code in a time-bomb to make the software fail!
:-)
Spanish coders did that!
I'm proud
(English ex-pat)
The article does not name the software company. Two of our main competitors timebomb their software - though it is written into the contracts, so it's essentially above board. Still, I'd like to get a company name so that we can publish something to our customer base about this...
Some cars have an oil change light that only the dealer can turn off. But there are other laws that stop them going too far.
Just wait for the AIR force to get shut off and then this carp will die fast and some may go hidden jail.
These guys should be hung in the public square especially the technicians that re-wrote the software to fail again after the "fix"
I've worked in a few places that have basically been held hostage with 'support' contracts for their shoddy products. They prey on total lack of knowledge and short term thinking.
I recall identifying some changes that would reduce the need for the ongoing support and having such a company cost them unrealistically so as to price it out of our reach.
They then resumed gouging us for UI changes that I probably could have done myself.
Any business has to weigh priorities. If you are spending your time fixing bug X, then that means either bug Y or feature Z is not being done.
Just because you know bug X exists does not mean it is more important than bug Y or feature Z, especially if no customers have reported it occurring.
Of course this all depends on the nature of the bug and what you mean by "crash".
Seriously if I were going to do something like this no one would have any idea, you wouldn't be able to convince the company paying for it that it was me exploiting known issue, let alone a court of law.
The folks at the obfuscated C contest would like to point out that just because you see the source doesn't mean you'll easily be able to figure out what it's doing.
500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
Hey, you didn't expect it to keep working forever did you?
> The folks at the obfuscated C contest would like to point out that just because you see the source doesn't mean you'll easily be able to figure out what it's doing.
True.
But it's a lot easier than with a closed source program with the code owned by the crooks.
Sounds like Eliot Carver from Tomorrow Never Dies.
I just hope they don't try to start a war between Britain and China.
How often does anything that looks like an obfuscated C contest entry actually get committed to a repository ?
It's pretty sad when it's easier to intentionally put bugs into software than it is to keep them out. What's worse is that no one is quite sure which is the better business model...
> How often does anything that looks like an obfuscated C contest entry actually get committed to a repository ?
Check out any project on SourceForge that is written in Perl. :)
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
> How often does anything that looks like an obfuscated C contest entry actually get committed to a repository ?
If it's obfuscated well enough, you don't really know. That's the whole point.
Unless the vendor is working on the software in its obfuscated form rather than using a processor to generate it, they would still be violating the GPL if all they released was the obfuscated source code.
From the text of the GPL:
If you're breaking software on purpose, with management approval, and would presumably like to hide the logic behind the bug, an obfuscated state machine is the way to go...
After all, I am strangely colored.
somewhere an oldbeard chuckles to himself and navigates onward.
> How often does anything that looks like an obfuscated C contest entry actually get committed to a repository ?
It happens all the time where I work. I maintain some old code written by an old hacker (he's got a credit in the K&R book!) Shit like this is not uncommon:
*(&z + z) |= ~tqq + m ? u9 >> 2: 741 | w & 0x8F ? ~(~t11) : foo
... also, I can kill you with my brain.
Adobe's ColdFusion kind of does such by not renewing the Java "trusted" certificate for older versions such that a warning pops up when using Java widgets from those versions. It's not a show-stopper because it's only a warning dialog, but it essentially forces an upgrade for serious businesses who don't want nag screens for their clients.
Table-ized A.I.
Sure. And who, exactly, is going to contribute to an open source project written intentionally obfuscated? Nobody. Then the project gets the reputation of being shoddy, and nobody uses it.
Or, there's also the "we'll just rewrite this little obfuscation and fork it" scenario.
Open Source thrives on its quality and dies from crap like this. People don't contribute to dead projects: they fork them or reimplement them.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
It's a very, very slim margin. You would have to have enormously talented programmers to be able to restrict errors to "controlled errors" while programming in such an obfuscated way, and you'd have to be more talented than the people trying to debug your code. To hide the error effectively, obfuscating a small amount of code would make the error obvious, but obfuscating large swaths of code would make the code unmaintainable.
Even then, if you can view the source, you can usually make some kind of judgement call as to whether or not the code is deliberately obfuscated or not.
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
It's amazing how greed feeds on itself like an addiction. They could have fleeced a dozen or so companies and kept under the radar. Instead they moved on up bigger, wider, and bolder so much so that the risk of getting caught became almost a certainty. Enron and Madoff are also examples of this.
you have to wonder how many other companies like this there are out there?
In principle there should not be too many as you need to rely on your staff conspiring with you; and it's a stupid crime which leaves undeniable evidence with every customer which can be used to hang you later; as we might find out with Apple and bricking un-jailed iPhones.
But then they have been successfully doing this for 10 years, so you do need to wonder. Good business model until you get caught (:
Was it like Anti virus 2006,2007,2008,2009, 2010 etc. etc.? Nothing like a fake flash scan to make a layperson worry and fork over the cash.
Even major software companies have errors in their software that behave the same..........
pretty sure you don't know the difference between obfuscated and disguised
I'm highly impressed at how good Google's translation of the article is! I don't know Spanish myself, but I do know English and, despite minor errors, it's readable, grammatical, and not filled with Spanish words!
Kudos Google! Well done! Now get to work on Asian languages!
I wonder which programmer should be more worried, the one who can't read the above, or the one who can.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Manager: Why is it programmer that all our software keeps failing? The customers are demanding a solution even if they have to pay it. Can't you just write code that works?
Programmer: Eh...
Manager: Mind you, it is a good thing it failed we can really use the income.
Programmer: eh?
Manager: It is almost perfect, we sell them code, then half a year later they got to come in to get it serviced. Like a timebomb goes off ensuring future profits.
Programmer: Ah! Yeah, that is it sir. It is like your car needing to be serviced by the dealer. Guaranteed continued income. That is why the software fails, not because I suck at all sir but because I was thinking of the future!
Manager: Good job, here is a raise that gives you a salary when counted for actual working hours is less than a cleaner gets.
Programmer: Thank you sir, you are too kind sir.
Wait a moment. Can you imagine who are you talking about?
A Spanish "software" company who based their business on fooling customers. I don't think they're so smart.
Software bombing on a certain date, just so you can charge for "fixing" it is evil.
But that assumes that the software was paid for to start with.
I remember my father adding just this "feature" to the software
of a difficult client that only requested feature upon feature
but had a track record of being months late with their payments
(not very nice if you have a family to feed!)
When the payment was once again long overdue, the client was
faced with a friendly dialog stating that the software was
not paid for yet, and that it would only be re-activated after
payment in full. The payment cleared less than 24 hours later.
It probably would have held up in court, too.
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
One (opensource) company I worked for knew there were critical bugs in its software (like computing errors in its accounting software, data loss under any load > than 1 person, ...) but we employees were forbidden to fix any bug that was not obvious to potential buyers until someone paid to fix them. I don't say you can't sell a software with bugs, but how is it different to intentionally leave them in, knowing the customers will hit them someday, than to put them in intentionally with a timer? And guess what? Said company which was a small startup 5 years ago is now a multi-million dollar company... Sad world...
~(~t11) -> that's the same as t11... You might want to teach your hacker about pointless code.
You can pay your fine by giving away expensive licenses to your software to people who wouldn't have bought it in the first place?
FRA: STFU GTFO
Here in the US, not only is it not illegal to do that, but several companies hold patents on different ways of doing that. It seems to be heavily encouraged to ass-rape every customer you have ever had here, but there is actually a place where this is not so!!?!?!? EGADS!
Where is the mod rating for "scary"? Also,
Try looking at nvidia's X11 "nv" ~open source~ driver...
Not really. I'd bet my bottom dollar, that none of the clients involved would have the expertise required to check the source. The thing about software for businesses (whether it's Open or Proprietary), 99% of the customers buy it to solve a business requirement. As long as they trust the supplier, can get support when required, & the software works reasonably well, then there isn't much thought put into the workings of the program.
Loops that escape upon some condition are, by definition, not infinite.
What if that condition is the power switch? Perfectly plausible for a microcontroller.
Like all pain, suffering is a signal that something isn't right
First of all: No Spanish worker will call his boss "sir". That's very much anti-Spanish. Just to give you an example: a recent unofficial competition asked Spanish people to come up with lyrics for the Spanish national Anthem (which is lyric-less). One of the candidates had the following text:
"Un jefe muy cabrón / soy un buen español"
Which translates to:
"A very bastard boss / I'm a good Spanish citizen"
Also, we use expletives when giving/receiving bad news. They are solely lacking on your text.
It seems like, if you were a company that did this and were taken to court over it, you'd use the "How is this different from the Y2K?" defense? ;-/
I'd like to point out that the fact that perl allows this kind of aberration doesn't mean it enforces or promotes it.
In fact, that code (or a very similar one) can be written in other languages, such as ruby.
This just points out that the programmer in question had serious issues in understanding fundamental concepts such as maintainability, and was more interested in amusing himself than in doing a professional job.
The credit on K&R doesn't mean a thing if you program like that on a day-to-day basis.
A friend of mine works for a company that sells software to a government department in a central African country (I want to keep the details vague to avoid incrimination). After completing the contract and delivering the software, reps arrived one day and simply stated "We're not going to pay full price for the software - we're not making as much money out of it as we thought we would." This country does not have much of a justice system to appeal to if you don't have a politician in your pocket, so my friend's company intentionally released code to make the system stop working if the payments are late. AFAIK that fixed the problem.
I'm just curious if these companies were perhaps faced with a similar situation...
You can create obfuscated but maintainable code by using an obfuscating transpiler. You work on code with all of the comments, meaningful variable names and maintainable structures. The transpiler removes as much of that as possible before compiling any code you'll have to release the source for.
Please cite which automakers these are so I can avoid them. The owner's manual for my GM-made car documents how to turn off the light.
Gamingmuseum.com: Give your 3D accelerator a rest.
OK, but how do they deal with the problem of the code looking obfuscated? I mean, there's no point to code nobody will use, right?
I'd like to call shenanigans on that one. Every car I've owned (GM, VW, Honda, Ford) has pointed out in the owner's manual in clear text how to turn the light off. Usually, you push some button or series of buttons that will turn that light off.
It's a little wrong to say a tomato is a vegetable. It's a lot wrong to say it's a suspension bridge.
A PHB tells Dilbert to tweak the software they sell so blah blah blah.
Almost another case of life imitating art.
and that won't actually effect anything at all, pretty much the same as the y2k bug really wouldn't have effected anything either.
Y2K effected a free OS upgrade for me!
But otherwise, no, it didn't affect much at all.
Anyway, why the new term "poison-ware"? Isn't this what we used to call a "logic bomb"?
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
> First, if it's really open source someone else could have fixed it...
It's a small step to say "We have the technology, we can fix it".
It's a much bigger leap to actually fix it. Not many mom-and-pop stores have the resources to fix their POS (point of sale) software, for instance.
The amazing, awesome, fantastic thing, though, is that yes, you have the *right* to fix free/open source software without involvement of the source company.
Note that "Open Source" by itself is not a panacea; there exist licenses that let you view the source code - but that's all. I recall Microsoft coming up with a "look but don't touch" license for their libraries, some time back.
I'm not sure I agree in practice. If someone wants to hide a well placed bug in source code (like that forum one a while back), it can be a lot easier to find it by reading through the machine code produced -- Let your compiler de-obfuscate it into something your CPU can understand, and often times it becomes easier for you to understand as well.
Of course you can obfuscate asm too, but I would expect from a shop like this that there would be a very clear call to the get date function (which you can easily detect being imported and see everywhere it is called), and then a conditional jump that you could patch up in a few minutes of working with it in IDA.
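The audit described in the comment above, sketched as an added example (not code from the thread): it scans a disassembly listing for a call to a clock function followed shortly by a compare against a timestamp-sized constant and a conditional jump, and decodes the constant into the date being tested. The listing is constructed, the function list and instruction window are assumptions, and the heuristic will miss dates that are computed, split across `struct tm` fields, or obfuscated.

```python
import re
from datetime import datetime, timezone

# Clock-reading imports to review (libc and Win32 names; extend as needed).
CLOCK_FUNCS = {"time", "gettimeofday", "clock_gettime",
               "GetSystemTime", "GetLocalTime", "GetSystemTimeAsFileTime"}
EPOCH_MIN = int(datetime(2000, 1, 1, tzinfo=timezone.utc).timestamp())
EPOCH_MAX = 2**31 - 1          # end of the signed 32-bit time_t range

INSN = re.compile(r"^\s*([0-9a-f]+):\s+(\w+)\s*(.*)$")   # addr: mnemonic operands
CALLEE = re.compile(r"<(\w+)(?:@plt)?>")                 # <time@plt> -> time
IMM = re.compile(r"\$0x([0-9a-f]+)")                     # AT&T-syntax immediate

# Constructed listing in `objdump -d --no-show-raw-insn` style (not a real binary).
SAMPLE = """
0000000000401126 <check_license>:
  401126:  sub    $0x8,%rsp
  40112a:  xor    %edi,%edi
  40112c:  call   401030 <time@plt>
  401131:  cmp    $0x4b3d3b00,%rax
  401137:  jle    401140 <check_license+0x1a>
  401139:  call   401040 <abort@plt>
  401140:  add    $0x8,%rsp
  401144:  ret
0000000000401150 <seed_rng>:
  401150:  xor    %edi,%edi
  401152:  call   401030 <time@plt>
  401157:  mov    %eax,%edi
  401159:  call   401050 <srand@plt>
  40115e:  ret
"""

def find_date_gates(listing, window=6):
    """Flag clock call -> cmp with timestamp-sized constant -> conditional jump."""
    insns = [m.groups() for m in map(INSN.match, listing.splitlines()) if m]
    findings = []
    for i, (addr, op, args) in enumerate(insns):
        callee = CALLEE.search(args) if op.startswith("call") else None
        if not callee or callee.group(1) not in CLOCK_FUNCS:
            continue
        # Look a few instructions ahead for the compare-and-branch pair.
        for j in range(i + 1, min(i + 1 + window, len(insns) - 1)):
            cmp_addr, cmp_op, cmp_args = insns[j]
            imm = IMM.search(cmp_args) if cmp_op.startswith("cmp") else None
            if not imm:
                continue
            value = int(imm.group(1), 16)
            branch = insns[j + 1][1]
            if (EPOCH_MIN <= value <= EPOCH_MAX
                    and branch.startswith("j") and not branch.startswith("jmp")):
                trigger = datetime.fromtimestamp(value, tz=timezone.utc)
                findings.append({"func": callee.group(1), "call": addr,
                                 "cmp": cmp_addr,
                                 "trigger": trigger.date().isoformat()})
                break
    return findings

if __name__ == "__main__":
    for f in find_date_gates(SAMPLE):
        print(f"{f['func']}() at {f['call']} gates a branch at {f['cmp']} "
              f"on {f['trigger']} UTC")
```

A hit is only a pointer for manual review: the `seed_rng` call to `time()` in the sample is left unflagged because nothing compares its result against a date.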