Slashdot Mirror


Would You Tell People How To Crack Your Software?

An anonymous reader writes "Fed up with piracy and the availability of cracked versions of his software, Cobalt Strike developer Raphael Mudge wrote a blog post telling people how to crack his software. Some gifts are poisoned, and Raphael goes into deep detail about how to backdoor his software and use it to distribute malware. Will this increase piracy of his software, or will it discourage would-be pirates from downloading cracked versions?"

  1. Tongue in cheek by amicusNYCL · · Score: 5, Funny

    There are also several .sl files. These are Sleep files. Sleep is a simple scripting language I’ve worked on since 2002. I write in Sleep because I’m very efficient with it.

    For the aspiring cracker, Sleep is a welcome sight. Its files do not ship in a compiled form. They’re available as plaintext inside of the application archive. A plaintext file requires a special tool, called a text editor, to change its content. I recommend notepad.exe or pico. Linux hackers may use WINE to run notepad.exe. Type:

    wine notepad.exe

    Well done, sir.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    1. Re:Tongue in cheek by amicusNYCL · · Score: 2

      It's obvious why he is giving these directions - he is showing people how to add malware to his software so that any cracked software of his is suspect.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:Tongue in cheek by sexconker · · Score: 2, Interesting

      It's obvious why he is giving these directions - he is showing people how to add malware to his software so that any cracked software of his is suspect.

      Anyone who could crack the software without his help would be fully capable of injecting malware into it.
      His instructions have no effect on the odds of malware being in the cracked copy you download. You'll still download from the first place that has a working release, and that'll still be from one of the "scene" groups, and it'll still be clean.

    3. Re:Tongue in cheek by girlintraining · · Score: 4, Insightful

      All cracked software is suspect. But then, so's the unmodified software.

      But here's the thing... it's usually less risky than the DRM, phone home, internet activation required, now with extra advertisements hardcoded to a server... using internet explorer in a window with 'trusted' site permissions able to handout javascript-laden malware. Please. I'll take the pirate stuff any day of the week, because the groups that do it are small enough that reputation matters; It's their only currency.

      A large corporation can just claim "oh noes! piracy destroyed my business!" and get a fat handout and a pile of FBI agents with orders to beat people in their homes until money falls out. Reputation is not a concern for them. Ergo, neither is quality. Pirates on the other hand... release a single malware-infested item and the forums fill up with complaints, and that group never gets any respect again.

      Bittorrent also ensures, at the protocol level, that everything downloaded matches what was uploaded. http downloads are less secure. And digital signatures on executables, like what Microsoft does? It's been proven, many times over, that the only thing that means is you paid them a stipend to get a key. They don't check to see if what you made and signed is legit or not... and many antivirus/antimalware solutions, including Microsoft's own... will skip heuristic matching if the executable is signed.

      So really... you're less likely to get malware from a piece of pirated software off some torrent site than you are just browsing for porn. It's a grossly exaggerated threat. Just like what this guy is saying; "Here, hack my software!"

      Okay. Nice publicity stunt. Even Bill Gates said if you're gonna pirate, he hopes you'll pirate Microsoft... it's a sign of a software's usefulness.

      --
      #fuckbeta #iamslashdot #dicemustdie
    4. Re:Tongue in cheek by brit74 · · Score: 5, Insightful

      I'll take the pirate stuff any day of the week, because the groups that do it are small enough that reputation matters; It's their only currency.

      Yeah, because the *reputation* of the software companies doesn't matter at all. (roll eyes)

      A large corporation can just claim "oh noes! piracy destroyed my business!" and get a fat handout and a pile of FBI agents with orders to beat people in their homes until money falls out.

      What a load of crap. A fat handout? Do you have any clue at all what you're talking about? Prove it by showing some instances of the government giving money to companies because of claimed losses due to piracy. What a load of crap. I can't think of any companies that have made a bunch of money by "beating people in their homes until money falls out". You're seriously in fantasy land with this one. But, hey, whatever fantasy makes you feel good about pirating other people's hard work without paying a dime. You're a real hero. The world owes you everything for free.

      Pirates on the other hand... release a single malware-infested item and the forums fill up with complaints, and that group never gets any respect again.

      Yeah, because real companies can release a malware-infested piece of software and suffer no consequences. Give me a break.

      Bittorrent also ensures, at the protocol level, that everything downloaded matches what was uploaded.

      Oh, so if a malware infested piece of software is uploaded, Bittorrent will make sure you're downloading the same malware-infested software that someone uploaded? That's reassuring.

      Even Bill Gates said if you're gonna pirate, he hopes you'll pirate Microsoft... it's a sign of a software's usefulness.

      Bill Gates prefers you pirate his software over someone else's because it helps block other people out of the market. If you're trained on Microsoft software, you're more likely to buy it in the future than if you learned some other piece of software. It's good for blocking other people out of the market (and it's most useful if you're a monopoly or nearly a monopoly) because it helps prevent other companies from getting a foot in the door.

    5. Re:Tongue in cheek by PhxBlue · · Score: 2

      Yeah, because the *reputation* of the software companies doesn't matter at all. (roll eyes)

      Sometimes the pirate group's reputation is better than the software company's.

      --
      !#@%*)anks for hanging up the phone, dear.
    6. Re:Tongue in cheek by retchdog · · Score: 4, Insightful

      Yes, obviously.

      The point is to make that possibility crystal clear to end-users to influence them to use the legit version. As such, this is basically a humorously self-deprecating form of FUD.

      --
      "They were pure niggers." – Noam Chomsky
    7. Re:Tongue in cheek by amicusNYCL · · Score: 4, Insightful

      So really... you're less likely to get malware from a piece of pirated software off some torrent site than you are just browsing for porn. It's a grossly exaggerated threat.

      I'm not so sure about that. I watch a lot of porn.

      Even so, regardless of how likely it is, when you're downloading pirated software you are basically executing unknown code from an unknown source. Porn infections at least require a vulnerability to exploit. Hell, the very nature of pirated software means that it has been modified with unknown code by someone with no accountability who is demonstrably willing to break the law. There are plenty of shady actors who see warez as a legitimate infection vector and wouldn't think twice about wrapping a popular application up with a nice payload and distributing it across their botnet to make it look like it has 100 different seeders.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    8. Re:Tongue in cheek by girlintraining · · Score: 3, Insightful

      Even so, regardless of how likely it is, when you're downloading pirated software you are basically executing unknown code from an unknown source.

      The same can be said of any compiled, closed-source code. And corporations in the past have intentionally placed malware onto their official distributions; Such as the Sony rootkit fiasco. Trusting someone just because they wear a suit and say they're your friend isn't much of a guarantee.

      ...been modified with unknown code by someone with no accountability who is demonstrably willing to break the law.

      There's very little accountability to corporations anymore these days. Class action lawsuits were thrown away. The average person doesn't have any real access to the courts -- it's a David v. Goliath situation. And new laws are passed limiting liability all the time. Massive oil spill? We'll fine you a day's wages. Banks too big to fail? Too big to jail too. And saying that someone's untrustworthy because they break the law is a questionable stance to take at best;

      You ever speed in your car? Ever jaywalk? The laws are so terribly complex that you can rest assured you're a criminal. The only person who didn't commit a felony this week is the guy in a coma in the hospital. There are laws on the book that say that eating a salmon that's too long is a felony. There's laws saying you can't violate the laws "of any other country". Even the crazy ones. Even the ones we're currently bombing. And just in IT, there's the computer fraud and abuse act, that is so vaguely worded that basically touching a computer could constitute 'unauthorized access'. People have gone to jail... for providing a URL to a website under that. So if you want to say "willing to break the law" means anything... okay then, but it doesn't count for anything to me or for most people. We're all criminals... it's just not all of us have been caught yet. And if that's not enough evidence for you... consider that we have the highest rate of incarceration of any country on Earth, we lead by almost double per capita, and that margin is growing. And it disproportionately affects the poor and non-whites.

      There are plenty of shady actors who see warez as a legitimate infection vector and wouldn't think twice about wrapping a popular application up with a nice payload and distributing it across their botnet to make it look like it has 100 different seeders.

      Perhaps. But many bittorrent sites have reputation services; And people talk to each other. Read the comments. Watch the forums. Yes, it requires a little more work -- and that doesn't mean someone can't still pull one over on you. But I've never downloaded a piece of software from a torrent site that ever turned a positive; and I scan everything. I go back and scan it months later... and I have a variety of IDS systems, firewalls, etc., to monitor for rogue traffic. If they ever did put a bot dropper into a package I downloaded... it's never talked to anything on the internet. Or tried.

      I can't say the same for a default install of Windows XP or Windows 7.

      --
      #fuckbeta #iamslashdot #dicemustdie
    9. Re:Tongue in cheek by 0111+1110 · · Score: 2

      With one or two small/inexpensive exceptions the last time I paid for software was in the 90s and I possess quite a bit of the stuff. Gotta fill up my 23 TB of hard drive space with something after all.

      If we are relying on virus scans as you do then I have only been infected with viruses maybe once in the past 15-20 years IIRC from USB keys and internet cafes. The negative results from these viruses have been exactly zero. Nothing bad happened to me. Despite what you think torrenting software does not mean you will be infected with malware, at least not malware obvious enough to be picked up by a virus scanner.

      But don't take my word for it. Go ahead and download 100 cracked applications from TPB and use some common sense. That is act like a technical person who actually wants to avoid being infected. Scan everything at virustotal and run any keygens within sandboxie if you can. Download from the most popular torrents ideally from uploaders with skulls at TPB. Do this from within a virtual machine if you are concerned about the risk which really is minimal. Again, assuming we are talking about stuff that will be picked up by the corporate scanners.

      Whenever I run windows I pretty much assume I have undetectable malware running. If you run windows and you don't assume that you are naive. At the very least I assume that a quality keylogger is running at all times hoping for CC numbers and passwords actually useful for identity theft.

      Anything with outbound connections may be picked up because like any non-idiot running windows I monitor those. However there may be subtle outbound communications that even the best commercial firewalls won't see. No doubt all of non-free firewalls are backdoored by the NSA and may allow certain types of communications to be ignored. Unless it's using up a lot of my bandwidth I don't really care because I don't enter any sensitive information on a super-insecure OS like Windows and most of the actually harmful apps are just looking for information, not trying to format your hard drive or delete a bunch of files. That sort of stuff is so 1980s.

      So how is it that I manage to live with all of this scary and yet undetectable malware? I don't enter any information while running windows that I would not want professional thieves to have. I don't type passwords that I care about, that is ones intended to actually protect something from anyone. I don't enter credit card numbers. Ever. For any reason. I assume everything I type is being monitored by a very clever app that thieves pay thousands for as a way to make a living.

      Nowadays the vast majority of malware is either adware whose authors are generally kind enough to make you well aware of almost immediately or financially motivated network software whose sole aim in life is to steal credit card numbers and passwords.

      This idea of yours that routinely using cracked/keygenned software virtually guarantees infection with obvious, detectable with virus scanners, malware is naive and ignorant. It's Fantasyland.

      And BTW if you think that entering sensitive data in Windows is secure just because you don't pirate software let me laugh at you for a while. That is a false sense of security you are feeling.

      As you may have surmised I run Linux when I want to do things like make online purchases or check email or use online banking or log into sites that I feel are worth protecting with secure passphrases or long random passwords. Windows is mainly useful for games and apps with no decent Linux equivalent. It's not useful for doing anything that requires privacy.

      Linux isn't immune to attack of course, but it's in a different league from Windows even when you don't pirate apps and use all of the best security software. I also do my best to avoid installing any Linux apps that allow remote connections to my machine and I do run a firewall that monitors for any such connections nonetheless. I still run my browser with noscript, adblock, betterprivacy, ghostery, and secret agent. It would be nice if it were completely sandboxed as well. Just in case.

      --
      Quite an experience to live in fear, isn't it? That's what it is to be a slave.
  2. He's clearly joking around... by Assmasher · · Score: 4, Funny

    ...and laughing at the technically clueless who think he's being serious.

    Well done by the way.

    1. Re:He's clearly joking around... by Jane+Q.+Public · · Score: 3, Insightful

      "He's clearly joking around... and laughing at the technically clueless who think he's being serious."

      True. But even if you ignore that, I think the Slashdotters here who thought he was serious have missed the big point.

      If you sell your software for $2500 for limited-time use, your software is going to get cracked. Period.

      Study after study after study, for at least the last 13 years, have shown that if users think your software is both useful and reasonably priced, it will sell. End of story. Yes, there will be downloading but that would happen anyway.

      Bottom line: downloading (Not "piracy". Downloading is not piracy.) is simply not a real, significant problem. It is BLAMED for problems, by copyright trolls and programmers who overvalue their product. But it has never proven to really, significantly, affect the bottom line for what the market thinks is useful, reasonably priced software. If anything, it has shown to lead to more sales.

    2. Re:He's clearly joking around... by Intrepid+imaginaut · · Score: 2

      It only takes one technically competent user with a chip on their shoulder, or who believes they are sticking it to the man/men not living in their parents' basement at age 42, or thinks one dollar is too high, and it's out on the torrents. This is without even considering others who will crack software and install malware because a botnet actually brings in money for them. So thanks much to all the pirated software downloaders, you're part of why the internet is a spammy sewer and sites can be held hostage by DDOSes.

      What, you thought all or even the majority of the zombies came from people clicking email attachments?

  3. A little Pyrrhic there. by Valdrax · · Score: 2

    Telling people how to "crack" your software and add malware is a great idea for poisoning the well on cracked copies and a wonderfully spiteful bit of snark, but he takes it a bit too far by telling people how to give themselves a free license with simple tools using clean version from his own site, at which point they are totally free to stop. (Oh, it's a violation of your license, he points out, but what pirate cares?)

    I mean, if this involved something that could more properly be termed an exploit than a simple config file change, that would raise the bar to something that only scary "hackers" can do, leaving you at their unethical mercies if you get a cracked version, but this is kind of shooting himself in the foot.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
    1. Re:A little Pyrrhic there. by Valdrax · · Score: 2

      A great idea might be to corrupt save games after some point. Let them get halfway into it then corrupt all save games. Make sure your support team knows you are doing this and corrupt all the files in some very obvious way like changing them text files about the harm piracy does to gaming.

      Oh, you mean like EarthBound did? It did all that and so much more: Nag screens, unbearable enemy encounter levels, and after slogging through the whole game it freezes at the final boss and deletes your save too. Epic spite.

      Here's a few of the funnier ones. And then there's the supremely ironic one that Game Dev Tycoon added.

      --
      If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  4. Viral Marketing Campaign. Literally. by stewsters · · Score: 3, Insightful

    He's doing this to raise attention. For every 10 people who pirate it, someone will actually buy it.

    1. Re:Viral Marketing Campaign. Literally. by Seumas · · Score: 2

      If he really wants to get more people to buy his software, he should sell it on his website.

      I know it really pisses *me* off when I want to go to a site and buy a piece of software and not only don't they give me an option for it, but they make me fill out a form, email them, and wait around for a response to even get a price. Is it any wonder there might be a chunk of people who say "fuck it, I'll just go download it and use it immediately", when you put hurdles up and can't even tell someone the price up front? (I suspect people then assume the price will be too high for them to even remotely pay for -- kind of like Photoshop).

      Not saying it is justified or that changing that would solve everything, but it sure would likely help a bit.

  5. Export restrictions by TheP4st · · Score: 2, Insightful

    This is what I got when I went to download the trial of Cobalt Strike:

    Due to United States export control requirements, we can not make Cobalt Strike available for download to your country yet. Please accept our apologies--we're very actively working on this.

    It's likely that a fair amount of those using cracked versions are doing so as they cannot get a legitimate copy without jumping through hoops and potentially end up on all kinds of watchlists in the process, that make his move of detailing on how to backdoor the software for malware distribution a bit of an asshat move.

    --
    "I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
  6. It would be something to consider... by mlts · · Score: 4, Insightful

    I believe in having a relatively small speed bump and keeping DRM to a minimum. For an application, just enough to make keygens [1] useless and require the app's executable to be patched, even if it is just a simple item that gets commented out. This breaks the signature of the program, and anyone pirating it will be at obvious risk of an added payload.

    For games, I'd just have a multiplayer mode/library for easily downloaded levels/maps/etc. To access it, a valid key is needed and if two keys (assuming each key is one license) are used, the newer one will not be allowed on. Since this is handled by the server, modified clients are not an issue. Yes, one can always mirror/emulate the server's functionality, but it is a big enough barrier to get people to consider buying a key. Closest game to this was Neverwinter 1 which ditched the CD protection fairly early on.

    [1]: Embed a public key in the program, and the key would include the licensing info with a netpgp signature.
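
The scheme in footnote [1] of the comment above, sketched as an added example (not part of the comment and not code from Cobalt Strike or any other product). Ed25519 from Go's standard library stands in for the netpgp signature, and the key format, field names and function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// License is the signed payload; the field names are assumptions for this example.
type License struct {
	Licensee string `json:"licensee"`
	Expires  string `json:"expires"`
}

var enc = base64.RawURLEncoding

// DemoKeys derives a fixed pair from a constructed seed so runs are reproducible.
// In a real product only the public half is embedded in the shipped program.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = byte(i)
	}
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// Issue runs on the vendor side: serialize the license and sign those exact bytes.
func Issue(priv ed25519.PrivateKey, l License) string {
	body, _ := json.Marshal(l) // cannot fail for a struct of strings
	return enc.EncodeToString(body) + "." + enc.EncodeToString(ed25519.Sign(priv, body))
}

// Verify runs inside the program and needs nothing but the embedded public key.
func Verify(pub ed25519.PublicKey, key string) (License, error) {
	b64Body, b64Sig, ok := strings.Cut(key, ".")
	body, err1 := enc.DecodeString(b64Body)
	sig, err2 := enc.DecodeString(b64Sig)
	if !ok || err1 != nil || err2 != nil {
		return License{}, errors.New("malformed key")
	}
	// Check the signature before parsing or trusting any field.
	if !ed25519.Verify(pub, body, sig) {
		return License{}, errors.New("bad signature")
	}
	var l License
	if err := json.Unmarshal(body, &l); err != nil {
		return License{}, err
	}
	return l, nil
}

// Tamper models a keygen without the private key: it can write any payload
// it likes but can only reuse a signature made over different bytes.
func Tamper(key, expires string) string {
	_, sig, _ := strings.Cut(key, ".")
	body, _ := json.Marshal(License{Licensee: "Nobody", Expires: expires})
	return enc.EncodeToString(body) + "." + sig
}

func main() {
	pub, priv := DemoKeys()
	key := Issue(priv, License{Licensee: "Example Corp", Expires: "2014-12-31"})
	l, err := Verify(pub, key)
	fmt.Println("genuine: ", l, err)
	_, err = Verify(pub, Tamper(key, "2099-12-31"))
	fmt.Println("tampered:", err)
}
```

Because verification needs only the public key, nothing in the shipped program can mint a valid license; getting past the check means changing the executable, which is the signature-breaking modification the comment describes.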

  7. Re:Oh, damnit... I've been trolled. by Zironic · · Score: 5, Insightful

    It probably is that simple for a very simple reason. His target audience isn't really poor kids that just want to try out hacking, he's selling the licences for 2.5k a pop/year so he's obviously targeting companies, companies that would rather not crack the copies regardless of how easy it is because of legal liabilities.

  8. Different Mudge by langelgjm · · Score: 2

    The author's name is Raphael Mudge, but Mudge from L0pht is a different person named Peiter Zatko.

    --
    "Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
  9. Re:Would I? by davester666 · · Score: 2

    Raphael just wants to be backdoored, in deep detail.

    --
    Sleep your way to a whiter smile...date a dentist!