Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malwarebytes Offers Pirates Its Premium Antimalware Product For Free

Posted by samzenpus on from the our-bad dept.

An anonymous reader writes: If you have a cracked or pirated version of Malwarebytes Anti-Malware (MBAM) product the company has debuted an Amnesty program for you. Venturebeat reports: "If you pirated Malwarebytes Anti-Malware, purchased a counterfeit version of the software, or are having problems with your key in general, the company is offering a free replacement key." CEO Marcin Kleczynski explained the program and his statement reads in part: "When I started Malwarebytes, I absolutely had no idea how successful we would be today. I am extremely grateful for all of the support from everyone and how fast we’ve grown. That being said, I picked a very insecure license key algorithm and as such, generating a pirated key was, and is, very simple.

The problem with pirated keys is that they may collide with a legitimate key just by the sheer numbers. For example, Larry may generate a pirated key that matches the exact key that I already bought. Yes, this is silly, and yes, this is literally the first thing a professional software company thinks of when building license key generation, but when you think you’re building a product for just a few people you don’t hash out these details.

Now we’ve grown up, and we’ve got a new licensing system that we’ve rolled out in stages. The only problem is that we have millions of users that we’ve sold keys to, or a reseller has sold keys to, or we’ve given out keys to without keeping track. It is a mess, and you as a consumer have every right to be upset.

57 of 111 comments (clear)

  1. How stupid could someone be? by xxxJonBoyxxx · · Score: 1

    >> cracked or pirated version of Malwarebytes Anti-Malware

    Really? Could anyone on SlashDot really be this dumb?

    1. Re:How stupid could someone be? by xxxJonBoyxxx · · Score: 1

      On second thought, it looks like the AV company is staffed with idiots.

      >> keys is that they may collide with a legitimate key just by the sheer numbers...when you think you’re building a product for just a few people you don’t hash out these details...

      C'mon guys. Your wrote your own clue in the summary. (Starts with "h" rhymes with "trash"...)

    2. Re:How stupid could someone be? by sexconker · · Score: 2

      Hash collisions happen.
      The real solution is to NOT use a generation algorithm for keys. Generate strings, then approve only those you actually sell and distribute.
      Software installation/runtime checks locally against the generation algorithm, allowing for offline installations, bundled installers, old version installs, use in 50 years after all the servers are gone, etc.
      Updates ask for your key and the server decides if it's valid (an approved string that hasn't been used by thousands of PCs across the net).
      Allow manual updates from pre-downloaded files for offline use, use after the servers are gone, bundled installers, etc. If you want to be nice, allow anyone to download these updates, perhaps after some time period, or perhaps only when the software is EOL.

    3. Re: How stupid could someone be? by corychristison · · Score: 2

      To expand on this... you should also generate an "Installation ID" upon validation, stored server and client side along with the key.

      This prevents users from trying to activate the key on more than one system, and allows you to offer controlled multi-system installs if you so choose.

      On update you validate both the key, and the installation ID.

      In the event a user needs to move the software to another install, you can contact the licensing dept and revoke the previous installation ID.

    4. Re:How stupid could someone be? by Anonymous Coward · · Score: 1

      Have you read slashdot commentary lately?

    5. Re:How stupid could someone be? by Mashiki · · Score: 1

      On second thought, it looks like the AV company is staffed with idiots.

      Yeah that pretty much sums it up. I have a legit copy through work and it gave me the 'blahblahblah ur a pr8' bit the other day.

      --
      Om, nomnomnom...
    6. Re:How stupid could someone be? by tlhIngan · · Score: 1

      The real solution is to NOT use a generation algorithm for keys. Generate strings, then approve only those you actually sell and distribute.

      Hash collisions will eventually happen. I believe Windows XP suffered from it where the sheer number of installations has meant that there was a good chance a keygen will also make a valid key that's already been issued. Sure you are blocking a good chunk of them at the beginning, but eventually a keygen will stumble upon a valid key that you DID issue.

      I believe it also happened to a widely pirated game - the end result was legitimate users were getting locked out because the publisher created a huge list of keys (and the server checked it was issued!), and the keygen created keys on the list as well, so pirates could play the game, while the key was sitting in the box on the shelf at Best Buy. User comes around and boom, key is used.

      To expand on this... you should also generate an "Installation ID" upon validation, stored server and client side along with the key.

      This prevents users from trying to activate the key on more than one system, and allows you to offer controlled multi-system installs if you so choose.

      On update you validate both the key, and the installation ID.

      In the event a user needs to move the software to another install, you can contact the licensing dept and revoke the previous installation ID.

      The problem with that is users hate calling for support, and how long are you going to maintain it?

      I mean, great, you do this. Now you'll have to handle calls from people calling about a 10 year old version they need moved to a new PC. And forget about offering in-system deregistration because most users, by the time they install it, the old installation is gone - either hard drive died, got corrupted, etc., and there is no way to deregister the key.

      So either you have to deal with users who call to move their 10 year old copy of software (no longer supported) to new PCs (and hell no they will not pay to upgrade) even though it's no longer in production, supported, and bugfixes stopped 5 years ago, or you will end up with a really pissed off user.

      You also have to remember we're talking about $20 pieces of software. If it was a $500 piece of software then maybe you'll have more diligent users who will tolerate phoning software support, but likely not.

      For something like Malwarebyte's product, since it's online only, it's easy to check keys since it will have to get updates always.

    7. Re: How stupid could someone be? by jarfil · · Score: 2

      To further expand on this... keep talking, meanwhile as a client I'll be looking for software with none of that crap.

    8. Re:How stupid could someone be? by mwvdlee · · Score: 1

      Generation algorithms for software license keys is fine.
      Simple generated keys stop casual sharing of licenses. Nothing stops dedicated hackers.
      Why invest time and money in a very expensive license key system when all you're doing is providing the hackers with a more interresting challenge.
      The problem here isn't generating keys, it's the relatively high chance of colission; it's badly generating keys.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    9. Re: How stupid could someone be? by AmiMoJo · · Score: 2

      Please don't try to limit the number of installs. It breaks horribly when you try to do a re-install, or move to a new PC, or run in a VM. The nature of this software is that techs will often install it on customer's PCs, clean them and then remove it.

      Install counters are evil.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    10. Re: How stupid could someone be? by corychristison · · Score: 1

      Really depends on the nature of the software, I guess. For Malwarebytes it probably isn't the best idea, but at the same time it could easily de-reg the install ID upon uninstall.

      There are various ways to do it. My example was one such way, that is all. There is no one-size-fits-all.

  2. It's a great idea by the_Bionic_lemming · · Score: 2

    It's a good marketing move - most people just download the free version and scan. Problems fixed so they won't buy it for the bells and whistles - now they'll get lots of people to try the bells and whistles and might retain future revenue.

    It's better than them canceling the free version and make it pay only for revenue.

    --
    _ _ _ Go for the eyes Boo! GO FOR THE EYES!
  3. Re:Hardware Locking by sexconker · · Score: 2, Informative

    Burned-in MACs? My nForce 2 motherboard's NIC (the nVidia one, not the Realtek one) has a MAC that's user-definable in BIOS.

  4. Re:Hardware Locking by idbeholda · · Score: 1

    If total overhead increase of 200KB for compiled application size, and ~3-5MB memory overhead for non-invasive DRM is a joke, then yes. But not as much as MS extending support until 2024 to allow for the "migration to .NET". At that point, I'll have moved onto other things.

  5. Re:Hardware Locking by idbeholda · · Score: 1, Informative

    CLI = Command Line Interface.

  6. Re:Hardware Locking by sexconker · · Score: 1

    If total overhead increase of 200KB for compiled application size, and ~3-5MB memory overhead for non-invasive DRM is a joke, then yes. But not as much as MS extending support until 2024 to allow for the "migration to .NET". At that point, I'll have moved onto other things.

    Hopefully you move onto something you understand.
    Do you REALLY think you're the first person to think they've got good DRM?

  7. Re:Hardware Locking by vidarlo · · Score: 1

    Yeah, nearly. I didn't say it was FULLY crackproof, but you have to know what you're doing in order to bypass it. Which is why server authentication is BUILT IN. So, unless you've got a direct proof-of-concept exploit, such as faking burned in MAC address codes, along with simple bios info (which amazingly, can be brought up via windows commandline), I would make the educated guess that you're upset in regards to me further maintaining already solid code which someone else can build on.

    Or what happends if the software is modified, with a neat little jump instruction where it wants to run the verification? Or what if you just write an API wrapper that gives the desired input?

    --
    Assembling etherkillers for fun an profit
  8. Re:Hardware Locking by idbeholda · · Score: 1

    Look, if you're upset that it's written in VB6, fine, whatever. Unless you've actually got something like a direct proof of concept exploit, you have nothing to bring to the table. As for other things, I'm well aware of my own skillsets and limitations. That's why I don't just limit myself to programming. Unfortunately, I would have to make a moderately (un)educated guess that the extent of your interest in this discussion is simply to bitch because you can.

  9. Re:Hardware Locking by idbeholda · · Score: 1

    Also, you might want to look into this, since it doesn't exist. https://en.wikipedia.org/wiki/...

  10. Re:Hardware Locking by idbeholda · · Score: 1

    That's generally the idea to bypass most types of DRM. External/Internal patching is not a new thing. However, even disassemblers still have problems with truly decompiling P-Code, since most of the internal routines are technically "undocumented" and have been for quite some time. More than that, code obfuscation techniques aren't new either, and by definition, anything can be cracked. It just depends on how much work you want to put into it.

    As for an API wrapper, considering that most of the code is a direct result of CLI scripting, the actual workaround would be to modify/fake batch scripts on the fly. The only way to do that is to either rewrite portions from the source code itself, or do an internal jump/patch (internal or external, doesn't really matter), which defeats the purpose anyway.

  11. Re:Hardware Locking by vidarlo · · Score: 4, Informative
    We're upset because you're peddling snakeoil. Here is an excercept generating the hardware ID:
    If Dir("gethwi.bat") "" Then Kill "gethwi.bat"
    Open "gethwi.bat" For Append As #1
    Print #1, "w32tm /stripchart /computer:us.pool.ntp.org /dataonly /samples:5 >gtime.dat"
    Print #1, "systeminfo >gsys.dat"
    Print #1, "getmac >gmac.dat"
    Print #1, "exit"
    Close #1
    Shell "gethwi.bat", vbHide

    You use this information to generate an ID. But you don't even hash it with a one way hash, which means it's possible to forge a reply to give an desired result. A good one way hash would at least make that impossible. It is also not scaling very well - you will need a lot of support for pissed customers who changed parts of their computer or changed timezone.

    Furthermore, you do no authentication of the answer from the server. Anyone can send the response, and be accepted. You do not have any security. It would be trivial either remove your DRM by jumping over it, or supplying the very wrong values. A race condition would also work - overwriting the gsys.dat, gtime.dat, gmac.dat before your program reads it. Or simply replacing the code snippet above with a batch file which state echo "Desired values..." > gsys.dat.

    So take an evening, think about how you can bypass your system. Try my suggestions. Fire up an debugger, and have a look at the software.

    --
    Assembling etherkillers for fun an profit
  12. Re:Hardware Locking by idbeholda · · Score: 1

    3/10 - Ctrl + Mouse Scrollwheel = Zoom in/out.

  13. Re:Hardware Locking by idbeholda · · Score: 1

    I'm glad you left the rest of the source code out that generates the inital hardware spec. If someone wants to add additional layers of modified hashing they can. The stuff you're complaining that's lacking is already in there. Each system will generate a unique 24-digit hardware ID code.

    QED

  14. Re:Hardware Locking by idbeholda · · Score: 1

    As is every other piece of DRM. Nothing is crackproof, which is why I used the term "(nearly)". With this type of DRM, the more important part is to make sure the authentication server isn't easily compromised.

  15. Re:Hardware Locking by idbeholda · · Score: 1

    Yep, that would be for checking individual expiration dates for different modules, if the developer is going to use it to manage software content. That's what it's for.

  16. Re:Hardware Locking by idbeholda · · Score: 1

    Unfortunately, no, due to the NDA I signed with a previous company I worked for. The entire software archive they had totaled around 2.5GB, which with this, along with rewriting major parts of their main application, reduced the total disk space requirements down to 398MB. And instead of having 20+ keys (in some cases 150+ keys) for each user and application, each user ended up only having 1 key to deal with.

    The only reason they didn't implement the new system was because they were "afraid they would somehow screw things up making new user accounts", despite the fact that a 5 year old can handle the server-side/administrative end, along with documentation. I wouldn't put it up if I knew it wasn't fully functional. So as far as I'm concerned, their source code is something I'm not giving out. The code I developed, however, is a different matter. If they don't use it, then it's mine. Plain and simple.

  17. Re:Hardware Locking by idbeholda · · Score: 1

    Ah. The target vector would be emulating not only the server, but the actual files that are distributed FROM the server itself. When the user would access their profile (autoloading from 24-digit HWID, based off of hardware identification), the data that dictates expiration dates, hardware codes, modules, modulenames, etc, is where secondary encryption comes into play. Even emulating server side authentication using VMs is a lot more difficult than it would seem, since the actual content HAS to be copied in order for the crack to actually work. This is well above the skill level of most seasoned devs, so again, the weakest point would be the security of said authentication server. It's not crackproof, but it's extremely difficult to actually work around, even using external patching and disassembly. During my tenure at said company, I did months worth of testing, debugging, cracking, etc, to make sure that altering the compiled code would NOT be a simple cakewalk like other applications that are easily vulnerable to an external patching crack. Internal disassembly, once compiled, obfuscated, and compressed isn't exactly anyone's idea of a fun ride at a waterpark.

    The reason I left wasn't because I peddled some kind of snake oil, the code works. I gave several live demonstrations in-house, and for their costumer base. The reason I left was because I suffered a secondary fracture to a knee that had been fractured at a different location less than 10 years ago, which was due to negligence on the part of the company and the property management. Not exactly something one can just bounce back from. However, that's really beside the point.

  18. Re:Hardware Locking by idbeholda · · Score: 1

    Less than 2 years ago*

  19. Re:Hardware Locking by idbeholda · · Score: 1

    There doesn't need to be, but in order for that to actually work, you have to know the exact make of another user's computer, along with the resulting hardware ID code. It can be done, but it's not as easy as you think.

  20. Fair is Fair? by digitaljc · · Score: 1

    So let's see if I have this right. With this initiative pirates get free product while customers are charged for the same product? Score: Pirates 1 / Customers 0 I say they expand the initiative to include providing existing customers with a free 1 year license extension and 1 year free to new customers. In that way, everyone can fairly enjoy the same benefits while being properly exposed to the premium product.

    1. Re:Fair is Fair? by nhat11 · · Score: 1

      Pretty much, I have almost no incentive to buy the product if I can pirate it then get it for free

  21. Re:Hardware Locking by idbeholda · · Score: 1

    They call said company, give them the old hardware ID code, then the new hardware ID code. From there, the administrative side takes less than 5 minutes to do, which the old profile is copied to the new server-side hardware identifier, and the appropriate adjustments are made to the encrypted profile. They restart the application, and the software automagically works. As I said earlier, a 5 year old could do it.

  22. Re:Hardware Locking by idbeholda · · Score: 1

    Also, they would need to know the following 1) Another client's hardware ID 2) location of every module/software they plan on downloading while directory views on the server are disabled. The cracking part is a lot easier said than done.

  23. Re:Hardware Locking by idbeholda · · Score: 1

    That goes without saying.

  24. Re:Hardware Locking by idbeholda · · Score: 1

    The whole point of the recipe is for the developer to make the cake. That's what software development is. As for the padlock metaphor NOTHING is crackproof, and I never claimed that it was anyway.

  25. Reddit by kidsizedcoffin · · Score: 1

    Several months ago after one of the Internet large password breaches the company offered several "forever" codes on Reddit as a gesture of goodwill. Amazingly enough those are now coming up as these suspicious licenses now. I suppose you can't complain about something you got for free, even if it wasn't pirated. I have another year of the license now before it expires instead of lifetime.

  26. Re:Hardware Locking by idbeholda · · Score: 1

    If they do, then there's a bigger problem to worry about, and it's not DRM.

  27. Re:Hardware Locking by idbeholda · · Score: 1

    I understand why you'd want the cake without having to bake it. I get that, I really do. But the point is, IDGAF either way. I'm not the one wanting the pre-baked cake, and if I did, much like yourself, I'd go to the store and buy one. If someone wants me to bake that cake for them, well, cough up some cash and make the adventure worth my time.

  28. Re:Hardware Locking by thegarbz · · Score: 1

    Many MACs are adjustable in the drivers.

    And yet some are not and are hardcoded. I.e. The Surface Pro series has a MAC that isn't adjustable. The registry hacks don't work because the registry keys don't exist and if you use some software to spoof the MAC you end up in a BSOD loop.

  29. Re:Hardware Locking by mwvdlee · · Score: 1

    Can I move my license over to new hardware without having to rely on the software vendor's cooperation?

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  30. Re:Hardware Locking by mwvdlee · · Score: 1

    Also, how well does your system stand up to NOP?

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  31. Snake oil product vendors by ruir · · Score: 1

    offer free license key. Colour me impressed and dully excited. (disclaimer nothing against the particular vendor)

  32. Re:Tried It Out.... by KGIII · · Score: 1

    I have used their service in the past but I never bought their program. I did some debugging and definitions work with a security company as a lark and have free access to their software. Anyhow, it took a minute to find a code online which I entered (use the ID too) and it offered me a free key after that. It was pretty painless. I will give their monitoring service a try on this laptop and see how it works out. I often do not use real-time AV anyhow.

    --
    "So long and thanks for all the fish."
  33. Re:Windohs you say?! by clickclickdrone · · Score: 1

    They all run Linux servers, big difference. Makes perfect sense there. Desktop, for most people, not so much.

    --
    I want a list of atrocities done in your name - Recoil
  34. Re:Hardware Locking (BIN SPAM) by Anonymous Coward · · Score: 1

    It's pretty easy to lock down these things via hardware.

    NOP
    NOP
    NOP

    In fact,

    cough (me think he protest overly so) "to be frank", "to be honest" (trust me, that warm feeling is not me pissing in your pocket, in fact...)

    I have a working model that's (theoretically) infinitely scale-able

    So much for the fact. The "theoretically" taketh away the impossible "infinitely"....

    on any given server, ignoring file number restraints from the hosting provider.

    tl;dr? rhetoric + sophism + bullshit = pure_weasel

    http://www.tot-ltd.con/WMSDK.h...

    FTFY

    Now stop spamming and fuck off back to Intertubes Worriers where you belong. Surely they need more of your fake malware products more than /. readers? (Erick - that is you isn't it? Your self-promotion is almost as good as your ability to fall down fire-stairs when trying to skive off work.)

  35. Re:Hardware Locking by goose-incarnated · · Score: 1

    You haven't answer AC's question - do you have some software that uses this, so we can have a crack at writing a... uh, crack :-) Hell, just package something off of github, put the executable on your site and even I'll have a bash neutering the software.

    --
    I'm a minority race. Save your vitriol for white people.
  36. Re:Hardware Locking by goose-incarnated · · Score: 1

    If total overhead increase of 200KB for compiled application size, and ~3-5MB memory overhead for non-invasive DRM is a joke, then yes. But not as much as MS extending support until 2024 to allow for the "migration to .NET". At that point, I'll have moved onto other things.

    Hopefully you move onto something you understand. Do you REALLY think you're the first person to think they've got good DRM?

    He's been repeatedly asked for an executable we can have a bash at, and he's refused (apparently it's too much work). I've seen this on usenet waaaay too many times in the 90's. Some new aspiring unsung-encrypting-genius will pop up on comp.programming (or similar) and boast about their encryption algorithm without giving any details about it. Suffice to say someone usually managed to decode their ciphertext within a few hours.

    This appears to be more of the same - at least the usenet newbies had the grace to provide something that we could attempt to crack; this poster, as sincere as he sounds, doesn't even want the free crack-testing that we are offering, so yes, he probably *does* think that he's come up with a DRM solution that is better than anything that came before.

    --
    I'm a minority race. Save your vitriol for white people.
  37. A software company showing respect for customers? by Kevin108 · · Score: 1

    Damned if this isn't a first. I've never needed a licensed version of their software, but the transparency, respect, and benefit of the doubt they are giving users of their software, both paid and otherwise, truly impresses me. As such, I will be happy to purchase a license the next time I need their software.

    --

    It's a perfect time for being wasted.
    A perfect time to watch the stars.
    - Burden Brothers, "Beautiful Night"
  38. Re:Hardware Locking by omnichad · · Score: 1

    I can read it just fine - but it does appear to be designed for much lower DPI screens (1024x768 @ 17"). So the design is probably over a decade old.

    Do you know how zoom works?

  39. Only on slashdot.. by kuzb · · Score: 1

    ..would people shit on someone for acknowledging a problem, admitting fault, and then moving to fix it in a way that benefits not just the consumer, but everyone else too.

    --
    BeauHD. Worst editor since kdawson.
  40. Re:OK so how do I fix this? by crypticedge · · Score: 2

    Short answer is no. Long answer is yes.

    Some versions of the crypto viruses have the keys released so you can decrypt. Others do not. If you know how to google, you know how to find out what version it is and if it's been released. If you've got cryptolocker it's simple.

  41. Re:Hardware Locking by sexconker · · Score: 1

    There is no "Windows CLI". I even told you that when I said "(Hint - there is no such thing.)".
    Windows is a GUI. Windows does not have a CLI. The CLI you are referring to is a faked, extended DOS environment (to various degrees of fakeness depending on your version and bitness of Windows, cmd.exe vs. command.com, etc. ).
    It is not Windows. Windows has PowerShell now, but it's not a core part of the OS.
    In short, Windows does NOT have a true CLI.

  42. Re:Hardware Locking by sexconker · · Score: 1

    command.com and cmd.exe are different, both are NOT DOS, and both are NOT Windows.
    PowerShell isn't a core part of Windows (yet) and doesn't have anywhere near the coverage necessary to be a true CLI.

    These things may be CLIs, but they are not "Windows CLI". There is no "Windows CLI". idbeholda has no idea what he's doing. He seems to think running pulling some strings from some cmd.exe commands let him create strong, hardware-locking DRM.

  43. Re:Hardware Locking by omnichad · · Score: 1

    The only thing required to make either one a "true" CLI is that there be a command line that lets you interface with things. It does not have to be a core piece of the OS to fit the definition. Otherwise, you could say that Linux distros don't have a true GUI.

  44. Re:Hardware Locking by idbeholda · · Score: 1

    https://en.wikipedia.org/wiki/...

  45. Re:Hardware Locking by idbeholda · · Score: 1

    It's actually about 6 years old. Eventually, I'll get around to changing it to a different theme/style.

  46. Fishy by sentiblue · · Score: 1

    I just have a feeling this "free" version will do things like Superfish on Lenovo... stealing info, or gathering non-private data to boost their advertising campaign....