Slashdot Mirror
Flight Sim Company Embeds Malware To Steal Pirates' Passwords (torrentfreak.com)
TorrentFreak: Flight sim company FlightSimLabs has found itself in trouble after installing malware onto users' machines as an anti-piracy measure. Code embedded in its A320-X module contained a mechanism for detecting 'pirate' serial numbers distributed on The Pirate Bay, which then triggered a process through which the company stole usernames and passwords from users' web browsers.
That's probably naughty, but hilarious.
I hope they get finger-cuff banged by simultaneous lawsuits and hacking.
WTF idiot company
That's what I do with everything. Pirate it, install on a box I don't care about. If I like it, I buy it since it's easier than trying to patch a pirated copy and I don't need to worry about security.
USB dongles still are a thing. The compiler I was using needed one.
There are ways to lock down software without resorting to installing a password stealer on all your customer's computers and promising only to run it if a certain set of keys is entered.
Which is insane. I mean the PCI card was the dongle. What good with their software do anyone without the hardware? I've seen this sort of idiocy in the science instrumentation niche also. They sell a half a million dollar instrument and then require a dongle. Insane. But I guess everyone wants to cash checks.
I remember many years ago I purchased The Sims for my wife. The install wouldn't work. I called tech support and they told me that it sounded like what happens when someone removed a pirated version and tried to install the official copy. I just said Yeah, that's what I did. They seemed to appreciate my honesty and willingness to pay for it and helped me clear the registry of the offending entries that let me install the legit copy.
I have to wonder how they intend to use illegally obtained information in a court case without getting the case thrown out.
I mean, they installed hacking tools on someone's computer, and then the judge has to trust they didn't plant the evidence?
-=This sig has nothing to do with my comment. Move along now=-
Two wrongs don't make a right.
But cross me, and I'll CUT you!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Exactly. That's why I install bombs in all the cars I sell. If the car is started without the original key, it blows up! What could POSSIBLY go wrong?
That's to keep out clones. Without the dongle the Chinese would have gray market PCI cards for cheap.
Attempting to combat piracy with stupidity probably won't work, but ya never know so, hey! Let's try it!!
Just got to wonder how much of this is happening and has not been discovered as yet?
Talk to Microsoft about that one, back in the mid to late 90's a rumor went out about MS doing mass delete on illegal installs. To the point where sales in China started to hit new high's. Personally, I don't see an issue with the mass delete, crash the system with a bad dll but taking passwords, that seems wrong.
if you see me, smile and say hello.
Or worse, the activation process is so cumbersome that you pirate as a workaround, despite having paid for it.
This is a situation where corporations are conveniently not people. So no one person will truly be held accountable.
If a company is so desperate to protect their content, USB dongles are not that expensive ($7 for a Senselock Clave2 model that is OS agnostic and does not need drivers), and are quite secure, even allowing CPU tasks to be executed on the hardware. That, or go with the latest Windows DRM which is going to get some updates because of the recent break.
DRM is not necessary. Companies should be spending their time and energy making a decent, robust product and build themselves a good reputation. Pirates will pirate no matter what.
"âoe[T]here are no tools used to reveal any sensitive information of any customer who has legitimately purchased our products."
All others gave us explicit permission to all usernames and passwords entered in the the computer. It's in our EULA your honor, we committed no crime.
09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
FBI/CIA job as real pilots pay for sims.
So it's some punk kid who thinks it's fun to crash planes or it's the people who don't need to learn how to land.
Let's see which distribution of the game fixes the bug (i.e. eliminates or disables the malware) the fastest: the next pirate version of the game, or the one that you buy from the lawful publishers?
I predict that pirates will perform the maintenance faster. And then the lesson being taught to this game's players will be: remember to pirate instead of buying.
But maybe my prediction is wrong. The game publisher is going to need to be amazingly fast in order to prevent sending the "you should pirate" message.
All this aside, does is strike anyone as weird that people pirate software? I'm fine with pirating media (e.g. every single movie and TV show that I watch; what's gonna happen, maybe someone will exploit a buffer overflow in a popular player?) but I would be terrified to download and execute binaries from random strangers. Yes, I did that back in the 1980s, but that's because about all I was risking was the contents of a single floppy. Once we got hard disks (and shitty OSes that don't sandbox processes very well) it seems like malware would have totally killed off software privacy. I'm amazed we're having this conversation in 2018 rather than, say, 1988.
Comment removed based on user account deletion
True. Just knowing it's there makes that computer a lot more vulnerable to getting nailed
Or the DRM is screwing with your system so you get the pirate patch to kill the DRM so things go back to normal.
I seem to recall that was just a myth. Though for a long time Microsoft didn't raise a fuss about pirate copies of their OS because that meant people were running their stuff instead of somebody elses. That did eventually change, but it sure as heck helped them penetrate the market to record levels.
I finally paid for a legit DAW (at the cost of a few hundred pounds) last year after 20 years of using a copy of it only to find that the legit version is every bit as buggy as the torrented version. Wish I hadn't bothered.
Or make their clone so it doesn't require that in the first place.
> You copy some electrons harmlessly therefor you deserve your real world information stolen, potentially to real harm.
News flash, but piracy doesn't harm anyone. It's either people that wouldn't have paid anyway, and thus not a loss, or people that use piracy as a demo and end up paying BECAUSE of it.
That's true for some people but clearly not true for everyone; clearly not true for the majority of people either. I know lots of people who pirate material to avoid having to pay. Not many people PAY for something they have already. And, even if that were to occur isn't it up to the owner of that intellectual property to decide?
If you stole a TV set from Walmart and told the cops you were going to go back and pay for it later if you liked it you wouldn't get much sympathy. Or if you snuck into a cinema and went into a room and watched a movie you wouldn't get much sympathy if you told the cops you were going to pay for the movie if you liked it.
If you can't afford to buy a game, movie, or album... go without. Don't steal. There is actually lots of free content out there that is legitimately free and legally available for you to consume. Seek that out instead.
"That's the way to do it" - Punch
Actually it is illegal in both the USA and many other countries as well.
As to the sony rootkit, it was in a gray area of the law, so it would take somebody with more lawyers they can throw than sony can to win that kind of lawsuit.
EA's DRM is so screwed up and invasive, it's been known to cause hardware such as optical drives to quit working.
"That's the way to do it" - Punch
My 10 year old spent some of his money on a download of Cuphead from the Windows store a few months ago when it came out (so paid full price). After a Windows update it stopped working completely, crashing out shortly after the splash screen. After an hour or two of trying to debug this, I found the torrented repack worked just fine, and he has been using that since. Not sure what the lesson there is.
They will attempt to extort first and seek an out-of-court settlement a la the RIAA / MPAA through their hired lawyer brigade once they've ID'd the "pirates." Much easier and cheaper than actual litigation, where they'd have little chance of success for the reason you cite, among others.
Don't steal.
I agree with everything you said... minus that. I don't like seeing copyright infringement described as stealing. It is certainly depriving a copyright holder of revenue you may or may not have given them... But you have stolen nothing from them. You have breached their statutory rights to control copies of something they made. There was no theft.
I admire your honesty. Hell, I like you. You can come over to my house and fuck my sister.
I had to crack a legitimately bought copy of GTA IV because of the steam+windows live+social club idiocy.
Make this an "undamaging part of the software" you provide to someone who isn't a commoner (banks, pharma, The Mouse, etc) and see how long it takes before a judge says your shit "accessed stuff".
That's pretty much all it takes to weaponize the CFAA, if you can afford it.
Whether or not someone pays (your backpedaling at the end) for a Licensed Measuring Stick Operator doesn't change the height.
But you have stolen nothing from them.
Using this argument, the flight sim company has not stolen any usernames or passwords. No problem?
It is illegal in many/most countries. What they did would be "maybe" borderline grey if they had been upfront and telling people what they are installing, Harvesting private details from a computer system you do not have permission too is a criminal offense in most of the world. The Sony rootkit fiasco predated many of those laws, if they tried that now that would be well and truly fucked!
So a civil copyright violation is met with committing a felony under the computer fraud and abuse act?
Embed the dongle on the card. That's all you have to do. The software reads the license key off the card and operates appropriately.
We have USB analyzers and other hardware where the license was embedded in the hardware itself. This mean it could be moved between people's computers and used as needed. When you bought a software upgrade, you ran a program and it programmed the nice license into the hardware, and was available to everyone who used that hardware.
Better yet, without the device attached, the software worked in view-only mode so you can work on saved captured while someone else is debugging.
And sometimes, it makes no sense - if the software works with a specific piece of hardware, so be in, drop all the dongles and other crap because the software and that piece of hardware go together - one is useless without the other. Heck, it's also far easier to convince people to add support if you toss in hardware support as well - I bought your half million dollar piece of equipment, you bet I will buy extra warranty for it, then just bury the software support in that.
It annoys me to no end, especially how electronics EDA tools all use FlexLM or something and getting the right combination just right is annoying.
some pirates are upset that somebody tried to hack them?
Sounds to me like actual paying customers are upset, not Somalis trying to eke a living.
only EXECUTED on systems running stolen software
That would explain all the AV flags it caused.
Do not run to the police for somebody trespassing on your lawn when you are a serial killer/robber.
But do run to the police if, while trespassing, you see a murder.
STOP PIRATING OTHER PEOPLE'S STUFF. Become a civilized human being.
These are not connected.
The only reason normal users of tech are continually facing DRM and other garbage is that people like these whining crybaby jerks are stealing stuff.
That's not the case. If nothing else, normal users of tech historically paid a certain amount for software and used a certain amount of software and those amounts were never the same.
But apart from that, software copyright infringement does not justify rootkits, system damaging DRM or indeed, hacking peoples passwords.
There's no excuse for spending enormous amouts of time and energy cracking software and hacking passwords
It's fun!
and then distributing the hacks/passwords.
..and you get major kudos.
Most of the people doing this can easily afford to buy the software they are stealing, but they just prefer to spend a thousand dollars on a new iPhone
Wait. Either they can afford it, and buy an iPhone, or they can not in fact afford it, on account of their limited resources being otherwise allocated.
Get your story straight here, please.
As a rule of thumb: if you can afford a gaming rig, you can afford to buy your games.
My commiserations on the chainsaw accident that must've taken both of your thumbs.
I've written software for a living. I've also had people infringe on my copyright for that software. They're still alive; some things just aren't worth giving a shit about.
Pro-Tip: They didn't.
It's all about blackmail.
And you *know* the answer is nobody. The crime was committed by a corporation, and not against a politician.
I think we've pushed this "anyone can grow up to be president" thing too far.
Well, from what I do recall, it was a specific Chinese language pack that got the thumping. But you might be right it was about 20 years or so ago. I guess you can say MS gave away the drugs for free to establish market share.
if you see me, smile and say hello.
Breached? That's an asshole word for theft. No, you cunt, it's not a breach.
These people should go to prison for criminal hacking. In many penal codes what they did is at least one order of magnitude worse than piracy.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
No. It was because 300 million unpatched systems could bring down the Internet. They didn't want infected zombie armies. Such things happened on smaller scale and this is a big reason why Win 10 is forcing updates. Way more machines, more horsepower and bandwidth would be an Internet apocalypse if a sizable portion was infected or running known exploitable windows.
Who installed what? The person at the keyboard did, not the company.
The lesson is you and your son have been had, taken advantage of by a system intent on deceiving you.
The chief underlying problem here is proprietary (non-free, user-subjugating) software. Software you're not allowed to run, inspect, modify, or share (also known as 'software freedom'). Proprietary software is licensed and distributed to keep you from running the program despite doing normal maintenance, software meant to keep you from treating your friends as friends by sharing a copy, inspecting the program to see what it does, and distributed to prevent you from modifying your copy the program should you wish to for any reason.
I experienced something quite similar with the Commodore 64: A video game called Elite on the C-64 had an anti-copying scheme so clumsy and prone to problems it drove me to understand what was really going on. Today we'd properly call this DRM—digital restrictions management (expanded that way because I take the side of the user class, not the publisher class) which was only visited upon those who obtained their copy of the program in a way the publisher found acceptable. Typically this meant buying a copy, but I later came to understand some copies were distributed gratis. The packaged game came with media, a manual, and a flat plastic device with a see-through window. The device could be bent so it resembled a table like an inverted letter "U". On starting the game, the user was shown some blocky image that looked incomprehensible. When the plastic device was folded, placed on the monitor at the proper distance (via the "legs" of the device), and peered through one could see the blocky image turn into something readable. If I recall correctly, the readable image was a page number reference in the manual one was expected to look up and type in the proper word to get past this stage of the loading program.
After I did this a couple of times it dawned on me that those who engage in filesharing and treating friends like friends (sometimes propagandistically called "pirates") never have to put up with this. Only the people who used the publisher-distributed copy did. And most of those users had paid for this treatment.
Those who shared copies were doing us all a favor: they let us try programs before buying a copy, they let us run copies that didn't have what we now call DRM; the anti-copying code had been stripped away. They let us have copies that one could copy in an ordinary fashion, no need for special copiers (such as "nibblers", or any copier that knew how to get past the errors which were deliberately added to the disk to defeat the standard file and disk copiers). There was no need to work around the issue by using audio tapes instead of disks (since audio tapes didn't have copy-prevention added to the media). These so-called "pirates" were doing us a service, a service I might have paid for if offered the opportunity to pay a publisher for a headache-free copy of the program.
Later I obtained a memory snapshotting cartridge called "Isepic" which let me make my own copy of the RAM-resident portion of the game. Isepic produced a copy which loaded faster, never prompted me for the manual lookup, and played identically to the other copy loaded from the distributor's media (no surprise there, it was the same code being loaded into memory). I never loaded the distributor's media again. But this got me to thinking about all the other programs (not just games) that treated the users this way across all the computers I had used. And I began to realize that this was a scam perpetrated on the people who treated the publishers the best. We were literally exchanging our money for being treated badly. And this harm pushed on the users was indiscriminate, just like the flight simulator company did here.
There was one more issue to wrestle with: proprietary software. This was an issue even the filesha
Digital Citizen
So in summary: 1) FlightSimLabs just destroyed their company by intentionally inserting malware into a product they were charging for. 2) FSL was asked on their forums about it when various antivirus programs identified their product as malware. They responded by saying "turn off your AV software." 3) FSL transmitted the material over an open HTTP stream. 4) The server that they have stored this stolen information on is itself secured in a very piss-poor manner. (RDP is open for God's sake.) 5) As this was intentional, and not a mere "bug," it can theoretically be prosecuted in the U.S. as a felony. (Read: Quality time in Federal pound-me-in-the-ass prtison.) 6) Even if merely incompetent, their failure to secure the data they stole is itself criminal in the EU. 7) I guarantee you that they cannot prove that at no time was any of their unencrypted HTTP steams intercepted, NOR can they prove that their obviously insecure server was not comproimised, meaning: 8) How do we know that this wasn't intentional to steal information and go sell to identity thieves? They charge $100 by identity theft. https://www.fidusinfosec.com/f... Oh, where did I get #8? That's the only logical reason they would have stolen the data in the first place. It doesn't do shit for piracy. I hope these assclowns have a good lawyer.
Scenario: I legitimately purchase the software. Months later, I for some reason have to reinstall the package. I can't easily find the email with the serial key in it, so I quickly google and get a pirated SN. I place the pirated SN in. The software works. Later, I find out that because I put that particular SN in, FSL has stolen personal and sensitive material off of my machine, transmitted it in clear across the Internet, and dumped it on an insecure server for no legitimate reason. Maybe you could argue I violated the DMCA in a minor way, but the software authors violated the CFAA in a major 20-year-prison felony way.
I hope they don't have a good lawyer and are utterly destroyed.
"Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
How about identity theft? You still have an identity so therefore it's merely "identity breach"?
Code embedded in its A320-X module contained a mechanism for detecting 'pirate' serial numbers distributed on The Pirate Bay, which then triggered a process through which the company stole usernames and passwords from users' web browsers.
If any individual was found to be installing this kind of malware on remote computers, they would be charged with all kinds of computer hacking crimes, just as a start.
Where's the criminal charges? This company needs to be made example of, this kind of behavior is utterly unacceptable.
As to the sony rootkit, it was in a gray area of the law, so it would take somebody with more lawyers they can throw than sony can to win that kind of lawsuit.
This is utterly not a grey area. This is clearly an attempt to commit fraud, identity theft, and intrusion into a remote computer without permission. Every single person in that company who had anything to do with this needs to be dragged in to criminal court and charged with numerous felonies.
Completely unacceptable. No company should be allowed to get away with this. This company needs to be made example of.
This is one of those rare instances where I actually wish I was a lawyer with prosecutor-powers, I'd charge head first into this and rip that company to shreds.
By that stupid "logic" the is no such thing as malware, as nothing is automatically installed. Even the malicious code which runs malware is only run because you authorized your browser or operating system to run it.
People agreed to run the company's software. The malware they never agreed to. Thus it's blatantly illegal.
And no - they can't make it legal by adding a few lines to the EULA. The EULA does not take precedence over computer crime law.
No sympathy here. Some of these flightsim developers have some of the most absurd anti-piracy practices and forum rule requirements which would make privacy advocates head spin *cough* PMDG *cough*. Complain and they ban you. It's almost as bad as some of these HAM software tool developers who ban you from ever using their software again for saying anything bad about them.
Don't steal.
I agree with everything you said... minus that. I don't like seeing copyright infringement described as stealing.
But you see copying passwords as stealing? Odd.
Of course news about a fake are Fake News.
I'm not sure about your baby day care institutions. Even if these institutions accomplish lower recidivism levels in former inmates that yours do, they're still prisons. And Greece is the Florida of Europe anyway. They won't be as progressive as you might think. They were running notorious prison islands as late as in the 1970s.
Ezekiel 23:20
Anti-piracy measures work to turn the last category into sales, but don't help your bottom line for any of the other things. These people are the only ones where piracy hurts sales, but they're a minority (at least according to the academic studies that I've read). The big problem for most companies in these markets is that they regard reducing piracy as a goal, when their aim should be to increase sales. Would you rather sell 1,000 copies and have no pirates, or sell a million copies and have ten million pirated versions in circulation? The music industry finally learned this, and saw a big increase in sales once they allowed Apple and Amazon to sell DRM-free downloads.
I am TheRaven on Soylent News
I'm not sure about software, but a Harvard study a few years ago found a strong correlation between music purchase and music piracy: i.e. the people that pirated the most music also bought the most music.
I am TheRaven on Soylent News
Putting words in peoples' mouths? Odd.
Of course that isn't theft. The name is catchy and a lot easier to say than what it technically is. Catchy names stick. Theft has a legal meaning, and to call copyright infringement theft just further muddies up the conversation.
They haven't stolen any passwords. They have most certainly committed some form of fraud. You will not see them charged with theft. Just like a copyright infringement case isn't brought as theft.
Just because my argument is simply insisting on using the correct words doesn't mean it's no problem. That's disingenuous of you to claim.
Only to the illiterate. Please go educate yourself. We've got enough of you dragging down our average IQ.
specifically harvest bank info and use it to transfer funds equal to the purchase price to my company. Plus any applicable taxes. Then I'd send them an email telling them not to worry, we corrected the accounting oversight that resulted in them ending up with a bad serial number. Oh, and that as a courtesy we waived the service fee. What service fee you ask? It doesn't matter, we waived it. Stop worrying so much.
If you stole a TV set from Walmart and told the cops you were going to go back and pay for it later if you liked it you wouldn't get much sympathy... Don't steal.
Except in this case walmart still have their TV and when they do sell it (a copy of it at least) they can still spin off and sell essentially infinitely more copies with next to no additional production cost.
I don't really disagree with what you're saying but don't label illegal copying as stealing because while similar on the surface they really aren't the same thing.
Wanna buy a shirt?
https://www.redbubble.com/people/stealthfinger/shop?asc=u
Breached isn't an anything word for theft.
Wanna buy a shirt?
https://www.redbubble.com/people/stealthfinger/shop?asc=u
(though the most recent one by the EU found that cinema sales in the first week of a summer blockbuster release were the exception).
You mean the things that make hundreds of millions in a weekend? Cry me a river.
Wanna buy a shirt?
https://www.redbubble.com/people/stealthfinger/shop?asc=u
Putting words in peoples' mouths? Odd.
I wasn't commenting on your words, but on what you deliberately omitted to say. Even.
Of course news about a fake are Fake News.
There were two hypotheses regarding this that I remember. The first was that pirated copies make it easier for people to determine that the film is actually crap and so not worth paying money to see: if you know someone who has pirated it and they tell you to avoid it, you might. The second was that a load of people much prefer watching films at home, but will go to the cinema for a hyped thing if that's the only way of seeing it. I don't have much sympathy with either: depending on limited knowledge to sell a crappy product and imposing artificial scarcity on a particular distribution chain are not things that should be encouraged.
I am TheRaven on Soylent News
There have been a bunch of studies that show that piracy doesn't harm sales
That's really an impossible thing to prove. I think there has been a lot of coincidental evidence with music that that might be the case but not with other formats unless I've missed it.
Music is different than movies or games though as you tend to listen to it many times over many years. A movie you may only watch once or twice, games, you'll probably play a lot to begin with, but once you've completed it, most won't go back to it. Music is probably re-consumed more than any other digital media and may be the exception. Fewer people are going to buy for a game they've played through- but music, due to the nature of how we consume it, someone might go back and buy.
Nonetheless, even if piracy HELPED sales- that doesn't change the fact that the rights of the owner of that digital media were violated. Someone illegally took their content without paying (without their consent).
"That's the way to do it" - Punch
I don't really disagree with what you're saying but don't label illegal copying as stealing because while similar on the surface they really aren't the same thing.
I won't disagree that there are subtle differences between the two; but it is still theft in my (and many people's) mind. You are "stealing" potential revenue from the company. The difference is the theft is intangible rather than tangible.
Whether you call it theft or not is semantics really; language interpretation.
"That's the way to do it" - Punch
QAnon? Does the Q stand for quack?
I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
I deliberately omitted saying that I see copying passwords as stealing? I think you over-thought that one, chief.
I deliberately omitted saying that I see copying passwords as stealing? I think you over-thought that one, chief.
And you didn't think at all, heh? Yeah, easier that way.
Of course news about a fake are Fake News.
You can prove these pirates were poor Somalis?
For that comment alone you just demonstrated your lack of qualifications for this conversation.
Meaningless snark to disguise no civilized answer.
..with this one confirming it.
You fail to understand my points. I can't be arsed putting them into words of one syllable; I don't trust you to understand them even then.
You also haven't justified illegal hacking against alleged pirates, so you're a miserable failure on all fronts. oops.
Note to FlightSimLabs management: Just because you broke the law does not make it legal for your prison cellmate to assrape you.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
That's disingenuous of you to claim.
I replied to your argument that you disagreed with the OP. If the only argument you had was with the word "stolen", then it was specious. I assume you intended something more substantial, and that's why I ASKED (see the question mark?) if you thought it was "no problem".
Didn't disagree with OP, just objected to incorrect word use.
I assumed your question mark was rhetorical. That's my bad. I apologize for assuming you were just being an ass.
You operate a lot off of assumption. Your poor life must be fraught with constant mistakes.
Gee, all tha talk and you still haven't said that copying passwords isn't stealing. Which is all it takes to prove me wrong. But I'm not because you can't do that, right?
Of course news about a fake are Fake News.
I thought that was implicit. Copying passwords is not stealing. You could call it hacking, unlawful access of a omputer system, invasion of privacy, hell- maybe even copyright infringement. Any use of said password would certainly be fraud. But no, copying a password is not stealing. You have deprived them of nothing. If the word stealing can be so malleable as to include the copying of something that someone owns, we may as well go all out and call it burglary. Password burglary. Even worse sounding.
In case I wasn't clear, I'll repeat it- copying a password is not stealing, any more than plagiarism is.
Sorry, saying it's actually burglary but stealing is the opposite of proving me wrong, it's going deeper in.
Of course news about a fake are Fake News.
No, it was demonstrating the absurdity of the argument to begin with.