[dupe] Flight Sim Company Embeds Malware to Steal Pirates’ Passwords (torrentfreak.com)
403 points by _pvxk on Feb 20, 2018 | 169 comments




>In a nutshell, FlightSimLabs installed a password dumper onto ALL users’ machines, whether they were pirates or not, but then only activated the password-stealing module when it determined that specific ‘pirate’ serial numbers had been used which matched those on FlightSimLabs’ servers.

We installed spyware on your PC, but trust us, we didn't use it, we only used it on the people we didn't like...

>“This method has already successfully provided information that we’re going to use in our ongoing legal battles against such criminals,” Kalamaras revealed.

We're going to introduce documents into a legal process that were obtained through illegal means and hope we don't get counter-sued.

It looks like once again, a gaming company has decided to stop working on making games, and start working on a convoluted game of cat and mouse with unemployed anonymous nerds. What could go wrong...


> We installed spyware on your PC, but trust us, we didn't use it, we only used it on the people we didn't like...

And, yes, your AV is showing a false positive ;) [0]

Also, piracy doesn't seem to have a huge impact (if any) on sales[1]

[0] https://www.fidusinfosec.com/wp-content/uploads/2018/02/Oct-... , from https://www.fidusinfosec.com/fslabs-flight-simulation-labs-d...

[1] https://juliareda.eu/2017/09/secret-copyright-infringement-s... https://juliareda.eu/wp-content/uploads/2017/09/displacement... see page 79 for games


I do understand the need to fight piracy, but breaking into my house, plundering through my stuff, taking photocopies of my files/ID/password/etc, is not the right way to do this (in my book).

At least they were smart enough to make this AV-proof. One of my favorite lines is: "please disable your AV while XYZ application is installed". I do understand that some applications require access to files/registry keys/etc, but this means they've done a crappy work on building the thing, and they cut corners by asking us to compromise our security for their lack of due process. Random example [1].

[1]: https://www.taxslayerpro.com/kb/676/temporarily-disabling-a-...


It's pretty ironic, because that "disable AV" line is what you will find on most pirated copy readmes.


I'm pretty sure that piracy does have a huge impact on sales for niche addons and games like that. The client base is very very small and anything that is not absolutely perfect quality does not get sold these days (seriously, look at the quality and effort that has gone into some PMDG planes or the ixeg 737, it's astounding). Small client base plus very good quality equals, everyone must pay their share for the product to be viable.

That being said, what FSLabs did is of course inexcusable.


That really doesn't change the argument surrounding piracy - the contention is that piracy doesn't displace sales. If that's true, it is literally not affecting whether everyone is paying their share. The people who pirated it simply were never going to pay for it whether they play it or not.

I tend to agree with you though, if you make a game that requires incredible attention to detail, hugely time intensive modelling work, and know that the target market is a tiny niche then maybe the product is just not viable.


>The people who pirated it simply were never going to pay for it whether they play it or not.

I hear this argument a lot but can't see how it could possibly be correct. Sure, not everyone who pirates would buy instead but at least some people would (it probably is a small percentage, but it is not zero).

One can imagine that the effect of those few is amplified for titles with high costs per unit.


If you consider this you also have to consider people who pirate a game and then decide to buy it later when they get the money or they realize that it's worth the price. It happened to me on several occasions.

There's also the "photoshop effect", where piracy helps ensure that the application remains the de-facto standard. Admittedly this is less applicable for games but it might help with 3rd party controller support, modding community etc...


In the context of niche games with pricey DLCs, I now have a significant collection of TS2018 DLCs. If I was not able to "try out" that game a few years ago in a less than legal fashion, I likely never would have gotten into it in the first place. I have a similar trend with books; on several occasions I've ended up owning (legally) the entire work of some author, simply because a friend gave me their copy of a book.

I also believe that in the age of Steam specials, refunds, etc, people who pirate your game are not "lost sales". They are usually doing it because their appetite for games outstrips their budget, and they were highly unlikely to pay for it in the first place. But there is a significant chance they may convert to a paying customer, or at least market the game by word of mouth.


I’ll add my anecdote here. I haven’t pirated a game in ten years, but when I was a student, I pirated most of my games. Almost all of the ones that I played for more than a few days, I now own legally. Some of these games, I’ve become a big fan of the series and buy all new games (I pirated the original Witcher game for example, I now own it, the collectors edition of the second, the third game and am eagerly awaiting basically any game the developer releases. While it’s likely I would have eventually played The Witcher 3 anyway given how successful it was, I’d likely have missed the Witcher 2 and probably wouldn’t be such a blind fanboy of anything CDPR release)

I also regularly do NOT buy games (but nowadays also don’t pirate them, in the past I might have) if they have intrusive DRM.


"Sure, not everyone who pirates would buy instead but at least some people would (it probably is a small percentage, but it is not zero)."

If we've already started speculating, such a part might be offset by people like me, who tend to buy only games they like. I often pirated a new game just to see if it's worth buying. And I've recently bought most of the games on GOG I had played as pirate versions when I was a poor teenager, even though I barely play computer games anymore.


You have to take into account additional arguments, like the time you'll be spending implementing effective DRM will cost you more than any sales you're actually running the risk of losing, may degrade the experience of your legitimate customer base, etc.


The key is imagine. We have no means by which to estimate the proposed loss in the future when it happens. Talking about such a "loss" is irrational, at best. It matters not if someone pirates software. If someone is pirating your software, and you care deeply about it, your model for making money is probably off.


>I hear this argument a lot but can't see how it could possibly be correct. Sure, not everyone who pirates would buy instead but at least some people would (it probably is a small percentage, but it is not zero).

Consider that for lack of a demo, or other scenario, people who pirate the game but end up purchasing it later. Sure, not all pirates would buy the game they've pirated, but at least some people would (it probably is a small percentage, but it is not zero).

>One can imagine that the effect of those few is amplified for titles with high costs per unit.

I would argue mainstream titles would make up that difference through volume of pirated copies though.

Piracy isn't a non-issue, but it's just not a dire threat either. Decades of video game piracy have demonstrated that.


>I would argue mainstream titles would make up that difference through volume of pirated copies though.

Averages don't mean that the small development house with the high cost per unit product doesn't go out of business when a small percentage of those who would have bought their product pirate it instead.


https://cdn.netzpolitik.org/wp-upload/2017/09/displacement_s...

I didn’t read it, but apparently that EU funded study found that piracy doesn’t harm sales. At least, that’s what the news reporting said about it.


I think there may be some nuance to this, however. What you're saying is known to be true at the macro level, but it may be more complicated at the micro level. For instance, it's well known that games companies aren't too fussed about games getting cracked after the launch window. The availability of a crack may not reduce your spend on video games, but it may reduce your spend on specific video games. This situation is made much much worse if your product is expensive, like this one is, and meant to make money over a long period rather than a short launch period.

None of this excuses them, but I do wonder about how the piracy data actually pans out for small, expensive shops like this.


My impression is (based on what I've seen with music plugins and heard from plugin developers, which tend to be also produced by small shops) that piracy data does matter a fair bit if you don't do anything about it.

Nonetheless, several plugin companies do seem to be able to nicely balance the ability to protect their software, while avoiding arduous copy protection methods. The method I think seems to work best is a combination "honey pot + time bomb" type method, where you provide an "easy" method for the pirates to "crack" and get on the usual sites, while also including a more difficult to reverse engineer one that activates at some point later. (This kind of nudges those who kind of use piracy to "try and buy" but sometimes, er, need a bit of motivation to actually purchase the product. Even people who can afford the software and make a pretty decent living with the product have been caught with pirated plugins in interviews (https://torrentfreak.com/avicii-and-other-djs-produce-hits-u...).)

You definitely don't need to include malware to protect your product.


> My impression is (based on what I've seen with music plugins and heard from plugin developers, which tend to be also produced by small shops) that piracy data does matter a fair bit if you don't do anything about it.

The problem is nobody really knows that because it's nearly impossible to do a controlled experiment for this.

What happens in practice is that a company's first product is unprofitable. So they go back and make significant improvements, spend five times as much on marketing, and add anti-piracy code. Then the new version is more profitable.

The people who want the solution to have been the anti-piracy code credit it with the improvement, but there is no way to know if it was that or the product improvements, or the marketing, or more favorable market conditions at the time of the second launch, or the fact that the same marketing effort now produces 50% more customers because there is now an existing user base (including the pirates) who are easier to convert because they're familiar with the previous version, etc.

To actually know the answer you would need a statistically valid sample of product launches where the determination of whether anti-piracy measures are taken is made at random. But as far as I'm aware no one has ever attempted this, and the choice to use anti-piracy measures has to be randomized or you could trivially be measuring the wrong thing, e.g. larger products with more resources are both more successful and more often include anti-piracy measures but the causation is reversed.

So nobody really knows the answer and it's all just wild speculation.


What I've heard developers notice is a sharp drop in sales the instant a product is put on the torrent sites (eg, there's a clear "before" and "after" pattern). I also know that there's one plugin developer (u-He) who has posted that the "time bomb" method he uses does drive sales the instant those "time bombs" go off. (https://www.kvraudio.com/forum/viewtopic.php?p=5762973#p5763...). Of course, I only know little bits I hear from developers here and there -- the small shops are the ones that probably have the nitty gritty data details.

The impression I get is that coding some degree of protection is worth it, as long as the protection does not impact the user experience that much (and judging from what I see, this is quite possible). There's no excuse however for emulating the warez guys and bundling malware with your software... there's smarter ways to protect products.


> What I've heard developers notice is a sharp drop in sales the instant a product is put on the torrent sites (eg, there's a clear "before" and "after" pattern).

That still doesn't really tell you the answer though. The hypothesis is that pirates can be converted to users, but that doesn't necessarily happen immediately.

Suppose the product hits the piracy sites and 100,000 people download it. 5000 of them would have bought it, so you "lost" 5000 sales right away and you have your dip. But then over the course of the next year or two 7000 of those pirates realize they like the product and go on to buy it.

That's definitely a thing that happens, the question is what the real numbers are and whether they balance.

> I also know that there's one plugin developer (u-He) who has posted that the "time bomb" method he uses does drive sales the instant those "time bombs" go off.

Same problem here. Obviously you're going to get an uptick when the timer expires. But suppose you timebomb 100,000 people and as a result you immediately get 4000 sales, but then 96,000 people stop using your software. If 7000 of the 100,000 would eventually have paid you anyway, now you've just kicked 3000 of them out.


Mmm... that sort of hypothesis can't really be quantified, unfortunately, without surveying all your customers whether they bought their software due to a previous pirated copy (and getting honest answers).

I don't think the number is zero, as seen in this thread. But overall I don't think humans are that altruistic. :) This is probably particularly true for user-oriented niche software (like the software in question, premium flight sim DLC). Some software in the past (eg Adobe Photoshop) that was marketed primarily for businesses possibly benefited a little from consumers pirating it, but again, that "benefit" is hard to quantify as well.

The reason I like the "time bomb" approach though is that I think it gives a bit of a "push" to anyone who is actually using your product extensively. If they aren't using your product enough to care to pay for it, it's probably not a big deal if they stop using your software. If the "time bomb" is at a reasonable period, I have serious doubts that they'd suddenly decide n months later (with no time bomb) that it's all of a sudden worth it to pay for software they have for "free".

I don't think niche products unfortunately can do what mass market products are doing these days... which is switching business models towards ones where piracy can be controlled a bit more or is less of a big deal. (Freemium / DLC, cloud-based, subscription-based, etc.) In fact the only alternative model I see for niche is the Kickstarter one where the consumers themselves front the initial business costs (which can work out for consumers sometimes, and not work out other times).


On the threshold to professionality, there is a big difference in general "computer knowledge" between makers of audio plugins and makers of flight sim add-ons. For every former demoscener working on DSP plugins you will find a former model plane collector in the flight sim space, with a skillset only marginally updated. I've been on the fringe of both scenes at different points in my life and it does not surprise me at all that one of them is so much better at picking the right battles with piracy than the other.


That argument is bullshit, frankly. Before the advent of CD-Burners and Napster, you found a way to buy a CD if you really wanted it. Everyone had their own copy of an album. A select few would make cassette tape copies, but you were never satisfied with that.

I've seen numerous people who could absolutely afford games, stealing them. Hacked Xboxes filled with every game imaginable. These people would have bought some of these if they couldn't steal them, without a doubt. Would they have just given up video games? No way. So, it absolutely displaces sales.


The reason why your comment is being downvoted is because of your ignorance, because you're trying to float widespread piracy as a recent phenomenon and it's not. You just don't know your history.

Before CD-RW lots of games were available on floppy disk, which were simple to copy. And even without a CD-RW you could copy the data off the CD. Perhaps you don't know about no-CD cracks? They were everywhere. There were plenty of ways to pirate CD based games without a CD-RW. It might seem difficult or complicated compared to 2018, but only if you didn't live through those times. At the time that's the way it was, and it was relatively easy.

>Everyone had their own copy of an album. A select few would make cassette tape copies, but you were never satisfied with that.

Forgive me, I never say this, but it's appropriate in this case: LOL


"I'm pretty sure"

-- Do you have any evidence, data, metrics of any kind to support that?


The EU study does not say what the pro-piracy crowd wants it to say.

The study only looks at the count of games and not the dollar amount spent. A non-pirate who buys a $60 game and all the DLC and microtransactions is counted the same as a pirate who buys one $0.99 steam sale game. It does say that sales for blockbuster movies are heavily impacted by piracy.


I don't see your point. I haven't pirated a game in over 15 years (basically since I started working), and I buy some games at full price and tons of games at dollar sales or humble bundles. The thing is that the ones I don't buy at full price are the ones I would never even entertain playing at full price, and statistically I rarely even play them after getting 5 of them in a bundle.

What that means is that those games can have <$15 from me, or nothing. $60 was never on the table. And the games I buy at launch others won't bother with at full price.

The only difference between me and the pirate in your example is that the pirate hypothetically would have bought "some" games at full price if piracy wasn't available, like I do. But that's not an assumption you can naturally make. Some people just don't care about playing games when they're new.

I'm just as inclined to assume that a pirate only buying bargain games would have the same legal consumption without piracy.


Beyond convenience and honesty, my thinking about pirated software is that in a world where malware and viruses are prevalent, the last thing I would do on earth is to execute some dodgy cracking utility or game from some random torrent website, unless it is in an airtight and up to date VM.


I've downloaded and played dozens of pirated games, but I've been lucky enough to never have a problem. Or at least I never realized I had malware on my PC :-|

For my part, it was not a lack of money, but rather ease of getting the game (when I was directly given an ISO) or because I don't want to wait for a sale, but the game still seems too expensive. I ended up buying two of them (KotOR on a sale and transistor full-price). But now I have a big enough library and I have less time to play, so it's not as appealing as before (and I also have more to lose on my computer).


As opposed to dodgy proprietary games from the original source, which would never, ever, include any malware.


Forget about counter-sued, this is a criminal matter.

One for which you can earn hard time. Even if you don't use the spyware. I wouldn't dare work for a company that did this.

Copyright violation is merely a civil matter, cracking a serial number generator is not even copyright violation. Breaking DRM is still illegal, but that's all. I'm not even sure we've established that it's illegal to distribute information on how to crack DRM. Certainly, not in all jurisdictions.


> Breaking DRM is still illegal, but that's all.

It's not illegal in all jurisdictions and even then there are cases that allow you to do it.


true,

And distributing information on how to break DRM is even less likely to be illegal.


This sounds actually illegal? Like unauthorized access to computer systems federal crime illegal? What the fuck were they thinking.


It is illegal. Actually, in most of Europe unauthorized access to a computer system is a criminal offense that might lead to jail time, while downloading a pirate movie/game is a small wrongdoing that nets you a fine (unless it's a for-profit, large scale operation). And that's access only, distributing malware and stealing personal data are two more, separate criminal offenses. So basically that's shooting a boy who has tried to steal an apple in a crowded market.


Exactly my thought - this sounds like a criminal matter, not a civil one.

It's the same reason you don't try to brick someone's computer even if you can prove with certainty that they were, say, cheating and griefing on your game's multiplayer. None of that matters, it would still be a crime.

In which country are these guys based?


> We installed spyware on your PC,

which makes it available to any other third party that breaks in, looks for it and uses it.


If any other third party breaks in, you've already lost.


Yeah, but I'm not going to leave a ladder outside my house for use by anyone who hops the fence.


Their announcement yesterday[0] is barely half an apology.

The only mistake they're admitting to is that their malware ran on all installations, when they meant for it to only run on pirates' computers. Or that they got caught doing it.

There's no recognition that collecting this data from [innocent until proven guilty] "pirates" was wrong. There's no confession of what they did with the data they collected, but I can only imagine it amounts to a serious infringement of global Computer Misuse Acts.

Just because you think somebody didn't pay for your software doesn't give you carte blanche to anything on their computer. Again, that is almost certainly a criminal offence.

[0] https://forums.flightsimlabs.com/index.php?/announcement/11-...


Also, just because the pirate broke the law doesn’t mean that stealing their passwords or otherwise doing something nefarious isn’t equally or more illegal.


The last time I checked, it's not okay to commit a felony in the pursuit of a felon. I can't imagine this underwent anything close to a legal review before it was implemented. Did they honestly think they'd get the pirates' credentials, then authenticate with the pirates' accounts in an attempt to uncover their real identity and not understand that crosses some major ethical and legal boundaries? I don't think it would be an exaggeration to say that their 'solution' was in itself criminal.


Only police are allowed to commit what would normally be crimes in the act of pursuing criminals, and even then these cases are limited. The only exception I can think of for normal people is self defense, which is not always legal.


There's also the concept of a citizen's arrest. Although I doubt this can be broadened to include vigilantism by malware.


It's a straight violation of the CFAA [1]. There are going to be a few lawsuits for this one.

[1] https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act


Or a criminal indictment, I would hope.


Why didn't they just build a bogey binary and seed that to the torrent sites?

I've wondered why copyright holders don't do this more in general. I've seen a few cases where a downloaded movie for example just gets borked towards the end ... presumed it was deliberate and surely some form of a deterrent!


When my shareware was pirated and posted on torrent sites, but had a fairly low number of seeds, I forked transmission and changed the source to give out bad checksums, so that downloaders would never see their downloads complete. I figured I would run this on a bunch of computers and become the top seeds and peers and ensure that few downloads ever finished.

It did not take long for me to realize how crazy I was being over this. My time was better spent improving the software and focusing on customers who would pay.


We manifest what we see in ourselves.


You might even have caused lost sales, depending on your software's business model.


If you read the article, they were attempting to target a specific person they believed was cracking their software, not the pirates themselves.


That's doubly stupid. Every capable hacker is going to run the software in a VM or on a separate computer.


In fairness, there are an incredible amount of incompetent “hackers”.


I would like to see the incompetent hackers who can reverse engineer and break non-trivial copy protection. I'm sure they exist, but I would imagine there's not an "incredible" amount meeting said criteria.


Also to be fair those are more often than not just someone using exploits someone much more capable found.

Also to be fair, even if the cracker wasn’t paranoid I expect doing it in a VM is much more convenient since you can trivially reset your environment.


They would only have to make one mistake and would be exposed. You would be surprised how often that happens.


Reminds me of a great episode of Reply All:

https://www.gimletmedia.com/reply-all/21-hack-the-police


But it looks like it worked.

They got the logins for some other websites they did not have access to before. Logged in and found out how they could generate the keys.

At least that was my understanding.


Oh and thank you for hiding a loaded gun in your clients' PCs. Now all a black hat needs to do is to find a way to activate said gun with not much effort since it already has its hooks in.

Disclaimer: I don't know the exact implementation, but this stinks from every angle you approach this.


And when somebody complained that anti-virus detected their malware they said it's false positive and they recommend to disable the AV: https://i.imgur.com/GTSPLDE.png


Archive link in case the content in the original link gets retracted:

http://archive.is/cRB57


I work at a games company, I get that hackers take up an enormous amount of developer work but reading this article made my jaw hit the floor. This couldn't have been a single developer making the decision. There must have been multiple levels of management involved and no-one saw the legal or moral issues?

To make matters worse, in the additional statement at the bottom of the article they outright admit they used the tool and it wasn't a mistake:

>We found through the IP addresses tracked that the particular cracker had used Chrome to contact our servers so we decided to capture his information directly


I think it's a small shop, probably only a few developers working there. That said, it's likely everyone knew about this. Not sure if that can get employees into trouble in case of a criminal investigation (installing malware on computers without the user's knowledge is likely illegal even if you don't use it).


> Not sure if that can get employees into trouble in case of a criminal investigation

Hopefully they can. We need to make it clear that 'just following orders' is no excuse for criminal behaviour.


Absolutely. 'Just following orders' is becoming a common excuse and it sickens me.


Software needs a governing body with professional standards (like the AMA) and it needs it yesterday.


What does this have to do with software? What about the executives and managers who gave the go-ahead on this?


A professional standards body can rein in those excesses from the bottom up, just as it does for so many other fields of endeavor. The top is always going to demand what they can get away with.


How so? Are you suggesting that the guys at the top are going to suddenly start caring about these things because there is a standards body that their employees belong to which says so? Or are you saying that the employees are going to refuse to do things that contradict code maintained by the standards body? Or are you saying that employers will care that a software developer doesn't belong to a standards body and won't hire those that aren't?


> How so? Are you suggesting that the guys at the top are going to suddenly start caring about these things because there is a standards body that their employees belong to which says so? Or are you saying that the employees are going to refuse to do things that contradict code maintained by the standards body?

The second, leading to the first, which then naturally leads to the third. The AMA, APA, and many others operate this way. Very effectively. Journals need to buy in, schools do, and eventually employers and licensing bodies.

This is not really a new concept, just new for the increasingly unacceptable Wild West of software. Software is not a frontier anymore, it’s the biggest thing going, in our medical devices, cars, banks, etc. It is time to grow up.


They probably think too highly of themselves and rationalized that two wrongs make a right (doing something bad is OK so long as it's against bad people) passed down by upper management. At some point down the line, they probably figured they could just install it on all machines to save them some effort of having just 1 version of the software.

But they've really dug themselves a hole though. Reading the article indicates this wasn't just a 1-off decision, but a multi-level decision made by several people over a long time frame. That all of this was premeditated and well thought out / given enough consideration to go ahead and install a backdoor on all their PCs.

In any case, this is also why I don't save any passwords via chrome. It's not secure at all for storing passwords, so long as you have access to the localdb, you have a vulnerability.


Nevertheless a developer will be scapegoated.


Bit hard to sell after a manager already made a public statement defending the practice.


You mean a one off rogue developer who took it upon themselves to act


They must have backtraced it. IP addresses ending in a 5 are chromes.


Little trick for finding a company’s legal jurisdiction: see who they are in their privacy policy or terms of services. The lack of these policies is a red flag. The forum where the CEO makes his statement raises this red flag [1].

The CEO’s LinkedIn Page says he is Greek. “Flight Sim Labs” produces no hits in the Athenian corporate registry [2]. I did find a Flight Sim Limited in the U.K., but registered to a different person [3]. This British Flight Sim Ltd was formed about a month ago.

TL; DR Consider whether you, or customers like you, have legal recourse before executing someone’s blob.

[1] https://forums.flightsimlabs.com/index.php?/announcement/11-...

[2] http://www.acci.gr/acci/shared/index.jsp

[3] https://beta.companieshouse.gov.uk/company/11142081/officers


The privacy policy [4] does not appear to be linked from the homepage, but you can reach it through search. It's devoid of any meaningful content, though.

The company appears to be a shell registered in Cyprus [5]. The address on an older SSL certificate [6] matches the one in the registry.

[4] http://www.flightsimlabs.com/index.php/privacy-policy/

[5] https://efiling.drcor.mcit.gov.cy/DrcorPublic/SearchForm.asp... (search for "flight", 2nd page. Can't link to it directly, apparently)

[6] http://www.herdprotect.com/signer-flight-sim-labs-ltd-020d17... (link fixed, sorry)


As they accepted payments through paypal, it'll be easy for law enforcement to track down the owner. PayPal is very cooperative in these cases (as any bank). A shell company won't help them if someone knows where they have their office. The criminal offence isn't against the company anyway, it'll be against natural persons working for the company.

But the worst that can happen for them short term is that PayPal (and credit card vendors if they use them) block their account if they get too many charge backs as a result of that.


> The criminal offence isn't against the company anyway, it'll be against natural persons working for the company.

What makes you sure of this? Corporations can be criminally prosecuted, at least in the United States and the United Kingdom.


For fun, this exercise can also be applied to the latest crypto currency exchanges.


> We found through the IP addresses tracked that the particular cracker had used Chrome to contact our servers so we decided to capture his information directly

The issue is that IP/computer != single person. If they dump and steal the Chrome credentials of the computers using pirated serials, they are most probably stealing the credentials of law-abiding partners, parents, siblings, children, etc. who also use that computer. Which is, of course, illegal.

In fact, probably a more serious offence than copyright infringement, if these credentials are related to protected information such as financials, healthcare, etc.


No, the problem is that even copyright-infringing people enjoy the protection of the law, and that it's illegal to distribute malware.

Also note that receiving a pirated copy is not a crime in most jurisdictions I know, just a civil law injury. Stealing their passwords, however, is a crime.


Also as far as I can see he was just cracking it to build a serial generator...

I'm not sure that's even illegal to distribute, since there is no copyright violation. There are some places that forbid breaking DRM, but telling other people how to break DRM is even weaker.


>The issue is that IP/computer != single person.

This brings up a thought I've had lately: The endgame of IPv6 -let's say, 100% adoption, and the retirement of IPv4- will be IPv6=single device, no? I would think that ends (in however many years it takes to get there) what little anonymity IPv4 currently provides.


In principle the situation isn't that different from IPv4. A device on an IPv6 network can cycle through a series of random "temporary addresses" which it generates itself, without contacting a DHCP server. Someone who gets your IPv6 address can track it down to a specific network, but there's no record of which device on that network initiated it, similar to IPv4+NAT.

(A couple of caveats. One is that attackers can still correlate different connections within a short period of time, between temporary address rotations. Another is that temporary address support is broken on some Windows versions, so you may be leaking your MAC address all over the place without knowing it.)
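The MAC-address caveat above can be checked on your own machine. This is an added example, not part of the original comment: it flags addresses whose interface identifier is built from the MAC using modified EUI-64 (RFC 4291). The sample `ip -6 addr` output is constructed and the function names are hypothetical.

```python
"""Flag IPv6 addresses whose interface identifier embeds the NIC's MAC (modified EUI-64)."""
import ipaddress
import re

# Constructed sample in the style of `ip -6 addr show` output
# (addresses use the 2001:db8::/32 documentation prefix).
SAMPLE_IP_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:5c3a:91d0:1e07:b2c4/64 scope global temporary dynamic
    inet6 2001:db8:1:2:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr
    inet6 fe80::211:22ff:fe33:4455/64 scope link
"""

INET6_LINE = re.compile(r"inet6\s+([0-9A-Fa-f:]+)(?:/\d+)?\s+scope\s+(\w+)")


def eui64_mac(addr):
    """Return the MAC embedded in the low 64 bits of addr, or None.

    Modified EUI-64 splits the 48-bit MAC in half, inserts ff:fe in the
    middle and inverts the universal/local bit (0x02) of the first octet.
    This is a heuristic: a random identifier matches the ff:fe pattern
    by chance about once in 65536 addresses.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]   # interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def audit(ip_output):
    """Return (address, scope, embedded MAC or None) for each inet6 line."""
    return [(addr, scope, eui64_mac(addr))
            for addr, scope in INET6_LINE.findall(ip_output)]


def leaking_global(findings):
    """Global-scope addresses that expose a MAC to remote hosts.

    Link-local (fe80::/10) addresses are left out because they are not
    routed beyond the local network segment.
    """
    return [(addr, mac) for addr, scope, mac in findings
            if scope == "global" and mac]


if __name__ == "__main__":
    results = audit(SAMPLE_IP_OUTPUT)
    for addr, scope, mac in results:
        status = f"embeds MAC {mac}" if mac else "no embedded MAC"
        print(f"{addr:40} {scope:7} {status}")
    for addr, mac in leaking_global(results):
        print(f"WARNING: {addr} is globally routable and reveals {mac}")
```

If the only global address a host uses for outbound connections is one of the flagged ones, temporary addresses are not in effect on that interface.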


I think my idea was that IPv6 easily could be permanent per device as the address space is so enormous, for now :)


While this is true (although most IPv6 devices rotate addresses by default) the fact remains that a single device != single person, and this is legally a very important distinction.


OK, so what were they going to do with the evil cracker's passwords.... steal from him? I'm no lawyer but how in the hell is this not a felony? They intentionally distributed malware that steals passwords. Jesus christ, some people, man... some people...


Not only that, but any such "evidence" acquired by this route would surely be inadmissible. You aren't allowed to break the law just because you think someone else might have done it first.


FYI there are only some countries where evidence is inadmissible solely because it is acquired illegally (eg in the United States, but not most of Europe AFAIK). Not that I in any way condone what this company have done.


Even in the US, the exclusionary rule only protects you against illegal evidence acquisition by the government. If a private party illegally gathers evidence against you (without any government prompting), that is admissible. See for instance Burdeau v. McDowell [1]. Another interesting case on this topic is Sackler v. Sackler [2], where the New York State Court of Appeals held that evidence illegally gathered by private investigators (working for one of the divorcing spouses) was admissible in divorce proceedings.

[1] https://scholar.google.com/scholar_case?case=107551340662323...

[2] https://scholar.google.com/scholar_case?case=641943334909742...


That's true. However, using credentials harvested in this way is almost certainly going to constitute unauthorised access of a computer system and a breach of the Computer Misuse Act.


> OK, so what were they going to do with the evil cracker's passwords.... steal from him?

Presumably get access to invitation-only torrent sites? To distribute more malware / gather IP addresses for prosecution?


By giving the same malware to all their customers??? And all those people are supposed to just take their word for it that they didn't use it on everyone else? This is about as non-frivolous as a lawsuit can get. If I'm the customers of this product I would sue them into the ground, there's no way they take this to court. And with that public statement they made flat-out admitting to its use that's evidence at this studio's boss' criminal proceedings. What kind of goddamned morons OK the use of a tactic like this?


Get their Paypal credentials and pay for the game using fake purchases?


And then get shut down by PayPal for violating the ToS by transferring money into your own account unauthorized. How would that help?


Threaten them personally. By locking them out of accounts or worse. It sounds like they were going after an individual extrajudicially.


Reading the linked articles above it says they used it to get into an invite-only site to figure out exactly who the cracker was. They don't say exactly why they want to do that.


I remember in 7th grade I decompiled the client of a private server version of a popular video game for a learning experience.

When sifting through the files I found a method called 'fillHDD' which would recursively create files to fill your HD. I imagine this method was called when people were caught cheating.


That's possible, but it's also possible that it was there for testing: run a test function that fills up the HD and try to save a game in order to make sure that game-saving errors show up properly.


This was for an MMORPG, all the state data for a player was stored server side, but this was a client side function.


This reads like an article you'd encounter on The Onion.

>“[T]here are no tools used to reveal any sensitive information of any customer who has legitimately purchased our products. We all realize that you put a lot of trust in our products and this would be contrary to what we believe.

Ok, so I guess there's no malware in the official downloads then.

>“Test.exe is part of the DRM and is only targeted against specific pirate copies of copyrighted software obtained illegally. That program is only extracted temporarily and is never under any circumstances used in legitimate copies of the product,”

Well, never mind then.

>“This method has already successfully provided information that we’re going to use in our ongoing legal battles against such criminals,”

That's easily the stupidest thing I've read this week. Are they so oblivious to how legal systems work that it didn't even occur to them to consult a lawyer before attempting to distribute malware and steal people's information?


Aside from this being a terrible decision on their part altogether, why did they bundle malware? It means that legitimate customers get a program installed that at least potentially shows up as malware. That in itself is bad enough.

This is a desktop program, if they wanted to perform something bad on a condition, why not just code it in their own program? The chrome browser history and password db could just be decrypted and uploaded, for example. It's exactly the same thing and just as bad, but at least they didn't install third party malware that shows up in AV, at their paying customers. It's also MUCH easier to deny since at the legitimate users there is neither any suspicious signature, nor any suspicious network activity.


What happens when your key is simply stolen and posted online? They think that grants them the right to spy on all your passwords.

Where is the company, Flight Sim Labs Ltd., registered? It's difficult to find an address. They also removed info from their About page. From their posts it looks like they might be in the Netherlands.

Anyway, I'll contact the FBI and local authorities about this if I can find out what jurisdiction they're in and I hope others do the same. This crap is absolutely unacceptable.


If the company cause the malware to be installed in your country, eg by bundling it with customer software for customers in your country, then the corresponding jurisdiction is almost certainly your own country.

There's a history of extradition to USA from UK for relatively minor unauthorised access; this seems pretty major in comparison.


The password stealer was not triggered by a wrong CD key.


I don't understand what the use of anti-piracy measures is. Most pirates are those who won't pay for the software anyway. If an AAA game doesn't get cracked, most people would simply get another cracked game and play it.

So companies aren't getting anything from anti-piracy measures. Rather, they are wasting time and money on implementing these measures.

If I were to make a software, I'd keep it DRM free. Maybe I'll give occasional discounts to attract people who won't pay otherwise, but that's it.


Yes, but that leaves a lot in the hands of the market. That terrifies anyone with their ass on the line. Also, deliberately not drm'ing your product could be seen in some legal situations as failing to protect your IP, making seeking damages more difficult when wronged.

But business pressures aside, I do avoid DRM encumbered products and I direct my clients to as well in most cases. You ARE hurting your bottom line with DRM.


So... stop trusting the game industry, I guess?

We probably should run our games in containers. Anyone got an idea about how to do this? Isolate Steam/Origin/Games into their own little sandbox


>We probably should run our games in containers

Yes, we do it already. We pack Windows games into WINE, WINE into Flatpak, distribute it on torrents:

There you go, games in a container supported by piracy, with privacy out-of-box included: [DTH crawler website with magnets, might be blocked in your country] -> https://skytorrents.unblockall.org/search/all/ed/1/?l=en-us&...

Why do people have to do it? Some companies install spyware, other companies install a lot of 3rd party crap, DRMs that slow down games for paying users, don't support Linux platform despite promises...

Pirates will always be one step ahead, you can make a game with good user/buyer experience like CD Projekt or great customer support - Darkwood [1] and make it win-win for literally everyone, or lose at some point.

[1] https://www.gamingonlinux.com/articles/the-developers-of-dar...


Okay, so I might actually try that flatpak thingy.

ATM, I was focusing on e.g. fez from HumbleBundle through the AUR [0] and factorio [1]

[0] https://aur.archlinux.org/packages/fez/

[1] https://aur.archlinux.org/packages/factorio/


The first thing that needs to be done is criminally charge the company. If their CEO goes to jail, corporate people will be more reserved about distributing malware.

As far as isolating software, there are a few possibilities, but sandboxing doesn't always work. VMs are the way to go for now, but they're not foolproof either, and they come with a myriad of downsides.


I'd be really surprised if this isn't illegal. They installed malware on people's computer that had no purpose but stealing passwords.


Look at Android & iOS. They know how it is done.

Running apps in a sandbox should be the default behaviour for any OS by now. No app should have the privileges to access any file by default, except for files that are either created or owned by that app & user.

Sharing files between apps should be done as an opt-in basis, with explicit permission by the user, either file-by-file or per group of files.


That doesn't work so well when the app is some snazzy file manager or back-up tool. Of course the OS ought to provide good enough tools that users don't need to install dodgy apps for such things but sadly the attitude nowadays seems to be "there's an app for that", even if you only want to do some trivial file conversion. Unless the OS is Debian, in which case the OS includes a gazillion different tools for transforming PDFs, a big helping of astronomical data, and several alternative kitchen sink implementations.


That would work with "some snazzy file manager" or back-up tool, you just have to give the app partial/full file-system access with a big fat warning, or it has to use the OS's file manager to access the files. The OS then decides whether to query the user, or use previously configured settings (like the trivial file conversion example below).

"Trivial file conversion" tool can be implemented the same. The app tells the OS "hey, I want some files to convert" and the OS either grants access to a set of files/folders, or queries the user which file(s) (s)he wants to provide. IE the "open file" modal is the only window to accessing files. You can think of it like the HTML5 File upload & Drag/drop APIs, but a bit extended & more user-friendly.

Obviously smart engineers can think this through for longer than 3 minutes like I just did, and come up with better/user friendlier/safer solutions. But it breaks all backwards compatibility in almost any desktop OS


So what? At least only my snazzy file manager and media player get access to /sdcard - they still can't access other applications' data to dump my browser credentials or modify those applications' binaries to behave differently, the most harm they can do is delete my downloaded TV and pictures.

Only my backup tool gets root and can access other applications' data - random trash games I download or even if I were to install them from pirated sources are unable to do that.

It's a vast improvement at the very least, even if not a perfect one.


> apps

There should be some very good definition for "App". I expect xz(1) to be able to read any file I give to it (% xz myfile).

I would however expect chromium to only modify stuff in ~/.config/chromium ~/Downloads and be able to read only the libs it needs in /lib. But what about if I need to render an HTML page that's in ~/git/my.blog/index.html?

OpenBSD did some great things with pledge(2)[0] but truly fine-grained control like SELinux, AppArmor have met only limited success because of how complex they are to set up.

[0] http://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/...


Like bad actors in the internet ad industry (not sure if any good ones are left) giving people a good reason to run adblockers, they just did the same for the game industry.

Although I'm not sure what people are going to do. Run pirated copies with the malware removed?

(Which reminds me: when I ran a jailbroken iPhone years ago I had a fix for a PDF exploit much sooner than people having to wait for Apple to fix it, making running a jailbroken phone more secure (at that time).)


I've done that before. Bought Bioshock 2 and got frustrated with its Games For Windows Live, so I pirated it and played that instead.


I run all my games in a virtual machine (Linux KVM with GPU passthrough).

In my case, the gaming VM is shared by all windows games, but with some extra effort it is possible to isolate each game in a separate VM. (What comes to mind is using qemu qcow2 format for the base windows image, plus a snapshot file for each game installation)


You can't trust any software you haven't verified then compiled from source... and you can't even trust that entirely.


First you would have to audit the compiler itself... but then how do you compile it?


Easy! You compile it by hand.


That's actually not too hard as long as all your software is written in Forth.


I have a dual boot system, my windows is my container for games :D.


I hope you at least encrypt the other system. To be actually secure you have to have 2 completely disconnected drives.


It's a single drive, not so secure. I wasn't really serious on my previous post.


I think it is safe enough for the common Windows malware such as this one.


I am not sure if it is that bad. If your Linux partition is some file system unknown to Windows (like ext3), it'd be very hard to come by from a running Windows image (at least for Win7, where I had problems doing this).


https://www.sandboxie.com/

You can either run Steam sandboxed which in turn will sandbox all the games it runs, or you have to do a bit of finagling if you want to individually sandbox your games.


Does that work well for you? I have had certain issues with sandboxed applications.


It works well enough for most applications and games although I have had issues at times; for example with firefox installs. Using portable version of apps will make it easier in such situations.

It is mostly trial and error fiddling with the level of restrictions you want while not breaking apps. In my case, I have a template profile of permissions, most of which are for restricting access to personal/confidential files/folders like Documents, Browser profiles, etc. Instead of blocking access outright though, I usually make the files/folders write-only.

So, for example the other day I wanted to download a 60fps video from youtube, and the only practical option was to use an adware ridden java downloader. So I just downloaded it, created a new sandbox (based on the template sandbox) for the app, installed it (I recall I had some minor kinks in the install process but managed to get it to work in the end). After I was done with it, I deleted the sandbox and I was off on my way without having to worry if the application had left some unsavoury bits on my system.

edit: I might add that a key advantage of Sandboxie as opposed to other solutions like VMs is that afaik, Sandboxie mostly works by intercepting API calls to the underlying OS. This may be more leaky than a VM, but it is also much more lightweight, and as a consequence it has given me good performance for stuff like games, etc.


Here, sandbox your binaries in yet another untrusted binary :(

What's to prove that sandboxie is not worse?.. [/tinfoil]

Seriously though, has it been audited?


Fair enough. It does not seem to have undergone the level of scrutiny that one would hope for. But for me it seems to make sense to trust one app rather than having to individually trust the dozens of random apps I encounter in day-to-day use. I am pasting an example I gave in a reply to another comment:

"So for example the other day I wanted to download a 60fps video from youtube, and the only practical option was to use an adware ridden java downloader. So I just downloaded it, created a new sandbox (based on the template sandbox) for the app, installed it (I recall I had some minor kinks in the install process but managed to get it to work in the end); after I was done with it, I deleted the sandbox, and I was off on my way without having to worry if the application had left some unsavoury bits on my system."

edit: It seems Sandboxie was acquired by Sophos, so now you have to decide whether you trust Sophos or not.


You should have done that ages ago. Essentially any anti-cheat software is malware that spies on you.


itch.io's updater/launcher app has sandboxing support on windows, mac and linux. Another reason to support that service (it's great)


Another reason not to game on computer but to own a console like PS4 or Nintendo Switch instead.


May I know how you came to this conclusion? Like... games on PS4 are never pirated and never send data to 3rd party?

>“This .exe file is from http://securityxploded.com and is touted as a ‘Chrome Password Dump’ tool,

Maybe that's another reason to use Firefox?


I keep my PS4 offline, and anyway my point was that by gaming on my PS4 instead of on my computer I avoid running potential malware on the same hardware where I keep sensitive information.

Even if my PS4 was online it still only has gaming related data on it.


Just build a dedicated gaming machine.


A second full (probably expensive) computer that can't be used for anything except gaming is not something many people can afford, and security should not be for the rich.

Plus I would imagine that most gaming will require entering passwords at some point, whether that's into Steam, Origin, signing into humblebundle.com/etc.


It always comes down to "You have nothing to fear if you have nothing to hide", "Just trust us and our ability to keep off free-riders". Once again I really would like to stop giving admin-privileges to any windows-app that I would like to use... but otherwise, I couldn't do anything with this piece of hardware :)


The kicker is that it doesn't actually need admin privileges to read your chrome password store.


How's that surprising? If chrome can do it without admin permissions, why can't any other program? There's no sandbox for win32 programs.


Yes, but without Admin privileges it is easier to contain software.


Next time when making a pirate game that gets pirated, add a routine to use the pirate's webcam for a mugshot and use that mugshot throughout the pirate game for the baddies. Just a thought.


You know that good hackers are wearing balaclavas!



Not OK. Private enterprises should not be engaging in this kind of espionage against criminals. In meatspace, this is why there are police. Why don't we have cyberpolice?


When is the last time you had theft resolved by local police? I never have. My local police don't even have the resources to collect security system footage from adjacent properties. Even if they did, they told me their job is to gather evidence for criminal charges not help me get my stuff back. Hire a private detective. Hire a private security firm. Do it yourself, because no one else is going to do it for you unless you pay them to.


> Why don't we have cyberpolice?

Most law enforcement agencies have e-crimes, digital crimes, Internet crimes, et cetera divisions.


I've never dealt with the police regarding e-crimes. Do they have capable detectives in this area? I bet it varies widely.


Jurisdiction is an issue in cyberspace. It's hard for someone to steal your physical stuff from the other side of the world.


I am a flight sim enthusiast. I have joysticks, a track-IR setup, a VR headset and a dedicated space for such simulation games.

Let me say loudly that I will never download any software from flightsimlabs.com anymore and that any copy of their software I might have had has been nuked to hell.

The second you admit to adding a keylogger to your software is the second I lose all trust in you.


Just don't let an application connect to the Internet unless you actually want it to (i.e. I would only allow the browser, the SSH client and the messenger). Good news this policy is rather easy to implement on Windows (Sphinx Windows 10 Firewall Control and many alternative application firewalls), Mac (Little Snitch) and Android (DroidWall, XPrivacy). Bad news it seems quite hard to implement on GNU/Linux desktops (I don't know about any practical solutions).


For whatever reason, Flight Sim companies are some of the most customer-hostile software companies out there.


Yep. You also better never criticize them.

I pretty much left the flight sim community because it's so toxic and full of these weird companies


I see you've never had to deal with SAP AG, and don't run Wolfram's Mathematica. Lucky you.


Brave new world. The new model to enforce compliance - steal valuable customer info which will be used to make the customer's life hell if he/she does not comply. Pre-emptive hostage taking as a security model?


Anyone else wondering why they had to use a cheap "test.exe" that is flagged by malware websites instead of embedding the code (possibly write it from scratch) into their binary?


I have requested a CVE for this, due to unsafe password storage (CWE-256).



>we have his name available upon request of any authorities"

When someone is stealing from me, or causing harm to my business and my clients using my products, damaging my reputation, then I go to the Police, I don't wait for them to read an article on torrentfreak.com or the comments section in HN (which I think any security agency worth its salt must have an eye in here too).

I'm going to help them out!!!!!

Hey FSLabs people!!!

FBI website is https://www.fbi.gov/contact-us/ (these guys know their e-crime stuffs, they can help you out!)

Lefteris Kalamaras is definitely Greek, so.. http://police.gr/ (I hear they got a decent e-crime fighting unit over there)

(don't say I never did anything for you FSLabs, and NO I don't want a free copy of your game on my PC)


The conclusion of this article seems to directly contradict that company’s statement, while using the joining clause “in other words”. Seriously, go back and read that with some skepticism. This is obviously a hit piece with no journalistic integrity.

Some user downloaded an illegal copy that had malware and is trying to blame the company, when that malware doesn’t appear for legitimate copies. Don’t want malware? Don’t steal software that could have been tampered with.


The malware was included within every installation and supposedly deleted only after a legitimate software key was installed thereafter. So, regardless of whether you pirated the software, it was indeed installed on your system without your consent.


Erm from what I'm reading it sure looks like they included what is practically a trojan in their software that only got activated when a pirated copy was detected. Obviously exposing their users to a whole set of new security attack surface.



