FSLabs' A320 installer seems to include a Chrome password extraction tool

If you got this, I’d start changing all of my passwords!

3 Likes

Some scrolling through the thread revealed that FSLabs included this tool to get personal information from people who are using “pirated” keys. They are saying that legit customers are not harmed at all.
Also, they are now offering an installer without that part.

Using a password extractor against pirates is ethically questionable, to say the least. Also, what if due to some mistake an actual customer would be targeted? Not unthinkable.

6 Likes

It’s an interesting dust-up for sure. To my untrained eye, reading their statement, it sounds like the software is designed to steal passwords IF and only IF the user tries to install their product with a known pirated key. While I understand their intention with that…it does seem like answering a crime with a crime is it not? I hate it for the users and developers both. Poor decision that overshadows what might otherwise be a fantastic product. I’d be curious what @fearlessfrog thinks about the technique they were using, and how vulnerable it was to being used in a way that was unintended by the developers.

"We were made aware there is a reddit thread started tonight regarding our latest installer and how a tool is included in it, that indiscriminately dumps Chrome passwords. That is not correct information - in fact, the reddit thread was posted by a person who is not our customer and has somehow obtained our installer without purchasing.

I’d like to shed some light on what is actually going on.

1) First of all - there are no tools used to reveal any sensitive information of any customer who has legitimately purchased our products. We all realize that you put a lot of trust in our products and this would be contrary to what we believe.

2) There is a specific method used against specific serial numbers that have been identified as pirate copies and have been making the rounds on ThePirateBay, RuTracker and other such malicious sites.

3) If such a specific serial number is used by a pirate (a person who has illegally obtained our software) and the installer verifies this against the pirate serial numbers stored in our server database, it takes specific measures to alert us. “Test.exe” is part of the DRM and is only targeted against specific pirate copies of copyrighted software obtained illegally. That program is only extracted temporarily and is never under any circumstances used in legitimate copies of the product. The only reason why this file would be detected after the installation completes is only if it was used with a pirate serial number (not blacklisted numbers).

This method has already successfully provided information that we’re going to use in our ongoing legal battles against such criminals.

We will be happy to provide further information to ensure that no customer feels threatened by our security measures - we assure you that there is nothing in our products that would ever damage the trust you have placed in our company by being our customer."

6 Likes
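The statement above describes the mechanism only in outline: the installer checks the serial against a server-side list, and on a hit it temporarily extracts a helper ("test.exe") that reads Chrome's saved passwords. Before running an installer that is rumoured to carry something like that, the practical check is a static triage of the file. The script below is an added example, not code from FSLabs' installer or from the tool itself: it looks for a second PE image embedded after the outer one (a dropped helper has to live somewhere inside the installer) together with the strings a Chrome credential dumper on Windows needs, the "Login Data" SQLite file in the Chrome profile and the DPAPI entry point CryptUnprotectData that unwrapped each stored password in Chrome of that era. The indicator list, the serial-format assumptions and the two sample blobs are constructed for the demo; nothing is read from disk or fetched from the network.

```python
"""Static triage of an installer image for a dropped credential-dumping payload.

Added example, not code from FSLabs' installer or from the "test.exe" helper
the thread discusses. It scans a byte buffer for:

  1. a second PE image embedded after the outer one (a drop candidate), and
  2. strings tied to harvesting Chrome's saved logins on Windows: the
     "Login Data" SQLite file under the Chrome profile and the DPAPI call
     CryptUnprotectData that (in Chrome of that era) unwrapped each password.

The indicator list and the sample blobs are constructed here for the demo.
"""
import struct


def _ascii_and_wide(s: str) -> tuple[bytes, bytes]:
    """Windows binaries carry a literal either as ASCII or as UTF-16LE; match both."""
    return s.encode("ascii"), s.encode("utf-16-le")


# Constructed indicator list; extend it with whatever your own triage turns up.
INDICATORS = {
    "chrome_login_db": _ascii_and_wide("Login Data"),
    "chrome_profile_dir": _ascii_and_wide(r"Google\Chrome\User Data"),
    "dpapi_unprotect": _ascii_and_wide("CryptUnprotectData"),
    "logins_table_query": _ascii_and_wide("FROM logins"),
}


def _find_all(blob: bytes, needle: bytes) -> list[int]:
    offsets, pos = [], blob.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(needle, pos + 1)
    return offsets


def find_pe_offsets(blob: bytes) -> list[int]:
    """Offsets of every DOS header whose e_lfanew points at a valid 'PE\\0\\0' signature."""
    found = []
    for pos in _find_all(blob, b"MZ"):
        if pos + 0x40 > len(blob):
            continue
        e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
        sig = pos + e_lfanew
        # a DOS header is 0x40 bytes long, so a smaller e_lfanew cannot be real
        if e_lfanew >= 0x40 and blob[sig:sig + 4] == b"PE\0\0":
            found.append(pos)
    return found


def find_indicators(blob: bytes) -> dict[str, list[int]]:
    """Map indicator name -> sorted offsets where any of its encodings occurs."""
    hits = {}
    for name, needles in INDICATORS.items():
        offs = sorted({o for n in needles for o in _find_all(blob, n)})
        if offs:
            hits[name] = offs
    return hits


def triage(blob: bytes) -> dict:
    """Flag the blob when an embedded PE *and* both core Chrome-credential indicators are present."""
    pe = find_pe_offsets(blob)
    hits = find_indicators(blob)
    embedded = pe[1:]  # everything after the outer image is a drop candidate
    suspicious = bool(embedded) and {"chrome_login_db", "dpapi_unprotect"} <= set(hits)
    return {"pe_offsets": pe, "embedded_pe": embedded, "indicators": hits, "suspicious": suspicious}


# --- constructed sample inputs (not real installers) --------------------------
def _fake_pe(body: bytes) -> bytes:
    """Minimal DOS header + PE signature so the scanner sees an image boundary."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    return bytes(hdr) + b"PE\0\0" + body


CLEAN_INSTALLER = _fake_pe(b"setup stub: copies files, checks serial, exits")
DROPPER_INSTALLER = (
    _fake_pe(b"setup stub: checks serial against server blacklist, extracts helper")
    + b"\0" * 64
    + _fake_pe(b"helper: " + "Login Data".encode("utf-16-le") + b"\0CryptUnprotectData\0"
               + b"SELECT origin_url, username_value, password_value FROM logins")
)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_INSTALLER), ("dropper", DROPPER_INSTALLER)):
        print(label, triage(blob))
```

A real installer is usually packed or compressed, so run this on the unpacked payload (or on what the installer writes to its temp directory while it runs) as well as on the raw file; string matching on a compressed resource finds nothing. Treat a hit as a reason to look closer, not as proof: plenty of legitimate software references DPAPI.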

Daoh, think I’ll skip this title, not that I store passwords anywhere but LastPass. I’m sure that their Airbus is amazing, but the ends don’t justify the means, IMO.

:popcorn:

1 Like

Shaaaady. I’d be done with them as a customer if it was me.

Interesting that they don’t state that this is a new ‘security system’. I wonder if it was also included in previous offerings but nobody noticed?

This makes me… uncomfortable…

Sounds like a really dodgy deal for all users.

Oh boy… looks like it made it to Rock Paper Shotgun…

2 Likes

Talk about a questionable practice. Honestly, even as a legit user I would not trust them in any way. If a developer is willing to include malware by design, then how can they be morally trusted with the ability to nab all my passwords and other potential sensitive information and what would stop them using it against me?

something something mafia movie.

Yeah, just saw that - thanks. How odd, or rather definitely one of those ‘what were they thinking?’ sort of things. With a quick read through the reddit thread and the RPS article, some thoughts:

  • The statement ‘It can not harm paying customers’ is logically the same as a software developer saying ‘Our software has no bugs - it’s impossible’. It might be true, or even very likely, but Murphy’s law and all that, then the consequences of an installer bug (sending all your Chrome web history usernames/passwords to a company) seems prohibitively high to mess around that way.

  • People in reddit etc often say things like ‘Did they check with their legal department?’. A quick look in LinkedIn shows that it is a 3 person outfit. They are pretty much amateurs, who specialize in a niche of building complex aircraft modules - it doesn’t legitimize what they were thinking, but it does sort of explain it, i.e. they might have some really odd views and have no idea what the laws are around this. Hint: of course it’s illegal, and of course any direct evidence of this would be inadmissible anyway.

  • In terms of what they were trying to do, I think most people missed the real reason. They were wanting username/passwords for things like private torrent sites. That would allow them to join illegal downloads, gather IPs of the leechers and/or poison the seed. Either that, or they thought they might get lucky and grab a facebook or gmail uid/password and then identify people like that and then ban them. Either way, not a smart way to enforce your digital rights as a legitimate company.

  • Piracy of low-volume high-cost specialist software does impact tiny companies like these. I personally don’t think this is a good way to combat that at all, but it at least explains their motivations. It’s very hard to explain to people who lose money directly to people stealing installs etc that the best way to combat this is with a better overall customer experience for the purchaser (patches, online content etc) rather than playing whack-a-mole with Captain Barbossa, especially where sometimes you end up accidentally hitting paying customers with a worse experience.

  • In a big picture way it is a microcosm example how tiny companies in a niche field end up sort of hating their customers. There is a big trust deficit in that the thinking isn’t about selling more product by being better or increasing the size of their market, it’s the thinking that there is a big section of the customer base that are basically thieves, and efforts to punish or pursue them are worth dev time. In flight sims there is a bit of the ‘we tolerate the stupid customer’ impression you get, that isn’t unique in the niche, but is a bit of a recurring theme. A lot of it is just the weird bubble these amateur outfits have to operate in, as both supplier and customer (flightsim customers are really high maintenance PITA types, avoid!) that have spent years sniping and bickering - I guess sort of like a bad marriage that no-one wants out of. :slight_smile:

Anyway, the temporary bad press windstorm will probably prevent others from trying out this idea.

3 Likes
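The first bullet above is the one a security engineer would press on: "it cannot hit paying customers" is only as true as the installer's error handling. The block below is an added example, not FSLabs' installer code; the JSON reply shape, the serial format and the Verdict names are assumptions made for the demo. It puts a careless blacklist check next to a careful one. naive_check() treats everything that is not a clean "not blacklisted" reply as piracy, so a timeout, an HTTP error page, a malformed body, a reply that belongs to a different serial, or a pasted serial with stray whitespace all push a paying customer down the punitive branch. careful_check() returns PIRATED only for a well-formed reply that echoes the queried serial and says so explicitly; every other outcome is UNKNOWN, which an installer can retry or degrade on but must never punish.

```python
"""Two ways an installer can turn a server blacklist answer into a verdict.

Added example, not FSLabs' code. Reply format, serial format and Verdict
names are assumptions for the demo.
"""
import json
import re
from enum import Enum


class Verdict(Enum):
    LEGIT = "legit"       # proceed with the install
    PIRATED = "pirated"   # positive, exact match against the blacklist
    UNKNOWN = "unknown"   # could not decide: retry later, never take punitive action


# Assumed serial shape for the demo: four groups of four alphanumerics.
SERIAL_RE = re.compile(r"^[A-Z0-9]{4}(?:-[A-Z0-9]{4}){3}$")


def naive_check(serial: str, server_reply: str) -> Verdict:
    """Bug: every failure mode falls through to PIRATED."""
    try:
        data = json.loads(server_reply)
        if data["status"] == "ok" and not data["blacklisted"]:
            return Verdict.LEGIT
    except Exception:
        pass
    return Verdict.PIRATED


def careful_check(serial: str, server_reply: str) -> Verdict:
    """Only a well-formed, serial-matching, explicit 'blacklisted: true' yields PIRATED."""
    serial = serial.strip().upper()
    if not SERIAL_RE.match(serial):
        return Verdict.UNKNOWN          # typo or paste damage, not evidence of anything
    try:
        data = json.loads(server_reply)
    except (TypeError, ValueError):
        return Verdict.UNKNOWN          # timeout, HTML error page, truncated body
    if not isinstance(data, dict) or data.get("status") != "ok":
        return Verdict.UNKNOWN
    if str(data.get("serial", "")).upper() != serial:
        return Verdict.UNKNOWN          # answer to some other request; do not apply it here
    flag = data.get("blacklisted")
    if flag is True:
        return Verdict.PIRATED
    if flag is False:
        return Verdict.LEGIT
    return Verdict.UNKNOWN              # missing or non-boolean field


# Constructed sample replies for one serial (not captured from any real server).
SERIAL = "ABCD-1234-EFGH-5678"
REPLY_OK = json.dumps({"status": "ok", "serial": SERIAL, "blacklisted": False})
REPLY_BLACKLISTED = json.dumps({"status": "ok", "serial": SERIAL, "blacklisted": True})
REPLY_OTHER_SERIAL = json.dumps({"status": "ok", "serial": "ZZZZ-0000-ZZZZ-0000", "blacklisted": True})
REPLY_SERVER_ERROR = "<html><body>500 Internal Server Error</body></html>"
REPLY_TIMEOUT = ""   # the empty body a timed-out HTTP client hands back

if __name__ == "__main__":
    cases = [("ok", REPLY_OK), ("blacklisted", REPLY_BLACKLISTED),
             ("other serial", REPLY_OTHER_SERIAL), ("500 page", REPLY_SERVER_ERROR),
             ("timeout", REPLY_TIMEOUT)]
    for label, reply in cases:
        print(f"{label:13} naive={naive_check(SERIAL, reply).value:8} "
              f"careful={careful_check(SERIAL, reply).value}")
```

Run stand-alone, the table shows the naive version returning "pirated" for the 500 page, the empty body and the mismatched-serial reply, exactly the cases a flaky connection or a server bug produces for an honest buyer. What to do on a genuine PIRATED verdict is a separate policy question; the point here is that the decision path must fail to UNKNOWN, not to the punitive branch.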

I get wanting to stop piracy.

I hope they get that they are essentially pirating.

Not wanting to throw FSLabs under the bus, let’s hope that it was a well intended oversight.

/rant mode engaged
Still, there seems to be a disconnect sometimes between vendors and what are acceptable cybersecurity practices. Case in point, one of our clients engaged Dell SecureWorks as a security service provider (SSP). Even though we had taken great pains to prevent cybersecurity incidents at multiple levels, I thought fine. Another set of eyes watching the gate would probably be a good thing. Then I was shocked to find that they required Java installed in order to access their management portal! Are you kidding me?

And the way the banks and software publishers encourage the very behavior that they are supposed to prevent, like sending emails with embedded links to URLs that are either not owned by them or not their main domain. I know how to check domain ownership, but I bet that the average computer user either does not know how, or can’t be bothered. We make it easy for the bad guys.

And when installing software, there is an instruction to disable endpoint protection. Not I.
/rant mode disabled

1 Like

Ah…that was what I was really wondering. I didn’t figure it was cost effective at all for them to go after individuals in countries spread around the globe to try to prosecute someone. But I hadn’t thought that they were just probably after the method the files were getting passed around. If they were willing to snag passwords, I would guess they would also purposely upload a malware version of their files to those sites that would probably destroy people’s computer (or ransomware…?). Man…what an ugly face it puts on that company.

That one always gets me. Whether it is my legit credit card company or my credit union…I don’t know why they’d ever send an e-mail with a link. And I’m a skeptic…so I can only imagine how many people fall for scams like that.

Speaking of scams, we got an interesting e-mail from our Chief Pilot a few days ago detailing another scam. Apparently one of the crews was staying in a hotel and got a call from the front desk asking them for their credit card because they had forgotten to run it for “incidentals”. The pilot was suspicious about giving his credit card # over the phone. The guy on the other end threatened to have security throw him out of the hotel. Of course, when he went down to the lobby to provide the CC information, there was no need for it. The call had come from either another room or outside the hotel. I found that one to be a pretty crafty one.

Wouldn’t providing multiple patches/upgrades over a short span that included a serial checker against all known pirated copies allow for developers to constantly hassle pirates? I would think that would work…but I’m not a software developer. :smiley:

1 Like

This is why most hotels don’t have an open line in and you have to go through the front desk to reach a room, by providing a correct room number and name. So perhaps he’s being scammed by someone he knows or vaguely met? Or perhaps the hotel has no such scheme going on.

1 Like

European hotels nearly always seem to use the front desk route, while US hotels don’t tend to. It’s a weird cultural difference.

Having worked at the other end of the spectrum (a large multinational console game publisher), it’s interesting to see how a smaller dev looks at the piracy issue. When you’re cranking out 100K units of a particular product on physical media, the issue is a lot different.

I can certainly sympathize with the dev wanting people to pay for their product, but I think they missed the forest for a weed here. I’d be very surprised if they lost more than a few dozen sales at most to pirated copies of the software vs the potential fallout from this mess. The number of folks who are into FS’ing enough to want a study sim of an A320 for FSX or P3D is low. The folks getting copies off of a pirate site are probably not your client base. Is it possible that maybe a couple of folks would have? Sure, anything’s possible, but this isn’t the newest edition of CoD or whatever pirating hotness is out there.

1 Like

The other school of thought is that rather than hassle the pirates, use the patches and upgrades to improve the continued experience for the paying customer… The thinking is that often people stealing the software weren’t going to buy it anyway, so effort is nearly always better spent growing nice carrots rather than sharpening sticks.

DRM will probably always be needed for casual piracy, but beyond that the best way to combat it is to build products people love and then keep rewarding the people that pay. Everything else wasn’t a lost sale, but more someone that might never have paid anyway.

4 Likes

DRM or not, an exe to hack your passwords is unacceptable IMO. How about an exe to delete the install or something if they detect pirated serials?

The trouble then, if they go down the destructive road, is if any others get accidentally caught in the crossfire. It’s like on one hand they say ‘it’s beta software, you should expect bugs’ but then say ‘this installer is 100% infallible, it’s impossible for us to make a mistake detecting pirate serial numbers, no bugs!’. It sort of erodes trust as well.

Probably the most enjoyable DRM solution I remember was in ‘Game Dev Tycoon’.

It would play as normal, but if it detected piracy (i.e. a known bad serial number etc) then it wouldn’t let the player know, but gradually make the game impossible to win. Each game you released in the sim would get hit by a growing piracy problem, so your profits would be hit. Eventually it would bankrupt your games company. The developer even went as far as uploading the ‘bad version’ to pirate sites and then let people discover what happened themselves.

The support forums were hilarious, i.e. ‘This game is impossible, I keep going broke!’ to which the indie developer would reply ‘Yes, it’s tough, isn’t it?’. Some of the pirates then started to ask for sim-DRM to be allowed on the games they published in-game to combat this problem. :slight_smile:

4 Likes