
Flight Sim Company Embeds Malware to Steal Pirates’ Passwords - unhammer
https://torrentfreak.com/flight-sim-company-embeds-malware-to-steal-pirates-passwords-180219/
======
detaro
previously:
[https://news.ycombinator.com/item?id=16412541](https://news.ycombinator.com/item?id=16412541)
and
[https://news.ycombinator.com/item?id=16416401](https://news.ycombinator.com/item?id=16416401)

------
slivym
> In a nutshell, FlightSimLabs installed a password dumper onto ALL users’
> machines, whether they were pirates or not, but then only activated the
> password-stealing module when it determined that specific ‘pirate’ serial
> numbers had been used which matched those on FlightSimLabs’ servers.

We installed spyware on your PC, but trust us, we didn't use it, we only used
it on the people we didn't like...

> “This method has already successfully provided information that we’re going
> to use in our ongoing legal battles against such criminals,” Kalamaras
> revealed.

We're going to introduce documents into a legal process that were obtained
through illegal means and hope we don't get counter-sued.

It looks like once again, a gaming company has decided to stop working on
making games, and start working on a convoluted game of cat and mouse with
unemployed anonymous nerds. What could go wrong...

~~~
moviuro
> We installed spyware on your PC, but trust us, we didn't use it, we only
> used it on the people we didn't like...

_And, yes, your AV is showing a false positive ;)_ [0]

Also, piracy doesn't seem to have a huge impact (if any) on sales[1]

[0] [https://www.fidusinfosec.com/wp-content/uploads/2018/02/Oct-2017.png](https://www.fidusinfosec.com/wp-content/uploads/2018/02/Oct-2017.png), from
[https://www.fidusinfosec.com/fslabs-flight-simulation-labs-dropping-malware-to-combat-piracy/](https://www.fidusinfosec.com/fslabs-flight-simulation-labs-dropping-malware-to-combat-piracy/)

[1] [https://juliareda.eu/2017/09/secret-copyright-infringement-study/](https://juliareda.eu/2017/09/secret-copyright-infringement-study/)
[https://juliareda.eu/wp-content/uploads/2017/09/displacement_study.pdf](https://juliareda.eu/wp-content/uploads/2017/09/displacement_study.pdf) see page 79 for games

~~~
ravingraven
I'm pretty sure that piracy does have a huge impact on sales for niche addons
and games like that. The client base is very, very small and anything that is
not absolutely perfect quality does not get sold these days (seriously, look
at the quality and effort that has gone into some PMDG planes or the ixeg 737,
it's astounding). Small client base plus very good quality equals everyone
must pay their share for the product to be viable.

That being said, what FSLabs did is of course inexcusable.

~~~
slivym
That really doesn't change the argument surrounding piracy - the contention is
that piracy doesn't displace sales. If that's true, it is literally not
affecting whether everyone is paying their share. The people who pirated it
simply were never going to pay for it whether they play it or not.

I tend to agree with you though, if you make a game that requires incredible
attention to detail, hugely time intensive modelling work, and know that the
target market is a tiny niche then maybe the product is just not viable.

~~~
ravingraven
> The people who pirated it simply were never going to pay for it whether they
> play it or not.

I hear this argument a lot but can't see how it could possibly be correct. Sure, not
_everyone_ who pirates would buy instead but at least _some_ people would (it
probably is a small percentage, but it is not zero).

One can imagine that the effect of those few is amplified for titles with high
costs per unit.

~~~
simias
If you consider this you also have to consider people who pirate a game and
then decide to buy it later when they get the money or they realize that it's
worth the price. It happened to me on several occasions.

There's also the "photoshop effect", where piracy helps ensure that the
application remains the de-facto standard. Admittedly this is less applicable
for games but it might help with 3rd party controller support, modding
community etc...

~~~
danielbarla
In the context of niche games with pricey DLCs, I now have a significant
collection of TS2018 DLCs. If I was not able to "try out" that game a few
years ago in a less than legal fashion, I likely never would have gotten into
it in the first place. I have a similar trend with books; on several occasions
I've ended up owning (legally) the entire work of some author, simply because
a friend gave me their copy of a book.

I also believe that in the age of Steam specials, refunds, etc, people who
pirate your game are not "lost sales". They are usually doing it because their
appetite for games outstrips their budget, and they were highly unlikely to
pay for it in the first place. But there is a significant chance they may convert
to a paying customer, or at least market the game by word of mouth.

------
oliwarner
Their announcement yesterday[0] is barely half an apology.

The only mistake they're admitting to is that their malware ran on all
installations, when they meant for it to only run on pirates' computers. Or
that they got caught doing it.

There's no recognition that collecting this data from [innocent until proven
guilty] "pirates" was wrong. There's no confession of what they did with the
data they collected, but I can only imagine it amounts to a serious
infringement of global Computer Misuse Acts.

Just because you think somebody didn't pay for your software doesn't give you
carte blanche to do anything on their computer. Again, that is almost certainly a
criminal offence.

[0] [https://forums.flightsimlabs.com/index.php?/announcement/11-a320-x-drm-what-happened/](https://forums.flightsimlabs.com/index.php?/announcement/11-a320-x-drm-what-happened/)

~~~
dkersten
Also, just because the pirate broke the law doesn’t mean that stealing their
passwords or otherwise doing something nefarious isn’t equally or more
illegal.

~~~
patcheudor
The last time I checked, it's not okay to commit a felony in the pursuit of a
felon. I can't imagine this underwent anything close to a legal review before
it was implemented. Did they honestly think they'd get the pirates'
credentials, then authenticate with the pirates' accounts in an attempt to
uncover their real identity and not understand that crosses some major ethical
and legal boundaries? I don't think it would be an exaggeration to say that
their 'solution' was in itself criminal.

~~~
Wohlf
Only police are allowed to commit what would normally be crimes in the act of
pursuing criminals, and even then these cases are limited. The only exception
I can think of for normal people is self defense, which is not always legal.

~~~
gnode
There's also the concept of a citizen's arrest. Although I doubt this can be
broadened to include vigilantism by malware.

------
aclelland
I work at a games company, I get that hackers take up an enormous amount of
developer work but reading this article made my jaw hit the floor. This
couldn't have been a single developer making the decision. There must have
been multiple levels of management involved and no-one saw the legal or moral
issues?

To make matters worse, in the additional statement at the bottom of the article
they outright admit they used the tool and it wasn't a mistake:

> We found through the IP addresses tracked that the particular cracker had
> used Chrome to contact our servers so we decided to capture his information
> directly

~~~
aerique
Nevertheless a developer will be scapegoated.

~~~
detaro
Bit hard to sell after a manager already made a public statement defending the
practice.

------
JumpCrisscross
Little trick for finding a company’s legal jurisdiction: see who they are in
their privacy policy or terms of services. The lack of these policies is a red
flag. The forum where the CEO makes his statement raises this red flag [1].

The CEO’s LinkedIn Page says he is Greek. “Flight Sim Labs” produces no hits
in the Athenian corporate registry [2]. I did find a Flight Sim Limited in the
U.K., but registered to a different person [3]. This British Flight Sim Ltd
was formed about a month ago.

TL; DR Consider whether you, or customers like you, have legal recourse before
executing someone’s blob.

[1] [https://forums.flightsimlabs.com/index.php?/announcement/11-a320-x-drm-what-happened/](https://forums.flightsimlabs.com/index.php?/announcement/11-a320-x-drm-what-happened/)

[2]
[http://www.acci.gr/acci/shared/index.jsp](http://www.acci.gr/acci/shared/index.jsp)

[3]
[https://beta.companieshouse.gov.uk/company/11142081/officers](https://beta.companieshouse.gov.uk/company/11142081/officers)

~~~
ckastner
The privacy policy [4] does not appear to be linked from the homepage, but you
can reach it through search. It's devoid of any meaningful content, though.

The company appears to be a shell registered in Cyprus [5]. The address on an
older SSL certificate [6] matches the one in the registry.

[4] [http://www.flightsimlabs.com/index.php/privacy-policy/](http://www.flightsimlabs.com/index.php/privacy-policy/)

[5] [https://efiling.drcor.mcit.gov.cy/DrcorPublic/SearchForm.aspx?sc=0](https://efiling.drcor.mcit.gov.cy/DrcorPublic/SearchForm.aspx?sc=0)
(search for "flight", 2nd page. Can't link to it directly, apparently)

[6] [http://www.herdprotect.com/signer-flight-sim-labs-ltd-020d1789c5d944369ac8a5d647cf84c5.aspx](http://www.herdprotect.com/signer-flight-sim-labs-ltd-020d1789c5d944369ac8a5d647cf84c5.aspx) (link fixed, sorry)

~~~
dx034
As they accepted payments through PayPal, it'll be easy for law enforcement to
track down the owner. PayPal is very cooperative in these cases (as any bank).
A shell company won't help them if someone knows where they have their office.
The criminal offence isn't against the company anyway, it'll be against
natural persons working for the company.

But the worst that can happen for them short term is that PayPal (and credit
card vendors if they use them) block their account if they get too many
chargebacks as a result of that.

~~~
gnode
> The criminal offence isn't against the company anyway, it'll be against
> natural persons working for the company.

What makes you sure of this? Corporations can be criminally prosecuted, at
least in the United States and the United Kingdom.

------
JorgeGT
> We found through the IP addresses tracked that the particular cracker had
> used Chrome to contact our servers so we decided to capture his information
> directly

The issue is that IP/computer != single person. If they dump and steal the
Chrome credentials of the computers using pirated serials, they are most
probably stealing the credentials of law-abiding partners, parents, siblings,
children, etc. who also use that computer. Which is, of course, illegal.

In fact, it is probably a more serious offence than copyright infringement, if these
credentials are related to protected information such as financials,
healthcare, etc.

~~~
24gttghh
> The issue is that IP/computer != single person.

This brings up a thought I've had lately: The endgame of IPv6 -let's say, 100%
adoption, and the retirement of IPv4- will be IPv6=single device, no? I would
think that ends (in however many years it takes to get there) what little
anonymity IPv4 currently provides.

~~~
teraflop
In principle the situation isn't that different from IPv4. A device on an IPv6
network can cycle through a series of random "temporary addresses" which it
generates itself, without contacting a DHCP server. Someone who gets your IPv6
address can track it down to a specific network, but there's no record of
which device on that network initiated it, similar to IPv4+NAT.

(A couple of caveats. One is that attackers can still correlate different
connections within a short period of time, between temporary address
rotations. Another is that temporary address support is broken on some Windows
versions, so you may be leaking your MAC address all over the place without
knowing it.)
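
The temporary-address mechanism and the MAC-leak caveat above can be checked on your own host. The following is an added example, not code from the thread or from any project it discusses: it parses constructed `ip -6 addr show` output (the sample text is made up, not captured from a real machine), tells modified EUI-64 interface identifiers (which embed the MAC, with the fixed `ff:fe` in the middle) apart from random ones (RFC 4941 temporary or RFC 7217 stable-private), and flags global-scope addresses that expose the hardware address to remote peers. Function names are the example's own.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of `ip -6 addr show` output (not captured from a real host).
SAMPLE_IP_ADDR_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:7c9e:1a3b:55f0:2c91/64 scope global temporary dynamic
       valid_lft 86275sec preferred_lft 14275sec
    inet6 2001:db8:1:2:21a:2bff:fe3c:4d5e/64 scope global dynamic mngtmpaddr
       valid_lft 86275sec preferred_lft 86275sec
    inet6 fe80::21a:2bff:fe3c:4d5e/64 scope link
       valid_lft forever preferred_lft forever
"""

INET6_LINE = re.compile(r"^\s*inet6\s+([0-9a-fA-F:]+)/\d+\s+scope\s+(\w+)(.*)$")


def interface_id(addr: str) -> bytes:
    """Low 64 bits of an IPv6 address: the interface identifier (IID)."""
    return ipaddress.IPv6Address(addr).packed[8:]


def is_modified_eui64(iid: bytes) -> bool:
    """An IID built from a MAC (RFC 4291 App. A) has 0xFFFE inserted in the middle."""
    return iid[3] == 0xFF and iid[4] == 0xFE


def mac_from_eui64(iid: bytes) -> str:
    """Undo the modified EUI-64 construction: drop FF:FE, flip the U/L bit back."""
    octets = bytes([iid[0] ^ 0x02, iid[1], iid[2], iid[5], iid[6], iid[7]])
    return ":".join(f"{b:02x}" for b in octets)


def classify(addr: str) -> Dict[str, object]:
    """Describe how the IID of one address was most likely generated."""
    ip = ipaddress.IPv6Address(addr)
    iid = ip.packed[8:]
    info: Dict[str, object] = {"address": str(ip), "link_local": ip.is_link_local, "mac": None}
    if is_modified_eui64(iid):
        info["iid_kind"] = "eui64"          # derived from the NIC's MAC address
        info["mac"] = mac_from_eui64(iid)
    elif iid[:6] == b"\x00" * 6:
        info["iid_kind"] = "manual"         # e.g. ::1, typical of hand-assigned hosts
    else:
        info["iid_kind"] = "random"         # RFC 4941 temporary or RFC 7217 stable-private
    return info


def audit(ip_addr_output: str) -> List[Dict[str, object]]:
    """Parse `ip -6 addr` text and flag global addresses that expose a MAC."""
    findings: List[Dict[str, object]] = []
    for line in ip_addr_output.splitlines():
        m = INET6_LINE.match(line)
        if not m:
            continue
        addr, scope, flags = m.group(1), m.group(2), m.group(3).split()
        info = classify(addr)
        info["scope"] = scope
        info["temporary"] = "temporary" in flags
        # A link-local EUI-64 address is only visible on the local segment; a
        # global one is what remote peers (and their logs) get to see.
        info["leaks_mac_offlink"] = scope == "global" and info["iid_kind"] == "eui64"
        findings.append(info)
    return findings


def has_temporary_global(findings: List[Dict[str, object]]) -> bool:
    """True when at least one global address is a rotating temporary one."""
    return any(f["scope"] == "global" and f["temporary"] for f in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_IP_ADDR_OUTPUT)
    for f in results:
        print(f)
    print("temporary global address present:", has_temporary_global(results))
```

On a real Linux host, feed it the output of `ip -6 addr show` instead of the sample; a global address with `iid_kind == "eui64"` and no `temporary` sibling is the situation the caveat describes, and the `mac` field shows exactly what a remote server would be able to read off the address.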

~~~
24gttghh
I think my idea was that IPv6 easily _could_ be permanent per device as the
address space is so enormous, for now :)

------
stryk
OK, so what were they going to do with the evil cracker's passwords.... steal
from him? I'm no lawyer but how in the hell is this not a felony? They
intentionally distributed malware that steals passwords. Jesus christ, some
people, man... some people...

~~~
michaelt
> OK, so what were they going to do with the evil cracker's passwords.... steal
> from him?

Presumably get access to invitation-only torrent sites? To distribute more
malware / gather IP addresses for prosecution?

~~~
squarefoot
Get their Paypal credentials and pay for the game using fake purchases?

~~~
chrisper
And then get shutdown by PayPal for violating the ToS by transferring money
into your own account unauthorized. How would that help?

------
skate22
I remember in 7th grade I decompiled the client of a private server version
of a popular video game for a learning experience.

When sifting through the files I found a method called 'fillHDD' which would
recursively create files to fill your HD. I imagine this method was called
when people were caught cheating.

~~~
zbentley
That's possible, but it's also possible that it was there for testing: run a
test function that fills up the HD and try to save a game in order to make
sure that game-saving errors show up properly.

~~~
skate22
This was for an MMORPG; all the state data for a player was stored server
side, but this was a client side function.

------
Shengbo
This reads like an article you'd encounter on The Onion.

> “[T]here are no tools used to reveal any sensitive information of any
> customer who has legitimately purchased our products. We all realize that you
> put a lot of trust in our products and this would be contrary to what we
> believe.

Ok, so I guess there's no malware in the official downloads then.

> “Test.exe is part of the DRM and is only targeted against specific pirate
> copies of copyrighted software obtained illegally. That program is only
> extracted temporarily and is never under any circumstances used in legitimate
> copies of the product,”

Well, nevermind then.

> “This method has already successfully provided information that we’re going
> to use in our ongoing legal battles against such criminals,”

That's easily the stupidest thing I've read this week. Are they so oblivious
to how legal systems work that it didn't even occur to them to consult a
lawyer before attempting to distribute malware and steal people's information?

------
alkonaut
Aside from this being a terrible decision on their part altogether, why did
they _bundle_ malware? It means that legitimate customers get a program
installed that at least potentially shows up as malware. That in itself is bad
enough.

This is a desktop program; if they wanted to perform something bad on a
condition, why not just code it in their own program? The Chrome browser
history and password db could just be decrypted and uploaded, for example.
It's exactly the same thing and just as bad, but at least they didn't install
third party malware that shows up in AV on their paying customers. It's also
MUCH easier to deny since for the legitimate users there is neither any
suspicious signature, nor any suspicious network activity.

------
yAnonymous
What happens when your key is simply stolen and posted online? They think that
grants them the right to spy on all your passwords.

Where is the company, Flight Sim Labs Ltd., registered? It's difficult to find
an address. They also removed info from their About page. From their posts it
looks like they might be in the Netherlands.

Anyway, I'll contact the FBI and local authorities about this if I can find
out what jurisdiction they're in and I hope others do the same. This crap is
absolutely unacceptable.

~~~
pbhjpbhj
If the company causes the malware to be installed in your country, e.g. by
bundling it with customer software for customers in your country, then the
corresponding jurisdiction is almost certainly your own country.

There's a history of extradition to USA from UK for relatively minor
unauthorised access; this seems pretty major in comparison.

------
RandomCSGeek
I don't understand what the use of anti-piracy measures is. Most pirates are
those who won't pay for the software anyway. If an AAA game doesn't get
cracked, most people would simply get another cracked game and play it.

So companies aren't getting anything from anti-piracy measures. Rather, they
are wasting time and money on implementing these measures.

If I were to make software, I'd keep it DRM free. Maybe I'll give
occasional discounts to attract people who won't pay otherwise, but that's
it.

~~~
nugi
Yes, but that leaves a lot in the hands of the market. That terrifies anyone
with their ass on the line. Also, deliberately not drm'ing your product could
be seen in some legal situations as failing to protect your IP, making seeking
damages more difficult when wronged.

But business pressures aside, I do avoid DRM encumbered products and I direct
my clients to as well in most cases. You ARE hurting your bottom line with
DRM.

------
moviuro
So... stop trusting the game industry, I guess?

We probably should run our games in containers. Anyone got an idea about how
to do this? Isolate Steam/Origin/Games into their own little sandbox.

~~~
tobyhinloopen
Look at Android & iOS. They know how it is done.

Running apps in a sandbox should be the default behaviour for any OS by now.
No app should have the privileges to access any file by default, except for
files that are either created or owned by that app & user.

Sharing files between apps should be done as an opt-in basis, with explicit
permission by the user, either file-by-file or per group of files.

~~~
bloak
That doesn't work so well when the app is some snazzy file manager or back-up
tool. Of course the OS ought to provide good enough tools that users don't
need to install dodgy apps for such things but sadly the attitude nowadays
seems to be "there's an app for that", even if you only want to do some
trivial file conversion. Unless the OS is Debian, in which case the OS
includes a gazillion different tools for transforming PDFs, a big helping of
astronomical data, and several alternative kitchen sink implementations.

~~~
tobyhinloopen
That would work with "some snazzy file manager" or back-up tool; you just have
to give the app partial/full file-system access with a big fat warning, or it
has to use the OS's file manager to access the files. The OS then decides
whether to query the user, or use previously configured settings (like the
trivial file conversion example below).

A "trivial file conversion" tool can be implemented the same. The app tells the
OS "hey, I want some files to convert" and the OS either grants access to a
set of files/folders, or queries the user which file(s) (s)he wants to
provide. I.e. the "open file" modal is the only window to accessing files. You
can think of it like the HTML5 File upload & Drag/drop APIs, but a bit
extended & more user-friendly.

Obviously smart engineers can think this through for longer than 3 minutes
like I just did, and come up with better/user friendlier/safer solutions. But
it breaks all backwards compatibility in almost any desktop OS.

------
dod9er
It always comes down to "You have nothing to fear if you have nothing to
hide", "Just trust us and our ability to keep off free-riders". Once again I
really would like to stop giving admin-privileges to any windows-app that I
would like to use... but otherwise, I couldn't do anything with this piece of
hardware :)

~~~
mnw21cam
The kicker is that it doesn't actually need admin privileges to read your
Chrome password store.

~~~
gruez
How's that surprising? If Chrome can do it without admin permissions, why
can't any other program? There's no sandbox for win32 programs.

------
TomK32
Next time when making a pirate game that gets pirated, add a routine to use
the pirate's webcam for a mugshot and use that mugshot throughout the pirate
game for the baddies. Just a thought.

~~~
skjerns
You know that good hackers are wearing balaclavas!

~~~
TomK32
Thankfully there's some research on this [https://hackaday.com/2017/04/01/ask-hackaday-which-balaclava-is-best-for-hacking/](https://hackaday.com/2017/04/01/ask-hackaday-which-balaclava-is-best-for-hacking/)

------
titzer
Not OK. Private enterprises should not be engaging in this kind of espionage
against criminals. In meatspace, this is why there are police. Why don't we
have cyberpolice?

~~~
JumpCrisscross
> _Why don't we have cyberpolice?_

Most law enforcement agencies have e-crimes, digital crimes, Internet crimes,
_et cetera_ divisions.

~~~
titzer
I've never dealt with the police regarding e-crimes. Do they have capable
detectives in this area? I bet it varies widely.

------
Raphmedia
I am a flight sim enthusiast. I have joysticks, a track-IR setup, a VR headset
and a dedicated space for such simulation games.

Let me say loudly that I will never download any software from
flightsimlabs.com anymore and that any copy of their software I might have had
has been nuked to hell.

The second you admit to adding a keylogger to your software is the second I
lose all trust in you.

------
qwerty456127
Just don't let an application connect to the Internet unless you actually
want it to (i.e. I would only allow the browser, the SSH client and the
messenger). Good news: this policy is rather easy to implement on Windows
(Sphinx Windows 10 Firewall Control and many alternative application
firewalls), Mac (Little Snitch) and Android (DroidWall, XPrivacy). Bad news: it
seems quite hard to implement on GNU/Linux desktops (I don't know about any
practical solutions).

------
DC-3
For whatever reason, Flight Sim companies are some of the most customer-
hostile software companies out there.

~~~
chrisper
Yep. You also better never criticize them.

I pretty much left the flight sim community because it's so toxic and full of
these weird companies.

------
bawana
Brave new world. The new model to enforce compliance - steal valuable customer
info which will be used to make the customer's life hell if he/she does not
comply. Pre-emptive hostage taking as a security model?

------
rootlocus
Anyone else wondering why they had to use a cheap "test.exe" that is flagged
by malware websites instead of embedding the code (possibly write it from
scratch) into their binary?

------
kseifried
I have requested a CVE for this, due to unsafe password storage (CWE-256).

~~~
kseifried
Ah it got a CVE yesterday:

[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7259](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7259)

------
HenryBemis
> we have his name available upon request of any authorities"

When someone is stealing from me, or causing harm to my business and my
clients using my products, damaging my reputation, then I go to the Police, I
don't wait for them to read an article on torrentfreak.com or the comments
section in HN (which I think any security agency worth its salt must have an
eye on here too).

I'm going to help them out!!!!!

Hey FSLabs people!!!

FBI website is [https://www.fbi.gov/contact-us/](https://www.fbi.gov/contact-us/) (these guys know their e-crime stuff, they can help you out!)

Lefteris Kalamaras is definitely Greek, so...
[http://police.gr/](http://police.gr/) (I hear they got a decent e-crime
fighting unit over there)

(don't say I never did anything for you FSLabs, and NO I don't want a free
copy of your game on my PC)

------
ashelmire
The conclusion of this article seems to directly contradict that company’s
statement, while using the joining clause “in other words”. Seriously, go back
and read that with some skepticism. This is obviously a hit piece with no
journalistic integrity.

Some user downloaded an illegal copy that had malware and is trying to blame
the company, when that malware doesn’t appear for legitimate copies. Don’t
want malware? Don’t steal software that could have been tampered with.

~~~
Nicksil
The malware was included within every installation and supposedly deleted only
after a legitimate software key was installed thereafter. So, regardless of
whether you pirated the software, it was indeed installed on your system
without your consent.

