
A320-X DRM: What happened - marklyon
https://forums.flightsimlabs.com/index.php?/announcement/11-a320-x-drm-what-happened/
======
kevinday
Previously:
[https://news.ycombinator.com/item?id=16412541](https://news.ycombinator.com/item?id=16412541)

It sounds like they distributed a tool that goes through your Chrome saved
passwords database and if the installer thinks you're a pirate, it sends
credentials from that database back to the author. The author is now saying
they used credentials they learned from this to break into a private website
to learn more about how their DRM was being bypassed.

This seems so incredibly illegal, I can't believe they admitted that this is
what they're doing.

~~~
ams6110
Never trusted browser saved passwords. One of the first things I disable after
I install a browser. Also disable saving form data.

~~~
Buge
Even if you don't save passwords in Chrome, malware can still keylog you, or
steal your password from whatever other password database you use.

~~~
madez
That's what hardware-backed crypto protects against. Passwords on their own are
a bad security practice.

A tiny dedicated computer like Tomu[0] that fits into your computer, that
provides authentication (and similar cryptographic functionality), with
independent input (touch) to receive manual ACKs and output (LED) to provide
feedback, with no other functionality, is a cheap, reasonably safe, and
convenient solution. Maybe unlock it on boot (and after timeout) with a
password/PIN for good measure.

[0] [https://www.crowdsupply.com/sutajio-kosagi/tomu](https://www.crowdsupply.com/sutajio-kosagi/tomu)

~~~
subway
This sort of thing is awesome in theory, but in practice it kinda sucks, and
will continue sucking until it becomes a first-class feature in the eyes of
browser and desktop environment developers.

Currently I'm using Chrome backed by KWallet backed by PGP key on a YubiKey 4.
Upon launching Chrome I have to authenticate with/touch the Yubikey to unlock
my session, which is spiffy, but after that seemingly random pages (even in an
incognito window) will prompt Chrome to unlock my keychain. The Yubikey will
flash, indicating _something_ wants access to it, but I have no indication of
what that something is. If I ignore the flashing, eventually a KWallet window
pops up complaining about being unable to use the GPG key.

~~~
madez
What you are describing is a specific scenario based on specific solutions. I
see multiple things going wrong there.

Chrome shouldn't access your credentials without telling you what it's used
for. Chrome shouldn't expose cryptographic identities in incognito mode. The
Yubikey's output is vague.

What can we learn from that?

Chrome has shortcomings in this domain. Just one monochrome LED is maybe not
enough output to give reasonable feedback.

My online banking security system is called chipTAN and uses a small,
monochrome, low-res display to give essential information for what is being
processed which I need to acknowledge. That works well, but is also a single-
purpose solution.

For identification on the internet, a solution based on GPG seems reasonable.
Imagine a small display that shows the receiver you are identifying to, the
identity you are using, and for how long the identification is valid, and then
you can acknowledge that.
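
The "what you see is what you sign" property madez describes for chipTAN, and for the imagined identification display, can be sketched in a few lines. The following is an added example, not code from anyone in this thread or from any real token: a simulated device whose MAC covers exactly the text it displays (receiver, identity, validity, challenge) and which only answers after the user acknowledges that text. It uses a per-identity secret shared with the verifier in place of the GPG key pair the comment has in mind (an assumption made for brevity, closer to how chipTAN itself works), and models the touch button as a callback; the names, identities and secrets are constructed.

```python
"""Simulated display-and-acknowledge token: the MAC covers exactly what was shown.

Added example. A per-identity secret shared with the verifier stands in for the
GPG key pair the discussion envisages (assumption); the ack callback is the button.
"""
import hashlib
import hmac
import time


def render(receiver, identity, not_after, nonce):
    """Canonical display text. Whatever the user reads is, byte for byte, what gets MACed."""
    return f"TO    {receiver}\nAS    {identity}\nUNTIL {not_after}\nNONCE {nonce}"


class DisplayToken:
    def __init__(self, identities, ack):
        self._identities = identities   # identity -> secret (constructed)
        self._ack = ack                  # callable(text) -> bool, the touch button
        self.display = ""                # what is currently on the little screen

    def identify(self, receiver, identity, lifetime_s, nonce, now=None):
        """Produce an assertion for `receiver`, but only after the user acknowledges the display."""
        if identity not in self._identities:
            return None
        now = int(time.time()) if now is None else now
        not_after = now + lifetime_s
        self.display = render(receiver, identity, not_after, nonce)
        if not self._ack(self.display):          # user saw an unexpected receiver and declined
            return None
        tag = hmac.new(self._identities[identity], self.display.encode(),
                       hashlib.sha256).hexdigest()
        return {"receiver": receiver, "identity": identity,
                "not_after": not_after, "nonce": nonce, "tag": tag}


def verify(assertion, expected_receiver, identities, now=None):
    """Receiver-side check: made for me, still valid, untampered."""
    if assertion is None or assertion["receiver"] != expected_receiver:
        return False                         # issued for someone else: relay/phishing attempt
    now = int(time.time()) if now is None else now
    if now > assertion["not_after"]:
        return False                         # the validity window the user acknowledged has passed
    key = identities.get(assertion["identity"])
    if key is None:
        return False
    text = render(assertion["receiver"], assertion["identity"],
                  assertion["not_after"], assertion["nonce"])
    expected = hmac.new(key, text.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["tag"])   # constant-time compare


# Constructed scenario: the user will only press the button for bank.example.
IDENTITIES = {"alice@example.net": b"constructed-shared-secret"}


def user_reads_display(text):
    return text.startswith("TO    bank.example\n")


def scenario(now=1_000):
    """Honest use, a malware-swapped receiver, a replay to another site, expiry, tampering."""
    token = DisplayToken(IDENTITIES, user_reads_display)
    honest = token.identify("bank.example", "alice@example.net", 60, "n1", now=now)
    swapped = token.identify("evil.example", "alice@example.net", 60, "n2", now=now)
    tampered = dict(honest, not_after=honest["not_after"] + 3600)
    return {
        "honest_ok": verify(honest, "bank.example", IDENTITIES, now=now + 30),
        "swapped_receiver_declined": swapped is None,
        "replay_elsewhere_ok": verify(honest, "other.example", IDENTITIES, now=now + 30),
        "expired_ok": verify(honest, "bank.example", IDENTITIES, now=now + 61),
        "tampered_ok": verify(tampered, "bank.example", IDENTITIES, now=now + 3000),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The point the scenario makes is that the receiver is part of the acknowledged, MACed text: malware on the host can ask the token to identify to evil.example, but the display then says so and the user declines, and an assertion the user did approve for one site cannot be relayed to another. Compare the KWallet case above, where the LED blinks without telling the user who is asking.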

------
Twirrim
I wonder if they realise just how _illegal_ their actions are, and that
they've fully confessed to breaking the law?

They should have at least sought legal advice before trying to do what they
did, but failing that at least sought it before posting this message.

~~~
retox
They should go the FB/Goog route and claim it was a bug.

~~~
chopin
Would that hold water? A file was added to the installer which has clearly
nefarious purposes. As well the output produced by running that file was
caught by another executable and sent home. Pretty hard to say that this
wasn't intentional. Even if you would claim it was bundled erroneously, why
would that be part of your code base anyway? It has no legitimate use there.

------
paraxisi
Sent base64'd to a non-secure endpoint with open RDP... ouch.

[https://www.fidusinfosec.com/fslabs-flight-simulation-labs-d...](https://www.fidusinfosec.com/fslabs-flight-simulation-labs-dropping-malware-to-combat-piracy/)

------
userbinator
If anything this is just going to make the crackers keep cracking
their releases even more, because one thing they certainly love is a good
challenge, and these "bomb-like" features would appeal to them greatly.

(Long-retired cracker, no longer active in the scene but still fights from
time to time. ;-)

------
eps
What's the background exactly?

As I read it, they had a function to grab various bits of data from a specific
machine that was linked to a specific cracker. Did it misfire and started to
pilfer data from other unrelated machines?

Edit - for the record, the original post title was something like
"Flightsimlabs attempts to explain their password-stealing DRM malware".

~~~
marklyon
Here's a Reddit thread discussing the malware:
[https://www.reddit.com/r/flightsim/comments/7yh4zu/fslabs_a3...](https://www.reddit.com/r/flightsim/comments/7yh4zu/fslabs_a320_installer_seems_to_include_a_chrome/)

I'm shocked that the company admitted to doing this.

~~~
originalsimba
Admitting to the crime is a form of damage control. Someone with a clue
figured out what was going on, spoke to the lawyers, and determined that the
penalties, if any, would be harsher if they wait for a trial before admitting
guilt.

That's all it was. They are in a lot of trouble, potentially, and it will be
interesting to see how this plays out. I am hoping that charges will be
pressed, because this is not the first time developers have "booby trapped"
pirated software, but it could be the last if justice is served.

~~~
SlowRobotAhead
All for their DRM scheme.

I still find it interesting how many people don’t realize that generosity
could be a valuable part of your product. That growing the industry as a whole
may be more important than getting back at people who weren’t going to buy
your product anyhow.

~~~
cm2187
I can see generosity working for a single developer but you are not going to
build Electronic Arts with donations alone.

~~~
originalsimba
What's wrong with that? Electronic Arts is a cancer on the gaming industry.

------
ocdtrekkie
I sort of appreciate the creativity here, though it's blatantly creepy and
uncomfortable for a software vendor to be pushing updates with single-user-
targeting functionality, in particular, to say nothing of the spyware issue
itself.

~~~
anilakar
Ham Radio Deluxe blacklisted one user for writing a critical review, then
blackmailed him to remove the review in exchange for lifting the ban:
[https://www.theregister.co.uk/2016/12/21/amateur_radio_fans_...](https://www.theregister.co.uk/2016/12/21/amateur_radio_fans_drop_hammer_on_hrds_blacklist/)

------
Johnny555
What I don't understand from their explanation is why they had to do this at
all -- if they could identify the bogus serial numbers, then why not just
block those serial numbers from registering?

~~~
jandrese
Might have been a whack a mole situation where the crackers have figured out
how to make keys and they know how to switch them easily whenever you
invalidate one.

~~~
TylerE
So maybe stop wasting effort on a clearly lost battle and instead spend it on
making your product so brilliant people will be begging you to take their
money?

------
k_sze
I wonder if they are in fact shooting themselves in the foot in their fight
against this cracker.

Aren’t there laws that basically invalidate evidence gathered by illegal
means?

~~~
cjensen
In the US, there are laws that invalidate evidence gathered by _the
government_ through illegal means. This simply does not apply to private
entities.

------
cptskippy
I am curious what the piracy rates are for this game vs actual sales, because
I am having a hard time justifying investing that much effort into what they
did.

~~~
tomalpha
I wonder if the publisher even knew, or could ever know. It's presumably hard*
to work out the counterfactual - how many more sales would have been made in
the absence of the crack/keygen being available.

They do mention that they kept seeing repeated personal information being used
on registration, but also that the cracked version was changed to use a
different activation server. Confusing.

*or even impossible

------
mdip
Gotta say, on reading this I went _"They did what?!"_. This raised my
eyebrows so much, I'm fairly certain they're now lost somewhere in my
hairline. In the US, at least, I'm fairly certain they've broken more than a
few laws. Kudos to them for admitting it, entirely; I guess that would be the
only hope they'd have of ever re-gaining any sort of trust with their install
base, but they'd be equally smart to find a lawyer[0].

I get that a _lot_ of time and effort goes into developing a product and it's
_really_ frustrating when you find out that your product is being pirated. I
can't imagine if I'd happened upon a whole community sprung up around pirating
my product; they had to be incredibly angry and this likely led to this
terrible idea. And no matter how often you repeat to yourself that "piracy
does not represent lost sales", when you've poured your time into something --
time that you hope will make you a nice living, time that you took away from
your family or other enjoyable pursuits -- you tend to get _really angry_ when
you find out there are people that think it's perfectly OK for you to work for
free.

I like to repeat the mantra that "piracy does not equate to lost sales" and
tell myself that those wouldn't be paying customers anyway, or they're not my
real target audience, or that it speaks to the popularity of the product if
someone went to the trouble to crack it. And I'm a believer that effort spent
on DRM is wasted (especially efforts like this). It's not entirely true, of
course. I always think back to the story I read a few years ago about the
TCP/IP stack that nearly every DOS PC used -- a piece of shareware that, at
the time, was probably the most popular piece of shareware in existence. I'm
sure I, like many, didn't even think to pay for it and operated under the
assumption that large corporations were probably using it and the developer
was probably using $20 as kindling by now when in reality I think he netted
somewhere in the _thousands_ of dollars for his efforts.

At the same time,... well... _this_.

_This_ is exactly what happens when you focus on piracy so hard. Developer
time is a finite resource and this company wasted that time developing a piece
of DRM that is indistinguishable from malware. It succeeded in _not_ stopping
the pirates, _not_ catching the pirates, angering their _paying_ customers,
easily exposing them to civil legal issues and possibly exposing them to
criminal legal issues. That little bit of wasted developer effort could very
well _end_ the company that made this product in a way that piracy probably
never would have. Assuming their customers _like_ the product and would like
it to continue to exist, this company basically did everything in their power
to _not_ serve their customers.

To be clear, I'm not completely against purchase verification in software
products. If it's light-weight, and doesn't get in my way as a customer, it's
fine (i.e. provide the ID/password used when it was purchased with a fallback
to an offline serial number ... asked _one time_ and _never again_ ). I get
it. A small road block is enough to keep my mom or dad from grabbing a copy
that a friend attached to their e-mail. Heck, in the case of my mom or dad,
they may not even _realize_ that it's not a free product if it _doesn't_ ask
for some form of verification. I don't mind how Steam works or how the variety
of stores handle these sorts of things. If your DRM effort goes beyond
this, it's wasted effort. You're not going to stop a determined pirate even
(especially?) if the product you're selling _is an anti-piracy product_. Just
don't. Don't waste the effort. It's _never_ worth it.

Even as I write this I'm still _amazed_. I get frustrated when I upgrade my
CPU/memory/GPU and _Office_ won't run without some extra steps. I can't
_imagine_ if step #2, after falsely identifying me as a pirate, was "send a
bunch of personal data to the authors"[1] so they can turn me in to the
authorities. Pro-DRM folks like to equate piracy with theft, so I'll make an
equally poor analogy and say that'd be like if I purchased bed sheets at Wal-
Mart, and the processor in those sheets[2] decided I stole them, so they
started sending the GPS location of my house along with pictures of my bedroom
to corporate so that they could turn that information over to the police.

[0] Sure wouldn't be difficult to compare this with any other piece of malware
in its behavior, but IANAL.

[1] And yes, I realize that they've stated that they're looking for specific
information from a specific pirate that they consider to be the _source_ of
the problem, but including that payload in the installer makes me question the
truth of this statement. I don't have any reason to dis-believe them,
especially considering they've basically written up a post admitting to a
bunch of activity that may very well be illegal in nature, but having no way
to verify that they are telling the truth, or that there isn't a circumstance
that could false-positive flag someone who _isn't_ that very specific case, I
will err on the side of assuming the worst in this case.

[2] I laughed when I wrote that, then I thought ... there's probably already
sheets with processors in them. If there isn't, there will be. Shortly
followed by the first case of DDoS by IoT bed-sheets.

------
supergirl
would be funny if the pirate sues these guys for hacking and puts them in jail

~~~
duncan_bayne
That is a very possible outcome, especially as several of the actors involved
are based in the EU.

------
dmitrygr
If they are in the US, anybody on whose PC this ran, including the Cracker,
can probably get them all thrown in jail for CFAA violations.

------
shmerl
Releasing DRM-free is a thing if you want to respect your users, instead of
insulting them.

------
kseifried
This now has the identifier: [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7259](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7259)

------
singularity2001
from the headline I thought it was about the Iranian airplane that crashed

