New Mac ransomware spreading through piracy (malwarebytes.com)
389 points by 1915cb1f 4 days ago | 343 comments

Apple puts so much pressure on security, shouldn't it be possible to block ransomware somehow on the OS level, possibly on all platforms?

I mean not many apps need to modify millions of files on all drives including network drives and dongles... It should be fairly easy to spot, something like:

1. If xxx wants to modify more than 50 files in 24 hours go to 2.

2. If some of the files were modified more than a week ago or if the files are in directories across multiple drives go to 3.

3. If some of the files are images/documents it's a no go, prompt user to accept and list the affected files.

I'd love something like this for my Synology, it's connected to my Macbook as a network drive and I store my backups there, if anything modifies these files without my knowledge I'm doomed. I need to access some of my backups on daily basis so it's kinda hard to disconnect the drive all the time :/
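The three-step rule proposed in the comment above, written out as an added example (not part of the original post, and not how any OS or product implements it). The event record, the extension list, the process names and the choice to count deletes and renames as modifications are assumptions; the sample events are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PurePosixPath

MAX_FILES = 50                 # step 1: "more than 50 files"
WINDOW = timedelta(hours=24)   # step 1: "in 24 hours"
OLD_AGE = timedelta(days=7)    # step 2: "modified more than a week ago"
# Assumption: extensions treated as "images/documents" in step 3.
USER_DATA_EXTS = {".jpg", ".jpeg", ".png", ".heic", ".pdf",
                  ".doc", ".docx", ".xlsx", ".txt"}
# Assumption: deleting or renaming an existing file counts as modifying it,
# so a copy-then-delete pattern is not invisible to the rule.
MODIFYING_OPS = {"write", "delete", "rename"}


@dataclass(frozen=True)
class FileEvent:
    process: str          # name of the process performing the operation
    op: str               # "create", "write", "delete" or "rename"
    path: str             # absolute path of the touched file
    volume: str           # mount point / drive the file lives on
    when: datetime        # time of the operation
    prev_mtime: datetime  # file's modification time before the operation


def evaluate(events, now):
    """Apply the three steps per process.

    Returns {process: (decision, reason, affected_files)} where decision is
    "allow" or "prompt". Processes with no modifying operation in the window
    do not appear in the result.
    """
    touched = defaultdict(dict)  # process -> {path: first modifying event}
    for ev in events:
        if ev.op in MODIFYING_OPS and now - WINDOW <= ev.when <= now:
            touched[ev.process].setdefault(ev.path, ev)

    verdicts = {}
    for process, by_path in touched.items():
        evs = list(by_path.values())

        # Step 1: more than 50 distinct files in 24 hours?
        if len(evs) <= MAX_FILES:
            verdicts[process] = ("allow", "step 1: low file count", [])
            continue

        # Step 2: any file last modified over a week ago, or several drives?
        has_old = any(ev.when - ev.prev_mtime > OLD_AGE for ev in evs)
        multi_volume = len({ev.volume for ev in evs}) > 1
        if not (has_old or multi_volume):
            verdicts[process] = ("allow", "step 2: only fresh files, one drive", [])
            continue

        # Step 3: images/documents among them -> ask the user, list the files.
        user_files = sorted(
            p for p in by_path
            if PurePosixPath(p).suffix.lower() in USER_DATA_EXTS
        )
        if user_files:
            verdicts[process] = ("prompt", "step 3: user data affected", user_files)
        else:
            verdicts[process] = ("allow", "step 3: no images/documents", [])
    return verdicts


def sample_events(now):
    """Constructed sample data, not captured from any real system."""
    t = now - timedelta(minutes=30)
    fresh = now - timedelta(hours=2)
    old = now - timedelta(days=90)

    def batch(proc, op, pattern, volume, count, prev):
        return [FileEvent(proc, op, pattern.format(i), volume, t, prev)
                for i in range(count)]

    return (
        # A few manual saves of old notes.
        batch("editor", "write", "/Users/a/Documents/note{}.txt", "/", 3, old)
        # 60 photos imported two hours ago, then re-tagged.
        + batch("photo-import", "write", "/Users/a/Pictures/new{}.jpg", "/", 60, fresh)
        # 200 stale object files rebuilt.
        + batch("compiler", "write", "/Users/a/src/build/o{}.o", "/", 200, old)
        # Old documents rewritten on the internal disk and on a network share.
        + batch("bulk-rewriter", "write", "/Users/a/Documents/r{}.docx", "/", 40, old)
        + batch("bulk-rewriter", "write", "/Volumes/nas/backup/p{}.jpg", "/Volumes/nas", 40, old)
        # New copies created, then the 70 originals deleted.
        + batch("copy-delete", "create", "/Users/a/Documents/c{}.pdf.enc", "/", 70, t)
        + batch("copy-delete", "delete", "/Users/a/Documents/c{}.pdf", "/", 70, old)
    )


if __name__ == "__main__":
    now = datetime(2020, 7, 4, 12, 0, 0)
    for proc, (decision, reason, files) in evaluate(sample_events(now), now).items():
        print(f"{proc:14} {decision:6} {reason} ({len(files)} files listed)")
```
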

Windows 10 has just what you describe: https://www.bleepingcomputer.com/news/microsoft/how-to-enabl...

Of course, bad guys still can 1) create encrypted copy and delete originals instead of modifying files in place; 2) disable protection alongside with A/V and proceed as usual; and my favorite 3) rely on built-in disk encryption mechanisms and simply overwrite encryption keys & salts.

> 2) disable protection alongside with A/V and proceed as usual

How would the malware do that? I've looked into this and with Windows 10 1903 onward, Tamper Protection is enabled by default. [1]

I have yet to find a programmatic method to disable Tamper Protection (which is a prerequisite to disable Defender). I've tried regedit (permission denied), GPO, and all other manner of PowerShell thuggery, but I have not succeeded. In the end, I scripted extracting and editing the registry hive offline (outside the VM) to disable Tamper Protection.

Unless the malware has a way to open the Settings app and toggle Tamper Protection in the UI as if they were a user, I can't think of any way they could disable it unless they exploit a known weakness in Defender or a third-party anti-virus program (entirely possible).

[1] https://docs.microsoft.com/en-us/windows/security/threat-pro...

Tamper protection is really meant for enterprise. Disabling it is exactly as hard as gaining privilege escalation. It is harder to achieve in AD (of course attackers gain lateral movement opportunities instead, but that's a different story), so Tamper protection makes sense there as an additional "security in depth" layer. At home where the logged in user is likely an admin already (even if "protected" by run as / UAC), tamper protection doesn't really add much apart from breaking existing exploit kits and requiring attackers to invest into new ones.

That seems like something different - macOS already protects access to stuff like the Documents and Photos folders, etc out of the box (you have to give permission on first run, everyone complained that macOS has turned into Vista).

But if you thought the app was good and granted it access and it then goes wild...

> Windows 10 has just what you describe [link]

I've looked into this, but it feels limited to me. It's all or nothing. I can't have App1 only access Documents and App2 only access Pictures. Once I give any one app access to the "protected folders", it has access to all the protected folders.

You should check out Qubes OS. https://www.qubes-os.org/

All applications run inside a VM, and you set up different VMs for different tasks. The windows are all composited onto one seamless desktop environment, with the colour of the window decorations telling you which VM it's in. You can copy and paste between the VMs with a special keyboard shortcut, and you can manually copy files between them as well, but otherwise they have no access to each other.

If you open some ransomware in one VM, it can't touch (or read, or know of the existence of) any of the data in other VMs.

How is usability? It’s a very appealing model but it sounds confusing

It's great at what it does. Much more useful than I expected, feels more thought out than some commercial alternatives.

XEN Virtualization with their custom X-passthrough driver is super fast as well. No hardware acceleration of course, but it didn't feel choppy at all. As long as you have enough RAM (I'd say 16GB at least), it works pretty much like bare metal (even though there are several VMs running in background at all times for network, fw, usb, etc), way faster than Spice, VNC, RDP or Virtualbox (talking about UI not number crunching).

That's what I've been wondering too, especially now when more and more applications are starting to use hardware graphics acceleration.

I used it briefly but found interacting with weird USB devices (mainly Arduino and RTL-SDR) slightly too annoying.

Yes, it does not give you SELinux/seccomp level of granularity. But then again, there is a slight chance that users might actually understand what it's for and how to use it, unlike SELinux/seccomp.

In practice though, if you're a power user you probably won't run shady binaries, and if you do - nothing will protect you from them as your user is likely a member of administrative group / wheel and you use sudo/su/doas somewhat regularly. While if you're worried about protecting your employees/family members, just making sure they are not part of the same admin groups and enforcing basic Software Restriction Policy / AppLocker / SELinux / RBAC will be enough to protect against 99% threats out there.

I agree that SELinux is much too complex for "regular people".

However, the issue I see with this approach is that the default location for saving pretty much everything on Windows is the Documents folder. So I think most people would just blindly agree to give access to this folder.

Most malware comes from apps people wilfully install, so they would probably grant them access to the folders because they would want to use them.

The approach I like best is what MacOS does, where you have to approve access to a specific folder. The drawback of the MacOS implementation is that I cannot define specific folders I want protected (say .ssh).

I agree, at least an option to have more granularity would be a good thing. Maybe the upcoming changes to Android/iOS permission models will solve the problem of UI/UX and this will finally become fashionable.

However, there is also a question of properly enforcing granular per-process restrictions (without breaking backwards compatibility). It's not a trivial task, there are plenty of corner cases: race conditions, symlinks, alternate data streams, process hollowing... I don't expect any implementation to be foolproof in the first decade.

The first thing that happened when I enabled this, is that VMWare Workstation (a signed app that passes smartscreen stuff) was denied access to its data folder in the documents folder. No notification from Windows.

Not a good first impression, and I don't really want to learn the file access patterns of all the things I use.

Just quickly thinking of where there might be a lot of images/documents modified quickly: web browser cache, photo management software, antivirus software.

I think it'd be easier to isolate applications and data like Qubes OS instead of trying to create a universal rule set.


There's a fantastic free tool called RansomWhere by Objective-See that I use to monitor the rapid creation of encrypted files on my Mac. It notifies me from time to time during installation processes that something possibly malicious is going on.

Link: https://objective-see.com/products/ransomwhere.html

Is there anything like this for Windows, where most ransomware thrives?

This is why offline backups are important. Ransomware can't do anything with a drive that isn't running. Having an external hard drive that you need to physically plug and unplug once/twice/etc a week might sound inconvenient, but it solves your potential issue.

Are there any versions of malware that sit and wait for several months so that once you have it in your backups it sits and waits for you to save over your old backup and then starts its thing? Then if you restore from that backup you have the malware sitting waiting again to start.

How would that work? If it didn't encrypt your active storage, then the backups wouldn't be encrypted either, right? Or would it somehow interfere with the backups, making you think the backup's OK when it actually is just garbage and then encrypt your active drive when no more usable backups exist?

I guess that's one reason why if you don't try restoring from your backups it's as good as not having any...

Can that be worked around by having extra backups with only non executable files? Like txt, png, cpp (but without compiling and running)?

I have a vague memory of ransomware that waited for one to mount external disks yes, but not as advanced as the ones you mentioned


- External drive with a bootable backup (Carbon Copy Cloner)

- Network drive with automagical Time Machine backups

- Offsite versioned backups (for example Backblaze)

"Pride goes before destruction, and a haughty spirit before a fall", but I'd be surprised if I ever will lose a file like this.

The current macOS already has great ransomware protections in the form of per-app, per-directory file access permissions.

Don’t let apps access “files on external volumes” or “files on removable media” or whatever it calls it on the popup when an app first tries to access those.

Consider replicating your Synology to a cloud service. Ransomware isn't your only risk here, burglary or fire could also leave you without your backups.

Read only filesystem snapshots (that can be restored quickly) are the best way to prevent ransomware IMPO. The snapshots can't be over-written or modified and the user can restore them whenever they like.

You may want to consider archiving some of those backups to an external drive that is only hooked up to store new data maybe? Or maybe there's something you can do for the network drive

Append-only external disk, is there sth like that?

And one flips a hardware switch to start overwriting from the beginning, if disk full

I think a network based one in theory should be capable of doing so with the right OS / configuration, but not sure about a hardware based one


This is the acronym I saw on HN somewhere though, WORM.

Edit: Upon further research it's kind of annoying that this isn't more common for NAS / cloud storage solutions. I think some like Dropbox do keep revisions on the other hand.

Syncthing can save revisions, and is open source -- I remember now


Lots of config options

Just out of curiosity, can you clarify on "I need to access some of my backups on daily basis"?

Time Machine (I don't know if that is what they are talking about, but it's an example) is designed to be used daily as well as in case your laptop explodes. Opening Time Machine allows you to go back and see every version of a file as long as your backup drive was connected when you saved it.

So each NPM\YARN install will fail... We need an API that we can extend as much as we want...

> each NPM\YARN install will fail

No -- that only writes to sub dirs

Has anyone tested whether this can be detected with RansomWhere? https://objective-see.com/products/ransomwhere.html

It's a program that warns me whenever programs are locking files. In practice it's a minor annoyance when using brew or pip. Similarly, Oversight tells me when my camera and mic are being used. https://objective-see.com/products/oversight.html It's a minor annoyance whenever I have a video call and plug in a microphone. But it's "for my protection", and sometimes can be useful to know whether it's really my sound settings that are the problem, or that my headphones are unplugged. These two also seem more trustworthy than anti-virus for Mac, because they don't claim to keep me safe, just warn me when there's a problem.

Yes, RansomWhere detects it. The Objective-See folks did their own analysis of this ransomware: https://objective-see.com/blog/blog_0x59.html

I'd be very curious to audit the codebase for the tools you mentioned.

I'd be very curious to read your review!

Exactly this. Been wondering the same thing myself.

I don’t understand how people dare to run executables downloaded from a pirate site...

> I don’t understand how people dare to run executables downloaded from a pirate site...

Pirate sites have reputations the same as anybody. The more reputable ones actively remove spam and malware.

So it's kind of like saying, I don't understand how people dare to run executables downloaded through the internet. Depends a lot on where on the internet you downloaded it.

Very much this. Decades ago, when I couldn’t justify the cost of software, I generally knew what places I could trust, and what places might be more sketchy, and what places were guaranteed to infect my system. The cracking scene was very competitive, and any place that messed with the final binary would get blacklisted, making it very hard to get zero day releases from various groups.

I have no idea what the landscape looks like today, and I’d be reluctant to run anything outside a vm, since I no longer know where the reputable sources are, but I’m sure there are still private trackers and discord servers where you could trust every link.

There’s no such thing as a private Discord. It’s not end to end encrypted, and all Discord “servers” are actually just Discord hosting accounts (and hosted by Discord), so they can always read 100% of everything.

They happily ban users for sharing the wrong links, and have banned entire instances for discussing anticheating technology.

I'm on several private torrent sites and I still won't run software out of a VM. The problem is the users are trusted but unless they packaged the crack themselves they don't even know if there is malware bundled in. It's easy to verify that audio or a book is high quality but verifying software is next to impossible.

Software on private torrent sites comes straight from the scene, who treat their hobby pretty seriously.

Exactly. Scene groups are tight knit and very professional.

Unless you piss them off and become their target

If it's not a 0day tracker they usually unpack the scene files and repackage them so you don't have the split archive files. It wouldn't be hard to slip something in in this process.

One of the things I miss in Windows 10 I don't have on Ubuntu is 'Windows Sandbox'. It's great for testing software out. It loads pretty much instantly.

There are so many ways to escape Firejail, that no one should seriously rely (solely) on it for security. Please, just use proper virtualization for trying shady software/suspected malware.

If you are going that route you are better off with LXC or Docker. IIRC LXC is part of the 20.04 install.

Or use Vagrant if you want better security.


Is there such software for macOS?

I don’t think anyone has packaged this up, although the tools are there.

This is 100%. I'm not sure, however, that I even trust PDFs these days. Somewhat paranoid there are zero days on libgen, etc.

Sure, PDF is a bit hairy. But you also can choose to not use Acrobat Reader. If you use e.g. Preview (macOS) or Evince (Linux) then I would wager that it’s not exactly trivial to get remote code execution. (Most probably possible though, but it would probably take some work.)

Here's a tip: the safest way to open sketchy pdf is through PDF.js that's used in browsers as it relies on the same JS sandbox you use to browse net all day. Other than that - open documents in a VM (with reverting to the previous snapshot after viewing the file) or install Qubes where this is default behaviour.

> Somewhat paranoid there are zero days on libgen, etc.

Do you have an alternative to trusting them?

Which are the most reputable sites?

If you're looking for free software the best site I know of is debian.org, though if you use Windows or Mac you might want to check out firefox.com, libreoffice.org and gimp.org.

I downloaded the free version of Word from libreoffice.org and it's much harder to use than the paid CD-ROM from Best Buy, so I think that's only a nerfed trial of Word. Same with the Photoshop from gimp.org.

The unpaid WinZip still works great though.

Just use 7-zip instead: https://www.7-zip.org/

Free, open-source, and much faster.

I realized there was a free WinZip just after I bought my WinRar license

Winrar’s UI is quite a bit better though, isn’t it?

I dunno, I think they just took word 98 and changed the name, I mean it looks the same. It doesn't even have a ribbon. How am I supposed to find the icons I use to do things without it? There's some menus but they're full of text and kinda scary to be honest.

It only takes a few minutes of use and comparison to understand that today's LibreOffice doesn't even come close to touching the level of polish and user-friendliness of Word 98 (Mac) or Word 97 (Windows).

I'm guessing this whole section of the thread went over a few people's heads....hn always does have a bit of a problem detecting ironic sarcasm...

I wasn't being sarcastic. I still use Word 97 for writing, because in Word 97, it always takes me two keystrokes to save a new document (Ctrl+S, Enter), while in LibreOffice it is an exercise in frustration, because every new document is titled Untitled 1, and that causes a problem when I've already saved Untitled 1.

This is just one example of a basic feature, used on a regular basis, which has obviously been tested thoroughly by the Office 97 developers, but has seemingly barely received any attention from LibreOffice.

I use a very basic laptop, and through the wonders of virtualization have a Windows ME VM with Office 97 on it, and it runs just as fast as LibreOffice does natively, if not faster. In a VM, being used for an hour or two at a time, Win ME has no stability issues.

Win ME came with IE 5.5, and I eventually upgraded it to 6.0. Because I built my site to be compatible with both, I can easily copy and paste what I wrote into my blog. Office 97 and IE 6.0 support Unicode well enough that I can do all this in two different character sets.

I rarely print anything, and I'd probably still use LibreOffice for that. But if I really wanted to, I could probably figure out how to print, too.

The Win 9x series is remembered for being unstable and crashy, but I think it's also a marvel of engineering and UI design. And when you take away malware, random utilities, registry decay, hardware malfunctions, and so on, it's a comfortable, almost typewriter-like experience.

Whoops my bad. I was reading all the other comments here in response to this and I responded to yours. I can't disagree. Older versions of word were a lot more stable than newer versions.

About the Ctrl-s thing, maybe it's specific to windows, I use libre office on linux and have for years and Ctrl-s on a new document has always brought up the save-as dialog for me.

Either way, I'd rather use an older version of word or libreoffice over new versions of office.

I grew up using older windows, I don't really remember it being overly good or bad, it just kind of was. I remember lots of crashes, but used to do a lot of things I probably shouldn't have been and I do remember it working for everything I tried to do so I don't really have any complaints really. I don't really have any fond nostalgia either though to be honest.

I stopped using windows entirely outside work over a decade ago so none of it really matters all that much to me.

>About the Ctrl-s thing, maybe it's specific to windows, I use libre office on linux and have for years and Ctrl-s on a new document has always brought up the save-as dialog for me.

I'm using LibreOffice on Fedora, and I've used it on Mac and Windows too.

Yes, it brings up the Save As dialog, but the name is not pre-filled with an intelligent choice.

In Office 97, it typically pre-fills the suggested file name with the first line of the file. If that's not available, it tries to think of something else.

But never does it ever suggest a file name that is either invalid or would overwrite an existing file.

It ensures that the suggested filename is not too long, and doesn't contain unacceptable characters.

If there's already a file with the first name it thinks of, it appends a number, so that you don't accidentally overwrite an existing file.

In case you don't care about the filename, and just want to save the document, you are never forced to change the default, and it always works.

Many of my files begin with "I'm ..." and sometimes the best that Word 97 can come up with is "I7.doc".

Well, that "I7.doc" is a whole lot better than LibreOffice's "Untitled 1", which will overwrite the last "Untitled 1" it already had me save.

After how many years of development is LibreOffice still not smart enough to do any of these things?

Surely, LibreOffice today has been in development longer and by more people than Office 97 had been in '97?

What is the cause of this unfortunate circumstance?

>Yes, it brings up the Save As dialog, but the name is not pre-filled with an intelligent choice.

No, but it's usually helpfully preselected so a single keystroke, changes the name.

>Many of my files begin with "I'm ..." and sometimes the best that Word 97 can come up with is "I7.doc".

>Well, that "I7.doc" is a whole lot better than LibreOffice's "Untitled 1", which will overwrite the last "Untitled 1" it already had me save.

Personally, I dislike that feature of word because typically I do not want my files saved by the first thing i've written and yes I care about file names and take the time to name things sensibly and even put them in related folders.

Also, it should automatically detect an untitled1 and enumerate to untitled2 if untitled1 exists, again this is how it's always worked for me. So your file overwriting example seems a tad dubious to me.

I have to be honest, of all the gripes i've heard, this one's just a bit ridiculous. The save feature works exactly as it should. A program should allow me to choose a name for a file or choose a reasonable generic default, not decide what it thinks I want.

If I see an untitled1.doc around, I know I forgot to rename a file and I investigate, if I see I7.doc or a my name is.doc, I dunno what the hell it is. Maybe it's something I forgot to rename, maybe it's something I wrote before and forgot about, who knows?

>Personally, I dislike that feature of word because typically I do not want my files saved by the first thing i've written and yes I care about file names and take the time to name things sensibly and even put them in related folders.

Then you can rename it?

>Also, it should automatically detect an untitled1 and enumerate to untitled2 if untitled1 exists, again this is how it's always worked for me. So your file overwriting example seems a tad dubious to me.

But it doesn't! That's what my complaint is about! Do you think I'm just making it up?

>I have to be honest, of all the gripes i've heard, this one's just a bit ridiculous. The save feature works exactly as it should. A program should allow me to choose a name for a file or choose a reasonable generic default, not decide what it thinks I want.

To me, this reads as, "I read your text, but I don't think your problem is real, because I think it should work differently."

I think you should do a deep examination into how you relate and communicate with people, because you spent this whole thread invalidating what I'm saying and telling me the problems I'm describing in detail are not real problems.

You've given me the impression of being an insensitive and careless person.

And yet I've seen more than one thread comment say the humanities and media literacy are "not worth teaching"

yeah but their spreadsheet blows the pants off of whatever garbage macOS tries to pass off as an Excel replacement.

the libreoffice spreadsheet is very good. i think it's psychic sometimes, knowing what i want to do.

macOS, being an operating system, does not have a spreadsheet. If you are looking for a spreadsheet on macOS, Microsoft Office is available and provides Excel.

To be fair, Numbers/Pages/Keynote, as well as Garageband and iMovie are not a part of macOS. Yes, they come preinstalled with a new Mac, but if you do a clean installation, they will be missing. You will have to reinstall them from App Store.

And sadly, both Word 98 and Word 2019 (any platform) are still far behind Word 5.1 (Mac; 1992).

The tabbed ribbons are called Notebookbar in LibreOffice.

Notebookbar?? Now that's a silly name isn't it? Not at all catchy like 'ribbon'. Ribbon just rolls off your tongue. Just how am I supposed to explain to grandma what a notebookbar is??

I mean just look at these instructions


I can't make heads or tails of this...first I gotta switch layouts?? Then I gotta go to view and turn notebook bar mode on? Then i've gotta choose between tabbed, contextual groups or contextual single bar...nope no siree this is why piracy's just not for me.

These knockoffs are always so complicated, why can't they be simple like the official certified word? And shiny and jazzy lookin'? I know ya get what ya pay for, but how hard would it be to slap some bezels and rounded edges on there? Maybe some 3d transitions?

Well it's open source, so if there are features you want you could contribute to the project.

And being open source, the project won't have the same luxuries in terms of user-testing and iterative improvement of things as trivial as a 'shiny' UI. Again, if you have the time, you could help them out.

Apparently my comments were just too believable....yes siree. Guess I shoulda known better.

Heh dammit. Dragged under by a troll.

Ah well: play stupid games, win stupid prizes.

It's because they distribute the versions that work offline instead of uploading all your personal information to the vendors. The free software distributors are very privacy conscious.

How does being offline have absolutely anything to do with their terrible UI?

I know we're having a laugh directing the would-be pirates to where they can get "free software" from, but you already know the answer to your question, right?

Online proprietary software sells you to advertisers for money, or locks you into an ecosystem so they can sell you to other third parties, and they use some of that money to fund development.

With free software you either have to improve it yourself (the source code is on the internet) or give them money so they can hire someone to do it (they all have donation links). If you're dissatisfied with the user interface, have you tried doing the things that cause it to be improved?

If you're unhappy that people don't like free software, have you tried donating more money and contributing more to those projects so that they'll improve and people will like them more?

Yes. The overall result was for the software to improve to such an extent that it now overwhelmingly dominates the markets for servers, embedded devices and utility programs (e.g. zip, encryption, file transfer) and is the basis for the most commonly used smartphone operating system and browser. It has also caused alternatives to Office and Photoshop, while not perfect, to exist.

Rome wasn't built in a day, as they say.

Again, this has nothing to do with software being always online or not.

Great looking software existed long before the rise of everything being always online.

> Again, this has nothing to do with software being always online or not.

Only if by "nothing to do with" you ignore that it is the method by which development is funded.

> Great looking software existed long before the rise of everything being always online.

At which time you had to pay a lot of money for it. If everybody gave the same money to free software developers, they'd have plenty of resources to build interfaces that are more to your satisfaction.

Your entire premise is flawed imo.

>If everybody gave the same money to free software developers, they'd have plenty of resources to build interfaces that are more to your satisfaction.

You're just arguing to pay for software, but in a more roundabout way. And again, great looking software existed far before the popularity rise in always-online.

then why do i have to “download” my document in libreoffice if i want to keep it?

Wouldn't getfedora.org be a better address than Debian as they don't include any proprietary software in their default repositories?

The main issue being discussed here has to do with proprietary software...

I took the "free software" to mean free as in freedom and not free as in beer. I think this is what the parent meant by mentioning various FOSS projects.

This list is a pretty good place to start. https://github.com/Igglybuff/awesome-piracy

There’s an awesome list for everything these days…

I recommend the Github link that 100 gave, and also the various related subreddits.

You're unlikely to get a direct answer because... Well you don't talk about fight club. But if you watch the subreddits a bit you'll get a much better idea of where to start, how to get invites to private trackers, etc.

Reputable piracy site, the irony, so now we also have digital pirates, buccaneers, and corsairs.

Not much of an irony as far as I can see. There are a lot of people out there who are willing to break some rules but not others and that applies to piracy sites as well. Some years ago some of the websites were really active on this and crappy torrents used to be downvoted to oblivion.


I don't remember when PirateBay or other Warez sites first appeared, but they have been around for at least 20 years. I remember people were even using Blogspot to promote their wares/z with links to RG, FS, DF, etc.

I know and trust(?) the results of Virustotal, and I tell all my clients that when in doubt, drop that bad (?) boy in VT and let it scan it.

Sorry if this seems tangential and anecdotal, it's just an interesting part of home computing history and I lived through a bit of it growing up in the 80s and 90s.

Way back when, we had usenet, telnet and gopher, and local BBS's would sometimes have a private stash of cough shareware.

Prior to usenet etc being easily accessible to people outside of educational institutions (the majority of the 80s), it was more common to share programs via "sneakernet" on floppy disk as well, these would often contain a text document that would say what other programs were available and some clues on how to obtain them, but usually it was just a viral spread among friends and acquaintances.

Cracked software would often include intro screens and trainers, the intros sometimes included animations and catchy music to showcase the elite skills of the cracking crew and build reputation, and often they improved the software so it would load more quickly, unlock hidden functionality, or give you infinite lives etc. This spawned the DemoScene, which still exists today unrelated to piracy but historically rooted in the 80s cracking scene.

Here's a compilation of crack intros from 86 to 89 - https://www.youtube.com/watch?v=SFqBkSJOYOQ (skip to 11:40 and you'll see an advert for "cleveland cracking service" with a phone number for an example of how stuff got around before internet was common)

Essentially even back in the 80s and 90s there were the serious crews trying to demonstrate their awesomeness and generate rep, and dumb kids like me naively sharing "free stuff" we were given on disks because we had no idea what things like copyright and licensing even were, let alone stopping to consider whether the stuff we were loading onto our machines had any malicious intentions.

So I'd say that the idea of building reputation and trust in regards to piracy "crews" has a long history going back even further than 20 years, well before the web was common in homes, and I'm at least aware of early to mid 80s cracktro / intro scene materials so perhaps ~35-40 years is a good guess?

> I tell all my clients that when in doubt, drop that bad (?) boy in VT and let it scan it.

Who are your clients? Are you aware that everything that's uploaded to VT becomes public? As in full file contents, not just metadata & scan results. There's no harm in uploading .exe's there, but you should at least warn them not to upload private documents.

Also, VT results are trash for anything new so "all green" doesn't necessarily mean you're safe to run stuff if it also happens to be the first time VT has seen the file. It's not even the VT's fault, AV's suck and everybody knows it. The value of VT is that once something gets detected people can go back in time and look for other incidents that had flown under the radar previously.

Thank you for writing this (for all to see). I suggest this for "funky" files, for files of unknown/uncertain origin. Not every company has a strong IT/Sec team, with dedicated process and awareness training so that staff can forward funky emails to someone. Also, many companies rely on little or no spam filtering (if Gmail catches it, well done.. if not.. brace for impact!)

Yes they have, and I never trusted any of them.

Not running pirate software is the only valid path for security.

Sometimes I trust pirated software more than the original thing I was trying to install ;)

Depends, after all pirate software >= original contents.

> The more reputable ones actively remove spam and malware...

...that aren't their own.

You've never been a part of a trusted community before?

rutracker isn't some fly-by-night random tracker, it's a well established site in Russia, and the admins have been extremely communicative with users throughout virtually every governmental upset.

To add some context, try to imagine if the classic western trackers had prominent links like this, for example, what.cd.

Looking at the thread, the early posts correctly identified it as malware before the malwarebytes report, and even noted that the link itself violated the application post rules.

It's good for malwarebytes to report that this exists, but they're focusing on the wrong parts, imho.

The hash files to identify the affected file should have been the first part, then the explanation. A bit of google translate would have shown that already, rutracker users are calling to delete the thread.

> but they're focusing on the wrong parts, imho

AV/anti-"malware" has always meant "pro-corporations/pro-copyright/pro-establishment", ever since they started detecting completely clean keygens and cracks as well as "hacking tools" and demoscene productions.

There is sometimes truth, like this article, but there is also a lot of FUD --- IMHO to herd users into giving up personal discretion and instead adopting centralised trust.

> they started detecting completely clean keygens and cracks as well as "hacking tools" and demoscene productions.

AFAIK this is usually a side effect of self-unpacking compressed executables, as produced by EXE packers. They have a property that's been useful to malware authors: they obfuscate the code. To de-obfuscate, you have to unpack, which some anti-virus vendors actually do for executables produced by common compression tools like UPX. For certain types of demoscene productions, however, a popular tool like UPX won't do if you can shave another few bytes using a more obscure packer that AV software are unlikely to have unpackers for. Once malware authors start using those same packers you'll get false positives based on signatures that are likely common to all software using them.

No, because they're flagged as "hacking tools" explicitly - they're not being misidentified.

How do AV software identify these "signatures"? Does it look for known strings, or does it do something smarter with some sort of behavior matching?

Usually both. They check known malware signatures and also look for suspicious behavior.

> what.cd

Little angel gone too soon.

Red is pretty good.

The best thing about redacted (and what, and oink before it) for me really is access to people with amazing musical taste. Most music these days is accessible for free in one way or another, but the curation in some of the collages is truly priceless.

Rutracker, or torrents.ru, has been full of malware-infected trash for the last 15 years. It's anything but a trusted community

>I don’t understand how people dare to run executables downloaded from a pirate site...

But do you understand people who dare to run executables from 'proper-company' site? It's closed source, you have no idea what you are running, isn't it? As long as it's not free software in terms of FSF there is no guarantee whatsoever that it's not harmful or even worse intentionally harmful.

How about this one from SONY, that didn't even ask user to run? https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk...

or this one Amazon remotely deletes book from kindle: https://www.nytimes.com/2009/07/18/technology/companies/18am...

With companies, there's an incentive structure that usually makes it pretty obvious whether they have an interest to do really shady stuff on your PC. For "proper" companies that have established customer bases and a legit revenue model, they have an incentive to not screw everyone over and lose their trust. That's just good management. Of course, management often screws this up and then we get (justifiably) outraged HN posts.

For pirated software the incentive structures are also clear, and usually point towards "yeah if given the chance they'll take everything from my HDD and make a run for it."

I'm all for FOSS everything, but running company-distributed binaries is very different from pirated ones, and I agree with GP that it baffles me someone would do the latter.

>For "proper" companies that have established customer bases and a legit revenue model, they have an incentive to not screw everyone over and lose their trust.

It also depends on what the company means by "not screw everyone over". Right now many companies consider practices as 'OK' while I am coming from the times when most of those modern activities were considered to be viruses or malware. So for me it doesn't really matter whether you have malware installed by a virus or it's hidden deeply in a EULA which you can't reject partially anyway.

Oh I'm not trying to defend these practices in the least. But at least there is some mechanism (public outrage) there to make them think about it. That these mechanisms seem to fail and we need proper regulation is a different matter. Also in a lot of cases it's not really clear which tangible monetary benefit companies get from spying on their customers. Many cases seem to be managerial paranoia (Just in case the customers pirate!) or "because we can."

Pirating and re-packaging software for torrent is also a non-negligible amount of work, and with no revenue stream besides bundling the apps with malware. So it's quite a different incentive structure still.

> But do you understand people who dare to run executables from 'proper-company' site? It's closed source, you have no idea what you are running, isn't it? As long as it's not free software in terms of FSF there is no guarantee whatsoever that it's not harmful or even worse intentionally harmful.

You'll have to trust somebody at some point.

Do you trust the company who designed your Ethernet chip? Do you trust the person who wrote the firmware for it? If not, go and design your own network chip. Otherwise, there's no guarantee it won't spy on you.

You'll also want to write your own compiler that you'll then use to build the operating system you intend to run. You won't just go download some Linux .iso to install, would you? After all, there's no guarantee it's not been manipulated by those who offer it on their website.

>You'll have to trust somebody at some point.

No, I do not have to. I can choose to, but I don't have to! That is the core of the issue. If I 'have to' then I don't. I prefer checking and facts, not delusions.

>Do you trust the company who designed your Ethernet chip?

No, I don't and we shouldn't. I evaluate chances and we should track network activity with diff. hardware on diff. chipsets from diff. manufacturers.

>Do you trust the person who wrote the firmware for it?

No, I don't and we shouldn't as it's insane to do so.

>If not, go and design your own network chip.

There are other means to overcome this: encryption. But yes, you're right, we should make an open source network chip. Agree. I certainly plan to design it.

>Otherwise, there's no guarantee it won't spy on you.

That is correct, I agree with you.

>You'll also want to write your own compiler.

Yes, that is correct. I want and I am writing it right now. There is also an option of GNU c/c++ compiler available (GCC) https://gcc.gnu.org

>that you'll then use to build the operating system you intend to run.

This is how you build a proper GNU/Linux system worth some degree of your trust.

>You won't just go download some Linux .iso to install, would you? After all, there's no guarantee it's not been manipulated by those who offer it on their website.

Exactly. Or it can be modified on the way, while you download it. For the latter you can check hash sums published by a site who respects user freedom and cares about own reputation.

>You'll have to trust somebody at some point.

Again I do not have to, but I can choose to trust with some degree to Richard Stallman and people sharing his views. https://www.youtube.com/watch?v=n9YDz-Iwgyw

I have some trouble trusting FSF since he was removed from the position due to false accusations for saying (!) just saying things, which he actually didn't say if you read carefully. Speak about respect of freedom of speech.


To trust the system we should have trustworthy components with open sourced designs starting from CPU and every chip installed and ending with each software running. That is the only way!

There's no guarantees what you're getting even if it's open source, unless you read and understand the source code :)

The set of computer users who a) have the knowledge to do security code review and b) have the time to review the programs they run is, I would expect, fairly small.

> There's no guarantees what you're getting even if it's open source, unless you read and understand the source code :)

Obligatory reference to Reflections on trusting trust [1]

[1] https://dl.acm.org/doi/10.1145/358198.358210

>The set of computer users who a) have the knowledge to do security code review and b) have the time to review the programs they run is, I would expect, fairly small.

Even a small number of those who understand can make a huge noise, because if a comment is well grounded, it spreads exponentially by people who do not need to understand all the details.

And frankly how many of those who understand do you really need for each project? The thing is, if you are worried you can always look, which is not the case if you have nowhere to look.

Also an expert is not always required just to see there is no brutal obvious harm intent, which covers a lot of cases.

There are a number of cases, even with just bugs, which won't be deliberately hidden (unlike malicious software) where critical security issues have gone unnoticed in major open source software packages for years (e.g. shellshock).

Then you have the fact that if it's deliberately malicious things can be hidden such that even experienced code reviewers (who are not plentiful) could be fooled. A good example of this is the underhanded C contest http://www.underhanded-c.org/_page_id_2.html .

Sure an open source user may catch malicious behaviour, but then security researchers find malicious behaviour in closed source software pretty regularly via reverse engineering or binary analysis.

This isn't an anti-open source thing, it's a reflection that open source often isn't much of a signal of safety, unless further work has been done and continues to be done on a regular basis.

Still a reputation to lose, generally speaking.

I have also never seen anybody who made this argument verify their free software by looking at sources before compiling.

Exactly. Even if I would use only 100% FOSS software, I would not have the time to read all the source code of the whole stack, from the device drivers to the kernel and up to the source code of the web browser, etc etc.

and neither of those are ransomware. do you understand the difference?

>do you understand the difference?

Let's take a File System for a second as example. If you wrote your personal data on some disk drive and then to read this drive you need let's say Mac/Win because it's a closed format. And Mac/Win cost money. How it differs from ransomware then? Sure you have more time to decide, usually more than 3 days and it costs a bit less, but is it much of a difference there? Probably a choice to start using it, but is it really a choice? In many cases it's not really. So back to your point, I understand it, but do you?

It's how kids get into multimedia content creation using real tools without paying real money

It's how I did. Now I'm a professional frontend developer with adequate Adobe skills and a license paid for by the company that frequently come in handy on the job.

> license paid for by the company that frequently come in handy on the job.

...and now you know why Adobe products are so easy to pirate. Young pirates turn into loyal product users and customers.

Didn't this also use to be the case with MS Windows and MS Office? I always thought they were so easy to crack, and Microsoft was so prone to turn a blind eye to pirate copies at home, because this led to employees familiar with their products at the office. And they did go after pirated software at the office.

It's almost as if pirating software for home users doesn't have the negative impact the big corporations would make you believe.

Microsoft gives everything for free to students, except office.

Check with your university. This shall include hundreds of software, all editions of Windows both 32 bits and 64bits, as well as all editions of Visual Studio Ultimate, plus databases and other tools.

Yes, in later years, through my university this turned out to be the case. But it wasn't the case at first in my country.

They were easy to pirate up until CS6, nothing more than a keygen (or pregenerated key) and a couple blocks in /etc/hosts.

After that they really cracked down on piracy, and at the same time offer the CC subscription decently cheap (50$ a month) that honestly the risk of malware isn't worth it any more.

So one can pay $700 a year to Adobe or pay 1-2 month of student rent for that year. I'd say Adobe is pushing hard for piracy trying to get blood from a stone (students).

$50/month is the full price for the most complete bundle. Adobe has a student price at a lower rate that I can't be bothered to look up just as you couldn't be bothered to look up before making your comment.

And even the 50$ - that's about the price of getting wasted once a month which most students can afford. The key difference between CS and CC is that you don't have to up-front hundreds/thousands of dollars.

More like they eventually join mid-size plus companies which Adobe tracks down to make them pay for their photoshop (if they detect it on a company network they will reach out). Or they simply just pay for it because they can and/or are professional/law abiding people.

Adobe doesn't spend copyright enforcement time on individuals much.

Me too. I distinctly remember the warez group editing the startup image of PS 6, which had the code name Venus in Furs. Apparently that was 20 years ago!

Anyhow, I know that much of my early software license transgressions resulted in actual software licenses.

This is a hidden downside of having proprietary de facto monopolies in tech. As long as the Adobe suite is the default in digital content creation, piracy is the default gateway to that profession. I don't care about Adobe's loss, as they pretty much encourage the status quo, I do however care about all the people risking their digital life's integrity for this. Since it's "this is how you do it", many non-tech people are not even aware of the potential fallout. It's the same for even more problematic scenarios, e.g. students using cracked Matlab, SPSS, ... executables to crunch real study data at home.

Yes, digital responsibility is ignored by those using cracked software, but really you can't ignore factual constraints and the economic situation, when talking about who's to blame.

The grandparents used alt.binary.* to get software

Ouch... a little too close to the truth here.

That’s still going strong actually and a really convenient way to download things.

It was really true back in the day, not so now. You can get e.g. Davinci Resolve for free and it is as real of a tool as it gets.

Beats paying for the software they can't afford, and it causes no issue 99% of the time...

It's a cost/benefit analysis... Billions of people in the developing world rely on pirated software, for one...

Heck, even in large parts of Europe, at some point there would be much fewer graphic designers today e.g. if they couldn't pirate Photoshop when they were young and non-pro (and no, Gimp wouldn't be of much use, they want to learn on the industry standard)...

> Billions of people in the developing world rely on pirated software, for one...

And it shows in their systems. I know a few people with extensive travel experience in Africa and most of them, despite being decidedly non-technical, came back with essentially the same story: "if you absolutely have to bring a laptop, don't ever connect it to something that has a data line"

I agree Creative Suite is way too expensive (at one point it was 3000 euros!)

But for students Adobe was basically giving it away :) I remember getting a CD for 15 guilders at the time at the university. Which was around 5 euros.

Back in the days when I couldn't afford proprietary software and didn't use Linux yet, I often downloaded torrents even for free software because the download was 20 times faster and you didn't have to fill out web forms and give away one of your throw-away email addresses to get the content. The crackers also often fixed bugs the developers refused to fix and removed annoying nag screens.

To be honest, when I had to upgrade my Windows machine last year, I really regretted the fact that I've gone fully legit with VST plugins. It took me more than a week to deregister and reregister all the horrible proprietary DRM schemes those companies are using. That would have taken less than a day if I had used cracked versions.

VST are particularly nasty for a reason though, because when they have a signature sound widespread usage by freeloaders will actively ruin that sound for those who paid. Exclusivity is a feature, the inverse of network effect.

Is there something like a "steam for VST"? Maybe it should exist, to ease the DRM pain for legitimate customers.

>VST are particularly nasty for a reason though, because when they have a signature sound widespread usage by freeloaders will actively ruin that sound for those who paid.

Nobody really cares if you use the same presets. There were countless top-10 hits with the same handful of DX7, M1, JV-1080, etc presets.

Nowadays, there are so many VSTs and they have so many presets, that nobody can keep track anyway, even if you do use their presets.

And of course you can always program your own patches on most VSTs, alter presets with layers of effects, etc...

That's definitely something studios all over the world would greatly benefit from. Right now, they're just trying to never ever change the machine that runs those plugins unless they absolutely must.

Although there are a few larger DRM "alliances", for some reason manufacturers have not yet been able to agree on a common DRM and package management system. Currently every larger company and a number of smaller ones want to push their own plugin management system.

VSTs are a mess anyway, there are only few hosts who are able to scan all of them correctly without crashing (and these do it by separating the process that crashes from the rest of the host).

Kind of! Check out Splice[0]

[0] https://splice.com/

I doubt 99% of casual listeners would recognize a VST in a song they like or even know what a VST is. I can kinda see where you're coming from, but I wouldn't go as far as to say the sound gets ruined (or even devalued) for those who paid, just because more users use a certain effect.

I don't pirate much any more, but in high school and college I was very much a digital hoarder. I ran plenty of pirated software and from what I remember never had any problems whatsoever with malicious software (that I was aware of). Of course you need to know what you're doing, same as downloading software from anywhere else.

> Of course you need to know what you're doing

No one knows what they are doing. Unless you are decompiling and reverse engineering the whole thing you are mostly just blindly trusting it's safe. Even on trusted sites people share stuff from other sites not knowing it's infected.

There's something to be said for the sites that only shared scene releases from groups with a reputation to protect. Maybe in the future, trusted groups can cryptographically sign their releases to avoid tampering and minimize the amount of trust necessary.

They have been for decades! Most scene releases that are packed will include an SFV file that contains the checksums of each of the package files so that you can check the file integrity.

Obviously those can be repacked and faked so you'd have to check multiple sources to ensure you get a genuine release, but yeah the scene groups are as usual way ahead of everyone else.

I meant signatures, not checksums. A signature chain would avoid the repackaging problem if the signer's public key was distributed out-of-band. Groups and distributors alike could add their own signatures to create multiple possible trust boundaries.

I think the scene groups are a traditional bunch that in some respects are years behind because of it. I remember in maybe 2005 I'd still download releases that were split into floppy sized RAR files. Possibly, this tradition carried on for so long because the scene was so keen to shame groups that didn't package like everyone else. I don't know how it is now but I'm hoping they got over splitting releases.
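The checksum-versus-signature point raised in the comments above, as an added example that is not part of the thread: an SFV check catches accidental corruption, but a repacked release with a regenerated SFV still passes, while a comparison against a value obtained out of band does not. The file names and contents are constructed, `release_digest` is a hypothetical helper, and a pinned SHA-256 digest stands in for the signature check because the Python standard library has no asymmetric signatures.

```python
"""SFV (CRC32) verification vs. a digest pinned out of band. All data is constructed."""
import hashlib
import hmac
import zlib

HEX_DIGITS = set("0123456789abcdefABCDEF")


def crc32_hex(data: bytes) -> str:
    """CRC32 in the 8-hex-digit form SFV files use."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08X}"


def make_sfv(files: dict[str, bytes]) -> str:
    """Build an SFV listing: one 'filename CRC32' line per file."""
    lines = ["; constructed SFV for this example"]
    lines += [f"{name} {crc32_hex(data)}" for name, data in sorted(files.items())]
    return "\n".join(lines) + "\n"


def parse_sfv(text: str) -> dict[str, str]:
    """Parse SFV text; ';' lines are comments, filenames may contain spaces."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        name, _, crc = line.rpartition(" ")
        if not name or len(crc) != 8 or not set(crc) <= HEX_DIGITS:
            raise ValueError(f"malformed SFV line: {raw!r}")
        entries[name.strip()] = crc.upper()
    return entries


def verify_sfv(sfv_text: str, files: dict[str, bytes]) -> dict[str, list[str]]:
    """Check files against the SFV that ships inside the same bundle.

    'failed' lists missing or mismatching files; 'unlisted' lists files the
    SFV does not mention, which this check never examines at all.
    """
    listed = parse_sfv(sfv_text)
    failed = sorted(
        name for name, crc in listed.items()
        if name not in files or crc32_hex(files[name]) != crc
    )
    return {"failed": failed, "unlisted": sorted(set(files) - set(listed))}


def release_digest(files: dict[str, bytes]) -> str:
    """SHA-256 over a canonical (name, per-file SHA-256) listing of the release."""
    h = hashlib.sha256()
    for name in sorted(files):
        h.update(name.encode() + b"\0" + hashlib.sha256(files[name]).digest())
    return h.hexdigest()


def verify_pinned(files: dict[str, bytes], pinned_digest: str) -> bool:
    """Compare the release against a digest obtained outside the bundle."""
    return hmac.compare_digest(release_digest(files), pinned_digest)


def demo() -> dict:
    original = {
        "release.r00": b"constructed archive part 0",
        "release.r01": b"constructed archive part 1",
        "release.nfo": b"constructed release notes",
    }
    sfv = make_sfv(original)
    # Assumption: this value reaches the user through a separate trusted channel.
    pinned = release_digest(original)

    # Case 1: accidental corruption; the bundled SFV is unchanged.
    corrupted = dict(original)
    corrupted["release.r01"] = b"constructed archive part X"
    # Case 2: a repack alters one part and regenerates the SFV to match.
    repacked = dict(original)
    repacked["release.r00"] = b"constructed archive part 0 (altered)"
    repacked_sfv = make_sfv(repacked)

    return {
        "original_sfv_failed": verify_sfv(sfv, original)["failed"],
        "corrupt_sfv_failed": verify_sfv(sfv, corrupted)["failed"],
        "repack_sfv_failed": verify_sfv(repacked_sfv, repacked)["failed"],
        "original_pinned_ok": verify_pinned(original, pinned),
        "repack_pinned_ok": verify_pinned(repacked, pinned),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The repacked bundle passes its own SFV because the checksum and the data share one trust boundary; only the value held outside the bundle disagrees.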

My guess is that the OP means knowing where you download from. In a way it's like the fabled "web of trust". Reputable warez groups didn't distribute software with viruses.

Like the OP, back in the day I used to have plenty of pirated software (mostly games) and never had a problem with viruses (at least, not that I knew or had any noticeable effects). The threat complexity is probably way worse these days and I wouldn't risk it. Plus, of course, I support games by paying for them :)

I mean, the RuTracker thread identified it as malicious long before this report ever came out. A few people running sandbox tools, firewalls and host based IDS tools will catch pretty much all malware quickly based on behavior alone.

I used to swear by Outpost Firewall as it was able to do things like detect applications adding to startup, injecting into other processes, gaining raw disk access, reading your browser profile for passwords, communicating with any unexpected hosts, etc. This is enough to rapidly identify most malware packaged with pirated software immediately. This isn't some advanced targeted attack, it's a script kiddie packing ransomware, password dumpers like iStealer, RATs like DarkComet, etc. The kind of thing these tools are designed to detect.

I skimmed the blog post. It seems disingenuous to not say the original thread already had people saying it is [shitty] malware.

I’m on my phone so can’t search better, but couldn’t find it at rutracker from a quick search. Not sure if it will be available via some archive.

It’s important to realize that’s true also when you’ve paid for the software and got it directly from the source:

Sony has a root kit included, Zoom had a web server that could be exploited (at least) to turn on your camera.

That’s just off the top of my head.

It's also true most of the time when using open source software.

“Most” Depends if you weight by installs, sources, or packages.

I don’t remember malware on Debian, Ubuntu, Fedora or Arch’s repository (put there by maintainers like the examples I gave above, or by a hack). And definitely not Gentoo.

But you are right. The bottom line is, you shouldn’t trust that which you cannot verify; but with open source, you have much more ability to verify (but it’s not a panacea - you run too many lines of code to verify yourself, it’s not clear anyone trustworthy verified it all, and there's also the “reflections on trusting trust” argument)

Sure. All I meant is you cannot just download and install anything and everything without using your judgement.

My judgement says not to execute programs I can't read the source to or hold the publisher legally accountable for.

But you don’t read the source to most things, no? Nor do most people.

Isn’t that why things like heartbleed took two years before being found out? I presume some people using the vulnerable OpenSSL versions felt similar to you.

Being open source does not ensure software is bug free but it's highly, highly likely to not be malicious. Usually malware authors don't actually write software, they tack it on to other people's software or write stuff that doesn't do anything useful at all. Not once have I ever heard of malware making its way into the debian repos.

The worst I have seen is xscreensaver embedding a message in the code to complain about the old version a year after release.

How old are you? Malware is much worse nowadays thanks to Bitcoin monetization and more networked sensitive data.

The world has changed pretty substantially from my teenage days when I'd happily run pirated software. Back in the day viruses and malware would either screw with your computer in amusing and reversible ways (so long as you had a good backup), or spam you with popup ads. Maybe they'd relay spam mail for a while until you noticed your internet connection was useless and run a virus scan.

The damage malware can do now is so much deeper - encrypting all your files, which then gets synchronised out through the tool you were using for backups automatically, before holding them to ransom. Then it turns your light bulbs into DDoS nodes to spread that to people across the internet, and probably you won't notice because you're on a fast enough connection for that to fly under the radar.

I don't know when you went through your youthful piracy phase, but I know that when I did, malware was still mostly a shits'n'giggles affair. Worst case you'd get nudged a little closer to that long overdue clean slate reinstall. That landscape has changed dramatically, it's an industry now.

I'd trust the average pirate to not crap all over my computer a lot more than I'd trust the average corporate software release nowadays. The former actually has to care about their reputation...

Depends on the site, some repacks are probably nicer than the average DRM dump from ubisoft.

Similarly, a cracked version of Photoshop probably installs less junk than a legal version of Photoshop.

It's a wonder it isn't spreading through open source packages.

There is a de-drm tool that I used to use which packages some other open source. For whatever reason, I always assume people who package up software are careful about what they're packaging up, but no, as it turned out this project is not careful at all. It shouldn't have been surprising but it was.

(I ended up writing my own tool. I de-drm on principle; I don't mind buying stuff, I am deeply offended when that stuff vanishes out from under me because of deliberate obsolescence and/or shutdown. Buying DRM-free is not always an option.)

Do you have a solution for ebook dedrm? I've been struggling to automate my flow recently!

edit: fix the autocorrect

Apprentice Elf. Though it appears to be broken on Catalina. I will need to have a look at it, I think, when I get a chance.

We simply need better sandboxing, and on by default. In a way it’s also usable for normal people.

Mac has the sandbox runner, with a configuration file. However it’s deprecated, and difficult to create.

Also, not even Facebook signs all their apps.

It’s funny, bc everybody is kicking and yelling against the AppStore, and the process. But it’s the only thing protecting everybody from misuse

iOS App Store? Were there any [major] issues with jailbroken iPhones running cracked apps? Especially before when jailbreaking and pirating iOS apps was a bigger portion of users and culture.

It was and is a small number of people regardless. I’m not sure if that’s going to be the “reason” nothing happened. If so, it doesn’t seem like that can conclude protection from misuse.

From the standpoint of malware writers, the users are one Office 20XX or Adobe CC 20XX away to installing the latest 'free trial' until they search for that fake keygen.exe or 'cracked full version' and it starts encrypting their work.

Adobe and Microsoft are the most targeted by malware writers unsurprisingly.

Not only that, Little Snitch of all things. I can understand if people downloaded a pirated game or word or photoshop (before they went all cloud). Little Snitch is literally for the ones who are paranoid about these things in the first place

You could say the same thing about every business that has installed Zoom.

Zoom is free so you're the product.

No it's not, the business product had the exact same spyware-like behaviour issues acting up after you'd uninstall it on MacOS. They had to push an entire mac security update just for that fix.

I knew a dude who loved to click on ads. All of them. He thought it was fun to see all the garbage people try to peddle to you. Even after I explained to him that ads can be sketchy and lead to you collecting malware.

In particular, I don't understand how people use pirated security software (which Little Snitch basically is). If you're going to have to trust something, it's that.

You mean like a batch file with a vlc shortcut icon. I accidentally run those all the time. My eyesight sucks and win10 accessibility is dogshit.

I've done similar on mac too.

It's not just that it was an executable. The real issue is that Little Snitch is distributed as a pkg (not that that's the developers' fault, as there's no way to implement the app's functionality with just a simple app). But distributing it as a pkg that requires installation with an admin password is how the malware takes hold of a user's computer. AFAIK it is always safe to open an app you download from the web (although the app may not respect your privacy).

> The real issue is that Little Snitch is distributed as a pkg (not that that's the developers' fault, as there's no way to implement the app's functionality with just a simple app).

In Big Sur, it might be.

> AFAIK it is always safe to open an app you download from the web (although the app may not respect your privacy).

Apps can still encrypt your disk this way.

Does apple not throw up a permission dialog whenever an app tries to access just about any part of your filesystem? Like this:


I could be wrong, maybe it's only for certain kinds of apps.

That’s for all apps, but only for specific parts of the filesystem, so there’s still plenty of room for apps to cause havoc by messing with everything else.

This is separate from the older sandboxing feature that’s designed to fully isolate apps from the rest of the system, which is mandatory for Mac App Store apps but opt-in for other apps.

Mandatory for new Mac App Store apps

> AFAIK it is always safe to open an app you download from the web

No, it's not; various ways to break out of sandboxes exist.

And you don't even know that the app is sandboxed!

The real issue is people are trying to steal it and getting fooled by a malicious site.

Download the program from the developer and run the keygen in a VM and copy over the license.

Very few keygens these days, there used to be a 100% safe way of getting the full Adobe Suite back in the CS6 days.

Now everything is fully subscription based; you have to replace the license system within most major software.

So I'm told.

If they give you the keygen…

Probably not much riskier than using the mobile app stores if you have a good source.

it is getting like that. it's been mostly good up til the present time. you know, there are 'scenes', trusted crackers and communities, users giving 'thumbs up' etc. but this ransomware trend is a bit scary.

Because they simply cannot afford the software, they often do not have an alternative.

I've been pirating since I was 11 years old. I have never once gotten a virus or malware. I have, however, gotten a virus from a random website that popped up on the front page of google.

some people like to live dangerously.

Or. Like the world we live in, there's massive inequality and some people just don't have "I comment on hackernews" levels of money

If you're gonna pirate, at least do a checksum or something.

Against what?

Against the cracked copy, of course, to make sure the DRM really has been removed. You don't want to get nasty surprises and accidentally install PACE or another Sony rootkit...

How would you know if the cracked copy you’re comparing against didn’t already have something nasty in it?

You wouldn't, I was joking. Sorry, I shouldn't have done that, I was in "Reddit mode" and forgot that discussions are more sincere on HN.

Ha, I didn't catch the joke. Guess it seemed too much like genuine advice…

checksum can tell you if there is a difference but not what caused it.

I don’t understand how people dare to run executables downloaded from app stores..

Not just children.

They ought to be punished by forcing them to play Cataclysm DDA without the wiki.

I don’t understand how people dare to run anything but free and open-source software. Proprietary software tends to have malicious features. The point is with a proprietary program, when the users don't have the source code, we can never tell. So you must consider every proprietary program as potential malware.

I don’t understand how people dare to run anything but software they have written themselves. Open source software sounds good, but I don’t review each line of code myself, so we can never tell. So you must consider every program you didn’t write or review line by line as potential malware.

I don’t understand how people dare run software at all. Everyone knows software has bugs, and what if it does something you didn’t want it to do?

There are backdoored binaries for FOSS projects (filezilla comes to mind), and well-behaved proprietary programs.

Play stupid games, win stupid prizes.

If you cannot afford Little Snitch or don't want to pay for it or just prefer open source, install LuLu. It's a free and open source alternative to LS application firewall. [1] You can install it through Homebrew or download binaries manually [2].

[1] https://github.com/objective-see/LuLu

[2] https://objective-see.com/products/lulu.html

Am I the only one who uses piracy to explore new technologies? For example, I pirated ZBrush and spent about a month learning it. At that point I felt I had invested enough time / gained enough skills to justify buying a full license, if I ever need to do more 3D modeling.

I had the same experience with Visual Studio back in the day (aka Visual C++ 6.0; fond memories...), and of course photoshop.

It’s a stupid game, but quite a personal growth vector.

This is why a lot of software houses don't come down too hard on individual pirates -- they often become your fans and they might result in business in the future. It's like selling concerts and merch as a musician.

Since software dev isn't the domain of lifelong nerds anymore I don't think most folk are as understanding or knowledgeable about the positives of piracy (or related issues around software freedom or the economic properties of digital data), hence your unfortunate downvotes.

It's a shame... there are many of us who would not be where we are today, as productive, value-creating citizens, without having learned our trade with pirated software.

Exactly. I remember begging my mom for Visual C++ 6.0 from eBay for $60 whole dollars when I was like 12, because I had heard that’s what real gamedevs use, and I was determined to become a real gamedev. It’s weird... you can trace that moment to present, and her saying “yes” or “no” would have dramatically changed my economic outcome.

Piracy is a wonderful equalizer in that regard. Companies have every right to come down on piracy, but it often works against you if your software is a tool.

What did she say? Don't leave us hanging...

She said yes :) I owe a lot to that decision. It's also helped me understand what "privilege" is – many, many parents would have been like "no, now go do your homework." (I wasn't a very good student.)

But, for example, Visual Studio 2003 Architect Edition was so expensive that I think it was a few thousand dollars at the time. Piracy enabled me to learn that, too. And surprise surprise, when I got into the gamedev industry, that was what they used.

From Microsoft's standpoint, it was nothing but benefit: in addition to adding +1 productive programmer to the world, the piracy also caused me to become something of a Microsoft evangelist, similar to Carmack. It helped me appreciate a good IDE back before Webstorm made it a reality for Javascript.

Of course, that eventually led to discovering Emacs (or rather being forced to learn it due to a twist of fortune) and then evolving into my bearded open-source devil form... Now if only there were an Emacs equivalent for 3D modeling and music, I'd be happy as a clam. Blender is great, but it just can't compete with ZBrush.

EDIT: By the way, I was delighted to discover that Photopea (https://www.photopea.com/) is a completely free, browser-based alternative to Photoshop. It has almost an identical UI, and it does 100% of what I need out of photoshop. We've been paying the $35/mo creative suite license, but I imagine lots of people still pirate it.

If you're wanting desktop software, Affinity[0] sells one-time-purchase licenses for their Photo, Designer, and Publisher software. I've never used Photoshop/Illustrator and generally do rather light work when I do need to edit/design, but I've been very happy with my purchase. Each license is $50, and they recently went on sale for $25 (but that's over now).

[0]: https://affinity.serif.com

I can't speak for the Photoshop -> Photo transition since that's never really been my thing, but if you've been using CS professionally for any length of time then going from Illustrator + InDesign to Designer + Publisher takes some significant muscle memory retraining. I've been gradually switching over for the last ~6 months but I still have to reach for Ai or Id if there's a really time-sensitive task.

The amount of subconscious automation that goes into making you really proficient at using some tool becomes very obvious when you try to use a different one.

(I cracked those back in high school and then purchased them because they were so good…)

Exactly what I did.

I got Borland c from a friend. Later on I got watcom c from crazybytes. And then visual C++.

A lot of my learning (game dev) was of course the demo scene, and x2ftp from Oulu in Finland.

Another huge step was me going to the bookstore, secretively reading game programming books, and copying code on a piece of paper. Those books were unaffordable for me at the time, and the store guy told me to stop a few times.

My parents had stable jobs, but weren't super well off when I was a kid; but one thing that I only really appreciated in retrospect was that they gave me an effectively unlimited budget for books. They'd give me suggestions and buy me books that they thought would be worthwhile reads, but they'd also buy whatever fantasy/sci-fi books I asked for. Thankfully for my parents' wallets, I did spend a lot of time at our town library.

>Blender is great, but it just can't compete with ZBrush

Could you elaborate on that? I assume you're more on the 'dabbles in it for fun' side, but I can't think of any missing features for that kind of usage besides polypainting which is available as a WIP patch.

There are lots of free software alternatives to commercial tools. They are usually worse but not by that much. The difficulty of learning them is actually a nice challenge.

Why did you need the architect edition though?

Probably didn't, but most pirated software includes the highest end options. The last pirated version of CS6 I saw was the ultimate edition (or some such), and the last pirated version of ableton I saw was the full suite.

Note: I use Affinity instead of photoshop, and I've had an ableton license since v6, but I keep an occasional eye on the pirate scene. I owe many of my skills to pirated software, and could therefore afford to buy software when I became a professional.

This is why free student packs are super valuable. Students typically have little to no money and can't afford to buy expensive software. So the company gives you a temporary free copy so that once you have a job in the field you're learning, you can actually afford to buy it.

> [...] there are many of us who would not be where we are today, as productive, value-creating citizens, without having learned our trade with pirated software.

Agreed. I learned to program with GW-BASIC which if I remember correctly was included in a (pirated) copy of MS-DOS. Then I graduated to pirated Turbo C and Borland C++, and (I think) only then to the genuinely free DJGPP (a port of GCC for DOS).

If it weren't for pirated software, I wouldn't be a programmer today.

>It's a shame... there are many of us who would not be where we are today, as productive, value-creating citizens, without having learned our trade with pirated software.

I imagine Adobe has managed to keep a lot of mindshare for Photoshop simply by how widely it is pirated. If pirating Photoshop was absolutely impossible, there'd probably be a lot more Gimp users in this world.

That's one of the benefits of the subscription model that gets a lot of hate on here. You can try things easily without pirating and exposing yourself to malware.

Piracy is still piracy, regardless of your personal feelings about the value of your own use case. You’re taking something that is not yours for taking.

If we are clear about terminology it’s less misleading. Unauthorized use of software downloaded from the internet is copyright infringement, not “piracy”.

It is similar to making a xerox copy of a book obtained from the library, recording a rented video on a new videocassette tape, making an unauthorized recording at a music concert, or typing code you found in Numerical Recipes into your own open source project.

It is not at all similar to boarding a ship and robbing the passengers.

That may be the case, but much of the "piracy is justified" crowd seems to rely on an "ends-justify-the-means" approach to suggest that piracy is great. If everyone pirated software (or if even a significant portion of people did), it'd be much harder to make money off of building software. I say this as someone who has pirated plenty of software in my life. I just didn't delude myself into thinking that I wasn't doing something wrong.

I'm having a déjà vu but literally everyone who justifies piracy does it for the benefit of those who are dependent on it. People who have money don't care and just use the most convenient option.

This analogy really doesn't work, because taking something deprives someone of something they would've otherwise had. If you have the means to buy a piece of software and pirate instead to save money, then sure, I think you can make a case that it is 'taking'. When you're pirating something that you would've never been able to buy, who are you depriving of anything? I guess you're depriving those who have the means to buy that software of the exclusivity of their position, but is that something that they get to 'own'?

> depriving those who have the means to buy that software of the exclusivity of their position

I'm gradually realizing that this probably plays a larger effect in society than we think. Like the ancient parable of the prodigal son, whose faithful brother was jealous that the rebel was celebrated in the end. Maybe it also plays out in lifelong CS devotees vs. CS-for-the-money people -- the nerds might feel that they have "earned" CS more, and the dayjob folks might not appreciate the depth of understanding that comes from the dedication of the lifelong devotees?

At a moral absolutist standpoint: yea, absolutely. Whether it's harmful or not, the intent is still to avoid paying for what you got, which is pretty straightforward.

For almost any other positions: it's murkier. If you take a berry off a bush on public property... what's the morality? Or growing from private property overhanging public that's just dropping fruit and the owners are either not present or clearly allowing fruit to drop? It's theirs, they absolutely could harvest it, but they're not and it's clearly implied that is not going to change. Now what?

Yes that's still further towards harmless than you can likely argue software piracy is (... ignoring the network effects of everyone knowing how to use X because everyone pirated it, or I could probably come up with others), but my point is that strict black and white separations have dividing lines and breaking points. Whether there is black or white somewhere isn't really useful to anyone, it's where you draw the line.

You are exactly right. And I'm surprised people are talking about it here cavalierly. I wouldn't hire someone who brags openly on forums about stealing software.

Copyright infringement isn't the same as stealing. I'm saying this as someone who can't recall ever using unlicensed software.

Ask your colleagues. If you work around computers chances are that piracy is how a lot of them were able to start using them.

Here's the difference: People who stole software, but agree it's wrong have a moral compass. Those who try to rationalize it don't.

As a developer myself, I'd rather use demo versions when available.

ZBrush is $40/month. Makes me sad you can’t afford that.

$500/year is a nontrivial amount of money anywhere, but especially in many countries outside the U.S.

In this thread though we are talking about someone’s experience using piracy to spend a month learning something. $40 seems like a reasonable alternative to that.

Oh, thank goodness! You're right, it's $40/mo now for ZBrush 2020. ZBrush 3 and earlier was $895 with no monthly option, which is great for CAD professionals but out of reach of hobbyists. I'm glad they have an option now; thanks for pointing this out.

(I'm surprised you're getting beat up for this sentiment. $40 is definitely below the threshold of "purchase on a whim and try to learn it for a month." FL Studio was another great one at $99. Still, I'm sympathetic to people who simply can't afford it – children especially.)

40 bucks a month is a huge amount of money for most of the world's population.

I appreciate the foss alternative, but at the same time it seems downloading binaries manually is also part of the “problem”.

It matters a lot what site binaries are downloaded from, and a lot of average users don’t really understand the difference.

I suppose as long as a human decision is involved there is room for error.

Wonder if this can be solved without going 100% down the app store path.

Arch aur has never let me down.... Linux package managers in general. Curated content, secondary and tertiary content of varying levels of risk. Most high risk activities hidden behind a knowledge gap, yet still available. It is a superior system to directly downloading binaries from random websites, if not only having a single access point increases security.

I second the recommendation of Lulu. It's such a useful, well-built tool. I use it daily, and it's eye-opening to see all the questionable network requests leaking data.

Looks like changes will need to be made for LuLu to work on Big Sur: https://github.com/objective-see/LuLu/issues/183

Little Snitch is becoming much, much less useful with in-app DNS-over-HTTPS resolvers. They really need to provide a local DNS/DoH-to-DoH proxy function so they can sniff the traffic without forcing the user to switch off DoH entirely.

Doesn’t LS let you block internet access per app per domain? At that level of control why would dns resolution bypass matter when I can still block the app from talking to any arbitrary IP?

For this reason I disabled DNS over HTTPS in Firefox. How much protection and what kind of protection does DNS over HTTPS give you?

I never understood why objective-see releases all these useful things individually. Surely a comprehensive app that had all the functions would be better?

I vehemently disagree! Monolith apps are the worst; a single app should focus on doing one thing well.

Let's say I already own and use Little Snitch for monitoring traffic, but I want to install RansomWhere to detect malware. Do I get rid of Little Snitch even though I prefer it, or do I deal with having duplicate software on my machine?

I've seen some programs that are excessively modular. You can always go too far in the other direction.

Some open source projects can be compromised and the artifacts can be malicious. It has happened many times.
