A320-X DRM: What happened

marklyon | 116 points

Previously: https://news.ycombinator.com/item?id=16412541

It sounds like they distributed a tool that goes through your Chrome saved passwords database and if the installer thinks you're a pirate, it sends credentials from that database back to the author. The author is now saying they used credentials they learned from this to break into a private website to learn more about how their DRM was being bypassed.

This seems so incredibly illegal, I can't believe they admitted that this is what they're doing.

kevinday | 6 years ago

I wonder if they realise just how illegal their actions are, and that they've fully confessed to breaking the law?

They should have at least sought legal advice before trying to do what they did, but failing that at least sought it before posting this message.

Twirrim | 6 years ago

Sent base64'd to a non-secure endpoint with open RDP... ouch.

https://www.fidusinfosec.com/fslabs-flight-simulation-labs-d...

paraxisi | 6 years ago

If anything this is just going to want to make the crackers keep cracking their releases even more, because one thing they certainly love is a good challenge, and these "bomb-like" features would appeal to them greatly.

(Long-retired cracker, no longer active in the scene but still fights from time to time. ;-)

userbinator | 6 years ago

What's the background exactly?

As I read it, they had a function to grab various bits of data from a specific machine that was linked to a specific cracker. Did it misfire and started to pilfer data from other unrelated machines?

Edit - for the record, the original post title was somehing like "Flightsimlabs attempts to explain their password-stealing DRM malware".

eps | 6 years ago

I sort of appreciate the creativity here, though it's blatantly creepy and uncomfortable for a software vendor to be pushing updates with single-user-targeting functionality, in particular, to say nothing of the spyware issue itself.

ocdtrekkie | 6 years ago

What I don't understand from their explanation is why they had to do this at all -- if they could identify the bogus serial numbers, then why not just block those serial numbers from registering?

Johnny555 | 6 years ago

I wonder if they are in fact shooting themselves in the foot in their fight against this cracker.

Aren’t there laws that basically invalidate evidence gathered by illegal means?

k_sze | 6 years ago

I am curious what the piracy rates are for this game vs actual sales, because I am having a hard time justifying investing that much effort into what they did.

cptskippy | 6 years ago

Gotta say, on reading this I went "They did what?!". This raised my eyebrows so much, I'm fairly certain they're now lost somewhere in my hairline. In the US, at least, I'm fairly certain they've broken more than a few laws. Kudos to them for admitting it, entirely; I guess that would be the only hope they'd have of ever re-gaining any sort of trust with their install base, but they'd be equally smart to find a lawyer[0].

I get that a lot of time and effort goes into developing a product and it's really frustrating when you find out that your product is being pirated. I can't imagine if I'd happened upon a whole community sprung up around pirating my product; they had to be incredibly angry and this likely led to this terrible idea. And no matter how often you repeat to yourself that "piracy does not represent lost sales", when you've poured your time into something -- time that you hope will make you a nice living, time that you took away from your family or other enjoyable pursuits -- you tend to get really angry when you find out there are people that think it's perfectly OK for you to work for free.

I like to repeat the mantra that "piracy does not equate to lost sales" and tell myself that those wouldn't be paying customers anyway, or they're not my real target audience, or that it speaks to the popularity of the product if someone went to the trouble to crack it. And I'm a believer that effort spent on DRM is wasted (especially efforts like this). It's not entirely, true, of course. I always think back to the story I read a few years ago about the TCP/IP stack that nearly every DOS PC used -- a piece of shareware that, at the time, was probably the most popular piece of shareware in existence. I'm sure I, like many, didn't even think to pay for it and operated under the assumption that large corporations were probably using it and the developer was probably using $20 as kindling by now when in reality I think he netted somewhere in the thousands of dollars for his efforts.

At the same time,... well... this.

This is exactly what happens when you focus on piracy so hard. Developer time is a finite resource and this company wasted that time developing a piece of DRM that is indistinguishable from malware. It succeeded in not stopping the pirates, not catching the pirates, angering their paying customers, easily exposing them to civil legal issues and possibly exposing them to criminal legal issues. That little bit of wasted developer effort could very well end the company that made this product in a way that piracy probably never would have. Assuming their customers like the product and would like it to continue to exist, this company basically did everything in their power to not serve their customers.

To be clear, I'm not completely against purchase verification in software products. If it's light-weight, and doesn't get in my way as a customer, it's fine (i.e. provide the ID/password used when it was purchased with a fallback to an offline serial number ... asked one time and never again). I get it. A small road block is enough to keep my mom or dad from grabbing a copy that a friend attached to their e-mail. Heck, in the case of my mom or dad, they may not even realize that it's not a free product if it doesn't ask for some form of verification. I don't mind how Steam works or how the variety of stores handle these sorts of things. If your DRM effort goes any beyond this, it's wasted effort. You're not going to stop a determined pirate even (especially?) if the product your selling is an anti-piracy product. Just don't. Don't waste the effort. It's never worth it.

Even as I write this I'm still amazed. I get frustrated when I upgrade my CPU/memory/GPU and Office won't run without some extra steps. I can't imagine if step #2, after falsely identifying me as a pirate, was "send a bunch of personal data to the authors"[1] so they can turn me in to the authorities. Pro-DRM folks like to equate piracy with theft, so I'll make an equally poor analogy and say that'd be like if I purchased bed sheets at Wal-Mart, and the processor in those sheets[2] decided I stole them, so they started sending the GPS location of my house along with pictures of my bedroom to corporate so that they could turn that information over to the police.

[0] Sure wouldn't be difficult to compare this with any other piece of malware in its behavior, but IANAL.

[1] And yes, I realize that they've stated that they're looking for specific information from a specific pirate that they consider to be the source of the problem, but including that payload in the installer makes me question the truth of this statement. I don't have any reason to dis-believe them, especially considering they've basically written up a post admitting to a bunch of activity that may very well be illegal in nature, but having no way to verify that they are telling the truth, or that there isn't a circumstance that could false-positive flag someone who isn't that very specific case, I will err on the side of assuming the worst in this case.

[2] I laughed when I wrote that, then I thought ... there's probably already sheets with processors in them. If there isn't, there will be. Shortly followed by the first case of DDoS by IoT bed-sheets.

mdip | 6 years ago

would be funny if the pirate sues these guys for hacking and puts them in jail

supergirl | 6 years ago

If they are in the US, anybody on whose PC this ran, including the Cracker, can probably get them all thrown in jail for CFAA violations.

dmitrygr | 6 years ago

Releasing DRM-free is a thing if you want to respect your users, instead of insulting them.

shmerl | 6 years ago

from the headline I thought it was about the Iranian airplane that crashed

singularity2001 | 6 years ago