Idiots...
How in the world did they think this would end in any way positive to them?
A Chrome password dump tool found in the latest update from Microsoft's Flight Simulator Add-On wrangler, Flight Sim Labs, has virtual pilots up in arms. The download featured updates to the Airbus A320 model including improvements to the engine crank and flare mode logic and, er... a password harvester for Chrome. Noted in a …
Cant find the article, but their CEO / Lead Developer Lefteris has actually been pulled up on this previously and is alluded to in the main subredit that this all kicked off in
https://www.reddit.com/r/flightsim/comments/7yh4zu/fslabs_a320_installer_seems_to_include_a_chrome/
This is stupidity on so many levels, the relevant Arstecnica article seems a bit more in depth
https://arstechnica.com/gaming/2018/02/flight-sim-devs-say-hidden-password-dump-tool-was-used-to-fight-pirates/
From the Arstechnica link..
""This method has already successfully provided information that we're going to use in our ongoing legal battles against such criminals,""
Wow, just....wow. Admission of guilt for computer misuse?
OMG, it gets worse..
"Using this method, Kalamaras writes, the FSLabs team was able to "dump that cracker's information needed for us to gain access to those illicit websites, so we could then forward the information to proper legal authorities." What he and his team found, he writes, was "an entire web of operations" dedicated to pirating multiple flight simulators"
So they also breached other websites with this guys' stolen details? Man they are fucked.
Catching cunts who are ripping off other people's hard work.
Okay, not much sympathy for the pirates either. But if I suspect you're growing drugs and break into your house to check, then I'm still guilty of breaking and entering. Maybe if I had good reason and turned out to be right I'd get off lightly. If I start breaking into all the neighbourhood houses 'just to check' I'm guilty of breaking and entering and being a maniac.
"Everyone in this thread seems to be pretty relaxed about people's work being ripped off."
If someone broke into my house just to see if I had some of their stuff I would expect criminal charges to be laid against them.
They may have started out trying to protect their legitimate interests, but they have no right to sacrifice mine. So no sympathy for them.
@LewisRage
I wasn't saying that they don't have a right to protect their profits; I was pointing out that their 'good intentions' were not altruistic; they just wanted to make sure people weren't using their products without paying and that goal is nowhere near sufficient justification for what they did.
As I have said at every opportunity in previous comments, I am not a supporter of those who violate copyright and I have little sympathy for them.
BUT, I do not believe that violating copyright is so serious and grave a threat to society that deploying malware and spyware is justified in order to stop it.
Compare this to cases where the FBI have performed similar actions (i.e. installed malware/spyware) to catch people involved in a child-porn ring. THAT situation is serious and a genuine threat to the most vulnerable among us but even then these powers are a step to far in many people's minds.
My point, again, is simply that, if there is some line beyond which the ends justify these means, this situation does not even come close to reaching that mark.
Installing malware/spyware on someone else's computer is a far greater offence than running some software without paying.
@mosw has summed it up perfectly.
@Aladdin Sane
The developer's end goal might seem worthy when you phrase it a certain way - e.g.: to stop people distributing cracking tools for their software - but, more simply, the goal is to protect their profit.
That's what all DRM is, after all.
Looking at this specific case, it seems apparent that, while the behaviour of the cracker(s) is clearly illegal, the closed, 'in group' nature of the distribution (of the cracking tools) implies that the damage could not have been overly large.
Of course, the software itself is relatively niche but still, this cracking operation seems to be available only to a select few and not anyone who just searches online for "give me tha free warez!!!"
What we have here is a classic case of a digital company believing that they have some intrinsic right to do whatever it takes to make sure everyone is paying them.
In this case, they massively over-reached given the likely scope of the problem but the point is that this kind of behaviour is inherently poor form (ignoring the legality) and crosses a line (distributing spyware) that shouldn't be crossed no matter the motivation.
Even Blizzard have installed spyware in World of Warcraft. Anyone remember the whole spat over "Warden"? Admittedly I think that was to catch hackers and bots rather than DRM feature, but what a sledge-hammer to crack a nut?
I think the lesson here is - if you think you have a piracy or DRM issue then you'd better lawyer up before you even start coding your solution. Developers have to start putting privacy first before guarding their intellectual property and it shouldn't take a grey suit to keep your morale compass pointing in the right direction, but if that's what it takes.
I swear the speccy twats think they're god and can code what they like and put whatever they want on anyone's computers. Utter wuckfits! Let them feel the wrath of GDPR.
German Democratic People's Republic ? Guards with dogs and machine guns, judges with instructions as to the outcome of the trial, prisons with very bad reputations ?
Google says it is a European directive, that doesn't have the same dissuasive power. It only frightens the bean-counters.
"Google says it is a European directive, that doesn't have the same dissuasive power. It only frightens the bean-counters."
Except that an approved and enacted European Directive means that each member has to enact into law the said Directive. It only sounds like guidance, but in fact it is the law. The guidance bit can seem deceptive in terms of force of law, but the term "guidance" is to direct EU member governments on what is needed in law so there may be some variations locally but the meat of the directive is actual law across the EU, Google is well aware of the situation. They have lawyers experienced in dealing with the EU and EU law.
Fun (well, tedious, but important) fact about the GDPR, it is an EU regulation, and applies directly in member states without having to be transcribed into national law. You're right a directive has to be enacted by member states; the previous Data Protection Directive became the Data Protection Act in the UK. The advantage of a regulation is things are harmonised, IANAL, but I guess disadvantages are it being more difficult to integrate them with existing national law (legislation may still be required) and people worrying about sovereignty.
It sounds like Greece doesn't currently have any such legislation, though, and in general legislation isn't retroactive in effect. If that's the case, they only have to worry about the GDPR if they were still shipping this after Greece put it into effect in law, which is going to take at least a year or so I would assume.
@Uffish
It's more than just bean counters who're worried by the GDPR, in the UK (when it comes into law in May), company directors can be personally prosecuted, as well as the company itself.
It's funny how much suits will suddenly start to worry about other people's data when they can actually go to prison/be fined over it.
@AC
"Even Blizzard . . ."
You mean Blizzard, the company that insisted that their two flagship non-MMO properties - Diablo and Starcraft - would require constant online connectivity to even play single player?
The problem - as you have identified - is really the elevation of DRM and "intellectual property protection"* above the privacy of the customer and their control over their own computer.
Software companies will continue doing this unless either their ability to do so is restricted by legislation or the community - en masse - stops buying their products. I don't which is less likely. Certainly there is no will by governments for the former and the massive acceptance of platforms like Steam shows there is apparently no will by consumers to do the latter.
* - The term 'intellectual property protection' is not really accurate, however; what they are attempting to protect is their PROFIT. Protecting you intellectual property is covered by patents and trademarks and so forth - someone running a copy of your software does harm your 'intellectual property' - just your (potential) profits.
Imagine how many meetings etc this was discussed in. All those consultations, tweaks, updates and chats about it.
No one involved thought that helping themselves to user passwords would be either a bad thing or illegal?
Boggles the mind,
That or it's techbro "no mere mortal is as clever as *us*! Right bro?" stupidity.
Better warm up the legal department, lawsuits are going to fly.
Just goes to show, stupid people can be overachievers too.
It also highlights a common industry deficiency. Many developer interviews find time for trivia ("what is a closure?") that can be looked up in 5 seconds but completely fail to inquire about fundamentals like knowledge of the Computer Misuse Act and Data Protection Act etc. It's like hiring an architect based on his knowledge of the aesthetics of post-modernism and forgetting to ask if he's ever heard of building regulations and planning permission.
Certain apps, including some games, get installed inside one of my VMs which do NOT have network access except when _I_ say. Yes, there can be a performance hit, and some apps refuse to install in the VM at all, but I can live with the lower performance and I can live without the refuseniks. Flight Sim X dates from 2006. Given the improvement in hardware since then, despite Spectre/Meltdown, I can get very nice performance in the VM. As the VMs in question aren't supposed to connect to any network except on _my_ say-so, I don't install web browsers on them. IE and/or Edge will be there, of course, but I don't use either, so I don't care. I don't usually use Chrome. Firefox, yes. Safari, yes. Opera, yes. Vivaldi, yes. Chrome, no. And I don't store passwords, etc., on the VMs, because I don't connect to networks on those VMs and therefore I don't need passwords. What would happen if I had installed this 'package' would have been that I'd have spotted it trying to call home, and failing, and I'd have yanked the 'package' so fast that there'd have been Cherenkov radiation.
Be paranoid. They _are_ out to get you.
Chrome, eh?
Wasn't there some brouhaha about Google digging in its heels and flatly refusing the requests of many of their customers to include a master password and encrypted password store like Firefox has? Something about the Google guy throwing a fit, telling the people that demanding something doesn't mean they get it, so stop asking and STFU? Something about Google saying that there is no value in a master password setup, and that their customers who think otherwise are wrong?
These are Google's feelings: "We understand that many of you want a master password for your saved passwords in Google Chrome. ... Currently, the best method for protecting your saved passwords is to lock your computer whenever you step away from it, even for a short period of time. We encrypt your saved passwords on your hard disk. To access these passwords, someone would either need to log in as you or circumvent the encryption. ... Please know that your security is our highest priority, and our decision not to implement the master password feature is based on our belief that it creates a false sense of security instead of actually providing a strong security benefit."
Apparently 'malware is somehow present on your PC' doesn't count because one type of malware is a keylogger, and therefore giving all malware access to your Chrome passwords is acceptable.
I seem to recall Sony had a bright idea of installing malware on everyone's' computers to protect their "IP".
That didn't work out so well and we have only got less enthusiastic about that sort of thing. A/V software has got better and nowin-nofee lawyers have got more numerous.
Was this just more arrogance than usual or just more extreme stupidity than normal?
I can remember friends of mine having issues ripping CDs. I thought it was odd, as I wasn't having any problems at all.
It was only a little later when I realised I'd gotten into the habit of holding the Shift key down when sticking a CD into the drive (to avoid annoying autorun programs), that it had become muscle memory. So I'd by accident, avoided installing Sony's 'software' from the CD, and the disks copied/ripped just fine for me!
Android developers, and ad-targeting firms seem to think that grabbing as much as they can off your device is fair game.
Don't be surprised at the many ad-brokers that slurp your exact location and account info, even if you have location services switched off. Many also grab a list of all your installed apps, and all sorts of other stuff that in aggregate could be used to identify you - and other stuff than frankly they have no business slurping. This equally applies to "respected" companies, and apps which are paid for, and contain no adverts (*analytics* cough)
Just go to any of the ad companies websites - they proudly boast about it.
But back to our industry in general..... How has this happened? A few years ago, if any software phoned home to do anything other than download updates or join a multi-player game etc. there would be hell to pay.
The tracking is actually the main reason I've rebelled against ads. TV companies have no analytics. - Web advertisers can get precise viewing counts and times - they should have been grateful for that. Common-domain ad-serving is JUST to get around the privacy protections in the cookie specification... So why is it deemed ok to do it?
Sorry, got a bit sidetracked in my rant there!
"Android developers, and ad-targeting firms seem to think that grabbing as much as they can off your device is fair game."
Anyone here do dev work on Android apps? Does the Google Play Store report back failed installs when a uses clicks NO to the overarching permissions requested?
It is concerning how much data apps can extract, either directly or as part of the analytics framework, without triggering a request for permission.
Don't use Android without xposed+xprivacy!
I don't suppose it is any different with ios though?
@FuzzyWuzzys
No idea why you got downvoted, but you are spot on. If an individual does this to a company, if they get caught they go to court because a Police complaint is made and it's taken seriously. All it should take is one single complaint to the Police over this case and investigation should start. But you know it won't happen, If, and it's a big if, there is enough of an outcry, then maybe some government department might be persuaded to start some sort of weak investigation and wrists might be slapped, maybe a small fine.
They can install what they like, capture they like, apologise and it's all good.
I would not be so sure. Depends who deals with this. If they pissed off a flight sim fan who happens to be a lawyer or work in CPS they may be up to a very unpleasant experience. Unfortunately as with many other things the only exemption to "we, in the UK, have one of the best legal system money can buy" is when you are dealing with members of said system.
Of course the fact that they sniffed passwords from innocent people's PC's too is fine, sure they won't mind at all - because <insert bad phrase>
Its malware however you look at it. Trust is built up slowly but lost in an instant.
Does this affect those who play flight sim through Steam too ?