The short version is that they included an executable in their installer that when run would extract passwords saved in Chrome and presumably phone them home. Their reasoning was that this was purely for DRM reasons. They claim that this password stealing tool would not run for legit/valid serial keys.
This was only discovered by someone on reddit recently, and since this has been public the developers have claimed they’ve removed the password stealing malware from their installer. They have again made statements saying that this tool was only used against pirated copies of their software. Not once have they apologized and their users for the most part don’t seem to care.
That's quite a claim. But it wouldn't matter if they did apologize. No apology would take away the malware or cause this publisher to have not used the secrecy of proprietary software (and the implicit trust all of their users had in the publisher) to not do what they did.
Too bad for the users who obtained copies (regardless of how) that this claim is utterly unverifiable and ultimately up to the dictates of an organization that already misrepresented its aim to its users -- I'll bet that people who got a copy thought they were getting a flight simulator, not a credentials copier. There's no reason to trust that they're not lying now. And what if FlightSimLabs (or some organization they trust to hold data) inadvertently leaked sensitive information? That's the trouble with trusting organizations to hold sensitive data; they can end up contributing to harm even if they don't intend to do so, or do so accidentally purely by way of making bad decisions about whether to hold the data in the first place and also by bad design of where and how to store the sensitive data.
Proprietary software hides malware (see https://www.gnu.org/proprietary/proprietary.html for lots of examples), users deserve software freedom (the freedom to run, inspect, modify, and share published software), and users deserve to control their own computers. And this DRM was indiscriminate (as most DRM is): it was installed on all users of the affected program, including on the copies distributed in the manner FlightSimLabs wanted.
"10 extremely determined people want to steal my intellectual property! I'll go miles out of my way to design this in such a way that 1,000 people have a crappy experience to slow down the 10 people who want to be pirates!"
Vendor makes a shitty product
Pirates find a workaround, pirate shitty product anyway
Vendor makes shitty product even shittier for all 1,000 people to agin try to stop the same 10 determined pirates
Under this approach, you really only want to make pirating the software just a little bit less convenient than paying for the software for most users. Because most potential pirates aren't determined attackers, they're just regular folks who are every bit as lazy and strapped for time as everyone else, and therefore won't bother to spend a few minutes keying in credit card information if they don't have to.
It's sort of analogous to turnstiles at train stations. Virtually anyone can go around or under them if they want to, but that's not the point. The point is that hopping a turnstile is just a bit more of a hassle than fishing your transit card out of your purse. Just enough more that most people would rather do that.
I don't think it's even that it's more hassle, it's just a reminder of how things are meant to work. Most people will do the right thing voluntarily once their attention's been brought to it. Sort of like the courtesy lock on a bathroom stall - it's not to physically prevent entry, it's just to indicate that entry would be impolite.
Those pirates provide a good service to the legitimate owners as well ;)
Those 10 determined people/pirates go off and put the cracked software (or the serials) up for download for the "not so determined" pirates who just want to download a cracked version (or serial) that works. Those don't have the skills (and willpower) to do the work needed to crack software.
Those, however, aren't 10 people: the ratio of cracker to "not so determined pirate" is an important part of the puzzle. Perhaps 1000 people will get the cracked version. I don't know, but the 1-to-many relationship is quite obvious from a distribution system such as BT or Mega.
I'm not trying to justify DRM (and certainly not what these guys have been up to), but your presentation makes it look like measures such as these are trying to fight a super-minority of folks (ie 10 out of 1000, or about 1%), when reality is most likely very different.
I have an app on the Mac App Store (I won't spam you with the download link since it's irrelevant to the discussion and I'm not here to fish for downloads) with analytics that report that many "purchase attempts" fail with a strange error (ie not a cancellation by the user, not a problem reaching servers, etc), and I have no other choice but to imagine that these are from people who are trying to pirate my app. And it's nowhere near a 1% fraction.
In my previous company, we'd have server side verification of receipts (per Apple rules), and about an hour after we'd release our software, we'd see a torrent of verification failures in our logs.
Software piracy is quite widespread and is an issue that we shouldn't gloss over. Still, I wouldn't condone what these guys seem to have been doing.
As a side comment on style, you could have made your point without saying "Vendor makes a shitty product" as there is no need to denigrate products that vendors make in such a generalized manner. You'll be taken more seriously if you can adopt a more balanced stance.
The first essentially boils down to the well studied psychological phenomena of Loss Aversion, which is what you refer to and purely emotional, the feeling of "someone is TAKING my work!" It has been very well studied that humans in general have a strong natural tendency to prefer to avoid losses vs thinking about gains, and in fact the psychological power of losses can be vastly more (2x+) vs gains. This phenomena is used extensively in marketing and other areas involving behavioral economics. It is not usually logical, and particularly not in the case of IP infringement where the emotional response fails to consider both that there is no actual loss and that IP itself is not a natural construct and imposes societal costs. Nevertheless, it's definitely powerful and it fuels some of the emotional outrage many honestly feel at infringement, even if it's not merely illogical but outright economically self-destructive (they spend more on DRM and cause more pain to legitimate customers and in turn drive them away then they ever get back).
A second, purely greed one, comes down to controlling power. A lot of big publishers/organizations in particular saw (and still see) DRM as a way to extract far more money and rent seeking through extreme personalized spatial and temporal slicing of IP licenses. Basically, a much more extreme version of what the music and movie industries saw with the various format transitions (tape to CD to online, VHS/DVD/Blu-ray/online). Those were enormously lucrative since they could simply take existing IP and repackage it and sell it all over again, repeatedly. Their golden vision for DRM was payments not just for formats but everything. A different fee to play in each car, in each player, per units of time, every new bit of hardware, etc. Fundamentally DRM represents arbitrary control beyond the bounds of law, and that control can be used for a lot more then merely preventing infringement. Fortunately this vision was at least partially thwarted, but it'll be an eternal battle as lots of money will always be on the table here.
The third most arguably legitimate use is an extremely time-limited-then-eliminated application for the kinds of major entertainment IPs that experience extreme reverse J-curve demand patterns. Ie., a majority of total lifetime demand may come in the first few days/weeks/months before exponential falloff and a move into low long tail territory. This can simultaneously represent the time when costs are highest too, due to factors like simultaneous online resource demands and (in the case of video games) ongoing development work/support engagement. For movies and video games your numbers (10 vs 1000) are backwards or worse, an enormous number of people will pirate if it's convenient enough. But these are very low effort, casual pirates, not dedicated ones, and they also are time pressured. They aren't fundamentally unwilling to pay for whatever it is either if they have to because they want it right then to be part of the cultural zeitgeist and experience the social networking at its peak period.
In this last situation, limited time DRM can be a practical choice in some cases. If it's cheap enough it only needs to last a month or two, or even just a few weeks, to generate significant economic return. Then it can be completely removed for the long tail as the entertainment IP gets into sale territory, which may bring in some more people who care and eliminate ongoing support costs as well as ensuring that all existing owners will not experience problems as the publisher attention winds down.
Of course, getting rid of it there promptly is key and something that publishers too often ignore (or they're actually looking towards #2, and hoping to monetize it in other ways with the aid of ongoing control). In principle though this is relatively innocuous, since the biggest practical problem with DRM is in the longer term. If for example it was mandated by law that all DRM had to be removed within 6-12 months of an IP launch it wouldn't be ideal and there'd still be moral concerns and arguments but it might be a practical compromise too given the realities of human psychology.
The problem is that the recent examples of games not being cracked on release (like the latest Tomb Raider) does not fit with your reasoning, since they did not have sales number above the norm.
Then I'd wait for the support emails to come in with people complaining about that crash/error...
Typical how the pirate support requests were always the most rude and impolite :-)
How do you know the main executable doesn't do the same thing? How is trusting them not to run this .exe different from trusting them not to secretly implement this functionality in the actual program?
Once a company pulls shit like this, they are dead to me, and they should be dead to everyone else as well.
Edit: FSLabs_A320X_P3D_v2.0.1.215.exe also has it present
Trying to fight piracy by using evil and criminal methods is the wrong approach. There's an old saying "Two wrongs don't make a right".
Never touch any program this company has released, there is a high risk of malware.
I want to believe that this was slipped in by a small rogue group within FSL, and that its not something everyone approved of...
[0] https://www.linkedin.com/search/results/index/?keywords=Flig....
Of course, this helps you very little when the malware is running under your user account and uses DPAPI calls to decrypt the passwords.
But none of that is going to help against an attacker with the same permissions.
But as you pointed out, another process with the same privileges can decrypt it making it pretty pointless in both cases. Only way to securely do it is to prompt the user for a decryption key each time they open the browser which has usability issues but Firefox offers it via the Master Password functionality.
[0] https://msdn.microsoft.com/en-us/library/windows/desktop/aa3...
