by taylorexpander 3045 days ago
I thought I’d share this here to spread more attention to the practices of FlightSimLabs, a flight simulator software shop.

The short version is that they included an executable in their installer that, when run, would extract passwords saved in Chrome and presumably phone them home. Their reasoning was that this was purely for DRM reasons. They claim that this password-stealing tool would not run for legit/valid serial keys.

This was only discovered by someone on reddit recently, and since this has been public the developers have claimed they’ve removed the password-stealing malware from their installer. They have again made statements saying that this tool was only used against pirated copies of their software. Not once have they apologized, and their users for the most part don’t seem to care.

2 comments

> They have again made statements saying that this tool was only used against pirated copies of their software.

That's quite a claim. But it wouldn't matter if they did apologize. No apology would take away the malware or undo the fact that this publisher used the secrecy of proprietary software (and the implicit trust all of their users had in the publisher) to do what they did.

Too bad for the users who obtained copies (regardless of how) that this claim is utterly unverifiable and ultimately up to the dictates of an organization that already misrepresented its aim to its users -- I'll bet that people who got a copy thought they were getting a flight simulator, not a credentials copier. There's no reason to trust that they're not lying now. And what if FlightSimLabs (or some organization they trust to hold data) inadvertently leaked sensitive information? That's the trouble with trusting organizations to hold sensitive data: they can end up contributing to harm even if they don't intend to, whether accidentally, purely by way of making bad decisions about whether to hold the data in the first place, or by bad design of where and how to store the sensitive data.

Proprietary software hides malware (see https://www.gnu.org/proprietary/proprietary.html for lots of examples), users deserve software freedom (the freedom to run, inspect, modify, and share published software), and users deserve to control their own computers. And this DRM was indiscriminate (as most DRM is): it was installed for all users of the affected program, including on the copies distributed in the manner FlightSimLabs wanted.

So basically "you broke the law, so we'll break the law"?

Unfortunately, this sort of attitude is not unheard of among proprietary software vendors; see for example FTDI bricking your hardware if they think it's counterfeit:

https://news.ycombinator.com/item?id=8493849

And as a side effect to that story - I recently needed to purchase a USB to RS232 adapter to program a router and I went explicitly out of my way to make sure the adapter I purchased didn't use an FTDI chip.

FTDI is a name I won't be forgetting anytime soon.

Wouldn’t that be downright illegal? Moreover, someone bricking my hardware would inspire me to forcefully return said “brick” to them, through their nearest window.

Wouldn’t that be downright illegal? Moreover, someone breaking my windows would inspire me to forcefully discuss said behaviour with them, with their nearest brick.

Totally illegal, but while I would feel like tossing something through their window, I would never do it. If only this company had as much of a moral compass!

> FTDI bricking your hardware if they think it's counterfeit

It's not quite the same thing. Their driver does things that work with the original hardware.

If a different chip uses the same USB ID, they're asking for trouble.

(of course good faith is unlikely in this case)

Actually, it’s “we suspect you may have broken the law, so we’ll break the law.” A distinction no one seems to be hammering on, but one that I think makes what they did much, much worse.

Not even sure if users broke the law. Just using third-party cracked software doesn't necessarily violate laws (at least, it is no criminal offence). The distributors and crackers clearly violated laws, but any user with a cracked serial number was targeted. That also included people who might've received the number against payment from someone else and thought they had a genuine copy.