back to article Flight Simulator's DRM fighter nosedives into Chrome's cache

A Chrome password dump tool found in the latest update from Microsoft's Flight Simulator Add-On wrangler, Flight Sim Labs, has virtual pilots up in arms. The download featured updates to the Airbus A320 model including improvements to the engine crank and flare mode logic and, er... a password harvester for Chrome. Noted in a …

  1. imanidiot Silver badge

    Idiots...

    How in the world did they think this would end in any way positive to them?

    1. Anonymous Coward
      Anonymous Coward

      Re: Idiots...

      All that time spent on flight sim must have left them with their head in the clouds

      1. Anonymous Coward
        Anonymous Coward

        Re: Idiots...

        Yes, but to fly there you need an IFR - Installed Files Responsibility - clearance...

        1. m0rt

          Re: Idiots...

          Well they are coming back down with a bump.

        2. dmacleo

          Re: Idiots...

          he heh

          or CAT5

          cunts actually tried 5hit

    2. ThomH

      Re: Idiots...

      I suspect that whomever was tasked with adding the thing to the installer was pretty vocal that it would not end up being a good thing, but a middle manager had overheard something that sounded similar in Starbucks and that was the end of that decision-making process.

      1. IneptAdept

        Re: Idiots...

        Cant find the article, but their CEO / Lead Developer Lefteris has actually been pulled up on this previously and is alluded to in the main subredit that this all kicked off in

        https://www.reddit.com/r/flightsim/comments/7yh4zu/fslabs_a320_installer_seems_to_include_a_chrome/

        This is stupidity on so many levels, the relevant Arstecnica article seems a bit more in depth

        https://arstechnica.com/gaming/2018/02/flight-sim-devs-say-hidden-password-dump-tool-was-used-to-fight-pirates/

        1. Sir Runcible Spoon

          Re: Idiots...

          From the Arstechnica link..

          ""This method has already successfully provided information that we're going to use in our ongoing legal battles against such criminals,""

          Wow, just....wow. Admission of guilt for computer misuse?

          OMG, it gets worse..

          "Using this method, Kalamaras writes, the FSLabs team was able to "dump that cracker's information needed for us to gain access to those illicit websites, so we could then forward the information to proper legal authorities." What he and his team found, he writes, was "an entire web of operations" dedicated to pirating multiple flight simulators"

          So they also breached other websites with this guys' stolen details? Man they are fucked.

    3. Anonymous Coward
      Anonymous Coward

      Re: Idiots...

      They assumed no one would discover it.

      Error......

  2. Aladdin Sane

    The path to hell

    is paved with good intentions.

    1. TonyJ

      Re: The path to hell

      "...is paved with good intentions..."

      What good intentions?

      1. LewisRage

        Re: The path to hell

        Catching cunts who are ripping off other people's hard work.

        1. ibmalone

          Re: The path to hell

          Catching cunts who are ripping off other people's hard work.

          Okay, not much sympathy for the pirates either. But if I suspect you're growing drugs and break into your house to check, then I'm still guilty of breaking and entering. Maybe if I had good reason and turned out to be right I'd get off lightly. If I start breaking into all the neighbourhood houses 'just to check' I'm guilty of breaking and entering and being a maniac.

      2. LewisRage

        Re: The path to hell

        "Catching cunts who are ripping off other people's hard work."

        nine thumbs down

        "What good intentions?"

        34 Thumbs up.

        Everyone in this thread seems to be pretty relaxed about people's work being ripped off.

        1. mosw

          Re: The path to hell

          "Everyone in this thread seems to be pretty relaxed about people's work being ripped off."

          If someone broke into my house just to see if I had some of their stuff I would expect criminal charges to be laid against them.

          They may have started out trying to protect their legitimate interests, but they have no right to sacrifice mine. So no sympathy for them.

        2. dan1980

          Re: The path to hell

          @LewisRage

          I wasn't saying that they don't have a right to protect their profits; I was pointing out that their 'good intentions' were not altruistic; they just wanted to make sure people weren't using their products without paying and that goal is nowhere near sufficient justification for what they did.

          As I have said at every opportunity in previous comments, I am not a supporter of those who violate copyright and I have little sympathy for them.

          BUT, I do not believe that violating copyright is so serious and grave a threat to society that deploying malware and spyware is justified in order to stop it.

          Compare this to cases where the FBI have performed similar actions (i.e. installed malware/spyware) to catch people involved in a child-porn ring. THAT situation is serious and a genuine threat to the most vulnerable among us but even then these powers are a step to far in many people's minds.

          My point, again, is simply that, if there is some line beyond which the ends justify these means, this situation does not even come close to reaching that mark.

          Installing malware/spyware on someone else's computer is a far greater offence than running some software without paying.

          @mosw has summed it up perfectly.

    2. dan1980

      Re: The path to hell

      @Aladdin Sane

      The developer's end goal might seem worthy when you phrase it a certain way - e.g.: to stop people distributing cracking tools for their software - but, more simply, the goal is to protect their profit.

      That's what all DRM is, after all.

      Looking at this specific case, it seems apparent that, while the behaviour of the cracker(s) is clearly illegal, the closed, 'in group' nature of the distribution (of the cracking tools) implies that the damage could not have been overly large.

      Of course, the software itself is relatively niche but still, this cracking operation seems to be available only to a select few and not anyone who just searches online for "give me tha free warez!!!"

      What we have here is a classic case of a digital company believing that they have some intrinsic right to do whatever it takes to make sure everyone is paying them.

      In this case, they massively over-reached given the likely scope of the problem but the point is that this kind of behaviour is inherently poor form (ignoring the legality) and crosses a line (distributing spyware) that shouldn't be crossed no matter the motivation.

      1. LewisRage
        FAIL

        Re: The path to hell

        @dan1980

        "but, more simply, the goal is to protect their profit."

        What complete bastards. How dare they etc etc.

        Everyone working in the digital world should be working for free and living off the generosity of the community.

        Two thumbs up for you too. Shocking

  3. ibmalone

    Refunds? This is the kind of thing people get extradited for.

  4. Anonymous Coward
    Anonymous Coward

    They're not first and won't be the last.

    Even Blizzard have installed spyware in World of Warcraft. Anyone remember the whole spat over "Warden"? Admittedly I think that was to catch hackers and bots rather than DRM feature, but what a sledge-hammer to crack a nut?

    I think the lesson here is - if you think you have a piracy or DRM issue then you'd better lawyer up before you even start coding your solution. Developers have to start putting privacy first before guarding their intellectual property and it shouldn't take a grey suit to keep your morale compass pointing in the right direction, but if that's what it takes.

    I swear the speccy twats think they're god and can code what they like and put whatever they want on anyone's computers. Utter wuckfits! Let them feel the wrath of GDPR.

    1. Uffish

      Re: They're not first and won't be the last.

      German Democratic People's Republic ? Guards with dogs and machine guns, judges with instructions as to the outcome of the trial, prisons with very bad reputations ?

      Google says it is a European directive, that doesn't have the same dissuasive power. It only frightens the bean-counters.

      1. John Brown (no body) Silver badge

        Re: They're not first and won't be the last.

        "Google says it is a European directive, that doesn't have the same dissuasive power. It only frightens the bean-counters."

        Except that an approved and enacted European Directive means that each member has to enact into law the said Directive. It only sounds like guidance, but in fact it is the law. The guidance bit can seem deceptive in terms of force of law, but the term "guidance" is to direct EU member governments on what is needed in law so there may be some variations locally but the meat of the directive is actual law across the EU, Google is well aware of the situation. They have lawyers experienced in dealing with the EU and EU law.

        1. ibmalone

          Re: They're not first and won't be the last.

          Fun (well, tedious, but important) fact about the GDPR, it is an EU regulation, and applies directly in member states without having to be transcribed into national law. You're right a directive has to be enacted by member states; the previous Data Protection Directive became the Data Protection Act in the UK. The advantage of a regulation is things are harmonised, IANAL, but I guess disadvantages are it being more difficult to integrate them with existing national law (legislation may still be required) and people worrying about sovereignty.

          1. joeldillon

            Re: They're not first and won't be the last.

            It sounds like Greece doesn't currently have any such legislation, though, and in general legislation isn't retroactive in effect. If that's the case, they only have to worry about the GDPR if they were still shipping this after Greece put it into effect in law, which is going to take at least a year or so I would assume.

      2. phuzz Silver badge

        Re: They're not first and won't be the last.

        @Uffish

        It's more than just bean counters who're worried by the GDPR, in the UK (when it comes into law in May), company directors can be personally prosecuted, as well as the company itself.

        It's funny how much suits will suddenly start to worry about other people's data when they can actually go to prison/be fined over it.

    2. dan1980

      Re: They're not first and won't be the last.

      @AC

      "Even Blizzard . . ."

      You mean Blizzard, the company that insisted that their two flagship non-MMO properties - Diablo and Starcraft - would require constant online connectivity to even play single player?

      The problem - as you have identified - is really the elevation of DRM and "intellectual property protection"* above the privacy of the customer and their control over their own computer.

      Software companies will continue doing this unless either their ability to do so is restricted by legislation or the community - en masse - stops buying their products. I don't which is less likely. Certainly there is no will by governments for the former and the massive acceptance of platforms like Steam shows there is apparently no will by consumers to do the latter.

      * - The term 'intellectual property protection' is not really accurate, however; what they are attempting to protect is their PROFIT. Protecting you intellectual property is covered by patents and trademarks and so forth - someone running a copy of your software does harm your 'intellectual property' - just your (potential) profits.

  5. rmason

    Unreal

    Imagine how many meetings etc this was discussed in. All those consultations, tweaks, updates and chats about it.

    No one involved thought that helping themselves to user passwords would be either a bad thing or illegal?

    Boggles the mind,

    That or it's techbro "no mere mortal is as clever as *us*! Right bro?" stupidity.

    1. Lysenko

      Re: Unreal

      That or it's techbro "no mere mortal is as clever as *us*! Right bro?" stupidity.

      This smells more like a veteran of the "Home taping is killing music" era who hasn't quite reached retirement age yet. I mean, it isn't even a (<cough>Sony</cough>) rootkit.

    2. TheProf

      Re: Unreal

      Boggles the mind

      Surely you mean Biggles the mind.

      1. BebopWeBop

        Re: Unreal

        Bertie did try.

        1. Sir Runcible Spoon
          Facepalm

          Re: Unreal

          I wonder if they were inspired by the US hyperbole around 'hacking back'.

  6. Anonymous Coward
    Anonymous Coward

    Better warm up the legal department, lawsuits are going to fly.

    Just goes to show, stupid people can be overachievers too.

    1. Lysenko

      Better warm up the legal department, lawsuits are going to fly.

      Just goes to show, stupid people can be overachievers too.

      It also highlights a common industry deficiency. Many developer interviews find time for trivia ("what is a closure?") that can be looked up in 5 seconds but completely fail to inquire about fundamentals like knowledge of the Computer Misuse Act and Data Protection Act etc. It's like hiring an architect based on his knowledge of the aesthetics of post-modernism and forgetting to ask if he's ever heard of building regulations and planning permission.

    2. Anonymous Blowhard

      "Better warm up the legal department, lawsuits are going to fly"

      Maybe they can practise on "Microsoft Lawsuit Simulator" first...

  7. James O'Shea

    and some say that I'm paranoid

    Certain apps, including some games, get installed inside one of my VMs which do NOT have network access except when _I_ say. Yes, there can be a performance hit, and some apps refuse to install in the VM at all, but I can live with the lower performance and I can live without the refuseniks. Flight Sim X dates from 2006. Given the improvement in hardware since then, despite Spectre/Meltdown, I can get very nice performance in the VM. As the VMs in question aren't supposed to connect to any network except on _my_ say-so, I don't install web browsers on them. IE and/or Edge will be there, of course, but I don't use either, so I don't care. I don't usually use Chrome. Firefox, yes. Safari, yes. Opera, yes. Vivaldi, yes. Chrome, no. And I don't store passwords, etc., on the VMs, because I don't connect to networks on those VMs and therefore I don't need passwords. What would happen if I had installed this 'package' would have been that I'd have spotted it trying to call home, and failing, and I'd have yanked the 'package' so fast that there'd have been Cherenkov radiation.

    Be paranoid. They _are_ out to get you.

  8. mark l 2 Silver badge
    Trollface

    According to Flight Sims Labs pirates only use Chrome for a browser. I am sure freetards everywhere are no switching to Firefox and Edge.

  9. 0laf
    FAIL

    Lol

    "We're really sorry you spotted the password snaffling malware in our product. But be reassured were weren't hacked at all we really really meant to do it. Mmmmkay".

  10. Updraft102

    Chrome, eh?

    Wasn't there some brouhaha about Google digging in its heels and flatly refusing the requests of many of their customers to include a master password and encrypted password store like Firefox has? Something about the Google guy throwing a fit, telling the people that demanding something doesn't mean they get it, so stop asking and STFU? Something about Google saying that there is no value in a master password setup, and that their customers who think otherwise are wrong?

    1. ThomH

      These are Google's feelings: "We understand that many of you want a master password for your saved passwords in Google Chrome. ... Currently, the best method for protecting your saved passwords is to lock your computer whenever you step away from it, even for a short period of time. We encrypt your saved passwords on your hard disk. To access these passwords, someone would either need to log in as you or circumvent the encryption. ... Please know that your security is our highest priority, and our decision not to implement the master password feature is based on our belief that it creates a false sense of security instead of actually providing a strong security benefit."

      Apparently 'malware is somehow present on your PC' doesn't count because one type of malware is a keylogger, and therefore giving all malware access to your Chrome passwords is acceptable.

      1. Anonymous Coward
        Anonymous Coward

        Is that out of date? Last time I went into the password manager in Chrome I had to enter my account password for the show button to work.

  11. Anonymous Coward
    Anonymous Coward

    The first virus EVER was a DRM tool.

    Never forget that.

    1. 0laf
      Headmaster

      Re: The first virus EVER was a DRM tool.

      IBM PC virus, yes.

    2. Boothy

      Re: The first virus EVER was a DRM tool.

      The first computer virus was around 1970, early DRM didn't turn up till the mid 80s.

      1. PhilBuk

        Re: The first virus EVER was a DRM tool.

        The first virus ran on an Apple ][. First exploitation of the autorun feature on diskette-based programs.

        Phil.

        1. Anonymous Coward
          Anonymous Coward

          Re: The first virus EVER was a DRM tool.

          Apple ][ was launched in 77, first computer virus was Creeper, written in 71, and spread via ARPANET.

          Quite a nice write up here: https://www.quora.com/Who-created-the-first-computer-virus

  12. Spanners Silver badge
    FAIL

    Have they forgotten about Sony?

    I seem to recall Sony had a bright idea of installing malware on everyone's' computers to protect their "IP".

    That didn't work out so well and we have only got less enthusiastic about that sort of thing. A/V software has got better and nowin-nofee lawyers have got more numerous.

    Was this just more arrogance than usual or just more extreme stupidity than normal?

    1. Anonymous Coward
      Anonymous Coward

      Re: Have they forgotten about Sony?

      I can remember friends of mine having issues ripping CDs. I thought it was odd, as I wasn't having any problems at all.

      It was only a little later when I realised I'd gotten into the habit of holding the Shift key down when sticking a CD into the drive (to avoid annoying autorun programs), that it had become muscle memory. So I'd by accident, avoided installing Sony's 'software' from the CD, and the disks copied/ripped just fine for me!

    2. Sam Therapy

      Re: Have they forgotten about Sony?

      Yup, that was my first thought, too.

  13. Jamie Jones Silver badge
    Flame

    They are probably Android developers as well

    Android developers, and ad-targeting firms seem to think that grabbing as much as they can off your device is fair game.

    Don't be surprised at the many ad-brokers that slurp your exact location and account info, even if you have location services switched off. Many also grab a list of all your installed apps, and all sorts of other stuff that in aggregate could be used to identify you - and other stuff than frankly they have no business slurping. This equally applies to "respected" companies, and apps which are paid for, and contain no adverts (*analytics* cough)

    Just go to any of the ad companies websites - they proudly boast about it.

    But back to our industry in general..... How has this happened? A few years ago, if any software phoned home to do anything other than download updates or join a multi-player game etc. there would be hell to pay.

    The tracking is actually the main reason I've rebelled against ads. TV companies have no analytics. - Web advertisers can get precise viewing counts and times - they should have been grateful for that. Common-domain ad-serving is JUST to get around the privacy protections in the cookie specification... So why is it deemed ok to do it?

    Sorry, got a bit sidetracked in my rant there!

    1. John Brown (no body) Silver badge

      Re: They are probably Android developers as well

      "Android developers, and ad-targeting firms seem to think that grabbing as much as they can off your device is fair game."

      Anyone here do dev work on Android apps? Does the Google Play Store report back failed installs when a uses clicks NO to the overarching permissions requested?

    2. dubious

      Re: They are probably Android developers as well

      It is concerning how much data apps can extract, either directly or as part of the analytics framework, without triggering a request for permission.

      Don't use Android without xposed+xprivacy!

      I don't suppose it is any different with ios though?

  14. IneptAdept

    Oh and also not sending the passwords in encrypted format.. Bastards

    https://www.fidusinfosec.com/fslabs-flight-simulation-labs-dropping-malware-to-combat-piracy/

    An update from a pentest company that describes that the passwords are sent in plaintext to their heztner hosted server

  15. Anonymous Coward
    Anonymous Coward

    After this farce the last thing they'll be worrying about is piracy....

    a) no one in their right mind will ever buy or install anything from them again

    b) they may well end up in court.

    1. Anonymous Coward
      Anonymous Coward

      Actually the pirated version, assuming from a, ehem, reputable ripping group, is probably safer than the official version, as all the malware/DRM would have been removed or bypassed as part of their packaging.

    2. Mayday
      Mushroom

      Indeed

      I have a pretty good Prepar3d based flight sim setup. It is rather helpful for my current level of flight training.

      Now I have not, and as from now I never will, purchase a product from these clowns ever.

  16. FuzzyWuzzys
    Facepalm

    They'll get away with it...you wouldn't!

    They can install what they like, capture they like, apologise and it's all good. If you did this, your feet wouldn't touch the ground before you'd be in front of the beak!

    1. John Brown (no body) Silver badge

      Re: They'll get away with it...you wouldn't!

      @FuzzyWuzzys

      No idea why you got downvoted, but you are spot on. If an individual does this to a company, if they get caught they go to court because a Police complaint is made and it's taken seriously. All it should take is one single complaint to the Police over this case and investigation should start. But you know it won't happen, If, and it's a big if, there is enough of an outcry, then maybe some government department might be persuaded to start some sort of weak investigation and wrists might be slapped, maybe a small fine.

    2. Voland's right hand Silver badge

      Re: They'll get away with it...you wouldn't!

      They can install what they like, capture they like, apologise and it's all good.

      I would not be so sure. Depends who deals with this. If they pissed off a flight sim fan who happens to be a lawyer or work in CPS they may be up to a very unpleasant experience. Unfortunately as with many other things the only exemption to "we, in the UK, have one of the best legal system money can buy" is when you are dealing with members of said system.

  17. Anonymous South African Coward Bronze badge

    Mind. Boggle.

  18. TrumpSlurp the Troll
    Alien

    All your passwords

    Are belong to us.

  19. Dwarf

    Blunt weapon

    Of course the fact that they sniffed passwords from innocent people's PC's too is fine, sure they won't mind at all - because <insert bad phrase>

    Its malware however you look at it. Trust is built up slowly but lost in an instant.

    Does this affect those who play flight sim through Steam too ?

    1. Anonymous Coward
      Anonymous Coward

      Re: Blunt weapon

      They did, as far as it has been described, not sniff passwords from all users.

      Flight Simulator in itself was not affected. It was the installer of the FSLabs products, which are FS Addons.

  20. Rob Crawford

    Crucify them

    Well that's about all I have to add really

  21. Anonymous Coward
    Anonymous Coward

    Has anyone reported them to the FAA?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like