Sophos Cloud Optix
How far should a software company be able to go to protect its products from piracy?
Not, one would assume, as far as deploying a Chrome password capture tool in its downloads. Yet this was the extraordinary accusation levelled at Flight Sim Labs (FSLabs) last weekend by a perplexed Reddit user.
The company makes flight simulation mods, one of which – an Airbus A320X add-on for Lockheed Martin’s pro-level Prepar3D – was setting off antivirus security software during installation.
As the user suspected – subsequently confirmed by pen-testing company Fidus Information Security – the offending file, test.exe, was an executable for something called SecurityXploded. Explains Fidus:
The command line-based tool allows users to extract saved usernames and passwords from the Google Chrome browser and have them displayed in a readable format.
Under pressure, FSLabs quickly owned up to what it was doing and, moreover, why it was doing it.
According to founder and CEO, Lefteris Kalamaras, the tool captured passwords but not indiscriminately (FSLabs’ emphasis):
There are no tools used to reveal any sensitive information of any customer who has legitimately purchased our products.
The tool only activated if the user had installed the software using a pirated serial number believed to be circulating on the internet.
That program is only extracted temporarily and is never under any circumstances used in legitimate copies of the product.
It was so narrowly targeted, in fact, that the whole scheme was intended to gather evidence against a single individual believed to be circulating license keys for FSLabs’ software.
The company has since set out its side of events in more detail, which hasn’t stopped its behaviour going down badly.
With the Reddit negativity into the red zone, the company then backtracked, uploading a new version of the installer with the problem test.exe removed.
Legitimate action to stop pirates ripping off software or digital rights management (DRM) overreach?
This is easily answered: installing a tool designed to capture user data without consent, however narrowly configured, is hard to justify, ethically or technically.
Even ignoring the hypothetical possibility of misuse of such a capability, Fidus discovered the routine was designed to send data across an unencrypted HTTP channel encoded in nothing more secure than Base64.
The company appears to have been using the tool for months, having reportedly admitted in a forum post that users should turn off their antivirus in case test.exe set it off. This was, and is, bad advice that unnecessarily exposes customers to risk.
Undocumented DRM has a history of leading to trouble when customers find out about it – just ask Sony BMG, hauled over the coals in 2005 for using CD protection that behaved like a rootkit.
As with Sony before it, FSLabs should have asked themselves how it would look if its users ever found it, what legal and regulatory bodies might do if they found it, and what hay criminals might make with it if they found it.
It’s the usual story – it may be alright whilst only the selling company knows how to use the back door, but if criminals find out how to access it, then your security is shot.
I agree, but I really think this stems beyond “alright if the company kept it to themselves” (to the backdoor argument). They sought to steal credentials to other websites (saw that he was using Chrome, so they used a hack to expose Chrome saved sites u/n and p/w in clear text and send them over HTTP with basic encoding back to the company) so they could try to identify the culprit. This is the equivalent of a company trying to steal your login to your credit card company so they could prove you made certain purchases. Reprehensible as far as I’m concerned.
Even after you read their full explanation, what they were doing was illegal no doubt. They claim they were only after the specific “cracker’s” information, but really that would be impossible to know. Anyone who used that serial number/username combination could have been at risk (legality as to installing pirated software aside), and then credentials for other websites not owned by or affiliated with the vendor in question were stolen from the user’s machine so that they could gain illegal access to these websites they believed contained the information related to the pirated copies, and they’ve admitted they were successful along with screenshots proving this.
In my opinion, this is a clear case of “two wrongs don’t make a right”. I don’t condone software piracy in any way, but stealing user credentials in an attempt to gain illegal access 3rd party websites is inexcusable under any circumstances. I hope something more than a slap on the wrist comes from this, honestly.
Two wrongs do not make a right. Increasing the risks to legitimate users in order to catch an illegitimate user is never justified. It is a similar issue to having backdoors in encryption. Bad, and with unintended consequences.
Some of us have been worrying about security since 1978, probably before you even knew what it was. Not the best tag line for the author. And certainly LONG before 2003.
I should also think this action would violate the 1986 Computer Fraud and Abuse Act, as well as numerous state laws.
Some of us have been worrying since 1977, even!
The statement’s intended self-satire clearly didn’t come across, which is why it’s been removed.
I’m still upset about Sony BMG. People should have gone to prison for that. To add insult to injury, they never actually released a removal tool for their rootkit.
[Sony] never actually released a removal tool for their rootkit
Would you have trusted it?
“I’m sorry, Bryan. I’m afraid I can’t do that. This DRM mission is too important for me to allow you to jeopardise it.”
okay Hal
FSLabs should have asked themselves how it would look if its users ever found it
My Dad’s got a great line that echoes that sentiment:
When in doubt, consider if it were printed in the newspaper; that usually answers your question.
Seriously? All that effort to “catch” the “bad guy”? Why not just block the offending serial number or come up with a more innovative way to licence the product? There is a way to only allow one user of a product per serial number.
I guess they wanted to identify him in order to stop him at a higher level (e.g. a court case) than just stopping him from using the software. In other words, they actually wanted him to keep on using it… but dig himself a hole.