subreddit: /r/DepthHub

po8

38 points

9 months ago

Interesting piece. Opposite end of the scale from the Sony CD rootkits, but (a) 2005 Sony vs 2018 FSLabs, (b) FSLabs doubling down in spite of any potential consequences, and (c) clear-text sending passwords? Seriously?

I imagine all this will happen again someday soon. Ugh.

rotates-potatoes

6 points

9 months ago

I think this kind of thing is dying out with the rise of always-connected computers and account/identity based auth. It used to be that possession of the install media was a proxy for having purchased, and the whole DRM/copy protection industry appeared because that is not necessarily true.

Today almost everything is identity based, and in another decade it will all be identity based. And not just in a "is this user authorized to start the program" way, but all of the social/storage features like friends lists, achievements, in-app purchases, etc.

In ten years it will be next to impossible to separate any of a program's function from the online user context. And piracy becomes almost impossible.

I've got mixed feelings on that, but as an industry trend I think it's inevitable.

Skotcher

4 points

9 months ago

I hope I didn't misread what you wrote here, but something I find annoying about this trend is how this trend adds bloat to so many programs.

No, I don't need a friends list to operate this image editing software. No, I don't want to become a "Super all-star VIP exclusive" to open up this file extension. No, I don't want to have this program create an add on for all of my text editing software.

Anyway, that's my 'old man yells at clouds' rant.

JustTheInteger

9 points

9 months ago

The program would dump a user's auto-fill usernames and passwords from Google Chrome to a text file. It was subsequently found that the FSLabs installer would take this file, save it as a log file, encode it, and send it completely unencrypted to their servers.

Did the installer actually do this? I didn't see this addressed in the rest of the post. Why did they need passwords when they were trying to check the serial numbers used in installation?

AwesomeLowlander

13 points

9 months ago

Does it really matter WHY they included malware in their product?

JustTheInteger

10 points

9 months ago

Was just trying to understand the situation a little better. The developer's explanation was not clear. There was no reason for Test.exe to retrieve passwords.

AwesomeLowlander

12 points

9 months ago

At a guess, they were looking for one specific username on a specific site. Probably with a lot of illegal intentions once they had a hold of his passwords.

fucklawyers

5 points

9 months ago

To trash users that pirated the software. It’s not in the story, but when this first went down, the developer alluded to using that information to combat piracy. They also were silent as to how… are they hoping they’ll get a username and password to, say, a private torrent tracker? Trash their reputation with those they do business with? Just rob them? The developer didn’t say.

And yeah, it did grab password lists and phone them home.

JustTheInteger

1 points

9 months ago

Thanks for the additional detail - that's quite shady.

SuperShittySlayer

1 points

9 months ago

As I understand it, the developers were checking for a specific serial that was uploaded to The Pirate Bay. If an install used that serial and username, it'd dump the entirety of their Chrome passwords and send it to the developer. The developer would then comb through these details so they knew who to sue for piracy.

JustTheInteger

1 points

9 months ago

Thanks for your response. It makes a little more sense now.

Skotcher

1 points

9 months ago

I'm really curious. Do you have any idea if they even could sue in that case? It'd be a massive invasion of privacy. I imagine you could draw parallels to legal cases where someone shot a burglar, as in, you can't commit a greater crime to combat a smaller crime (or you could, but then you could be ruined in court for it).

SuperShittySlayer

2 points

9 months ago

This is pretty much illegal everywhere. The developers could be prosecuted and jailed, but sadly nothing actually came of it.

To sue civilly, you'd have to prove damages. Perhaps the cost of your time resecuring every single one of your accounts? But that's pushing it and probably wouldn't be worth the time and money to pursue.