
DRM issues


Lefteris Kalamaras


Lefteris Kalamaras

I am continuing the old thread here and will repeat what I said in our statement, as it's important for us.

I want to reiterate and reaffirm that we as a company and as flight simmers would never do anything to knowingly violate the trust that you have placed in us by not only buying our products but supporting them and FlightSimLabs.

While the majority of our customers understand that the fight against piracy is a difficult and ongoing battle that sometimes requires drastic measures, we realize that a few of you were uncomfortable with this particular method which might be considered to be a bit heavy handed on our part.  It is for this reason we have uploaded an updated installer that does not include the DRM check file in question.

I want to thank you all for voicing your concerns in a considerate manner on our forums.

  • Thanks 2
Link to post
David Norfolk

Least you guys changed the installers. As a paying customer I fear nothing. But would it be worth installing the new update anyway?

Link to post
Liam Giles
1 minute ago, Lefteris Kalamaras said:

I want to reiterate and reaffirm that we as a company and as flight simmers would never do anything to knowingly violate the trust that you have placed in us by not only buying our products but supporting them and FlightSimLabs.

Surely the fact you treated every single customer as a potential pirate caused some internal red flags when you thought about implementation? That's where you've lost my trust. Your systems treated me as a pirate until I could prove otherwise.

2 minutes ago, Lefteris Kalamaras said:

While the majority of our customers understand that the fight against piracy is a difficult and ongoing battle that sometimes requires drastic measures...

No it doesn't. This is not an acceptable excuse. It does not require drastic measures, it requires smarter approaches and techniques. Hindsight is always 20/20 but internally you could have done a better solution, just by sitting down and thinking about it.  

  • Like 5
Link to post
Lefteris Kalamaras
Just now, Liam Giles said:

Surely the fact you treated every single customer as a potential pirate caused some internal red flags when you thought about implementation? That's where you've lost my trust. Your systems treated me as a pirate until I could prove otherwise.

No it doesn't. This is not an acceptable excuse. It does not require drastic measures, it requires smarter approaches and techniques. Hindsight is always 20/20 but internally you could have done a better solution, just by sitting down and thinking about it.  

I appreciate you voicing this concern. While technically the installer extracted the file temporarily, we didn't treat you as a potential pirate as there was absolutely no action taken at any time.

We are looking at alternative methods as you said.

  • Thanks 1
  • Haha 2
Link to post
Michael Ackermann

How strange the world has become. Pirates steal products, and those who get stolen from have to defend themselves. 

Has been stated more than once now, nothing gets done if you have a valid serial number. There is no reason not to trust that. 

I'll keep 231 installed, and go flying A320 :-)

  • Like 7
  • Thanks 2
  • Haha 1
Link to post
Kyle Wilford

I think the biggest issue is what if your systems have a fault and then think everyone has an illegal copy and then your systems implement this virus... what cost will that have an effect and how would you guys pay your customers to have this fixed? Last thing I want is my $4k computer system gone due to a tech fault and let’s be honest, mistakes can happen and even the most foolproof systems can have faults...

I love my bus and will continue to fly it but I have some doubt and it’s a little worrying and I have v230 and have no faults and those that have v231 do. 

  • Like 1
Link to post
Tony Williams
12 minutes ago, Lefteris Kalamaras said:

we didn't treat you as a potential pirate as there was absolutely no action taken at any time

Lefteris, I'm somewhat uncomfortable with the fact that I'm about to defend pirates, but it doesn't really matter that this tool wasn't run for those of us with legitimate copies. A mistake in the build, a bad interaction with a remote service, any number of things could cause this tool to be wrongly run in a future installer – not because you're malicious, but by accident. Do you have automated tests which are run on each installer to verify that there is no possible way the malware could be run?

There's a reason why people who distribute and benefit from malware typically go to jail if they're caught: there are laws against it. In the UK for example, accessing data on someone's machine without consent is a violation of the Computer Misuse Act – 12 months in jail. Distributing tools (malware) for this purpose is another offence – another 12 months. I don't think FSL is a British company, but many EU countries, Canada, and the US have similar laws. Storing someone's private information without authorisation is definitely a violation of the incoming (EU-wide) GDPR – up to 20 million euro fine.

I understand you wanting to catch pirates, but trying to prevent a criminal act by committing one yourself is absurd. Flag the serial number as invalid and simply close the installer. You'll have a harder time punishing pirates but at least you won't be breaking the law yourself. That there are beta testers (staff?) still excusing this makes it more difficult to trust FSLabs in the future.

  • Like 10
Link to post
Stuart Campbell

You have sent out a new installer without the DRM you say. But how can we be sure of that? That is up to you to prove otherwise.

But surely the damage has been done. Why send out a new installer when people have already updated? What is the purpose of just downloading what we already have on our system?

That's just like giving a baby a biscuit. He/she wanting a different one. But you give her the same biscuit the second time around.

Link to post
Markus Bendel

@Lefteris Kalamaras

Thank you for opening a new thread. I don't really understand why you deleted one of my posts in the other thread before locking it though.

You distributed malware. That is simple and the truth. It really doesn't matter if you execute a file or just extract it to a temporary folder, where it gets deleted after the check. Even if there wasn't the tiniest chance that something could go wrong with the verification and a legit copy gets flagged, it is illegal and immoral to put it there in the first place.

I don't want an apology, a refund or anything like this from you guys at FSL. What got lost is my faith and my trust in you, it's just simple like that as well. I can only try to advise you to change some policies at FSL, become more transparent with everything (not necessarily post release dates but progress reports etc.), to do a better job when it comes to fixes for your product (more frequent updates and hotfixes etc.) and to improve your support in general.

All of this to restore the trust that's been lost today.

Thanks

  • Like 13
  • Thanks 1
Link to post
Matthew Webb
21 minutes ago, Stuart Campbell said:

You have sent out a new installer without the DRM you say. But how can we be sure of that? That is up to you to prove otherwise.

But surely the damage has been done. Why send out a new installer when people have already updated? What is the purpose of just downloading what we already have on our system?

That's just like giving a baby a biscuit. He/she wanting a different one. But you give her the same biscuit the second time around.

A chill pill, a biscuit,  and a read of the actual issue might help. 

They have stated that if you have a legit serial number, the old installer didn't install or execute the software.  At worst it copied the software to a temp location, then deleted it without it being accessed (standard practice with installers).  So if you had a legit key, you never had the biscuit to begin with.

The new installers don't have the software -  period. 

I won't bother downloading it.  I have a legit key and that kind of code is in my browsers, Keepass, etc anyway.

  • Thanks 1
Link to post
Lefteris Kalamaras
13 minutes ago, Stuart Campbell said:

You have sent out a new installer without the DRM you say. But how can we be sure of that? That is up to you to prove otherwise.

But surely the damage has been done. Why send out a new installer when people have already updated? What is the purpose of just downloading what we already have on our system?

That's just like giving a baby a biscuit. He/she wanting a different one. But you give her the same biscuit the second time around.

Hi Stuart,

the new installer does not contain the DRM. You're welcome to test the installer and see what it extracts.

As far as updates - we have more coming, along with a fix for an issue people are noticing with the initial popup screen where settings might sometimes not be stored. We are already testing this update and we'll release it as soon as we're comfortable it works as advertised now.

  • Like 3
  • Thanks 2
Link to post
Tarik Dosdogru

Hi, I still don't get 1 thing. At every point during the install one has to enter the email and the serial number, which are sent via internet to the developer. If you have some obvious hacked or wrong numbers, why don't you implement a routine that simply blocks the install for those users? And still there's no answer why and for what you need to read out passwords, which is illegal? Maybe you answer this question and people may calm down a bit...

Explanation might help instead of just renewing the installer, which many people already have updated the last days... Also there are many people that might not be active here in the forum... and don't check daily.

Link to post
Lefteris Kalamaras
3 minutes ago, Zsolt Monostori said:

Removing posts does not help gaining back the reputation lost. Mine was deleted as well. 

Zsolt,

I didn't delete your post to hide anything you said, but there were threads flying around which quoted other threads.

At this point, I can only repeat what I said in my post at the top. I am hoping that you will also download the new installer as you were one of the people who originally complained quite vocally about performance and I do think that you should find such performance to be improved after 232.

Link to post
Peer Strickler

Everybody feeling they are not affected by the password extraction tool because they are paying customers, not pirates, should consider the following (and so should have FSLabs):

  • There is no guarantee that the FSLabs installers and pirate checks are error free. They might falsely attack you by error.
  • There is no guarantee that FSLabs servers are safe. No server is. If they are compromised, the hacker will be delighted to flag every serial as pirated and collect passwords of every user running the installer from that point on.
  • There is no guarantee that there will never be a malicious or just angry FSLabs employee that will flag legit serials as pirated just to harm FSLabs.
  • Your legit serial number may become pirated without you even knowing it: Just as a few examples, your serial might get stolen from your PC by malware, it might get stolen from the payment service or shop you used to buy the serial, it might get stolen directly from FSLabs, it might get stolen during transmission to you, from your backups, from your Email-provider.

In any of the above cases, which are just a very few examples, legit customers will have their security seriously and irrevocably destroyed once they run the installer again. Once your passwords are uploaded to FSLabs, they are compromised.

It is shocking that people still do not understand this.

  • Like 9
Link to post
Zsolt Monostori
Just now, Matthew Webb said:

A chill pill, a biscuit, and a read of the actual issue might help.

They have stated that if you have a legit serial number, the old installer didn't install or execute the software.  At worst it copied the software to a temp location, then deleted it without it being accessed. 

The new installers don't have the software -  period.  So if you had a legit key, you never had the biscuit to begin with.

This is nothing but a statement. Proof? How do you know it's not there or no harm was ever done, no personal information was ever stolen? Trust? Sorry, not anymore. Likewise we weren't advised beforehand, the EULA does not refer to such ways of installation either. The activity only surfaced itself after being exposed by - ironically - a pirate. If it doesn't happen, we all would still carry a malware on our computers. No need to explain it away. 

Nevertheless the product is great after the 4.2 update but should someone else deliver similar quality products in the future I will certainly give my hard earned money to those who do not treat me as a potential criminal. 

  • Like 1
Link to post
Michael O'Halloran

Whilst I understand FSLabs trying to protect their product and with me completely against piracy. There is one thing that frustrates me with this. Unless I've missed it through all the statements so far, why is it so hard to apologise?

  • Like 2
Link to post
Khoa Nguyen

So after reading all the comments, basically about the test.exe file. If someone shares his/her PC with others, and someone in that group enters a blacklisted serial then all of the private information stored in Chrome of everyone on that PC would be sent to FSLabs and fslabs while trying to find who is the pirate was, can basically access to all those accounts information ? :blink:

  • Like 2
Link to post
Matthew Webb
5 minutes ago, Zsolt Monostori said:

to those who do not treat me as a potential criminal. 

So they should have no validation in the installers at all?

This will be my last post on this topic. :)  I got a plane to fly. :) 

  • Thanks 1
Link to post
Jouka Ahponen
7 minutes ago, Peer Strickler said:

Everybody feeling they are not affected by the password extraction tool because they are paying customers, not pirates, should consider the following (and so should have FSLabs):

Right now I don’t see point of discussing those in future tense. Fslabs removed the malware, hence all of the cases you listed will not happen in the future through that software.

The thing now is that it was there, and luckily now it seems like it was found and put in the public before any of the possible scenarios you listed above happened. It was a major security flaw by fslabs and hopefully they have learnt their lesson now when it comes to the security of legit customers.

 

Link to post
Lefteris Kalamaras
7 minutes ago, Kyle Wilford said:

@Lefteris Kalamaras does v230 have this issue as I managed to download v230 prior to it being blocked and my PC is currently packed up being prepared to move interstate. 

 

Kyle,

we updated the installer to v232, I recommend that you use this one if you have any concerns. We also made some unrelated fixes that went into 231, so I'd invite you to do that anyway.

  • Like 1
Link to post
Peer Strickler
6 minutes ago, Jouka Ahponen said:

Right now I don’t see point of discussing those in future. Fslabs removed the malware, hence all of the cases will not happen in the future through that software.

The thing now is that it was there, and luckily now it seems like it was found and put in the public before any of the possible scenarios you listed above happened. It was a major security flaw by fslabs and hopefully they have learnt their lesson now when it comes to the security of legit customers.

 

First, I think it is very important to come to a fair evaluation of what FSLabs did until recently. This will determine what FSLabs and other companies will do in the future.

Second, not every customer will be aware that there is a new, malware free, installer.

PS: And how on earth do you know none of the mentioned scenarios happened already? FSLabs might not even know (or choose not to share).

Link to post
Jouka Ahponen
7 minutes ago, Kyle Wilford said:

@Lefteris Kalamaras does v230 have this issue as I managed to download v230 prior to it being blocked and my PC is currently packed up being prepared to move interstate. 

 

It seems like all versions before v232 can have this issue. Only ”safe” installation build is v232.

Link to post
Tarik Dosdogru

Can the developer guarantee that if I have a legal serial number and installed via the malware infected installer, there is no need to install again via the new one? If the test.exe is never executed why do you guys still recommend the new installer???

Link to post
Kyle Wilford
3 minutes ago, Jouka Ahponen said:

It seems like all versions before v232 can have this issue. Only ”safe” installation build is v232.

Yea my computer is packed for at least 3-4 weeks hopefully they don’t have a breach and my computer is stuffed. 

Link to post
Lefteris Kalamaras
Just now, Tarik Dosdogru said:

Can the developer guarantee that if I have a legal serial number and installed via the malware infected installer, there is no need to install again via the new one? If the test.exe is never executed why do you guys still recommend the new installer???

We don't - we simply say that if *you* feel uncomfortable with the old one, you should use the new one. Nothing will actually affect legit customers in 230 or elsewhere.

  • Like 1
Link to post
Jouka Ahponen
8 minutes ago, Peer Strickler said:

First, I think it is very important to come to a fair evaluation of what FSLabs did until recently. This will determine what FSLabs and other companies will do in the future.

Second, not every customer will be aware that there is a new, malware free, installer.

That is true. However I think there is already enough rumors and speculation of what could’ve happened. Your concerns are of course legit, nothing out from them. However as of now looking into future I am pretty sure fslabs will never ever introduce such a software in their installer and also take much deeper look into the security of legit customers.

Keeping all the products up to date is responsibility of the customer. I do understand that not everyone follows this topic. However, so far when it comes to removing the actual issue, fslabs has done everything they were asked. Now it’s up to customer that they update their product.

Secondly, if you have already run the installer the malware software should already be deleted from your system. Of course when it comes to data nothing is ever deleted completely from hard drive, just the path to the file is removed. Therefore the mistake has already really happened. It doesn’t matter if you update on 232 or keep using 231. Only difference is that one had a malware on installation while the other one does not.

Link to post
Pawel Chadaj

Lefteris, so tell us why and what for you need to read pirates' private passwords? It's also illegal as well as piracy is. That's ridiculous. There are many other options while fighting piracy.

  • Like 2
Link to post
Peer Strickler
1 minute ago, Jouka Ahponen said:

That is true. However I think there is already enough rumors and speculation of what could’ve happened. Your concerns are of course legit, nothing out from them. However as of now looking into future I am pretty sure fslabs will never ever introduce such a software in their installer and also take much deeper look into the security of legit customers.

Keeping all the products up to date is responsibility of the customer. I do understand that not everyone follows this topic. However, so far when it comes to removing the actual issue, fslabs has done everything they were asked. Now it’s up to customer that they update their product.

Secondly, if you have already run the installer the malware software should already be deleted from your system. Of course when it comes to data nothing is ever deleted completely from hard drive, just the path to the file is removed. Therefore the mistake has already really happened. It doesn’t matter if you update on 232 or keep using 231. Only difference is that one had a malware on installation while the other one does not.

What "could have happened" might have already happened. FSLabs might not even know (or choose not to share).

Customers not aware of a new installer may still run the previous installers with the malware during re-installation. I personally did this more than once during a new system setup.

FSLabs is not the first company to try this, and still it happened again. Therefore, I think it is very important to not simply "forget and move on".

  • Like 1
Link to post
Kyle Wilford

V232 apparently no liveries work even with correct fltsim.cfg files as I have reworked them for v4.2 and everyone that has installed v231 and v232 cannot get them to work.

Link to post
Jouka Ahponen
5 minutes ago, Peer Strickler said:

What "could have happened" might have already happened. FSLabs might not even know (or choose not to share).

Customers not aware of a new installer may still run the previous installers with the malware during re-installation. I personally did this more than once during a new system setup.

FSLabs is not the first company to try this, and still it happened again. Therefore, I think it is very important to not simply "forget and move on".

I am definitely trying to say ’forget and move on’. Don’t get me wrong please. I am concerned as well on the security of such malware entering our system. However as of now, it has already happened unfortunately and as of now fslabs has made all the changes they can to remove such malware from entering our system. It’s now on customer’s responsibility to check for the latest installers. I do not defend fslabs on the actions they have taken on previous installers.

When it comes to possible misuse before this all came through we just have to trust the word of fslabs for now. And it’s especially hard on times like these.

Link to post
LukeGorman

I just wanted to say, I do enjoy the products FSLabs has to offer.

I only wrote the article I did to address some issues so I don't have to repeat myself over and over to various people as to my concerns with the DRM yesterday.

I'm not sure what else you could have done besides removing the file from the installers, so thank you for at least understanding and doing something about it.

Link to post
Peer Strickler
1 minute ago, Jouka Ahponen said:

I am definitely trying to say ’forget and move on’. Don’t get me wrong please. I am concerned as well on the security of such malware entering our system. However as of now, it has already happened unfortunately and as of now fslabs has made all the changes they can to remove such malware from entering our system. It’s now on customer’s responsibility to check for the latest installers. I do not defend fslabs on the actions they have taken. Many customers have lost trust and trust is hard to gain back.

I don't think FSLabs actively informed all their customers about the possible security breach and danger they are in as they should have.

Link to post
Samarian Good
41 minutes ago, Huy Khoa Nguyen said:

So after reading all the comments, basically about the test.exe file. If someone shares his/her PC with others, and someone in that group enters a blacklisted serial then all of the private information stored in Chrome of everyone on that PC would be sent to FSLabs and fslabs while trying to find who is the pirate was, can basically access to all those accounts information ? :blink:

This is also my concern. As already I mentioned in an earlier thread (before it was locked):


“Let’s say that the pirate is a 12 year-old teen in a six-person family. One computer is in use. Have the passwords (incl bank accounts etc) of all members of the family been collected? It is hardly a program to identify who is the pirate and hardly the whole program is even written by fslabs.”


I am not a customer and in any form to defend piracy. Fortunately many companies have already developed effective DRM. But using malware in preventing piracy is not the right way. Not even close to it. As said fslabs may have collected a lot of personal data also from people who have not been able to know their computers are contaminated (read the example I wrote). This is obviously a crime in the first place. Not to mention that test.exe may not always work as planned (there are many different scenarios in this thread as an example).
 

Edited by Samarian Good
quotation corrected
  • Like 3
Link to post
Pawel Chadaj
1 minute ago, FakeDRM said:

I've refunded all my purchases until they remove the Password stealer from their apps.

Really advise you guys to do the same. Let them know we won't accept it that they steal our passwords.

How can I make them block my serial number and get refund?

Link to post
Frank McKeown

I'm quite shocked by this development. I understand that years of work have gone into the A320 and those who worked on it deserve to be paid. As a genuine customer I want to see FSLabs thrive so that we can enjoy future products. All that said, a major breach of trust has occurred. This is not a case of having nothing to hide means nothing to fear. There are principles and trust involved. Principled people refuse to use pirated software, but distributing malware in order to detect piracy makes the software producers no better.

I have not downloaded the update yet as I am away from home. I hope that the version at the esellerate download service does not have this malware, as I will be downloading at the weekend.

Some people may think that software companies covertly installing software that has the ability to collect usernames and passwords that are stored on their computers is acceptable, but they can only speak for themselves. I for one do not. I fully understand that piracy is theft, but as Tony Wills has stated, there are other potential crimes.

All in all, I feel that FSLabs have delivered a great product and has gone the extra mile by adding effects to the latest update, but to be honest I am really pissed off. I paid for my product in good faith and FSLabs have no right to do what they did. I'm not sure how I feel about FSLabs now. This wasn't just a silly little lapse in judgement. You got caught FSLabs.

 

  • Like 3
Link to post
billchen0014

Can you confirm that ALL new installers will NOT include code that can potentially expose HIGHLY SENSITIVE information such as bank passwords? DRM is necessary in this day and age for sure, however NO legitimate company should ever even think about stealing user data WITHOUT CONSENT let alone implementing code that has that capability in each and every copy of their software even if it only impacts pirates. Such risk should not be afforded onto users and an apology should be prompt before FSLABS' reputation is in tatters as a company that toys with its users' browser passwords and treats privacy of its users as merely a way of securing revenue.

  • Like 1
Link to post
O_l_i_v_e_rM_a_e_r_t_e_n_s

Lefteris and team,

 

I am shaking my head in disbelief ... There had been a discussion about the alleged use of Aerosoft modeling in the FSL A320-X virtual cockpit and now ... this?!?

 

I am a FSX user but this makes me wonder about your business practice in general.

  • Like 3
Link to post
Zsolt Monostori
2 minutes ago, O_l_i_v_e_rM_a_e_r_t_e_n_s said:

Lefteris and team,

 

I am shaking my head in disbelief ... There had been a discussion about the alleged use of Aerosoft modeling in the FSL A320-X virtual cockpit and now ... this?!?

 

I am a FSX user but this makes me wonder about your business practice in general.

Exactly this came to my mind earlier.

Link to post
  • Lefteris Kalamaras locked this topic
This topic is now closed to further replies.