So you're admitting that the others should be downvoted? :P

Whatever dude. If you want to justify why every single one of my posts should be downvoted regardless of content, have at it. This forum is just ripe full of people bullying others with contrary opinions. Harassment runs wild and certain people play holier than thou went they are a substantial part of the problem.

GoG itself is so completely incompetent when it comes to running a forum. The whole reputation system, has been a mistake from the beginning but GoG is too clueless to remove it. They only have themselves to blame for the strife caused by it. And don't get me started on all the jerks who like to tell people how "rep doesn't matter" when it has caused many of the problems on this forum.

Only so long as the police didn't tell the thief or suggest that the thief do the thieving. They can act on illegally obtained information so long as they aren't directly involved in illegally obtaining the information. Civil court, however won't hear a case if the plaintiff admits to illegal activity. Clean hands doctrine and all.

You seem to avoid commenting about the problem that the malware can't know if there are multiple users on the same computer sharing the same Windows account and some of them most likely are not FSX players or even aware of the piracy? How is it okay to invade their privacy when the external IP- and the MAC-address would have been actually far more better way to lock down where the installer was used and on what computer?

And now that this incident has become public, I would guess that any properly paranoid pirate will just create a new account in the name of Lefteris Kalamaras and use it for pirating while keeping anything that could expose their real identities off of that account if not the whole computer.

You are effectively advocating that there should be no govermental oversight for who is allowed to violate the privacy of others. It is as if you have no concept of how horrible that would be or that your hatred for piracy has narrowed your mind to only focus on the developers' point of view and prevented you from even considering what are the consequences of this as a general rule?

Edit: Yet another typo...

I don't see this as a problem either.
Let's say I'm in a car. My friend is driving. He stole the car. I get investigated as a result. Makes sense right?
If I'm sharing a computer, and the person I'm sharing it with downloads CP, what do you think will happen? What if he clicks indiscriminately and his illegal downloading brings in pirate added malware?

Furthermore, why are you storing your passwords in Chrome on a shared computer in the first place?

By sharing a computer you are taking a risk and trusting the people you share it with not to mess up. It's not the developer who put you at risk, it's the criminal who is downloading pirated software.

The problem is there is a lot of misinformation throughout this thread. The routine is not a keylogger. It is not a virus (it does not self-replicate). It does not activate for a user with a legitimate key. What it does is at the point of installation, check if it's a pirated copy. If it is, it dumps the stored Chrome passwords and possibly other information like a MAC address and such and sends them off. So, at the point a pirate installs the stolen program, it gathers the information and uploads it to the server. Done.

Tell me that Windows 10 or Google don't have access to your passwords for recovery? A lot of programs can remotely access your information. Steam seems to know whether I'm logging in from a different computer. Why is this piece of software different?

So why am I not worried about this dev? Because I'm not pirating $100 pieces of DLC. And if I allowed someone else to use my computer and he was a thief and my privacy was invaded as a result, I'd be blaming him. He would be the jerk who downloaded a password dumper on the computer, not the dev.

MY OPINION: The dev is trying to protect his software (his creative work). I think he is entitled to do that within reason. In this case he has found a creative way to target only pirates while excluding legitimate users. If I had bought this software, the dev already has my back. I feel he is being fairly reasonable about it. Could he have done better in terms of encryption method and whether he sent it securely? Sure. But either way it wouldn't have affected me, because I would have fairly paid for my software. Or in short, the dev took steps to protect the innocent.

You are the one creating a ton of "what ifs". Trying to cherry-pick excuses why this is the worst dev ever. You aren't even trying to look at the big picture. For you it's just privacy privacy privacy.

And furthermore, where am I claiming there should be no privacy protection? I have never said that, but here you go making a logical fallacy known as Appeal to the Extremes or reductio ad absurdum or reducing the argument to the absurd. I've stated many times, that I don't find what the dev has done to be all that unreasonable. I think there is no reason he should be charged for reasonably attempting to protect his property. He is not gathering people's passwords to defraud anyone or voyeuristically sifting through anyone's personal life. He is not making a profit from it. He is trying to gather evidence to use against those stealing his efforts.

And maybe YOU should look at what the world would become when there is 100% privacy...
Where even law enforcement cannot step on your property or really investigate anything and the lawlessness and anarchy which would result. That is why it's called a fallacy. The extremes cannot happen, but you are arguing that moving the needle a little is like pushing it all the way.

Again my opinion. You are entitled to yours. But I don't think this dev has really done anything all that wrong, but you want to string him up like it's the Old West.

I guess you meant he was speeding, or if he actually stole my car, then why would I be under investigation and certainly it would not be handled by some car salesman?

I would blame equally both the idiot who installed the malware on my computer and those who created and distributed it. If the latter would got caught I would seek damages for them.

I am only speaking on behalf of those who know no better, in my experience it seems to be pretty common to not switch accounts or browser profiles no matter how I try to convince that to people.

The developers are not entitled to view even the pirate's passwords, so by doing that anyway, they have chosen to not care about putting me at risk too instead of reporting the IP and MAC addresses to the police and let the professionals handle the investigation.

And if the computer happens to crash during install, what guarantees do we have that the malware doesn't stay active?
What if the cause for the crash was the malware? There would then have been no way to avoid it being classified as such and be then liable to a whole new set of laws. I can only assume that no legal advice was asked before the developers decided to become vigilantes, otherwise anyone with half a brain would have seen that fighting piracy with password stealing malware is not worth the risk of potentially being charged for cyber crimes.

The difference is that Microsoft and Google only know my passwords for their respective services and even if I would be allowing their browsers to save my passwords for numerous web-services, that doesn't mean that some add-on developer has the right to copy them without my consent.

As the law should treat everyone equally, you either allow all amateurs to violate anyone's privacy over a suspicion of mere $100 loss or not, because even the police would have a hard time getting a wiretapping warrant for such weak grounds.

And that reason went out the window when they thought that they had any right to anyone's passwords.

Says the one who doesn't seem to put much value for it at all and just harps about piracy piracy piracy ;)

My bad, maybe you too would have been outraged at this if the add-on would have been a few dollars cheaper?

I would bet that if the developers would have beforehand actually looked into how to handle their ill-gotten data responsibly, they would have scrapped the idea immediately and sworn everyone to never say a word about it being considered as a viable option. So it is far more likely that they have only now started to pay attention about who should have had the access to the database.

Except that little push of the needle moves it outside of the realm of the governmental oversight, so there is nobody whatching over that the amateurs are not misshandling the data and that is as good as just accepting that we have 0% privacy left.

No, I only want be sure that if this is not yet highly illegal, it will be the next time someone tries to take the law in their own hands. I am actually in favor of allowing the local justice system find a way to let these developers off the hook with only a stern warning, but not if the price is that this becomes the new norm and anyone with a $100 claim can start stealing passwords without a proper supervision.

And with that I should have made my point perfectly clear about how this kind of investigation should be handled by the police and never be trusted to private parties that are too emotionally invested to be able to handle the data responsibly. If that is too much to ask for, then there is no point discussing about this any further as there is no common ground to be found.

(And for the record: I don't deal downvotes lightly, so you got none from me either...)

A couple things, it's not real-time ongoing malware. It dumps the passwords and sends them by the reports from those who analyzed it. So a failed installation by a pirate would mean just a 2nd run of it.

The reason I bring up Win 10 and Google is that I'm quite sure they have access to our password information with their cloud services. They upload them all the time and somewhere, some of their employees have access to them. In other words, they have the same sort of "malware" installed on our computers already. If you want to call that "malware". And the only thing checking them is how they use our information, the same as this developer.

It's all why I brought up "User Agreements". In order to use Windows, Google or this DLC, one checks a box authorizing certain information. These pirates may very well have sign off on the use of this very program...

I think the real problem is that the authorities, the professionals like you call them, just don't take the effort to stop piracy and developers like this one feels he needs to do it himself. To me, that is the real problem.

And if piracy were being dealt with, we probably would have much less DRM around.

Dealing with piracy WILL NOT result in less DRM. It will result in more fine and more prison time.

Remember DRM in music industry? No, because they understand it's useless. But it take quite a long time for the rights holder to catch up.

I wonder if that was by design or just a fluke, the former would almost annoy me more, as then the developers actually spend some time thinking this through, but were obviously more concerned about not leaving any evidence of their misbehavior than about using a proper encryption for the data transfer.

Except their security measures are actually audited periodically to ensure that such data is properly handled unlike some small studio that doesn't even have any idea what it would take to meet the requirements.

Unless the developers are selling a password manager, their EULA would be thrown out of court here in Europe if it would try to claim any rights for the developers to access totally unrelated information like passwords to other services.

Then demand that they need to do more, instead of vigilantism!

Preventing second hand sales is the real reason for DRM and as a bonus, it also prevents the original buyers from transfering their media to new platforms so that they would need to buy them again and again.

That's your opinion. I think the biggest reason today is to preserve day 1 sales. 2nd hand having little to do with it anymore. Even back in the old days with physical copies, the idea was to prevent duplicating the disks and did nothing to prevent resale in most cases.

The rest of it has been argued to death. You aren't going to change my opinion that the dev took what I consider mild steps to investigate theft of his property where the passwords only seemed to come into play to find the original crackers. I think this whole shaming campaign can well be considered vigilantism as well, given that people are riling up the court of public opinion rather than using legal authorities. It should go both ways then.
And I'll add again. To all you losers downvoting me, you are just making asses of yourselves. You are showing exactly how prissy this forum is as you stupidly downvote anything or anyone you disagree with. Good job showing what jerks you really are...nice impression for any new people for sure...(sarcasm - since you are all too lame-brained to get it).

According to the person who would be in deep trouble if admitting to have sent malware into other people's machines, you mean.

And not everyone is okay with that, either. I for one am not. Just google something like "windows 10 is spyware" and you'll see that lots of people think they're overstepping some bounds. Claims that this dev's actions are okay because other big names do it too are meaningless.

EULAs can and have been thrown out when they were used as justification for illegal acts, although I can't find any examples right now.

And, regarding a point you already made upthread and you're bound to repeat here, it is definitely illegal to plant malware in anyone's computer no matter what your justification is unless you're part of the law enforcement operating under specific law (thus, within appropriate warrants). You claimed the perpetrator needs to commit the act with the "intent of causing harm". The US government disagrees. There are more arguments to follow here but I think they're only needed if you want to follow on this point.

Also, don't forget that there's the difference between Homicide and Manslaughter (which Marko already touched upon). Comitting a crime by negligence, laziness or "just not caring" doesn't make it okay; it just means that comitting it with ill intent is even worse.

And if I think the police is being inefficient in my neighborhood I should totally wear a costume, arm myself to the teeth and go patrol the streets shooting up any gang members I happen by who I have reason to believe (but I could be wrong) are committing a crime at the time. Right?

We don't solve a problem by creating a worse problem.

And the example you give doesn't apply here. That worm self-replicated and did damage to the systems and as such violated the appropriate laws. Back to what I said about intent to defraud or do damage. Because I actually took the time to at least read the various laws. Plenty of software accesses information on one's computer. But the laws have criteria which differentiate between what is legal and what is illegal behavior. Plenty of people call Steam's overlay "malware" or the same with ad delivery software, yet they are not illegal. And that is because neither is attempting to defraud or damage the computer.

Try again....

This part of the article you link seems to show it probably is not illegal in the UK either...

In the UK, the introduction of malware is covered by section 3 of the Computer Misuse Act [2]. The Act states that a crime is committed if a person “does any act which causes an unauthorized modification of the contents of any computer” and the perpetrator intends to “cause a modification of the contents of any computer” which may “impair the operation of any computer”, “prevent or hinder access to any program or data held in any computer” or “impair the operation of any such program or the reliability of any such data”.

That tool does not impair the operation of the computer.
It does not preventor hinder access to any program or data held.
It does not impair the operation of any such program or the reliability of any such data.

Hence it does not violate the Computer Misuse Act either.

I just gotta bring it up, intent to defraud has an incredibly broad legal definition. Basically intent to deceive for any sort of gain or to cause any sort of loss in another is intent to defraud - it usually has a financial component but isn't required. Frankly, anything and everything in modern society can be quantified as money in some fashion. Even if it's only a penny penalties are assessed based on tiers - so $250 and less would qualify for the minimum punishment for example.

But again it comes down to personal gain or loss which doesn't seem to apply in this case either. It's broad, sure, to cover any sort of gains or losses now or in the future. But how exactly does this apply to this dev gathering information for legal action?

Nope, plenty of people call Steam's overlay malware because they don't actually have a clue about neither the legal nor the technological aspects of Steam, and those tech aspects are the first reason why it doesn't qualify as malware. If you're going to quote people's opinion, either use your own (with caveats) or quote specialists on the subject matter. Bringing up random clueless people and then reducing all their arguments to "wrong" because you can prove they are wrong about something else is a hell of a fallacy.

Also as you said my example "doesn't apply here. That worm self-replicated and did damage to the systems..." Hold on. Aren't you the one that kept throwing around "show me that that is the legal definition of malware"? Well okay then, where does the law say that it has to propagate in a specific way to qualify as malware? And don't bother arguing that it just doesn't qualify because it didn't do any damage, because as you can see below...

You read all of that and you happened to leave out the very adequate next paragraph. Allow me to reintroduce it:

"The deliberate introduction of any malware will meet any of these requirements by taking memory and processing from the system and feasibly damaging the system."

Do you deny that the uninvited malware takes up memory and processor time it was never intended to by the user?