The funny thing is this will, as always with drm, is that this will only affect paying customers. Hackers will just dump this out as fast as any drm and the game will run far better. Paying customers will get a sub par experience, possible system integrity failure, fraud etc. All for wanting to support the developer and provide them with some money. *slow clapping* well done that company.

How do you know the malware doesn't have a bug that would cause it to, under the right circumstances, affect legitimate copies played in the officially sanctioned manner?

Well that's the hole point here :D We are going back to the drm discussion where people that actually BOUGHT the game, might have issues running the game, (or like in this extreme case) they get Malware on their machine, while pirates won't probably have much trouble, to simply cut that part out, re-pack it and upload the new version without the keylogger..

If there is a way to stop people from BUYING your game, this is actually a pretty damn good way.

Actually, he says that it's incorrect information that the installer includes a tool that indiscriminately dumps Chrome passwords, and then adds that there are no tools used to reveal any sensitive information of any customer who has legitimately purchased their products.

Reads to me like he admits that there is a mechanism in there that does collect sensitive information, but insists that it affects only those that have a non-purchased copy.

What is unclear is if this thing only targets Chrome, or other browsers as well. What's mind-boggling is that they run this by their legal department/lawyer, and they said it's a perfectly fine and legal thing to do. Also, if said legal department/lawyer told them that they can use any info acquired via this method in a legal process, they need to get some additional legal advice.

Yeah, what I was getting at is there's really no information on exactly what this DRM measure does. But it sure looks like it's a deep dive into idiocy on the devs' part.

One wonders if they even bothered consulting a legal team. I'd think legal would have an aneurysm at even the suggestion of something like this.

He doesn't seem to refute that it does collect sensitive information, especially with how he kind of boasts that it has netted them results, i.e. identified people, and seems more concerned with convincing his paying customers that it's not their information.

But agreed on the last bit, looks like all the virtual flying has clouded his mind.


On second read, he kind of seems to worry about potential legal action from their paying customers, and makes quite the effort to reassure them that their rights haven't been infringed upon, and that he's unaware of the broader legal implications of what they did.
Heck, alone the fact that he made that post with that specific wording on their public forum suggests that they didn't get legal advice.

This counts as wiretapping, which is illegal in some states. My guess is, their home office is in one of those states.
And this is more evidence to my theory. What they don't realize i that it doesn't quite work that way. Even if you have a clause (and most do) that disputes are to be handled according to the law of X, that doesn't mean all states (let alone States) will agree.

These people would benefit from looking into the whole CPUID discussion.

I really hope this goes to court, the law needs a clear precedent that this isn't ok.

Be careful what you wish for...
Not that I agree with his actions, but...

If this goes to court, in front of a jury...person X has pirated a piece of software which phones home and reveals his identity. How likely do you think a jury is to take the pirate's side? What if the software developer compares it to a Lo-Jack? Precedent's can work the other way too.

Then there is the doctrine of clean hands. Just like a drug user can't sue to get his money back from a bad drug buy, I doubt the pirate can sue over illegally downloading software which reveals his identity by claiming it invaded his privacy.

The problem is that if there is no specific law which governs this, then a precedence would be created one way or another.

Unless this somehow impairs a legal purchaser, I wouldn't be so certain the court would rule the way so many of you think.

Might I suggest FlightGear instead?

Why would pirates sue the developers when legit customers can argue that the devs can't guarantee that their code doesn't have any bugs that could cause false positives?

Shouldn't this be a criminal case anyway, making a class action lawsuit the least of the developer's worries?

I'm a little annoyed that Malwarebytes is calling the file clean:

https://www.virustotal.com/#/file/60641eef00a7498a62ac7686e656dad6e8f700cb4803a8a149707b2c4a3a09c9/detection

Interesting read about what the text.exe file is doing:

https://www.fidusinfosec.com/fslabs-flight-simulation-labs-dropping-malware-to-combat-piracy/

Do note the mention that the file being sent back to the company is only base64 encrypted.

edit: And sent to a server that is fairly open to the net.

You can't sue someone for "not being able to guarantee that there won't be any false positives". DRM would be illegal if this was the case (you can't rule out false positives with DRM either). That's like saying someone should go to jail because he can't guarantee that he won't become a murderer...

I'm not a lawyer, but I think we're talking about two independet cases here. One is software piracy (copyright infringement) and the other is the use of malware (whatever the legal term for this is). The fact that someone got the malware by pirating games doesn't change the fact that the dev "hacked" someone else's computer to get his data. You can't break the law just because the person you're going after broke another law.

I was actually suggesting legit customers may take it to court, after all the dev still placed malware on their system. I'm not sure it has to have run for that to be a big deal.
Also this.