Security Programming

Would You Tell People How To Crack Your Software?

An anonymous reader writes "Fed up with piracy and the availability of cracked versions of his software, Cobalt Strike developer Raphael Mudge wrote a blog post telling people how to crack his software. Some gifts are poisoned, and Raphael goes into deep detail about how to backdoor his software and use it to distribute malware. Will this increase piracy of his software, or will it discourage would-be pirates from downloading cracked versions?"

  • by stewsters ( 1406737 ) on Friday September 06, 2013 @04:01PM (#44778559)
    He's doing this to raise attention. For every 10 people who pirate it, someone will actually buy it.
  • by TheP4st ( 1164315 ) on Friday September 06, 2013 @04:05PM (#44778615)
    This is what I got when I went to download the trial of Cobalt Strike:

    Due to United States export control requirements, we can not make Cobalt Strike available for download to your country yet. Please accept our apologies--we're very actively working on this.

    It's likely that a fair amount of those using cracked versions are doing so as they cannot get a legitimate copy without jumping through hoops and potentially ending up on all kinds of watchlists in the process, which makes his move of detailing how to backdoor the software for malware distribution a bit of an asshat move.

  • by mlts ( 1038732 ) * on Friday September 06, 2013 @04:06PM (#44778635)

    I believe in having a relatively small speed bump and keeping DRM to a minimum. For an application, just enough to make keygens [1] useless and require the app's executable to be patched, even if it is just a simple item that gets commented out. This breaks the signature of the program, and anyone pirating it will be at obvious risk of an added payload.

    For games, I'd just have a multiplayer mode/library for easily downloaded levels/maps/etc. To access it, a valid key is needed and if two keys (assuming each key is one license) are used, the newer one will not be allowed on. Since this is handled by the server, modified clients are not an issue. Yes, one can always mirror/emulate the server's functionality, but it is a big enough barrier to get people to consider buying a key. Closest game to this was Neverwinter 1 which ditched the CD protection fairly early on.

    [1]: Embed a public key in the program, and the key would include the licensing info with a netpgp signature.
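
The scheme in the footnote above (a public key embedded in the program, licensing info carried inside a signed key), shown as an added example that is not from the thread or from any product discussed in it. It uses Ed25519 from Go's standard library in place of the netpgp signature the comment names; the license layout, field names and seed are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// DemoVendorKey derives a key pair from a constructed seed so the example is
// repeatable. Only the public half would be embedded in the shipped program.
func DemoVendorKey(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// IssueLicense runs on the vendor side: license = b64(info) "." b64(signature).
func IssueLicense(priv ed25519.PrivateKey, info string) string {
	sig := ed25519.Sign(priv, []byte(info))
	return b64.EncodeToString([]byte(info)) + "." + b64.EncodeToString(sig)
}

// VerifyLicense runs inside the program and returns the licensing info only
// if the signature checks out against the embedded public key.
func VerifyLicense(pub ed25519.PublicKey, license string) (string, error) {
	parts := strings.Split(license, ".")
	if len(parts) != 2 {
		return "", errors.New("malformed license")
	}
	info, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[1])
	if err1 != nil || err2 != nil {
		return "", errors.New("malformed license")
	}
	if !ed25519.Verify(pub, info, sig) {
		return "", errors.New("signature does not match embedded key")
	}
	return string(info), nil
}

func main() {
	pub, priv := DemoVendorKey("constructed vendor seed")
	lic := IssueLicense(priv, "licensee=Example Corp;expires=2014-09-06")
	fmt.Println(VerifyLicense(pub, lic))
}
```

Because only the public key ships, licensing info that was edited or signed with any other key fails verification, which is why the comment expects the executable itself to be what gets modified, breaking the program's signature.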

  • Re:Tongue in cheek (Score:4, Insightful)

    by girlintraining ( 1395911 ) on Friday September 06, 2013 @04:11PM (#44778679)

    All cracked software is suspect. But then, so's the unmodified software.

    But here's the thing... it's usually less risky than the DRM, phone home, internet activation required, now with extra advertisements hardcoded to a server... using internet explorer in a window with 'trusted' site permissions able to hand out javascript-laden malware. Please. I'll take the pirate stuff any day of the week, because the groups that do it are small enough that reputation matters; It's their only currency.

    A large corporation can just claim "oh noes! piracy destroyed my business!" and get a fat handout and a pile of FBI agents with orders to beat people in their homes until money falls out. Reputation is not a concern for them. Ergo, neither is quality. Pirates on the other hand... release a single malware-infested item and the forums fill up with complaints, and that group never gets any respect again.

    Bittorrent also ensures, at the protocol level, that everything downloaded matches what was uploaded. http downloads are less secure. And digital signatures on executables, like what Microsoft does? It's been proven, many times over, that the only thing that means is you paid them a stipend to get a key. They don't check to see if what you made and signed is legit or not... and many antivirus/antimalware solutions, including Microsoft's own... will skip heuristic matching if the executable is signed.

    So really... you're less likely to get malware from a piece of pirated software off some torrent site than you are just browsing for porn. It's a grossly exaggerated threat. Just like what this guy is saying; "Here, hack my software!"

    Okay. Nice publicity stunt. Even Bill Gates said if you're gonna pirate, he hopes you'll pirate Microsoft... it's a sign of a software's usefulness.

  • by Zironic ( 1112127 ) on Friday September 06, 2013 @04:14PM (#44778709)

    It probably is that simple for a very simple reason. His target audience isn't really poor kids that just want to try out hacking, he's selling the licences for 2.5k a pop/year so he's obviously targeting companies, companies that would rather not crack the copies regardless of how easy it is because of legal liabilities.

  • by Jane Q. Public ( 1010737 ) on Friday September 06, 2013 @04:27PM (#44778809)

    "He's clearly joking around... and laughing at the technically clueless who think he's being serious."

    True. But even if you ignore that, I think the Slashdotters here who thought he was serious have missed the big point.

    If you sell your software for $2500 for limited-time use, your software is going to get cracked. Period.

    Study after study after study, for at least the last 13 years, have shown that if users think your software is both useful and reasonably priced, it will sell. End of story. Yes, there will be downloading but that would happen anyway.

    Bottom line: downloading (Not "piracy". Downloading is not piracy.) is simply not a real, significant problem. It is BLAMED for problems, by copyright trolls and programmers who overvalue their product. But it has never proven to really, significantly, affect the bottom line for what the market thinks is useful, reasonably priced software. If anything, it has shown to lead to more sales.

  • Re:Tongue in cheek (Score:5, Insightful)

    by brit74 ( 831798 ) on Friday September 06, 2013 @04:37PM (#44778909)

    I'll take the pirate stuff any day of the week, because the groups that do it are small enough that reputation matters; It's their only currency.

    Yeah, because the *reputation* of the software companies doesn't matter at all. (roll eyes)

    A large corporation can just claim "oh noes! piracy destroyed my business!" and get a fat handout and a pile of FBI agents with orders to beat people in their homes until money falls out.

    What a load of crap. A fat handout? Do you have any clue at all what you're talking about? Prove it by showing some instances of the government giving money to companies because of claimed losses due to piracy. What a load of crap. I can't think of any companies that have made a bunch of money by "beating people in their homes until money falls out". You're seriously in fantasy land with this one. But, hey, whatever fantasy makes you feel good about pirating other people's hard work without paying a dime. You're a real hero. The world owes you everything for free.

    Pirates on the other hand... release a single malware-infested item and the forums fill up with complaints, and that group never gets any respect again.

    Yeah, because real companies can release a malware-infested piece of software and suffer no consequences. Give me a break.

    Bittorrent also ensures, at the protocol level, that everything downloaded matches what was uploaded.

    Oh, so if a malware infested piece of software is uploaded, Bittorrent will make sure you're downloading the same malware-infested software that someone uploaded? That's reassuring.

    Even Bill Gates said if you're gonna pirate, he hopes you'll pirate Microsoft... it's a sign of a software's usefulness.

    Bill Gates prefers you pirate his software over someone else's because it helps block other people out of the market. If you're trained on Microsoft software, you're more likely to buy it in the future than if you learned some other piece of software. It's good for blocking other people out of the market (and it's most useful if you're a monopoly or nearly a monopoly) because it helps prevent other companies from getting a foot in the door.
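
The exchange above about what BitTorrent's protocol-level check covers, as an added example that is not part of the thread or of any BitTorrent client's code. It mimics the per-piece SHA-1 list in torrent metadata; the byte strings, the 16-byte piece length and the separately obtained vendor digest are constructed assumptions.

```go
package main

import (
	"crypto/sha1"
	"crypto/sha256"
	"fmt"
)

// PieceHashes mimics the "pieces" list in torrent metadata: one SHA-1 per
// fixed-size piece of whatever content the uploader chose to publish.
func PieceHashes(content []byte, pieceLen int) [][20]byte {
	var hashes [][20]byte
	for off := 0; off < len(content); off += pieceLen {
		end := off + pieceLen
		if end > len(content) {
			end = len(content)
		}
		hashes = append(hashes, sha1.Sum(content[off:end]))
	}
	return hashes
}

// BadPieces is the client-side check: indexes of received pieces whose hash
// differs from the metadata. A piece-count mismatch is reported as index -1.
func BadPieces(received []byte, pieceLen int, meta [][20]byte) []int {
	got := PieceHashes(received, pieceLen)
	if len(got) != len(meta) {
		return []int{-1}
	}
	var bad []int
	for i := range got {
		if got[i] != meta[i] {
			bad = append(bad, i)
		}
	}
	return bad
}

// MatchesVendor compares the download with a digest obtained from the vendor
// through a separate channel, which is what ties the bytes to a known source.
func MatchesVendor(received []byte, vendorDigest [32]byte) bool {
	return sha256.Sum256(received) == vendorDigest
}

func main() {
	vendor := []byte("constructed installer bytes from the vendor build")
	repack := append([]byte("constructed extra bytes; "), vendor...)
	meta := PieceHashes(repack, 16) // metadata is made by whoever uploaded
	fmt.Println(BadPieces(repack, 16, meta), MatchesVendor(repack, sha256.Sum256(vendor)))
}
```

The repackaged content passes every piece check because the metadata was computed over it, while damage in transit is caught; only the comparison against the vendor's own digest distinguishes it from the original build.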

  • by istartedi ( 132515 ) on Friday September 06, 2013 @04:45PM (#44778993) Journal

    The top button is buttoned, but the other two are loose and yet... the buttons are still in there. What's up with that? I don't read anime/manga. Is it a common visual metaphor or something?

  • Re:Tongue in cheek (Score:5, Insightful)

    by retchdog ( 1319261 ) on Friday September 06, 2013 @06:17PM (#44779607) Journal

    Yes, obviously.

    The point is to make that possibility crystal clear to end-users to influence them to use the legit version. As such, this is basically a humorously self-deprecating form of FUD.

  • Re:Tongue in cheek (Score:5, Insightful)

    by amicusNYCL ( 1538833 ) on Friday September 06, 2013 @06:38PM (#44779747)

    So really... you're less likely to get malware from a piece of pirated software off some torrent site than you are just browsing for porn. It's a grossly exaggerated threat.

    I'm not so sure about that. I watch a lot of porn.

    Even so, regardless of how likely it is, when you're downloading pirated software you are basically executing unknown code from an unknown source. Porn infections at least require a vulnerability to exploit. Hell, the very nature of pirated software means that it has been modified with unknown code by someone with no accountability who is demonstrably willing to break the law. There are plenty of shady actors who see warez as a legitimate infection vector and wouldn't think twice about wrapping a popular application up with a nice payload and distributing it across their botnet to make it look like it has 100 different seeders.

  • Re:Tongue in cheek (Score:4, Insightful)

    by girlintraining ( 1395911 ) on Friday September 06, 2013 @07:21PM (#44780043)

    Even so, regardless of how likely it is, when you're downloading pirated software you are basically executing unknown code from an unknown source.

    The same can be said of any compiled, closed-source code. And corporations in the past have intentionally placed malware onto their official distributions; Such as the Sony rootkit fiasco. Trusting someone just because they wear a suit and say they're your friend isn't much of a guarantee.

    ...been modified with unknown code by someone with no accountability who is demonstrably willing to break the law.

    There's very little accountability to corporations anymore these days. Class action lawsuits were thrown away. The average person doesn't have any real access to the courts -- it's a David v. Goliath situation. And new laws are passed limiting liability all the time. Massive oil spill? We'll fine you a day's wages. Banks too big to fail? Too big to jail too. And saying that someone's untrustworthy because they break the law is a questionable stance to take at best;

    You ever speed in your car? Ever jaywalk? The laws are so terribly complex that you can rest assured you're a criminal. The only person who didn't commit a felony this week is the guy in a coma in the hospital. There are laws on the book that say that eating a salmon that's too long is a felony. There's laws saying you can't violate the laws "of any other country". Even the crazy ones. Even the ones we're currently bombing. And just in IT, there's the computer fraud and abuse act, that is so vaguely worded that basically touching a computer could constitute 'unauthorized access'. People have gone to jail... for providing a URL to a website under that. So if you want to say "willing to break the law" means anything... okay then, but it doesn't count for anything to me or for most people. We're all criminals... it's just not all of us have been caught yet. And if that's not enough evidence for you... consider that we have the highest rate of incarceration of any country on Earth, we lead by almost double per capita, and that margin is growing. And it disproportionately affects the poor and non-whites.

    There are plenty of shady actors who see warez as a legitimate infection vector and wouldn't think twice about wrapping a popular application up with a nice payload and distributing it across their botnet to make it look like it has 100 different seeders.

    Perhaps. But many bittorrent sites have reputation services; And people talk to each other. Read the comments. Watch the forums. Yes, it requires a little more work -- and that doesn't mean someone can't still pull one over on you. But I've never downloaded a piece of software from a torrent site that ever turned a positive; and I scan everything. I go back and scan it months later... and I have a variety of IDS systems, firewalls, etc., to monitor for rogue traffic. If they ever did put a bot dropper into a package I downloaded... it's never talked to anything on the internet. Or tried.

    I can't say the same for a default install of Windows XP or Windows 7.
