Guest ovavp

SquawkWin: The Community's First Trojan Horse?


Good investigation! On the other hand, was their work done with good intentions, or did they have something bad in mind? This investigation shows how serious this hobby has become. Good luck and thanks for your attention to this software!
Edit: Just read the statement that the group does not reveal their real names. Bit suspicious if you have developed such good software...


Hmm, actually it seems to be an interesting piece of software. I don't think they are so bad. I don't want to believe that a group developed such hard software just to get users' passwords. Maybe they really have a good explanation. As they have now removed the strange behaviours, I am quite interested in trying out their software and checking out the new features, like smooth airplane movement, ICAO Flightplan, easier private messaging and so on. They are currently saying that IVAO has approved their software too... Let's hope that VATSIM approves it, then I will say THANK YOU!


Well, in any case, I surely appreciate AVSIM's efforts to ensure that this new software was on the up-and-up. It took time and effort to put together this report and I thank you, Matt and team, for doing what most of us would be too lazy to do. I think you've protected a lot of us in the last 2 days. I'm no conspiracy theorist, but I think that one reason for getting passwords would be to hack others' systems, since a lot of users use the same password for a lot of their applications. By appearing out of nowhere and releasing this program, trojans and all, it's interesting to think what they might try to do with that info. But, then again, I could be way off. In any case, I thank you AVSIM team for your initiative to forewarn the community. ;-)


Great Work! I have another piece of software that makes a version check (AVCTuner) in relation to FS. I am sure they are "OK", but it just makes me nervous!
Wilson Hines
UAL006VHQCC
Senior Vice President, Corporate Communications
http://virtual.united.com
Proficiencies: PSS 747, 777, A32x, CS 727, PMDG 737-700
FS2002 | ActiveSky | FSRealTime | FSBuild2 | FSNav | Jep SimCharts2 | ACLoader


Well, they have not introduced themselves the best way. But I also think that labeling this as a trojan horse and throwing it in the bin is not the best way to act. First of all, we don't know what their intentions were. It is also known that VATSIM and IVAO are not very helpful to third-party developers who want to contribute to the community if they don't go by the rules, and I'm talking here about code review and open source restrictions. I think that software can be tested without violating the developer's intellectual rights, and this has proven it. Maybe they were seeking user support for approval, and the best way they found to do it was letting users see how good/bad the software is. But don't get me wrong, the attitude of the Sun team will take them nowhere. I wish they would change the manners with which they act and that things could straighten out, for the benefit of the community. We need a good explanation from them. At the very most, only pilot identification is needed for any kind of statistics or whatever they wanted to do with that info. I also don't believe the debugging excuse; if you put stuff in for debug, you get it out at release. On a side note, I also wish that virtual networks would be lighter on third-party developers/contributors. Currently pilots are in a very poor situation, and not because there haven't been any alternate options.
Jaime.


I second that: Very good and thorough examination of data. Further I agree that it does indeed seem a bit dodgy not to reveal names of the developers if you want to take credit for software that supposedly is just that great! I am also very curious how the SunTeam developers think they can totally skip any explanation as to the transmittal of user credentials. In a strange universe, you could argue that it is nice for the developers to have the credentials of the clients but never, NEVER, without the explicit approval of the users. From reading the post on their forum, I seem to see traces of the last software glitch on IVAO that ultimately caused FPI to be created.


Wilson: AVC Tuner is OK. It's been submitted to and approved for use on VATSIM. You can see the complete list of approved software (as far as VATSIM is concerned) by going to the main VATSIM website at http://vatsim.net, clicking on Member Services in the left frame and selecting Document Library and Approved Software. You'll find AVC Tuner and all other approved programs listed there.


Hi Jaime, I don't really think we disagree much, but there are some cardinal points that I want to make reading your post:
1) I actually do think it is indeed a trojan horse. You may also choose to call it spyware...
2) It may be that neither IVAO nor VATSIM are being helpful (in the eyes of the developers). However, remember that both networks have dedicated teams to do development on the inside and that any third-party software will have to be checked to be validated against network regulations.
3) I am not sure that either network requires open source. To my understanding, they do not make the source code available to the public, so it is not really open source. There are further legal technicalities to open source that I do not remember, but I believe I know enough to say that neither network requires open source. Also, is it not really a problem to protect the IP rights of the developer. I imagine that the developer of, let's say, AVCTuner has all the IP rights reserved.
Just my $0.02,
Pitsburgh


What an interesting and thorough analysis... I guess the only thing that the sun team needs to do now is to answer a very simple question: Why? Why encrypt the person's id and password and pass it back to their server? Does it serve any 'beta testing' purpose? I really can't think of any good reason, but I'm keeping an open mind...


I applaud those at AVSIM, IVAO, and VATSIM for taking such swift and decisive action to help protect the virtual flying and controlling community. I have no doubt that had you not moved so swiftly, at some point in time, there would have been a very serious possibility of 'damage' to those using the software. What kind of 'damage' I do not know... but my 'gut' tells that it would have come at some point. I also know this...
- I don't like ANYONE doing 'identity theft' at all. Tell me this is what you are going to do and give me the chance to decide on my own whether I do or do not want to use the software or your services.
- I don't like it when a 'corporation' has the principals remain nameless. The 'cloak and dagger' type of stuff is best left for James Bond Movies.
- Good, stable and trustworthy products take time to develop. It is even more so I think when the products are offered for free. Frankly, it is my humble opinion that we should allow those who would use their talents and time to create a free product for us to use the time they need to get it right.
My opinions are my own and not the reflection of any other group or affiliations I might have...
Neal


Hello Pitsburgh,
From a technical point of view, it may be called trojan horse, spyware, etc... What I don't know is if they wanted user passwords for something bad. Of course, in that state it cannot be recommended for anyone to use it, and it may be prohibited on IVAO and VATSIM. I fully understand that. But could you tell me, is there any course of action these developers could take so the community can benefit from its software, or is it all lost now? Regarding VATSIM & IVAO, this thread should not be oriented toward them. But let me say I would like things to be more transparent between and within them, because it is not all that clear that some decisions taken were for the benefit of the user, at least for me. Why was FPI software not approved? We could all have made an effort and now we would have one more option.
Jaime.


> They are currently saying that IVAO has approved their
> software too... Let's hope that VATSIM approves it, then I will
> say THANK YOU!
Actually, IVAO has not approved their software. I received a copy of a post on the IVAO forum from a member of that organization, which says in part, "but this team didn't contacted (sic) IVAO or didn't make any contact with the NA/ANA before the release of SqWin", and the post is signed by the IVAO Executive Director. The fact that they were so quick to remove a portion of obviously malicious code makes you wonder, what did they put in its place?
Greg Phelan


Nice report guys, some good stuff you dug up. I


Same here. Only reason I can think of is to use the CIDs and passwords in order to retrieve user accounts (which by VATSIM and probably IVAO regulations are required to contain valid email addresses) and sell them to spammers (or start a spam operation themselves) and/or ID thieves. There's big money in such lists, even ten thousand known good addresses can fetch thousands of dollars (if not tens of thousands) per sale and they may sell hundreds of such lists.


Yes, it does sound interesting, and had it been released through VATSIM as an approved client I'd have used it. But as it is I won't touch it even though the creators now claim it's clean (after all, didn't they claim it was "just a version check" before when the allegations first were made?).


Hi again Jaime, First of all, let me stress that I have no affiliation with either network (VATSIM, IVAO or FPI) other than flying online (primarily on VATSIM, though I have tried all of them) once in a blue moon. So, I have no management responsibilities and the points I make are solely my own (and those who tend to agree with me :-)). To answer your first question (and remarking that the policy of secretly collecting data is actually strictly illegal in most countries. There better be a damn good explanation for this if you ask me. Debugging purposes is not valid -- I am a developer myself professionally) I think the developers of SquawkWin really have two options: Either complying with the rules of an existing network or make their own network. If they choose the latter, I think their chances of success have been severely hampered by the collection of user credentials. So, no, I don't think all is lost now. I just think these people will have to mature up and start answering questions. To a certain point I agree with you that a bit more clarity would be nice on some networks. I seem to recall that the formation of FPI was due to conflict between the team that developed the FPI software and the development team of that specific network the software was originally developed for. If my memory serves me right, one of the reasons for the split between the developers and that network was over access to source codes (forgive me if I remember wrongly. I know that there were also other details involved). On the other hand, the providers of these networks give us a service of a certain "guaranteed" quality, so they provide the rules. Hope this clarifies a bit, :-wave
Pittsburgh


Oh, I never knew that. Matt, can you verify in the latest release that they have indeed removed this 'feature'?


A very big THANK YOU goes out to everyone at Avsim and everyone else who brought this issue to light. I did not use this software nor will I ever, but it is very nice to know that there is someone out there that is looking out for us. If this does not warrant a donation to Avsim, I don't know what does! :-) As for the Sun Team, or whatever you are, to me there is no valid reason for you to gather a user's name and password, none, you have stepped over the line and unless you provide a more reasonable explanation, that includes coming out of the closet and revealing your identities, I am going to consider you a less than desirable element. Granted this is not stealing from people's bank accounts or anything, but you have invaded people's security and who knows what you were going to do with that information. To quote a friend of mine, "Come forward with the truth or be cast down". It is very sad that someone has actually stepped over the line in our hobby, I hope that the intentions were benign but I really wonder in this case.
Philip Olson


If they indeed removed the spy function in the software, then I can't see any reason why we as users should have to wait for "god knows" how long until we can fly online with something not developed for the use with FS98. With the humble respect to all developers out there. If the "Sun team" developed SquawkWin in no time, what have Vatsim and IVAO spent their time on? I'm not a developer, so I have to ask, I am only interested in software that works on my computer and with FS2004, I really don't care who


Guys, I wouldn't use it IF they took away this password stealing code. It's still outlawed by Vatsim and IVAO and using it is IMMEDIATE grounds for suspension.


Besides all thoughts and ideas, I wonder what the harm is in having all those IDs and passwords. Imagine having this database, what on earth would you do with it? Fly online with random user IDs? So, and who cares? Sell to spam firms? Maybe hacking into AVSIM's database will have more use, and even then you have 14895 registered members, not much on those millions of emails in the world. I don't see any real security problem, only a real moral problem. And that's where the problem lies. If they are smart, then they reveal their identity, and make a good statement today! Btw, the too slow SB release just ignites these kinds of things.
EDIT: I cannot give them the benefit of the doubt after studying Matt's investigation. Why on earth would programmers go to such a hassle to encrypt testing data? That's the question! And the answer is...
Johan
http://www.people.zeelandnet.nl/johd


Hi all... I am not a computer whiz, just a user and simmer. Just as I am a user of e-mail and internet. I, like most, get about 100 junk mails a day from two accounts without any requests for them from me, so where is this leading?... My data must be being transmitted without my knowledge and spammers hitting me with junk. Anonymous developers who take my data without my knowledge and use it for some advantage to themselves are the pits of the software world. If your software is so good then why should you be allowed some shortcut into someone else's system for testing without approval. Aviation generally is about procedures for everyone's safety, so if there is a procedure for getting the software onto Vatsim or Ivao then use it, get approval, then we can applaud it. Luckily I didn't download the software so have no axe to grind, I only use Vatsim for my VA online flying and have never not been able to fly due to software restrictions, so in conclusion, if there is new software out there for online simming then let it be tested and approved by the networks that have also worked damn hard to get their systems free of junk, and if it is deemed to be good enough then let it win on its merits.
John Calleja (user and simmer) no professional associations with Vatsim or Ivao


Hi Andreas, I agree that the wait for SB3 is becoming a bit long. However, I would seriously question what "no time" means. I am sure that quality, stability etc all cost resources and take time. I am not so sure that I would want something that has been developed in no time to mess up my experience while on final approach. Also, I think that those people that develop software for the various networks are doing this as a spare time thing, giving their free time to us.
Thanks,
Pittsburgh


Hi All,
I would like to say that speaking only about the software functionality (not the trojan stuff), it is a very good idea to use P2P technology to increase the refresh rate of AI into the sim without increasing the servers' job. Regarding the network software approval rules, I must say that it's not as easy as it seems to be:
1) - I'm now the developer of SquawkBox 3 for Fly!2, initially coded by Lefteris Kalamaras. I've been accepted as a developer in VATSIM dev org with the help of Lefteris. Then the SquawkBox V 3.1 (that does not have any modification of the server protocol ;-) ) has been approved by Richard Critz and I released it on Avsim lib. But if you have a look at the official approved pilot software list, you won't see it :-( Does that mean that it's an illegal software?
2) - I've tried several times to have some contact with the IVAO pilot software team leader to be included in their dev rules, but I didn't receive any answer from them. I hope that the reason is not because the Fly! 2 community is quite small now! It's good to think that MSFS, X-plane, Fly! and other simmers can fly together in the same sky.
Then what can I do?
- roland -
* AirFeedback 1.0 * * DragPoder 1.0 * * SquawkBox 3.1 * - For Fly! II -

This topic is now closed to further replies.