SquawkWin: The Community's First Trojan Horse?

[Guest Matt Johnson]

The full investigation is located here: http://www.avsim.com/pages/0804/squawkwin/Please use this thread to discuss any points arising from the article.

[fspaan 1]

Good investigation! On the other hand was their work done on a good intention or did they have something bad in mind?THis investigation shows how serious this hobby has become. Good luck and thanks for your attention to this software!Edit: Just read the statement that the groups does not reveal their real names. Bit suspicious if you have developed such a good software...

[Guest georg]

Hmm, actually it seems to be an interesting software. I don't think they are so bad. I don't want to believe that a group developed such a hard software just to get users passwords. Maybe they really have a good explanation.As they are now removed the strange behaviours, I am quite interested in trying out their software and checking out the new features, like smooth airplane movement, ICAO Flightplan, easier private messaging and so on.They are currently saying that IVAO has approved their software too... Lets hope that VATSIM approves it, then I will say THANK YOU!

[rightseat 277]

Well, in any case, I surely appreciate AVSIM's efforts to ensure that this new software was on the up-and-up. It took time and effort to put together this report and I thank you, Matt and team, for doing what most of us would be too lazy to do. I think you've protected a lot of us in the last 2 days. I'm no conspiracy theorist, but I think that one reason for getting passwords would be to hack other's systems since a lot of users use the same password for a lot of their applications. By appearing out of nowhere and releasing this program, trojans and all, it's interesting to think what they might try to do with that info. But, then again, I could be way off. In any case, I thank you AVSIM team for your initiative to forewarn the community. ;-)

[Guest SIX]

Great Work! I have another peice of software that makes a version check (AVCTuner) in relation to FS. I am sure they are "OK", but it just makes me nerveous!Wilson HinesUAL006VHQCCSenior Vice President, Corporate Communicationshttp://virtual.united.com --------------------------------------Proficiencies: PSS 747,777, A32x, CS 727,PMDG 737-700---------------------------------------FS2002|ActiveSky|FSRealTime|FSBuild2|FSNav|Jep SimCharts2|ACLoaderhttp://www.precisionmanuals.com/images/forum/checkcapt.jpghttp://heavylhc.com/images/av/anna.jpg

[Guest jacaru]

Well they have not introduced themselves the best way. But i also think that labeling this as trojan horse and throwing it to the bin is not the best way to act.First of all we dont know what their intentions were.Also is known that VATSIM and IVAO are not very helpful to third party developers who want to contribute to the community if they dont go by the rules, and im talking here about code review and open source restrictions. I think that software can be tested without violating the developer intelectual rights, and this has proven it.Maybe they were seeking user support for aproval and the best way they found out to do it was letting users see how good/bad the software is. But dont take me wrong, the attitude of the sun team will take them nowhere. i wish they would change the manners with which they act and that things could straighten out, for the benefit of the community. We need a good explanation from them. At the very most only pilot identification is needed for any kind of statistics or whatever they wanted to do with that info. i also dont beleive the debugging excuse, if you put stuff in for debug, you get it out at release.On a side note, i also wish that virtual networks would be lighter on third party developers/contributors. Currently pilots are in a very poor situation and not because there havent been any alternate options.Jaime.

[Guest PittsburghII]

I second that: Very good and thorough examination of data. Further I agree that it does indeed seem a bit dodgy not to reveal names of the developers if you want to take credit for software that supposedly is just that great! I am also very curious how the SunTeam developers think they can totally skip any explanation as to the transmittal of user credentials. In a strange universe, you could argue that it is nice for the developers to have the credentials of the clients but never, NEVER, without the explicit approval of the users. From reading the post on their forum, I seem to see traces of the last software glitch on IVAO that ultimately caused FPI to be created.

[George_M 0]

Wilson:AVC Tuner is OK. Its been submitted to and approved for use on VATSIM. You can see the complete list of approved software (as far as VATSIM is concerned) by going to the main VATSIM website at:http://vatsim.netclicking on Member Services in the left frame and selecting Document Library and Approved Software. You'll find AVC Tuner and all other approved programs listed there.

[Guest PittsburghII]

Hi Jaime, I don't really think we disagree much, but there are some cardinal points that I want to make reading your post:1) I actually do think it is indeed a trojan horse. You may also choose to call it spyware...2) It may be that neither IVAO nor VATSIM are being helpful (in the eyes of the developers). However, remember that both networks have dedicated teams to do development on the inside and that any thirdparty software will have to be checked to be validated agains network regulations.3) I am not sure that either network require open sources. To my understanding, they do not make the source code available to the public, so it is not really open source. There are further legal technicalities to open source that I do not remember, but I believe I know enough to say that neither network require open source. Also, is it not really a problem to protect the IP rights of the developer. I imagine that the developer of, let's say, AVCTuner has all the IP rights reserved. Just my $0.02,Pitsburgh

[jeffyen 0]

What an interesting and thorough analysis...I guess the only thing that the sun team needs to do now is to answer a very simple question: Why?Why encrypt the person's id and password and pass it back to their server? Does it serve any 'beta testing' purpose? I really can't think of any good reason, but I'm keeping an open mind...

[Guest NealT]

I applaud those at AVSIM, IVAO, and VATSIM for taking such swift and decisive action to help protect the virtual flying and controlling community. I have no doubt that had you not moved so swiftly, at some point in time, there would have been a very serious possibility of 'damage' to those using the software. What kind of 'damage' I do not know...but my 'gut' tells that it would have come at some point.I also know this...- I don't like ANYONE doing 'identity theft' at all. Tell me this is what you are going to do and give me the chance to decide on my own whether I do or do not want to use the software or your services.- I don't like it when a 'corporation' has the principals remain nameless. The 'cloak and dagger' type of stuff is best left for James Bond Movies.- Good, stable and trustworthy products take time to develop. It is even more so I think when the products are offered for free. Frankly, it is my humble opinion that we should allow those who would use their talents and time to create a free product for us to use the time they need to get it right.My opinions are my own and not the reflection of any other group or affiliations I might have...Neal

[Guest jacaru]

Hello Pitsburgh,From a technical point of view, it may be called trojan horse, spyware, etc...What i dont know is if they wanted user passwords for something bad. Of course, in that state it cannot be recommended for none one to use it, and it may be prohibited on IVAO and VATSIM. I fully understand that. But could you tell me, is there any course of action these developers could take so the community can benefit from its software, or is it all lost now?Regarding VATSIM & IVAO, this thread should not be oriented toward them. But let me say i would like that things could be more transparent between and within them, because some decisions taken are not all that clear that were for the benefit of the user, at least for me.why FPI software was not approved? we could all made an effort and now we would have one more option.Jaime.

[Guest gregphelan]

>They are currently saying that IVAO has approved their>software too... Lets hope that VATSIM approves it, then I will>say THANK YOU!Actually, IVAO has not appoved their software. I received a copy of a post on the IVAO forum from a member of that organization, which says in part, "but this team didn't contacted (sic) IVAO or didn't make any contact with the NA/ANA before the release of SqWin", and the post is signed by the IVAO Executive Director.The fact that they were so quick to remove a portion of obviously malicious code makes you wonder, what did they put in in it's place?Greg Phelan

[Guest ben_hewitt]

Nice report guys, some good stuff you dug up. I

[Guest]

Same here. Only reason I can think of is to use the CIDs and passwords in order to retrieve user accounts (which by VATSIM and probably IVAO regulations are required to contain valid email addresses) and sell them to spammers (or start a spam operation themselves) and/or ID thiefs.There's big money in such lists, even tenthousand known good addresses can fetch thousands of dollars (if not tens of thousands) per sale and they may sell hundreds such lists.