Guest ovavp

SquawkWin: The Community's First Trojan Horse?


>> Do you think programmers will resort to developing such a detailed programme just to take your CID/VID and associated password?? There are far simpler ways to do it.

You're right, probably not. Then again, it'll indeed be a very simple way if the malicious intent is present and the detective work didn't manage to catch anything. And then suddenly one day, boom! something bad happens, security's been compromised, and no one will know what actually caused it. That question is equal to "Do you think programmers will spend all their time hunched at their desktops to come out with a virus that doesn't do anything really bad but just spams people and shuts down networks?" The answer is clearly yes, it happens all the time, and it's illegal. For example, virus catchers spend their time poring over source code to determine the payload of viruses; they are truly detailed programs. I'm not saying that's exactly what's happening, but that is a distinct possibility.

>> Carelessness is not equal to maliciousness

Sure. But initial carelessness followed by hitting back/evasion strongly suggests the latter, you think not? At the very least, due diligence requires us to have that at the back of our minds.

Guest

They NEVER admitted they did anything wrong. Instead they claim to have removed the "version check" (which wasn't the issue anyway), which they had previously denied was even there. Nowhere have they given any indication as to why they were stealing user account data, nor any apologies, nor have they said they've removed the malicious code. And even if they had, most people are now awake and won't trust them at their word to not have put something else in instead. Without a complete analysis of their code and runtimes both, I'd not trust anything from them at this stage.

SB Relay doesn't phone home, neither does AVC or SB. SB Relay is just that, a relay that passes data between FS and SB. SB and AVC connect only to VATSIM or IVAO servers and not to some 3rd party machine.

Carelessness indeed is not malice, but denying you ever were careless and spreading false statements about the legitimacy of using the software point strongly to malicious intent. Whether they were planning to do more with the gathered information than satisfy their own curiosity I don't know or care; the very fact that they went to such lengths to get the information in the first place tells me there was more at stake in their operation than just finding out how many people were using their software, and that they hoped to gain some financial reward from the stolen data (either from spammers, identity theft, or some other illegal enterprise).

Guest PittsburghII

No, indeed carelessness is not equal to maliciousness. That is absolutely true. However, as programs become more and more complex and involved, carelessness costs an ever increasing price. And yes, there may be simpler ways of getting my credentials, but I do think that the more disguised these methods are, the longer they will go undetected (think of the reason that the AVSIM team started the whole investigation: due to some claims made by the SunTeam that they would otherwise have no basis for unless they had access to information they were not supposed to have).

Whether or not you are happy with the current networks is not really an issue here. Nor is whether you are unhappy with the claimed closedness of the networks. If you don't like it, what is stopping you from developing a completely open source, open protocol etc. network? I, for myself, do not think of it as a big hassle to connect SBRelay, SB and AVC...

Pittsburgh

Guest babua

I think I've been bad at communicating..

1. No one is denying the effort of AVSIM. It was a class act! But it's not as serious as it was made out to be; there was a huge amount of sensationalism involved. My opinion.

2. It was an oversight on the part of the programmers to keep the version control utility unchanged. I know that.

3. Programmers, as many other programmers will vouch for, are high on IQ and low on EQ, so their behaviour, response and actions have been hopelessly immature, especially when they speak a foreign language and are "translated". Nobody is denying or protecting them on that. They should have apologised, declared their name and, like good old men, told the whole story here. They have not done it because their EQ, I think, is still at juvenile level.

4. The online community suffers if networks become proprietary and restrictive. We criticize Microsoft but do not think twice when we do the same. This is the crux. If the version control was removed, now networks should test it and give us a go ahead, and not ask the developer for source code or ask him/force him to customize the s/w so that it works only for one particular network.

We are an online community, and at one extreme we have innovative developers who "steal" our details, and at the other end we have networks who take away from us the enjoyment by curtailing innovation. As an online community we must balance both....

That's all I meant to communicate. It does us no good to toe a particular line!!

Guest Philip Olson

One thing that I find interesting is that no matter how many times the Sun Team is asked what they were going to do with the passwords, they do not answer; all they do is insult those who ask. I want to know why. It is not wrong for me to want to know this, but yet they are acting in exactly the same way as those that they accuse of killing their software. For the Sun Team to act in any manner other than honesty and humility is a stupid move since it obviously implies guilt, right or wrong. In my opinion anyone that defends the stealing of someone's password, no matter what it is for, is either completely naive about the dangers that can occur when this happens, or has some agenda. Most of the defense of the Sun Team makes no sense to a rational person; things like "who cares if there is one more piece of spyware on my computer" are the mutterings of fools, since anyone with a modicum of intelligence will protect themselves as much as possible. It could be that these are people, even kids, that don't have anything on their computer that is of value or do things like shop or bank online, but most of us do, and with the popularity of identity theft these days you would have to be an utter fool to excuse any software that collects personal data, of any sort. While there may be problems with the current systems, it is a sad truth that you will have to play by their rules; that is life, and if you do not like it then create your own network. I am not defending the current networks, but that is how life works, right or wrong. There is not a whole lot that anyone can do about it, so somehow blaming them for this mess does not jibe. Working with people to change the status quo works; attacking them and demanding change on your terms does not. It is utter arrogance or childishness to think that acting in this manner will achieve something positive.

In my opinion the Sun Team has acted in a completely questionable way through this entire affair; logically there is no defending what they did, and especially the way that they have responded to it. If it was an honest mistake, why did they deny it, then attack people, then change the code, then continue to attack people? Some people have asked the simple question "why were you collecting the passwords?", and to this day no answer has been given except for snide remarks. People, this is not good. I understand the need for better software, but you will never gain the respect or trust of anyone acting like that. If this was a mistake by the Sun Team, all they would have to do is show some humility and answer the questions, but they don't; that is a real concern for me. I am sorry that this happened. It sounds like maybe this could have become a great piece of software, from what some have said, but I doubt that it will see the light of day now, since most rational people cannot trust it anymore, not so much because of it collecting passwords but because of the way the Sun Team reacted to being caught. It is just too bad that they, and some of their defenders, could not see that most people take this kind of thing seriously and need to be able to trust that their software is not collecting personal data. I know that this has caused a bigger problem for the flight sim community too: trust. Now people are going to question if they can trust what they download, and that is very sad. Too bad the trust that has existed for so many years was ruined so quickly and the people that did it don't really seem to care. Sad situation all the way around!

Philip Olson

Guest jacaru

>> we have the underdog appearing to be 'bullied' (far from the truth, but an easy thing to subscribe to)

Equally easy is just accusing the SunTeam of whatever you want. We are just a bunch of people expressing opinions, and yours is not more valid than mine or others' just because you say so.

>> I'm asking you: WHY in the name of God would any of us EVER trust ANYTHING coming from them in the future?
>> I've puzzled over this myself too.

Who should decide what programs I run on my computer as long as they do not harm anybody? You or me? Respect everybody's reasons even if you don't understand them.

It is as obvious that the SunTeam did not act the correct way as it is obvious that there is a clear problem with the software development for virtual online pilots. I posted this in the SunTeam forum, take a look:

Let's see in which points you do not agree here:

1. The server should be stronger against bad clients on the network.
2. There should be an open protocol specification common for all networks, or an API provided to cover this protocol.
3. Each network could extend this protocol with its particular features, but these should not be required for common operations.

Would this situation be desirable? Yes.
Are we moving toward this? No.
Are we moving in the opposite direction? Yes.
Can this be achieved without inter-network collaboration? No.
Are different networks collaborating? No.
Why? I don't know.

Jaime.

Guest jacaru

>> No - NOT EVERYBODY realized that it was an "Oversight". It's too late for THAT excuse. And strangely, it comes from a group who claims that they have the best and the most professional team. Poor and lame "tail between hind legs excuse". No, we don't buy that either.

And who decides SquawkWin is not good enough for the community? Who has to forgive the SunTeam? You? VATSIM? IVAO? I think it's each user's decision.

Now, if each network decides to ban SquawkWin just because they don't like the Sun Team, they don't know who they are, it did not meet the code review requirement, or because of the things they did wrong, when it is proven the software qualifies for use and does not disturb the network whatsoever (and remember these verifications wouldn't be so hard to do if IVAO, VATSIM, FPI provided developers a framework to work with instead of competing in a selfish manner between them), it sucks.

They can do it, it's their networks, but not on behalf of the community. I don't feel represented by any of them since they take their decisions on their own, and these decisions are made in the best cases based on what they think is better for the community. But they make their mistakes, as it is clear that we are not heading in the right direction.

This is my opinion, I'm not against anybody.

Jaime.

Guest jacaru

> Whether or not you are happy with the current networks is not really an issue here. Also if you are unhappy with the claimed closedness of the networks. If you don't like it, what is stopping you from developing a completely open source, open protocol etc. network? I, for myself, do not think of it as a big hassle of connecting SBRelay, SB and AVC...
>
> Pittsburgh

I wouldn't ask for so much. I would only ask for a community not based on independent organizations that each go their own way, but on organizations that, while keeping their independence in aspects where competence is healthy, would also collaborate together in those aspects where it is better to do so on behalf of the community as a whole.

When the users lose all the influence they had in decisions which affect the community (right where we are heading now), and when the only response we get is "if you want this, do it yourself", that's what I don't like.

The fact that you are happy with how things are now doesn't mean you shouldn't hear other people's proposals or opinions, and help them while you can. And I don't think this is the first time this is brought up, so I might not be the only one that thinks like this.

If all you can tell me is that we are on our own, then I won't bother discussing any more with you.

Jaime.

Guest PittsburghII

Don't discuss with me then. And also, stop putting words in my mouth that were never there, neither implicitly nor explicitly! Where on earth do you see that I am opposed to hearing other people's opinions or listening to their proposals? All I argued was that just being unhappy with the way things are presently does not give anybody, neither developer nor supporter, the right, morally or legally, to go about and ###### information that they are not allowed to get!

Whether you like it or not, if you dislike the way things work on either network, all you have the right to do is to influence things according to the agreements you signed when you initially enrolled. This, by the way, applies also in society at large. I guess (or rather hope) you realize that.

Pittsburgh.


Jaime, you seem to be a reasonable person, but I think you're missing the point here. The point is not whether the current system is good or bad, or whether it can be improved, or whether open source is good or not. These are all important points, but they are peripheral issues.

What matters is that here we have a team who already are highly suspicious, whose intentions are not known. This has got nothing to do with the points in the previous paragraph; they are 2 different matters altogether.

I'm also very interested in how come you're not more wary; imagine a person going into your house to take something (by mistake or not), surely you'll want to be more wary instead of thinking no more bad things can happen and inviting the person back for some coffee?

>> Why? I dont know.

I don't know either. I'm not sure whether your suggestions are good or bad either. But that's another story for another day...

Guest jacaru

> Don't discuss with me then. And also, stop putting words in my mouth that were never there, neither implicitly nor explicitly! Where on earth do you see that I am opposed to hear other peoples opinions or listen to their proposals? All I argued was that just being unhappy with the way things are presently, does not give anybody, neither developer nor supporter, the right, morally or legally, to go about and ###### information that they are not allowed to get!
>
> Whether you like it or not, if you dislike the way things work on either network, all you have the right to do is to influence things according to the agreements you signed when you initially enrolled. This, by the way, applies also in society at large. I guess (or rather hope) you realize that.
>
> Pittsburgh.

Sorry, I didn't mean you but the people that make decisions. We already know the SunTeam did wrong. I'm not justifying them. And the agreements don't let the user change anything. The problems existing, in my opinion, do not happen only within organizations, but also beyond them. I mean, if we think IVAO & VATSIM should collaborate a tad bit more, how can we make that happen?

Jaime.

Guest jacaru

> Jaime, you seem to be a reasonable person, but I think you're missing the point here. The point is not whether the current system is good or bad, or whether it can be improved, or whether open source is good or not. These are all important points, but they are peripheral issues.
>
> What matters is that here we have a team who already are highly suspicious, whose intentions are not known. This has got nothing to do with the points in the previous paragraph; they are 2 different matters altogether.

I took the opportunity to discuss this because of what has happened. I mean, there's a lot of anger here and a lot of people wanting the heads of the SunTeam rolling. They did wrong, and they have the opportunity to explain and to correct. And for me, they will always have that opportunity. And there's nothing more to say about this. If their software continues to do these strange things, people won't use it. Full stop. I don't want to know who they are, I don't want to accuse them of anything, I'm only interested in the evolution of their software; it will speak for them.

> I'm also very interested in how come you're not more wary; imagine a person going into your house to take something (by mistake or not), surely you'll want to be more wary instead of thinking no more bad things can happen and inviting the person back for some coffee?

I'm not wary because I know a lot of people will have a close look at the software and that it won't enter the community if there is something strange with it. And there's no need of code review for this. It has been proven, and they did have to correct the program. And it happens with every piece of software: if it has spyware or malicious code, it gets noticed and people don't use it. The code review thing is good but not realistic. I would like all the software produced to have to go through a code review, but in that case we would still be in the 80's.

I sincerely think there are a lot of other means of securing the network that will benefit all.

> >> Why? I dont know.
> I don't know too. I'm not sure whether your suggestions are good or bad either. But that's another story for another day...

I think it's related. If the networks collaborated to ease the collaboration of third party developments, things such as this wouldn't happen.

Jaime.


>> i would like all the software produced had to go through a code review but in that case we would be still in the 80's. I sincerely think there are a lot of other means of securing the network that will benefit all.

I agree with you that in most cases, it might not be necessary to go through a thorough code review. However, this is not something that we have any right to decide. The reason is that VATSIM is not obligated whatsoever to provide us with this service. They don't have to do it, period. It is simply a gift. It's freeware. Yes, people can suggest things and so on, but the service does not owe the users anything, and vice versa. So they have a right to their own rules and whatever measures necessary to ensure the network's integrity.

Since there is some (very justified) suspicion with the new client, surely any responsible administrator would want to tear the source code apart (with the necessary NDA agreed) to see if everything is working as it should (much like how an antivirus person working at Symantec pores through a suspected new virus they've received). Any less would really be irresponsible on their part, I feel. They have a responsibility to those who've placed their trust in their network and would guard that trust to the best of their ability. I think that's a very reasonable thing to do. And if I were the supernova team, and if I knew that this is just an unfortunate mistake, obviously I wouldn't mind submitting it for review; it's the least I could do after inconveniencing so many people already. And yes, at least I'd reveal who I am, and explain myself. :)

Guest Thomas Nyheim

Actually, if you take the time and climb the ranks, you could make a difference. I think that if you came up with constructive ideas (not just "we want better server software"), you have a better chance of being heard (keep in mind that the people at the top of VATSIM/IVAO don't read the forums often, so that is not a good place to speak your mind if you want to be heard by them).

Thomas Nyheim
Chief Pilot, UVA
VA-Director/Events NY-ARTCC

Guest rcarlson123

> I think everybody realized by now it was an oversight on their part and they rectified their mistake. Did they have malicious intent? Do you think programmers will resort to developing such a detailed programme just to take your CID/VID and associated password?? There are far simpler ways to do it.

We don't know if they had malicious intent. We don't know their intent at all. That fact is at the very core of the issue. They have not come forward to tell us why they collected our passwords. They tried to make us believe it was part of a version check. They lied, covered their tracks, passed the buck, pointed fingers, and even accused VATSIM of orchestrating some grand conspiracy against them.

Personally, I doubt their intent was malicious. I believe it was just a simple mistake. However, they claim to be experienced developers, and as a developer myself, I can say that a simple mistake that results in people's passwords being transmitted to a third party is a major amateur blunder. Whether or not that password has any real value outside of VATSIM is completely irrelevant. The only point of relevance is that they made this huge (yet simple) mistake, and tried to cover it up. We have no reason to trust them, and every reason to distrust them.

> Let me ask you a question in return? Are you happy with the SB Relay, SB, AVC and the associated harangue to connect? That PID/VID you have is just for this purpose to make your online flying better!! or are you happy as an online flyer that the community is becoming closed and proprietary by the day!!!

Yes, I'm happy with SB2 and the required support programs. I use them every day. I love flying on VATSIM, and the fact that I have to start a few small programs to do so is of no consequence to me. None.

I'll be happy when SB3 comes out, not because it means I won't have to start SBRelay and AVC, but because it will provide smoother movement of aircraft around me.

> Carelessness is not equal to maliciousness

No, but either one gives cause for distrust. If you were a mountain climber, and your climbing partner was proven to be careless, would you willingly continue to put your life in his hands? I sure wouldn't. If you did, you'd have a death wish. Same thing, albeit on a smaller scale: if your software developer was proven to be careless, would you continue to trust his software? I wouldn't.
