Downie’s Anti-Piracy Scare Tactic
It is being reported on Reddit that Downie 4 (a video downloader app developed by Charlie Monroe Software) contains code for a popup that claims to have deleted random files on the computer as a ‘punishment’ for allegedly using a pirated/cracked version.
Here’s what it looked like.
During this time, I was receiving reports from people running cracked versions of my apps and it was hurtful to me and my efforts. I’ve always tried to contact those users and try to convince them to use a genuine version. Many of such users do not see the effort behind the development and that it is (in the early years) matter of survival for the company.
There were, however, users running cracked versions of Downie that used fake email addresses for their reports and even included insults in their messages. Unfortunately, my mind came up with the idea that Downie would include a list these email addresses and would show a message to these users. In what you can call lack of judgement, I’ve included a message that suggested that Downie may have deleted random files, appended with a “Or am I kidding?” question. It was meant in jest (though it was very irresponsible of me) – I would never dare touch the user’s files, no matter whether genuine or cracked version. This is a line I would never cross, whether you believe it or not.
Years have gone by and I haven’t touched this code with this message in many many years now. It was a mistake ever adding it, but it was there and I simply did not think about it anymore. If a thief keeps passing your house and you set up a booby trap and the thief stops coming around, it is entirely possible that you just forget to remove the booby trap until a visiting friend falls in.
Unfortunately, one user entered the email address 1@1.com into Downie as their email address. This email address was used in one such fake-email report. This user, however, was using a genuine version, but unfortunately, the booby trap was triggered.
Piracy is a real problem. Not only do you lose revenue (some would never pay, but some would), but part of your limited time is spent troubleshooting with users who will not pay and whose support issue may in fact have been caused by whatever was done to crack the app. On the other hand, any kind of countermeasure could accidentally ensnare a genuine customer. I believe Downie’s developer that no actual harm was ever intended, but obviously even empty threats (or jokes that might be interpreted as such) are a mistake.
Previously:
8 Comments RSS · Twitter · Mastodon
I remember when a developer of (pre-Android pre-iPhone) phone software in Japan got mad about piracy and put a trap in their app to blow the whistle on pirated copies. But it was badly programmed, and triggered on every installed version, legit or pirate. The app went into your address book and sent a text message to every contact, "I am a pirate." The developer (quite rightfully) got an extremely bad reputation for abusing security privileges. That must have been 20 years ago.
I made an app that, back when it was shareware, called the user a big dumb butt if it caught them using a pirated serial number. I think more developers would benefit from taking that approach.
I get that the piracy is totally frustrating. It's classy of them to admit that they were wrong including that message. Exiting with a message that the application is pirated seems fair (as long as there are no frequent false positives).
More generally, this shows again that we should expect nothing less than Mac apps outside the app store to be sandboxed as well (except for select system utilities). Even if a developer is not malicious, an app could be exploited in other ways (e.g. security vulnerabilities). Sandboxing would stop intentionally or accidentally malicious apps in their tracks.
Love both Downie and its sister app Permute, so this bizarre lapse of judgment is disheartening to see if it brings any long-term harm to either. If this was my first introduction to them, I’d never give them a second look. Just an insanely bad idea.
Downie reads the user's system email addresses (all of them) from com.apple.mail.plist for piracy verification, not a good workflow.
The apology is worthless when Charlie called people reporting this behavior liars, on twitter, until some responded with proof.
https://app.warp.dev/block/Op589kzTPVnakMQHw1Eur3 <-- code snippet
from another:
//--
It seems like he then enumerates all of your email addresses used in Mail.app using the following AppleScript:
tell application "Mail"
email addresses of every account
end tell
They also read
~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail.plist
and enumerate the EmailAddresses key to grab emails that way too."
---//
@Dan I guess you are referring to this? The blog post explains the e-mail stuff and says it is dead code (not sure whether that’s true) and that Downie no longer has access to read the file due to SIP (true).
Unpopular rant ahead.
OK, thanks. I promise never to purchase Downie, regardless of the praise it gets.
Because I'm sorry but rationalisations of the form "The ends justify the means, because of piracy, and you must be a hypocrite if you accept that piracy is a problem" will never be acceptable. Treat your customer like an irredeemable pirate by default, not interested. In this bargain, it is I, the customer, who gets the benefits of this transaction. If you find that this makes your product unviable, you must approach the problem in a way that makes it less likely to happen, e.g. pricing, nagware, longer unrestricted periods, bundling—anything, but making it necessary to pirate. I know that's unfair, but treating customers as suspects is more unfair and I don't put up with that.
Full disclosure: speaking, BTW, also as a former pirate of software that I absolutely depended on and that was completely unaffordable to me at the time. Piracy is a social problem, even though some pirates are complete arseholes, and needs to be dealt with as such.
Man (many, many) years ago, one of the very first Mac viruses was called nVIR. The first variants of it reproduced, but didn't actually cause harm and were pretty easy to remove. As a consequence, though, you needed to reinstall all of your software.
Someone I met remarked that a virus that made you remove your software and reinstall from (legitimate) sources was just the sort of thing he could see a publisher deliberately releasing, to kill all the pirated copies of their stuff.
I *hope* he was kidding...