Sued by Altium - Don't Do What I Did!

[AndyBeez]

When you run altium it doesn't work unless your license is validated by the Alitum server, and it tell you in the software whether it's legit or not.
Doesn't this imply that Altium have approved the license for use?
This is not hacked software that bypasses the Altium server check or something, right?

Hacked software often strips validation routines, such as pawning a conditional in the byte code from an equals to, to a not equals to. Vis: If not has a valid membership card then eat for free. Hackers also strip phone home addresses, often routing to localhost if another bypass mechanism is not available. So why then did the Altium server still legitimatise this phoney copy? Because it was a legitimate unabridged pirate copy?

Maybe Altiums keygen was nothing more than a weak hashing or, a DES crypt with private keys visible as strings in the binary? Or did (oops) Altium expose their keys to the world wide web due to a misconfiguration? Whatever, someone with a specific interest in Altium - why not Adobe Photoshop - spent time and effort attracting an interest from a very small community and, built a money laundering pathway.

And on this pathway, I again ask the OP if they can remember the BTC transaction id TXID, as their payment will be forever visible on a blockchain explorer. What other wallet history did/does the scammer's wallet have? Becuase this is where Altium's legal circus should be directing their enforcement effort.

[Black Phoenix]

And on this pathway, I again ask the OP if they can remember the BTC transaction id TXID, as their payment will be forever visible on a blockchain explorer. What other wallet history did/does the scammer's wallet have? Becuase this is where Altium's legal circus should be directing their enforcement effort.

True, but why lose man time amd money following a lead that could result in not being able to enforce a fine or a criminal conviction (some living in Russia or China for example) when they can go easily to who was caught with the pirate key and ask him to pay?

Clearly as this situation developed, it was way easier to get what they wanted this way.

[envisionelec]

And on this pathway, I again ask the OP if they can remember the BTC transaction id TXID, as their payment will be forever visible on a blockchain explorer. What other wallet history did/does the scammer's wallet have? Becuase this is where Altium's legal circus should be directing their enforcement effort.

ALL possibilities were exhausted.

[tszaboo]

We can thank the OP for sharing the story to serve as a warning to anyone else who thought this might be a good idea to do.

Lesson here is that if you bring your own computer to any corporate network be careful about what you let into the internet or tunnel your way out of there before going into the internet.

Probably the same will happen when you are delivering the results as the consultant. The same information is saved to your project file, when they open it at the corporate network, it checks if the computers creating the files had a legitimate license. Computer name for example is clearly displayed on the schematic properties.

[JohnG]

For example, science is admissible in court, but strictly in the form of a witness testifying to such (or related material doing the same: affidavits, briefs, etc.).  Two witnesses can give perfectly contradictory "scientific" evidence (on, according to science, "well proven" subjects), and this is perfectly consistent from a legal standpoint.  Whereas in science, such a contradiction would be, at best, paradoxical, and more likely simply out-and-out false.  But in law, such contradictions are simply unresolved allegations.  Any points the parties do not contest, or consent to, or agree upon; and which the judge has not dismissed -- are left to be proven in a court, in front of a jury of peers -- if taken this far, it is left up to the common man to decide which points are legal fact and which are not.  (Scary, huh?!)

Tim

AFAIK your are completely correct on this.  And totally scary.  This is the feedstock of the current wave of ambulance chasers going after Roundup here in the US.  There is still some scientific dispute about whether Roundup is the primary culprit in a family of diseases, but after a single jury of 12 non-scientists decided that Roundup is the cause it is now legally an established fact.

I would say that this situation is not so simple. I do not know about Roundup in particular, so I am not referring to this. However, I have a close relative who worked on these sorts of cases for a number of years, and got to learn some interesting things. There are many other things that sway juries in these cases that don't make it to the general public: These include proprietary scientific data that was never published, business discussions regarding funding external entities (generally universities and associated professors) and reviews and suggested edits before publication of data, including leaving out unfavorable data. In addition, there are a surprising number of outright incriminating communications about burying undesirable scientific results. Juries do not need much scientific training to handle the latter, but these are also part of the evidence that must be weighed.

Also, at least in medical and biological sciences, scientific publications are really poor quality compared to engineering and physics, for example. It is a recognized crisis, in fact, with two main concerns: inability to replicate studies, and a paucity of negative studies.

John

[jpanhalt]

An exception to the laxity of introducing conflicting science is "Judicial Notice."  For example, if an attorney tried to present a "flat Earth" expert, the judge might take judicial notice that the Earth is roughly a sphere.

https://www.law.cornell.edu/wex/judicial_notice#:~:text=Judicial%20notice%20is%20used%20by,evidence

[envisionelec]

Probably the same will happen when you are delivering the results as the consultant. The same information is saved to your project file, when they open it at the corporate network, it checks if the computers creating the files had a legitimate license. Computer name for example is clearly displayed on the schematic properties.

Interesting point, but I had two customers that each had Altium in-house and no problems or suspicions arose.

The exhibition provided by Altium contained the License Name, IP address, WiFi Location (if available), MAC and the activation code. And it was the activation code that I found on a list of “cracked” activations when I Googled them.

You know that feeling when your heart sinks into your stomach on learning bad news? That was the feeling. 

[T3sl4co1l]

We can thank the OP for sharing the story to serve as a warning to anyone else who thought this might be a good idea to do.

Lesson here is that if you bring your own computer to any corporate network be careful about what you let into the internet or tunnel your way out of there before going into the internet.

Probably the same will happen when you are delivering the results as the consultant. The same information is saved to your project file, when they open it at the corporate network, it checks if the computers creating the files had a legitimate license. Computer name for example is clearly displayed on the schematic properties.

Really?  Under which keys?

Everything in a PrjPcb looks pretty stock, there's identifying information like paths and printers sure, but not the kind of stuff you're talking about.  At least that I can see at a glance.  (For those unaware, it's just a [section] ... key=value formatted file, plain text.  So, any such data has to be stored similarly.)

Not sure if the same is true of SchDocs as they're binary, but they also largely encapsulate ASCII plaintext, by the look of it anyway, so it wouldn't surprise me if the same kind of key-value sets might be present, including for such data.  (I say that despite the obvious value of obfuscating such data with some manner of binary encoding; there doesn't look to be any blocks of such present.)

Tim

[ajawamnet]

I'm curious whether they can provide a written statement of proof of legitimate ownership.  Or title if you will.  Would a salesperson have the legal authority to issue such a statement?  A manager?  Their legal side?

When you run altium it doesn't work unless your license is validated by the Alitum server, and it tell you in the software whether it's legit or not.
Doesn't this imply that Altium have approved the license for use?

This is not hacked software that bypasses the Altium server check or something, right?

A Standalone license does not do that.  In my installations when I sniff on my switch's mirror port, I see no traffic to altium.  In the Preferences - Network I shut all of that off and it seems to work - no network interaction with anything...  If you have a standalone license, get a netgear that you can make a port mirror all traffic, and run wireshark or some other packet sniffer..

 In fact, a lot of our installs are behind one way transfers so there's no way any traffic can get down to the low/black segment.  For other installs that have internet access, we are not allowed to use things like Altium or Cadence's on line crap since it's not ITAR.  Altium even mentions this in their tech notes

https://www.altium.com/trust-faqs

where:
"At present, Altium 365 does not have official government certifications and is not ITAR compliant."

There's a reason we use standalone licenses...

[PlainName]

I'm curious whether they can provide a written statement of proof of legitimate ownership.

I'm sure they could, but the more appropriate question is whether it would be in their interest to do so, and I think it's pretty clear that they would consider it not to be.

[thm_w]

Hacked software often strips validation routines, such as pawning a conditional in the byte code from an equals to, to a not equals to. Vis: If not has a valid membership card then eat for free. Hackers also strip phone home addresses, often routing to localhost if another bypass mechanism is not available. So why then did the Altium server still legitimatise this phoney copy? Because it was a legitimate unabridged pirate copy?

Maybe Altiums keygen was nothing more than a weak hashing or, a DES crypt with private keys visible as strings in the binary? Or did (oops) Altium expose their keys to the world wide web due to a misconfiguration? Whatever, someone with a specific interest in Altium - why not Adobe Photoshop - spent time and effort attracting an interest from a very small community and, built a money laundering pathway.

There are a few pirate Altium licenses, same ones for 10+ years?, but, it also includes instructions to copy a dll "shfolder.dll" to the Altium installation.
The included "keygen" is simply a way to change the text details of the existing license alf (to display "licensed to xx company name" like OP refers to), it will not let you generate new keys.
So if OP had been given custom installer files, you'd think it wouldn't work without the dll (I have no idea what that dll actually does though), and you'd think updates wouldn't work.

If you attempt to use the online features with the widely available crack, do they work? I don't know if someone is willing to risk it to find out.. As I mentioned above, kind of stupid but also devious, if Altium is purposefully allowing these very well known copied licenses to access their online features/365, etc.

Probably too late to check at this point, but, maybe OP can recall if it was one of the following keys:

[Bud]

.. I found a seller on a forum who claimed to be selling the assets of a large contract manufacturer located in or near Poland.

That may point to Ukraine as the source. Altium has/had a development team there. Could had been a corrupt developer or a  pimp from one of local forums where leaked keys were floating which you were not aware about.

[Microdoser]

The confidence came when the seller sent me screen shots of my company information on the AD license page.

So I guess the moral is, if you are concerned your copy of Altium might not be legit, is to make sure your information is not on the AD license page.

[envisionelec]

There are a few pirate Altium licenses, same ones for 10+ years?, but, it also includes instructions to copy a dll "shfolder.dll" to the Altium installation.
The included "keygen" is simply a way to change the text details of the existing license alf (to display "licensed to xx company name" like OP refers to), it will not let you generate new keys.
So if OP had been given custom installer files, you'd think it wouldn't work without the dll (I have no idea what that dll actually does though), and you'd think updates wouldn't work.

If you attempt to use the online features with the widely available crack, do they work? I don't know if someone is willing to risk it to find out.. As I mentioned above, kind of stupid but also devious, if Altium is purposefully allowing these very well known copied licenses to access their online features/365, etc.

Probably too late to check at this point, but, maybe OP can recall if it was one of the following keys:

The activation code is in that list and as I have stated earlier in the thread, I did quite a bit of reconnaissance work but stopped short of trying to download a pirated version to test it. Your explanation seems the most plausible.

[envisionelec]

The confidence came when the seller sent me screen shots of my company information on the AD license page.

So I guess the moral is, if you are concerned your copy of Altium might not be legit, is to make sure your information is not on the AD license page.

I’m not understanding what you’re trying to say. My company name appears on the License page in Altium just as it did with the pirated copy. I could not tell a difference and still cannot.

[thm_w]

The activation code is in that list and as I have stated earlier in the thread, I did quite a bit of reconnaissance work but stopped short of trying to download a pirated version to test it. Your explanation seems the most plausible.

So that is interesting if it works without the shfolder.dll crack, presumably once AD goes online it activates.
Says that Altium is knowingly providing online services to widely available pirated license keys.

Its in their best interests for them to keep these keys valid, for whatever reasons. Speculation in the past has always been to not make software too hard to crack, to promote wider use. But this also helps with tracking.

I’m not understanding what you’re trying to say. My company name appears on the License page in Altium just as it did with the pirated copy. I could not tell a difference and still cannot.

I think their point was that the company name on the license should be the person that sold it to you. Of course, its all completely meaningless as you know now.

.. I found a seller on a forum who claimed to be selling the assets of a large contract manufacturer located in or near Poland.

That may point to Ukraine as the source. Altium has/had a development team there. Could had been a corrupt developer or a  pimp from one of local forums where leaked keys were floating which you were not aware about.

Anyone can just google and find these keys. They've been widely known for over 5 years.
But sure, original source was likely some leak or hack.

[envisionelec]

I think their point was that the company name on the license should be the person that sold it to you. Of course, its all completely meaningless as you know now..

I see. I interpreted it as a successful license transfer at the time.

[JohnG]

FWIW (free, you get what you pay for, blah blah, etc.), in other areas of the law, knowingly allowing someone to commit a crime, or violate a contract, means that you have given permission for that activity and as a result any future case you file in court or otherwise try to prosecute can become much weaker.  Trademarks are one example.

So, the longer they knowingly wait to prosecute, the thinner the ice gets, so to speak, because at some point they are allowing it to happen. A risky strategy on Altium's part, perhaps? Someday they will hit someone who is itching for a fight or feels that they have little to lose.

It seems to me is that this kind of activity is certainly going to alienate some portion of the userbase. I know for sure that if I were a consultant or independent business and absolutely needed Altium, I would save every scrap of info I ever got from Altium and ask them for written clarification on every little thing in their contract that I didn't understand. It puts the ball in their court, so to speak.

It's a shame, really. I wish they spent the money on making the tool better. I mean, engineers seem to be cheaper than lawyers these days. They are probably run by some pinhead MBA at this point...

[CatalinaWOW]

One theory about this type of behavior is they want to hook newbies and others on the SW.  Big companies know that few on this category can or will pay big bucks for the software.  But given the large investment in learning the UI will pay up when they "go pro".

This exactly fits the OPs experience.  I'm not a lawyer so have no ideà if the delay in this case puts them on thin ice, but would love to see a good lawyer pursue this defense.

[PlainName]

I don't think it is a defence. They could say that it took some time to notice in the first place, and then they took some time to be sure they weren't going to cut off a real customer, and then took some time to find somewhere to send the cease and desist (the alleged end user details may well be fake, but the clients network has a company with an actual address to which the letter can be sent).

[JohnG]

It is a defense, just a very difficult one to implement. It comes down to what is considered a reasonable time. This could be argued in court, but a common big company strategy is to scare people away from doing this. So, they can argue all those things, and it is difficult to prove what is reasonable or not. However, I have seen at least one company try these things and lose. They got too greedy. It just doesn't happen very often, and there may be agreements to remain quiet as part of the settlement.

[nctnico]

It is a defense, just a very difficult one to implement. It comes down to what is considered a reasonable time. This could be argued in court, but a common big company strategy is to scare people away from doing this. So, they can argue all those things, and it is difficult to prove what is reasonable or not. However, I have seen at least one company try these things and lose. They got too greedy. It just doesn't happen very often, and there may be agreements to remain quiet as part of the settlement.

Agreed. Letting somebody use a pirated copy for a prolonged period, equals to allowing someone to continue. You could even argue that Altium's behaviour has maximised the damage for the OP instead of taking immediate action. Perhaps the OP can reveal some details about the time that has passed between Altium identifiying him and taking action. If that is more than several months, then a defense based on allowing the situation to continue can be succesfull (depending on the law system).

[envisionelec]

Perhaps the OP can reveal some details about the time that has passed between Altium identifiying him and taking action. If that is more than several months, then a defense based on allowing the situation to continue can be succesfull (depending on the law system).

3.5 years. From October 2018 through April 2022.

It was and remains a very part time role for me - less than 10 hours a week.

[mikeselectricstuff]

One potentially interesting legal aspect - Altium are the only ones who can say whether or not a license is genuine, but they could hardly be seen to be impartial in court, so it effectively boils down to your word against theirs, with the onus on them to prove the case.. 

[ajb]

One theory about this type of behavior is they want to hook newbies and others on the SW.  Big companies know that few on this category can or will pay big bucks for the software.  But given the large investment in learning the UI will pay up when they "go pro".

Eh, maybe, but the simpler explanation is just prioritization of legal resources.  Somebody designing hobby PCBs at home for fun using a pirated version is a) less likely to have the resources to buy a license in the first place, let alone be able to pay license fees + penalties if legal action is taken b) less likely to be *profiting* from the pirated software and c) part of a very large number of people in similar circumstances.  Since a larger company is more likely to have money to put towards legit licenses as well as penalties (and may have multiple pirated licenses), be risk averse enough to want to be resolve the issue quickly (if only to cover their own asses), be profiting from the use of the pirated software the return on the expenditure of resources is much better for going after them. 

That doesn't mean that Altium couldn't have been a little more understanding in dealing with the OP, and especially that they shouldn't have left them hanging for so long without resolving the situation one way or another, but if you can't go after every single pirate license it's just plain sensible to go after the bigger fish that are more likely to cave to your demands.  It's possible that whatever tools they use for monitoring the license checks don't even bother raising an alert if that license check comes from a residential ISP IP or a coffee shop or whatever, and only pings their enforcement team when it resolves to a commercial location.

IANAL, but I don't think the 'you didn't sue me for X time therefore you can never sue me ever' argument holds any legal weight. I certainly know that a lot of licensing agreements I've seen have a specific clause saying something to the effect that failure to take action against any particular violation of the agreement is not a waiver of the right to take action against that or any other violation at any future point in time. 

All that said, it certainly does suck that the OP had to go through all of this, and that Altium weren't more understanding and responsive about it.