Vengeance Producer Suite - AVENGER - 1.8.5 the main thread

[Norrin_Radd]

No kidding, eh. Seems like this is some virtual dongle, which I am actually not okay with. I might have to investigate a refund, because this was sprung on me only on the activation page. Not only should you not open ports light heartedly, you shouldn't just accept superfluous failure points be encoded in to software you are purchasing when you have done nothing wrong and just shelled out a fair amount of money.

Not sure why Avenger has to continue being more and more convoluted. It's my all time favourite VST open in every project, but it is slowly being turned against me. I am only just barely okay with physical dongles. But a virtual one is something I cannot abide by. I get you want to stave off pirates, but I am a legit paying customer who is seriously being turned away. If I need to use this thing to access the expansion I just bought it's a deal breaker.

I might have to even make a video about this instead of a review of the expansion. This is honestly how Skynet gets started.

[Caine123]

the problem with opening specific ports is its safety. of course someone could use it to get on the system etc. but im not an expert in it safety. still i would be VERY cautious with opening ports!

[SLiC]

Is CodeMeter what Reason uses? There are a lot of Reason users right, surely it must be OK?

I am not particularly happy having another app running in the background (as I already use ilok and elicencer), but ultimately its working not realy and hassle once you set it up....certainly mot enough of an issue to make me give up using Avenger

[Norrin_Radd]

I will still use Avenger. I just wont buy any more expansions if this is the path forward. A line has to be drawn somewhere, and I am starting to get extremely motivated to call this out.

I also find it really disrespectful to not inform buyers until the registration page. No sir, I don't care for this at all.

[Hanz Meyzer]

AFAIK, you can disable the webadmin component later, it runs fine without (you need a full/root accessible macos for that, not crippled apple shit). You will have to trust this company blindly and the codemeter vendor, too.

As I understand it, it works like this:

You visit the register page, and it contains javascript code that locally (127.0.0.1 / localhost) communicates with the installed codemeter driver thing (maybe node.js based or so). Which private or system information are spread to the developer is not clear. It could be anything, since codemeter runs with root rights:

Bildschirmfoto 2019-12-18 um 14.04.49.png

So I would highly recommend you to block these ports 100%. Still it can leak data thru the localhost connection to the javascript of the webpage, and then your browser can submit it to anywhere thru normal browser ports/connections, since the browser usually is allowed to transmit data. I might do a data analysis later, because now I am curious.

Obviously the codemeter root service is pretty active all the time, so it does something all the time. There are like ~45 reactivations each second.

[Norrin_Radd]

I would love some additional data on this, if you can find any. I am actually pretty committed to creating a video about this now. My channel isn't enormous, but this is actually something I am very passionate about. Personal privacy and security. We give and we give and we give, and they just keep taking. This is not the path forward, for me, at least.

[Norrin_Radd]

I would love a chance for the developer to respond here soon. Maybe I have the wrong idea, or maybe there are alternative options available. But right now, this has me seeing red.

[Caine123]

thanks Norrin for taking responsibility, the best way to get a response is to write support.

[Caine123]

i just checked and it seems iLOK and elicenser dont need special ports but authorize via standard port 443? can anyone confirm?

[Hanz Meyzer]

Ok, here is some additional info: It seems to transmit no data usually, but once you go to register page and click "manage licenses", it transfers so far a pretty tiny amount of 1KB data (mac activity monitor is great btw. ):

Bildschirmfoto 2019-12-18 um 14.17.55.png

Using the free network traffic sniffer tool Wireshark and selecting loopback device (localhost self communication), I see the following kind of communication:
- "wibu" websocket access
- It communicates with m v1.cmwebsocket.wibu.com
- It runs commands thru the websocket like: ListDongles (pending, success)
- Then it transfers info about the webpage (register.vps-avenger...)
- Then "ListCmActLicenses", license containers "keilwerth audio"
- A lot of very small messages in between, I guess connection status messages

Bildschirmfoto 2019-12-18 um 14.42.48.png

So it looks like here only the license info indeed is transferred, rudimentary.

The interesting part would be, what happens in the moment you activate a computer. This moment should be recorded with Wireshark on loopback device (after deactivated webadmin).

My conclusions:
- It does not seem to transfer a lot of data, at least on the initial list licenses page
- Still it could transfer more data to localhost javascript, as soon you visit such a webpage.
- Blocking all internet access for it completely is highly recommended. It will work anyway, thru localhost/loopback/javascript connection
- It should not run as root, since this is a security flaw
- You will have to trust at least two companies. On the other side, some info has to be transmitted, and an "allow network" requester does not help at all.
- Disable the webadmin component manually after installation of codemeter driver, if you couldn't do so in the component selection, it is not required.
- codemeter got reputation because of Propellerheads using it
- It is unlikely they would transmit any private data.

[Caine123]

Ok, here is some additional info: It seems to transmit no data usually, but once you go to register page and click "manage licenses", it transfers so far a pretty tiny amount of 1KB data (mac activity monitor is great btw. ):
Bildschirmfoto 2019-12-18 um 14.17.55.png

Using the free network traffic sniffer tool Wireshark and selecting loopback device (localhost self communication), I see the following kind of communication:
- "wibu" websocket access
- It communicates with m v1.cmwebsocket.wibu.com
- It runs commands thru the websocket like: ListDongles (pending, success)
- Then it transfers info about the webpage (register.vps-avenger...)
- Then "ListCmActLicenses", license containers "keilwerth audio"
- A lot of very small messages in between, I guess connection status messages
Bildschirmfoto 2019-12-18 um 14.42.48.png

So it looks like here only the license info indeed is transferred, rudimentary.

The interesting part would be, what happens in the moment you activate a computer. This moment should be recorded with Wireshark on loopback device (after deactivated webadmin).

My conclusions:
- It does not seem to transfer a lot of data, at least on the initial list licenses page
- Still it could transfer more data to localhost javascript, as soon you visit such a webpage.
- Blocking all internet access for it completely is highly recommended. It will work anyway, thru localhost/loopback/javascript connection
- It should not run as root, since this is a legal/security flaw
- You will have to trust at least two companies blindly

thanks a lot!
i will analyze it at home further.

[Norrin_Radd]

Wow! That's some excellent security sleuthing. I remember Wireshark from Data Communications class many moons ago . Never was very good at it, despite it being my major.

The blindly trusting two companies is where my red flags get raised. I don't inherently believe these companies are nefarious, I just see it as a vulnerability and a bad practice going forward. I would REALLY like to see VST developers move away from this practice, because it can only weaken our systems, not strengthen them. If there is a problem with piracy, this seems like the nuclear solution.

Why not just go with iLok?

You seem to know a lot more of this stuff than I do. Can you help me understand why I am okay (begrudgingly so) with physical dongles like iLok and eLicenser, but the software one raises a red flag? Do I have to do any blind trusting with the physical dongles?

[Hanz Meyzer]

Yeah, but actually you have to trust a bunch of companies nowadays, yes it is not secure, but sadly very normal (e.g. you trust Apple, Microsoft, Google all the time, even without knowing etc). The standards are super low.

Thanks, but I am not a network expert either, it is a very interesting topic though, the tools are easy to use (at least on macos), and I think really knowing is better than believing

The ilok software is the same intrusive as codemeter (so far only speculation without in-depth analysis), as far as I can tell, because:
- It also runs a root system service permanently (which doesn't normal communicate):

Bildschirmfoto 2019-12-18 um 15.06.04.png

- Then it runs the ilok license manager software locally, with root rights
- It also could transfer anything from your computer
- It uses lot less CPU, so it is better optimized (only one reactivation per second)

The WIBU guys are more clever here, using this localhost loopback javascript construction, they prevent firewall alerts at the user (like with ilok), but still can get full access of any data. So it can be considered as some smart trick to circumvent firewalls. And normally people feel safe in a browser, too, not knowing it could communicate to localhost using javascript.

[Ryan99]

I would love a chance for the developer to respond here soon. Maybe I have the wrong idea, or maybe there are alternative options available. But right now, this has me seeing red.

The developer responded many times for a long time, but after neverding bashing on every decision VPS made, he left the building.

[billybong]

His job was done. Godspeed oh mighty warrior.