Harassment: ASML licensing (partial)

Wed, Feb 19, 2025 ❝The licensing mechanism (still?) used by ASML.❞

Contents

I decided to make this my first post after the introduction, because ASML has been an integral part of a coordinated long-term harassment that has been going on for 20 years. For 5+ years afterwards, I have tried to make things work, while having to deal with persistent, continuous harassment, abuse, and threats about supposed “bad things” I did. I don’t mean “someone remarks something nasty or points at something”. I mean persistent, continuous actions both on-line and off-line, continuously exposing me to obvious misrepresented situations and facts in order to attack me.

There is clearly no intention to get anything resolved, and given the way I was treated, it has become clear there never was one to begin with.

Introduction

I leave the detailed introduction to how I found this code for another post. In short, there were bugs that were blocking my team and probably most other teams, immediately during the introduction. When I say blocking, I mean: that team recently integrated the existing applications of the department in a single framework, then introduced the licensing, and then the application didn’t start at all anymore, for multiple members of multiple development teams. I submitted 3 patches and discussed with that – then newly-formed – team. I looked into surrounding code to figure out whether I was thorough in my fixes, and then noticed sha1.

Now, however hard it is to believe that this mechanism is actually employed, there is/was an accompanying ADEL-document (ADELlicense?), ASML XML-based document format of some standardized kind. Although it would be an amusing and entertaining fake, I know of no indicators that make me think it was. I mentioned in one of X/Twitter threads, that the timing of the introduction of the licensing mechanism was such that I’m not quite sure if there was any protection at all for this logic. The obfuscation, when first introduced, was fundamentally broken by bad configuration and most likely bad understanding by the people who introduced this originally. (I will also leave this to another blog-post. Don’t bother looking up the X/Twitter threads, they’re “unavailable due to a processing failure”.)

Problems/criticism

So, for a variety of reasons, I got “attacked”, i.e. multiple references concerning the licensing, during my time there. I did not know this was a problem at first, or even at all.

1. Licensing-code was in no way separated or isolated from the rest of the (same) code-base. (One colleague emphasized very clearly that there were other logic that were separated in their own modules, in a separate repository with access control for specific employees. Furthermore he mentioned that it was probably an insignificant piece of logic and he wondered why it even was separated in the first place.)

2. Colleague already noted that the licensing isn’t that much of an issue given the continuous maintenance needed which would require continued support from ASML anyways. It would essentially be a reason “not to cheat” in the first place.

3. The licensing mechanism may have already been leaked because of lack of obfuscation.

4. The licensing mechanism consists of a mechanism only. There were no techniques employed to introduce a “secret” component which was protected with very restricted access. (See Kerckhoffs’s principle.) The whole mechanism is shipped in every release of the application.

5. 8 Years have passed by now, so plenty of time to fix the issue, if they actually care.

6. Colleagues claiming that ASML was too “incompetent” to properly manage actual secrets and key-pairs. Well to be fair they were probably referring to the level of chaos due to size and growth of the company. This became a topic later during (attempted) introduction of TLS on network communication with the server-component also developed within these departments.

7. Some attempts to try and “lure” me into looking into that isolated intellectual property (IP) module, which I dismissed. I have/had no special interest, no “excessive” “curiosity”. I think they planned to make the point that I was being too curious. I wasn’t. I was trying to fix their mess. I tried to point out the risks with the way things were worked right now.

8. There is no excuse in trying to turn this around into a malicious activity: I had to help colleagues debug the issues due to the application suddenly no longer running, not even showing any screens. And in doing so I fixed the issues and sent the patches. There is an email conversation outlining the patches and circumstances. I got attacked later, despite having done nothing but assist my team members and the “problem”-team that introduced the bugs in the first place.

9. As mentioned in X/Twitter threads (“unavailable due to processing failure”) before, no proper priority was given to obfuscation and protection. Without going in detail here, marketing-department did (tried) initially. As soon as a broken configuration was delivered, priority evaporated. I fixed and improved on the protection in time lost due to excessively long compile-times (~ 1.5 hours for full build when I first started there), etc., but never got any priority to optimize the protections where possible. (Note that I got attacked for 5+ years for being an “incompetent asshole”, while the incompetent piece-of-shit who couldn’t deliver a proper configuration after multiple sprints, gets the credit.)

10. FWIW, I tried to get attention to the risks of the licensing and the obfuscation, but it wasn’t a problem that is easily fixed or changed. (That is, considering all products.) This is obviously mostly a matter of willingness, because the product did not have licensing before, so they could always have chosen to implement a proper mechanism, and they could also have decided to drop it for the risks it already incorporated. (Note that I signaled about this when the development code had just dropped and it blocked dev-teams on their development work.)

11. According to stories from colleagues, there was, supposedly, already awareness of reverse engineering efforts by customers, so the licensing mechanism was at risk as soon as it was introduced.

12. I was only at ASML for a matter of months when this shitshow started. So if anything, if there were any complaints and this is part of the excuses for attacking me, any communication, alignment and/or collaboration would have been appropriate.

13. There was no “secret” unknown value that was somewhere hidden away and injected at the last moment. The whole thing was there to read.

14. I wonder, have some suspicion, that the PO of that team (the PO later got adversarial in another capacity), probably made some mistakes during the licensing’s introduction. Maybe they did introduce licensing before proper obfuscation and this became the first stumbling block why other departments got involved. I do not recall hearing of any such causation, but in terms of timing it is very possible. However, judging by the senior of that team at the time, I am sure he would have thought about the way it was introduced.

15. There was some vague mention of another department being “displeased” about these findings, or about me having knowledge of, raising concerns or voicing opinions on these findings. (I don’t actually know.)

Now, it is also worth noting that the reason this information was memorable in the first place, is that due to issues with the mechanism it became memorable. And due to the persistent attacks and harassment, the licensing became one of the points of attention, because I was attacked on those (and many others). (And due to the stupid response over my attempt at clarification, the attacks became more evident and confirmed. More on this further down.)

There were never any “intentions” other than raising the concerns and the circumstances in which the licensing was a risk.

Attacks/distrust for voicing opinions

So it seems extremely likely, given the way I was treated and the responses both at the time and afterwards, that there people were “displeased” for voicing my responses and pointing out the risks on the licensing mechanisms and its short-comings.

There are a few matters important here:

1. The obfuscation was most likely not present, or present in far from optimal form, due to the broken introduction.
2. I pointed out the various risks with the mechanism.
3. I was told, that it is far from ideal to take development laptops (i.e. with the source code-base) to customers. However, developers do need to visit customer sites for troubleshooting novel work, running experiments, and debugging edge-cases in cases where no information (or very sparingly) is allowed to be taken out of customer buildings. Supposedly, there had been instances of “incidents” where a laptop was withheld at the customer site for periods of time.
4. I asked if there was a mechanism or tool to generate, for example, 1-day licenses such that we don’t have to take the development laptops or development licenses onto these customer sites. These are very sensible, trivial, obvious solutions that are virtually effortless to achieve. The mention of creating or working with such 1-day licenses to mitigate risks was already “problematic”.

All in all, I get a lot of attacks for making important observations, pointing out risks and trying to mitigate issues before they become a problem. I have been under constant attack for this and other “reasons” ever since.

Characteristics (general)

These are note-worthy characteristics of the licensing mechanism. Note that I write this from memory and the sparse notes I made at the peak of this full-blown harassment campaign. Some people seem to think full-on harassment and abuse is funny. I don’t. (I never possessed or saw any documents regarding the licensing mechanism.)

I will note this down in two stages of detail, in order to expose the coarser information first.

• The mechanism consists of two layers of input: the outer layer containing customer information, the inner layer containing product details bound to a customer-specific context.
• Given the use of SHA1, the risk of length-extension attacks is present and not actively mitigated.
• The separator isn’t a special case, meaning that user input can influence the separation of fields during the computation of checksum.
• Empty fields are allowed.
• When I was exploring malicious inputs, I noticed that the end-date of the license occurs before the start-date. Combining this with user-input of the separator, one can thus shift dates during computation.
• A customer ID is part of the outer layer, with 0 being dedicated to development. 0 is protected by a far more idiotic mechanism than the licensing-mechanism itself. That “check” is even easier to discover and satisfy.
• IIRC, at a later time, identifiers were introduced (or at least started to be used) to indicate allowed/enabled features.

Characteristics (detail)

Available soon

Clarification and follow-up

It isn’t exactly clear to me why, but it is absolutely clear that my findings, the concerns and problems I raised, and the solutions I proposed or enquired about, were not well received. There have been vague indirect indications, but there has never been proper communication on this. Given that I was attacked over so many other false reasons, it is hard to get any clear reading on this. However, the common denominator is that everything is rephrased and reframed as malicious, I couldn’t do a single thing right, and I’ve had to deal with a ridiculous amount of crap. They essentially let a bunch of liars and psychopaths just make up any arbitrary stories and I get attacked over them with no opportunity for (proper) discourse.

Now, I’ll take the liberty to skip a significant part of a long story, and continue a few years later. I am under constant attack, people clearly have bad intentions. It has become evident that the many actions taken during my time at ASML were taken with the specific intent to attack me. In hind-sight with very obviously related follow-up actions taken by a bunch of the same people, malicious intent becomes a lot more evident. Everything I recognize is based on maliciously twisted facts. I try to get things clarified, so I tried explaining the situation and circumstances of this, i.e. why I got to looking into the licensing in the first place. And also that, during third part of the assignment at ASML, I moved into that team that managed the licensing, so my work continued there in improving and extending mentioned framework.

The response to these explanations, is to start the occasional harassment with a well-timed helicoper flying over. As I mentioned in the introduction, any and all attempts to clarify, that resulted in me not being the bad guy, got dismissed as “petty excuses”. And then these kinds of shitty actions were taken. Attempts at getting things clarified basically got no attention. There essentially only was some result after I had written some 8+ X/Twitter threads (now inaccessible due to “processing failure”) and then also followed up with a mention of Intel, which was relevant for a project done with the second team. (Again, plenty of other stories to tell.)

At one point, I tried contacting ASML over some very specific accusation and asked to relay a message to an employee with a question, and even relaying a question was too much to ask. Given some ridiculous concern over privacy. Now, the thing is, I didn’t even ask him for any details. I simply asked him to relay the message himself. There was never any concern for privacy. He could’ve relayed the message and my name, such that said employee could decide on the proper follow-up action.

Essentially, there was no discourse. Everyone was apparently pretty satisfied with the state of liberally applied harassment and abuse, well .., except for me. So much of my time was stolen based on needless, pointless harassment and abuse, that it is worth it to document this.

Conclusion

I don’t release this because I think it will “enable” their customers. There isn’t much point in that as machines break down too, so any customer will rely on periodic support from ASML anyways. There would be benefit for software-only products, though limited. I write this because the mechanism is faulty by design, and is abused as an excuse to attack me for years. There is a concerted effort to threaten and attack me. So, according to this same misguided sense of “justice” I have to respond in kind. As noted in the introduction, I was stupid. I didn’t. Every attack was many times over initiated by others.

This is topic is one of many “incidents”, such that there is no way that all the attacks are due to one or two “cranky colleagues”. Given the insane amount of effort I have already spent trying to get anything resolved, which utterly failed. The amount of crap I’ve had to deal with based on blatantly false accusations and twisted intentions is completely ridiculous. Every other word got maliciously twisted to attack me and many people were involved. It has to stop somewhere. Any previous attempts, which were significantly milder in comparison got virtually ignored and the attacks continued.

The benefit of making this public knowledge, is that ASML and others, have one less shitty excuse for abuse over such a poorly designed algorithm for these practices.

Changelog

This article will receive updates, if necessary.

• 2025-02-19 Initial, incomplete version.