Harassment: ASML, licensing (complete)

Sat, Mar 29, 2025 ❝The licensing mechanism (still?) used by ASML.❞

Contents

NOTE/CLARIFICATION the decision to make this information public did not come lightly. I have been under continuous, persistent attacks for 6 years (not counting the harassment and abusive practices at work), with no ability to any sensible form of communication, no resolution, no discourse, constant harassment and abusive behavior. There are numerous human rights violations and completely regard for any (sensible) rules of civilized society. I had, repeatedly, for years warned and set boundaries. Everything got ignored. Eventually, with the publishing of UX “Trojan horse” story, I set a deadline and also –with some slight delay for consideration– scheduled the post for the full licensing information, and announced the deadline. I have been transparent about all of this. They continued to completely disregard my human rights and any recognition of civilized society. The deadline passed. This post became public. Let me be clear about this: I feel absolutely zero shame, guilt or responsibility for exposing this information. Every option for resolution and reasonable treatment had long been exhausted. They chose this route (at the very least) 8 years ago.

Abstract

I decided to make this my first post after the introduction, because ASML has been an integral part of coordinated long-term harassment that has been going on for 20 years. For 6+ years afterwards, I have tried to make things work, while having to deal with persistent, continuous harassment, abuse, and threats about supposed “bad things” I did. Things I never did or never did wrong, that were grossly misrepresented, that were made up, or were malicious fabricated from independent events. I don’t mean “someone remarks something nasty or points at something”. I mean persistent, continuous actions both on-line and off-line, continuously exposing me to obvious misrepresented situations and facts in order to attack me.

There is clearly no intention to get anything resolved, and given the way I was treated, it has become clear there never was one to begin with.

Introduction

I leave the detailed introduction to how I found this code for another post. In short, there were bugs that were blocking my team and probably most other teams, immediately during the introduction. When I say blocking, I mean: that team recently integrated the existing applications of the department in a single framework, then introduced the licensing, and then the application didn’t start at all anymore, for multiple members of multiple development teams. I submitted 3 patches and discussed with that – then newly-formed – team. I looked into surrounding code to figure out whether I was thorough in my fixes, and then noticed sha1.

Now, however hard it is to believe that this mechanism is actually employed, there is/was an accompanying ADEL-document (ADELlicense?), ASML XML-based document format of some standardized kind. Although it would be an amusing and entertaining fake, I know of no indicators that make me think it was. I mentioned in one of X/Twitter threads, that the timing of the introduction of the licensing mechanism was such that I’m not quite sure if there was any protection at all for this logic. The obfuscation, when first introduced, was fundamentally broken by bad configuration and most likely bad understanding by the people who introduced this originally. (I will also leave this to another blog-post. Don’t bother looking up the X/Twitter threads, they’re “unavailable due to a processing failure”.)

Problems/criticism

So, for a variety of reasons, I got “attacked”, i.e. multiple references concerning the licensing, during my time there. I did not know this was a problem at first, or even at all.

1. Licensing-code was in no way separated or isolated from the rest of the (same) code-base. (One colleague emphasized very clearly that there were other logic that were separated in their own modules, in a separate repository with access control for specific employees. Furthermore he mentioned that it was probably an insignificant piece of logic and he wondered why it even was separated in the first place.)

2. Colleague already noted that the licensing isn’t that much of an issue given the continuous maintenance needed which would require continued support from ASML anyways. It would essentially be a reason “not to cheat” in the first place.

3. The licensing mechanism may have already been leaked because of lack of obfuscation. (Even with the obfuscation, there is a distinct chance there was a massive violation of policy.)

4. The licensing mechanism consists of a mechanism only. There were no techniques employed to introduce a “secret” component which was protected with very restricted access. (See Kerckhoffs’s principle.) The whole mechanism is shipped in every release of the application.

5. 8 Years have passed by now, so plenty of time to fix the issue, if they actually care.

6. Colleagues claiming that ASML was too “incompetent” to properly manage actual secrets and key-pairs. Well to be fair they were probably referring to the level of chaos due to size and growth of the company. This became a topic later during (attempted) introduction of TLS on network communication with the server-component also developed within these departments.

7. Some attempts to try and “lure” me into looking into that isolated intellectual property (IP) module, which I dismissed. I have/had no special interest, no “excessive” “curiosity”. I think they planned to make the point that I was being too curious. I wasn’t. I was trying to fix their mess. I tried to point out the risks with the way things were worked right now.

8. There is no excuse in trying to turn this around into a malicious activity: I had to help colleagues debug the issues due to the application suddenly no longer running, not even showing any screens. And in doing so I fixed the issues and sent the patches. There is an email conversation outlining the patches and circumstances. I got attacked later, despite having done nothing but assist my team members and the “problem”-team that introduced the bugs in the first place.

9. As mentioned in X/Twitter threads (“unavailable due to processing failure”) before, no proper priority was given to obfuscation and protection. Without going in detail here, marketing-department did (tried) initially. As soon as a broken configuration was delivered, priority evaporated. I fixed and improved on the protection in time lost due to excessively long compile-times (~ 1.5 hours for full build when I first started there), etc., but never got any priority to optimize the protections where possible. (Note that I got attacked for 5+ years for being an “incompetent asshole”, while the incompetent piece-of-shit who couldn’t deliver a proper configuration after multiple sprints, gets the credit.)

10. FWIW, I tried to get attention to the risks of the licensing and the obfuscation, but it wasn’t a problem that is easily fixed or changed. (That is, considering all products.) This is obviously mostly a matter of willingness, because the product did not have licensing before, so they could always have chosen to implement a proper mechanism, and they could also have decided to drop it for the risks it already incorporated. (Note that I signaled about this when the development code had just dropped and it blocked dev-teams on their development work.)

11. According to stories from colleagues, there was, supposedly, already awareness of reverse engineering efforts by customers, so the licensing mechanism was at risk as soon as it was introduced.

12. I was only at ASML for a matter of months when this shitshow started. So if anything, if there were any complaints and this is part of the excuses for attacking me, any communication, alignment and/or collaboration would have been appropriate.

13. There was no “secret” unknown value that was somewhere hidden away and injected at the last moment. The whole thing was there to read.

14. I wonder, have some suspicion, that the PO of that team (the PO later got adversarial in another capacity), probably made some mistakes during the licensing’s introduction. Maybe they did introduce licensing before proper obfuscation and this became the first stumbling block why other departments got involved. I do not recall hearing of any such causation, but in terms of timing it is very possible. However, judging by the senior of that team at the time, I am sure he would have thought about the way it was introduced.

15. There was some vague mention of another department being “displeased” about these findings, or about me having knowledge of, raising concerns or voicing opinions on these findings. (I don’t actually know.)

Now, it is also worth noting that the reason this information was memorable in the first place, is that due to issues with the mechanism it became memorable. And due to the persistent attacks and harassment, the licensing became one of the points of attention, because I was attacked on those (and many others). And due to the stupid response over my attempt at clarification, the attacks became more evident and confirmed.

There were never any “intentions” other than raising the concerns and the circumstances in which the licensing was a risk.

Attacks/distrust for voicing opinions

So it seems extremely likely, given the way I was treated and the responses both at the time and afterwards, that there people were “displeased” for voicing my responses and pointing out the risks on the licensing mechanisms and its short-comings.

There are a few matters important here:

1. The obfuscation was most likely not present, or present in far from optimal form, due to the broken introduction.
2. I pointed out the various risks with the mechanism.
3. I was told, that it is far from ideal to take development laptops (i.e. with the source code-base) to customers. However, developers do need to visit customer sites for troubleshooting novel work, running experiments, and debugging edge-cases in cases where no information (or very sparingly) is allowed to be taken out of customer buildings. Supposedly, there had been instances of “incidents” where a laptop was withheld at the customer site for periods of time.
4. I asked if there was a mechanism or tool to generate, for example, 1-day licenses such that we don’t have to take the development laptops or development licenses onto these customer sites. These are very sensible, trivial, obvious solutions that are virtually effortless to achieve. The mention of creating or working with such 1-day licenses to mitigate risks was already “problematic”.

All in all, I get a lot of attacks for making important observations, pointing out risks and trying to mitigate issues before they become a problem. I have been under constant attack for this and other “reasons” ever since.

Characteristics (general)

These are note-worthy characteristics of the licensing mechanism. Note that I write this from memory and the sparse notes I made at the peak of this full-blown harassment campaign. Some people seem to think full-on harassment and abuse is funny. I don’t. (I never possessed or saw any documents regarding the licensing mechanism.)

I will note this down in two stages of detail, in order to expose the coarser information first.

• The mechanism consists of two layers of input: the outer layer containing customer information, the inner layer containing product details bound to a customer-specific context.
• Given the use of SHA1, the risk of length-extension attacks is present and not actively mitigated.
• The separator isn’t a special case, meaning that user input can influence the separation of fields during the computation of checksum.
• Empty fields are allowed.
• When I was exploring malicious inputs, I noticed that the end-date of the license occurs before the start-date. Combining this with user-input of the separator, one can thus shift dates during computation.
• A customer ID is part of the outer layer, with 0 being dedicated to development. 0 is protected by a far more idiotic mechanism than the licensing-mechanism itself. That “check” is even easier to discover and satisfy.
• At a later time, identifiers were introduced (or at least started to be used) to indicate allowed/enabled features.

Characteristics (detail)

So, let’s discuss some of the missing details on the licensing.

The licensing mechanism:

• mechanism: SHA-1 checksum
• separator: ;
• prefix: CAFEBABE (not sure whether it was used as hexadecimal value or string)
• Hash-calculation reliably follows the contents and (mostly) order of the license file format. (ADELlicense or something like that) Variable input taken from the various XML fields.
  Essentially:
  • customer_prefix = sha1(<prefix>, <separator>, <outer-field>, <separator>, <outer-field>, ...)
  • product_checksum = sha1(<customer_prefix>, <separator>, <inner-field>, <separator>, <inner-field>, ...)) for any inner section present.
• I’m not sure whether the separator after the prefix/context is needed.
• Nested layers:
  • outer layer prefixed “context-value” prefix,
  • inner layer prefixed with hash-value from outer layer. (inner layer may repeat any number of times, but this should be evident from the XML file.)
• outer layer: general information, customer/company information.
• inner layer: specific machine/software information concerning license grants.
• additionally, there was room for feature-toggles that would enable or disable certain parts of the over-all application, for example to expose experimental or exclusive tools available only to certain customers. (These were added at a later time.) There is also an “wildcard” feature-toggle, with some predictable ID probably 0, that only works on licenses with the developer ID.

Issues: (from what I remember)

• characters in the input fields are not escaped, so ; is a valid character.
• I remember the license data’s end-date is processed before the start-date. This gives some opportunity of using ; to shift the license end-date to become the start-date.
• the developer license (id 0) grants unlimited time, unlimited options, and is guarded by “pinging to an 172.x.x.x (something) ip-address”:
  Again, the design neglects to use some variant of an asymmetric secret, or anything sensible really, to make this robust. Anyone who is even remotely interested can notice this “surprising behavior” and even just adding an entry to the hosts file would suffice.

Now, from what you can already tell, this information isn’t exact. I wrote this down from memory, because I had to suffer through multiple years of persistent, continuous attacks already. But, I can tell you that there is sufficient detail that anyone who wants to know the specifics can essentially brute-force the rest. Or, they have leads to look up the specifics in the decompiled application. I am certain that anyone who can benefit from this, is able to make use of the information. Or maybe they can’t because they long ago figured it out.

THE CENTRAL ISSUE here is not my acting. I pointed out and fixed numerous issues. The code was not (and later not properly) protected. The code, if evidently it was that sensitive, was not (properly) isolated. That is, I am assuming, in good faith, that the licensing isn’t blatantly used as an excuse to “justify” (excuse) blatant abuse and violation of human rights. The way the company acted on the supposed extremely sensitive urgent matter does not reflect in the faulty design. The issue is NOT a lack of straight-forward communication and discussion about whatever is the matter. There is a literal, traceable email-thread of my conversation with the developer of the other team in which these issues are discussed and patches sent. The issue is the blatant abuse of “supposedly company sensitive information” that is shown in no other way than threats, and that I am suddenly, without understanding or provocation, being attacked over. The issue is the massive prejudice against me for no reason other than countless lies and a sickening attitude to pervert any and every good intention.

One of my “actions” at the time was to point out that I was uncomfortable taking a developer-license to customers during things like short-term trials/experiments, and wondered if there was an option to get a short, e.g. half-day or 1-day, license. I discussed options on whether such a tool existed. (Note that 1-day or 0.5-day licenses would be a huge pain-in-the-ass when abused on massive scale by a customer, but not an issue for one-off use by developer or Customer Support employee visiting a customer site.) I also speculated whether the sales/licensing (or whichever department it is) might be contacted for such 1-day licenses. This was always treated with “disapproving comments” and irritation. I subsequently get these implied threats such as “the sales/licensing department does not like it if other people know about the licensing”.

Note that it was easy enough to just discuss these things, given that there were serious concerns. They could have taken this as a sign that the code should be isolated. Especially, given the rumors I was told, that customers would most likely be decompiling every releases. They could take it as a sign that there is something significantly wrong with the design. They could’ve taken it as a sign that maybe that wasn’t the right licensing mechanism to introduce in a new application that had every freedom to implement any mechanism they wanted, because it was in no way bound to any previous system. The application is a stand-alone application that on occasion interacts with hardware but more often simply produces the proper ADEL-documents (XML-based specified documents).

Clarification and follow-up

I get extremely strongly implied accusations of searching for company sensitive data simply because I noticed that the code did problematic things as I was solving the botched introduction. As I mentioned before, and unlike ASML wants you to believe: there was no (not a single) effort to “gather documents” or “search for secrets” or whatever other sick bullshit these people come up with. Let me be clear: I did NOT steal or keep even a single document. (Of course, I exclude the typical bureaucratic documents that are involved on occasion that involve me.) I disposed of everything in the proper way. I did NOT look for any “sensitive information”. They fucked up time and again and make one hell of a shitshow of it all. If (notice how the if indicates a hypothetical situation) I had bad intentions, I could have trivially copied the symmetric encryption key for the protected documents. 16 Bytes doesn’t take a lot of effort. I didn’t. I could also have taken a copy of that department’s complete code-base. I didn’t. Even for the repositories that I did not have access to, there were always the precompiled packages that need to be downloaded in order to compile the release-builds of the application.

It isn’t exactly clear to me why, but it is absolutely clear that my findings, the concerns and problems I raised, and the solutions I proposed or enquired about, were not well received. There have been vague indirect indications, but there has never been proper communication on this. Given that I was attacked over so many other false reasons, it is hard to get any clear reading on this. However, the common denominator is that everything is rephrased and reframed as malicious, I couldn’t do a single thing right, and I’ve had to deal with a ridiculous amount of crap. They essentially let a bunch of liars and psychopaths just make up any arbitrary stories and I get attacked over them with no opportunity for (proper) discourse.

Now, I’ll take the liberty to skip a significant part of a long story, and continue a few years later. I am under constant attack, people clearly have bad intentions. It has become evident that the many actions taken during my time at ASML were taken with the specific intent to attack me. In hind-sight with very obviously related follow-up actions taken by a bunch of the same people, malicious intent becomes a lot more evident. Everything I recognize is based on maliciously twisted facts. I try to get things clarified, so I tried explaining the situation and circumstances of this, i.e. why I got to looking into the licensing in the first place. And also that, during third part of the assignment at ASML, I moved into that team that managed the licensing, so my work continued there in improving and extending mentioned framework.

The response to these explanations, is to start the occasional harassment with a well-timed helicoper flying over. As I mentioned in the introduction, any and all attempts to clarify, that resulted in me not being the bad guy, got dismissed as “petty excuses”. Let me rephrase that: every inconvenient truth was dismissed as an excuse. And then these kinds of shitty actions were taken. Attempts at getting things clarified basically got no attention. There essentially only was some result after I had written some 8+ X/Twitter threads (now inaccessible due a surprisingly convenient “processing failure”) and then also followed up with a mention of Intel, which was relevant for a project done with the second team. (Again, plenty of other stories to tell.)

At one point, I tried contacting ASML over some very specific accusation and asked to relay a message to an employee with a question, and even relaying a question was too much to ask. Given some ridiculous concern over privacy. Now, the thing is, I didn’t even ask him for any details. I simply asked him to relay the message himself. To be clear: 1.) relay a textual message, 2.) to an employee I have had direct contact and conversations with, 3.) to my knowledge, am in good standing with, 4.) to ask for reliable, first-hand information directly from the source, 5.) to try and get confirmation that there is no truth to some of the hundreds of false accusations. 6.) I essentially ask for information about me. And 7.) I ask in direct communication with ASML, so even if I was deceived and or outright fooled on many, many other occasions, this would simply clarify the matter. 8.) There was never any concern for privacy. He could’ve relayed the message and my name, such that said employee could decide on the proper follow-up action. This is ASML directly acting against me for an extremely reasonable request.

Essentially, there was no discourse. Everyone was apparently pretty satisfied with the state of liberally applied harassment and abuse, well .., except for me. So much of my time was stolen based on needless, pointless harassment and abuse, that it is worth it to document this.

Conclusion

I don’t release this because I think it will “enable” their customers. There isn’t much point in that as machines break down too, so any customer will rely on periodic support from ASML anyways. There would be benefit for software-only products, though limited. I write this because the mechanism is faulty by design, and is abused as an excuse to attack me for years. There is a concerted effort to threaten and attack me. So, according to this same misguided sense of “justice” I have to respond in kind. As noted in the introduction, I was stupid. I didn’t. Every attack was many times over initiated by others.

This is topic is one of many “incidents”, such that there is no way that all the attacks are due to one or two “cranky colleagues”. Given the insane amount of effort I have already spent trying to get anything resolved, which utterly failed. The amount of crap I’ve had to deal with based on blatantly false accusations and twisted intentions is completely ridiculous. Every other word got maliciously twisted to attack me and many people were involved. It has to stop somewhere. Any previous attempts, which were significantly milder in comparison got virtually ignored and the attacks continued.

The benefit of making this public knowledge, is that ASML and others, have one less shitty excuse for abuse over such a poorly designed algorithm for these practices.

Changelog

This article will receive updates, if necessary.

• 2025-04-02 Added note/clarification concerning my motivation to post full details.
• 2025-03-29 Completed version with more details.
• 2025-03-04 Tweaks and clarification.
• 2025-02-19 Initial, incomplete version.