Experienced Points: Impossible (to beat) DRM

By Shamus
on Apr 23, 2010
Filed under:
Column

This week’s column is about how the Ubisoft copy protection could actually be made powerful enough to keep the pirates at bay for months. Their latest system lasted only six weeks or so, but a better designed system could have endured a lot longer.

Adding a bit to what I said in the column:

Typically a server responds to the client. You run your World of Warcraft client, connect to the server, and then your client will send a request, “Hey, I just showed up in the Goldshire and I need to know what characters are here.” The server then sends you this data. It’s a request / response system that’s fairly easy to reverse engineer. If you’re trying to write your own server, you look at what the client sends and see what the server sends back. Then you make your version of the server do the same thing.

But you could make the process really, really difficult to track by simply making the client a passive recipient of data. The client would just send actions about where the player is standing or what they’re doing, and the server sends the client data without prompting. The server sees you get near Goldshire, then waits several seconds, then sends you the info on the town. It’s pretty easy to figure out a situation like this one, but as the data becomes more crucial to the game and the responses become more obtuse, it becomes harder for the cracker to know what their copycat server should send, and when. Tracking something fast-paced and chaotic like combat would be a nightmare.

The mantra of security people is “obscurity is not security”, which is true only if you need your data to be safe “forever”. If you’re guarding against reverse-engineering a remote system and if you only care about the first few months, then it possible to make a very very safe system. Think of it this way: All of the scripting data of the game is on the server side. Dude A standing here, item B here, door C opens with key D, etc. Somebody – probably a small team of people – spent months setting up those scripts. You need them for the game to work. The cracker can either replicate all of the work done by the original artists, or he can play the game and every possible scenario in it to harvest the data from the server.

(Reading the above, I think I duplicated some of the points I made in the article. I apologize for that. This was a 2,000 word concept that I foolishly tried to cram into a 1,000 word column, and it think the clarity suffered for it. Looking back, I should have split this into a two parter. Fool!)

Anyway: DRM is bad. Boo hoo, pout pout. Etc.

Enjoyed this post? Please share!


A Hundred!16116 comments. Quick! Add another to see if this message changes!

From the Archives:

  1. Tohron says:

    I was thinking about how to make a better DRM system, and had an idea – instead of relying solely on internet servers, have the data exist both on servers AND encrypted on the game disk. That way, you wouldn’t even need internet to play, and if the servers go down, there’s always an alternative.

    A big question is how difficult you could make it to locate the data on the disk – at minimum, you could force the cracker to include the entire encrypted archives in the download, thus making the pirated version much larger. But I wonder if there’s a way to put information on the disk using non-standard file formats, so that the cracked would have difficulty just finding the encrypted archive in the first place. Thoughts?

    • silver Harloe says:

      Pirates download whole DVDs all the time — in direct bit images rather than “something understood by the current filesystem.” What you’re talking about would not work.

    • Kdansky says:

      Would totally not work. A few gigabytes more or less do not matter in the least, and if the data is on your disk, it can be decrypted rather easily, no matter how good your encryption is.

    • Binks says:

      “AND encrypted on the game disk”

      And how does the game decrypt it? How are you going to keep the user’s from reverse engineering that process? Encryption doesn’t work when the party you’re hiding data from and the one you’re revealing data to are the same person.

      • Tohron says:

        The idea is that the game is calling tiny parts of the encrypted file for various individual game events – for added difficulty – have it randomly determine which tiny part of the file it calls for those events. The idea is that the download will have to be bloated with all of the encrypted files on the disk, otherwise, the game won’t run whenever the game attempts to access one of those tiny parts of the file.

        It seems that making something difficult to find on the disk is out – what about using a special kind of game disk, which would be difficult/expensive for a pirate to obtain, and having the game require that the encrypted files be on such a special disk type?

        • Jarenth says:

          The old standard counter-DRM points applies here as well, I think: making it harder for pirates to play is also going to make it harder for paying consumers to play. If you use a a “special kind of game disk, which would be difficult/expensive for a pirate to obtain“, won’t a disc of this kind also be hard for consumers to obtain?

          Just trying to see if I understand what you’re trying to say.

        • someRandomDood says:

          Already been done – the suggestions you make are from early forms of DRM, well and truly cracked. I’m not well up on these things, so don’t have the full details correct, but I think one of the recent DRM systems encrypt the main game executable, so it’s decrypted as it gets loaded to memory.
          An older DRM system did some strange things outside the proper parameters for a cd-rom drive (*some-color*-book standard for cd-roms, I can’t be bothered to look up the correct term). Made effectively “bad-sectors” and put data in there, and I think some tried to use data areas outside the normal specification, but within the capability of most drives to read. Note the phrase “most drives”. If a drive was made strictly to standard, then it would not be able to read the data, and the genuine user could not use the disk. There are also rumours that this type of scheme actually damaged the disk drives, as the devices were being asked to perform outside spec.
          In short, please stop thinking further about how to screw the genuine paying customers – we have enough evil people in the world already.

    • eri says:

      So uh, in that case, what’s the point? If you already have the data and can play offline, what the heck is the point in making the player download it? Is this some strange optional setup where you can choose to have super-evil DRM instead of just regular-evil?

  2. silver Harloe says:

    I prefer the version of that security motto I heard first: “Security By Obscurity Isn’t.”

    Anyway, Ubisoft isn’t (and probably won’t be) offering this, but what if the constant connection was actually netting you something? Like single-player action in a world that would take you 100 DVDs to download, dealing with NPCs, economic and weather models that take a small network of computers, each of which would make yours look like a joke, to run their AI? Kind of like an MMO that revolved around you.

    • Moridin says:

      Someone would need to make all that content. Meaning that the profit margins would go way down or the prices would go way up.

      • silver Harloe says:

        Well, my numbers were exaggerated, but my point was: is there some way this “gotta have a continuous connection” could be done to the benefit, rather than the detriment, of the players?

        The question has been indirectly raised by Mr Young before, when he referred to the difference between two companies offering the same basic thing (I think at the time it was DLC or something) but one was posing it as a “screw pirates” move and one was posing it as a “look at this awesome new thing we’re giving the players” move. I’m just wondering what it would take to make Ubisoft’s scheme come off in the second light (not that Ubisoft cares, since they’ve already decided everyone is a criminal, but someone who has players at heart might be interested)

        • Jarenth says:

          Well, regardless or whether or not this can be done (I’m sure someone can figure something out) there’s still the fact that if you’re forcing people to be online to play a single player game, you’re going to alienate people who can’t be online all the time.

  3. krellen says:

    I’m not sure what sort of award “being best at being stupid” really is.

    Perhaps a marketing degree?

  4. B.J. says:

    I am no fan of DRM, but I was secretly sort of hoping Ubisoft’s system would really work and prove me wrong. That way publishers would no longer have any excuse for neglecting the PC market. It just sucks that these are the lengths they feel they need to go to to protect their investments.

  5. Tizzy says:

    “Not every download is a lost sale.” That’s undoubtedly one of the most fundamental aspect of the DRM debate, and I don’t think it comes up nearly often enough. I don’t know to what extent the powers that be are aware of the distinction but ignoring it actively, or if they are simply buying their own hype.

    Businesses these days like to present themselves as very data driven: in that case, this would be a fairly conclusive experiment. I’m not holding my breath though: people are very good at ignoring the data when they don’t like the story the data tells.

    • eri says:

      If anything, I feel like DRM is a promise to shareholders. Executives in the games industry seem more on the ball than in other industries – they have access to hard data on piracy and they must be aware of its impact, and DRM’s ineffectiveness in the long term. However, if you’re releasing a game on PC, saying that you’re going to include some super-effective DRM to “eliminate” piracy is great for boosting investor confidence in the short term.

      • SolkaTruesilver says:

        Amen to that. I really wonder how much of the DRM debate is aimed at management responsibilties rather than actual wordiness of piracy.

        A company management cannot tell his investors: we know there is a problem, but as opposed to our competitor, we won’t do anything about it because we believe it would undermine sales.

        Any management acting like that would be under high monitoring by all investors, and probably kicked out. It all comes down to the line of business I study in: risk management. You have to pinpoint all risk that threathen your business (this one is strategic), and do something about it. Inaction is not an option. And the icin on the cake is: sales lost to piracy is such a blurry and opaque strategic risk, as we ignore the exact consequence, there is no way of properly evaluate the effectiveness of the Risk Management decision. So,they cannot be proven to do wrong, and look like they know what they are doing

  6. Raygereio says:

    Cracking is fun and exciting now because the cracker can get the game a day or two before release and have it cracked before launch.

    Considering the two times that I preordered a game, I recieved it before the launchdate I’d say that point is moot.
    Maybe that used to be it, but nowadays I think cracking is more about one of two things: having a free game, or being able to play your game without DRM related issues (from having to put your disc in the drive to securom breaking windows explorer).

    • Mari says:

      That may be true of consumers of cracked games but Shamus is talking about the people who actually do the cracking. The ones who had to cloak and dagger their way into pre-release copies and spend days working encoding schemes to break the encryption, occasionally even having to go so far as to play the DRM-riddled game to get key components for decryption.

      I can’t speak for modern crackers but back in the day it was, as much as anything, about the challenge involved. Why do people climb Mt. Everest? Because it’s there. Why crack a server/game/piece of software? Because it’s there. There’s this nifty information sitting in a closed room somewhere. What will it take to get the doors open? Ideally, the info at the end of the “game” would be worth the work involved but it wasn’t necessary because the real game was cracking it in the first place.

      *shrug* Makes me wonder at times if the solution isn’t to just hand over the keys or leave the software unlocked in the first place. I guess it wouldn’t stop piracy but it would stop the crackers. And really, DRM isn’t stopping piracy either, right?

      • Jabor says:

        Note that unencumbered stuff like Stardock’s software tends to be hard to find on torrents – quite honestly, Galactic Civilizations II lasted just as long as the Ubi DRM before it actually became available to Average Joe Pirate, and you know that Stardock spent a whole lot less on DRM for it.

      • eri says:

        This is a good point. A lot of those cracking groups do their work simply out of enjoyment – it’s about the challenge, not about the end goal of getting a free game. Many of them actually have agents within the manufacturing industry to get early copies of games to them, and the majority of game releases/cracks are actually created by private groups, shared only internally, and then leaked to public torrents shortly after. Cracking culture is pretty complicated and there’s a lot of competition between groups as I understand it – they all try to come out with the “best” release, sometimes going as far to include mods and fixes for bugs along with the software itself.

    • Jordi says:

      I think the cracker is the person doing the cracking (not the pirate who makes use of the cracker’s work). It seems likely to me that crackers actually do do it for the challenge (and maybe because they want to bring free, DRM-free games to other people) and that in order to practice their “craft” they themselves are actually buying the DRM-infested game.
      If they just want to play the game free and without hassle, they are better of waiting for someone else to crack it.

    • Daemian Lucifer says:

      Crackers are mostly based in countries where cracked games are being sold legally,so doing the actual cracking isnt that much about challenge,its about money(well,duh).Sure,there are those that do it just so they can,but those take their time,they dont try to steal the original code before it gets released,they dont work day and night just to beat that deadline.

      And as pc games are in ever greater decline,more and more of these groups focus on consoles,which become ever easier to crack.Yes,assassins creed 2 managed to go 6 weeks without a fully working crack on pc,but the day it was released for xbox,there was a pirate version floating around the web.So the almighty uncrackable consoles drm became easier to break than pc drm.Yay developers!

      • Blackbird71 says:

        Except that those who are in it for the money are much less likely to release their cracked version to the internet for free.

        For the ones who are releasing free cracks, it is most often about the challenge/fun/bragging rights, as they are not making anything off of those cracks.

  7. 1d30 says:

    They could always use the Threshhold Pledge System.

    1: Determine how much extra money they think they will lose to piracy.
    2: Require an extra pledge from the community equal to that amount before production will begin. Pledges must be $10 or more. All pledgers get added to a mailing list that gives weekly teaser info, interviews, and concept art.
    3: Produce the game, cashing in on the paycheck, and releasing the game for normal sale without DRM.

    Certainly some people will wait and get a pirated copy later. If this really becomes a problem, and actual 6-week sales diminish in this scheme, increase the pledge required until finally you demand the full expected 6-week sales before you even begin coding and then release it for free distribution.

    This is fine, and may be preferable, and is effectively a pre-order. But if we’re not careful, it could end up with game companies producing barely-good-enough games just because the paycheck is fixed regardless of how good it is. This would cause a reputation hit, though, making that game company less able to draw in high pledge threshholds.

    Also, this ultimate pledge scheme prevents a game company from producing the next World of Warcraft, as it cannot make more money than the initial pledge threshhold no matter how popular it is. But such an excellent game will greatly increase the future maximum pledge threshholds for that company. Effectively the company needs to earn its ability to generate revenue by producing great games.

    Of course, this requires that they take an honest look at how much revenue they actually lose to piracy, not just how much extra revenue they might get if every pirate bought a copy.

    Doing business based on theoretical profits is what got Enron in trouble, among other things.

      • silver Harloe says:

        Extortion is when you threaten bad things unless you get moneys.

        Since you don’t already have my next theoretical game X, you lose nothing if I never make it. So it can’t be extortion if I “threaten” to never make it – you stand to lose nothing if I “carry out my threat.”

        What 1d30 is talking about is more like pledging or patronage. It’s only extortion if you assume I _have_ to make games and I _have_ to let you play them (in which case you’re losing my future slave labor if I do nothing).

        [actually, I don’t make games at all, it was just easier to write from the perspective of the game developer briefly]

        • Nalano says:

          “Pay us up front before we’ve even released our game or we’ll release it with annoying, destructive DRM.”

          That’s extortion.

          How is this concept hard for you?

          • silver Harloe says:

            you missed this phrase in original posters comment:
            “before production will begin”

            insults never, ever, ever add anything useful to debate.

            • Jarenth says:

              While it isn’t technically extortion, it does sort of feel like it. It would depend on how far the company would go.

              “Here’s some trailers, concept art and screenshots from our awesome new game. You like this game, don’t you? Now pay us money up front or we won’t even start on making it!”

              • silver Harloe says:

                Restaurants don’t make your meal til you pay for it :)

                Anyway, back to the 1d30’s post. When I read it, I saw this:

                “We need 2 million bucks to make a game. We could get a loan from a major publisher, but you know that they’ll treat it like a business product and thus saddle it with DRM and force us to make a bunch of “sameness” decisions to ensure they get their money back. Or we could get it in donations from you guys. If we don’t get the money, we can’t afford to make the game and have to go get real jobs instead.”

                This phrasing is semantically equivalent to 1d30’s idea, but hopefully makes it more clear why I don’t see extortion here.
                It’s not holding something that you have earned back from you unless you pay them. It’s asking you to pay them for the next year of their lives so they can make something for you.

                • silver Harloe says:

                  Note that I am not advocating or decrying the system, just responding to the concept of saying “the Threshold Pledge System is the same as Extortion.”

                • Jarenth says:

                  Most restaurants I’ve gone to present me with the bill áfter I’ve eaten. ;)

                  Also: game development is a risky business. There’s no guarantee a game I’ve payed the Fee for is actually ever going to be released. All I know is that it certainly won’t happen if I don’t pay up; what happens after that is up to the ineffable machinations of the free market.

                • Nalano says:

                  Two things:

                  Fast food restaurants make you pay before you eat.

                  Real restaurants hand you the bill after you finish. Guess we know where you eat now.

                  Also, I am not an investor. I am a customer. If they want me to invest in something they haven’t yet made, they’d better allow me to sue them if and when they don’t live up to my expectations.

                  Anything else is extortion.

                • silver Harloe says:

                  Ever try to not pay at a real restaurant? They have the courtesy to present the bill afterward, but they have your promise of payment. (Still with the insults? They still don’t add anything to any debate, ever. ever ever.)

                  They say “we need X amount of money to make a game, otherwise we can’t afford to make a game.” If you don’t send them money, no problem. They don’t make a game if everyone agrees with you. If you DO send them money, it’s because you’ve decided to change your mind about the customer/investor thing. Again, if you don’t, no problem – if you choose to be “a customer not an investor,” that’s your choice and no one is making you send money anywhere. How is that extortion? They aren’t withholding anything you have a right to.

                  Ah, “if I send them money and they don’t make the game, or I don’t like the game, I want to be able to sue.” Well, odds are the contract you’d enter would prevent such a law suit, but, then, You Simply Do Not Have To Enter Such a Contract. The people who do choose to enter recognize the risk. It’s the same as paying for a concert – based on the band’s reputation, I figure I’m in for a good show, but if they’re off that night, I don’t get to sue. It was a risk, I took it voluntarily. You obviously don’t want to take that risk. So, … don’t. No problem. No one is threatening you or taking anything away from you if you don’t choose to risk anything.

                  Quoting the abstract of the article 1d30 linked to:

                  “An amount of money is set as the goal or threshold to reach for the specified purpose and interested individuals will pitch in, keeping the donation in an escrow fund. When the threshold is reached, the contributions are retired from the escrow fund and a contract is formed so that the collective good is supplied. …

                  Sometimes contributions are refunded to the donors if the threshold amount is not reached as of some expiration date, and no contract is signed: this variation is known as an assurance contract. Contributions to an assurance contract may also be collected as pledges which are only called-in when the threshold is reached.”

                • Jarenth says:

                  This restaurant analogy is getting too complicated for its own good.

                  Ah well. I still don’t like the idea, but I don’t feel I have much more to add, and at the end of the day everyone has a right to their own opinion. So let’s just agree to disagree. ;)

                • Daemian Lucifer says:

                  While I dont really support this system,I still am going to defend it with a much better analogy:

                  A concert.You pay in advance,then you get to the concert to listen to the band(or a single musician)playing.They can suck,sure,but you wont get your money back.You can get your money back only if they lie(dont show up,cut the concert short,etc),but if they preform inadequate,tough luck.Yes,you invest into that concert,no you dont get any money in return.Same here:You invest into some entertainment in the future,and as long as the game comes out in time,the developer has fulfilled its end of the deal.The game may suck,but thats beside the point.Only if they dont deliver on time can you attempt to get your money back.

                • Nalano says:

                  I didn’t invest in their rehearsals. I didn’t commission their songwriting. I didn’t lease their instruments, nor rent their space. It is their risk whether I show up or not.

                  They were musicians before I came about. They had a set list before I showed up. They would produce a gig whether or not I existed. I do not owe them money to become musicians or even to play near to me. I only owe them for the gig they play that I attend, and I will pay them then.

                  I do not provide capital. I am merely providing its benefits. Surely you as much as anybody else can see the difference between a investor and a customer?

                • Daemian Lucifer says:

                  All that youve said works for popular bands,but not for starting ones.Ones that rent instruments from the place they are playing at,and that can only profit if money made from tickets goes over the price for leasing space and instruments.

                  And that about rehearsals and songwriting,well you dont pay for education and ideas of game developers either.Also,if this is an established studio,you dont pay for their hardware and software either.You pay just for the game itself,which is the equivalent of just that single concert youve bought the ticket for.

                  Just because you pay for something before it is made,doesnt make you an investor.I have paid for my apartment before it was finished,and while it gave me lots of benefits(lower price,choosing room layout,ceiling height,electrical installation paths,etc),it still didnt gain me any money after the building was finished.All Ive got was an apartment.I was never an investor,I was a customer.

                • Blackbird71 says:

                  Sorry, the concert analogy doesn’t hold up, mainly because you’re comparing a one time live performance to a physical product. It would be more like a band saying “hey, we want to make an album, we haven’t written any of the songs yet or anything, but if you send us money now, then in a few years we’ll release it and send you a CD.” Add to this that there are no guarantees that the band will still be together by the time the album is finished, the lead singer could decide he wants to go solo or something, or the band itself could just dissolve, and your money would have already been spent, so could not be refunded.

                  This is the type of thing that a well established and popular band might be able to get away with, but there is no way that a new group with no reputation could even think of trying it without getting laughed at.

                • Daemian Lucifer says:

                  Fine,then replace the “concert ticket”,with “season pass”,and its the same thing(considering how future games will probably follow ubisofts example,and thus will only be playable as long as the servers last).

                • Blackbird71 says:

                  “Season pass” still doesn’t hold – you’re implying a system where you pay up front for a performance of content that has already been created, whereas in this model, you’re actually being asked for cash up front before anything has even been written, you are paying an intangible idea that may or may not ever come to fruition. That is a speculative investment, not a purchase.

                • Daemian Lucifer says:

                  Songs are just part of the whole concert experience.And sometimes(with inventive bands)every concert will be different.So when you buy the season pass you dont buy attendance for something already planned,but for something existing only in someones head,and is yet to be realized.Is that a speculative investment then?And how will you know if a band has everything planned in advance when you buy the season pass?What if they decide to plan everything a day after you buy the pass?Would you be an investor then,and someone buying it the next day a customer?

    • ehlijen says:

      I would completely ignore any company that did this. Computer game quality is too hit and miss for me to ever consider bying one again until after I’ve obtained some idea of how much I’ll probably like it.

      Even preordering is on the verge of gambling as far as I’m concerned.

    • Primogenitor says:

      Telltale games already works on a similar basis; you buy the series up front, and get each episode as its released.

      I think the system you describe is almost as offensive to the consumer as hard-core DRM though…

      • Nalano says:

        I hate this.

        Tell Tale Games needs to understand that I am a customer, not an investor. If I invest in their game I want monetary profits back, damnit.

        • krellen says:

          Investment is not always about profit. It’s very possible to “invest” in something that never returns your investment monetarily, but instead returns something else.

          Companies can, and do, exist for purpose other than profit.

  8. Yar Kramer says:

    I once had an idea for a “DRM system” which, rather than making the game completely fail or whatever upon detection of a pirated system, simply interrupted a key cutscene to Rickroll the player.

    Or another idea where the game would suddenly double the speed of boss fights and replace the boss music with the Benny Hill theme. Then someone pointed out that some people might actually find this fun, so I decided to just make the Benny Hill one a legitimate unlockable, and the DRM would merely make it unplayably fast.

    Not that I’m stupid enough to invest in any pirate-detection-system more complex or programming-intensive than asking the player nicely.

    • Veylon says:

      Earthbound for the Super Nintendo had this. There would be several times as many battles and the game would crash on the last battle and all your saves would be wiped out. I’m not sure, exactly, how a ROM would know it’s being played on an emulator and not a real SNES, though.

    • Gresman says:

      I think “Settlers 3” had something like this going on. If the game thought you had a pirated copy all the mines just produced pigs. This meant that you couldn’t play the game properly because you didn’t prduce the right ressources for your colony. But there was a “minor” problem: This system often thought a legit copy of the game was a pirated one. So even with such a system legit customers get screwed.

      just as a sidenote: I think this game was also published by UBI.

  9. Octal says:

    Typo alert: “it’s” not “it” in “it possible to make a very very safe system”.

  10. mewse says:

    Their DRM held for six weeks; that’s far longer than any game’s initial sales spike.

    If you understand that the point of DRM is to stop piracy during the first few weeks (when the vast majority of sales are made), then Ubisoft has succeeded in a way that very few DRM schemes ever have in the past.

    I mean, most of the games I’ve worked on have been up on torrent sites even before the physical discs reached store shelves.

    The real question is: now that the pirates have figured out how this DRM works, will the next game using this scheme be cracked faster, or will every game using this scheme have six weeks of protected sales?

    • acronix says:

      Crackers will evolve, as any organism do if you set them a challenge. If the challenge doesn´t evolve too, then the organism will eventually overcome it.
      Still, developers will be able to get at least a couple of other games with the “six weeks of unpiracy”.

    • eri says:

      Remember Splinter Cell: Chaos Theory, anyone? Another one by Ubisoft, except it used Starforce. The DRM on that game lasted over a year if I remember correctly, though once people figured out how to get past Starforce it wasn’t very formidable anymore and most of the industry dropped it due to problems it could cause.

    • Merle says:

      It may have stopped them from being pirated for six weeks, but it’s also stopped them from getting any of my money for those same six weeks. And most likely the next six weeks after that, and after that…

      So…way to go, Ubisoft.

  11. TehShrike says:

    I don’t remember where I was originally linked to it (it may have been on this site), but I’m reminded of the Batman DRM.

  12. Irridium says:

    I’m curious to see how much money they made and how many copies they sold.

    I highly doubt it broke 1 million sold, and I doubt Ubisoft made much of a profit, if at all. Further add in the costs of the DRM and maintaining the servers, and you have yourself a perfect recipe for throwing away money.

    I wish publishers could get it through their thick skulls that piracy isn’t something that can be solved with some program.

  13. SatansBestBuddy says:

    Your DRM dream set-up assumes there will be just one guy working on cracking the game, and that won’t always be the case.

    The internet has done a lot for the world, and one of it’s major uses is being able to quickly coordinate large groups of people on specific tasks.

    So, sure, one guy working on trying to find every single script in the game could be at it for months, but what about 10 people? 20 people? 50?

    Get a large enough group of experienced hackers working together, and even the most complicated DRM won’t last more than a week.

    • Nidokoenig says:

      Absolutely. A few years ago, I bought a game called Spectrobes for the DS, which had a nifty system of unlocking items and monsters with promotional cards by tapping the screen through holoes in the card, or just by tapping where the holes would be if you had the card. After looking on Gamefaqs for known combinations, I suggested a way to divide up the work of checking all possible combinations and we had all 5280 checked within a week and got some sweet loot, which is pretty good going considering we were just a bunch of idiots doing it for a laugh. Then we found out that the secret monsters we were after would be online downloads.

      So, maybe a better way to stop crackers is to make DRM simple and mildly amusing to circumvent, so that everyone can do it for a laugh and then maybe buy the game properly when they get sick of the minigame, by which time the crackers won’t be seeding the torrents anymore, possibly.

  14. Zak McKracken says:

    In order to crack a server-based DRM system, I don’t think you need to reverse engineer it and program a new one. There are two other ways:
    – Get hold of the server software and modify it so it’ll run locally
    – Modify your copy of the game so the original server will still treat it like a legitimate one.

    There are maybe more than that, but making the server part more complex doesn’t increase security beyond a certain point (at which the two alternatives are less work than rewriting the server code). Also, doing that will also increase the amount of CPU time the server will have to dedicate to an individual person playing the game. Which costs money. Or might choke some games if the server is overloaded. The former will certainly interest game companies, with the latter I’m not so sure. Oh, increasing server load will also reduce the time until the servers will be shut off, which is reducing the value of the game.

    Unless noone notices early enough …

    • whitehelm says:

      The first example you gave requires that the cracker get a hold of the server code, which could be stopped by the company simply not giving it out to anyone (and suing anyone who does for quite a bit of money). The second can be stopped by the company downloading the new crack and modifying the server so it doesn’t work. Whoever made the original crack would have to keep modifying it and re-releasing it, which is a lot of work for them to do.

  15. Factoid says:

    I still contend that this isn’t “unbreakable DRM”….it’s a single player MMO.

    I was occasionally willing to tolerate online activation, and I’m OK with steam because it has its own benefits, but holding half my game hostage by hosting parts of it online is a bridge I won’t cross.

  16. Mark says:

    Not to mix subjects, Shamus, but I think you just invented procedurally-generated challenge-response DRM. If you’re quick, you can patent it so no one else can use it! For once, software patents can do some good in the world.

    Also, my head just exploded.

  17. Daemian Lucifer says:

    The longest non-cracked game that I know of was twilight of the arnor.Expansion to galactic civilization 2 that managed to go 4 months without a crack.That alone shows how useful drm really is.

    And this system ubisoft used isnt really selling games anymore,its renting.And its stupidly implemented.If you rent something for flat 60$ and then run the servers for a few years,youll lose money.What they shouldve done was give out games for 5$ or something,then charge you every month.Yes,thats what mmos are doing,but it can work for single player games as well.Instead of having people buy your games,then go out of your way to run servers for a few years,make them rent your game,and run the servers as long as they pay you to run them.And when that becomes too expensive,shut the servers down,and offer anyone still interested an option to buy the full game for some more money.And really,would people be this outraged if they knew in advance that they arent buying the game but renting it,and that theyll be able to buy it only after this renting time expires?Honesty attracts customers,it has been proven time and time again.

    • BeamSplashX says:

      The problem with this lies in the fact that a lot of games like AC2 will only last for one or two rental periods. If companies think hidden stuff is critical to going beyond that, they might start coming at sites like GameFAQs with torches and pitchforks.

      • Daemian Lucifer says:

        That just means the developers would have to focus on making replayable games,and that is a good thing.Not to mention that companies focus so much on dlcs these days,which is another way to prolong this period.Then you wont have to buy the dlcs,youll get them for free,but youll have to pay for another month in order to play it.

        Also,it can be tweaked to work,by making those two months give you the 60$ games are being sold for now(for example,make it so that each day of playing is worth 1$,and you have to pay in advance for at least 2 weeks).And this way you can turn pirates into customers because while most of them dont want to shell out 60$ for a game theyll throw away later,theyd easilly give 5$ for a disk they can later give to some of their friends wholl happily pay the rent to play the game.So while one person might not play the game for more than a month or two,youll get a few persons sharing one disk and each of them paying for a month or two.Just make it so that while it can easily be shared among computers,you need to pay subscription for each computer separately.

  18. Volatar says:

    Why does The Escapist put a word limit on you anyways? They are an ONLINE magazine. They have no space limits. You NEED those 2000 words so often Shamus :)

  19. T-Boy says:

    You know what this means, right.

    They’ll try to break the server.

  20. Samuel Erikson says:

    The key problem here is that it didn’t last six weeks, it lasted maybe one or two. The new crack just eliminates the need for a fake server.

  21. eri says:

    If we want to make changes, we can’t focus on imposing stricter and stricter laws and punishments – that won’t get us anywhere. Punishment for crime never really works very well as a deterrent, because almost everyone who commits a crime does it with the expectation that they’ll get away with it no matter how strict the punishment is, and chances are they feel justified in doing it as well. Punishing people via the justice system and other restrictive methods is not a wholly effective means of protecting society or any of its cultural artifacts. While some apparatus is necessary in order to guarantee that there’s a backup in case the system fails, you can’t rely on it, and it certainly won’t solve the roots of your problems.

    This “punish everyone” mentality be seen pretty clearly in the United States: there is are intense, and usually baseless, movements pushing for crackdowns on youth crime, or drugs, or immigrants, or people from the Middle East, or whatever the current moral panic is. Always, the call is for more punishment and never for proper education and institutional/societal reform. Youth crime has been consistently dropping for the last two decades, and yet I can tell you it has little to do with the fact that they’re sentencing them as adults.

    The biggest problem with piracy doesn’t actually come from the act of pirating itself. Piracy is merely a manifestation of ideological beliefs we hold as peoples. Internet culture in particular has made it not just tolerable to pirate software, music, and other intellectual property, but it has also made it socially acceptable and even expected for the majority of people of the younger generations. This ideology has to be supplanted with one that values art and culture not as something to be consumed, but something that should be treasured, and one that treats artists as valuable contributors to our intellectual and social environments.

    • Veylon says:

      Pirates pirate, first and foremost, because it’s free; they get something for nothing. It’s hard to argue with a deal like that!

      The ideology comes afterwards to justify the act so they don’t have to feel guilty. The DRM reinforces the ideology by transforming the victims into villains, making the pirates feel like armchair robin hoods by “sticking it to the man” and engaging in acts of rebellion against a caricatured oppressive monolithic entity.

      What the companies need to do is kill the DRM and work to swing societal pressure against the pirates. They can’t play the starving artist card when they’re constantly pulling out the heavy artillery.

      • Danath says:

        Pretty much exactly it. In fact, pirates seem to get MORE active about pirating something the more actively a company claims they have locked it down with DRM. Just look at the debacles with Spore and Modern Warefare.

        Light simple DRM is the way to go, a good old CD check was fine, if you lost your CD? It was never the companies fault, it was up to you to make backups or take care of your physical media, the company owed you nothing. Plus it was more annoying on pirates than what they have to do now, a 3 meg crack patch, bam, game is free to play.

        With a CD check with some information located on the CD/DVD? They actually had to use an emulator, and download/load an ISO into it, or burn their own DVD’s. It was more punishing than what they do now, AND just as effective.

      • someRandomDood says:

        I disagree. So far, I have bought all my games, but the way DRM is going, I feel that I may have to start pirating, just so that I do not encourage the further encroachment of DRM. The more the big corps restrict the ability to play, the more the pressure I feel to stop giving them money. I want to reward the teams providing good games, but I do *not* want to reward those companies who treat customers like thieves, and whose games are not guaranteed to last one month past the time they feel it costs too much to maintain the servers to support a *single* player game.

        • Blackbird71 says:

          This is still the wrong approach.

          If a company uses a DRM system you object to, and you buy the game anyway, yes, you are proving that they can get away with this DRM and still make money.

          However, if you turn to piracy over DRM, the company will still not get the message, they will simply point at the pirate numbers and claim it as justification for the DRM, and they’ll just make it even nastier the next time.

          Honestly, the best approach to companies that deal in this sort of DRM is just to ignore them. Don’t buy the games, don’t pirate the games, don’t play the games. I don’t think that there can be a more condemning review of a game(or DRM system on the game) than “it’s so bad, even the pirates won’t touch it.”

  22. Crackers these days make money from what they are doing (via the click through advertisements and such). Piracy is a huge parasitical business.

    Daemian Lucifer had it right, above.

    But crack prevention is very similar to cheat prevention for RTS games.

  23. Ramsus says:

    I have the feeling that if companies did that kind of thing a lot the people who crack games would just find other ways to get to that information instead of doing it the way they do now. Like for example having some weird program that plays the game at high speeds and just runs through every possible thing it could make the player do. Or maybe they’d start hacking into servers? Who knows. I just doubt they would sit there doing the same old thing while the big slow moving behemoths that are companies moved forwards.

  24. Danath says:

    Shamus has just suggested that games use the MMO formula.

    That’s all, theres nothing new or innovative here, just keep all the important data/scripting on the servers, and send out all the information that the clients need, without the clients HAVING any of that information. It’s decryptable sure, but it takes a long long time to crack and put together any kind of “working” final copy due to most of the important information not being hosted by the user.

    This sucks, in an MMO sure, but I hate this kind of approach for my single player games, which I play when I don’t HAVE internet, a phenomenon more common than you might think. People on my network DLing? Single player. Connection issues? Single player. I can no longer do this if the information is being held on these servers, and that’s why this is a really, really, really bad solution.

  25. Athan says:

    Let’s not forget that if a company does try this complicated “depending on what order you do things in you need/get sent different data” scheme there are *bound* to be bugs in any implementation.

    So, as well as needing a continuous connection to play the game chances are *some* players will run into a new class of bug that prevents them completing the game at all (at least for that particular play-through).

  26. Nalano says:

    Sounds like “cloud” gaming.

    The concept is abhorrent to me. I’m sure all companies would love to just have a direct connection to my credit card info, regardless of whether or what they produce and when, how or even if I partake in their product.

    Sorry, did I say “product?” I meant “license,” abridged, qualified and revocable at any time.

    Somehow the right to free enterprise became a moral obligation for consumerism. However, I’m not in the habit of allowing purveyors with such unvarnished, abject hostility to their patrons to have their cake and eat it too.

  27. […] to figure out how to use the server referral loop the previous cracks depended on. Shamus Young suggests to Ubisoft that they go one further: Don’t put just some content online, make all content online, making […]

  28. Simon says:

    One thing I think everyone must also take into consideration when considering DRM is the actual DRM industry itself, not the technical sides. Consider the Sony CD Rootkit fiasco. Ultimately, Sony fobbed the whole mess off to the “third party” who implemented the DRM, but why did it go to the third party in the first place? It is because who people who ran that company had commercial/personal ties to the Sony executives making the decision.

    A game publisher executive will not have his job forever. Corporate officers at higher levels move around from company to company. They need someplace to move to. The game industry is now around long enough for for secondary businesses like distribution, DRM, marketing, etc to be firmly established. Executives rotate between these companies. They give the DRM contract to their DRM buddies to keep a door open for such them they want to work there.

    Killing off DRM isn’t about proving it doesn’t work or is a waste of money. It isn’t a waste of money to the people making the decisions. It is opening doors for them to ensure future profitable employment when they are done and dusted in this “computer game thingy” they never cared about in the first place besides being “just another business to manage”.

    DRM will have to evolve and keep changing, not to be harder to crack (it becomes this way “naturally”) but to have selling points over existing DRM solutions, so to allow the business to prosper and keep people investing in them. We want to tone down or beat DRM? We need to beat an entire business sector.

    Unrelated: Ubisoft lost my business once years ago with the Starforce mess. After several years of good behavior, I finally started buying their stuff again. Now this… I’ve given them up forever. Just sc**w them already.

  29. Draconis Ravenus says:

    I’ve got it! Ubisoft should just add some sort of input fields when you first start the game. Fields that will prompt you to look at certain pages of the printed manual, which will come with the game, of course.

    So it might ask you “What is the 3rd word of paragraph 3 on page 45?” And then you’d pull out the printed manual – which of course comes with the game – and find the answer!

    No more of this pinging and receiving server requests.

    Fooooooolproof!

    • Vipermagi says:

      I bet all pirate copies will include the answer to this question, or exclude the question in the first place.

      • eri says:

        I think you missed the joke. This was a common copy protection scheme used during the DOS gaming days, along with things like decoder rings, monitor overlays, etc.

    • Primogenitor says:

      This would mean printing a decently sized paper manual (possibly with an anti-scanning watermark of some kind). Or maybe even two discs of paper with holes in them! That would be far too expensive!

    • Jarenth says:

      Of course, if Ubisoft ever made a game with a scheme like this, the manual would come cuffed to an angry pitbull, and you’d have to make manual checks every ten minutes.

      • Draconis Ravenus says:

        That would be pretty cruel, and I’d not be shocked if they went that route.

        The crux of my original joke, though, was that Ubisoft recently announced they’re discontinuing their printed paper manuals. So it would be great, because they’d ask you to look it up in the manual, only you’d realize you don’t have one! So then you’d have to quit or minimize your game to open the digital manual, but realize the manual has ITS OWN DRM protection to make sure hackers couldn’t just download it.

        So the manual would have a field where it would ask you a question, like: “Load the game and go to Town A on the map. Go thirty paces west of the maple tree on the library’s lawn, and then 15 paces south. Turn 45 degrees clockwise. What are the color of the drapes you can see through the window of the house now in front of you?”

        Diabolical!

        • Jarenth says:

          I posit that an angry pitbull cuffed to a paper manual is a much more effective form of DRM than anything that you can attach to a PDF. Especially if the pitbull is trained to attack every time he sees a recording device of sorts.

          …I was originally going to make a joke similar to what you said above, but I found I couldn’t really have it make any sense. Good to see that won’t be deterring Ubisoft in the future, though.

          • Draconis Ravenus says:

            I yield to your point. But ONLY if the pitbull is trained to attack every time you try to play a non-Ubisoft game, since they can’t check if those other games are pirated; the only way to REALLY be sure is if the pitbull denies access. Also, it should be trained to eat blank cd/dvd spools on sight.

  30. Josh R says:

    One solution I see, is implement this DRM at release date, then once it has been cracked, remove the DRM from all copies with a patch.
    The store version now has less DRM and the people who were opposed to the drm in the first place can buy it, and even if it is cracked again, there’s not much point as it was already out there.

    • eri says:

      The problem is that a) there is no real financial incentive for the company to do so and b) you’re assuming that the company is going to keep perfect working copies of the “clean” game files, and that it’s going to keep some people around to issue them in an update. It doesn’t work that way. Usually even before a game has shipped, most of the personnel have moved on to other projects, and anyone left over tends to be in the QA business just in case there are any major issues that come up.

    • Athan says:

      … and the people who were opposed to the drm in the first place can buy it…

      Except if they really feel strongly about the DRM they won’t, as this can be seen as still encouraging such.

      For me to buy any Ubisoft product now they’d have to remove all such DRM from all current and past games, plus ‘promise’ to never do it again in future games. Even then I’m not sure I’d trust them given inevitable changes of management.

  31. equinox216 says:

    Clearly game manufacturers have missed an important, high demand niche for online play: head-to-head DRM-cracking games. I mean, they’re MAKING them already; they’ve just neglected to market it as a feature.

  32. LOLdependent says:

    Sight, Shamus, where are your video game reviews where you analised every aspect of that game?And the acid critics of DRM and the way video game industry exploits its customers (the paying ones)?
    Now there’s “pirates suck, I know how to beat’em” and pointless questions like “how long is wow” and rants about some other things I don’t care about and the videos of ME where there are simply too many times when I can’t understand what you guys’re saying and evend the comics that you make for “the escapist” are about video games I don’t know or care about.
    I know it’s your site, and that I’m not forced to go here but I need to say “what attracted my toward this site has gone”.Only the let’s play interests me right know.

  33. Mephane says:

    Then the killing blow: Make the various triggers dependent on branching player behavior. If you kill A before B, then the server will send you one thing. If you perform action C before doing the main quest, then this key NPC is moved from one location to the other. If the pirate server doesn’t respond with the right data, then the game can fail silently in a lot of annoying ways. The boss you’re supposed to fight won’t show up, a door won’t open, or you won’t get a key item you need to progress.

    Considering how full of bugs modern games are, it is probably an incredibly bad idea to purposely put code into a game to make it fail. It’s bad enough when failing without the intention. Now have that “silently failing game” DRM system be buggy, too, and sometimes kick in even on a legit copy…

    I guess “clever” businessmen are already planning something like this anyway. Let’s just hope they fail quick and hard with this scheme, too.

    P.S.: It is amazing how far humans can go in order to purposely make otherwise good things a total mess. You don’t bother writing good code without some memory leaks, recurring crashes or savegame destroying bugs. Hell no! You even invent new ways of making the whole thing worse, slower, more complicated, more buggy and all that for no measurable benefit on any level whatsoever. So many things done by humans, including but not limited to video games, could have been so great if not for some guys thinking they can slightly increase their profits by with actions absolutely detrimental to the work.

    In the case of video games, the pile of games which are well-designed on a game design level, but an absolute catastrophe on the technical (including DRM) level, is growing larger and larger…

    /facepalm

    • Jeff says:

      This idea won’t work. (The one you quoted.)

      It’s been done before. What happened? It had an entirely undeserved reputation for being a buggy failure, and almost nobody bought it. As a product, it failed spectacularly.

      However, the game itself wasn’t actually buggy – the “bugs” were deliberate code that they had put in so that pirates would have problems. Unfortunately for them, they didn’t reveal that until the game was already known for being crappy, and of course once it was known that was circumvented as well.

  34. Jeff says:

    Hey Shamus, in terms of how effective it was…

    Speaking as someone who used to download games (no money) and now doesn’t do it any more (I think I’ve spent about $300 bucks in the last few months) but still keeps an eye out, AC2 was “cracked”, sort of, on 0-Day.

    What happened was that they could only do it in bits and pieces, exactly as the link you posted said. So, if I wanted to (which I don’t, since I never bothered with AC), I could have played by the third day about 30% of the game. There were issues with certain scene/location transitions, and the failure of some things to load. It was certainly playable for about 10 hours when I had checked that close to release.

  35. randy says:

    The biggest problem we have is the number of FUCKING IDIOTS buying Assassin’s Creed 2, Modern Warfare 2, StarCraft 2, etc in drows. They’re validating all that is against PC gaming: extreme DRM, online forever, no LAN, no dedicated servers, no modding, no mapping, no nothing!.

    If we keep following this path, soon the PC will be just another console. Thank god the indies will still be there, and most of us still have a big catalog of games to play.

    And now, the map pack for MW2, $15, and is already rising to the Top Sales of Steam. The horizon has changed. The average PC gamer now has an empty place where his brain used to be.

    God, I hate this industry, and the morons that buy from it without a fucking shred of judgement.

    • Zeta Kai says:

      1) Swearing does not enhance one’s argument. It may make an argument more entertaining (or not, in this case), but not more effective. Please refrain from needless swearing.

      2) The PC market has been diminishing steadily for years now, & is near collapse. Emulating the console market may be the only thing that can save it. Even if that last sentence isn’t true, & making the PC market more like the consoles isn’t the answer, it at least looks like a sound idea to the gaming companies, & makes a compelling argument. It’s hard to argue against sales figures, & the console numbers consistently dwarf those of PC versions.

  36. Steve C says:

    DRM systems that hold back data then send it on demand are offloading the $ cost of copyright protection to the consumer. Transmitting bytes from one end of the world to the other is not free. That is a cost that is borne entirely by the consumer.

    I’m in a rural area without DSL. I have to pay per megabyte. I feel the pinch in my wallet of every unnecessary bit transferred. Schemes like Ubisoft’s are not only morally reprehensible but they are also financially impossible. I can’t spend $100 for an hour’s gaming.

    You have an unlimited internet connection so you don’t think it applies to you? Wrong. Your ISP has costs and it passes them onto it’s customers regardless of the service plan. It applies to everyone. This DRM inserts inefficiencies into the system and we have to pay for it.

  37. Dev Null says:

    What you didn’t mention in the EP article is whether the DRM working for the critical first 6 weeks had any effect at all. We’ve all known for years that the industry’s whining about every piracy being a lost sale was nonsense, but did it do anything noticeable at all? Because that would make it the first (that I’m aware of) hard evidence one way or the other about how much sales are lost to piracy, and _that_ would be interesting…

One Trackback

  1. By Gaming « Big Smoke on Sat Apr 24, 2010 at 3:00 am

    […] to figure out how to use the server referral loop the previous cracks depended on. Shamus Young suggests to Ubisoft that they go one further: Don’t put just some content online, make all content online, making […]

Leave a Reply

Comments are moderated and may not be posted immediately. Required fields are marked *

*
*

Thanks for joining the discussion. Be nice, don't post angry, and enjoy yourself. This is supposed to be fun.

You can enclose spoilers in <strike> tags like so:
<strike>Darth Vader is Luke's father!</strike>

You can make things italics like this:
Can you imagine having Darth Vader as your <i>father</i>?

You can make things bold like this:
I'm <b>very</b> glad Darth Vader isn't my father.

You can make links like this:
I'm reading about <a href="http://en.wikipedia.org/wiki/Darth_Vader">Darth Vader</a> on Wikipedia!

You can quote someone like this:
Darth Vader said <blockquote>Luke, I am your father.</blockquote>