Copy-Protection (was: Downloadable Games are Important)

[Topagae]

"Neque porro quisquam est qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit..."

[PyTom]

Anyhow, more specifically, my suggestion is to hide a unique secret with every copy of a game you sell, and pair with it that key(/pad), given only to the person you sell the game to. Thus, a user would use their key to unlock their game.

But what would prevent the user from giving that secret to other people? That's the difference between traditional crypto and copy-protection.

As I implied earlier, I know exactly who's leaking my games, but there's a limit to what I can do with that information.

Anyonymous and easily-cancelled credit cards sure make this problem hard, don't they? I wonder if it would be possible to require something like a paypal verified address before selling a game, or if that would reduce the market too much.

As a question to the various commercial people out there, what does your sales profile look like, over time? How much of your sales are in the first few months, versus months or years later?

[Topagae]

"Neque porro quisquam est qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit..."

[papillon]

How much of your sales are in the first few months, versus months or years later?

Release is certainly a spike that tends to trail off, but there are other spikes when you do something that gets more attention. Most of us are not that amazing at marketing, so little things cause more dramatic fluctuation than they would for massive budget games that have sunk as much as possible into pre-launch buildup. Getting mentioned on some other high-traffic site or having a big sale could be as big or bigger a spike than the release.

[jack_norton]

As a question to the various commercial people out there, what does your sales profile look like, over time? How much of your sales are in the first few months, versus months or years later?

Depends on game type. In general, what papillon said. However more complex games (RPG, simulations, etc) keep selling for longer time than "simple" VNs (from what I can observe in those few years I made them).

[Crocosquirrel]

Philc, maker of Poser tools, does something similar for his applications: He has a proggie that he feeds the name/address/etc into, and pops a key back out that goes to the customer in a registration email. In the one case where one such app was found on a torrent site, he tracked the individual down who's license it was, and entered into... Aggressive Negotiations with the offender. All was settled without further incident, but I have yet to see an unlocked version back up on the pirate sites.

What he's thinking *can* be done, but it would take an extraordinary effort on our parts to make it work.

That said, once it does, it appears to be effective.

[Topagae]

"Neque porro quisquam est qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit..."

[Crocosquirrel]

All right, as amended: It would be difficult to do by yourself, as Philc has done. Distribution sites notwithstanding. I don't as yet do any business with the distribution sites, so I was missing that part of the equation.

[Topagae]

"Neque porro quisquam est qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit..."

[Crocosquirrel]

Also true, depending on just how secure he wants to be. That said, I'm not a pro, and nor do I generally expect that most of us here are either. I could be wrong, however.

[Topagae]

"Neque porro quisquam est qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit..."

[Crocosquirrel]

Originally, I put the idea out there as a possibility, if someone has the skills to do it. I don't, and no one I know off the top of my head does either, with the exception of the individual I mentioned. If there are the people that know how here, or could work it out, the idea is there, and hopefully they'll be kind enough to share with the rest of us.

So far as nitpicking, I don't make assumptions about any group of people if I can help it.

[Jake]

Originally, I put the idea out there as a possibility, if someone has the skills to do it. I don't, and no one I know off the top of my head does either, with the exception of the individual I mentioned. If there are the people that know how here, or could work it out, the idea is there, and hopefully they'll be kind enough to share with the rest of us. :)

I have the skills to do it, and as a professional programmer I can assure you that anyone who would put something like this into production after they only spent an afternoon on it is a prize idiot. It's not a hugely technically difficult problem, but the nature of it demands that you make absolutely sure that you've not cocked up anywhere, or all your effort is for naught.

(Off the top of my head, I'd suggest that a public/private key pair used to sign a document with the personal information on, to be validated by the program using the public key, would be the obvious approach. The personal data is thus part of the 'key' that unlocks the software, and if it's altered it doesn't work anymore. You can get off-the-shelf software for the public/private key crypto part, even.)



But part of being a professional software engineer is being able to recognise the flaws in a design or implementation, and this idea has some obvious ones.
Firstly, how do you guarantee that the name and address the client gave you are correct? It's practically speaking impossible. You can't rely on the email address, because those are disposable. You can't ask the payment processor, because - leaving aside that it's not impossible to pay for things mostly anonymously - a bank or even PayPal are not going to be that amenable to some random Internet software nobody asking for their clients' personal information. Even if you could reliably trace - say - a credit card to a person, it's still not entirely reliable because people get their credit card details stolen all the time.
Secondly, how do you deal with the kid who loses the flash drive with his serial/cert/whatever on? The guy who finds it puts it up on the web, you see it and presume it's the kid and go after him - then what? If he protests that he didn't do it, do you ignore him? 'Cause that's exactly what a pirate would do, right...?
Thirdly, all this is largely moot anyway, because the decision on whether or not to run is made by the bit of software you're sending to the customer. So the hacker doesn't need to provide a valid certificate proving that he has the right to run your software - he just needs to get into the code and change it so it doesn't even ask for a certificate. Analogy? You've bought a shiny new TV and reinforced the front door with sixteen locks, but the thief just needs to put a brick through your window. If your software is really worth stealing, then someone will do this pretty quickly, and there's only so much you can do about it.

So I haven't done anything like this, and I most likely won't ever do anything like this, because it seems to me it's largely a waste of time.

[PyTom]

One problem with DRM is that it's fundamentally security by obscurity - in a way real security is not. That being said, I do have an idea for copy protection in which the game-maker could "turn off" copies of the game that have been posted publicly.

I'd like to try to strike a balance where active game-makers can get some degree of protection, at least from casual copying. At the same time, I personally find it important that copies become/remain playable once the creators stop actively selling them - if they don't, then we start running into cultural preservation issues.

[Topagae]

"Neque porro quisquam est qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit..."