DRM: The Programmers View

I make my living as a software developer, and this confuses people when they hear me bashing DRM. They are perplexed by the fact that someone who writes software may be so vehemently opposed to copyright protection tools. After all, most musicians, movie makers and book authors seem to support the idea. These tools protect their work from evil pirates who would otherwise download it for free. Whenever I say something critical of DRM schemes they dig out this old chestnut:

Luke, how would you feel if someone pirated your own software?

I’d feel peachy keen actually. My software can’t be pirated because I give it away for free most of the time. The commercial stuff I write, is done on salary or via contract. In other words, I get paid for my software as a service to a given company. Whether or not that software gets pirated or not, does not affect my pay. You see, I removed myself from that equation by refusing to develop and sell commercial products directly to the customer.

This of course doesn’t mean I do not understand their mindset. If I chose too develop and sell a commercial application it would be tempting to try to build in some anti piracy measures. In fact, if you are a small startup and you are selling directly to you users via digital download, this sort of thing may even work.

Some time ago I wrote about Amy Builder and how it’s product remains uncrackable years after the release mostly due to the fact that it is a niche product. Still, I must wonder whether or not this is working for them. You see, their previous version was easily cracked widely available on file sharing websites. Thanks to that fact they have quickly built a critical mass of users.

Now they have a yet to be cracked version, but also a very large user base. A lot of former pirates who are returning to the tabletop gaming hobby may try to find a cracked version, fail and actually buy the product in the end remembering how much they liked it in the past. This means that piracy may have actually helped them in the long run.

But of course the Army Builder is a small application that uses a fairly simple anti-piracy measures. They are complex enough to deter inexperienced crackers, but the application is not notable enough to warrant attention of the big time scene folks who would rather spend their time on popular commercial games or applications. This scheme works for Army Builder because it is a tool designed for a small group of customers: people who play tabletop battle games.

As soon as you gain mainstream popularity you automatically show up on the radar of the more competent crackers. Sooner or later someone will break your copy protection scheme. At that point you can do one of two things:

  1. Re-write the copy protection code and re-release
  2. Ignore it

If you choose the former option, you are going to get yourself into a constant battle between you and the crackers. Each time they crack it, you will analyze their crack, go back to the drawing board and try to outsmart them, fool them and get the upper hand. And then they will crack it again.

Eventually you will realize that you are spending more time writing the copy protection code, obfuscating it and creating traps and red herrings for a potential cracker, than actually maintaining the application itself. I’ve seen this happening, and you really don’t want to do this to yourself as a developer. The only way to win this, is to make your application code so complex, and so tightly coupled with the copy protection code that it ceases to be cost effective to crack it. It will never be cracker proof, but you can at some point get it to be such a headache that it’s just not worth cracking. If the difficulty of the crack far exceeds the glory that can be gained out of it, most people will just give up and leave it alone. But if you get to that point you will realize that:

  1. Your application is now a nightmare to maintain
  2. If you count lines of code, those that deal with copy protection will outnumber everything else
  3. You can no longer normally debug your app
  4. Your sales numbers didn’t change at all
  5. Legit customers are angry because the copy protection code interferes with their normal operation
  6. Pirates are happily running the last cracked version and there are whole communities online devoted towards porting the new contend to that outdated release

Trying to fight with pirates is probably a really great way to develop an ulcer, and experience a genuine mental breakdown.

Of course most of the software these days is not written by lone developers. It is created in teams which must work together and be able to read the code. This means that obfuscation, memory traps and all kinds of clever things that could trip up a potential cracker as he steps through the code in a debugger can’t be used. The code must be readable, maintainable and testable.

So we get to this weird situation where copy protection is now a feature that is created separately from the main product itself. More often than not it is an off-the-shelf product of some sort – like the industry standard SecuROM. And because it is a separate product it is loosely coupled with the application itself. What does that mean?

  1. Firstly, it means that the two products must be integrated – which may take a lot of work, and introduce certain amount of friction in places where the two must interface with each other
  2. Secondly, loose coupling means that the cracker’s job is easier. With a completely custom solution you can litter main application code with your copy protection checks. Anyone wishing to crack it, must then find every single one. With a ready-made solution, a cracker simply must find the spot in the code where the DRM gives control back to the main app and then create some sort of a workaround.
  3. Thirdly, it allows the crackers to specialize. They can go out and study how SecuROM works and become really good at disarming it. Then when you release your app, it they will know exactly what to do to strip it down of DRM.

So you see, being a developer only reinforces my feelings about DRM. Yes, I can put myself in the shoes of a poor downtrodden programmer who is starving because evil pirates stole his code. I can also put myself in the shoes of a cracker who can’t wait to start stripping DRM from a brand new video game. I can see both sides of the coin, and I can tell that DRM is a dead end.

Everyone who paid attention in their computer security or a cryptography class back in college knows this. A working, un-crackable DRM is impossible to create. It is the computer science version of the perpetual motion machine. In fact, you know that anyone trying to create a perpetum mobile is a crackpot who is simply ignoring the laws of physics. Similarly, anyone working on DRM is a crackpot ignoring everything that was ever written about cryptography.

Yup, I said it. No sane, self respecting computer scientist will ever want to work on a DRM related project. Not unless he has to. Who develops DRM then? Well, there is probably a handful of talented crazies who think that their idea can actually work and a lot of people who simply don’t know it can’t. DRM is written by either insane, misguided programmers or talentless hacks. Unsurprisingly, most of DRM products are not only ineffective but also badly written.

Adding DRM to your product, is really equivalent to smearing it with shit. This is why most of modern DRM products has all these issues. This is why I need to run Fallout 3 as administrator under Vista. This is why I had to disable and remove all my emulation tools to even install it.

This is why I hate it. There is nothing hypocritical about it. As a programmer I would never actually want to get into the copy protection war and I would never want to expose my customers to the steaming pile of shit that is SecuROM. Sure, I’d probably not be happy to find out that people are using my software without paying for it. But I’ve been in this industry long enough to know there is nothing that I can do about it. I can’t stop people from pirating my work – it’s just impossible. Trying to accomplish it will only make an ass out of me, alienate my customers and frustrate me even more. The only way to win this battle is not to fight at all.

I said it before, and I’ll say it again: a single CD-check is usually enough to deter casual piracy and sharing between friends and neighbors. And sadly, you can never even hope to accomplish more than that. Or rather, you can hope – but it won’t mean you will ever be successful at it.

This entry was posted in programming and tagged , . Bookmark the permalink.

10 Responses to DRM: The Programmers View

  1. dawn SWITZERLAND Mozilla Linux says:

    You mean “the latter option” (re-write the copy protection mechanism), I think. What is your policy on pointing out mistakes ? Comments or email ?

    Reply  |  Quote
  2. Steve CANADA Mozilla Firefox Windows Terminalist says:

    I, like everyone, hate DRM-polluted software. If I buy a game, I won’t install it – I will download the cracked version and use that. So, in that way, I have supported the developers who created the game, but have given a virtual “up yours” to the DRMers. Though, I won’t touch an EA game (SIMS3, Spores) at all. Cracked or not.

    Reply  |  Quote
  3. Zel FRANCE Mozilla Firefox Windows Terminalist says:

    I agree with you, DRMs can work but on small enough projects that experienced crackers won’t notice or bother. What seems to work for now is the online account approach, but while this is easily justified for a MMO (along with server-side storage of your progress, to prevent piracy cheating), it’s much harder to do for single player games. EA somewhat tried it with Mass Effect and Spore, but thankfully turned back. I guess the next step would have been to store your savegames online and make them accessible only if you successfully log-in to your account…

    Reply  |  Quote
  4. As a Programmer i just have to congratulate for writing another great article… but still there are some small points where i must point out some things where you go wrong.

    At first: its not impossible to write the “perfect” DRM.. not because there is one way how you could prevent every theorethicall possible crack… just because you _could_ get to a point where noone wants to bring the effort in cracking your DRM.
    So from this point of view you allready archieved this on your own. Big Products can of course try to archieve this on multiple ways… one is beeing that crappy that noone wants the product anyway. ;-)

    another thing i just feel the need to point out: I think there is another pretty good working copy-protection out there, keeping everyone from creating hundreds of copies and giving them to theyer friends for free.

    Its called “pressing your Data onto DVD9” and is simply to expensive to create dozens of copies.
    Still you can copy images and give them away via torrent or harddrive.. but you wont keep some hundred harddrives for lending them your friends and data-transfer over internet is still pretty expensive in time and money.

    So i think this propably would be enough without cripling your product.

    Reply  |  Quote
  5. IceBrain PORTUGAL Mozilla Firefox Ubuntu Linux Terminalist says:

    “At first: its not impossible to write the “perfect” DRM..”

    That’s like saying it’s possible to build a perpetual motion device: just build one that noone wants to turn on.
    DRM depends on giving the customer the encrypted contents AND the key to decrypt them and hoping they’ll never use them together :|

    As for “pressing onto DVD9”, how does that protect anything? People will just use a couple of single layer DVDs instead of one.

    PS: Why does WordPress requires Javascript to post comments? Bad wordpress!

    Reply  |  Quote
  6. road UNITED STATES Google Chrome Windows says:

    i think nearly all software will eventually move online (into the ‘cloud’). partly because it has advantages and partly because it makes it much easier for software manufacturers to charge for access. it kind of annoys me because i see many products incrementally integrating online-features into their software so that eventually they can make these features “essential” and thus require all users to pay a yearly fee for access. this, to me, is one of the major annoyances of commercial software: the need to constantly grow and add new features. most software products (e.g. OS, Office software, tools, media players, etc) eventually achieve perfection — they acquire all of the features that one would expect from such an application. after that point, open-source software stays good for decades, and commercial software gets worse with every version because the manufacturers need to convince people to upgrade. this is yet another advantage (from the perspective of the software-makers) to put all software online so that there aren’t “old” versions of the software around, but everyone has to pay the same yearly fee to use your cloud-software.

    Luke is right, though, that light-DRM is probably sufficient for everything outside the mainstream.

    Reply  |  Quote
  7. Alphast NETHERLANDS Mozilla Firefox Windows Terminalist says:

    On a lighter note, but precisely on topic, the studio CR Project RED decided to release a patch removing the DRM of their latest game: The Witcher. It will be online tomorrow on the server of the game studio. With some new content too, if I understood well (my Polish is non-existant and their English can be rusty).

    Reply  |  Quote
  8. @IceBrain: of course its like this.. but if noone ever starts the device it could not fail :D

    The Problem with DVD9 is: if you want to seperate the Data over multiple DVDs, then you are back to either cracking the CD-Check, using virtual Drives and Images or even telling your friends how to merge those DVDs on your own.
    Everything is perfectly possible, but imho it raises the bar to copy this piece of software a lot higher then the default-inclusion of SecurRom or something similar does.
    The efford to download a Crack is imho not compareable to the effort of slicing the DVD9 into parts of the right size and telling your friends how they should use these.

    Reply  |  Quote
  9. Luke Maciak UNITED STATES Mozilla Firefox Ubuntu Linux Terminalist says:

    @Dr. Azrael Tod: Ok, here is the thing – downloading 8GB over a torrent is not a big thing these days. A lot of people have FIOS these days. :) I see torrents this big all the time now and no one seems to be complaining.

    Most people don’t burn CD’s/DVD’s anymore. They mount the images with Demon Tools or Alcochol.

    Also, I see a lot of games that are distributed as rips rather than disk images. In other words all you get is a huge .rar (or bunch of smaller ones) file and a batch script (that you run at your own peril). The script adds all the registry settings, while the rars contain the actual game files that the cracker collected after performing the installation on your system. Often such a package is trimmed down for size by removing foreign language audio files or unnecessary cinematics.

    Some of these are actually made using pre-release beta or RC versions that were leaked by the testers. So the crackers can often circumvent the whole DVD9 thing.

    But again, that’s only for big companies. When you are small, niche product then yes – something like this will definitely help.

    Reply  |  Quote
  10. @Luke Maciak: and still there is the point that if your game is distributet via torrent and your users are going to download it anyways, there will be a way they can do this.
    So what i believe is: the only thing you can do is reducing the people who copy it from your sold versions.

    Reply  |  Quote

Leave a Reply

Your email address will not be published. Required fields are marked *