The video game industry's best-of-class DRM is routinely cracked in less than 24 hours

Originally published at: https://boingboing.net/2017/10/19/denuvo.html

…

Also important to discuss or bring up is that there are instances where DRM can cripple the functionality of a game. It can cause the game to run worse or require a game to be online 24/7 even though it does not have any gameplay features that need a connection. Breaking the DRM and getting rid of it can allow certain gamers to be able to have the game run as intended or better than intended. So breaking the DRM isn’t necessarily always about piracy.

I always buy my games and would never advocate for piracy, but if i were to buy something that was hobbled by DRM i would be quite upset.

What! Gasp- splutter!

I’m unconvinced by the “many eyes” argument for open source. Yeah, I get it, in theory everybody can review the code. In practice–which is what counts–I’m not sure how much of an advantage (if any) you actually get. How many OpenSSH vulnerabilities have been found over the years? And I know the OpenSSH folks are both conscientious and motivated to be secure.

Having said that, DRM is terrible. I once downloaded the cracked version of Civ in order to play the version that I had purchased. It kept telling me that the legally purchased CD or DVD that I had in the drive was invalid or missing and prevented me from playing the damn thing. I think the issue was that the DRM couldn’t properly validate the disc when the optical drive was hot; if I booted the laptop cold it would often work properly.

Pain in the ass, though. I nearly gave up on the series after that.

I wonder if this pushes their value proposition below their cost? Basically if the publisher didn’t sell enough extra copies to pay the Denuvo bill will they skip it in the future? Or does Denuvo still guarantee X days uncracked or your money back?

While I doubt this is the end of DRM, it is probably going to give publishers pause in the future.

Security through obscurity does not work because then every piece of software becomes a ticking timebomb, hiding vulnerabilities. Open source is not perfect but it incentivizes people to review the code and make sure it works as intended. Either way in my post i’m not advocating for open source, i’m advocating for no DRM.

Oddly, Humble Bundle is giving away Civ 3 Complete.

Steam DRM, though.

I think we’re pretty much agreed there. I should have stressed that my open source rant was addressed to this “doctorow” fellow.

As someone in the industry (and whose parent company once made DRM solutions), if it’s not getting cracked, you’re not making something worth cracking. Case in point: DivX, the pay-per-view DVD competitor. Never cracked; not worth cracking.

In the case of newer versions of that company’s software (since I’m long gone), I hear that it’s not been cracked in many versions. It’s also been many versions since they added a feature that was useful to their customers. Year over year, they lose customers, and year over year they raise prices to maintain the same level of revenue. It’s clear they are going to drive it into the ground, and just end of life it once they can’t make any more money. I am glad I no longer work there; I’ve done quite well being an expert on that software suite and underlying tech.

I bought the latest South Park game on Steam. Along with Steam’s own DRM, it’s also covered by uPlay and Denuvo to stop other people who haven’t paid for the game playing it. After I send this reply, I’m going to go check around the usual torrent sites to find a copy I can play with the DRM disabled. When the decision-making process leans in favour of using pirate releases (possible malware, possible legal action) over the official release (possible privacy issues, buggy DRM) you know it’s time to admit that this is all just a futile exercise in security theatre.

EDIT: Found it. The malware it was infected with was far easier to remove than Denuvo, too.

This is something I’ve become aware of where I work, too, although on the customer end of things. The organization for which I work has purchased add-on tools for Microsoft Office from third-party vendors. This seemed like a great solution at first – the tools improved our workflow and we didn’t have to build or maintain them ourselves. The tools were never perfect but we assumed they would improve. The vendor would maintain them, right?

That’s just a delusion, though. We were thinking of some sort of ideal situation, kind of like the IBM man in the grey suit. These vendors never had any intention of doing anything like that. They aren’t improving the tools we’ve bought from them. They aren’t even maintaining them. Their developers are working on new tools. When the tool we’re using dies because Office is updated or whatever, the solution is that we can buy their new tools.

So many companies and/or industries have adopted this business model that focuses purely on acquiring new customers. Phones, for sure. Banking. Anything that is a website, basically. “How many users signed up this month?” But there are no new customers, just recycled customers. It’s just a circle-jerk, businesses trying to look good on paper and nothing else. Happy investors! Sheesh.

Okay, so, yeah – lots of other possible reasonable causes for this crappy situation but even if we take that kind of thing into account, the smallest amount of this sort of disingenuous behavior that is likely to be going on still represents a great big pile of bullshit.

Man. I haven’t even touched on the worst aspects of this old company. They were one of the founders of the “Compliance shakedown” model. Basically:

1. Make DRM that prevents piracy, but doesn’t implement the actual license restrictions defined in the EULA (in this case, each unique user of the software on the machine requires a unique license, but is allowed to use the software without any visible detriment).
2. Run period reports from the DRM layer phoning home on how many users are using each activated endpoint.
3. Come back after a year or two and demand “True Up” fees for each extra user that looked like they used the software.

What a racket. There’s more that’s even more shady, but I don’t want to give away what company I used to work for.

DRM (and it’s ancestor, copy-prevention) has always been a useless thing to keep legitimate customers from using their legally acquired products. a perfect example is the old Commodore 64- since the disk drives were ‘intellegent’ (i.e., had their own on-board processor, ROM and RAM), companies did some really interesting things to keep people from making bit-copies of the disks. Some of those tricks were pretty awesome, at least from a technical point of view.

Windows 10 locks out the DRM software on their own older games like Age of Mythology. (No, I don’t want to play it on Steam. I want to play the copy that I own!) The game should run fine, it’s the DRM that’s brittle.

DRM does not lock out people who don’t want to pay for a product, it mainly inconveniences and even hinders people who legitimately paid for it. If anything the people who download stuff with the DRM disabled are often getting a better product. This is quite evident in pirated movies, legit ones can often have unskippable trailers or warning screens, menu animations, etc. while burned movies just cut straight to the chase.

Interestingly enough from what I’ve heard from gamedevs the DRM serves its purpose as is. All they want is a couple of days, even just the first day, because that’s where all the sales that really matter are. If someone doesn’t buy your game at or near launch they’re just going to wait until the next steam sale where they get it at a deep discount anyway, and digital distribution doesn’t work like stores do where the store paid full price for your game that they later sold cheap, afaik.

Except, you can’t be sure it doesn’t have malware in it.

This is how a lot of companies end up with Chinese clones of their products.

Pirate games at your own risk. But don’t ever pirate software for your workplace. It’s crazy how often that happens, and often just because someone’s boss doesn’t want to pay for a copy of something useful that costs ten bucks.

Depends on where you get your copies. Back when i was downloading software i used a site that was pretty thorough in checking for malware, but then again… i don’t pirate stuff anymore so it’s a non-issue for me. If given a chance i would much rather buy my products so i don’t have to worry about that kind of stuff.

That is so shady it could probably be used to prepare Mercury for safe human habitation.

Especially since the corporate customers who are the usual targets for that are the ones who are comparatively unwilling to try even lightweight cracking attempts; but invariably have trouble keeping track of how many installs there are(to the point where inventory and license management bolt-ons are an actual product category).

Virtually anything strong enough that IT can say “nope, compliance issue, can’t do that” is effectively as strong as anything else; and something that actually tells the admin where the other seats are currently in use makes pinning the order for more licenses on the right department easier.

The only way you can be sure that there’s no malware in it is to step through the whole damn thing with a disassembler. Running a few AV programs feels thorough, but it isn’t. Every so often, a researcher will take a huge variety of malware and run it through every major AV program, and no combination yields 100% coverage–although usually the top 2 or 3 combined can get into the mid-to-high 80th percentile. The odds are better, but you’re still playing with fire. Like I say, the consequences are lower on your home system–just don’t bank or shop on your gaming PC, right?

Of course, there’s no 100% guarantee that the vendor isn’t shipping infected files themselves, but it’s much more rare compared with pirating software.