A perspective on DRM

Why? The total number of pirates is certainly likely to increase. But why would the piracy rate?

It's sort of an economy thing. Normally, when your customer base is small, you are more likely to focus on those who can easily afford your products, and you will price them accordingly. When you start to broaden your customer base, the "average income" of your customer base will go down, and therefore the piracy rate is likely to go up.

Frank said:
So you're saying, that the worse the quality of your product, the more money you'll make off it? And what about marketing? That would work counter-productive as well.

In absolute terms you are still more likely to make more money with better products, but in relative terms it's probably not worth the effort, up to a certain point (which may change depending on the product).
 
It's sort of an economy thing. Normally, when your customer base is small, you are more likely to focus on those who can easily afford your products, and you will price them accordingly. When you start to broaden your customer base, the "average income" of your customer base will go down, and therefore the piracy rate is likely to go up.
I think you're approaching this from a professional applications perspective. Most of us are approaching it from a games perspective. There are many, many ways to expand your customer base, and developers who seek to do so should naturally explore the effects of various ways of doing so.

With games, for instance, one way that some developers/publishers have taken to expand their customer base is to draw in people who were not previously gamers. This tends to significantly increase the number of paying customers if successful, because people who are not already gamers are highly, highly unlikely to be savvy enough to know the ins and outs of software piracy.

In absolute terms you are still more likely to make more money with better products, but in relative terms it's probably not worth the effort, up to a certain point (which may change depending on the product).
I think you mean beyond a certain point. Obviously it's not going to be worth the effort when you're talking about expanding your product into an area where the marginal increase in sales will be low compared to the cost. This is why, for instance, you're not going to see many game developers catering to the Chinese market.
 
That's not the point. The point is that once you get to selling of pirated products, you have people making their living off of piracy. This is a fundamentally different scenario from people just doing it in their spare time. When people are making a living on something, they are much more likely to actively promote it.
In the age of the internet and P2P this is a moot point. Active promotion doesn't matter, because if it's out there to be downloaded then people can find it. I don't think enforcement will be able to work much longer in suppressing the searchability of pirated software.

And the result? Fewer people make pirateable products for the Chinese market.
And you're okay with that? The Chinese market is huge. Piracy almost killed the entertainment industry within this closed system. What are the studios there going to do, sell Chinese movies to the US?

Just imagine if this happened to the western world, which is very much one entity. Heck, imagine if it happened to just the US. If that market disappeared, it would cripple the entertainment industry.

The funny thing is that you are almost making the case for DRM product with that statement, because the whole point of it is that now you have a non-pirateable product.
 
In the age of the internet and P2P this is a moot point. Active promotion doesn't matter, because if it's out there to be downloaded then people can find it. I don't think enforcement will be able to work much longer in suppressing the searchability of pirated software.
If people don't know about something, they aren't going to do it.

And you're okay with that? The Chinese market is huge. Piracy almost killed the entertainment industry within this closed system. What are the studios there going to do, sell Chinese movies to the US?
Well, as far as I'm concerned, that's their problem to deal with. We don't have any such issues, and even in a worst-case scenario for US or European movies/games/music, there are still many significant sources of revenue that are insulated from piracy. With movies, the theater experience is something that many people won't trade for a quick download. With music, the bands make the majority of their money from tours anyway. With games, the worst that can happen is games shift towards games that are either primarily online or with at least minimal online services, as well as to consoles.

The funny thing is that you are almost making the case for DRM product with that statement, because the whole point of it is that now you have a non-pirateable product.
There is no such thing as a fully DRM-locked product, though. The only way to come even close is through online services, and those are just fine as long as they are a way of adding value instead of a way to restrict the users' rights to the software they buy.

The problem, again, is that many of the DRM moves that companies have made have been in a direction that actually makes it more convenient for the pirates. And that's not only asinine, but downright idiotic.
 
Well, as far as I'm concerned, that's their problem to deal with. We don't have any such issues, and even in a worst-case scenario for US or European movies/games/music, there are still many significant sources of revenue that are insulated from piracy. With movies, the theater experience is something that many people won't trade for a quick download. With music, the bands make the majority of their money from tours anyway. With games, the worst that can happen is games shift towards games that are either primarily online or with at least minimal online services, as well as to consoles.

While I agree with you on music and movies, you seem to be okay with the worst case for games. I don't want to get a console and I like single player games. I'm certain I'm not the only one.
 
While I agree with you on music and movies, you seem to be okay with the worst case for games. I don't want to get a console and I like single player games. I'm certain I'm not the only one.
Well, I'm a big fan of single-player PC games as well. But all this means is that the games that will survive will be those with online-activated content, in a worst-case scenario. For example, take Galactic Civilizations, where purchasing the game means the ability to use their online updating tools which allow easy updates to the latest versions, updates which frequently add excellent new content.
 
I think you're approaching this from a professional applications perspective. Most of us are approaching it from a games perspective. There are many, many ways to expand your customer base, and developers who seek to do so should naturally explore the effects of various ways of doing so.

With games, for instance, one way that some developers/publishers have taken to expand their customer base is to draw in people who were not previously gamers. This tends to significantly increase the number of paying customers if successful, because people who are not already gamers are highly, highly unlikely to be savvy enough to know the ins and outs of software piracy.

I don't think gamers are necessarily different. For example, consider the Wii, which is considered to be exploring the new customer base of "casual gamers." Yet its games were pirated in Taiwan. Modded Wii consoles are extremely common; many stores even sell them pre-modded. When my sister told her friends that none of our consoles are modded and we don't have pirated games, their reaction was disbelief. On the other hand, the PlayStation 3 is the least pirated console here, because of the difficulties in copying the disc.

Therefore, I think in general this is still correct. Unless, when you are expanding your customer base, you are reaching higher ground (the richer people), you are going to face a higher piracy rate.

Anyway, I think it's clear that PC games need a very good DRM platform. Personally I prefer a net-based platform, like Steam, or Stardock's system. Although some people have their distrust in net-based platforms, and maybe a physical-media-based DRM should be used. I still think it's best if games can provide a selection between the two systems for customers to choose. However, physical-media-based checks are still very fragile (even net-based platforms are fragile too; for example, Steam can be cracked too).
 
I don't think gamers are necessarily different. For example, consider the Wii, which is considered to be exploring the new customer base of "casual gamers." Yet its games were pirated in Taiwan. Modded Wii consoles are extremely common; many stores even sell them pre-modded. When my sister told her friends that none of our consoles are modded and we don't have pirated games, their reaction was disbelief. On the other hand, the PlayStation 3 is the least pirated console here, because of the difficulties in copying the disc.
Again, remember, we're talking about marginal piracy, not absolute. You argued that spreading into new markets increases the percentage of games pirated. I argued that that depends entirely upon which direction you move. I see no reason to believe that Wii games are pirated any more on a percent basis due to the Wii appealing to a broader audience. But it's no surprise at all to me that in a market rife with piracy, it would be a major system, given that the Wii itself is the fastest selling console of all time.

Anyway, I think it's clear that PC games need a very good DRM platform. Personally I prefer a net-based platform, like Steam, or Stardock's system. Although some people have their distrust in net-based platforms, and maybe a physical-media-based DRM should be used. I still think it's best if games can provide a selection between the two systems for customers to choose. However, physical-media-based checks are still very fragile (even net-based platforms are fragile too; for example, Steam can be cracked too).
As long as they're limited to only checking the DRM when accessing online services, I think that sort of thing is excellent.
 
The only uncrackable DRM in the practical sense is using an RSA variant and having the CPU directly executing the encrypted stream. The downside of that is, that the decryption will use much more CPU power than the execution...

But everything you can think of to make the workload easier for the CPU (like, use RSA to download a fast symmetric key) makes it pirateable.
 
The only uncrackable DRM in the practical sense is using an RSA variant and having the CPU directly executing the encrypted stream. The downside of that is, that the decryption will use much more CPU power than the execution...

But everything you can think of to make the workload easier for the CPU (like, use RSA to download a fast symmetric key) makes it pirateable.

Actually, using RSA to decode the key won't make it pirateable. The RSA decoding can be performed inside the CPU, which does not need to be very fast. The key is stored inside the CPU so you won't be able to retrieve it. Actually, using RSA to encode/decode large amounts of data is potentially dangerous, which could make your secret key vulnerable to some attacks.
 
Actually, using RSA to decode the key won't make it pirateable. The RSA decoding can be performed inside the CPU, which does not need to be very fast. The key is stored inside the CPU so you won't be able to retrieve it. Actually, using RSA to encode/decode large amounts of data is potentially dangerous, which could make your secret key vulnerable to some attacks.
Yes, but symmetric keys are much less secure, because if someone cracks it through any means and publishes the key, it can be decoded everywhere.
 
Yes, but symmetric keys are much less secure, because if someone cracks it through any means and publishes the key, it can be decoded everywhere.

Well, public keys are even worse. If a public key is cracked, then everything associated with that key is compromised. Also, symmetric ciphers are generally more secure than public key ciphers. For example, we know that a working quantum computer can destroy RSA, but a working quantum computer would only be able to reduce the key length of a symmetric cipher by half. Reducing from 256 bits to 128 bits is impressive, but it won't make it more "crackable."
 
The only uncrackable DRM in the practical sense is using an RSA variant and having the CPU directly executing the encrypted stream. The downside of that is, that the decryption will use much more CPU power than the execution...

But everything you can think of to make the workload easier for the CPU (like, use RSA to download a fast symmetric key) makes it pirateable.
I don't buy it. There's always a way to crack these things. The only really uncrackable (or nearly so) setup is a pay-to-play online game.
 
I don't buy it. There's always a way to crack these things. The only really uncrackable (or nearly so) setup is a pay-to-play online game.

Of course, in theory there are no "uncrackable" things. But there are many different ways to make it extremely difficult to crack. For example, if Blu-ray did not need to be played on a PC, it would be extremely difficult to crack AACS (previous AACS cracks are based on vulnerabilities in PC Blu-ray software).

When we say "it's difficult to crack" we usually mean that it requires expensive equipment to do so. Then it will be much easier to trace the origin of the crack and stop it from doing so.
 
Well, public keys are even worse. If a public key is cracked, then everything associated with that key is compromised. Also, symmetric ciphers are generally more secure than public key ciphers. For example, we know that a working quantum computer can destroy RSA, but a working quantum computer would only be able to reduce the key length of a symmetric cipher by half. Reducing from 256 bits to 128 bits is impressive, but it won't make it more "crackable."
Yes, I agree. But, if you only use RSA with large keys (2048 bits+) and store the private key in the CPU, you have to crack it for each individual computer. While, if you crack the symmetric key once, you can decrypt all instances everywhere.

The first requires lots of processing power for each individual crack, the second only requires that processing power once for everyone.
 
I don't buy it. There's always a way to crack these things. The only really uncrackable (or nearly so) setup is a pay-to-play online game.
RSA requires negotiating a personal key for every user. So, essentially it's a security model based on individual, online content (the content being the required key to decrypt it on your computer). And each key is unique and won't work for any other computer.
 
Yes, I agree. But, if you only use RSA with large keys (2048 bits+) and store the private key in the CPU, you have to crack it for each individual computer. While, if you crack the symmetric key once, you can decrypt all instances everywhere.

In this case, it would only work for some kind of downloadable content, because it's impossible to manufacture a disc with all possible keys. There are over 100 million x86 CPUs sold each year.

In this model, the CPU would hide its private key, but keep its public key available. When the user wants to buy something, the public key is sent to the store, and the store encrypts the game executable with the public key so the user's CPU will be able to run it in "trusted mode."

However, in this model it wouldn't be necessary to encrypt the entire executable with RSA. It's good enough to encrypt the executable with a randomly generated symmetric key, then encrypt the key with the CPU's public key. Therefore, each executable still has a different key.

For this to work with pre-pressed media, the executable will have to be encrypted with a single key, and the user will have to "activate" his/her copy by sending the CPU's public key to the game publisher, and the game publisher will encrypt the single key with the CPU's public key and send it back to the user. This model will be vulnerable to a possible crack. Although, with 128-bit AES it's very unlikely that even a single crack is possible.
 
RSA requires negotiating a personal key for every user. So, essentially it's a security model based on individual, online content (the content being the required key to decrypt it on your computer). And each key is unique and won't work for any other computer.
Presumably software will always be deployed in fixed formats that are identical no matter who buys them. So all I need to do to pirate a game A is pretend I'm pirate X who has already managed to get into their game and shared that information with everybody else.
 
Presumably software will always be deployed in fixed formats that are identical no matter who buys them. So all I need to do to pirate a game A is pretend I'm pirate X who has already managed to get into their game and shared that information with everybody else.

But can't they encrypt the software for each individual?
 
They can encrypt the software with different keys for each individual if it's an online sales model (but this is not really helping much because a pirate only needs to compromise one key to decrypt the whole thing). Or, they can use only one key, but require the user to "activate" the product with his/her CPU's public key. Since each product can have different keys, a compromised key only leads to public decryption of a single product. Actually, the game developer can easily change the key in a patch, so even if a key is compromised, new patches should still be secure.
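
The activation model debated in the last few posts, as an added example (not code from the thread or from any real DRM system): one AES content key encrypts the title once, and each activation wraps that key under a device's RSA public key. The function names, the choice of AES-128-GCM and RSA-OAEP, and the software key pairs standing in for a CPU-held key are assumptions of the example.

```javascript
// Added illustration, not code from the thread. Software RSA key pairs stand in
// for the key pair the posts imagine sealed inside each CPU.
const nodeCrypto = require("node:crypto");

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Hypothetical device: in the thread's model the private half never leaves the CPU.
function makeDevice() {
  return nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// Publisher: encrypt the title once (the "pre-pressed media") under one random AES-128 key.
function pressDisc(executable) {
  const contentKey = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-128-gcm", contentKey, iv);
  const body = Buffer.concat([cipher.update(executable), cipher.final()]);
  return { contentKey, disc: { iv, body, tag: cipher.getAuthTag() } };
}

// Activation: the publisher wraps the content key under one device's public key.
function activate(contentKey, devicePublicKey) {
  return nodeCrypto.publicEncrypt({ key: devicePublicKey, ...OAEP }, contentKey);
}

// Device: unwrap the license with the private key; throws for another device's license.
function unwrap(license, devicePrivateKey) {
  return nodeCrypto.privateDecrypt({ key: devicePrivateKey, ...OAEP }, license);
}

function decryptDisc(disc, contentKey) {
  const decipher = nodeCrypto.createDecipheriv("aes-128-gcm", contentKey, disc.iv);
  decipher.setAuthTag(disc.tag);
  return Buffer.concat([decipher.update(disc.body), decipher.final()]);
}

function demo() {
  const exe = Buffer.from("constructed sample bytes standing in for a game executable");
  const { contentKey, disc } = pressDisc(exe);
  const a = makeDevice();
  const b = makeDevice();
  const licenseA = activate(contentKey, a.publicKey);
  const licenseB = activate(contentKey, b.publicKey);
  let licenseAUnwrapsOnB = true;
  try { unwrap(licenseA, b.privateKey); } catch (err) { licenseAUnwrapsOnB = false; }
  return {
    runsOnA: decryptDisc(disc, unwrap(licenseA, a.privateKey)).equals(exe),
    licensesDiffer: !licenseA.equals(licenseB),
    licenseAUnwrapsOnB,
    // Every license wraps the same content key, so the disc's protection is that one key.
    sameKeyBehindBothLicenses: unwrap(licenseB, b.privateKey).equals(contentKey),
  };
}
```

Each license is bound to one device, yet both unwrap to the same content key, which is the trade-off between per-device RSA and a shared symmetric key that the posts argue over.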
 