"Protecting Content" feature request

[Rob Ainscough]

There are various methods currently being used in an attempt for content providers to protect their content from illegal duplication and/or theft ... these methods are cumbersome, sometimes ineffective, sometimes intrusive, and increase development costs and waste development time that could be put to better use such as providing more content at lower prices to end users.

I'd like to request a content protection process that is more sophisticated and built into the core that involves encrypting all content BGLs, FX, DDS, and all the various assets that make up add-on content. I don't want to go into too many details but it needs to be a process that requires internet connection and does NOT house any seeding information on a client's local PC in order to be able to decrypt content.

It should require content providers/developers to obtain a CA EV code signing certifications (EV have a 2-4 week vetting process) and encryption happens at the point of distribution. This ensures that files are encrypted uniquely on a per user, per product basis using PC finger print along with other seeds as needed (to be specified) so as to be rendered useless if copied to another PC or distributed illegally. CA code signing EV's do cost a little more $600/yr or so but they guaranteed developer/company background checks which are much more involved than just company address verification.

The number of files to be encrypted can be designated by the developer with a flag ... to address any performance issues around decryption a developer could elect to apply to only a few key files (enough to render the product useless).

Since the decryption keys come from server side and are required in order to decrypt the encrypted deployed files any attempt at circumvention would not allow the decryption to happen and hence render them useless.

It also ensures transparent implementation minimizing end user impact (login being the only requirement which the user can elect to be "automatic" once the purchase/account is established so it's only a one time process for a user). So future purchases are seamless with no user interaction required.

This can of course be optional and specific to each developer and/or content provider since it's happening at point of distribution ... for those that want to distribute freeware and/or not interested in copy protection. It's not a required process but an option developers can subscribe to if desired.

Cheers, Rob.

[Simbol]

+1,

I raised this question before in terms the protection of effects as these are delivered in plain text.

The amount of effort to protect our content is becoming so cumbersome that it is increasing developing time by a considerable amount of time, and it is very arguable if such techniques / tricks would be really effective against latest piracy techniques and instead our efforts can become counterproductive towards the product usage, user experience, ability to provide support and many others variables.

Cyber crime is getting worse and it is not a problem that is going to go away any soon, hopefully we could design together better defenses which would help everybody to keep all intellectual property safe.

Kind Regards,
Raul

[jabloomf1230]

Hey Rob, you can protect your content by doing the same thing that FSDT does with GSX2. They use COUATL (a Python interpreter) to encrypt and decrypt their MDL files. This adds considerably to the overall simulation overhead and I doubt that many other developers would do this. A similar process is used by SODE, but most SODE developers have opted to not use the encryption approach as again, it does impact performance.

All that said, it would not surprise me to see MS implement such protections for its upcoming flight sim.

[Simbol]

Hey Rob, you can protect your content by doing the same thing that FSDT does with GSX2. They use COUATL (a Python interpreter) to encrypt and decrypt their MDL files. This adds considerably to the overall simulation overhead and I doubt that many other developers would do this. A similar process is used by SODE, but most SODE developers have opted to not use the encryption approach as again, it does impact performance.

All that said, it would not surprise me to see MS implement such protections for its upcoming flight sim.

Unfortunately this approach does not help with .BGL files, so you cannot protect any scenery with this technique.

It doesn't work either for textures, effects, simobject.cfg files, etc. in hence why FSDT .cfg files and textures are widely exposed inside your P3D ecosystem, have a look and you will see.

R.

[Rob Ainscough]

Yeah, unfortunately that only works with MDL, there is a lot of other content that needs to be protected. Theft problem appears to be more prolific than ever before after I ran a quick search and found a bottomless pit of websites ... easy to shutdown the US sites, but not so easy to shutdown sites outside the US.

If the encryption happens at the time of deployment then it would render copying of files to another computer useless. No key is stored on the local machine. The code that actually makes the product work is not housed locally, it's a web service and it's not just a matter of preventing the web service call with an EXE hack ... the servicing code required is delivered by the web service. So hacking the EXE to remove the web service connection or check is pointless. Anyway, not going to get into too many details for obvious reasons but so far TLS 1.3 has not been compromised and those typically attempting to compromise TLS are usually at the government sponsored level and aren't looking for flight simulator add-ons :)

Developers can then decide on the number of deployments per licensed user with the usual process of formal requests to reset after X number of installs for those users that experience hardware issues or forget to deactivate the license. It certainly can be man transparent to honest users and that's the objective ... but it would be great if LM or MS housed the web service(s) the core that requires them.

Cheers, Rob.

[EllipticCurve]

There isn't any point.

Numerous studies have shown that DRM doesn't work, and doesn't affect rates of piracy (or rather, doesn't affect sales).

If someone is stealing work, then those people just won't bother to buy your product in the first place.

Will it stop casual copying? Yes, but it won't increase sales (the thing you want).

DRM won't stop a determined attacker. They'll rip the content straight out of memory if necessary. Remember, you do not control the end-user computer, so preventing determined attacks is absolutely impossible.

It's a waste of money and time even trying.

Make products people really want. Even pirates will buy software occasionally when they see how good it is.

[Rob Ainscough]

EllipticCurve,

DRM is effective and has been effective for many software products over the decades. A company I used to work for (not Lockheed Martin) recovered 33% of what would have been stolen revenue ... which is the difference between being solvent and not solvent. I'm not at liberty to discuss how my development teams was able to recover 33% for obvious reasons.

DRM has nothing to do with "Make products people really want.", it's about deterring and/or preventing theft.

Your post is on the very edge of advocating software theft and is in violation of the terms of Lockheed Martin's website that you agreed to when you signed up. As such, I strongly recommend you proceed with caution on this topic and remember that Lockheed Martin is a national defense contractor for the United States government and takes software theft very seriously.

Cheers, Rob.

[EllipticCurve]

Your post is on the very edge of advocating software theft and is in violation of the terms of Lockheed Martin's website that you agreed to when you signed up.

How so? I'm not advocating anyone steals anything. I'm saying that incorporating DRM is a waste of time and effort. There are many academic research papers on this very topic.

The biggest "noise makers" in this arena were the music/movie industries. They were the subject of the research. The research does not support the position that DRM prevents copyright infringement, or conversely, increases sales.

My personal position as a developer is I do not care if you pirate my software. You probably wouldn't have bought it anyway, and if you like it enough, maybe you will. If nothing else, you're free PR. :)

Is it really worth me chasing a pirate for $40 when lawyers will cost many times that? Not really. Not to mention the time involved.

[EllipticCurve]

It's an interesting topic. You should do some reading:

Forbes article: https://www.forbes.com/sites/danielnyeg ... kt-on-drm/

MIT Technology Review - Inside the Sony rootkit scandal: https://www.technologyreview.com/s/4057 ... e-scandal/

[Rob Ainscough]

I'm a software engineer that has sold to the real world for several decades, I know the numbers, I don't need to read anything ... we (developers) spend 5% on DRM to gain 33% in recovered revenue for a net gain of 28%.

I know what hackernoon is, I know what elliptic curve cryptography bitcoin is ... again, this is in YOUR best interest to not pursue advocating piracy/theft. Last warning, review the terms of this website, you agreed to them.

Rob.

[EllipticCurve]

this is in YOUR best interest to not pursue advocating piracy/theft. Last warning

Again, where am I supporting theft of anything? I'm not. I'm just putting forward an argument you don't like, apparently. Please stop suggesting I advocate law-breaking, because I most certainly do not. Libel is a real thing. Discussion of the (in)effectiveness of DRM is not illegal, and not against the ToS.

...and yes, I've "sold to the real world", too. Don't patronize me.

By the way, my username is not a reference to BitCoin. It's actually a reference to Dual_EC_DRBG, an insecure-by-design CSPRNG.

I guess it would be stating the obvious by now that my background is in (real) computer security, of which DRM is just one of many interests. If you want to secure your stuff, don't use a PC. How many vulnerabilities are in Intel processors? I've lost count.

[Rob Ainscough]

Your comments are indicative of someone that supports theft:

a. "Make products people really want" .... as if that is some sort of justification to steal software?
b. "There isn't any point" ... in reference to protecting one's work?
c. Link to an article from 2006 regarding Sony's property protection process.

This isn't discussing the "(in)effectiveness of DRM" at all.

The flight simulator community of content providers have lost a good number of developers due to theft of their work from the lack of copy protection.

DRM does work, it has worked for myself and my companies and it continues to work for the software industry as a whole. If DRM didn't work, then why would Adobe, Autodesk, Steam (client specific), and so many companies continue to keep using it?

Securing one's work has nothing to do with the platform be it PC, Console, Mobile, or embedded systems. It's the harsh reality that 75% (3 out of 4 people globally) will steal one's work if they can do it easily and without identification. If you have "sold to the real world" then you would be aware that theft prevent isn't the entire objective, identification of theft IS where one is going recover revenue.

Computer security and DRM are two very different constructs.

As a reminder:

The Forum rules: http://www.prepar3d.com/forum/viewtopic ... 305&t=6328

"Lockheed Martin staff makes every reasonable effort to monitor content, Lockheed Martin retains the right, at its sole discretion, to edit content and take action on any user account that it considers inappropriate."

Cheers, Rob.

[WarpD]

At the end of the day, a lock on the door to your residence won't stop a persistent criminal from entering your home and taking what is yours. Yet you still have a lock on your door, you still lock your door, and you still expect to come back to your home and find your belongings. At the end of the day, when you're coming home and you're tired... Your hands are full and you're juggling the keys to unlock the door, maybe even dropping them and having to bend down to pick them up again... but when you open the door, your belongings are still there.

Security, be it a door lock or DRM can be a pain... but it reduces the chance of someone taking what isn't theirs. It is called deterrence and it's more effective than people are willing to admit.

[Simbol]

Security, be it a door lock or DRM can be a pain... but it reduces the chance of someone taking what isn't theirs. It is called deterrence and it's more effective than people are willing to admit.

+1

Well said Ed.

S.

[Rob Ainscough]

To remind EllipticCurve, this is also a feature request forum and not a place to attack developer feature request nor attempt to turn DRM into a debate. You want to “debate” DRM go somewhere else, but not here.

Cheers, Rib.