IAmA developer of DRM systems and software activation mechanisms. AMA!

Why do companies spend so much on DRM if people figure out how to crack it anyways? How much does your company typically charge for a system? Thanks!

With a few exceptions, DRM (for stuff being exposed to the general public) isn't intended to be a long-term solution. It's meant to be just enough to slow things down that it doesn't affect the first week or so after a release where sales are critical. Especially if supply is short which can cause more people than usual to start looking to obtain it by 'other means'.

There are some longer term things it addresses too. It stops 'joe average' from simply giving their friend a copy of the DVD/downloaded file and have it work. That kind of 'casual' piracy is very dangerous because the knowledge barrier is much lower.

As for cost I can't really say. It's on a individual basis depending on their needs and how much supporting them is going to cost. Generally speaking though it'd be out of the reach of single-person developers.

What is your opinion regarding "always-on" DRM that forces consumers to stay connected to a server?

Unless there are other merits to being always connected for the particular product, I'd say it's stupid. We don't do anything along those lines (we do hardware profiling + oneshot activations, or hardware dongles)

You don't need me to tell you why its stupid of course. Too much demand can make the product unusable.

hardware dongles

You might want to shed some light on what that is before the torrent of puns starts

So you've seen those keychains you get for 2 factor authentication used by banks - you press a button and a number appears. It's basically that but in a USB plugin device.

The device has a serial number on it, you type that number into the software as the activation key, and plug it in. Every time the software starts, it verifies a new one-time key from it.

In at least one case a customer used these, and then soldered the keys to the motherboards of some hardware they shipped via the USB headers. That was a funny phone call. No idea why they did that, but if they pay then they can tell me it's raining frogs and they need a trombone to stop it - I will gladly sell them that trombone.

Ooh yeah, like Blizzard's Authenticator but for DRM? Crazy. What kind of software company would require something like that for product activation? Nuclear Missile Guidance Systems?

I recall either Photoshop itself (or some expensive plugin for it) using a USB dongle to run it. It's pretty rare now in the consumer space since its inconvenient and not massively more difficult to crack than any other type of protection. It's still used in places though where you don't have internet access to do the verification.

Firstly, thanks for the AMA. All the games software on my pc is legit, either steam, cd codes and online activation or genuinely free/shareware but I have been know to dabble in the distant past.

1. Is it disheartening to find how quickly and easily your efforts are overcome.

2. What are your opinions on overzealous DRM that detracts from the paying customers expectations. For example the always online such as Simcity or underpowered because of excessive computing power devoted to DRM such as Cubase DAW, rumoured at ~50%, pirated versions apparently run much better.

3. What is your opinion on freeware and software that has zero DRM, pay if you want structure. Example Reaper DAW is as good as the best, if not better and will never stop working. If you want to pay then do, zero DRM and it works so much more efficently for it, also ~20mb vs many GB of its competitors with their dongles.

4. Adobe. They charge twice as much for Photoshop in Australia as in US, and they are definitely not alone in this practice. When questioned at a press conference, Au CEO can only repeat 'the cloud is the future'. Yet there is a theory that they always wanted Photoshop to be pirated for market dominance, a home user or student won't pay thousands for software, when they get a job, that is what the will have to use.

5. The future, next gen consoles vs pc vs tablet, thoughts?

6. The music, film industry and laws. Are they going to go too far? Also some streaming services pay very little to the artists, will we see this in games?

Sorry for so many questions... I do appreciate that people need to be paid for their efforts.
Thanks.

1 and 2 I've already answered.

3 isn't viable for anything that costs large amounts to develop. You'd never secure VC funding for a large project if you told the investors that users only paid if they wanted to. They'd laugh you out the building.

4 This isn't so much an Adobe issue as a physical retailers issue. For physical products in AU it is quite legitimate for things to cost more due to the cost of getting them there. However then when you try to ship the same product digitally, they get on your case real fast and threaten to drop your product (which represents a significant revenue loss) - physical stores can't compete and they hold everyone else ransom for it.

5 Tablets will be the one to watch. People have gotten used to the idea that tablets are closed environments (like games consoles) that you have little control over and publishers love it that way. PCs are currently getting a boost by merit of massively outclassing the current generation of 10 year old hardware, and I'm sad to say I'm not sure it'll last come the next generation.

6 Can't really comment on this one. Yes the laws are bananas, but I only really deal with software.

1&2, ok.
3 Surely can't be passed off so easily, if a similar product is available legally for free or cheap then it is a huge threat to competitors and open source can easily compete. Firefox, chrome? Android? Reaper as mentioned...
4 Retail issuse = 'Stralia tax. Adobe wanting their software pirated?
5 Yeah, lowest common denominator and accessibility. Their loss if they want to play angry birds..
6 Fair play.
Thanks.

Chrome is developed by a multibillion dollar company for the benefit of furthering their own business. Firefox receives millions of dollars from Google, Reaper probably didn't cost $50M to develop. Imagine trying to pitch the development cost of a AAA title like any of the Mass Effect games and then make paying for it optional. Not gonna happen.

What adobe don't want is their software being a commodity. It's far more cost effective for them to charge thousands to businesses than to make it cheap enough for everyone and their dog to afford it and deal with the costs associated with supporting that kind of userbase.

Reaper proves that you can make competitive software viable with that business model.

Android, well, look at their success by being basically free compared to a locked down iOS. Linux?

AAA vs free to play, surely I don't need to list titles, there are allot.

Screw Adobe.

Android again built by a multibillion dollar company to further their own business goals. Always follow the money.

Free-to-play games have an established revenue stream. You can point and say "the money will come from here and here" - but if there is no reason to pay other than wanting to then you won't get investment.

It's fine to do a "pay what you want, if you want to" if you can develop the software cheaply, or if you already have the money to build it already from other sources. I'm not saying it never works. What I'm saying is that if you wanted to put that forward as a business plan to a venture capitalist, they would not cut you that check.

I understand, but it sometimes works well and surely affects competitors business practices and DRM. Look at Reddit, has been bought by big business yet how much advertising do you see? It would be hard to pitch Reddit as it is but look at the userbase and the traffic directed to imgur etc...

edit- italics for 'etc'.

Reddit wasn't funded by VCs though. You're missing the point entirely. It's fine if you either have the money or simply don't need it to get started (which would be the case for Reddit) - but it doesn't work when you're going and asking someone else to cover the development costs.

How do you feel when you see or hear that one of your products has been cracked?

I bet it's really painful for you to browse trough torrenting websites :(

It's an inevitability so it's not something that gets to you. It's more a case of holding the fort long enough for everyone to evacuate rather than ever defeating the incoming onslaught.

What's you best record? (longest time with your DRM holding the fort). Also, what's the average on that? (I assume both numbers are different between games and other software?)

The best records are basically still standing as of release 4-5 years ago. But that's not for consumer space stuff.

In userland, I'd say for anything vaguely popular we average around 6-8 weeks. 12 weeks tends to be bonus territory (where a bonus is offered or applicable), and roughly 30% of (eligible for bonus) shipping products make it that far.

I'm assuming that's exclusively software figures? Games don't make it past a day in general. Still, pretty good figures (though games is my only comparison so take that with a grain of salt)

We don't do a massive number of games (big publishers tend to have their own schemes) so yeah it's largely software.

[deleted]

It's not the only project I work on, I have decent amount of variety. Overall I'd say I'm happy. This kind of work has an interesting set of problems and challenges not found anywhere else.

How's the pay? Do the people who make the software really believe in it or is it just a corporate cog like outfit.

Very good. As well as the base pay, often get bonuses for schemes that last longer than X weeks after release. Each solution is semi-bespoke (on a set of common core components) so there can be a lot of variation in effective timescales.

There's no believing in something you know will be broken eventually. You just do the best you can. We're not treated like cogs in so far as we have lots of specialist experience that can't be simply brought in off-the-shelf as it were.

What the biggest thing you made DRM for?

Depends on your idea of biggest. One of our customers writes software for use in manufacturing and QC by the automotive industry.

I would assume that manufacturing and QC in the automotive industry is done by rather large commercial entities. Do these companies really pirate presumably key parts of their business?

I can't imagine Ford pirating software for making and testing their parts. The risk and liability would seem far too large.

What tends to happen is that a customer licences for X usage, and then exceeds that. And that happens still in business. In one case, a manufacturer licenced some software for only X production lines or Y produced units/year - software that costs millions to licence, and then installed it more times/uses it more than they had licences for.

As much as I hate to stereotype, some factories in China and Italy were (allegedly) frequently flouting the contract, and then simply 'going quiet' when asked to audit. So we were asked to help.

The main thing for line-of-business is that it removes any plausible deniability on the part of the end user, since there's then an audit trail of what installations were done against what the licence allows.

And that aside there is just the case of keeping the honest honest.

Oh, that makes a lot more sense. Not pirated software (which could be of questionable quality), but exceeding the terms of their license.

Exactly. It's still piracy in a sense, but applied differently.

How do you feel about the work you do?

I regard it as a necessary evil. It helps solve a problem, but with the price attached of risking upsetting customers.

Piracy isn't really the chicken-and-egg thing that some people try to frame it as. The DRM came (a long time after) the piracy.

The main issue is that to beat piracy, you have to provide a better service than piracy. And beating free and convenient is tough and expensive. VALVe have probably done a better job of this than anyone, and even they aren't free of piracy issues.

The DRM came (a long time after) the piracy.

Do you exclude the "copy protections" on the early games in that? because i remember when i started cracking back in the eighties there was copy protection on almost all games.

You're not going back far enough. When I was a kid most games could be pirated just by duplicating the floppy.

My memory might serve me wrong =) this was about 1986-87 and the floppy was not wide spread. The earliest confirmed memory where DRM made me cry was when my legally bought copy of Pandoras Box on the atari ST, refused to start with the dreaded "this game is a copy" message.

Back then copy protection was often made by physically altering the way the disc was written, make half-tracks, double tracks, errors etc and have the game close down if the errors was gone.

I couldn't really comment on anything other than PCs, that's all I used back then :)

What is your favourite language to work with, and which do you use most regularly? (if any)
Also, what has been your favourite project to work on so far?

My favorite language is C#, but due to weaknesses of IL we don't use it much for anything important (Anything written in C# is really easy to reverse engineer a lot of the time) - most of the stuff is written in C++.

I'm not sure if I have a favorite, although one interesting one was integrating our software into some quality auditing software for use by the automotive industry. The customer was having issues with manufacturers in China and Italy only buying small numbers of licences and then massively exceeding that as the install base.

What made it tricky was it had to work on Windows 2000 (this was 3 years ago, and the plants had only then recently upgraded from NT4)

Why do you think is DRM necessary?

I don't think it's strictly speaking necessary, but it does help solve a very real set of problems.

How does it feel spending every working day of your life on something you know is completely futile?

Also, do you work for Flexera?

It's not futile. It just doesn't need to be effective for very long. See my other posts.

Can you explain briefly why Starforce proved to be such a pain in the ass for so many legit users? Thanks for doing the AMA :)

I don't know too much about it so I can't go into much detail. The likely issue however was that Starforce embedded itself quite deep into parts of the OS in order to make it harder to work around. This means being much more heavily affected by different hardware and OS configurations. It just seems like a recipe for things to go wrong. It also means being tied to specific OS versions, so things start to go nasty when newer OSs come along and your title no longer behaves.

Everyone has to pay their bills. Why do you think Amazon has a DRM blocking Linux users using Chrome from watching movies on Amazon Instant Video?

I haven't used Amazon Instant Video, so no comment I'm afraid. It seems like that'd be pretty ineffective though since the user agent can be faked to look like IE 9 on Windows easily enough (unless extra software is involved)

Do you feel like, despite all the piracy, DRM is pretty much working as expected?

What I am getting at is it seems like avid pirates think they are waging a war on DRM that they could one day hope to "win". But my feeling, somewhat validated by some of your other comments, is that DRM is pretty much doing all it was ever intended to do.

Is that the case?

Pretty much. There's no war to win because we're not trying to win. We're trying to cause a stalemate. Or at the very least have it go on long enough to not matter.

How did you get started??and what skills are needed?

I'd been working with the company for a while before, and they asked if I'd like to work on the project. So I figured I'd give it a shot. You need a decent grip of cryptography as the main requirement.

What is your formal/informal education?

I have a first-class honors in Computer Systems Engineering.

How much does piracy actually effect the software companies?

A lot of the time it doesn't really and it's more of a risk offset. There's a simple formula you take:

o*p > c

'c' is the cost of a DRM scheme. 'o' is the opportunity cost lost piracy, 'p' is the probability (between 0 and 1) of high levels of piracy.

So if the above is true, then it makes sense to employ DRM.

Now as for where 'p' comes from, there's a number of factors you can look at. Mobile games for example have higher levels of piracy due to a perception of reduced value. Or in some cases 'p' can have a really low value, but 'o' is very high due to the software being expensive to develop and support but shipping in low volumes.

do companies feel any significant loss in profits after the DRM is cracked, or is the piracy really not effect them much

Not really no. The issue is protecting that first few weeks of heavy sales. After that it doesn't make many odds.

I might be understanding this incorrectly (and please correct me if I am) but is 'o' how much revenue you expect to lose via piracy? If so, how do you calculate that? You always here all of these outrageous claims of XXX millions being lost to piracy when really that aren't lost sales.

It's calculated (or rather estimated) based on piracy figures from similar products released under similar circumstances. So like I mentioned mobile games we know have higher rates of piracy, so 'o' is increased.

It's kind of like the weather. When they say that there's a 80% chance of rain, they're not predicting a 80% chance of rain, they're saying that out of the historic records for the same conditions, 80% of them had rain. And that's effectively what we do.

Do you think that DRM as a whole (and a failure to find a better way of handling things) is going to impact the software industry in the same way it did to the music industry?

Not sure. What hit the music industry was 2 problems:

• They were shipping DRM'ed media (via online stores) at the same time as non-DRMed media (CDs)
• It started to severely upset regular users. They'd gotten used to the idea that they could put a CD in any CD player and it'd work, so why didn't their downloaded music work when put on different media players? Regular users were actively pushing for media they could use on any device.

With software you don't have quite the same problems. You rarely get that mixture of DRM and non-DRM (for anything new) so there isn't that same hole, and since software isn't moved around as much as personal media it doesn't become as much of a hassle.

The bubble is risking bursting though. Not due to DRM itself, but rather incompetence in implementation. One thing that really showed up with the Sim City launch for example was how it affected reviews on Amazon and the like. It was something that 'ordinary' people who wouldn't normally know/care about DRM were being exposed to, especially after amazon temporarily withdrew it from sale.

[deleted]

http://www.reddit.com/r/IAmA/comments/1bzkia/iama_developer_of_drm_systems_and_software/c9bl5gz