The biggest takeaway of this article is that effective security comes from proper threat modeling and analyzing the cost dynamics.
Most media companies in that era attempted to build an "uncrackable" system which always got cracked in short order because the mechanism depended on one tactic. By acknowledging that all protection schemes eventually get figured out and acknowledging the adversary's strengths and weaknesses, the author could then employ defense-in-depth techniques to maximize the cost of cracking the system.
> the author could then employ defense-in-depth techniques to maximize the cost of cracking the system.
Can you provide more details on this statement? I understand defense-in-depth and the different methodologies for cracking software but your statement doesn't make sense when applied as a whole. Do you have any examples?
The real meat of the defense-in-depth analysis is on page three of the article. Spyro had a two-layer defense-in-depth scheme: one layer that looked like a normal PSX cracking problem, and another that would look fine for a while and then mess up the game over time, which forced the crackers to make a complete play-through (and probably multiple failed play-throughs) to verify that their cracks worked. This served to make the cracker's feedback loops as long as possible. The author also acknowledges that it was impractical to add more layers of protection due to computational/IO/space costs, but that it would have offered more security, such as having multiple copies of the game's executable code on disc that are separately encrypted and randomly used, using custom compression algorithms, etc.
At its philosophical core, defense-in-depth is the idea of delaying an attacker rather than preventing an attack. In a military or IT situation this delay usually lets the defender detect the attack and counterattack/prosecute. In the cracking world, the delay IS the counterattack, since release groups measure their performance based on release quickness and the company (theoretically) gains revenue from the game not being on Kazaa during that critical sales season.
Thank you for the response. I never really thought about defense-in-depth from the angle of slowing an attacker down. I have always thought about it from a detection standpoint. You make a good point. Cheers.
Also the reminder that a deterrent doesn't have to be perfect to be effective. Yes, you can easily find a crack for anything. That doesn't mean that the protection didn't serve its purpose and generate a significant ROI. In the game industry even one day of delay before you hit the warez sites can be worth millions of dollars. With copy protection (including support) costing a tiny fraction of that, it's hard to ignore the option.
And to cut off the "developers spend their time on that crap instead of making the game better" comment before it arrives: frankly, it's a fun and welcomed diversion to code the anti-theft stuff. For every story like this that you read there are hundreds you don't. And the "penalties" imposed by the devs are almost always funny and creative.
I've often heard people say that piracy isn't harmful, but looking at what it does to video game developers, I'm not sure it always isn't. Day 1 cracks are obviously a serious concern if developers like this one would go to so much effort to prevent them. And I remember Nintendo saying piracy had hurt DS software sales in Europe (understandably: instead of buying several full titles, people would buy a cheap "R4" or similar flash cart and play hundreds of games for free - I recall having friends who did this).
I'm not going to argue that piracy isn't harmful, but does fighting it really help? People claim that just preventing cracks for a few weeks is enough to make a difference. Sure, the majority of sales happen in this timespan, but that doesn't mean someone intent on pirating the game will give up and pay just because it isn't available now. That's why I don't like statements like these, from the article:
>those two to three months when pirated versions were unavailable must have reduced the overall level and impact of piracy.
Sure, it probably reduced the amount of piracy, but does it reduce the impact? Is there any proof that the pirates bought the game instead of waiting a few months for a crack, or that they didn't ignore it altogether? "Less people pirated the game" doesn't necessarily cause "More people bought the game". And "More people bought the game" is caused by a lot more than just piracy, so you can never be sure.
For comparison, look at The Elder Scrolls: Oblivion, a game that launched with practically no copy protection at all (just an offline CD key check), which was a huge commercial success. And Spore, a game released about a year later, was a flop and actually one of the most pirated games ever, partly out of pure spite against the extremely restrictive SecuRom DRM included with the game.
To me, fighting piracy seems like wasted effort. You can usually only delay it, there's no proof that those efforts will actually earn you sales, and you risk damaging your relationship with legitimate, paying customers in the process. That time and work can be spent making the game better. You hear about games reaching record sales because of good gameplay, good graphics, intense multiplayer, good marketing, whatever. You don't read "GTA V becomes fastest-selling entertainment product in history because of anti-piracy measures."
This is a very valid point and I would like to see it backed or refuted by sales data. Of course, it's very difficult to speculate how much sales were lost due to piracy or how much was gained due to the countermeasures. But comparing several games with roughly similar total sales over a long period vs. the sales by the time a crack comes out could give a nice data point to start with. If there's a strong decline in sales per day when the crack comes out, that should be a clear indicator that piracy is hurting sales (but I find that hard to believe).
Judging by the article, there were a lot of serious software engineering resources put to this crack protection system. It takes thousands or tens of thousands of sales to pay back the time spent. This money and effort could have been spent on making the product better in a way that is directly visible to the customer. How many sales could that have bought?
But things have changed since the days this game (and article) came out. Ubiquitous Internet connectivity is now on consoles too. Games get (more) patches after they are released (well they are also more buggy on release day). The downside is not being able to play when your connection goes down (or the servers go down) but this has become somewhat acceptable (albeit it's a nuisance).
It has become a lot easier to buy games online and a lot more difficult to pirate them. This is what ultimately made me stop pirating games.
>Sure, the majority of sales happen in this timespan, but that doesn't mean someone intent on pirating the game will give up and pay just because it isn't available now.
Sure not all will, but a lot of pirates aren't intent on pirating. They just do it when they can. For example, I want to see American Sniper at the theater. But if a DVD quality rip is out on launch day, fuck it, I'll take it free.
Most PC games go on sale a few weeks after launch and yet people are still paying a premium at launch.
> cracks are obviously a serious concern if developers like this one would go to so much effort to prevent them.
If your crazy uncle wears tinfoil hats to combat CIA mind-rays, this doesn't mean CIA mind control technology is a concern.
It just means your uncle is mentally ill.
> And I remember Nintendo saying piracy had hurt DS software sales in Europe (understandably: instead of buying several full titles, people would buy a cheap "R4" or similar flash cart and play hundreds of games for free
This is no proof that sales were hurt. It could be true (and almost certainly is) that people who did this would not have bought extra games even if the flash carts had been unavailable. If the 12 yr old pirates $17,000 (retail price) of music, this does not mean the record companies are out $17,000... 12 yr olds don't have $17,000 to spend even if they are prevented from pirating.
You're not being logical, you're just parroting anti-copying propaganda. It's more than a little sick.
You're not being logical, you're just parroting anti-anti-copying propaganda.
> If the 12 yr old pirates $17,000 (retail price) of music, this does not mean the record companies are out $17,000... 12 yr olds don't have $17,000 to spend even if they are prevented from pirating.
Right, but it does not mean that the record companies are out $0 either. They are probably missing out on at least several hundred dollars worth of revenue for that particular person.
> Right, but it does not mean that the record companies are out $0 either.
I might concede that this is the case, but only if we first agree that this doesn't mean you get to choose some arbitrary number in the middle and pretend that this is the "average loss".
I know of no economic science that can provide a reasonable number, either. You'd be lying if you claimed you knew of one.
> They are probably missing out on at least several hundred dollars worth of revenue
This would be the very extreme edge of the maximum. They're probably missing out on several tens of dollars.
And for this, they've hijacked the criminal justice system with bribes to congresses and parliaments, extended copyright protection so much that it now lasts a duration best measured in centuries, bankrupted innocent people with million dollar judgements, and sent people to prison for what shouldn't even be misdemeanors.
They want us to all pay, through our tax funding of the criminal justice system, for these minor theoretical losses. Why should I have sympathy for that?
Games companies specifically have broken their own works so thoroughly that it's difficult or impossible to get games just a few decades old to run. This is stealing from the public domain. It'd be like burning down your apartment just before the lease runs out, to make sure the landlord doesn't get it back.
As you say, it's very hard to know how much companies are out.
I would guess it was at least $40, else why pay $40 for a flashcart? A new gateway (the only 3DS card I'm aware of) costs $80.
People who buy 3DS flash carts never buy a game again (in my experience), mainly because new non-pirated games require upgrading the firmware, which they can't do if they want their flash carts to keep working (this may have been improved, I haven't looked in a while). Also because they 'paid for piracy' (unlike on PC), they (I believe) feel happier not paying for games in future.
> I would guess it was at least $40, else why pay $40 for a flashcart?
I will concede that this is reasonable for a lower boundary.
However, it's not that simple. Human psychology being what it is, if he couldn't buy the $40 flashcart it's not certain that he would buy say, two $20 games that he ended up putting on that flash cart. Maybe instead he orders pizza. Being blocked from the flashcart alters decision paths that don't always lead back to video games or even entertainment in general. But with that said, again, I'll accept $40 as a rough lower boundary.
> People who buy 3DS flash carts never buy a game again (in my experience),
Anecdotal, of course, but this seems reasonable. I don't dispute it.
In my own personal experience, people who start downloading movies never buy DVDs again. So not only do I agree, I think we can generalize it either to most entertainment, or all entertainment.
> Also because they 'paid for piracy' (unlike on PC), they (I believe) feel happier not paying for games in future.
Morally, they bought physical goods that employed other people and let those people earn a living. Additionally, those claiming to have been wronged here still earned millions and billions in profit.
Who can fault them for feeling as if no bad outcomes occurred?
As someone who actually works in the game industry - I feel like making an emotional argument. If I write a game, it's released in stores, and then I see someone playing a pirated copy, how should I feel? Elated that they are playing it? Or am I allowed to be upset that they are playing my game without paying for it?
And how is being unable to run games designed for a different system and different time stealing from public domain? Just because tape players are not common today doesn't mean that people who made tapes 20 years ago have somehow stolen from a public domain - you just have to get a tape player. If a game was written for DOS, then well, you have to get a DOS system or an emulator. If a game was written for DirectX 7, how can you blame developers that it doesn't run on the latest DirectX 11 system, with the operating system 5 generations ahead? If you are a software developer - how could you predict and counteract this?
Can I claim that you've hurt me? After all, you've never bought any. (I can show you my bank account balance, I really am hurting).
The sticking point, the part that will make it feel to you as if my statement above is non-sensical, is somehow you've managed to attach the idea that they're selling something to the idea that other people have a (very) similar something but haven't paid. So to you that feels like "theft". But it wasn't always this way.
The way you feel has been cultivated, just in the last few decades. And though they've cultivated it for music and movies and video games, I haven't (bothered, been able to, had enough influence) to cultivate the idea that if you haven't bought doodads from me that you've stolen from me.
Let's say I stand in front of your doodad store (imagining you only sell it in a store, for whatever reason) with a megaphone, repeatedly giving an extremely convincing speech about why people shouldn't buy your doodads. Can you claim that I've hurt you then?
Many of the people I talk to would never buy a doodad anyway. Those result in zero harm. Some of them were going to buy a doodad, were not convinced, and bought anyway. Those also result in zero harm. But some were going to buy a doodad and then decided not to. That's harm.
Piracy is the same. Many pirates were never going to buy the thing anyway. Many people purchase anyway. But some non-zero number of people would have purchased but now don't.
Strawman: by not buying doodads from you, I'm not getting the value provided by the doodads either. That is not the case with digital goods.
Say you created those doodads using your time, efforts and resources. Your doodads provide people some value. People usually buy doodads as recompense for that value. But if someone "pirates" your doodads, it means they acquired the value without fairly compensating you.
So you: invested time, effort and resources to provide value to others. The pirates: benefited from that value and gave nothing back. Is that not unfair?
What if those pirates further shared your doodads with their friends (or, you know, random people on the Internet) further depriving you of people who should be paying you for the value your doodads provided. Now can you not claim that the pirates are hurting you?
You may focus on the zero marginal cost of copying digital music and movies and video games. However, observe that the value is not in the bits you copy but the experiences they provide to your mind. If they are truly worth zero to you, I don't see why you should be wasting your time experiencing them in the first place.
If I were to guess, you have not "cultivated that idea" because you've never created something that people found useful, something which you'd think you deserved compensation for, but which was taken without giving anything in return.
> Say you created those doodads using your time, efforts and resources. Your doodads provide people some value. People usually buy doodads as recompense for that value. But if someone "pirates" your doodads, it means they acquired the value without fairly compensating you.
Like if they make their own doodad, after seeing mine?
I'm not entitled to compensation for being the first to do something. A society that sets itself up such that people who do something first are entitled to become rent-seekers for all eternity is dysfunctional.
> What if those pirates further shared your doodads with their friends
That'd be awesome. Unless they did a half-assed job of the sharing. I reserve the right to beat them bloody if they release the music as 32k VBR mp3s. I may murder if they're wma format.
No jury in the world could convict me.
Copyright used to encourage the creation of more works that would enter the public domain in less than three decades.
Now it's used to fund bribing Congress to get longer copyrights.
> If I were to guess, you have not "cultivated that idea" because you've never created something that people found useful,
Yeh. You'd like to believe that, because it's easier to see me as some filthy thief than as someone whose ideas might be correct. The former lets you just call me names and move on, the latter would mean changing your mind and thinking about issues like this critically.
Someday I hope that people like myself strip you of all political influence and make this part of the world a better place. You can go live in Singapore with its thousand year copyright durations and felony download laws.
>>Like if they make their own doodad, after seeing mine?
That's fine. You can make a car that looks like a Mercedes and no one will bat an eyelid, if you really made it with your own hands.
If you look at a game, and make your own that looks similar (or even exactly the same) - again, no one will bat an eyelid. But if you pirate the CAD files used to make said Mercedes and produce it using that then yeah, you stole their work without paying for it. If you pirate the game someone made without paying for it, you are also a scum. Whoever made it is not entitled to compensation, but you are not entitled to use other people's products for free.
Ok, do I really need to spell everything out?
You can make yourself, for yourself, literally anything. You can make a pair of shoes that look like Adidas shoes, and you can stick an Adidas logo on them and absolutely no one will object. The same principle applies to everything else. BUT - if you start selling your product pretending it's original, then you are absolutely breaking a number of laws. How is that not obvious?
>Like if they make their own doodad, after seeing mine?
Copying bits verbatim is not "making" anything. Also we are now conflating patents and copyright, but...
>A society that sets itself up such that people who do something first are entitled to become rent-seekers for all eternity is dysfunctional.
That may be a valid concern in theory, but current and historical evidence overwhelmingly proves this wrong. The most technical innovation has been happening in countries with stronger IP laws, as opposed to, say, BRIC. It's not a coincidence.
>If I were to guess, you have not "cultivated that idea" because you've never created something that people found useful...
Way to quote incompletely. Also, nice dodge. Have you created something valuable only to have it ripped off?
>Yeh. You'd like to believe that, because it's easier to see me as some filthy thief than as someone whose ideas might be correct. The former lets you just call me names and move on, the latter would mean changing your mind and thinking about issues like this critically.
Conversely it's easier for you to rationalize your piracy than to acknowledge that your actions could be harmful. I have no stake in this issue, since my livelihood does not depend on copyright. I have been thinking critically and looking at the evidence. Have you?
If I really want or need to acquire your doodad then I am a potential customer and I have three choices. 1) buy your doodad. 2) acquire it without paying money. 3) go without using your doodad.
As a business owner, which would you prefer I do? Would option 2 not result in a loss of potential revenue? Would it not be super-harmful if everyone who wanted to use your product chose option 2?
> If I really want or need to acquire your doodad then I am a potential customer
But are you a promised customer, one that I own as some sort of cow to be milked when I see fit?
Certainly if I repair cars, you don't claim that I get to do all your car work and be paid for it, nor could I sue if you did it yourself. But this is what you're claiming with entertainment...
Think about it. I might make the claim that if you know about how to fix an engine, it was only because I discovered those ideas first. Therefore, even if you fix the engine (or arrange little magnetic islands on a hard drive in a particular sequence), you're still stealing from me.
If you fix the engine the same way I'd fix it, you're just copying my motions and actions.
These are highly comparable, but most people now balk at the idea (even though such absurd restrictions have existed in various times and places throughout history).
Copyright isn't some fundamental human right (time for the weenies to point out that the UN thinks it is). Its formulation was originally a practical matter, so now that it's become impractical it should be abolished or once more limited to reasonable terms.
For the vast majority of ordinary people, entertainment dollars are fixed. People have what they have to spend on entertainment, and when it's gone that month, it's gone.
What happens is the various content producers compete for their share of those dollars.
There just aren't billions out there for entertainment purposes. Wages being flat in the US speaks right to that. People don't have it.
In a perfect no piracy world, people would just consume much less, not spend billions more. Again, because they just don't have it. The money doesn't exist.
So that person pirating a lot of music might spend real dollars on video games instead, much more than they would just spend more on the music.
I doubt there's a fixed entertainment budget. I could see a fixed maximum, but past a certain threshold of being able to obtain things for free, people will spend less.
Even if it was a completely fixed budget, "entertainment" is a diverse category. Movies aren't just competing with other movies, or even just with TV and books and music, but also with things like cake and vodka. Even if the pie is fixed, is it unreasonable for a movie company to try to take some of vodka's pie?
The idea that piracy causes zero lost sales is as ridiculous as the idea that every act of piracy is a lost sale. At best you could make the argument that piracy is a net zero (or gain) because the advertising aspects of piracy match (or outweigh) the losses. But to just declare that piracy does nothing at all is crazy. It may be small, it may be negligible, but it's not zero unless your product is so unpopular that nobody was going to buy it anyway.
Those dollars do vary, and yes a movie company will absolutely compete with vodka and cake.
But there aren't the billions of dollars out there claimed as losses.
And yes, fixed maximum, though there are a lot of options, so people do hit that maximum fairly often.
A quick look through the majority of my peers shows this. They make trade-offs each month. The ones who are better off can flex their entertainment budget considerably. Those who are not, center in on a fairly modest amount, and when it's spent, it's spent. They do other things.
I agree with you about it being equally wrong. It's not zero lost sales, and it's not all lost sales.
However, one must also factor in the network effects of sharing. Mindshare is worth something, and those who have it sell more, and getting it happens through sharing and piracy as much as it does other efforts.
And the opportunity to sell continues to exist despite the piracy too. A few are out there working on that premise.
I don't think it's accurate to say that the vast majority have a fixed entertainment budget.
But even assuming it's true, piracy would still hurt individual companies or even entire industries. Industries you can't pirate so easily would see a disproportionate share of the spending.
DRM would still be very important. People would pirate the stuff that is easy to pirate, and buy the DRM stuff.
This varies some, but most people are locked in for most of their dollars. They may have savings, and can vary that budget some, but there just aren't the billions of dollars out there often cited.
There is a delta from what is being sold now. But it's not multiples. Perhaps additional fractions.
As for the hard to pirate industries, who says?
They must compete with easier, more flexible options. They might actually get less spending than they would otherwise with a more flexible and accessible scheme.
Apple showed this with iTunes and the removal of DRM actually drove more sales. Why? Sharing.
> If your crazy uncle wears tinfoil hats to combat CIA mind-rays, this doesn't mean CIA mind control technology is a concern.
Why do you assume they have no evidence?
> This is no proof that sales were hurt. It could be true (and almost certainly is) that people who did this would not have bought extra games even if the flash carts had been unavailable.
What makes you think kids with flashcarts wouldn't buy games? Their parents buy them a DS and a game or two for Christmas/Birthday. Their parents would probably buy them future games, too. Or the kid has pocket money. But the kid has a flashcart now, they need not buy more games.
This isn't like computer software piracy. They already had to spend money on a DS and flashcart, assuming they wouldn't buy additional games is nonsensical. Who buys a DS and doesn't play games on it?
It is anecdotal, but the people I know who bought DS flashcarts definitely would have bought games. And, although it is just my reasoning, I think it's fair to say people who owned the Nintendo DS would have bought games for it.
In short: what's rebellious when you're a young kid operating at the margins becomes tyrannical and oppressive when performed at massive scale by an elite upper class (hackers today). Piracy is no longer a "countercultural" act. It's more akin to labor union busting -- helping beggar content creators so content distribution mills can "monetize" their stuff for free.
It's a bit puzzling to hear this coming from Nintendo since it's pretty clear that piracy hurts the Windows platform infinitely more than the console industry.
Very, very few console owners run unlocked consoles, so they don't even have the option of running cracked games.
On the other hand, every PC owner can run cracked copies, and it only takes a few minutes of reading for even the most non tech savvy Windows user to find out about bittorrent and how to procure cracked games.
> Very, very few console owners run unlocked consoles
If that were true, these console developers wouldn't need to worry about their games being cracked. And yet, as the article discusses, there really is a piracy problem.
> It's a bit puzzling to hear this coming from Nintendo
Those R4 carts were all over the place. I was living in Japan at the time and everyone and their mother had one. There is no doubt it cost them a lot of money.
Every single person I knew who had a PSP ran only pirated games. My cousin had a single legit copy and even then he would run a downloaded ISO because it was faster to load than the UMD. Apparently PSP sold really really well, but no games matched those sales, which suggests that PSP piracy was fairly widespread too.
I had an Evo, and I must admit that it had more ROMs loaded onto it than those matching the cartridges I actually owned. But about 20% of those dozens of cartridges that I did still buy were for games that I might not have even tried otherwise. There were plenty that were played 0 or 1 times, then deleted forever.
I bought the device primarily so that I would have full access to my complete library without having to tote around physical security tokens everywhere.
And that is the same reason I have hard drives and alternative loaders for my PS2 and Wii. I can play any game that I buy without getting off the couch to switch discs. And with the Wii, there is the added benefit that I probably won't have to open it up and replace the optical disc drive for a third time. This has the unfortunate (for them) side effect that it is dead simple for me to pirate games on those platforms if I had the inclination.
So in my particular case, it would seem that the most effective anti-piracy measure would be to remove the requirement that paying customers have to continually juggle physical tokens to enjoy the content that they paid for.
If I have to break the security features in order to add the convenience features that I want most, the psychological barrier for piracy is lowered. If everything that I want is already on this side of the fence, I am far less inclined to jump over it.
It just so happens that Steam provides the feature I like, which is easy access to a whole library. As a result, I have on a few occasions preferred to re-license a game I already own on disc through Steam, just so I won't have to dig up the physical disc, configure a DOSBox or WinXP VM, install drivers, make tweaks, download the official and unofficial patches, and such.
I already have more games than I have time to play games. If I go to pirate something, it won't be because I don't want to pay, but because I don't want to be hassled every time I want to play.
So the number one anti-piracy measure from my perspective is DON'T WASTE YOUR PAYING CUSTOMERS' TIME. That applies equally to unskippable DVD scenes, physical disc checks, and connection-always-required schemes. Don't waste my time, and I won't go looking for ways to stop you from wasting my time. It is impossible for you to irritate me into giving you more of my money.
On the other hand, if you download a console game and play it on your console you don't have to worry that it's bundled with keyloggers or enrolling you in a botnet or whatever.
It would be interesting to see the difference in sales in the 3rd month between US and Europe, since the European version took one more month to crack.
First, this was a decade and a half ago. SHA was slow, open source SHA implementations were rare at the time, crypto had a stigma due to export restrictions, and was generally problematic to work with due to limited hardware support and speed.
Second, several different implementations were needed and they needed to be different enough that a simple pattern search would not find them all. SHA implementations LOOK a lot like SHA implementations in the disassembly, and it's hard to modify them in a way that leaves them functional but different enough that the compiler doesn't optimize away differences. A CRC is simple enough that you can do things like that.
Third, these things were all over the code, and run frequently. They couldn't just set a global flag and be done with it. They had to be fast. I am not sure, but I think the Playstation had hardware CRC support, but no hardware SHA support.
It's amazing that we now live in a world where you wouldn't think twice about using a cryptographically secure algorithm for data you don't actually need to hide (just obfuscate for a month or two) and not have any concern about performance.
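The comment above argues that a CRC is simple enough to be written several structurally different ways while still producing the same value. The following is an added example, not code from the thread, the article or the game: three CRC-32 routines (bit, nibble and byte at a time) checking one region, so that the loss of any single check still leaves the others reporting a modification. The sample region bytes, the function names and the `disabled` mask are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CRC32_POLY 0xEDB88320u /* reflected CRC-32 polynomial */

/* Variant A: one bit at a time, no lookup table. */
uint32_t crc32_bitwise(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    while (n--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (CRC32_POLY & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Variant B: one byte at a time through a 256-entry table built on first use. */
uint32_t crc32_bytewise(const uint8_t *p, size_t n)
{
    static uint32_t tbl[256];
    static int ready;
    if (!ready) {
        for (uint32_t i = 0; i < 256; i++) {
            uint32_t c = i;
            for (int k = 0; k < 8; k++)
                c = (c & 1u) ? (c >> 1) ^ CRC32_POLY : c >> 1;
            tbl[i] = c;
        }
        ready = 1;
    }
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++)
        crc = (crc >> 8) ^ tbl[(crc ^ p[i]) & 0xFFu];
    return ~crc;
}

/* Variant C: one nibble at a time through a 16-entry table. */
uint32_t crc32_nibblewise(const uint8_t *p, size_t n)
{
    uint32_t tbl[16];
    for (uint32_t i = 0; i < 16; i++) {
        uint32_t c = i;
        for (int k = 0; k < 4; k++)
            c = (c & 1u) ? (c >> 1) ^ CRC32_POLY : c >> 1;
        tbl[i] = c;
    }
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        crc = (crc >> 4) ^ tbl[crc & 0x0Fu];
        crc = (crc >> 4) ^ tbl[crc & 0x0Fu];
    }
    return ~crc;
}

typedef uint32_t (*crc_fn)(const uint8_t *, size_t);
static const crc_fn VARIANTS[] = { crc32_bitwise, crc32_bytewise, crc32_nibblewise };
#define NUM_VARIANTS (sizeof VARIANTS / sizeof VARIANTS[0])

/* Bit i of the result is set when variant i sees a checksum mismatch.
 * `disabled` models checks that are no longer running (hypothetical input). */
unsigned mismatch_mask(const uint8_t *region, size_t n, uint32_t expected, unsigned disabled)
{
    unsigned mask = 0;
    for (size_t i = 0; i < NUM_VARIANTS; i++)
        if (!(disabled & (1u << i)) && VARIANTS[i](region, n) != expected)
            mask |= 1u << i;
    return mask;
}

/* Constructed stand-in for a protected block of code or data. */
static const uint8_t SAMPLE_REGION[16] = {
    0x27, 0xBD, 0xFF, 0xE8, 0xAF, 0xBF, 0x00, 0x14,
    0x0C, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* Mask for the sample region; `patch` flips one bit of a copy first. */
unsigned demo_mask(int patch, unsigned disabled)
{
    uint8_t copy[sizeof SAMPLE_REGION];
    uint32_t expected = crc32_bitwise(SAMPLE_REGION, sizeof SAMPLE_REGION); /* build-time value */
    memcpy(copy, SAMPLE_REGION, sizeof copy);
    if (patch)
        copy[9] ^= 0x01;
    return mismatch_mask(copy, sizeof copy, expected, disabled);
}

int main(void)
{
    printf("intact: %u, modified: %u, modified with variant A not running: %u\n",
           demo_mask(0, 0), demo_mask(1, 0), demo_mask(1, 1u));
    return 0;
}
```

All three routines share the polynomial constant here; the comment's point about pattern searches implies that a real deployment would also have to vary how that constant appears in the compiled code.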
I deleted it before I saw there were responses, because I mistakenly assumed this article was relatively recent (I mean, retro look is a thing in video games, right?). I had no idea it was from 2001 until the "(2001)" was added after it was first posted (I'm not a gamer at all). Sorry for the confusion, about 5 people responded at the same time right as I was deleting it (didn't know the comments were incoming).
2001 obviously makes a big difference. I'll pay more attention to dates now.
That said, I don't understand why you wrote "data you don't actually need to hide". Wasn't that the point? I mean, holding off cracks for a month or two was good, but wouldn't holding them off for years be ideal?
And yes (I can't tell if you're being disdainful or honestly amazed) but we do now live in a world where you don't have to worry about performance implications of using SHA in all but the most resource constrained environments (and even then, SHA hardware acceleration is often available).
But you make some other good points I had not considered.
I am honestly amazed by modern technology, and I have to keep reminding myself how cool everything is compared to just a decade back.
The article says October 17th, 2001, right at the start, and throughout the first page they speak of the development period informed by data accurate as of December 2000. The "ten seconds exclusive access to the CD" speaks for itself though.
And given the state of the game market (as described in the article) the difference in terms of revenue between a couple months and forever is minimal. The attention spans of the cracker groups, the peaks in revenue, and the peaks in interest (which drives both revenue and piracy) all have a very strong bias to new games. The primary stated objective of this hack was to prevent pirated copies of the US version from cannibalizing sales of the EU version (which presumably was delayed due to translation work). It's data that's distributed to thousands of machines worldwide, not something you want to keep desperately secret.
> The article says October 17th, 2001, right at the start, and throughout the first page they speak of the development period informed by data accurate as of December 2000. The "ten seconds exclusive access to the CD" speaks for itself though.
Yes, and once again, I vow to pay better attention to dates and context. I already sincerely apologized. I was reading an article on anti-cracking, so that was the part I was concentrating on. And usually, I filter dates out when I read because the difference between a technical article published in 2012 and 2013 is fairly minimal (while the difference between 2014 and 2001 is pretty massive, which is why HN requires old articles to include the year). But clearly, this filter has caused both me and all the commenters unneeded grief, so I'll turn my date filter off.
> And given the state of the game market (as described in the article) the difference in terms of revenue between a couple months and forever is minimal.
Fair enough. I'm not a gamer and don't claim to know much about gaming.
The key thing is that the choice of crypto algorithm makes no difference because that's not the route of the crack. The cracked version would remove the SHA check entirely.
As someone else already wrote, it didn't really matter here. They already knew that whatever they did would be crackable, but it would just be a matter of time. They basically did an obfuscated checksum procedure (and they didn't use just one, but multiple checksums of overlapping regions). The thing this helped with was not to prevent cracking, but to prevent trivial cracking. This must have made the attackers think for a couple weeks at least, before they figured out all the parts of code they needed to modify to remove the checks. And, for those couple of weeks, many would-be pirates would have no choice but to buy the game if they wanted it.
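An added illustration of the "multiple checksums of overlapping regions" idea from the comment above; it is not part of the thread and not code from the article. The image bytes, the region layout and all function names are constructed for the example, and `zlib.crc32` stands in for whatever checksum variants the game actually used.

```python
import zlib

# Constructed stand-in for an executable image (not real game code).
IMAGE = bytes((i * 37 + 11) & 0xFF for i in range(256))

# Hypothetical overlapping (start, end) regions, one CRC32 check each.
REGIONS = [(0, 96), (64, 160), (128, 224), (192, 256), (32, 128)]

# Reference checksums, computed at build time from the pristine image.
EXPECTED = [zlib.crc32(IMAGE[s:e]) for s, e in REGIONS]


def failing_checks(image, disabled=()):
    """Indices of checks that still run and notice a modification."""
    return [
        i for i, (s, e) in enumerate(REGIONS)
        if i not in disabled and zlib.crc32(image[s:e]) != EXPECTED[i]
    ]


def covering_checks(offset):
    """Indices of the checks whose region contains this byte."""
    return [i for i, (s, e) in enumerate(REGIONS) if s <= offset < e]


def singly_covered(size=len(IMAGE)):
    """Offsets guarded by fewer than two checks: the layout's weak spots."""
    return [o for o in range(size) if len(covering_checks(o)) < 2]


def flip_byte(image, offset):
    """Return a copy with one byte changed, modelling a one-byte patch."""
    out = bytearray(image)
    out[offset] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    patched = flip_byte(IMAGE, 70)
    print("checks covering byte 70:", covering_checks(70))
    print("tripped after patch:", failing_checks(patched))
    print("still tripped with check 0 removed:", failing_checks(patched, {0}))
    print("bytes with single coverage:", len(singly_covered()))
```

Auditing the layout with `singly_covered()` shows where one removed check leaves a modification unnoticed, which is the gap overlapping regions are meant to close.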
Overlapping checksums and delayed trap flags have been completely normal stock-in-trade of copy protection techniques for 30 years - Dungeon Master from the Atari ST was on here not long ago, to give one specific case study.
Another post indicates that attackers have a budget here. That's misunderstanding the nature of your attacker, which is probably "a skilled determined cracker with time on their hands". Challenges interest crackers. Budgets are only really significant if you're talking about hardware dongle analysis, or if you're offering a bounty to a +veteran for something rare and tricky. Software analysis mainly just takes skill, and time - but no, probably not weeks to a skilled cracker, or money. Two, three days maybe (although they will need to actually find the time)?
Perhaps there's a greater emphasis on first-day sales now, but perhaps that's the nature of publishers' expectations at the moment. Some publishers think they benefit from copy protection. Do developers really benefit from copy protection? Do users? Surely not, but it depends on how intrusive the copy protection is - and decades of experience show that the more effective a copy protection technique is designed to be, the more intrusive and twitchy it is and the more of an inconvenience or disaster it is to the users (who, in such extreme cases, are actually very glad to be rid of it). Meanwhile, a copy protection that tries hard to not be intrusive - Steam - owns most of the PC gaming market by presenting a platform that's actually convenient, inexpensive, and fairly reasonable.
With years of developers viewing copy protection as a publisher demand, hence the lazy crypter-wrapper-based protections which are just plug and go, maybe that's lowered the effort crackers needed to put in too.
If the publishers are demanding more effort into it now (with the games industry thriving from a vibrant indie scene all the way up to Hollywood blockbuster budgets despite decades of nigh-unstoppable piracy) they're only really gradually rediscovering techniques some developers (and a few crackers) have forgotten - and ones the users would like to forget.
I don't know about you, but I don't want a return to the bad old days of words from the manual or black-on-black code wheels.
It didn't seem to matter in this case. "I know YOTD was vulnerable because the copy protection was only run once, at boot time. I assume the crack bypassed the copy protection and then restored the data to its original state."
The original comment was about the choice of checksum (CRC32), and a different algorithm might have made that harder if they had bothered to attack it.
Remember that every adversary has a budget.