I make my living as a software developer, and this confuses people when they hear me bashing DRM. They are perplexed by the fact that someone who writes software may be so vehemently opposed to copyright protection tools. After all, most musicians, movie makers and book authors seem to support the idea. These tools protect their work from evil pirates who would otherwise download it for free. Whenever I say something critical of DRM schemes they dig out this old chestnut:

Luke, how would you feel if someone pirated your own software?

I’d feel peachy keen actually. My software can’t be pirated because I give it away for free most of the time. The commercial stuff I write, is done on salary or via contract. In other words, I get paid for my software as a service to a given company. Whether or not that software gets pirated or not, does not affect my pay. You see, I removed myself from that equation by refusing to develop and sell commercial products directly to the customer.

This of course doesn’t mean I do not understand their mindset. If I chose too develop and sell a commercial application it would be tempting to try to build in some anti piracy measures. In fact, if you are a small startup and you are selling directly to you users via digital download, this sort of thing may even work.

Some time ago I wrote about Amy Builder and how it’s product remains uncrackable years after the release mostly due to the fact that it is a niche product. Still, I must wonder whether or not this is working for them. You see, their previous version was easily cracked widely available on file sharing websites. Thanks to that fact they have quickly built a critical mass of users.

Now they have a yet to be cracked version, but also a very large user base. A lot of former pirates who are returning to the tabletop gaming hobby may try to find a cracked version, fail and actually buy the product in the end remembering how much they liked it in the past. This means that piracy may have actually helped them in the long run.

But of course the Army Builder is a small application that uses a fairly simple anti-piracy measures. They are complex enough to deter inexperienced crackers, but the application is not notable enough to warrant attention of the big time scene folks who would rather spend their time on popular commercial games or applications. This scheme works for Army Builder because it is a tool designed for a small group of customers: people who play tabletop battle games.

As soon as you gain mainstream popularity you automatically show up on the radar of the more competent crackers. Sooner or later someone will break your copy protection scheme. At that point you can do one of two things:

Re-write the copy protection code and re-release Ignore it

If you choose the former option, you are going to get yourself into a constant battle between you and the crackers. Each time they crack it, you will analyze their crack, go back to the drawing board and try to outsmart them, fool them and get the upper hand. And then they will crack it again.

Eventually you will realize that you are spending more time writing the copy protection code, obfuscating it and creating traps and red herrings for a potential cracker, than actually maintaining the application itself. I’ve seen this happening, and you really don’t want to do this to yourself as a developer. The only way to win this, is to make your application code so complex, and so tightly coupled with the copy protection code that it ceases to be cost effective to crack it. It will never be cracker proof, but you can at some point get it to be such a headache that it’s just not worth cracking. If the difficulty of the crack far exceeds the glory that can be gained out of it, most people will just give up and leave it alone. But if you get to that point you will realize that:

Your application is now a nightmare to maintain If you count lines of code, those that deal with copy protection will outnumber everything else You can no longer normally debug your app Your sales numbers didn’t change at all Legit customers are angry because the copy protection code interferes with their normal operation Pirates are happily running the last cracked version and there are whole communities online devoted towards porting the new contend to that outdated release

Trying to fight with pirates is probably a really great way to develop an ulcer, and experience a genuine mental breakdown.

Of course most of the software these days is not written by lone developers. It is created in teams which must work together and be able to read the code. This means that obfuscation, memory traps and all kinds of clever things that could trip up a potential cracker as he steps through the code in a debugger can’t be used. The code must be readable, maintainable and testable.

So we get to this weird situation where copy protection is now a feature that is created separately from the main product itself. More often than not it is an off-the-shelf product of some sort – like the industry standard SecuROM. And because it is a separate product it is loosely coupled with the application itself. What does that mean?

Firstly, it means that the two products must be integrated – which may take a lot of work, and introduce certain amount of friction in places where the two must interface with each other Secondly, loose coupling means that the cracker’s job is easier. With a completely custom solution you can litter main application code with your copy protection checks. Anyone wishing to crack it, must then find every single one. With a ready-made solution, a cracker simply must find the spot in the code where the DRM gives control back to the main app and then create some sort of a workaround. Thirdly, it allows the crackers to specialize. They can go out and study how SecuROM works and become really good at disarming it. Then when you release your app, it they will know exactly what to do to strip it down of DRM.

So you see, being a developer only reinforces my feelings about DRM. Yes, I can put myself in the shoes of a poor downtrodden programmer who is starving because evil pirates stole his code. I can also put myself in the shoes of a cracker who can’t wait to start stripping DRM from a brand new video game. I can see both sides of the coin, and I can tell that DRM is a dead end.

Everyone who paid attention in their computer security or a cryptography class back in college knows this. A working, un-crackable DRM is impossible to create. It is the computer science version of the perpetual motion machine. In fact, you know that anyone trying to create a perpetum mobile is a crackpot who is simply ignoring the laws of physics. Similarly, anyone working on DRM is a crackpot ignoring everything that was ever written about cryptography.

Yup, I said it. No sane, self respecting computer scientist will ever want to work on a DRM related project. Not unless he has to. Who develops DRM then? Well, there is probably a handful of talented crazies who think that their idea can actually work and a lot of people who simply don’t know it can’t. DRM is written by either insane, misguided programmers or talentless hacks. Unsurprisingly, most of DRM products are not only ineffective but also badly written.

Adding DRM to your product, is really equivalent to smearing it with shit. This is why most of modern DRM products has all these issues. This is why I need to run Fallout 3 as administrator under Vista. This is why I had to disable and remove all my emulation tools to even install it.

This is why I hate it. There is nothing hypocritical about it. As a programmer I would never actually want to get into the copy protection war and I would never want to expose my customers to the steaming pile of shit that is SecuROM. Sure, I’d probably not be happy to find out that people are using my software without paying for it. But I’ve been in this industry long enough to know there is nothing that I can do about it. I can’t stop people from pirating my work – it’s just impossible. Trying to accomplish it will only make an ass out of me, alienate my customers and frustrate me even more. The only way to win this battle is not to fight at all.

I said it before, and I’ll say it again: a single CD-check is usually enough to deter casual piracy and sharing between friends and neighbors. And sadly, you can never even hope to accomplish more than that. Or rather, you can hope – but it won’t mean you will ever be successful at it.