TAL releases TAL-EQ

[audiojunkie]

I should be able to take from my personal backup the plugin installer, and the keyfile (or serial number), and install the application onto a new computer without company intervention.

Once they solve that, users will be happy.

The problem with that is "without company intervention," the developer doesn't have control over how many other computers it's installed on, or if they're even yours. Or even if it's a legitimate keyfile they generated and have a record of, for that matter.

What you are demanding is security theater.

I had to look up what "Security Theater" even was......I'd never heard of it.

For the curious:

Security theater is the practice of implementing security measures that are considered to provide the feeling of improved security while doing little or nothing to achieve it.[1][2]

Since the developer is the person that would be implementing security measures, there would be little "theater" from the developer's perspective. Security Theater would be the developer telling us users that copy protection is for our own good and benefits us. So, this doesn't really work in this situation. But I digress--let's move on.

You state:

The problem with that is "without company intervention," the developer doesn't have control over how many other computers it's installed on, or if they're even yours. Or even if it's a legitimate keyfile they generated and have a record of, for that matter.

So, we are at an impasse.

Developers want control over how many other computers the software is installed on, and to whom the software is granted access. Users want to have working software that doesn't stop working when a developer discontinues a product, goes out of business, sells the business, or simply dies.

The result is a lose-lose situation, unless both can find a suitable compromise.

I suggest that if challenge/response copy protection is demanded by a developer, that could work for a user if the following conditions were met:

1. The developer may limit the number of devices, but he must make available on his website a way for the user to sign in and release an activation for a device that is tied to it, so that the user can use the activation for a different computer. Many companies are already doing this and it is easy and convenient for a user to move an activation to a different computer.

2. The company must have a plan in place for users to be able to continue using their software in the event that a developer decides to discontinue a product, sell the company, end the company, or if the developer dies. There is a precedent for this as well. Spectrasonics has had this in place and publicly had it written on their website for Omnisphere 2 (I'll need to check to see if they still provide that promise for Omnisphere 3).

If these two conditions are met, then I believe Challenge/Response software could be used without punishing the honest, if it is done well and makes it very convenient. This would be the win-win compromise, and I believe it would be reasonable.

-------------

EDIT: I just looked up Spectrasonics' info for Omnisphere 3. They still provide a satisfactory challenge response solution (Note: I added highlights to the inportant parts):

https://www.spectrasonics.net/support/k ... aqs/150/23

Copy Protection FAQs
Do Spectrasonics Virtual Instruments use copy protection?
Yes, we have our own system. Once you've installed and opened the plugin, you'll need to authorize the plugin on our web site, via your User Account. It's fast and easy, and you'll get your Response Code for your computer immediately. You don't have to use your music computer to do the web authorization.

Do Spectrasonics Virtual Instruments use an iLok or any kind of dongle for Copy Protection?
No. All Spectrasonics products use a custom-developed Challenge/Response system. This system allows you to install and authorize 24 hours a day, 7 days a week. Additionally, with our system, you aren't limited to using them on only one computer. Since all Spectrasonics instruments have a "single-user/multiple-computer" license, you can install and use them on as many computers that you own and will be using yourself.

Does this mean I can use my Spectrasonics Virtual Instruments on more than one computer at a time?
Yes. This is no problem as long as you are the only user.

What if I need more than one install for laptop use, if my hard drive crashes, or if I get a new computer?
Not a problem! Our web site is available around the clock to handle these situations immediately. It's very easy to do it online and you'll always be able to get the authorizations you need from Spectrasonics.

I'm concerned about what would happen to my Spectrasonics Virtual instruments if the company were to go out of business? Would I be still be able to authorize them?
Absolutely! At Spectrasonics, we believe it is essential to guarantee to our users the ability to get lifetime authorizations for the Spectrasonics instruments they purchased. In the unlikely event that the company were to go out of business, we would provide for all registered users to get continued authorizations. In fact, we already have a system in place for this contingency. However, the good news is that this event is highly unlikely - we’ve been in business for a long time and we plan to be around for many years!

[audiojunkie]

So, I would say that Spectrasonics serves as an example of how Challenge/Response should be done. If it was available for Linux, I wouldn't have a problem buying this product.

Bravo to Spectrasonics! Win-Win situation.

[bnz]

The phrasing "lifetime" doesn't exactly sound good to me. Sounds like purchased games on Steam. Licenses terminate with death of the license holder and cannot be inherited. Thats again not ownership. Not sure if Spectrasonics mean it like they write, but that inheritance stuff is a whole other can of worms if you ask me. A hardware compressor or synthesizer doesn't go back to the manufacturer, but can be sold by those who inherit it.

It's an aspect usually not really discussed very well with respect to software licensing.

[SilverLPs]

And afaik his software remains not fully cracked to this day.

Come on. Why pretend? Even I know that isn't true.

Agreed. I don't think there is anything that hasn't been successfully hacked at some point or another. Even U-he's stuff has been hacked, by his own admission. However, his copy protection kept his software protected long enough to get the majority of the new sales (which is where the majority of money is made), and he updates his protection with each release, which keeps the pirates at bay.

Afaik even Team R2R never managed to remove all timebombs from the license verification. Of course it's hacked in some way and can be used but it's not fully cracked.

I also remember Urs (u-he) publicly stating that his license verification system purposely keeps running without a license for some time (like up to over a year) and at some point it will randomly stop working. I guess it's supposed to make sure that freeloaders get used to the plugins, maybe even integrate it into their daily workflow, and then suddenly they have to make a decision. Reinstall everything, the whole operating system etc. or buy the plugin and keep working. Actually pretty smart and it also specifically targets freeloaders who actually use the plugins regulary and who would more likely buy them if they had to.

[SilverLPs]

That no longer holds true.

With TAL's new system, at least each update needs to be cracked, which limits the speed and scale of the distribution. With a simple serial, once there is a successful keygen, pirates have instant access to every update direct from the developer's website, and dissemination only increases over time and with each update. u-he will have to build a completely new system and cancel all existing serial numbers to regain control over his IP again.

To generate keys (keygen) the algorithm would need to be cracked. In this case it doesn't matter if it's challenge/response or keyfile because you can generate the keys without any limit until the algorithm gets changed. C/R algorithms can be cracked and then a keygen can be created, just as with regular key-based systems.

A single leaked key is an entirely different scenario than a cracked algorithm. The key can be blacklisted from future updates and it is often a big risk for the person who bought and shared the key, because he could be traced back, so it's unlikely to happen.

As long as the algorithm isn't cracked and no key leaked, the plugins verification system would need to be cracked for both C/R and key.

So the conclusion is:

Cracking the algorithm for C/R isn't easier or harder than for a good key-based system, and in both cases you would need to start completely over with a new algorithm and new keys for all users, so the risk and effect stays the same here.

A leaked key would be the only additional risk that key-based systems have, however they can be blacklisted and will then be useless in future updates, so those updates would also need a regular crack again. As long as there is no unpatched key, they need to crack every update just as with C/R, no difference.

[SilverLPs]

I should be able to take from my personal backup the plugin installer, and the keyfile (or serial number), and install the application onto a new computer without company intervention.

Once they solve that, users will be happy.

The problem with that is "without company intervention," the developer doesn't have control over how many other computers it's installed on, or if they're even yours. Or even if it's a legitimate keyfile they generated and have a record of, for that matter.

What you are demanding is security theater.

They shouldn't have that control! If I want to use the plugin on 50 computers or reinstall my system every week, why shouldn't I be able to do so? Does it make the money I spent less valuable? Am I hurting the developer in any way by doing so? Am I breaking any laws? Is it unethical?

No, at the end it comes down to the developer saying, "if you need more activations, you need to buy more licenses". That's usually called a per-machine license and there are many per-machine license business models out there. The difference is, 1. it's usually marketed as such, 2. per-machine means there is no limit on how many users can use the software on the licensed machine, 3. per-machine licenses are mostly attractive for specific cases in the B2B sector and not for consumers.

But in the pro audio sector some developers and publishers seemingly want to license both per-machine(s) and per-user at the same time, while marketing it as per-user license with "copy protection". And in TALs case, he sneaked in that additional per-machine restriction after selling the products as only per-user license, without any clearly visible warnings, that the license model has changed to a more restrictive system!

The reason for all of this is, by changing to that two times restrictive business model, some additional sales can be generated. Thats the reason why C/R gets implemented in the first place. But it's business on the back of customers rights and freedom. That's why using warez stuff is still popular, even among many legitimiate customers. Because the crackers give customers the freedom to fully use the software that they actually paid for. It shouldn't be that way and many developers prove that it doesn't have to.

[audiojunkie]

And afaik his software remains not fully cracked to this day.

Come on. Why pretend? Even I know that isn't true.

Agreed. I don't think there is anything that hasn't been successfully hacked at some point or another. Even U-he's stuff has been hacked, by his own admission. However, his copy protection kept his software protected long enough to get the majority of the new sales (which is where the majority of money is made), and he updates his protection with each release, which keeps the pirates at bay.

Afaik even Team R2R never managed to remove all timebombs from the license verification. Of course it's hacked in some way and can be used but it's not fully cracked.

I also remember Urs (u-he) publicly stating that his license verification system purposely keeps running without a license for some time (like up to over a year) and at some point it will randomly stop working. I guess it's supposed to make sure that freeloaders get used to the plugins, maybe even integrate it into their daily workflow, and then suddenly they have to make a decision. Reinstall everything, the whole operating system etc. or buy the plugin and keep working. Actually pretty smart and it also specifically targets freeloaders who actually use the plugins regulary and who would more likely buy them if they had to.

I remember something about that as well. I've been very pleased with U-he products.

[jamcat]

You're working with very outdated information there.

[exit-eternity]

And afaik his software remains not fully cracked to this day.

Come on. Why pretend? Even I know that isn't true.

Agreed. I don't think there is anything that hasn't been successfully hacked at some point or another.

Acustica audio newer (past 3 year or so) stuff is no cracked so whatever copy protect they has must be goood

[tumface]

That no longer holds true.

With TAL's new system, at least each update needs to be cracked, which limits the speed and scale of the distribution. With a simple serial, once there is a successful keygen, pirates have instant access to every update direct from the developer's website, and dissemination only increases over time and with each update. u-he will have to build a completely new system and cancel all existing serial numbers to regain control over his IP again.

That's kind of implying a false dilemma. Cryptographic license keys like FabFilter and REAPER can't have keygens made for them. (If you are able to make one, you have defeated a modern encryption method which would cause global havoc.) Modifying the .exe/.dll/.vst3 is required to defeat it, which is a crack, and challenge+response doesn't stop that, either. Cryptographic license keys are easy to implement (libsodium is free) and don't require challenge+response or an internet connection, except at time of purchase. I don't know why more companies don't use this method. Maybe they think it's beyond their reach because they don't know about cryptography. But it's not hard and you don't have to know how the actual math works.

I've given more money to FabFilter and Cockos (commercial licenses for over 15 years) than any other audio software company.

[audiojunkie]

Same here with Reaper. I have been using it and updating ever since it began. Great DAW!

[pchase]

Modifying the .exe/.dll/.vst3 is required to defeat it, which is a crack, and challenge+response doesn't stop that, either.

Not really true because you don't need to make a keygen to defeat it, you can just share a valid serial.

[tumface]

Not really true because you don't need to make a keygen to defeat it, you can just share a valid serial.

Well, it's easy to block license keys that leak online by blacklisting them (as hashes) in the next update to the plugin.

But, still, you're right about being able to share keys privately. Challenge+response is better at inhibiting casual key sharing between friends. Which is something that happens. But it's not any better for mass online piracy, which is the majority of piracy. Challenge+response really impacts the quality of the experience for paying users. FabFilter and REAPER are both really successful, for example, so choosing to use challenge+response is not an obvious win.

In the case of TAL, it seems like they used to use cryptographic offline keys (that's what my old ones look like) and have now switched to also requiring online activation. Good luck with that, I guess.