Plugins/Companies using serial, a keyfile, or watermark copy protection

[audiojunkie]

Hmm. Unless they changed it and haven't updated the FAQ.

I didn't even look for a FAQ, I just installed the plugins and was able to activate both of them offline with the supplied keys. No internet access needed.

Who knows? It's possible. But I pulled the info from the FAQ only a few minutes ago. Maybe there is a grace period? Does your computer remain disconnected from the internet permanently, or do you occasionally connect it? Maybe it waits a period of time to allow the connection to the internet to authenticate before making any kind of notification about activation? I'm not sure.

[sprnva]

It's usually online. I pull the ethernet cable when I'm checking plugin activations. Typically if they need internet access they'll complain about it at this stage.

I guess we can leave them out until there's further confirmation.

BTW, I'm not sure about Kilohearts being on the list. They do provide a customised installer with your licenses embedded but it's only a stub. It needs internet access to download the data. There's an offline installer but I don't know if you can use its data with the customised installer for a completely offline install.

They say that you can use any single serial number to authenticate the offline installer. If this works offline then that should be enough. I just don't know if that's the case or if it needs to phone home first.

[audiojunkie]

The more I think about it, I think a couple of tier ratings might be acceptable, to allow for one-time activations that are tied to a machine and do no more. It's not my ideal, but to some, that is acceptable, because even if the company dies, as long as it continues working on the activated machine, that's acceptable to them. It's not so intrusive that it cuts the user off as soon as the company dies or the server goes off line. We could define it as a grade "B" copy protection scheme, while the ultimate tier/rating would be a grade "A" copy protection scheme which allows the user to back up the archive and the activation key/binary/whatever, and then you can restore it years later after a company has died or stopped supporting the application, and the server for activation no longer exists.

I'd also like to track what operating systems are supported in the list, so that users can quickly see if their preferred OS is supported. A simple Windows, MacOS, Linux or even a (W,M,L) appended could be useful for some. I think once we have cemented what we want to be considered acceptable to our ratings system, we will need to go through and assess everything again.

These days, just saying that a program only needs a serial or keyfile is no longer sufficient. Challenge/response is no longer as meaningful of a definition anymore either. Vendor-dependent copy protection is a better definition all around, and covers all anti-piracy schemes. The ratings system simply ranks how Vendor "Independent" an app is, when long term survivability/usage is concerned--as a reference for those of us who care about such things.

[audiojunkie]

It's usually online. I pull the ethernet cable when I'm checking plugin activations. Typically if they need internet access they'll complain about it at this stage.

I guess we can leave them out until there's further confirmation.

BTW, I'm not sure about Kilohearts being on the list. They do provide a customised installer with your licenses embedded but it's only a stub. It needs internet access to download the data. There's an offline installer but I don't know if you can use its data with the customised installer for a completely offline install.

They say that you can use any single serial number to authenticate the offline installer. If this works offline then that should be enough. I just don't know if that's the case or if it needs to phone home first.

My guess is that it probably had a grace period, activated your plugin silently, and leaving it unplugged probably wouldn't tell us much. The key would be to test the app with a machine that never connects on line, and see how long it goes before complaining (if it complains at all).

I also agree about Kilohearts (and others). Everything needs a reevaluation. I've realized for a while that our definitions of serial or keyfile were no longer sufficient to define whether the copy protection is good or not, but it was TAL-Software's hybrid change to their internet connected copy protection that I realized that challenge/response no longer fits the definition properly anymore either. It is really all about the fact that we don't want "Vender-dependent copy protection". In other words, after the purchase, we don't want to have to rely on a vendor and their server in any way. That's just punishing the honest (with the possible loss of not being able to reauthorize), while don't nothing really to the pirates. The ones who pay shouldn't be punished for the sake of those who steal. I'm old enough to remember the days when copy protection wasn't used to the extent it is these days. It was better for the honest who wanted to buy their programs and then be left alone.

So, yeah. I agree. It is time to go back and reassess everything according to new criteria that better fits the development world of today.

[sprnva]

I took another look at Kilohearts and it looks good.

I ran the offline installer with my internet disconnected. It asked for either my email or a product serial. I entered a key for one of my plugins and it offered to install it. Ran fine, fully activated offline.

[Kr3eM]

The more I think about it, I think a couple of tier ratings might be acceptable, to allow for one-time activations that are tied to a machine and do no more.

That would make this whole thread pointless in my opinon. The amount of plugins that needs to call home in order to continue to work are AFAIK not that long. Most plugins that I know of that need to be online to be activated will continue to work until something breaks the machine ID it has locked it too. Of course I hardly use any of those these days so I can be wrong, I only know of Roland that is upfront about it, but maybe there are many that dishonest and are hiding it like I believe Goeey is IIRC.

These days, just saying that a program only needs a serial or keyfile is no longer sufficient. Challenge/response is no longer as meaningful of a definition anymore either.

I don't agree with you that C/R is no longer as meningful of a definition, I think it's more meningful now than it ever has been.

The only problem with it is that you can not rely on the vendors description of what DRM it uses, there's so many that use disingenuous semantic and say the have a serial or keyfile while that is nothing more than a "challenge" that needs a "response" from them in some way or form.

Vendor-dependent copy protection is a better definition all around, and covers all anti-piracy schemes. The ratings system simply ranks how Vendor "Independent" an app is, when long term survivability/usage is concerned--as a reference for those of us who care about such things.

I think this will only make everything messy and confusing, why not set clear definitions the list uses and completely disregard what the companies calls it. In the end it is either a user friendly "you own what you buy" or it is a rentware for a unspecified time.

THAT is of course unless you just want to make a complete list of all the plugins and what DRM the use and how it functions in practise,... kind of what KVR's Plugin data base should be IMO but fails completely due to the amount or Challenge response pluings that are defined to have a "serial" or "keyfile" that conveniently leave out the rest of the authorization procedure and function.

I believed that the list like you have was meant to work as a fast guide to seperate the real Serial/Keyfile vendors from the disguised challenge response systems... no matter what the vendors calls it or try to spin it as. As long as the Serial/keyfile needs any other dependincies it's no longer a Serial/Keyfile DRM. IMO it's not up for debate.

Regardless I believe I understand you point, however, instead of expand this thread/list with things that it orginally was intended to exclude, you could always do a specific list/thread with developers/plugins that needs to call home in order to work, think that's easier and is probably what "C/R, Machine ID, OnlineAuthorization" users would like to be able to find out in a easy and informative way.

IMO a list like this should keep it to self contained Serial/keyfile/watermarks with no other dependencies than itself. That should be the gold standard besides the complete lack of any DRM. By this I mean how the DRM actually function as... any other semantics as for example U-he's new license card that is an image is still a keyfile in the way it works doesn't matter if the image has serial numbers written on it or not, it behaves and function as a Keyfile..as far as I know it doesn't require anything else than itself in order to work, can be copied and backed up, just like a plain keyfile.... so it's a keyfile, a fancy looking one, but still a keyfile in essence.

In other words anything that needs any form of response from the vendor and can't be freely moved to another machine is a by it's function a Challenge/Response aka Machine ID DRM regardless of what the developer/Vendor says it is...

It really doesn't matter if the plugin requires a app/manager like Melda or Kilohearts as long as it can be independently backed up and only Serial/keyfile in other words the "Gold Standard", then it's the same as backing up an installer and your keyfile/serial. Of course it should be noted if it uses a plugin manager app, some like it some don't.

The only thing that should be included as a borderline case is for keyfiles files that needs a one time activation/(response) to be generated and are not tied to any specific hardware, can be backed up and essentially function as a independent keyfile in perpetuity after the online authorization. .

Another bordeline case is CableGuys that, unless they have changed it, needs to connect to their server to download presets dependencies in order to use factory presets for some of the plugins in Shaperbox. These AFAIK are Machine ID locked, the same goes for the internal presets that gets encrypted and locked to the machine and needs to be synced to their cloud if you want to move them to another machine.

Yes, they eventually implemented support for import and export fxp so you can manually move the internal presets but I think you need to export/import every single preset by themself.... (I have not checked this so if anyone knows if this has changed or that you can export more than one preset at a time to fxp, then please correct me)

Things like this that have dependencies within the plugin should be listen and noted on a specific list...


Well, that's my 2 cents

[noiseresearch]

The more I think about it, I think a couple of tier ratings might be acceptable, to allow for one-time activations that are tied to a machine and do no more.

That would make this whole thread pointless in my opinon. [...]

These days, just saying that a program only needs a serial or keyfile is no longer sufficient. Challenge/response is no longer as meaningful of a definition anymore either.

I don't agree with you that C/R is no longer as meningful of a definition, I think it's more meningful now than it ever has been.

The only problem with it is that you can not rely on the vendors description of what DRM it uses, there's so many that use disingenuous semantic and say the have a serial or keyfile while that is nothing more than a "challenge" that needs a "response" from them in some way or form.

Vendor-dependent copy protection is a better definition all around, and covers all anti-piracy schemes. The ratings system simply ranks how Vendor "Independent" an app is, when long term survivability/usage is concerned--as a reference for those of us who care about such things.

[...] I think this will only make everything messy and confusing, why not set clear definitions the list uses and completely disregard what the companies calls it. In the end it is either a user friendly "you own what you buy" or it is a rentware for a unspecified time. [...]

[...] IMO a list like this should keep it to self contained Serial/keyfile/watermarks with no other dependencies than itself. That should be the gold standard besides the complete lack of any DRM.

[...] In other words anything that needs any form of response from the vendor and can't be freely moved to another machine is a by it's function a Challenge/Response aka Machine ID DRM regardless of what the developer/Vendor says it is... [...]

Agree on this.

The only exception I see: offline activation possible + the company clearly states what happens in case a c/r is not possible anymore (company) needs to close. Like Spectrasonics:

I’m concerned about what would happen to my Spectrasonics instruments if the company were to go out of business...would I be still be able to authorize them?

Absolutely! At Spectrasonics, we believe it is essential to guarantee to our users the ability to get lifetime authorizations for the Spectrasonics instruments they purchased. In the unlikely event that the company were to go out of business, we would provide the ability for all registered users to get continued authorizations. In fact, we already have a system in place for this contingency. However, the good news is that this event is highly unlikely...we plan to be around for many years!

https://www.spectrasonics.net/support/k ... ion/220/17

[Dunbar]

Personally, I think it's best to keep it simple: any reliance on a remote computer for software activation is unacceptable. Additionally, I don't think we can trust a company to unlock their software in the event of insolvency/liquidation unless we have their commitment backed by law.

On the subject of the law, I've been following developments in the "Stop Killing Games" consumer movement. Recently, a hearing in the EU parliament gained firm support in favour of consumers who paid for games that publishers subsequently shut down. The arguments against games publishers map directly onto software publishers in general; hopefully, it will result in legislation to protect all software consumers.

[audiojunkie]

Personally, I think it's best to keep it simple: any reliance on a remote computer for software activation is unacceptable. Additionally, I don't think we can trust a company to unlock their software in the event of insolvency/liquidation unless we have their commitment backed by law.

On the subject of the law, I've been following developments in the "Stop Killing Games" consumer movement. Recently, a hearing in the EU parliament gained firm support in favour of consumers who paid for games that publishers subsequently shut down. The arguments against games publishers map directly onto software publishers in general; hopefully, it will result in legislation to protect all software consumers.

You make some good (and interesting) points! In the case of TAL-Software, what would you suggest? His copy protection seems to be a hybrid, and his FAQ on his company site has essentially made it an official company declaration that his software should work, even if the company is gone. Do you still feel that it is unacceptable for our list, or would it still be good and we simply add a note explaining the hybrid quality of the copy protection?

[Dunbar]

From what I gather, TAL software doesn't need an internet connection to install or activate; it phones home only if an internet connection is detected. I disapprove of software that snitches on its users, but as the software functions fully offline, it deserves to be on the list. A note should definitely be added to make people aware the software contains surveillance malware.

[sprnva]

Klevgrand are moving to a new license file activation.

I went to test if it worked offline but the monitor on my studio machine has decided to stop turning on.

Maybe someone can confirm if it works offline?

[audiojunkie]

Klevgrand are moving to a new license file activation.

I went to test if it worked offline but the monitor on my studio machine has decided to stop turning on.

Maybe someone can confirm if it works offline?

This is what they say:

Starting in April 2026, we’ll be implementing a new safer licensing system for our plugins. Our whole product catalog will be updated with this over time.

How will this affect you: If you’re installing our plug-ins by downloading manually from web, there will now be a downloadable license file per product, instead of a serial number.

How to authorize using the license file:

1. Login to your account page and download the license file for the product.
2. Open the plug-in in your DAW and click the demo banner.
3. Choose “License file” and locate the downloaded file on your computer.
4. Success!

If you’re using Klevgrand Helper, all of this will happen automatically.

At first glance, it looks to me like they are moving from Serial # to Keyfile. I don't have any of their products, so I can't check. If it is just a move to keyfile usage, that should still be fine. Hopefully someone will find more info and report back.

[sprnva]

I managed to get up and running sort-of with an old monitor. With the ethernet cable unplugged I hit the demo banner in Korvpressor and was able to activate it with the license file.

Previously Klevgrand were C/R so this is a welcome change.

[audiojunkie]

I managed to get up and running sort-of with an old monitor. With the ethernet cable unplugged I hit the demo banner in Korvpressor and was able to activate it with the license file.

Previously Klevgrand were C/R so this is a welcome change.

Definitely! There are developers out there that have proved that copy protection that doesn't punish the honest can be done (ie U-he, Plogue, etc). Let's hope that these developers are seeing the light!

[Kr3eM]

Previously Klevgrand were C/R so this is a welcome change.

Think they changed that a long time ago, around 2017 IIRC, however at that time I only owned SquashIt so not sure if it was the same for all other products... (Rent to own on Splice is another story)