Vaporware DRM - Developer discussion

[Jeoshua]

This thread is for Mod Author discussion of the Vaporware DRM product. I have included a copy of the product as a spoiler at the bottom of this page, and there is a link in my signature. It is my sincerest hope that this is received in the spirit is intended, as a solution to the question of proper assertion of mod authorship in an uncertain environment.

 

With the addition of the Bonus Module, this technique becomes a general purpose springboard for any and all DRM, licensing, signature, authorship assertion, and attributions that you will ever need to brave the wasteland that is mod authorship. Any holes in this scheme need to be patched quickly, and effectively, and there can be no room for error. People's reputations are on the line and there are people running around weaponizing the mods which we love so much.

 

This has to end now.

 

Please, folks. Find the errors. Fix the holes. Make this your baby, too.

 

 

 

Ownership of Formats and Description of Intent:

Mod theft is a terrible thing. For this reason, I have collected postings describing a technology that can be implemented into any mod which will increase the professionalism of the mod, protect it from mod theft, provide legal standing with which to challenge pirates, and to provide ultimate piece of mind.

 

Zenimax has made, and indeed can make, no claims on ownership of the PEX format, any more than they can make claims of ownership of the PA32+ format which the engine itself runs on. Files like these are code, running on a particular format, and don't immediately become the sole property of Zenimax unless created within the Creation Kit. Crucially in this case, F4SE mods must have their PEX created by a third party utility, and acted upon by another third party utility. The Script Extender's PA32+ binary format cannot be downloaded through Bethsoft.net, will not work on PS4, and is not allowed to be run on the XBone. And while you have to provide a PEX file for the engine to run, you don't need to provide a PSC file for the user to read. In fact, not providing the PSC file of this technology removes the possibility of anyone else claiming any ownership of your source code, because they never had it. This last fact is the key.

Central Module:
Create a holotape using a terminal script, containing a menu. This menu shall contain, but is not limited to:
- The EULA of the game.
- The EULA or User Agreements of any Services used in the creation and distribution of the mod.
- A list of credits of people the modder wants to thank and/or damn.
- A Digital Signature of the modder generated in whichever manner they see fit.

- (Bonus module) A Public key half of a Public/Private key pair, with the public in your original copy of the source code. Do not compile the private half into the code, and keep it separate from the source code entirely. Provides double security as even if they decompile your script, they do not have the rest of this key. Bonus points for using this key to encrypt something.
- (Triple word score module) So named because console versions do not have the code words necessary to run it. Encode any command in an F4SE way, and you make this script only work on PC. Note that this does not require your mod to run F4SE code otherwise, and does not prevent usage on Bethsoft.net for mods which DO work on console.

Name the holotape with an item tag of [DRM] before the name of your mod. You want people to see this because it lets the thieves know what they're getting themselves into, but it doesn't require that they even see it.

ex: [DRM] Clean Deluxe

Keep the source sacred:
By withholding the source code used to create the PEX Fragment script which this holotape will display, you eliminate the possibility of there being anyone else who could have created this file. This provides you with legal standing to prove, beyond the shadow of a doubt, that you are the party who compiled that file. Do not share this file with anyone, excepting possible members of your modding company. Keep your source code off of the internet at all times, and do not share it with anyone for any reason. I'll state it one more time, just for good measure. I'll even bold it. Don't Share The Source. Don't use anyone else's either. The point is that it's supposed to be yours. To make this work, you have to write it. I'm sorry. I want to provide you with a working module, but by its very nature, you have to write this yourself.

 

Other code can have its source shared, if you so wish. Nothing is preventing you from allowing people to view the source code of any other modules. The extent to which you want to have your mod be open source is completely in your hands, since you are the one creating this DRM. Outside of the actual Holotape itself, none of the other script matters to this scheme, and you can either share or withhold that as you deem fit. The same goes with any Blender or 3DSMax object files, Photoshop or GIMP files, Audacity files, or other source that you feel that you should or should not share with the general public. The only thing that matters is the holotape fragment script, and that is your key to all of this, along with the upload dates. More on that, later.

 

Customization:
Further modifications can be made to the DRM Holotape, such as mod settings (if you have them), change logs (please guys), shout outs (or damnations), instructions (definitely), jokes (if you're funny), cheats (if you need to git gud), or anything else that the user wants to put onto this holotape. It can be made a quest item so it cannot be dropped, you can use F4SE commands to ensure that it's PC only, and if you're really inventive you could make it as an ingestible if you can figure out a way to make it entirely in script (but seriously, why aren't more modders using the damned holotapes? I'm sick of eating my settings configurators! Bethesda gave you an integrated way to make menus on the Pip Boy, this time! USE IT!)

Extra Modules:

By implanting a private key of a private/public key pair for all to see in an in game menu, and keeping the public key privately held away from either the source code or the executable, you provide double strength protection against decompilation attacks. If the compiler never sees the private key, it cannot be extracted later on. Software capable of achieving this is easier to get than you think, and much easier to use.

 

By linking one's mod into F4SE, using the debug code to turn something crucial on only if on PC, and not providing source code for that feature, you prevent the mod from being used solely through Bethesda.net. Anyone wanting to steal that mod would have to actually be a modder to understand what had been done and how to remove it. A decade of experience from the Nexus shows that modders can steal other modders work, but that it is highly unlikely and will be the source of much controversy and public outcry against the perpetrator, and rarely damages the reputation of the person who has been the victim.

This is optional, and does not prevent Bethesda.net downloaders from installing your mod while on PC, as they can install the Script Extender like sane people too from its website, they just can't use Bethesda.net to install it for them any more than one used to be able to use the Nexus to do the same. Note that while this may break the menu on console, it will not break any other content, so can still be used to implant the digital signatures on your running mod. This content would not run on console but it would remain present in the files.

 

You can also use the F4SE option to specifically encode your F4SE menu options, so there is your Triple Word Score.

Upload widely:
Armed with a mod that contains data only you could have created, you should upload this file as widely as possible. Your signature within the mod declares it to be yours, and the source in your hand proves it. Even if you do not intend your mod to be used on console, it is recommended to upload it there, as well, and set it to private. This ensures that your signature is distributed widely, and that anyone stealing your mod will not be able to claim that they got there first. Remember, you're not giving out your source, so you're not giving them the keys to your kingdom.

Vaporware DRM:
This technology is merely a technique, and due to its nature no running file or source code can be provided, and only examples given. A template could be created at some point, but the recommendation for proper usage is to create one's own, make it theirs, and never show anyone the exact source code they used to make it. This personal and unique ownership of the source code is both the point of this technology and it's mechanism. Make it your own.

Note:
This does not prevent mods from being stolen by capable modders who understand the technology and its use. A Decade of experience in the Bethesda modding community shows that these people will be dealt with swiftly and harshly upon discovery. It does however prevent anyone from being able to claim your work as their own in a convincing manner, whether that party is a mod thief, a console kiddie, an elite modder, Bethesda, or even Zenimax. No matter what rights you have to sign away to make your mod, this technique will provide legal standing to prove that you are the creator, because you have the key.

Licensing and Copyleft:
I hereby release this technology to the people of the Nexus, to all Bethsoft.net subscribers, to all Lovers, to all scripters, to all console peasants and PC doucebags, and to all modders everywhere, with love, in perpetuity, for ever and ever, Amen. Full rights are given for redistribution and modification of this technology without limitation and without credit, just so long as you're not a douche about it. You know who you are, just drop the bomb and back away.

FAQ:

Q: Will you be making this as a release in some form?
A: No. The very nature of this technique absolutely precludes the possibility of anyone else making it for you. You can use a template of some form, but you must do the scripting and compilation yourself for this to work right.

Q: But I don't know how to script!
A: Learn. The scripting level required to create a basic, working example of this technique is extremely minor. You can learn it within a day, and do it without needing anything more than a text editor and the basic modding tools you already needed to create your mod in the first place.

Q: What if my mod only changes game settings or weapon damage? Will this still work?
A: You haven't changed anything that you can even set claim to. The only thing that you would be claiming is the DRM Holotape, itself. It still proves that you made that mod, but simple changes to the game settings aren't exactly representative of a huge amount of work on your part. You really don't need this technique, that's not your IP anyways.

Q: I hate console kiddies. I want them to die. Will this technique help me achieve that?
A: NO. It will not. You're a monster for asking. Seriously, put down the bomb.

Q: This mod broke my game.
A: No, you broke your game. Do you see the difference?

Q: What if Zenimax tries to say the mod is theirs? I'm afraid my content will be stolen for another Bethsoft game.
A: Then they won't be able to use your scripts, because that would mean they would have to include your name. Load your Holotape with something that you would need to get your mod working. Consider the source. They probably won't try to steal your content anyways, but they might get inspired by your ideas. Nothing will ever protect you from someone flattering you through imitation.

Q: Can't this all just be removed?
A: Yes, and that is why you need to make this yourself, keep the source code sacred, and upload the compiled holotape script to as many places as you can. This technique is all about providing you, the content creator, with legal standing to prove that your claim on being the creator is genuine, unique, and solid.

Q: Should this thread be stickied?
A: I think so, just so long as the comment section doesn't devolve into too much flaming. People aren't going to "like" this, but I hope enough people use it to make it worthwhile. If even one person uses this technique in a mod, I'll be happy.

 

Q: What happens if a really capable modder comes along, and puts his own DRM module on? Does that mean he now has standing?

A: No. You have the earlier file. If you have the source, and it's definitely older, and you can show that you made the mod first, and you have your standing. That said, anyone smart enough to do that would not be crazy enough to think it would work.

 

Q: But why should I add a [DRM] tag? None of the mods which tag your items contain that tag!

A: Not yet, anyway. Plus, this tag notifies any potential thieves of what you've done and why they should reconsider.

 

Q: Couldn't someone just decompile the PEX file and then grab the original key?

A: Yes they can decompile, no that doesn't give the same exact file. This would provide a way to remove your signature, but as long as you've uploaded this mod first, you still have proof that yours is the true claim. This isn't just a Holotape, it's a Holotape, the Source, and the date of upload that are the three key factors that ensure you have the ability to prove that your claim to the mod is the true one.

 

Q: Does this go against the spirit of free exchange of information?

A: The DRM can be as permissive or as restrictive as you want. You can even add an entry to the Holotape that declares what you would and would not like to happen with your mod. You can allow free distribution. You can allow modification. You could even claim that it's completely cool to steal your file and ask for donations from it without giving you any credit, if that's what you want. Anything you want to claim in that, you can. Depending upon what you claim, it may or may not be legally binding, but the entire point of this is to provide you with proof that something foul has occured, and therefore the means to do something about it.

 

Q: Are the bonus modules necessary?

A: No, but their usage is highly encouraged. Both are platform agnostic, can be used effectively on any platform, and in the case of the Public/Private key pair completely impregnable for the purposes of asserting Authorship over a file. You don't even need to share your mod to assert authorship if the private key and your copy of the source are kept safe enough.

 

Q: This isn't FOSS friendly.

A: I just linked you do a GNU product didn't I? What do I have to do, grow a neckbeard? Oh wait. I did.

 

 

[ad3d0]

OMG. This is getting ridiculous.

[Jeoshua]

I would really like to keep this thread clear for discussion on technical points of Vaporware. If you have complaints or gripes of a non technical nature, then please feel free to share them more publicly on other threads discussing this or other issues.

 

A few examples are forthcoming. The technique has actually been refined at this point to only require the PEX file to exist in the download, and does not at any point require the user to run or even see the terminal script. All that is required is a working DRM PEX file, to keep the key pair separate and safe, and you have your signature and your proof of authorship.

Edited June 10, 2016 by Jeoshua

[Karel2015]

Fatal Flaw in the Logic here:

 

 

Keep the source sacred:
By withholding the source code used to create the PEX Fragment script which this holotape will display, you eliminate the possibility of there being anyone else who could have created this file. This provides you with legal standing to prove, beyond the shadow of a doubt, that you are the party who compiled that file. Do not share this file with anyone, excepting possible members of your modding company. Keep your source code off of the internet at all times, and do not share it with anyone for any reason. I'll state it one more time, just for good measure. I'll even bold it. Don't Share The Source. Don't use anyone else's either. The point is that it's supposed to be yours. To make this work, you have to write it. I'm sorry. I want to provide you with a working module, but by its very nature, you have to write this yourself.

 

--Flaw ?

Download a program like Champolion or Caprica, Turn the Code back into Source code, and now I have the source code too.

[JuJooGuppy]

Fatal Flaw in the Logic here:

 

 

Keep the source sacred:

By withholding the source code used to create the PEX Fragment script which this holotape will display, you eliminate the possibility of there being anyone else who could have created this file. This provides you with legal standing to prove, beyond the shadow of a doubt, that you are the party who compiled that file. Do not share this file with anyone, excepting possible members of your modding company. Keep your source code off of the internet at all times, and do not share it with anyone for any reason. I'll state it one more time, just for good measure. I'll even bold it. Don't Share The Source. Don't use anyone else's either. The point is that it's supposed to be yours. To make this work, you have to write it. I'm sorry. I want to provide you with a working module, but by its very nature, you have to write this yourself.

 

--Flaw ?

Download a program like Champolion or Caprica, Turn the Code back into Source code, and now I have the source code too.

 

 

I don't know much about code, but wouldn't your original copy of the source have a creation date that was older than the person attempting to reverse it, thus showing you are the 'original'?

[jet4571]

I am against this. Mod authors do not need DRM. Games do not need DRM. All this is going to do is lower the quality of mods over time by making more secrets of the trade. What we need is, well thats easy! we need mod hosting sites to act like The Nexus does nad have a zero tolerance for mod theft and have volunteer staff like the moderators here to go over the reports. More locking isnt the answer and is counterproductive.

[NorthWolf]

 

I don't know much about code, but wouldn't your original copy of the source have a creation date that was older than the person attempting to reverse it, thus showing you are the 'original'?

 

 

Not going to join the debate as to whether or not this is reasonable as per the OP's request, but no. The creation date isn't a valuable metric: it's entirely trivial to modify. The most meaningful metric is going to be through a 3rd party, namely upload dates on modding websites.

 

Also: how would a private/public key pair with the public key in the source be useful unless you encrypt some kind of token in the source with it? Otherwise you just have two keys that don't have a meaningful relation. I don't see how it's supposed to be "bonus points" if you encrypt something with it. It would be a vital part of having this be a meaningful way to determine authorship.

[Deleted3507349User]

The only form of DRM that I would support would be a message popup. Really though, it's mostly a waste of time because such things are a simple matter to strip out.

 

Seems to me the best thing you can do is upload your stuff here to the Nexus and use the date/time stamp as a copyright. Bear in mind that your mod isn't visible until you release it.

[Jeoshua]

--Flaw ?

Download a program like Champolion or Caprica, Turn the Code back into Source code, and now I have the source code too.

 

Decompilers are possible, but using the provided link to a GPG, with which you can generate a public/private key, eliminates the possibility that anyone can decompile your mod into something that they can use to assert authorship. You have the private half of the key, they will not. It doesn't matter if they decompile it and find your public key. You still have your unimpeachable claim, because only you can say what the private half of the code is.

 

So the public/private key pair, along with multiple uploads to different servers, protects you against the possibility that someone decompiles the script.

 

In fact, you CAN give out the source code to the module, if you want, just so long as you are not including the private half of the key.

 

 

 

 

How would a private/public key pair with the public key in the source be useful unless you encrypt some kind of token in the source with it? Otherwise you just have two keys that don't have a meaningful relation. I don't see how it's supposed to be "bonus points" if you encrypt something with it. It would be a vital part of having this be a meaningful way to determine authorship.

 

 

It's considered bonus points to use GPG to do the digital signatures with. Using some form of encrypted digital signature is part of the core module. The bonus is just using an external, open source, freeware implementation of a proven technology. Either way, you need a valid digital signature to embed into your file. It's just nice if you stay FOSS about it, that's all.

 

As far as the third party download sites acting as an impartial arbiter as to when the file was initially created, you're right on the money. Dates can be faked on a single PC, but it takes some real doing to fake it on 3 separate download sites plus your computer.

 

 

 

The only form of DRM that I would support would be a message popup. Really though, it's mostly a waste of time because such things are a simple matter to strip out.

 

Seems to me the best thing you can do is upload your stuff here to the Nexus and use the date/time stamp as a copyright. Bear in mind that your mod isn't visible until you release it.

 

You can use this technique to display a popup window. Use the public/private key pair, and inject the public half of the key somewhere into the mod.

 

I don't know why people are so concerned with this being stripped off. Truly, it's possible, but that only PROVES that the mod has been illegally distributed. The entire point of this technique is to be able to sign your mods in indelible ink, proving that they are yours. If someone strips off your signature, that does NOT make them theirs, and does NOT absolve them in the slightest.

 

This is not one single tag that can be removed willy nilly. It's a digital signature that cannot be faked, and the file is uploaded to multiple third party sites with that signature embedded. It provides an unimpeachable record that you are the author of the file. Someone taking that signature out and reuploading your file would only damn them further, because it proves that they knew the DRM was in there and intentionally removed it. If you've uploaded the file yourself, and have all the pieces to show where that signature should have been and that it's not there now, you prove beyond the shadow of a doubt that you are the mod author, and that your mod has been stolen.

 

See, here's the thing. Console modding has always been possible. Truly, it has. It was against the terms of service to even talk about it until recently, and the reason for that is that in order to do any modding for console, you needed to hack into your XBox and break quite a few laws. This has bred an attitude amongst console modders where many do not care for the way intellectual property is handled. That's fine, of course, because the difficulty of console modding used to be a barrier against people who didn't know what they were doing.

 

Now, with Bethsoft.net, that barrier is gone. We are left with the same people who don't care about intellectual property, and any old script kiddie can steal mods, upload them, even make minor changes, and they do not require the knowledge of what they are doing anymore.

 

 

By the way: Removing this tag isn't a bannable offense type of thing. It's an illegal, DMCA covered, go to jail type of thing. It's way more serious than just being told not to return to a site, if that's how far the author wants to take it.

 

The DRM can be removed, sure. But only by someone who knows what it is, and how to remove it. That's not easy, if you know how to hide the signatures in your file. A truly capable modder could remove it anyways, but when was the last time an ACTUAL modder capable of ACTUALLY modding stole another person's mod? I mean, it's happened, but it's so rare that worrying about that is pretty ludicrous. The community bands together against that type of person.

 

It's the little morons who CAN'T mod, and steal the mods of others, that this is aimed to stop.

Edited June 12, 2016 by Jeoshua

[Jeoshua]

Also, if you guys want to further discuss the technical merits or demerits of the technique, please scan the latest version of the outline from my signature. I'm treating it sort of as a living document, and it has gone through many changes since I initially posted. At this point, the only required thing is an encrypted digital signature (bonus points for using open source), and uploading the file to a trusted third party website such as Bethesda.net, The Nexus, Loverslab, or any other file storage site which keeps your upload date for all to see.

 

Just compile it into a PEX script, and you technically just need to have that PEX script somewhere in your download. It doesn't even need to run. I suppose it doesn't even need to be in the PEX at all, even, just the digital signature should be injected in some way which imposes itself upon the mod in a transparent and unobtrusive way. My personal favorite idea is to flash the public key and an encrypted signature as part of the holotape boot sequence. Most people won't even see it, because it will look like computer gobbledeegook, but someone with access to the CK or xEdit could pull that information out. Heck, they could even use the decompiler, and they would find the public half of the key easily. That's why you should never put the private half anywhere near anything which is going to be compiling that script. Don't even have it in the source code. Don't let the CK or any external PEX compilers even see it, because that way it's mathematically assured that the two halves of the key cannot be in the final file.

Edited June 12, 2016 by Jeoshua