Steamed over DRM

[Villadelfia]

Have you considered something like this:

If the software triggers a license revalidation, do not immediately kick the user out, instead warn the user that they have 1 week to get it sorted before it deactivates. However, and here's the part to make sure that fooling around with the system clock doesn't work, during that 1 week grace period require an internet connection to start the program.

This kind of stuff is my day job, so if you want to seriously consider it, feel free to mail me for some implementation help.

 

[Togainu]

While such a system works relatively well. It does open the system up for an extra point of possible vulnerability. This together with the fact that systems like that have been cracked numerous times (including with major companies like Adobe). I don't think this is a smart functionality to implement. And as Rob stated situations like this are relatively rare, together with the fact that most of the situations can be user anticipated meaning they can request a reset before doing any of such actions. Which in my eyes doesn't warrant an approach that might add vulnerabilities to the system.

Also seeing the new feature in the license menu (unlink license). I think they might actually be working or have implemented a system to de-activate your license before doing major alterations to your system. (haven't tried using the system yet so this is just an assumptions of what it does. Planning to test it out myself later today actually)

update: Seems it doesn't allow for license movement. Just tried it between 2 machines of mine. (So not sure what that feature does)

 

[Villadelfia]

I know that it's easy to implement it in a way that leads to vulnerability, which is why I offered to help. That wasn't a joke, my day job is implementing network security for a company that you probably know.

 

[Togainu]

Kind of think you are missing the point I was making. No matter how secure you implement it you are adding another point of entry for attacks. Making the program as a whole more vulnerable by default.

Secondly not everyone plays in areas that have access to internet. Meaning they won't be able to start up the program. Course then you can choose to not allow save options. But that means you need to start making notes outside of Hero Lab and enter them at a later point (if you remember and didn't loose your notes which are very realistic scenarios (which is actually how it currently works meaning the connection solution only solves the issue for some users)).

And again it only triggers with major changes to your machine. Which are in majority of the cases user induced meaning you can request a license reset before doing them


Edit: Also seeing the machine ID changed it can't identify itself as the old system anymore, meaning you run into the same issue as before. If someone gives a full copy of their hero lab to someone else. The week reset period can't check reliably if it used to be a legit system.

 

[Exmortis]

Just remember that LWD also answers to the product owners, not just us the consumer.

Rob is a middle man being squeezed by the IP owner and the IP leaser.

It is easy to suggest what will be better for us, but remember the owner of the IP has to be kept happy, or we have no IP to lease.

 

[herald7667]

So is there a fix for the Windows 10/fast ring problem? I can't seem to move My license as it can't connect to the server and it just locks up the whole program until end task on it. I have an email into support.

 

[ShadowChemosh]

So is there a fix for the Windows 10/fast ring problem? I can't seem to move My license as it can't connect to the server and it just locks up the whole program until end task on it. I have an email into support.

Have you installed the latest version of Hero Lab which is v7.3 as it was suppose to have some Windows 10 fixes.

 

[Villadelfia]

Kind of think you are missing the point I was making. No matter how secure you implement it you are adding another point of entry for attacks. Making the program as a whole more vulnerable by default.

This is true, but it's not as if the current security is flawless, in fact it is quite flawed but I respect lone wolf development and will not release my research on that subject. Suffice it to say that small scale piracy is easy, and would not even require any cracking. Large scale piracy on the other hand would require some cracking, but there are some critical flaws in how a license is validated.

If anyone on the dev team is reading this: I'm working on a PoC for both methods and will mail you when they're complete so that you may fix them.

Secondly not everyone plays in areas that have access to internet. Meaning they won't be able to start up the program. Course then you can choose to not allow save options. But that means you need to start making notes outside of Hero Lab and enter them at a later point (if you remember and didn't loose your notes which are very realistic scenarios (which is actually how it currently works meaning the connection solution only solves the issue for some users)).

I think we miscommunicated somewhere, I did not intend my proposal to require a constant internet connection. What I'm intending is this: if the license is valid, hero lab would work exactly as it does now.

However, once it detects a license invalidation, it will phone home and start a week long "trial mode" and require an internet connection from that point until the license becomes valid again.

I can see how this won't work for people that play without internet connection, but for the rest it would provide a nice way to avoid a ruined gaming evening.

As for abuse, this system would obviously invalidate the license for use on any system ID when it gets flagged, this would mean that the original user can no longer update until he contacts lone wolf, and the person he shared it with can only use it once, for one week. Continued abuse would quickly become apparent.

 

[herald7667]

Ok, I have now installed the latest version, and when I go to retrieve the license it can't communicate with the server. I have verified that it is white listed.

 

[herald7667]

Support got me squared away. Thanks for the help folks!

 

[Togainu]

as for security as a whole it never is flawless what is made by man can be broken by man no matter what it is . It is just a matter of how easy

I think we miscommunication somewhere, I did not intend my proposal to require a constant internet connection. What I'm intending is this: if the license is valid, hero lab would work exactly as it does now.

However, once it detects a license invalidation, it will phone home and start a week long "trial mode" and require an internet connection from that point until the license becomes valid again.

I know you didn't mean it for always. However the suggestion you made did state to need an internet connection during the trial period to boot. This means that players that play in areas without internet connections can't do anything. In the current system they can still view their character just not save edits they make to the hero lab file. (meaning make notes manually and add those later after reactivation) Making that trial period actually a huge leap backwards for gamers playing in internet free zones. Compared to a small step forward for gamers with an internet connection. (as I said then you can go the route of unblocking/blocking the save feature but this in my eyes something that is a minor upgrade. Compared to feature/material/bug fixes I rather have the focus there instead of a minor upgrade on the DRM)

I can see how this won't work for people that play without internet connection, but for the rest it would provide a nice way to avoid a ruined gaming evening.

When it invalidates your license the client still has all material the only thing that does stop working is the save feature. Meaning you just need to make notes for that session separate and add those when you reactivated your license. (This is exactly what I do when I forget to request a license update when a new windows 10 insider build comes out). So there never really is a "ruined" game night in all honesty.

As for abuse, this system would obviously invalidate the license for use on any system ID when it gets flagged, this would mean that the original user can no longer update until he contacts lone wolf, and the person he shared it with can only use it once, for one week. Continued abuse would quickly become apparent.

The issue with this is that the original owner would be removed. If for some reason their license got compromised by whatever means. They end up being kicked out of their account over and over again without being actual abuse. This in my eyes would be a worse DRM situation then what is currently in place just not allowing you to save and having to make notes.

 

[evdjj3j]

I'm looking for a replacement

Saturday night. I was wanting to get back into playing PF again. Tried firing up HL but updates wont download and it says I need to activate my license again. I reactivated my license in July when I first installed Win 10 and hadn't used HL since then. No hardware changes or OS installs since the last activation but now HL is no longer activated, so I cant create my character for PF tomorrow. I've spent so much money on HL and it pains me to stop using it but this is the second time I've tried to create a character on a Saturday and been shut down by the terrible DRM. If you are going to use such restrictive DRM then you need to have someone on call 24x7 to deal with licensing issues. While I don't like PCGen as well as HL I don't ever have to worry about this situation when using PCGen. I was so excited to get back into playing PF after not playing for many months but this has really ruined it for me. Also, I've never had tech support respond to any issues that I've emailed about other than licensing issues. Very poor customer service. Like I said it truly pains me when I think about how much money I have sunk into this poorly supported product, I really wish I would have went with PCGen from the get go. You've already got my money so I'm sure this will fall on deaf ears.

 

[liz]

@evdjj3j, I see your support email that you sent us over the week, which outlines the same frustrations you shared here. Our support team will work with you through our support system, as the forums are not the ideal location for troubleshooting.

Also, I've never had tech support respond to any issues that I've emailed about other than licensing issues. Very poor customer service. ... You've already got my money so I'm sure this will fall on deaf ears.

I checked our support system, and of all the emails you sent, we responded the same day or the next business day. If you're not receiving our responses, please check your spam folder and make sure that support@wolflair.com and tracker@wolflair.com are white-listed for your email.

 

[Farling]

No hardware changes or OS installs since the last activation but now HL is no longer activated, so I cant create my character for PF tomorrow.

If you are on the "fast-track" option of Windows 10, then that seems to cause more issues with licensing than receiving just the normal Windows 10 updates.

 

[TheSleeper]

If you are on the "fast-track" option of Windows 10, then that seems to cause more issues with licensing than receiving just the normal Windows 10 updates.

Not sure about Win 10 but I had it reset again 2 weeks ago and while it was reactivated very fast it was a patch of HL that brought it down and was very likely the thing that did so in all cases.

I have 3-4 weeks of Eyes of the Ten left and I am done with pathfinder for a bit. I am just not going to patch it till I am done.

 

[TheSleeper]

Back in November I received an email from Colen McAlister about a feature in the new beta release of HL:

”I wanted to update you on this situation on our end. We're currently testing a new solution for identifying an individual computer, which we're hoping to deploy within the next few months. Hopefully this solution will fix the problems you're encountering, and stop you having to reactivate your license so often.”


Now after testing this version I wanted to post 2 things:

1 - Colen McAlister & LWD are a class act to proactively follow up with me with a well thought up and effective solution.

2 – The reactivation issue has not occurred any more since I installed the new beta version.

I just wanted to post this here to let everyone know what LWD is made of. Props to LWD!