You wouldn't download a back end
cjohanaja.comIf there's sufficient determination, people will just write replacement backends.
This is a real phenomenon. As I recall some years ago Ubisoft tried to come out with a (single-player) video game which couldn't be played offline, and which was dependent on an online server as an anti-piracy tactic. I believe this game was still pirated using some kind of fake server.
It's also interesting how common it is for people to create replacement servers for popular MMOs, given the extent of the reverse engineering that this requires, using custom non-HTTP protocols which are much harder to reverse. MMOs should be "unpirateable" yet unofficial open source server reimplementations are a real thing.
This has become SOP for Ubisoft and EA; but I believe you’re referring to Simcity by EA. That was the most egregious example with the most press and was zero-day cracked with a stub server interface.
EA claimed that it needed a server connection because a desktop computer couldn't run the simulation. This claim was absurd on the face of it; EA couldn't possibly turn a profit if each copy of the game required dedicated beefy-ass server hardware to support it.
But of course, on launch it was quickly discovered the game ran just fine without an internet connection. After 30 minutes, the game would complain the server would time out and shut down voluntarily. But all it took was patching the "30 minutes" magic number. Poof, problem solved.
Long story short, it is an ongoing problem that pirates receive a superior product. (A problem for publishers anyways, not one for pirates.)
> EA couldn't possibly turn a profit if each copy of the game required dedicated beefy-ass server hardware to support it.
I think the charitable interpretation of EA's (fantastical) justification, was that they were planning to have some shared agent-based simulations being run in the cloud (one per "region" — where the whole point of the SC5 "regions" was that they were a sharding boundary for this shared simulation); where your updates to your city would be (asynchronously) incorporated into that shared agentive model; and then the interactions of the agents flowing through that shared model, would get reflected back into your city.
In other words, it wouldn't have been an O(N) computing-power thing, but more like O(N^0.5). Something that would greatly benefit from economies of scale, insofar as a region with 16 tenants wouldn't require much more computation than a region with a single tenant — and likely there'd be a per-region cap on the total number of agents to limit total simulation complexity.
Of course, this isn't what they did; but I think it's what they were claiming they did. Maybe it was even what their marketing department had been misled into thinking they had already done (or would do soon after launch day), because it was something their engineering department had tried to do, but just never got operational "yet".
>it was something their engineering department had tried to do, but just never got operational "yet".
OR it was something a product manager aimed to do, and it was sold internally before it was developed - and then proper resources were not available to make it a reality
> pirates receive a superior product
Including the unofficial day-one patches that fix crashes on their computers and make the game actually possible to run.
> This claim was absurd on the face of it; EA couldn't possibly turn a profit if each copy of the game required dedicated beefy-ass server hardware to support it.
Was it? No, I don't think so. I can imagine numerous computation problems that are not viable to solve client-side (i.e. your device "cannot run the simulation"), but are not a real burden on a server-side for a lot of users. Simpliest example: hosting a couple TB large rainbow table.
(Obviously, I'm not discussing that particular game, my objection is to the general claim only.)
Elite:Dangerous would be an example of that. The simulated galaxy contains 400 billion star systems and the galaxy map can find routes between any two stars, as far as I know that's all handled by the backend.
Though the difference to something like Sim City is that everyone plays in the same shared game world even in "solo" mode.
He is very clearly talking about this specific game. How you interpret the text you quoted as general is hard for me to understand.
> Long story short, it is an ongoing problem that pirates receive a superior product. (A problem for publishers anyways, not one for pirates.)
Yep. Also, don't forget: an even bigger problem for legitimate users.
Not only was Simcity's dial home unnecessary but their servers were extremely underprovisioned for the load[1]. For the first few weeks pirates actually got a significantly better game experience since they could play the game while legitimate players were generally unable to even play in single player.
Simcity was an excellent example of DRM providing no benefits and actively lowering the user's experience - that's almost always the case but it's rarely this extreme and obvious.
1. https://arstechnica.com/gaming/2013/03/clogged-streets-simci...
I'm a city builder fanatic. I played the original simcity, 2000 and 3000. But 4 wasn't very fun and sim city origin was a dumpster fire.
Luckily we have better options now. cities skylines is a worthy successor to the original franchise and the (optional) dlcs only make the experience better.
I actually believe it's referring to Assassin's Creed 2. It had to check in with the central server to see if a legitimate copy was being played, and the way it was cracked was basically going through every possibility where the check can fire off, recording the request/response, and having the cracked version play back the appropriate response to the request. It basically had to be exhaustively played to get to a point where all the request/response combinations got recorded.
It's amazing that anyone is willing to do this, just so that other people can play the game.
Then again, once you've done it, now you can turn off your internet and play the game in peace, so it's not 100% only altruistic.
A lot of DRM (eg the one by denuvo) could be bypassed with hooking from kernelmode, hypervisor shenanigans etc.
But that doesn’t comply with the „scene rules“, they always want a clean executable without any background services. I was always impressed by Razer1911 and CPY who obeyed these rules and did all this work just for clout.
You can make this arbitrarily difficult by moving more and more core functionality into the backend, to the point where the front end is little more than a bundle of cached assets for what's otherwise an online game. At which point, any replacement backend that reused these assets would inarguably be a derivative work infringing on the assets' copyright unless explicitly licensed.
You don't even have to go to this extreme to make conventional piracy all but intractable. As a concrete example, take Civilization 6, and suppose it had been released as a client/server application where the server handled all enemy AI. While creating functional but inequivalent replacement backends may not be terribly difficult — and might even lead to an interesting alternative AI ecosystem — reproducing the precise behavior of the vanilla AI via "black box" reverse engineering would require considerably more effort than cracking an offline game or reimplementing a backend that acts as a mere license server.
Compared to a traditional, fully offline model, moving large portions of a single-player game online would increase both upfront development costs and marginal cost and would be met with disapproval by a nontrivial fraction of potential customers who, for this reason, might choose not to purchase the game. It would also have a slightly smaller potential market to begin due to "always-on" Internet access being commonplace, but not universal.
Still, at this point, there are no real technical obstacles to developers adopting such a model.
In other words, I presume the forces keeping games "crackable" are primarily economic rather than technical.
Runescape private servers anyone? There was a whole scene circa 2012 that reverse engineered the Runescape game client, then built up a dev community of people replicating the game's quests, combat system, leveling system, game loop, multiplayer, chat, etc... with backends written in Java. The community got to a point where prebuilt server "bases" competed in adoption and snippets and tutorials were posted with code that implemented certain functionality built on top of server codebases, that you could copy and paste to create your own Runescape server. What got even more interesting was people creating entirely new game content instead of trying to emulate existing Runescape gameplay, using the same game engine and backends.
MMO games that you speak of are reversed engineered and run on emulated private servers. It turns out that people who reverse engineer those games are as smart as people who program them.
I was always fascinated by software reverse engineering and I spent years researching it. Quite interesting computer science area.
> It's also interesting how common it is for people to create replacement servers for popular MMOs
I believe it might make good money as long as you can dodge legal issues, but I might be wrong.
Hosting and community management is still giant PITA. It potentially is a good money but it's also a hard earned one
The fake server approach was and is used to pirate Diablo 3 as well, which is always online.
>My significant win is that I’ve never personally found a need/desire to pirate something
Personally, I wouldn't count this as a win, more of a lack of curiosity/failure to be adventurous enough to be in a situation where piracy is advantageous
A sibling claims he's 18 years old; it's also just possible that he and his parents are well off enough that he doesn't want for anything, and that paying for everything is reasonable for them to do.
Also consider that streaming (music, TV, movies) has been decently plentiful and cheap for the entirety of his teen years. He may not have had a need to pirate anything just because his parents paid for Netflix and Spotify accounts.
For games, most have an online component and are more difficult to pirate, as he points out in his article. Certainly it's not impossible (there are many single-player/offline games that just want to do a license check, which can often be hacked, and others where the server components have been reverse-engineered and clones), but it was a lot easier to pirate games when you just had a CD or floppy that you could disassemble and poke at to create a patch. And again, maybe he and his parents have been able to afford to buy whatever games he's wanted to play.
But I also see this as a result of the newest generation of computer users being raised in restrictive computing environments. iOS and Android don't encourage you to tinker; their security and product model tries to preclude that. Desktop macOS is more and more locked down with every release. Windows is... well, Windows. Desktop Linux still has yet to develop any kind of traction (and I say this as someone who has been using Linux on the desktop, nearly exclusively, for 20 years). Even many people I know who grew up in the 80s and 90s like I did, who used to have desktop or laptop computers, have shelved them and replaced them with iOS/Android/iPad OS.
In many ways, I think this is really a crappy time for computing. Sure, we have all this cheap computing power, but for the most part we're using it just to consume mainstream media. I say this even with the explosion of easy creation tools like digital cameras, and things like Instagram and TikTok. Fortunately there are still a lot of healthy hacker/maker communities, but I think their percentage of the whole of computing has been steadily dropping over the past 15 years.
The author is 18 years old, I believe. To put this into context.
He writes rather well btw.
You believe correctly, and thanks so much!
Maybe you're right. I'm curious as to what situations would make it advantageous, though.
Make old games playable again. Use professional software you can’t afford to buy or don’t have affordable access to in order to develop your skills (seems ethical to me, though it’s disputable).
Use software for which you have legitimate access to a Windows version but you need it on another OS.
The personal satisfaction and skill demonstration of doing reverse engineering (RIP fravia).
> adblockers will exist for as long as Google deems them unproblematic (...) the existence of such piracy is heavily dependent on the providing body, and as such, are existant by benevolence
Mmm, what? Adblockers aren't piracy.
Adblockers are arguably worse to a company than piracy.
Pirates often argue that they aren't causing a lost sale, because if the product wasn't free, the pirate customer simply wouldn't use the product in the first place.
Pirates however, generally aren't putting sustained load on the IP-holders' servers. Whereas adblockers are putting load on the companies' servers while not "paying" for the services, by blocking the ads.
It's unclear what the business relationship is when you click on a link. I click on a link in a tweet, and I'm taken to a site and apparently I've agreed to be shown ads? No. Plenty of sites I visit are not trying to monetize my eyeballs. Calling using software to give you a choice about what you agree to "piracy" seems wrong.
If sites offered consent - like "Welcome to this site, you'll see 10 ads per page, sold through google's ad network. Our content is written by humans not robots. Please disable adblock and proceed." That's a different relationship. Perhaps then it's more like taking something without paying ("piracy").
Perhaps in a sustained relationship, where you repeatedly visit a site, you know what it offers you and you want it, but are unwilling to pay the price of ads... maybe that starts to edge towards a piracy like situation.
If every ad network sustained website died I for one would be happy with this return to the good old early 2000s when hyper optimized content farms weren't a thing.
Monetization is the root of most evil on the internet.
That's shortsighted. There is only so much money in the system. People who use content blockers usually don't buy stuff in response to ads.
Ad blocking users won't reduce the entire ad revenue that is flowing through the system.
From the perspective of a company this is different of course - a company can increase revenue by maximizing the number of ads shown to users. But when you look at it from the perspective of the entire system, the more users are forced to view ads, the less valuable an ad becomes, so it's a race to the bottom.
The biggest problem is that ads are the wrong solution. In earlier times, many services that operate for free now were primarily paid services - paid voluntarily, which is based on respect and human dignity. And the ads were just printed in paper form, so there was a limit to how much money you could extract out of it. Ads had their place, but were limited in their scope. Publishers of paper newspapers would have never thought to maximize revenue by forcing users to actually look at an ad, because there was no technical way to do it. Now they think they are entitled to be intrusive, and to control user behavior while legally giving away something for free without any legal obligation for readers to return anything. So those who benefit from ads resort to moral pressure.
They have developed feedback systems, and the feedback systems are carefully designed to extract as much money out of people with no regard for anything else, which is dehumanizing, and this means ads (like all systems that use psychology to manipulate behavior) are actively destroying what makes us human.
They will only stop once the ad system has been dried out, and when that happens we finally may get meaningful content and journalism again.
>People who use content blockers usually don't buy stuff in response to ads.
This is not true at all.
>Ad blocking users won't reduce the entire ad revenue that is flowing through the system.
Yes, they do. There is a reason why sites try and bypass adblockers. It's not because they are evil and want people to have a worse user experience. It's because they can earn money by actually showing them ads.
I block ads aggressively for me and my children. Only use PLEX, no streaming services, adblockers everywhere. I get upset when I see ads. My children get confused and cry. But you’re right. When my daughter was in the hospital with pneumonia and seeing ads were unavoidable, she saw a Paw Patrol ad about a million times and started crying for some $50 toy. Finally I bought it so she’d shut up. It works on me too, I see an ad for some new 3D printer and want to spend $500 on it. Or maybe I will pay $10 a month for a subscription until the end of time for STL files I think are cool but will never print.
They already have thousands of toys, and I have multiple printers that fulfill my needs, but the ads keep encouraging me. Maybe I will charge my credit card to get this very well engineered 3D printer part. Maybe the kids do need more toys.
Of course they can make money off of showing me ads. Advertising is where you take the best minds in the world and waste their skill on the most nefarious and toxic type of manipulation that exists. One time my 300 pound fat ass almost spent $60 on edible cookie dough because of a Facebook ad. I pulled the page up a dozen times and almost clicked “buy” a few times.
My mind is constantly assaulted by nonsense. I hate advertisements as much as I hate the people who ignore the “no solicitors - oxygen” sign the children’s hospital gave us, and knock on my door anyway.
I don't see either of you providing any evidence for your claims.
I think it's unlikely that no person who uses an ad blocker wouldn't occasionally click an ad and buy something. But what's the percentage? Is it something small, like 5%, or more like 25%? The grandparent's point about all of this being dehumanizing really resonated with me. At what percentage does it become justified to dehumanize people for revenue?
My opinion is that advertising is emotional manipulation, and is by its very nature unethical. No, that doesn't mean that no one ever has benefited from buying a product that they wouldn't have known about without advertising, but my belief is that the overwhelming majority of ads serve the purpose of causing people to buy things that a) they would have bought anyway (so the ad just wasted their time), or b) they would have gotten along without just fine (so the ad manipulated them into spending money they didn't need to spend).
I ad block at several levels on my laptop and network. I will never, ever click on an ad and buy something. My situation may not be universal among ad-blocking users, but I doubt I'm part of a small minority either.
So don't use an ad driven model. Full fucking stop.
Look - you can attempt to send me any content you'd like. You absolutely (as in utterly, morally, ethically) have zero claim to force me to receive it.
I have autonomy. I can choose what to view, and what not to view.
If you don't want me to get your content without paying for it - ask me to pay for it before sending it to me. EASY FUCKING PEASY.
If you've asked me to pay and I go download it somewhere else: fine, call me a pirate.
If you haven't asked me to pay and you're sending me a firehose of unrelated bullshit every time I attempt to interact with your service - expect me to filter that bullshit out.
Idk about other users, but when I accidentally see an ads and its product seems interesting, I just google it in another tab. If that makes me a pirate, yo-ho-ho.
Yeah but they also lighten the ad servers' load by not downloading the ads themselves, so it evens out. And considering most load from modern websites is indeed tracking and ads, I might even argue that adblocking saves the website money when I was never going to click on an ad anyway.
If a website needs money to exist, paywalls and donations exist. If a website serves content without payment, that's their problem not mine.
The advertiser is saving (pennies) hosting money not the website owner.
The website owner is providing a service, paying hosting and is not getting paid by the advertiser.
If the website owner is not getting paid by the advertiser, why is the website showing ads?
When even Google serve ads that link to fake bank account sites[0], not blocking ads is a poor security practise.
[0]:https://www.abc.net.au/news/2022-06-21/scammers-using-text-m...
Entirely true, though Linus Sebastian would probably disagree. In terms of receiving content without paying the tithe of attention/money/time, though, one could consider it a form of """piracy"""
Linus is totally off his rocker though. His argument is that "he deserves to get paid for what he does, if you AdBlock he doesn't get paid, hence you are taking money from him if you AdBlock."
This idea though is totally wrong, and is some serious post-hoc BS after over a decade of this internet advertising business model becoming comfortable. Linus's business is GIVING AWAY content and hoping that advertisers (his real customers) will want to agree to pay him according to his terms. You can say things about TOS and EULA and how that is totally a legally and morally binding or whatever but that's moving the goalposts now that folks have found a way to exploit audiences for money after years of GIVING AWAY content for free.
I don't have to read each advertising flyer that comes with my pizza, even if the pizza store decides to give me 100 advertising flyers in exchange for making the pizza free, and no amount of EULAs will make it so. It's my computer, I can throw out the garbage you give me if I want.
That's an interesting point. He's paid by the advertisers therefore they're his direct customers whilst the viewing public are secondary, and therefore have far less responsibility to maintain the viability of his business plan.
Instead of demanding my time and attention, which traditionally are not exchanged for goods and services, they should accept money.
Yup. Problem solved.
Make me the customer again, ask me to pay.
What he's really saying is: My customers are these advertisers, and it would be really nice if those pesky users I'm trying to sell would stop doing absolute bullshit like "insisting they have bodily autonomy" and "curating the content they view".
Yeah like, I would have disagreed at first too, but he has a point there.
> There will never be a true way to "pirate a backend"
Get access to one of the machines hosting the backend and download it..
I guess, an even more true way would be to don the wooden leg, cannons and drive up to a data center fueled primarily by rum and old-time maritime jargon xD
"Your instances, hand them over."
People have pirated MMO backends since.. well a long time, mainly KMMO servers. Lineage 2 and Ragnarok Online had big servers running on leaked / hacked official server code for a really long time before emulators became more practical to update with more recent game content.
Playing on unofficial Ragnarok Online servers was fun as hell back in the early 2000s. Modded economies so you didn't have to spend months grinding, modded spawn and drop rates, custom monsters and items. Crazy unstable servers that could crash at any time. 4chan level of discourse. Admins who were barely older than the players themselves. Great times!
These were fun times. The RO soundtrack was great too.
Bringing back some real fond memories.
I can thank Rangarok Online and Lineage 2 for teaching me Unix administration and scripting at a young age. While the eAthena project has rested, there is a fork rAthena that is still surprisingly running. The truth though is that Aegis (the official software) was stolen by an RDP hack on Gravity's servers back in the day. That was a boon to the jAthena and later eAthena projects.
I think this is the most fundamental driver of everything going to cloud. The cloud is DRM, and it's the only kind of DRM that really works.
It also lets companies play both sides by releasing clients open source but keeping the real value back in the cloud. They can be considered "FOSS" while at the same time being even more closed than closed-source software.
You could say the industry has found a way to comply with the letter of FOSS licenses while avoiding the spirit, namely the idea of empowering the user.
This is exactly why I think FOSS has become irrelevant for end-users. An open source client for a proprietary API only gives superficial freedoms and doesn't guarantee those freedoms will not be taken away.
The software landscape has changed so much since the conception of GPL and all it stood for. Back then, freedom was about expert users having autonomy over their own systems. These days, I think the real fight for freedom is about user communities and general end-users.
I think there is potential in the emerging field of community authored software. Community's coming together to build their own platforms is an ethos that I think has gained some traction and, if it builds more momentum, could become the next free software movement.
The fundamental error is confusing free "as in beer" with free "as in freedom." The two are unrelated or in some cases even at odds with one another, such as when "free" stuff is used as a barbed hook to bait people into closed SaaS or surveillance based ecosystems.
The reality is that software is extremely expensive, especially polished software with a good user experience that's usable by non-experts. Good UX can take many times more effort than just getting something working. Without an economic model, FOSS will always lose in the general market.
I've been ranting about this for years on this site and elsewhere. Doctrinaire FOSS people seem to largely not get it or not care.
If you try to introduce any alternative license or distribution model it'll be rejected by the OSI, which is largely captured by the big surveillance capitalist companies like Facebook and Google. These have no incentive to change anything about the landscape. They're perfectly happy with open source as free labor for them and with competitors being unable to grow revenue.
> The reality is that software is extremely expensive, especially polished software with a good user experience that's usable by non-experts.
I get your point here and I think this has been the case for so long that it seems like an immutable law by now. But, is it inevitable that software should be so expensive to produce?
How we write software today is largely based on ways of working and technical limitations that are not much different to what Fred Brooks wrote about in the Mythical Man Month. Brooks had some hope that programming languages would raise the level of abstraction we work at and that software design would shed much of its "accidental complexity".
Better programming languages could enable authors to work on problem solving rather than generating artefacts for machine computation.
The promise of better languages has been with us for a while but I'm not convinced that this avenue is as well explored as some believe it to be. The scope for these kinds of new abstractions isn't just drop in replacements for the programs you might write in C - it extends to other flavours of programming.
An example of progress here is how component libraries are used in web UI development. Mature component libraries require very little work to use and massively speed up development of "polished software".
Declarative end-user programming isn't a lucrative problem domain, but innovation in this space is still possible and could change the face of free software (both definitions) for everyone.
Progress like this could enable user communities to build, maintain and run their own platforms without the level of expense that currently prevents these kind digital commons from forming.
There was a push in that direction in the 1980s and 1990s in the form of Smalltalk, JITed super-portable and somewhat Smalltalk-inspired languages like Java and C#, WYSIWYG GUI design tools like old school Visual Basic (terrible language, but UI the designer is still unequaled), highly productive low-code systems like Hypercard, and so on.
Then we threw all that in the trash and went back to bespoke architectures, brittle un-portable OS-specific (and even OS-version-specific) compiled binaries, and of course the gigantic pyramid of hacks that is the web.
It's a classic case of "worse is better."
My own view on "worse is better" is that it's a result of the same phenomenon I'm alluding to in my parent posts: people want free-as-in-beer stuff. When people invest tons of time and deep thought into a platform they generally want (or need) to get compensated for that. The vast majority of the stuff I listed above was commercial or closely linked to commercial efforts and had commercial, "source available," or at least less liberal sorts of open source licenses. Meanwhile the pile of crap was free, unencumbered, and could thus be copied and cloned at will.
It's not just cost either. It's also friction. Having to pay for things and juggle licensing is a pain in the rear. You don't have to think about free. You just get it and run it. Low friction results in faster viral spread and speed wins.
You get what you incentivize, and you don't get what you don't incentivize. We do not incentivize quality.
Edit:
The same phenomenon is now taking hold in the news media. Quality news and fact-checked information is starting to cost money. Bullshit and propaganda is and will always remain free.
> WYSIWYG GUI design tools like old school Visual Basic (terrible language, but UI the designer is still unequaled)
It was equalled and surpassed only a few years later, by Borland Delphi.
Never used that one, but Pascal would certainly have been a better language than old school VB.
You still can, for free and all. Sure, Borland -- and the whole litany of company names that have owned Delphi, the product, since -- have on-and-off had "free" (=as in beer) editions, but that on-and-off inconsistency tends to sour my perspective on those. But, the venerable Free Pascal language and compiler gained (after a few fits and starts) a sister project, Lazarus[1], which is basically a clone of the Delphi class library and graphical IDE.
All FOSS all the way down. To quote jerryp, "Recommended."
___
[1]: https://wiki.freepascal.org/Overview_of_Free_Pascal_and_Laza...
>I think there is potential in the emerging field of community authored software.
It’s been emerging for the past 30 years, it’s called Open Source. As opposed to commercial projects releasing a “technically open” source code, like with Chrome.
It is now more relevant than ever. AGPL backends fix the proprietary API problem.
It confuses me sometimes that we split the entire community between GPL versions 2 and 3 to thwart the terrible TiVo, but making AGPL just GPL 4 never seems to be discussed. Especially since GPL 3 is self upgrading, so there’s no risk of a new split.
AGPL fixes nothing; the companies will simply base their backends on software that’s not AGPL-encumbered.
Sure seems to fix the "taking software based on ostensibly FOSS licenses non-free by going cloud" problem, doesn't it?
Sure, if companies take software which they wrote themselves from scratch, without basing it on FOSS, down that route, that's their prerogative. But then the potential users have the equal prerogative of saying "No thanks, I prefer FOSS."
It doesn't - companies can still use FOSS software, just not AGPL. That's pretty much exactly how it works right now.
Yes, of course a license can't fix anything if nobody uses it.
So it should be implicitly pretty obvious that that meant "the license can fix things if FOSS developers actually use it", shouldn't it?
Again, no - it would only work if every single one FOSS developer agreed to use it.
> Again, no - it would only work if every single one FOSS developer agreed to use it.
Huh? Whatchoo talking about, Willis?
If "only" 99% of FOSS developers used a truly freedom-preserving FOSS license, only 1% of FOS software could be taken non-free.
If "only" 90% of FOSS developers used a truly freedom-preserving FOSS license, only 10% of FOS software could be taken non-free.
Dunno where you draw the line of "works", but I'd say down to around 80/20 or perhaps even 70/30 would be "pretty much works".
Except when it doesn't.
2 examples: World of Warcraft and Netflix.
WoW had FOSS implementations of server patches, with different success. It eventually lead to Classic Vanilla, Classic TBC (1st expansion), and soon Classic WotLK (2nd expansion). Each of these spanned ~2 years of content.
Netflix is an easy example. Together with everything else streaming services it gets pirated.
Netflix is an easy example.
In a ways, definitely yes. But I was speaking more in terms of modifying frontends to convince providers' backends to grant stuff straight from the source, not reuploaded to a mirror.
WoW server patches and pirated backends I would count since you're getting pirated content on a mostly official frontend.
Though the argument is somewhat flimsy. Can't say I've played many games with reverse-engineered servers.
Yet people are always railing about how restrictive the AGPL is!
Licenses like AGPL are necessary to preserve our freedoms in this cloud DRM world.
It's not piracy per se, but the practice of reverse engineering a backend to a paid service, whether that's real logic or just a licensing server, has existed for a long time.
I remember friends running World of Warcraft private servers back in '08 and '09. Heck, we even hosted one as a class project in high school.
World of Warcraft Classic exists partially due to the number of fans who ran private servers as a way to properly experience previous versions of the game as current expansions have you steamroll through older content.
I need to pirate a backend, but I don't know the API.
A fitness tracker I have (Jawbone Up Move) is coupled with an app, which is coupled with an online service, which has been dead since 2017.
Are there any tips, tricks or resources regarding this? Best I can currently do is `mitmdump –set connection_strategy=lazy` (the last part is important so it doesn't try to connect to the original server and throw a weird error), but I don't know what the app wants as a response to its login request.
A look at the decompiled code doesn't immediately reveal much. Are there any common patterns for this type of stuff?
If you can elaborate on (or show, but I realize that's legally hazy) the decompiled source, I think this should be possible to discern. I'd probably start by looking for anything in the source that looks like it's making any kind of network connection, then narrowing it down from there.
Typically, the response to authentication is a yes/no plus a token or other piece of session state for the authenticated app to store. You might poke through the structure of the in-app storage to see where the authentication information lives, and then go backwards from there to where it is set.
Edit: On a cursory google search, https://github.com/ryanseys/node-jawbone-up looks like it might help you.
I would suggest looking at how the tracker communicates with the app and try to reverse engineer that part. Once you are able to communicate with the tracker, you can build your own app.
Trying to reverse engineer the API the app uses seems harder, and is a less direct solution to your problem, IMO
Reverse engineering APIs tends to be surprisingly trivial, even for binary or otherwise non-standard protocols. The content served by them is the only real challenge.
If asymmetric encryption gets thrown into the mix it becomes much more annoying to get to the point where you can even begin to see the traffic.
There are many things you can do to make reverse engineering more annoying, but the content ultimately reaches the user and somehow you can always mess with that.
I've always wondered how for example private WoW servers work. Do they replicate the whole backend based on observations of how the actual game works and the network requests being made? How is that even possible without knowing all the quirks and other indirect behaviors you have no visibility of? E.g. when the server game loop ticks a thousand things happen that are not transmitted to the clients.
Yes, they reimplement the backend. Yes, this does require a lot of experimentation. Yes, they sometimes get details wrong. Or sometimes they just change it, because they feel like it (e.g. accelerated xp, or just for paying customers)
A lot of games, particularly the "massively multiplayer" ones, don't actually do much on the server. The clients are authoritative for their characters, running the simulation, and the server just relays the serialized state to other clients. They rely on anti-piracy software (kernel DRM modules) to avoid cheating. In that situation replacing the server is easy.
For games where the server is doing the work and clients are just thin frontends which don't even know all the rules, it is basically impossible.
I'd argue writing a headless server is easier than writing a video game client app, but maybe that's only because I'm traditionally a backend server dev.
If your headless server does complex physics and AI processing and needs to be optimized to handle many clients in real-time, possibly taking full advantage of multiple cores or distributing segments of the world between machines, it is hundreds of time more difficult than a Unity client that moves some animated models around.
Some servers are complex, I don't know why you'd paint with such broad strokes as "headless server = easy". Even if your background is completely web development, surely you've been exposed to more than CRUD.
I would. In fact, I learned to program because a misconfigured web server once spit out its source code and I was able to learn from it.
I hear about instances like this a lot. Did a broken request just resolve to the contents of the file that created it, or did it just spit itself out in your browser console?
The former. This was back in the days when CGI was popular and it was common for the URL path to point to the file that served the application, with the web server recognizing that it should execute the file rather than serve it. In this case the misconfigured web server didn't execute the file but rather served it up as if it were a regular file.
PHP was infamous for just dumping whole stacktrace when some site ran into 500.
I ran into a site like this recently. Honestly, I think it's great because you can tell what action you need to take to resolve the error. Clear cookies? Come back later? They're actually out of business? The stack trace reveals all.
I enjoy how transparent client-side apps are these days. I remember trying to order something from an online store, and the "submit" button wouldn't work because some third-party license key wouldn't validate (I think it was to load a map to show your own address?), and that error stopped the actual sending of the HTTP request to submit an order. I patched that out and submitted my order. Easier than finding their email address and waiting a week for their contractors to fix it.
I disagree.
As web apps and web services get more and more e2e encryption and strong privacy, the backends become dumber and dumber. If the backend can't see the data it's working with, it can't have much business logic in - instead the backend ends up looking much like a dumb storage service or message queue. Some companies will just make their app talk direct to S3/pubsub rather than run their own application servers.
At that point, some 'hacker' can download the APK or the javascript bundle of the frontend, and simply put up a replacement backend that does the same storage service.
Well done, you now have a 'pirate' web service.
Let's be realistic, Quizlet is not e2e encrypting their protocol, and most web services are not getting strong privacy. Good old HTTPS is enough for most services.
But in the future, more and more things will be e2e. Some fields like messaging practically require it today. Any company that wants to use 'privacy' as a selling point pretty much has to do e2e encryption today.
> There will never be a true way to "pirate a backend"
The original way to pirate is to bring your vessel in close proximity and then jump aboard the target vessel and have your way with it.
Something like that could be done with a back end.
And then players like Ubisoft go “we’ve decided to shut down the servers”
Calling a publisher and developer a "player" in the context of video games makes your sentence confusing to parse.
Which is exactly why backends need to be pirated!
I guess unofficial APIs through reverse engineering are the closest you can get to what the article proposes. But, as other comments point to, data is still data and access to it is highly restricted, or is vast enough to not making it worthwile (imagine downloading Google's backend).
I real life example of this for web dev is cypress.io which offers enables parallel testing and access to a dashboard of test runs.
then https://sorry-cypress.dev/ came which is a self-hosted version for free. Then came a commercial offering that directly competes with cypress' official version
I'm weirdly cheerful about being able to report that this isn't true. Backends do get pirated with sufficient motivation...mostly in games. MMOs spring to mind, but lots of games with online multiplayer get this treatment. Some of it is piracy, but some of it is because the developer is no longer supporting it, so the community stepped in with emulation.
There's actually a really interesting question here - could it be possible to "pirate" a backend with sufficiently clever AI?
At the end of the day, you're just trying to model a black-box function, mapping inputs to outputs. And most of that is CRUD with some basic access control on top. There are definitely complications (e.g. 3rd party integrations, a properly designed/named database schema), but you might be able to get 80% of the way there in an automated way...
People reverse engineer back end servers for online games all the time. You don't need AI. Just a really dedicated following and a lot of free time.
It's not piracy doing this though. Technically you might still be in breach of some intellectual property but since it's usually discontinued services a lot of games publishers turn a blind eye.
> You don't need AI
I grew up in the private server scene for a popular MMO and you're absolutely right. It was a whole lot of teenagers with energy drinks grinding through reverse-engineering minutia that adults would gawk at and make excuses to avoid doing.
That said there was a lot of automation, scripts, and other tooling, to make it easier. The best were able to i.e. update a private server automatically when the base game updated. We were doing automation at a higher level then F500 companies were at the time (mid 2000s) and we were just kids.
> It was a whole lot of teenagers with energy drinks grinding through reverse-engineering minutia that adults would gawk at and make excuses to avoid doing.
Right. I don't think the question is if you need AI (obviously you don't), but if AI could do all the annoying, tedious bits for us, and speed up the process.
I doubt it. You'd probably end up spending more time training the AI than you would using it.
To be clear, people do this stuff as a passion project so nothing stopping someone from investing the time in training a ML model to assist here if that’s something that sounds like fun to them. they wanted to take on. So from a technical standpoint one “could” use AI. But I’d expect you’d first have to train the AI to play game before you can even think about training it to read the network packets. And the former is a far more daunting problem than the latter.
Sometimes problems are better solved with human intelligence, a lot of automation, and patience.
That kind of is "artificial intelligence" -- the energy drinks artificially (and temporarily) bump up the teenagers' IQ.
"Sufficiently clever AI" would, in this case, be the person writing a reverse-engineered work alike app.
In some of the cases mentioned (e.g. Spotify, Chegg, etc) you can't really do this, because the actual value in the app is just the copyrighted material being purchased. Reverse-engineering is protected under US law for a variety of reasons, mostly that you can't copyright basic functionality (that's for patent law) and that copyright shouldn't extend to interfaces[0].
AI trying to reverse-engineer all of music or art or writing already exists. They're called MuseNet, DALL-E, and GPT-3 respectively. While you can sort of trick them into regurgitating training data in a way that would make their use to create novel works legally perilous, it's still kind of difficult to get them to generate exact copies in a way that would be useful for "pirating" all of Spotify.
[0] SCOTUS tried very very hard in the Google v. Oracle decision not to actually say this. However, the actual ruling has a similar effect.
That would be considered a remake though and would essentially be a competing product with the same api (since it’s highly unlikely the remake would be written the same as the original). Whether copying the api is infringing on anything seems to be uncertain as the outcome of the Google v Oracle case seemed to only set a light precedent
Hmmm… Can I get free BMW seat warming this way?
https://news.ycombinator.com/item?id=32065026 ("BMW heated seats subscription costs $18 per month in South Korea") for people out of the loop.
Quite possible, I think. I've heard quite a bit of buzz around jailbreaking Teslas for unpaid for features.
https://www.vice.com/en/article/y3mb3w/people-are-jailbreaki...
A seat warmer is just a resistor. Find the connector and wire up 12V to it through a switch.
You can see how well this goes.
Except in your heated seat in the car, a heating element that's correctly designed not to fry bacon or heat huge volumes of air is already integrated into your seat. This video is just this guy intentionally being a a moron. (Well, at lest for the first few minutes of it which I could bear to watch. Maybe he smartened up later.)
I spent years playing WoW on a pirated backend.
I read a lot of times about this, and I find it fascinating. Are pirated WoW backends "pirated" in the sense of "someone downloaded leaked code and maybe tweaked it", or are they completely reverse-engineered, in which case it's original code and not piracy?
To my knowledge they are fully reverse-engineered, which makes Blizzard occasionally going after servers for piracy even more infuriating.
All the assets are usually pirated in private servers. Its very illegal and makes it difficult to host them from most countries.
Even if the code is completely new, you need a lot of copyrighted material to run a wow server.
Isn't the copyrighted material in game client itself? Did WOW stream content back then?
Positions and names of NPCs, quest texts, encounter mechanics, texts said by NPCs, I think item names (not completely sure), etc are all stored in the server and are sent over the wire to the player from the server. That’s quite clearly a copyright violation.
The piracy comes into play when people mirror the content of the retail servers - placement of MOBs, names of MOBs, scripted encounters, quests, items, things like that. All of that stuff comes from a DB on the server. People write in-game plugins and other tools that siphon out data for use on other servers.
Interesting. At that point it would seem it would pay off to simply create new content for the alternative WoW server... It'd be a massive effort, but whole new games have been created by a community that are completely free and open source.
(Though, of course, why not create an entirely new game completely unrelated to WoW then?)
The most popular server for years was named after the word nostalgia. A lot of people had a really fun time playing WoW as a kid but had no actual way to play the game any longe since it was online only and ever evolving.
After a decade or so Blizzard finally caved and released their own "classic" versions of the game. Apparently a lot of the infrastructure was incompatible with the software which made it a not so trivial undertaking. They originally said it was impossible but nostalgia hit one of the internal devs and he proved otherwise.
It depends. In WoWs case they're reverse engineered, but there are lots of examples of games that had their servers leaked. Cabal Online for example had a server leaked in 2009, and pirates have since then been modifying it to add current content. It's fascinating.
The latter.
Just as a backend is not a desktop application, so to will "backend piracy" differ from desktop app piracy. You can't think of them in the same terms.
Whereas a crack of a desktop app will allow users to "misuse" the app (by circumventing the license protection or other limitations), a backend can be "cracked" through scraping, botting, or creating alternative clients.
If a backend somehow limits your access to content, a skilled user can scrape that content and make it available through their own alternative backend.
If a backend somehow limits functionality, you can reverse engineer their API and build an alternative client which interacts with the API in a way not intended by its creators, and misuses it.
If a backend rate limits access to it, you can write bots to interact with the backend through multiple proxies and alt-accounts, thereby circumventing the rate limits.
I'm not advocating for any of the above techniques, any more than I advocate for cracking and software piracy. I just want to offer them as examples of how backends are not magically immune to tampering and misuse.
It seems like the popular sentiment here is that not only will client-side programs continue to be crackable, but even server backends too.
I posit the opposite. In the future, it will be impossible (in many cases) to crack even client-side applications. Reverse engineering and de-obfuscation are a cat and mouse game. However it's been proven that it's possible to obfuscate a program such that it's effectively impossible to deobfuscate. This is called indistinguishable obfuscation [1]. Basically like encrypting a program. And even though current implementations are impractical, I'm sure it will get better.
[1]: https://en.m.wikipedia.org/wiki/Indistinguishability_obfusca...
as a full example of how to do this, consider the following proof of concept setup:
- FHE-based implementation of whatever function you want to hide, say, a DRM circuit that sends your TV the symmetric key to a movie if you give it the TV's chained certificate along with a token proving you rented it.
- shortened zk-SNARK proof that you evaluated the FHE circuit correctly.
- simple (iO) obfuscated gadget that decrypts and returns the output of the FHE circuit only if 1) the FHE message says evaluation completed and 2) the zk-SNARK proof checks out; otherwise, return random garbage.
in order for this to work, the gadget must have enough entropy in its class of alternative obfuscations, that you can't distinguish it. but what I'm not sure about is, you still can distinguish the gadget from one that simply always outputs garbage. I don't know how you can prove that reverse-engineering a given iO circuit is infeasible. I just don't have the first clue. Help?
1. Hell yes I would. (Still waiting for my downloadble car.)
2. There is an easy way to pirate backends, you just do some network capture and figure out what the SYN ACK messages between your client and API are.
3. There's plenty of instances of pirated web-based games. (KanKolle comes to mind).
I wrote an essay about this problem in the 01990s: https://www.gnu.org/philosophy/kragen-software.html
I mean you could still intercept and index API requests and generate backend code.
While this has nothing to do with pirating directly, it would still allow to replicate the backend (without business logic).
Put another way, the mainframeization of computing is nearly inescapable. We no longer have personal computing, even when we run our apps & game clients locally.
It turns out individualized software freedom, like all individualized freedom, results in deep systemic problems.
Part of the problem is that ordinary users have no clue just how much the app actually costs to develop and maintain. And how could they?
I worked on Socrative for several years (similar to Quizlet), and we had backlash when we introduced a "Pro" version with paid features. All existing free features, which had been developed over several years, could still be used for free—it was only new features that would be behind the paywall. Many users lamented all over social media that Socrative was no longer "free." But it had never been free—it had been losing over $1m per year!
I realize postwrite that there must be some exploits to some client-side frontends that enables fully-featured capabilities, and that in a lot of cases it would probably take significant effort to lock such features down from the server.
But really, where would that be in the world?
slighty OT, but it is a travesty that Quizlet (previously Slader) has gone behind a paywall. Slader had a lot of community generated solutions to textbook problems. Users gave them the content for free, and they monetized it, kept only verified answered and dumped the (unverified) solutions and feedback.
localstack is the closest thing I could think of to pirating a backend:
That would be true if it _did_ what the API claims, versus just mocking them. I think eucalyptus/Corymbia would be closer to what you had in mind, as their APIs do actually cause things to change in the real world
Also, FWIW, both localstack and the moto library that it wraps are Apache 2
Scihub is a pretty good counterexample to this theory.
That's why Microsoft moved Office to the cloud.
Edit: Didn't know that Adobe didn't move its portfolio to the cloud yet. I thought Adobe Creative Cloud is all about that plus subscription model. My bad.