Suggestion on the protection of Assets

Hello,

I write this message because I have been a publisher on the Asset store for several years.
I've noticed a lot of assets being hacked, and yet despite all its years, no changes are being made by Unity to protect its publishers.

Why is there not the possibility, for a user who has just purchased an Asset, which exists on the Asset Store, to indicate the invoice number of his purchase in the Unity software, to have the authorization of the import into your Unity project?

I spend a lot of time, looking on all the sites, if my assets are shared for free and it's tiring...

Unity software has become very large and powerful over the years, but despite the changes, I don't understand that this problem is not solved.

Thank you,
Cordially.

 

I don't even buy assets if they come with a DLL instead of source code and you expect me to buy an asset with outright DRM baked in?

 

What exactly do you mean by „hacked“?

Some amount of „sharing“ is normal. Heck, even on Steam with DRM enabled games it is customary to share them with friends.

As developers I wager we even have much less of a piracy problem than the games made with our assets due to the simple fact that money is being made with our assets. That implies the great majority of commercial asset users (the same ones spending the most money on the store) are strongly inclined to adhere to the EULA.

 

You need to learn to stop that and just accept that there are people who will pirate your assets and that they were never going to be your customers. People who want to make a legitimate business out of game development are going to be legitimately buying their assets not pirating them.

This. DRM almost always screws up the games that it is in. I don't need it getting in the way of my work. Plus there is one major difference between the games that I enjoy and the assets that I purchase from the store: barring a few exceptions I can create the assets myself from scratch.

If a developer did add this to their asset it would have to be a very valuable asset for me (eg Odin Inspector). If it weren't I would immediately stop using that asset and that publisher would at the very least be very low on my list of considerations if I didn't outright blacklist them. Almost nothing on the store is that valuable to me.

 

Pirated.

It is inconvenient.

1. Even if authorization is there, once asset is imported it can be shared.
2. If you try to combat that you'll end up with a very inconvenient system which would require user to authorize their every mouse movement. And they will not put up with this sort of thing.

 

If not outright impossible as we have a number of people on these forums with limited connectivity.

 

Good point. Offline status would make such asset "unusable".

 

I've wondered if Unity couldn't repackage the unitypackage when you download it from packagemanager and interweave identifying details so if you blindly just post it online to share it'd trace back to your account. Some people would get around it but plenty would get caught.

 

This is just a prime reason for me to never use assets ever again. It also makes the assumption that this wouldn't be detected by any pirate within like five seconds.

 

I believe that explaining how to bypass unity's services and breach their EULA would be against forum rules, even when ways to do it are incredibly obvious.

 

I mean like using steganography, so the user downloading the package would have details infused into the downloaded file about them, and it would be proprietary so only Unity would be able to read the data.

But Unity could then go to pirate sites, download files, and see who originally downloaded it from Unity asset store. Catching prolific pirate accounts.

 

Again, this is trivially easy to detect and bypass and would do more to make sure I literally never buy an asset than it would protect in sales because people who are pirating assets are never going to buy them in the first place.

 

And how do you expect to do something like that when majority of assets are text?

 

https://www.tutorialspoint.com/what-is-text-steganography-in-information-security

I don't really care either way just something I've thought about over time.

 

This is relatively useless because people just create throwaway accounts to pirate from.

As a prime example, I've seen tabletop RPG PDFs that have the buyer's name printed on every single page, and they don't even bother to strip it out because it's not a real person's account.

Also, doing this kind of stuff can really upset your users. When it was discovered that World of Warcraft had been embedding data in screenshots, there was a lot of screaming on the internet for a while.

So, marking the assets won't really help, and it is likely to hurt.

 

A difference with this and the pdfs though is assets are often updated over time, so by sharing it and getting your throwaway banned you have the original asset, but no updates.

And the identifying info doesn't even have to be "jimbob jangles at 123 pine street", but just a unique id hash tied to an account within Unity.

But I'll digress

 

Why exactly? You as a user of the asset wouldn't notice anything of that... When I first bought assets I even assumed something like this is built in since that is not that uncommon (half the industrial software I work with, has user-bound licenses on them).

 

For the same reason I don't buy DLL bundled assets and for the same reason I always seek out DRM free versions of games I buy: once I pay for something, the exchange has F***ing ended.

 

That doesn't really answer my question.

You have a plain text file. What can be done with it?

Because it kinda stinks and is likely to get in your way.

Imagine this.

You're go to a store to buy a bottle of milk, and the clerk says to you, "here's your milk, thief.". Then adds "Oh, you're not a thief for now, but we're watching you". And the bottle comes with the most advanced lock you've ever seen, which requires you to enter 12-digit pin to open it, just to make sure you're authorized to drink it. That's what DRM is about.

It is simply the best not to have any sort of code or mechanisms that are doing who knows what behind your back. Also, potentially those kinds of hidden mechanisms might kill your PC.

 

What you're describing is a best case scenario, and we've seen that in some cases like Steam, but there are also worst case scenarios out there like Denuvo that show us exactly what happens when it's poorly implemented. So while it's possible that it won't get in our way it's also possible that it would completely get in our way.

I don't want to take that chance. I simply refuse to do it. If you want to embed that technology in your asset you're free to do it but I'm likewise free to take my business elsewhere. Which again in the case of most assets it is trivial for me to do so. Games get away with it only because we can't get the same exact experience elsewhere.

 

The text is already esoteric with guids and random blobs you could inject a character here and there and pull it back out before you parse the file with some sequence of offsets you decide up front. (Looking at a scene file in git)

But for this you would do it at the zip/serialization stage when it's bytes and interweave the identifier into the buffer at offsets they pick and they remove before parsing when unzipping.........

It'd be a console app on the server. In C# do File.ReadAllBytes on a unity package, you get an array of bytes. I have 16 bytes that make up an identifier I want to attach to this unitypackage, I could pick indexes 8, 2, 43, 19, 0, 5, 19, 83, etc as my pattern, or some other distribution, insert a character at each of those offsets, and save the file as a unitypackage that I provide a download link to.

When unity decompresses a unitypackage it'd strip out the characters at its secret indexes and then parse it as normal.

Later Unity could take a unitypackage being shared, decode the 8, 2, 43, 19, 0, 5, 19, 83, etc indexes to get the original id attached to the file.

They'd use way better logic than that, just that's the basic idea...they could add padding to a unitypackage bytes that would hold the key or a default value so they don't have to worry about it when decompressing unitypackages.

 

And if somebody just copy/pastes the directory and distributes it as a zip file instead? Congratulations, your brilliant plan has been thwarted by File Explorer.

 

The greatest piracy tool of them all.

 

Couldn't someone simply download the package and then export the assets as a new package?

 

Then people discover this stuff, and begin sharing things as normal archives, to avoid dealing with this nonsense

See, unity does not really need unity packages. It is an artificial thing originally made to force people use unity store. They offer next to nothing.

You can *.7z or *.tgz things, and it will work the same.

 

They were around well before the store, and even before .meta files.

I'm fairly sure the latter is why they exist, because the metadata for asset IDs and references used to need to be exported out from the original and then into the target asset database. Unity wasn't a corporate behemoth back then.

 

And this is the heart of the issue.

Anybody who can open the asset and use it in a game can also write a quick script to read all of the triangles/pixels and then write this data out fresh to a clean copy. Unity is designed to be able to allow this to happen, as there are all sorts of legitimate game uses for this type of script.

Which means any DRM system you implement will only annoy legitimate customers, and will not hamper pirates at all. In fact, the pirated version will be a better version for most devs to work with, which will just encourage more piracy.

 

One thing that could technically be done at least to texture assets: Invisible watermarks.
https://invisiblewatermark.net/how-invisible-watermarks-work.html
Some are even resistant to scaling, slight color shifts etc.
Supposedly Disney and Co. use them for cinema movies, so in case original video is leaked, they are able to track exactly which cinema leaked it. Pretty much the same usecase we discus here, just at a different magnitude of money/business value.

 

In the case of the example in that article, just randomly put 0s or 1s in the last digit of each colour value. Its effectiveness entirely relies on people not knowing that it's there. Once you know then it's trivial to remove. So, as with any other DRM, keeping it effective is a game of cat and mouse. And if everything on the Asset Store uses the same approach then, just as with most other commercial-scale DRM, only one person needs to share a crack and it's defeated for everyone.

- - -

Separately, knowing who did it is great for Disney because they have a small nation of lawyers just to go around smiting people. Do you have that? I don't. So even if I do know that the pirated version of one of my assets was leaked via (not "by"... just "via") someone in particular, what am I going to do about it?

 

Except what's some Joe Bloke independent asset store dev actually going to do with this information? They certainly don't have the money and the clout to invoke legal action.

 

Again, this is barely protection at all. Invisible watermarks can be defeated with a simple noise pass.

 

Honestly the argument "it can be bypassed" is not a very strong one. You will never have 100% security.
For example antivir software (be it Windows defender) to protect our systems. Do they prevent ALL attacks? No. Yet it makes sense to use them.
Games use anti-cheat software and detection of cheaters to ban.
Is there no cheating anymore? Sadly there is, but games with weak meassures show how worse it can be...

It's not a matter of having a perfect solution, but to catch the least careful people at least and deter others (especially this also helps without having lawyers). Furthermore you don't even need lawyers. What if Unity would just block an offenders asset store account, causing them to loose all other assets they bought due to breaking their TOS?

P.s. a simple noise pass does not help against more advanced techs. I had a full chapter about this tech at university and what companies can use in practice probably is another step more sophiscated.

 

What if I just don't like the way the texture looks and I open it in an editor and I just happen to paint over the watermark? I didn't even know it was there! Will I be accused of Piracy when I slop-over the watermark? Will my license be revoked? You can't put DRM in the assets because they're practically meant to be modified. Editting assets is allowed and encouraged and I do it all the time.

 

It is the strongest argument because you have two options:

1. Security that will be unobtrusive but trivially circumvented by file explorer/photoshop/7zip
2. Security that will be obtrusive to the legitimate users of the software

If you can not see this, you do not understand the problem.

 

How would that in any shape or form matter if you do not share the raw files anywhere?
We are not talking about protecting the asset when its baked into a game.

Or I simply have a different background and thus opinion on the matter.
You are thinking too much in absolutisms, if you ask me...

 

A very wise, large man once said:

That man is of course Gabe Newell.

Less DRM makes it more likely that your product sells. GOG wouldn't be as popular as it is if it were for their DRM-free policy. Steam gets away with DRM by being the most convenient store-front to use by a long, long shot.

Having DRM that is either ineffectual or disruptive is a waste of time and money.

This is true for asset store purchases.

 

If such absolute claims would be true, DRMs would long have died (outside of Steam at least), wouldn't they?

 

There's no accounting for stupidity. My common sense isn't someone else's common sense. Anti-cheat software is a booming industry despite it being completely pointless.

It's like the homoeopathy of the Game's Industry.

 

No, because DRM itself is an industry. DRM as an industry is, in fact, F***ing massive and has loads of money that goes around entirely to sell itself to companies that think DRM is actually saving them money.

 

Uh, no.

Any asset seller doing this stuff deserves blacklist, one star review and demand of a refund. There should be no "invisible" bullshit in any of the textures. Frankly it would look like they're trying to hijack games for free advertising.

The strong argument is that a seller doing this kind of crap is probably not worth dealing with as they distrust their clients.

The asset store market is already tiny, because fewer people buy assets compared to people buying videogames.

 

That wasn't the argument, though.

The points are:
- The cat-and-mouse game of DRM is costly, in multiple ways.
- Even if we win that game and catch someone... then what? There's no return on that cost even if we win.

The argument is that, based on the above, it isn't worth your time or money early on. (And maybe not ever. CDPR being a classic example of multiple best sellers, no DRM.)

I have caught a pirate distributing my stuff, once, by the way. It isn't particularly hard. I did it by accident. I was reading reviews for one of my games, within 24h of release. One had a download, right there in tbe "review". Sounds gutsy and stupid, right? Wrong, because even with their name written on it all I could do was request that they cease and desist... which they did, with feigned ignorance.

I am not Disney or Nintendo or anyone else big enough to do anything about it. Assuming the DRM catches someone, I then need tens of thousands of dollars to do something about it, and am unlikely to make that back even if successful again.

Even if I could afford it, my stuff isn't big enough (yet! I hope) to be worth actively protecting. Disney protects Marvel et. al. because a bunch of amateurs making Captain America stuff would materially damage their multi-billion dollar brand. It's worth millions to them to act on that. If someone knocks off my stuff, or typical Asset Store stuff, the same isn't true.

It's not worth complicating stuff or investing in tech to "catch" people who weren't buying our stuff anyway and who we still couldn't do anything about afterwards, anyway.

 

I'd like to elaborate a bit.

The reason for that stance is that "invisible" watermark is a landmine for the customer that can resurface and cause trouble in certain circumstances. For example, some odd shader can cause it to become visible, and then you'll have issue on your hands. Also 8 bit per channel is not a whole lot and with water mark you turn 8 bits into seven which is not good.

Many image formats allow embedding of random data into the image file that doesn't affect image quality at all, although it will be stripped if said image is touched by any editor.

Beyond that point it is like angrypenguin and spiney199 said. It is a service problem.

 

Just accept that information wants to be free

Honestly I don't mind if a few kids with no money pirate my assets, good for them, hope they make a good game out of it. Eventually they will respect money and what it is given for, the universe will teach them in diverse ways.

It's a much better strategy in this digital economy to be adaptable and grow fast, than it is to waste time chasing down anons here and there who are determined to get their hands on an infinitely replicable resource without paying.