Resource Anti-Piracy [DMCA draft included]

Discussion in 'Spigot Plugin Development' started by Hex_27, Mar 11, 2017.

  1. Okay recently there's been wars in plugin development over piracy, obfuscation, and the solutions and methods against it, and whether it should be done etc etc (and then the thread gets locked for offtopic or spam, so I guess this is a place for you to continue arguing about it). So this thread is for me to compile everybody's selected methods here, for any dev wanting to see it.

    So no, for those trying to make protection, you won't find code here, though you may find how people protect their plugins in a brief description.

    Preventions of Piracy
    Obfuscation, and anti-piracy code
    Most of these need a server to connect to, so you'd mostly need to have a server of some kind solely for checking for anti-piracy.
    So far, people either block plugin versions, or use spigot's userid string placeholder. All of these are very easy to catch and remove via decompiling, or just using another program to block the plugin from connecting to your checking server.

    Also, there's a spigot rule that says that you cannot disable the plugin, or limit it if the plugin cannot connect to your checking server.

    To further boost this, people have used obfuscators, like Klassmaster, and (inefficient) Proguard. These examples have proved to work, but can be complicated, and the effort behind it is questionable.
    Pros and cons
    Has proven to actually work 100%, but takes a questionable amount of effort for little actual return. Moreover, poorly made protections will hit buyers directly and affect plugin performance

    Methods of doing so
    Version block [Server needed for peak efficiency] [Difficulty level: Easy - Medium]
    Basically, you need a server (Not minecraft server, obviously.) to host a database (I used SQL). When your plugin enables, connect to your SQL database with an async task, and check if the current version is blocked online.
    By spigot's rules, if the connection fails, you cannot disable the plugin. But if the version is blocked, you can stop the plugin from working. Note that it would be healthy to notify buyers beforehand.

    Pros:
    Very easy to make, if you have the server available. If matched with obfuscation, leakers cannot decompile and remove the protection very easily, especially if you hardcode each version as a string inside the plugin jar.
    Cons: Will disrupt buyers a lot. People who don't want to update cannot not update anymore, and buyers need to check back online frequently. Can make people really hate you. This protection is also highly simple to crack, and without obfuscation, somebody can remove your check with an ordinary IDE search function.
    User ID block [Server needed for peak efficiency] [Difficulty level: Easy - Medium]
    Same concept as above, but instead of blocking versions, you block the user ID, which can be obtained by using spigot's userid placeholder. (https://www.spigotmc.org/wiki/premium-resource-placeholders-identifiers/). This placeholder must be in your main class, as a string, and it would be replaced with a userID when you download the jar. You might want people to test this (because it wouldn't be replaced if the dev downloads it), and see if it works before fully implementing protection. Then you can go ahead and check for version blocks on your server and bla bla, see above.

    Pros: Has proven to work best in the least harmful way towards buyers. Can block a buyer that provides leaks permanently. Works very well with obfuscation (Still needs very high obfuscation, including one that encrypts strings). This was the one that worked 100%.

    Cons: Highly vulnerable without obfuscation, as leakers are very accustomed to removing the placeholder and can spot it a mile away. Also, if leakers get a version from an innocent buyer, you can't block the jar without giving the buyer an unfair treatment. Lastly, even though this can be effective, leakers have cracked most of these protections.
    Moving from spigot [Server definitely needed, along with your personal website] [Difficulty level: High]
    Spigot's rules get in the way of very thorough anti piracy. You can't have access to user data, and key codes, and you technically aren't supposed to have protection anyway (Though spigot generally doesn't seem to care). So what to do? Basically, make your own website, and sell it there. Though the full details of how to do this are beyond me.

    Pros: Probably the most secure way.

    Cons: Can be expensive to make, and you'd need very heavy skill to make powerful keycodes (Because hey, even Microsoft products and Photoshop get cracked.). Also, your download count will naturally drop as buyers leave the safety of spigot, and face the problem of scams and also cannot find your plugin in spigot's list, where most look for plugins nowadays. In the end, your buyer count may drop so much that this wouldn't be worth it anymore. I highly do not recommend this.

    Obfuscating
    I tried it before, and for beginners, it hurts. So. Bad.
    But people have done it very efficiently, and so far I've seen recommendations for ZKM Klassmaster.

    Be warned, there is a spigot approving process when you first upload the premium resource, and because of this, you cannot obfuscate the very first jar you upload. But you may delete the jar and replace it with an obfuscated one after the plugin is approved.

    I can't give further advice because I sucked so hard at this. I could use accurate information for this section.


    Open Sourcing and providing side free downloads
    Well how do you make people not bother cracking your stuff? If it's free.
    It's not as stupid as it sounds, and it can work, looking at examples like MCMMO. They work, BUT, you need a very strong reputation to get to their scale, if not people will just download your work for free anyway. So you'd likely need a few years of updating your free plugin. I haven't seen a successful attempt where a new plugin open sourced at the beginning and was premium, and has decent sales.
    But, they do exist, and they are growing. (Not putting MCMMO here, everybody knows MCMMO. But PM me if you know more new-ish open source premium plugins, I'd like to add them.)

    Pros and cons
    Open sourcing has other pros, like allowing people to pinpoint mistakes, letting more than one person work on the plugin, reducing bad code and errors. Open sourcing your plugin may also make your plugin more compatible with others. For example, I've received reports several times from plugins which interfere with mine. When that plugin is open-source I can take a look at the source and perhaps make it so the plugins are compatible. But this is more or less the same as having a free resource. You will get a much higher rate of income than a free plugin asking for donations, but the real statistic of this is unknown, but has shown some promise. This could be a common practice in future.

    But, another con of open sourcing, is that people can (and likely will) just take your code and use it commercially without telling you. But hopefully this wouldn't blow to the extent where you actually hear of it and have to fight people to take it off. There is a DMCA letter specifically for situations similar to this by @mrfloris
    <Chances of this con happening is to be confirmed.>

    How to do it
    Have your plugin's source hosted on a site like Github, or Sourcetree. When you upload the premium plugin, put the link to the source code in the premium page.

    One way people do it, is that they sell their service and maintenance. So people that buy the plugin get support from you, while people who don't can go fix their own bugs with the source code.

    There is also another way where people would update their premium version frequently, and perhaps only bring their free source up to speed a month or so later

    "Cures" to Piracy
    DMCA and Cease & Desist letters
    Nothing like just going to the link, sending a wall of text, and seeing it go down within a week. It works on most reputable sites, and can be a good way to remove a leak, but it isn't foolproof. Since a DMCA is a toothless threat without a lawyer, if the site refuses to, you're out of luck. So it would work, or it wouldn't. But in my personal experience, it can remove about 70% of the leaks you find around the place. I've provided a draft at the bottom of this post.

    Pros and cons
    Highly effective way to getting rid of existing leaks, especially of older versions without any protection, but does not work on some sites, including infamous spigot leak sites like Blackspigot if the file is hosted directly on it.

    Also, probably not something you'd see anyways, sending a toothless Cease and Desist with no lawyer can get you in trouble. But since it's Minecraft plugins, it is kind of "not worth it", so I'd say nobody's gonna take it to court. But if you use Cease and Desists for everything, it's basically sending legal threats. Keep that in mind, and understand that if you make some rich fellow with a short temper angry, you're in trouble. DMCAs should be sent only to such file hosting sites and companies with an anti copyright policy as mentioned previously to completely prevent the threat of this.

    Will you get sued for sending a cease and desist? I highly doubt it. But in any case, if you're paranoid, use Negotiation over a Cease and Desist. It's basically the same thing, but politer, if you don't have a lawyer

    How to do it
    I've provided a DMCA draft at the bottom. This is what you send to hosting sites, and link shorteners, like Dropbox, Adfly, Mediafire, etc.
    A Cease and Desist is basically a legal threat to make an individual or company stop doing something. It will come across as aggressive, so only use this if you think you can scare the guy, or have already tried talking. But essentially, this is a toothless roar if you don't have a lawyer ready to take action, and the full identity of the leaker. I've also provided a Cease and Desist draft below

    Negotiation
    I've done this once or twice. I've negotiated with some leakers, and both of the times, it was an act of revenge against one of my plugin team's members. In the end I managed to convince these leakers to just drop the leak, and close the thread. I believe negotiating can work, if your leakers are small-scale, and it might be better to negotiate before sending a cease and desist. Note, when I say small-scale, I mean people just dumping the plugin on leakforums and so on, but take note that it is easy to tell if the person can be convinced or not (Like some people will proudly parade their leak and so on).

    I've also heard of negotiations with Blackspigot and so on, where devs actually requested them to be at least 1 month behind in their leak updates. I don't know how feasible this is, and I don't know what the success rate of this is, but my source was blackspigot staff... so... yea. I've also heard of people paying them to take the plugin off, but yea, I wouldn't say that it's fully trustable to send money like that

    Pros and Cons
    It wouldn't agitate whoever leaks the plugin if you talk politely, but I believe this is highly ineffective against large-scale leakers like those in Blackspigot, and so on.



    Ignoring it
    You're likely the happiest this way. If your plugin is good, it will continue selling despite having many leaks everywhere. Deal with this fact, and you'll be okay.

    Pros and cons
    You wouldn't be that happy. Tried it, and it still irks me enough to go leak hunting and sending DMCAs occasionally. But if nothing else you try works, keep this in mind, and understand that even if you did something, the outcome would be more or less the same.

    These are the ones I've thought of over the top of my head after seeing a ton of these discussions about anti piracy. Feel free to talk about more alternatives to the subject. I'll add it when I have the time.


    DMCA draft I've been using that has worked:
    My name is <name> and I am the owner of <plugin>. A website that your company hosts is infringing on at least one copyright owned by me.
    My file (<plugin>.jar) was uploaded to your servers without my permission
    Main Page of <plugin>: <Spigot link to plugin>
    The unauthorized and infringing copy can be found at:
    <URL of the leak or crack>
    This letter is an official notification under Section 512(c) of the Digital Millennium Copyright Act ("DMCA"), and I seek the removal of the aforementioned infringing material from your servers. I request that you immediately notify the infringer of this notice and inform them of their duty to remove the infringing material immediately, and notify them to cease any further posting of infringing material to your server in the future.
    Please also be advised that law requires you, as a service provider, to remove or disable access to the infringing materials upon receiving this notice. Under US law, a service provider, such as yourself, enjoys immunity from a copyright lawsuit provided that you act with deliberate speed to investigate and rectify ongoing copyright infringement. If service providers do not investigate and remove or disable the infringing material this immunity is lost. Therefore, in order for you to remain immune from a copyright infringement action, you will need to investigate and ultimately remove or otherwise disable the infringing material from your servers with all due speed should the direct infringer, your client, not comply immediately.
    I am providing this notice in good faith and with the reasonable belief that rights I own are being infringed. Under penalty of perjury I certify that the information contained in the notification is both true and accurate, and I have the authority to act on the copyright(s) involved.
    Should you wish to discuss this with me please contact me directly.
    Thank you.
    <Name>
    <City>
    ,
    <Phone number and/or email>

    Cease and Desist draft (Can't tell if it really works, but this is basically how one should look like to be used in a court case)
    CEASE AND DESIST DEMAND

    <date>

    I am writing to notify you that your unlawful leaking of <Plugin> infringes the x statement of the <Plugin> TOS.
    <FULL TOS HERE>

    Accordingly, you are hereby directed to

    CEASE AND DESIST DISTRIBUTION OF <Plugin>.

    I am the owner of a copyright in various aspects of <Plugin>. Under United States copyright law, my work's copyrights have been in effect since the date that <Plugin> was created. All copyright-able aspects of <Plugin> are copyrighted under United States copyright law.

    It has come to my attention that you have leaked a copy of <Plugin>.

    <PICTURE EVIDENCE>

    I request that you immediately, within five (5) days, take down the <Plugin> leaks from <site>, and any other site you may have used.

    If you do not comply with this cease and desist demand within this time period, I am entitled to use your failure to comply as evidence of “willful infringement” and remove your ability to further obtain and use <Plugin> versions.

    Before taking these steps, however, I wish to give you one opportunity to discontinue your illegal conduct by complying with this demand within five (5) days.

    DMCA by @mrfloris specifically countering people who steal your code
    DMCA NOTIFICATION OF COPYRIGHT INFRINGEMENT

    Date: {fulldatestamp}

    Greetings,

    I am the exclusive owner of the site and content at
    {full_originating_source}, and
    {full_permitted_sourc(s)}.

    The following links to the following content are intended to be exclusively
    available at (my) site and no permission has been given to the reported 3rd
    party site to mirror that content and divert my membership or visitors away
    from that content.

    The original content is shown here:

    {full_origin_source_content}, and
    {full_origin_source_content2}, and
    {full_origin_source_content3}.

    The unlicensed breach of my copyright is shown here:

    {infringing_source_content}, and
    {infringing_source_content2}, and
    {infringing_source_content3}.

    Please suspend/remove the content and prevent future abuse.

    Formality:

    In accordance with the provisions of the Digital Millennium Copyright Act of
    1998, please expeditiously "take down" or "block access" to the infringing
    material and take appropriate action against the customer to prevent future
    abuse.

    Declaration:

    I, the undersigned, CERTIFY UNDER PENALTY OF PERJURY that I am the owner of
    certain intellectual property rights, said exclusive owners being named:

    {full_name_source}, {full_name_source_business}, {full_address_business_or_source}

    I have a good faith belief that the items or materials listed below are not
    authorized by the above intellectual property owners, their agents, or the
    law and therefore infringe their rights. I further aver that the information
    contained in the Notice is accurate.

    Abuse: {unique_token}

    I may be contacted at:

    {full_name_source},
    {full_name_source_business},
    {full_address_business_or_source},

    {full_telephone_source}.
    {full_email_source}.

    Truthfully,

    {full_name_source}.

    This information may be passed to your client who is already be aware of the
    situation.
     
    #1 Hex_27, Mar 11, 2017
    Last edited: Jun 9, 2018
    • Like x 4
    • Useful x 2
    • Agree x 1
    • Funny x 1
    • Winner x 1
    • Informative x 1
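The version block and user ID block described in post #1, together with the rule that a failed connection must not disable the plugin, as an added example that is not code from this thread or from any poster. The endpoint URL, the one-entry-per-line blocklist format and all class and method names are hypothetical; the check is assumed to go through an HTTPS endpoint rather than a direct SQL connection, so that no database credentials ship inside the jar. `%%__USER__%%` is Spigot's premium-resource user ID placeholder.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.stream.Collectors;

// Hypothetical fail-open blocklist check (Java 11+), written without Bukkit
// classes so the decision logic can be run and tested outside a server.
public final class LicenseCheck {

    enum Decision { ALLOW, BLOCK }

    // Spigot rewrites this literal to the buyer's numeric ID when the jar is downloaded.
    static final String USER_ID = "%%__USER__%%";

    // Assumed format: one entry per line, "version:<x>" or "user:<id>", '#' starts a comment.
    static Set<String> parse(String body) {
        return body.lines()
                .map(String::trim)
                .filter(line -> !line.isEmpty() && !line.startsWith("#"))
                .collect(Collectors.toSet());
    }

    // An empty Optional means "could not reach the checking server".
    static Decision decide(Optional<Set<String>> blocklist, String userId, String version) {
        if (blocklist.isEmpty()) {
            return Decision.ALLOW; // fail open: no answer from the server is never a block
        }
        Set<String> entries = blocklist.get();
        if (entries.contains("version:" + version)) {
            return Decision.BLOCK;
        }
        // A developer build still carries the raw placeholder. It is detected by
        // shape, because a comparison literal in the jar would be rewritten too.
        boolean replaced = !userId.isEmpty() && userId.chars().allMatch(Character::isDigit);
        if (replaced && entries.contains("user:" + userId)) {
            return Decision.BLOCK;
        }
        return Decision.ALLOW;
    }

    // Asynchronous fetch with short timeouts; every failure collapses to Optional.empty().
    static CompletableFuture<Optional<Set<String>>> fetchBlocklist(URI endpoint) {
        HttpClient client = HttpClient.newBuilder()
                .connectTimeout(Duration.ofSeconds(5))
                .build();
        HttpRequest request = HttpRequest.newBuilder(endpoint)
                .timeout(Duration.ofSeconds(5))
                .GET()
                .build();
        return client.sendAsync(request, HttpResponse.BodyHandlers.ofString())
                .thenApply(response -> response.statusCode() == 200
                        ? Optional.of(parse(response.body()))
                        : Optional.<Set<String>>empty())
                .exceptionally(error -> Optional.empty());
    }

    public static void main(String[] args) {
        // Constructed blocklist body, as the hypothetical endpoint would return it.
        Set<String> list = parse("# constructed sample\nversion:1.4.2\nuser:100001\n");

        System.out.println(decide(Optional.of(list), "100001", "1.5.0")); // blocked buyer ID
        System.out.println(decide(Optional.of(list), "200002", "1.4.2")); // blocked version
        System.out.println(decide(Optional.of(list), "200002", "1.5.0")); // ordinary buyer
        System.out.println(decide(Optional.empty(), "100001", "1.4.2"));  // server unreachable
        System.out.println(decide(Optional.of(list), USER_ID, "1.5.0"));  // unreplaced placeholder

        // The .invalid TLD never resolves, so this exercises the failure path end to end.
        Optional<Set<String>> unreachable =
                fetchBlocklist(URI.create("https://license.example.invalid/blocklist.txt")).join();
        System.out.println(decide(unreachable, "100001", "1.4.2"));
    }
}
```

In a plugin, `fetchBlocklist` would be started from `onEnable` and a `BLOCK` result handed back to the server thread before the plugin disables itself.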
  2. This is from the resource rules:
    I'm sorry, obfuscation might be allowed, but anti-piracy systems aren't really allowed. There might be some workarounds, but not what I know of.
     
    • Funny x 1
  3. They are allowed, as long as your plugin will still function if it has no internet access
     
    • Agree x 1
  4. No, the plugin isn't allowed to access the internet when starting, which makes every anti-piracy system worthless.
     
    • Funny x 3
  5. Staff have confirmed that it IS allowed. But, you cannot prevent the plugin from working if your server is down, or if the owner has no internet
     
    • Agree x 1
  6. But can you prevent the (pirated) plugin from working when your server is up and the owner has an internet connection?
     
  7. Yes, and if you read that rule you've sent, it technically doesn't ban that
     
    • Agree x 1
  8. Facepalm...

    It CAN request an internet connection, but if it cannot reach then it has to continue starting up..

    If the server has internet and the user is blacklisted, you can disable it
     
    • Agree x 1
  9. Added a DMCA draft at the bottom of the post for anybody that wants it.

    Also added Negotiation to "Cures"
     
    #9 Hex_27, Mar 11, 2017
    Last edited: Mar 11, 2017
    • Like x 1
  10. Added a Cease and Desist draft at the bottom of the post for anybody that wants it.

    Also could use the spigot userid placeholder if anybody knows it. I could also use a brief tutorial on how to obfuscate your stuff.

    Added "How to do it" sections under DMCA & Cease and Desist letters, and Obfuscation & Anti-piracy code

    Since the Obfuscation and anti-piracy code can bring some controversy, please do mention any, so I can add it to the cons area. You can share about DMCA and Cease and Desist experiences too, and I will review them and add to Pros and Cons accordingly as well.
     
  11. This is what I use (since 2009) to protect my stuff (unrelated to MC), it's what I send to the provider (host, isp, lawyer, etc) prior to contacting the person in question. Who gets a cc of the notification with a less formal request to adequately discontinue the distribution and or ripping of my stuff.

    Code (Text):

    DMCA NOTIFICATION OF COPYRIGHT INFRINGEMENT

    Date: {fulldatestamp}

    Greetings,

    I am the exclusive owner of the site and content at
    {full_originating_source}, and
    {full_permitted_sourc(s)}.

    The following links to the following content are intended to be exclusively
    available at (my) site and no permission has been given to the reported 3rd
    party site to mirror that content and divert my membership or visitors away
    from that content.

    The original content is shown here:

    {full_origin_source_content}, and
    {full_origin_source_content2}, and
    {full_origin_source_content3}.

    The unlicensed breach of my copyright is shown here:

    {infringing_source_content}, and
    {infringing_source_content2}, and
    {infringing_source_content3}.

    Please suspend/remove the content and prevent future abuse.

    Formality:

    In accordance with the provisions of the Digital Millennium Copyright Act of
    1998, please expeditiously "take down" or "block access" to the infringing
    material and take appropriate action against the customer to prevent future
    abuse.

    Declaration:

    I, the undersigned, CERTIFY UNDER PENALTY OF PERJURY that I am the owner of
    certain intellectual property rights, said exclusive owners being named:

    {full_name_source}, {full_name_source_business}, {full_address_business_or_source}

    I have a good faith belief that the items or materials listed below are not
    authorized by the above intellectual property owners, their agents, or the
    law and therefore infringe their rights. I further aver that the information
    contained in the Notice is accurate.

    Abuse: {unique_token}

    I may be contacted at:

    {full_name_source},
    {full_name_source_business},
    {full_address_business_or_source},

    {full_telephone_source}.
    {full_email_source}.

    Truthfully,

    {full_name_source}.

    This information may be passed to your client who is already be aware of the
    situation.

    Don't forget that even if you know the url, the whois data provided can be inaccurate, but the IP address of the hostname will disclose the hosting provider, and if your log files show who ripped it, the ISP. They do and should have valid records. I usually have an appendix page 2 that I refer to which is a current copy of their publicly available terms of service where they mention that their client can't use their service for breaking the copyright law.

    The combination of contacting the person in question, showing them you're serious - and applying pressure to the host/isp that they have an issue with one of their customers, is sometimes enough to get a response within reasonable time.

    IF you do contact anybody, be it an adult, an underage kid, a corporation, .. it shouldn't matter, but .. be willing to follow through. If they threaten you, file a police report. If they lawyer up, make sure you have a timeline of your documented conversations, etc. Don't use a dmca notification as a loose threat to just apply pressure and feel better about yourself. If the other person feels harassed and counter sues you (or beats you to it), you will have financial consequences. Make sure the license you offer for your products or services is clear and protects you. Create a grey area field and enough confusion for those who take your code and re-apply it, "it was open source, you had a GPL clause for your library", etc.. will just drag things on and cost more money.

    Think twice before doing something 'serious' like sending a dmca notification. And if you do send one: be accurate, and honest. And stay away from personal attacks and name calling. If you want to use the law to have the law on your side, then act accordingly - but realise that if it goes beyond (they might think you are wrong and if you took them down and they claim for damages, you might have a tough summer ahead), be prepared for it as well.

    One tip I can end with is: don't make a public spectacle of your dispute with an individual or company. Feel free to tell people something's up and you're looking into it. Or thank them for their report of your infringed content. But investigate and act behind closed doors.

    Anyway, I hope any of this helps. And I hope I am not wrong with sharing my experiences on this matter.

    Pick your battles.
     
    • Like x 2
  12. Yea, in the case, I've recommended that people only send DMCAs to reputable places, and to file hosting sites, or link shortener sites. A cease and desist normally goes to individuals, but I've mentioned that it comes across as aggressive. So far, I find leakers finding a lawyer a little lame. Especially for blackspigot and the likes. I doubt they'd get a lawyer in the case, if they can just ignore you. If someone counter sues you, that person is likely innocent, because in this field (plugins) , so far I haven't seen someone that is serious enough to bring this to court. Nobody I've seen has enforced a DMCA or cease and desist through court, and leakers haven't actually sued the people who've sent these, because it's over minecraft plugins and I guess it radiates a sense of "it's not worth it".

    I'd say getting counter sued is more of a minor threat that should likely not happen. But I'll add your advice to the main page soon.

    As for the hosting thingy, blackspigot is run under one of GoDaddy's companies. I've tried sending a DMCA to them, but they frankly don't care, and they trap you in a loop of "it's their problem not mine", pointing fingers to GoDaddy's main company, then pointing back over and over.
    One of their staff even went as far as to copy paste their message about how it's not their problem when I pressed for details
     
  13. Fair points. I am just saying someone shouldn't just send out a notice in a rage, and then go oh crap, when it backfires. Think it through, be prepared for a follow through.

    Getting ignored is a consequence for the target party, not for you (the content holder). Them ignoring the dmca notice is a potential mistake that can backfire on them.

    Also don't forget that offline letters still exist. And you can pay to get a track/trace and a signature.

    Despite that it is "just" some plugin code. The fines for copyright infringement are not cheaper because of it.
     
  14. It would be funny to see a leak site getting torn down legally though. It really feels like they're going through loopholes.


    Added to cons of DMCA & Cease and Desist letters
     
  15. It's a problem that everybody has, be it a forum product like XenForo/vBulletin, Spigot itself, plugins, or Minecraft compiled sources, etc. Everything gets ripped. Because people are cheap and dishonest. It really sucks. Just focus on doing good yourself, put the energy in the right things, and give great support to those who deserve it. Be it a free resource or premium.
     
    • Agree x 1
  16. You can open source your premium plugins and still make a buck while discouraging some piracy efforts.

    • You offer your plugin for a price for server admins who aren't that knowledgeable in plugin development or computer programming in general, along with it is you, the author, personally providing technical support to them.
    • You allow anyone to grab a free copy of the plugin by providing the source code but they have to compile it on their own but they won't be able to ask for your technical support.

    Take a look at Aseprite, the program is pretty famous in pixel art and indie game development communities, it ain't expensive and the source code is available to the public for free. Those who want a free copy can either download the older version of the program OR build from source without technical support from the developers.
     
  17. Already inside the thread under prevention. I agree that this will stop all leaks. But... this is really just making your plugin free. Nobody will really buy it unless they misread the open source portion of it. You'd need a built up reputation to sell an open source plugin here, because it's really easy to get a dev to compile something for you in spigot. I'd estimate buyer count to be about 0 to maybe 1/3 of what you'd normally have if you'd left it fully premium
     
  18. Regardless, it's my preferred distribution method, less hassle and "just works" as intended (at least for OSS advocate authors) unless the plugin author is really looking to make a decent pocket money from his works. It's not like everyone knows how to setup a development environment and build from source properly (just look around Spigot forums, they're everywhere).

    Pardon me for TL;DR, I'm on a phone.
     
  19. Sure not everybody knows how to compile something, but in the case of plugins, they can get someone on spigot to do it for free very easily. Just post a thread with the source asking for someone to compile, and done. Likely get the jar within an hour.
     
  20. MiniDigger

    Supporter

    just the length of this thread shows how much of a waste of time this whole thing is.
    make quality plugins, provide good support and call it a day. there will always be leaks, no matter how much time you wasted on preventing that.
    ppl who know me will know that I will suggest open sourcing here. it not only has the benefit of not wasting time, it also helps you in getting community contributions and helps you build up a portfolio. I personally am in my current job because of my github profile. think about that for a second. then think about what will be better for you and your plugins in the long term.
     
    • Agree x 8