# User-specific copy protection for Kontakt Instruments



## chrisboy (Nov 2, 2012)

Hi Guys,

some time ago there was a thread where somebody talked about a copy protection mechanism for NKI files. Unfortunately the topic drifted away into somehow weird things, so I think it hasn't been talked through enough.

First of all, we have to clarify the aim is not a bulletproof AES-style protection algorithm. But it should be a huge improvement to the current copy protection (which would be none :D ). I am thinking about a combination of user specific watermarking and disabling the functionality of the instruments if this watermarking is removed. This could be achieved by the following steps:

1. the instrument needs an external script file located in the user script directory (e.g. "key.txt"). This file is generated at the purchase of the instrument (should be doable with PHP) and provided with the NKI file. This file has to be copied manually into the OS-specific user script directory. It contains an encoded identification number for each customer and the purchaser name.

2. When the instrument is loaded, a script reads the values from the external file and validates the integrity of the key, decodes the purchaser name and displays it. This should prevent people from sharing those files.

3. If the external file is not found / or the provided key is invalid, the instrument will be disabled. This could be realized by deactivating all script functionality and randomly changing all modulator parameters to mess up the instrument configuration (of course together with a message that the key is invalid to prevent users from thinking that the resulting sound is on purpose).

Before I start realizing this approach, I would like to start a discussion of possible leaks I didn't think of (since I am not an IT security expert). If it works, I would share the results on an open source basis (by that I mean the PHP file generator and the KSP script template.), since I am sure this is a thing that many people could benefit from.

On the other hand, I doubt that a complex encoding algorithm could be written for KSP, so that would maybe rather be a case of "security by obscurity" (where each developer has to write his own decoding algorithm to harden things for the bad guys). But also then, this solution could be considered as a starting point.

I am curious for your opinions on this topic.

Best,
Christoph


----------



## chimuelo (Nov 2, 2012)

I support all developers and as long as those expensive 3 cent dongles aren't used I am cool.
Watermarking with degraded functions sounds good if it works.

All I know is Gigastudio developers got screwed as so many deadbeats would buy a great instrument, load it on their drives, and resell the product. I would jump all over them at ebay and complain, even though I am not a developer, but I obviously didn't complain enough as it never stopped.

Kontakt should prosecute anyone they catch to the maximum.
After all, the RIAA fined a piracy gal for 86k a couple years ago, so the courts are definitely pro intellectual property, even if the songs or instruments are unintellectual.

Good Luck..


----------



## RiffWraith (Nov 2, 2012)

Hi Christoph

I am good with #1

It's #2 I am iffy on. I know some K scripting, but am far from guru. That said, I don't see how it would be possible to have a K instr read values from an external file via a script within the instrument. If I am wrong, then someone who knows better than I do, please correct me.

Cheers.


----------



## Reegs (Nov 2, 2012)

Christoph,

K4 and above allow you to read in arrays from an external file. Using this and some server-side work you can certainly craft some form of an authentication method with unique (RSA?) keys for each user. The resource container system is another option for encapsulating license data. Add an installer system and there's no extra user work needed. I'm a little outdated with my KSP-fu so there are likely other options too.

I've never reverse engineered Kontakt, much less while it's running, but I suspect the interaction between the KSP parser and other parts of the engine might be complicated and random enough to keep most amateur hackers from deducing and adjusting the decode algorithm. Then again, it might be extremely formulaic. And the actual people doing the hacking are in it for the challenge more than access to SuperString nkis (unlike torrenters).

As great as a discussion like this is to have in the open, I think developers with protection schemes in use might be hesitant to delve too deeply into their protection measures, which is the stance I take. As you mentioned, the first line of defense is security by obscurity. 

(Although, I _am_ very curious about the individualized sample watermarking process and how the nki's are then rolled for delivery from a technical standpoint! PMs welcomed :D )

Peter
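
The key-file scheme from the opening post (steps 1 to 3), with the key stored as an integer array as described in the post above, sketched as an added example that is not code from any poster. Python stands in for both the PHP generator and the load-time check; `VENDOR_SECRET`, `make_key` and `check_key` are hypothetical names, and the key layout is an assumption.

```python
import hashlib
import hmac
import struct

# Constructed demo secret (assumption); a real one would be random and private.
VENDOR_SECRET = b"constructed-demo-secret"
TAG_WORDS = 4  # 4 x 32-bit integers = 128-bit truncated HMAC tag


def _tag(customer_id, name_codes):
    """HMAC-SHA256 over id, name length and name codes, as TAG_WORDS integers."""
    msg = struct.pack(f">{len(name_codes) + 2}I",
                      customer_id, len(name_codes), *name_codes)
    digest = hmac.new(VENDOR_SECRET, msg, hashlib.sha256).digest()
    return list(struct.unpack(f">{TAG_WORDS}I", digest[:4 * TAG_WORDS]))


def make_key(customer_id, purchaser):
    """Purchase time: build the integer array written to the key file.

    Assumed layout: [customer_id, name_length, name codes..., tag words...]
    """
    codes = [ord(c) for c in purchaser]
    return [customer_id, len(codes), *codes, *_tag(customer_id, codes)]


def check_key(key):
    """Load time: return the purchaser name, or None if the key is invalid."""
    # Reject short arrays and values that do not fit an unsigned 32-bit word.
    if len(key) < 2 or any(not (0 <= v < 2**32) for v in key):
        return None
    customer_id, n = key[0], key[1]
    # The declared name length must match the array size exactly.
    if len(key) != 2 + n + TAG_WORDS:
        return None
    codes, tag = key[2:2 + n], key[2 + n:]
    fmt = f">{TAG_WORDS}I"
    # Constant-time comparison of the stored tag with the recomputed one.
    if not hmac.compare_digest(struct.pack(fmt, *tag),
                               struct.pack(fmt, *_tag(customer_id, codes))):
        return None
    return "".join(chr(c) for c in codes)
```

Because the checking side needs `VENDOR_SECRET`, that secret has to ship inside the instrument; a public-key signature (the RSA idea mentioned above) would keep the signing key on the server.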


----------



## hector (Nov 3, 2012)

i want to throw in my two cents.

there actually is a preventative system out there already. Many developers are using watermarking which is actually simpler for the end user and the developer because it doesn't rely on an external key file.

ultimately as soon as you decide to make open and public the protection you destroy it as any kind of protection system. you're talking about pirate groups that reverse engineer the kontakt application and hack it so it can run protected libraries, they hang out here (yes, many of them hang out in and read this forum).


----------



## d.healey (Nov 3, 2012)

--


----------



## hector (Nov 3, 2012)

the problem is ultimately that you guys publish your methods. it's just not possible to be open and publish your specs when it comes to security in this kind of context. For example if the watermarking gurus were to post the spec of their watermarking system and tools for anyone to do it, it would instantly be dissected. they can just remove or bypass the protections.

piracy is big business and the groups that share these libraries are not average end-users. they are groups of the same people that reverse engineer dongles to create virtual dongles to bypass them, figure out how to break encryption on serial keys and create application cracks to bypass protections. they take pride in them and see it as bragging rights and an accomplishment.


----------



## d.healey (Nov 3, 2012)

hector @ Sat Nov 03 said:


> The problem is ultimately that you guys are publishing your methods. It's just not possible to be open and publish your specs when it comes to security in this kind of context. For example, if the watermarking gurus were to post the specs of their watermarking system and tools for anyone to do it, it would instantly be dissected and rendered useless. They may not be able to generate the watermarks, but they can just remove or bypass them. You have to remember that a lot of pirates follow these forums.



I keep seeing this sort of comment and obviously I am aware of everything that you've said, however NI's copy protection is expensive and doesn't work, it has been cracked - every single version has been cracked; and mine is free and does work - maybe not for long but it currently has not been cracked.

Even if it is cracked it is one more thing to make it difficult for hackers and hopefully, with the smaller, less valuable libraries, that a lot of people on here produce they will just think it's not worth it. 

If you look at the system I have created it doesn't matter that they know how it works - it's not very complicated - the exact method can be changed with each individual's libraries, you can incorporate my system into your code in your own way so even if a hacker works out how one works it will take them a little bit longer with the next program.

If a hacker does break the code, so what? better than putting it up without any protection and resigning yourself to the idea that some unscrupulous individual is going to pirate it. But if you don't want to at least attempt a security system why not only release free libraries?

What you said about watermarking - that's a completely different idea to mine - which works if you don't tell anyone how it's done - mine can be cracked regardless of if you know how it's done (it just takes time and knowledge to work it out) so I might as well share it with you guys. - I know that makes it sound completely ineffective but how many other security systems have been hacked? surely mine is more effective than any system that has already been hacked.



hector @ Sat Nov 03 said:


> Your plain-text PHP and KSP scripts would be picked apart and re-engineered literally within hours. They not only make money from their actions, but they take pride in them and see it as bragging rights and an accomplishment.



They take pride in something that only takes hours to pick apart, after they have been told how the system works? - let them, I take pride in my work and any attempt to limit piracy. If you have a suggestion that is better than mine please share it, or should we just accept that there is nothing we can do?

I should add that I have used my system in a product that has been on sale for several months now, and so far no-one has tried to hack it or if they have they haven't made it easily available online yet. - they will probably hack it now I've said that


----------



## mk282 (Nov 4, 2012)

TotalComposure @ 3.11.2012 said:


> or should we just accept that there is nothing we can do?



This.


----------



## Leosc (Nov 4, 2012)

mk282 @ Sun Nov 04 said:


> TotalComposure @ 3.11.2012 said:
> 
> 
> > or should we just accept that there is nothing we can do?
> ...



... and maybe spend less time devising complex protection mechanisms, and more time making good instruments.


----------



## mk282 (Nov 4, 2012)

Acall @ 4.11.2012 said:


> mk282 @ Sun Nov 04 said:
> 
> 
> > TotalComposure @ 3.11.2012 said:
> ...




Very correct. IMO if you have a really good product, you will have successful sales despite the piracy.


----------



## Raptor4 (Nov 4, 2012)

TotalComposure @ 3.11.2012 said:


> or should we just accept that there is nothing we can do?


There is another way by paying somebody to protect your products - here is an example http://www.tracksaur.com/offer.html for such services (It is just an example).
The comment below is not addressed to the example link (it just comments on some tricky methods etc.)!
The piracy must have a mechanism to make money... It looks like some kind of a loop game - like the famous Chaplin movie "The Kid". _I.e. the kid becomes the Tramp's partner in minor crime, throwing stones to break windows that the Tramp can then repair._ In our scenario you must pay somebody "A" to protect you, after that "A" must pay "B" to get administration rules to be able to delete the illegal links, torrents etc., after that "A", "B" or "C" uploads the illegal links again. Note you must pay monthly and I can believe that the protectors will do their job for what you paid for. The problem comes next month when "The Kid" will break your windows again so you have to pay for the repairing forever...
Anyway this may be an alternative for companies and producers which can afford such protection in case the protection profit is more than its monthly fee.


----------



## gregjazz (Nov 4, 2012)

Interesting note, I bought Drumasonic, and that uses an external NKA key for authorization. That library is already an encrypted Kontakt Player library, so I guess it's just for added security.


----------



## Lindon (Nov 5, 2012)

Let me preface this by saying try googling "Grid Machine rapidshare" and you will see I'm a "victim" of extensive pirating of my products....I gave up looking after 8 pages of links...

But none of the solutions discussed in any of these threads define any way of stopping this....

We seem to be confusing two things:

1. Authorising a valid install...
2. Stopping copying...

So for 1. We've sold our product to someone with some payment/download mechanism....what more do you want? You can force people to enter a serial number to get a valid version, but in this valid purchase case all you are doing is making it harder for ALL purchasers...if you want to do this then add your product to a rar/zip archive and password protect that, much simpler...

For 2. if there is some rogue purchaser, who buys the product and validly installs it and then copies the installed directories and files into a rar archive and posts those on rapidshare or megaupload then you have no way (using KSP) of stopping that....sure if you have some way of uniquely identifying the user involved, each sale has a unique number assigned to a purchaser, then you can pursue the offending first party...good luck with that....and I mean it..GOOD LUCK, more power to your elbow and all that...clearly you are selling more stuff than me as I can't justify the lawyers' bills involved...never mind the php/C# code maintenance to do the unique id per-sale thing..

It's what Mario says, live with it. Build good products at a fair price and build a loyal user base.


----------

