TransGaming Tagging Downloads to Combat Piracy

SeanTobin writes "It seems that TransGaming is implementing a new watermarking system to combat piracy. For now it seems that every tgz of Cedega 4.0.1 is individually tagged, and this has been frustrating Gentoo users who (like many others) like to be sure their archives are unmodified. Is this the future of software downloads? Is this tiny loss of personal privacy worth the increase in TransGaming's security?" Update: 08/16 17:42 GMT by S : There's an official response on the TransGaming forums indicating: "We can confirm that Cedega 4.0.1 included some basic watermarking... The objective behind the watermarking was to deal with some peer-to-peer piracy issues that we've been seeing over the past several months... We have suspended the watermarking feature for now and Gentoo users no longer need to be concerned with work-arounds."

Microsoft has done this already...

[tisme]

Microsoft did this with Windows XP beta to see what beta testers were "leaking" the information. Somebody figured it out though and testers were in an uproar shortly thereafter. Frankly, if you buy (or rent) electronic hardware from a store, the serial number is recorded on the receipt to avoid a switcheroo... this is simply an extension of that in my opinion. Not a good thing for people who misuse their licenses... but nothing major for people who follow the rules.

Re:easy workaround

[pc486]

From the article:

Bytes 0x10 through 0x23 in the tgz are the signature. They are unique in every download and are probably recorded by transgaming to know who downloaded what archive. Also, all hopes of using md5 or any other form of checksumming to verify valid files are out the window.

So there you have it. Gentoo is forced to download from Transgaming's website and they keep changing signatures. Unless you are installed a warezed copy of it, MD5 checksums arn't going to be of much use.

Re:easy workaround

[desplesda]

The guy who posted this, Q3Man, posted this followup:

With some help from cyph in #cedega, I've come to the conclusion that the builds are infact watermarked, although simply tagged might be a better description. Bytes 0x10 through 0x23 in the tgz are the signature. They are unique in every download and are probably recorded by transgaming to know who downloaded what archive. Also, all hopes of using md5 or any other form of checksumming to verify valid files are out the window.

Re:Breaks gentoo ebuilds

[codergeek42]

Not necessarily. Just do

# cd /usr/portage/
# ebuild app-emulation/cedega/cedega-4.0.1.ebuild digest

and it will ask you to place the tarball in /usr/portage/distfiles. Then, so long as you don't remove it, the md5sum will match. Hope this helps!

Re:easy workaround

[Waffle+Iron]

A few lines of a shell script plus programs to split the file would do it.

Here you go:

python -c 'import md5, sys; print md5.new(sys.stdin.read()[0x24:]).hexdigest()'

Re:Tis good!

[Richard_at_work]

The fact is, it doesn't affect piracy one bit, but now users gotta deal with additional BS. For example, piece together a new PC and put your copy of XP on it. Now, after activation fails, try to convince Microsoft that you destroyed or got rid of the old computer!

I have actually done this, and there is no problem at all. Ive changed my PC 5 times since I bought the XP license that requires activation, and only on the latest switch did the online activation fail. I rang a 0845 number (UK) and got hold of a very nice girl in a call center. All she asked me was if this installation was a unique install IE I hadnt installed it on other PCs. When I said yes, she reset my activations and gave me the option of activating through her or redoing the online activation, which I chose and was carried out without a problem.

Yes, anti piracy schemes get cracked, but cars also get broken into, you wouldnt see Ford selling cars without a doorlock. They are there to slow down the casual pirates, not the hardcore people.

Re:easy workaround

[Black+Acid]

For those not blessed with Python: dd if=file.tar skip=36 | md5

Re:Breaks gentoo ebuilds

[KentoNET]

Or just 'emerge --digest cedega'.

These will entirely destroy any kind of verification about the dist tarball, though, which is what the focus of the Transgaming forums post was about (and rightly so).

Changes

[rpdillon]

Apparently it is watermarking...I downloaded two copies:

$tar xvzf cedega1.tgz
$ls
cedega1.tgz cedega2.tgz usr
$mv usr usr1
$tar xvzf cedgea2.tgz
$mv usr usr2
$ls
cedega1.tgz cedega2.tgz usr1 usr2
$diff -r usr1 usr2
$

'Nuff said. Its just a watermark, not in the actual files. If you do a:

$diff -rs usr1 usr2

it'll report that every file is identical, just to verify.

Then, make an unwatermarked version:

$mv usr1 usr
$tar czf cedega_clean.tgz usr

Sadly, if you compress the *exact* same folder twice with tar czf it will not md5sum the same (try it!). I can't say I know why. So basically, this helps with piracy but not with the verification problem. =( Don't know how to fix the ebuild problem. Anyone that knows more about why the md5sums for two .tgzs of the same data would be different?

Official response here

[gavriels]

Hi all,

I've posted an official response here:

http://transgaming.org/forum/viewtopic.php?p=400 9# 4009

Take care,
-Gav

--
Gavriel State, Co-CEO & CTO
TransGaming Technologies Inc.
gav@transgaming.com