DRM Company Denuvo Forgets To Secure Its Server, Leaks Two Years Of Emails (torrentfreak.com)
Denuvo "left several private directories on its website open to the public," TorrentFreak wrote Sunday, calling it "an embarrassing blunder" for the digital rights management company. "Members of the cracking community are downloading and scrutinizing the contents," the site reports, with one of the finds being an 11-megabyte text file which apparently contains every message sent through Denuvo's web site since 2014. An anonymous reader writes:
There's a message from Google's security team, one from Capcom Japan, and "dozens of emails from angry pirates, each looking to vent their anger," according to TorrentFreak. Ars Technica reports that there's also a 2015 message from Microsoft about "an upcoming initiative," as well as messages from several game studios, and even one from the producers of Mavis Beacon Teaches Typing. "Combing the log file brings up countless spam messages, along with complaints, confused 'why won't this game work' queries from apparent pirates, and even threats (an example: 'for what you did to arkham knight I will find you and I will kill you and all of your loved ones, this I promise you CEO of this SHIT drm')."
"Since Denuvo's contact page does not contain a link to a private e-mail address -- only a contact form and a phone number to the company's Austrian headquarters -- the form appears to also have been used by many game developers and publishers." And in addition, "much of Denuvo's web database content appears to be entirely unsecured, with root directories for 'fileadmin' and 'logs' sitting in the open right now."
In addition, there's also a slideshow -- which has since been uploaded to Imgur -- bragging that "With over 300 man years of development experience among us, we clearly know what we're doing."
lawyers as hired guns (Score:4, Insightful)
This makes me cry (Score:1, Insightful)
and I just can't stop laughing!
Re: (Score:1)
The Bush Administration used private servers to view classified info. They also lost 22 Million E-Mails. Hypocrite much?
Re: (Score:1)
Um.. I hope this isn't too much of a shock, but it's time you faced it. By 2017 standards, Bush was basically a Democrat.
Re: (Score:2, Funny)
Switching to the anti-Buddhist one now, since that biblical scholar schooled you over all the inaccuracies in the anti-Catholic one? Your life must be really sad. Certainly there's a forum somewhere that this drivel is on-topic for, so you can actually have your half-assed trolling pastebin monologues get the response you desire?
Re: (Score:1)
Hey buddy... You are in dire need of a good swift kick right in the squishy bits...
Re: (Score:2)
Re: (Score:1)
You waste so much time and effort spouting illogical, self-referential nonsense because you're afraid to think for yourself. You're even more afraid of others thinking for themselves.
Why are you so afraid? You don't have to be.
Re: (Score:2)
Isn't posting a link AND the full contents of the page a bit redundant? Also, why not create an account if you're going to use your real name on your web site.
"Keep the pirates at bay" (Score:3)
Re:"Keep the pirates at bay" (Score:5, Interesting)
They claim an average of 272 days until games protected with their products are cracked. May be technically true, but the most recent one lasted a few weeks.
They also neglect to mention the ratio of additional sales to lost/returned sales due to the shitty DRM being a pain in the arse.
Re: (Score:3)
Re: (Score:2)
Also fails to mention the popularity of said games, or where they were released... If no one wants to play a game or isn't aware that it exists, then they won't want to pirate it either.
Re: (Score:1)
The game in question is Lords of the Fallen, released in 2014. Not a terrible game, but not terribly famous either - I suspect that most of us went through those first 272 days without ever having heard of it. Plus it was one of the first games with Denuvo, so it's not surprising that it lasted so long.
Rather disingenuous for Denuvo to suggest that it means their customers can expect 272 days from now on too.
Re: (Score:2)
It actually only said that is how only one of their games went without being cracked, not the average. The fact that they touted 272 days would lead me to believe that the number is the longest their service has gone.
Re: (Score:2)
Try 5 days for Resident Evil 7 ;)
"Apparent" pirates or actual customers (Score:5, Informative)
There seems to be a presumption that the "why won't this game work" questions were from "pirates", when they could just as easily come from actual customers.
You know, the ones the DRM actually fucks over?
captcha: measures (in a sentence: DRM are ineffective measures against pirates)
Re:"Apparent" pirates or actual customers (Score:5, Informative)
I've never had a problem in any pirated game with DRM. In fact that's often why I downloaded pirated versions of games I had bought. It got to the point where I bought the games to get the printed manuals, the other shit wasn't worth fuckall.
Re: (Score:2)
I think they're referring to the pirates doing the initial plundering. You have to crack the game before you distribute it - and the people doing so were complaining to the DRM-maker. A bit of a silly thing that still makes me think it's more likely to be legitimate customers complaining about DRM instead. It's not like the pirate says, "I'm a pirate and..."
Re: (Score:2)
This is what I was thinking, but the worst aspects of DRM pop up 5-10 years later when trying to run older games on newer systems.
It's not so bad... (Score:1)
At least nobody at Denuvo was running for the office of President of the United States of America! =)
What about the actual code? (Score:5, Interesting)
I do wonder if the leaks include any kind of technical info or code related to their system. If that happened it would be far worse than a bunch of emails.
Re:What about the actual code? (Score:5, Informative)
Was thinking the same thing. Denuvo has to be broken, they're coming dangerously close to inventing what will be, and forever remain, the worst invention in the history of computing: Working DRM. It's the weapon that could banish general-purpose computing to the dark corners of hacker basements forever. Curated computing has already been popularized.
All attempts to summon this demon must be thwarted.
Re:What about the actual code? (Score:5, Interesting)
If DRM is ever successful, it won't be due to companies like Denuvo. Effective DRM requires some critical-path hardware to be complicit in the hiding of a secret from the device's owner. It can't just be pasted-on code that says "check for a valid dongle", because the attackers patch around that. The hardware has to hide something of great importance to the operation of the application, something that can't simply be replicated by software.
Denuvo makes it hard to crack, but without the hardware's participation, it will never be impossible.
Re:What about the actual code? (Score:5, Interesting)
Well, there are systems like that, but it's quite hard to make a truly secure system when you can't even trust that the chip will run right.
The PlayStation 3 DRM scheme was basically impossible to crack because the hardware itself locked any access to the code.
The Cell processor had this inaccessible internal ROM that was read and executed by one of the SPEs before the boot time, and it "locked itself from inside", making it impossible for the rest of the system to read it.
But the crackers managed to get it by glitching the Cell processor just when the SPE tried to lock itself, making the instruction fail and exposing it to the other CPUs etc.
This actually became a quite common tool for breaking into consoles now.
Re: (Score:2)
Interesting read, thanks.
A quick google turned up an interesting article on this: How the PS3 hypervisor was hacked [root.org].
Re: (Score:2)
Denuvo makes it hard to crack, but without the hardware's participation, it will never be impossible.
I used to think the same thing, but then some Denuvo games have gone uncracked for frighteningly long periods of time. Serious Sam 3 took about 8 months to crack. AFAIK the Doom reboot and Rise of the Tomb Raider are still not cracked. I'm worried that they could invent a form of DRM that's theoretically crackable but practically uncrackable by anyone without NSA-level expertise and equipment.
Re: (Score:2)
Both of those games are cracked
https://www.reddit.com/r/Crack... [reddit.com]
Re: (Score:2)
Are those actual cracks or bypasses? I know of a bypass that worked temporarily which was released around the time of that posting, and since it relied on a misconfigured key on the DRM server, it's since been closed.
Re: (Score:2)
I'm pretty sure CPY only does cracks. I own both those games, so I couldn't say for sure though.
The torrent comments on TPB seem to suggest cracked.
Re: (Score:2)
For as long as there have been locks, there have been locksmiths. Unless the CPUs themselves are decrypting the instructions with a private key known only to Intel, it will be possible to decompile/trace. And even then, there will probably still be a way.
Only Pirates sending angry emails? (Score:5, Interesting)
Sorry, but the customers I have are angry at DRM. They own 30 room Yachts that when they update the Firmware on their Kaleidescape it upgrades to HDCP 1.4 and BREAKS the whole system because their TV sets that are sealed and built in are NOT HDCP 1.4 compatible.
I encourage these customers to complain to congress to strike down the DMCA because I tell them, "I could fix that, but the DMCA makes it a felony for me to do so."
And it's affecting their homes, they add in the new 4K Dish TV to their 64 room home and BOOM the digital video system shuts down because of HDCP 2.2 and they did not replace all 64 TV sets in the house.
DRM hits everyone, and a lot of the rich that I do work for I encourage to complain to companies as well as congress about it.
Re: (Score:2)
Is it legal to replace one encryption with another?
It might be legal. But probably not legal in the manner you're suggesting.
The encryption is providing access control. As long as access control (not for the user, but for the companies, of course) is not compromised, then it might be legal, unless there is some letter of the law there that would make this totally illegal.
If it is then rather use a HDCP-to-very-broken-encryption converter.
This would likely circumvent access control, and would of course be illegal under the DMCA.
Re: (Score:3, Funny)
Early adopter price (Score:2)
Unfortunately that's the price you pay to be an early adopter. Perhaps these customers should do more research when picking components, especially waiting when different standards are competing and being ratified (4k input, HDR, audio, etc), and also stop firmware updates (and disconnect these devices from the network so they don't get compromised) when their gear reaches a state of "just works." I suggest waiting until these devices are more consumer ready before adopting them. This is why I don't bother j
Re: (Score:3)
Is HDCP 1.4 or 2.2 support part of the ratified standard, or updates to it?
Waiting doesn't help. Getting fucked over by anti-consumer DRM implementations is going to happen anyway.
Re: (Score:2)
Re: (Score:2)
Nothing personal, but (Score:2)
That said, DRM is like a Hydra, when you think you won the battle against one, a handful more appear to take its place. I sincerely hope it will be outlawed at some point.
I had a look at these slides, and they're very obviously marketing material. Anyone who has written a handful of those knows how full of exaggerated claims they can be. For example, assuming the 40% piracy figure holds true (for which I cou
Are Denuvo really that bad? (Score:3, Interesting)
Denuvo have become a popular company to hate recently. There are long-standing complaints that their DRM "harms performance" in the games that use it. The time-to-crack on some of the more recent Denuvo-protected releases has been down to around a week or so, which is a big reduction from the "several months" they could boast a year ago. They can also come over as a bit cocky in their public messaging at times.
And yet... are they really that bad? The war against DRM in PC gaming at the conceptual level was lost years ago, the moment consumers (self included) decided that the convenience of Steam and its equivalents (and the general reduction in game prices that came with them) outweighed concerns about ownership and digital rights. There have been battles since then, to be sure, but those have generally been over the extent to which DRM inconveniences legitimate consumers.
So we had (fairly successful) protests against Spore, which limited the number of installs possible from a single key (a practice which is more or less dead now). There is continuing pushback over the inclusion of always-on DRM in games which don't require it, which looks like it still has some way to run. We've had outcries, again generally successful, against DRM schemes which compromise the security of PCs they are run on (see the recent addition of such DRM to Street Fighter V and its subsequent removal).
But Denuvo doesn't really do any of these things. From the end-user's point of view, provided they have a legitimate copy of the game, it is pretty much invisible. The rumours of it having a performance impact persist, but when credible sources like Eurogamer's Digital Foundry have investigated, they've never been able to substantiate them. In many cases, Denuvo appear to have become the scapegoat for poorly optimised PC ports.
PC gaming is actually in quite a good place right now. Most major releases find their way to PC; considerably more than did so 5 or even 10 years ago. Previously console-only developers have realised that they can expand their market for relatively little effort by producing a PC port. This has gone hand-in-hand with a general improvement in the quality of DRM, which appears (though I'll admit the link is not validated) to have deterred at least casual pirates (accepting that the hardcore will likely never be deterred). If DRM is here to stay, I would much prefer Denuvo to some of the alternatives.
Re: (Score:1)
But Denuvo doesn't really do any of these things. From the end-user's point of view, provided they have a legitimate copy of the game, it is pretty much invisible.
Denuvo does have an online component, it just phones home without the user's knowledge. Whenever there is a change in the system configuration (new hardware etc.), it needs to activate again, and without access to the server (offline mode), the game will refuse to run. Also, the error message in that case does not specifically mention Denuvo, it looks like a generic "Steam error", so the average user does not even know what is really causing the problem and blames Steam instead.
The rumours of it having a performance impact persist, but when credible sources like Eurogamer's Digital Foundry have investigated, they've never been able to substantiate them.
It is difficult to investigat
Re: (Score:1)
This is why I went with indie games (Score:4, Interesting)
Indie developers have a lot of advantages. First, you have WAY fewer (if any) useless management sponges and your money goes to the person actually doing the work. But mostly, because it's hassle-free. No need to be always-online, hoping and praying that the connection to the all-important DRM server stays stable (if you can reach it at all at launch), no worries that the game will break as soon as you dare to install something the game's maker considers a nono on YOUR computer, it just works.
Yes, graphics are usually way below what you'll get from AAA titles. But let's face it, games sold on graphics alone age very, very poorly. Cutting edge graphics are like new car smell. It wears off very, very quickly. The next generation of graphics hardware and shading software is always just a few months away and compared to this, your "ohhh, shiny!" game will soon simply suck. And then you can shell out another 60 bucks (and then some for the pretty much mandatory DLC to complete it).
Re: (Score:2)
I recently started playing Stardew Valley, which is a single dev game. Apparently, for a while there, that dev was manually correcting individual corrupt saves for customers, because he felt bad that his game had failed them. Just try getting that sort of service from a mainstream developer.
Re: (Score:2)
That's one of the aspects, another is that Indie games are usually way, WAY more mod-able than AAA games. Why? Because Indies usually have no interest in trying to rip you off with DLC afterwards. They lack the time to do it anyway, so why bother trying to keep people from creating addons?
Some even went out of their way to provide sensible APIs to enable mods, which led to a very rich and interesting gaming experience because you suddenly had a ton of content creators that threw enhancements and augmentatio
I can recall a pen-test. . . (Score:4, Insightful)
. . . . when we did a simple port-scan, and found every single Solaris box on the net had FTP running. So we did an anonymous FTP login. And in the root of the public directory. . . . was a Kickstart file. With the root password.
We had the entire network pwned in under 45 minutes. Simply because someone didn't bother to clean up. Probably because they'd already redlined the "maintenance" budget. . . .
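A defender-side check for the failure described in the comment above, added here as an example and not part of the original post: it walks a directory that is served to anonymous users and flags world-readable Kickstart files carrying a `rootpw` directive. The function names, the sample tree and the placeholder passwords are constructed for illustration, and "world-readable" is used as a stand-in for "readable by the anonymous FTP account".

```python
import os
import re
import stat
import tempfile

# Kickstart directive: rootpw [--iscrypted|--plaintext|--lock] <password>
ROOTPW_RE = re.compile(r"^\s*rootpw\b(?P<rest>.*)$")

def classify_rootpw(line):
    """Return 'hashed', 'plaintext', 'no-secret', or None if not a rootpw line."""
    m = ROOTPW_RE.match(line)
    if not m:
        return None
    tokens = m.group("rest").split()
    if "--iscrypted" in tokens:
        return "hashed"      # still exposed to offline guessing
    if any(not t.startswith("--") for t in tokens):
        return "plaintext"   # a literal password is present on the line
    return "no-secret"       # options only, e.g. "rootpw --lock"

def audit_public_root(root):
    """Report (relative path, line number, kind) for every world-readable
    file under root that contains a rootpw directive with a secret."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if not os.stat(path).st_mode & stat.S_IROTH:
                continue  # assumption: anonymous users only get "other" access
            with open(path, "r", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    kind = classify_rootpw(line)
                    if kind in ("plaintext", "hashed"):
                        findings.append((os.path.relpath(path, root), lineno, kind))
    return findings

def build_sample_tree():
    """Constructed sample: a fake anonymous-FTP root with four files."""
    root = tempfile.mkdtemp(prefix="pubroot-")
    samples = {
        "ks.cfg": ("install\nrootpw EXAMPLE-NOT-A-REAL-PASSWORD\nreboot\n", 0o644),
        "pub/ks-hashed.cfg": ("rootpw --iscrypted $6$EXAMPLESALT$EXAMPLEHASH\n", 0o644),
        "private/ks.cfg": ("rootpw --plaintext EXAMPLE\n", 0o600),
        "README": ("welcome\n", 0o644),
    }
    for rel, (text, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for rel, lineno, kind in sorted(audit_public_root(build_sample_tree())):
        print(f"{rel}:{lineno}: rootpw ({kind}) in a publicly readable file")
```

Pointing `audit_public_root` at the real anonymous FTP or web document root as part of a deployment checklist catches leftover provisioning files before they are published.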
My idea for a virus (Score:4, Interesting)
The amount of hypocrisy on this issue considering how many set top boxes are out there that violate the GPL to provide DRM compliant streams is breathtaking.
I'd love to see a virus that enforces the license terms on a Windows box so that pirated versions of the OS, or any other software, won't run.
Idiots (Score:3)
Thomas Goebl, update your resume... (Score:3)
Re: (Score:3)
Can we no longer trust Valve to tell us when a game contains 3rd-party DRM?
Never did: http://pcgamingwiki.com/wiki/T... [pcgamingwiki.com]
I'm not sure how much control Valve have over third party DRM notifications. I suspect it's a "Please indicate" but not mandatory.
http://forums.steampowered.com... [steampowered.com] does have a commentator suggesting that Denuvo isn't DRM. I'm not sure how they reached that conclusion but it may be worth sanity checking Valve's definition for DRM too - could be that Denuvo slips through a crack.