Content protection.

My question has already come up in the FAQ, but I found the answer pretty discouraging.

How do I protect my content from pirates?
The “modern” open-source-based answer to this is, of course, that you shouldn’t: instead, you should architect your application or business so that the value is generated by the service you offer, not in the content delivered to the browser. However, in some cases that may well be unduly idealistic. Your best bet for under those circumstances is to look into JavaScript obfuscators.

It is more than unduly idealistic for the following reason. Many companies that build sophistocated web sites rely on content supplied by artists. In the 3d clip art world, most content has an attached license that prohibits it from being used if the data can be easily obtained (i.e. in JavaScript model form). Unless a company actually hires an artist to generate custom content that they own (an expensive prospect), they cannot use it on their site.

I am unfamiliar with JavaScript objuscators, but I have heard they are easily subverted. Is there any way to avoid this mess and load custom binary data using JavaScript?

I totally agree that that paragraph is too weak. Firstly, I should imagine that the vast majority of WebGL based applications will execute largely, or entirely on the client. If I code up a fun little 3D arcade-style game, clearly I don’t need to write any server side code. At the same time, I don’t want my game to be referenced from another site, or simply ripped and hosted somewhere else. Furthermore, I don’t want my game to be ‘modded’ freely - modify the textures and, ‘hey, I have a brand new ‘original’ game!!’

I’m all for open source, but what’s the point in building technology if it can be trivially duplicated or reverse engineered? Obfuscation simply doesn’t cut it. Although I haven’t done it, I’m having a hard time believing you can’t reformat and deduce the ‘meaning’ of the original Javascript if you have a little time on your hands.

I take your point about the protection of 3D model data. I’m not a Javascript guru, but presumably there is a way to encrypt datafiles? At least in a way that is more robust that code obfuscation!

Content protection doesn’t marry well to the web world. The platform is open and even if content protection where to be written into browsers, what would be the point?! The standard would have to be open so ANYONE can retrieve the data. Plus, many browsers are open source so getting at the data would just require minor patches.

I think the key here is that the value will be in the system as a whole and not the content. I doubt very much that a purely client side arcade-style game would be all that popular on the web. The web allows for much richer uses, integration with services like tiwtter/facebook and multiplayer will probably become the expected norm. At that point the content starts to play second fiddle to the delivery systems. I bet any money that content producers will rapidly catch up and get rid of the restrictions that stop there content being distributed, else I’m sure a service will pop up to fill the hole.

Plus, this isn’t like distributing music or movies. I’m yet to see a commercially successful game cobbled together from assets that someone has managed to rip off from other games :wink: Even then getting past obfuscation and learning the code would probably be far more time consuming, guessing what variable do what, etc…it’s just easier to rewrite.

I’m all for open source. But we do live in a capitalistic society, and greedy people will be people, so here’s a solution: do exactly what people who want to sell images do, but in 3D.

You combine (mesh union) your model with a 3D watermark (say, a logo). It’s almost impossible to reverse-engineer since the original model and the watermark will be a single 3d mesh now. Randomly varying the position of the watermark can add extra protection.

I sure hope this doesn’t become the norm. Closed-source is often closed-minded.

The standard would have to be open so ANYONE can retrieve the data.

Why is that? I’m not aware of any rulebook that says data has to be of any particular format.

You combine (mesh union) your model with a 3D watermark (say, a logo).

This misses the point, since what I’m talking about is the licensing of that work by third parties that want to use it without a watermark.

I think the key here is that the value will be in the system as a whole and not the content…I bet any money that content producers will rapidly catch up and get rid of the restrictions that stop there content being distributed, else I’m sure a service will pop up to fill the hole.

Sure, at great expense to the artists!

I’m all for open formats and even open source, to a degree. But artists and programmers have a right to be compensated for their efforts. Personally, I’m more concerned about the JavaScript/WebGL marriage than I am about the content. I am interested in porting my OpenGL engine to WebGL and I’m not sure obfuscation will be enough to prevent theft. I realize that the nature of the internet makes it impossible to protect anything 100%, but I must object to the ease with which anyone can get access to the source - just right-click and there it is!

With regard to open standards, if open source browsers exist what sort of protection do you suppose a browser will be able to provide? If I want you put in a restriction what’s to stop someone else taking it out?

Obfuscation is not at all easy to get around, you loose all context so there is often little point in even trying to figure it out. Let’s put it this way, the following function:
var BOB=function(t,o0,o1,o2,t0,t1,t2){var d00=t.v00-o0;var d01=t.v01-o1;var d02=t.v02-o2;if(d00t0+d01t1+d02t2>0){var d10=t.v10-o0;var d11=t.v11-o1;var d12=t.v12-o2;var d20=t.v20-o0;var d21=t.v21-o1;var d22=t.v22-o2;var e00=d01d12-d02d11;var e01=d02d10-d00d12;var e02=d00d11-d01d10;var e10=d11d22-d12d21;var e11=d12d20-d10d22;var e12=d10d21-d11d20;var l1=e00t0+e01t1+e02t2;var l2=e10t0+e11t1+e12t2;if(l1l2>=0){var e20=d21d02-d22d01;var e21=d22d00-d20d02;var e22=d20d01-d21d00;var l3=e20t0+e21t1+e22t2;if(l2l3>=0){var n0=t.n0;var n1=t.n1;var n2=t.n2;var d1=o0n0-o1n1-o2n2+tri.d;var d2=d1/(t0n0+t1n1+t2n2);return {P:[o0+t0d2,o1+t1d2,o2+t2*d2],N:[t.n0,t.n1,t.n2]};}}}return false;}

Do you have any idea what it does? Personally I wouldn’t bother trying to find out. It would probably take at least an hour or two for something that might be garbage when you find out. Plus, chances are it can only by gleaned by someone with considerable JS experience and at least have some clue as to the context. Where as that same person could probably write a function to do the same thing in maybe half hour.

I admit it might be easier to get round simpler code(but even then probably not worth the effort). But, if you’re planing on doing a game engine it’s complexity should make it very unpalatable for someone trying and get past the obfuscation.

The obfuscation I’ve seen thus far isn’t quite that good, but I agree it’s not something I would personally bother trying to reverse engineer. 'Seems there are some people out there with a lot of time on their hands, though. That was a good point regarding open source browsers. I’ll stop whining now and get back to coding. :wink:

Not sure why content protection was even brought up in this FAQ — total non-issue.

For 30 years, video game companies have shipped artwork with their games and copyright has been a sufficient tool to protect their rights.

Technical content protection techniques have never worked, because at the end of the day you still have to deliver the graphics to the user. For 2d/video, they tried it with HDMI, and it failed ( … ey_release). There just are too many levels at which content can be intercepted — even for 3D graphics where the raw texture/model data can’t just be intercepted as 2D graphics can, one can still easily run the app against fake D3D/GL libs, or fake drivers, or just run it in a debugger, and get the data.

Just want to clarify that this isn’t specific to WebGL or to the browser, in particular doesn’t rely on browsers being open-source as was mentioned above in this thread, the same applies to any software.

Oh I see — “content” here was the JS code.

Was misled by replies above talking about watermarks, but that’s not the point.

Actually, no. By content, I am referring to all content, including artwork, and it’s certainly not a non-issue. There are many uses for WebGL besides games. Imagine a small company that wants to put together a snazzy 3d website and use clip art (3d models) that they purchase online. As I implied in one of my posts, a lot of the companies that supply 3d clip art stipulate that you have to take steps to prevent it from getting stolen and used elsewhere. I wasn’t sure that obfuscation is enough, but after a bit of research I do believe it will be enough to discourage all but the most determined of hackers.

The point of obfuscation is to make it more difficult to read the code than it is to write something new from scratch. Something like Google’s Closure tool turns readable code into mush. Sure - the bad guy can take the mush and run it in unmodified in their own application - but unless they are flat out stealing the entire application, it’ll be an absolute bitch to figure out what they have to do to use it. IMHO, any programmer with enough ability to understand this mess would be perfectly capable of writing whatever he needs himself - and probably in less time.

When you compile C++ code for a ‘conventional’ game into machine-code binaries and package it on a DVD, you’re really just obfuscating the C++ and delivering it in a way that lets the bad guy un-obfuscate it.

There are other strategies:

  • Put most of the critical code on the server…this is the ultimate defense. The majority of the code never leaves your control.

  • At the outset, offer to release the source code in (let’s say) a year from now. It would take a real fanatic to spend all that effort to understand all of this obfuscated code - in the sure and certain knowledge that it’s a total waste of time because you’re going to give it away anyway. This kind of thing buys you more time to make money.

  • Maybe offer a competition to make modded versions - for some small prize money, you get to find out all of the people who want to mess with it. “Know your enemy”…and “Keep your friends close and your enemies closer still”.

  • Follow a path of continuous improvement. If you have multiple programmers working on the product - they can outperform the (typically) lone bad guy who is de-obfuscating your code for whatever purpose. By the time he’s gotten something moderately useful out of it - you are already lightyears ahead.

  • Get lawyers. Just as you can’t truly hide your code - the bad guy can’t truly hide what he does with it. If he’s going to make any inroads into your business, you’ll surely know who he is - and be able to compare his code to yours and sue the pants off him if it’s a ripoff.

There are some exceptions to that which are hard to defend against. Notably, shaders. These are short chunks of code - and they are generally packed with clever tricks that might well be worth un-obfuscating - or even using in their obfuscated form. You don’t need to literally steal the code - the ideas themselves are generally the payback. I can’t imagine a defense against this because even shipping machine-code binary shaders is giving away the farm.

Art (both 3D and 2D), music, sound effects - these are easy to steal - but this is really no different than being able to steal it from a conventionally delivered DVD-based game.

My plan is to put very little of the game code into the client-side software - push as much as possible back into the server. The client will be little more than a dumb renderer…following instructions about what meshes to draw where and with what animations.

Right now, something like 70% of my source code is server-side…but that percentage will increase dramatically as the project moves to completion.

This makes sense from an architectural perspective too. Writing hundreds of thousands of lines of industrial-strength game code in JavaScript is just too painful to contemplate…especially without access to middleware like Morpheme and PhysX.

I regard WebGL as a happy medium between a conventional client-side game and the radical idea of cloud-rendered games such as On-Live are promoting where all of the game AND the renderer live on the server and the player is essentially watching a streaming video of the action. Here we are avoiding the high bandwidth and insane computational/latency requirements of rendering on the server - but maintaining all the benefits of having a pirate-proof game where almost all of the code lives on the server.

Looked at like that, you have very little to lose by letting people see the code for the client-side renderer.

– Steve

Because it’s a question that’s asked frequently :stuck_out_tongue: