StarForce’s response to SimHQ readers’ questions and some general comments I have. Having spent the day researching various copy prevention schemes, I found this piece too difficult to pass up for commentary.
Q: Does StarForce have a higher track record of games not being cracked than the copy protection competition such as SecuRom or Safedisc?
We monitor the titles we protect throughout their lifecycle, … [StarForce] has proved to be much more effective when compared to other copy protection systems. We do have a solid record of hit titles which have not been pirated ever since release…, and this is a very notable result. When the same title is protected using technologies by different copy protection vendors, the other protections get cracked, not StarForce.
Hardly. After some research I’ve discovered StarForce on those titles has been owned. StarForce up to and including v3.5.x.x is ineffectual with some recent, excellent tools released by some dedicated individuals. Whatever their motivations, I appreciate being able to play my titles without worry that my original discs will get damaged from disc swapping or lost.
Q: Several members have stated their objection in principle, saying that it presupposes guilt on the part of the purchaser in advance of any crime being committed. U.S. customers have an expectation of “right to privacy.” Therefore, they feel that StarForce makes these customers uncomfortable because it assumes that what they do within that privacy is illegal.
…
Today we all should realize that protection is designed to not only protect the rights of software providers allowing them to significantly increase revenue (revenue that goes onto further product development), but the customer’s rights as well. Buying protected software the user may be confident in the quality of the product he gets. On the other hand, the protection is a guarantee that customers get clean and secure product. Nobody can say what the pirated copy brings onto your machine in addition to the software it says it does (viruses, Trojans, etc.). How do you prevent the product piracy? By using a strong protection.
…
That’s a crock. Walking into a retail outlet or ordering from a reputable online merchant doesn’t sufficiently signify the copy I am purchasing isn’t pirated? What about the legit box, complete with a product activation serial code? Copy prevention measures are nothing but a vehicle to circumvent my freedom to do with my own property as I please. Even given the EULA I agree to by opening the software before actually reviewing what I am agreeing to, I still have the legal right to make a backup copy for personal use and StarForce interferes with that right. Consumer protection indeed.
Q: Has the StarForce copy protection scheme ever been cited by security alert organizations for containing flaws which could be used to compromise system security?
No, never. StarForce does not compromise system security. We thoroughly test our technologies for security flaws and StarForce has proven to be a stable and high quality product.
Liar. Sounds like a security vulnerability to me.
Q: Inability to make backup copies of StarForce protected software is a big issue. I always make a backup disc of whatever I buy for safekeeping, and I consider that to be part of the fair and legitimate use of the product I paid for. What can be done about this?
We have developed the StarForce ProActive technology which is based on the software license activation approach and does not depend on the physical characteristics of the licensed media. … Today, more and more publishers are using StarForce ProActive along with traditional disc copy protection systems.
… Though if the original disc gets damaged, the end user can always contact product Customer Support or StarForce Support for a “Rescue Key”, which will lock the product license to hardware parameters of his PC.
I don’t see how this helps. I’m still at the mercy of the publisher. If I do manage to obtain a rescue key, what happens when I buy a new computer? Oops. I’m screwed. Gosh, would’ve been nice if I could’ve made a backup of that StarForce protected game title, eh? And what if I don’t have an Internet connection or I’m on dial up? I have to phone home just to activate my single machine key?
Q: There was a security issue with a previous version of StarForce that allowed access to what should be protected kernel level space. What steps are StarForce taking to prevent such problems in the future?
The old version of StarForce drivers did indeed allow executing code using Administrator rights for its purposes. We would like to clarify some points. What we see here is that drivers may be accessed by any application. This application gets Administrator privileges and is not hampered by OS security as it would have been if being run with normal or low rights. This issue has happened before with some companies, and it was never a “critical” security matter (see here for details).
wtf? Any security issue is a critical issue. You can’t absolve yourself from a security vulnerability merely because any other software company has released software with a vulnerability in the past.
Symantec has faced the same issue with its Norton AntiVirus Device Driver back in 2003, and the vulnerability was classified as “Less critical”.
Oh darn. Failed deflection attempt.
It is well-known that the overwhelming majority of home users work under Administrator accounts all the time, thus this driver vulnerability does not affect them at all, as any application run will work with Administrator rights by default. This is significant only for business workstations working with common user rights. Going further we see that there are no complex StarForce protected games on business workstations, therefore this problem is valid only for office computers that have business applications protected with StarForce using the drivers (yet most of the time business applications are protected without drivers).
What difference does that make? StarForce had a privilege escalation vulnerability. Whether or not most people run with Administrator privileges is irrelevant. Your product contained a vulnerability. Further, rationalizing it away as a nonissue on business workstations is equally irrelevant.
StarForce immediately delivered a patch to fix the vulnerability, and no application was protected using this flawed version of StarForce drivers since January 2005. For the applications released earlier, respective updates were provided by software publishers.
Three months is immediate? What’s more, who is to say any of the publishers bothered to issue a patch merely for a StarForce security vulnerability? Moreover, what of all the now screwed customers who own older, vulnerable titles, with no way of obtaining a fix?
Update, January 31, 2006. Looks like StarForce is at it again.