It’s amazing what a difference a little bit of time can make: Two years after kicking off what looked to be a long-shot campaign to push back on the practice of shutting down server-dependent videogames once they’re no longer profitable, Stop Killing Games founder Ross Scott and organizer Moritz Katzner appeared in front of the European Parliament to present their case—and it seemed to go very well.
Digital Fairness Act: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14622-Digital-Fairness-Act/F33096034_en
Games should be required to have reproducible source for all components (client and server) sent to whatever the European equivalent of the Library of Congress is, to be made available in the Public Domain whenever the publisher stops publishing them.
Not only games. Goes for all electronics as well.
Sick of supporting your ‘old phones’? You’re required by law to disclose all binary blobs as source code to let somebody else pick it up the slack.
Feeling like bricking old Kindles? Fine, but users must be able to install alternative OS on your old device.
Not providing software updates for your TV anymore after you removed features? That’s your right, but so is the right of the effing device owner to install something else on it.
And it’s not just consumer electronics. (caugh John Deere caugh).
Not to be pro-corporate/anti-repair…but I feel I have to play devils-advocate here…
That sounds like a legal and security nightmare.
If you just give binary blobs and no sources, there’s no way to maintain the code/device long term. As exploits continue to be found in upstream dependencies, the hardware continues to become increasingly insecure.
But if the source needs to be released…I imagine that there are heaps of proprietary code that is still in use on “active” devices even after another model goes EoL…so if that code is released, there’s instantly thousands of nefarious eyes on it.
On top of the regular zero-days that are found out when a popular product reaches EoL.
I think that’s potentially a lot to ask of users. Will your technically-challenged great-Aunt switch to post-support build when her phone hits EoL, or will hackers be able to remote control her banking app and take away your inheritance before the community can even patch it (assuming there’s enough community support out there for an 8-year-old Galaxy A-series…)
Then there could also be licensed code that would need to be released as well…hence the legal nightmare.
Not saying it’s impossible…in fact, I greatly agree with your stance and stated position. Just saying that there are some blockers on this epic.
That is not a corporations problem who’s given away the rights to his product. That is my problem as an informed user, deciding that I know well enough about what I’m doing.
Security can’t be the constant reason for EoLs. Especially when there’s no real reason beyond the company needing the next cash cow.
This isn’t for the average user. My grandma isn’t gonna learn how to flash a custom firmware on her old phone. But an informed user can.
Right now, if your device has no more support, you can use it until something else changes and it becomes incompatible. Then you have a dead box that doesn’t do anything anymore, and simply because the company decided to no longer support it.
It’s about having the OPTION to use it in the future so the community can at least try to fix it.
Security is constantly used as a guise for removing consumer rights and as someone who has been in the security industry for about 9 years I’m so sick of it.
First and foremost, everyone please understand: the user should be allowed to opt into your concept of insecurity: you do not know their threat model and you do not know their risk tolerance.
Using exploits in low level drivers in the wild is approaching APT level, and even if there were a simple one to use it’d likely be useless without some sort or local access to the device (bar some horror show bug in a Bluetooth or WiFi firmware). The risk is incredibly low for the average person. I’d put it pretty close to 0.
Wire transfers aren’t instant and for large sums (your inheritance) the banks will likely require more than just a request from your app. If the bank cares about that then they can also use the attestation APIs which would be more than sufficient, as much as I hate them.
This boogey man of the APT going after my technologically illiterate <family member> with nation state level exploits needs to die. Long ago we entered a new era of security where it just isn’t worth it to waste exploits. Especially when you can just text people and ask for their money and that works plenty well.
Security is not a valid reason to soft brick consumer devices at some arbitrary end of life date.
Agreed, but I think a framing or two is missing here, and it only applies to a subset, is that the people of the world shouldn’t have to deal with more/larger bot nets because these things haven’t been considered.
Another is just that the average great aunt isn’t opting into a concept of insecurity they’re simply ignorant to what threats there are. If it’s possible to distinguish between the two sets of people, or to maybe even bucket devices by potential threat, it might go a long away. I probably a lot wrong here, I just woke up.
But yeah, agreed security is an argument that’s hidden behind
Yes I’m not going to take some “survival of the fittest” nonsense approach to security: consumers need securely built devices and software. This is the first line of defense always: we need to make things secure and then have secure defaults according to whatever we decide “secure” means in the context of our widget or software. Then we need to provide “advanced” (or even just “ignorant but risk tolerant”) users with the ability to change the device or software to match their definition of “secure”.
The easiest example is secure boot. Your laptop likely has a key provided by your OEM and likely Microsoft’s key preinstalled. This is a valid “secure boot” path for the average user, provided your OEM and Microsoft don’t get compromised, which is APT territory. However you are provided with the ability to use a different key if you know how to do that. You have thus opted in to protecting your own private key but now you have more control over your device. This design is notably absent in phones, which is absolutely bananas and actually less secure in some threat models
You could extend examples like this if you wanted. One could easily imagine a device that does soft brick itself after the EOL date to simply protect people that are ignorant of the potential risks, but also provides an advanced user with the ability to revive it in a “less secure” state. The less advanced user will then have to either learn something new or buy a new device.
Security by obscurity is a myth
No. It’s a valid tactic but needs to be part of a much broader strategy.
Absolute security is unachievable, but it is much harder to probe a black box to understand how it works than reading its entire manual.
Technically, I’d say its a stalling tactic, but yeah, by no means is it a sound, comprehensive strategy.
That implies any and all FOSS project should be getting exploited constantly, especially those being run by a community of hobbiests, and that is simply not the case.
They are exploited constantly. And fixed constantly.
There’s been a notable uptick in supply chain attacks coming from the odd FOSS dependency.
Fortunately the FOSS environment as a whole, ironically, reflects the best aspects of a “free market” in the capitalist sense. If a package is no longer maintained, or poorly maintained, or the maintainer is a douche/Russian asset, it forks and many users jump ship to the newer package.
Users have full transparency into how the sausage is made. Everybody does.
So if exploitable code is discovered, it can just as well be discovered first by a defensive researcher (non-inclusive term: white-hat) or offensive researcher (black-hat).
And if an offensive researcher discovers it first, they have a choice:
Submitting bad code to a project in itself though. Some new user with no reputation is going to be heavily scrutinized putting a PR on a large/popular project. And even with a good reputation, you’re still putting the exploit code out there in the open and hoping none of the reviewers or maintainers catch it.
This is one of the points that a French MEP brought up during the meeting. If this is pursued it could as a side effect open up space for digital “orphaned works” which would be fantastic.
It’s not even an issue of “orphaned works.” Every work becomes Public Domain eventually; that’s the point of it.
In fact (according to originalist American sensibilities, at least) the entire point of copyright law is “to promote the progress of science and the useful arts” (i.e., to enrich the Public Domain) to begin with! Allowing works to be copyrighted (essentially, borrowed back from the Public Domain temporarily so the creator can profit, thus incentivizing the creation of works) is merely a means to that end, not some sort of moral entitlement.
Copyright and patent are a compromise.
Society is iterative. Every work of art or technology is significantly based on prior work. So if you go to the extremes, where “I intented it, it is mine forever and passed to my children” society stalls as technoligarchs never license their patents. If you go full blyatski and outlaw personal ownership, you get Soviet Russia, a nation whose contribution to global culture has been a few ballets, some long depressing books and precisely one video game, because nobody is given incentive or even opportunity to create anything, so they don’t.
Give us a full copy of your work, enough information to make a full copy of it. This will be held in trust by the government. We will give you full, exclusive right to monetize your invention for a couple decades, and the copy stored with the government is the stake in your claim, the proof you need to win your lawsuit. After those couple decades are over, the idea becomes public property. Our inventors get to make a living, society gets to progress.
Copyright has gone cancerous, with terms lengthened far beyond a human lifetime to benefit major corporations and not individual creators. We need to fix that.
To be fair, Soviet Russia probably has a bunch more stuff than that; we just don’t know about it because it didn’t get translated and distributed to the West. The “Dr. Livesey Walk” meme is from a Soviet cartoon, for example.
I can only assume artists got funded by government grants or something, IDK. It probably did result in a lot less of it being created than in the West, though.
(Also, I think the ballets and books you’re alluding to might’ve been pre-Soviet?)
Anyway, I completely agree that copyright and patents are a compromise, and that the pendulum has swung way too far to the side of rights-holders at the moment.
(I was thinking of the likes of Shostakovich, born 1906 died 1975, but he did symphonies, not ballets? I think of Soviet performance art and I smell orchestra pit.)
Yeah! Um… what is that again?
¯\_ (ツ)_/¯
If no such thing exists, they should create it.
I like it. If the publisher no longer sells/supports the full game as purchased, then they no longer to get to complain about people pirating it.
I don’t like instantly throwing it public domain, that’s the wrong license to use. I think Creative Common CC BY-NC-SA would be more appropriate. (Credit the original, no commercial use, and any modified/redistributed version must follow same license).
This will prevent xbox from taking all the old PlayStation games, stealing an emulator, and selling them under game pass to people that don’t know those games are freely available.
I’d also add the game must be available as an individual 1-time purchase. If it’s only available as a bundle or subscription service (like game pass), that doesn’t count.
The Public Domain isn’t a “license.” It’s simply the default state of a work when copyright is no longer being enforced for it. I’m saying that copyright should immediately expire for any published work that is no longer being made available by some entity with the right to do so (phrased carefully so as not to break copyleft licenses, BTW) and that anyone should be able to get it directly from a government archive of all Public Domain works.
As for selling Public Domain works, that’s always been allowed and I don’t see any particular reason to change it, provided that regulatory capture doesn’t result in the public archive being the digital equivalent of hidden away in a disused lavatory in a locked basement with a sign saying “beware of the leopard.” If the free option is prominent and well-known but you want to pay money for some reason anyway (in theory, because the person selling it added value in some way), that’s your business.
I’m going to hard disagree on NC.
If the original publisher decided to dump their IP, and someone else has a good enough idea to make money off of it, they absolutely should.
BY-SA gets you the same vibe and encourages the new IP to keep making new content and allows others to do the same.
I agree, if an IP is abandoned then someone else should be allowed to do something with it.
For this post I was talking about the game that was already made and distributed, not just the idea or characters.
I’ll use Mario Kart 1 for example, if Nintendo doesn’t sell that game anymore, then the game is made publicly available.
If the IP is still in use that A) doesn’t exclude Mario Kart 1 form becoming available, B) doesn’t allow competitors to sell modern Mario Kart games (trademark) and C) prevents someone from taking a 30 year old game and just reselling it on their store.
IPs are much more messy to handle, as it’s less a final product and more of a concept. Creative rights should stay with the creative people not a publisher.
If Nintendo decides to drop Mario, but the actual creator of Mario still wants to work with a different publisher, they should be able to do that before the IP becomes freely available for anyone to take over.
This would be the only type creative work that would be burdened like this.
I find it paradoxical that we’re trying to save the gaming industry by burdening (mostly) small developers. Larger studio will no longer be able to abuse the system, but complying will be easy for them.
For indies and small to medium studios though? They struggle enough as it is. Adding the burden of compliance on top is not a great idea.
If we could legally categorize studios in a meaningful way, and therefore target the big ones and leave indies alone, I would support such an idea.
Don’t try being reasonable, the SKG people don’t understand reason.
It’s the only type of creative work that needs to be burdened like this, as all other types of works have always been “self-contained” (for lack of a better term) with no continued reliance on the publisher after the purchase.
Ditto with older games, BTW: you’ll notice that this “Stop Killing Games” movement didn’t start until the game industry started using tactics like DRM and “live service” architectures to forcibly wrest control away from the gamers. Before that, people could just keep playing their cartridges and CDs and even digital downloads, and hosting multiplayer themselves using the dedicated server program included with the game, in perpetuity and everything was just fine.
The industry got fucking greedy and control-freakish, and this is the inevitable and just attempt for society to hold it accountable.
I find it weird that you’re making what seems to me to be a strawman argument about “burdening (mostly) small developers,” as I’d say they are mostly not the ones trying to do this bullshit where they try to retroactively destroy art and culture because it stops being profitable enough. Indie studios typically don’t design their games to use publisher-operated servers with ongoing costs attached in the first place, let alone to self-destruct when they shut off!
Releasing source code isn’t without extra work. My point is, unless you make sure to specifically target the companies abusing gamers, you’re going to mainly hurt the part of the industry that is not the problem.
Nah, if the publisher stop selling a game, just make him to release a docker image for the server and the game patched to use such docker image. No source code needed (even if it would be nice).
Pardon my French but would you please kindly fuck off with “container solutions”? Cheers.
Yes! I hate Docker and containers. Just let me install the fucking app on my machine!
Not sure about public domain. Perhaps a non-commercial license would be best - this way fans can carry on the work, but others wouldn’t be tempted to profit off of the IP.
The original duration of copyright was 14 years. Why should we legally stop anyone else from making a knockoff?
If a studio is using the same base architecture for online services as a game that is currently active, you want developers to share their current live architecture and code?
Yes.
If they don’t like it, they can keep supporting their older stuff. Or better yet, rethink their decision to impose a “live service” business model now that they’d actually be held accountable for it, and consider going back to giving users the means to run their own servers.
(Also, by the way, “security by obscurity” is bullshit. If disclosing their server-side code leads to exploits, that just means they’re fucking incompetent. I have no sympathy at all.)
Set the launch arguments of any Unreal game to “-log” and get back to me on how many lines of log types LogEOS* it spits out before the main menu loads. That usually interfaces SteamOSS, so if there are a low amount of EOS logs they will show up as LogSteamOSS. That is the best hint I can give.
It sounds like you’re trying to “hint” at the idea that a bunch of games are using Epic Online Services and/or the Online Subsystem Steam API associated with it, but beyond that I don’t understand what point you’re trying to make.
If you’re trying to obliquely cite that as some kind of counterexample where it’s reasonable for a game’s source code to remain secret just because part of it is that library, then no, it fucking isn’t. I can’t tell whether EOS has the source code available along with the rest of the Unreal engine or not, but if not, it ought to be and IDGAF about any excuses Epic might have for not making it so.
If you are so hell bent on being right or knowing the answer. You could sign all of the Steam, Epic, and SDK NDAs to get access to all of the documentation.
LOL, what? You’re the one trying to make a point here, not me. Spit it out. I’m not gonna do your fucking work for you!
Nobody can be forced to keep supporting their older stuff forever, assuming it is even possible.
There are solutions to keep a server online or to give ways to run a local server (a docker image comes to mind), but you cannot think a company will keep a server active after years to just make few dozens happy with all the implications.
I agree on the spirit of the initiative, but I cannot really see how it can carried out: my fear is that some types of game will not be sold anymore in EU: no legally sold copies, no legal obligation to keep the server online forever. And in this case we all lose something.
Disclosing server-side code can leads to exploits, true, but I would not call them incompetent: they are not foolproof or omniscent.
No shit, Sherlock. That’s why the tenable and preferred option is for them to give it up once they’re done profiting so that the public can do it themselves instead.
LOL, nothing but FUD. Game publishers made plenty of profit before they came up with this “live service” bullshit, and they’ll continue to make plenty of profit even after we stop allowing them to screw over everyone too.
In case you weren’t aware of it, the only reason we grant copyright to creative works in the first place is to encourage more works to be created and eventually enrich the Public Domain. If the works never reach it (because the publisher is using technological means to destroy it before copyright expires) then they have broken that social contract and don’t deserve to be protected by it in the first place.
These live service game publishers are trying to eat their cake and have it too, and they simply aren’t entitled to that. The fact that they’ve been getting away with this theft from the Public Domain is unjust and must stop.
Removed by mod
Why are you lying about what I wrote? I never claimed the publisher should be forced to maintain it forever.
What part of sending the source to the government archive did you not understand?
And then what? Why are we storing these old games. Move on with your lives. Art doesnt last forever, its not supposed to. But you want publishers to put in extra effort to preserve them, and then have governments put in effort to preserve them, apparently forever.
Its funny how its the people playing the games who want them preserved forever rather than the people making the games, isn’t it. The people making them have pointed out multiple problems with this idea, but who cards about them right?
The people who make the games dont give a fuck about you. Why the fuck do you think we would care about what they want?
Presumably because you want what they can provide you. Its not rocket science my guy.
Oh I see, you’re just a troll who keeps lying and spreading FUD. Reported.