E.T. phone home! best methods

Started by April 07, 2014 09:05 PM
10 comments, last by Norman Barrows 10 years, 7 months ago

So I'm Google-ing for free web hosting to post the beta of the demo of Caveman 3.0, and lo and behold, what's the first result? an old friend of mine from back in the day - rackspace.com!

suddenly it occurs to me: "i can just get a server!"

I actually used to have a server back in the day, come to think of it. site traffic was so high my web hosting company put me on my own dedicated box. i recall they seemed quite proud of it for some reason, don't quite know why.

I've been working on DRM and anti-crack technology for the game. So far I've shied away from "ET phone home" solutions, due to the requirement for internet connection, and the costs of running a server.

enter rackspace.com.

they can provide a server solution i can afford long term. going through my old web host mewebhost.com is another option.

so with the server costs issue gone, i'm now considering ET phone home solutions.

it does mean html and perl code, neither of which i particularly care for, but i've done it before (secure shopping cart software).

the question is what's the best way for ET to phone home?

the only secure code is code you don't give the user.

so just phoning home with an exe specific serial number registered to a user can be cracked on the client side.

you'd somehow have to DL some code/data to the client that's required for the client to run. and then? hide it? erase it? time bomb it? what?

just thoughts off the top of my head there.

So what ought I be google-ing for on this subject?

Norm Barrows

Rockland Software Productions

"Building PC games since 1989"

rocklandsoftware.net

PLAY CAVEMAN NOW!

http://rocklandsoftware.net/beta.php

the only secure code is code you don't give the user.

So you are giving them a client (a game) that calls home: you are giving them the code. Security by 'obscurity' never worked anyway. If you want to have full control whether the player has paid for your game or not: and importantly deny them to play if they haven't paid for your game, then you HAVE TO put the vital processing on the server side, otherwise it will be a trivial job for a hacker (I called them cracker in the past) to bypass your 'phone home' part of the code. To put the vital processing on the server side is:

1. Risky and costly. You will need to support ALL of your players. Everywhere in the world. (Or where you launch your game.)

2. Artificial. If you put things that could easily be done on the client alone, not depending on having an Internet connection, on a server, then you are putting artificial and annoying restrictions on your game on LEGALLY PAYING customers. They should be able to play your game without requiring an Internet connection, right?

Why do you want to treat your customers like criminals in the first place?

EDIT:

It is trivial to dump an application's memory space to get to any data that you are sending from your server to enable your game:

OSX:

OSXPmem: https://code.google.com/p/pmem/wiki/OSXPmem

Windows:

Volatility: https://code.google.com/p/volatility/

HxD: http://mh-nexus.de/en/hxd/

it does mean html and perl code


Or JavaScript (node.js). Or Ruby (rails). Or PHP. Or Python. Or Visual Basic. Or C++, for that matter ;-)

There are really two and a half kinds of hosts for these kinds of servers:

1) "Free" web hosts. These will give you some HTML and file space, and maybe some PHP and MySQL space, and will put tens of thousands of sites on each single machine. Performance will be terrible. They may inject ads around your HTML code -- this will break many web RPC / XHR mechanisms, but can be worked around. They may also run analytics on the incoming traffic, and if it's not "real browsers" they may kick you anyway. These were all the rage 10 years ago; I don't know if they're around anymore.

2) "Root server" web hosts. These can be virtualized (linode, amazon) or real hardware (serverbeach, higher-end rackspace, etc.) Virtualized is fine for web services; real hardware is needed for FPS game servers. You'll have to pay at least some number of dollars per month for these (except the first year of a micro instance plus some small amount of bandwidth is free on Amazon EC2.)

3) "Platform as a service" web hosts. These aren't that different from the virtual server hosting companies, except your application runs within some framework that the provider supplies. This allows them to offer more flexible fractional pricing, and may help you scale if needed (at a cost.) Heroku and Google App Engine are two of the biggest names here.

So, the question is: Is your game single-user, or multi-user?
If it's single-user, then the best option for indies seems to be to sell it DRM-free with included Steam key. Yes, some people will pirate anything. Meanwhile, quality software, with a supporting community, can make money.
If it's multi-user, then you should charge for the "account" rather than the "software." Your server then does something that the client can't do -- match up players, provide shared data, etc.
enum Bool { True, False, FileNotFound };

It all depends on what you want to do with your communication.

I've seen quite a few games that just use a plain http request for phoning home. Web libraries are everywhere, even as OS components so you don't need to include anything but a com reference in your code.

Just as an example and the site is probably going to automatically hyperlink this: https://example.com/phonehome?product=key&token=value&thing=stuff

You don't even need to wait for a reply if your game doesn't need it, perhaps if you are transmitting telemetry values or something. As a more complex functionality you could make a RESTful series of web requests, or perhaps by using a long-term connection. Connectivity not being perfect you cannot assume all connection attempts will succeed. There will possibly be an attacker or two who will send bogus data or want to spam with a bunch of bogus phonehome requests, but those are usually easily dealt with. And since it goes through a regular web page, you get IP address logging for every request and whatever else your host provides.
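
One way a server could sort genuine phone-home requests from the bogus or spammed ones mentioned above, as an added example that is not part of the original post. The HMAC-derived token, the per-IP limit, and every name and value here are assumptions made for illustration; only the `product` and `token` query fields come from the sample URL.

```python
import hashlib
import hmac
from collections import defaultdict, deque
from urllib.parse import urlsplit, parse_qs

SERVER_SECRET = b"constructed-demo-secret"  # assumption: lives only on the server
MAX_REQUESTS = 3         # assumption: requests allowed per IP per window
WINDOW_SECONDS = 60.0
MAX_FIELD_LEN = 64       # a hex SHA-256 token is exactly 64 characters

_recent = defaultdict(deque)  # client IP -> timestamps of accepted requests


def issue_token(product_key: str) -> str:
    """Token handed out at purchase: HMAC of the product key under the secret."""
    return hmac.new(SERVER_SECRET, product_key.encode(), hashlib.sha256).hexdigest()


def check_phonehome(url: str, client_ip: str, now: float) -> str:
    """Classify a request as 'ok', 'rate_limited', 'malformed' or 'bad_token'."""
    # Sliding-window rate limit first, so spam is rejected before any parsing.
    window = _recent[client_ip]
    while window and now - window[0] >= WINDOW_SECONDS:
        window.popleft()
    if len(window) >= MAX_REQUESTS:
        return "rate_limited"
    window.append(now)

    # Exactly one bounded value per required field; extra fields are ignored.
    query = parse_qs(urlsplit(url).query)
    product = query.get("product", [])
    token = query.get("token", [])
    if len(product) != 1 or len(token) != 1:
        return "malformed"
    if len(product[0]) > MAX_FIELD_LEN or len(token[0]) > MAX_FIELD_LEN:
        return "malformed"

    # Constant-time comparison on bytes (also safe for non-ASCII garbage input).
    expected = issue_token(product[0]).encode()
    if not hmac.compare_digest(expected, token[0].encode()):
        return "bad_token"
    return "ok"
```

This only filters what reaches the server; a token stored on the client can still be copied, so it does nothing against a patched executable.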


Web libraries are everywhere, even as OS components so you don't need to include anything but a com reference in your code.

ooh, that's sweet!



included Steam key

but a game that uses steam has steam itself as a form of DRM, doesn't it?


a game that uses steam has steam itself as a form of DRM, doesn't it?


That's not necessarily required. For example, Faster Than Light can be downloaded and run without Steam, but you can also get a Steam key so you can play it within your Steam library if you choose.

a game that uses steam has steam itself as a form of DRM, doesn't it?


That's not necessarily required. For example, Faster Than Light can be downloaded and run without Steam, but you can also get a Steam key so you can play it within your Steam library if you choose.

so a steam key is about e-distribution. and "steam protection" of a steam distributed title is optional. correct? i have yet to delve into the whole steam thing from a developer point of view, so far all i've experienced is the customer side of it. i suppose it's ok, as long as you have a good internet connection, and many gigs of bandwidth to DL your AAA titles. but the whole e-delivery thing doesn't seem to be quite what it's cracked up to be. i paid what $35? for the sims3, and now have to spend another $60 worth of bandwidth to DL it from origin. skyrim through steam was almost as bad. $60 for a cd that makes me spend another $20-$30 in bandwidth to actually get the game. they could have put 10 dvd's in the box for that price, and i could have just installed and played.


now have to spend another $60 worth of bandwidth


What part of the world still charges for networking by the megabyte, and charges that much?

The places I know of in Europe, North America, and Asia, do not have metered service for fixed connections, and have significantly cheaper service than that for mobile plans.

I imagine perhaps South America, Africa, or Eastern Europe/Middle East might have more expensive infrastructure? But, if that's true, it's only a matter of time until those places, too, get to the place where the rest of the world is now.


I imagine perhaps South America, Africa, or Eastern Europe/Middle East might have more expensive infrastructure? But, if that's true, it's only a matter of time until those places, too, get to the place where the rest of the world is now.

big grin here!

guess again. i'm 50 miles south of ground zero, the white house, in washington dc, 1450 yards north of the shores of the potomac. bald eagle country here. no cable. fios stopped laying cable about 4 miles towards civilization from here. all tv is via dish or directv. verizon is the only carrier who advertises having any sort of coverage here. phone reception is 1XRTT most times, 3g sometimes. so my friends seldom surf from here with their smartfones. i'm in 3 acres of old growth mid-atlantic forest. monster trees over 100 years old, 150 feet tall, and 4 feet in diameter at shoulder height. the canopy is so thick, light rain doesn't even hit the ground. exceed satellite internet (viacom) has low power modems that can't reach to a clear line of sight. that leaves hughes satellite (maybe - the exceed installer said they have more powerful modems, as they more target commercial accounts - credit cards stuff for small stores) and verizon mobile. i went with verizon mobile. 3g. 4g on rare occasions. so rare i don't even try 4g and just connect at 3g all the time. i'm currently paying something like $60 a month for 6 gig. i already upped from 4 gig this month, and may have to do it again, what with all the recent online activity related to the Caveman beta demo release.


This topic is closed to new replies.
