Hi all.
Can you please advise me how I can prevent data about me from being sent to a developer?
Context:
While wandering around the net, I came across an expression about Foundry being ruthless to pirates. There were no specifics, so I simply typed in the search term “foundry piracy” and found the following:
- Legal Advice (https://www.reddit.com/r/NukeVFX/comments/olw8t7/legal_advice/)
- PSA: The Foundry is cracking down hard on piracy. If you use Nuke or any of their software illegally, you’re bound to receive an email sooner or later. (https://www.reddit.com/r/vfx/comments/7k35ve/psa_the_foundry_is_cracking_down_hard_on_piracy/)
- Possible problems with cracked Nuke (https://www.reddit.com/r/NukeVFX/comments/10ls86o/comment/j5z9nuj/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button)
- Foundry, Creator of Nuke, Demands Thousands of Dollars from Users Running Unlicensed Software (https://www.technadu.com/foundry-targets-pirated-software-users/46535/)
… and I even found a form to report potential piracy on their official website (https://www.thefoundry.co.uk/licence-compliance/report-piracy/).
So I was wondering, how can I protect myself from something like this? How can I prevent any data about me from being sent to the developer? I don’t plan on pirating any software developed by Foundry, because I’m just disgusted with using tools created by the likes of… people? It’s just the first time I’ve seen something like this, and I’m curious.
After trying to search for something on this topic on the net, I only came across this thread (https://www.reddit.com/r/Piracy/comments/ot6xkq/isolating_pirated_software/).
My thoughts/questions:
- It seems to me that just blocking internet access through a firewall isn’t going to help here
- I would ask if using such software only when the VPN is enabled would help, but it seems to me that such software may run some background processes that will be active even after closing the program, and they will just send information about me / my hardware from time to time, including when I disable the VPN, since I won’t be using such software at the moment. And maybe these processes are trickier than normal processes that you can easily close via Task Manager.
- Can a virtual machine help in such a case? How would it help in such a case? I’ve never dealt with virtual machines and I don’t know what they are, but aren’t they connected to the same network as my main computer, and can’t the developer get information about me if I use just another device, albeit a virtual one? Or is a virtual machine and how it works somehow different from a notional regular computer, as if it were virtual instead of real?
- Why does the last-to-last link, in the comments, mention using a separate machine? How is that supposed to help? Wouldn’t that machine be connected to the same network as the main machine? Or, if not connected to the network, how would a machine that is used for everyday needs, but notionally never goes online, be different from a new machine that is not used for any everyday needs, and also never goes online?
- I’ve heard of operating systems like Whonix, Tails, and Qubes. And about WineHQ, which allows you to run software written for Windows on Linux. I’ve only heard of them, and my understanding of them is no more than the word “anonymity”, so I also want to ask, if I use one of these operating systems, and use software like Nuke from Foundry through the use of WineHQ, could that somehow prevent Foundry from sending information about me? I mean using only the raw operating system, one of the ones listed, without using a VPN and a virtual machine along with it. If the answer is no, would a scenario of using an operating system bundled with a VPN and virtual machine help in this situation? Is it even possible to use software like Foundry’s Nuke on such operating systems? Or are they not designed for that, and they only support something more primitive like web browsers?
All I can think of right now is this:
- We have 2 different computers, - one for everyday use, the other for interacting with all the unlicensed software.
- On the computer for everyday use we use an operating system like Linux Mint or Zorin OS. On the computer for interacting with all unlicensed software, we also use the conventional Linux Mint or Zorin OS as the main operating system.
- The computer for everyday use is connected to the Internet, the computer for interaction with all unlicensed software is never connected to the Internet and never goes online.
- Using the computer for everyday use, download the required unlicensed software using a VPN.
- The downloaded software is transferred to an external hard disk or flash drive that is not used for any other needs. From the external hard disk or flash drive, then transfer the downloaded software to the computer to use the unlicensed software.
- Install the unlicensed software on the computer to use the unlicensed software, using a virtual machine with Whonix / Tails / Qubes as the operating system.
- Using the installed software.
My questions are about the above scenario:
- Would this scenario help in a similar situation?
- Does it make sense in the fourth step to not just download using a VPN, but to use a virtual machine as well? Is this even possible? Should I use Whonix / Tails / Qubes operating systems in this virtual machine, or can I just go with the usual Linux Mint / Zorin OS?
- Does it make sense to use a Whonix / Tails / Qubes virtual machine on the second computer if it never goes online? If it never goes online, can I get by with a virtual machine with a regular operating system like Linux Mint / Zorin OS? Or is that still a risk?
- I’ve heard that WineHQ is a kind of “emulation layer” and that software is more unstable when “going through” this emulation layer, is this true in 2024? Can all software be used on Linux operating systems using WineHQ?
- Similar to the question of whether it is possible to use such “heavy” software on operating systems like Whonix / Tails / Qubes, I also want to ask whether it is possible to use it inside a virtual machine? And wouldn’t it be too unstable if a virtual machine is used in addition to WineHQ?
- Will all unlicensed software work without an internet connection?
I apologize if I’ve written some nonsense. I am weak in technical matters. And I also apologize for possible mistakes in the text, I’m using an online translator.
Thanks!
I’m not familiar with the software in question but generally your options are (in order of my personal preference):
- Purchase the license and use it legally.
- Find a suitable open source or at least free (as in beer) alternative.
- Run the warez in a dedicated VM that doesn’t have network access. Or rather doesn’t have network access after downloading the software in question. This can break some modern software that requires an internet connection though.
If you’re intent on option 3, Virtual Box is a decent (though not great) free software for hosting VMs. Windows can be obtained from microsoft.com and doesn’t actually require registration or a license key (At least Win 10 didn’t, not sure about 11). Once the OS has been installed and the software has been downloaded you can easily disable the network interface from Virtual Box’s interface. From the VMs perspective it will be as if it suddenly doesn’t have a network interface anymore. You can then safely install and run whatever. Things cannot phone home if there isn’t a “phone” available.
God, virtualbox is awful. Terrible performance, and the UI is clumsy, disjointed, unclear. I really can’t reccomend it to someone unfamiliar with virtualization, it’s really that bad. And anyone familiar with virtualization will hate it for its terrible UI and poor performance.
QEMU is available via winget (or is it Chocolatey, I forget)
I agree, it could definitely be better, but it is cross platform, and the UI is “good enough” if your needs are as simple as needing a containment environment for software you don’t trust.
Is there a GUI interface for qemu now? I haven’t looked recently as I use Proxmox for my VMs. But that seems a bit overkill for this use case.
For local usage on linux there’s virt-manager, has been good enough for my use at least, and the integrated spice client has relatively good graphics performance for normal desktop use.
Edit: don’t know about a good gui for running qemu on windows, though
You don’t need to give the VM network access to download the software if you have a linux host. You can directly mount a virtual box drive from the host, copy the file(s) onto the drive and then unmount it and start the VM as per normal.
Search for qemu-nbd iirc (network block device) - I have the how to details saved on my host (ie not on me) so ping me if you want them. Note it’s a qemu app that works for vbox
Turn off network or run in a VM without network. Problem solved.
Given the “Oracle style” pricing that’s unaffordable to anyone they are targeting businesses, so they’re going to sue the businesses in order to score a big payout.
Like Oracle is seeing a download for the “free” virtualbox in a Company, they immediately send the lawyer team knocking at the doors
Suing a student or indie creator would be more expensive from a PR point of view
Commenting solely on the PR aspect, i always immediately side with the individual over the company… Even if the person in question is literally trying to destroy the company entirely, and did blatantly illegal things like breaking in to steal a formula or something.
I might change my mind at some point afterward, but I will always immediately side with the individual simply because a company can crush an individual’s life with ease, but an individual cannot so easily crush a company. So as far as I’m concerned, it’s just solidarity to side against the company.
I run a particular online windows game in a modded offline mode under Linux in network isolation and with a restricted apparmor profile. So far so good. Logs show no attempts to break out, except for the smoke test I run to ensure the sandbox is working. This is as much because of the random mods I install as the original devs (who could ban my online account).
On Windows, a VM would indeed be safer. GPU passthrough is possible … I guess easier with Windows using an onboard GPU, then passing a discrete GPU to the VM. You’ll lose some performance with a VM regardless, but it’s easy to disable networking, back up and restore from a known good state, and burn it to the ground when needed.
How do you end up doing this? I’ve been wanting to do the same thing and I’m curious how proton and apparmor interact
Apparmor profiles can be applied to an executable - the profile is then (if so configured) inherited by subprocesses. In my case I have a launch script to run lutris in a safe mode. It also changes the effective gid to be matched by some iptables rules (it was easier than creating a new network namespace, which is also possible). The script then checks that the Internet is inaccessible and that reading/writing to secured paths is denied before launching lutris.
Similarly I have a “safe” script to wrap other commands with an apparmor profile that stops most writes to my homedir/reads from some secure locations, which I often use to run scripts/programs from the Internet.
My sudo also requires a password (or a special keyboard combination, thanks to a custom pam configuration).
All that said and done, I’m sure I’ll be caught off guard one day.
A VM is basically a program which emulates a computer. This emulated computer can be setup to not have internet access.
Wine is a reimplementation of large parts of Windows, for Linux, with the aim of allowing Windows programs to run on Linux. Wine DOES NOT protect you in any way, it has access to the same stuff any other running program does.
With Linux, there are a lot of ways to prevent a program from connecting to the internet. IMO for this kinda use-case, I’ll probably run the program sandboxed with Bubblewrap and just unshare the network namespace.
I never heard of consumer apps doing this. I’m not familiar with foundry, but it seems their target audience are companies? Cracking hard on companies that use unlicensed copy is very common in b2b world. Microsoft, Oracle, etc all doing this to companies, threatening to “audit” them when they detect unlicensed uses from the company’s ip address.
I never heard of consumer apps doing this. I’m not familiar with foundry, but it seems their target audience are companies? Cracking hard on companies that use unlicensed copy is very common in b2b world. Microsoft, Oracle, etc all doing this to companies, threatening to “audit” them when they detect unlicensed uses from the company’s ip address
In the links I sent, at least 2 private users (not companies) complained about Foundry demanding money from them, or otherwise starting to sue. I’m not really sure why they’re doing this if it’s just inhumane to demand money from people who don’t even have any. My understanding is that people are not sitting on torrents out of surplus funds. Probably, if they would give up this kind of behavior and stop paying salaries to employees dealing with this issue, they would cover the expenses they have due to the use of unlicensed versions of software by private individuals. But maybe I’m seeing the situation wrong. But whatever it is, tracking down private individuals who use unlicensed software and demanding money from them is to me a kind of madness.
Honestly, I’d wait to see how that plays out in court before freaking out over it.
I can see any average lawyer convincing a jury that there’s no way to prove the client knew the software was pirated.
find what ports it communicates on and block those ports. done
You can just not give it any internet access. Put it in a VM without any, would be simplest. On Linux you can also start a program without access to certain network interfaces, I’m assuming there must be on Windows too. Buy yeah a VM would be the easiest to set up.
A guy I know used to keep all machines off the internet. He got visited by Foundry lawyers before he took that resolution though. They let him slide as long as he bought as many licenses as he had instances of Nuke running at the time of their visit.
Guys, thank you all so much for the responses. Many of you have recommended using virtual machines, and that will probably be sufficient for most scenarios, but I just want to leave a link to the person’s comment about some software being able to detect virtual machines just in case, so that you keep that in mind and don’t put yourself in danger.
If it concerns you this much, have you considered just buying a legitimate copy?
I’m just wondering how I can protect myself from something like this.
In the case of Nuke, “just buying” a legitimate copy is not “just” - it costs $6,000 per year. But it’s not necessary, I’ve already found alternatives.
and those alternatives are???
and those alternatives are???
My specialty at the moment is 2d/3d art, and I’m only just planning to get into compositing, so my… recommendation? should be taken somewhat critically.
The best alternative I could find is Fusion by BlackMagic, which has already been mentioned by one person in the comments. Only, in addition to that comment, I’d like to point out that Fusion does not come in DaVinci Resolve. The “Fusion” tab in DaVinci Resolve is a stripped down version of Fusion, and full-featured Fusion is a separate program that ships separately. It costs quite a bit - $300 for a (so far) perpetual license. On this page you can find a comparison of the functionality of Fusion, as delivered with DaVinci Resolve, and Fusion as a separate standalone program.
Another alternative is Natron, - free and open-source software aimed, as I understand it, at being a free copy of Nuke. But while I was looking for information about possible alternatives and some software in general, I came across complaints about Natron being slow and unstable. And the latest version on GitHub is dated November 2022. But there’s also a pre-release dated April 2023.
Let me remind you that I’m not professionally compositing at the moment, and may not know some nuances, so this post should be taken somewhat critically, and it’s always better to research and find the best solution for your purposes.
But I plan to start with Fusion, and if I’m missing something, look for it in Natron.
Nuke Indie is $500/yr. That’s less than Adobe CC.
I don’t like to use stripped down versions of programs only to discover in the process that the functionality I need has been cut out. In my experience with ZBrush, the stripped-down versions lack quite important, and I would even say fundamental, functionality. I would still prefer to use the alternatives mentioned above, where if something is missing, it is not something fundamental.
And I just don’t want to give money to developers who put up $6,000 price tags and then sue individuals if they use unlicensed versions of software that they simply can’t afford.
It’s an enterprise app unfortunately.
I don’t know why they persist with the post-house market because it’s been dead for a long time.
Going legit as an indie artist means just using alternatives.
Blackmagic bought out Fusion and stuffed it into Resolve. I’m not a vfx guy but don’t they do similar things?
Yes, thanks for the reply!