New licensing and phone-homes

Hi

I’ve been checking into this new announcement. Firstly, it will be great to be able to activate the product in software, and be able to manage that activation process in our Steinberg logins.

However I have very grave reservations about the proposal to phone home, and require frequent revalidation of activations.

There’s a false premise in this decision: that surely nobody will be without internet access for 30 days. This is not the problem mechanism.

What we learned from Avid, is that if the software isn’t frequently used, and this 30 day expires whilst someone is not using the software, then as soon as they try to load it up, it has to revalidate the activation. Immediately (not some time in the next 30 days). This has a non-insignificant chance of failure for many reasons which I have 25 years experience with (being a proxy server vendor). So you don’t need to be without internet access for a month to trigger this. Only at the point in time that Dorico decides it must revalidate the activation or die trying. This can happen if you just don’t use the software for a while.

Check out the Sibelius users group on Facebook if you want to see what happens with this strategy. It has gained Steinberg a lot of disgruntled Avid refugee customers, who will now be back in the same boat. Being denied access to their legitimately purchased software.

If you look at it philosophically, if you have purchased a perpetual right to use some software, then how can it be justified to afterwards deny this if the activation revalidation fails? Activation revalidation can fail for so many reasons. Local network problems, local admin policy (e.g. corporate proxy policy), X.509 certificate store issues, Steinberg server issues, etc etc etc. Have Steinberg’s activation servers NEVER failed? Nope, they fail every time a new version is released. Can Steinberg guarantee the servers will still be running in 10 years? 15?

It is legit to disable after the fact activations for example if the license was purchased with a stolen credit card, or the charge is disputed and the merchant gets a charge-back. But card companies have a window within which this is possible for a cardholder to do.

Failure to revalidate an activation should not invalidate it, or deny access to the software.

People feel very strongly about this, and many have posted even on this forum about their experience with Sibelius in that regard.

It’s not even like these licenses expire - they aren’t subscription licenses, so it doesn’t matter if people fiddle with their clocks.

I seriously suggest reconsidering this philosophical position.

3 Likes

Thanks for this feedback, Adrien, which I’ve also seen you express in similar terms in the comments on Scoring Notes.

We have of course discussed the situation where somebody runs the software infrequently, doesn’t run it for more than 30 days, and then needs to run it at a time when they are unlucky enough not to have an internet connection. At the moment we don’t (to my knowledge, anyway) have any specific contingency in place to account for this, but I will take this back to the team and we’ll go around the loop on it again.

Our intention is not to stop or hinder our legitimate users from using the software they have paid for. Our intention is to provide a system that offers some degree of protection against piracy and unauthorised use of the software, allowing us to make reasonable efforts to enforce the terms of the end-user license agreement, while giving our users as much flexibility and control in how they use the software as we reasonably can, accepting that those two requirements are in conflict and must be balanced.

3 Likes

Hi Daniel

Thanks for your response. Being in a similar boat with WinGate I appreciate the goals of such a system. There are ways you may not have thought of to deal with these issues, which I won’t go into in public, but happy to discuss off-line. I have 17 years experience in activation systems, activation enforcement and validation, 26 years in network dramas. I can pretty much guarantee I can come up with failure modes for this that your guys haven’t thought of unless they have significant network experience. Proxy vendors have to deal with all the worst networking problems.

Fundamentally though, Avid does what you describe, and you can see the result in their forums and FB groups. Some people seem to go through pain around this nearly every month.

By requiring a revalidation every 30 days, you’re basically introducing 12 risk events per annum for a customer that they may be denied access. Multiply this out by the number of customers, and the chance of any particular revalidation attempt failing. Honestly I think it will cause Steinberg and customers a lot of problems. And my personal opinion is that you can achieve the goals you spelled out without doing this.

At the very absolute least, you should adopt a strategy to observe prior to acting. What I mean by this, is monitor the license validation checks, but make the server response trigger the client to respond. So, by returning a certain response, the client will invalidate the activation and become inactivated. Other responses will cause the client to do nothing. Then you can turn this on and off depending on the pain it inflicts, and you can monitor levels of activation abuse to see if it’s really needed. We built custom systems to manage this which could easily be packaged up for you guys.

I honestly think you will find the level of activation abuse is insignificant and does not warrant the cost of this kind of enforcement. The noise one person makes when they are denied legitimate access is quite a lot.

Cheers

Adrien
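
The difference between an expiring 30-day lease and the "observe prior to acting" approach described in the post above, as an added example that is not part of the thread or of any vendor's software. The names `Reply`, `Activation`, `server_reply`, `lease_policy` and `observe_first_policy` are hypothetical, and the launch sequences are constructed.

```python
from dataclasses import dataclass
from enum import Enum

LEASE_DAYS = 30  # revalidation window discussed in the thread


class Reply(Enum):
    VALID = "valid"          # server confirmed the activation
    REVOKED = "revoked"      # server explicitly told the client to deactivate
    NO_ANSWER = "no_answer"  # proxy block, certificate error, timeout, server down


@dataclass
class Activation:
    active: bool = True
    last_confirmed_day: int = 0
    failed_checks: int = 0   # telemetry only in the observe-first policy


def server_reply(flagged: bool, enforce: bool) -> Reply:
    """Server side (hypothetical): flagged licences are revoked only while enforcement is on."""
    return Reply.REVOKED if (flagged and enforce) else Reply.VALID


def lease_policy(act: Activation, day: int, reply: Reply) -> bool:
    """Expiring lease: no confirmation for more than LEASE_DAYS locks the user out."""
    if reply is Reply.VALID:
        act.last_confirmed_day, act.failed_checks = day, 0
    elif reply is Reply.REVOKED:
        act.active = False
    else:
        act.failed_checks += 1
        if day - act.last_confirmed_day > LEASE_DAYS:
            act.active = False
    return act.active


def observe_first_policy(act: Activation, day: int, reply: Reply) -> bool:
    """Only an explicit REVOKED reply deactivates; failures are counted and otherwise ignored."""
    if reply is Reply.VALID:
        act.last_confirmed_day, act.failed_checks = day, 0
    elif reply is Reply.REVOKED:
        act.active = False
    else:
        act.failed_checks += 1
    return act.active


def replay(policy, launches):
    """Apply a policy to (day, reply) launches; return (still_active, failed_checks)."""
    act = Activation()
    for day, reply in launches:
        if not act.active:
            break
        policy(act, day, reply)
    return act.active, act.failed_checks


# Constructed scenario: laptop confirmed on day 0, unused, then opened offline on day 45.
IDLE_LAPTOP = [(0, Reply.VALID), (45, Reply.NO_ANSWER)]
# Constructed scenario: a charged-back licence checked while enforcement is switched on.
CHARGED_BACK = [(0, Reply.VALID), (10, server_reply(flagged=True, enforce=True))]
```

Replaying `IDLE_LAPTOP` through both policies shows the lock-out occurring only under the lease, while `CHARGED_BACK` is deactivated under either policy.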

My understanding is that the 30 days requirement is rolling, so if a computer is generally connected it will call home much more frequently than once every 30 days. That computer will then remain successfully licensed for 30 days from its most recent successful communication with the license server. Basically, a revalidation failure only happens if both the host and the server are down/disconnected for 30 days.

Can you explain your point about 12 risk events per annum a little further, please?

Computers that are generally connected mostly won’t have problems.

Computers on corporate networks behind proxy servers or other edge gateways may have all manner of problems that may permanently prevent activation revalidation. Some of these problems will be corporate policy. Some will be bugs in the gateway products they use, or issues with network admins being able to implement white-list entries for such revalidation checks. Even getting approval for a change in a gateway configuration in a corporation can take a lot of time and effort.

So, there are a raft of client-side issues that can prevent revalidation. Then there are the path issues - issues in the network path between the client and the Steinberg servers.

Then there are all the Steinberg-side issues. Frankly Steinberg doesn’t have a great track record at keeping their activation servers available, especially around release of new versions.

Honestly, depending on the design (and I’m assuming it’s based over https, because, well, everything is these days) there can be literally dozens of failure modes.

I think Google a while back (when they were arguing for HTTPS everywhere during the development of HTTP/2.0 on the IETF WG list - which I’m on) collected stats between Chrome installs and its servers to gain some level of reliability of access between its clients and servers. The result was very sobering, I don’t think they got over 95% reliability.

So, there are temporary or permanent networking issues, and then there are issues with this rolling 30 day period thing. In order for that 30 days to be effectively used, there has to be some Steinberg software actually running on the client computer. If this is a feature in Dorico, then Dorico needs to be run in order for an opportunity to revalidate within the 30 day window. If it’s some other agent, e.g. a system service which runs permanently then maybe it’s a different story, but frankly I’d be surprised if it’s a system service. Most companies just use the main app or an ancillary (e.g. Avid Link).

So there are tons of ways this 30 days can go by without a revalidation, and tons of ways the revalidation can fail each with a certain risk. Multiply out and you get the number of complaints.

Someone who is permanently sectioned from the internet will never be able to revalidate except by some proposed manual off-line mechanism. There are plenty of recording studios where studio computers don’t have network access. I’ve seen complaints about phone home in audio products other than Sibelius as well.

There’s only 1 chance to do this right the first time, I know that.

On the one hand, I tend to think I likely won’t run into any issues; between my desktop and my laptop, both are usually connected to the internet and I usually use Dorico frequently enough that it wouldn’t come up. On the other hand, I very much see where adrien is coming from, and I think it’s worth pointing out that with a phone-home system, over half a decade after launch, Dorico still won’t have a licensing system as flexible as, say, Finale (I realize Sibelius is a different story), which is very much an industry standard if not still the industry standard here in America (for reference: Finale gives you two authorizations, only makes you activate them once–including an over-the-phone option for non-internet-connected computers–and if I’m not mistaken allows for decently easy deauthorization and reauthorization at any time if you want to move licenses around to different computers). I’m very much looking forward to ditching my dongle, but at the same time, I couldn’t give full praise to a product that chooses not to match the functionality of a competitor. It will still be the case that although the Dorico application itself is superior in almost every aspect to its competitors, the licensing system won’t be one of those aspects, at least from the user perspective (again, never been a Sibelius user, so I’m really only talking about Finale).

And along those lines, on the other other hand, when I actually sit and think slightly more specifically about the way I use Dorico, I actually could very easily see myself running into a situation where I haven’t used Dorico for more than 30 days AND I find myself with no internet AND I want to use Dorico (perhaps briefly, but in that moment, it won’t feel like it matters how brief the time is relatively speaking; it will just feel frustrating). Here’s my thinking: the work I do in Dorico is not tremendously regular. I do composing of my own, engraving for others, and arranging/orchestrating for others. Sometimes I’ve got 2-5 things going on at once; sometimes I’ve got 0-1. So in a given 30-day period, I could be in Dorico all day every day or I could be in Dorico zero days. That’s not toooo common, but because I also volunteer for a new-music non-profit and perform here and there, I can definitely occasionally spend all of my musical hours outside of Dorico without necessarily even realizing that I’ve done so. Then the day comes that I want to do something in Dorico; with my desktop there’s a 99.99% chance that this is not a problem. Unless there’s an extremely coincidental internet outage, I’m good to go. My laptop is another story. Because, if the majority of my Dorico-ing is at my desktop (which it is), even if I do spend a good amount of time in Dorico in a given 30-day period, there’s still a very good possibility that I haven’t spent any time in Dorico on my laptop in a long while, maybe even months. All it would take would be for me to pack up my laptop for a train-ride, plane trip, or vacation or general trip to somewhere without easy, reliable, or safe internet access, and now there’s a problem (unless I think to myself beforehand “Oh hm, yes, even though I’ve been using Dorico for the past month, it’s all been on my desktop. Better start up Dorico on my laptop BEFORE I pack it up just to make sure any potential impromptu notation sessions that arise are indeed possible.” Much more likely is that I wouldn’t even think about it, because from the user perspective, Dorico will usually just work). And I can’t imagine that my situation is all that unique. Once you tally up all the desktop-laptop users who usually prefer desktop and then tally up all the outings that they should happen to make with their laptops and so on and so forth, I could indeed see this affecting at least a small group of people.

Anyways, I’ve begun to ramble, so I’ll just leave it at that. TL;DR, the new licensing system will definitely be an improvement, but there could still also be room left over for more improvement 🙂

… that is all assuming that the phoning-home happens only when the software itself is run. If there’s some sort of always-on daemon in the background that just does its thing every once in a while, that’s a different story (though not entirely without its own objections)…

It seems pretty evident to me that all of these fears about phoning home are essentially moot when you consider the fact that you can authorize a computer for up to a year. If you’re worried about a specific machine not necessarily having Internet, then just put a manual license on it that’s good for a year.

I don’t use my old laptop very often, so I could see a situation where the 30 days could lapse on that… But if I was really concerned then I would just put a year-long license on it.

Daniel, could you clarify; 30 days from when exactly? Is it always 30 days from the last time I was connected and using Dorico? - in that case I would likely be one of those that never notices.

Some subscription models don’t re-validate until the end of a 30 day billing period, and that one does catch me surprisingly often by making the check when I’m off the network. That may be why there is some sensitivity around what Avid does - but hopefully this is not like that.

FWIW in a previous life our laptops used to have a “check-in-or-die” mechanism. The feature I’d like to point out is that the machine would start giving you warning notices a couple of weeks or whatever in advance of the deadline. That eliminated the nasty surprise and kind of made it your own fault if you got bitten by it. (Unless you didn’t use the machine at all.)

I wasn’t aware you could get such a license which would cause the new Dorico to only check annually rather than every 30 days.

Even then, even though it’s an improvement to only have to go through this hassle once per year, currently people don’t have to go through it at all, so it’s a downgrade from current requirements.

Personally it won’t affect me, but I’m certain others won’t be so lucky.

Basically it’s moving from

CURRENT: here’s your license, it’s good forever
NEW: Here’s your license it’s good for 1 month, after that we promise we’ll give you another one automatically, and another after that, and that. Fingers crossed lads!

Can you see the difference? It creates a dependency in perpetuity. If Steinberg goes out of business, every license becomes junk and unusable. So, they will need to change the EULA as well. The actual license grant will be different.

2 Likes

I don’t know nearly as much about licensing as @adrien, and his objections make sense to me in a similar way as @snakeeyes021 described.
Thus I support an open discussion about this issue.
Why not make it 30 running-days (so the time, Dorico is actually running), instead of 30 calendar days? In this way it is assured, that Dorico has the possibility to warn you before the license expires.
But I am no expert and probably my suggestion is foolish in 200 ways.

But please: after months of recording and editing, when I hop on a train and want to compose I don’t want to be disappointed because I can’t use my beloved Dorico.
I have this regularly occurring with Max 8 and it’s plainly annoying.

1 Like

It’s true that in the FAQ (New Steinberg Licensing FAQ | Steinberg) about the new system, it does say that there will be an option to have a year-long authorization of a license for computers that aren’t connected to the internet, but it doesn’t say too much more. Is this option available to any computer, even one that is actually often online? Does it work the same otherwise (it seems not)? The FAQ says this option will be introduced “shortly.” I presume that means shortly from now and not from D4’s launch, so presumably these questions will be answered in not too long, but at the moment it’s not clear whether the year-long activation will be a viable solution to the concerns raised in this thread.

The problem is that if Steinberg goes bankrupt and there is no more maintenance, we won’t have access to our software.
I don’t know if this solution is reliable in the long term.
Will it still be possible to use the dongle if we prefer?

I started using Dorico in 2017, but still needed Sibelius as I made the switch. By that time, Sibelius had changed its purchasing/leasing options, and I would get a message that popped up asking if I would like to register my license (or words to that effect). I could say “yes”, I could say “never”, or I could choose the “not now, check again in 14 days” option. For some reason I chose the latter, and now, every two weeks I get the popup asking me if I would like to register (and with the same choices each time). Couldn’t something like this be put into play? “We see you haven’t started Dorico in the past 30 days, or you haven’t been connected to the internet. Would you like to do so now?” Not ideal, but at least with a prompt, no one would end up with a situation where they need to open Dorico only to find that it has “timed out.”

There is no perfect solution; but at least Steinberg is trying to find a workable model that allows us flexibility while protecting against piracy. Not an easy line to find or walk.

The current preference is that the background process is only active while it’s necessary. Having permanent daemons running if they’re not needed is not very nice, IMO.

We will be discussing the use case that’s been raised where a user has not been using one of our applications for more than 30 days and then opens it while offline. There are various options to address that.

3 Likes

If Steinberg goes bankrupt then the eLicenser would also be affected in that eLCC would not receive updates and the dongles would only work as long as the software works. The license you have been granted is only perpetual if Steinberg is perpetual.

1 Like

I confess to being pretty sanguine about all this. It’s NOT a subscription. The use cases that would be adversely affected by this seem to be pretty rare.

But look, the reality is that we live in a time of rampant software piracy. That hurts everyone… in this case, by forcing large software companies to come up with some means of protecting their products which will inevitably cause some inconvenience to users. Adobe and Avid have gone to subscription. Steinberg hasn’t, thankfully.

What MakeMusic does is up to them, and while I love the ease of their system, it does make it relatively easy to illegally share licenses if a user were so inclined.

Is this a problem in the music notation community like it is for DAWs? I have no idea, but Dorico is funded by a big company that encompasses all sorts of audio products, so with that comes some policy limitations that it probably wouldn’t have otherwise.

6 Likes

Let’s hope Steinberg doesn’t go bankrupt because otherwise everything will be dead.

It’s owned by Yamaha corporation. They’re doing fine.

6 Likes

That’s another thing… the idea of Steinberg going belly-up is the whole topic of risk.

We live with risk. It’s unavoidable. Yeah I have all my Dorico files backed up to the cloud and on several local devices. …and I could be hit by a bus on my way to work today. I can’t live sitting around wondering what sorts of unlikely scenarios might happen. It’s exhausting.

But yeah… Yamaha is huge. So Steinberg is probably less likely to run out of money than I am to be hit by a bus.

Sorry to be so morbid…

1 Like