Reform Government Surveillance, an organization that represents technology giants like Google, Apple and Microsoft, is pushing the U.S. Senate not to delay reform of National Security Agency surveillance by extending expiring provisions of the Patriot Act.
The House of Representatives voted 338-88 last week to approve the USA Freedom Act that would, among other things, stop the controversial bulk collection of phone records of Americans by the NSA, including by placing restrictions on the search terms used to retrieve the records.
The bill has run into opposition in the Senate from some Republican members who are backing renewal of the current Section 215 of the Patriot Act that provides the legal framework for the phone data collection.
The urgency for Congress to pass legislation comes from the upcoming expiration on June 1 of certain parts of the Patriot Act, including Section 215. Under a so-called “sunset” clause, the provisions will lapse unless reauthorized in the same or modified form by legislation.
A bill introduced by Senate Majority Leader Mitch McConnell last month would extend the surveillance provisions of the Patriot Act until 2020. To apparently buy time as pressure builds for reform, another bill has been placed on the Senate calendar to extend Section 215 and other expiring provisions in the current form up to July 31.
The technology companies said that the USA Freedom Act prevents the bulk collection of Internet metadata under various authorities, and provides for transparency about government demands for user information from technology companies, besides assuring that the appropriate oversight and accountability mechanisms are in place.
Scammers are running wild through British oil company networks without needing to use malware, according to Panda Security.
Hacking is not new, stealing information and data from firms is not new, but doing so without using malware is unusual.
Panda has dubbed the scam Operation Oil Tanker (PDF), which it said has made its way into systems through a socially engineered email and a lone staffer. The security firm said that antivirus systems failed to stop the attacks, but that its own demo software did.
Panda explained that a worker called Susan at a company called Black Gold Ltd was presented with an email on a Monday morning.
The email contained a 4MB attachment apparently related to the oil market which the employee clicked on and opened. While this could have been big trouble, it was not. Why? Because of Panda.
“Neither the mail server antivirus nor the antivirus on her workstation had found anything anomalous in it. Susan double-clicked the attachment. A blank PDF opened,” the firm explained.
“1,700km away from Susan’s computer, an alarm was triggered. An unknown threat had just been detected and blocked when it tried to steal credentials from Susan’s computer and send them out.”
Panda, which was the blocker, said that there are some 250,000 malware threats a day, but that this one was special.
“There was something really unique about this threat: it didn’t use any kind of malware. That’s why we decided to call it the ‘Phantom Menace’,” it added.
Panda studied the incident, picking apart the email and its PDF and finding that it included an executable. That executable showed no suspicious behaviour, so was not picked up in regular scans. However, it ran a file called dcp.exe, which allows for file encryption.
Files are picked up at the target and sent to a remote location. Panda found files dating back to 2013, and reported that it had gone undetected for some six months. The scammer was able to use the information to fraudulently broker oil sales.
“In short, the scam works like this: the scammer contacts a broker/middleman and offers them a large amount of BLCO [Bonny Light Crude Oil], one to two million barrels, at a very competitive price,” said Panda.
“To close the deal, the buyer must pay a significant amount of money – from $50,000 to $100,000 – in advance. However, once they pay the money they are met with the nasty surprise that there is no oil.”
Panda has contacted the Spanish National Guard with its evidence and discoveries.
The security firm said that the force has a good history in dealing with cybercrime, and has worked with Panda before. However, it added that no victims are prepared to come forward. Which does not help anyone.
The OpenStack Foundation has announced new interoperability testing requirements for OpenStack-branded products and is claiming rapid adoption of the federated identity service introduced in the latest OpenStack release, which makes it easier to combine private and public cloud resources.
Foundation executive director Jonathan Bryce said at the first OpenStack Summit event of 2015 that the vision for the OpenStack project was to create a “global footprint of interoperable clouds” that would enable users to seamlessly mix and match resources from their own data centre with those of public cloud providers, delivering a so-called hybrid cloud model.
To this end, Bryce announced new interoperability testing requirements for products that are branded as ‘OpenStack Powered’, including public cloud and hosted private cloud services as well as OpenStack distributions.
“This is a big milestone and introduces common code in every distribution that brands itself as OpenStack, and common APIs that have been tested and validated,” he said.
In practice, this means that, along with an OpenStack Powered logo, products will carry a badge to show certification.
This currently applies only to some of the platform’s core modules, such as Nova (compute), Swift (object storage), Keystone (identity service) and the Glance image service.
But it is intended as a guarantee to users that a certified product contains a set of core services consistent with all other OpenStack products that are similarly certified.
Vendors already offering certified products include HP, IBM, Rackspace, Red Hat, Suse and Canonical, but the list is set to expand this year.
“During 2015, this will go across all products that are OpenStack. You will be able to know what you are getting in an OpenStack Powered product, and you will be able to count on those as your solid foundation for cloud,” Bryce said.
Meanwhile, the Kilo release of OpenStack, available since last month, added the Keystone service as a fully integrated module for the first time.
Despite this, OpenStack said that over 30 products and services in the OpenStack application catalogue support federated identity as of today, and that many OpenStack cloud providers have committed to supporting it by the end of this year.
Together, these two announcements are significant for OpenStack’s hybrid cloud proposition, as they will make it much easier to link a customer’s private cloud resources with those of a public cloud provider.
OpenStack Powered certification means that users can count on a consistent environment across the two, while Keystone provides a common authentication system that can integrate with directory services such as LDAP.
One company already taking advantage of this is high-tech post-production firm DigitalFilm Tree which has been working with HP and hosted private cloud firm Bluebox to build a totally cloud-based production system for film and TV content.
The firm demonstrated at the summit how the system enables footage to be captured and uploaded to one cloud, then transferred to another cloud for processing.
Bryce explained that this is just one example of how OpenStack is driving new use cases and expanding what people can do across a variety of industries.
“Interoperability means you can share your cloud footprint. It shows the power of the ‘OpenStack planet’ we are trying to build,” he said.
Hackers from Brazil have managed to discover a new exploit for the PS4 which enables them to bypass the DRM on any software and games.
A couple of weeks ago, a number of electronic stores in Brazil had been advertising the means to copy and run a series of ripped retail games on the console.
Little was known about the hack at the time, but information gradually began to trickle out from customers and make its way around the web. Please see below for commentary from Lancope.
Gavin Reid, VP of threat intelligence at Lancope, said that Sony was playing an arms race against groups that benefit from the ability to copy and share games.
The hack originates from a Russian website and has been pushed into the public by Brazilian retailers. The hack isn’t necessarily a jailbreak for the PS4, nor is it really a homebrew technique.
What they did was take a retail PS4 with several games installed and dump its entire game database and operating system (including NAND/BIOS). This was then copied onto a hacked PS4 via a Raspberry Pi.
The entire process costs about $100 to $150 to install 10 games and $15 per additional game.
“Open source groups like Homebrew with more altruistic motivations of extending the functionality of the console alongside groups selling modified consoles specifically to play copied games and of course the resale of the games themselves at a fraction of the actual costs. This has happened historically with all of the major consoles. It would be highly unlikely not to continue with the PS4,” he said.
The company launched an investigation in early May after receiving reports of unusual activity involving payment cards used at some of its stores. While it now has sufficient evidence to confirm an illegal intrusion, the company declined to comment on the breach’s scope until the forensics investigation is complete.
Sally Beauty is one of the largest retailers of beauty products in the U.S. and has over 4,500 stores.
In March last year, the company said hackers stole up to 25,000 customer records containing payment card data. According to the company’s annual report for 2014, attackers managed to install malware on some of its point-of-sale systems and captured “track 2” card data.
Track 2 refers to one of the data tracks encoded on a card’s magnetic stripe. It contains the card’s number and expiration date and can be used by criminals to clone it.
“There can be no assurances that we will not suffer another cyber-attack or data security breach in the future and, if we do, whether our physical, technical and procedural safeguards will adequately protect us against such attacks and breaches,” the company said in its report.
The compromise of point-of-sale systems with memory-scraping malware has resulted in some of the largest card breaches over the past two years. The technique was used to steal 56 million payment card records from Home Depot last year and 40 million from Target in late 2013.
The tags transmit data via Bluetooth Low Energy and can be worn as wristbands or location badges on lapels or breast pockets. They could be used by people including hospital patients and infrastructure workers to relay data to supervisors.
The tags can also be attached to objects such as shopping carts or walkers for the elderly. They’re part of a cloud-based Internet of Things (IoT) platform from Fujitsu called Ubiquitousware that’s aimed at making IoT applications easier for businesses.
At a Fujitsu technology expo in Tokyo this week the company is showing off the prototype tags. They contain various sensors commonly found in smartphones such as accelerometers, barometers, gyroscopes and microphones. They can also house heart rate sensors and GPS modules.
The sensors are being housed in stand-alone tags to better promote IoT apps, according to Fujitsu.
Algorithms that are part of the platform analyze the sensor data and can automatically send alerts to supervisors when a patient has fallen down, for instance, or if a worker is experiencing a heavy physical load and heat while working on a tower for high-voltage cables.
“These sensors stand out for the many business apps such as medicine or security that are easily incorporated through our cloud solutions,” said Tatsuhiro Ohira, a general manager in Fujitsu’s Ubiquitous Business Strategy Unit.
As an extension of a company’s awareness of its staff, the tags could raise privacy concerns. Fujitsu said the wristbands could also be used to estimate whether the wearer is taking breaks, or to help manage workers’ health.
The sensors are to be rolled out beginning in December but the cost has not been determined yet, Ohira said.
It appears that MediaTek’s move to bring out an octa-core processor has disturbed the mighty Qualcomm.
When the MT6797 SoC came out, there was much mirth amongst MediaTek’s rivals but it turns out that Qualcomm has followed suit after all.
Qualcomm’s version is called the Snapdragon 818, which will probably be a deca-core CPU. Word on the street is that the chip will depend on four low-power 1.2GHz Cortex-A53 cores, two mid-range 1.6GHz Cortex-A53 cores, plus four high-power 2.0GHz Cortex-A72 cores. It will support LPDDR4 RAM and will run the Adreno 532 GPU.
This should mean that it can run LTE Cat-10 when that hits the shops. The chip will use 20nm process technology.
If the rumors are correct then it means that the 818 SoC will be slower than MediaTek’s new chip.
Qualcomm is yet to confirm the existence of this piece of silicon, so it is all just rumors. However, if it is true, it does mean that MediaTek’s effort was a lot more important than many of its rivals admitted.
An Israeli company has designed a product that it claims is capable of determining if a mobile device connects to a fake cellular base station or Wi-Fi access point, potentially protecting critical data from falling into the hands of hackers.
Two large European carriers are testing the product, which is expected to come to market in early 2016, said Dror Liwer, chief security officer and co-founder of CoroNet, based in Be’er Sheva, Israel.
CoroNet’s software addresses one type of attack that was long thought to be too expensive to conduct. It involves creating a fake base station that has a stronger signal than a real one. Mobile devices are designed to connect to the station with the strongest signal.
Once a device has connected, it’s possible for a hacker to figure out a person’s approximate location and possibly steal data or listen to calls.
Such attacks were thought to be only possible by governments and intelligence agencies, but the software needed to create a base station, OpenBTS, is open source, and the cost of the needed hardware has dropped dramatically, Liwer said.
In the U.S., there has been increasing concern over police departments using such devices, sometimes referred to as IMSI (International Mobile Subscriber Identity) catchers, without court approval.
A technically skilled person could probably build a fake cellular tower for around $350, while a non-technical person could assemble one for around $1,500, Liwer said. For enterprises with sensitive data, the lower barrier to intercepting mobile communications poses yet another risk to data.
CoroNet’s software is a lightweight agent that runs on an Android or iOS device or on a laptop. It is programmed to detect behaviors and characteristics of a base station, as well as those of Wi-Fi networks.
It turns out that fake ones leave a lot of clues that they’re probably bogus. Liwer said there are many signs that CoroNet analyzes.
Those are the findings from enterprise mobility management vendor Good Technology, which issued a report that measured mobile device activations among its business customers. Good says its technology serves more than 6,200 companies.
In the first quarter of 2015, 72 percent of all smartphones activated globally ran iOS. Compared to 2014’s fourth quarter, that’s a 1 percent decrease. Android device activations, meanwhile, reached 26 percent, increasing 1 percent from the fourth quarter of 2014. Windows Phone activations remained steady at 1 percent, the same as the previous six quarters, said the report.
Apple lost significant ground in the tablet market. In the first quarter of 2015, iPads had an 81 percent market share in activations, down from 92 percent in the year-ago quarter, according to the report. Tablets running Android and Windows increased their market share to 15 percent and 4 percent, respectively. According to Good, Microsoft Surface devices, which Microsoft manufactures, as well as Windows tablets sold by third-party makers, were both in demand.
The iPhone 6 was the most popular smartphone for businesses, comprising 26 percent of all smartphone activations in the first quarter of 2015. The Samsung 5 was the most activated Android smartphone. Together, 28 of the top 30 selling smartphones came from either Apple or Samsung, the report said.
The industries with the most iOS activations were education (83 percent), the public sector (80 percent) and financial services (76 percent), the report said. Android activation was prevalent in the tech (47 percent) and energy (44 percent) industries.
Windows device activations, meanwhile, stood out in the retail and entertainment and media markets. In retail, Windows tablets claimed a 5 percent market share while in the media and entertainment industry, 7 percent of device activations were for Windows Phone.
Juniper Research reckons that cyber breaches will cost industry a whopping $2tn by 2019, or around four times as much as this year.
This is bad news. It suggests either that things will get worse or companies will. Companies already suffer from a lot of losses in terms of face, cash and personnel, and Juniper Research said that they might as well get used to it.
The firm said in a report called The Future of Cybercrime & Security: Financial and Corporate Threats and Mitigation, that some 60 percent of the attacks are on US businesses, but that this will change over time as the international going gets better and the pickings get richer.
The wearables market and the ever present Internet of Things (IoT) do not pose too much of a risk to users and do not seem too attractive to hackers. That is now, however, and the risks are likely to come.
Particularly likely, said the firm, is an increase in ransomware based on personal data shakedowns.
“Currently, we aren’t seeing much dangerous mobile or IoT malware because it’s not profitable,” said the reasonably dismissive report author James Moar.
“The kind of threats we will see on these devices will be either ransomware, with consumers’ devices locked down until they pay the hackers to use their devices, or as part of botnets, where processing power is harnessed as part of a more lucrative hack.
“With the absence of a direct payout from IoT hacks, there is little motive for criminals to develop the required tools.”
We were treated to a look at the ransomware threat this week when we reported on hackers making use of the Breaking Bad phenomenon to separate Australians from their hard earned dollars.
Here the threat made itself known, and made its presence felt, through the sending of tainted email attachments, and naturally the advice is to watch out for untrusted links and suspicious content.
USAA, a San Antonio, Texas-based financial institution serving current and former members of the military, is researching the underlying technology behind the digital currency bitcoin to help make its operations more efficient, a company executive said.
Alex Marquez, managing director of corporate development at USAA, said in an interview that the company and its banking, insurance, and investment management subsidiaries hoped the “blockchain” technology could help decentralize its operations such as the back office.
He said USAA had a large team researching the potential of the blockchain, an open ledger of a digital currency’s transactions, viewed as bitcoin’s main technological innovation. It lets users make payments anonymously, instantly, and without government regulation.
The blockchain ledger is accessible to all users of bitcoin, a virtual currency created through a computer “mining” process that uses millions of calculations. Bitcoin has no ties to a central bank and is viewed as an alternative to paying for goods and services with credit cards.
“We have serious interest in the blockchain and we think the technology would have an impact on the organization,” said Marquez. “The fact that we have such a large group of people working on this shows how serious we are about the potential of this technology.”
USAA, which provides banking, insurance and other products to 10.7 million current or former members of the military, owns and manages assets of about $213 billion.
Marquez said USAA had no plans to dabble in the bitcoin as a currency. Its foray into the blockchain reflects a trend among banking institutions trying to integrate bitcoin technology into their systems. BNY Mellon and UBS have announced initiatives to explore the blockchain technology.
Most large banks are testing the blockchain internally, said David Johnston, managing director at Dapps Venture Fund in San Antonio, Texas. “All of the banks are going through that process of trying to understand how this technology is going to evolve.”
“I would say that by the end of the year, most will have solidified a blockchain technology strategy, how the bank is going to implement and how it will move the technology forward.”
USAA is still in early stages of its research and has yet to identify how it will implement the technology.
In January this year, USAA invested in Coinbase, the biggest bitcoin company, which runs a host of services, including an exchange and a wallet, which is how bitcoins are stored by users online.
In April, Chrome accounted for 25.7% of the total browser user share, according to Web analytics vendor Net Applications. User share is a rough estimate of the percentage of the world’s online users who ran a specific browser during a given month, and is tracked by the California metrics firm using visitor tallies to its customers’ websites.
Chrome grew its share by seven-tenths of a percentage point from March’s just-under-25%.
Mozilla’s Firefox reached that milestone in November 2009, when its Net Applications-measured user share was a few hundredths of a percentage point over 25%. Firefox held onto that for a month, dipped under the mark, regained it in March and April 2010, when it peaked at 25.1%. After that, it went into a more or less permanent decline.
Firefox averaged a user share of just 11.7% in April, losing ground last month after it had gained some in March.
Mozilla’s position in the browser space has become increasingly tenuous. In the last 12 months, Firefox has lost more than 5 percentage points, or a decline of 32%. Because the browser war is a zero-sum game, when Firefox lost — as did Microsoft’s Internet Explorer (IE) to a lesser extent — someone had to win. The biggest winner has been Chrome, which has added 7.8 percentage points in the past year, representing an increase of 47%.
Chrome’s user share future looks as bright as Firefox’s looks dark. Using trends of the last 12 months, Computerworld projects that Chrome will break the 30% bar in November, and that Firefox will fall under 10% in August. (The projections are just that: Browsers rarely gain or lose share in a linear fashion; they’re more likely to move in fits and starts.)
At 25.7%, Chrome still lagged far behind the perennial leader, IE: Microsoft’s browser accounted for 55.8% of all browsers used in April.
For at least five years, and probably longer, Linux and BSD servers have been used as spam machines thanks to a backdoor caused by a security flaw.
ESET researchers have found that the spammers are connected with a software company called Yellsoft, which sells DirectMailer, a “system for automated e-mail distribution” that allows users to send out spam.
The spammers were careful. They didn’t constantly infect new machines, and did not insist that the infected machines blast out spam all the time. In short, they operated under the radar.
ESET discovered the malware on a server that was blacklisted for sending spam, and dubbed it Mumblehard. After analyzing it, the researchers found that it has several distinct components: a generic backdoor that contacts its C&C server and downloads the spammer component, and a general-purpose proxy.
Mumblehard’s components were mainly Perl scripts encrypted and packed inside ELF binaries, which is uncommon and more complex than the average server threat.
The weakness in the software was that the backdoor always and repeatedly tries to contact all of the 10 C&C domains listed in its configuration file. ESET took control of one of them (its registration had expired), which allowed them to monitor the activity of the infected hosts between September 19th 2014 and April 22nd 2015.
The number of infected hosts slowly decreased, but it increased again from time to time. The operators are initiating discrete waves of server infection rather than spreading in a continuous fashion.
The addresses of the C&C servers hardcoded in the Mumblehard samples were what led the researchers to Yellsoft.
DirectMailer is written in Perl and runs on UNIX-type systems, much like Mumblehard. The pirated DirectMailer copies contain the Mumblehard backdoor, and when users install them, they give the operators a backdoor to their servers, allowing them to send spam from and proxy traffic through them.
But what is worrying is that Mumblehard operators have been active for many years without disruption.
Mumblehard is also installed on servers compromised via Joomla and WordPress exploits, and ESET has urged administrators to check whether their servers have been hit.
451 Research has revealed that proprietary cloud offerings are currently more cost effective than OpenStack.
The Cloud Price Index showed that VMware, Red Hat and Microsoft all offer a better total cost of ownership (TCO) than OpenStack distributors.
The report blames the shortfall on a lack of skilled OpenStack engineers, leading to a high price for employing them.
Commercial solutions run at around $0.10 per virtual machine hour, compared with $0.08 for OpenStack, but going commercial is cheaper when labour and other external factors are taken into account.
The report claimed that enterprises could hire an extra three percent of staff for a commercial cloud rollout and still save money.
“Finding an OpenStack engineer is a tough and expensive task that is impacting today’s cloud-buying decisions,” said Dr Owen Rogers, senior analyst at 451 Research.
“Commercial offerings, OpenStack distributions and managed services all have their strengths and weaknesses, but the important factors are features, enterprise readiness and the availability of specialists who understand how to keep a deployment operational.
“Buyers need to balance all of these aspects with a long-term strategic view, as well as TCO, to determine the best course of action for their needs.”
Enterprises need to consider whether they may end up locked into a proprietary feature which could then go up in price, or whether features may become decommissioned over time.
451 Research believes that this TCO gulf will narrow in time as OpenStack matures and the talent pool grows.
The research also suggests that OpenStack can already provide a TCO advantage over DIY solutions with a tipping point where 45 percent of manpower is saved by doing so. The company believes that the ‘golden ratio’ is 250 virtual machines per engineer.
OpenStack’s next major release, Kilo, has just been released, and Ubuntu and HP are the first to incorporate it.
Red Hat and Ubuntu are major contributors to the OpenStack code, in addition to their proprietary products, along with HP as part of its Helion range.
Valve is no stranger to its ventures having a somewhat rocky start. Remember when the now-beloved Steam first appeared, all those years ago? Everyone absolutely loathed it; it only ever really got off the ground because you needed to install it if you wanted to play Half-Life 2. It’s hard now to imagine what the PC games market would look like if Valve hadn’t persisted with their idea; there was never any guarantee that a dominant digital distribution platform would appear, and it’s entirely plausible that a messy collection of publisher-owned storefronts would instead loom over the landscape, with the indie and small developer games that have so benefited from Steam’s independence being squeezed like grass between paving stones.
That isn’t to say that Valve always get things right; most of the criticisms leveled at Steam in those early days weren’t just Luddite complaints, but were indeed things that needed to be fixed before the system could go on to be a world-beater. Similarly, there have been huge problems that needed ironing out with Valve’s other large feature launches over the years, with Steam Greenlight being a good example of a fantastic idea that has needed (and still needs) a lot of tweaking before the balance between creators and consumers is effectively achieved.
You know where this is leading. Steam Workshop, the longstanding program allowing people to create mods (or other user-generated content) for games on Steam, opened up the possibility of charging for Skyrim mods earlier this month. It’s been a bit of a disaster, to the extent that Valve and Skyrim publisher Bethesda ended up shutting down the service after, as Gabe Newell succinctly phrased it, “pissing off the Internet”.
There were two major camps of those who complained about the paid mods system for Skyrim; those who objected to the botched implementation (there were cases of people who didn’t own the rights to mod content putting it up for sale, of daft pricing, and a questionable revenue model that awarded only 25% to the creators), and those who object in principle to the very concept of charging for mods. The latter argument, the more purist of the two, sees mods as a labour of love that should be shared freely with “the community”, and objects to the intrusion of commerce, of revenue shares and of “greedy” publishers and storefronts into this traditionally fan-dominated area. Those who support that point of view have, understandably, been celebrating the forced retreat of Valve and Bethesda.
Their celebrations will be short-lived. Valve’s retreat is a tactical move, not a strategic one; the intention absolutely remains to extend the commercial model across Steam Workshop generally. Valve acknowledges that the Skyrim modding community, which is pretty well established (you’ve been able to release Steam Workshop content for Skyrim since 2012), was the wrong place to roll out new commercial features – you can’t take a content creating community that’s been doing things for free for three years, suddenly introduce experimental and very rough payment systems, and not expect a hell of a backlash. The retreat from the Skyrim experiment was inevitable, with hindsight. With foresight, the adoption of paid mods more broadly is equally inevitable.
Why? Why must an area which has thrived for so long without being a commercial field suddenly start being about money? There are a few reasons for the inevitability of this change – and, indeed, for its desirability – but it’s worth saying from the outset that it’s pretty unlikely that the introduction of commercial models is going to impact upon the vast majority of mod content. The vast majority of mods will continue to be made and distributed for free, for the same reasons as previously; because the creator loves the game in question and wants to play around with its systems; because a budding developer wants a sandbox in which to learn and show off their skills to potential employers; because making things is fun. Most mods will remain small-scale and will, simply, not be of commercial value; a few creators will chance their arm by sticking a price tag on such things, but the market will quickly dispose of such behaviour.
Some mods, though, are much more involved and in-depth; to realise their potential, they impact materially and financially upon the working and personal lives of their creators. For that small slice out of the top of the mod world, the introduction of commercial options will give creators the possibility of justifying their work and focus financially. It won’t make a difference at all to very many, but to the few talented creative people who will be impacted, the change to their lives could be immense.
This is, after all, not a new rule that’s being introduced, but an old, restrictive one that’s being lifted. Up until now, it’s effectively been impossible to make money from the majority of mods. They rely upon someone else’s commercial, copyrighted content; while not outright impossible technically, the task of building a mod that’s sufficiently unencumbered with stuff you don’t own for it to be sold legally is daunting at best. As such, the rule up until now has been – you have to give away your mod for free. The rule that we’ll gradually see introduced over the coming years will be – you can still give away your mod for free, but if it’s good enough to be paid for, you can put a price tag on it and split the revenue with the creator of the game.
That’s not a bad deal. The percentages certainly need tweaking; I’ve seen some not unreasonable defences of the 25% share which Bethesda offered to mod creators, but with 30% being the standard share taken by stores and other “involved but not active” parties in digital distribution deals, I expect that something like 30% for Steam, 30% for the publisher and 40% for the mod creator will end up being the standard. Price points will need to be thrashed out, and the market will undoubtedly be brutal to those who overstep the mark. There’s a deeply thorny discussion about the role of F2P to be had somewhere down the line. Overall, though, it’s a reasonable and helpful freedom to introduce to the market.
It’s also one which PC game developers are thirsting for. Supporting mod communities is something they’ve always done, on the understanding that a healthy mod scene supports sales of the game itself and that this should be reward enough. By and large, this will remain the rationale; but the market is changing, and the rising development costs of the sort of big, AAA games that attract modding communities are no longer being matched by the swelling of the audience. Margins are being squeezed and new revenue streams are essential if AAA games are going to continue to be sustainable. It won’t solve the problems by itself, or overnight; but for some games, creating a healthy after-market in user-generated content, with the developer taking a slice off the top of the economy that develops, could be enough to secure the developer’s future.
Hence the inevitability. Developers need the possibility of an extra revenue stream (preferably without having to compromise the design of their games). A small group of “elite” mod creators need the possibility of supporting themselves through their work, especially as the one-time goal of a studio job at a developer has lost its lustre as the Holy Grail of a modder’s work. The vast majority of gamers will be pretty happy to pay a little money to support the work of someone creating content they love, just as it’s transpired that most music, film and book fans are perfectly happy to pay a reasonable amount of money for content they love when they’re given flexible opportunities to do so.
Paid mods are coming, then; not to Skyrim and probably not to any other game that’s already got an established and thriving mod community, but certainly to future games with ambitions of being the next modding platform. Valve and its partners will have to learn fast to avoid “pissing off the Internet” again; but for those whose vehement arguments are based on the non-commercial “purity” of this corner of the gaming world, enjoy it while it lasts; the reprieve won this week is a temporary one.