There is still a single authentication, they are just (in this hypothetical) encrypting the decryption key a second time.
This in no way shape or form eliminate the possibility of cracking it because everyone KNOWS their own CDKey so decrypting that is absolutely trivial.

I am saying its god awful because its ineffective DRM. There is DRM advantage of using the cdkey to encryption on the fly the regular key for each person when you could just use some generic security instead.

The generic security is harder to crack because the key it uses to encrypt the key is not known to the user (users know their own CDKey) and it also takes a fraction of the computation resources (meaning leaner and cheaper servers)

Using public-private encryption to encryption the transmission of the module decryption key rather then a partial CDkey to full CDkey lookup table eliminates both those issues and is thus far far more effective.

Look it another way.
Client is transmitting fragment of cdkey
Server is looking up full cdkey using fragment (searches through entire list!)
Server encodes using full cdkey, sends to client
Client decodes using full cdkey

This process means that a man in the middle who DOES NOT know the FULL cdkey does not get to snoop it since the cdkey is never transmitted in full. It assumes the private-public encryption is broken (or uses it as well so its triple encrypted) and someone is listening and trying to intercept the key. However, there is no such man in the middle, any cracker ALREADY KNOWS his own full CDKEY and the government isn't going to try to steal your NWN cdkey.

Also, its not as secure as you might think because having part of the key vastly reduces the number of guesses you would have to make when using brute force cracking. This makes the effective length of the key as if it was full length - length of partial (even less if the full length and partial length are fixed numbers or fixed location... aka its always the first 20 of 25 digits... then you don't need to bother with 1-4 and 6+... only look for a 5 digit code and treat the rest as KNOWN salt)

Guys why still quarreling? You are not developers :S

EDIT: Never mind, I'm dumb. I finally have a full grasp on what is going on here. Ignore.

No , still not fixed and we are waiting for official reply .

Hm, I suspect this is gonna take a while, since GOG probably need to explain the situation to Atari or Hasbro (or both) and wait for an answer. :/

Cracking a game with a static generic authentication is routine. You don't need to decrypt it. You just need to duplicate it. That's why the premium mods tied the authentication encryption to the cd key and why most games use some other "random" constant.

Sure... it makes it easier to decrypt your own authentication, but why would you bother cracking an authorization that's valid anyway? The idea isn't to keep people from decrypting their own authorization. That authorization is only good for what? Five installs? The idea is to keep people from being able to build a single crack that can emulate an authorization for any cd key.

Also, just FYI, the last five or six characters of your CD key are not a secret. Any time you visit a server that information is given to the server admins so we can use it to ban troublemakers.

Unfortunately that's a HUGE deal. Hasbro owns the IP rights and Atari owns the code. These companies hate each other. Hasbro is still angry about Atari's abuse of the DnD license when they had it. They have not forgotten all the time and money they spent on the bitter lawsuit that followed and they are trying to promote 4.0 DnD by killing anything 3.X. They would be happy to see NWN2 die a horrible death.

I think in the end they may have to pull MoW.

It's impossible to get anywhere else, and it's an AWESOME module. If you want it you might need to grab it now and just accept the DRM as a necessary evil.

That bad, huh? Ah well, I guess we should be thankful for the simple fact that GOG was able to get the game (and the other D&D games) at all. I'm not giving up hope for a DRM-free MoW just yet, but I think I did the right thing when I insta-bought this. :/

Yeah :/ Maybe we made a miskate :/ Same day I bought Strike Suit Zero . It's really DRM-free . I enjoyed for this . But when I heard MoW is not DRM-free I shocked . And now 2 weeks passed you opened this topic and still not solved . My hopes are nearly lost :/

Unbelievable. GOG, you guys have been great, but EPIC FAIL on this one.......

Fail perhaps, but "epic" seems a little harsh. The GoG guys can't reasonably be expected to catch every nuance of every game every time, especially when the situation is as convoluted as this one. Most hardcore NWN/DnD fans don't even know that the lawsuit between Atari and Hasbro has been over for months. It was never announced in the press and it wasn't noticed or picked up by any gaming sites. Only a few hardcore business and financial journals noticed and as money news it didn't exactly rate a front page story.

Personally I hope they keep it. Just put a warning on the product description not to install MoW if you don't want the DRM.

I just hope it doesn't take a judge's ruling to get this fixed :(

Whatever the technical details of the DRM, it seems like a distribution detail, and something that the publisher should maintain control of, regardless of ownership of the underlying IP. I'm assuming that Atari made a deal to allow GOG to distribute the game, and that part of the deal was that it would be done without DRM.

Course I am not a lawyer, I *like* having a soul, thank you very much.

So what, crackers are gonna crack. And this is also why I said if you are totally paranoid you could use a superior public-private encryption to transmit the module key rather then sending it unencrypted.
If you are talking about the public-private encryption then:
1. public-private encryption is not routine to crack.
2. Online verification is a whole different beast.
3. Any KNOWN "uniqueness" that is 100% predictable (have the crack read the plaintext file called "nwncdkey.ini" to acquire it) is not in any way shape or form increasing security.

You would bother to crack your own authentication in order to get a copy of the module decryption key so you could package it with an emulated server which then encrypts said generic key using the current CDkey, which is stored in a plaintext file and easily accessible, and subsequently hands it off to the client as if it came from the server.
Aka, it is trivial to bypass and as such this is either NOT "the idea" as you say... OR if it was "the idea" and is simply an utterly stupid implementation of DRM that doesn't work.

And that's assuming that's how it actually works. Because its already proven that:
1. The server must be up and involved in authentication
2. The server is currently authenticating all requests even those from people who never bought it.

You claimed (and I agree) that such a system would have prevented #2 had it been implemented. If Y is agreed upon as being impossible if X and X has been proven to happen then Y isn't happening.
The only possibility of it ever being the system used is if it was one of several options built into the client with the server having ultimate choice on which to use.

You can't choose not to install MoW. It is fully integrated with the game. Same as with MotB and SoZ. The only option is not to play MoW.

+1 for the effort.
Now gog needs to do something about the Westgate thing... lol, westgate, watergate...
or stop advertising themselves as DRM-free, which I doubt is the route they'd happily pick.

Or remove westgate from NWN2 package and Kingmaker from NWN1, which would be a shame.