* The Business of Software

A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.

We're closed, folks!

Links:

» Business of Software FAQ
» The Business of Software Conference (held every fall, usually in Boston)
» Forum guidelines (Please read before posting!)

Moderators:

Andy Brice
Successful Software

Doug Nebeker ("Doug")

Jonathan Matthews
Creator of DeepTrawl, CloudTrawl, and LeapDoc

Nicholas Hebb
BreezeTree Software

Bob Walsh
host, Startup Success Podcast author of The Web Startup Success Guide and Micro-ISV: From Vision To Reality

Patrick McKenzie
Bingo Card Creator

Me vs Crackers

I'm sorry to be a little smug, but I just did my periodic check of warez sites.  Since adding my anti-cracking code and stronger licensing (2 years ago) STILL no one has cracked my stuff (and I know people are searching for cracks because I'm in the 'recent searches' area on a number of warez sites).  And the icing on the cake--both of my major competitors HAVE been cracked!

I know this has been debated a thousand times, but _I_ think it DOES make a difference to add some security.  Just don't go overboard (I'd estimate I spent 3 solid days on it).

Excuse me now so I can go make my knuckles bleed with all of the knocking on wood I need to do :)
anon for obvious reasons
Thursday, July 13, 2006
 
 
"And the icing on the cake--both of my major competitors HAVE been cracked!"

Just a silly question: What benefit have you to this fact?

I understand that it makes you smile, but in fact, that your competitors were being cracked dont makes you earn more money, is it? Except that the cracking was so severe that they were out of business.

thanks
Francesc, from hot Barcelona Send private email
Thursday, July 13, 2006
 
 
If they wanted or needed to crack it..they would.
Dan Hirsch Send private email
Thursday, July 13, 2006
 
 
I agree with the OP, adding security does decrease the possibility (and frequency) of being cracked.

"both of my major competitors HAVE been cracked!"

This means that people are using your competitors applications (for free) and not using yours.  That's perhaps worse than simply having your application cracked.
Almost H. Anonymous Send private email
Thursday, July 13, 2006
 
 
Agreed.  Your competitors being cracked is not something to smile about.  That means they are not paying YOU either.  Software developers should take a united stand against cracking, none of this, "at least it wasn't me" attitude.
blow the whistle on crackers
Thursday, July 13, 2006
 
 
it's true.  Crackers may not be paying him, but it's a negative for his competitor and if it got severe enough, could directly effect profits.
Justin Silverton Send private email
Thursday, July 13, 2006
 
 
I am fighting against crackers too.

From my experience, getting cracked and having the crack spread can lower the income from the cracked product by 30% or more.

What do I mean by a spreaded crack? Well, a crack that is on an obscure site few people visit doesn't damage our income.

However, if the crack spreads to warez forums visited by 10000s of users, it starts to have an effect on the income.

If the crack is easily findable using Google or Google Groups, then the income drops by 30-35%.

So, it's worth fighting against cracks.


In order to do this, I recommend the following actions:


1. Unless you are a protection expert and know a lot about assembly language programming, debugging and cracking, use a strong off-the-shelf protection such as Armadillo, Software Passport or ASProtect.

If you are not a protection expert, the protection code you can write is much weaker than that offered to you by a profesionally written protection.


2. Harden your protection. If you use an off-the-shelf tool like Armadillo, Software Passport or ASProtect, add your own protection code so now the protection is made of a standard part (Armadillo) AND a custom part (your code).

This can make the difference between the program getting cracked in 2 days after the release and the program getting cracked in 2 months after the release.

Significant revenue loss can be avoided this way.


3. Release often, so even if a crack appears for version 4.12, you already have the version 4.15 on the market, so the crack doesn't work anymore.

Also, for minor bugfixes don't change the version number, so the crack users aren't aware of the version change. The crack won't work and they won't know why.

You may say that some cracks are generic and can search for code patterns and adapt even if you add something to the program and recompile. This is true in some cases, but if you use a strong protection such as ASProtect, Armadillo or Software Passport, it is a lot harder for the crackers to create such a crack, so it won't exist.

If you release a new version every few months, even such an adaptable crack won't work after half a year or so, .


4. Watch the cracking sites AND your website logs. In your website logs you will often see referers containing cracks for your programs.

Do not test cracks on your development machine! They often install adware or spyware! Use a VMWare virtual machine or a separate computer!


5. When you find a crack that works on the latest version, try to do something to make the crack not work anymore. Add something to your program and recompile. If the crack still works after that, improve your protection so the crack doesn't work anymore. This can mean a simple CRC on your executable stored in the registry by the installer, for example - you can add this in 10 minutes if you are an experienced developer.

If you notice a competitor's program getting cracked, announce them and give them an URL to the crack, because if they fix the problem, it also helps you - the customer looking for a solution for their problem won't be able to find a cracked solution, and so they will buy a solution, and that may be your program.
Jericho
Thursday, July 13, 2006
 
 
Congrats anon.

Silly arguments here. If his competitors are getting cracked that means they are not earning income from the product. Unless they are huge corporations and this is a loss leader for them, that means that they will decide there is not much demand and not keep the product up to date. This provides anon with an opportunity to take over the market.
Scott
Thursday, July 13, 2006
 
 
People spend months developing new products and then don't spring $150 for Armadillo to protect their business.

Madness!
Adam M(UK) Send private email
Thursday, July 13, 2006
 
 
We upgraded our licensing scheme too. It uses a number of cryptographic techniques that should be unbreakable. That frustrated the crackers for a while. They now just buy licenses using stolen credit card details and make the keys available on warez sites.
anon
Thursday, July 13, 2006
 
 
anon - if you want to get around that you need to issue a temporary key, followed up with a permanent key later.

+1 to the Armadillo vote.  Makes all this boring licensing stuff really easy.
MB Send private email
Thursday, July 13, 2006
 
 
If they buy serials and then share them, just add them to the blacklist of serials in your app, so they don't work in the latest version.

Coupled with a "release often" policy this can effectively limit the spreading of working cracks.

Online activation can also foil this - they may share the serials but a serial is only good for 10 activations, so sharing it doesn't do much damage.
Jericho
Thursday, July 13, 2006
 
 
"and then don't spring $150 for Armadillo to protect their business."

"SoftwarePassport protects software by wrapping it in an armored digital "security envelope," preventing unauthorized changes to the software and keeping prying electronic eyes out of your code. It also gives you a complete ready-made registration system with keys that cannot be forged, if you choose to use it. As an added bonus, SoftwarePassport compresses your program, usually making it smaller and often faster to load, and adds other abilities as well, such as automatic network licensing. It's easy to use, requires no changes to your program, and works with any language that produces 32-bit Windows EXE files."

That, my friends, is called a sales pitch!  Binary data is binary data is binary data.  Anyone with the skills can trace and single step byte code in a debugger no matter what it is doing.  Some of the more clever folks are using VMs but that's not necessary.

They couldn't even protect the XBox which had hardware encryption and signed CDs; crackers gave us mod-chips.

Stop fooling yourselves.
Anon.For.This.One
Thursday, July 13, 2006
 
 
Yes, anything can be cracked.  However, the harder it is, the fewer will make the attempt and the longer it will take the experts.  And if you release often as was stated above, eventually it just isn't worth the effort to the experts and they'll spend their time elsewhere.  It DOES make a difference.
Doug Send private email
Thursday, July 13, 2006
 
 
Totally with you on this Doug.  I can't understand Anon.For.This.One's take on this. 

Is he saying compile and ship fresh from the ide? As an micro ISV or or even and ISV charging for your product, that would just be plain irresponsible.  Possible or impossible you owe it to yourself to protect your investment of time and money. 

Obviously no one is advocating going overboard and spending an innordiate amount of time and money on protection but for the love of God, you absolutely must make an effort or these crack artists will take food from your childrens' mouths.
beltandbraces
Thursday, July 13, 2006
 
 
Jericho > In order to do this, I recommend the following actions:

Since you seem to know a lot about cracking, you might want to write an article on your web site so fellow developers don't have to reinvent the wheel.
Fred
Thursday, July 13, 2006
 
 
"Also, for minor bugfixes don't change the version number, so the crack users aren't aware of the version change. The crack won't work and they won't know why."

I'm not sure I see the point of this particular tactic. It seems like it would do more harm than good.
TheDavid
Thursday, July 13, 2006
 
 
Jericho - you got some good points, especially about watching out for your competitors. This is a strategic view that recognizes software theft affects the entire marketplace not just a single product or company. Plus it gives you some good karma points.
Blah
Thursday, July 13, 2006
 
 
"I know this has been debated a thousand times, but _I_ think it DOES make a difference to add some security."

You don't have to speculate; if you release the crack yourself, you'll know exactly what it does!  Who knows, maybe your "crack" registers its user on your website, and then emails the BSA with a confession? ;)
Chris Marshall Send private email
Thursday, July 13, 2006
 
 
TheDavid > "Also, for minor bugfixes don't change the version number, so the crack users aren't aware of the version change. The crack won't work and they won't know why." I'm not sure I see the point of this particular tactic. It seems like it would do more harm than good.

Au contraire, it's a good solution: Most people will give up looking for cracks when they tried twenty different cracks that are all supposed to remove the protection on the trialware they downloaded... and pull out their Visa to buy a legit license. Those who won't just aren't really interested in the software anyway.
Fred
Thursday, July 13, 2006
 
 
>> "Also, for minor bugfixes don't change the version
>> number, so the crack users aren't aware of the
>> version change. The crack won't work and they
>> won't know why."

> I'm not sure I see the point of this particular tactic. It > seems like it would do more harm than good.

This practice is called "slipstreaming" and has been along since the times of WordPerfect.

The point is that many existing cracks will stop working. The crack users will often think that the crackers are incompetent or that the software protection simply can't be defeated.
Jericho
Thursday, July 13, 2006
 
 
That's great.  You should sell your expertise to Microsoft, because they'ld probably pay several million dollars for your uncrackable protection - you'ld be an overnight millionaire. No, seriously, what exactly is it that you know that noone at Microsoft has worked out yet?

Of course, the reality is that 3 days of work and no cracks is a good investment of time, but I'ld suspect that factors other then your superior skills may also be involved.

Only idiots say that all anti-copying protection is bad. Smart people suggest a balance between effort spent and benefit gained.

Incidentally, you're apparantly anon for "obvious" reasons, but aside from fear that someone reading here could easily crack your software just to prove that it can be done, what other reasons would there be to fear publicity of software that we allegedly couldn't steal if we wanted to? Maybe I'm slowe, but what is the "obvious" reason I'm missing?

Thursday, July 13, 2006
 
 
Staying anon because I don't want to _invite_ everyone to try, because as it was said above, EVERY piece of software can be cracked with enough time and talent applied to it.  It's possible I've been lucky (security through obscurity), but one of my other products that I'm still selling was cracked, so I know I'm on the radar.

As an aside, having your software cracked and then put on the 0day websites (among others) does wonders for your Alexa rankings :)
anon for obvious reasons
Thursday, July 13, 2006
 
 
The company I work for has a great strategy against cracking:  The software is so shitty that people NEED the latest release, and when they call to get it, we verify their license code.
Totally Anon For This
Friday, July 14, 2006
 
 
" The company I work for has a great strategy against cracking:  The software is so shitty that people NEED the latest release, and when they call to get it, we verify their license code."

Microsoft?
~Eric
Friday, July 14, 2006
 
 
No!  I was not advocating not protecting one's work.  I was speaking out against spending $150 for software [Armadillo] that promises to protect me.

NOTE: Armadillo is already known and been dealt with in underworlds.

I advocate the self created security measures and changing them often.

And I just don't understand why this issue is so freakin hard for some developers to comprehend.  The logic or should I say illogic of some of these posts simply escapes me.
Anon.For.This.One
Friday, July 14, 2006
 
 
As long as users own their computers, your copy protection can always be defeated.  Always.

Making users enter a serial number when the demo expires is probably the greatest return on investment.  It gets honest people to pay up.  Everything else is just diminishing returns.
Michael B
Friday, July 14, 2006
 
 
Personally I consider minimalistic selfcreated antipiracy methods. I did consider ignoring the potential of cracking, but after these discussions I'm inclined to do something to prevent it.
I have one question though.
What if program doesn't work correctly with a crack do those people assume?
A) Program is buggy.
B) Crack is buggy.
This is especially important if people use cracked version as a evaluation of real thing. And most people who use cracked version haven't used a real one.
The problems maybe small enough for people not distincting the A from B.
Jouni Osmala Send private email
Saturday, July 15, 2006
 
 

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics
 
Powered by FogBugz