Joel on Software discussion
I found a torrent containing a version of our software along with a license key. The license key was sold to one of our customers in the UK (we are in the US). I downloaded the torrent myself and recorded the IP addresses of the 31 peers in the torrent. I'd like to do something... I know I can't stop piracy, but I have the name and address of the customer who bought this key 8 months ago as well as IP addresses at a known date & time. Thoughts?
Anon Thursday, November 29, 2007
Ban the key in the next patch, send your customer a letter telling them why you did it (with, I should stress, a new key), and forget about it.
Just let it go. You really have nothing to gain from pursuing it and you could actually even lose if you start making accusations. Are you 100% sure that this person leaked the key? Isn't it possible that a cracker just deduced a valid key which just happens to match one that was sold to somebody? As Patrick said just ban the key in the next version. I personally wouldn't even send them a letter or a new key. Let them come to you if they have a problem. Then you can mention to them why the key was banned and give them a new key if necessary. Chances are you won't ever hear from them again anyway. Now if it was sold to a business with deep pockets then it would be a different story. Especially if you had some sort of contract with them.
anon Thursday, November 29, 2007
this is useless... forget about it, there's absolutely nothing you can do.
Totally Agreeing Thursday, November 29, 2007
There is no possible way they came up with the key on their own as this is a public/private key system with enough bits to make that impossible. It IS possible that the customer's laptop was stolen or similar of course. Our product needs internet access to fully work and we are considering sending an encrypted form of the key to us when making requests of our server. This way we can block the usefulness of keys here. I don't really like phone-home software but this would be a bit different in that it'd work if it could not reach us, but if it did reach us it could not work for that session.
Anon Thursday, November 29, 2007
I would send them an email saying that you will have to issue them another key as theirs has leaked onto the internet. Make it sound like you are sorry for the inconvenience and make no accusations. If it was an accident then they will feel bad and no doubt apologise, if they did it on purpose they will know you are onto them and they are unlikely to do it again.
This happened to me a couple of years ago. A customer had leaked a license file. My registrations suddenly dropped and I didn't know why. Then I thought, maybe, just maybe... I searched astalavista and bang! It was on there :-/ Then I immediately created a new version that used a 'blacklist', where I could add leaked licenses. I released and uploaded it to all download sites, but the damage was done... I also mailed the user but there is nothing really you can do about it. Just create a new version and release ASAP. Regarding the phone home, personally I don't use that software. If I see that an application is trying to connect to the web without need to connect (no network app, no update functionality, etc.) then I uninstall it and switch to another product. BUT I am actually looking at a good way to protect my new software for these leaks, but how? Phone home seems to be the best way to do this...
Our app IS a network app - it needs to contact our server for a core function and users understand this as it deals with real time data. So we could embed their key in requests (we don't currently) and block functionality of blacklisted keys.
Anon Thursday, November 29, 2007
This is where internet activated license key helps: Each license key will be entitled to x number of activations and each time it has to go through your server (directly or indirectly). With this you can be sure no license key that you issue will be out-of-control without your server knowing, and simply blacklist it server-side. The downside is activation over the internet can be PITA for users with no quick or accessible internet connection when they need to activate. Chasing after pirates is not going to help at all IMHO.
"I found a torrent containing a version of our software along with a license key. The license key was sold to one of our customers in the UK (we are in the US)." I'd guess there are 3 things you could do. The first two have already been covered. The third would be to give me his address, and Mr Brice and myself will pay him a visit and....erm...explain your concerns. :¬)
Getting slightly off-topic, but I think that 'phone home' is the only way to go to be sure you're not getting stiffed. These days (and in the coming years) internet access is - or will be - so prevalent that people won't mind your app phoning home when you install it. As long as you make it clear before downloading that the app will do this during the install. Depending on your target market, there's a good chance they won't even know it's doing it, much less care (although, in my opinion, your app should tell the user). If the user doesn't have internet access, provide some way of registering via email. But I'm betting that 90% of people would allow 'phone home', it's only geeks like us that get nervous. Getting back on topic, there is absolutely nothing useful you can do with the IP addresses, other than get a rough geographic area of the downloader. You'll never get any more info than that from an ISP without police intervention. The folks above give good advice on what to do.
Carp Thursday, November 29, 2007
Sorry to the OP for taking this off-topic..but Oooohhh yes please...+1 for Tim and Andy paying a visit and take your friend 'Mr Sledgehammer' Of course I am not condoning any form of violence.. but gee, I can smell a new "Reality TV" series in the making.. "When mISVs Strike Back"... why not? Everything else has been done on Reality TV.
Slightly OT but my software is cracked, pirated and so on and so far I've resisted the idea of phone home to register as it bugs me as a user when I buy software. In fact if software requires internet registration I generally won't buy it. Presumably, if I think this then potential customers will think the same. But I am finally considering phone home as a protection mechanism, so has anyone any (even vague) idea as to the actual percentage of their sales lost due to cracks? I can't help feeling that the type of person who goes to the bother of visiting crack sites is generally not going to buy software anyway, and so more robust (inconvenient to the user) protection mechanisms may end up costing you sales. (Clearly this is dependent on your market).
We're dongle-protected (niche market $1000+ cost) and we've had customers say to us they're glad they can "see" it's protected because they don't want to be the only idiots paying for something others can get for free.
Dangle Thursday, November 29, 2007
This only works for B2B. We bind the license key to their company name. We then use that name in several places on the reports, on the title page and in the footer of every page. No real company wants another company's name on their reports.
Adrian Thursday, November 29, 2007
You might find it gets charged back; every time I've had a key get leaked it's turned out the order was placed with a stolen credit card.
+1 Adrian. Encoding the customer name sounds like the way to go. If you don't mind issuing long license keys, you should be able to use this for B2C as well by encoding(!) the buyer's name in the license key, and then have your SW decode and display it. Sure, this could be hacked as well, but at least it might deter the majority from giving out license keys to friends and foes?
Henrik Thursday, November 29, 2007
Henrik, like Tony says they use a fake name and stolen credit card to get the key, so that won't deter much.
Bob Thursday, November 29, 2007
In one of my products I include a date stamp in the license key and only allow it to be used for 14 days from the date of issue. If it gets out into the wild its useful life is very short. Of course this creates problems for legit customers, but so do all software protection schemes.
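The server-side checks raised in this thread (blacklisting a leaked key, a per-key activation limit, and a 14-day window counted from the issue date embedded in the key), as an added example that is not part of any post or any poster's product. The names `issue_key` and `LicenseServer`, the demo secret and the limit of 3 activations are assumptions; an HMAC tag stands in for the public/private-key scheme mentioned earlier, which is sound here only because verification happens on the vendor's server, and the 14-day rule is read as limiting new activations so that already-activated machines keep working.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timedelta, timezone

SECRET = b"constructed-demo-secret"      # assumption: held only by the licensing server
ACTIVATION_WINDOW = timedelta(days=14)   # new machines may activate for 14 days after issue
MAX_ACTIVATIONS = 3                      # assumption: the "x activations" allowed per key

def _tag(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).digest()[:16]

def issue_key(customer: str, issued: datetime) -> str:
    """Key = base64(JSON with buyer name and issue date) + "." + base64(HMAC tag)."""
    payload = json.dumps({"name": customer, "issued": issued.isoformat()}).encode()
    enc = base64.urlsafe_b64encode
    return enc(payload).decode() + "." + enc(_tag(payload)).decode()

class LicenseServer:
    def __init__(self):
        self.blacklist = set()    # decoded payloads of keys the vendor has seen leaked
        self.activations = {}     # decoded payload -> machine ids already activated

    def revoke(self, key: str) -> None:
        # Identity is the decoded payload, so a re-encoded copy of the key still matches.
        self.blacklist.add(base64.urlsafe_b64decode(key.split(".")[0]))

    def check(self, key: str, machine_id: str, now: datetime):
        """Run on every request that carries the key; returns (allowed, reason)."""
        try:
            p64, t64 = key.split(".")
            payload, tag = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(t64)
            if not hmac.compare_digest(tag, _tag(payload)):
                return False, "bad tag"
            info = json.loads(payload)
            issued = datetime.fromisoformat(info["issued"])
        except (ValueError, KeyError):
            return False, "malformed key"
        if payload in self.blacklist:         # a leaked key stops working at once
            return False, "blacklisted"
        machines = self.activations.setdefault(payload, set())
        if machine_id in machines:            # machine activated earlier keeps working
            return True, "licensed to " + info["name"]
        if now - issued > ACTIVATION_WINDOW:  # a key surfacing months later is useless
            return False, "activation window expired"
        if len(machines) >= MAX_ACTIVATIONS:
            return False, "activation limit reached"
        machines.add(machine_id)
        return True, "licensed to " + info["name"]
```
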
Have you seen Jay and Silent Bob Strike Back? Not Kevin Smith's best by a long shot, but entertaining after you've had a few beers. At the end of the movie, the dynamic duo print off a list of everybody who criticized them on a message board, pay each of them a visit, and kick the s*** out of them. You already have the guy's name and address details from when he bought the product, and it would certainly make for an amusing video to post to YouTube.
Even if people use stolen credit cards and false names to buy a key then give it away on the internet, displaying the name prominently at startup will at least be a small reminder to the people downloading that key that they didn't actually pay for it. It doesn't prevent anything, but is a subtle way to induce a little guilt. Sure, prevent piracy if you can, but make sure that every pirate who gets around you is at least doing some marketing for you while you try to figure out another anti-piracy technique. Also, get the legal demo version of your app onto BitTorrent ASAP - if it's popular you'll get bandwidth savings, and people searching for your app will find the legal demo there doing its marketing job. Even if 99% ignore it and download the illegal version you're still a little better off, which is better than nothing. Every time we have this discussion people whinge that piracy is bad, as if they're the first person on the planet to notice the problem. The real question is whether you're going to hide under your desk from the mean nasty pirates or if you'll take the lemons they're throwing at you and sell them some lemonade. Another half-assed half-baked thought: node-locking annoys every paying customer who needs to replace their PC when they buy the latest version of Windows, but if the node-locking expires after 6 months then the vast majority of the problems (esp. the need to get a new license even if the vendor has gone out of business) effectively disappear, but the trick of buying a version then immediately giving it away doesn't work so well. At any time, only the customers who purchased within the last 6 months are a concern, but pirates need to wait for 6 months then remember to upload it. (In the real world they're just going to defeat your protection code faster than that, of course, but I never said you could actually win.) Thursday, November 29, 2007
This is just an off-the-wall idea, but if the ISP of the place where you found this posted is in the US, could you send them a DMCA 'take-down' notice alleging copyright infringement?
DJ Clayworth Friday, November 30, 2007
