The Business of Software

I have .NET product that I sell via a website. This morning I received the following email, which to me, sounds like a poor attempt at blackmail...


"
Tunisia December 13th, 2007

Object: Asking for help
Attachment: A zipped code of your application

Dear Sir,

My name is Ramzi gattoussi, I’m a 28 years old man. I was graduated from a high school (My degree was a high technician in administration and communication). Due to joblessness and the fact of losing the possibility to continue my education, I forced myself to gain a high level in computer technology. Now, I have an experience of 5 years in this sector. So, I tried many solutions and programs (Due to the absence of copyrights limits in our county, we have the chance to use any kind of software without any limit). 

In conclusion, I have a good level in programming (Php, Flash and Actionscript, Delphi, Vb, Sql, Vb.Net and C#).  I’m a developer but in a country where the copyrights have no effect. Therefore, I’m asking you to help me by any kind of job in your company and some money to live honourably. And as a result of your help, I will have no need to build a website for commercialising working codes of some good applications like your one (Someone asked me to use the ability of decompiling and reconstruction of application’s codes to get money). Excuse me for sincerity but this is the result of being without a job and having a working brain. In order to convince you, I have joined a zipped file to this email containing a working code. Excuse me another time.

Faithfully, Gattoussi Ramzi
"

With the email was a zip file that contained almost the source code for my product. I say almost because it looks to be auto generated using some decompiler. The code does not actually work properly but is fairly close.

Obviously I have not replied to the email and am not in the least concerned about his threat to start in competition.

Am I right to think this really is blackmail?

Scammers and schemers are everywhere... delete it and move on.

There's nothing in the email itself that says anything specific about your program.

I bet he ran a script with a decompiler against every .net program that he (or another script, perhaps scanning PAD files) could find, and then did a mass email.

It is extortion. You might want to take this as a reason to use an obfuscator with future releases of your program.

If you're in USA then report it, there's a page here http://www.cybercrime.gov/reporting.htm  on how to do so. Most other countries have their own online crime authorities where you could also report it. This way the information about how this scam works can be propagated to everyone, and for those stupid enough to actually hand over money it can help the authorities track them down.

Also, may I reprint your letter on my website? I've taken it upon myself to help people learn about online fraud and this is good :)

Sure, go ahead and reprint it.

Its a waste of your time..  the guy is probably in "India"

If he has to resort to this to get a "Job In your ompany" then he probably sucks at programming or doesnt have a brain.


Do not reply to them at all..  pretent you are not there..  Next time..  Obfuscate your .net products..  its a must if you are selling a commercial product that you dont want replicated with few clicks.

Do not reply.. but do not delete.. 

save .. and move on. :)

see if he contacts you again.

> Due to joblessness and the fact of losing the possibility to continue my education, I forced myself to gain a high level in computer technology.

Wow, talk about desperate measures :o)

Ask him for his bank account number and hand it over to one of those nigerian 419 scammers.

Was your program written in a byte interpreted language like Java or C#?  Didn't you obfuscate it?

This is one reason native compiles are a bit more secure.  All of the symbol information is removed (unless you are dumb enough to ship a debug version) and modern optimizers screw up your executable so much decompilers don't have much luck creating anything but assembler code.

Any how, I would 1) report them to the FBI (no matter where they are from just do it), and 2) not engage in interaction with them.  Most of these people will move on to the next person.  It takes a lot more effort to try to sell that code for a buck or to both implement it and steal your user-base.

Your user-base is your true intellectual property.  If you serve your customer well they will stick with you.  People like this are looking for a quick buck and if they can't make money off you quickly they will move on.

> Do not reply.. but do not delete..
> save .. and move on. :)

+1 to Markito

Joannès

Another +1 Markito.

If you don't obfuscate your .net code, it is simplicity itself to get the source from your assemblies.  Google for 'Lutz Roeder's Reflector' - actually a very useful and practical tool for see what assemblies are doing under the hood.

It doesn't sound like a very good attempt at blackmail to me.  It's just possible he actually was trying to impress you with his mad .net skillz.

But as others have said, I would just leave it and not do anything.  If you don't obfuscate your code, practically anything can get your source code anyway.

That's one of the reasons why I don't use .net.

In the open source world this problem doesn't arise.

In the software-as-intellectual-property world this problem is ultimately insoluble.

It's possible to make money with open source but you have to change your perspective and your business model. Think of software as a service and not as a product.

"In the open source world this problem doesn't arise."

In the open source world nobody makes any money so there's no point in blackmailing anyone.

Really, Rowland, your argument is a bit like saying "in a free love society, rape wouldn't exist."

But to the OP I'd say, "give me a snail mail address and I'll send you a cheque" and see how brave/stupid they are.

> In the open source world this problem doesn't arise.

Are you really suggesting that he ought to change his business model, because of what 1 random idiot on the Internet sent him in an email?  If so, wow...

And actually you're wrong.  It does happen in the open source world - it already happened.  One company (I'm sure you've heard of them), tried to offer the world a choice - either we take effective control of one of the leading open source products, or you pay us a ton of money. This company used a combination of bluster and baseless litigation (about non-existent infringements of copyrights that they didn't even own).  The reason they didn't succeed, is because most people ignored them, and those who did they target as victims, for the most part, stood up to them.


> In the software-as-intellectual-property world this problem is ultimately insoluble.

If you're giving something away, like say the source code, people can't threaten to steal it. It doesn't make sense.

But other retailers suffer theft, and threats of theft too.  Would your answer be for them to give their goods away, and make money carrying the goods to people's cars?



Ultimately this isn't an open source vs closed source.  It's about not giving in to extortion (which can happen with both types of business models), and the OP choosing for himself how he wants to run his business.

"That's one of the reasons why I don't use .net."

Then that's a really poor reason.

Tell him to get his money from an exiled Nigerian oil executive who needs his bank account number to spirit money out of the country...

We see blackmail all the time but they say they have broken the key system and are 16 years old and they can help us make it better for a fee.  Never ever respond and they can't know you even got the email.  Also, they likely have 50 of these going at once so you just drop off their radar.

It is so tempting to reply and just point them to the 50 warez sites that already host our products.  A simple google search will give theives what they want but we can track it and contact the "legitimate" illegitimate users.

"Am I right to think this really is blackmail?"

Yes, that is correct, it is blackmail. The FBI has an internet crimes division, you should file a report with them:

http://www.ic3.gov/

Since this is blackmail, they might take it more seriously than your usual cracking report. But even so don't expect anything to come of it.

"'That's one of the reasons why I don't use .net.'

Then that's a really poor reason. "

Actually that is a real world, real reason not to use .NET.  Factor in that .NET is estentially a Windows only platoform and not truly portable why bother with it?

GetNReal,

I have the feeling Carp doesn't pay the bills writing production code.

These things happen all the time. You gotta deal with it. *shrug*

Typically, companies release a newer version of their product with better activation technology that makes it difficult if not impossible for crackers to pirate.

Two examples of this:
1) Qbik Wingate, which requires online license activation for its award winning proxy-cache software Wingate. They started this (online license activation) from version 6 onwards. And true to the concept, there are *no* working cracks to be found on the internet for this software. 
2) Norton Internet Security 2008 - also requires online account / license activation.

In your particular case, it looks to be an amateur nutcase with no control over his behaviour. A typical IT looney with his priorities mixed up.. c'est la vie..

Do yourself a favour and obfuscate any future releases of your application, use something like: http://www.eziriz.com/  which works well for me. If you don't obfuscate you may as well be giving away your source code with your application...

Anyway, even if he does have source it's still alot of work for him to create a competing website and market the application properly so I wouldn't worry too much. He has probably sent out 100s of those letters and is hoping one or two will come back with some cash and he will forget about the rest.