* The Business of Software

A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.

I was contacted by a cracker

This afternoon, I received the following email. At first, I just dismissed it as spam, but as I kept reading I realized that he was describing actual features of my software. So it appears my software was legitimately cracked!

This is the email in its entirety:

Hello mate..,
this is about your apps , i just found your apps not protected..it'll easy to reversing...and sorry before I'm only trying and your apps was successfully converted to RTM version.
which is one of the trial restrictions is only able make one identity , but now i can make more than one identity.

We know , nothing un-crackable..but try to protect it better than nothing. :)
Anyway..if you want any info regarding your apps.
just let me know , i can be your friend..:)

Now I should point out that this is not a big accomplishment. I am mainly interested in stopping casual piracy, not hard-core piracy, and so I have minimal protection in place. I do not use hardware-locked licensing (nothing against it, it's just a personal choice). I use a product key generated with symmetric encryption, and the decryption code in my software is unobfuscated, so it could be reverse-engineered with less than an hour's work. No patching required. Alternatively, one could just buy a single license and then share that product key with everyone in existence.

In fact, in the past few months, I've come right out and said as much on my product's website:

Important: We want your experience with Password Vault to be as painless as possible, therefore the software is not strict about enforcing licensing requirements. We trust you to do the right thing. Please purchase the correct number of licenses, and do not share product keys with others. We will be happy to assist you with any questions regarding your specific licensing requirements.

I figure that honest people will be honest and will license the software correctly. And as for everyone else...I would rather they use my software for free than pay for (or pirate) a competitor's.

I do not feel particularly threatened by this recent turn of events. Partly because I don't stand to lose that much! But also because I doubt this individual can do much to hurt me. Rather, I'm kind of proud that my product has become the focus of crackers. It's a big day in a product's development. I am curious to know what he means by "being my friend" though!

I'm probably just going to ignore this email. I am also considering sending back a sarcastic reply that summarizes the above. But I definitely have better things to do with my time. I definitely will not be working with this person or sending them any kind of ransom money.

Anyone else have similar stories?
Shawn O'Hern
Monday, March 11, 2013
I wouldn't worry about it myself. I have similar policies. Since customer service and updates are for paying customers, people keep buying.

I wouldn't send a sarcastic email though.
Scott
Monday, March 11, 2013
I wouldn't reply at all. At best it is some random lunatic and at worst it'll lead to some kind of extortion.
Scorpio
Tuesday, March 12, 2013
Yes, absolutely do not send back a sarcastic message.

It's entirely possible that the guy has a missionary zeal about telling people where their software sucks, and he's really not out for extortion. Some hackers really do just want to be appreciated for their craft. (It is a craft.) I'd treat him that way. Especially since he did not mention money up front.

My own tendency would be to reply in a way that indicates that I know that the cracker has power over me and that I am confident based on his attitude that he will act in a responsible way with this information. I'd treat him sort of like a goodwill ambassador at first.

If it went any farther with demands for money, etc., I'd stop communicating completely.
WannabeTycoon
Tuesday, March 12, 2013
Thanks guys. I think I will send the cracker a short, diplomatic reply. I don't want to insult him or be sarcastic. As it stands right now, he has only contacted me privately about a weakness in my licensing (which was by design). He hasn't posted the crack yet that I'm aware of, so I have no beef with him.
Shawn O'Hern
Tuesday, March 12, 2013
As I said I wouldn't reply myself.

But if for some reason I was going to reply, and I was in your shoes where it's by design and he had clearly described the flaw so I knew he wasn't fishing, I'd reply as if to a customer reporting a bug: "Hey, thanks for the note. Yeah, we use weak symmetrical rather than strong asymmetrical since we want to be fair dealing with customers. All that strong DRM phone-home stuff that restricts people's rights to use what they pay for just seems the wrong approach. I'm always glad when I hear others feel the same way, so thanks!"
Scott
Friday, March 15, 2013
Believe it or not, there is an "ethical" subgroup to the hacker community. Some people enjoy hacking for the challenge and get a buzz from being recognized for calling attention to problems before evil hackers get involved.

I recently hired two ethical web hackers on Odesk to advise me on a web service I own that I thought was bulletproof. They did indeed quickly find some vulnerabilities that we didn't know about. It was worth it.

In your case, the guy sounds legit. I would reply with a nice thank you note and a free key for your software.

Anything can be hacked. It primarily comes down to how much work you are going to make it to hack your software or service. There are always easier targets; most hackers will move on if your software or service exceeds their effort threshold.

Incidentally, I've found that using your brand's authority with search engines is a good way to insert yourself between hacks of your software and the people who are searching for those hacks. I've recorded many sales of my products that originated with a search for terms like "<brand> hack." I wrote more about this experience here, if you're interested. http://bit.ly/10WOhFk
Darren
Friday, March 15, 2013
"we want to be fair dealing with customers"

Why is asymmetric licensing unfair to the customer?
Bill Anonomist
Friday, March 15, 2013
It's not.
Wyatt O'Day
Friday, March 15, 2013
It's not only unfair, it's abusive when your right to use what you paid for can be taken away at a moment's notice because of things that have nothing to do with you.

Yes, companies that use this are immoral, and even evil.

Avoid at all costs since invariably their owners and staff are as well.
Scott
Sunday, March 17, 2013
"This is the email in its entirety"

If that's really all they said, then where is the proof that they've cracked it? I see nothing but bragging. I wouldn't believe them unless they sent me something to actually prove it.
Harry Phace
Sunday, March 17, 2013
Scott, I’ve always suspected you didn’t read the posts you were responding to. Though, I have to say, I’m a bit shocked you don’t even read your own posts.

The point Bill Anon was raising was that your assertion that asymmetric encryption is “unfair” (or now “immoral and evil”) is nonsense. Asymmetric encryption is no more or less evil than symmetric encryption which is no more or less evil than a hammer. They’re tools for a job.

You can use asymmetric encryption in serial-only licensing (http://wyday.com/limelm/features/why/#serial-only ) or in hardware-locked licensing (http://wyday.com/limelm/features/why/#hardware-locked ).

It seems you’re conflating asymmetric cryptography with hardware-locked licensing. I’m not sure why – in the past you’ve shown (or maybe feigned) you’ve understood the distinction.

>> “Yes, companies that use [hardware-locked licensing] are immoral, and even evil.”

Nope, they’re neither. But then again you think United States of America and the Red Cross are evil, so I guess we’re in good company.
Wyatt O'Day Send private email
Sunday, March 17, 2013
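The distinction Wyatt O'Day draws above, and the weakness Shawn describes in the opening post, side by side in code: with a symmetric scheme the product must carry the same secret that issues keys, whereas with an asymmetric scheme it carries only a public key that can verify but never issue. This is an added example written for this page, not code from the thread or from any product mentioned in it; it uses HMAC-SHA256 as a stand-in for the post's unspecified symmetric construction and Ed25519 for the asymmetric one, and the secret, key pairs and customer names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Symmetric scheme (HMAC-SHA256 stands in for the post's unspecified cipher):
// one secret both issues and checks keys, so the secret has to ship inside the
// product, and whoever reads it out of the binary can issue keys as well.
func symIssue(secret []byte, customer string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(customer))
	return customer + ":" + base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

func symCheck(secret []byte, key string) bool {
	parts := strings.SplitN(key, ":", 2)
	if len(parts) != 2 {
		return false
	}
	// Recompute with the issuer's own secret and compare in constant time.
	return hmac.Equal([]byte(key), []byte(symIssue(secret, parts[0])))
}

// Asymmetric scheme (Ed25519): the vendor keeps the private key off the product;
// the product ships only the public key, which verifies keys but cannot produce them.
func asymIssue(priv ed25519.PrivateKey, customer string) string {
	sig := ed25519.Sign(priv, []byte(customer))
	return customer + ":" + base64.StdEncoding.EncodeToString(sig)
}

func asymCheck(pub ed25519.PublicKey, key string) bool {
	parts := strings.SplitN(key, ":", 2)
	if len(parts) != 2 {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(parts[1])
	return err == nil && ed25519.Verify(pub, []byte(parts[0]), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	fmt.Println(asymCheck(pub, asymIssue(priv, "alice")))
}
```

Either scheme is still defeated by patching the check out of the binary, which is the "casual versus hard-core piracy" line Shawn draws; the asymmetric scheme only removes the key-generator from the shipped product.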