* The Business of Software

A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.

Product activation software?

Hi, everyone.

I've done some research on software activation/protection systems, but most of the discussion threads I've found are a bit dated, so I thought I'd bring this topic up again...

These days, what's the latest-and-greatest in cross-platform software protection?

I've read I should avoid Digital River... Software Passport/Armadillo is no more...

Wyatt has done a good job of plugging LimeLM (Hi, Wyatt)...  :)

Any others worth mentioning or avoiding?

I need to support Mac OS X 10.6 and above, and Windows 7 and above.

Thanks,
-Jeff
Jeffrey Grady
Thursday, October 30, 2014
 
 
Hi, Jeff. :)

>> "I need to support Mac OS X 10.6 and above, and Windows 7 and above."

Yep, we support that. Mac OS X 10.5 and above, Windows XP and above, and all modern flavors of Linux (even distros as old as CentOS 5 / RHEL 5).


>> "Any others worth mentioning or avoiding?"

When evaluating licensing you always want to verify their claims. (Yes, even verify LimeLM's claims). Here's a good guide to spotting the most egregious lies: http://wyday.com/limelm/features/why/#is-legit
Wyatt O'Day
Thursday, October 30, 2014
 
 
I occasionally play guitar for fun at home and this product seems interesting. I started to learn the different chord positions myself and find it a good exercise to master the fretboard, but this product may anyway be helpful. If I understood correctly, you have to know the chord names to begin with? Not a big deal nowadays.

I am also interested in the same question. I don't like the hw locking option. I would prefer online activation with a real name or email address, plus the license code. Instead of the hw fingerprint, to use the customer name/email (so he would have to type that) and provide the license code. Then this info is validated and stored online. Sending the fingerprint is a plus, but I wouldn't block on first additional hardware. For a single user license, if he installs the software on more than 3 different pieces of HW in a single month, I would lock it and send an email explaining things. Over the year I wouldn't bother if the software is installed 5-6 times on different machines. So, blocking would work only if there is an obvious abuse. Is this something that is possible to do with an existing licensing system?

BTW, what you used for the different platforms, Qt maybe?
ThistimeAnon
Friday, October 31, 2014
 
 
@ThistimeAnon
>> "I would prefer online activation with a real name or email address, plus the license code."

Yeah, that's not online activation. That's just "pinging a server". It's worse than useless because nothing meaningful is being transferred to the server (nothing to actually lock the licensing to the computer). Meaning whatever "response" the server returns can just be copied to as many computers as they want; thus defeating the whole purpose of contacting any server to begin with.

Real "online activation" is just a type of hardware-locked licensing (done online; hence the name).

We actually cover this and explain it here: http://wyday.com/limelm/features/why/#competition



>> "For a single user license, if he installs the software on more than 3 different pieces of HW in a single month, [...]"

You can do this with LimeLM. For every product key (a.k.a. serial number) you can set the number of allowed activations to any number. So if you want to allow a customer to run your app on 3 different computers, just set the number of allowed activations to 3. Easy peasy. LimeLM & TurboActivate handle all the details (fingerprinting, detecting VMs, cryptography, etc., etc.: http://wyday.com/limelm/features/why/#hardware-locked-descr )
Wyatt O'Day
Friday, October 31, 2014
 
 
@Wyatt O'Day
>> Meaning whatever "response" the server returns can just be copied to as many computers as they want; thus defeating the whole purpose of contacting any server to begin with.

That assumes the user is not just an ordinary user but a hacker who can intercept the server response and use it "somehow" on other computers. As of course the server would return the info encrypted and extract only a piece of info from the response and use that to unlock the product. I know there are ways to fake a server response to fool the program, but this would fall under preventing hacking, not casual piracy.

Good to learn that LimeLM supports something like this. Though, your plans seem expensive for low priced/low volume products.
ThistimeAnon
Friday, October 31, 2014
 
 
>> "That assumes the user is not just an ordinary user but a hacker who can intercept the server response and use it "somehow" on other computers."

No, it doesn't assume that. See #1 listed here: http://wyday.com/limelm/features/why/#competition

All it takes is copying the license file (whatever the server returned that's stored somewhere on the computer) to another computer. That can be done either maliciously or non-maliciously. The point is it happens.

There's no need to "intercept" anything from the servers.


>> "[...] but this would fall under preventing hacking, not casual piracy."

You're not seeing the full picture. Did my explanation above clear things up? If not, I'll try to break it down further for you.


>> "Though, your plans seem expensive for low priced/low volume products."

We're not the cheapest licensing solution, that's for sure. Then again, cheap licensing solutions go belly up fairly frequently; Armadillo (a.k.a. Software passport) is the latest example of that.

Also it takes good developers to make quality software. Good developers are expensive.

If your software is low volume then you might consider raising your prices (or how else would you make money?).
Wyatt O'Day
Friday, October 31, 2014
 
 
If you mean that cloning a HDD will let them use the software without activating, then so be it. This may be a problem for highly priced software and BB software, but for consumer software should not be. If my licensing server returns a license and that license is stored in the registry or in any user specific folder and the user managed to copy both the license file and the program, that's a hacker for me!

Seriously, anything priced below $150 using hw locking would just annoy legitimate customers.
ThistimeAnon
Friday, October 31, 2014
 
 
@Wyatt: the ease with which you dismiss all your competitors in a single sweep on the page you linked to above is a red flag for me.

Are there any independent third-party comparisons that include LimeLM alongside the other major players?
Dmitry Leskov
Friday, October 31, 2014
 
 
Anyone have any experience with Steam Greenlight?  They seem to do software in addition to games:

http://steamcommunity.com/greenlight

Also, does LimeLM integrate easily with Avangate?

I don't think I've heard any other vendors besides LimeLM... Who are LimeLM's competitors?

Thanks,
-Jeff
Jeffrey Grady
Friday, October 31, 2014
 
 
Over the years whenever I had to implement some licensing schema, I was searching around and always ended up with my own system. Couple of times I ended up on this site: http://soraco.co/QuickLicenseManager.aspx and can tell that they've been around for at least 5-6 years. But, I haven't even downloaded the trial, so can't say anything except I know they exist.
ThistimeAnon
Friday, October 31, 2014
 
 
Here is a list I copied from the following review, which is unfortunately in Russian: http://gigamir.net/techno/pub675459

ASProtect http://www.aspack.com/
DotFix NiceProtect http://www.niceprotect.com/
Enigma Protector http://enigmaprotector.com/
ExeCryptor http://www.strongbit.com/execryptor.asp
IntelliProtector http://www.intelliprotector.com/
LimeLM http://wyday.com/limelm/
Obsidium http://www.obsidium.de/
Oreans Themida/WinLicense http://www.oreans.com/
PC GUARD http://www.sofpro.com/pc.guard.htm
PELock http://www.pelock.com/
Safengine http://www.safengine.com/en-us/products/protector/
Setisoft Private exe Protector http://private-exe-protector.com/
SoftwareKey Protection PLUS http://www.softwarekey.com/
SoftwarePassport (Armadillo) http://www.siliconrealms.com/
StarForce ProActive http://www.star-force.com/
VMProtect http://vmpsoft.com/

Of these, I had VMProtect recommended by one of my peers, an expert in secure systems development (10+ years in finance and healthcare, currently focused on Java/Android), but we have not used it ourselves.
Dmitry Leskov
Friday, October 31, 2014
 
 
Most casual users shy away from pirating when they realise it's going online to check the license.

That's not a scientific statistic, just my observation.



AC
Reluctantlyregistered
Friday, October 31, 2014
 
 
Answered my question on LimeLM and Avangate:

http://wyday.com/forum/viewtopic.php?f=3&t=26248

Cheers,
-Jeff
Jeffrey Grady
Friday, October 31, 2014
 
 
Just as another point to all the Wyatt hate: I may or may not know of someone who uses LimeLM and he is very happy.

Fundamentally, it seems to work. Does it prevent 1337 h4x0rz? Probably not, but those aren't his customers to begin with.

I use one of those file licensing systems and yeah, I'm pretty sure 30-40% of the users casually pirate. I couldn't be bothered to fix it right now because I'm lazy and I make enough money.
Bring back anon
Friday, October 31, 2014
 
 
We always do our own systems for this
and it has never been a big Dev job
C. Stark
Saturday, November 01, 2014
 
 
>> "the ease with which you dismiss all your competitors in a single sweep on the page you linked to above is a red flag for me."

No, we just sweep aside competitors who sell bogus technologies. Unfortunately it just looks like we're dismissing all competitors because this "crack proof" garbage is prevalent in the licensing industry.

If my company grew and sold beans, and a majority of our competitors sold magic beans, then we would be just as hard on them for their lies.

That being said, we do have 3 competitors that I respect. They have quality products, they're well-designed, and they don't sell anti-crack hokum. (Their might be more respectable competitors now, but I haven't looked thoroughly in about a year).


>> "Are there any independent third-party comparisons that include LimeLM alongside the other major players?"

Probably. I should hire some marketing people, shouldn't I?
Wyatt O'Day
Saturday, November 01, 2014
 
 
Ooops I meant "There might be..." not "Their ...".
Wyatt O'Day
Saturday, November 01, 2014
 
 
I looked into this topic some weeks ago. I found decent third-party solutions to be too expensive for my below $20 software. Then, I implemented my own and am really happy with that decision. You can implement your own in about 2 weeks' time.

The advantages of implementing your own:
- Much more freedom in tailoring it for your needs.
- Save $$
- The thrill of learning new things. I enjoy learning techy stuff.

Broadly, the idea is the following:

- Compute some kind of signature (aka "machine ID", "machine fingerprint") for the computer. Use things like MAC Address, CPU, disk etc. The signature can be several bytes long. For this, a good starting point I found was the following article.
http://oroboro.com/unique-machine-fingerprint/
Use that as a *starting* point. Improvise on that.
- When your software is first run, check whether "cached license" (stored somewhere on the user's machine) is present. (More on that below). If not, go into first-time activation.
- First time activation: Get the registration key from the user. Send the registration key and machine signature to your server. At the server, check whether the software with that key has already been installed on stipulated number of machines. If so, send "rejection". Else, allow activation and send back encrypted form of the machine signature back.
- The encrypted machine signature is received at the client. Store it somewhere on the user's machine. This is what I referred to as the "cached license".

Each time the software runs, read the "cached license" which in essence is the encrypted machine signature. Decrypt the cached license. Compare the decrypted machine signature with the actual signature. If they are "nearly same" (i.e., "Fuzzy Match" as Wyatt refers to it), accept the validity of installation.

The reason for checking that they are "nearly same" instead of "exactly same" is that you don't want to reject the cached license when the user does small changes to the hardware. How much change you want to tolerate is up to you.

To further clarify the idea, the server side program does the following:
- Listens to activation requests from the software running on user's machine. As I mentioned, the activation request payload is essentially "Registration key & machine signature".
- Maintains a simple database/file that keeps a map of "registration key" to "Signatures of machines on which it has already been installed". 
- Check whether the machine signature "matches" (fuzzy match) one of the machines software with that key has already been installed. If so, it is a case of user trying to re-install on a machine he had previously installed. So, send back "Accepted payload".
- Otherwise, check whether allowing to be installed on the new machine is within the limits of the license. If so, send back "Accepted payload". Else, send back "Rejected payload".
- The "Accepted payload" is in its essence the encrypted version of the machine signature that came in as part of activation request.

My implementation is working well. One thing I am yet to decide (my software is scheduled to be released only in 2015) is where to run the server side program. I need to determine whether the webhost  company will allow me to run this program on their site without charging too much. If not, I will run it on my own machine. Any thoughts/suggestions?
Victory
Saturday, November 01, 2014
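
The activation flow described in the post above, together with the earlier point in this thread that a server response not tied to the machine can simply be copied to another computer, as an added example that is not code from any poster or from LimeLM. All names, the sample machines and the 3-of-4 match threshold are assumptions; HMAC from the standard library stands in for the post's "encryption" step, whereas a shipped client would verify a public-key signature so that it holds no secret.

```python
import hashlib, hmac, json

SERVER_KEY = b"constructed-demo-key"  # assumption: stand-in for a real signing key

def fingerprint(hw):
    """Hash each hardware component separately so a fuzzy match can count them."""
    return {k: hashlib.sha256(v.encode()).hexdigest()[:16] for k, v in hw.items()}

def fuzzy_match(a, b, min_same=3):
    """'Nearly same': at least min_same components are identical."""
    return sum(1 for k in a if a[k] == b.get(k)) >= min_same

def _tag(body):
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()

class ActivationServer:
    def __init__(self, limits):
        self.limits = limits  # registration key -> allowed activations
        self.seen = {}        # registration key -> fingerprints already activated

    def activate(self, reg_key, fp):
        if reg_key not in self.limits:
            return None
        machines = self.seen.setdefault(reg_key, [])
        if not any(fuzzy_match(fp, m) for m in machines):  # not a re-install
            if len(machines) >= self.limits[reg_key]:
                return None                                # "Rejected payload"
            machines.append(fp)
        body = json.dumps({"key": reg_key, "fp": fp}, sort_keys=True)
        return {"body": body, "tag": _tag(body.encode())}  # the "cached license"

def license_valid(cached, local_fp):
    """Client check on every start: authentic and bound to this machine."""
    if cached is None or not hmac.compare_digest(cached["tag"], _tag(cached["body"].encode())):
        return False
    return fuzzy_match(json.loads(cached["body"])["fp"], local_fp)

# Constructed sample machines (not real hardware identifiers)
PC_A = {"mac": "00:11:22:33:44:55", "cpu": "cpu-model-1", "disk": "disk-serial-1", "board": "board-1"}
PC_A_NEW_DISK = dict(PC_A, disk="disk-serial-2")
PC_B = {"mac": "66:77:88:99:aa:bb", "cpu": "cpu-model-2", "disk": "disk-serial-9", "board": "board-7"}

def demo():
    srv = ActivationServer({"KEY-1": 1})
    lic = srv.activate("KEY-1", fingerprint(PC_A))
    return {
        "same_machine": license_valid(lic, fingerprint(PC_A)),
        "disk_swapped": license_valid(lic, fingerprint(PC_A_NEW_DISK)),
        "copied_to_other_pc": license_valid(lic, fingerprint(PC_B)),
        "reinstall_same_pc": srv.activate("KEY-1", fingerprint(PC_A_NEW_DISK)) is not None,
        "second_pc_over_limit": srv.activate("KEY-1", fingerprint(PC_B)) is None,
    }
```

The license file copied to the second machine fails only because the signed body carries the first machine's fingerprint; a response containing just the key and an "OK" would verify anywhere.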
 
 
> My implementation is working well.

> (my software is scheduled to be released only in 2015)

You can't know that until it is released.
Bring back anon
Saturday, November 01, 2014
 
 
> I should hire some marketing people, shouldn't I?

You are doing a lot of marketing already, but I think you need to make your message a bit more credible.

Example from your Web site:

"Does the company claim to have a “secret sauce”? If so, run away fast — they're lying."

<...>

"What are the differences between LimeLM and *all* alternatives?" (emphasis mine - DL)

Now, should I run away from your solution fast?

> we do have 3 competitors that I respect.

Why don't you list them explicitly and show how your solution stacks against theirs?
Dmitry Leskov
Monday, November 03, 2014
 
 
@Dmitry
>> "Now, should I run away from your solution fast?"

No?

I don't know if this is a lost-in-translation moment or if we're not being clear about what "secret sauce" means. It doesn't mean "competitive difference" or "philosophy difference".  It's fairly clear that "secret sauce", in the context in which it was written, means bogus claims which don't have a basis in reality.

The sentence directly after "secret sauce" and "run away fast, they're lying", it says: "Good licensing is based on well-known techniques (described below)." with a link to the description of how properly designed hardware-locked licensing works (including, but not limited to, LimeLM).

Does that make sense?



>> "Why don't you list them explicitly and show how your solution stacks against theirs?"

It's on the long TODO list, trust me.

------

@Victory
>> "For this, a good starting point I found was the following article. [Link to article]"

From what you described it sounds like you have a good start. But I would advise against using any "soft" or user-generated IDs (volume id / partition ID, machine name, etc.). If you do use these then you're setting yourself up for high instances of false-positives and false-negatives. It's best to avoid those types of IDs altogether.

See: http://wyday.com/limelm/features/why/#wrong-id

Also, as BBAnon hinted at: test, test, test. The sooner you start testing across thousands of computers the sooner you'll be able to work at the kinks (the largest of those kinks being false-positives and false-negatives).
Wyatt O'Day
Monday, November 03, 2014
 
 
@Wyatt:

"What are the differences between LimeLM and *all* alternatives?"

Wording such as "all alternatives" is usually a red flag for me. I won't bother to read further past such a heading.

Perhaps "most alternatives" or "cheaper alternatives" would be okay replacements. But "its major competitors" would be way better. (You'd probably want to supplement such a section with a FAQ like "Why don't you consider X a competing product?")
Dmitry Leskov
Monday, November 03, 2014
 
 
I know you were looking for Mac support but if you or anyone needs help with a Windows application built in .NET, we offer a licensing and product activation software called LicenseSpot that can help:

http://www.licensespot.com
Jose
Wednesday, November 26, 2014
 
 

This topic is archived. No further replies will be accepted.
