The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

how to protect against use of un-licensed software

We are developing a desktop application in VB.NET.  It will be downloaded and paid for over the internet.

- We would like to tie the license to the computer.
- Be able to move the license to another computer if the customer wants to, BUT turn off the copy of the SW running on his old PC. (i.e. one license per user, where the user can select the PC he wants to have it run on)

Can someone recommend a good package that we can use to guard against piracy?

thanks,
Adam
Adam P.
Friday, June 16, 2006
 
 
You are going too far with attempting to protect your application.

If I discover that an app I am considering gets locked to a specific computer, that's it, the end.  I will not purchase it.  Period.

Hardware is too fragile and short term.  I change machines too often to put up with that kind of licensing scheme.  If I want to take the app with me on my laptop while on the road, your approach kills that.
ps
Friday, June 16, 2006
 
 
Adam -- you can't fight this. It's an escalating arms race that will get too costly in the end. You come up with something, they find a way around it. You come up with something better, they quickly find a way around that too. Sooner or later you'll be spending all your time on the arms race, spinning your wheels, and not making progress on the application itself. Eventually, you give up, and find you've wasted some serious time and money.

Have at it. You can try. Some of the best minds in the industry have tried. None of them have succeeded. You likely won't either (nothing personal, it just can't be done.)
Sgt.Sausage
Friday, June 16, 2006
 
 
Ummm, Microsoft's product activation works this way.  You're not running anything they've put out in the past 3 years?  If the algorithm is well done, it can survive the changing of a large portion of the hardware.

i.e.  Simply locking it to a single identifier won't work, but locking it to a key of 8 pieces of identification and saying success is at least 50% of them validating means I can swap out various components and still have it work.

The automatic deactivation is nastier, your app would have to 'phone home' to do something like this, and it's questionable from a liability standpoint.
Mark Tutt
Friday, June 16, 2006
 
 
If you're doing this for a $50 application I agree, it's going too far.  However, if you're doing it for a $5k piece of server software, it might be worth the effort.
Mark Tutt
Friday, June 16, 2006
 
 
For a (now obsolete) product, I used HASP ( www.aks.com ) with a hardware (i.e., USB) key.  All the usual objections apply (it can be hacked if someone wants to badly enough, and users aren't crazy about it), but it works as well as can be expected given what you want to do.

The biggest benefit is that the hardware key provides something tangible that a user can associate with the ability to run the program.

You might want to consider having the ability to "down-grade" gracefully if the program detects that it has no authorization key (e.g., allow user to open files, but read-only).
BillT
Friday, June 16, 2006
 
 
+1 for hardware keys if the product costs over $500.

-1,000,000 for putting NO protection on at all. If you don't at least make someone search for a crack, they WILL pirate your app AND give it to all their friends.

Beware of personal opinions on this forum, we're developers and we're not Joe Public - our opinions are skewed because we're technically literate and well-informed. If you're aiming at mass market, most of your customers won't be changing their hardware components that often.
Roger
Friday, June 16, 2006
 
 
+1 for the hardware key.  At least then you are not tied to a specific computer and can move the app around as needed.

How have you priced the application?  That will determine your protection approach as has been mentioned.  I assume if it is a downloadable product, it is not expensive so that will probably put the hardware key out of the picture.
ps
Friday, June 16, 2006
 
 
But all their friends weren't planning on buying your software anyway.  This seems to be the most common fallacy in the software licensing debate.  One copy pirated != one lost sale.
SomeBody
Friday, June 16, 2006
 
 
Again, all the filthy software thieves pop out to proclaim "One copy pirated != one lost sale" which is utterly false. If they didn't want your app, they wouldn't have pirated it. 92% of my downloads are for cracked versions and for my eight years of effort I make $240 a month for those 8% who pay. May you thieves suffocate in your own filthy thieving funk, and choke on your own vomit.
Earl
Friday, June 16, 2006
 
 
Microsoft uses hardware keys for their Point of Sale applications. But then again, they acquired this business from the QuickSell folks so it probably came that way. Microsoft Point of Sale software (the multi-user one) fits the criteria for using a hardware key. It isn't cheap and users would be very likely to copy it for all of their stores.

I agree that you need to do something. But what you do certainly depends on the type of software and how much it costs.

And for what it's worth, there is no single piece of information that identifies a given computer. As someone else said, Microsoft uses a combination of probably about 8 different things. Some of the things you could use (but not just by themselves) include:

1) Hard drive serial number (not always obtainable)

2) Windows product key (which may be duplicated if the customer has pirated their copies of Windows or are on certain licensing plans)

3) Ethernet card MAC address (which can be changed and spoofed, especially for USB network cards).

4) etc.

You may want to also take a look at the WMI capabilities of Windows. These are a bunch of management classes that return all kinds of information about the system.

Good luck.
Turtle Rustler
Friday, June 16, 2006
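The tolerant matching Mark Tutt describes (several identifiers, success when at least 50% validate), applied to the kind of identifiers listed in the post above, as an added Python example that is not from any poster or product. The component names, salt and sample values are constructed; a real client would read the values from the system, for example through WMI.

```python
import hashlib
import hmac

THRESHOLD = 0.5  # "at least 50% of them validating"

def _digest(salt, name, value):
    # Normalise case/whitespace so cosmetic differences are not a "hardware change".
    norm = value.strip().upper().encode()
    return hashlib.sha256(salt + name.encode() + b"\x00" + norm).hexdigest()

def enroll(components, salt):
    """Salted digests taken at activation; unreadable identifiers are skipped."""
    return {n: _digest(salt, n, v) for n, v in components.items() if v}

def verify(record, current, salt, threshold=THRESHOLD):
    """Return (ok, matched, enrolled); missing or changed components are misses."""
    matched = sum(
        1 for name, stored in record.items()
        if current.get(name)
        and hmac.compare_digest(stored, _digest(salt, name, current[name]))
    )
    enrolled = len(record)
    # Fail closed when nothing could be enrolled.
    return (enrolled > 0 and matched / enrolled >= threshold), matched, enrolled

# Constructed sample values, not real hardware identifiers.
SALT = b"per-license-random-salt"
ACTIVATED = {
    "disk_serial": "DISK-CONSTRUCTED-0001",
    "mac": "00:1a:2b:3c:4d:5e",
    "cpu_id": "CPU-CONSTRUCTED-0001",
    "board_serial": "MB-CONSTRUCTED-0001",
    "bios_serial": "BIOS-CONSTRUCTED-0001",
    "windows_product_id": "00000-000-0000000-00000",
    "ram_mb": "2048",
    "gpu_name": "Constructed GPU A",
}
# Same PC after a new disk, a new network card and a RAM upgrade: 5 of 8 still match.
UPGRADED = dict(ACTIVATED, disk_serial="DISK-CONSTRUCTED-0002",
                mac="66:77:88:99:AA:BB", ram_mb="4096")
# A different PC that only copies the MAC address: 1 of 8 matches.
OTHER_PC = {name: "OTHER-" + name for name in ACTIVATED}
OTHER_PC["mac"] = ACTIVATED["mac"]

RECORD = enroll(ACTIVATED, SALT)

if __name__ == "__main__":
    print("upgraded PC:", verify(RECORD, UPGRADED, SALT))
    print("other PC:   ", verify(RECORD, OTHER_PC, SALT))
```

The record holds only salted digests, so the license file does not expose the raw serial numbers, and a single spoofable value such as the MAC address cannot satisfy the check on its own.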
 
 
"If they didn't want your app, they wouldn't have pirated it."

Now Earl, I'm opposed to software piracy, and I think apps should be reasonably protected against it.  But really.

Consider this: If the dealership across town starts giving away Lexuses for free, I'll sure as hell grab one, Earl.  Heck, if they charged a hundred bucks each, I still think I'd go buy one.  But that doesn't mean I'd still want one if it cost real money.

The pirates want your app...as long as it's free.  They don't want it if it costs money.  Perhaps your _real_ problem is that people don't see your application as a good value for what it costs.  I'm not saying that in defense of piracy...because piracy and lost sales aren't the same thing.

Maybe you could offer it at a discount on Bits du Jour and see if you get any bites?  Maybe that would tell you that the price is wrong, or that you need better marketing.
Kyralessa
Friday, June 16, 2006
 
 
> Consider this: If the dealership across town starts
> giving away Lexuses for free, I'll sure as hell grab
> one, Earl. 

This is the reason software companies like piracy.
Consider if cars could be pirated, you would think that high value makers had most to lose - since they lose most money. But it is actually cheap makers that suffer, why pirate a ford when you can pirate a porsche?

It's the same in software - if it was made very difficult to pirate Office, home/casual users wouldn't pay $500 for it and there would be a market for $50 word processors / simple spreadsheets. But because it is easy to 'borrow' a copy of Office from work it is impossible to sell an alternative, this is the reason Office has no product activation but makes more money than Windows.
Martin
Saturday, June 17, 2006
 
 
"One copy pirated != one lost sale."

But 1,000,000 copies pirated can be 1,000 lost sales. THAT'S the problem.

And you have no way of stopping 1 pirate copy turning into 1,000,000 pirate copies once it starts.
anonanon
Saturday, June 17, 2006
 
 
"This is the reason software companies like piracy."

No. We. Don't.

Once a product gains momentum, you can see a slight marketing effect of piracy, but only where there isn't a try-before-you-buy or crippleware version available. BUT you have to be established for this to work, and it therefore is moot in a case like the OP is talking about.

I've had feedback from customers saying that they're GLAD there's copy protection on the software they bought from us, because it means there's less likely to be freeloaders getting for free what our clients have paid for.

And I know for a fact that one of our (cheaper!) competitors who went with just a token protection scheme (i.e. easy to circumvent if you are computer-literate) has been selling significantly less than us. And this is even in markets of high-piracy - they make NO sales there, and we make some (bearing in mind they're low-income countries).

So don't go around taking exceptions to the rule and making out like they're the rule. Protect your app.
Larger Than mISV
Saturday, June 17, 2006
 
 
Yes, it was meant as an interesting aside not a general truth! If you are a monopoly with strong site licence sales your view is different to an ISV!

I produce shrink wrapped technical software at around $5K/seat. I use a hardware dongle because it is the simplest, most secure and fairest solution. The software functions in viewer only mode without the dongle and is downloaded freely from our site and handed out at shows.

What protection to use depends on the cost and market.

I used to make a $25k/seat app which had no protection at all, but we usually installed and configured it on-site and our customers were governments or banks.

If you make a $10 util you might be best only trying to collect site-licence type fees from government/big business users rather than try and issue track keys from 1000s of downloaders.

If it is a niche market (eg $100 visual studio add-in) then use keys and don't worry about the pirates. Users that will use a pirate copy probably wouldn't have paid anyway.
Martin
Saturday, June 17, 2006
 
 
> Here some links:

> http://www.xheo.com/
> http://www.aspack.com/asprotect.html
> http://www.siliconrealms.com/armadillo_engine.shtml
> http://www.smartassembly.com
> http://www.eziriz.com
> http://www.strongbit.com/

I tried more protections than those listed below. The strongest, most proof, most flexible from this list is really EXECryptor from http://www.strongbit.com/. It is not only my opinion. Most software vendors agree with me. The only thing I cannot understand is the absence of reviews of EXECryptor in the developer press, blogs or white papers. However, it has very good opinions in different programmers' discussions. I can assume it is one of those things where "its quality sells itself". The other "con" is that EXECryptor does not support the .NET platform, working only for win32 exe's, dll's and other PE's, and is only Windows compatible. However, for cross-platform apps licensing there is HardKey License Manager (also from strongbit.com). It has less 'bullet-proof' antireverse/anticrack but more advanced and flexible licensing features (however it remains unbroken, as does EXECryptor).
So if smb. really needs to solve the cracks/piracy problem, StrongBit really will DO.
By the way, as for .NET protection (the original thread subject), Strongbit partners with dotnet protector author 9Rays and, following their press release, they are planning to create universal app security.
I'm sure it is the only protection that warrants the attention of people looking for commercial program anticrack security tools.

Regards
Mad
EXECryptor user
Mad
Saturday, June 17, 2006
 
 
OP Ignore the people here that say they won't buy software that uses technique xyz or abc. It is most unlikely that they are your potential customers.

I've used software protection in my apps for years now and there is absolutely no question that sales have improved because of this. Sure it can be a hassle for legitimate users, but in my experience they are pretty understanding. The bottom line is to react quickly if there is an issue.

I'd look at product activation, like in XP and lots of obfuscation and red herrings in the code to hide what's truly happening.

eSellerate have a complete purchasing system along with activation. Have a look at that.
Neville Franks
Saturday, June 17, 2006
 
 
>> Again, all the filthy software thieves pop out to proclaim "One copy pirated != one lost sale" which is utterly false.

Uh, actually every single piece of software that I have on any system that I own is legally licensed.  Can you say the same?
SomeBody
Saturday, June 17, 2006
 
 
I can. And I hate pirates too.
AverageJoe
Sunday, June 18, 2006
 
 
Execryptor is easily hacked - you can download tools to unencrypt it (possibly not for the latest version). The problem with this and most general solutions is that the crackers don't have to break your app - just any app protected by the system and they are all broken.

XP product activation is ok but you have to have the infrastructure to cope, including phone support for all time zones!
It also has to work - we have abandoned one product because it fails every time the wireless LAN is enabled (presumably it reads the active MAC address).
Martin
Sunday, June 18, 2006
 
 
From the EXECryptor website:

"Write an article or review about EXECryptor in a developer targeted publication and get significant discounts."

Where I grew up this was called bribery.

At least we know why Mad gave such a lengthy, glowing review...
ShillFinder General
Sunday, June 18, 2006
 
 
1. What I've written is hard to call a "review"; it is mostly short feedback. Also, I bought EXECryptor before I left my opinion here, and further, before StrongBit posted their upgraded web site with the claim about a "discount for article".

2. There really are cracked versions of EXECryptor 1.x, launched until Summer 2004 and using an encryption method. That's why hackers found the decryption ways you tell about.
Since version 2.x (since July 2004) EXECryptor is built on a code morphing (obfuscation) method that cannot be analysed because it is not 'de-morphed' nor 'de-obfuscated' even when the protected app runs. So 2.x versions are not 'decrypted' and I think won't be in the near future.

Tuesday, June 20, 2006
 
 
Thank you everyone for your input.
We will definitely put licensing into our software.
The challenge will be getting the balance right between
our rights as the publishers and the users ease of use.
Thanks for the links as well.  Will explore them further.

Adam
Adam P.
Thursday, June 22, 2006
 
 

This topic is archived. No further replies will be accepted.
