Opinions on piracy and anti-piracy techniques

Does anybody use advanced anti-piracy systems? Or does anybody NOT use advanced anti-piracy systems with the software which they write? Please write briefly what you do with your software? I am just curious. :wink: Also, what are people’s opinions on piracy? Do you think people should pay hefty fines for piracy? Do you think it is harsh to put systems down to get ‘pirates’ into trouble?

Thanks

We use such a system in the IDE but I’m not at liberty to detail what we’ve done
So far it seems reasonably effective at stopping crackers

There are a lot of techniques you could use. For one, I don’t store plaintext strings in my applications anymore. Instead, I create a function called ‘cypher’ and do something like:

STANDARD METHOD:
tokenContent = "bios get version"

MY WAY:
tokenContent = cypher("46516d6cd67b3fb0fb2843070d9ca1cdebfc244c")

The cypher method does the following:

It checks the last 6 digits of the passed content, which is used as a checksum. If it passes, it will go decypher and return the hex string, using part of the REGISTRATION KEY as the password itself for decyphering. The REGISTRATION KEY is calculated based on a HARDWARE ID from their system, and a value that only I know (which is based on information such as control information on the app, i.e. TOP, LEFT, HEIGHT, WIDTH, VALUES, etc.). This way, if they tamper with the REGISTRATION KEY or HARDWARE ID key and simply bypassed the standard check (it’s just a boolean, which is easy to bypass by any cracker), then when the application launched, all the controls on the window would be jumbled and full of garbage text (again, since the REGISTRATION KEY itself is used to place the controls and its content within the application).

I may end up sharing my classes for the public to use. Still debating.
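
The scheme described in the post above, sketched in Python as an added example (not the poster's classes and not code from this thread). `VENDOR_SECRET`, `registration_key`, `make_token` and the SHA-256 keystream are assumptions standing in for details the post does not give.

```python
import hashlib

# Assumption: stands in for the "value that only I know" from the post.
VENDOR_SECRET = b"constructed-vendor-secret"

def registration_key(hardware_id: str) -> str:
    """Registration key derived from the hardware ID and the vendor-only value."""
    return hashlib.sha256(VENDOR_SECRET + hardware_id.encode()).hexdigest()[:32]

def _keystream(reg_key: str, n: int) -> bytes:
    # SHA-256 in counter mode, keyed with part of the registration key.
    password = reg_key[:16].encode()
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(password + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def _checksum(body_hex: str) -> str:
    # Unkeyed: detects a corrupted or edited token, nothing more.
    return hashlib.sha256(body_hex.encode()).hexdigest()[:6]

def make_token(plaintext: str, reg_key: str) -> str:
    """Build-time step: hex ciphertext followed by a 6-digit checksum."""
    data = plaintext.encode()
    body = bytes(a ^ b for a, b in zip(data, _keystream(reg_key, len(data)))).hex()
    return body + _checksum(body)

def cypher(token: str, reg_key: str) -> bytes:
    """Run-time step: verify the last 6 digits, then decipher with the key."""
    body, check = token[:-6], token[-6:]
    if _checksum(body) != check:
        raise ValueError("token checksum mismatch")
    data = bytes.fromhex(body)
    return bytes(a ^ b for a, b in zip(data, _keystream(reg_key, len(data))))
```

With a wrong registration key the call still returns bytes, just not the original string, which is the behaviour the post relies on once the boolean check is bypassed. Every token shares the same keystream under one key, so this is obfuscation of string literals, not confidentiality against someone who holds one valid key.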

[quote=45864:@Eric Brown]There are a lot of techniques you could use. For one, I don’t store plaintext strings in my applications anymore. Instead, I create a function called ‘cypher’ and do something like:

STANDARD METHOD:
tokenContent = "bios get version"

MY WAY:
tokenContent = cypher("46516d6cd67b3fb0fb2843070d9ca1cdebfc244c")

The cypher method does the following:

It checks the last 6 digits of the passed content, which is used as a checksum. If it passes, it will go decypher and return the hex string, using part of the REGISTRATION KEY as the password itself for decyphering. The REGISTRATION KEY is calculated based on a HARDWARE ID from their system, and a value that only I know (which is based on information such as control information on the app, i.e. TOP, LEFT, HEIGHT, WIDTH, VALUES, etc.). This way, if they tamper with the REGISTRATION KEY or HARDWARE ID key and simply bypassed the standard check (it’s just a boolean, which is easy to bypass by any cracker), then when the application launched, all the controls on the window would be jumbled and full of garbage text (again, since the REGISTRATION KEY itself is used to place the controls and its content within the application).

I may end up sharing my classes for the public to use. Still debating.[/quote]
Does this take much work to implement? Do you just use this for the registration key and nothing else?

Thanks in advance

IMO the author of any works (software or other) should have the full right, with all of it reserved, to decide whether their work can be copied freely or only obtained through commercial means.

It just doesn’t seem ethical to me that a person who made no contribution in terms of energy, intellectual ideas or financial investment, gives themselves the right to take ownership decisions over the works of others.

I guess that makes me an anti-pirate, who does occasionally submit some of my works to the public domain for those who might find it helpful.

Piracy is immaterial. Focus on maximizing revenues. If you can find something to charge for that can’t be copied, you might actually do better than inconveniencing your users to ensure payment.

I’ve always read that no matter how much effort you put in, any protection can be cracked, so you tend to end up spending resources to protect your product instead of using those resources to develop your product. Using your resources to develop your product is in my opinion probably the better way of using one’s resources (since they are always limited).

Also if you have a product that you are convinced would be something a lot of people would be interested in, it can help you get into the market by not worrying about the piracy. I think that in the early days most people had pirated copies of Microsoft’s product (DOS, windows, office) and that helped them gain market dominance. Nowadays (after having cornered the market) they put money into making sure licenses are legal, but in the early days they didn’t. It helped them for sure.

In the old days we also had shareware which was distributed with software magazines for free. I read an interview with a programmer that said that about 10% of the people that received a copy ended up registering the software. But even with the 10% he made more money than having to go with a company that distributed his software, because all the money ended up going to him with no man in the middle.

Lastly if your copy protection prevents real clients from running your product (yes, this has happened with some companies, think for instance about the Internet always on protection in some games nowadays) the whole thing can backfire and your customers can be alienated from your company.

Lots of stuff to take into account. I guess everyone decides for themselves which way they want to go.

The more people can’t afford to pay for your software, or the more overvalued they think it is, the more likely they will pirate it.

Use a simple protection system, no need to spend money on something that is crackable, no matter the system you use!

Then spend a bit of time uploading a crippled version of your software to pirate sites as cracked, complete with license details. I’d upload a few versions under the names of well known cracking groups, some of these versions would cause damage to file systems, I’d have it included in the agreement too, something they are just going to click through.

This will delay the real crackers for awhile, and sometimes even stop them altogether.

Time trials are useless, removing any data you add to track time can easily be removed to reset the trial.

I would NOT suggest that. In many countries it would be considered as malicious code. You could end up in the court for that.

Also it could turn back on you. Many virus checkers might block your application.

[quote=46045:@John Hansen]I would NOT suggest that. In many countries it would be considered as malicious code. You could end up in the court for that.

Also it could turn back on you. Many virus checkers might block your application.[/quote]

Good point, but not valid. I don’t know one user agreement that states court proceedings will be conducted in any country other than the country it’s developed in. So if you were to try and sue, then you’d need to come here and do it.

Like I said, it’s in the agreement.

[quote=46001:@Charlie McCormack]The more people can’t afford to pay for your software, or the more overvalued they think it is, the more likely they will pirate it.

Use a simple protection system, no need to spend money on something that is crackable, no matter the system you use!

Then spend a bit of time uploading a crippled version of your software to pirate sites as cracked, complete with license details. I’d upload a few versions under the names of well known cracking groups, some of these versions would cause damage to file systems, I’d have it included in the agreement too, something they are just going to click through.

This will delay the real crackers for awhile, and sometimes even stop them altogether.

Time trials are useless, removing any data you add to track time can easily be removed to reset the trial.[/quote]
This is a very good idea. I have thought of this myself.

[quote=46045:@John Hansen]I would NOT suggest that. In many countries it would be considered as malicious code. You could end up in the court for that.

Also it could turn back on you. Many virus checkers might block your application.[/quote]
Malicious code for ‘pirating’ your own software??

Anti-copy and the like have come back and forth since the dawn of computer age. Truth is, does it inconvenience more legal users, or pirates? Selling mostly fonts a few years ago, I could not technically protect them once they were installed. And sure enough, a guy came to my site, purchased a MICR font with a stolen credit card, turned around and started selling it on eBay. Fortunately, someone reported it and I was able to stop that.

Having no way to protect my creations made me a bit wiser: instead of just trying to keep what I had, I started launching new products on a regular basis. I find it a lot more important to keep sales high. Pirates are like taxes. They will never go away. Better try to exist in spite of them, than to confront.

As far as protection goes, I like the concept used by Xojo (RB) of a simple license one purchases to get features. It seems pretty robust, and at the same time, easy for the user. Just buy a license, and you’re on. It is commercially very sound: no complicated scheme, and easy renewal offers. After all, getting the customer happy is just as important in terms of sales as discouraging pirates.

Just my two cents…

Just for fun, here’s a rundown of some unique anti-piracy techniques.

From my limited experience here goes.

#1 Use the Mac App Store:

  • It’s really easy for the end user and provides some basic copy protection (they still get cracked).
  • You have to implement your own system to sell elsewhere (including bundles, which are profitable).

#2 Developing your own system:

  • More control, allows you to sell via many places and can ship updates much quicker.
  • Customers can run into issues where they can’t enter the serial number correctly (don’t know exactly why) and this makes them most frustrated.
  • Customers don’t keep e-mails and don’t recall where they purchased from, which makes them angry and your problem when this happens, seriously!

If you are going to use your own system, here’s what I would recommend based upon my experience. Create your own registration/activation system. Avoid eSellerate, while they’ll generate serial numbers for you and manage an activation solution, you are still locked out from bundles (unless you want to pay them even more money). They also don’t listen or care about small developers so they’re not going to improve their system. Plus eSellerate actively block users from certain countries!

Like others say, you can invest all the time in the world to protecting your application, and they’ll still break it. Sometimes it’s not because they want to steal your software, it’s because they want a challenge.

  • I would suggest avoiding serial numbers altogether, use e-mail addresses as these are easier for customers to remember (although they do change their e-mail and forget their previous one).
  • Keep it light to avoid the simplest person from just sharing their serial number, or copying the app from one computer to many others.
  • Break apart your registration routine in several methods.
  • Have multiple places your app re-evaluates the registration, and use different code every time.
  • Avoid IF…Then or Select Case statements as these are the easiest to crack, basically any binary switch (if yes then, if no then).
  • Mostly make it as easy as possible for customers to activate your application, get the help of non-techie people to try (don’t give them any hints) and let them streamline the process. Remember you want it so simple for paying customers they don’t even have to think.

One of the first things I did when I joined my current company was crack their copy protection and rewrite it. I need to do that again. Or, more likely, have the next young buck coming up in the ranks do it for me. I don’t know if I have the patience for it any more.

That said, we are fortunate that our anti-piracy needs have been very modest. The service we provide is worth more than our software. The software is just a tool. Somebody could duplicate our product, but not our service. That’s our value-add, and protects us more than any anti-piracy technique.

And that said, I am positioning a piece of our product line for the broader market, so I am very interested in this topic again. I’m leaning toward building my own serial number generation/copy protection system. But I haven’t made that decision yet.

How would it be if you could use a user’s real postal address as the actual seed of a serial number?

How would it be if you could use a users real postal address as the actual seed of a serial number?

Surely this would make them think twice about putting up a copy on the Internet?

The reason why I feel this is the way to go, is it makes who then sells the product irrelevant. When you use a service like eSellerate, and their solution it becomes harder to sell outside their solution (due to their activation fees). Whereas if I had my own serial/activation system. It no longer matters, if I had to endure the crappy system, I can easily change that without breaking existing apps or causing hassle for existing customers.

[quote=46286:@Charlie McCormack]How would it be if you could use a user’s real postal address as the actual seed of a serial number?
Surely this would make them think twice about putting up a copy on the Internet?[/quote]
In the past we linked serial numbers to e-mail addresses, we then found that some customers use false information with a stolen credit card. So you then have to deal with a chargeback and they have a free copy. Plus it also helps them to break your serial number routine.

What I’m considering right now, is not to use a serial number engine, at all. Simply to get the application to connect online (this will require the user to have an internet connection) and to see if a hash of their e-mail address and application identifier exists on my server. If it does then complete the process (and grab a hash of a hardware ID), so you can tell if it’s the same machine or a new one.

This way you have no identifying information for any of your customers, in case your system gets compromised. No serial number mechanism to get fooled with a Keygen. Albeit it could probably still be cracked.

I’m just trying to think of a way of storing within the application an identifier to show that the application is registered without using a serial number, and in a way that makes it more difficult for people to fake or just copy a prefs file from one machine t’other.

In the Windows world I built an app that I delivered on a CD. In this case the CD belonged to a reseller and when they sold my product they would get a commission payment. I created an ISO image of the CD then patched the reseller code before burning (with a Xojo app). Now I know this is out of the normal loop, but I wonder if a delivery system that could patch an installation with a unique serial number and hash a fingerprint of the installed device would be a useful community project.

What about storing the hash of the hardware ID in an encrypted SQLite database. When the program starts up, it verifies the hash in the SQLite database with the actual hash. If it doesn’t match, the product needs to be registered online first.
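
The online activation idea and the stored hardware-hash check from the last two posts, sketched in Python as an added example (not code from any poster). The server-side pepper, the two-machine limit and all names are assumptions. The keyed row hash goes one step beyond the posts: it means a leaked table cannot be matched against guessed e-mail addresses without the pepper.

```python
import hashlib
import hmac

SERVER_PEPPER = b"constructed-server-side-key"  # assumption: stored apart from the database
MAX_MACHINES = 2                                 # assumption: machines allowed per purchase

def account_hash(email: str, app_id: str) -> str:
    """Client side: hash of the normalised e-mail address plus application identifier."""
    return hashlib.sha256(f"{email.strip().lower()}|{app_id}".encode()).hexdigest()

def hardware_hash(hardware_id: str) -> str:
    return hashlib.sha256(hardware_id.encode()).hexdigest()

class ActivationServer:
    def __init__(self):
        self.accounts = {}  # keyed account hash -> set of hardware hashes, no e-mail stored

    def _row_key(self, acct: str) -> str:
        return hmac.new(SERVER_PEPPER, acct.encode(), hashlib.sha256).hexdigest()

    def record_purchase(self, acct: str) -> None:
        self.accounts.setdefault(self._row_key(acct), set())

    def activate(self, acct: str, hw: str) -> str:
        machines = self.accounts.get(self._row_key(acct))
        if machines is None:
            return "unknown-account"
        if hw in machines:
            return "same-machine"
        if len(machines) >= MAX_MACHINES:
            return "limit-reached"
        machines.add(hw)
        return "new-machine"

def needs_online_registration(stored_hw_hash: str, current_hardware_id: str) -> bool:
    """Startup check: a record copied from another machine will not match."""
    return not hmac.compare_digest(stored_hw_hash, hardware_hash(current_hardware_id))
```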