AQ is exceedingly easy to circumvent. Wish I could find the source, but a journalist with very little hacking experience was able to break it in about 30 minutes. Worse, there are tools available that allow a user to drop in an AQ app and get back a registered app.
AQ is a very simple system. These hacks work by replacing the public key embedded in the app with a new one, one where the private key is known. Then the registration data is simply signed using the new private key, and the app doesn’t even realize there is a problem.
Public Key Cryptography is about the best we’re going to get at the moment, but Aquatic Prime is not even close to a fool-proof implementation of it.
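The key-replacement attack described in this post is the reason a signature check alone is not enough. As an added illustration (this is not code from the thread, and it does not model Aquatic Prime’s real file format or key type), the Go program below verifies a signed license against an embedded Ed25519 public key and first checks that embedded key against a pinned SHA-256 fingerprint, so a license signed under a swapped-in key is rejected even though the attacker’s own signature is internally consistent. The field names, keys, customer values and the pinned fingerprint are all constructed at run time. Go is used because its standard library ships Ed25519, so nothing third-party is needed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// License is the registration data plus the vendor's signature over it.
// The field set is constructed for this example.
type License struct {
	Fields    map[string]string
	Signature []byte
}

// canonical serialises the fields in a fixed order so that signer and
// verifier hash exactly the same bytes.
func canonical(fields map[string]string) []byte {
	keys := make([]string, 0, len(fields))
	for k := range fields {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		fmt.Fprintf(&b, "%s=%s\n", k, fields[k])
	}
	return []byte(b.String())
}

// Issue is the vendor side: sign the fields with the vendor's private key.
func Issue(priv ed25519.PrivateKey, fields map[string]string) License {
	return License{Fields: fields, Signature: ed25519.Sign(priv, canonical(fields))}
}

// Fingerprint is the hex SHA-256 of a public key; the app ships with the
// fingerprint of its genuine key baked in.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

var (
	ErrKeyReplaced  = errors.New("embedded public key does not match the pinned fingerprint")
	ErrBadSignature = errors.New("license signature does not verify")
)

// Verify is the app side. Before trusting the embedded key it checks that the
// key is the one the build shipped with, then verifies the signature.
func Verify(embeddedPub ed25519.PublicKey, pinned string, lic License) error {
	if Fingerprint(embeddedPub) != pinned {
		return ErrKeyReplaced
	}
	if !ed25519.Verify(embeddedPub, canonical(lic.Fields), lic.Signature) {
		return ErrBadSignature
	}
	return nil
}

// DemoResult holds the outcome of the cases the thread discusses.
type DemoResult struct{ Genuine, TamperedFields, ForgedSignature, ReplacedKey error }

// Demo generates a vendor key pair and a second, unrelated key pair (both
// constructed at run time) and exercises Verify in each situation.
func Demo() DemoResult {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	otherPub, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pinned := Fingerprint(vendorPub)
	fields := map[string]string{"Name": "Example Customer", "Email": "user@example.invalid"}

	genuine := Issue(vendorPriv, fields) // signed by the vendor
	forged := Issue(otherPriv, fields)   // same fields, signed under some other key
	tampered := License{ // vendor signature kept, one field edited afterwards
		Fields:    map[string]string{"Name": "Example Customer", "Email": "other@example.invalid"},
		Signature: genuine.Signature,
	}
	return DemoResult{
		Genuine:         Verify(vendorPub, pinned, genuine),  // nil: accepted
		TamperedFields:  Verify(vendorPub, pinned, tampered), // signature no longer matches
		ForgedSignature: Verify(vendorPub, pinned, forged),   // unmodified app rejects it
		ReplacedKey:     Verify(otherPub, pinned, forged),    // swapped-in key is caught by the pin
	}
}

func main() {
	r := Demo()
	fmt.Println("genuine:", r.Genuine)
	fmt.Println("tampered fields:", r.TamperedFields)
	fmt.Println("forged signature:", r.ForgedSignature)
	fmt.Println("replaced key:", r.ReplacedKey)
}
```

The pin only moves the target: someone who patches the embedded key must now also find and patch the fingerprint constant and every place it is compared, which is the same cat-and-mouse the rest of the thread describes. What it does change is that a plain key swap, the attack this post describes, no longer passes silently.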
I made my own system where people need to be online to run the software the first time. They get 10 days of trial and then they can buy licenses (I give them 2) through PayPal - they can put in their own email if their main e-mail is different from the one they’ll use for PayPal, or use a credit card. Then they can activate their computer for one of their licenses. They get an activation email to their email address - this will then get the server to activate the software for them. Once a license has been used for more than 6 months, they can wipe it if they like to use it on a new computer.
Friendly customer service and an outrageously good program for a really cheap price combined with a no-brainer registration system is what I’m counting on.
Indeed - we can get so carried away worrying about the people who’re gonna steal the software, that we must not make it overly complicated for those who do choose to pay! It’s a fine balance and we must try our damnedest to adhere to it.
Even the PayPal site is accessed inside my software - and all help is in video - it just helps to make it as easy to use as possible (my software has 18 different guitar tools, including how to learn to sight-read music).
I haven’t released it yet as I’m still trying to get the activation letters to be automatic using web-services on the server.
That’s a good point, I’m sure it happens to me. I’m just nervous about forcing internet activation as I do have customers who say they install on non-connected computers. I guess there are ways around it though.
Those of you who do Internet Activation, do you allow more than one activation per license? I know the App Store allows up to five Macs per Apple ID, so just wondering if you guys allow multiple machines too? I’m considering adding Internet Activation, but not sure how generous to be!
The really good thing about Internet activation is that it gives you flexibility. First remember, internet activation is not about defeating hackers. They can/will hack around it, like any scheme. It’s about keeping honest people honest, specifically, it’s about them not sharing their code with 1000 of their closest friends.
On a previous product, I advocated (and implemented) that we have email address / activation code validation server side. So we assigned arbitrary, randomly generated codes tied to an email address. With each activation, we sent a SHA1’d hash that included a MAC address in the original data. Our license allowed activation on 3 computers. When our system detected an activation past the license limitation, it would just email us. If use of a code got out of hand, we’d manually shut it off. It would surprise you how few I had to shut off. Informing users that server activation is required before they purchase had plenty of “deterrent” effect. We also had a backdoor scheme for school LAN installation.
If you’re up front about it, you will get a few whiny potential customers with whatever sob story about how they are the only person in the developed world who can download the demo of your product, but can’t get on the Internet to activate. And you can use your discretion dealing with them if you like. I think the biggest key in server activation is to set a public policy but have the flexibility to enforce it selectively.
Another thing… if use of a code really gets out of hand, and some will, shut it off at the server, and make the customer contact you. When you reply, do a data dump on them of those SHA1’d hash codes, partial IP addresses, time, and date and suggest they buy a site license :-).
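The activation policy sketched in this post, together with the earlier post about a two-license system where a slot can be wiped after six months, can be written down as a small server-side model. This is an added example, not code from either poster: three machines per code, a known machine re-activating uses no slot, an activation past the limit is recorded and reported rather than blocked outright (the post says the server “would just email us”), a slot can only be freed after a minimum hold, and a code can be shut off so the customer has to get in touch, at which point the recorded activations are the “data dump” for that conversation. One assumption differs from the post: the machine identifier is hashed with HMAC-SHA-256 under a server secret rather than plain SHA-1, because the MAC address space is small enough that an unkeyed hash can be brute-forced back to the address. Code values, the secret and the machine identifiers are constructed; the partial-IP detail from the post is left out of the record for brevity.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Status is the outcome of an activation attempt.
type Status int

const (
	Activated        Status = iota // new machine, within the limit
	AlreadyActive                  // same machine again; no slot used
	OverLimitFlagged               // past the limit: recorded, vendor notified
	Rejected                       // unknown code, or one the vendor shut off
)

// Activation stores a keyed fingerprint of the machine and when it activated.
type Activation struct {
	Fingerprint string
	When        time.Time
}

// Code is one license code; set Disabled to shut it off (Activations is then the record shown to the customer).
type Code struct {
	Email       string
	Activations []Activation
	Disabled    bool
}

// Server holds the codes plus the policy from the posts: 3 machines per code, six-month hold before release.
type Server struct {
	secret  []byte
	Limit   int
	MinHold time.Duration
	Codes   map[string]*Code
}

func NewServer(secret []byte) *Server {
	return &Server{secret: secret, Limit: 3, MinHold: 182 * 24 * time.Hour, Codes: map[string]*Code{}}
}

// Register ties a freshly issued code to the buyer's email address.
func (s *Server) Register(code, email string) { s.Codes[code] = &Code{Email: email} }

// fingerprint keys the machine identifier with a server secret; an unkeyed hash of a MAC is brute-forceable.
func (s *Server) fingerprint(machineID string) string {
	m := hmac.New(sha256.New, s.secret)
	m.Write([]byte(machineID))
	return hex.EncodeToString(m.Sum(nil))[:16]
}

// Activate records an activation attempt and reports how it was handled.
func (s *Server) Activate(code, machineID string, now time.Time) Status {
	c, ok := s.Codes[code]
	if !ok || c.Disabled {
		return Rejected
	}
	fp := s.fingerprint(machineID)
	for _, a := range c.Activations {
		if a.Fingerprint == fp {
			return AlreadyActive
		}
	}
	c.Activations = append(c.Activations, Activation{fp, now})
	if len(c.Activations) > s.Limit {
		return OverLimitFlagged // the post emailed the vendor at this point
	}
	return Activated
}

// Release frees a machine's slot once it has been held for MinHold, so a code
// cannot be rotated through many machines while staying under the limit.
func (s *Server) Release(code, machineID string, now time.Time) error {
	c, ok := s.Codes[code]
	if !ok {
		return errors.New("unknown code")
	}
	fp := s.fingerprint(machineID)
	for i, a := range c.Activations {
		if a.Fingerprint != fp {
			continue
		}
		if now.Sub(a.When) < s.MinHold {
			return errors.New("activation too recent to release")
		}
		c.Activations = append(c.Activations[:i], c.Activations[i+1:]...)
		return nil
	}
	return errors.New("machine not activated under this code")
}

func main() {
	s := NewServer([]byte("constructed-server-secret"))
	s.Register("CODE-1", "user@example.invalid")
	fmt.Println(s.Activate("CODE-1", "00:11:22:33:44:55", time.Now()))
}
```

Keeping the over-limit activation as a recorded, flagged event rather than a hard refusal is what gives the “set a public policy but enforce it selectively” approach its room: the vendor sees the pattern before deciding to disable the code, and the customer who merely reinstalled on a replacement machine is not locked out automatically.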
We encourage people to share our software… but just the shareware releases, of course. For piracy protection, we developed a proprietary piece of software that is connected with our license management.
Personally, I think that this is the only way to go. I would never buy a commercial “anti-piracy suite”, because in case of fraud or security holes, we are much faster in fixing them than a third party would be.
Anyway, there is no really safe way of protecting intellectual property, besides a hardware dongle sold with every license… but I feel that this isn’t suited for the market we are serving.
And hardware dongles have been cracked since the dawn of the wheel…
Basic rule of thumb is, if you can write it, they can crack it. As Bard said very well, the systems should be there to keep the honest people honest, and it should be easy for them to do so.
But the point is that whatever scheme you use only has to be broken once. Amortized over all the non-paying users that want to steal from you, the per-user cost of a crack is low whether you have an “I paid” checkbox or a hardware dongle, if your software is interesting to a wide enough audience.
Indeed, I’m not disagreeing with that. There are several ways (more I’m sure) that I’ve come across with our own software.
#1 Distribution of serial numbers (dealt with via activation). #2 A keygen (again dealt with via activation). #3 Cracking. Not much you can do about it.
A casual user isn’t going to crack your software, but there are those who will do it, just for kicks. The more complicated you make the system, the more of a challenge it becomes. The crackers then post the software online for others to download for free. So your app that requires a dongle gets cracked and shared online for free, and your customers then download it and can use it without the dongle.
So what can you do about it?
From what I understand about cracking, it involves the use of a debugger (not the one in Xojo), which allows the cracker to see the compiled instructions and step through them as the application runs. They look for a binary switch:
if dongle.attached = true then
    activate
else
    complain
end if
Then they alter the binary to reverse the switch.
if dongle.attached <> true then
    activate
else
    complain
end if
Above is a simulated example, it looks nothing like it, but hopefully you can get the gist of what I’m saying.
Bear in mind that most crackers don’t actually use your software, they’ll simply crack it, test it and then move on.
Remember, you’re not trying to stop the crackers, you’re not trying to stop people from illegally downloading your software, the best case scenario for you, is to convert some of the users of the cracked version into paying customers.
Start by getting a solid update system, and releasing regular updates. This will increase the chances of a cracked version being replaced by a legit version; most of the time there is a gap between when you release a version and when a cracked version is online.
Place validation in obscure places that a cracker won’t find in their test, and make sure you use different validation code so they can’t do a search and replace. Like the 5th time a user saves a document.
Use the code signature to your advantage. A cracker can’t sign the cracked app with your code signature, so use that as a validation somewhere within the application, maybe when the user prints out the document.
When your application realizes it’s been cracked, alert the user that it’s been compromised and for their security they should download a safe version from your site. Don’t accuse them of stealing or being dishonest. A large number of people I questioned about piracy, honestly don’t think it’s a crime!
When it comes to support, grab the code signature from the app, then if the code signature is invalid, you can ask the user to download a fresh copy as theirs appears damaged.
Lastly, Apple’s “Move to Trash” dialog with unsigned apps has slowly made a difference; while some users will disable the option, others actually get nervous because of it. We’ll never stop piracy, but even mental triggers like this are helping us developers. It’s the fear that an unsigned app could be malicious.
As was surely said somewhere in the discussion, a software developer should carefully evaluate the cost/performance ratio when it comes to fraud prevention.
I think the average software developed in a similar way by dozens of other programmers isn’t worth a complex protection, regardless of how this is finally put into practice (hardware dongle, online activation, serial number tracking, etc.). While your unique million-euro idea (or dollars) definitely would be.
It’s also a balancing act between piracy protection and user convenience. Personally, I don’t like software that requires me to have a live Internet connection while running (a one-time online activation is acceptable, however).
I believe the ‘honor’ of being cracked is reserved for really successful software, and an easy way to find out the ranking order of your program is to look into a pirate search engine, such as https://kat.ph where you will be in excellent company with the best of the industry.
If you see your program there, then you are enough in demand for crackers to take an interest. Do what is needed. If not, then stop worrying about dongles, extra-paranoid code, and have a life. We all know that a good program often requires 90% of UI coding before it can be released. Do you really want to add the extra 9% in convoluted anti-boogie-man code? I’d rather spend that time issuing an extra app and make money from it.
Interesting topic, just one thing in my mind:
If we create an application and buy some protection online which will create a serial number, and it also adds in the code that ONLY 1 MACHINE can install it, and they also need to put in their PayPal ID email (for example), AND EVEN THOUGH someone shares your work on some fiverr.com, SO HOW IS IT POSSIBLE they crack that security?
AND WHY ARE WE SO ‘STUPID’ that we pay for some protections (or I will, I hope, in future) rather than give it away without any serial?
I think we can save money by not buying expensive licenses and subscriptions online from other web companies where you can manage your license from their servers.
Hmm…just think about it
[quote=80917:@db]Interesting topic, just one thing in my mind:
If we create an application and buy some protection online which will create a serial number, and it also adds in the code that ONLY 1 MACHINE can install it, and they also need to put in their PayPal ID email (for example), AND EVEN THOUGH someone shares your work on some fiverr.com, SO HOW IS IT POSSIBLE they crack that security?
AND WHY ARE WE SO ‘STUPID’ that we pay for some protections (or I will, I hope, in future) rather than give it away without any serial?
I think we can save money by not buying expensive licenses and subscriptions online from other web companies where you can manage your license from their servers.
Hmm…just think about it[/quote]
I literally have no idea what you’re trying to say.
I tried to say that every time there is someone who will crack some app, so I asked how to protect and if it’s even possible today, because I can imagine how many hours I’m spending now with the simple task I’m just learning now, and once I create really something and then someone steals it and cracks it even though I had some protection, so I’d rather give it for free lol
Then we found the solution: give the pirate’s address to db so he can “explain” that stealing software is a bad thing.
We will put a logo on our software: “protected by db”
I bought some games long time ago, and I tried to re-install them on my new Mac. But the serial I had was linked to the old Mac, so it doesn’t work. I don’t care because I don’t think I will pay again, I just wanted to re-install them just in case. But it’s not normal, I paid them and I can’t use them.
I hold the opinion that any kind of copy protection would harm your paying customer base more than creating more revenue.
The best instrument to control your licenses is a single online activation in combination with a Customer Center or Helpdesk, giving a customer some extra value.
Don’t harm your (paying) customers with serial numbers, activations or any limitation. That’s my advice.