Fog Creek Software
Discussion Board




Piracy protection of "non-programmatic" products..

OK, the title may be slightly misleading but I hope not! What i'm trying to get is people's experience of trying to prevent piracy of "script-like" products. For example, at the moment, i'm working on a system designed to be a generic solution to be deployed on people's intranets, and served via a standard web server + .NET. SO far so good. It's essentially at heart just a set of .aspx pages. Maybe a few custom components thrown in, but there needn't be in general.

So how do you stop people just copying this and installing it a thousand times? If i'm trying to make money selling it, if it turns up on the net next week (vanity perhaps here) I won't make so much. OK this is a greed point maybe, but the point is still valid I think. With installed software you can at least try and do things like online registration, keys, etc. With something you can just drop into a directory and run... Well...

What do people think? Is it naive, anti-open source, or whatever, just to try?

Andrew Cherry
Thursday, July 25, 2002

I think your best bet is to create a valuable product, set a fair price, make it clear that the product is not free and make it easy to pay for.

pb
Thursday, July 25, 2002

I'd try to think of a way to have it very infrequently (say once a month) send the registration id to your authentication server.

Upside:
They don't know you're on to them for the first month, then they're trapped into paying.

Downside:
You may not have access to the internet, might make cranky sysadmins or paranoia nuts angry.

I know some webserver backend software uses this technique.

b
Thursday, July 25, 2002

Become a consultant, hire yourself out for $250/hour and provide the software as a service.  You provide support, training documentation and upgrades.  They know they can copy it and install it, once they understand it.  Stick something like the GPL in there that obligates them to notify you when they change it.  Make yourself an addiction to them.  You'll have money coming out the wazoo.

Nat Ersoz
Thursday, July 25, 2002

Hmm, I've seen that on television shows. Only the soft ware was a soft drug...

Erik van Linstee
Friday, July 26, 2002

""Downside:
You may not have access to the internet, might make cranky sysadmins or paranoia nuts angry.
""

MM... I'd be rather shocked to hear anybody calling me a "paranoia nut", but I do know for sure that if I buy a software product (_any_ software product) that tries to "phone home" _and_ I haven't been told so before (that's the important part), then you can be sure I'll be more than angry, I'll be _ballistic_.

If the software producer is upfront about the need for the product to contact their servers (and I mean, upfront, not some clause hidden on page 37 of their EULA), then I might (or might not) use the product, but I know what I have to accept. But for a product to do so "underhand"? I'd consider it a breach of contract and of trust. I _might_ go on using the product, if I have no other choice and I really need it desperately... but that's going to be _very_ desperate indeed. And you can bet that I will think twice before trusting the vendor again.

To sum it up, I consider it to be a low trick. Now that everybody talks of "trusting and working with" your clients, of being "your client's partner in success"... well, think of what you'd feel if your partner pulled a trick like that.

It's not a case of paranoia (after all, if the "server" where the program is running doesn't need to access the internet, then it'll be firewalled out of it.. it's just standard security practice, I think, so the program won't be able to access the 'net), it's just a case of misplaced trust.

my €0.02

Javier JJ
Friday, July 26, 2002

Hmmm - i'd like to think that I could make money charging for support for a product, and giving the product away. But I think that with the kind of product I do, if you need paid support, i've failed with the usability! This isn't something that a reasonable sized company, given time, and resources, and a few people with knowledge in the right areas in the IT dept. couldn't produce themselves. The selling point is that you don't have to. Install it, and it runs, for a sum in the hundreds, rather than paying developers to do a couple of weeks programming, which would cost more.

And I don't really think the idea of "phoning home" is going to win me any friends! I used to work for a company where you had to activate the product first time you used it... I think that worked fairly well, but wouldn need connection to the net...

Hmmm it's a minefield really...

Andrew Cherry
Friday, July 26, 2002

Package your functionality as a COM component.

Hugh Wells
Friday, July 26, 2002

[i'm working on a system designed to be a generic solution to be deployed on people's intranets, and served via a standard web server + .NET]

I would just like to point out that even if you compile your scripts into classes and then obfuscate them they can till be reverse engineered fairly easy given the nature of .Net and the IL code compiling generates. I think this is why we are seeing more source code released (not always for free) with .Net products, especially developer related ones such as simple components. We know that people will bust open any product regardless of the protection schemes. .Net makes this even easier with diassemblers for the IL code. So why not just release the source code and protect yourself through legal means? It's a tough choice that I've had to face myself and there is no easy answer. It depends on your particular product and the situation.

Ian Stallings
Friday, July 26, 2002

oh btw, there's a name for apps that phone home without telling - spy ware. I see that as a breech of trust. If you tell me up front I can make a choice to go/no go with the installation. But if it's hidden, ugh. No thanks.  Norton phones home all the time and I love it. Other products are not so up front but easily caught.

Ian Stallings
Friday, July 26, 2002

Actually, I meant, and should have specified, package the functionality as C++ COM components.

Hugh Wells
Friday, July 26, 2002

As an aside, relying on "legal" protection strikes me as naive. The open source world is full of rip-offs. I've seen some of my own code from years ago appearing with some other b's name claiming authorship and rights. 

Hugh Wells
Friday, July 26, 2002

Name One.

Nat Ersoz
Friday, July 26, 2002

I'm with one of the previous posters. Make a valuable product and offer it at a fair price, -and- offer support for the product, and companies will buy it from you.

If you're worried about your script being used illegally by companies, don't. It is true that if you release your script, and have any publicity at all, it -will- be pirated. Release groups vie for new releases, even of script-based web applications. The thing is, these folks are good at what they do, and if you make your software phone home, they will notice, and in all subsequent versions they will make a point of taking that functionality out (or of telling people what ip range to add to their firewall). However, scripts usually aren't spread very widely beyond the narrow confines of the 'scene' unless they're wildly popular. Pirated versions of your script may make their way onto personal websites, etc, where people don't have the money or inclination to pay for your software, but companies usually have higher standards about piracy.

If companies won't buy your software, you have bigger problems than piracy.

Anon
Friday, July 26, 2002

> Name One.

Put up or shut-up, right? I don't want to go down that route. It's not important, they're not making squillions and I don't beleive in hassling people without reason.

Hugh Wells
Friday, July 26, 2002

"> Name One.

Put up or shut-up, right? I don't want to go down that route. It's not important, they're not making squillions and I don't beleive in hassling people without reason.

"

No, you just painted the whole group of Open Source authors with a wide brush, and that's that.... I'm not saying it's not _possible_, just that I'd consider it quite unlikely, considering how easy that's to prove when the code is open (diff works wonders). I'm assuming you're talking about some _code_ you released some time ago, not an app that mimics another app you wrote. That's different, and quite common. And not illegal / wrong at all, at least from my POW.
But using some one else's code in an open product and not give attribution... well, that's strange and quite useless (no point in doing that), too, IMO.

The only cases I've know about are the other way round, finding open code in someone else's (closed) product.

My 0.001 € (I'm feeling cheap today :)

Javier JJ
Saturday, July 27, 2002

> Stick something like the GPL in there that obligates them to notify you when they change it.

The GPL has no such requirement.

Daryl Oidy
Sunday, July 28, 2002

Of course legal protection isn't gonna protect you against people that steal the software, that's already been proven time and again but it does offer something. There is no technique that cannot be reverse engineered. It's just one step to protect yourself. If it was totally invaluable then why do large software companies protect themselves legally? Do you not protect yourself legally?

People will always try and steal your material, that's to be expected when you are selling software. But if you intend to make a profit you should use due diligence to protect yourself using both technical and legal means. How far you want to go with those are up to you.

Ian Stallings
Sunday, July 28, 2002

*  Recent Topics

*  Fog Creek Home