Fog Creek Software
Discussion Board




How do we shut down pirate sites in China?

As a small software company, one of the largest enemies we have are the pirate sites.

The pirate sites distribute pirated copies of, well, lots of software, including ours.

Whenever our software gets pirated, the number of sales drops significantly.


I studied the issue and I shut down some of the pirate sites by writing their web hosting providers, and telling them (with proof) that the sites contain pirate software.

Most web hosters will shut down a site they host if you can prove to them that it contains pirate software.


However, there is one problem:

Many of the large web sites containing lots of pirated software are hosted in China. There are pirate web sites, hosted in China, which carry hundreads of different software packages!

Altough the sites are usually written in Chinese, many people in the US know about them, and download pirated software from them.

I never succeeded in taking down any of the sites hosted in China.


I wonder: is there an authority (police / electronic fraud investigation division, or something) in China that I can write to, and have them shut down the sites?

Software piracy hurts especially small software development companies.

Is there any institution in China which combats software piracy, and which can take down pirate sites?


Thank you!

Jericho
Sunday, September 21, 2003

This is a little-used provision in the DMCA that allows for an copyright owner to get an injunction ordering backbone providers to block access to sites from the US.

Last year the site Listen4ever.com was distributing thousands of songs copyrighted by RIAA members. The RIAA sued AT&T Broadband, Cable and Wireless, Sprint and UUNet to get them to block access to the site from the US. After the lawsuit was filed, the website came down the the RIAA dropped the lawsuit. See http://www.wired.com/news/mp3/0,1285,54689,00.html

John Brophy
Sunday, September 21, 2003

Not to be too ignorant, how did you find these websites?

Anonymous
Monday, September 22, 2003

> Last year the site Listen4ever.com was
> distributing thousands of songs copyrighted
> by RIAA members. The RIAA sued AT&T
> Broadband, Cable and Wireless, Sprint and
> UUNet to get them to block access to the site
> from the US.

That's the RIAA, an organization with a HUGE budget, compared to ours.

I wonder why Microsoft, Macromedia, Adobe or other large publishers don't do something about this.

I was wondering if there is something more accessible to a small firm, like calling the Chinese Police, Chinese BSA, or something.

Jericho
Monday, September 22, 2003

I struggled with the same problem a few years ago, when working in a software company. I managed to close down several sites listing pirated software, but they re-appeared the next day in some other place.

We thought about this for a while, and decided not to spend more energy to it than write to a web site hoster whenever we find a site like this, and ask them to shut down that site.

Why? Because a) we figured we could never put the pirates out of business without spending a lot of money (and even then the odds would be slim), and b) it wasn't actually hurting our sales.

Think about the latter one for a while: how many of those who use an illegal copy of your software, would ever pay for it? Probably not very many, so there you have the gain (increased sales) and cost (time and money spent hunting the pirates down) which you need to figure out.

Now, if there was someone somewhere who we could report the pirates, and who would actually do something (bring them to justice), I'd be willing to pay for such service. I have no sympathy for these creatures. But for a small software company the battle will, IMO, probably cost more than it's worth.

Antti Kurenniemi
Monday, September 22, 2003

We are really losing revenue when a pirated version or crack appears.

If a pirated version appears and spreads, our sales can drop to just 30% of the normal.


About pirate sites that appear again: yes, they may appear again, but it will take a while until users find out about the sites.

Jericho
Monday, September 22, 2003

How do you know that the drop in sales is because of these pirated / cracked copies? I'm not saying it's okay that they exist, but really I'd like to know.

When I worked for the company where I was involved with this stuff, I found cracked versions and unlocking keys from dozens of sites, every day, and it wasn't any more difficult than to do a google search.

However, I did keep on informing the hosting companies that there is illegal material in their systems, if for nothing else then at least to provide a little uncomfort to the crackers.

Antti Kurenniemi
Monday, September 22, 2003

Has anyone tried writing messages to the hackers in the software to see if they respond? From what I understand, cracking is a game of wits where the hacker gains prestige by hacking more and more difficult software... Though I'm sure some do it for profit "Photoshop for $15."

Has anyone put a small message in their code the hacker could decrypt asking them how to make their software more secure?

Odds are the response back would be "hire me to write your protection scheme" but on the off chance they're actually cool about it....

In an earlier thread someone suggested getting involved in the hacker community - by releasing hacked versions of your own software to gain prestige - and actually feature-limiting the hacked versions in subtle ways.

Mark T A W .com
Monday, September 22, 2003

> How do you know that the drop in sales is
> because of these pirated / cracked copies?

The spread of the pirated copies counts a lot.

I mean, if a pirated copy appears on an obscure site, our sales don't drop.

If a pirated copy appears on a large pirate site with forums which have hundreads of active users and thousands of visitors, then our sales drop.

If a pirated copy is easily accessible using Google, then our sales drop even more.


You could say it's just a coincidence.

No - it's not. I have seen too many times the effect "pirated copies appear --> large sales drop".

It's not a coincidence. :-(


Also, at one time, we have made some moves to invalide a crack which was quite spread out.

First there was a working crack.

Then we made the moves to invalidate the crack.

When the user tried to crack the software, the crack didn't work (the software was still in trial mode), and the purchase link in our software changed to a special purchase link.


That special purchase link was used ONLY if the user tried to crack the software.

So, by counting sales through this link, we knew how many people have first tried to crack the software, it didn't work, and then purchased it.

I won't give you the exact percentage - but a lot of users try to crack the product, and buy it only if it doesn't work.


Also, most of the times we invalidate a crack, our sales go up.

These are not coincidences.

Jericho
Monday, September 22, 2003

I'm curious - does your website generate the top hits on Google and other search engines when someone types in your software name as a search term? If not, that might be one way of reducing the effects of the cracking (and is so damn obvious I'm sure you've already considered it), particularly if you could reduce the crack sites to the third or subsequent page of hits.


Monday, September 22, 2003

Jericho,

that was actually a pretty neat idea, having the crack change the link :-)  I never thought of that.

I hope you'll figure out a way to contact some authority in China or any other place where a lot of pirated stuff is hosted. Just don't get too hung up with piracy, don't let it affect your development too much (i.e. don't spend too much time & money on it, not more than it's worth).

All the best,

Antti Kurenniemi
Monday, September 22, 2003

China is not part of the international copyright treaty, in other words these Chinese sites are legal in their country of hosting so there is very little you can do about it.

The best way to reduce piracy, IMHO, is to add lots, and I mean lots, of different crack-detection schemes in, and have most of them trigger only in obscure circumstances or after a period of time. Most pirates do no more than run the cracked product to see if it works, by adding layers of 'cracking' you can cut out a large portion of this piracy (for a time anyway, they'll do it eventually) - this approach worked very well for Spyro The Dragon (different world, I know).

Mr Jack
Monday, September 22, 2003

Someone suggested, and I have to agree - change your application a lot and change the protection scheme each time. After a few months of "version of the week" then casual surfers will quickly get frustrated trying to find a crack that works.
I'd also suggest not changing version numbers while you do this - change them internally, but externally stay with 3.4 (or whatever). The dates on the exe will change, but you can recompile daily to keep *that* from being a valid tracking mechanism.

Spend 1-2 months now (or after your next stable deployment) just tap-dancing protection schemes, then do a switch every other month after that.

Figure most people would give up after 2-3 cracks not working.

As for why the big boys don't care:
1) They make their money on business licenses
2) Most businesses try a lot harder to be honest
3) They know chasing crackers is a zero-sum game
4) If people are cracking their software, that means they're using it. Then when the boss asks "what [x] app should we get" more people will say the "right" answer. This is known as the crack dealer approach. :)

Philo

Philo
Monday, September 22, 2003

The problem is that they buy license keys with stolen credit cards.

After they distribute the license keys, we find out, and add the keys to the blacklists.

After this, they simply host the old version of the app (without that key in the blacklist) on a Chinese web server, together with the working stolen key.

They win, end of story. :-(

Jericho
Monday, September 22, 2003

A 30% swing on a arrival at a pirate site?  What is your software?  How is it distributed and why would 30% of your business disappear?  Does it need to be "refreshed" that often?

The number sounds like the RIAA's and "10% loss of revenue on pirates"  It could not have been because of the economy, it had to be piracy?

MSHack
Monday, September 22, 2003

I understand you have a license server serving keys to workstations. This LS is hosted in China by the pirates.

Then you need to verify the license server and make sure is an authorized one.

Dino
Monday, September 22, 2003

There are several "levels" of piracy:

Level 1 - a pirated version or a crack appears on an obscure site such as a cracker's personal site

Level 2 - the pirated version or crack spreads to several small sites

Level 3 - the pirated version or crack spreads to at least a large site with hundreads of active users, like the sites hosted in China

Level 4 - the pirated version or crack spreads to a lot of sites, and can be found in 15 minutes using Google or Google Groups


The large drop in purchases happened several times, exactly at the moments when piracy reached level 3.

But in order to combat piracy effectively, you have to combat it when it is at level 2 (or level 1, but level 1 piracy is very hard to detect), otherwise, you have little chance of holding them off.

Unfortunately we are not able to defeat them, but we can slow them down a lot - and if we slow them down for 2 months, for example, that's two months worth of increased sales.

I have also calculated that it actually makes good business sense to hire an anti-piracy guy and have him work for maybe 16 hours per week in combating piracy.

Jericho
Monday, September 22, 2003

> I understand you have a license server serving
> keys to workstations. This LS is hosted in China
> by the pirates.

No. They simply have HTTP servers serving:

- the program installation kit

- the license key

:-(

Jericho
Monday, September 22, 2003

So why not have your registration thingy talk to *your* server?
"Here I am, using this license key and these registration details"
"Very well - you're good to go"

Then when a key is compromised, you add it to a kill list - any attempts to register with that key immediately disable the software.

You can also run this authorization via email, with the same result.

Is it just me? You keep swatting down suggestions about what you can do to combat the problem. Why are you posting here? To whine and hope some uberlobbyist will jump into the fray and shut down all piracy in China tomorrow? Ain't gonna happen.

Philo

Philo
Monday, September 22, 2003

From Philo:
"So why not have your registration thingy talk to *your* server? "

Not all users have net access on all their PCs. So that could be a problem.

Martin Schultz
Monday, September 22, 2003

"No. They simply have HTTP servers serving:

- the program installation kit

- the license key"

Then your keys must be unique for each installation (machine dependent). Key deployment and allocation must  be controlled directly by your company (keys may be downloaded, returned, canceled, etc)

Check what Borland does with their JBuilder and try to do a similar thing.

Dino
Monday, September 22, 2003

Considering some of the reverse engineer I know, if your code is available anywhere, they'll break it if they really want to. Now,  those I know stick to the "legal" stuff, like kernel modification, porting Linux on WinCE hardware, doing device drivers and finding security holes. But if you can do those things, bypassing a program calling home is not that hard. They did it for dongles and all hardware protections so I don't see why software could work any better.

Saruman
Monday, September 22, 2003

It really depends on the application domain. Some applications are much easier to protect than others.

If you aren't selling something really useful to a large number of customers, crackers have better thing than to crack your software. They can spend their time much better trolling Tucows and the like looking for the next big challenge.

If you haven't spent a single iota of energy protecting your software its says a lot for how badly pirated your software will be.

Li-fan Chen
Monday, September 22, 2003

I have said this many times before but I don't know if it makes any difference, but if your software fit in the webservices to client-side client model of distribution you'll have a pretty good chance of refusing services (and hence, software) to people who don't pay. All you need is do what game designers do, determine the space (0 to 2^number-of-bits) and thinly populate that space with current and future valid keys. And then put the valid keys in an accessible lookup-authentication server that you control (hire someone qualified to lock it down).  If you catch dups just invalidate them. A good registration process after that will ensure the "victim" of the key leak will be provided with another valid key. After that, don't provide keys unless people pay you.

Li-fan Chen
Monday, September 22, 2003

Add anti-communist propoganda to your documentation (preferably in a Chinese-readable character set and language).

When your software gets pirated, point out to the chinese authorities that the webserver in question is hosting anti-communist propoganda.

Chinese gubment shuts down server.

Richard Ponton
Monday, September 22, 2003

For example if you need to create 5,000,000,000 keys, that's a little more than 2^32 (32 bits, or 4 bytes x 8 bits or 6 bytes hex or 8-12 chars of user friendly base32 key characters). So create a space around 5 billion or more than that around each key. That will double the number of registration keys. You then have 5,000,000,000 random valid keys that hide in a space of 25,000,000,000,000,000,000 or say 16-24 random user friendly characters. I think there are companies that uses much less than this or use (3)DES to decrypt back to valid text so that they don't have to do db lookups (The people who developed Quake uses this technique).

Now all you gotta do is have a lookup database of valid users and look these keys up. Table lookups of 32 char index tables are pretty quick and you can even optimize it to handle tens of thousands of concurrent access per second.

For good random numbers try MS's CryptoAPI's CryptGenRandom

For reasonably useful (but probably not as fast as you think) memory tables try DataSet in the .Net Framework. You can also peg most major RDBMs' tables in ram.

For a web services custom designed just for authentication try basic libraries like the ones talked about at http://www.continuumtechnologycenter.com/?1064279270170 or http://www.eecs.harvard.edu/~mdw/proj/seda/

Li-fan Chen
Monday, September 22, 2003

This ridiculous exercise requires you to have web services dependant shareware/commercial ware. Which means 24/7/365 for both the web services and the authentication server. And has the company lead you are also responsible for keeping the authentication server secured (don't leave it in a cohost, that kinda doesn't count).

Li-fan Chen
Monday, September 22, 2003

CryptGenRandom creates about 1,000 secret bytes a second for me on a P4 2.8, you'll need to modify the Provider in CryptoAPI to boost the solution to 50,000 bytes a sec if you want to use Intel's Hardware RNG.

Li-fan Chen
Monday, September 22, 2003

None of this will work, guys. The competent cracker will code around the call to the authentication server.

Give up - you can't do it. Either live with the parasites or change your business model.

pdq
Tuesday, September 23, 2003

pdq, the reason it will work is due to the fact that actual services dependent by the software needs to be served after you log in with the valid key.

If you say going around the authentication server will bypass this method that doesn't make sense.

It's the same principle as having to log into a website before using the services made available to registered users.

Li-fan Chen
Tuesday, September 23, 2003

Well actually I'll refine the solution proposed earlier.
A cracker can just try to get valid keys by challenging the server using a distributed parallel login attack. By having 200+ clients... each clients just has to carry out 100 login challenges per second and for 2 day you'll have just about exhausted the space (200 * 100 * 2 * 24 * 60 *60 = 3,456,000,000).. so basically your authentication server has to drag the bad connections through the mud when a bad key is provided.. possibility throttling all responses to last 10+ seconds before giving an answer.. but this has the problem of affecting the good users too. Or an authentication can lie.. but this is all half ass solutions, the best way is to probably use DES or something to ensure that valid keys decrypts to something meaningful, that way the key is the ciphertext and theoretically only those who has the DES secret key will be able to generate 1) valid and 2) decryptable secrets. The cost of this is that you have to add a 2-4 byte secret which is the signature for your company. like when you decrypt the key you must get a 0xCE in the 3rd byte and a 0xAF in the 5th byte.

Li-fan Chen
Tuesday, September 23, 2003

Forget what I said, the previous solution is fine, the space is billion billion.. not billion.

Li-fan Chen
Tuesday, September 23, 2003

Richard Ponton's comment sounds like the best idea.  Match their ingenuity with your own.  Only try not to make it too controversial so that they don't get shot for the trouble!

Alternatively perhaps time limit the keys.  If you add a time into the key that is decoded at runtime you can make them effectively have a 'sell by date' meaning the user needs to use it within a month of purchase for example.  If this key then creates a registration file that is tied to the machine the user can then back this up when changing things while you have a reasonably secure key system.

I expect that you will get customers wanting to move machines etc. and so needing a new key, but if they are able to quickly and easily email your customer support and get a new one for the purpose this shouldn't pose too much of a problem for the user.  I am perfectly happy to email ultraedit for my new keys for new versions of ultraedit for example. 

Ultimately the best thing is to just keep using your ingenuity, you probably can make an impact, just keep at it and try not to annoy the customers in the process.

Colin Newell
Wednesday, September 24, 2003

Adding to Colin's idea of deriving a key based on client's hardware try:

http://www.licenturion.com/xp/fully-licensed-wpa.txt

Li-fan Chen
Wednesday, September 24, 2003

> Is it just me? You keep swatting down
> suggestions about what you can do to
> combat the problem.

Philo, that's because I have already tried some of the suggestions, and I know what happens.


> Why are you posting here? To whine
> and hope some uberlobbyist will jump
> into the fray and shut down all piracy
> in China tomorrow?

No, Philo. I'm posting here because I know for a fact that there are a few people reading this forum which run small software development firms, and sell their own products.

If I tried something before, I describe it, so they don't have to try it for themselves to see that it's wrong.

Jericho
Thursday, September 25, 2003

Jericho, which methods are you using for your current product line?
Can you elaborate on exact techniques and tell us what sort of software you are trying to protect (URLs are fine)...

Li-fan chen
Thursday, September 25, 2003

*  Recent Topics

*  Fog Creek Home