Fog Creek Software
Discussion Board




enforcing licences

I am looking for a scheme to help prevent licence infringement (piracy protection) for a small shareware program. 

Does anyone have any suggestions? 

I have seen hashes that are created from the company and user name, but those are easy to defeat by just sending the licence hash around. 

http://www.summitsage.com/

christopher baus (tahoe, nv)
Thursday, October 16, 2003

There was a good discussion of this a few months ago:

http://discuss.fogcreek.com/joelonsoftware/default.asp?cmd=show&ixPost=44547&ixReplies=32

BTW, I like the design of your site.

Lee
Thursday, October 16, 2003

I agree, your site is just gorgeous!

Israel
Thursday, October 16, 2003

Thanks for the links and the praise on the site design.

I wish I could take credit for the design, but I think I can only take credit for knowing what I like and having the wherewithal to hire a designer that can do it.

So how do you all feel about using registration servers?  Good or evil?  That's what I am leaning towards.

christopher baus (tahoe, nv)
Thursday, October 16, 2003

your site IS gorgeous.... but it's not "Sensationable"

Control Freak
Thursday, October 16, 2003

Whatever ...  this thread really isn't about my web site which is obviously in alpha stage.

christopher baus (tahoe, nv)
Thursday, October 16, 2003

We use Armadillo (http://www.siliconrealms.com/armadillo.shtml) for protection of our prerelease builds given to not in-house partners. It runs fine and offers a reasonable protection level for our purposes. From what it looks like, it seems to offer all that is needed for shareware protection.

Dirk Ringe
Thursday, October 16, 2003

I am curious about this too (protection for a small shareware app, not the website).

I was going to go with the username/company name as key.

What I did think was perhaps generating a UID from something in the machine that won't change, presenting this 'registration' number to the user, and having them include this when requesting registration.

Trouble is, I do not know exactly how to find a UID on the machine. Perhaps there is some unique identifier encoded on the HDD?

Aussie Chick
Thursday, October 16, 2003

Aussie chick,

A common thing to do is use the MAC address in the ethernet card.  A LOT of privacy advocates find this evil though.  This is the primary reason Intel doesn't put a serial number in the chip.

christopher baus (tahoe, nv)
Thursday, October 16, 2003

For licencing, generate a unique (Random - not based on the PC) number or code and have them contact you (by phone or through an activation server) to retrieve a code, your system will generate a code based on their invoice number plus the unique code, your inhouse rego system will generate a code that you get them to plug into the system and register it. Using the random number, each code is only valid for one entry - so the next time the company has to reinstall they need to call you back (which most people don't seem to mind from my experience).

This is of course easily defeatable just like every other licencing scheme ever invented because the users only need to figure out where you are storing the rego details and copy that to other machines. But of course you have encoded the company's name into the rego code based on their invoice number so if you find codes for your program on the net you can trace it back to the invoice number. But this will only deter people if you are selling your software to proper companies who have a reputation to keep, and not to users using stolen credit cards who won't care if you ever trace it back to them.

And I know I shouldn't but I will, I am going to discuss your site:

Does anybody else find it incredibly annoying that you can't see the guy in the photos head? I kept trying to scroll up thinking there was more to the page.

Bob
Thursday, October 16, 2003

Grr..  Bob that's what my gf said about the web site.  Ahh man there goes the artsy fartsy design.  I feel I just lost that discussion.  I'll have to call the designer and get rid of the headless developer ; )

christopher baus (tahoe, nv)
Thursday, October 16, 2003

Christopher,

>> A common thing to do is use the MAC address in the ethernet card.  A LOT of privacy advocates find this evil though. <<

You just need to use a one-way hash (MD5 or SHA) of the MAC address - then the privacy issues go away.

I'm leaning towards this solution for our next project - but unfortunately it's .NET-only, so might not be suitable for you. Even if you can't use the solution, it's very useful reading Dan's analysis of the licencing problem.

HTH,

Mark

Mark Pearce
Thursday, October 16, 2003

Oops, sorry, here's the actual link!
http://www.desaware.com/DlsL2.htm

Mark Pearce
Thursday, October 16, 2003
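An added example in Go (not code from the thread or from the Desaware product Mark links) of the one-way machine id, with one refinement a practitioner would want: the hash is keyed with a random salt that stays on the user's machine, because an unkeyed MD5/SHA of a 48-bit MAC can be undone by enumerating the address space. The MAC addresses and salts are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
)

// NewSalt makes the per-installation secret. It is generated on the user's
// machine at first run and never sent to the vendor.
func NewSalt() ([]byte, error) {
	salt := make([]byte, 16)
	_, err := rand.Read(salt)
	return salt, err
}

// MachineToken is the one-way machine id the user quotes when registering. A bare
// MD5/SHA of a MAC can be undone by enumerating the 48-bit address space (far less
// once the vendor prefix is known); a salt kept on the machine makes that infeasible.
func MachineToken(mac string, salt []byte) (string, error) {
	hw, err := net.ParseMAC(mac) // accepts aa:bb:cc.., aa-bb-cc.., aabb.ccdd.eeff
	if err != nil {
		return "", err
	}
	if len(hw) != 6 || len(salt) < 16 {
		return "", errors.New("need a 48-bit MAC and a salt of at least 16 bytes")
	}
	h := hmac.New(sha256.New, salt)
	h.Write(hw)
	return hex.EncodeToString(h.Sum(nil)[:8]), nil // 64 bits is plenty for a licence record
}

// BoundToThisMachine is the start-up check: recompute the token from the
// current MAC and stored salt and compare it with the token the licence names.
func BoundToThisMachine(issued string, salt []byte, currentMAC string) bool {
	tok, err := MachineToken(currentMAC, salt)
	return err == nil && hmac.Equal([]byte(tok), []byte(issued))
}

func main() {
	salt, _ := NewSalt()
	tok, _ := MachineToken("00-1A-2B-3C-4D-5E", salt) // constructed sample address
	fmt.Println("token sent to vendor:", tok)
	fmt.Println("same card, other notation:", BoundToThisMachine(tok, salt, "00:1a:2b:3c:4d:5e"))
	fmt.Println("after a card swap:", BoundToThisMachine(tok, salt, "00:1a:2b:3c:4d:5f"))
}
```

The card-swap line shows the cost SomeBody and Matt raise later in the thread: a new network card means a new token, so the user has to re-register.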

If you want a unique ID on Windows, I think it's more robust to use GetVolumeInformation to get the C drive's serial number, instead of their MAC address. UUIDCreate used to return the MAC address in the last 12 digits but I think they did away with that in Win2K because of the privacy concern.

My small shareware product's validation scheme uses the 2nd, 8th and 4th digits (for example) to create a filename which it simply checks to see if it exists on my web page (the actual order is determined by the 3rd, 7th and 5th digits, for example).  So to invalidate a batch of reg codes, all I have to do is delete the corresponding file on the page.

Then every 2-3 weeks or so I generate a new batch of reg codes, upload the file.txt to my web page, delete the previous (actually two previous ago, I keep the one before that) and sit back. If a reg code gets out, it's only good for 4-6 weeks at most, until I delete it from the page.

And if somebody sniffs the packets, figures out the scheme then goes through the effort to set up a 127.0.0.1 dns entry and set up IIS or something to spoof my web site, I say they deserve my little app for free.... but I doubt anybody does that. My scheme mostly keeps them from posting a reg code bought with a stolen credit card on a warez site.  If they try, it's only good for a few weeks.

However, I also have a batch of always-good codes I can give out if somebody complains their code can't validate (usually due to firewalls, or they downloaded to their laptop and unplugged).  That rarely happens, though.

Shemp Stooge
Thursday, October 16, 2003

Do you want to limit access, or just make copies trackable?

The suggestions given (MAC address, drive serial number, etc.) will allow you to limit access. But they will also bother legitimate users if they switch hard drives, network cards or upgrade their machine.

If you're content enough with _tracking_ a registration, then you could use public key cryptography - The user fills their details, and you (using a private key) sign their request so that it can be checked -- but not forged -- with the public key.

Thus, if a registration code gets posted on news boards, you know who to blame and possibly blacklist in the next version.

Warning: Crypto stuff is _very_ easy to do wrong even when you use well known methods (e.g., the WiFi's original encryption standard). If you do choose this option, make sure you check your implementation details with someone who can properly evaluate it.

Ori Berger
Thursday, October 16, 2003

The problem with using a MAC address is that they can change. 

Of course, for most users they don't change very often but for some (for example, laptop users with PCMCIA network cards) they change very frequently.  A really insidious form of this occurs when a company manages software installations on laptops by plugging in a network card, installing the software, and then unplugging the card before handing it back to the user.  If you decide to go with MAC addresses, you might end up annoying the heck out of a small percentage of customers though this percentage can vary greatly depending on the application. 

The headless developer doesn't bother me as much as wondering where his chair and desk are!

SomeBody
Thursday, October 16, 2003

The MAC address thing is pretty common.  It's also easily defeatable because most ethernet cards will allow you to assign a MAC address.  This would probably prevent piracy by an unscrupulous business because they need to have unique MAC addresses on their internal network, but it won't do a thing to prevent a home broadband user from pirating because the MAC address of their cable modem is the only thing the rest of the network sees anyway.

The biggest problem with MAC address locked licensing is that it's really annoying for your paying customers.  Any time an ethernet card dies or you upgrade PCs you have to call the company to re-register the software.  In the meantime, you're stuck without access to that application.  For this reason, I strongly prefer dongle licenses for the expensive mission critical apps that have to have anti-piracy protection.  For other apps, MAC address licensing is a major PITA and I'd strongly prefer that companies didn't make me bother with it.

We use a few apps that have flexlm licensing.  That works out better because you then have a license server and the individual workstations get their license from the server.  You only have to call and get a new license when the server hardware is upgraded.  You also have the advantage of being able to have floating licenses, in which case, the amount you're paying is more closely aligned with how much you use the app rather than how many PCs it's installed on.

Floating licenses are also a big plus for employers that provide VPN access for their workers at home.  Some of my most productive MATLAB coding sessions happened while I was at home.  The point here is that there's no way I could justify purchasing another license just in case I might want to do some coding at home.  Because the software had a floating license this was not an issue and my employer benefitted from the extra productivity.  A really well implemented floating license scheme will also allow a laptop user to check out a license, disconnect from the network, and use the application while offline.

One additional downside of any licensing scheme that requires the user to communicate with the vendor to obtain a license that is then locked to the hardware, particularly for a shareware app, is that my investment in your software is effectively lost if your company goes out of business because I can no longer get another unlock code the next time the Windows registry gets corrupted or I upgrade my hardware.  This means that my decision to purchase your software is going to be heavily influenced by what I think of your company's balance sheet.

Matt Latourette
Thursday, October 16, 2003

The headless developer is at least a realistic representation of how we often have to do our work though. I think you should keep it.


Friday, October 17, 2003

One vote for the headless hacker!  ; )

christopher baus (tahoe, nv)
Friday, October 17, 2003

Matt Latourette, when a company goes out of business, they can give away a few keys to the public. That's what happened to TclPro at the beginning until they decided to just open source it.

Li-fan Chen
Saturday, October 18, 2003
