Fog Creek Software
Discussion Board

software copy protection

There are various ways software companies try to implement copy protection. I know for a fact that no copy protection is 100% effective. If multi-billion-dollar companies cannot come up with a way to protect their expensive software, I am sure it is next to impossible to do it period.

However, in your opinion, what are good ways of achieving at least some level of copy protection? What are some of the latest trends with respect to this issue?

Your thoughts are appreciated.
Thank you!

P.S.  I just remembered reading one of Joel's articles. He mentioned giving out source code to customers so that they can find and fix bugs if necessary. Is this really a viable option? I personally cannot come to terms with giving away the source code for whatever reason. If I am to do that, why bother with copy protection?! Technically customers already paid for the product, but anyone (including people who didn't pay for anything) who comes across the source code can build the application.

Friday, December 12, 2003

"He <Joel> mentioned giving out source code to customers so that they can find and fix bugs if necessary."

I don't own any of their stuff, but to my knowledge Fog Creek does not distribute the source code to their apps.  Maybe Joel thinks it is a great idea for everyone but him, I dunno.

In the component business it is not uncommon to distribute source with the components - more so in the Delphi/VCL world, less so in the VB/ActiveX world.  Copy protection on that kind of stuff is very difficult, so most vendors don't attempt it, other than perhaps a password encoded install file or something like that.

When it comes to commercial apps this is much, much less common.  If you are trying to lock the app down with some type of copy protection then distributing the source hoses that whole idea.

Mitch & Murray (from downtown)
Friday, December 12, 2003

Copy protection is bad, you want lots of copies of your software out there - just not illegally licensed/cracked/keygen'd software.  Therefore the only method that's least detrimental to your paying userbase, is a feature in & of itself and cuts down on the "casual pirates" is to add a serial/license key scheme and do automatic update checks, in the updates themselves, have a blacklist of keys which will invalidate the updated installation back to its 'trial' state.

Friday, December 12, 2003

erm...I think the relevant article is "Up the Tata without a Tutu":

In it he says: "...if you find a bug in FogBUGZ and fix it, and send me the fix, I'll incorporate it into the next version."

a cynic writes
Friday, December 12, 2003

FogBUGZ is an ASP application, so at the very least he has to give away the ASP pages.

"However, in your opinion, what are good ways of achieving at least some level of copy protection?"

Don't give them binaries. Seriously. That's the only foolproof system. That's one of the very nice features about an ASP business model (not to be confused with Microsoft Active Server Pages). By keeping everything -- source, binaries, and data -- then it's basically impossible for someone to pirate the application without breaking into your servers.

Brad Wilson
Friday, December 12, 2003

Regular serial protection would probably work great if it were not for crackers. At least if you update it every so often and have any kind of novelty value. Pirates don't like to use last year's version.

I read somewhere (I think) that the best protection against cracks is not a scheme which is hard to crack, but one that is boring and time consuming.

Litter the code with little checksum checks. Don't do it 'properly' - have 10 different functions for it and call them at random. Have the actual checksum stored in 20 different places. Put public vars in every class which together can produce the checksum. Make time delayed checks or tie them to rarely used functions. etc etc...

Looks like a nightmare to maintain though.

Eric DeBois
Friday, December 12, 2003

Eric is right, this is the security mantra...

"There's no such thing as a completely secure system. The more time and effort it takes, the less worth it is."

Whether it's personal security or cracking programs, the same rules apply. The more effort, the less likely it is someone will do it, and for software this includes effort over time, so multiple releases, and keeping only the latest release available on your website so crack sites quickly fall out of date is another good method.

Friday, December 12, 2003

On Commodore 64 and Commodore Amiga there were a couple of pretty good protections (all have been cracked!) on games.

Friday, December 12, 2003

The situation with the Commodore 64 really illustrates the futility of copy protection.  Software companies went to some pretty amazing lengths to protect their programs and it didn't work, they still got cracked.  They'd write custom boot loaders that would download code into the 1541 drive, completely reprogramming it to read some bizarre proprietary filesystem with 40 tracks instead of the normal 35 (some of these even caused damage to the drive over time because they'd slam the read head back and forth and cause it to become misaligned).  Some games came with paper code wheels and you'd have to decrypt a cypher by aligning the wheels.  People just took the wheels apart and photocopied them.  Some even used hardware dongles on the joystick port.  They still got cracked.  20 years later we still haven't learned the lesson.

Friday, December 12, 2003

Sure, anything can be cracked. Nobody is arguing.

The idea is not to make crackproof applications, but to make time a factor. Since you brought up games.. If the dev studio can delay the crack 3 months, that's going to have a large impact, since the larger part of the sales for a game takes place during the first 3 to 6 months after the release. After that the game isn't so hot anymore, and cracking it may even become a low priority for the cracker since it's all about the latest and greatest.

This can be done, and has been done successfully, by making the crack protection illogical and scattered. It's about forcing the cracker to do loads and loads of compiling and testing.

Eric DeBois
Friday, December 12, 2003

I will indulge the group and say in advance that copy protection is a terrible idea. Hey, you gotta get along... :-)

Having said that ... I have been curious. Does anyone make an embeddable equivalent to Microsoft's activation protocol for their Windows XP and Office products? This seems like an untapped niche.

It seems to me that product activation that is dependent upon the user's hardware configuration is probably about as secure as the old hardware dongles. (for better or worse...)

Bored Bystander
Friday, December 12, 2003

I once read about a key generation algorithm that is tied to the harddrive's serial number (not the Volume ID). As long as the harddrive is SMART, then this option looks pretty viable. 

Of course, this doesn't cover the possibility that the customer's harddrive dies, the software gets loaded to a new harddrive and at that point a new key is required... Or if we are going to be cynical, someone could "claim" to have lost their harddrive, get a new key and move on... :)

Does anyone know if "FLEXlm license manager" is any good? I know many "expensive" applications use it.

Saturday, December 13, 2003
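Added example, not part of any post in this thread: one way to combine the serial key plus blacklist checked at update time and the key tied to the hard drive's serial number, both suggested above, as a check that runs on the vendor's server. The function names, the HMAC construction and every sample value are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: this secret lives only on the vendor's server, never in the
# shipped binary, so a client cannot mint keys by reading its own code.
VENDOR_SECRET = b"constructed-demo-secret"
# Keys the vendor has blacklisted (leaked, refunded, or replaced).
REVOKED_KEYS = set()


def issue_key(customer_id: str, drive_serial: str) -> str:
    """Derive a license key bound to one customer and one drive serial."""
    serial = drive_serial.strip().upper()
    # Length prefix keeps "a|b" + "c" from colliding with "a" + "b|c".
    msg = f"{len(customer_id)}:{customer_id}|{serial}".encode()
    digest = hmac.new(VENDOR_SECRET, msg, hashlib.sha256).hexdigest().upper()[:20]
    return "-".join(digest[i:i + 5] for i in range(0, 20, 5))


def update_check(customer_id: str, drive_serial: str, key: str) -> str:
    """Decision returned to the client at each automatic update check."""
    expected = issue_key(customer_id, drive_serial)
    supplied = key.strip().upper()
    # Constant-time comparison on bytes (also tolerates non-ASCII input).
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "trial"      # wrong key, or key copied to another drive
    if expected in REVOKED_KEYS:
        return "trial"      # blacklisted: the update reverts to trial state
    return "licensed"


def reissue_for_new_drive(customer_id: str, old_serial: str, new_serial: str) -> str:
    """Replace a key after a drive failure and blacklist the old one."""
    REVOKED_KEYS.add(issue_key(customer_id, old_serial))
    return issue_key(customer_id, new_serial)


if __name__ == "__main__":
    # Constructed sample values.
    key = issue_key("cust-1001", "WD-WCAV12345678")
    print(key, update_check("cust-1001", "WD-WCAV12345678", key))
    print(update_check("cust-1001", "OTHER-DRIVE-0001", key))
    new_key = reissue_for_new_drive("cust-1001", "WD-WCAV12345678", "ST-NEW0001")
    print(update_check("cust-1001", "WD-WCAV12345678", key))
    print(update_check("cust-1001", "ST-NEW0001", new_key))
```

Revoking the old key on reissue is what limits the "claimed a dead drive" case: the customer ends up with one working key, not two.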

> Does anyone know if "FLEXlm license manager" is any
> good? I know many "expensive" applications use it.

It isn't. After reading an article on the web about how easy it is to crack FLEXlm on Win32, I decided to see if I can "apply the lesson" on UNIX.

30 minutes later I had cracked versions of Purify and SunWorkshop on Solaris (I do have legal license for each).

The vendors could have made this harder by properly stripping the binaries, but they didn't.

Employed Russian
Saturday, December 13, 2003

For applications that are to be widely distributed and used by a lot of people, copy protection is VERY important.

It can increase your income (as a software developer) dramatically.

For applications that are to be used only by companies, copy protection is less important.

Companies don't want to risk being caught (by the BSA, for example) with pirated applications on their hard-drives, so they tend to buy what they use, even if they have a crack.

For protecting Windows applications, please look into Armadillo and ASProtect.

They are both excellent products which can help you protect your app.

Saturday, December 13, 2003

Just imagine if every piece of software was open source.  Then, all these copy protection strategies, opinions, and discussions become pointless.  It's the ultimate "Copy Protection".  Boy, wouldn't all those clever crackers / pirates be pissed.  Then maybe they could devote their considerable talents (not being sarcastic here) to something really productive and beneficial to the rest of us.  Not that it would ever happen, just interesting to consider.

Chris C
Saturday, December 13, 2003

>Does anyone make an embeddable equivalent to Microsoft's activation protocol for their Windows XP and Office products?

Actually, there are a number of companies that offer this technology to software publishers.  One that I'm intimately aware of is called Aladdin Knowledge Systems.  They are/were a hardware dongle company but have recently added a software-only option called Privilege.

Saturday, December 13, 2003

"I personally cannot come to terms with giving away the source code for whatever reason. If I am to do that, why bother with copy protection?!"

I dunno, if it's good enough for Microsoft it's good enough for me. You're free to argue that Gates and co don't have a clue when it comes to protecting their business if you like, though. (Microsoft licenses their source code, which is something that involves letting customers actually see and use this code. And when I say 'their code' I mean actual source code to commercial applications, not brief examples on MSDN.)

You see, Joel doesn't give away his source code and didn't suggest anyone else does either. He did, however, suggest doing something known in the professional software development world as 'licensing' it whereby people do what is technically known as 'pay' for a 'service'.

As for why you'd do something that makes copy protection irrelevant? Perhaps he thinks making his paying customers happy to keep giving him money is more important than inconveniencing people who would never give him any money anyway.

Oddly enough, the ease with which people crack software and rip music, then share it at no cost and without paying the owner suggests to me that sensible people are looking for a business model that doesn't rely on absolutely perfect copy prevention.

Piracy is easy, even with the huge effort put into stopping it because of the nature of the medium. It's hard to steal a chair, and even if you steal a chair you only have the one you stole. It's easy to steal software or music, and trivial to duplicate it. I would have thought it's obvious that the security that's applicable to one type of industry is not necessarily particularly effective in another.

Ah well, I'll just dream of losing a billion dollars a year to theft and still being able to pay the maintenance for my 3rd mansion without even noticing the missing cash.  :)

Sunday, December 14, 2003

FlexLM is designed to be easy to use and they don't care that it's not too secure. It's designed for high end software sold to big corporations where the purpose is to keep them honest. The company is not likely going to use cracked software, but might use an extra copy or two if it wasn't protected.

My main advice on copy protection is that people who use cracked software are not your customers. Design the copy protection with your real customers (e.g. people who will pay) in mind. It should keep them honest without being too much of a burden.

Monday, December 15, 2003

Copy protection is futile and pointless.
The best protection is not to add any software protection, this way nobody can crack it as there is nothing to crack.

If your software is good enough people will buy it, but you will always have the minority that will not buy it now or ever, an effective method used recently by an unnamed game software house appealed to its users to stop making copies and distributing the software to friends and warez sites as it was having a major impact on their revenue.
Which would likely cause them to abandon their efforts to release the next PS2 conversion to the Mac & PC, it was that simple, they would not continue with the next game release if the piracy continued. This appeal was made through a computing magazine with a known large subscriber base for maximum impact.

Of course this did not stop it completely, and it never will, like I say there are people who just refuse point blank to pay for software no matter how useful it may be to them, but what happened over the next 2 months was amazing, suddenly the money started flowing in once more, they were unwilling to give any percentages or figures, but confirmed that they were happy to continue with the development of the next anticipated release of the next game.

So I think the only real prevention of copy protection is to release good quality, bug free useful software, which I have to say is not the case with the majority of commercial software vendors, who put profits above quality for the sake of being the first to release a certain application or in retaliation to a competitor releasing an application.

Get it right the first time, make sure it is tested properly then release it, it will not matter if they are not the first to release this amazing app, as long as it is useful, and relatively bug free, they will gain a good loyal user base and most likely beat their competitor anyway.

A classic example of this is the story of how one vendor now known as A on the Mac has gained a very large user base from another well known Mac vendor now known as B, and why? because this well known software vendor B, got nervous at having competition, I suspect someone at the top of B started shouting the odds and demanding faster releases to stay ahead of the competition, I would not be surprised if jobs were threatened if this did not happen people in the company also got nervous, after all they had mortgages to pay, kids to feed and clothe and they could not afford to lose their jobs.
Now under duress they start rushing things and making mistakes, project managers had to make cuts somewhere to save time, and unfortunately in the Software Development Lifecycle testing always seems to have a lower priority anyway, and it seems this is what happened, and the result, they still didn't quite achieve their goals and they lost loyal users' respect, because they released poor quality software.

Now if the update was free it would not have mattered so much, but because it had a large price tag attached, people were less forgiving of the poor quality software, and chose vendor A, that offered a similar product at a competitive price, and many of those that hadn't already forked out for vendor B's update switched, not all but enough to produce the opposite result to what vendor B intended.

Saturday, April 24, 2004
