share
Stack OverflowHow do you protect your software from illegal distribution?
[+85] [25] petr k.
[2008-09-21 01:58:00]
[ security licensing protection software-distribution piracy ]
[ https://stackoverflow.com/questions/109997/how-do-you-protect-your-software-from-illegal-distribution ]

I am curious about how do you protect your software against cracking, hacking etc.

Do you employ some kind of serial number check? Hardware keys?

Do you use any third-party solutions?

How do you go about solving licensing issues? (e.g. managing floating licenses)

EDIT: I'm not talking any open source, but strictly commercial software distribution...

(75) I'm waiting for the day that someone pirates my software. That would be AWESOME! - Will
(4) The thing is, one day someone pirates your software, you probably wouldn't know about that :-) - petr k.
(7) In my opinion Pirates aren't likely to ever pay for your software anyway so I don't worry about them much. Write great software and you will make money. - Mike
(6) No offence, but "Write great software and you'll make money" is just partly true. Consider MS Office. Criticism aside, it is good software. Yet, world average, over 70% of Office copies are illegal. Wouldn't MS earn much more if it wasn't for piracy? Is piracy really directly related to SW quality? - petr k.
(5) @petr k.: I don't agree. One important side effect of piracy is in fact the popularity of MSOffice (MSWindows for that matter). MS will lose if it can curb piracy completely. @Mike: That is a very good point. By putting licensing server, etc. we are only making things difficult for our paid customer - rpattabi
(1) @petr - I think it's a safe call that OpenOffice would be much more popular if MS Office had bulletproof copy protection. That said, I've been on the commercial-software side of this -- but our black-box servers phoned home for support, updates and remote backup, so we checked license usage then. - Charles Duffy
@Charles Duffy- You are correct about MS Office losing popularity if it was pirate-proof. I wish I still had a link to the source, but I remember hearing a Microsoft executive mention that they would rather have their software pirated and maintain a stranglehold on the market than have pirate-proof software that would drive would-be pirates to alternative/competing software packages. - bta
fsf.org/bulletin/2007/fall/antifeatures - If people really want to pirate your software you wont stop them, but you can annoy your paying customers significantly. - Flexo
[+67] [2008-09-21 02:24:32] Adam Davis [ACCEPTED]

There are many, many, many protections available. The key is:

  • Assessing your target audience, and what they're willing to put up with
  • Understanding your audience's desire to play with no pay
  • Assessing the amount someone is willing to put forth to break your protection
  • Applying just enough protection to prevent most people from avoiding payment, while not annoying those that use your software.

Nothing is unbreakable, so it's more important to gauge these things and pick a good protection than to simply slap on the best (worst) protection you are able to afford.

  • Simple registration codes (verified online once).
  • Simple registration with revokable keys, verified online frequently.
  • Encrypted key holds portion of program algorithm (can't just skip over the check - it has to be run for the program to work)
  • Hardware key (public/private key cryptography)
  • Hardware key (includes portion of program algorithm that runs on the key)
  • Web service runs critical code (hackers never get to see it)

And variations of the above.

-Adam


Any examples of hardware key in use? - Łukasz Lew
(2) @Lukasz - They are also known as dongles - electronic devices that connect to the computer. Check out en.wikipedia.org/wiki/Dongle for more information on this option. - Adam Davis
1
[+27] [2008-09-21 02:22:25] rpetrich

Whatever route you go, charge a fair price, make it easy to activate, give free minor updates and never deactivate their software. If you treat your users with respect they'll reward you for it. Still, no matter what you do some people are going to end up pirating it.


Well said. I agree that there is much more about protecting a software than just keys and serials. Technical protections are breakable anyway, we shouldn't strain ourselves too much on those stuff. - Jaya Wijaya
Yep, the main reason that I'd ever pirate software(not the I ever have, of course ;D) is outrageous prices. Then of course, users not paying for it makes you less money in the end. So stick with fair prices, and you'll make a fair amount of money. - Ponkadoodle
2
[+24] [2008-09-21 03:52:33] Asmor

Don't.

Pirates will pirate. No matter what solution you come up with, it can and will be cracked.

On the other hand, your actual, paying customers are the ones who are being inconvenienced by the crap.


(6) Thats not exactly true, there are ignorant users who will just take software because they simply do not think about it. Normal people will steal if they don't think about it. - Arthur Thomas
(9) I agree. I always get upset at the FBI "you wouldn't steal a car" intros to DVDs I've actually paid for! - Christian Davén
(6) If done correctly it will be almost invisible to legitimate users. And don't underestimate the impact of casual piracy on the bottom line. There are a lot of markets where demand is fairly inflexible that 'DRM' can make a huge difference in revenue. - smo
I know is hard for you wrap your mind around this, but is true, DRM can be burden for your users. add some basic protection like activation keys (even if you know that it can be broken), but never put in your users way, or they'll simply push your software away. - levhita
(3) Wrong. See kalzumeus.com/2006/09/05/… - Karl
(1) @Christian D - How about this? "You wouldn't copy a car, because you can't." Copying is not theft because you're not permanently depriving someone else of ownership of the stolen item. - Guge
I really do not understand why this answer, which is really answering nothing, does get this amount of upvotes. -1 - petr k.
@petr k.: Because it's thinking outside the box? :) Well, mostly because people are really, really, really, really, pissed of with all the excrement that is called DRM or copy protection software. - Ilari Kajaste
@smo: It'll be invisible right until the legitimate user wants to do something weird. Like, say, running the software on a laptop without CD drive to validate the installation. Or running it through emulation in another OS. I think you're confusing legitimate users with normal users. And don't overestimate the impact of casual piracy on the bottom line... In fact, better not to estimate it at all, since there are no reliable estimates. - Ilari Kajaste
-1. This is an answer from the customer point of view, the question is looking for the point of view of the code owner. - MarkJ
(4) @MarkJ: Actually, any code owner who wishes to keep their customers should frequently adopt the POV of the customer... - sleske
(1) As well as the "ignorant" users that @Authur mentions, there's also the fact that people are often busy and under pressure and if it's too easy to use the software without a licence they might just think "I'll register tomorrow"...but tomorrow never comes. So the copy protection just needs to make unlicensed use slightly more inconvenient than paying and activating the software. - Todd Owen
-1 for not answering at all. What about licensing to limit some features just to avoid compiling different versions? - Marc Climent
3
[+22] [2008-09-21 02:30:09] Grant

Make it easier to buy than to steal. If you put mounds of copy protection then it just makes the value of owning the real deal pretty low.

Use a simple activation key and assure customers that they can always get an activation key or re-download the software if they ever lose theirs.

Any copy protection (aside from online-only components like multiplayer games and finance software that connects to your bank, etc.) you can just assume will be defeated. You want downloading your software illegally, at the very least, to be slightly harder than buying it.

I have a PC games that I've never opened, because there is so much copy protection junk on it that it's actually easier to download the fake version.


++ for "make it easier to buy than to steal". - AlcubierreDrive
+++ "for make it easier to buy than to steal"! - Denis Shevchenko
4
[+15] [2008-09-21 16:35:14] Jason Short

The Microsoft Software License scheme is crazy expensive for a small business. The server cost is around $12,000 if you want to set it up yourself. I don't recommend it for the feint of heart.

We actually just implemented Intellilock [1] in our product. It lets you have all of the decisions for how strict you want your license to be, and it is very cost effective as well. In addition it does obfuscation, compiler prevention, etc.

Another good solution I have seen small/med businesses use is SoloServer [2]. It is much more of an ecommerce and license control system. It is very configurable to the point of maybe a little too complex. But it does a very good job from what I have heard.

I have also used the Desaware license [3] system for dot net in the past. It is a pretty lightweight system compared to the two above. It is a very good license control system in terms of cryptographically sound. But it is a very low level API in which you have to implement almost everything your app will actually use.

[1] http://www.eziriz.com/intellilock.htm
[2] http://www.softwarekey.com/swk_products/solo/server/
[3] http://www.desaware.com/support/faq/licensing/index.aspx

5
[+14] [2008-09-21 02:11:51] Cody Brocious

Software protections aren't worth the money -- if your software is in demand it will be defeated, no matter what.

That said, hardware protections can work well. An example way it can work well is this: Find a (fairly) simple but necessary component of your software and implement it in Verilog/VHDL. Generate a public-private keypair and make a webservice that takes a challenge string and encrypts it with the private key. Then make a USB dongle that contains your public key and generates random challenge strings. Your software should ask the USB dongle for a challenge string and send it up to the server for encryption. The software then sends it to the dongle. The dongle validates the encrypted challenge string with the public key and goes into an 'enabled' mode. Your software then calls into the dongle any time it needs to do the operation you wrote in HDL. This way anyone wanting to pirate your software has to figure out what the operation is and reimplement it -- much harder than just defeating a pure software protection.

Edit: Just realized some of the verification stuff is backwards from what it should be, but I'm pretty sure the idea comes across.


Hey I always wondered how those dongles worked. Thanks! - Jeff
(2) Most of them don't work that way, but just implement part of an algorithm and don't do the public key auth. For instance, AutoCAD (or was it 3dsmax?) did their matrix rotation on the dongle. If you didn't have the dongle in, the rotation would be /slightly/ off, which would add up over time. - Cody Brocious
(1) That's a clever trick. Make the software work wrong when it's not registered properly; not totally wrong, but only just such that you don't notice it at first. - rpetrich
(1) Also, when deciding to use USB dongles for software protection do bear in mind that a lot of software these days run in virtual environments where access to physical hardware (e.g. USB ports) may be limited. There's also cost for replacement dongles involved (yes, and customer will "lose" dongles). - PoppaVein
(1) and there are cracks for these dongles as well - they are defeatable, like using a tabulated response (recorded from a real dongle) for challenge/response types. for algorithm encoded types, it's disassembled, and the algorithm reinserted back into the app's binary. - Chii
(5) This type of protection has stopped Cubase/Nuendo (leading DAW software on Windows) being cracked a few years. The last version to be hacked had a little note from the crackers. They claimed it was the hardest crack they'd even undertaken. They also stated that because so many of the program routines hit the dongle that performance of the software was degraded. Their emulated dongle worked much faster. Lots of legit users were very angry and ended up installing the crack anyway just to get better performance. - Alex
@rpetrich "Make the software work wrong when it's not registered properly; not totally wrong, but only just such that you don't notice it at first" - this seems like a horrible idea. Users would think it's a problem with your product and that it exists in the legal version too. Lots of people pirate software in order to try it out and make sure it's worth the cash before buying it. Unless you're giving away a free trial version, you might lose a lot of these customers. - Ponkadoodle
6
[+9] [2008-09-21 03:48:36] Nathan Strong

Digital "Rights" Management is the single biggest software snake-oil product in the industry. To borrow a page from classic cryptography, the typical scenario is that Alice wants to get a message to Bob without Charlie being able to read it. DRM doesn't work because in its application, Bob and Charlie are the same person!

You would be better off asking the inverse question, which is "How do I get people to buy my software instead of stealing it?" And that is a very broad question. But it generally starts by doing research. You figure out who buys the type of software you wish to sell, and then produce software that appeals to those people.

The additional prong to this is to limit updates/add-ons to legit copies only. This can be something as simple as an order code received during the purchase transaction.

Check out Stardock software, makers of WindowBlinds and games such as Sins of a Solar Empire, the latter has no DRM and turned a sizable profit off a $2M budget.


+1 for the well-phrased inverse question! - Ilari Kajaste
7
[+6] [2008-09-21 02:02:39] Ian P

There are several methods, such as using the processor ID to generate an "activation key."

The bottom line is that if someone wants it bad enough -- they'll reverse engineer any protection you have.

The most failsafe methods are to use online verification at runtime or a hardware hasp.

Good luck!


8
[+3] [2008-09-21 01:59:23] Jeff

Online-only games like World of Warcraft (WoW) have it made, everyone has to connect to the server every time and thus accounts can be constantly verified. No other method works for beans.


(1) Well, I do not think this is a realistic solution for, say, 90% of software. I should have made it more clear in the post - the software we're building is not an online game. Although the question was meant to be general, so your answer is still pretty valid of course. - petr k.
(3) Well, there are private servers available for which no payment is needed. - user
Well sure Petr, is isn't realistic for everyone, but it is still the truth: no other method works. Inconvient, sure, but true. - Jeff
9
[+3] [2008-09-21 02:32:04] titanae

Generally there are two systems that often get confused -

  • Licensing or activation tracking, legal legitimate usage
  • Security preventing illegal usage

For licensing use a commercial package, FlexLM [1] many companies invest huge sums of money into licensing think they also get security, this is a common mistake key generators for these commercial packages are prolifically abundant.

I would only recommend licensing if your selling to corporations who will legitimately pay based on usage, otherwise its probably more effort than its worth.

Remember that as your products become successful, all and every licensing and security measure will be breached eventually. So decide now if it is really worth the effort.

We implemented a clean room clone of FlexLM a number of years ago, we also had to enhance our applications against binary attacks, its long process, you have to revisit it every release. It also really depends on which global markets you sell too, or where your major customer base is as to what you need to do.

Check out another of my answers on securing a DLL [2].

[1] http://en.wikipedia.org/wiki/FLEXlm
[2] https://stackoverflow.com/questions/106347/secure-dll-with-license-file#107503

10
[+3] [2008-09-21 04:04:33] Fernando Barrocal

Is not exactly the answer you are looking for, but is a great resource on piracy from a game developer who actively asked their pirates about why they do that. And is related to the first part of the answer you choose.

Readi it at Talking to Pirates [1].

[1] http://www.positech.co.uk/talkingtopirates.html

11
[+2] [2008-09-21 02:22:05] Phil Wright

Given a little time your software will always be cracked. You can search for cracked versions of any well known piece of software in order to confirm this. But it is still well worth adding some form of protection to your software.

Remember that dishonest people will never pay for your software and always find/use a cracked version. Very honest people will always stick to the rules even without a licensing scheme just because that is the kind of person they are. But the majority of people are between these two extremes.

Adding some simple protection scheme is a good way of making that bulk of people in the middle act in an honest way. It is a way to nudge them into remembering that the software is not free and they should be paying for the appropriate number of licenses. Many people do actually respond to this. Businesses are especially good at sticking to the rules because the manager is not spending his/her own money. Consumers are less likely to stick to the rules because it is their own money.

But recent experience with releases such as Spore from Electronic Arts shows that you can go to far in licensing. If you make even legit people feel like criminals because they are constantly being validated then they start to rebel. So add some simple licensing to remind people if they are being dishonest but anything more than that is unlikely to boost sales.


12
[+2] [2008-09-21 17:08:29] Dustin Getz

DRM this, DRM that - publishers who force DRM on their projects are doing it because it's profitable. Their economists are concluding this on data which none of us will ever see. The "DRM is evil" trolls are going a little too far.

For a low-visibility product, a simple internet activation is going to stop casual copying. Any other copying is likely negligible to your bottom line.


13
[+2] [2009-11-07 06:24:50] Duncan Bayne

Illegal distribution is practically impossible to prevent; just ask the RIAA. Digital content can just be copied; analog content can be digitised, and then copied.

You should focus your efforts on preventing unauthorised execution. It's never possible to completely prevent the execution of code on someone else's machine, but you can take certain steps to raise the bar sufficiently high that it becomes easier to purchase your software than to pirate it.

Take a look at the article Developing for Software Protection and Licensing [1] that explains how best to go about developing your application with licensing in mind.

Obligatory disclaimer & plug: the company I co-founded produces the OffByZero Cobalt software licensing solution for .NET [2].

[1] http://www.offbyzero.com/resources/software_protection_licensing
[2] https://cobalt.offbyzero.com/

14
[+2] [2010-03-17 09:06:04] Paul Taylor

The trouble with this idea of just let the pirates use it they wont buy it anyway and will show their friends who might buy it is twofold.

  1. With software that uses 3rd party services, the pirated copies are using up valuable bandwidth/resource which gives legit users a worse experience, make my sw look more popular then it is and has the 3rd party services asking me to pay more for their services because of the bandwidth being used.

  2. Many casual wouldn't dream of cracking the sw themselves but if there is an easy assessible crack on a site like piratebay they will use it, if there wasn't they might buy it.

This concept of not disabling pirated software once discovered also seems crazy, I don't understand why I should let someone continue to use software they shouldn't be using, I guess this is just the view/hope of the pirates.

Also, its worth noting that making a program hard to crack is one thing, but you also need to prevent legit copies being shared, otherwise somebody could simply buy one copy and then
share it with thousands of others via a torrent site. The fact of having their name/email address embedded in the license isn't going to be enough to disuade everyone from doing this, and it only really takes one for there to be a problem.

The only way I can see to prevent this is to either:

  1. Have server check and lock license on program startup every time, and release license on program exit. If another client starts with same license whilst the first client has license then it is rejected. This way doesn't prevent the license being used by more than one user, but does prevent it being used concurrently by more than one user - which is good enough. It also allows a legitimate user to transfer the license on any of their computers which provides a better experience.

  2. On first client startup client sends license to server and server verifies it, causing some flag to be set within the client software. Further requests from other clients with the same license are rejected. The trouble with this approach is the original client would have problems if they reinstalled the software or wanted to use a different computer.


15
[+2] [2010-05-27 00:07:15] bta

Even if you used some kind of biometric fingerprint authentication, someone would find a way to crack it. There's really no practical way around that. Instead of trying to make your software hack-proof, think about how much extra revenue will be brought in by adding additional copy protection vs. the amount of time and money it will take to implement it. At some point, it gets to be cheaper to go with a less rigorous copy protection scheme.

It depends on what exactly your software product is, but one possibility is to move the "valuable" part of the program out of the software and keep it under your exclusive control. You would charge a modest fee for the software (mostly to cover print and distribution costs) and would generate your revenue from the external component. For example, an anti-virus program that is sold for cheap (or bundled for free with other products) but sells subscriptions to its virus definitions update service. With that model, a pirated copy that subscribes to your update service wouldn't represent much of a financial loss. With the increasing popularity of applications "in the cloud", this method is becoming easier to implement; host the application on your cloud, and charge users for cloud access. This doesn't stop someone from re-implementing their own cloud to eliminate the need for your service, but the time and effort involved in doing so would most likely outweigh the benefits (if you keep your pricing model reasonable).


16
[+1] [2008-09-21 02:26:27] coppro

As has been pointed out, software protection is never guaranteed to be foolproof. What you intend to use depends largely on your target audience. A game, for instance, is not something you are going to be able to protect forever. A server software, on the other hand, is something far less likely to be distributed on the Internet, for a number of reasons (product penetration and liability come to mind; a large corporation does not want to be held liable for bootleg software, and the pirates only bother with things in large-enough demand). In all honesty, for a high-profile game, the best solution is probably to seed the torrent yourself (clandestinely!) and modify it in some way (for instance, so that after two weeks of play it pops up with messages telling you to please consider supporting the developers by purchasing a legitimate copy).

If you put protection in place, bear two things in mind. First, a lower price will supplement any copy protection by making people more inclined to pay the purchase price. Secondly, the protection must not get in the way of users - see Spore for a recent example.


17
[+1] [2008-09-21 22:26:40] davenpcj

The simple, and best solution, is just to charge them up front. Set a price that works for you and them.

Asking paying customers to prove that they are paying customers after they've already paid just pisses them off. Implementing the code to make your software not run wastes your time and money, and introduces bugs and annoyances for legitimate customers. You'd be better off spending that time making a better product.

Lots of games/etc will "protect" the first version, then drop the protections in the first patch due to compatibility problems with real customers. It's not an unreasonable strategy if you insist on a modicum of protection.


18
[+1] [2008-09-21 22:32:16] wnoise

Almost all copy-protection is both ineffective, and a usability nightmare. Some of it, such as putting root-kits on your customers' machines becomes downright unethical


Why the downvote? - LM.
I down vote - You are assuming everyone with a anti scheme is performing illegal activities like root kits. - Jason Short
No, I don't assume that. I explicitly said some. And there are well-documented cases of rootkits for DRM. - wnoise
19
[0] [2008-09-21 02:09:41] pdavis

Make part of your product an online component which requires connection and authentication. Here are some examples:

  • Online Games
  • Virus Protection
  • Spam Protection
  • Laptop tracking software

This paradigm only goes so far though and can turn some consumers off.


20
[0] [2008-09-21 02:15:46] Mike

If your interested in protecting software that you intend to sell to consumers I would recommend any of a variety of license key generating libraries (Google search on license key generation). Usually the user has to give you some sort of seed like their email address or name and they get back the registration code.

Several companies will either host and distribute your software or provide a complete installation/purchase application that you can integrate with and do this automatically probably at no additional cost to you.

I have sold software to consumers and I find this the right balance of cost/ease of use/protection.


21
[0] [2008-09-21 16:16:28] PoppaVein

I agree with a lot of posters that no software-based copy protection scheme will deter against a skilled software pirate. For commercial .NET based software Microsoft Software License Protection (SLP) is a very reasonably priced solution. It supports time-limited and floating licenses. Their pricing starts at $10/month + $5 per activation and the protection components seem to work as advertised. It's a fairly new offering, though, so buyer beware.


And in 2011 the price for SLP has grown to €145/month for the smallest package. - Michael Olesen
22
[0] [2008-09-22 16:26:38] levhita

I suggest simple activation key (even if you know that it can be broken), you really don't want your software to get in your users way, or they'll simply push it away.

Make sure that they can re-download the software, I suggest a web page where they can logging and download your software only after they paid (and yes they should be able to download as many times they wish it, directly, without a single question about why on your part).

Thrust your paid users above all, there is nothing more irritating that being accused from being a criminal when you are a legit users (DVD's anti-piracy warnings anyone).

You can add a service that checks the key against a server when online, and in case of two different IPs are using the same key, popup a suggestion to buy another license.

But please don't inactivate it, it might be a happy user showing your software to a friend!!!!


23
[0] [2010-05-26 23:29:29] user332801

We license our commercial software using our own licensing system - which is what we are selling (license management tools). We generally sell subscription licenses, but can also sell based on usage if we wish. It has been secure for us so far: www.agilis-sw.com


24
[0] [2011-02-11 13:39:55] user613111

If you are a software developer, one of the possible solutions is to embed a meta data direct into your product. Check out for an instance Destruction Security tool from theredsunrise.


25