Wibu-Systems Blog

How Much is Your IP Worth?

Posted by Terry Gaul on Oct 28, 2015 5:18:17 AM


The intellectual property gained during the development of an ISV’s flagship software product most likely represents an investment in hundreds and hundreds of man hours. 

The majority of that time is spent on developing features and functionality, refining, and testing to assure that the final product addresses the needs of the customers in the most effective way possible – that’s the core strength of the software engineers. The business end of the development process is in software monetization – implementing creative licensing strategies and protection against piracy to assure that the company achieves the maximum revenue it deserves. However, that capability may not be the core strength of the software engineer, which is why many ISVs are looking for help from licensing and security specialists to protect their IP investment and monetize their software.

For example, consider the case of Belsim, a spin-off company of University of Liège in Belgium. Belsim’s VALI-suite is the leading worldwide solution for Data Validation and Reconciliation (DVR) software. The VALI-suite is the result of many years of R&D and it represents the centerpiece of Belsim’s intellectual property.

According to Christophe Pirnay, Belsim’s Development Manager, "When we decided to develop VALI’s newest version in Microsoft .NET, it was clear that we also needed a partner to support the solution’s license management and to protect it against software piracy."

"We never really knew if our software was copied or used illegally", says Christophe. "We were a bit suspicious at times, but we never were sure if it was really happening. In those days, we were handling license management and software protection ourselves," he added.

Belsim recognized that license management and software protection were not part of their core business and they began to search for a security partner. Their search steered them toward Wibu-Systems’ CodeMeter software protection, licensing and security solution. CodeMeter protects VALI against unauthorized use, but also against anyone who tries to take a peek at the code. This way, CodeMeter also keeps Belsim’s competitors at a safe distance, as well as others who might try to build their own solution based on Belsim’s code.

In this case, with the help of CodeMeter, Belsim can fully concentrate on its core business – the development and implementation of software – while CodeMeter guarantees the protection that is needed at the heart of their solution.

Read the full case study and see how CodeMeter protects Belsim’s invaluable intellectual property.

Topics: CodeMeter, secure licensing, Anti-piracy, Copy Protection

Certificates for Authenticity, Authentication or both?

Posted by Terry Gaul on Apr 23, 2015 10:50:21 AM


Live Event:

Certificates for Authenticity, Authentication or Both?
April 28, 2015
9 - 10 am PST


Software developers have an affinity for encryption methods, but not all have quite mastered certificate management. Digital certificates are often seen in relation to authentication practices such as single sign-on, email signature, and file encryption, but they are also a key pillar in software protection.

This crash course will navigate you from theory to practice, illustrating basic principles and best application uses. Whether your goal is protecting a computer or embedded software, there are techniques that you can implement and requirements you should follow to achieve greater effectiveness in shielding your application from piracy and tampering.

Through the integrated use of certificates, CodeMeter serves a dual purpose: authenticity and authentication. While mechanisms like Authenticode offer authenticity for the software user, CodeMeter offers authenticity for the software developer. If an application consists of more than one executable, CodeMeter uses small, easy-to-use proprietary certificates to check the integrity of the whole application. In the case of an embedded system such as VxWorks, the integrity of the entire embedded device can also be verified: the authenticity of each module, from the bootloader and the operating system up to each piece of software running on the system, is validated.

Additionally, with authentication, you can make sure only users with entitled credentials can use or maintain your software or can log in to cloud-based solutions.

Get familiar with the terminology and become a proficient user of certificates. Register Here

Topics: CodeMeter, software copy protection, Anti-piracy, Copy Protection

Integrity Protection for Embedded Systems

Posted by Terry Gaul on Oct 21, 2013 9:51:00 AM

In their book, Embedded Systems Security, David and Michael Kleidermacher point out some all-too-real scenarios about the consequences of malicious threats to embedded systems.

Consider that for every PC in the world, there are hundreds of embedded systems, interconnected over various communication channels, like WiFi, Bluetooth and RFID. And nothing has become more computerized faster than the modern automobile. Computers, in the form of self-contained embedded systems, have been integrated into virtually every aspect of a car's operation and diagnostics, including throttle control, transmission, brakes, speedometer, climate and lighting controls, external lights and entertainment systems.

The authors gave one example of an industrial company that sells bearings that use a magnetic field to suspend a shaft. A Digital Signal Processor performs 15,000 calculations per second to keep operations running smoothly. The bearing controllers have Ethernet connections.  With a coordinated attack on the bearings, plant operations could be brought to a halt.

The authors also discuss the security issues brought on by non-malware bugs. As embedded systems become increasingly ingrained in our lives, any bug that compromises the reliability of a system can become a mission-critical security threat. For example, what would happen if automated jail control doors failed to close? A task that errantly consumes too many resources (like memory) or CPU cycles can prevent other activities from running: the traffic light fails to turn red, the railroad signal remains open, or the ATM’s bill counter fails to stop spewing money. 

The Department of Homeland Security notes that our country’s reliance on cyber systems to run everything from power plants to pipelines and hospitals to highways has increased dramatically, and our infrastructure is more physically and digitally interconnected than ever. Yet for all the advantages interconnectivity offers, critical infrastructure is also increasingly vulnerable to attack from an array of cyber threats.

Most embedded systems developers have little training in security and are largely unaware of both the threats and the techniques and technologies needed to make their products secure. In order to develop effective methods aimed at preventing attacks, the potential threat scenarios need to be understood. Some of the possible attacks on embedded systems are listed below:

  1. Attackers develop a "fake device," a device that looks just like the original, but whose functions have been altered for nefarious purposes, that could be installed, for example, as a replacement part during equipment service.
  2. Attackers develop their own software and run it by replacing the memory card in the embedded system.
  3. Attackers extract the memory card out of the embedded system, manipulate the software and plug the card back into the system.
  4. Attackers modify the software on the embedded system by controlling the communication interfaces from the outside.
  5. Attackers monitor an embedded system, while in use by the application, in order to analyze it and to develop avenues of attack.

Finally, the authors make one more important point. They say that one of the most important tenets of computer security is that it is difficult, unwise, and often financially and/or technically infeasible to retrofit security capability to a system that was not originally designed for it. Therefore, they conclude, the only hope for improving security across the world of embedded systems is to educate the developers, who must learn to think about security issues as much as they already think about functionality, memory footprint, and debugging.

And that's where Wibu-Systems comes in. For 25 years, we have delivered the tools needed by software developers to protect their software against piracy, IP theft, and manipulation.  We continue to incorporate state-of-the-art security technologies into our software protection tools for embedded systems and PC software as well as cloud services and mobile apps.

Download the White Paper: Integrity Protection for Embedded Systems

The term "Integrity Protection" encompasses security measures, namely protection of system resources, programs and data against unauthorized manipulation, or at least identification and display of such modifications. The challenge consists in guaranteeing data integrity, and, if not possible, bringing the system to a safe mode and stopping the execution of any function. The best integrity protection solutions are based on cryptography and associated security mechanisms, such as digital signatures and message authentication. This 12-page white paper will describe these advanced encryption techniques.
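The following added example, which is not from the white paper or from CodeMeter, applies the message-authentication approach described above to a boot chain: each stage carries an HMAC chained to the previous stage, and the first mismatch puts the device into safe mode before anything further runs. The key, stage names and images are constructed for illustration; with digital signatures the device would hold only a public verification key instead of the shared secret.

```python
import hashlib
import hmac

# Constructed demo key (assumption): a real device keeps this in protected storage.
DEVICE_KEY = b"constructed-demo-key"
CHAIN_START = b"\x00" * 32  # fixed starting value for the first stage


def stage_tag(prev_tag: bytes, name: str, image: bytes) -> bytes:
    """HMAC over the previous stage's tag, the module name and the image hash.

    Including prev_tag chains the stages, so a module is only valid in its
    original position behind the original, unmodified earlier stages.
    """
    encoded = name.encode()
    msg = prev_tag + len(encoded).to_bytes(2, "big") + encoded
    msg += hashlib.sha256(image).digest()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).digest()


def build_manifest(stages):
    """Provisioning side: [(name, image), ...] -> [(name, tag), ...]."""
    manifest, prev = [], CHAIN_START
    for name, image in stages:
        prev = stage_tag(prev, name, image)
        manifest.append((name, prev))
    return manifest


def verify_boot_chain(manifest, stages):
    """Device side: check every stage in order before anything runs.

    Returns ("RUN", None) when all tags match, otherwise
    ("SAFE_MODE", <first failing stage>) so that nothing after it executes.
    """
    if len(manifest) != len(stages):
        return ("SAFE_MODE", "<stage count mismatch>")
    prev = CHAIN_START
    for (expected_name, expected_tag), (name, image) in zip(manifest, stages):
        actual = stage_tag(prev, name, image)
        # compare_digest avoids leaking how many tag bytes matched
        if name != expected_name or not hmac.compare_digest(actual, expected_tag):
            return ("SAFE_MODE", name)
        prev = expected_tag
    return ("RUN", None)


# Constructed sample images standing in for real binaries.
GOOD = [
    ("bootloader", b"BOOT v1"),
    ("os", b"KERNEL v1"),
    ("application", b"APP v1"),
]
MANIFEST = build_manifest(GOOD)

# Scenario 3 from the list above: card removed, software manipulated, reinserted.
TAMPERED = [GOOD[0], ("os", b"KERNEL v1 + patch"), GOOD[2]]
# Scenario 2: the attacker's own software on a replacement card.
REPLACED = [GOOD[0], GOOD[1], ("application", b"OTHER APP")]

if __name__ == "__main__":
    for label, stages in (("good", GOOD), ("tampered", TAMPERED), ("replaced", REPLACED)):
        print(label, verify_boot_chain(MANIFEST, stages))
```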

Topics: CodeMeter, software copy protection, Copy Protection, Anti-piracy, embedded security, secure licensing

5 Things To Consider When Looking For Software Piracy Protection

Posted by Terry Gaul on Mar 1, 2013 3:00:00 PM

There are several things to look for when choosing an anti-piracy protection system for your software application. As a software developer you put a lot of time and resources into developing your application and are entitled to a return on investment. The last thing you want to see is your application "pirated" and being sold by another vendor for their profit or end users downloading your application from the web for free. Or worse: someone tampers with your software and adds malware and viruses to it. Adding a layer of security to prevent such tampering and illegal use is good. But the best-case scenario is having a piracy protection system that is integrated with a secure licensing solution.

What to look for when choosing an integrated anti-piracy and license management solution? 

  • IP Security – You should be able to secure your intellectual property with automated encryption utilities to protect against the pirating of your code. 
  • License Security – Is your license doing a simple check (license valid – yes/no) which can be easily spoofed or is your license secured with encryption and doing a key exchange to verify license validity?
  • Easy to Implement – Security should be a part of your license management. The goal is to easily integrate your piracy solution into your current business processes without changing one line of source code or recompiling.
  • Scalable Solution – You should choose a solution that will grow with your business opportunities. You should have the option to deliver your secured software with either a license file (software activation bound to a target machine) or a secure device that contains your license (USB Key or a "dongle" in other form factors). The best solutions let you be flexible enough to choose your method on the fly (at order time).
  • A solid company to back up its offering that is focused on secure software licensing. Make sure you choose a vendor that is focused on providing the most secure anti-piracy solution which will also enable your business growth through secure software licensing. Some other things to consider: how long has the company served this market; does the company have a satisfied customer base; and where does their product development take place?

If you are interested in learning more about protecting your software, securing your licenses, and enhancing your software monetization opportunities download the free Frost & Sullivan White Paper on Best Practices in Software Monetization, a Customer-Centric View of Secure License Management.


Topics: CodeMeter, Anti-piracy

Secure Software Licensing Part 2

Posted by John Browne on Aug 1, 2012 4:46:00 AM

In the last blog post, we talked about what is meant by "secure" in the phrase "secure software licensing." But what exactly do we mean by "software?"

At first blush I think most of us think of "software" as a desktop application like Photoshop or perhaps an OS like Windows. And frankly this is the bulk of what we see people needing advanced secure software licensing for. But wait, as they say, there's more:

  • Executables: Anything in the PEF (portable executable file format) can be protected against license abuse or copying. 
  • DLLs: dynamic-link libraries (DLLs) and shared libraries on MacOS and Linux can be used to store a significant amount of protectable code. 
  • Data files: files associated with particular applications may need to be protected as well. For example, PDF files (used by Adobe Acrobat) are a popular format for distributing electronic documents, some of which can contain sensitive information. You might want to secure the availability of these to certain people or certain time frames. Additionally, if your application uses a database of proprietary data (perhaps industry benchmarks you have painstakingly collected over the years) you might want to prevent unauthorized access or copying of that data.
  • Media files: Both music and video have multiple DRM systems in place for commercial distribution. But what if you want to stream video from your website but limit its distribution to a set of license rules? This can be difficult without a secure software licensing system. 
  • Website access: As more and more applications move into the cloud, or are presented as Software as a Service (SaaS) like salesforce.com, access control and authentication become more and more important. Current systems like named users with passwords are ripe for abuse (sharing credentials among multiple users). 
In the next article I'll dig into the term "software licensing" to discuss what is arguably the most interesting part of this concept.

Topics: License Management, Copy Protection, Anti-piracy, software piracy

Secure Software Licensing

Posted by John Browne on Jul 31, 2012 9:39:00 AM

We talk a lot about copy protection in this space but what I want to focus on today is what is meant by the phrase "secure software licensing." Let's unpack the term and look at each component separately:

Secure

The sine qua non of all this is security. If your software isn't secure nothing else that follows matters. By "secure" we're talking about preventing a host of bad things you don't want to happen:

  • License piracy: your customers bought a certain right or entitlement to use your software. That entitlement needs to be secured in such a way that the customers can't accidentally or even deliberately use more copies than they have purchased. Additionally, you need to be able to ensure that non-customers cannot use your software until they have a license (i.e., become a customer).
  • Code cracking: Modifying the executable code to circumvent or disable any license verification is pretty common these days, particularly for very popular applications. You can find these cracked versions on the usual Internet sites. But increasingly even niche-market B2B software is being cracked, particularly for use in the developing world. 
  • Reverse Engineering: Reverse engineering of the original IBM PC BIOS led to a slate of instant clones competing with IBM for the same market space. Reverse engineering of software is not illegal in the USA, since it's considered fair use under the copyright laws. Protecting your software against this is critical.
  • IP Theft: You're in the software business, and in software your most important assets are your IP--some of which probably exists as algorithms in your code base. Do you want your competitors to see how you solve tough problems and use that to their advantage? Of course not. 
  • Code Tampering: How do you know that the binary you have is the binary that was created originally? How can your users know? In some applications, this may be the most important question of all. For example, if you're selling applications to the military or healthcare industry, being able to assure them that there are robust internal safeguards against the code having been modified before they execute it can be vital.
  • Malicious attacks: similar to code tampering, but in this case you want to ensure that no malware payload has been inserted at any time. Further, you want to know that the code can't be modified on the user's machine. 
These are some of the more common areas for concern in secure software licensing. In the next blog post, I discuss the next part of this expression: "software."

Topics: Code Integrity, CodeMeter, License Management, Copy Protection, Anti-piracy

Simplifying software license management

Posted by John Browne on Jun 28, 2012 11:22:00 AM

The world is flat

Thomas Friedman argues in his classic work that modern telecommunications makes global trade and competition a simple fact of modern life. And so you need flat earth software license management.

If you're an ISV your customers can be in Silicon Valley or Singapore. Brooklyn or Beijing. Utah or Ukraine. They might be companies you know and have done business with for years. People you know and trust. Or they might be someone you never heard of before. Someone who needs to earn your trust.


The sad fact is that there are bad people out there who will steal your software. The good news is with flat earth software license management, you can easily handle both the trusted and the (not-yet) trusted customers.

For customers you know and trust, CmActLicense is a perfect solution. Using a software-only solution, it binds to the PC it is installed on, preventing piracy but also preventing license portability. (More on that below). With SmartBind™ the number of times users have to reactivate after making small changes to their PC configuration is drastically reduced. All in all it's a great solution for trusted customers.

For those you haven't had a chance to know, you want maximum security. Here's where the genius behind CodeMeter really shines. You can easily decide--at the time of sale--which customers get their license on a CmDongle vs which ones can get CmActLicense. CmDongle provides best-in-class security while also allowing for license portability. This is critical in some industries where a failover solution is vital. In these cases, the customer should be allowed to install the software on a standby machine; if the primary machine fails the license (on the CmDongle) is just moved to the standby machine.

What if the dongle fails? This is almost unheard of, but anything's possible (for instance, it could get lost or physically damaged). Here's how you handle that: Provide the customer a second CmDongle with a license using the Usage Period Product Item Option (PIO). If you set the Usage Period for 30 days, the license will be valid for 30 days from the first time it is accessed. That way the customer has business continuity with the backup dongle while you replace the one lost or damaged. And for extra security you can blacklist the one being replaced so it can never be used as a "free" license.

CmActLicense is really just a software emulation of CmDongle, virtually identical in all respects. Any API call you make to CmDongle will work equally well on CmActLicense. All the PIOs are available on both. So virtually no advance planning or effort is needed to take advantage of this great flexibility. The only real difference is in the binding; you have to install a license information file (*.wbb) on the customer's PC for CmActLicense to use. 

For those customers around the flat world whom you want to use CmDongle, remember that we have offices globally where we can ship from. Say you want to sell your product to that customer in Beijing, but want the license to be protected by CmDongle. Importing that dongle into China can be difficult for you (lots of paperwork). We can ship it from our offices in Shanghai or Beijing to your customer, but all the invoicing and paperwork will happen here in the USA. Saves you some trouble.

Topics: CodeMeter, Anti-piracy, dongles, CmAct

57% of all users agree: piracy protection is critical

Posted by John Browne on Jun 20, 2012 4:35:00 AM

Ok, I might have misread this data a bit. The BSA (Business Software Alliance) has just published its annual study of global software piracy rates. One interesting finding: 57% of the world's PC users admit they pirate software. Only 38% said they never do, and 5% were at Starbucks getting a venti no-foam latte with extra shot when the question was asked.

Perhaps even more interesting, it's not 14 year old kids swiping games here, it's "business decision makers" who have the dirtiest hands--they outnumber "ordinary" users when it comes to software piracy rates. And given that the most massive piracy takes place in emerging economies, this translates pure and simple into a competitive advantage (via illegal means) for those businesses against the ones who play by the rules.

Why is this man smiling?

At a recent conference I attended, Dave Graubart of Synopsys spoke as the chair of the Anti-Piracy Committee from the Electronic Design Automation Consortium about the problem. EDAC's own data collection methodology closely matches the BSA data at 40% global piracy rates. This is approximate, of course--he had some interesting methods people use to track piracy, such as getting support calls from a company which has never bought the product.

In the "old days" piracy for complex software (and complex frequently equates to expensive) was less of a perceived problem because support was such a critical element in user success. Now software is more sophisticated and ease of use is vital for market success, so it's easier for people to use pirated software without calling tech support, who might want to confirm their license status.

The top 4 countries in terms of the dollar value of pirated software are US, China, Russia, and India. All these countries compete on the global market and the companies who do so without paying for their licenses have a potentially huge advantage over those who do (keep in mind we're not talking about Microsoft Office here, we're talking about electronic design software that can cost 5 or 6 figures per seat).

What to do, what to do? Well, start (and end) with good piracy protection. The best, of course, is CodeMeter: who else can make the statement that it defeated both Chinese and Russian crackers?

Topics: Anti-piracy, software piracy

Tariffs are not software protection

Posted by John Browne on Jun 19, 2012 11:57:00 AM

Kenya in a bold move has decided to eliminate duties on imported software as a means of combatting piracy. 

Apparently the piracy rate in Kenya is 83%, double the worldwide average, according to the BSA's 2011 global software piracy report.

Of course, the total value of pirated software in eastern and southern Africa (excluding South Africa) is a relatively paltry $108M, chump change compared to the $9.7B in estimated value of pirated software in the US of A. (Note: I have no dog in this fight--the BSA has been criticized for the manner in which they calculate the "economic value" of pirated software; it's probably an inflated number because not everyone who steals something would buy it otherwise, but it's a consistent measurement so it has value to show trend lines.)

These are not the cheatahs you are looking for. Three cheetahs sitting in Kenya Africa acinonyx jubatus by Stolz Gary M, U.S. Fish and Wildlife Service

Kenya's Finance Minister, Njeru Githae, is on the right track, but it won't solve the problem. In fact, I doubt it will make a dent in the problem. The reasoning seems to be that someone who is willing to steal something because it costs X will pony up instead if it costs less than X. 

Whether this will make ISVs rush to market products in Kenya or not I can't say. I can say unequivocally that the ISVs who aren't worried are the ones using robust software protection. When I park my car downtown, I don't first check to see what the current state of grand theft auto conviction rates are. I have a key, I lock the car, it's hard to steal. I want someone to rip it off, I can leave the key in it. It won't last long that way, unless it belongs to Jerry Seinfeld.

Topics: software copy protection, Anti-piracy

How to Pick Copy Protection Software (NOT!)

Posted by John Browne on Jun 6, 2012 6:08:00 AM

Here's a brief list of things (NOT) to do when picking a vendor for copy protection software:

  1. Make sure from their website they have no phone number, physical address, or any way to contact them except through a form. Hey, it's a virtual world! Who needs offices and employees and phones? C'mon! What you want, when it's hard on the deadline and the tool isn't working, is a vendor with a webform on the "contact us" page. The mystery of wondering if you'll ever hear back from them, or even what time zone they're located in, will keep life interesting for you. 

    CC image by Houza Soucup on flickr

  2. Don't sweat the details. If they tell you their solution can't be cracked, why question it? The specifics of exactly HOW they keep 12 year old nerds with bad complexions in Belarus from cracking their "protection" in exactly 6 minutes are irrelevant, aren't they? 

    Is this your cracker?

  3. Make sure that the application has to "phone home" every time it starts. This will delight any users who want to run it without an Internet connection. Or when the server crashes. When, not if.
  4. Ensure that the entire protection scheme decomposes into a challenge-response test. That will make it super-easy to crack.
  5. Just ignore the problem. After all, anything you do will just get cracked, right?

Topics: Copy Protection, Anti-piracy