Wibu-Systems Blog

Are Those Storm Clouds Ahead?

Posted by Terry Gaul on Oct 30, 2013 11:40:00 AM

Adobe may have raised some eyebrows last year when they announced they were moving their packaged Creative Suite PC software to the cloud, but most industry analysts predicted this day was coming – it was just a matter of how soon. Microsoft is moving in the same direction with their Office 365 cloud offering and other enterprise application developers are sure to follow suit. However, after the story came out recently that hackers broke into Adobe's network and stole personal information, including an estimated 2.9 million credit card numbers, the cloud may be darkening a bit.

Skeptics have pointed to data security from day one as the most serious drawback to cloud computing, and Adobe's misfortune makes their case. But is that enough to break the momentum of the rollout of the subscription-based model of software delivery? I don't think so, because the cost advantages of cloud-based software applications are too great for both the ISV and the end user. And end users want access to their apps from any device, from anywhere, and the cloud is the most effective way to fulfill that need.

Nonetheless, it is incumbent upon the software developer and hosting vendor to keep the data out of the wrong hands. There are three types of cloud computing scenarios that exist:

  • Application (SaaS): Independent software vendors (ISVs) host their applications in the cloud, where the ISV's customers (end users) store the data that those applications access. The ISV manages the cloud space. Example: salesforce.com.
  • Platform (PaaS): ISVs host their applications in the cloud but, in contrast to SaaS, the user has more flexibility in usage of the stored data by accessing development tools, databases, or web services. The ISV still manages the cloud space. Examples: force.com, windowsazure.com.
  • Infrastructure (IaaS): Users lease the infrastructure (a virtual computer) in the cloud, store their data there, and install, host and run applications. The cloud space is managed by the user rather than the ISV. Example: amazon.com.

Each approach has its unique security strengths and vulnerabilities and requires a strong user authentication and data encryption strategy to protect the cloud-based application. Moving from conventional perpetual licenses to subscription-based licensing in the cloud also requires ISVs to consider new licensing strategies to secure the process and protect against license sharing.

In the IaaS environment, traditional software licensing control through a machine binding or a dongle is not possible and new licensing methods must be addressed.

As a provider of software protection and secure licensing solutions for over 25 years, we've been able to apply our experience to the development of the tools that our customers need to secure their software in the cloud and provide their users with the peace of mind that their data is safe.

You can learn more about our proven cloud security techniques by watching this 1-hour pre-recorded webinar, in cooperation with our partner, charismathics. We demonstrate how we protect ISVs' data and business logic in SaaS, PaaS and IaaS schemes against license counterfeiting and duplication. With the integration of charismathics CSSI, we can also guarantee users' secure access based on PKI two-factor authentication for SaaS and PaaS. Explore our complete offering for cloud security during the webinar or go to our web page for more information.

Photo by longhorndave

Topics: CodeMeter, Copy Protection, CmAct, CodeMeter License Central

Simplifying software license management

Posted by John Browne on Jun 28, 2012 11:22:00 AM

The world is flat

Thomas Friedman argues in his classic work that modern telecommunications makes global trade and competition a simple fact of modern life. And so you need flat earth software license management.

If you're an ISV your customers can be in Silicon Valley or Singapore. Brooklyn or Beijing. Utah or Ukraine. They might be companies you know and have done business with for years. People you know and trust. Or they might be someone you never heard of before. Someone who needs to earn your trust.


The sad fact is that there are bad people out there who will steal your software. The good news is with flat earth software license management, you can easily handle both the trusted and the (not-yet) trusted customers.

For customers you know and trust, CmActLicense is a perfect solution. Using a software-only solution, it binds to the PC it is installed on, preventing piracy but also preventing license portability. (More on that below). With SmartBind™ the number of times users have to reactivate after making small changes to their PC configuration is drastically reduced. All in all it's a great solution for trusted customers.

For those you haven't had a chance to know, you want maximum security. Here's where the genius behind CodeMeter really shines. You can easily decide--at the time of sale--which customers get their license on a CmDongle vs. which ones can get CmActLicense. CmDongle provides best-in-class security while also allowing for license portability. This is critical in some industries where a failover solution is vital. In these cases, the customer should be allowed to install the software on a standby machine; if the primary machine fails, the license (on the CmDongle) is just moved to the standby machine.

What if the dongle fails? This is almost unheard of, but anything's possible (for instance, it could get lost or physically damaged). Here's how you handle that: Provide the customer a second CmDongle with a license using the Usage Period Product Item Option (PIO). If you set the Usage Period for 30 days, the license will be valid for 30 days from the first time it is accessed. That way the customer has business continuity with the backup dongle while you replace the one lost or damaged. And for extra security you can blacklist the one being replaced so it can never be used as a "free" license.

CmActLicense is really just a software emulation of CmDongle, virtually identical in all respects. Any API call you make to CmDongle will work equally well on CmActLicense. All the PIOs are available on both. So virtually no advance planning or effort is needed to take advantage of this great flexibility. The only real difference is in the binding; you have to install a license information file (*.wbb) on the customer's PC for CmActLicense to use. 


For those customers around the flat world who you want to use CmDongle, remember that we have offices globally where we can ship from. Say you want to sell your product to that customer in Beijing, but want the license to be protected by CmDongle. Importing that dongle into China can be difficult for you (lots of paperwork). We can ship it from our offices in Shanghai or Beijing to your customer, but all the invoicing and paperwork will happen here in the USA. Saves you some trouble.

Topics: CodeMeter, Anti-piracy, dongles, CmAct

What is software piracy?

Posted by John Browne on Mar 7, 2011 12:50:00 PM

Software piracy can take a number of forms, intentional and unintentional. What normally comes to mind when you hear "software piracy" is hackers or crackers (more about that in a minute) doing something illegal. But it can also include people who inadvertently violate license agreements without knowing.

What are hackers and what are crackers? In discussions about piracy, you see both terms used interchangeably. People who "crack" the system an ISV uses to prevent copies are called "crackers." "Hackers," on the other hand, has traditionally been a term for people who break into corporate or government networks. Sometimes it's easier to just say hackers to lump together all the bad guys out there who try to do digital mischief.

So how do they do it? A common approach is to take a legitimate copy of say, Windows or Photoshop, and create a cracked version by patching some DLLs so that the licensing code thinks it's running on a legal copy. Then that single version is propagated around the world courtesy of file sharing sites.

Software-based anti-piracy systems try to bind a single licensed copy of an application to a given machine. Sometimes it will allow you to install on a couple of computers. Typically this is done with fingerprinting: identifying some characteristics of the host computer that the software has to match to. For example, you can look at the MAC address, CPU serial number, hard disk serial number, and so on. When the software first installs it gathers these fingerprints; later when you start up the application it checks the machine fingerprints against the ones it originally installed on and decides if this is a legal copy or not.

Since people upgrade and replace computers, this scheme is flawed from the get-go. The ISV has to decide how stringent to be about matching hardware fingerprints on program load. If you have four values and only three match, do you go ahead and run or do you throw up a dialog telling the user they have to check with the publisher before the software will run? CmAct lets you decide how many factors (out of four total) you need to match before running the application. So you can set it to be two of four; if any two match the application will start.
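The threshold trade-off described above, as an added example that is not Wibu-Systems code and does not use the CodeMeter API. The four factor names, the salt and all sample machine values are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Factor names are assumptions; the page names MAC address, CPU serial and
# hard disk serial "and so on", and says CmAct matches out of four.
FACTORS = ("mac_address", "cpu_serial", "disk_serial", "board_serial")

def enroll(machine, salt):
    """Install time: store a salted digest per factor, not the raw value."""
    return {
        name: hashlib.sha256(salt + name.encode() + b"\0" + machine[name].encode()).hexdigest()
        for name in FACTORS
    }

def matching_factors(stored, machine, salt):
    """Start-up: recompute each digest and list the factors that still match."""
    current = enroll(machine, salt)
    return [n for n in FACTORS if hmac.compare_digest(stored[n], current[n])]

def license_valid(stored, machine, salt, required):
    """Accept the machine when at least `required` of the four factors match."""
    if not 1 <= required <= len(FACTORS):
        raise ValueError("required must be between 1 and %d" % len(FACTORS))
    return len(matching_factors(stored, machine, salt)) >= required

# Constructed sample machines (all values invented for this example).
SALT = b"per-license-salt"
INSTALLED = {"mac_address": "00:11:22:33:44:55", "cpu_serial": "CPU-A1",
             "disk_serial": "DSK-0001", "board_serial": "MB-77"}
NEW_NIC = dict(INSTALLED, mac_address="66:77:88:99:aa:bb")
NEW_NIC_AND_DISK = dict(NEW_NIC, disk_serial="DSK-0002")
OTHER_PC = {"mac_address": "de:ad:be:ef:00:01", "cpu_serial": "CPU-Z9",
            "disk_serial": "DSK-9999", "board_serial": "MB-01"}

def tolerance_table(required):
    """Verdict per sample machine for a given threshold."""
    stored = enroll(INSTALLED, SALT)
    samples = {"installed": INSTALLED, "new_nic": NEW_NIC,
               "new_nic_and_disk": NEW_NIC_AND_DISK, "other_pc": OTHER_PC}
    return {k: license_valid(stored, m, SALT, required) for k, m in samples.items()}

if __name__ == "__main__":
    for k in (4, 3, 2):
        print(k, tolerance_table(k))
```

A strict four-of-four policy rejects the licensed machine after a single network card swap, while two-of-four keeps it running through two hardware changes and still rejects the unrelated PC.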

These methods offer protection from casual theft but have a basic issue in that the fingerprint information has to come from the operating system. Contemporary operating systems do not let application code address hardware directly. If you want to know the serial number of the CPU, you use an OS system call to get it. That unfortunately makes the process somewhat vulnerable to spoofing: making the app think it's talking to the OS when it's not. And in that way many applications are cracked every day. Some of these are given away while some are sold as "real"--you can find them on various ecommerce stores online.

Of course if you use a dongle it should be a lot harder to crack the protection code; in the case of applications protected correctly with CodeMeter they should be impossible to crack. You can find online sites advertising dongle "emulators" or "eliminators" and they are basically cracking sites. Some developers use their dongle in the weakest possible way, by having the application merely check for the existence of a dongle and not using it for key generation. This is incredibly easy to crack and is never recommended!
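The design difference between a presence check and key generation, as an added example that is not Wibu-Systems code. `SimulatedDongle` is a hypothetical stand-in rather than the CodeMeter API, the cipher is a toy built from the standard library, and all sample values are constructed.

```python
import hashlib
import hmac

class SimulatedDongle:
    """Hypothetical stand-in for a hardware token; not the CodeMeter API."""
    def __init__(self, secret):
        self._secret = secret          # on real hardware this never leaves the device
    def is_present(self):
        return True
    def derive_key(self, challenge):
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

def xor_stream(key, data):
    """Toy SHA-256 counter keystream for illustration; use an AEAD in real code."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def seal(dongle, challenge, plaintext):
    """Vendor side: encrypt the protected data under a dongle-derived key."""
    key = dongle.derive_key(challenge)
    body = xor_stream(key, plaintext)
    return hmac.new(key, body, hashlib.sha256).digest() + body

def weak_start(dongle, plaintext):
    """Presence check only: the outcome never depends on the dongle's secret."""
    return plaintext if dongle is not None and dongle.is_present() else None

def strong_start(dongle, challenge, blob):
    """Key generation: without the right secret there is nothing to run."""
    if dongle is None:
        return None
    key = dongle.derive_key(challenge)
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return xor_stream(key, body)

# Constructed sample values.
CHALLENGE = b"product-1234"
LOGIC = b"pricing tables and business logic that the license is meant to protect"
ISSUED = SimulatedDongle(b"vendor-programmed-secret")
WRONG = SimulatedDongle(b"some-other-secret")
BLOB = seal(ISSUED, CHALLENGE, LOGIC)
```

With the weak design the application's data ships in the clear and only a yes/no answer guards it; with the strong design the shipped blob is useless unless the dongle holding the issued secret derives the key.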

Topics: CodeMeter, software copy protection, Anti-piracy, dongles, software piracy, FAQ, cracking, CmAct