Wibu-Systems Blog

Software licensing: it's all about flexibility and security

Posted by Terry Gaul on Dec 14, 2015 11:23:11 AM

IDC recently released their annual top 10 software licensing and pricing predictions for 2016 and I think they are right on target based upon feedback from organizations who are using our CodeMeter secure licensing platform.  I believe a few of the predictions will have an immediate impact on software developers:

  • Software subscription revenues will continue their rapid growth trajectory
  • Software license complexity will indirectly cost organizations an average of 25% of their software license budgets in 2016
  • At least three software vendors will announce in 2016 the intent to end all perpetual licensing

There are many more details outlined in the report, but the bottom line for me was that the licensing environment is rapidly evolving and software publishers, now more than ever, need to have the flexibility to roll out new licensing models to meet their customers’ needs as well as achieve their own software monetization goals. Let’s take a brief look at some of the license models that are currently in play, ranging from single user/network licenses to modern consumption and user-based models:

  • Single user license: the license is stored on a local PC or dongle plugged into the local PC.
  • Single user license in a virtual machine: the license is bound to a virtual machine and when the virtual machine is copied, the license becomes invalid.
  • Network license: the license is stored on a license server in the network.
  • Feature-on-Demand license: individual licenses are used to activate specific product features and modules.
  • Perpetual license: the license never expires.
  • Demo/Trial license: the user can only access specified features for a limited time.
  • Rental, Leasing, Subscription License: the developer specifies how long the license is valid.
  • Pay-per-Use license: billing is based on the number of units used.
  • License with software assurance: a perpetual license with a maintenance agreement that includes automatic updates.
  • License with downgrade-right: the license provides the right to optionally use older versions of the program.
  • License with upgrade-right: the license covers the right to optionally use a newer version of a program.
  • Grace period license: software can be used for a limited time without activation.
  • Volume licensing: the customer is sent a large number of licenses to cover the required number of seats.

This is just a short list of licensing options (read an expanded list of licensing options here) which could possibly double in size by next year. Whether you are using your own homegrown licensing solution or you’ve outsourced to licensing professionals, it is imperative that you have the flexibility to adjust your model as the market dictates.

Finally, let’s go back to the IDC report. One surprising note was that there was no mention of license security. No doubt, secure software licensing is at the forefront of the discussion, particularly in the rapidly growing IoT sector. We’ve covered IoT security in this blog frequently and will continue to post more thoughts in the coming months as the market emerges.

Topics: License Management, CodeMeter, secure licensing, software licensing

Security by Design for connected devices

Posted by Terry Gaul on Dec 4, 2015 7:52:53 AM

There were some interesting findings released in a global study this past June conducted by Harbor Research (in conjunction with Progress Software) on the State of IoT: 2015 Global Developer Study. Not surprisingly, inexperience, interoperability and security were at the top of the list of challenges mentioned by 678 developers polled in the study. Here are a few of the key findings: 

  • Only 50% of developers say they have the skills, resources and technological tools to deliver on IoT expectations.
  • Interoperability, integration, security and privacy are among the top concerns of IoT developers
  • Low levels of monetization reflect business models that have not kept pace with technology advances
  • Current activity to address these issues is scattered among government organizations, various company alliances and other disparate groups
  • Security must be factored in from the beginning of development of any IoT product or application
  • Developers believe commercial vendors and the open source community have the greatest power to help them overcome these challenges

Certainly security and software monetization are on the top of our list and the main focus of our business. In our ongoing discussions with customers, we’re finding that more and more developers are looking to vendors like Wibu-Systems to help them address security from the start rather than later in the development process. And this is a growing sentiment with embedded system developers of connected IoT devices, in particular.

To put it all into perspective, I invite you to read our latest white paper, Licensing and Security for the Internet of Things. This document delves into the current trends in IoT device development, strategies for success, and standards for protection and licensing systems in the IoT. It also presents a detailed explanation of our extensive CodeMeter toolkit that provides protection that can be easily and securely integrated into the software. The technology protects against reverse engineering and software replication and provides integrity protection of the application, licensing options, and flexible management of access rights.

Download the white paper and learn about the benefits of security by design.

Topics: CodeMeter, embedded security, Internet of Things

Endpoint Security for a Rail System: Another Industrial Internet System Success Story

Posted by Terry Gaul on Nov 18, 2015 10:45:11 AM

When AT&T, Cisco, GE, IBM and Intel founded the Industrial Internet Consortium in March 2014, I wonder if they had envisioned how quickly the international technology community would embrace their mission to catalyze and coordinate the priorities and enabling technologies of the Industrial Internet. Many amazing collaborative solutions have already emerged – for example, RTI and Siemens teamed up on a solution to network and control hundreds of wind turbines for better control and optimization, and National Instruments and Airbus have developed tools for smarter factories. Just take a look at the many case studies published by IIC members in a variety of fields – communications, energy, healthcare, manufacturing, transportation and logistics, and security – and you will gain a sense of the enormous potential for the connected world.

Industry collaborations and technology partnerships are the foundation upon which these innovative Industrial Internet systems will be created. Wibu-Systems’ main focus is to provide the protection platform for our partners to secure these next generation systems. For example, as a member of the Infineon Security Partner Network (ISPN), we have worked closely with Infineon and other leading security vendors to secure devices and systems in various applications. In a recent collaboration, we employed Infineon’s SLE 97 security controller and our CodeMeter Embedded Protection to deliver an endpoint security solution to safeguard railway control systems.

In this use case, the safety of the application was paramount. Hardware components had to comply with an extended operating temperature range, moisture challenges, and vibrational conditions. The software security elements were tasked to guarantee the highest level of security against cyber threats while protecting IP against reverse engineering and piracy. And, the solution needed to be compatible with the real-time VxWorks operating system already in use. The multiplicity of potential attack vectors called for an endpoint security solution. The CodeMeter-based solution met all these criteria and was then integrated into the existing power-controlling infrastructure.

You can read more specific details about the cryptographic elements of the solution, secure boot mechanism and other innovative development and implementation details in this case study.

 

Topics: CodeMeter, Code Integrity, embedded security, Internet of Things, cybersecurity

How Much is Your IP Worth?

Posted by Terry Gaul on Oct 28, 2015 5:18:17 AM

The intellectual property gained during the development of an ISV’s flagship software product most likely represents an investment in hundreds and hundreds of man hours. 

The majority of that time is spent on developing features and functionality, refining, and testing to assure that the final product addresses the needs of the customers in the most effective way possible – that’s the core strength of the software engineers. The business end of the development process is in software monetization – implementing creative licensing strategies and protection against piracy to assure that the company achieves the maximum revenue it deserves. However, that capability may not be the core strength of the software engineer, which is why many ISVs are looking for help from licensing and security specialists to protect their IP investment and monetize their software.

For example, consider the case of Belsim, a spin-off company of University of Liège in Belgium. Belsim’s VALI-suite is the leading worldwide solution for Data Validation and Reconciliation (DVR) software. The VALI-suite is the result of many years of R&D and it represents the centerpiece of Belsim’s intellectual property.

According to Christophe Pirnay, Belsim’s Development Manager, "When we decided to develop VALI’s newest version in Microsoft .NET, it was clear that we also needed a partner to support the solution’s license management and to protect it against software piracy."

"We never really knew if our software was copied or used illegally", says Christophe. "We were a bit suspicious at times, but we never were sure if it was really happening. In those days, we were handling license management and software protection ourselves," he added.

Belsim recognized that license management and software protection were not part of their core business and they began to search for a security partner. Their search steered them toward Wibu-Systems’ CodeMeter software protection, licensing and security solution. CodeMeter protects VALI against unauthorized use, but also against anyone who tries to take a peek at the code. This way, CodeMeter also keeps Belsim’s competitors at a safe distance, as well as others who might try to build their own solution based on Belsim’s code.

In this case, with the help of CodeMeter, Belsim can fully concentrate on its core business – the development and implementation of software – while CodeMeter guarantees the protection that is needed at the heart of their solution.

Read the full case study and see how CodeMeter protects Belsim’s invaluable intellectual property.

Topics: CodeMeter, secure licensing, Anti-piracy, Copy Protection

Good Things Come in Small Packages

Posted by Terry Gaul on Oct 14, 2015 11:49:38 AM

The SD Association recently celebrated the 10th anniversary of the microSD™ Card. Founded in 2000 by Panasonic, SanDisk and Toshiba, the SD Association is a group dedicated to establishing SD standards and facilitating their adoption and development. In their Thought Leadership article, the Association shares interesting facts, including that the memory capacity of the microSD card had increased 6,000 times during that 10-year period, with the latest version available to consumers today containing 200 gigabytes of storage.

Due to their tiny form factor, microSD cards have found their way into a growing list of devices that require expanded memory, from smart phones to wearable devices and many more. For Wibu-Systems the microSD form factor is a perfect solution for protecting and licensing embedded systems and the next generation IoT devices. Our CmCard/microSD contains an integrated smart card chip with approximately 384 kbytes of secure memory available for storing more than 1,000 licenses and providing the full complement of CodeMeter security functions, including symmetric and asymmetric encryption, signatures, and the storage of X.509 certificates. At only 11 mm x 15 mm x 0.7 mm in size, the CmCard/microSD will fit in the tiniest of devices, providing both security and flexible licensing options in space limited embedded systems and Industry 4.0 sensors.

Integrated security functionality and built-in SLC flash memory are standard features in all of our CmCard form factors that include µSD, SD, Compact Flash, and CFast cards along with optional SLC or MLC flash memory for our USB Sticks. The combination offers our customers many benefits:

  • Lower costs by combining functions on a single device
  • Industrial grade design for long life
  • Field upgradeability without any changes to hardware
  • Dedicated data partitions offer application flexibility, such as storage of highly sensitive data on mobile devices
  • Prevention of software piracy
  • Protection against counterfeiting
  • Additional security for gambling machines, ATMs or other devices frequently targeted for tampering and attacks


You can learn more technical details about our flash-equipped CmDongles in our latest whitepaper, CmDongle with Flash Memory in Practice. The document illustrates the technological alternatives, the modalities of use, the possible applications, and the commercial reasons behind the advantages of Wibu-Systems’ protection, licensing, and security devices.

The white paper specifically addresses:

  • The types of memory best suited to commercial and industrial purposes
  • The available partitions (encrypted, read-only, CD-ROM, and public areas)
  • The complete calculation concerning the Total Cost of Ownership
  • The advantages of a combination product
  • The benefits in terms of increased security
  • The versatility of the many form factors
  • Real-world customer applications

Download the whitepaper

Topics: dongles, CodeMeter, CmSticks

From Stuxnet to iPhone: The evolution of modern computer viruses

Posted by Rüdiger Kügler on Sep 22, 2015 12:50:13 PM

Whether it be Stuxnet or an iPhone virus, it is people who are the cause of trouble. But let’s go back to how the story began: Just a few days ago, it was unthinkable for an iPhone to be infected with a virus. The concept of the App Store itself – which only allows the distribution of software authorized by Apple – seems to suggest that the spread of viruses through their apps would be impossible. It is the same belief we had for one of Siemens’ controllers years ago: "They can never be subject to viruses." It was just a matter of time before both assumptions were proven wrong.

What happened then? Any software running in a closed system, like an iPhone, must be signed by a software publisher. For this purpose, the developer uses a key pair consisting of a private and a public key. The private key is kept secret and used for the cryptographic signature. The public key is signed by the manufacturer of the closed system, in this case Apple, with its own private key (root key). The resulting electronic document – which includes the developer’s public key and the signature from Apple – is called a certificate. For validation purposes, the closed system only requires the public key (public root key) that is already included in iOS by Apple: "Only developers that I know and trust are allowed to run software in my closed system."

In a jailbreak, this mechanism is undermined by the user of the device. A modified operating system skips this check. While any software can then run on the device, the user of a jailbroken phone inadvertently opens the door to virus threats as well. However, the issue now affects respectable users (those not using jailbreaks) too.

And why is the iPhone case so similar to Stuxnet? In both cases, the development environment of the software developer was attacked. This means that the virus had already taken hold of the software after compiling, but before signing the application. When the developer signed the software, he included the virus as well, which thus passed any verification controls unnoticed. Compared to this, the attack via Stuxnet occurred at an alarmingly lower level. The new incident exploited human vulnerability – convenience first and foremost – by offering a tampered pirated copy of Xcode for download. China was affected more significantly by it, as the use of pirated products is widespread and usually regarded as a minor offense.
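The signing chain described above, as an added Go example that is not from the original post and is not Apple's or Wibu-Systems' code: a root key certifies a developer key, the device checks both signatures using only the public root key, and a build altered before signing still verifies. Ed25519, all type and function names, and the comparison against an independent rebuild digest are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Certificate is the developer's public key plus the root's signature over it.
type Certificate struct {
	Developer string
	PublicKey ed25519.PublicKey
	RootSig   []byte
}

// SignedApp is what reaches the closed system.
type SignedApp struct {
	Binary, Sig []byte
	Cert        Certificate
}

// certBody is the byte string the root key signs (name and key, NUL-separated).
func certBody(name string, pub ed25519.PublicKey) []byte {
	return append([]byte(name+"\x00"), pub...)
}

// IssueCertificate is the platform owner's step: sign the developer's public key.
func IssueCertificate(rootPriv ed25519.PrivateKey, name string, devPub ed25519.PublicKey) Certificate {
	return Certificate{Developer: name, PublicKey: devPub,
		RootSig: ed25519.Sign(rootPriv, certBody(name, devPub))}
}

// SignApp is the developer's step: sign whatever bytes the build produced.
func SignApp(devPriv ed25519.PrivateKey, cert Certificate, binary []byte) SignedApp {
	return SignedApp{Binary: binary, Sig: ed25519.Sign(devPriv, binary), Cert: cert}
}

// VerifyApp is the device-side check. It needs only the public root key.
func VerifyApp(rootPub ed25519.PublicKey, app SignedApp) error {
	if len(app.Cert.PublicKey) != ed25519.PublicKeySize {
		return errors.New("malformed developer key")
	}
	if !ed25519.Verify(rootPub, certBody(app.Cert.Developer, app.Cert.PublicKey), app.Cert.RootSig) {
		return errors.New("certificate was not issued by the platform root")
	}
	if !ed25519.Verify(app.Cert.PublicKey, app.Binary, app.Sig) {
		return errors.New("binary does not match the developer's signature")
	}
	return nil
}

// MatchesReference compares the signed binary with the digest of an independent
// clean rebuild of the same source (assumes the build is reproducible).
func MatchesReference(app SignedApp, reference [sha256.Size]byte) bool {
	return sha256.Sum256(app.Binary) == reference
}

// Verdicts: was each constructed case accepted by the device, and does the
// build that was altered before signing match the clean rebuild?
type Verdicts struct {
	Clean, UnknownRoot, ChangedAfterSigning, ChangedBeforeSigning bool
	ChangedBeforeSigningMatchesRebuild                            bool
}

func RunScenarios() Verdicts {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := IssueCertificate(rootPriv, "Example Developer", devPub)
	build := []byte("constructed application bytes")
	altered := append(append([]byte{}, build...), " plus bytes added by a compromised toolchain"...)
	reference := sha256.Sum256(build) // digest from an independent clean rebuild

	clean := SignApp(devPriv, cert, build)

	// A signer whose certificate was issued by some other root.
	_, otherRoot, _ := ed25519.GenerateKey(rand.Reader)
	strangerPub, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)
	stranger := SignApp(strangerPriv, IssueCertificate(otherRoot, "Stranger", strangerPub), build)

	// Binary changed after the developer signed it.
	after := clean
	after.Binary = altered

	// Build output changed on the developer's machine, then signed as usual.
	before := SignApp(devPriv, cert, altered)

	ok := func(a SignedApp) bool { return VerifyApp(rootPub, a) == nil }
	return Verdicts{
		Clean: ok(clean), UnknownRoot: ok(stranger), ChangedAfterSigning: ok(after),
		ChangedBeforeSigning:               ok(before),
		ChangedBeforeSigningMatchesRebuild: MatchesReference(before, reference),
	}
}

func main() { fmt.Printf("%+v\n", RunScenarios()) }
```

The device accepts the build that was altered before signing because both signatures are genuine; only the comparison with a digest produced outside the affected build environment flags it.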

What are the takeaways from this incident?

  • Even free software needs protection against piracy, protection against reverse engineering, and very robust integrity protection.
  • Software must be signed in a trusted environment. For instance, the key should be safely stored in a secure hardware element.
  • Even in a closed system, we should not assume that all software will be reviewed in detail and take our security for granted. The review process is only one link in the protection chain.
  • A security solution is only as good as the weakest point in the chain. Even the best approach may be undermined, if it is not done holistically.
  • A protection solution must offer the same level of security across all platforms. This is where a professional solution like CodeMeter comes into play.

Siemens responded quickly and did a good job after all. Let's hope that Apple is equally responsive. If you are ready to implement the lessons learned from this episode, you can count on CodeMeter, our all-in-one protection suite, and on the professional expertise of our team.

Topics: software protection, CodeMeter, Code Integrity

Anti-Piracy, Flexible Licensing and software monetization

Posted by Terry Gaul on Sep 17, 2015 11:03:39 AM

We’ve all seen the disturbing software piracy statistics released by BSA | The Software Alliance in their Global Software Survey:

  • 43 percent of the software installed on personal computers globally in 2013 was not properly licensed
  • The global rate at which PC software was installed without proper licensing rose from 42 percent in 2011 to 43 percent in 2013 as emerging economies where unlicensed software use is most prevalent continued to account for a growing majority of all PCs in service.
  • The commercial value of unlicensed PC software installations totaled $62.7 billion globally in 2013.

These trends are sure to put a dent into any ISV’s bottom line. In their blueprint for reducing software piracy, the BSA points to increased public education and awareness, modernization of IP laws, and stepped-up enforcement with dedicated resources as important steps towards thwarting piracy.

Of course, a more immediate approach to preventing piracy is to integrate copy protection directly into the application with a robust software protection solution like Wibu-Systems’ CodeMeter. It takes just minutes to protect software from illegal copying, reverse engineering or tampering without having to change a single line of source code.

In addition to preventing software piracy and hacking, a sound monetization strategy will serve to maximize ISV revenues as well. With secure, flexible licensing capabilities, ISVs and device manufacturers can effectively implement creative licensing strategies to meet the dynamic market requirements of their end users. The days of the perpetual software license are long gone and ISVs need the ability to introduce various pricing schemes based on pay-per-function, pay-per-use, subscription, or other possible licensing options. A representative example of a flexible licensing system is CodeMeter License Central, which enables ISVs to create, manage and distribute all types of licenses in a secure, straightforward manner.

Industry analyst firm, Frost and Sullivan, concluded in a white paper that “customers experience best long-term value in terms of both top-line revenue realization bottom-line costs and efficiency when license management solutions inherently provide comprehensive functionality and robust security.”

Download Frost and Sullivan Whitepaper

I invite you to download the full whitepaper, entitled Best Practices in Software Monetization: A Customer-Centric View of Secure License Management. The White Paper sheds light on various aspects of successful software monetization strategies, ranging from business-enabling licensing architectures to resilience against hacking. The document demonstrates how changing times demand that ISVs implement customer-centric business models and customer-friendly enforcement in order to increase their top line software revenues while controlling bottom line costs.

   

Topics: License Management, software protection, CodeMeter, secure licensing, software piracy, CodeMeter License Central

Protecting the Healthcare Landscape of 2020

Posted by Terry Gaul on Sep 8, 2015 1:00:00 AM

The Deloitte Centre for Health Solutions paints an interesting picture of the healthcare and life science sectors in their report, Healthcare and Life Sciences Predictions 2020 – a bold future? The landscape they envision is being shaped by the many scientific and technology innovations emerging today.

By 2020, they foresee an era of digitized medicine where patients manage their own electronic health records and providers and patients share crowd-sourced data via social media and other electronic communities. Today, wearable technologies have been embraced mainly by fitness buffs. But by 2020, Deloitte points to the development of new biosensors that will enable broad adoption of wearables for remote monitoring, disease management and early detection. And in the age of fully digitized medicine, Big Data will have found a way to leverage the healthcare data explosion and deliver information to patients and providers to make better and more informed decisions.

Deloitte imagines that “the convergence of biomedicine, IT, health data, wireless, and mobile will have transformed medicine from an art to a data driven science providing the right care, in the right place, at the right time and at affordable cost.”

The report presents quite an optimistic outlook, but one that is quite plausible from Deloitte’s standpoint, based on the evidence presented. However, Deloitte also points out the many hurdles that will have to be addressed along the way. The two most prominent issues involve patient privacy and safety. While an abundance of patient data will help develop better treatments and improve outcomes, the protection of patient privacy and confidentiality is still paramount. Much more progress needs to be made in cybersecurity to provide the assurances that patient information is protected.

One area that was not addressed in detail in this particular report is the importance of protecting not only patient data, but the connected devices and embedded software themselves from malicious tampering. I like to use the example of former U.S. Vice President Dick Cheney when he acknowledged that he once feared that terrorists could use the electrical device that had been implanted near his heart to kill him and had his doctor disable its wireless function. The device in question was a defibrillator that could detect irregular heartbeats and control them with electrical jolts. Cheney had his doctor turn off the device’s wireless function in case a terrorist tried to send his heart a fatal shock.

Deloitte delved further into these types of issues in a brief entitled, Networked medical device cybersecurity and patient safety: Perspectives of health care information cybersecurity executives. The brief notes that while connected medical devices have the potential to play a transformational role in healthcare, they also may be a vehicle that exposes patients and providers to safety and cybersecurity risks such as being hacked, being infected with malware and being vulnerable to unauthorized access.

With the rapid proliferation of electronic patient data, wearables and other connected medical devices in the healthcare landscape, cybersecurity will be more important than ever. Fortunately, proven technologies exist today for protecting embedded software and connected devices from tampering and execution of malicious code.

Read how custo med, a leading medical diagnostic company in Germany, employs Wibu-Systems’ technology to keep patient data private and protect their diagnostic cardio-respiratory acquisition and reporting system from tampering. Download the case study.

Topics: CodeMeter, embedded security, Internet of Things, cybersecurity

The Role of Security in the Macroeconomy

Posted by Terry Gaul on Jul 2, 2015 3:45:59 AM

A recent report released by the Economist Intelligence Unit entitled Long-term Macroeconomic Forecasts: Key trends to 2050 highlighted some of the emerging economic issues expected to shape global business in the coming decades. Some of the key findings of interest were:

  • China is anticipated to overtake the United States in 2026 in nominal Gross Domestic Product (GDP) and maintain its position as the largest economy by 2050 while India will likely move to third place with the US in second.
  • By 2050 Asia is predicted to account for 53% of global GDP.
  • Climate change, international security and global economic governance are key issues that will be addressed by the leading economies.

Also noteworthy was the projection that “economic growth will be driven by countries moving from less technologically intensive production to capital-intensive manufacturing production.” For more advanced economies, the report went on to predict that “gains from the more efficient usage of capital through increased technological progress as a result of investment in research and development (R&D) will boost growth.”

Undoubtedly, much of this technology investment and growth will be fueled by the Internet of Things and the efficiencies to be gained by the networking of machines, people and business in the so-called smart factory or Industry 4.0. In his article, Internet of Things – Security is a prerequisite for success, in the May 2015 issue of The Vault, Dr. Stefan Hofschen, Infineon Technologies AG, wrote:

“Especially in the context of Industry 4.0 and the automotive industry, the increasing connectivity provides a great number of opportunities for the economy. Yet, it also presents great challenges for businesses, foremost in questions of data security. How can business secrets and intellectual property be protected on the open Internet? How is data protection and confidentiality ensured? How secure is the communication between the different devices or components? And how can attacks be recognized and potential damage prevented? In short, data security and system integrity are essential for the success of new business models, because they protect the availability and reliability of products and services.”

And while many divergent issues will impact the macroeconomy of the future as reported by the EIU, cybersecurity, or the lack thereof, will undeniably be a key factor as the financial damages caused by security breaches can far exceed the upfront technology investments. For example, manipulation of the firmware during an update of a single production machine can cause damage to the entire production process.

Well-planned and technologically superior security measures are vital to provide protection against manipulation and tampering of connected machines and devices, loss of intellectual property and know-how, and theft of proprietary business or personal data. Fortunately, companies like Wibu-Systems have developed cryptographic technologies and other modern security mechanisms to protect the integrity of these smart systems and prevent such malicious activities.

At the IT Summit 2014 in Hamburg, Germany, Infineon, Deutsche Telekom, Fraunhofer SIT, TRUMPF, Wibu-Systems and Hirschmann demonstrated such a security solution for an industrial manufacturing process. I invite you to read more about the technology solution and how it was implemented and visit our new Web site to learn more about all of our proven security solutions for PC applications and embedded systems.

Topics: CodeMeter, embedded security, Internet of Things, cybersecurity

Integrity Protection for Embedded Systems

Posted by Terry Gaul on Jun 9, 2015 11:00:00 PM

Software for embedded systems is based more and more on open system platforms – Linux Embedded, VxWorks, Windows Embedded, QNX and many others. In addition to powerful core functionality, one of the main reasons to use open platforms is their implementation of standardized interfaces for loading code or calling system functions (APIs). Such standards simplify software development between several teams within a large enterprise or even between different software companies. And similar to the success of software for traditional desktop systems or smart phones, developers can find more solutions that can be purchased from third parties instead of developed in-house.

However, this new open world also makes embedded systems vulnerable to attack at two main points. First, the embedded system can be attacked directly from the Internet. Execution code can be replaced or modified by malicious code during code updates. Weaknesses in the code itself can also be exploited. Secondly, hackers have access to the same open source information as the developer. With knowledge of the execution code binary structure, hackers can use powerful development/analytical tools to directly modify the code in a static attack. Furthermore, with knowledge of the memory and process architecture, the hacker can initiate a dynamic attack by inserting malicious code into the boot process.

Recent examples of such exploitations include successful attacks on POS systems to steal credit card numbers or on ATMs to steal cash. The Internet of Things (IoT) now brings embedded systems with such open platforms into a globally connected environment that is highly vulnerable to all types of attacks from hard-to-identify hackers who can be located anywhere in the world.

One solution to prevent such attacks is the installation of security barriers between the code and the open internet, such as firewalls or strict access control to the critical code. But the structure of such barriers in larger installations of embedded systems – an automobile assembly plant for example – is quickly becoming very complex with a high risk of security leaks. And if a hacker can find one such leak, he or she is now “inside”, and knows the details of the platform in use, and can modify the existing code or even upload and start new code to perform malicious attacks beyond simply analyzing, copying or deleting data.

A more effective solution is to protect the running program code itself against any modifications and also prevent the loader of the operating system from starting any unauthorized code. This also includes protecting the open system platform itself to prevent hackers from installing their own loader. And finally the BIOS of the embedded system should prevent any loading of an unauthorized operating system.

There are two advantages to this approach. First, the execution code is authenticated by a private key accessible by the developer or owner of the key; no other source is possible and the code cannot be modified during delivery or on the embedded system. Second, the execution code is encrypted and cannot be easily reverse engineered by a hacker or a competitor.

Our CodeMeter technology provides this type of code protection at all levels of an embedded system where software components are running. The authentication process begins in the BIOS, which will only start an authorized operating system, continues through the loader in this operating system, which only accepts execution files of authorized programs, and extends up to these programs, which can load only authorized dynamic extensions such as applets or dynamic libraries. This code integrity protection is based on sealed code, which cannot be modified at the file level, and which is verified by a private/public key scheme. All components (BIOS, operating system, optional loader, application and applets) can come from different development departments or companies. Dynamic updates of any component are possible as long as the updated code is authorized as well. It is also possible to remotely update, extend or remove the required keys in a secure manner.
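A generic sketch of the staged check described above, added here as an example and not CodeMeter's implementation: each stage is verified against an authorized vendor key before it starts, an update sealed with an authorized key boots, and key changes are accepted only when signed by a key-management key. The stage names, the use of Ed25519, and the Device, Seal and ApplyKeyUpdate names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Component is one sealed stage: its image plus the vendor's signature.
type Component struct {
	Name       string
	Image, Sig []byte
}

// Device holds one authorized vendor key per stage plus the key-management key.
type Device struct {
	AdminPub ed25519.PublicKey
	Keys     map[string]ed25519.PublicKey
}

// signedBody binds a stage name to the signed bytes, so a signature made for
// one stage cannot be presented for another.
func signedBody(stage string, payload []byte) []byte {
	return append([]byte(stage+"\x00"), payload...)
}

func Seal(priv ed25519.PrivateKey, name string, image []byte) Component {
	return Component{Name: name, Image: image, Sig: ed25519.Sign(priv, signedBody(name, image))}
}

// Boot verifies each stage before starting it and halts at the first failure.
func (d *Device) Boot(chain []Component) ([]string, error) {
	var started []string
	for _, c := range chain {
		pub, ok := d.Keys[c.Name]
		if !ok || !ed25519.Verify(pub, signedBody(c.Name, c.Image), c.Sig) {
			return started, fmt.Errorf("halt: %q is not authorized", c.Name)
		}
		started = append(started, c.Name)
	}
	return started, nil
}

// ApplyKeyUpdate replaces or (empty newKey) removes a stage key, only if the
// key-management key signed it. Replay protection (a signed counter) is omitted.
func (d *Device) ApplyKeyUpdate(stage string, newKey, sig []byte) error {
	if !ed25519.Verify(d.AdminPub, signedBody(stage, newKey), sig) {
		return errors.New("key update not signed by the key-management key")
	}
	if len(newKey) == 0 {
		delete(d.Keys, stage)
	} else if len(newKey) == ed25519.PublicKeySize {
		d.Keys[stage] = ed25519.PublicKey(newKey)
	} else {
		return errors.New("malformed key")
	}
	return nil
}

// Outcome counts the stages started in each constructed case.
type Outcome struct {
	Clean, Tampered, Updated, OldKeyAfterRotation, NewKeyAfterRotation, AppletKeyRemoved int
	ForgedKeyUpdateRejected bool
}

func RunDemo() Outcome {
	adminPub, adminPriv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{AdminPub: adminPub, Keys: map[string]ed25519.PublicKey{}}
	privs := map[string]ed25519.PrivateKey{}
	var chain []Component
	for _, s := range []string{"os", "loader", "app", "applet"} { // one vendor key per stage
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		dev.Keys[s], privs[s] = pub, priv
		chain = append(chain, Seal(priv, s, []byte(s+" v1, constructed image")))
	}
	started := func(c []Component) int { s, _ := dev.Boot(c); return len(s) }
	o := Outcome{Clean: started(chain)}
	tampered := append([]Component{}, chain...)
	tampered[2].Image = []byte("app v1, bytes modified after sealing")
	o.Tampered = started(tampered) // os and loader start, app is refused
	updated := append([]Component{}, chain...)
	updated[2] = Seal(privs["app"], "app", []byte("app v2, constructed image"))
	o.Updated = started(updated) // an update sealed with the authorized key boots

	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := ed25519.Sign(newPriv, signedBody("app", newPub)) // not the key-management key
	o.ForgedKeyUpdateRejected = dev.ApplyKeyUpdate("app", newPub, forged) != nil
	_ = dev.ApplyKeyUpdate("app", newPub, ed25519.Sign(adminPriv, signedBody("app", newPub)))
	o.OldKeyAfterRotation = started(updated) // app v2 was sealed with the replaced key
	updated[2] = Seal(newPriv, "app", []byte("app v3, constructed image"))
	o.NewKeyAfterRotation = started(updated)
	_ = dev.ApplyKeyUpdate("applet", nil, ed25519.Sign(adminPriv, signedBody("applet", nil)))
	o.AppletKeyRemoved = started(updated) // the applet no longer has an authorized key
	return o
}

func main() { fmt.Printf("%+v\n", RunDemo()) }
```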

I invite you to view a pre-recorded Webinar to see how CodeMeter enables the flexibility of secure code upgrades, which will be required in the ever evolving world of connected embedded systems, with the security of the closed, non-changeable, unconnected systems of today.

Access the recording now.

Topics: CodeMeter, Code Integrity, embedded security