Wibu-Systems Blog

Good Things Come in Small Packages

Posted by Terry Gaul on Oct 14, 2015 11:49:38 AM


The SD Association recently celebrated the 10th anniversary of the microSD™ Card. Founded in 2000 by Panasonic, SanDisk and Toshiba, the SD Association is a group dedicated to establishing SD standards and facilitating their adoption and development. In its Thought Leadership article, the Association shares interesting facts, including that the memory capacity of the microSD card increased 6,000 times during that 10-year period, with the latest version available to consumers today containing 200 gigabytes of storage.

Due to their tiny form factor, microSD cards have found their way into a growing list of devices that require expanded memory, from smartphones to wearable devices and many more. For Wibu-Systems, the microSD form factor is a perfect solution for protecting and licensing embedded systems and the next generation of IoT devices. Our CmCard/microSD contains an integrated smart card chip with approximately 384 kbytes of secure memory, available for storing more than 1,000 licenses and providing the full complement of CodeMeter security functions, including symmetric and asymmetric encryption, signatures, and the storage of X.509 certificates. At only 11 mm x 15 mm x 0.7 mm in size, the CmCard/microSD will fit in the tiniest of devices, providing both security and flexible licensing options in space-limited embedded systems and Industry 4.0 sensors.

Integrated security functionality and built-in SLC flash memory are standard features in all of our CmCard form factors that include µSD, SD, Compact Flash, and CFast cards along with optional SLC or MLC flash memory for our USB Sticks. The combination offers our customers many benefits:

  • Lower costs by combining functions on a single device
  • Industrial grade design for long life
  • Field upgradeability without any changes to hardware
  • Dedicated data partitions offer application flexibility, such as storage of highly sensitive data on mobile devices
  • Prevention of software piracy
  • Protection against counterfeiting
  • Additional security for gambling machines, ATMs or other devices frequently targeted for tampering and attacks

You can learn more technical details about our flash-equipped CmDongles in our latest whitepaper, CmDongle with Flash Memory in Practice. The document illustrates the technological alternatives, the modalities of use, the possible applications, and the commercial advantages of Wibu-Systems’ protection, licensing, and security devices.

The white paper specifically addresses:

  • The types of memory best suited to commercial and industrial purposes
  • The available partitions (encrypted, read-only, CD-ROM, and public areas)
  • The complete calculation concerning the Total Cost of Ownership
  • The advantages of a combination product
  • The benefits in terms of increased security
  • The versatility of the many form factors
  • Real-world customer applications

Download the whitepaper

Topics: dongles, CodeMeter, CmSticks

5 Reasons to Choose Software Copy Protection Dongles

Posted by John Poulson on Jan 29, 2013 9:55:00 AM

Dongles – The Historical “Bad Rap”

When describing software protection dongles in a 2007 article appearing in PC Magazine, John C. Dvorak, a well-respected (but self-described curmudgeon) and award-winning columnist, said, “The dongle was a mostly failed copy-protection device that came into existence in the 1980s. It was also a point of controversy…”

The controversy mentioned by Mr. Dvorak boiled down to (1) the rights of software publishers to get paid for their efforts and (2) the rights of users to use the software they legally purchased without the inconvenience associated with plugging in a hardware dongle.

Activation Codes – The Compromise

In an effort to address the concerns of their users, software publishers rolled out a scheme of activation codes, which bind a license to a PC. When companies like Microsoft and Adobe began requiring users to activate licenses, the practice became almost universal for software costing as little as $50. In essence, activation codes turn the whole PC into a “dongle”.

Dongles in the Twenty-first Century

It has been over five years since Mr. Dvorak’s comment. But more tellingly, it has been over twenty-five years since the first parallel port dongle appeared on a PC protecting the first CAD/CAM programs written for DOS.

Worldwide dongle sales have increased year over year since the late 1980s, and any computer technology that has been around that long must have merit. Such software copy protection technology should be seriously investigated by any software publisher tasked with protecting intellectual property, controlling software usage via licensing, and preventing profit erosion due to widespread illegal use of software titles. If you are tired of seeing “free” versions of your products posted on BitTorrent sites, read on.

Why End-Users Prefer Dongles

Considering all the technologies that have come and gone in the last twenty-five years, it’s remarkable that dongles are not only still with us but are still undergoing improvement in both function and design. There are some things that an end user can do with a dongle that cannot be done with an activation code. In a recent survey of users who had software installed protected with a dongle, the following were the top five reasons they preferred this method of license enforcement over activation codes.

  • License Portability – The license is on the dongle and is easily moved from one system to another.
  • License Recovery – The end user can self-restore a license to an existing or replacement dongle.
  • License Borrowing – Licenses can be lent out (to travelling engineers and salespeople, for example).
  • License Redundancy – Important in “Mission Critical” applications (e.g., hot and cold stand-by licenses).
  • License Security – Conscientious companies do not want employees or others using software illegally.

Software Activation via activation codes can offer end-users the ability to recover licenses. This usually involves communicating with the software developer and convincing them that you need to move your legally purchased software to your new PC. This can be time consuming and problematic, especially if the activation code is protecting a 25 user license on a server where the hard drive just failed.

Dongles v Activations – Why not have both?

The CodeMeter License Platform from Wibu-Systems offers an ISV the option to seamlessly protect a product with a dongle and/or activation code. Each method has its pros and cons. We leave it up to you, your sales team and your customers to choose which method is best.

John Poulson has worked in the software protection industry since 1988 and has been with Wibu-Systems since 2000. He is an expert in license authentication best practices and deep powder skiing.

Topics: CodeMeter, software copy protection, Copy Protection, dongles, software activation

Simplifying software license management

Posted by John Browne on Jun 28, 2012 11:22:00 AM

The world is flat

Thomas Friedman argues in his classic work that modern telecommunications makes global trade and competition a simple fact of modern life. And so you need flat earth software license management.

If you're an ISV your customers can be in Silicon Valley or Singapore. Brooklyn or Beijing. Utah or Ukraine. They might be companies you know and have done business with for years. People you know and trust. Or they might be someone you never heard of before. Someone who needs to earn your trust.

The sad fact is that there are bad people out there who will steal your software. The good news is with flat earth software license management, you can easily handle both the trusted and the (not-yet) trusted customers.

For customers you know and trust, CmActLicense is a perfect solution. Using a software-only solution, it binds to the PC it is installed on, preventing piracy but also preventing license portability. (More on that below). With SmartBind™ the number of times users have to reactivate after making small changes to their PC configuration is drastically reduced. All in all it's a great solution for trusted customers.

For those you haven't had a chance to know, you want maximum security. Here's where the genius behind CodeMeter really shines. You can easily decide--at the time of sale--which customers get their license on a CmDongle vs which ones can get CmActLicense. CmDongle provides best-in-class security while also allowing for license portability. This is critical in some industries where a failover solution is vital. In these cases, the customer should be allowed to install the software on a standby machine; if the primary machine fails, the license (on the CmDongle) is just moved to the standby machine.

What if the dongle fails? This is almost unheard of, but anything's possible (for instance, it could get lost or physically damaged). Here's how you handle that: Provide the customer a second CmDongle with a license using the Usage Period Product Item Option (PIO). If you set the Usage Period for 30 days, the license will be valid for 30 days from the first time it is accessed. That way the customer has business continuity with the backup dongle while you replace the one lost or damaged. And for extra security you can blacklist the one being replaced so it can never be used as a "free" license.

CmActLicense is really just a software emulation of CmDongle, virtually identical in all respects. Any API call you make to CmDongle will work equally well on CmActLicense. All the PIOs are available on both. So virtually no advance planning or effort is needed to take advantage of this great flexibility. The only real difference is in the binding; you have to install a license information file (*.wbb) on the customer's PC for CmActLicense to use. 

For those customers around the flat world who you want to use CmDongle, remember that we have offices globally where we can ship from. Say you want to sell your product to that customer in Beijing, but want the license to be protected by CmDongle. Importing that dongle into China can be difficult for you (lots of paperwork). We can ship it from our offices in Shanghai or Beijing to your customer, but all the invoicing and paperwork will happen here in the USA. Saves you some trouble.

Topics: CodeMeter, Anti-piracy, dongles, CmAct

Software protection dongles and embedded systems

Posted by John Browne on Jun 13, 2012 4:58:00 AM

There are plenty of reasons to use a software protection dongle even when you're running an embedded system. Some people believe that embedded systems are immune to piracy because the software has to be tied to a specific piece of equipment. 

Embedded system with CodeMeter software protection dongle

But piracy may not be the primary concern for embedded systems; theft of intellectual property is. Increasingly today the machine is only a tool; it's the IP that the machine uses that has huge value. After all, a competitor can take your machine apart and see how it works. From that information they can build a competitor, knock-off, or even possibly improve on it. However, the software that makes the machine really valuable is a different matter.

We're finding an increased interest in using CodeMeter as a protection device for IP--basically the customer uses a CmStick or CmCard with additional flash RAM and stores their IP on the RAM in encrypted form; only the presence of a valid license will decrypt it. Further, a password can be placed on the CodeMeter software protection dongle, preventing access in the event it falls into the wrong hands. That's two-factor authentication.

A typical use for this is commercial weaving systems that make polo-style shirts or tee shirts. The patterns and/or embroidery on those shirts may represent valuable IP (for example, the pattern to make a logo). Preventing the data from falling into the hands of counterfeiters makes it harder for fake shirts to be produced. In this case the CodeMeter software protection dongle can store not only the programs to drive the weaving machine but also the IP in the form of designs or logos.

Above is a picture of a Beckhoff CX1010 industrial PC with a CmStick (USB) and a separate CmCard (CF). This device can run either Windows Embedded or Windows CE.

Topics: dongles, software protection

Is strong authentication the killer app of the future?

Posted by John Browne on Mar 19, 2012 3:12:00 PM

Banks have been protecting money for years to avoid this:

Butch and Sundance had the right idea; they just went about it wrong. You can't blow the door off a bank vault with a few sticks of dynamite anymore, but you can apparently get the money out through a less noisy approach.

These days money of course is just bits and bytes and needs to be protected like any other bits and bytes. The banks have arguably done a much better job with their vaults and armored cars protecting the tree-derived variety than they have with the digital variety, since the big heists these days come via the Internet rather than a tunnel under the street.

The vaults of the future that protect bits and bytes--whether they represent money or something else like intellectual property--will be as ubiquitous as passwords are today. The familiar user name/password combination of today is like the old-fashioned skeleton key: it creates a sense of security, but it's not very strong security. Today no one would protect anything valuable with a lock that relied on a skeleton key, and in the future strong authentication will have long-since left the user name/password combo in the dust of antiquity.

One fundamental problem with user name/password is that it represents only one-factor authentication (in this case, something you know--that is, your password). Authentication that relies on a single factor is easy to break or steal: your car and house keys represent a single-factor authentication scheme and if someone grabs your keys they can steal your stuff. And as more seniors move to Internet banking, expect phishing and fraud to get worse before it gets better.

To get strong authentication, you need at least two factors (the Holy Grail of strong security is three-factor authentication: something you know, something you have, and something you do). CodeMeter can provide very strong two-factor authentication in the case of web access to sensitive data or web applications (like banking) via our CodeMeter Identity product.

To the standard challenge-response paradigm of a user name/password, CodeMeter Identity adds some crypto mojo that confirms to the server that it's actually talking to who it thinks it's talking to, not some impostor. Since there is some server-side code, it's virtually impossible to crack unless someone can get access to the server itself. And the client-side components can reside either in software like or even in a CmStick for maximum security and portability.

I really believe that we will carry these personal security devices in the not-too-distant future just like we carry around our smart phones and car keys today. The same device, of course, can not only protect the access to websites but also SaaS software and on-premise applications as well. Now if we could only get those jetpacks we were promised!

Topics: CodeMeter, Copy Protection, dongles, Uncategorized

Copy protection: dongles or activations?

Posted by John Browne on Jun 2, 2011 6:43:00 AM

Ok, let's assume you're tired of having your software ripped off and need some copy protection. Now what?

You could roll your own copy protection. On the surface it seems simple, but, as they say, the devil is in the details. Chances are, anything you can create yourself (in a reasonable amount of time) will be easy to crack. Maybe not by your college roommate, but by some nefarious hackers who do this all the time.

So you've (wisely) decided to turn to an outside supplier for your copy protection. But should you use dongles or activations?

Good question. Dongles are more secure and allow easy license portability, but they cost more and can conceivably get lost by the customer. One more thing to pay attention to. And what about drivers? Software activations seem easier (invisible, nothing to lose, no hardware to worry about, no drivers). But activations ultimately can't be quite as secure as a good dongle, and can create problems for users when they change out their computer or some components and now the machine binding in the software license no longer works.

We've all experienced this situation: you have a legal version of an application but you have to reinstall it and now it won't activate. You have to call Microsoft or Adobe or whomever and wait on a support phone queue forever and then try to convince someone you're not a license cheater. Their copy protection has worked for them but made your life miserable.

We have a new feature--just released in CodeMeter 4.30--that we call "smart binding." It reduces the run/don't run question to an algorithmic analysis of the state of the computer. For example, some hard drives change their serial number--at least what the OS reports as the HD SN changes randomly. Why? Who knows? But if your binding scheme is tied to the HD SN, you're going to have a customer who's calling constantly for a reactivation. So our smart binding looks at a bunch of stuff--you decide if you want normal, strict, or loose binding enforcement and it does the rest. Over time we expect this will result in fewer false negatives.
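The difference between binding to one hardware value and tolerant binding, as an added Python illustration; this is not Wibu-Systems' SmartBind algorithm, whose details are not published on this page. The attribute names, weights, thresholds and sample machines are assumptions constructed for the example.

```python
import hashlib
import hmac

# Hypothetical weights: components that rarely change count for more.
WEIGHTS = {
    "cpu_id": 3,
    "board_serial": 3,
    "disk_serial": 2,
    "mac_address": 1,
    "os_install_id": 1,
}
# Hypothetical enforcement levels: fraction of enrolled weight that must match.
THRESHOLDS = {"strict": 1.0, "normal": 0.7, "loose": 0.5}


def _digest(salt: bytes, name: str, value: str) -> str:
    """Keyed hash, so the stored record does not expose raw hardware IDs."""
    return hmac.new(salt, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def enroll(attrs: dict, salt: bytes) -> dict:
    """At activation time, record one digest per known attribute."""
    return {n: _digest(salt, n, v) for n, v in attrs.items() if n in WEIGHTS}


def match_score(record: dict, attrs: dict, salt: bytes) -> float:
    """Weighted share of enrolled attributes that still match (0.0 to 1.0)."""
    total = sum(WEIGHTS[n] for n in record)
    if total == 0:
        return 0.0  # an empty record never validates
    matched = sum(
        WEIGHTS[n]
        for n, stored in record.items()
        if n in attrs and hmac.compare_digest(stored, _digest(salt, n, attrs[n]))
    )
    return matched / total


def bound_to_disk_only(record: dict, attrs: dict, salt: bytes) -> bool:
    """The brittle scheme: the license lives or dies with one serial number."""
    stored, current = record.get("disk_serial"), attrs.get("disk_serial")
    if stored is None or current is None:
        return False
    return hmac.compare_digest(stored, _digest(salt, "disk_serial", current))


def license_valid(record: dict, attrs: dict, salt: bytes, level: str = "normal") -> bool:
    """Tolerant scheme: enough of the machine must still look the same."""
    return match_score(record, attrs, salt) >= THRESHOLDS[level]


# Constructed sample data (not real hardware identifiers).
SALT = b"constructed-per-license-salt"
ACTIVATED = {
    "cpu_id": "CPU-A1", "board_serial": "MB-77", "disk_serial": "HD-1001",
    "mac_address": "02:00:00:00:00:01", "os_install_id": "OS-5",
}
# Same PC, but the OS now reports a different disk serial number.
DISK_RENUMBERED = dict(ACTIVATED, disk_serial="HD-9999")
# Same CPU and board, but disk, network card and OS install all changed.
MAJOR_CHANGE = dict(DISK_RENUMBERED, mac_address="02:00:00:00:00:02",
                    os_install_id="OS-6")
# A different PC: nothing matches.
OTHER_MACHINE = {
    "cpu_id": "CPU-Z9", "board_serial": "MB-01", "disk_serial": "HD-4242",
    "mac_address": "02:00:00:00:00:09", "os_install_id": "OS-8",
}
RECORD = enroll(ACTIVATED, SALT)

if __name__ == "__main__":
    for label, machine in [("disk renumbered", DISK_RENUMBERED),
                           ("major change", MAJOR_CHANGE),
                           ("other machine", OTHER_MACHINE)]:
        print(label, bound_to_disk_only(RECORD, machine, SALT),
              {lvl: license_valid(RECORD, machine, SALT, lvl) for lvl in THRESHOLDS})
```
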

Activations are perfect for trial versions. You can set the binding scheme to "None" and it won't be limited to running on a single PC. Of course, if your trial is fully functional, you need to set the expiration time or limit the number of starts.

A hybrid scheme combining dongles and activations may be perfect. If you use CodeMeter, you can decide at the time of licensing whether you want to ship a dongle or an activation (CmAct license). Suppose you have a big, important customer, and it happens to be one you trust completely. But they don't want dongles. You can send them CmAct-protected versions. You have another customer in China (not to bash PRC, but stating that IP gets ripped off there is like saying it occasionally rains in Seattle). Send them CmSticks and get a full night's sleep--they're not going to be cracking your code any time soon.

Finally, here's something only a dongle can do: you can put the app, all the data, the protection, and yes, even an OS, on the dongle. We've got customers who do this. Insert memory USB CmStick (or compact flash or SD card), fire up computer, and away you go. Nothing need be installed on the actual PC.

Topics: CodeMeter, software copy protection, Copy Protection, Anti-piracy, dongles

Copy protection dongle myths redux

Posted by John Browne on May 9, 2011 2:08:00 PM

Myth #1: Dongles are a problem for users because of driver issues.

Reality: Wibu-Systems has a patent on a driverless dongle. Doh! No driver, no hassle. How do we do it? We look exactly like a flash drive to Windows, which has had native support for these devices since, oh, Windows XP or so. Since bad device drivers are responsible for at least 50% of all Windows BSODs, eliminating the driver basically eliminates the problem for the end user.

So if your dongles have been causing problems, or if you want a driverless dongle, step up to CodeMeter. You'll also get the best protection known on the planet.

Topics: CodeMeter, software copy protection, Copy Protection, dongles

Announcing CodeMeter 4.30

Posted by John Browne on Apr 28, 2011 12:57:00 PM

This week we released CodeMeter® 4.30 and AxProtector 7.11 on all platforms to improve your software protection, including Win 32 and 64, Mac OS, Linux, and more. There is a ton of new stuff in these two components, so I urge you to download the updates to our SDK and try them out. Some highlights:

  • Maintenance Periods: I wrote about these in my post "A Unique Solution for License Management" but now they are real with this release. It does require a minimum CmStick firmware of 1.18 or better (1.18 is the current version). Maintenance Periods can save you money because (among other reasons) you can ship software without doing license updates to the key.
  • SmartBind™ is an improvement (for those of you who want to use activations for software protection and licensing) over how CmAct figures out whether the PC it's bound to is the right one or not. We now use heuristics to calculate an internal value and you can merely set parameters of "tight, medium, or loose". We'll have a bit more explanation of this later but some of the details we will understandably keep under our hats so crackers can't get a leg up.
  • The runtime now supports the CmStick /C and /T variants. The Compact version (/C) is now available in quantities (subject to backorder, however, since demand has exceeded our expectations) and in eight colors. More pics coming soon.
  • We now have full support for protecting Microsoft Silverlight apps. Our goal is copy protection on all popular platforms.
  • We now support Linux on PowerPC processors.

Read more about this release here.

Topics: CodeMeter, AxProtector, dongles, Corporate News

How to pick a software protection system

Posted by John Browne on Apr 7, 2011 6:00:00 AM

Recently I was asked by a developer about picking a license management/software protection system for .NET. Microsoft's popular platform for app development, .NET, is easy to reverse engineer unless you use strong security. Our solution has been proven uncrackable multiple times. A software-only solution is always going to be more affordable than a solution using a dongle, but a solution using a security dongle can be completely protected against all attacks.

It's crazy to me how many developers want to roll their own licensing system. I talked to someone recently who uses a dongle to encrypt a serial number. That is SO easy to crack, it's just nuts. It's like leaving a convertible in the street with the top down and the doors locked. Hello?

We're not the only copy protection tools vendor. If you want to protect your .NET code, you need to get SDKs/eval units, do plenty of research and testing, and determine what works best for you. Some criteria you might want to consider:

  1. Do you want to target any platforms other than .NET? Linux, Mac, ??
  2. Do you want to be able to provide easy activation in low-risk markets and stronger security in higher-risk markets?
  3. What pricing/business models interest you? You should be able to, at a minimum, support pay per use, pay per time (subscription), pay per user, concurrent licensing, and network licensing. Even better is pay use/feature/module.
  4. Do you want a demo or trial unit for marketing purposes?
  5. Do you want to enable use under VMs without having your license scheme subverted?
  6. Do you need any special physical requirements for a hardware device (unusual form factors, additional flash RAM, environmental ruggedness, etc)?
  7. Where can you get support from?
  8. Where do they ship from?
  9. What are minimum order quantities?
  10. Are there annual fees you have to pay, or is it pay as you go?
  11. How robust and complete are their software tools?
  12. How do you create and program licenses with their tools? Are licenses field-updatable? Are dongles field-updatable?
  13. If you are looking at a dongle, does it require a driver? Who supports your end-user for dongle issues, if any? What is the warranty on the hardware? What OS/versions does the vendor support?

The more I talk to developers the more I realize they are frequently unaware of a) issues around license management/copy protection and b) what tools are already available to solve these problems. There's a lot of misinformation out there (more about this in a future post). There's also a lot of downright hostility towards people who don't want to give away all their hard work. (I admire the open source community, but there are plenty of cases where open source just doesn't make sense.)

Ever discovered something that looked simple on the outside and was hideously complex under the hood (like, say, organic chemistry)? Copy protection is like this. If you had any idea how easy most stuff is to crack, or how much work we've invested in making our solution robust, you'd never dream of doing it yourself.

Topics: CodeMeter, software copy protection, License Management, Copy Protection, dongles, software piracy, tools, FAQ

Wait to the last minute, then panic

Posted by John Browne on Apr 5, 2011 7:05:00 AM

This post questions why developers can't estimate time. Nice discussion. In the over 30 years I've been working on software projects, I've seen few ship on schedule. Unless the "schedule" is the one set 5 minutes before the actual release. Those dates are pretty accurate.

A not-all-that-uncommon call we get here sounds something like this:

Developer: Hello, Wibu? Hi, I need a dongle. Our code is ready to ship and we just need to bolt on some copy protection and license management.

Me: What exactly do you mean by "bolt on"?

Dev: We've implemented our own system, we just need to get the serial number of the dongle and read it back to the application.

Me: Hmmm, you can certainly do that, but you DO know that it can be cracked in like, oh, 10 seconds, right? (Briefly explains CodeMeter)

Dev: Well, that sounds good, but we already implemented this in source code and we're READY TO SHIP. Except for the license thingy.

Me: Sigh.

Imagine if you're building a house and the contractor comes to you and says something like, "Well, we're ready for you to move in as soon as we figure out how to get running water to all the sinks and toilets. I think we're gonna tie garden hoses around the house, drill holes in the outside walls, and snake them in through the holes..."
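Why reading a serial number back proves so little, next to the challenge-response approach with a server-side verifier mentioned in the strong-authentication post, as an added Python example; it is not CodeMeter code or its API. The class names, the HMAC-SHA256 construction and the sample serial are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets


class Token:
    """Stand-in for a hardware token: the key never leaves this object."""

    def __init__(self, serial: str, key: bytes):
        self.serial = serial
        self._key = key

    def read_serial(self) -> str:
        return self.serial

    def respond(self, challenge: bytes) -> bytes:
        # The token proves possession of the key without revealing it.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class ReplayDevice:
    """Test double with no key: it can only repeat values seen earlier."""

    def __init__(self, serial: str, recorded_response: bytes):
        self._serial = serial
        self._recorded_response = recorded_response

    def read_serial(self) -> str:
        return self._serial

    def respond(self, challenge: bytes) -> bytes:
        return self._recorded_response  # stale answer to an old challenge


def serial_check(device, expected_serial: str) -> bool:
    """The 'bolt-on' check: a fixed value, identical on every run."""
    return hmac.compare_digest(device.read_serial(), expected_serial)


def challenge_response_check(device, server_key: bytes) -> bool:
    """Server-side check: a fresh random challenge for every attempt."""
    challenge = secrets.token_bytes(32)
    expected = hmac.new(server_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(device.respond(challenge), expected)


def demo() -> dict:
    serial = "0-0000001"            # constructed sample serial
    key = secrets.token_bytes(32)   # shared by the token and the server only
    genuine = Token(serial, key)
    # One earlier session observed on the wire: the serial and one response.
    observed = genuine.respond(secrets.token_bytes(32))
    replay = ReplayDevice(genuine.read_serial(), observed)
    return {
        "serial_genuine": serial_check(genuine, serial),
        "serial_replay": serial_check(replay, serial),
        "cr_genuine": challenge_response_check(genuine, key),
        "cr_replay": challenge_response_check(replay, key),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier key in this sketch sits on a server; a check compiled into the shipped application would need a design in which the application holds no secret, for example verifying a signature with a public key.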

Some recommendations for best practices:

  1. Include product marketing in the design and planning stages before coding. Adding requirements for how you want to package, market, and yes, license the software is important. You need to Design to Sell.
  2. During the design/architecture phase, make your outside dependency decisions so you know what degrees of freedom you actually have. If you're going to use CodeMeter, you don't need to do any API-level implementation, but you CAN, in order to gain certain flexibility. It's nice to know that up front before you are at code complete.
  3. Find out from support what activation and licensing problems users have experienced on prior releases. Make sure your solution addresses these issues.
  4. Get the sales team bought in. Could be that they have an opportunity to make some sales if you had a different licensing model. For example, they might be able to lease a product if you supported that. Or maybe a subscription could gain some traction in a key account rather than a perpetual license due to customer cash flow concerns. Point is, you won't know if you don't ask them. Again: Design to Sell.

Waiting to the last minute to plan and implement license management may be common, but so is missing your dates. The first will almost guarantee the second.

Topics: CodeMeter, software copy protection, License Management, dongles, sales, Software Development