Wibu-Systems Blog

Confusion aboundeth.

Posted by John Browne on Apr 5, 2011 6:01:00 AM

Here's a post full of misinformation and virtual drivel about preventing software piracy. One contention is that dongles are only used by ISVs to audit channel sales.

Let's be perfectly clear about all this: that is just dumb.

Dongles store keys securely. It's that simple. For some users, they are a significant convenience. Yes, I said convenience, not inconvenience. Think I'm nuts?

Imagine you are a music engineer who does sound at live concerts. You depend on audio processing software that runs on your MacBook Pro. Suppose you get to the concert and the computer's hard disk goes kerplooie. You have a backup laptop, but how to run the software on it? A typical activation (no dongle) scheme binds the software to the machine, making it impossible to install on two machines so you have a ready backup. The ISV doesn't want you to have it on multiple machines because you could run two copies instead of buying two copies. So the band is tuning up, the fans are firing up their Bic lighters, and you're hosed because you don't have software to run your board.

Enter the dongle: If the ISV stored the audio software's license on a dongle, you could install the software on as many computers as you want. What would they care? It won't run without the license, and the license is on the dongle. If one machine breaks down, you can just put your security dongle in another machine with the software already installed and off you go. Everything working fine. And the fans can hear "One of England's loudest bands."

Topics: dongles, CodeMeter, software copy protection

What is software piracy?

Posted by John Browne on Mar 7, 2011 12:50:00 PM

Software piracy can take a number of forms, intentional and unintentional. What normally comes to mind when you hear "software piracy" is hackers or crackers (more about that in a minute) doing something illegal. But it can also include people who inadvertently violate license agreements without knowing.

What are hackers and what are crackers? In discussions about piracy, you see both terms used interchangeably. People who "crack" the system an ISV uses to prevent copies are called "crackers." "Hackers," on the other hand, has traditionally been a term for people who break into corporate or government networks. Sometimes it's easier to just say hackers to lump together all the bad guys out there who try to do digital mischief.

So how do they do it? A common approach is to take a legitimate copy of, say, Windows or Photoshop, and create a cracked version by patching some DLLs so that the licensing code thinks it's running on a legal copy. Then that single version is propagated around the world courtesy of file sharing sites.

Software-based anti-piracy systems try to bind a single licensed copy of an application to a given machine. Sometimes it will allow you to install on a couple of computers. Typically this is done with fingerprinting: identifying some characteristics of the host computer that the software has to match to. For example, you can look at the MAC address, CPU serial number, hard disk serial number, and so on. When the software first installs it gathers these fingerprints; later when you start up the application it checks the machine fingerprints against the ones it originally installed on and decides if this is a legal copy or not.

Since people upgrade and replace computers, this scheme is flawed from the get-go. The ISV has to decide how stringent to be about matching hardware fingerprints on program load. If you have four values and only three match, do you go ahead and run, or do you throw up a dialog telling the user they have to check with the publisher before the software will run? CmAct lets you decide how many factors (out of four total) you need to match before running the application. So you can set it to be two of four; if any two match, the application will start.

These methods offer protection from casual theft but have a basic issue in that the fingerprint information has to come from the operating system. Contemporary operating systems do not let application code address hardware directly. If you want to know the serial number of the CPU, you use an OS system call to get it. That unfortunately makes the process somewhat vulnerable to spoofing: making the app think it's talking to the OS when it's not. And in that way many applications are cracked every day. Some of these are given away while some are sold as "real"--you can find them on various ecommerce stores online.
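The threshold decision described above, as an added Python example (not CmAct's or Wibu-Systems' code): four component values are enrolled as salted hashes at install time and a configurable number must still match at startup. The fourth component name, the salt and all sample values are assumptions; the `machine` dictionaries stand for whatever the OS queries return, which is exactly the input the check has to trust.

```python
import hashlib
import hmac

# Three components come from the post; "board_serial" is an assumed fourth.
COMPONENTS = ("mac_address", "cpu_serial", "disk_serial", "board_serial")

def _digest(salt: bytes, value: str) -> bytes:
    return hashlib.sha256(salt + value.encode()).digest()

def enroll(machine: dict, salt: bytes) -> dict:
    """At install time, keep a salted hash of each value, not the raw serial."""
    return {name: _digest(salt, machine[name]) for name in COMPONENTS}

def count_matches(enrolled: dict, machine: dict, salt: bytes) -> int:
    """Count components whose current value still matches the enrolled hash."""
    matches = 0
    for name in COMPONENTS:
        current = _digest(salt, machine.get(name, ""))
        if hmac.compare_digest(current, enrolled[name]):
            matches += 1
    return matches

def is_licensed(enrolled: dict, machine: dict, salt: bytes, required: int = 2) -> bool:
    """Run only if at least `required` of the four fingerprints match."""
    return count_matches(enrolled, machine, salt) >= required

# Constructed sample data: the install machine, the same machine after a disk
# and network card swap, and an unrelated machine.
SALT = b"constructed-per-license-salt"
INSTALLED = {"mac_address": "00:11:22:33:44:55", "cpu_serial": "CPU-A1",
             "disk_serial": "DSK-9001", "board_serial": "MB-77"}
UPGRADED = dict(INSTALLED, disk_serial="DSK-9002", mac_address="66:77:88:99:aa:bb")
OTHER = {"mac_address": "de:ad:be:ef:00:01", "cpu_serial": "CPU-Z9",
         "disk_serial": "DSK-0001", "board_serial": "MB-01"}
ENROLLED = enroll(INSTALLED, SALT)

if __name__ == "__main__":
    for label, machine in (("installed", INSTALLED), ("upgraded", UPGRADED), ("other", OTHER)):
        print(label, count_matches(ENROLLED, machine, SALT), is_licensed(ENROLLED, machine, SALT))
```

Raising `required` from 2 to 3 turns the upgraded machine into a support call, which is the stringency trade-off the ISV has to choose.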

Of course if you use a dongle it should be a lot harder to crack the protection code; in the case of applications protected correctly with CodeMeter they should be impossible to crack. You can find online sites advertising dongle "emulators" or "eliminators" and they are basically cracking sites. Some developers use their dongle in the weakest possible way: the application merely checks for the existence of a dongle and doesn't use it for key generation. This is incredibly easy to crack and is never recommended!
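The difference between a presence check and key generation, as an added Python example (not CodeMeter's API or protocol): in the weak design the payload ships in the clear behind one boolean, while in the key-bound design the payload is only recoverable with keys derived from the device's secret. The `Dongle` class, the label scheme and all values are hypothetical, and the SHA-256 keystream is a standard-library stand-in for AES.

```python
import hashlib
import hmac

class Dongle:
    """Stand-in for a hardware token whose secret never leaves the device."""
    def __init__(self, secret: bytes):
        self._secret = secret

    def is_present(self) -> bool:
        return True

    def derive(self, label: bytes) -> bytes:
        # The device computes with the secret and returns only the result.
        return hmac.new(self._secret, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # SHA-256 in counter mode: a stdlib stand-in for AES, for illustration only.
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def package(payload: bytes, dongle: Dongle, nonce: bytes):
    """Vendor side: encrypt and tag the payload under dongle-derived keys."""
    ciphertext = _xor_stream(dongle.derive(b"enc" + nonce), payload)
    tag = hmac.new(dongle.derive(b"mac" + nonce), ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag

def run_presence_only(payload: bytes, dongle: Dongle):
    """Weak design: payload ships in the clear, gated by one boolean."""
    return payload if dongle.is_present() else None

def run_key_bound(pkg, dongle: Dongle):
    """Stronger design: without the right secret the payload stays unreadable."""
    nonce, ciphertext, tag = pkg
    expected = hmac.new(dongle.derive(b"mac" + nonce), ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # fail closed: wrong or missing key material
    return _xor_stream(dongle.derive(b"enc" + nonce), ciphertext)

# Constructed sample values.
PAYLOAD = b"licensed feature code (constructed sample)"
GENUINE = Dongle(b"constructed-vendor-secret-0123456789abcdef")
WRONG = Dongle(b"device-without-the-vendor-secret")
PKG = package(PAYLOAD, GENUINE, b"constructed-nonce")
```

A device that answers `is_present()` but lacks the secret satisfies the first design and gets nothing from the second.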

Topics: dongles, CodeMeter, software copy protection, Anti-piracy, software piracy, CmAct, cracking, FAQ

If Fords Were Software

Posted by John Browne on Mar 3, 2011 6:50:00 AM

Imagine if every Ford car used the same physical key. It would be pretty easy to steal Fords. If you had a Ford key, you could drive off in any Ford you found. While this sounds crazy it’s not unheard of: some industrial equipment shares keys for convenience. For example, I happened to learn recently that all Kubota L series tractors use the exact same key. Since a would-be criminal stealing one of those tractors could only make his getaway at the blinding speed of about 12 mph, theft concerns are less of an issue.

Duplicate keys would be an issue for consumers, but less so for manufacturers. Now imagine anyone who wanted a new Ford could duplicate the exact car their neighbor had, for free! Imagine a dealership selling those bogus cars, rather than the “real” ones.

Sounds ridiculous, doesn’t it? Yet this is exactly what the software industry has been facing since the beginning of the PC era. PC software was easy to copy and distribute, compared to mainframe software, which usually required some direct customer support, making it harder for illegal copying to go undetected.

I remember clearly some of the earliest attempts to prevent illegal software piracy—very early versions required the user to insert the original floppy disk to run the software. If I remember correctly, there was a game that required you to use colored glasses to see hidden codes in the user manual. And I remember the absolute frustration when a perfectly legal copy of a product wouldn’t run because of a glitch in the anti-piracy paradigm.

In my opinion the new CodeMeter CmStick/C dongle eliminates the last objections to preventing piracy. It’s so tiny you can leave it connected to a laptop and never worry about it sticking out too far or getting damaged. You would only need one because it can store licenses from hundreds of ISVs. And it provides uncrackable levels of security.

What’s not to like?

Topics: dongles, CodeMeter, software copy protection, Anti-piracy, software piracy, Copy Protection

Engraving on CmStick/C

Posted by Kevin Browne on Mar 1, 2011 3:03:00 AM

Here you can see an actual CmStick/C with the laser engraving on it. The 2D barcode allows for inventory tracking systems at your customer's site. The serial numbers are automatically read out of the firmware and then engraved on the product.

CodeMeter CmStick/C showing engraving

Topics: dongles, CodeMeter, engraving, in production

Big and little dongles

Posted by John Browne on Feb 23, 2011 9:56:00 PM

Here's a nice comparison of the "old" CmStick against the new /C variant. Remember that they are functionally equivalent.

Standard USB CmStick compared to new tiny /C variant

Topics: dongles, CodeMeter, Wibu-Systems news, Corporate News


Posted by John Browne on Feb 21, 2011 10:45:00 AM

Our latest KEYnote features some of the manufacturing and test equipment we use to make our CmSticks, CmCards, and WibuBoxes. This machine reads the firmware to get the serial number of the chip, then engraves that serial number on the case. Frankly I think anodized aluminum is pretty sexy.

Robotic arm loads a WibuBox/U for engraving

Topics: dongles, Corporate News, in production

Smallest way to protect software from piracy

Posted by John Browne on Jan 29, 2011 8:43:00 AM

We just received yesterday our first prototypes of the new CodeMeter CmStick/C. I can't believe how small it is.

CmStickC- World's smallest copy protection dongle

The electronics are all in the USB connector and it even has two LEDs for status. These will be available in March 2011 in quantities.

Topics: dongles, CodeMeter, Wibu-Systems news, Anti-piracy, in production

Venture capital getting scarce; what to do?

Posted by John Browne on Jan 13, 2011 8:29:00 AM

Dow Jones reported yesterday that funding for venture funds hit a seven-year low in 2010, as more and more limited partners (LPs), scared by the poor returns over the last 10 years, looked elsewhere for their portfolios.

In the 90's the fad was to build your tech company with OPM (other people's money) and then cash out. VCs were practically throwing term sheets wrapped around a rock through corporate windows to get deal flow.

Those days are gone, probably forever. ISVs that are looking to grow their companies will have to find other sources of capital instead of spending their days wooing the ever-shrinking pool of venture capitalists.

What has this got to do with software protection and licensing? Consider that in 2009 (according to the BSA) over $50B of pirated software went into use. For the sake of argument, assume that half of that would never have been purchased legitimately. That still leaves $25,000,000,000 of lost revenue to ISVs. Try to get a check THAT big from your friendly neighborhood VC.

How can you get some of that? Simple:

  1. Introduce your product to high-risk foreign markets protected by a CodeMeter CmStick. This gives you complete security against piracy and opens up markets maybe you were reluctant to enter because of high piracy rates. China has lots of money, but also has high piracy rates. Entering the Chinese market with a CmStick-protected product opens up new revenue streams without interfering with your ability to sleep at night.
  2. Protect your products that are getting stolen now with a CodeMeter CmStick. For low-risk markets, use CodeMeterAct for software-based activations. This gives you a single method to license and protect your products with strong, scalable security against piracy.

Both of these methods will increase revenue due to lower piracy rates and simplified license management. Use the additional money for reinvestment into your company to grow without the dilution of outside investment.

For more information, request a free CodeMeter evaluation kit today!

Topics: dongles, CodeMeter, Anti-piracy, software piracy, Evangelism

What is software piracy?

Posted by John Browne on Jan 12, 2011 4:45:00 AM

Software piracy is the unauthorized duplication of programs such as operating systems, applications, and utilities. In 2009, 43% of all software globally was pirated. In China alone over $7 billion worth of software was stolen in 2009.

Piracy is often the result of organized criminal enterprises who crack copy-protection schemes and then manufacture counterfeit copies of commercial software. It can be very difficult for end-users to tell counterfeit software from legitimate copies.

Pirated software (also known as “cracked” software) can contain malware such as Trojan horses, bots, and keyboard loggers. The widespread use of peer-to-peer (P2P) file sharing such as BitTorrent sites has rapidly increased the distribution and availability of pirated software. Counterfeit software is sold via online auction sites, often to end users who are unaware that they are purchasing illegal and potentially dangerous software.

Software developers work diligently to prevent their software from illegal piracy. Systems such as code obfuscation or machine binding are popular but easily cracked by sophisticated pirates.

The only truly fool-proof method to prevent illegal piracy is through the same method that the US Government uses to protect its most valuable secrets: encryption. By encrypting the application program and its data, piracy can be prevented. CodeMeter uses AES 128-bit encryption to protect programs from piracy. A brute-force crack of CodeMeter’s encryption would require the pirate to find the one key that works in the approximately 340,000,000,000,000,000,000,000,000,000,000,000,000 (3.4 x 10^38) possibilities. CodeMeter’s strongest security comes when the private key data is stored in the CmStick—a Smart Card based dongle that is effectively uncrackable.

How do we know it's uncrackable? Because Wibu-Systems is the only software-protection company bold enough to offer crackers a large cash ($40,000) prize if they could crack CodeMeter. And, although many have tried, none has succeeded. Nevertheless, we know that the battle with crackers requires constant vigilance, which is why we continually update our protection methods as we find new exploits that crackers attempt to use.

Check out CodeMeter if you are looking for a great software anti-piracy solution or simply contact us.

Topics: dongles, CodeMeter, software copy protection, Anti-piracy, software piracy, Copy Protection, FAQ, mythbustin'

Not your Daddy's dongle

Posted by John Browne on Dec 14, 2010 9:00:00 AM

I hear a lot of confusion and misinformation out in the market about dongles these days. A lot of this is based on people's experiences in the 1980s with early dongles.

Here are some common myths about dongles and the actual facts:

1. Dongles are unreliable. Sure, the really cheap stuff might be, but CodeMeter has a failure rate that's so small we are happy to guarantee the dongle for life. I even drove over one in my Subaru and it still worked. I can't remember hearing about any that have failed in the field.

2. Dongle drivers are problematic. Good dongles don't use drivers--CodeMeter uses Windows services (or Mac or Linux depending on the OS) so no drivers are installed. Basically a CmStick looks like a flash drive to the OS. Since Microsoft estimates that half of all Windows crashes historically are due to buggy device drivers (produced by 3rd party hardware vendors) this is good. I would avoid dongles that require custom device drivers.

3. Dongles can be cracked. Hey, anything can be cracked, given enough time, computing power, and smarts. You can blow any safe with enough dynamite but is it worth it? The architecture of CodeMeter would require lots of dynamite--that is, significant time and energy to create a crack, and then it's a one-time crack only. No universal crack is possible due to the nature of the key exchange.

4. Dongles are a nuisance for users. Not really; they're not any more trouble than the ignition key you have for your car. Want to use the car? Put in the ignition key and turn it. And a dongle can do something your car keys can't: let you run your software on multiple computers (just not necessarily at the same time). So if a computer fails, you could already have the software installed on a backup machine, just waiting for you to insert the dongle and go. That's pretty handy if you're running factory floor automation software, or controlling the mix at a concert.

5. You can build your own dongle out of a cheap USB flash drive. Sure you can, but why? First of all, a "good" dongle isn't just a cheap USB flash drive. CodeMeter is a smart card chip, high-end memory controller, and a bunch of memory, all on a physical device (USB, SD, micro SD, CF, etc). And then there's the firmware. Unless your crypto skills can match our full-time rocket scientist cryptographer, don't even try. The crackers are miles ahead of you.

6. The API beats a wrapper hands down. Ok, not technically a dongle-related myth, but part of the story. Wrappers (or "envelopes") enclose an executable in some sort of protection scheme that can be unlocked only if the dongle is present. Some wrappers are worthless, leading to their bad reputation. Our wrapper (AxProtector) is a full encryption system that includes all the protection know-how we've amassed over 21 years. We update it all the time to make it stronger. Using it will guarantee you the strongest possible protection against piracy. I'll save a more detailed discussion of tools for another blog.

Got a dongle myth you want busted? Post a comment here.

Topics: dongles, CodeMeter, software copy protection, mythbustin', dongle drivers