Wibu-Systems Blog

How to pick a software protection system

Posted by John Browne on Apr 7, 2011 6:00:00 AM

Recently I was asked by a developer about picking a license management/software protection system for .NET. Microsoft's popular app development platform, .NET, compiles to intermediate language with rich metadata, so assemblies are easy to decompile and reverse engineer unless you add strong protection. Our solution has held up against repeated public cracking attempts. A software-only solution is always going to be more affordable than one built around a dongle, but a solution using a security dongle can defend against attacks that software alone cannot, because the secret key never has to live on the machine the attacker controls.

It's crazy to me how many developers want to roll their own licensing system. I talked to someone recently who uses a dongle to encrypt a serial number. That is SO easy to crack, it's just nuts. It's like leaving a convertible in the street with the top down and the doors locked. Hello?

We're not the only copy protection tools vendor. If you want to protect your .NET code, you need to get SDKs/eval units, do plenty of research and testing, and determine what works best for you. Some criteria you might want to consider:

  1. Do you want to target any platforms other than .NET? Linux, Mac, something else?
  2. Do you want to be able to provide easy activation in low-risk markets and stronger security in higher-risk markets?
  3. What pricing/business models interest you? You should be able to, at a minimum, support pay per use, pay per time (subscription), pay per user, concurrent licensing, and network licensing. Even better is pay per feature or module.
  4. Do you want a demo or trial unit for marketing purposes?
  5. Do you want to allow use under VMs without having your license scheme subverted? (A VM can report whatever hardware identifiers its owner chooses, which is exactly what machine binding relies on.)
  6. Do you need any special physical requirements for a hardware device (unusual form factors, additional flash storage, environmental ruggedness, etc.)?
  7. Where can you get support from?
  8. Where do they ship from?
  9. What are minimum order quantities?
  10. Are there annual fees you have to pay, or is it pay as you go?
  11. How robust and complete are their software tools?
  12. How do you create and program licenses with their tools? Are licenses field-updatable? Are dongles field-updatable?
  13. If you are looking at a dongle, does it require a driver? Who supports your end-user for dongle issues, if any? What is the warranty on the hardware? What OS/versions does the vendor support?

The more I talk to developers the more I realize they are frequently unaware of a) issues around license management/copy protection and b) what tools are already available to solve these problems. There's a lot of mis-information out there (more about this in a future post). There's also a lot of downright hostility towards people who don't want to give away all their hard work. (I admire the open source community, but there are plenty of cases where open source just doesn't make sense.)

Ever discovered something that looked simple on the outside and was hideously complex under the hood (like, say, organic chemistry)? Copy protection is like this. If you had any idea how easy most stuff is to crack, or how much work we've invested in making our solution robust, you'd never dream of doing it yourself.

Topics: CodeMeter, software copy protection, License Management, Copy Protection, dongles, software piracy, tools, FAQ

What is software piracy?

Posted by John Browne on Mar 7, 2011 12:50:00 PM

Software piracy can take a number of forms, intentional and unintentional. What normally comes to mind when you hear "software piracy" is hackers or crackers (more about that in a minute) doing something illegal. But it can also include people who inadvertently violate license agreements without knowing it.

What are hackers and what are crackers? In discussions about piracy, you see both terms used interchangeably. People who "crack" the system an ISV uses to prevent copies are called "crackers." "Hacker," on the other hand, has traditionally been used in the press to refer to people who break into corporate or government networks. Sometimes it's easier to just say "hackers" to lump together all the bad guys out there who try to do digital mischief.

So how do they do it? A common approach is to take a legitimate copy of, say, Windows or Photoshop, and create a cracked version by patching the executable or some of its DLLs (often nothing more than the conditional jump after the license check) so that the licensing code thinks it's running on a legal copy. Then that single cracked version is propagated around the world courtesy of file sharing sites.

Software-based anti-piracy systems try to bind a single licensed copy of an application to a given machine. Sometimes they allow installation on a couple of computers. Typically this is done with fingerprinting: identifying characteristics of the host computer that the software has to match. For example, you can look at the MAC address, CPU serial number, hard disk serial number, and so on. When the software first installs it gathers these fingerprints; later, when you start the application, it checks the machine's current fingerprints against the ones recorded at installation and decides whether this is a legal copy.

Since people upgrade and replace computers, this scheme is flawed from the get-go. The ISV has to decide how stringent to be about matching hardware fingerprints on program load. If you have four values and only three match, do you go ahead and run, or do you throw up a dialog telling the user they have to check with the publisher before the software will run? CmAct lets you decide how many factors (out of four total) have to match before the application runs. So you can set it to two of four; if any two match, the application will start. The lower the threshold, the fewer legitimate users you turn away after a hardware change, but also the fewer identifiers an attacker has to clone to pass.

These methods offer protection from casual theft but have a basic issue: the fingerprint information has to come from the operating system. Contemporary operating systems do not let application code address hardware directly. If you want to know the serial number of the CPU, you make an OS system call to get it. That unfortunately makes the process vulnerable to spoofing: hooking or replacing those calls (or running inside a virtual machine that reports whatever identifiers the attacker chooses) so the app thinks it's talking to the OS when it's not. Many applications are cracked this way every day. Some of these are given away while some are sold as "real"; you can find them on various ecommerce stores online.
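Here is what that two-of-four rule looks like in code. This is an added example written for this page, not CmAct's implementation or any Wibu-Systems code; the factor names, the keyed-hash storage and the sample identifier values are all constructed assumptions. It also shows the trade-off the two paragraphs above describe: the same threshold that tolerates a replaced disk and network card also lets through an attacker who spoofs just two OS-reported values.

```python
import hashlib
import hmac

# Host characteristics to fingerprint. The post names MAC, CPU serial and
# disk serial; the fourth is assumed here and is not CmAct's actual factor list.
FACTORS = ("mac", "cpu_serial", "disk_serial", "bios_uuid")


def _factor_digest(secret: bytes, name: str, value: str) -> str:
    """Keyed hash of one identifier, so the stored fingerprint does not
    expose the raw hardware values it was taken from."""
    return hmac.new(secret, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def enroll(secret: bytes, identifiers: dict) -> dict:
    """First install: record a digest for every factor (missing ones count as empty)."""
    return {name: _factor_digest(secret, name, identifiers.get(name, ""))
            for name in FACTORS}


def matching_factors(secret: bytes, enrolled: dict, current: dict) -> list:
    """Names of the factors whose current value still matches the enrolled digest."""
    return [name for name in FACTORS
            if hmac.compare_digest(enrolled[name],
                                   _factor_digest(secret, name, current.get(name, "")))]


def license_allows(secret: bytes, enrolled: dict, current: dict, threshold: int = 2) -> bool:
    """The k-of-n rule from the post: run if at least `threshold` factors match."""
    if not 1 <= threshold <= len(FACTORS):
        raise ValueError("threshold must be between 1 and %d" % len(FACTORS))
    return len(matching_factors(secret, enrolled, current)) >= threshold


# Constructed sample data: a per-product key and the values the OS reported
# on the machine the license was first activated on.
SECRET = b"per-product fingerprint key, constructed for this example"
ORIGINAL = {
    "mac": "00:1a:2b:3c:4d:5e",
    "cpu_serial": "BFEBFBFF000906EA",
    "disk_serial": "WD-WCC4E1234567",
    "bios_uuid": "4c4c4544-0042-3510-8052-b4c04f4a5a31",
}


def scenarios(threshold: int = 2) -> dict:
    """Evaluate the same enrolled fingerprint against several later machines.
    Returns {label: (number of matching factors, allowed?)}."""
    enrolled = enroll(SECRET, ORIGINAL)
    disk_replaced = dict(ORIGINAL, disk_serial="S3Z9NB0K765432")
    disk_and_nic_replaced = dict(disk_replaced, mac="a4:5e:60:aa:bb:cc")
    fresh_machine = {
        "mac": "08:00:27:11:22:33",
        "cpu_serial": "178BFBFF00800F82",
        "disk_serial": "ST1000LM035-9ZZ",
        "bios_uuid": "2b7a2d3e-1d4c-4b8a-9f1e-0a1b2c3d4e5f",
    }
    # The weak spot: every value above comes from OS calls, so an attacker who
    # spoofs just two of them (a hooked API or a VM) passes a 2-of-4 rule.
    cloned_two = dict(fresh_machine, mac=ORIGINAL["mac"],
                      disk_serial=ORIGINAL["disk_serial"])
    cases = {
        "original": ORIGINAL,
        "disk_replaced": disk_replaced,
        "disk_and_nic_replaced": disk_and_nic_replaced,
        "fresh_machine": fresh_machine,
        "cloned_two": cloned_two,
    }
    return {label: (len(matching_factors(SECRET, enrolled, host)),
                    license_allows(SECRET, enrolled, host, threshold))
            for label, host in cases.items()}


if __name__ == "__main__":
    for label, (matched, allowed) in scenarios().items():
        print(f"{label:24s} {matched}/4 match  ->  {'runs' if allowed else 'blocked'}")
```

Run it with the default threshold and the replaced-disk, replaced-disk-and-NIC and cloned-two cases all start; raise the threshold to three and the last two are blocked, which is exactly the support-calls-versus-clone-resistance dial the text describes.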

Of course if you use a dongle it should be a lot harder to crack the protection code; in the case of applications protected correctly with CodeMeter they should be impossible to crack. You can find online sites advertising dongle "emulators" or "eliminators"; they are basically cracking sites. Some developers use their dongle in the weakest possible way: the application merely checks for the existence of a dongle and never uses it for key generation or decryption. That check is a single conditional branch, so it is incredibly easy to patch out, and it is never recommended!

Topics: CodeMeter, software copy protection, Anti-piracy, dongles, software piracy, FAQ, cracking, CmAct

What is software piracy?

Posted by John Browne on Jan 12, 2011 4:45:00 AM

Software piracy is the unauthorized duplication of programs such as operating systems, applications, and utilities. In 2009, 43% of all software globally was pirated. In China alone over $7 billion worth of software was stolen in 2009.

Piracy is often the result of organized criminal enterprises who crack copy-protection schemes and then manufacture counterfeit copies of commercial software. It can be very difficult for end-users to tell counterfeit software from legitimate copies.

Pirated software (also known as "cracked" software) can contain malware such as Trojan horses, bots, and keyloggers. The widespread use of peer-to-peer (P2P) file sharing such as BitTorrent sites has rapidly increased the distribution and availability of pirated software. Counterfeit software is sold via online auction sites, often to end users who are unaware that they are purchasing illegal and potentially dangerous software.

Software developers work diligently to prevent piracy of their software. Systems such as code obfuscation or machine binding are popular but easily cracked by sophisticated pirates.

The only truly fool-proof method to prevent illegal piracy is the same method the US Government uses to protect its most valuable secrets: encryption. By encrypting the application program and its data, piracy can be prevented. CodeMeter uses AES 128-bit encryption to protect programs from piracy. A brute-force crack of CodeMeter's encryption would require the pirate to find the one key that works among approximately 340,000,000,000,000,000,000,000,000,000,000,000,000 (2^128, about 3.4 x 10^38) possibilities. Brute force is only the attacker's problem if the key is actually out of reach, though: a key that sits in a file on the host can simply be copied, and then no guessing is needed at all. That is why CodeMeter's strongest security comes when the secret key material is stored in the CmStick, a smart-card-based dongle that is effectively uncrackable.

How do we know it's uncrackable? Because Wibu-Systems is the only software-protection company bold enough to offer crackers a large cash prize ($40,000) for cracking CodeMeter. And although many have tried, none has succeeded. Nevertheless, we know that the battle with crackers requires constant vigilance, which is why we continually update our protection methods as we find new attack techniques that crackers attempt to use.

Check out CodeMeter if you are looking for a great software anti-piracy solution or simply contact us.

Topics: CodeMeter, software copy protection, Copy Protection, Anti-piracy, dongles, software piracy, FAQ, mythbustin'

Why lock software?

Posted by John Browne on Dec 21, 2010 11:29:00 AM

I keep my car locked and use a key to unlock it. The same key allows it to start and run. It probably wouldn't last long parked downtown if it didn't need a key to drive it away.

My house has a key; so does my mailbox. People lock their cars, boats, airplanes, houses, safe-deposit boxes, storage lockers, bathroom doors, gun cabinets, gym lockers, even suitcases. My computer has a lock so when I'm not around no one can snoop on it. I've seen keys on band saws, lawn mowers, tractors, and backhoes.

So why all the fuss about locking software?

Locking programs or data is easy: you just encrypt it. We all use encryption all the time, we just don't think about it. Anytime your browser says "https" instead of plain old "http" you're running an encrypted session. When you encrypt software, it can't be run without decryption, and the only way to decrypt is with the right key.

The key can be stored in a file on your computer, or in a separate device (usually called a dongle). Dongles are inherently more secure for key storage than files tied to a machine fingerprint (machine binding): a file lives on a machine the attacker fully controls and can be copied or read out with a debugger, while a smart-card-based dongle is built to keep the key inside the device and hand out only the results of operations you ask it to perform.

AxProtector from Wibu-Systems can encrypt an executable (lock it) in just a couple of minutes. You don't need to make any source code changes. And then that executable is completely useless without the right key. Just like my car is merely a roadblock without the right key.
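To make the difference concrete, here is a stdlib-only Python sketch of both ways of using a dongle: the weak presence check the piracy post above warns against, and the approach that post and this one describe, where the program ships encrypted and the only way to obtain the key is to ask the device. This is an added example written for this page, not CodeMeter or AxProtector code and not a description of their internals; the SimulatedDongle class, the challenge/response key derivation, and the HMAC-SHA256 counter-mode keystream (standing in for AES-128 because the Python standard library has no AES) are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the protected program's code; in practice this
# would be the executable's code sections.
PROGRAM = b"\x55\x48\x89\xe5" + b"hello, licensed world " * 3


class SimulatedDongle:
    """Software stand-in for the hardware token. The secret never leaves the
    object; the host only ever sees challenge/response pairs."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


# --- Weak use of a dongle: the program only asks "are you there?" ------------

def weak_launch(present: bool) -> bytes:
    """The program ships in the clear; one boolean gates it."""
    if not present:
        raise PermissionError("no dongle")
    return PROGRAM


def cracked_weak_launch() -> bytes:
    """What a cracker does: flip the conditional jump. The dongle is irrelevant."""
    return weak_launch(True)


# --- Strong use: the key comes out of the dongle and the code stays encrypted

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode, a stdlib-only stand-in for the AES-128 the
    posts describe; the point of the example is where the key comes from."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def protect(program: bytes, vendor_dongle: SimulatedDongle) -> dict:
    """Build time, vendor side (the vendor knows the device secret, modelled
    here as having a dongle): derive the key from a random challenge, encrypt,
    and authenticate the ciphertext. Ship challenge, nonce, ciphertext and tag;
    the key itself is stored nowhere."""
    challenge = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    key = vendor_dongle.respond(challenge)
    ciphertext = _keystream_xor(key, nonce, program)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return {"challenge": challenge, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def launch(package: dict, dongle: SimulatedDongle) -> bytes:
    """Run time: only a dongle holding the right secret reproduces the key."""
    key = dongle.respond(package["challenge"])
    expected = hmac.new(key, package["nonce"] + package["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, package["tag"]):
        raise PermissionError("wrong or missing dongle: cannot derive the decryption key")
    return _keystream_xor(key, package["nonce"], package["ciphertext"])


def launch_with_patched_check(package: dict, dongle: SimulatedDongle) -> bytes:
    """What a cracker gets after NOP-ing the tag check: the XOR still runs,
    but with the wrong key, so the output is noise rather than the program."""
    key = dongle.respond(package["challenge"])
    return _keystream_xor(key, package["nonce"], package["ciphertext"])


def demo() -> dict:
    genuine = SimulatedDongle(b"device secret programmed at the factory (constructed)")
    emulator = SimulatedDongle(b"emulator without the real secret")
    package = protect(PROGRAM, genuine)
    try:
        launch(package, emulator)
        emulator_runs = True
    except PermissionError:
        emulator_runs = False
    return {
        "weak_check_bypassed": cracked_weak_launch() == PROGRAM,
        "genuine_dongle_runs": launch(package, genuine) == PROGRAM,
        "emulator_runs": emulator_runs,
        "patched_check_yields_program": launch_with_patched_check(package, emulator) == PROGRAM,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:30s} {value}")
```

The weak scheme falls to a one-byte patch because the dongle contributes nothing the program needs. In the strong scheme there is no check to patch: the program is ciphertext, and an emulator that does not hold the real secret cannot produce the key, so removing the tag check only turns an error into garbage. The caveat a practitioner should keep in mind is that at run time the derived key and the decrypted code do exist in host memory, which is why commercial products add further measures on top of this basic structure rather than stopping here.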

Topics: CodeMeter, software copy protection, AxProtector, FAQ, Evangelism