Wibu-Systems Blog

Software Licensing & Copy Protection – DIY or Buy?

Posted by Terry Gaul on Oct 3, 2013 8:01:00 AM

How do you protect your software gold?I stumbled upon an interesting Internet forum started by someone who posted the following question:

"As an ISV/software publisher, would you produce your own licensing/copy protection solution, or would you buy into a professional solution?"

Even though the discussion was started three years ago, I found the advice given by the participants is still very relevant today. Here a few of the comments I found interesting:

  • In general, time you spend developing and supporting your licensing system can be very steep, and it's non value add - it's taking time away from adding features and doing things your customers really want.
  • If you can fit your needs into an off the shelf system you are likely to be better off in the long run because they've already figured out that file permissions and encryption work differently on Windows XP Home than Windows Server 2008 or in Turkey or whatever. These aren't problems you want to take up your time.
  • There are some very good purchased systems. I'd recommend you seriously examine them before investing significantly in your own system. If you do invest in your own, have it be for a competitive advantage because it is going to occupy a sizable portion of your development budget if you're a small company, at least initially.
  • Your time is better spent making and marketing your product rather than wasting thousands of hours needed to make decent licensing in-house.
  • I would definitely consider using an off-the-shelf licensing product - developing a license scheme is not so easy and you are better off spending that time on developing your actual core product functionality.

And finally, one software developer pointed out that "To really build an unhackable system takes some serious cryptographic and application structure." What's more, hackers continuously find new and more devious ways to unravel your software, and if copy protection is not your core business, it would be extremely difficult to gain the expertise needed to truly protect your software.

This is where companies like Wibu-Systems come in to play. Software protection and license management is our passion and we've been at it for more than 25 years. In fact, it's all we do. We are on our fifth generation of CodeMeter, our secure software licensing and copy protection platform, that is used by leading software vendors around the world.

Webinar: Hackers Reverse Engineering Uncovered

Join Wibu for Hackers Reverse Engineering UncoveredAnd on Wednesday, October 9, 2013, at 10 a.m. EDT, we'll demonstrate best practices in software protection during a two-hour webinar, entitled Hackers Reverse Engineering Uncovered.  If you are an Independent Software Vendor or Embedded System Manufacturer, you know how important it is to protect your intellectual property and business assets. We'll discuss how you can outsmart the hackers and protect your software from unauthorized license duplication, code manipulation, and reverse engineering. Here are a few of the technical details we'll cover:

  • Software protection API calls in .NET
  • Usage of Authenticode signatures
  • Obfuscation techniques
  • Code encryption
  • Performance vs. paranoia: how to fine-tune your application
  • Integration of features-on-demand
  • Examples of traps to lock the license

I hope you can join us.

Register now for this free webinar

Topics: License Management, CodeMeter, Copy Protection

License Central 1.51 released

Posted by John Browne on Aug 7, 2012 2:23:00 PM

Just a quick note to tell you that we've released version 1.51 of CodeMeter License Central.

What's new:

Windows 8: this release completes our support for Windows 8 with the addition of CmActLicenses in the "supported OS" screen. 

License Central 1.51

So now you can use either CmDongle or CmActLicense for your Windows 8 applications with this release of CodeMeter License Central (it was possible earlier but you had to use CmBoxPgm to create the licenses and activation schemes). Notice also we have full support for Windows Server 2012. Now you can test creating licenses for your protected applicaitons using License Central with your beta or pre-release copies of the next Microsoft operating systems.

Individual License Activation: When you go to the depot and click on a ticket with multiple licenses, you can select which of those to activate if you don't want to activate all at once:

CodeMeter License Central

 

 

In addition to these improvements, we also fixed some bugs (yes, we have bugs too). You can see which ones by looking at the change log. As always, download the latest versions of CodeMeter software here.

Topics: License Management, CodeMeter, CodeMeter License Central

Secure Software Licensing Part 3

Posted by John Browne on Aug 2, 2012 3:42:00 AM

If you've been following along up to now you'll be familiar with what we mean by "software" and also "secure." That leaves perhaps the most mis-understood term, "licensing." Let's look at that today.

I have in my wallet a driver's license, which gives me the right to drive a car in those jurisdictions that recognize its validity (currently all of the United States and many other parts of the world). Along with that right is a restriction to obey the laws governing motor vehicle use. Right now my license says I can drive a non-commercial vehicle as long as I'm wearing my glasses but I can't ride a motorcycle anymore.Keyring

When you buy or sell software, you don't really get to "own" but instead you get a license that allows you to use it under the restrictions that are in place. These restrictions are usually spelled out in legalese in a document called an End User License Agreement or EULA. 

Now in a perfect world that document would be all we need to make sure no one violated our license agreements. But it's not a perfect world.

Besides, we want to have licensing rules that optimize our business model. So some of the licensing that might be interesting includes:

  • Pay per user: the most traditional style--each user pays for a license and they can use the software in perpetuity.
  • Pay per time (subscription): More normal with SaaS software, but with the right licensing system this is easy for desktop applications as well. 
  • Pooled or floating licenses (concurrency): You have a block of licenses (say 10 for example's sake) and they can be used by anyone on the network until all 10 are in use. The next person who wants one has to wait until a license is freed up by someone exiting the program. 
  • Pay per use: In this model, each time the program is run there is a fee required. For simplicity's sake you can sell blocks of usage credits in advance; the licensing system has to decrement those credits each time the software is run. 
  • Pay per feature: Perhaps the most obscure of all, and normally the most difficult to implement. In this model, some aspects of the software are metered by their own licenses. A trivial example would be a program that charges extra to save a file or print a document. 
  • Maintenance period: Many ISVs charge a separate maintenance fee to customers to cover the cost of support and any releases that ship during the contract period (typically a year at a time). With maintenance period licensing, you can simplify ensuring that only customers currently under contract can run the releases.
  • Trial and/or demo versions: A trial is typically a full version but time limited. A demo is frequently a crippled version with some functionality removed (like saving data or work). Either should be easily enabled by a licensing solution without you having to branch your code and develop new stuff.
  • Internet activation: Your customers should be able to buy, download, and activate their software over the Internet without jumping through a lot of hoops. You, as the ISV, should be able to offer this via an ecommerce website that easily connects to your license management system, your back-end systems like ERP and CRM, and to your application with minimal fuss and bother. A good license management system will handle this for your via XML/SOAP web services.

Again, if all we had was a EULA to enforce these models we'd be out of luck; too many people are willing to violate these licensing agreements, as the BSA knows all too well. So we need a "secure software licensing" system that provides the security to enforce the license rules and restrictions. CodeMeter is designed to do just that. 

Topics: License Management

Secure Software Licensing Part 2

Posted by John Browne on Aug 1, 2012 4:46:00 AM

In the last blog post, we talked about what is meant by "secure" in the phrase "secure software licensing." But what exactly do we mean by "software?"software

At first blush I think most of us think of "software" as a desktop application like Photoshop or perhaps an OS like Windows. And frankly this is the bulk of what we see people needing advanced secure software licensing for. But wait, as they say, there's more:

  • Executables: Anything in the PEF (portable executable file format) can be protected against license abuse or copying. 
  • DLLs: dynamic-link libraries (DLLs) and shared libraries on MacOS and Linux can be used to store a significant amount of protectable code. 
  • Data files: files associated with particular applications may need to be protected as well. For example, PDF files (used by Adobe Acrobat) are a popular format for distrubuting electronic documents, some of which can contain sensitive information. You might want to secure the availability of these to certain people or certain time frames. Additionally, if your application uses a database of proprietary data (perhaps industry benchmarks you have painstakingly collected over the years) you might want to prevent unauthorized access or copying of that data.
  • Media files: Both music and video have multiple DRM systems in place for commercial distribution. But what if you want to stream video from your website but limit its distribution to a set of license rules? This can be difficult without a secure software licensing system. 
  • Website access: As more and more applications move into the cloud, or are presented as Software as a Service (SaaS) like salesforce.com, access control and authentication become more and more important. Current systems like named users with passwords are ripe for abuse (sharing credentials among multiple users). 
In the next article I'll dig into the term "software licensing" to discuss what is arguably the most interesting part of this concept.

Topics: License Management, Anti-piracy, software piracy, Copy Protection

Secure Software Licensing

Posted by John Browne on Jul 31, 2012 9:39:00 AM

We talk a lot about copy protection in this space but what I want to focus on today is what is meant by the phrase "secure software licensing." Let's unpack the term and look at each component separately:

Secure

The sina qua non of all this is security. If your software isn't secure nothing else that follows matters. By "secure" we're talking about preventing a host of bad things you don't want to happen:

  • License piracy: your customers bought a certain right or entitlement to use your software. That entitlement needs to be secured in such a way that the customers can't accidentally or even deliberately use more copies than they have purchased. Addditionally, you need to be able to ensure that non-customers cannot use your software until they have a license (i.e., become a customer).
Locked briefcase
  • Code cracking: Modifying the executable code to circumvent or disable any license verification is pretty common these days, particularly for very popular applications. You can find these cracked versions on the usual Internet sites. But increasingly even niche-market B2B software is being cracked, particularly for use in the developing world. 
  • Reverse Engineering: Reverse engineering of the original IBM PC BIOS led to a slate of instant clones competing with IBM for the same market space. Reverse engineering of software is not illegal in the USA, since it's considered fair use under the copyright laws. Protecting your software against this is critical.
  • IP Theft: You're in the software business, and in software your most important assets are your IP--some of which probably exists as algorithms in your code base. Do you want your competitors to see how you solve tough problems and use that to their advantage? Of course not. 
  • Code Tampering: How do you know that the binary you have is the binary that was created originally? How can your users know? In some applications, this may be the most important question of all. For example, if you're selling applications to the military or healthcare industry, being able to assure them the there are robust internal safeguards against the code having been modified before they execute it can be vital.
  • Malicious attacks: similar to code tampering, but in this case you want to ensure that no malware payload has been inserted at any time. Further, you want to know that the code can't be modified on the user's machine. 
These are some of the more common areas for concern in secure software licensing. In the next blog post, I discuss the next part of this expression: "software."

Topics: License Management, CodeMeter, Anti-piracy, Copy Protection, Code Integrity

Yet more software license management flexibility

Posted by John Browne on Jul 12, 2012 4:55:00 PM

Time for some how-to.

You don't have to use an API to implement CodeMeter--in fact, you can just use AxProtector (Automated Executable Protection) and wrap your whole executable (or dll or file or what have you, but we'll focus on executables in this blog post) with strong encryption that needs a valid license at runtime. Badda bing, badda boom. You're done.

That was easy.

And you can get a lot of flexibility in your software license management with no more work. Time based licenses, usage-based, network, concurrency, all those things and more are available with no source code changes--just protect with AxProtector and then set the licensing rules when you create the license.

So why mess with the source code? Good question. There are two reasons:

1. You can turn on or turn off individual functions or methods with separate licenses, thus enabling a pay-per-feature business model. This can be really cool if you think about all the possibilities (more later).

2. You can increase the security of your application, since multiple licenses with multiple separte keys are needed for it to run. While cracking CodeMeter is no small feat, this will just make it that much tougher.

How hard is this source code intergration? Pretty basic. We have a low-level API (the "Core API") which you don't repeat do not want to use. If in doubt, please give us a call to ask if you should use this. Normally our customers only use it when they need to implement CodeMeter on a platform we don't yet support. 

These are not the functions you are looking for...

The one you want is WUPI (Wibu Universal Protection Interface). WUPI is a high-level encapsulation of the Core API and by using it you will avoid shooting off your toes the way you can with the Core API. WUPI will do most anything you need to do.

WUPI only needs 15 functions to cover the whole gamut of stuff:

  1. Accessing: allocate and free a license; get a handle to a license
  2. Encryption: Encrypt and decrypt code
  3. Manage: Decrease Unit Counter; Get License Type; Query info; Read/write data
  4. Security: Debugger check and license check
  5. Errors: Get last error

That's it. Most of it you don't need to worry about. All the functions return either a BOOL or an INT, which makes them easy to use in a number of programming languages.

Parking meter

Integration couldn't be easier. There's an include file (we're talking C++ now), and you have to point your linker to some libs. The CodeMeter API guide (accessed from the CodeMeter Start Center, which is part of the Evaluation System) gives you sample code to cut & paste.

Here's an example:

#include <WibuIxap.h>
 int iWupiResult = WupiCheckLicense(0);
 if (!iWupiResult)
{
// License check failed.
}
else
{
// Successfully checking license.

That's it. Pretty simple--you just need to wrap these kinds of calls around the code that does stuff inside your application. 

Suppose, for example (and I know this is a trivial example) you wanted to meter printing. You could wrap your print function with a call to decrease the CodeMeter Unit Counter:

#include <WibuIxap.h>
 
int iWupiResult = WupiDecreaseUnitCounter(0, 0);
 
if (!iWupiResult)
{
// Unit Counter reached 0.
// License isn´t available or already allocated.
}
else
{
// Successfully decreased Unit Counter by the specified units.
// No Units remaining.
}

 If you use some counter in your code for the number of pages as a parameter to the WupiDecreaseUnitCounter() function, you can meter things exactly. Unit Counter values are set at license time, so this would require you to sell "blocks" or pages to be printed; when they get low on available pages (ie UnitCounter value) the system will let them know that they might want to buy some more. When they are gone, no more printing.

Printing is trivial (well, perhaps not if you're a printer) but there are plenty of other things you could wrap in this kind of protection. Perhaps you want to have Bronze, Silver, and Gold versions of your product. The normal way you'd do that is to branch your code or use conditional compiles. But it's a lot of work. With WUPI you can build one monolithic application, wrap that Bronze, Silver, and Gold functionality in separate license calls, and ship the whole thing to everyone. They get the product they paid for (because the correct license turns things on). Nothing more.

One last thought. This API stuff is not needed if you use .NET; because it's managed code you can actually protect individual .NET methods from inside AxProtector. 

photo credit: lakewentworth via photo pin cc

Topics: License Management, CodeMeter, AxProtector, Software Development

Software license management flexibility

Posted by John Browne on Jul 10, 2012 2:28:00 PM

Here's a great post about the problems software license models can create for researchers. Short version is that most commercial software licenses restrict the usage on massively parallel systems so that researchers can't take advantage of them without buying zillions of licenses, which, of course, isn't going to happen. 

Open source software is one solution to the problem, since it's not metered and thus not restricted. But (and this is no slam on OS software) sometimes the commercial stuff is better. Just is. Or it's what the researcher is already using, and converting to a different platform isn't feasible.

So they're stuck, and the problem has to chug along on one core forever instead of getting solved quickly on the parallel system.

Waiting for the program to finish.

How did we get to this mess, anyway? Commercial software vendors (ISVs) have struggled with the conflict between traditional licensing models and new computing ones. Back when computers were basically one core, one user, one desktop it all seemed so easy. Just ship great software and don't worry about the license. But multi-core processors, and multi-processor servers, and now cloud services with varying numbers of virtual machines instantly available as a scalable deployment--suddenly it all got a heck of a lot more complicated. If a user was running on an 8-core machine, should they pay more for the license than a user running on a single core?

ISVs reacted by metering stuff they could: number of cores, number of physical processors, speed of the processor, restricting or preventing VM use, and so on. This certainly didn't endear them to their customers, who saw (mostly anyway) these capabilities as allowing them to get more computing bang for the buck. 

Unfortunately their software license management systems kept getting in the way of finding metering solutions that allowed them to map true value to revenue. They metered what they could; not what necessarily made sense (this is granting them the benefit of the doubt--I hope they didn't just ignore customer input about how to best license under emerging computing paradigms). 

One thing we've always tried to do with CodeMeter is provide for virtually unlimited flexibility in license models: we like to think if you can dream it up we can implement it with the existing system. We've made some improvements over the last year to handle the new virtuality reality and we will continue to exhance the products in this area in the future. We're extremely interested in hearing from customers on these issues to make sure we're working on what you need. So if you have some thoughts about how you'd like to be able to license and/or meter your software, please pick up the phone and give us a call. 

Topics: License Management

Make License Management Work For You

Posted by John Browne on Jun 4, 2012 1:22:00 PM

Let's suppose you've finished designing your killer application and you're well into the coding step. At some point you need to consider some basic housekeeping issues, including:

Let's spend a few moments to review how license management can make or break the success of your software application. 

License management diagram

If you're writing for iOS or Android, of course you have to use the iTunes Store or Google Play to put them out in the marketplace. In this case you won't have much control over the license management. You'll have to accept what they provide.

Assuming you're targeting Windows, MacOS, or Linux, you need to decide if you are creating on-premise software or something that will be delivered as SaaS, or both. 

License Management Checklist

The term "license management" can mean different things to different people. Setting priorities for your license management goals is a good thing. Some possibles:

  1. Simplifying (to the point of complete automation) the entire process of identifying new customers and managing their entitlement to use the software, including initial sale, renewal, upgrades, and so on
  2. Connecting your license and entitlement database to your ERP/accounting/CRM systems, as well as ecommerce site and/or the application itself
  3. Preventing unauthorized usage of the software by people who are not entitled to use it
  4. Preventing the reverse engineering of your intellectual property and algorithms
  5. Preventing people from modifying the executable so that the license management controls are disabled
  6. Increasing the flexibility of the sales and marketing departments to create unique business models
  7. Simplifying the creation of trial or demo versions
  8. Support deployment either as a cloud service (SaaS) or on-premise (desktop).

Of course, in an ideal world all this can happen after you've finished the code without any internal source code mods. Since we're wishing, we might as well hope license management that connects to our back office systems and external websites easily as well.

There are an infinite number of ways to solve this problem, some better than others. Having done nothing else for the last 23 years, we believe strongly that CodeMeter is the best license management tool available. We invite you to learn more.

Topics: License Management

Top 5 Software license management requirements

Posted by John Browne on Apr 12, 2012 8:06:00 AM

Let's say you're just starting off as a software publisher--maybe you've got a great idea for an improvement in a specific domain where you have experience. You write some code, you test it, now you're ready to start raking in the cash, but wait?

How the heck do you manage your licenses?

Good question, because it turns out software license management is a non-trivial problem. 

Software license management is like panning for gold.

If you're writing your own operating system, or compiler, or I/O libraries, feel free to tackle software license management on your own. You're clearly a roll-your-own kind of guy. But most smart software developers want to stay focused on their core competencies--the places where they can add the most value. Domain-specific features. Bug-free code. Great UI design. Documentation and help files. 

Software license management is clearly one of the things where the make vs. buy argument lands squarely in the "buy" camp. 

What should you look for in a software license management solution? Here's a few must-haves:

  1. Clean integration with your selling side (website, channel partners) and back office systems (ERP/CRM).
  2. Flexibility to create trials and demos, run promotions, and build business models on the fly 
  3. Seamless integration with solid protection against illegal copying or reverse-engineering
  4. Support for standard offerings like named user, node-locking, network license administration, machine binding, or feature metering
  5. Automated activation of authorized users
  6. Finally, it must be affordable: the net cost compared to the value received has to make sense to your specific circumstances. 
Most software license management vendors will provide you a fully-functional evaluation system. Click on the button at the right to try out CodeMeter.

Topics: License Management

Software licensing solutions in the cloud

Posted by John Browne on Mar 26, 2012 8:56:00 AM

With the increasing number of end users taking advantage of SaaS solutions, independent software vendors are faced with new licensing challenges and the need to prevent illegal software copying, as well as the running of a single license on numerous virtual machines.

But there are software licensing solutions for the cloud that can meet these challenges. On the cloud, you can actually achieve highly efficient licensing processes and enhanced protection for your software. You can reduce revenue loss due to piracy while also improving your customers’ experience. You don’t have to include tests in your application code to disable the software if a virtual machine or terminal server session is detected.

There are dongle devices on the market that you can connect to a computer within the customer’s network to enable it to function as a license server. This license service considers each VM or TS as a completely different user. It makes no difference if the use is from a VM, a TS session, or a desktop computer—the license server automatically counts the correct number of users for these “floating licenses.”

Another solution is to connect the dongle directly to the host server, which can be configured as a license server to allow use of floating network licenses, as long as you allow network functionality.

The dongle can also be connected to only a single guest system (an operating system running in a virtual machine), or it can be connected to the terminal server. It’s important in this scenario to use a device that counts local licenses in the same way as network licenses, because all sessions have local access to the license if they are running on the same instance of the operating system.

With the right software licensing solutions for the cloud, software will be disabled whenever multiplying of licenses is attempted using VMs, TM session, or reverse USB hubs.

Topics: License Management, software copy protection, Anti-piracy, Copy Protection