Wibu-Systems Blog

Anti-Piracy, Flexible Licensing and software monetization

Posted by Terry Gaul on Sep 17, 2015 11:03:39 AM

We’ve all seen the disturbing software piracy statistics released by BSA | The Software Alliance in their Global Software Survey:

  • 43 percent of the software installed on personal computers globally in 2013 was not properly licensed
  • The global rate at which PC software was installed without proper licensing rose from 42 percent in 2011 to 43 percent in 2013 as emerging economies where unlicensed software use is most prevalent continued to account for a growing majority of all PCs in service.
  • The commercial value of unlicensed PC software installations totaled $62.7 billion globally in 2013.

These trends are sure to put a dent into any ISV's bottom line. In their blueprint for reducing software piracy, the BSA points to increased public education and awareness, modernization of IP laws, and stepped-up enforcement with dedicated resources as important steps towards thwarting piracy.

Of course, a more immediate approach to preventing piracy is to integrate copy protection directly into the application with a robust software protection solution like Wibu-Systems’ CodeMeter. It takes just minutes to protect software from illegal copying, reverse engineering or tampering without having to change a single line of source code.

In addition to preventing software piracy and hacking, a sound monetization strategy will serve to maximize ISV revenues as well. With secure, flexible licensing capabilities, ISVs and device manufacturers can effectively implement creative licensing strategies to meet the dynamic market requirements of their end users. The days of the perpetual software license are long gone and ISVs need the ability to introduce various pricing schemes based on pay-per-function, pay-per-use, subscription, or other possible licensing options. A representative example of a flexible licensing system is CodeMeter License Central, which enables ISVs to create, manage and distribute all types of licenses in a secure, straightforward manner.

Industry analyst firm, Frost and Sullivan, concluded in a white paper that “customers experience best long-term value in terms of both top-line revenue realization bottom-line costs and efficiency when license management solutions inherently provide comprehensive functionality and robust security.”

I invite you to download the full whitepaper, entitled Best Practices in Software Monetization: A Customer-Centric View of Secure License Management. The White Paper sheds light on various aspects of successful software monetization strategies, ranging from business-enabling licensing architectures to resilience against hacking. The document demonstrates how changing times demand that ISVs implement customer-centric business models and customer-friendly enforcement in order to increase their top line software revenues while controlling bottom line costs.

   

Topics: License Management, software protection, CodeMeter, secure licensing, software piracy, CodeMeter License Central

Secure Software Licensing Part 2

Posted by John Browne on Aug 1, 2012 4:46:00 AM

In the last blog post, we talked about what is meant by "secure" in the phrase "secure software licensing." But what exactly do we mean by "software?"

At first blush I think most of us think of "software" as a desktop application like Photoshop or perhaps an OS like Windows. And frankly this is the bulk of what we see people needing advanced secure software licensing for. But wait, as they say, there's more:

  • Executables: Anything in the PEF (portable executable file format) can be protected against license abuse or copying. 
  • DLLs: dynamic-link libraries (DLLs) and shared libraries on MacOS and Linux can be used to store a significant amount of protectable code. 
  • Data files: files associated with particular applications may need to be protected as well. For example, PDF files (used by Adobe Acrobat) are a popular format for distributing electronic documents, some of which can contain sensitive information. You might want to secure the availability of these to certain people or certain time frames. Additionally, if your application uses a database of proprietary data (perhaps industry benchmarks you have painstakingly collected over the years) you might want to prevent unauthorized access or copying of that data.
  • Media files: Both music and video have multiple DRM systems in place for commercial distribution. But what if you want to stream video from your website but limit its distribution to a set of license rules? This can be difficult without a secure software licensing system. 
  • Website access: As more and more applications move into the cloud, or are presented as Software as a Service (SaaS) like salesforce.com, access control and authentication become more and more important. Current systems like named users with passwords are ripe for abuse (sharing credentials among multiple users).

In the next article I'll dig into the term "software licensing" to discuss what is arguably the most interesting part of this concept.

Topics: License Management, Copy Protection, Anti-piracy, software piracy

57% of all users agree: piracy protection is critical

Posted by John Browne on Jun 20, 2012 4:35:00 AM

Ok, I might have misread this data a bit. The BSA (Business Software Alliance) has just published its annual study of global software piracy rates. One interesting finding: 57% of the world's PC users admit they pirate software. Only 38% said they never do, and 5% were at Starbucks getting a venti no-foam latte with extra shot when the question was asked.

Perhaps even more interesting, it's not 14 year old kids swiping games here, it's "business decision makers" who have the dirtiest hands--they outnumber "ordinary" users when it comes to software piracy rates. And given that the most massive piracy takes place in emerging economies, this translates pure and simple into a competitive advantage (via illegal means) for those businesses against the ones who play by the rules.

At a recent conference I attended, Dave Graubart of Synopsys spoke as the chair of the Anti-Piracy Committee from the Electronic Design Automation Consortium about the problem. EDAC's own data collection methodology closely matches the BSA data at 40% global piracy rates. This is approximate, of course--he had some interesting methods people use to track piracy, such as getting support calls from a company which has never bought the product.

In the "old days" piracy of complex software (and complex frequently equates to expensive) was less of a perceived problem because support was such a critical element in user success. Now software is more sophisticated and ease of use is vital for market success, so it's easier for people to use pirated software without calling tech support, who might want to confirm their license status.

The top 4 countries in terms of the dollar value of pirated software are US, China, Russia, and India. All these countries compete on the global market and the companies who do so without paying for their licenses have a potentially huge advantage over those who do (keep in mind we're not talking about Microsoft Office here, we're talking about electronic design software that can cost 5 or 6 figures per seat).

What to do, what to do? Well, start (and end) with good piracy protection. The best, of course, is CodeMeter: who else can make the statement that it defeated both Chinese and Russian crackers?

Topics: Anti-piracy, software piracy

What The Avengers tell us about piracy protection.

Posted by John Browne on May 14, 2012 10:23:00 AM

An interesting article on torrentfreak caught my eye. They argue that the data shows that Disney's freakout over a camcopy of The Avengers hitting the torrent sites would kill boxoffice sales. Yet Thor, Iron Man, Hulk, et al are boffo boxoffice, smashing records like Thor's hammer smashing heads.

The logic, according to torrentfreak, is that the camcopy doesn't kill sales because the experience of seeing the movie in the theater is so different than watching a camcopy downloaded via bittorrent. They argue that based on the DL numbers, even if all the 100,000 people in the US who downloaded the camcopy had bought a movie ticket that would only boost revenue .05%.

I don't have any data on the lost sales (and frankly their math doesn't hold up to close scrutiny) but part of their logic is reasonable: camcopies are the theatrical equivalent to bootleg concert tapes. They are the domain of the fanboy, the collector, and the curious. Switching to music, who has the most bootleg tapes in the universe? Deadheads. And who went to the most Grateful Dead concerts? Yep, those same Deadheads.

Don't get me wrong, copying is copying. But Disney getting its tightywhities in a knot because of a camcopy? I bet if they had released TA in the US first instead of overseas the number of DLs for the camcopy would have been seriously lower. People need their fix.

So what has this got to do with piracy protection? Just that there's piracy and then there's piracy. Physical media can bring an extra dimension to entertainment that's not easily duplicated with software. Windows is Windows; Photoshop is Photoshop. A camcopy of TA is not the same as playing hookie sitting in an ice-cold movie studio on a hot day with a gallon of Dr. Pepper and a box of Jujubees looking at a 10 foot tall Hulk.

Any clown with a camcorder and a backpack can make a copy of The Avengers. But watching it will be a poor second to seeing the real deal. Software, on the other hand, needs piracy protection. Not just to protect the publisher (which is important), but to protect the consumer, too, and make sure that downloaded app isn't a trojan horse for some really nasty malware.

Topics: Anti-piracy, software piracy

Is piracy protection software for you?

Posted by John Browne on May 1, 2012 12:58:00 PM

Here's a quick check to find out if you need piracy protection software. Start with the bittorrent sites and search for your executables. If you find cracked versions, you need piracy protection. Next, google "buy [your product name here]." If websites come up selling your product for a big discount, but you've never heard of them, you need piracy protection software. Those are very possibly bad guys selling counterfeit copies of your product...customers will think they are legit, and that they are getting a great price. Sound implausible? Think again...we have customers with exactly this problem.

Frankly there's no easy way to write your own protection software against piracy. Some things are much better left to professionals. Would you create your own firewall or anti-virus software? Of course not. It makes no sense to try to create your own software where the stakes are so high and the knowledge is so specialized. 

Instead, check out CodeMeter, the most secure piracy protection software available. You can add complete protection to your application and data files in as little as a few minutes. And keep the guys in the black ski masks at bay.

Topics: CodeMeter, software piracy

Does MegaUpload closure mean the end of software piracy?

Posted by John Browne on Feb 1, 2012 11:30:00 AM

With the FBI arresting seven managers of Megaupload and shuttering the website--said to be the 13th most popular website in the world at one point--does this mean the beginning of the end for software piracy?

Not likely, methinks. The timing of the raid, coming on the heels of world-wide protests against SOPA legislation in Congress one day before, highlighted how divided people are on the issues of IP protection and ownership vs. web freedom.

The facts remain that unprotected software--whether movies, music, or executables--is easy to pirate and distribute. The security that most companies use (when they use any at all) to prevent illegal copying is usually easy to circumvent or non-existent. The worst cases of all are when a company makes life difficult for its legitimate users without actually strengthening its protection--sort of like having 11 deadbolts on your front door next to a window that is perpetually open.

The degree that it makes sense to protect any asset is in direct proportion to the value of that asset. The gold in Fort Knox is guarded with far greater security than your safe deposit box, which in turn has more safeguards than the mayonnaise jar full of loose change in the bedroom.

Whether Megaupload did something legal or illegal will be settled in the courts. Regardless, shutting down the site won't do anything to stop piracy; if anything it will simply move it to places where it's harder to stop. There are laws against stealing bicycles, yet they get stolen anyway. Only a good chain and padlock will deter the bad guys, and even that won't stop the most determined.

Fact is, if someone wants your bike, they can get it. Ditto your car, your wristwatch, and your software. But you can make it really really hard to steal your bike, your wristwatch, or your software.

Topics: software copy protection, Copy Protection, Anti-piracy, software piracy, SOPA, MegaUpload

If the BSA were right about piracy, we could close all the prisons

Posted by John Browne on Aug 1, 2011 9:19:00 AM

The BSA apparently thinks that piracy, like poor table manners, is simply a societal problem that can be corrected by changing people's behaviors. Note that they've concluded that litigation alone won't work. Note also that throwing people in jail for stealing cars hasn't stopped auto theft.

Employing the same logic my father used when he said, just before delivering a no-doubt well-deserved spanking, "This will hurt me worse than it hurts you," which I understood at even a tender young age was complete nonsense, the BSA thinks apparently if we just give all these software pirates a stern talking-to the whole thing will somehow just vanish.

Right.

While the BSA explores this approach to ending crime (the successful conclusion of which will no doubt see them employed in follow-up campaigns against teen pregnancy, drug use, and drunk driving), I would suggest that, if you don't want to wait, you try locking your software like you do your car, house, and safe deposit box.

Of course, merely locking your car won't guarantee Nicolas Cage can't steal it. But it will sure cut down on the number of local clowns who will try. And if you lock your car, inside a locked garage, with a locked gate on your driveway, and add some surveillance cameras you will have the automotive equivalent of CodeMeter.

Topics: CodeMeter, software copy protection, Copy Protection, Anti-piracy, software piracy

How to pick a software protection system

Posted by John Browne on Apr 7, 2011 6:00:00 AM

Recently I was asked by a developer about picking a license management/software protection system for .NET. Microsoft's popular platform for app development, .NET, is easy to reverse engineer unless you use strong security. Our solution has been proven uncrackable multiple times. A software-only solution is always going to be more affordable than a solution using a dongle, but a solution using a security dongle can be completely protected against all attacks.

It's crazy to me how many developers want to roll their own licensing system. I talked to someone recently who uses a dongle to encrypt a serial number. That is SO easy to crack, it's just nuts. It's like leaving a convertible in the street with the top down and the doors locked. Hello?

We're not the only copy protection tools vendor. If you want to protect your .NET code, you need to get SDKs/eval units, do plenty of research and testing, and determine what works best for you. Some criteria you might want to consider:

  1. Do you want to target any platforms other than .NET? Linux, Mac, ??
  2. Do you want to be able to provide easy activation in low-risk markets and stronger security in higher-risk markets?
  3. What pricing/business models interest you? You should be able to, at a minimum, support pay per use, pay per time (subscription), pay per user, concurrent licensing, and network licensing. Even better is pay use/feature/module.
  4. Do you want a demo or trial unit for marketing purposes?
  5. Do you want to enable use under VMs without having your license scheme subverted?
  6. Do you need any special physical requirements for a hardware device (unusual form factors, additional flash RAM, environmental ruggedness, etc)?
  7. Where can you get support from?
  8. Where do they ship from?
  9. What are minimum order quantities?
  10. Are there annual fees you have to pay, or is it pay as you go?
  11. How robust and complete are their software tools?
  12. How do you create and program licenses with their tools? Are licenses field-updatable? Are dongles field-updatable?
  13. If you are looking at a dongle, does it require a driver? Who supports your end-user for dongle issues, if any? What is the warranty on the hardware? What OS/versions does the vendor support?

The more I talk to developers the more I realize they are frequently unaware of a) issues around license management/copy protection and b) what tools are already available to solve these problems. There's a lot of mis-information out there (more about this in a future post). There's also a lot of downright hostility towards people who don't want to give away all their hard work. (I admire the open source community, but there are plenty of cases where open source just doesn't make sense.)

Ever discovered something that looked simple on the outside and was hideously complex under the hood (like, say, organic chemistry)? Copy protection is like this. If you had any idea how easy most stuff is to crack, or how much work we've invested in making our solution robust, you'd never dream of doing it yourself.

Topics: CodeMeter, software copy protection, License Management, Copy Protection, dongles, software piracy, tools, FAQ

How does copy protection work?

Posted by John Browne on Mar 22, 2011 6:56:00 AM

We all know software piracy is a Bad Thing. But how can you prevent it?

The answer isn't quite as simple as you would expect. The easy way, of course, is to rely on CodeMeter to protect your software absolutely. Using AxProtector and a CmStick, your software is rendered effectively uncrackable. How uncrackable is that? We designed it from the beginning to have no universal crack (because there's no single key to decrypt the code). And we've tested it against hacking contests where we invited all the bad guys to take a swing at the protection with big bucks if they could break it. So far no one has.

So CodeMeter is the gold standard. How does it work? How do you keep people from stealing your creation? How do other systems work?

Let's start with CodeMeter. Our protection system, like a stool, has three legs: encryption, key storage, and debugger detection.

Encryption: We use AxProtector to encrypt your executable (.exe) using the AES 128-bit algorithm. Since it's encrypted, the compiled assembly language is now meaningless drivel to your CPU until it's decrypted. Encryption is used all the time--every time you log onto Amazon.com and use a credit card to make a purchase that credit card info is being encrypted at your computer, transferred over the 'net, and decrypted in Amazon's server. AES 128-bit is recognized as sufficiently "strong" that no brute-force attack is possible.

Key Storage: The beauty of the CmStick is that it stores the key necessary to decrypt your software so it will run. The CodeMeter runtime turns the encrypted meaningless drivel back into assembly language via decryption. The key is stored inside the CmStick in an area that can't be accessed—even trying can cause the stick to permanently lock itself. And the key generation is dynamic with up to 4,000,000,000 different keys possible, eliminating the possibility of a "master crack."

Debugger Detection: Of course, once the application has been decrypted and loaded into memory, a cracker could just take a "picture" of the contents of the computer's memory and use that to create a cracked version of the application, right? No. Here's why:

First of all, CodeMeter never completely decrypts the entire application at any one time. Some critical pieces are left encrypted until called, then decrypted individually until they are no longer needed. So if you take a snapshot of memory you only get a partial decryption of the application, which is not a crack. Second, you can optionally turn on debugger detection: when you choose this, the license is locked if a debugger is detected on the computer. This works well to prevent reverse engineering or theft of algorithms. It can be unlocked, but it would require someone to call you up and say, "Uh, hmmm, gosh, I tried to crack your license and now my license is locked. Could you please unlock it so I can try again?"

What do other systems do? Many rely on encryption and hardware-based key storage like we do. Some take a simpler route, using code obfuscation or just checking for the existence of a dongle. These simpler methods are extremely easy to crack, and should never be used for high-value software. In future posts I'll describe how simple these are to crack.

Topics: CodeMeter, software copy protection, AxProtector, software piracy

What is software piracy?

Posted by John Browne on Mar 7, 2011 12:50:00 PM

Software piracy can take a number of forms, intentional and unintentional. What normally comes to mind when you hear "software piracy" in context are hackers or crackers (more about that in a minute) doing something illegal. But it can also include people who inadvertently violate license agreements without knowing.

What are hackers and what are crackers? In discussions about piracy, you see both terms used interchangeably. People who "crack" the system an ISV uses to prevent copies are called "crackers." "Hackers," on the other hand, has traditionally been a term to refer to people who break into corporate or government networks. Sometimes it's easier to just say hackers to lump together all the bad guys out there who try to do digital mischief.

So how do they do it? A common approach is to take a legitimate copy of, say, Windows or Photoshop, and create a cracked version by patching some DLLs so that the licensing code thinks it's running on a legal copy. Then that single version is propagated around the world courtesy of file sharing sites.

Software-based anti-piracy systems try to bind a single licensed copy of an application to a given machine. Sometimes it will allow you to install on a couple of computers. Typically this is done with fingerprinting: identifying some characteristics of the host computer that the software has to match to. For example, you can look at the MAC address, CPU serial number, hard disk serial number, and so on. When the software first installs it gathers these fingerprints; later when you start up the application it checks the machine fingerprints against the ones it originally installed on and decides if this is a legal copy or not.

Since people upgrade and replace computers this schema is flawed from the get-go. The ISV has to decide how stringent to be about matching hardware fingerprinting on program load. If you have four values and only three match, do you go ahead and run or do you throw up a dialog telling the user they have to check with the publisher before the software will run? CmAct lets you decide how many factors (out of four total) you need to match before running the application. So you can set it to be two of four; if any two match the application will start.

These methods offer protection from casual theft but have a basic issue in that the fingerprint information has to come from the operating system. Contemporary operating systems do not let application code address hardware directly. If you want to know the serial number of the CPU, you use an OS system call to get it. That unfortunately makes the process somewhat vulnerable to spoofing: making the app think it's talking to the OS when it's not. And in that way many applications are cracked every day. Some of these are given away while some are sold as "real"--you can find them on various ecommerce stores online.
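The "two of four" fingerprint match described above, as an added Python sketch (not CmAct's implementation and not code from the original post). The factor names, the `enroll`/`check` functions and the record layout are hypothetical, and the HMAC tag stands in for a vendor signature that would normally be asymmetric.

```python
import hashlib
import hmac
import json
import secrets

# Four hypothetical fingerprint factors; the values are whatever the OS reports.
FACTORS = ("mac_address", "cpu_serial", "disk_serial", "board_serial")


def _digest(salt, name, value):
    # Salted hash, so the license record never stores raw hardware identifiers.
    data = salt + name.encode() + b"\x00" + value.strip().lower().encode()
    return hashlib.sha256(data).hexdigest()


def _tag(record, vendor_key):
    # Integrity tag over everything except the tag itself (stand-in for a signature).
    body = {k: v for k, v in record.items() if k != "tag"}
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(vendor_key, canonical, hashlib.sha256).hexdigest()


def enroll(machine, vendor_key, threshold=2):
    """Install time: record the fingerprint and how many factors must still match."""
    if not 1 <= threshold <= len(FACTORS):
        raise ValueError("threshold must be between 1 and the number of factors")
    salt = secrets.token_bytes(16)
    record = {
        "salt": salt.hex(),
        "threshold": threshold,
        "factors": {n: _digest(salt, n, machine[n]) for n in FACTORS},
    }
    record["tag"] = _tag(record, vendor_key)
    return record


def check(record, machine, vendor_key):
    """Program start: return (allowed, matching_factor_count)."""
    # An edited record (for example threshold lowered) fails before any comparison.
    if not hmac.compare_digest(record.get("tag", ""), _tag(record, vendor_key)):
        return False, 0
    salt = bytes.fromhex(record["salt"])
    matches = 0
    for name in FACTORS:
        value = machine.get(name)  # a factor the OS could not report counts as a mismatch
        if value and hmac.compare_digest(record["factors"][name], _digest(salt, name, value)):
            matches += 1
    # The count is only as trustworthy as the OS calls that supplied the values.
    return matches >= record["threshold"], matches


# Constructed sample values, not real hardware identifiers.
VENDOR_KEY = b"constructed-demo-key"
INSTALLED_ON = {"mac_address": "00:11:22:AA:BB:CC", "cpu_serial": "CPU-EXAMPLE-0001",
                "disk_serial": "DISK-EXAMPLE-0001", "board_serial": "BOARD-EXAMPLE-0001"}
UPGRADED = dict(INSTALLED_ON, mac_address="00:11:22:DD:EE:FF", disk_serial="DISK-EXAMPLE-0002")
OTHER_PC = dict(UPGRADED, cpu_serial="CPU-EXAMPLE-0009")

if __name__ == "__main__":
    rec = enroll(INSTALLED_ON, VENDOR_KEY, threshold=2)
    for label, m in (("installed", INSTALLED_ON), ("upgraded", UPGRADED), ("other", OTHER_PC)):
        print(label, check(rec, m, VENDOR_KEY))
```

The threshold is the vendor's trade-off between tolerating upgrades and binding tightly: the upgraded machine still starts with two of four factors, while the third machine shares only one and is refused.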

Of course if you use a dongle it should be a lot harder to crack the protection code; in the case of applications protected correctly with CodeMeter they should be impossible to crack. You can find online sites advertising dongle "emulators" or "eliminators" and they are basically cracking sites. Some developers use their dongle in the weakest possible way, by having the application merely check for the existence of a dongle and not using it for key generation. This is incredibly easy to crack and is never recommended!
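Why a presence check is weaker than making the code depend on the dongle's key, and how per-section decryption on call works as described in "How does copy protection work?", shown as an added Python sketch (not CodeMeter or AxProtector code). The `Token` and `ProtectedApp` classes are hypothetical, the key and sections are constructed, and an HMAC-SHA256 keystream stands in for AES because the standard library has no AES.

```python
import hashlib
import hmac
import secrets


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a standard-library stand-in for AES (illustration only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _section_key(master_key, name):
    # Each protected section gets its own key derived from the master key.
    return hmac.new(master_key, b"section:" + name.encode(), hashlib.sha256).digest()


def seal(master_key, name, source):
    """Vendor side: encrypt and authenticate one section. Layout: nonce | tag | ciphertext."""
    key, nonce = _section_key(master_key, name), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(source, _keystream(key, nonce, len(source))))
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct


class Token:
    """Hypothetical key store: callers can ask it to unseal, never to reveal the key."""

    def __init__(self, master_key):
        self._master_key = master_key

    def present(self):
        return True  # anything plugged in can answer "yes"

    def unseal(self, name, blob):
        nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
        key = _section_key(self._master_key, name)
        if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
            raise PermissionError("section %r does not authenticate with this token" % name)
        return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class ProtectedApp:
    def __init__(self, sections, token):
        self.sections, self.token = sections, token

    def start_presence_only(self):
        # Weak design: a single yes/no answer decides whether the program runs.
        return self.token.present()

    def call(self, name, *args):
        # Key-bound design: the section stays encrypted until the moment it is called.
        scope = {}
        exec(self.token.unseal(name, self.sections[name]).decode(), scope)
        try:
            return scope[name](*args)
        finally:
            scope.clear()  # drop the decrypted function again after the call


VENDOR_KEY = bytes(range(16))  # constructed 128-bit key
SOURCES = {  # constructed "critical" functions
    "quote": b"def quote(qty):\n    return qty * 125\n",
    "discount": b"def discount(total):\n    return total * 9 // 10\n",
}
SECTIONS = {name: seal(VENDOR_KEY, name, src) for name, src in SOURCES.items()}


def demo():
    licensed = ProtectedApp(SECTIONS, Token(VENDOR_KEY))
    keyless = ProtectedApp(SECTIONS, Token(bytes(16)))  # device without the vendor's key
    result = {"licensed_quote": licensed.call("quote", 4),
              "presence_check_passes": keyless.start_presence_only()}
    try:
        keyless.call("quote", 4)
        result["keyless_runs"] = True
    except PermissionError:
        result["keyless_runs"] = False
    return result
```

`demo()` shows the difference: the keyless device satisfies the presence check, but the key-bound section never decrypts for it.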

Topics: CodeMeter, software copy protection, Anti-piracy, dongles, software piracy, FAQ, cracking, CmAct