Protecting Your Software - Authorisation and You

Protecting Your Software - Authorisation and You

Tuesday 30 September 2008

Piracy is always a big issue in the software industry.  It's a global epidemic and everyone is guilty of it.  You are too, and you know it.  That doesn't make you evil, it just means you are as morally flexible as everyone.  So taken this as a given, as a SME developing custom software, how do you protect your investment and ensure the success of your product?

First, we need to address some universal truths.

  1. All software of any value will be pirated.
  2. All copy protection mechanisms will be worked around by someone of sufficient intelligence.
  3. If you have produced a good product for sale on the open market, it will be pirated.

Stealing software is VERY easy.  Once we, as professionals, are comfortable with the fact that our products WILL be stolen, we can start attempting to maximise the sales.  In order to sell just about anything, you need to know who your target audience is.  Who exactly are you selling to?  There are four types of user...

  1. The Legitimate Customer

    If you have the pleasure of having a legitimate customer, make sure nothing stands between them and using your software.  Help them out at every turn and never obstruct their usage.  They pay your bills, remember that.  These people will pay for your software and upgrade and maintenance.  They may well all be corporate entities who under threat of inspection need to remain 100% above board (tip: Develop software for the legal industry, they're pretty much not allowed to steal).  Home users may fall into this category simply because they don't know they can steal software easily.
  2. The Moral Pirate

    You probably fit into this category.  You pay for software, you like to think you're a good software citizen.  You may occasionally go to the pirate bay to grab a cracked version of an application because the demo or cripple-ware version really gets in the way of you trying the software.  You probably wouldn't think twice about installing one copy of Windows on two separate machines however.  People can end up accidentally becoming moral pirates simply due to a lack of understanding of (often confusing) software licenses.
  3. The Immoral Pirate

    Immoral pirates use file sharing networks, Usenet, peer to peer or private FTP as their default method of software delivery.  They don't want to pay for software.  They may believe they're stealing, they may believe they're in the moral clear as your product endorses evil / closed source mentalities / kills kittens.  You'll only ever get a sale from the camp if your software is so incredibly hard to steal or find that it's much more convenient to pay for it.  And even if that's the case, they're more likely to investigate an alternative first.
  4. The Career Pirate

    You will never sell a copy to this person, except if they're actively trying to produce a crack themselves.  Career pirates will produce cracks, publish 0-Day copies of your application, and they'll do it for the challenge.  Intricate copy protection mechanisms act as encouragement to career pirates.  The harder the better.  It's an arms race that they will *always* win.

Coming to Terms With Piracy

The first thing you have to realise is that software piracy isn't actually a bad thing.  Software piracy often introduces people who will later become legitimate users of your software to your product.  If you find that a vast majority of your users are stealing your software, the first thing you need to do is find out why they're stealing instead of paying...

  • Is your software too expensive?
  • Are you pricing for business but aiming at the individual user?
  • Is the cracked version of your application actually better than the paid for edition?
  • Is your "home" offering too basic and people prefer to steal an overpriced "Professional" edition?
  • Worst of all, is your software crippled by draconian DRM?

If the answer to any of the above questions is yes, then you're not dealing with a technical problem, you're dealing with a social engineering and marketing issue.  It's YOUR FAULT that your software is being stolen because you're not selling it properly.  You have to be prepared to take responsibility for a misjudged business decision.  It's not about blaming anyone, it's about fixing the problem.

Targeting Your Audience

Out of the four groups of users listed above, ignore the fact that the third and fourth group exist.  You will never sell software to those people, they will steal it.  Get over it and move on.  You're not going to stop them, don't waste valuable time and money trying to.  Yes?  Good.

You need to protect your software in a way that it actively encourages the first and second groups of users to pay you for your hard work.  The legitimate customer is easy.  They're going to pay.  Don't make it hard for them.

The second group is slightly harder.  They're probably going to pay you, but if they can steal your software really easily, they probably won't bother.

What you need is some kind of authentication system that is reasonably simple, doesn't hinder the users and offers some kind of advantage to the paying customer.  Now the funny thing is, this is a solved problem.  For the past decade companies have been experimenting in trying to squeeze the odd payment out of the immoral and career pirates who were not going to pay a penny to start with.  The answer is the serial number.

Serial numbers work.

If you take anything from reading this essay, please take this.

What Not To Do

The following authentication mechanisms are horrible ideas...

  • Online authentication

    Do not presume your clients have always on internet access.  If they don't and you implement this, they WILL pirate your software or go to a competitor.
  • Products that Phone Home

    If you've been naive enough to saddle your software with online authentication and start thinking that products that phone home are a good idea, start thinking about what happens when that product no longer has internet access...
  • Commercial Root-kits 

    There is nothing more immoral than saddling your users machine with software they don't know about and can't remove, especially when it is recording their usage and using up CPU cycles.

But!  What if these authentication mechanisms can actually net me a few more sales!  Forget it.  They won't.

The pirates will still steal, and most importantly...?

You'll have just spent a small fortune in R&D, infrastructure and development creating a bypass-able authentication system that you then have to keep operational forever.  Unless you manage to con your users into what is essentially a software rental model, those servers of yours have to be available until the end of time, with databases of all your registered users, the level of access they're allowed to your application and all manner of other data.

Running these oppressive registration mechanisms is expensive, and can potentially introduce defects into your pristine code.  What's more, they can get in the way of legitimate users and paying customers, driving them to become moral pirates.  As was stated at the start of this piece, you must never put obstacles between legitimate users and paying for your software.  That is commercial suicide.

This is not to say that you should give your product away.

Protecting Your S oftware

Now that we've looked at what not to do, how on earth can we protect our software?  I really do believe in the serial number.  But a few sane coding practices can help you protect your software fairly easily.

At the simplest level, a serial key can be achieved using common Public-Private key encryption techniques.  Take some key data regarding your application (commonly something like registered user / organisation name, number of licenses granted, perhaps an email address) and encrypt it with a private key.  Your application has the public key embedded within it.  If that information decodes correctly, then the application is registered.  Simple.

But not fool proof.  I'd rather not mislead you by implying that that solution would just work perfectly.  If a cracker could isolate the portion of your code where you load the public key into memory, he could produce a cracked executable with a different public key encoded inside, and thus sign his own keys that would unlock the modified application.

The good news is that depending on your target audience, it's almost certainly more work than your average user would bother with to steal your program (just don't load a file from "approot\publicKey.key" and think you're being diligent!)

The benefits of a simple solution?  Easy.

  1. It's really really easy for users to register your software.  They pay you, they get a serial key.
  2. You need not store lots of user information for registered users, the key can be regenerated given the same inputs.  Therefore, low overhead on authentication servers as the user technically only need perform this operation once.
  3. Relatively secure, uses known cryptographic techniques.  Certainly beats some traditional "just multiply the username as bytes by some random number".
  4. Low impact on the application as a whole.
  5. Authentication data can be changed between minor versions, breaking any key generators in the wild and making the software more inconvenient to crack a second time.

There are a few other tricks you can use.

  1. If your software is lucky enough to print out user data in some output, then you're home free, people won't share a serial number if their name is stamped on all the documents that the counterfeit copies produce.
  2. Don't externalise your serial number checks in to an easily replaceable DLL / assembly.  It's just too easy to isolate and replace.
  3. Don't call the authentication method just once returning a boolean representing "is registered" or not, this is also easy to isolate and replace.
  4. If you use an interpreted language, user code obfuscating tools to stop simple decompilation.

Conclusion

Hopefully the above outlines have made the issue of small software piracy a little easier to understand along with explaining why obstructive software registration techniques won't win you sales and instead often cost you both sales and development money.

Don't fear software piracy, just attempt to give your legitimate users an experience that'll make them want to act as your agents to their friends and associates.

You can't pay for any marketing as effective as genuine goodwill.