How your keycodes get onto a warez site..
-
With the software protection system I've built into ED (see sig) a license key can only be used for up to two weeks to activate the software. After that the user needs to contact us for a new key. This causes some pain all round, but the benefits are enormous. In essence your problem and many others go away. I have no idea why this isn't common practice. Neville Franks, Author of ED for Windows. Free Trial at www.getsoft.com
Excellent idea! Thank you, aside from all the other stuff that we do that would be very beneficial. We currently have a temporary keycode system that we use for purchase orders in case they don't get paid, but we don't use that for credit card purchases, I'm also thinking of making that more widespread as well. (I.E. the initial keycode is a temporary one and we email a replacement when we actually get paid, but it could be extended to any order after a couple of weeks get the final keycode) What we also do and something that I don't know why more people don't do is we don't have anywhere in the program a visible way to enter a keycode. The enter keycode dialog doesn't contain any static text related to keycodes all that text is encrypted in the program and it's a hidden option you can only bring up with a certain set of mouse clicks on a certain screen which the users so far have had no problem with, but it means that you don't know how to enter a keycode unless you get the official registration email which is the only place we publish that information. The person that posted the keycode didn't include those instructions so we've been amused to see replies to their message saying that there is no way to enter the key. It doesn't take a genius to find an alternative way to do it, but it probably stopped a number of people right off the bat.
-
John, Thanks (well maybe thanks isn't the right word, especially given all the hassle involved) for a really fascinating post. What about setting up a CP contest to come up with the a secure anti-piracy lib that could be used by others? The final test would be to try and attract people to hack it, and the one that lasts longest wins. Perhaps even start a new section, dedicated to copy-protection etc solutions. Surely this is something other people have to deal with as well? ¡El diablo está en mis pantalones! ¡Mire, mire! Real Mentats use only 100% pure, unfooled around with Sapho Juice(tm)! SELECT * FROM User WHERE Clue > 0 0 rows returned
I agree but it would have to be a system that doesn't work through obscurity for obvious reasons. I'd love to see all the ideas for a system that works even though the method is plainly obvious and documented. There is a *lot* of good info on other techniques and about the problem in general here: http://inner-smile.com/nocrack.phtml[^] But as the title says those methods just make it harder, not impossible.
-
So for anyone who is interested in how a license key gets onto one of those piracy sites I can now speak from experience: On September 11th we get an order for one license of our software. We email the unique license key to the address provided. Last weekend hits to download our software on our website go through the roof, 1000 times more than normal. We backtrack the link and find it's a Chinese site that does nothing but provide license keys, cracked versions of software etc. We find that a link has been placed to our software with the license key and regto name 4 days after it was purchased. We get pissed off, immediately update the download to not work with the keycode in question, problem is that hundreds and hundreds of people have already downloaded and our software is mirrored at tucows which takes forever to update. They continute to download at an astonishing rate, we're over 7GB of bandwidth on Sunday alone. There can't possibly be this many people actually interested in the software, I get the feeling that they are people that would download anything if it's free. We can't simply move the file on our site to break their link, it's linked to by thousands of shareware sites, tucows etc. Our isp tries all day to block anyone coming in with the referrer of this chinese cracker site, ultimately manages to only cause everyone coming to any page on our site to get a permission denied and finally gives up and can't do anything about it. (it's an IIS server, not unix). Mean while, while all this is going on, we contact our lawyers, they start rubbing their hands together, I realize this is going to cost a lot of money so we opt to try to sort it out ourselves. We call the Canadian and U.S. big anti software piracy groups. They basically laugh at us and say give is $5,000.000 to sign up and we'll take a look at it. At this point I'm even more pissed off so I decide it's time to just phone and find out what's going on. I phone the credit card owner, they have no idea what our software is and it turns out have many other charges they didn't authorize. (note, this is a nice older couple, no chance they did this, their credit card info was stolen). I phone the person who we emailed the license key to, he works in another state entirely from the credit card owner, turns out their network was hacked into and our software wasn't the only one that was stolen through thier network and email, they have sinced patched and have kept all the records for any criminal investigation.
It happened to me recently, I am sure none of the people who downloaded would have bought it anyway and most probably won't use it. Just increases my bandwidth and I have to spend time trying to stop them accessing my site! Actually there is a freeware version of this software on my site, which for 99.9% of people is more than adequate!
Hell, there are no rules here-- we're trying to accomplish something. - Thomas A. Edison
-
Ivor S. Sargoytchev wrote: Have the ability to disable any activation key at any time. We do and have done so for some time, but we can't do it any time, the problem is that we can only disable it in a new release, i.e. it's compiled (in encrypted form) in the executable. We posted fresh copies of our software that zapped that license key, but we can't do anything about the people that downloaded before we did that unless they decide to upgrade. If I could find a reliable way to do that automatically without having to post a new executable, and in a way that wouldn't scare people because the software was automatically connecting to the internet etc it would be sweet. Unfortunately I don't think there is any realistic option for doing it automatically that doesn't start to have negative consequences.
What about something that discretely "checks online for updates," and while it's "checking" it also checks to make sure that the activation key is still valid? That way, even if you have a very sophisticated user who can sniff the packets and, somehow, figure out that you are sending data back to a server, you can say it's all part of the update process...plus, if there is an update you can tell them so (maybe even prompt to pay for additional upgrades). D Daniel Larsen, Professional Casanova Blood, Sweat, Toil and Tears
-
What about something that discretely "checks online for updates," and while it's "checking" it also checks to make sure that the activation key is still valid? That way, even if you have a very sophisticated user who can sniff the packets and, somehow, figure out that you are sending data back to a server, you can say it's all part of the update process...plus, if there is an update you can tell them so (maybe even prompt to pay for additional upgrades). D Daniel Larsen, Professional Casanova Blood, Sweat, Toil and Tears
Yes, I think that could work if it's something they initiate, just not sure about the ethics of disabling their software after they connect to our web site, will put that idea in the hopper as well. It's actually a good time for us to be thinking of this because we're rewriting our app completely from scratch in .net and licensing is one of the major areas we're going to be revising.
-
I agree but it would have to be a system that doesn't work through obscurity for obvious reasons. I'd love to see all the ideas for a system that works even though the method is plainly obvious and documented. There is a *lot* of good info on other techniques and about the problem in general here: http://inner-smile.com/nocrack.phtml[^] But as the title says those methods just make it harder, not impossible.
John Cardinal wrote: _http://inner-smile.com/nocrack.phtml\[^\]_ Excellent FAQ! I bookmarked this last time it was posted, and I'll use the info if I ever need to create software that uses keycodes (which, in all likelihood, I will).
"Blessed are the peacemakers, for they shall be called sons of God." - Jesus
"You must be the change you wish to see in the world." - Mahatma Gandhi -
I agree but it would have to be a system that doesn't work through obscurity for obvious reasons. I'd love to see all the ideas for a system that works even though the method is plainly obvious and documented. There is a *lot* of good info on other techniques and about the problem in general here: http://inner-smile.com/nocrack.phtml[^] But as the title says those methods just make it harder, not impossible.
Right, but what I would prefer is a collection of ready to use libraries. Stuff that people can drop in to an app, or however most appropriate to set it up. it would have to be a system that doesn't work through obscurity for obvious reasons. I'd love to see all the ideas for a system that works even though the method is plainly obvious and documented. I would to. Surely there are enough people here who can come up with good, creative, possible solutions, as well as enough people who like low level bit twiddling to attemtp to crack the solutions to verify the integrity of the solution. I've never done anything like this, but I have some ideas.... ¡El diablo está en mis pantalones! ¡Mire, mire! Real Mentats use only 100% pure, unfooled around with Sapho Juice(tm)! SELECT * FROM User WHERE Clue > 0 0 rows returned
-
Excellent idea! Thank you, aside from all the other stuff that we do that would be very beneficial. We currently have a temporary keycode system that we use for purchase orders in case they don't get paid, but we don't use that for credit card purchases, I'm also thinking of making that more widespread as well. (I.E. the initial keycode is a temporary one and we email a replacement when we actually get paid, but it could be extended to any order after a couple of weeks get the final keycode) What we also do and something that I don't know why more people don't do is we don't have anywhere in the program a visible way to enter a keycode. The enter keycode dialog doesn't contain any static text related to keycodes all that text is encrypted in the program and it's a hidden option you can only bring up with a certain set of mouse clicks on a certain screen which the users so far have had no problem with, but it means that you don't know how to enter a keycode unless you get the official registration email which is the only place we publish that information. The person that posted the keycode didn't include those instructions so we've been amused to see replies to their message saying that there is no way to enter the key. It doesn't take a genius to find an alternative way to do it, but it probably stopped a number of people right off the bat.
Not sure if I like hiding the registration dialog, as it makes things that bit harder for legitimate users. With time limited activation most all problems go away. I also lock the license info to the PC, after it is sent. What this does is allow the license info to be backed up and restored for that PC, but prevents it being restored to another PC. One of the perenial problems we all have is where company x uses more licenses than they've paid for. This helps stop that. And on it goes. ;) A good friend of mine Russell Robinson, is developing a comprehensive Software Protection System + Web based CRM with options to enable the verification of licenses back to your server, along with the ability for a legit customer to request a new license at any time. As most people are connected to the Web these days, this is a very good way to go, as others have said. He has a demo of the CRM up and running which you can play with and the guts of the SPS working. The licensing system has grown from code Russell developed for his products and is part of what I use in ED. I suggest you drop Russell an email at: russellr@rootsoftware.com and see what he is up to. Neville Franks, Author of ED for Windows. Free Trial at www.getsoft.com
-
So for anyone who is interested in how a license key gets onto one of those piracy sites I can now speak from experience: On September 11th we get an order for one license of our software. We email the unique license key to the address provided. Last weekend hits to download our software on our website go through the roof, 1000 times more than normal. We backtrack the link and find it's a Chinese site that does nothing but provide license keys, cracked versions of software etc. We find that a link has been placed to our software with the license key and regto name 4 days after it was purchased. We get pissed off, immediately update the download to not work with the keycode in question, problem is that hundreds and hundreds of people have already downloaded and our software is mirrored at tucows which takes forever to update. They continute to download at an astonishing rate, we're over 7GB of bandwidth on Sunday alone. There can't possibly be this many people actually interested in the software, I get the feeling that they are people that would download anything if it's free. We can't simply move the file on our site to break their link, it's linked to by thousands of shareware sites, tucows etc. Our isp tries all day to block anyone coming in with the referrer of this chinese cracker site, ultimately manages to only cause everyone coming to any page on our site to get a permission denied and finally gives up and can't do anything about it. (it's an IIS server, not unix). Mean while, while all this is going on, we contact our lawyers, they start rubbing their hands together, I realize this is going to cost a lot of money so we opt to try to sort it out ourselves. We call the Canadian and U.S. big anti software piracy groups. They basically laugh at us and say give is $5,000.000 to sign up and we'll take a look at it. At this point I'm even more pissed off so I decide it's time to just phone and find out what's going on. I phone the credit card owner, they have no idea what our software is and it turns out have many other charges they didn't authorize. (note, this is a nice older couple, no chance they did this, their credit card info was stolen). I phone the person who we emailed the license key to, he works in another state entirely from the credit card owner, turns out their network was hacked into and our software wasn't the only one that was stolen through thier network and email, they have sinced patched and have kept all the records for any criminal investigation.
What irks me is that when software companies such as yours have to defend themselves they have to (1) spend lots of money to reduce the effects, and (2) potentially lose out of licence revenue. I'm a software developer, naturally - which I am here - and as far as I am concerned takes the food off my table and the roof from my head if people don't pay. I am irked by people (mostly non-computing people) asking that since I have an MSDN subscription, and therefore a vast library of MS software, could I see my way to lending them the Office or Windows disk. :mad: No I B@&*dy well could not! :mad: I pay my mortgage because people pay me to write software. "But, :-D Microsoft is a big company with billions in cash in the bank - they won't notice:-D." ":mad:I don't care! Its the principle. Microsoft pays its software developers, who use that money to feed and clothe themselves, to provide a roof over their heads, to provide for their families. If people like you :mad: don't pay for software, Microsoft's or not, then the software companies can't pay their employees, and they can't in turn can't afford to feed themselves!" "But, I am sure you've got copied software. ;)" "NO I HAVE NOT! :mad: AND I AM DISGUSTED THAT YOU THINK I DO :mad:" ":omg:You've never copied software?" "NOT EVEN AT UNIVERSITY :mad: - I WAS THAT LONE STUDENT WHO PAID FOR THE EDUCATIONAL EDITION OF MICROSOFT OFFICE and BORLAND C++" . . . .... :-O Excuse me... I have to go and rest for a bit. I'm a bit flustered... --Colin Mackay--
"In the confrontation between the stream and the rock, the stream always wins - not through strength but perseverance." (H. Jackson Brown)
-
Excellent idea! Thank you, aside from all the other stuff that we do that would be very beneficial. We currently have a temporary keycode system that we use for purchase orders in case they don't get paid, but we don't use that for credit card purchases, I'm also thinking of making that more widespread as well. (I.E. the initial keycode is a temporary one and we email a replacement when we actually get paid, but it could be extended to any order after a couple of weeks get the final keycode) What we also do and something that I don't know why more people don't do is we don't have anywhere in the program a visible way to enter a keycode. The enter keycode dialog doesn't contain any static text related to keycodes all that text is encrypted in the program and it's a hidden option you can only bring up with a certain set of mouse clicks on a certain screen which the users so far have had no problem with, but it means that you don't know how to enter a keycode unless you get the official registration email which is the only place we publish that information. The person that posted the keycode didn't include those instructions so we've been amused to see replies to their message saying that there is no way to enter the key. It doesn't take a genius to find an alternative way to do it, but it probably stopped a number of people right off the bat.
One more thing. We require prospects to Register with their email address etc, and then send them login details for our Forums, where they can download the software. This no doubt puts some people off, but serious punters will go through the process. If you had a system like this I'm sure it would have stemmed the flood of downloads considerably. The other upside is we can follow up with them later, as we know how to contact them. Neville Franks, Author of ED for Windows. Free Trial at www.getsoft.com
-
What irks me is that when software companies such as yours have to defend themselves they have to (1) spend lots of money to reduce the effects, and (2) potentially lose out of licence revenue. I'm a software developer, naturally - which I am here - and as far as I am concerned takes the food off my table and the roof from my head if people don't pay. I am irked by people (mostly non-computing people) asking that since I have an MSDN subscription, and therefore a vast library of MS software, could I see my way to lending them the Office or Windows disk. :mad: No I B@&*dy well could not! :mad: I pay my mortgage because people pay me to write software. "But, :-D Microsoft is a big company with billions in cash in the bank - they won't notice:-D." ":mad:I don't care! Its the principle. Microsoft pays its software developers, who use that money to feed and clothe themselves, to provide a roof over their heads, to provide for their families. If people like you :mad: don't pay for software, Microsoft's or not, then the software companies can't pay their employees, and they can't in turn can't afford to feed themselves!" "But, I am sure you've got copied software. ;)" "NO I HAVE NOT! :mad: AND I AM DISGUSTED THAT YOU THINK I DO :mad:" ":omg:You've never copied software?" "NOT EVEN AT UNIVERSITY :mad: - I WAS THAT LONE STUDENT WHO PAID FOR THE EDUCATIONAL EDITION OF MICROSOFT OFFICE and BORLAND C++" . . . .... :-O Excuse me... I have to go and rest for a bit. I'm a bit flustered... --Colin Mackay--
"In the confrontation between the stream and the rock, the stream always wins - not through strength but perseverance." (H. Jackson Brown)
Okay [Starts to breath more easily, and colour is returning to normal] I've calmed down a bit... I've just gone to look and see how easy it is to find cracked software. :eek: That was way too easy!:omg: But what gets me in the site I found was that its "Easy 3 step instructions" include as the third step: Crack-Locator.com wrote: 3. If you like the software, please support the author and buy it! Every good job should be paid. :wtf: Is that not the pot calling the kettle black? --Colin Mackay--
"In the confrontation between the stream and the rock, the stream always wins - not through strength but perseverance." (H. Jackson Brown)
-
So for anyone who is interested in how a license key gets onto one of those piracy sites I can now speak from experience: On September 11th we get an order for one license of our software. We email the unique license key to the address provided. Last weekend hits to download our software on our website go through the roof, 1000 times more than normal. We backtrack the link and find it's a Chinese site that does nothing but provide license keys, cracked versions of software etc. We find that a link has been placed to our software with the license key and regto name 4 days after it was purchased. We get pissed off, immediately update the download to not work with the keycode in question, problem is that hundreds and hundreds of people have already downloaded and our software is mirrored at tucows which takes forever to update. They continute to download at an astonishing rate, we're over 7GB of bandwidth on Sunday alone. There can't possibly be this many people actually interested in the software, I get the feeling that they are people that would download anything if it's free. We can't simply move the file on our site to break their link, it's linked to by thousands of shareware sites, tucows etc. Our isp tries all day to block anyone coming in with the referrer of this chinese cracker site, ultimately manages to only cause everyone coming to any page on our site to get a permission denied and finally gives up and can't do anything about it. (it's an IIS server, not unix). Mean while, while all this is going on, we contact our lawyers, they start rubbing their hands together, I realize this is going to cost a lot of money so we opt to try to sort it out ourselves. We call the Canadian and U.S. big anti software piracy groups. They basically laugh at us and say give is $5,000.000 to sign up and we'll take a look at it. At this point I'm even more pissed off so I decide it's time to just phone and find out what's going on. I phone the credit card owner, they have no idea what our software is and it turns out have many other charges they didn't authorize. (note, this is a nice older couple, no chance they did this, their credit card info was stolen). I phone the person who we emailed the license key to, he works in another state entirely from the credit card owner, turns out their network was hacked into and our software wasn't the only one that was stolen through thier network and email, they have sinced patched and have kept all the records for any criminal investigation.
Why not use online activation? That way, if a key code is stolen you can immediately invalidate it so that no one using it will be able to activate. That's what I do, but I'm not sure if it has adverse effects on legitimate customers. I have a symbiotic relationship with my computer.
-
So for anyone who is interested in how a license key gets onto one of those piracy sites I can now speak from experience: On September 11th we get an order for one license of our software. We email the unique license key to the address provided. Last weekend hits to download our software on our website go through the roof, 1000 times more than normal. We backtrack the link and find it's a Chinese site that does nothing but provide license keys, cracked versions of software etc. We find that a link has been placed to our software with the license key and regto name 4 days after it was purchased. We get pissed off, immediately update the download to not work with the keycode in question, problem is that hundreds and hundreds of people have already downloaded and our software is mirrored at tucows which takes forever to update. They continute to download at an astonishing rate, we're over 7GB of bandwidth on Sunday alone. There can't possibly be this many people actually interested in the software, I get the feeling that they are people that would download anything if it's free. We can't simply move the file on our site to break their link, it's linked to by thousands of shareware sites, tucows etc. Our isp tries all day to block anyone coming in with the referrer of this chinese cracker site, ultimately manages to only cause everyone coming to any page on our site to get a permission denied and finally gives up and can't do anything about it. (it's an IIS server, not unix). Mean while, while all this is going on, we contact our lawyers, they start rubbing their hands together, I realize this is going to cost a lot of money so we opt to try to sort it out ourselves. We call the Canadian and U.S. big anti software piracy groups. They basically laugh at us and say give is $5,000.000 to sign up and we'll take a look at it. At this point I'm even more pissed off so I decide it's time to just phone and find out what's going on. I phone the credit card owner, they have no idea what our software is and it turns out have many other charges they didn't authorize. (note, this is a nice older couple, no chance they did this, their credit card info was stolen). I phone the person who we emailed the license key to, he works in another state entirely from the credit card owner, turns out their network was hacked into and our software wasn't the only one that was stolen through thier network and email, they have sinced patched and have kept all the records for any criminal investigation.
John Cardinal wrote: Bottom line is that technically, we're out USD$20,000.00+ worth of licenses from the people that downloaded before we patched our software to not use that keycode (of course they will never be able to upgrade) Actually, although I'm very sorry for your problems, this linear extrapolation is just that. I know it probably doesn't do much to soothe your soul, but the lionshare of illegal downloads were probably by people who wouldn't have bought your software anyway, so you may not be out anywhere near as much you think. I don't know what your software is or does, and that will also have bearing on how much you lost, depending on the intended audience, etc. But this is the age-old debate over piracy. How many people who acquire illegal copies of a given piece of software would have bought it had they not been able to acquire it illegally? It's a nearly unknowable factor. The only option is to use s different licensing system (yes, I know, there are upsides and downsides to everything) which doesn't allow multiple installations from one key. Good luck in the future. Paul
-
John Cardinal wrote: Bottom line is that technically, we're out USD$20,000.00+ worth of licenses from the people that downloaded before we patched our software to not use that keycode (of course they will never be able to upgrade) Actually, although I'm very sorry for your problems, this linear extrapolation is just that. I know it probably doesn't do much to soothe your soul, but the lionshare of illegal downloads were probably by people who wouldn't have bought your software anyway, so you may not be out anywhere near as much you think. I don't know what your software is or does, and that will also have bearing on how much you lost, depending on the intended audience, etc. But this is the age-old debate over piracy. How many people who acquire illegal copies of a given piece of software would have bought it had they not been able to acquire it illegally? It's a nearly unknowable factor. The only option is to use s different licensing system (yes, I know, there are upsides and downsides to everything) which doesn't allow multiple installations from one key. Good luck in the future. Paul
A few people have pointed this out already, it's not so much the potential loss of licenses, it's the real costs we've already incurred from the whole incident: In expenses we're down the price of a license, the price of lost time and productivity of two of our senior staff dealing with this, a few hundred dollars lawyers fees to find out what's involved, lot's of long distance calls all over the U.S., bandwidth charges from our ISP, lost revenue when our site went down while the ISP was trying to block that referrer and real paying customers couldn't get through, delays for downloads of legit people because the file was being hammered so heavily on our site etc. In real expense just to deal with this, completely ignoring the lost sales potential we're probably out a few thousand at least which is big for us
Strangers passing in the street By chance two separate glances meet And I am you and what I see is me...
-
I've thought about this and I think Microsoft has the best scheme. Make the user activate...once they've activated, make sure you have their IP, hardware config, etc. Hey, they're already downloading your software...what's a few minutes more online for an activation process, eh?
Hawaian shirts and shorts work too in Summer. People assume you're either a complete nut (in which case not a worthy target) or so damn good you don't need to worry about camouflage... -Anna-Jayne Metcalfe on Paintballing
I think it took something like three days to break Microsoft's activation process. If I remember correctly, the OS checks for a particular value in a particular file. All you need to do is drop the right value into that file and bam - WindowsXP thinks it has already been activated. Turn off the windows update (which apparently makes sure you are using a registered copy of WindowsXP) and the OS runs just fine. (Turning off the windows update means you don't get patches, though - remember the Blaster virus?) Of course, I haven't done any of this. But, that's what I've heard from other people. ------------------------------------------ The ousted but stubbornly non-dead leader reportedly released an audiotape this weekend, ending by calling on Iraqis to, quote, "resist the occupation in any way you can, from writing on walls, to boycotting, to demonstrating and taking up arms." adding, "you know, pretty much anything I used to kill you for." - The Daily Show
-
So for anyone who is interested in how a license key gets onto one of those piracy sites I can now speak from experience: On September 11th we get an order for one license of our software. We email the unique license key to the address provided. Last weekend hits to download our software on our website go through the roof, 1000 times more than normal. We backtrack the link and find it's a Chinese site that does nothing but provide license keys, cracked versions of software etc. We find that a link has been placed to our software with the license key and regto name 4 days after it was purchased. We get pissed off, immediately update the download to not work with the keycode in question, problem is that hundreds and hundreds of people have already downloaded and our software is mirrored at tucows which takes forever to update. They continute to download at an astonishing rate, we're over 7GB of bandwidth on Sunday alone. There can't possibly be this many people actually interested in the software, I get the feeling that they are people that would download anything if it's free. We can't simply move the file on our site to break their link, it's linked to by thousands of shareware sites, tucows etc. Our isp tries all day to block anyone coming in with the referrer of this chinese cracker site, ultimately manages to only cause everyone coming to any page on our site to get a permission denied and finally gives up and can't do anything about it. (it's an IIS server, not unix). Mean while, while all this is going on, we contact our lawyers, they start rubbing their hands together, I realize this is going to cost a lot of money so we opt to try to sort it out ourselves. We call the Canadian and U.S. big anti software piracy groups. They basically laugh at us and say give is $5,000.000 to sign up and we'll take a look at it. At this point I'm even more pissed off so I decide it's time to just phone and find out what's going on. I phone the credit card owner, they have no idea what our software is and it turns out have many other charges they didn't authorize. (note, this is a nice older couple, no chance they did this, their credit card info was stolen). I phone the person who we emailed the license key to, he works in another state entirely from the credit card owner, turns out their network was hacked into and our software wasn't the only one that was stolen through thier network and email, they have sinced patched and have kept all the records for any criminal investigation.
I understand your pain. The last app I made, I spent more time on security then the actual app. Hence neither has it been broke, or very popular. Good luck Regardz Colin J Davies
*** WARNING *
This could be addictive
**The minion's version of "Catch :bob: "It's a real shame that people as stupid as you can work out how to use a computer. said by Christian Graus in the Soapbox
-
Okay [Starts to breath more easily, and colour is returning to normal] I've calmed down a bit... I've just gone to look and see how easy it is to find cracked software. :eek: That was way too easy!:omg: But what gets me in the site I found was that its "Easy 3 step instructions" include as the third step: Crack-Locator.com wrote: 3. If you like the software, please support the author and buy it! Every good job should be paid. :wtf: Is that not the pot calling the kettle black? --Colin Mackay--
"In the confrontation between the stream and the rock, the stream always wins - not through strength but perseverance." (H. Jackson Brown)
I love the idea that warez sites are free security services, that test that your protection is up to standard. Regardz Colin J Davies
*** WARNING *
This could be addictive
**The minion's version of "Catch :bob: "It's a real shame that people as stupid as you can work out how to use a computer. said by Christian Graus in the Soapbox
-
A few people have pointed this out already, it's not so much the potential loss of licenses, it's the real costs we've already incurred from the whole incident: In expenses we're down the price of a license, the price of lost time and productivity of two of our senior staff dealing with this, a few hundred dollars lawyers fees to find out what's involved, lot's of long distance calls all over the U.S., bandwidth charges from our ISP, lost revenue when our site went down while the ISP was trying to block that referrer and real paying customers couldn't get through, delays for downloads of legit people because the file was being hammered so heavily on our site etc. In real expense just to deal with this, completely ignoring the lost sales potential we're probably out a few thousand at least which is big for us
Strangers passing in the street By chance two separate glances meet And I am you and what I see is me...
John Cardinal wrote: A few people have pointed this out already, it's not so much the potential loss of licenses, it's the real costs we've already incurred from the whole incident: And you're absolutely correct, which is why I indicated that you hadn't lost 'as much as you think', whereas some will try to suggest that you haven't lost _anything_. The truth is always somewhere inbetween. Econimically, you've lost a certain amount of tangible expenses that you wouldn't normally incur (talking to your lawyers) and some intangibles that are always difficult to quantify (such as lost technician time- the results of which will vary from tech to tech). As far as the tangibles (lawyer expenses) this may be an opportune time for you to rethink the use of your lawyers if they weren't able to do anything for you. But that's another issue altogether. Again, my ultimate advice would be to consider a different licensing scheme. The downsides usually being that if it becomes a difficult, cranky process for an individual to get your pgm up and going (registered) you may alienate potential legit users. And again, don't get me wrong- I don't suggest you haven't lost anything. The upside is that your information to the group here has been valuable and has generated some good discussion of the 'what if's' of licensing schemes and potential violations. Good luck in future. Paul
-
So for anyone who is interested in how a license key gets onto one of those piracy sites I can now speak from experience: On September 11th we get an order for one license of our software. We email the unique license key to the address provided. Last weekend hits to download our software on our website go through the roof, 1000 times more than normal. We backtrack the link and find it's a Chinese site that does nothing but provide license keys, cracked versions of software etc. We find that a link has been placed to our software with the license key and regto name 4 days after it was purchased. We get pissed off, immediately update the download to not work with the keycode in question, problem is that hundreds and hundreds of people have already downloaded and our software is mirrored at tucows which takes forever to update. They continute to download at an astonishing rate, we're over 7GB of bandwidth on Sunday alone. There can't possibly be this many people actually interested in the software, I get the feeling that they are people that would download anything if it's free. We can't simply move the file on our site to break their link, it's linked to by thousands of shareware sites, tucows etc. Our isp tries all day to block anyone coming in with the referrer of this chinese cracker site, ultimately manages to only cause everyone coming to any page on our site to get a permission denied and finally gives up and can't do anything about it. (it's an IIS server, not unix). Mean while, while all this is going on, we contact our lawyers, they start rubbing their hands together, I realize this is going to cost a lot of money so we opt to try to sort it out ourselves. We call the Canadian and U.S. big anti software piracy groups. They basically laugh at us and say give is $5,000.000 to sign up and we'll take a look at it. At this point I'm even more pissed off so I decide it's time to just phone and find out what's going on. I phone the credit card owner, they have no idea what our software is and it turns out have many other charges they didn't authorize. (note, this is a nice older couple, no chance they did this, their credit card info was stolen). I phone the person who we emailed the license key to, he works in another state entirely from the credit card owner, turns out their network was hacked into and our software wasn't the only one that was stolen through thier network and email, they have sinced patched and have kept all the records for any criminal investigation.
John, I feel your pain. Ouch! I've come in late on this thread, and Neville Franks has already declared my interest in this topic. Reading through though, I've noticed some really good ideas put forward - timing out registration codes, using a temporary registration code until payment is made, encrypting stuff, communication back to your server. These are all good. There's at least one bad idea too - a "drop in" library that provides crack proofing. This won't and can't work. If 100 apps use a library that protects their software, then one crack on that library cracks all the 100 apps too (or, at the very least, makes it easy to crack all the apps). Interestingly, nobody has actually said "you can't crack proof your software, so don't bother, just sell it cheaply and let anyone copy it". That's the usual diatribe one gets from at least someone when you talk about protecting your software from theft. BTW, is anyone interested in an article that debunks the Free Software Foundation's Manifesto? (I like the FSF, I'm extremely grateful to them, but the Manifesto is rubbish). The important point is that any protection system you use *will be* cracked if someone really wants to crack it. Similarly, your car *will be* stolen and your house *will be* broken into if some thief wants it badly enough - no matter what security measures you use. And that's exactly the point....people who say "don't protect your software" are missing the fact they they themselves lock their own doors! It's all about deterrents and increasing the effort required by the thief. Also, a *really* good idea, that was mentioned indirectly by someone, is to let the cracker think he has done it! They move on, and lose all their kudos when their posted crack doesn't work. I always think it's like kicking them in the groin. Oh Yeah! Enough ranting. Here's my strategy.... 1. Use strong encryption for registration codes and any other encryption you use. Weak encryption means that the thief can attack you there; and possibly generate registration codes themselves. That's the worst scenario possible. Strong encryption forces them to play by your rules. 2. Force them to crack your software (strong encryption does this for you). This knocks out all casual crackers and customers who just want to "lend it to their friends". The cracker must now play the game you've created for him. 3. Recognize that a Turing machine is a simple beast and a computer is just a glorified Turing machine. Any code in a Turing
-
Nishant S wrote: But I am trying to tell you that you did not lose anything financially as you seem to have convinced your Sorry but that's plain wrong, even if you disregard the value of the licenses, here's why: In expenses we're down the price of a license, the price of lost time and productivity of two of our senior staff dealing with this, a few hundred dollars lawyers fees to find out what's involved, lot's of long distance calls all over the U.S., bandwidth charges from our ISP, lost revenue when our site went down while the ISP was trying to block that referrer and real paying customers couldn't get through, delays for downloads of legit people because the file was being hammered so heavily on our site etc. In real expense just to deal with this, completely ignoring the lost sales potential we're probably out a few thousand at least which is big for us.
John Cardinal wrote: In real expense just to deal with this, completely ignoring the lost sales potential we're probably out a few thousand at least which is big for us. Yup, you are right. I apologize for being so short sighted in my previous reply. I empathize your pain much more now than earlier. Regards Nish
Extending MFC Applications with the .NET Framework [NW] (coming soon...) Summer Love and Some more Cricket [NW] (My first novel) Shog's review of SLASMC [NW] Come with me if you want to live