

Implementing a partial serial number verification system - Torn
http://www.brandonstaggs.com/2007/07/26/implementing-a-partial-serial-number-verification-system-in-delphi/

======
mattmanser
He produces Bible Study software and still has to fight keygen hackers. Even
as an atheist I find that slightly sad.

~~~
xulescu
Best comment of the day :D.

------
a2tech
This really seems like a lot of hassle to go through to protect your software.
Why bother really? The people who are getting cracked versions of the software
aren't going to pay for it, so it's not like you're losing a customer to the
cracked version.

I've always thought the 'nag screen' software seemed like the best solution:
let the user buy a key to turn off the prompts but leave full functionality
enabled for non-paying customers. However, throw up a nag screen when commonly
used functions are activated. Click the 'Save' button? Throw up a nag screen
for a variable amount of time between 5-15 seconds. Long enough for the user
to see it and be reminded, but not long enough to really irritate them.

~~~
tomjen3
>The people who are getting cracked versions of the software aren't going to
pay for it, so it's not like you're losing a customer to the cracked version.

This is often stated, but is actually not true. There is a really old article
where a guy wrote a shareware program such that when it was installed it would
randomly choose (with equal probability) whether it should be a fully working
version or it should print every 4th page with a registration form, rather
than the page the user wanted to print.

His experiment proved that significantly more users paid for the program when
it was crippled than when it wasn't (I think it was 100% more, but I am not
entirely sure).

So no, people who would otherwise be willing to pirate your program won't do
this if you make it difficult enough.

~~~
eli
That sounds more like a test of trialware vs donationware, which I don't think
is exactly the same as someone seeking out and using a cracked version.

I'm sure there are people who would buy a program if they couldn't find a
cracked version, but...

1) It has to be enough lost sales to make it worth the effort of protecting
the app rather than, say, adding features that would bring in new customers.
And you also don't want to implement onerous DRM that would _cost_ you sales.

2) If your app is at all popular, it will get cracked anyway. I'm pretty sure
most of the people cracking software are doing so for fun, not profit. And
they appreciate a challenge.

------
nadam
A question to those who are more experienced than me:

I know that crackers are a big problem in the case of 'consumer software' e.g.
games, simple utilities. My assumption is that this is not a problem in case
of software specifically created for small and medium-sized companies. So
currently I think I will not build any copyright protection into the software
I am creating right now. I assume that companies (at least in the 'developed
countries') mostly play fair (-> behave according to the license of the
software). Is my assumption right?

~~~
count
I think it depends on how expensive your software is, and who makes the
'decision'.

I've seen thousands of WinZip installs go unlicensed for years.

I doubt anybody pirates Oracle for business use though.

~~~
qeorge
Same experience here, but consider this:

WinZip will work forever without being licensed. Oracle makes you buy a new
license for every core.

Part of it might be the cost of the software, but pirating Oracle is also much
harder than pirating WinZip.

~~~
someone_here
Actually Corel just changed WinZip to stop working after 60 days and saw a
sales increase of 20%.

~~~
count
I always wondered how they made any money - then I did some work for the US
DoD. Nearly every desktop has a licensed copy of WinZip! My new firm has
WinZip licenses as well - while Windows can do zip files natively now, it
still cannot (as far as I know?) encrypt them natively.

------
charleso
Why not implement the keygen using public key cryptography? Wouldn't that
eliminate the possibility of a reverse-engineered keygen right off?

~~~
gxti
If a "license file" is acceptable, this works great -- you can use a human-
readable text file describing the license (expiration, features, etc.) and
sign it inline with PGP. I've seen Citrix XenServer use this approach, for
example. However, even just the signature is really too big to use as a serial
number replacement. ECC might work.

~~~
m_eiman
If you sell the software digitally the size of the "serial number" isn't a
problem.

Just put it on a web page (and in an email, for later use) and have the user
copy-paste it. Or even better, do what patio11 is doing: when the user clicks
"Buy software" in the app, add a magic number to the URL you send the user to
and have the software poll the server to see if the user has paid yet.

Also: poll the clipboard to see if the user has copied a valid serial key, to
save the user the hassle of pasting it in the correct input box.
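
A worked version of the signed license file that gxti and m_eiman are
describing, as an added example that is not part of the original thread or of
the article's Delphi code. It uses Ed25519 (the ECC option gxti mentions) from
Go's standard library, and the license layout (key=value lines, a final
`sig=` line, an `expires` field), the field names and the fixed demo signing
seed are all assumptions made for this example:

```go
package main

import (
	"crypto/ed25519"
	"encoding/base32"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

var (
	ErrNoSig   = errors.New("license has no signature line")
	ErrBadSig  = errors.New("license signature does not verify")
	ErrExpired = errors.New("license has expired")
	ErrNoDate  = errors.New("license has no valid expires field")
)

// DemoKeyPair derives a fixed Ed25519 key pair from a constructed 32-byte
// seed so the example is reproducible. A vendor generates the real pair
// once, ships only the public half inside the product, and keeps the
// private half (the keygen) off every customer machine.
func DemoKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := []byte("example-vendor-signing-seed-0001") // 32 bytes, demo only
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// Sign appends a base32 Ed25519 signature over the license body as a final
// "sig=" line. The body stays human-readable; only the vendor can produce
// the last line.
func Sign(priv ed25519.PrivateKey, body string) string {
	body = strings.TrimRight(body, "\n")
	sig := ed25519.Sign(priv, []byte(body))
	return body + "\nsig=" + b32.EncodeToString(sig) + "\n"
}

// Verify checks the signature and only then parses the key=value fields,
// so nothing in the body is trusted before the signature is verified.
func Verify(pub ed25519.PublicKey, text string) (map[string]string, error) {
	idx := strings.LastIndex(text, "\nsig=")
	if idx < 0 {
		return nil, ErrNoSig
	}
	body := text[:idx]
	sig, err := b32.DecodeString(strings.TrimSpace(text[idx+len("\nsig="):]))
	if err != nil || len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, []byte(body), sig) {
		return nil, ErrBadSig
	}
	fields := map[string]string{}
	for _, line := range strings.Split(body, "\n") {
		if k, v, ok := strings.Cut(line, "="); ok {
			fields[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return fields, nil
}

// CheckExpiry enforces the signed expires=YYYY-MM-DD field against now.
func CheckExpiry(fields map[string]string, now time.Time) error {
	exp, err := time.Parse("2006-01-02", fields["expires"])
	if err != nil {
		return ErrNoDate
	}
	if now.After(exp) {
		return ErrExpired
	}
	return nil
}

func main() {
	pub, priv := DemoKeyPair()
	text := Sign(priv, "licensee=Example Corp\nfeatures=pro,export\nexpires=2030-01-01")
	fmt.Print(text)
	fields, err := Verify(pub, text)
	fmt.Println("verify:", err, "features:", fields["features"])
	tampered := strings.Replace(text, "features=pro", "features=pro,enterprise", 1)
	_, err = Verify(pub, tampered)
	fmt.Println("tampered:", err)
	fmt.Println("signature chars:", len(b32.EncodeToString(make([]byte, ed25519.SignatureSize))))
}
```

The 64-byte Ed25519 signature is 103 base32 characters, which is too long to
read over the phone but trivial to copy from a web page or an e-mail, which is
m_eiman's point. Editing any field, including the expiry date, invalidates
the signature, and a keygen would need the private key, which never leaves
the vendor. What this does not stop is patching the verifier out of the
binary, so it removes the keygen problem, not the cracking problem.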

------
ars
Doesn't the checksum allow the cracker to check if a key is "real" even if he
only can reverse engineer part of it?

Or at the very minimum the checksum reduces the number of possible keys that
still work with the checked portions, so the cracker can release a series of
keys and tell the user to keep trying them.

~~~
pornel
A cracker might find a working key from a known checksum, but that would give
only one key, and if you have the checksum, you probably have the rest of the
key too.

A cracker couldn't create keys from the checksum algorithm alone, because
random checksummed data would pass only the first checksum check, but not the
additional validation.
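
To make the exchange between ars and pornel concrete, here is an added example
of a partial serial number verification scheme in Go. It is not the article's
Delphi code and not part of the thread; the key layout (an 8-hex-digit seed,
four derived subkey bytes, a 4-hex-digit checksum), the subkey derivation, the
parameter table and the blacklisted seed are all constructed for this example.
`PartialKeygen` plays the cracker who reverse-engineered one release and so
knows only the parameters that release checked:

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Key layout (20 hex digits): SEED(8) | K0 K1 K2 K3 (2 each) | CHECKSUM(4).
// The seed identifies the customer; each K_i is derived from the seed with
// secret parameters. A release embeds only the parameter rows it checks, so
// reversing one release reveals only those rows.
const numSubkeys = 4

// Secret per-subkey parameters (a, b, c). Constructed demo values; a real
// vendor never ships all rows in one binary.
var subkeyParams = [numSubkeys][3]uint32{
	{24, 3, 200},
	{10, 0, 56},
	{1, 2, 91},
	{7, 1, 100},
}

func subkeyByte(seed, a, b, c uint32) byte {
	return byte(((seed >> a) & 0xFF) ^ ((seed >> b) | c))
}

// checksum is a small Fletcher-style sum over the key body. It only catches
// typos: anyone can recompute it, so it is not a security boundary.
func checksum(body string) uint16 {
	left, right := uint16(0x56), uint16(0xAF)
	for i := 0; i < len(body); i++ {
		right += uint16(body[i])
		if right > 0xFF {
			right -= 0xFF
		}
		left += right
		if left > 0xFF {
			left -= 0xFF
		}
	}
	return left<<8 | right
}

func assemble(seed uint32, sub func(int) byte) string {
	var sb strings.Builder
	fmt.Fprintf(&sb, "%08X", seed)
	for i := 0; i < numSubkeys; i++ {
		fmt.Fprintf(&sb, "%02X", sub(i))
	}
	body := sb.String()
	return fmt.Sprintf("%s%04X", body, checksum(body))
}

// GenerateKey is the vendor-side keygen: it needs all four parameter rows.
func GenerateKey(seed uint32) string {
	return assemble(seed, func(i int) byte {
		p := subkeyParams[i]
		return subkeyByte(seed, p[0], p[1], p[2])
	})
}

// PartialKeygen models a cracker who recovered only the rows in known from
// one release and fills the remaining subkeys with zeros; the checksum is
// recomputed, so the checksum test alone never catches this.
func PartialKeygen(seed uint32, known []int) string {
	return assemble(seed, func(i int) byte {
		for _, k := range known {
			if k == i {
				p := subkeyParams[i]
				return subkeyByte(seed, p[0], p[1], p[2])
			}
		}
		return 0x00
	})
}

var (
	ErrFormat      = errors.New("malformed key")
	ErrChecksum    = errors.New("checksum mismatch")
	ErrBlacklisted = errors.New("blacklisted seed")
	ErrSubkey      = errors.New("subkey mismatch")
)

// Seeds of keys known to have leaked (constructed value).
var blacklist = map[uint32]bool{0x11111111: true}

// CheckKey is what ships in the client. verify lists the subkey indexes this
// particular release checks; each release checks a different subset.
func CheckKey(key string, verify []int) error {
	key = strings.ToUpper(strings.ReplaceAll(key, "-", ""))
	if _, err := hex.DecodeString(key); err != nil || len(key) != 8+2*numSubkeys+4 {
		return ErrFormat
	}
	body, sum := key[:len(key)-4], key[len(key)-4:]
	if fmt.Sprintf("%04X", checksum(body)) != sum {
		return ErrChecksum
	}
	seed64, _ := strconv.ParseUint(key[:8], 16, 32)
	seed := uint32(seed64)
	if blacklist[seed] {
		return ErrBlacklisted
	}
	for _, i := range verify {
		p := subkeyParams[i]
		want := fmt.Sprintf("%02X", subkeyByte(seed, p[0], p[1], p[2]))
		if key[8+2*i:10+2*i] != want {
			return ErrSubkey
		}
	}
	return nil
}

func main() {
	genuine := GenerateKey(0xC0DE)
	forged := PartialKeygen(0xC0DE, []int{0}) // cracker reversed release 1 only
	fmt.Println("genuine:", genuine, CheckKey(genuine, []int{0, 2}))
	fmt.Println("forged vs release 1 (checks K0):", CheckKey(forged, []int{0}))
	fmt.Println("forged vs release 2 (checks K0,K2):", CheckKey(forged, []int{0, 2}))
}
```

The forged key passes the checksum and the release it was built against, and
fails the next release, which is the whole bet of the scheme. The same run
also shows its limit: with four subkeys there are only four rows to rotate
through, so after a few releases a patient cracker has seen every row and can
build a complete keygen, and the checksum never helped either way.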

------
drv
I don't see how automatic, silent updates are any better than "phoning home"
for key validation. The partial verification system requires constant updates
to be any more useful than a verification of the entire key, and if these
updates are optional, the illicit users will just opt out of updating.

Presumably it's also possible to run out of new parts of the key to check, at
which point anyone who has been keeping track will have enough information to
build a full generator.

~~~
gus_massa
I think he is speaking about "silently updating" the downloadable installer
that is in the web page, not about "silently updating" the installed version
in the user’s computer.

------
kevinpet
This solution seems a good compromise between the security provided and the
inconvenience. The inconvenience is simply entering a license key when you
install or reinstall. This is key -- more restrictive DRM solutions with
phoning home and so on are a serious inconvenience.

The security is good enough that someone looking for your software probably
won't be able to find a working license key or keygen.

