
Ask HN: How to best release “Windows desktop software” in wild? - tejpratap
I am going to be releasing Windows desktop software for sportfist.com in the wild soon and need HELP.

What steps did you take to maintain control over your software?

How often did you ping your server with what information?
Which obfuscator did you use?

How did you make sure that software becomes useless on license expiry (given that most of the obfuscation can be reversed)?

Which software did you use to update your app (squirrel, clickonce etc)?

What's the cheapest way to get a certificate?

How did you get error log back to server (given that log files can be bulky & smaller log files might lose relevant info)?

How did you password protect your sqlite db (ilspy can be used to reverse any password protection strategy)?

How did you minimize support effort for your software?

Anything else I should keep in mind (release checklist, tips)?
======
dogma1138
Rule of thumb: do not put anything in the client that you do not want a user to
see; any "protection" can and will be broken.

Obfuscation doesn't stop attackers, nor does it even really slow them down; it
can hinder client side debugging and cause its own set of issues (antiviruses,
for example, tend to dislike obfuscated binaries even if they are
signed).

Same thing with protecting the DB, what for? I'll assume you want to hide some
business logic; well, either move it server side or have it exposed. A password
won't stop anyone; even if you super obfuscate it an attacker can just steal
the connection string from memory ;)

Same goes for licensing: any scheme will be broken, and unlike a game your
software isn't time sensitive. A copy protection mechanism that delays a crack
even by a few days did its work, as it's designed to give a window for the
impulse buyers/easily frustrated that will buy the game if it's not cracked on
release.

For commercial software a week or month won't matter, so if it will be popular
it will be cracked.

~~~
tejpratap
Your points are valid, but I still want to make it as hard as possible for my
software to be broken. First this will reduce number of counterfeit copies.
Second this will give me peace of mind that I have done my part well.

~~~
dogma1138
Why? Some basic licensing scheme might be required for some liability
insurance and distribution channel deals.

Look at it this way: all software gets hacked within hours; if you delay the
hacker by 30 min, is that worth investing your resources in?

If anything going the way of "begware" might be better since it takes little
to no effort and provides just as much real world protection as virtually any
other protection scheme.

If your customers are primarily businesses it doesn't matter, the liability of
using counterfeit software is too large, if it's individuals then it's all
about pricing and support.

It seems that you are aiming your product at a niche market which is good, but
heck Siemens physical simulation software that doesn't have a large install
base worldwide gets cracked, primarily because there are individuals and
institutions in emerging markets that want to use it but cannot afford the 6
figures or so price tag.

But in all honesty a niche software aimed at a locked (racquet sports) western
market with probably sufficiently high income isn't too much at risk of being
pirated that much as long as the pricing isn't prohibitive.

Your efforts are better spent on pricing it right, marketing it well and
having easy distribution channels to get the software distributed. You can
sell digital software on Amazon these days (they email you the license key),
you have the Windows App store, worry less about pirates and more about
getting an easy way for people to get your software.

In all honesty a larger threat to your sales will be open source projects (if
they exist) and existing software (again if it exists) and inaccessibility.

While I don't like to generalize too much I'm not sure how much overlap there
is between racquet sports coaches, pros and semi-pros and TorrentLeech's user
base.

Rule of thumb: if the first thing someone googles after hearing about your
software is "yoursoftware + crack", it's going to be because you do not offer a
proper evaluation version, or getting a legitimate copy is too difficult or
price prohibitive for your targeted market.

------
yodon
This isn't what you want to hear, but protecting desktop software from piracy
isn't something you can bolt on at the end of a project.

If everything lives on the user's machine, there is no technology that can
stop it from being pirated. That's why SaaS software exists and why just about
every software company of any significance founded since 1995 (the dawn of the
web and the dawn of ubiquitous piracy) is either a SaaS model, advertising
model, or open-source-plus-support-or-hosting model.

~~~
tejpratap
I started with SaaS and btw it's still supported. Specific section of users
have requested some functionality to be available offline. Hence the need for
desktop software.

------
techjuice
Do not do ping backs without notifying and getting consent from the user. As
most run a firewall or use a network with one which will more than likely
block the request and data should not be sent to you without the user's manual
opt-in.

In terms of maintaining control over your software, it is not possible once
you release it to the world. Most companies use a license key they generate on
their server that works with the compiled version of the software the user
downloads. As you will also need to support offline activations, just like
Microsoft and other big companies do. You may also want to use a license file
that the user can download. I would also recommend against having software
stop working unless you ensure the user knows up front that it is subscription
based and has an explicit expiration date when they launch the program.

In terms of tracking registrations, I normally will allow the user to register
the software on launch and if they do not want to, I have the option in a help
menu but do not make it a requirement as some people need to work offline, and
requiring an internet connection would cause some serious issues.

Obfuscation only deters the regular joe; the top of their game types can get
what they are looking for very quickly, so do not waste too much time and
effort on code obfuscation. If you do want to, many companies use Themida to
handle their licensing and IP protection needs.

I normally use my own servers to host and distribute update code behind Akamai
services so there are no direct connections back to my systems from non-Akamai
systems. This ensures the servers are always available and I can scale easier
and cheaper. In terms of updates I will ask the end user if they would like to
automatically check for updates along with a preferred time interval. If they
agree I will check for updates in the background matching their preference. If
they select no, then I do not check for updates and will normally have a nice
message appear 30 days later informing them there has not been a check for
updates in 30 days with the option to never show the message again or check
for updates.

I would stay away from cheapest way to get a certificate as those can be
aligned with companies that do not follow the proper procedures at all times
for being a certificate authority. Go with the trusted brand that shows up on
most of the software you use and have a backup plan in case the CA gets
revoked.

For errors, when one occurs I ask the user if they want to send the error
message and logs to the developer. If they do not then I do not collect them;
if they do then I will normally upload it to the system and have them
authenticate to validate the error/crash report. This allows them to see all
of their reports and view the status of them.

I do not protect the sqlite databases in any way as if it is on their machine
they should be able to read it. It really helps if there was an application
issue and they are required to make manual updates in rare occasions.

For minimizing the support efforts I make highly detailed downloadable PDFs,
CHM kits, videos and customer FAQ pages. If they submit even the smallest "how
do I do ABC", I write a tutorial on how to do it, as if they asked someone else
will do the same eventually. I also spend an extremely large amount of time on
UI/UX to ensure that it is dead simple to use. This also includes heavy
automated GUI and CLI testing of the application, including how it acts on
high/low end high/low bandwidth systems and different operating systems.

My biggest tip would be to make it dead easy for the end user to use your app,
do not overly nag them, ask for permission before making any system changes or
sending out or receiving any data. Also never send them promotional emails or
mail unless they opt-in to receive them. One last thing, treat the user like
someone you are trying to befriend face to face and treat them with respect
and you will gain their loyalty and they will normally help you dramatically
with word of mouth advertising without you having to ask them to do it.
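
The license-file approach described in the comment above, sketched as an added example (not part of the thread and not any commenter's code): the vendor signs the license with a private key kept on its server, and the client verifies it offline using only an embedded public key. The `product|licensee|expiry` payload layout, the class and method names, the demo values and the use of .NET Core 3.0 or later are all assumptions.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added example: payload layout "product|licensee|expiry" and all names are assumptions.
public static class LicenseFile
{
    // Vendor server: sign the payload with the private key, which never ships to customers.
    public static string Issue(ECDsa vendorKey, string product, string licensee, DateTime expiresUtc)
    {
        string expiry = expiresUtc.ToString("yyyy-MM-dd", CultureInfo.InvariantCulture);
        string payload = $"{product}|{licensee}|{expiry}";
        byte[] sig = vendorKey.SignData(Encoding.UTF8.GetBytes(payload), HashAlgorithmName.SHA256);
        return payload + "\n" + Convert.ToBase64String(sig);
    }

    // Desktop client: needs only the embedded public key, so it works offline.
    public static bool IsValid(byte[] vendorPublicKey, string licenseText, string product, DateTime nowUtc)
    {
        string[] lines = licenseText.Split('\n');
        if (lines.Length != 2) return false;
        string[] fields = lines[0].Split('|');
        if (fields.Length != 3 || fields[0] != product) return false;
        if (!DateTime.TryParseExact(fields[2], "yyyy-MM-dd", CultureInfo.InvariantCulture,
                DateTimeStyles.None, out DateTime expires)) return false;
        byte[] sig;
        try { sig = Convert.FromBase64String(lines[1]); }
        catch (FormatException) { return false; }
        using ECDsa pub = ECDsa.Create();
        pub.ImportSubjectPublicKeyInfo(vendorPublicKey, out _);
        // Verify the signature first; only then is the expiry field trustworthy.
        return pub.VerifyData(Encoding.UTF8.GetBytes(lines[0]), sig, HashAlgorithmName.SHA256)
               && nowUtc.Date <= expires.Date;
    }

    public static void Main()
    {
        using ECDsa vendorKey = ECDsa.Create(ECCurve.NamedCurves.nistP256); // constructed demo key
        byte[] pub = vendorKey.ExportSubjectPublicKeyInfo();
        string lic = Issue(vendorKey, "DemoApp", "alice@example.com", new DateTime(2030, 1, 1));
        DateTime now = new DateTime(2025, 6, 1);
        Console.WriteLine(IsValid(pub, lic, "DemoApp", now));                          // genuine file
        Console.WriteLine(IsValid(pub, lic.Replace("2030", "2099"), "DemoApp", now)); // edited expiry
        Console.WriteLine(IsValid(pub, lic, "DemoApp", new DateTime(2031, 1, 1)));    // past expiry
    }
}
```

The signature only prevents forged or edited license files; as the thread notes, the check itself still lives in the client binary.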

~~~
tejpratap
Thank you for the detailed reply. I concur with most of your suggestions.
Added creating detailed PDF manual for the software to list of my backlog.

------
marczellm
Did you consider distributing it through the Windows Store? It can, AFAIK,

- accommodate desktop software (Win32) with the Desktop App Converter

- deliver updates

- take care of license stuff

~~~
tejpratap
Is app store available on Windows 8/7? Not all of my clients are on Windows
10.

------
GnarfGnarf
Zendesk is great for managing customer support.

~~~
tejpratap
Yes, I have used it for my previous project. One thing to keep in mind is that
they have a very steep pricing model.

