
Show HN: Add license key verification to your apps - frknsn
https://github.com/furkansenharputlu/f-license
======
paypalcust83
Be very careful with licensing.

VMware early on had licensing code that disabled a customer's app and cost
them a lot of money. Licensing of enterprise features is best to have a nag
screen and disable some future actions rather than drop a ban-hammer. They
were forced to strip out that code and ended up with weak enforcement of
licensing.

Telemetry and online verification are unacceptable to some customers of on-
prem software. To them, it should work even if the vendor goes out of
business.

Volume license keys should exist for large-scale deployment of on-prem
software in concert with open sources surveillance (search engines and warez
sites) of license keys and software to prevent abuse. Even then, it's better
to reissue volume license keys to customers because DLP of an external entity
is an essentially impossible task... at least they will know there's a problem
and may work to police themselves.

Stopping all piracy is undesirable because persons who cannot afford it but
are in/direct decision-makers have the ability to sabotage sales and/or
acquire an unfavorable impression of the brand. Piracy and leaks are
indirectly helpful to overall sales and marketing. Keep it down to a dull
roar, because some people and some factions of industries are more-or-less
like Fight Club. If something is used commercially at-scale from a small
vendor, support their survival with licensing fees... don't be Best Buy.

~~~
ptx
> open sources surveillance (search engines and warez sites)

That's the first time I've heard "open source" used to refer to a warez site.

Is this overloading of the term being seeded by someone in order to, in a
roundabout way, discredit the open source movement? A few years ago there
would have been an obvious suspect for such FUD, but they seem to have
embraced open source these days, so that wouldn't make sense.

Weird.

~~~
frobozz
Open Source surveillance means "looking for/at stuff that is openly published"
- e.g. looking on warez sites for keys being shared.

I'm pretty sure the term has been in use since the 1940s

~~~
ptx
Ah, I guess so. Thanks. Perhaps my tinfoil hat got in the way of seeing the
context.

~~~
p_l
It is called some other terms depending on country, so it can be non-trivial
to grok when you first encounter it.

(For years, I knew it as "White Intelligence")

------
huhtenberg
Not to be harsh, but this is largely useless.

The biggest issues with in-app licensing are

(1) Binding licensing to the machine (or the user!)

(2) Making sure that your licensing check can't be NOP'ed by a l33t haxxor
within 5 minutes of the release.

Tangential to that is (3) which is an ability to tolerate minor changes to the
machine _and_ OS reinstalls without invalidating the license.

(1) and (3) aren't hard to solve, just need to decide which machine/OS
properties a license should be "latched on" to. Popular choices are MACs, HDD
serials (from the ATA IDENTIFY block), SMBIOS IDs, MachineGuid on Windows,
etc. Better yet, it's not a bad idea to bind to a _set_ of machine properties
and then tolerate a change of _some_.

(2) is a domain of its own. Basically that's an anti-reverse-engineering task.
It's not terribly hard to roll out something on your own, but you do need to
know what typical hacks look like. From exe patching to process training / API
hooking, there _is_ a substantial learning curve, but it's a quite interesting
one.

That is, the biggest part of any "license key verification" is not the actual
"license key verification", but rather all the nuances that make sure it
actually works as designed and doesn't affect users' experience in normal-use
cases.
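
The "bind to a _set_ of machine properties and tolerate a change of _some_"
approach from points (1) and (3) above, as an added Go example (not code from
f-license or from the commenter): the license carries a salted hash of each
bound property plus a minimum match count, and the whole payload is
Ed25519-signed so neither the hashes nor the threshold can be edited in the
license file. The MAC, disk serial and machine-id values are constructed
placeholders; a real app would read them from the OS.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// License is the signed payload. Each bound property is stored as a salted
// SHA-256 so the license file does not disclose raw MACs or serial numbers.
type License struct {
	Customer      string   `json:"customer"`
	Salt          string   `json:"salt"`
	MachineHashes []string `json:"machine_hashes"`
	MinMatches    int      `json:"min_matches"`
}

// SignedLicense is what the vendor ships: the JSON payload plus its signature.
type SignedLicense struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// NewKeyPair generates the vendor signing key; only the public half ships in the app.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func hashProperty(salt, name, value string) string {
	h := sha256.Sum256([]byte(salt + "\x00" + name + "\x00" + value))
	return hex.EncodeToString(h[:])
}

// Issue binds a license to the given machine properties and records how many
// of them must still match at verification time.
func Issue(priv ed25519.PrivateKey, customer string, props map[string]string, minMatches int) (*SignedLicense, error) {
	if minMatches < 1 || minMatches > len(props) {
		return nil, errors.New("min_matches must be between 1 and the number of bound properties")
	}
	saltBytes := make([]byte, 16)
	if _, err := rand.Read(saltBytes); err != nil {
		return nil, err
	}
	lic := License{Customer: customer, Salt: hex.EncodeToString(saltBytes), MinMatches: minMatches}
	for name, value := range props {
		lic.MachineHashes = append(lic.MachineHashes, hashProperty(lic.Salt, name, value))
	}
	sort.Strings(lic.MachineHashes) // map order is random; keep the signed payload deterministic
	payload, err := json.Marshal(lic)
	if err != nil {
		return nil, err
	}
	return &SignedLicense{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify checks the signature before trusting any field, then counts how many
// of the machine's current properties are among the bound ones. The count is
// returned alongside the error so the app can log a drifting machine before
// it actually drops below the threshold.
func Verify(pub ed25519.PublicKey, sl *SignedLicense, current map[string]string) (int, error) {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, sl.Payload, sl.Signature) {
		return 0, errors.New("license signature invalid")
	}
	var lic License
	if err := json.Unmarshal(sl.Payload, &lic); err != nil {
		return 0, err
	}
	bound := make(map[string]bool, len(lic.MachineHashes))
	for _, h := range lic.MachineHashes {
		bound[h] = true
	}
	matches := 0
	for name, value := range current {
		if bound[hashProperty(lic.Salt, name, value)] {
			matches++
		}
	}
	if matches < lic.MinMatches {
		return matches, fmt.Errorf("only %d of %d bound properties match, need %d", matches, len(lic.MachineHashes), lic.MinMatches)
	}
	return matches, nil
}

func main() {
	pub, priv, _ := NewKeyPair()
	// Constructed sample values standing in for what the OS would report.
	atIssue := map[string]string{
		"mac":         "02:00:00:aa:bb:cc",
		"disk_serial": "CONSTRUCTED-DISK-0001",
		"machine_id":  "11111111-2222-3333-4444-555555555555",
	}
	sl, _ := Issue(priv, "Example Customer", atIssue, 2) // any 2 of 3 must survive
	afterReinstall := map[string]string{
		"mac":         atIssue["mac"],
		"disk_serial": atIssue["disk_serial"],
		"machine_id":  "99999999-8888-7777-6666-555555555555", // OS reinstall regenerated it
	}
	n, err := Verify(pub, sl, afterReinstall)
	fmt.Println(n, err)
}
```

With a 2-of-3 threshold an OS reinstall (new machine id) or a disk swap keeps
the license valid, while a license copied to an unrelated machine matches
nothing. Because the threshold lives inside the signed payload, lowering it
in the license file breaks the signature; this does nothing, of course,
about the commenter's point (2), patching the check out of the binary itself.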

~~~
nexuist
I really believe this is why SaaS is such a dominating business model now.
Software licensing failed because it is technically impossible, and no amount
of clever tricks will save you from determined groups / individuals. If it
runs on your machine, you will be able to get it to run again without the
licensing requirements. We saw large companies get pwned time and time again.

On the other hand, there is no way you can see what a SaaS backend is doing
and replicate that locally. Sure, you can rip off the frontend, but that's
just a thin client over the API anyways. The API is the proprietary product,
and much easier to secure.

Even if a blackhat breaks into your SaaS repository and leaks your source code
(which is generally a freak event, especially among businesses that take
cybersec seriously) - what are your customers supposed to do with that? I
wouldn't expect your average AirTable customer to be able to understand how to
launch and maintain an AirTable instance.

It's just a better idea to serve your product over the Web. If you sell native
applications, you can't expect to make as much money as SaaS equivalents.

~~~
jfkebwjsbx
This is not true for business applications and many customer ones.

Enterprises cannot risk legal problems. And home customers will buy licenses
if price is fair.

------
lukevp
Is remote verification fully open over http with no user credential
verification or rate limiting? If I were to implement remote verification in
an app, I would want to have the user logged in to an account prior to adding
a license key. You could accomplish this by putting the KMS behind a proxy but
this seems like a likely attack surface if using this the way it’s outlined in
the docs.
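
One way to address the concern above about an open remote-verification
endpoint, as an added Go example that is not f-license's code: the handler
requires an account bearer token before it will look up a key, rate-limits
both per source IP (before authentication) and per account (after it), and
only consults keys owned by the authenticated account. The token, account
and license-key values are constructed placeholders, and the two in-memory
maps stand in for the KMS database.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"net"
	"net/http"
	"strings"
	"sync"
	"time"
)

// Constructed sample data in place of the KMS database: which bearer token
// belongs to which account, and which license keys each account owns.
var accountTokens = map[string]string{"tok-alice-CONSTRUCTED": "alice"}
var accountLicenses = map[string]map[string]bool{
	"alice": {"LIC-CONSTRUCTED-0001": true},
}

// rateLimiter is a fixed-window counter keyed by an arbitrary client id
// ("ip:<addr>" before authentication, "acct:<name>" after it).
type rateLimiter struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	now    func() time.Time // injectable clock so the window logic is testable
	seen   map[string]bucket
}

type bucket struct {
	count int
	start time.Time
}

func newRateLimiter(limit int, window time.Duration) *rateLimiter {
	return &rateLimiter{limit: limit, window: window, now: time.Now, seen: map[string]bucket{}}
}

// allow returns false once a client has made more than limit requests in the window.
func (r *rateLimiter) allow(client string) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	now := r.now()
	b, ok := r.seen[client]
	if !ok || now.Sub(b.start) >= r.window {
		r.seen[client] = bucket{count: 1, start: now}
		return true
	}
	if b.count >= r.limit {
		return false
	}
	b.count++
	r.seen[client] = b
	return true
}

func clientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// authenticate maps a Bearer token to an account. The comparison is constant
// time so response timing does not reveal how much of a guessed token matched.
func authenticate(r *http.Request) (string, bool) {
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, "Bearer ") {
		return "", false
	}
	tok := strings.TrimPrefix(h, "Bearer ")
	for known, account := range accountTokens {
		if subtle.ConstantTimeCompare([]byte(tok), []byte(known)) == 1 {
			return account, true
		}
	}
	return "", false
}

type verifyRequest struct {
	Key string `json:"key"`
}

// VerifyHandler runs the cheap checks first: per-IP limit, authentication,
// per-account limit, and only then the license lookup.
func VerifyHandler(rl *rateLimiter) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		if !rl.allow("ip:" + clientIP(r)) {
			w.Header().Set("Retry-After", "60")
			http.Error(w, "too many requests", http.StatusTooManyRequests)
			return
		}
		account, ok := authenticate(r)
		if !ok {
			w.Header().Set("WWW-Authenticate", "Bearer")
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !rl.allow("acct:" + account) {
			w.Header().Set("Retry-After", "60")
			http.Error(w, "too many requests", http.StatusTooManyRequests)
			return
		}
		var req verifyRequest
		if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1024)).Decode(&req); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		// Only the authenticated account's own keys are consulted, so one
		// account's token cannot be used to probe another account's keys.
		if !accountLicenses[account][req.Key] {
			http.Error(w, "license not found", http.StatusNotFound)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]bool{"valid": true})
	})
}

func main() {
	// Assumed deployment: TLS terminated in front of this listener.
	http.ListenAndServe("127.0.0.1:8080", VerifyHandler(newRateLimiter(30, time.Minute)))
}
```

In a deployment behind a reverse proxy the per-IP key would come from the
proxy's trusted client-address header rather than RemoteAddr, and the token
and license maps would be backed by the KMS store; the ordering of the
checks is the part that matters, since an unauthenticated caller never
reaches the key lookup at all.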

------
looping__lui
Personally I found LimeLM offering a pretty amazing and sophisticated product
at very decent prices. Personally, I would never want to suffer the pain of
keeping licensing servers running etc. :-)

In my experience, software licensing will just “get rid of the casual piracy”
- but I could never see not having a licensing solution in software work for
business...

Beyond protecting software I found it similarly necessary to take down illegal
software copies. There are automated tools for that luckily.

Yeah, your software will be cracked sooner or later. But it is not all black
and white and there are now really great sophisticated solutions out there
that _minimize_ the frustration for paying customers whilst also protecting
your IP...

~~~
toyg
_> I could never see not having a licensing solution in software work for
business_

The most business-y of business-y tech businesses, Oracle, doesn't use license
keys. Everyone can download pretty much any of their products. When they
acquired the company I worked for, the first thing they did was to release
master licenses to everyone for free. Saved us peons in the support trenches
the aggro of dealing with a terrible license-server we embedded, the name of
which I've mercifully forgotten.

How do they do it? Their audience are legitimate businesses who would rather
stay on the right side of the law than save a few pennies here and there. And
Oracle won't answer the phone unless you have a paid support contract.

Obviously this model won't work for everyone, but IMHO businesses who sell to
businesses can live happily without license keys (and the stress/costs they
generate on their support operations).

~~~
rahimnathwani
Oracle does not rely on companies' good intentions, or their need for ongoing
support.

They use contracts and audits to make sure they get what they're owed. If you
can force companies to pay _after_ they start using something, then making it
as easy as possible for them to expand usage is going to maximise your
revenue.

Google 'Oracle License Audit' or 'Oracle LMS' to learn more.

~~~
toyg
Man, I worked for them, I know the score :)

And that's precisely what I said: they just use the law ("contracts").
Legitimate businesses don't want problems with the law. It's more effective,
for Oracle, to carefully draft (and subsequently enforce) legal documents,
than to add some rigamarole that will only make life harder for legitimate
clients and their own support ops.

~~~
rahimnathwani
Right, but the cost of enforcement doesn't scale linearly with licence cost.
If your median customer spends millions with you per year, you can afford to
spend money on enforcement. If your median customer spends $10k/year, I don't
see how you can compel them to submit to an audit, or how you can get positive
ROI from enforcement activities.

This is one of the benefits of SaaS (for sellers).

~~~
toyg
You’d be surprised how far a couple of graceful but stern legal-looking
template letters can go.

Of course SaaS is a solution, but that doesn’t really apply to the type of
software that requires license keys (i.e. standalone and likely behind the
firewall).

------
systemvoltage
Why MongoDB?

~~~
rooam-dev
Why !MongoDB?

~~~
jedberg
Because MongoDB is a document store and you really only need a key/value store
for this.

Also because MongoDB started life preferring speed vs durability, which is a
bad look for a database. They may have fixed that now, but I cannot forgive
them for that.

~~~
rooam-dev
"The best tool is the one I know".

~~~
jedberg
Except when it's not. :)

~~~
rooam-dev
I don't compare HTML vs. C here, obviously I am talking about databases. All
personal feelings aside, there is no technical reason to NOT use MongoDB as a
key value store if one has experience with it, because after release comes
maintenance and learning a new tool while fixing production problems doesn't
make sense to me.

------
FloatArtifact
I'd much rather have a license key tied to a preferred account than to a
platform like Google/Apple. That also allows for cross-platform licensing,
which is rare among apps.

------
mikejulietbravo
This is really cool - you should write a how-to blog on it when you have time.
I think it could really help drive more adoption.

~~~
frknsn
Should I write it in GitHub wiki page? Or, is there any other place that you
can suggest? Thanks a lot for the feedback!

------
frknsn
Should I remove remote verification entirely? Or, how can I adjust it to make
it more proper to use?

------
ackbar03
I can prob patch this over in the time it takes to finish a mug of coffee

