

Ask HN: Copy protection? - randrews

My employer is worried that our clients will steal our application, and so wants me to research copy protection methods.

The application is all client-side, must run without access to the network, and is written in IronRuby.

I'm having a lot of trouble thinking of a solution that I wouldn't be able to break. I know that it's impossible for it to be totally unbreakable, but could someone give me an idea of a pretty good solution?

Apparently cost is no object either.

Edit: Dongles are apparently cheaper than I thought, in the $200 range for a starter kit with five of them. Has anyone worked with them before? What do they do, just give you a small storage area that's somehow hard to access?
======
fragmede
Depending on how much 'cost is no object', hardware dongles
(<http://en.wikipedia.org/wiki/Dongle>) are very much still used for copy
protection on larger, professional software packages.
<http://www.safenet-inc.com/> and <http://www.marx.com/> are two that I know of.

Another method I've seen is to lock the software down to a particular hardware
instance. In this method, the customer has to run a program on the computer
that the program will be installed to, which grabs all sorts of unique things,
like MAC address of any network devices, hard drive serial numbers, etc. The
customer then sends the resulting info file back and a unique unlock key is
generated.

But at the root of it, the protection is still done in software, which is very
much still crackable by a skilled enough attacker. But for software you cannot
download from the internet without a company-provided password, skilled
attackers are harder to come by. Compare that to something like WinZip, which
was used as a teaching tool for how to write cracks.
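
Added example, not part of the comment above and not any vendor's code: one way to build the hardware-locked unlock key it describes, in Ruby. It assumes the unlock key is an RSA signature over the machine fingerprint plus an expiry date; all function names and the sample identifiers are hypothetical.

```ruby
require 'openssl'
require 'digest'
require 'json'
require 'time'

SHA256 = -> { OpenSSL::Digest.new('SHA256') }

# One fingerprint from all collected identifiers; normalising and sorting
# makes it independent of case and of device enumeration order.
def fingerprint(ids)
  Digest::SHA256.hexdigest(ids.map { |i| i.strip.downcase }.sort.join("\n"))
end

# Vendor side: sign fingerprint + expiry. The private key never ships.
def issue_unlock_key(private_key, info_fingerprint, expires)
  payload = JSON.generate('fp' => info_fingerprint, 'exp' => expires.utc.iso8601)
  signature = private_key.sign(SHA256.call, payload)
  [payload].pack('m0') + '.' + [signature].pack('m0')
end

# Customer side: only the public key is embedded in the application.
def check_unlock_key(public_key, unlock_key, local_ids, now = Time.now)
  payload_b64, sig_b64 = unlock_key.split('.', 2)
  return :malformed if payload_b64.nil? || sig_b64.nil?
  payload = payload_b64.unpack1('m0')   # strict Base64, raises on junk
  signature = sig_b64.unpack1('m0')
  return :bad_signature unless public_key.verify(SHA256.call, signature, payload)
  claims = JSON.parse(payload)
  return :wrong_machine unless claims['fp'] == fingerprint(local_ids)
  return :expired if now > Time.iso8601(claims['exp'])
  :ok
rescue ArgumentError, JSON::ParserError, OpenSSL::PKey::PKeyError
  :malformed
end

# Constructed sample data, not real hardware identifiers.
VENDOR_KEY = OpenSSL::PKey::RSA.new(2048)
SHIPPED_PUBLIC_KEY = OpenSSL::PKey::RSA.new(VENDOR_KEY.public_key.to_pem)
MACHINE_A = ['00:16:3E:AA:BB:01', 'DISK-SERIAL-EXAMPLE-0001']
MACHINE_B = ['00:16:3E:AA:BB:02', 'DISK-SERIAL-EXAMPLE-0002']
KEY_A = issue_unlock_key(VENDOR_KEY, fingerprint(MACHINE_A), Time.utc(2030, 1, 1))

puts check_unlock_key(SHIPPED_PUBLIC_KEY, KEY_A, MACHINE_A, Time.utc(2029, 6, 1))
puts check_unlock_key(SHIPPED_PUBLIC_KEY, KEY_A, MACHINE_B, Time.utc(2029, 6, 1))
```

Signing means the key material shipped with the program can only verify licenses, not mint them; the check itself still runs in software on the customer's machine.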

~~~
randrews
That's the problem I've been running into. At some point, in a piece of code
we ship them, we will have to have a thing that checks a license and then
decrypts the code and runs it. They can just edit that code.

~~~
wmf
You're thinking too hard. Use a dongle, and if people crack it then it's not
your problem (blame the dongle vendor).

~~~
randrews
I've been looking at a dongle that allows you to run code on it, so you'd be
able to pass it an encrypted program and it would encrypt it for you (without
putting the key on the host machine). That should be as secure as the dongle
is.

My problem is that I've been thinking of a dongle as a secure-ish way to store
a key, which still leaves the responsibility for using the key on my code.

------
hga
If you're serious and "cost is no object", you probably want something
dongle-based: <http://en.wikipedia.org/wiki/Dongle#Copy_protection>

Note that the objective probably isn't something _you_ can't break, but
something that raises the bar high enough it's not worth it for any/many of
your customers to pay someone to break.

~~~
randrews
Some kind of dongle is definitely required, but wouldn't someone be able to
read the code to our app, remove the dongle-checking part, and then copy it
all they want?

We do have a way to keep the code encrypted until we run it, but we have to
ship the key with the code...

~~~
trin_
So you're shipping the code with the product or is the code the product
(website/app)?

~~~
randrews
Yeah, the code is the product, it's a program to do physical simulations of a
certain industrial process (actually more interesting than it sounds!)

~~~
trin_
And why don't you just ship compiled versions and add some sort of licencing
into your program? Or does the contract state that you have to give the
source code along with the program (that would make it "some software you
built on contract for a company" and not "your product"!)?

~~~
randrews
The main problem is that we want to do time-based licensing, so they can only
use the product for a month or whatever before buying a new license. Anything
we do in the program to check that license, they'll be able to edit the
program to remove.

~~~
ig1
Just include an audit clause in the contract which allows you to audit them
for licence compliance. Add a comment in the code around the check which says
"If you report your employer for illegally using our software we will give you
a $10,000 reward anonymously".

~~~
randrews
That's actually a pretty good idea. :-)

