Use deception to protect your software from piracy - shin_lao
http://www.bureau14.fr/blogea/2010/01/security-through-deception/

======
jrockway
Question 1: Are you making enough money from the legitimate users? If so,
forget about piracy. Some people will always steal, just because they think
it's fun. Don't waste your time on these people; spend your time adding value
for the people that actually pay for your software. If your anti-pirate
protection is buggy, you will piss off the people who are already paying for
your software.

As an example, take the movie industry. Their "war on piracy" has ensured that
I will never pay for (or watch) a major movie again. When you pirate a movie,
it's HD, and it plays on any device. You don't need a special cable, you don't
need an HDCP-capable surge protector (or whatever). You can fast-forward
whenever you want, and you can't be forced to watch ads or the "don't pirate
this" propaganda. If you have a fast connection, you can usually watch the
movie as it downloads. All in all, a great user experience.

When you pay for a movie, though, all that is out the window. You have to
watch ads. You can't have HD unless you have a special cable and a special
monitor. You can't watch the movie on a portable device. You can't download
the movie; you have to walk to the store, pick something up, talk to a clerk,
and carry the movie home. You have to buy a lot of stuff you don't need, you
get fewer features, and you have to pay $20 for the privilege.

The movie industry thinks these piracy countermeasures discourage piracy, but
actually, they make not pirating the product extremely unappealing. You would
have to be insane not to pirate the movie.

Don't do this to your software.

~~~
shin_lao
I really agree with you about the movie industry and also the music industry.
That's because they didn't analyze that copying a movie or lending it to
friends is actually a feature.

There's also much more to music and movies than just the product. It's Art,
it's a way of communication. It conveys cultural and ideological values.
People can have a deep and emotional link with a movie or music. Adding "don't
pirate this" movies and making it hard to share what you love with your
friends is really killing what your business is about.

Software is different. ISVs are actually hurt by piracy. Platforms have died
because of piracy (Atari, Amiga), and most importantly it's possible to
protect a little bit from piracy without annoying your users. I think asking
for a serial number once or calling home from time to time is really
reasonable. It doesn't affect the user experience and protects both you and
your customers.

Where you are right is when you say you must evaluate how much piracy costs
you before doing anything. Copying your software must not be "trivial". You
want to avoid the situation where it's easier to find a pirate copy than an
original one.

But spending months adding anti-reverse-engineering features is just plain
stupid.

~~~
jrockway
I don't think ISVs are hurt by piracy, they are hurt by people not buying
their products. Sure, with piracy, it's easier to not buy your product. But I
doubt anyone has ever gotten to the serial number screen and said, "oh, this
needs a serial number? I guess I will pay $1000 for a real copy instead of
looking for a crack." No. The people that pay for software already made the
decision to pay you.

As a practical matter, we use a lot of "ISV" software at work. None of it
requires registration or activation or phoning home. If it did, we wouldn't be
allowed to purchase it. (This is at a company of 300,000 people, and I think
most companies of this size have similar restrictions.)

------
storborg
This seems like a fast track towards building a really bad reputation for your
software. In many markets the pirates will be the most vocal users, and this
could paint your software in a horrible light. How do users know if the crash
is caused by your copy protection, or by just plain bad software?

And that's not even getting started on the people-try-before-they-buy-with-piracy
argument, which is controversial enough that I don't want to go there.

~~~
scotty79
I second that. You want to cripple the pirated version of your software in a
specific, obvious, maybe even fun way.

The Sims had such protection. If the game was incompetently pirated, then the
player could not kill cockroaches in the game. It was specific enough that when
people googled for some info about cockroaches they found out that the cause
was a badly pirated version. Some of them might have bought the legal version.
Others just looked around for a more thoroughly pirated version. But everyone
knew the game was good and solid.

------
harry
"It must be so much easier to buy the software from you than getting the
illegal copy that your customers will quickly dismiss the latter."

Yes THIS! Exactly.

Perfect example in my book is Steam. Steam has singlehandedly made me a
consistent game purveyor in my off-work hours. Provide me with games from a
trustworthy source where I don't have to get up off my ass to go buy it from a
kid behind a counter - offer a service that's reliable, fast, keeps my games
up to date and lets me do away with a gigantic binder of 200 cd's & cdkeys and
I'll happily dish out the money you deserve.

~~~
billybob
<pedantic>

purvey

1 : to supply (as provisions) usually as a matter of business

2 : peddle

</pedantic>

~~~
hyperbovine
Is the close pedantic tag meant to suggest that you are not normally a pedant?
I find it hard to envision somebody who is not posting such a comment.

</querulous>

~~~
allenbrunson
the OP's use of the word 'purvey' was exactly backwards. if i had made such a
mistake, i'd want to know about it.

~~~
Retric
It's not the message that's annoying, but the format:

FYI: You flipped it, "A purveyor of goods or services is a person or company
that provides them" not the other way around.

That communicates the same thing and takes up less space, and is easier to
understand. And by starting with FYI: most people can simply skip it.

~~~
allenbrunson
okay, that's fair. but i thought billybob's presentation was pretty good! it
struck me as ironic-slash-cheeky, which is a quality i see in a lot of the
best technical people.

------
alextgordon
This is certainly a bad idea.

The last thing you want to do is get into a battle with crackers. They have
far more time and expertise at cracking software than you do at stopping them.

For this to work, the intentional bug would have to be small enough not to
warrant "fixing" by the cracker. In other words, it's unlikely to make a
difference.

It's better to think about _why_ people pirate software. A large proportion
don't have the means or inclination to buy, so let's disregard them
completely. The remaining group _could_ buy, but for whatever reason, do not.

If piracy is easier than purchasing the software legitimately, you've got a
problem. Ideally your store should be one page, and require as little
information to be entered as possible. Multiple payment methods minimise the
chance that a customer won't be able to complete the transaction. PayPal makes
impulse purchases easier (assuming you're at that price point).

To sum up: You're probably not losing many real sales to piracy. In the cases
where you are, you won't restore them by adding layers of "protection", but
rather by looking at why someone might choose to pirate in the first place, and
fixing it.

~~~
NateLawson
Instead of dismissing it out-of-hand, perhaps suggest that developers find
metrics for measuring piracy and apply the appropriate amount of protection to
their problem.

Disclaimer: one of Root Labs' areas of business is exactly that.

------
snprbob86
This reminds me of the Gamasutra article about Spyro the Dragon a few years
back: <http://news.ycombinator.com/item?id=1031510>

Randomly removing essential game items required for progression. Well, that's
just cruel :-)

------
mcotton
What legal implications does this have? You shouldn't be liable for someone
illegally using your software. If you store their information they may have
some claim against you for locking up their data.

~~~
lmkg
(IANAL) In California, it's illegal to place (injuring) booby-traps, because
it's effectively punishing somebody for a crime without a trial and that
violates due process of law. However, refusing someone use of a stolen good
isn't the same as punishing them for stealing it. I doubt this has come to
trial yet, but a reasonable line to draw would be that bad side effects can
castrate the stolen software as much as you want, but cannot extend any
further than the intended use of the software itself. Having stolen software
not work is totally fine; damaging the host computer in some way or leaking
private information is probably a good way to get yourself sued.

~~~
rdtsc
> damaging the host computer in some way or leaking private information is
> probably a good way to get yourself sued.

The intent is to not damage anything, but rather to only crash the program
itself. This might lead the user to visit a support forum where they will be
kindly advised to purchase a legitimate copy of the software.

However, if I understand correctly, the program is crashed when it overwrites
its own memory. That means that at some point it could end up executing random
code. Although very unlikely, it is possible that it could execute the
equivalent of "remove user's home directory" code. A more likely, but less
'punishing' outcome could be the execution of a tight infinite loop. That
could be interpreted as a 'denial of service' and thus fall under the
booby-trap law.

------
thinkbohemian
If major corporations aren't dick enough to do this to their users, I don't
think many of us have the luxury.

------
ThinkWriteMute
Does this mean I should write my future software in Whitespace
(<http://en.wikipedia.org/wiki/Whitespace_(programming_language)>)?