This really seems like a lot of hassle to go through to protect your software. Why bother really? The people who are getting cracked versions of the software aren't going to pay for it, so it's not like you're losing a customer to the cracked version.
I've always thought the 'nag screen' software seemed like the best solution: let the user buy a key to turn off the prompts but leave full functionality enabled for non-paying customers. However, throw up a nag screen when commonly used functions are activated. Click the 'Save' button? Throw up a nag screen for a variable amount of time between 5-15 seconds. Long enough for the user to see it and be reminded, but not long enough to really irritate them.
> The people who are getting cracked versions of the software aren't going to pay for it, so it's not like you're losing a customer to the cracked version.
This is often stated, but is actually not true. There is a really old article where a guy wrote a shareware program such that when it was installed it would randomly choose (with equal probability) whether it should be a fully working version or it should print every 4th page with a registration form, rather than the page the user wanted to print.
His experiment proved that significantly more users paid for the program when it was crippled than when it wasn't (I think it was 100% more, but I am not entirely sure).
So no, people who would otherwise be willing to pirate your program won't do this if you make it difficult enough.
That sounds more like a test of trialware vs donationware, which I don't think is exactly the same as someone seeking out and using a cracked version.
I'm sure there are people who would buy a program if they couldn't find a cracked version, but...
1) It has to be enough lost sales to make it worth the effort of protecting the app rather than, say, adding features that would bring in new customers. And you also don't want to implement onerous DRM that would cost you sales.
2) If your app is at all popular, it will get cracked anyway. I'm pretty sure most of the people cracking software are doing so for fun, not profit. And they appreciate a challenge.
Piracy for video games generally reports one lost sale per one thousand pirates. Games seem fungible, in that they all solve the 'boredom' problem. I'd imagine the more unique the problem you are solving, the more worthwhile piracy prevention is.
On the other hand, worrying about piracy sometimes seems like fitting a square peg into a round hole, or tweaking a garlic and ham dessert recipe. Find a way to benefit both sides of the transaction instead.
If a "license file" is acceptable, this works great -- you can use a human-readable text file describing the license (expiration, features, etc.) and sign it inline with PGP. I've seen Citrix XenServer use this approach, for example. However, even just the signature is really too big to use as a serial number replacement. ECC might work.
If you sell the software digitally the size of the "serial number" isn't a problem.
Just put it on a web page (and in an email, for later use) and have the user copy-paste it. Or even better, do what patio11 is doing: when the user clicks "Buy software" in the app, add a magic number to the URL you send the user to and have the software poll the server to see if the user has paid yet.
Also: poll the clipboard to see if the user has copied a valid serial key, to save the user the hassle of pasting it in the correct input box.
A question to those who are more experienced than me:
I know that crackers are a big problem in the case of 'consumer software' e.g. games, simple utilities. My assumption is that this is not a problem in case of software specifically created for small and medium-sized companies. So currently I think I will not build any copyright protection into the software I am creating right now. I assume that companies (at least in the 'developed countries') mostly play fair (-> behave according to the license of the software). Is my assumption right?
My experience is that companies generally have the intention of playing fair and paying for all the licenses they need, but without any license protection enforcing it, nobody is going to keep an eye on how many people are actually using the software within the organisation.
This is exactly right - licensing exists for enforcing contracts. Weak systems (e.g. serial-only licensing) result in actual lost sales. It's not always malicious thieving - mostly it's just inefficient bureaucracy.
This means you should either protect your software using hardware dongles, or online activation. Hardware dongles are a pain in the ass and will increase your support costs, but some companies prefer them.
Nadam, if you're looking for licensing and online activation we're the makers of LimeLM (http://wyday.com/limelm/ ). Or you can build your own. But we do offer entrepreneur friendly pricing.
I always wondered how they made any money - then I did some work for the US DoD. Nearly every desktop has a licensed copy of WinZip!
My new firm has WinZip licenses as well - while Windows can do zip files natively now, it still cannot (as far as I know?) encrypt them natively.
Doesn't the checksum allow the cracker to check if a key is "real" even if he only can reverse engineer part of it?
Or at the very minimum the checksum reduces the number of possible keys that still work with the checked portions, so the cracker can release a series of keys and tell the user to keep trying them.
A cracker might find a working key from a known checksum, but that would give only one key, and if you have the checksum, you probably have the rest of the key too.
A cracker couldn't create keys from the checksum algorithm alone, because random checksummed data would pass only the first checksum check, but not the additional validation.
I don't see how automatic, silent updates are any better than "phoning home" for key validation. The partial verification system requires constant updates to be any more useful than a verification of the entire key, and if these updates are optional, the illicit users will just opt out of updating.
Presumably it's also possible to run out of new parts of the key to check, at which point anyone who has been keeping track will have enough information to build a full generator.
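The checksum-versus-sub-key distinction argued over in the last few comments, as an added example (not code from any commenter). It assumes a constructed scheme: a hex serial made of a seed, four 16-bit sub-keys each derived from the seed plus a per-sub-key vendor secret, and a public checksum; a given release recomputes only the sub-keys listed in checkIdx, so a forged key that fixes up the checksum passes one release and fails the next:

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strconv"
)

// Vendor-side secrets, one per sub-key (constructed values); a shipped release embeds only those it checks.
var subkeySecrets = []string{"alpha", "beta", "gamma", "delta"}
const keyLen = 8 + 4*4 + 4 // hex digits: seed, four sub-keys, checksum

// subkey derives the i-th 16-bit sub-key from the seed and that sub-key's secret.
func subkey(seed uint32, i int) uint16 {
	h := sha256.Sum256([]byte(fmt.Sprintf("%08X:%s", seed, subkeySecrets[i])))
	return binary.BigEndian.Uint16(h[:2])
}

// Seal appends the public checksum; it catches typos only, since anyone with the binary can recompute it.
func Seal(body string) string {
	h := sha256.Sum256([]byte(body))
	return body + fmt.Sprintf("%04X", binary.BigEndian.Uint16(h[:2]))
}

// GenerateKey is the vendor's keygen: seed, every sub-key, then the checksum.
func GenerateKey(seed uint32) string {
	body := fmt.Sprintf("%08X", seed)
	for i := range subkeySecrets {
		body += fmt.Sprintf("%04X", subkey(seed, i))
	}
	return Seal(body)
}

// VerifyKey is the client-side check; checkIdx lists the sub-keys this release recomputes, the rest are never compared.
func VerifyKey(key string, checkIdx []int) bool {
	if len(key) != keyLen || Seal(key[:keyLen-4]) != key {
		return false // wrong length or checksum mismatch (typo or lazy forgery)
	}
	seed, err := strconv.ParseUint(key[:8], 16, 32)
	if err != nil {
		return false
	}
	for _, i := range checkIdx {
		if key[8+4*i:12+4*i] != fmt.Sprintf("%04X", subkey(uint32(seed), i)) {
			return false // this sub-key was forged or guessed
		}
	}
	return true
}
```

Once every index has appeared in some release's checkIdx, all four secrets have been shipped and the scheme degrades to the full keygen the comment above warns about.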
I think he is speaking about "silently updating" the downloadable installer that is in the web page, not about "silently updating" the installed version in the user’s computer.
This solution seems a good compromise between the security provided and the inconvenience. The inconvenience is simply entering a license key when you install or reinstall. This is key -- more restrictive DRM solutions with phoning home and so on are a serious inconvenience.
The security is good enough that someone looking for your software probably won't be able to find a working license key or keygen.