how to handle software piracy?

[spy1]

I agree - Two different programs (from different servers) should be the way it's done.

The trial program would automatically, irrevocably stop working after the trial period (is there a way to encrypt the code that would cause it to do so to prevent tampering/cracking?) and would have to be un-installed prior to d/l'ing/installing the full-featured, registered copy.

Couple of points to ponder: (a) Bandwidth isn't free - the developer has to pay for it, and the larger (the program itself) or the more frequent its' use (the updates), the more expensive it becomes. What I wish we had were real-life examples from some of the independent smaller software developers stating their actual costs in that area. Therefor, in my opinion, the argument that 'they're not losing anything' due to piracy doesn't hold even a drop of water - they're losing money every single time someone d/l's from their server that hasn't paid for the license to cover that bandwidth cost.

(b) We also seem to be sluffing off the cost of the initial purchase of a server itself - they are not cheap (pick up your favorite computer mag and check the prices on the ones they evaluated last and you'll see what i mean). They also require upkeep/maintenance/updating to stay secure and reliable (the developers time spent doing that costs him time [read money ] that could have been spent doing other, more program-oriented things that would more directly benefit the programs' users' ).

So let's not try to pretend that money isn't being lost or not being spent by the developer to keep his program on the Internet, okay?

As far as the possible 'identifier' I mentioned (network address, or something similarly unique to each individuals computer), I think that the use of such a process should be left up to the purchasers of the program itself . Just about every developer today has either a newsletter, an online forum, or both - they should use those resources to discuss those kinds of options with their users. Personally, I wouldn't have a problem being uniquely identified by any of the software makers I've chosen to trust by using their programs ( not referring to OS providers, here! ).

If they at any point would ever abuse that trust, the remedy would be quite simple - you un-install their program, find something else to use and broadcast their betrayal all over the internet to warn others!

Another thing I think they may need to do is quit pushing updates ! If you want to see if there's an update to a program, go to the providers main site and check and, if need be, manually d/l and install the update yourself ! Yes, it's slightly more inconvenient for the user to do it that way, but ultimately, it's more secure (c'mon guys, you know you should at least be together enough to check for updates yourself every day) , and probably would help the developer out, too (from the standpoint of not automatically offering the updates to all the people who don't legally use the program).

As a side-note, I'm definitely not convinced at all that people that don't actually use a given program should be given a voice in what the developer does with (as far as protecting it from theft/misuse goes) it.
Sure, everyone should have input on suggestions as to how they think the issue should be handled, but people that don't purchase a given program (and definitely the thieves) do not have the 'right' to dictate what the softwares' programmer must or must not do. (Some seem to be conveniently forgetting that the programmer has rights, too).

As long as the developer clearly, in plain English, on his site, on his forum, in his newsletter and as part of the installation routine itself spells out what he's going to do to protect his copy-writed material, then only the people who use/purchase the program have the right to make decisions on it. You either accept what the programmer wants to do with his property - or you buy something else!

BTW, why wouldn't someone use their primary email addy to initiate getting/paying for the program from? I think that should be an up-front requirement as well!

Isn't this what freedom of choice and free enterprise are all about ? Pete

[MickeyTheMan]

I would think that in the case Av's and At's which need to be updated regularly to have and keep any value, it's much more the updates themselves rather than the programs that developers should seek to protect. *Surely there could be ways there where one would need to show clean hands to obtain such updates.

[luv2bsecure]

Quote:

As a side-note, I'm definitely not convinced at all that people that don't actually use a given program should be given a voice in what the developer does with (as far as protecting it from theft/misuse goes) it.
Sure, everyone should have input on suggestions as to how they think the issue should be handled, but people that don't purchase a given program (and definitely the thieves) do not have the 'right' to dictate what the softwares' programmer must or must not do.

Absolutely correct. It's a free country! A software developer can do whatever they want. They can make their program easy for piracy or they can make it difficult and not worth the trouble. I don't think anybody that's posted here so far has suggested that software developers have to do things one way or another. I think the posts have all been in the spirit of Paul's challenge and question: "How to handle software piracy?"

John

[Checkout]

Here's an idea (yeah, here we go again!):

One of the good (by that,I mean useful, in terms of anti-piracy) features of anti-virus and anti-trojan programs is that they are self-obsoleting. *Without updates, they might as well not be used.

Suppose: *I want to update TDS (or WormGuard, or whatever) so I must either logon or be logged on to the Net. *Let's say I click a button marked "Update". *Next thing, I send an email to DCS (or whoever) requesting a tailored update. *The email identifies me as a registered user. *The reply is a one-time key pinged directly to my sofware. *The update takes place. *No unregistered users can update a copy.

Any holes in this, folks? *

Re-reading this, I don't think I made it very clear. *So:

• User installs TDS
• User visits DCS to register
• During registration, TDS checksums the install disk's major software components - which makes a fairly unique signature of that disk
• The signature is uploaded to DCS during the registration
• The keyfile is sent to the user
• user begins normal, registered TDS operation

Then, as time passes:

• User wants TDS update
• User logs on to Net
• TDS automatically sends an email using the email address used when registering
• DCS sends a message to TDS uniquely identifying an update for it
• TDS retrieves and installs the update along with the previous signature

No other user can use this update since the signature (checksums) would not match anyone else's hard disk, and TDS would throw up loads of error messages. *No other person can get a copy of the update from DCS since they won't have the same email address, and even if they did, no second copy will be issued except by DCS administration authority.

There, does that read better?

[Checkout]

More thoughts: *suppose the keyfile was more than just a keyfile! *Let's suppose that TDS's checksum feature was permanently engaged, and the data produced from it was stored in the keyfile. *Copy that to someone else's machine, and it would create havoc!

This does imply that, when a user registers TDS, that at least some checksum info is gathered during the registration process, and a customised keyfile is sent to the newly-registered user. *And that TDS will not operate on a 'blank' keyfile.

Ho hum. *Back to offline mode.

[Mr.Blaze]

will i actualy know how to stop software piracy for good but im wont say how untill i patent it lol=)

unfoutunitly my way can be a little expensive and its only god for as long as you owen your computer meaning you cant install it on another system.

youed have to send 10 bucks and the cd back to get a new one for your new computer lol.

id only recomend it for expensive programs like photo shop and animation master 600$ to 800$ dollar software

Hi Checkout,

I'm not sure whether I understand this right:

Quote:

During registration, TDS checksums the install disk's major software components - which makes a fairly unique signature of that disk

You can of course change "the install disk's major software components", or do I understand you wrong?

Same as you, I too was thinking about some checksum algorithm, but alas, my brain doesn't seem to work very well the last days, so I have not come up with some solution....

BTW: if a checksum algorithm will be used for these kind of things, let it please not be CRC32: much too unsecure!!!

[Checkout]

Quote:

Hi Checkout,

I'm not sure whether I understand this right:


You can of course change "the install disk's major software components", or do I understand you wrong?

Same as you, I too was thinking about some checksum algorithm, but alas, my brain doesn't seem to work very well the last days, so I have not come up with some solution....

BTW: if a checksum algorithm will be used for these kind of things, let it please not be CRC32: much too unsecure!!!

I wasn't thinking of any particular programs - whatever the user has installed, such as an AV or firewall, as well as (perhaps) the Windows (or whatever) directory. * Maybe files chosen randomly.

It'd be nice to hear a developer's take on this.

[spy1]

With the increasing size of updates (KB-wise), I don't know whether (a) ISP's would appreciate the increased traffic on their mail servers or (b) whether I'd like having to wait wait my dial-up mail service takes forever to get it into my inbox.

How about this - Every time you do a scan, the program automatically notes all keygen programs found on your computer.

The presence of any that have displayed the ability to crack this particular program get flagged.

The next time you request an update (or one is automatically initiated), the update server checks for the presence of any flagged keygen programs on the requesting computer - if it finds any, the update aborts with a message to contact the software maker (period).

Sound familiar? Pete

Quote:

With the increasing size of updates (KB-wise), I don't know whether (a) ISP's would appreciate the increased traffic on their mail servers or (b) whether I'd like having to wait wait my dial-up mail service takes forever to get it into my inbox.

How about this - Every time you do a scan, the program automatically notes all keygen programs found on your computer.

The presence of any that have displayed the ability to crack this particular program get flagged.

The next time you request an update (or one is automatically initiated), the update server checks for the presence of any flagged keygen programs on the requesting computer - if it finds any, the update aborts with a message to contact the software maker (period).

Sound familiar? Pete

That would be considered Spyware and profiling, not an ideal, that's going to get off the ground. One program has no right to scan a computer for keygens, unless the users knows what it's doing, a keygen is not a Trojan, a Trojan scanner needs to stick to it's job and scan for Trojans.

Same with any program, it should only do, what it was designed to do nothing more.

The last method used by the vendor, that basically caused all of this, is the correct way of dealing with piracy.

If an illegal key is found in the same directory/folder as the program being used illegally, deleting the key is acceptable, but if the key is in say, another folder, or in an e-mail as an attachment, then it can not be touched, possession is not necessarily a crime, only when the key is being used, or it is in the same directory/folder.

[Paul Wilders]

Since this issue does no longer affect TDS in particular, but instead is covering a general question after DCS has handled this in specific, this thread has been moved to "other security"

regards.

paul

[Checkout]

Quote:

The last method used by the vendor, that basically caused all of this, is the correct way of dealing with piracy.

Ah! *You're back! *I wondered where you'd gone, *Vampirefo Spy!

Quote:

If an illegal key is found in the same directory/folder as the program being used illegally, deleting the key is acceptable, but if the key is in say, another folder, or in an e-mail as an attachment, then it can not be touched, possession is not necessarily a crime, only when the key is being used, or it is in the same directory/folder.

You're on shaky ground here, Vampirefo Spy. *The law decides what's acceptable and what isn't, not individuals like you. *Whether you like it or not.

Quote:

vendor

Hey! *Cunning disguise! *

Quote:

You're on shaky ground here, Vampirefo Spy. *The law decides what's acceptable and what isn't, not individuals

I like this comment, seeing that is exactly, what the whole thing was over one company thinking it was up to them to decide whom was guilty or innocent, LOL, however, a good public smacking, and they got right back in line.

Now can you stay on topic?

[luv2bsecure]

Hi Checkout,

I LOVE your idea with the comparison table. I saw some of the posts about smileys and all that, but if you just kept it a "this is what this program does and that program does this" kind of thing I think many, many people would find that extremely useful. For one thing, so many people seem overwhelmed with the whole idea of computer security. It just sounds complicated and they don't know where to start. Your simple to use table could be a real ice breaker for newbies especially. I think it's a great idea. Good job!

John

[Paul Wilders]

FYI: after consulting parties involved, possible offending posts/part of posts have been removed, and referrers to it as well.

This thread has been opened once more.

regards,

paul