how to handle software piracy?

Discussion in 'other security issues & news' started by Paul Wilders, Mar 17, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Subject says it all: how should software vendors handle and cope with software piracy in general.

    Postings regarding individual software users, other boards, and not being general of nature will be deleted.


  2. MickeyTheMan

    MickeyTheMan Security Expert

    Since vendors can already identify illegal copies of their software, there certainly is a mechanism by which in the case of AV's and AT's they could simply deny updates which everyone knows would render these types of software useless in very short matter of time.   And should this be the case of an error, it wouldn't leave a legal user without complete protection until the matter got resolved.  A  "we're terribly sorry for the inconvenience"  wouldn't cut it.
    In the case of p2p's, again a downloaded file could refuse to play after a certain number of times played.

    But to access someone's system without authorization and start deleting entries and files is simply break and entry.  2 wrongs don't make it right !
  3. luv2bsecure

    luv2bsecure Infrequent Poster

    I hope I'm not being too philosophical here, but, suppose I have a version of XYZ software and my neighbor has a version of XYZ software. Both of us "have" it, but I bought mine by downloading and registering the program with the vendor. My neighbor has his by downloading it from a warez site. The vendor has profited from the sale of his software from me. However, did the vendor lose anything by my neighbor stealing his from the warez site? The answer is - NO! The reason the vendor hasn't "lost' money from my neighbor is he has told me on numerous ocassions that he wouldn't ever pay for that software, but since he saw a free copy, he got it to check it out.

    Two things here. 1) Each time there is a download of the product from the official site, it's money in the bank. When my neighbor downloaded the same thing, the vendor didn't "lose" money because the software itself is a series of digits and has no tangible value. No money left the vendor's bank or inventory left his shelf. It's like the warez downloader never existed. It's going to cost the vendor the same in capital outlay whether 50 download the software or 500 download the software from his site (assuming he breaks even). So the neighbor didn't actually "cost" the vendor anything.

    2) As I have been saying in another thread, the hypocrisy of calling warez downloaders awful names while having even one Napster downloaded song on your hard drive is glaring. The music artists are not getting their cut of the song had it been purchased at the store. Same scenario for the software vendor.

    The point being that intangibles are always going to be copied, traded, and make the rounds. Look at movies and VHS tapes. If I tape a movie off of HBO to keep, have I "cost" the Hollwood makers? No. Because there is a 99.95% chance I wouldn't have ever actually bought it anyway. They are not having to put a capital outlay out into MY version that I videotaped. The same can be said of music and mp3s. Before that, taping songs off the radio on cassette. There IS no way to stop it and software vendors have to focus on the honest buyer and the profit they are receiving and forget about the few that will download illegal copies. If they wouldn't have actually bought it anyway, no money is actually LOST.

    This doesn't work with things we all have to have. Say you drive away without paying for gas. That COST the gas station because there is now less gas to sell and the guy who stole it is going to HAVE to purchase gas as long as he drives that car. So, he DID lose money. But the software vendor? He would never miss anything from inventory and is not "out" anything!

    I'm not saying do nothing to try to stop it, I'm just saying it is futile and not worth messing with. You would be no less for the wear if somebody was using a pirated piece of your software, because it's just a bunch of zeroes and ones and whatever else, you would never know about it AND the bottom line here is that most warez downloaders aren't going to shell out the fifty bucks for the program anyway. But if they use the illegal copy - you are not OUT the fifty dollars either.

    It's like watching the Cubs games in Wrigley field from the roof tops. Are the Cubs "losing" money off of them? No! Because they know most of those people wouldn't buy a ticket anyway and there is no servicing costs to them, so whether they are there and can see the game or are not there, it doesn't mean anything to the Cubs. They focus on their paying fans and go on.

    It will always be with us. And the economics of the intangible loss is nothing to be concerned about as long as the product is of such quality that sufficient numbers of people BUY the product and you make a profit.  How many times do we have to go through this? Cassette tapes. VHS tapes. Illegal downloads and CD-R's, and yes, SOFTWARE. It comes with the landscape of selling something this is intangible (in that there are no production costs for *each* copy you sell). Naturally, I am speaking of shareware products here.

    I'm still sick with the flu, so I am going back to bed.

  4. MickeyTheMan

    MickeyTheMan Security Expert

    Luv2bsecure, you are forgetting one thing.
    Who do you think pays for the number of stolen copies ?
    Registered users of course as these costs have to be absorbed by someone.  Wouldn't it be nice if you could pay say half of what your paying now for your software ?

    Warez sites are another matter.  Laws don't seem to go fast enough to follow dev in that area.  But surely there could be crack downs on these by special task forces.

    I certainly could do without the .mp3, but if i had no way but to get a legal copy of an AT, i doubt i would do without for very long, and if i made the comment i would never pay for it, well then let me be without access to an illegal copy, and see if my attitude would change, and i bet in a lot of cases it would.
  5. Detox

    Detox Retired Moderator

    I don't have too much to say, except that if the Codemaster's FADE technology that I wormed into the "Morpheus' New Anti-Piracy Move" thread in "privacy general" is a reality, I think that it is the ideal manner in which to deal with piracy. It keeps someone from stealing the software, yet allows a pirated copy to work long enough to be a demo...
  6. Checkout

    Checkout Security Rhinoceros

    Scenario:  I develop a product, over a considerable period of time and at personal cost, a product which solves a particular problem and is popular.

    Within weeks, even hours, of its launch, it's cracked and posted on warez sites.  What have I lost?  Everything. I cannot recover my development expenses.  I cannot look forward to a reasonable or even modest income from my labour.
  7. Checkout

    Checkout Security Rhinoceros

    I suggest to you that it is impossible to prevent reverse engineering.  However, the deterrent is to make it too much time and trouble to do so.

    Consequently, if every downloaded copy of a licensed program were in some way unique - say, code shuffled about - then there would be no generic key able to defeat built-in copyright protection.
  8. TAG97

    TAG97 Registered Member

    I have this one thought I like to share, Being from Connecticut,a small state in the USA, I am amaze how many non US citizens(spellingo_O) are in these forums.
               But yet I keep hearing "you're breaking the law. So my thought is; Is there a world like law governing the Internet? It always seems to be people from my country who keep bringing up laws made in the USA and applying them to the rest of the World.
                             Just a thought o_O
  9. Blacksheep

    Blacksheep Spyware Fighter

    luv2bsecure has offered some astute observations about the psychological numbers game - LOST. Hmm... Some are crying "lost billions!". IMO one must HAVE something before one can LOSE it.

    Oh yes, the hypocrisy of crying FOUL about cracked software while having cracked tunes, movies, etc. on ones HD.

    Well, how about this possible hypocrisy:

    Suppose a professional coder was vigorously fighting piracy and someone asked "Hey coder! Have you ever cracked a proggy or used warez?" I wonder what would be the truthful answer?

    Piracy is a serious issue and in effect is stealing one's labor. But, countermeasures that trample privacy rights and break laws are unacceptable. Any business has a LOSS factor. It is unavoidable.
  10. Blacksheep

    Blacksheep Spyware Fighter


    Heyus Mickey! :D Got a question for ya; If all piracy were eliminated do you think the price of software would be reduced? For example would one be able to buy M$ OS at a cheaper price? :)
  11. Blacksheep

    Blacksheep Spyware Fighter

    Well OK, back to the topic - Piracy.

    (BTW Pete, I wasn't agreeing to the "dumb" part.:))

    Seems to me the biggest sources of cracks/warez are Russia and Asia. So, one could plead to the governments but, IMO the response would probably be nada - no help.

    The effective piracy countermeasure would need to be in the software. To be acceptable to all but the warez user, and probably be legal in all countries, the countermeasures should be benign - do not phone home, do not remove files, and do not require prog to have Internet access in order to function. Now this is a technical problem for the coder. How to do it?
  12. Alan Magee

    Alan Magee Guest

    Hello, I am new here but have been interested in the many & varied opinions.

    Since this debate started I have been trying to think of a sure fire way of protecting the developers & users property,
    Shareware is what it says not freeware or possibly not even a fully working product,

    IMO the shareware vendors should ensure their product is firstly time coded with a warning that is either disabled or removed from the users machine after the expiry date & secondly that certain functions are crippled using one part of a keyfile (in the case of AV or AT updates come to mind)  so that, even if they do manage to break the time code, they do not have a proper working product and cannot activate it. I'm not a programmer but I am sure that a split encrypted keyfile is possible. (bicrypted?)

    In the case of programmes requiring regular updates the encrypted keyfile (encryption proces?) may require changing or updating from time to time but this should be noted to the user via the EULA & stipulated on the vendors site

    When & if the user registers the product a keyfile + any additional corrective code is sent to the user allowing activation & full use of the product.

    The vendor would state this on their download site with appropriate links to both the EULA & Privacy statements which should both be unambiguous & in plain language.

    Unfortunately, as with any system, in time, someone will crack it. Then, I guess, the only thing that limits usage is the need for updates which could be "caught" by the above method.

    As I am not a programmer I would be interested in any caveats that such a system may encounter.

    Alan M
  13. luv2bsecure

    luv2bsecure Infrequent Poster

    Paul has posed a valid challenge to us with this thread, " How to handle software piracy?"

    The following are some thoughts and ideas

    I think my earlier post belongs in this thread as food for thought, but assuming there is something we MUST do to stop piracy, I offer a few ideas in the spirit of Paul's question.

    First though to Mickey: I still believe the loss in warez, cracks, etc. is mostly "lost" to people who wouldn't buy the program anyway. You asked the question,
    Again, there are no "costs" to be absorbed! If it were something tangible like gasoline, where you took off and ran without paying, yes, that would mean less gas to sell and a need to absorb the costs. But my point is that if a cracked version is being used by X number of people and the vendor never knew it, there would be no "costs" to absorb. There's no inventory of tangible goods to "lose!" Or, as I think Blacksheep said it, "You have to HAVE something to LOSE it."

    With that out of the way, what CAN be done? I think there are several steps a developer can take to minimize illegal software cracks, downloads, etc.

    1. Eliminate username and serials to register the program. The serial racket is rampant. Why still produce software that relies on emailing a username and password after payment?

    Technically, this is a violation of Paul's fair rules I suppose, but I am using this in a positive way so I hope it is OK. WebRoot Software (makers of Window Washer and others) was one of the first in the business to take a stand against piracy. They stopped emailing username and passwords and went to a system of the "trial" version being just that, and only that. Once it times out, it's timed out. There's no inserting of numbers to "activate" the program to "registered" status. If you want to own a copy of one of their products, you must order from the company and you will receive a URL which goes to a direct download of their fully licensed software. They change that URL sometimes daily so nobody can pass around the URL for downloading of the full version. This makes a lot of sense. So, why not eliminate a BIG problem (the passing of serials) by bringing a halt to the practice of serial numbers activating the product after a trial?

    2. Target the distributors.  I would argue this is somewhat like our "war on drugs." Instead of the insane and extremely expensive practice of going after users, why not divert those resources into stopping the distributors? This could take the form of a consortium of software developers banding together to seek, find, and destroy those who are using the Internet to offer free access to their programs. This is a tricky area because of international laws, but just what goes on in the USA would put a big dent into the illegal software trade.

    3. Much like music and movies, include software in the "conventions" of countries that are signators that allow for prosecution in one country for violations of copyright in another. This again would take the form of targeting the distributors and not the users. We currently have this to some extent, but not  recognized by nearly as many countries that recognize music/movie copyright laws.

    4. Be prepared for the halt of SOME of this illegal activity, but not all. The problem will always be with us, just as it is in the music and motion picture industry. Realize that we are dealing with a global problem that requires the cooperation of many, many countries. A good example to look at with the problems with international enforcement is Child Pornography. Countries around the world all define it differently, they have different opinions as to what is and is not pornographic. Then there is the question if mere possession is a crime. In the US it is. In most countries, it's not enforced at all -- the focus is all on the distributors. Then the age question. In the United States we have the "under 18" law which means that if you have ONE picture on your drive and she turns out to be 17 -- you go to jail. Most other countries think this is extreme. Some say if the girl is under 16, some 14, in several it's still 12. See the problem? We are dealing with an international problem that requires much broader solutions. Trying to enforce things internationally is very difficult.

    Which brings me back around to the ONE THING software developers should begin doing today, and that is stopping the serial number as being the activator. Instead of looking outside for protection, look at how the software is being distributed and offered for sale in the first place. Sure, there will be keygens and cracks to deal with, but the serial racket is rampant and will stop a lot of the piracy cold if software developers stopped the serial number method. It's too easy and spreads much faster than cracks and keygens.

    In the spirit of Paul's question, I offer these things for discussion.


  14. diginsight

    diginsight Security Expert

    Vendor should realize there are different sorts of piracy:

    The very common 'refuse to pay for anything' software pirate. If you disable your product they will find a better key generator or start using other software.

    Warez hobbyist/collectors that like to try everything they can lay their hands on just for the fun it. If they like something, they might be tempted to buy it.

    Potential customers that would like to evaluate the software for a longer period then the 30 days before they decide to buy it.

    Potential customers that don't have the money to buy the product, but would like to in future.

    Customers that share their products with friends or family.

    So called 'consultants' or people that help friends or family maintain their PC and install software to manage the PC, but know their 'customer' is not going to buy the product, because they find it's too expensive.

    IT professionals that don't have the funding to buy all the software they use or would like to try it for longer period.

    People that 'forget' to order more license then they are already using. This is very common.

    People who only buy software they use regularly, but don't buy software that they use only very occassionally.

    The first type of software pirate will never be your customer unless you force them or they run out of alternatives. The same goes for people that install your product on other their friends or familie's PC to remedy a problem or people that find any software that didn't come with their PC too expensive.

    It's the other types of customers you need to target. If you handle them too rough you run the risk they might not buy your product anymore or start to dislike your company. If you handle them too soft, they might 'forget' to buy the product or think they can get away with it.

    It's up to the vendor how he would like to handle these customers and how large this potential customer base is.
  15. Blacksheep

    Blacksheep Spyware Fighter

  16. spy1

    spy1 Registered Member

    Can update ability be tied to your network address? Or does that change all the time? (I've never really paid that much attention to whether it stays the same or not).

    Or, could update ability be tied to something else that's specific to each individuals computer?

    Either option with complete disclosure of what's being used? Pete
  17. Blacksheep

    Blacksheep Spyware Fighter

    IMO auto-update must be user option. Manual update also user option.
  18. diginsight

    diginsight Security Expert

    Update ability can be tied to number of licenses and you're required to use a username/password to be able to update. If a certain username/password is used simultaneously you can mail the owner about a possible violation and reset their password.

    The problem left is how you handle multiple user licenses.
  19. Blacksheep

    Blacksheep Spyware Fighter

    It is a pleasure to see serious thought applied to a serious issue. :D
  20. luv2bsecure

    luv2bsecure Infrequent Poster

    Pete, obviously it CAN be done. The question is should it be done? I tend to agree with Blacksheep on this as freedom and privacy comes before all else.

    Micr.....(sorry)....... that BIG company up in Redmond, Washington has tied product activation to things that are specific and unique about the user's computer. Should everyone you buy software from know that you own a Brand X 60gig HD with a serial number of 10653M56X78, and a Brand X motherboard with....o_O?

    I say NO! There are things that can be done NOW (like my earlier post that included the idea of stopping the emailing of usernames and passwords to stop the serial number racket.)

    We can ALL be safe and secure if we allow a corporate/government/elite axis to follow our every move, check all of our fingerprints and iris patterns, know the serial numbers of parts in our computers, eavesdrop without a court order, throw out probable cause and "profile" everybody into little boxes that they can keep an eye on us with. Do YOU want to lose your freedoms and rights for security? Now, it sounds like maybe you are proposing shareware software developers be allowed to have their software snoop around until they can find a unique identifier inside my computer?  

    Would SOMEONE please send a copy of Orwell's 1984 to a few folks on this forum so they can see the eerie resemblance to everything going on today? Let's not continue down the road of killing privacy in order to protect software vendors!

  21. Blacksheep

    Blacksheep Spyware Fighter

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
    - Benjamin Franklin, Historical Review of Pennsylvania, 1759.
  22. Vampirefo

    Vampirefo Guest

    This has been my point all along, I have made the same suggestions made in this thread already, but the only response I got was that I couldn't spell, and I was a thief. I have been surfing today and two people already claim to have gotten around, this one product, and are passing out the method, in all honesty, I would have sent this information to the vender. As I have sent it to other venders, from time to time. But after being called a thief, and so on, I just don't remember when I was out when I read, what I thought I read, hell I am just a moron, and didn't understand what they were talking about anyway.

    Anyway, I have suggested, that two version be made, and the first version could not be registered this would just be for a demo, a stripped down version, then another version a full version could be bought. This suggestion was strapped cause it would require to much work, on the coders part to make two programs and maintain two or more download sites.

    Every suggestion was knocked down that asked the to coder to do anything, it seems the coders only want to take the easy route, and break into pc, this is not now nor will it ever be acceptable.
  23. Vampirefo

    Vampirefo Guest

    Here in this thread you can find some suggestions made by me and others, plus perhaps get answers to other questions. It's a long thread but a good read for anyone, that truly wants to help.;f=14;t=001217
  24. luv2bsecure

    luv2bsecure Infrequent Poster

    I am writing from the United States. In the USA we worship at the shrine of the "free market." Until developers do all THEY can do to stop thievery of their own product, they should look nowhere else. The "too much work" line is bogus. If it's "too much work" to do what needs to be done to protect your product, then don't complain when it is stolen. Simple. As for maintaining two download sites, that is really very lame. They could only HOPE they could keep both download sites busy! Another download site would cost per month what ONE piece of registered software would cost. So that one doesn't wash. I am in full agreement with the tossing of the old serial number route and offering a timed-out demo and if you want to purchase the product you are, after payment, given a unique URL which could change daily, to download the licensed version. Or, would that be too much trouble too? It seems many want to wave the flag and worship free enterprise, but they don't want to have to accept any of the responsibilities that go along with it. If all of the ideas we have mentioned, to help protect THEIR product, is dismissed as "too much work" maybe they should hang up their digits and find an 8-5 job and forget about having to "work so hard."

  25. Blacksheep

    Blacksheep Spyware Fighter
Thread Status:
Not open for further replies.