Software Protection

[Rodaxoleaux]

After spending a lot of work on a tool, (my first commercially (and at all) distributed program! hooray for me) I'm trying to implement a software key kind of deal to protect it from being shared so easily. I tried using an online verification program like IntelliProtector, although now during the build, it seems to just freeze every time. But either way, I also tried looking into RSA Cryptography, etc, although that seems to be taking an extremely long time to understand for me, and I don't even know if I'm taking the correct path. What is the best way for me to protect my software?

[grumpy]

What are you trying to achieve by "protecting" your software? Are you trying to prevent reverse engineering? Or are you trying to ensure you receive license fees?

Who are you trying to "protect" it from? How much time and effort are they likely to expend to bypass the protections?

How much money or effort are you willing to expend in order to "protect" your software?

How much inconvenience for the intended end-users are you willing to impose? [All protection schemes involve some inconvenience for intended end-users, whether that involves entering a pass key, having to buy a dongle, or anything else. That is the cost of trying to protect software from folks other than intended end-users].

All of these questions have different answers, depending on what you are trying to achieve through "protection" of your software. And the "best" protection varies depending on the answers.

[Rodaxoleaux]

Just trying to prevent the act of buying a copy, and then publicly sharing it as it needs no other action but to copy paste onto someone's computer. My initial audience I'm selling to probably wouldn't try much more than sharing it with everyone they know, and if there was a software key needed to use the program, that would go faulty if used on another computer not on the same network or something like that. As for inconvenience, I just want to basically have a software key that would be registered to a user and could only be used by said user. I don't really have much money to spend right now. I was hoping that something that sounds so simple would be simple and free (Although with programming, we all know nothing follows that rule.)

It could... read from a file on an FTP server or something, and if it doesn't find the IP address being used, it could ask for a software key, pulled from a list of keys in another file. If the key is valid, add the IP address to the file and remove that key from the server file, if not, then do not allow the program to run? I have no idea, but that's an example.

[rags_to_riches]

It could... read from a file on an FTP server or something, and if it doesn't find the IP address being used, it could ask for a software key, pulled from a list of keys in another file. If the key is valid, add the IP address to the file and remove that key from the server file, if not, then do not allow the program to run? I have no idea, but that's an example.

IPs are not necessarily static though.

Doing this "right" is difficult, which is why there are entire companies built around it.

[Rodaxoleaux]

That's true. It's just an example of what I'm trying to accomplish. I'm not quite sure how to proceed O:

[brewbuck]

If you come up with something yourself, it's guaranteed that it will A) be defeated within minutes by pirates and B) fail in the field, angering legitimate customers. Home-rolled copy protection will hurt you, not help you.

The company I work for uses commercial software to protect our stuff. It is a system which has been used by the Department of Defense to secure their cruise missile navigation software. We pay $450,000 per year to get the software.

Good luck. As an end user, if I knew you had some kind of Internet based check built into your code, I would not buy your product, as it might fail to work correctly. I'd happily pirate it, though.

[Rodaxoleaux]

I guess that's where the old "You gotta spend money to make money" line comes in. I hear you.

[Cynic]

Just trying to prevent the act of buying a copy, and then publicly sharing it as it needs no other action but to copy paste onto someone's computer.

Ok, so casual copying. I think if you do a google on preventing software piracy and license keys, you'll find something you need for this.

As for the person determined to have/give away your software, there really is no protection. It's like your car. You can spend $100,000 on protecting it, but if they want it bad enough, they are going to get it.

Some companies, if not all, take lost revenue from piracy on the chin in stride. They do what they can to ensure they make a profit, but don't get heavy handed gestapo over it.

[grumpy]

Ok, so casual copying. I think if you do a google on preventing software piracy and license keys, you'll find something you need for this.

There are plenty of down sides to such things.

License keys can be copied or cracked which means unauthorised users can use the software. There are many web sites devoted to providing illegal license keys or even to providing versions of executables with the licensing checks bypassed or compromised.

If the license keys actually work, they tend to introduce inconvenience to end users. Everything ranging from a need to enter long license keys every time the program is installed, through to the need to get new license keys whenever one upgrades computer hardware.

I once read a thought experiment (from the computer security world). It describes a system where the software is accompanied by a hardware device that would periodically demand a urine sample, and the software would not run unless a urine sample was provided by the authorised user and correctly validated within some specified time interval. There were a few problems identified with this scheme: firstly, it would have a rather severe user acceptance problem. Second, the security could be bypassed quite easily by getting a urine sample by nefarious means from the authorised end user. Third, the hardware or software itself could be modified in various ways in order to bypass the authentication checks. So it would be necessary to back this scheme up with other measures, depending on how much this software needed to be protected.

Some companies, if not all, take lost revenue from piracy on the chin in stride. They do what they can to ensure they make a profit, but don't get heavy handed gestapo over it.

There are quite a few companies that do get "heavy handed" about it, and don't take the loss of revenue at all philosophically. Consider the entertainment industry, with all of their copy-protection schemes (which tend to impose significant inconvenience on end-users, but are routinely removed in pirated versions) and attempts to push through legislation (SOPA, etc) to protect their rights.

[Rodaxoleaux]

I have to agree with grumpy on this one.

I also found a free verification service named IntelliProtector. The client keeps crashing at the module build, and not many people seem to have used/heard of it so that's a no as well.

[Elysia]

Focus on giving end users a good experience instead of trying to make it harder to copy.
The idea is that instead of preventing users from buying it, you should make them want to buy it (and no nefarious stuff, because then they'll pirate it).
Give them a trial. Let them use the program. Make them see the use of continued use of the program, and make them feel it's worth a little fee.

But beware: if you charge for a program, then they are your customers, and you are obliged to listen to them, and service them. You can't just quit working on the software or do what you will with it any more.
Happy customers are returning customers, and happy customers recommend your program to other customers.

[cyberfish]

Don't punish your legitimate users for pirates. Legitimate users will turn into pirates when they realize all they have to do is go on pirate bay, and download a fully cracked version of your program, instead of jumping through a bunch of hoops with a bunch of restrictions to make your legitimately purchased programs run (eg. require internet connection, require key entry, require authentication on hardware change, require static IP, etc).

Just make good software and people will buy it.

[MK27]

But beware: if you charge for a program, then they are your customers, and you are obliged to listen to them, and service them. You can't just quit working on the software or do what you will with it any more.

Then, 18 months from now, if you are sick of answering emails from the three people that actually paid, you can abandon the project in disgust and just leave a big frowny face on the support page

[Rodaxoleaux]

Then, 18 months from now, if you are sick of answering emails from the three people that actually paid, you can abandon the project in disgust and just leave a big frowny face on the support page

XD Eventually, when I'm in college, that will happen as I will have no time to answer: "Y U NO HALP ME PORT FORWARD FOR CONECKSION?"

[whiteflags]

But beware: if you charge for a program, then they are your customers, and you are obliged to listen to them, and service them. You can't just quit working on the software or do what you will with it any more.

Well that's wrong. As a customer I've never felt like I could tell anyone to do anything.

And when you want to quit? Either:
a) groom your successor, or
b) freeze development and work under an alias for the rest of your career

I have no shortage of alternate names.

-Deep Wang