Seeking help identifying software development security tool

Hi,

First, my apologies if you feel this is a mispost or that I’ve invaded the wrong “realm” (please don’t flame me :( Also, this is posted to the C++ forum as well). I chose this forum (along with a few others) because I am seeking help from the C/C++ programming community. I am open to suggestions of places that might be better to seek this kind of help.

I am involved with a stealth–mode startup and have been asked by my engineering staff to help them locate a particular kind of software development security tool for their C/C++ programming efforts. There is a mission to protect our intellectual property above and beyond licensing and activation requirements/restrictions. My engineering team has mentioned features that would include tamper-proofing, obfuscation, watermarking, among others. I’m a noob at this and still learning. However, I interpret this as an effort to protect our executable code.

I would be very grateful for any help (and time) you can offer. I’ve created a short set of questions (I tend to like to be organized ;) the answers to which would be a great help. However, I’m also very accepting of more “free form” responses, as well. You can reply to this post either publicly or privately (if that capability exists).
Again, thank you for your time and any insight you can offer. If my research results in any information different from what I receive here, I’ll be happy to come back and post those results. Or, you can contact me directly and I’ll forward on a copy of my results.

Cheers…Steph

Questions

1. What are the top 3 products/companies you considered for this software development security tool, the top 2 or 3 features you liked about the product (or company), and why?
1A. Product/Company 1:
Feature 1:
Why:
Feature 2:
Why:
Feature 3:
Why:
1B. Product/Company 2:
Feature 1:
Why:
Feature 2:
Why:
Feature 3:
Why:
1C. Product/Company 3:
Feature 1:
Why:
Feature 2:
Why:
Feature 3:
Why:

2. If you purchased the product, are you willing to share pricing information?
2A. Product purchased:
2B. Price: per (1 seat, 5 seats, 10 seats, unlimited, etc.)

3. If you purchased the product, did it:
3A. Exceed expectations: ( ) Yes ( ) No Why:
3B. Meet expectations: ( ) Yes ( ) No
3C: Fail to meet expectations: ( ) Yes ( ) No Why:

4. For those products you did not select, what are the top 3 reasons you did not select them (and was there a common reason among a number of the products)?
4A. Reason 1:
4B. Reason 2:
4C. Reason 3:

Stop wasting time and money worrying about "protecting" your executable. It doesn't work. You'll just end up frustrating legitimate paying users with nonsense (like have to have a connection at all times, need to plug in a USB drive to run the program, have the program keep nagging you to activate even though you already have, and lock up your computer if you don't in 3 hours, etc), while illegal users still get what they want.

Write good programs, and people will pay for it.

Game companies have been trying to do this for the past 30 years or so. I don't think there is one single game that has not been cracked. If they (talented developers in many big companies in a billion dollars industry) can't do it, do you think you can?

Quote:

---

Originally Posted by stephr1

My engineering team has mentioned features that would include tamper-proofing, obfuscation,

---

Has your engineering team considered just shooting themselves in both feet now to save some time?

Who has cracked Netflix? Who has broken WoW warden? You can't win theoretically, but you can make it pretty damn difficult. Consider, though, whether your product is really so fascinating and important as to make it worth the effort.

Quote:

---

Originally Posted by cyberfish

Game companies have been trying to do this for the past 30 years or so. I don't think there is one single game that has not been cracked. If they (talented developers in many big companies in a billion dollars industry) can't do it, do you think you can?

---

While I don't disagree with you, it's probably not a good idea to rule it out as a possibility.

Some of our greatest inventions have come out of people's garages and basements...

:D Lawn Darts, Pet Rocks, Hula Hoops ... I rest my case! :D

The only games I know that are successful at protecting themselves is by doing significant amount of computation on their servers. Eg. WoW.

Activation requirement can be patched out, but having to rewrite a whole world simulator is a lot more difficult.

Hi all,

I appreciate you taking the time to respond. I was hoping for replies that would help lead me to viable solution options (as my original posting sought to do). However, your input provided some interesting insight and perspectives. Thanks.

Cheers...Steph

Software protection through technical means is worth it when each license of your product is sold for a 5-digit sum or more. The problem is the cost of deploying a good system.
When you really want effective protection, you need a hardware dongle. Purely software-based systems are generally too easy to crack, leading to problems for legitimate users without any benefit.
Hardware dongles mean: shipping a dongle to each customer (there's a license fee for that from the protection company), shipping license updates, offering support when users fail to correctly apply the updates (frighteningly common), offering support when the dongles don't work for another reason (e.g. firewalls), and of course the whole support programming you have to do. There is a pretty big cost associated with hardware dongles, and since quite a bit of it is per-customer, it's only viable when you ship to 100 customers for 50000$ each, not when you ship to 50000 customers for 100$ each.

That said, we've had reasonably good experience with the Wibu CodeMeter hardware dongle system.

Thanks much for the suggestion. We are trying to avoid hardware dongles because of the logistics you mention. However, it is on our list. Appreciate your input. Cheers...Steph

Quote:

---

Originally Posted by CornedBee

Software protection through technical means is worth it when each license of your product is sold for a 5-digit sum or more. The problem is the cost of deploying a good system. When you really want effective protection, you need a hardware dongle. Purely software-based systems are generally too easy to crack, leading to problems for legitimate users without any benefit. Hardware dongles mean: shipping a dongle to each customer (there's a license fee for that from the protection company), shipping license updates, offering support when users fail to correctly apply the updates (frighteningly common), offering support when the dongles don't work for another reason (e.g. firewalls), and of course the whole support programming you have to do. There is a pretty big cost associated with hardware dongles, and since quite a bit of it is per-customer, it's only viable when you ship to 100 customers for 50000$ each, not when you ship to 50000 customers for 100$ each. That said, we've had reasonably good experience with the Wibu CodeMeter hardware dongle system.

---