Securing an application

Figment

I have got an application developed which i intend to sell. Its a small make life easier tool that will be used with a specialist existing web application.

I haunt got my payment model fully in place yet but it will be retailing for between 10 - 20 Euro per licence and there should be a licence for each machine in a company where it is used.

My question is if i should secure it with some kind of serial number or other?

Is it worth it as serial numbers can be copied as easily as an app?

Would its value price encourage more people to just pay for it or just devalue its worth in the eye of the end user so they have no problem copying it.
They may think its not worth being sued over like a 600 Euro copy of photoshop would be. And they would be right.

There will not be a large percentage of companies in the world that would require it but if they did then more then likely everyone in that company would require it.

If any kind of copy protection/security system put in place would be of little use would it make more sense to look at it from another angle.
Create a price structure for the user to choose at the start to best suit their needs and if the line gets fudged then accept it and move on.

Something like a 1 user licence, a company of 1-5 users licence, 1-10 users etc..

Is a serial number or similar authorisation a turn off for an end user or is it just excepted as the way of computers?

aidan_walsh

There have been few complaints when it comes to serial identification, but you recall the complaints that XP and Steam caused with their activation models. Mind you, I don't recall there being any fuss about Photoshop when Adobe adopted a similar model for CS, leading me to think that its an acceptable model for professional/specialist products. Flipside again, that might mean the arguments weren't as mainstream either...

In summery, I don't know But I'll ponder it some more.

ecksor

I think that a trial evaluation period and then require a license number to activate model might work for you here. Those sorts of models are hideously insecure really, but for an application that isn't going to be used on a large scale and isn't prohibitively expensive in a commercial environment, you may find that a small hurdle in the way is enough to prevent most if not all piracy.

Martyr

I agree with previous posts and would like to add that there
are applications available that would deter most crackers
from trying create key generators for your application..of
course, it will depend on how popular it is also.

Think of writing a serial routine based on some
MD checksum and fingerprint of host computer..like serial
of CPU or operating system, if its available.

You can also find some freeware PE compressors and
encryptors about here and there..might be worth a look.

http://www.protools.cjb.net/

aidan_walsh

Average Joe wrote:

Think of writing a serial routine based on some
MD checksum and fingerprint of host computer..like serial
of CPU or operating system, if its available.

This is what was causing the uproar over Steam and XP activation, because then you are limiting the software to use on only one machine, taking away the users freedom to use the software should you upgrade or need to use it on a second machine, e.g. a laptop.

Figment

I think ecksors suggestion of a trial evaluation period might work best.
Will also allow people to use and become reliant on it before the 30 days run out and they need to activate it.

Seems to be the best combination of ease of use and security.

Thanks for the replies guys.

Capt'n Midnight

Look at the AutoDESK network server app for AutoCAD.
This means you only have to authenticate the server. It then handles the licenses for the company - and can allow N concurrent users. It can also reserve licenses for specific users, and export licenses to laptops. The really cute part is that if the license on the laptop evaporates after 30 days if not renewed or released back in the office. This means you can work off site but can't steal the sw. Also cuts down on tech support from you cos the license does not have to be reauthenticated.

for big companies define terms like site and organisation , can a multinational buy licenses for everyone on the WAN or is it just per site and if so one of our suppliers considered sub offices within 5Km of the main site to be on the same site.

aidan_walsh

Capt'n Midnight wrote:

Look at the AutoDESK network server app for AutoCAD.
This means you only have to authenticate the server. It then handles the licenses for the company - and can allow N concurrent users. It can also reserve licenses for specific users, and export licenses to laptops. The really cute part is that if the license on the laptop evaporates after 30 days if not renewed or released back in the office. This means you can work off site but can't steal the sw. Also cuts down on tech support from you cos the license does not have to be reauthenticated.

I cannot find the words to express how fantastically brilliant an idea I think that is.

Capt'n Midnight

doodle_sketch wrote:

This is what was causing the uproar over Steam and XP activation, because then you are limiting the software to use on only one machine, taking away the users freedom to use the software should you upgrade or need to use it on a second machine, e.g. a laptop.

I really hate restrictive licenses, the worst being one service that if you renew after cancelling for a few years, back charges you for the time you wern't using it !!
IMHO since non-oem microsoft serial numbers prior to windows 98 meant you had a 1 in 7 chance of getting it right, I reckon the official policy was to kill off the competition first ( you can't undercut the zero cost of borrowed CD's ) and only when there was no competition to implement mechanisms to stop copying. Had they used some sort of activation/registration we could still have DrDos , PcDos , Dos 7 (the 32 bit microsoft version that was shelved because they wanted to force people to use windows 95) and apps like wordperfect (the Dos one) , Lotus, ami-pro etc. etc.


Also to be considered in licencing
, downgrade rights - do you force people to upgrade thier whole organisation when they go to buy extra licenses because the new version is incompatible with the old one or do you say "hey you can use an older version if you want but we won't be giving it as much support as a newer one."
Do you allow people to upgrade to the latest version at no cost or only if they subscribe or at a discount , or do you charge them full whack every time or stack the subscription price such that they pay for a new version every few years ?

will you release the code or sections of , or the data format or developers kit etc. will you charge extra for these ?

will you make many add ons and services and charge for each of them and then charge for a server license and then for client access licenses and then insist that they will only run on a specific platform (microsoft take a huge bow here - just how many licenses do you need to open an access database sent to you in an email ?)

As you can guess I really hate obtuse licensing terms and conditions.

aj3001

Right, I have just registered to post this so appreciate it!

If you make it so you need a serial, nothing personal but I doubt you will get it so its uncrackable, there are simple things like repeating "1234567" untill the serial number is reached and that works on older applications, you may suffer from this kind of problem, and if there is a full version available it can very easily find its way to p2p networks where other people can download it, so all you need is one person to buy it using fake credit card details and it can be open to the net.
Then if you do find another way you can get a security company like Paradox, Micro****, Red&Black making crackers to crack it on demos, you will never protect yourself, to be honest I know absoloatly no one with a version of Office 2003 that they have paid for, thats how bad the situation is

Capt'n Midnight

aj3001 wrote:

if there is a full version available it can very easily find its way to p2p networks where other people can download it, so all you need is one person to buy it using fake credit card details and it can be open to the net.
Then if you do find another way you can get a security company like Paradox, Micro****, Red&Black making crackers to crack it on demos, you will never protect yourself, to be honest I know absoloatly no one with a version of Office 2003 that they have paid for, thats how bad the situation is

did you read my previous post ?

I reckon the official policy was to kill off the competition first ( you can't undercut the zero cost of borrowed CD's

M$ are making sw harder to copy. But they haven't done much on the corporate volume licence keys yet.. It's not a technical issue, it's a marketing one.
Yes apps can be cracked, but it can't be done as casually as before so if a company is found with cracked apps then the BSA have a much better case ..

BTW: warze monkies using software that uses a different file format to the previous one eventually forces legit users to upgrade when they don't have to - so there is a financial and moral case against pirating regardless of what anyone thinks of the multinationals - also www.openoffice.org - if you are going to crack an app , the same effort could replace the need for cracks in the first place. White hat hackers don't crack !

[edit] you could require the app has internet access and have it dial home every so often with a hash of the HW keys used on the clients - if you were sneaky you would call it automatic updates and have the server app hang if it goes more than X time without an "update" - but then the customer could have a denial of service later on so probably not worth doing..

aj3001

Capt'n Midnight wrote:

did you read my previous post ?

Nope was too long, programs can be cracked in one of two ways:
Keygen
Crack

If you are using a keygen, it just makes a working serial key that you enter into the product and it works, a crack changes .dll files and stuff

And you cannot ensure the app has internet accses, without knowing the type of app, what happens if you run it on a computer that is not connected to the internet? They can still use it and no one is any the wiser

ecksor

aj3001 wrote:

Right, I have just registered to post this so appreciate it!

I don't know what we we did without you up to now.

If you make it so you need a serial, nothing personal but I doubt you will get it so its uncrackable

Nothing is uncrackable. If it was it'd be useless garbage since the information would have to have been destroyed. Even then we find that one way functions do get 'cracked'.

The target for this thread should be to find the most practical way to deter casual or systematic abuse considering the target market and price of the software. For this particular instance I think there's a lot of overkill solutions being thrown about.

there are simple things like repeating "1234567" untill the serial number is reached and that works on older applications, you may suffer from this kind of problem

figment is lucky in this regard in that I'll review his code against such problems for the princely sum of a pint of guinness next time I see him.

and if there is a full version available it can very easily find its way to p2p networks where other people can download it, so all you need is one person to buy it using fake credit card details and it can be open to the net.
Then if you do find another way you can get a security company like Paradox, Micro****, Red&Black making crackers to crack it on demos,

It easily can, but will it? I'd like you to present your reasoning from the scenario painted by the original poster rather than the generalisations about rife piracy on the Internet (which includes all sorts of software). Also, if it does, what is your recommendation for encouraging companies to pay for the software? Are you assuming 0% honesty amongst the relevant companies? 20%? 50%? 90%?

Anyway, the important calculation is: For an application that only has application in a specialist environment, how many situations can you cook up where it would occur to someone, let alone be economically viable, to try to warez something that is likely to have a rather low cost and will probably save a company time/money/hassle.

you will never protect yourself, to be honest I know absoloatly no one with a version of Office 2003 that they have paid for, thats how bad the situation is

Believe it or not, Microsoft do make money from office which suggests that there's light at the end of the tunnel. However, neither their products or their market is not even slightly comparable or relevant to this thread ...