
What's the Right Amount of Copy Protection? 561

WPIDalamar writes "I'm currently working on a piece of commercial software that will be available through a download and will use a license key to activate it. The software is aimed at helping people schedule projects and will be targeted mostly to corporate users. With the recent Windows Vista black screen of death, it got me thinking about what sort of measures I should go through to prevent unauthorized users from using the software. While I don't wish to burden legitimate users, I do want to prevent most piracy. How much copy protection is appropriate? Is it acceptable for the software to phone home? If so, what data is appropriate to report on? The license key? Software version? What about a unique installation ID? Should I disable license keys for small amounts of piracy, like when there's 3 active installations of the software? What about widespread piracy where we detect dozens or hundreds of uses of the same license key? Would a simple message stating the software may be pirated with instructions on how to purchase a valid license be sufficient?"
This discussion has been archived. No new comments can be posted.

  • None at all (Score:5, Insightful)

    by Ckwop ( 707653 ) * <> on Wednesday September 12, 2007 @05:19AM (#20569005) Homepage

    While I don't wish to burden legitimate users, I do want to prevent most piracy. How much copy protection is appropriate?

    This may not be what you want to hear but any copy-protection will burden legitimate users. Pirates will remove the copy protection from your software and the unprotected version they create will be more usable than the version you offer.

    It doesn't just hurt your customers, it hurts you too. The time you waste trying to create some copy-protection and losing the arms race with the pirates (which you will lose) is time you could have spent making your product better.

    The way to beat the pirates is to provide a better service to your customers than they do. The commonly advocated business model is to provide support on the software to paying users - and since your target is business customers this makes a lot of sense.

    Businesses, by the way, tend not to pirate on the scale of the private user. Piracy is a big risk to business because businesses have very deep pockets.

    In short, the answer is to have no copy protection at all and trust your customers. Trusting the customer is hard but they'll appreciate it.


    • Re:None at all (Score:5, Insightful)

      by JohnFluxx ( 413620 ) on Wednesday September 12, 2007 @05:35AM (#20569115)
      I disagree.

      In the work place, most people might enter a fake installation code for example, but won't go as far as to apply a crack. If the software requires you to apply a crack to use it, then I think most people at work will get their company to buy it. If it just installs anyway with just a small nag screen or something, then most people won't buy it.
      • Re: (Score:2, Informative)

        My recommendation would be Elicense or similar.

        With Elicense, you get an order ID. You enter that, it contacts their server and "unlocks" the software. You can choose how many installations are allowed as well. For example I have a few games that use it that come with two licenses, so you can run it on two computers. Another title only gives you one.

        The install is painless (it installs a license control service that in many years of using I've never had any sort of issue with), and it stops a LOT of piracy.
        • by aliquis ( 678370 )
          They better have an Internet connection then.

          I doubt they will love to phone or send snail mail.
          • by rucs_hack ( 784150 ) on Wednesday September 12, 2007 @07:02AM (#20569649)
            I doubt they will love to phone or send snail mail.

            Oh I dunno, that used to work in the seventies and eighties. What'd'ya mean that was years ago, eh? Come 'ere you young hooligan, say that again! Get off my Property!

            ZZZzzzzzzzz whut?
          • One of my first assignments was to configure a database for a product demonstration. I had to do it outside of my home country and the software/customer could not provide a connection to the internet to the server.

            One of the pieces of software required a connection to do its activation. No phone or snail mail supported. It was so backwards where we had a tech from the software company online and they didn't know how to activate the software w/o an internet connection. We had to wait for them to send us
        • Re:None at all (Score:5, Insightful)

          by FlyveHest ( 105693 ) on Wednesday September 12, 2007 @06:49AM (#20569545)
          So, in short you recommend using a piece of software, that installs another piece of software, that stays on the system after uninstalling the first piece of software (How else could it work, if you have multiple pieces of software that uses it?), and, as you say service, I assume it runs while the original piece of software is not.

          Even though you say that you have never had any problems with it, I would absolutely HATE using anything of the kind, and would actively avoid using any piece of software that uses that kind of activation.
          • Re:None at all (Score:4, Informative)

            by mce ( 509 ) on Wednesday September 12, 2007 @08:14AM (#20570139) Homepage Journal

            ... that stays on the system after uninstalling the first piece of software (How else could it work, if you have multiple pieces of software that uses it?), and, as you say service, I assume it runs while the original piece of software is not.

            You obviously have no clue what you are blabbering about. There is no reason whatsoever why you can't have multiple independent products protected by the same third party mechanism without linking said products together. I know, because I've done it.

            In short: Nobody interested in anti-pirating wants the licensing to be in a dedicated dll, since those are easy to locate, break, and replace. Licensing code should always be fully merged into a key component of the product you're protecting and as such be "invisible". That automatically means that you can have multiple copies of it that are not aware of each other and that are automatically uninstalled together with the product they protect.

        • Re: (Score:3, Interesting)

          by DarkMantle ( 784415 )

          I'm not familiar with ELicense but this sounds similar to what we used at a shop I worked at before.

          Basically the user entered a "product key" and then the system generated a "unique" install ID and contacted the web server for an activation number. What was cool with the one we used was if your product key was 1234-5678-0123-7890 then the first 5 (or 6 I don't recall) characters of the activation request was based on that product key was the same. The last half of the activation request was all hardware

          • Re: (Score:3, Insightful)

            I have registered a lot of shareware over the past decade and more. In fact, I have ended up with a whole CD-R that I label 'registered shareware' that has folders with all the shareware installers and the cd keys, license files, etc. that are collected with them.

            One of the things I will not do, and it's something that causes me to no longer consider registering or paying for a piece of software, is if it has one of the complicated 'validation' schemes like you describe. I will NOT run a piece of software
            • Re: (Score:3, Insightful)

              by fishbowl ( 7759 )
              >I have registered a lot of shareware over the past decade and more. In fact, I have ended up with a whole CD-R that I label 'registered
              >shareware' that has folders with all the shareware installers and the cd keys, license files, etc. that are collected with them.

              1. I've outlived more than a couple of developers, both in the sense that individuals died and that companies vanished. I may or may not ever use their software again, but that's my decision not theirs.

              2. I've used software in emulation
        • by Snibriloid ( 717827 ) on Wednesday September 12, 2007 @08:26AM (#20570261)
          Really, really bad marketing.

          So how do i get the creepy feeling that this guy isn't entirely honest, but actually an elicense marketing stooge?

          The install is painless (it installs a license control service that in many years of using I've never had any sort of issue with), and it stops a LOT of piracy.
          Err, yes. I have original software too, but somehow the companies failed to send me regular, detailed newsletters about the LOTS of piracy they stopped with their particular brand of DRM.

          It IS possible to "unwrap" the executable, but of all the Elicense protected software I've used, I've only ever seen one game cracked. (Ironically it is the most obscure of the ones I own.)
          Yeah, sure, I too make regular searches on the web for cracked versions of the originals i own, especially when the DRM is soooo good that i don't want a no-cd crack.
          And by the way, what are the multiple(!) games that haven't been cracked? I would really like to buy them, if only for rarity value. After all, in the whole history of mankind they are likely to be the only pieces of software ever that weren't cracked....

          I am vehemently opposed to DRM, copy protection, call it what you will, but I find Elicense extremely inoffensive due to it's ease of use.
          Yeah, i'm opposed to DRM but happy to install extra software on my computer that monitors me. But i am vehemently against everything else DRM-related, trust me.

          DRM should not impact legitimate consumers, and this one is the only one I've come across that has never caused me any sort of negative experience.
          Software where you have to enter a code ONCE is really a pain in the ass, believe me. But elicense is soooo easy to use, i have to mention it five times. Please buy our product.

          DRM-Companies, i beg you, if you let your marketing division run loose on slashdot, at least stop them from taking drugs. Thanks!

        • Re:None at all (Score:5, Insightful)

          by Ender77 ( 551980 ) on Wednesday September 12, 2007 @08:39AM (#20570407)
          Do you guarantee his business will be here in a couple of years? Do not put anything in where you have to contact somewhere to get a key/permission. If the company goes down and you have to reinstall the software, you are screwed.
          • Re:None at all (Score:5, Insightful)

            by walt-sjc ( 145127 ) on Wednesday September 12, 2007 @09:48AM (#20571441)
            Bing bing. Give that man a dollar.

            Working in a larger environment, the ONLY software we allow ANY kind of phone-home / activation shenanigans is from large vendors that have a proven business record - you know they will be around tomorrow / 3 years from now. Not thrilled about it in any case, but we will deal.

            Any smaller vendor is required to put source code in escrow for any such eventuality, and none of that activation crap. We need to be able to move software from one machine to another without someone's blessing in order to handle EOL replacement, swapping out failing hardware, etc.

            • Re:None at all (Score:4, Insightful)

              by TClevenger ( 252206 ) on Wednesday September 12, 2007 @04:44PM (#20578839)
              Broderbund has done this both with Print Shop and American Greetings CreataCard. My wife has a Creatacard installation CD that is worthless, because they've shut down the activation server [], and there's no other way to activate the software. In fact, Broderbund's tech support site [] says that reinstallation from the disc is not possible.

              Activation sucks--Broderbund ripped off a paying customer.

        • by Digital_Quartz ( 75366 ) on Wednesday September 12, 2007 @08:41AM (#20570423) Homepage
          If your target is business users, this sort of "phone-home product activation" scheme is going to cause you and your customers a lot of grief. The install might be "painless" on someone's home computer (assuming the someone isn't ethically opposed to product activation), but it won't be in a corporate environment, where your product may have to traverse a proxy server (or even an authenticating proxy server) to reach the internet.
      • Re:None at all (Score:5, Insightful)

        by xtracto ( 837672 ) on Wednesday September 12, 2007 @06:17AM (#20569347) Journal
        If it just installs anyway with just a small nag screen or something, then most people won't buy it.
        I agree, you just have to see the hundreds of computers I have seen in several different government offices that use WinZip, they invariably show the startup nag screen telling you how many thousands of files have you compressed and asking you to buy it... of course, you just have to click the continue button and keep using it..
        • Re: (Score:3, Insightful)

          by daeg ( 828071 )
          If WinZip had forced purchases, I doubt it would have become so pervasive. Out of the many millions of installations of WinZip, few probably purchase the software.

          Also remember, I think people tend to pay more willingly for obscure or specialized software. I don't buy WinZip (or WinRar) because I find them to be basic utilities. If I didn't use WinZip, I could just as easily use some other compression utility and be just as happy. However, I'll drop $25 for a well-built, quality SQL browser/editor. Why? It'
    • Some copy protection stops the casual pirate. The people who don't know much about computers and may email your app to friends.

      But using dongle protection is pretty stupid, especially when in some cases it cripples performance (Steinberg's use of dongle copy protection on Cubase has been rumoured to do that).
      • and you can easily get a cracked copy of Steinberg's Cubase.
    • Re:None at all (Score:5, Interesting)

      by lukas84 ( 912874 ) on Wednesday September 12, 2007 @05:48AM (#20569179) Homepage
      I disagree, even though just on a tiny bit.

      Businesses tend to purchase software they need, yes, but extending of software licenses is often overlooked.

      e.g. they buy 5 licenses of your software. A year later, a team member is added to the team using said software. Now there are 6 users. Over time, many more people than the original number of licenses will use the software.

      This doesn't happen in all Businesses, but the smaller the more often.

      A good idea would be to add "soft activation". This means customers have to activate your software, and the number of currently active machines counted. Deactivating machines should be running a simple tool that removes the software and decrements the activation count on the server. Activation should never fail (even if the activation server is unreachable), but the customer should be reminded if he is running unlicensed software. This way, you can make sure that users don't mistakenly use too many licenses.

      Criminal elements will of course find ways around this, so i wouldn't bother with making the activation process very secure - it's essentially just a license counter for your honest customers.

      • Re:None at all (Score:5, Insightful)

        by arth1 ( 260657 ) on Wednesday September 12, 2007 @06:36AM (#20569485) Homepage Journal

        A good idea would be to add "soft activation". This means customers have to activate your software, and the number of currently active machines counted. Deactivating machines should be running a simple tool that removes the software and decrements the activation count on the server. Activation should never fail (even if the activation server is unreachable), but the customer should be reminded if he is running unlicensed software. This way, you can make sure that users don't mistakenly use too many licenses.

        Any system that requires an active deactivation through a tool on the machines where it is installed is badly designed, because the host might not be available for deactivation. If a PC dies, and is replaced with a new one, you can't deactivate the old installation. Similarly if a PC is restored to a point before the installation occurred -- then it's impossible to deactivate. (This is part of what bit the Biosphere users -- some people installed the software, ran into problems, and rolled back to pre-install, and tried again.)

        Plus, then you have a potential loophole in that people can install on one machine, back it up, deactivate, install it on a second machine, et cetera, and then restore all the backups, and you have a park full of activated copies.

        The only sensible approach that I can see for large scale installations is to count concurrent usage through a network server or appliance, and bill according to peak usage. Anything else is going to create a headache for the admins who have to deal with broken machines and reinstalls on a daily basis, and can't reasonably be expected to hang over people's shoulders to count who is using software either.
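A seat counter in the spirit of the two comments above: it never refuses to run (the "soft activation" idea) and needs no deactivation tool, because a seat is a lease that lapses when a machine stops renewing it. This is an added example, not any poster's code; the lease/heartbeat mechanism, the 10-minute lease lifetime and every name in it are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrUnreachable stands in for any network failure seen by the client.
var ErrUnreachable = errors.New("license server unreachable")

// Status is the server's answer to a heartbeat.
type Status struct {
	Active    int    // seats in use right now
	OverLimit bool   // more seats in use than were bought
	Reminder  string // text for the client to show; empty when within limit
}

// SeatCounter counts concurrently running installations (hypothetical type).
type SeatCounter struct {
	mu       sync.Mutex
	licensed int
	ttl      time.Duration
	leases   map[string]time.Time // install ID -> lease expiry
	peak     int
}

func NewSeatCounter(licensed int, ttl time.Duration) *SeatCounter {
	return &SeatCounter{licensed: licensed, ttl: ttl, leases: map[string]time.Time{}}
}

// Heartbeat is called by a running installation at start-up and periodically
// afterwards. It never refuses a seat; it only counts and reports.
func (s *SeatCounter) Heartbeat(installID string, now time.Time) Status {
	s.mu.Lock()
	defer s.mu.Unlock()
	// Drop leases that were not renewed. A dead or rolled-back PC frees its
	// seat this way, with no deactivation tool and no admin action.
	for id, expiry := range s.leases {
		if !expiry.After(now) {
			delete(s.leases, id)
		}
	}
	s.leases[installID] = now.Add(s.ttl)
	active := len(s.leases)
	if active > s.peak {
		s.peak = active
	}
	st := Status{Active: active, OverLimit: active > s.licensed}
	if st.OverLimit {
		st.Reminder = fmt.Sprintf("%d copies are running but %d are licensed; "+
			"please ask your administrator to add seats.", active, s.licensed)
	}
	return st
}

// Release is the optional clean-shutdown path; correctness does not depend
// on it ever being called.
func (s *SeatCounter) Release(installID string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.leases, installID)
}

// Peak is the highest concurrent count seen, the figure peak-usage billing
// would be based on.
func (s *SeatCounter) Peak() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.peak
}

// StartupNotice is the client-side rule: a server error never blocks the
// program and never shows a warning; otherwise show whatever the server sent.
func StartupNotice(st Status, err error) string {
	if err != nil {
		return ""
	}
	return st.Reminder
}

func main() {
	// Constructed scenario: 2 seats bought, pc-1 dies and is replaced.
	t0 := time.Date(2007, 9, 12, 9, 0, 0, 0, time.UTC)
	s := NewSeatCounter(2, 10*time.Minute)
	s.Heartbeat("pc-1", t0)
	s.Heartbeat("pc-2", t0)
	st := s.Heartbeat("pc-1-replacement", t0.Add(5*time.Minute))
	fmt.Printf("while the stale lease lives: %+v\n", st)
	s.Heartbeat("pc-2", t0.Add(9*time.Minute))
	st = s.Heartbeat("pc-1-replacement", t0.Add(11*time.Minute))
	fmt.Printf("after pc-1's lease lapsed:   %+v (peak %d)\n", st, s.Peak())
}
```

The backup-and-restore loophole raised in the comment does not apply to this design, since a restored copy has to keep heartbeating to hold a seat and is counted like any other running installation.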
      • Taking this just a little further, rather than having an uninstall routine that then contacts the vendor/server and frees the license (like Adobe Acrobat and others now do which is a PITA if a hard disk gets corrupted), have a license file on the server that allows for a set number of concurrent users (like Autodesk's License Manager).

        You then can simply make the installation part of the standard build (if necessary), although you may get the problem of someone forgetting to log out of the software hogging a
    • Re:None at all (Score:5, Insightful)

      by struppi ( 576767 ) <struppi&guglhupf,net> on Wednesday September 12, 2007 @06:00AM (#20569247) Homepage

      Good points, but I can not completely agree with you. I personally never found it much of a burden to enter a license key. Even a one-time online activation is OK IMHO as long as it's painless. And I can understand why software companies put these measures in, not to stop pirating at all, but to keep the honest people honest.

      I know that piracy is not so much of a problem when it comes to businesses, but consider the following: A company purchased 50 user licenses of a product, but the product has no copy protection whatsoever. Probably the people in charge won't even notice if more than 50 employees install the software - at least not in the companies I have worked so far. OTOH, if this software would have told the 51st user "Your company has no more licenses for you to install the software. You can use this program for another 30 days, but please contact your system administrators to buy a license for you", the company probably will buy another 20 licenses.

      So, IMHO, one-time activation is OK if it doesn't get too much in my way, but phoning home at every start or some annoying procedure like the Vista phone activation (I went through that once - took me more than 1.5 hours to activate a copy of Vista) is not OK.

      • by Leebert ( 1694 )

        I personally never found it much of a burden to enter a license key.

        Spoken as a person who has apparently never lost a license key.
    • Re: (Score:3, Interesting)

      by jamesh ( 87723 )

      In short, the answer is to have no copy protection at all and trust your customers.

      It depends on how the product is distributed. If it's downloadable then I think a one off registration key is probably a requirement - it doesn't have to be very complex, just a step so that people won't download the product and not get around to paying you.

      I'm all for trusting people not to be intentionally dishonest, but I think you'd go broke trusting people not to be slack.

    • by porkchop_d_clown ( 39923 ) <> on Wednesday September 12, 2007 @07:30AM (#20569813) Homepage
      So, by way of example, I wrote an un-copy-protected software package and released it as "guiltware" - I asked them to click on the paypal link and make a donation to MDA through me. 5 years on, I know people are still using it because I get help requests.

      But not one person ever, ever, ever clicked the link.
    • Re: (Score:3, Interesting)

      by teh moges ( 875080 )
      I've always considered the best method is a combination of none and some. Have a license key that activates the program. Link the license key to the purchaser. If >x licenses are activated, notify the purchaser. If they didn't know about it, void their last serial number and give them a new one. If this happens too many times (like twice), stop issuing new serial numbers.

      This removes the problem of false negatives (since all activations count) and eventually copied serial numbers will be found as the
    • Where do you work? A Deli? 1996?

      You run cracked software on a workplace PC here in 21st Century Corporate America, you'll be lucky to get away with a strictly worded warning. Get caught again and your employment will be terminated for sure.

      On the other hand, install some nice new DRM-free software in the corporate workplace and wave it around enough and it will get copied and brought home by hundreds of non-paying users.

      The answer to the man's question lay in just exactly how good and unique his software i
  • Just like any kind of DRM. Dedicated individuals will find ways around it and likely have some fun in the process. Cracking copy protection is practically a game to a lot of people who will never even use the software. The only people who will be inconvenienced are the people willing to pay for the software.
  • Don't phone home (Score:5, Insightful)

    by Anonymous Coward on Wednesday September 12, 2007 @05:26AM (#20569043)
    Use a license key, make constant improvements to the product and each new version needs a valid key, disable disclosed keys in new versions.

    To use your product a pirate would either have to settle for an old version, or constantly get a new hacked version and new hacked keys. It's enough to eventually get them to be legal.

    Remember if you make your product hard to use with lots of negatives like phoning home, then you'll learn the lessons the Record companies are learning. Nobody is bigger than their customers.
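The scheme in the comment above (a key checked locally, each major version needing a valid key, disclosed keys disabled in newer builds) can be sketched as follows. This is an added example, not code from any poster; the Ed25519-signed key format, the binding of the key to a purchaser name, and the names `License`, `Build`, `Issue` and `Verify` are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// License is what the vendor signs: the purchaser's name, a serial that can
// be blacklisted later, and the highest major version the key unlocks.
// (Hypothetical format for this example.)
type License struct {
	Name     string
	Serial   string
	MaxMajor int
}

var (
	ErrFormat    = errors.New("malformed license key")
	ErrSignature = errors.New("signature does not verify")
	ErrName      = errors.New("key was issued to a different name")
	ErrRevoked   = errors.New("key was disclosed and is disabled in this build")
	ErrVersion   = errors.New("key does not cover this major version")
)

var b64 = base64.RawURLEncoding

// newVendorKey creates the signing key pair. Only the public half ships in
// the product, so extracting it from the binary does not allow minting keys.
func newVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Issue runs on the vendor's side at purchase time.
func Issue(priv ed25519.PrivateKey, l License) string {
	payload := []byte(l.Name + "\n" + l.Serial + "\n" + strconv.Itoa(l.MaxMajor))
	return b64.EncodeToString(payload) + "." + b64.EncodeToString(ed25519.Sign(priv, payload))
}

// Build is the data compiled into one release: the vendor's public key, the
// release's major version, and the serials known to be disclosed at ship time.
type Build struct {
	PublicKey ed25519.PublicKey
	Major     int
	Revoked   map[string]bool
}

// Verify checks a key entirely offline; nothing is sent anywhere.
func (b Build) Verify(key, enteredName string) (License, error) {
	parts := strings.Split(strings.TrimSpace(key), ".")
	if len(parts) != 2 {
		return License{}, ErrFormat
	}
	payload, errP := b64.DecodeString(parts[0])
	sig, errS := b64.DecodeString(parts[1])
	if errP != nil || errS != nil {
		return License{}, ErrFormat
	}
	// Check the signature before trusting any field of the payload.
	if !ed25519.Verify(b.PublicKey, payload, sig) {
		return License{}, ErrSignature
	}
	fields := strings.Split(string(payload), "\n")
	if len(fields) != 3 {
		return License{}, ErrFormat
	}
	maxMajor, err := strconv.Atoi(fields[2])
	if err != nil {
		return License{}, ErrFormat
	}
	l := License{Name: fields[0], Serial: fields[1], MaxMajor: maxMajor}
	switch {
	case !strings.EqualFold(strings.TrimSpace(enteredName), l.Name):
		return l, ErrName
	case b.Revoked[l.Serial]:
		return l, ErrRevoked
	case b.Major > l.MaxMajor:
		return l, ErrVersion
	}
	return l, nil
}

func main() {
	pub, priv := newVendorKey()
	// Constructed sample data: one customer, one key, two builds.
	key := Issue(priv, License{Name: "Example Corp", Serial: "S-1001", MaxMajor: 2})
	shipped := Build{PublicKey: pub, Major: 2}
	update := Build{PublicKey: pub, Major: 2, Revoked: map[string]bool{"S-1001": true}}
	_, err := shipped.Verify(key, "Example Corp")
	fmt.Println("build shipped before the key leaked:", err)
	_, err = update.Verify(key, "Example Corp")
	fmt.Println("update shipped after the key leaked: ", err)
}
```

The check stops shared and generated keys, not a patched binary: anyone who can modify the executable can remove the call to `Verify`, which is the limit several posters in this thread point out.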
    • It's enough to eventually get them to be legal.

      Bzzzzt! Right answer, but not in the way you are thinking. If the price isn't right, the anti-piracy stuff making it difficult does get them to be legal. Often getting legal is simply using a competitor's product.

      When MS Office started introducing copy protection and CD Keys (early versions of Works didn't use a CD key), I moved to Star Office by Sun Microsystems. Now I am almost completely on Open Office on Ubuntu and Freespire. The days of picking up a p
    • Agree, this may be the best balance of protections I've seen so far. It doesn't intrude on the OS or anything else running on it at all, and doesn't require a functional Internet connection. Phoning home is among the worst ways of doing it, as you introduce so many points of failure -- someone not being connected, or maybe even your own license servers having problems.
  • by gunne ( 14408 ) on Wednesday September 12, 2007 @05:28AM (#20569069) Homepage
    Prompting for a license key upon installation could be ok, since most users are used to that hassle anyway (though it's still a hassle).

    "Phoning home" should never be done. Keep in mind that internet connection isn't flawless, sometimes it doesn't work for one reason or another, and would you really want to get a bunch of angry customers mailing/calling you when the software won't work/install because their internet connections went down for a while.
    On top of that, if your main user base is business users, most of them will sit in a protected environment which probably won't let your program phone home even if it tries.

    This is just an aside from the real problem with programs "phoning home", though. Integrity and privacy should not be taken lightly.
    • by burnttoy ( 754394 ) on Wednesday September 12, 2007 @05:53AM (#20569209) Homepage Journal
      Spot on - I know plenty of people who use PCs (usually laptops) in their music and/or art studios who never connect those machines to the internet... EVER! The muso types will often strip back everything on a PC leaving a bare OS + drivers + sampler/sequencer + ASIO drivers. It's all they need and they believe they get better performance and more security without it.

      I also know, and have worked for, companies where information is so secret (mission critical biz stuff or military) that you have to use a provided laptop in a room with no windows that's shielded from radio waves... paranoid, yes, but "phone home" software is simply not an option in that case. Also, no phones were allowed in that room so manual "phone home" wouldn't have been possible.

      Also, some of us are so paranoid that we don't let anything in/out of our firewalls except our browser application. Mind you, I can still use the interweb and I've never been trojan/virused... except this damn cold I seem to have but I can't blame the internet for everything!
      • It's all they need and they believe they get better performance and more security without it.
        s/they believe //
    • If your app requires an Internet connection or can die if it can't phone home, my experience has been that the user will often go out of his way to find a pirated version which doesn't have that annoyance. When it comes time to upgrade, the user then thinks, "Hmm, that pirated version worked pretty well last time. Do I really want to pay for an upgrade when I'm just going to be downloading the pirated version again?"
    • On top of that, if your main user base is business users, most of them will sit in a protected environment which probably won't let your program phone home even if it tries.

      My home LAN hands out DHCP addresses that are blocked at the router. It is one of the few things I do to keep leeches off the wireless by dropping them in unroutable space. Only machines with a proper static address can get through the gateway. This has caused problems with many software packages that phone home before permitting you to
  • by Draconix ( 653959 ) on Wednesday September 12, 2007 @05:30AM (#20569085)
    A license key is enough to discourage the casual pirate (custom encryption and multiple variables helps, such as name + password instead of just password) while, from my experience, not being enough to discourage regular users. Entering a key once and not worrying about it ever again is normal enough, and not bothersome. Going beyond that is asking for some glitch to cause legit customers to be calling you up to ask what the hell just caused their copy of your software to invalidate, or why they can't install it on their new computer, etc. Most importantly, it will also encourage people to crack your protection, thus making the pirate version more appealing to the end user.
    • by jamesh ( 87723 )
      I agree completely, and would also add that by releasing updates (with new features) often, you'll also avoid the pirates somewhat, and give paying users a sense of value for money (assuming they are entitled to free updates). It doesn't take long to break a registration key system (I used to do it when I was a kid on games I owned so I didn't have to futz around with code wheels which invariably got lost or wrecked), but it does require some effort, and to have to do it every 3 or 6 months is a bit of a pa
  • by dargaud ( 518470 ) <slashdot2@gdarga[ ]net ['ud.' in gap]> on Wednesday September 12, 2007 @05:37AM (#20569123) Homepage
    I worked with equipment that was 3000+km and 10 months away from the closest internet connection, so anything that requires a net-activated key is an absolute no-no. We are still using Win2K for that purpose, and more Linux all the time (although you have to select a distro that won't try to download itself all over again once a week).

    You don't need to go this far: I spent the last 3 weeks on the road with my laptop: Matlab ceased to function as soon as the license key manager got out of touch of the license server. I hate that macromedia shit.

    • by nietsch ( 112711 )
      [quote](although you have to select a distro that won't try to download itself all over again once a week)[/quote]
      Showing your lack of skills are you? Some distros might include a desktop program that reminds the user that there are new updates available. If it can't find any repository (or you create a cdrom repository), it can never find any updates so it won't bother you. Just turning off the nagging program works too. Was it too hard to figure that out yourself?
    • matlab is from mathworks not macromedia and i'm pretty sure you can get nodelocked licenses that don't require a license server. If you really need matlab on the road then your company shouldn't have bought a floating license for you.

      Windows XP corp and big brand OEM don't need activation either and even whitebox OEM and retail can be phone activated.
  • by pla ( 258480 ) on Wednesday September 12, 2007 @05:38AM (#20569125) Journal
    Is it acceptable for the software to phone home?

    As a member of a small corporate IT department, I can tell you that (except for Microsoft itself), software phoning home for anything other than updates means instant banning of your product.

    If so, what data is appropriate to report on? The license key?

    If you insist on going down that path, what information would really help you reduce piracy? Keep in mind that, merely during the initial evaluation of your software, the same license may get used a dozen times without any intended piracy... "Yup, works on XP. Yup, works on 2k... Oops, blows a gasket on 98... Doesn't seem to like server versions...".

    Should I disable license keys for small amounts of piracy, like when there's 3 active installations of the software? What about widespread piracy where we detect dozens or hundreds of uses of the same license key?

    That gets tricky... IANAL, but only the big boys like Microsoft can get away with that BS. If you try it, you should probably prepare to get sued.

    Now, you do have one chance to block it - At installation. Even I'll allow (grudgingly) most products a one-time online activation. If at that time you deny activation and give an EASY way to contact you to resolve the problem (you can expect them to lie, and should probably just give them a new code, but it might serve as a reminder to the users that they shouldn't make too many more copies), okay, fair game. After-the-fact, though? You'll just piss legitimate users off.
  • Code Wheels (Score:5, Funny)

    by ameoba ( 173803 ) on Wednesday September 12, 2007 @05:43AM (#20569151)
    I've been waiting for code-wheels to make a comeback.
    • Ahh the good old days, when you had to take the weird paper rivet from between two sheets of card and photocopy them so you could play your pirated (*snigger*) copy of Monkey Island 2.

      I quite liked the copy protection in Sam and Max Hit the Road, where there was a picture of Sam and Max in fancy dress on each page of the manual and the game asked you to dress them on screen to match page X of the manual. Maybe this guy could take a load of photos of himself in different fancy dress outfits and put them o
  • by clickety6 ( 141178 ) on Wednesday September 12, 2007 @05:43AM (#20569155)

    Have each copy personally delivered(*) to the client and you will find that they never pass on copies and will faithfully purchase every upgrade you make available.

    (*) Personal Delivery service to be carried out by Marco and Guido who have their own, very smart uniforms (Gucci suits, dark glasses) and will also provide their own baseball bats. A personal message from you to the client will also be delivered with every copy of the software with a reassuringly soft, menacing undertone. Contact Marco and Guido DRM(**) Services on 555-NO-REFUSAL.

    (**) DRM = Delivery with Real Menace

  • Do unto others (Score:3, Interesting)

    by TheLink ( 130905 ) on Wednesday September 12, 2007 @05:44AM (#20569157) Journal
    As you would have them do unto you.

    FWIW, I think license keys are fine. But phoning home is not a good idea.

    If you can link a license key to a mailing address or email address then that's good (could be yahoo mail doesn't matter - it's a matter of getting some stats).

    If you're planning to have future versions of your software then you might as well decide on how upgrades and patching is to be done - key upgrades, discounts etc :).

  • Companies usually don't apply cracks. At least not anymore in this climate of "we sue the pants off you if you crack our shit". But they care about productivity.

    What I would do is this: Have your software, upon installation, create a keyfile. This file can be saved and, should a reinstall be necessary, be reapplied to the software. That way, you can request that your user enters a few key pieces of information about himself upon installation, even a lot, because he will only do it a single time. This keyfile can th
  • by otter42 ( 190544 ) on Wednesday September 12, 2007 @05:48AM (#20569181) Homepage Journal
    Who was it that said to always make sure to leave a spot in the fence where children could sneak through? P.T. Barnum, perhaps? The point is, people used to understand and accept that a certain amount of "losses" will occur, and that sometimes these "losses" are in fact good for profits, by driving more paying customers to the business. It's only recently that we've evolved the technology and capabilities to ensure that EVERY person gets charged for EXACTLY what they consume. As if we could even know that for sure...

    Don't apply macro-laws (movement of fluids) to micro situations (individual molecules in a fluid). Focus on the macro violations-- widespread corporate use without a license-- but let the little people slip through the cracks. Those of us who install and forget, and never really get much use out of the program anyway, are very unlikely to buy the program in the first place.

    Explaining to people how to pirate but appealing to their goodwill might go a little far, though. I would report only the serial numbers used in the registration, along with the IP address that contacts your server (not the IP address of the machine itself). The rest of the information is None Of Your Business (TM). Try to find a happy medium between accepting a couple copied serial numbers in the wild, and noticing that a large number of computers coming from similar IP addresses are using the same serial number.

    Definitely do NOT disable the program if it cannot phone home. I *hated* that about Bioshock, when my crappy firewalled network made it almost impossible for me to activate the software. Since you're aiming at corporate networks, you're certain to have lots of people with this problem.

    Good luck with it.

    PS: What are the current laws on downloading a program and using a serial number to unlock it? We all know that EULAs have yet to be proven in court, with many cases existing that both support and reject EULAs. So is there a clear case where it's illegal to use a serial number to unlock freely given content?
  • Any copy protection will affect legal users.

    Short and simple, that's it, take it or leave it. If you want copy protection, you must understand that you cannot "hide" it from legal users.

    As for the right amount... it all depends on the situation.

    Since you are going for businesses which would have multiple installations; make it centralized. Make a small central "activation" server app that all installations contact at some interval and manage all registration from there (just use single multi-seat keys or so
  • If I was really worried, then I'd skip the hassling of customers, and instead try to gather data on whether there is any real piracy going on. For example, let the setup program phone home and log itself as a unique installation. You can even skip the license number then. Of course, if the phoning home fails, it fails quietly. No one should need an internet connection to install the software. And if the software is denied an internet connection (by means of a firewall for example) the installation should succ
  • The key is to make the protection a slight annoyance/reminder to the user (but not enough that stops them using the software), but not worth the effort for a cracking group to spend time ripping it out and distributing it.

    The best example I can think of is Windows Commander, which is a program I both use and love. It has a nagware screen each time you start it up, but otherwise functions fully for free. I did actually buy it, as it's a great program, but I found that out by usi
  • As you say it's "targeted mostly to corporate users", you don't need any software locks. Just a simple serial number activation. Doesn't matter if it's easily cracked or shared. That market doesn't use cracked software. It may irritate you to see it traded on warez groups, but none of them will actually use it, even if it were free. Don't use sneaky phone-home tricks, but you can be up-front and have a default option to check in, for the purpose of seeing if there are any updates, but of course at the same
  • by Ash-Fox ( 726320 ) on Wednesday September 12, 2007 @05:58AM (#20569239) Journal
    The only copy protection you need is something to detect you're inserting a disc/disk into the system, then have a black guy which raps with artificial intelligence to interact with the user.
  • You don't need any copy protection if you're after corporations. Why?

    1. Corporations are terrified of the Business Software Alliance.
    2. Corporate IT departments have an incentive to search the company for unlicenced software - it gives them something to do. Licence compliance is a nice, simple, easy-to-explain and wonderfully time-consuming activity. It provides a marvellous way for the IT department to justify its own existence and be seen to be busy bees.

    So, just let them get on with it. All you have to d
  • If you have any kind of marketing and sale infrastructure at all, you have nothing to worry about. No company in its right mind will allow software piracy on its premises, especially not for the benefit of the company. Don't bother with anything fancy; just give your prospective users an easy hoop to jump through. The more red tape and annoyance you add, the less likely you are to gain customers.
  • A few vital pointers: First of all, I'd recommend using a serial as the core method for authenticating your software. Preferably a key somehow based on the name & e-mail address should be used, having your name on "the record" is a deterrence to casually releasing the key on the net. I do not know if you plan to offer a "trial/demo" functionality (something I'd recommend, as try-before-you-buy is always good) but if you do then I'd suggest an additional "hardware-fingerprint-hash", displayed when he in
  • BUT. You should provide benefits for registration and you should let people know clearly that they are using unregistered software, and that you know.

    Why is the right amount none? I don't believe that we were unique when (in a past life) on removing copy protection on our software, our sales grew by about 20%.

    I think people want to test software before they pay for it, and copy protection stops them from using a try-before-you-buy approach. I think that most people who can afford the software and who think
  • Assuming that your program manages to differentiate itself from the 255 million other software programs that do that exact same thing, the answer to your question is none.

    If the piracy community wants your software for free and considers it worth having, then they will have it. You can't do anything about it. Ask Apple or Sony or Microsoft about how much money they spend protecting their software from piracy. Ask the 16 year old kid from New Jersey how many episodes of Pokemon he had to miss to destroy t
  • by Peeteriz ( 821290 ) on Wednesday September 12, 2007 @06:16AM (#20569341)
    "While I don't wish to burden legitimate users, I do want to prevent most piracy."

    This will not happen. Cracks for very heavy-handed measures will be available to exactly the same people in exactly the same ways as cracks for a simple serial-number check on installation, ergo a simple serial-check will get you 99.9% effectiveness of any other software system.

    The only things I have seen that seem to work are the hardware usb-dongles; the earlier ones were cracked but the new versions seem to be quite safe. (but they cause a number of other issues and don't qualify as non-intrusive).
  • The license key I entered was "unoriginal", and the software knew.

    I believe it said something like: "You do not wish to pay me for this software huh? Well, fine. But please then donate some money to UNICEF."
    And the software continued to work with that code.

    I liked that. Some people can't afford to pay for each bit of software, but still need it. It shouldn't be made easy for those people, but it shouldn't be impossible either. One day they'll pay.

  • Know thy customer (Score:3, Insightful)

    by Minupla ( 62455 ) on Wednesday September 12, 2007 @06:23AM (#20569379) Homepage Journal
    Consider your potential customer:

    You're writing project management software, so we're probably talking 150-200+ employees. Companies of this size are going to have some sort of security policy in this day and age, and potentially (depending on your market segments) may be on closed (meaning no or extremely limited external internet access) networks.

    There's a good chance at the low end of your customer base that they will have some variety of managed software push in place where IT pushes down software and licenses to the workstation users, and it's almost a certainty at the high end of project management using companies (my primary contract fits into this category, and uses centrally managed software).

    I'd therefore recommend a model that allows for central licensing, preferably with no need for IT management to install a license server (lower barrier to entry for your application) and does not need to phone home. I'd suggest a license key mechanism with an optional ability for volume licensees to share a single license database via a network connection.

    Will it be hacked? Yep, naturally (but you sound like you're clued enough to have worked that out without my help) but you're trying to keep honest people honest here. Let's face it, do you really care if you have one or two users install it for free at home to hone their skills if you just sold 500 licenses to the multinational who employs them?

    Large organizations have busy IT depts who appreciate it when software developers make their lives easier. Having an IT dept pushing your software over your competitors can only be perceived as a good thing, so take advantage of it! IT can put up very effective roadblocks if they perceive you as making their life more difficult and impeding things such as system imaging. The last thing you want to be is branded "incompatible with our environment" by your customer's IT dept.

  • How much copy protection is appropriate?

    Define 'appropriate', and you will have your answer immediately.

    If you want to maximize immediate profits at all costs, use the most powerful copy-protection you can - phoning home, disabling suspect keys even at the cost of inconveniencing paying users, etc. etc.

    If you believe the project has long-term possibilities, then you need to start worrying about pissing people off. Don't phone home. Minimal product activation once at installation.

    If you believe th

  • FLEXlm (Score:3, Informative)

    by Colin Smith ( 2679 ) on Wednesday September 12, 2007 @06:29AM (#20569425)
    License management software. Very common.

  • I can just see the grin on the editor's face as they noticed this one...
  • Since you are talking about corporate software, I don't think any copy restriction measures are needed at all. In fact, make the full uncrippled version downloadable freely for personal/evaluation use. Of course charge $$$ for full licenses and "support". Companies need the ability to evaluate software before buying, do not want to be encumbered by crazy copy restrictions, and they almost always will pay for the software because they always have to have "support".

    Oracle lets you download much of their softwa
  • What to remember (Score:2, Interesting)

    by rjwoodhead ( 112122 )
    As a veteran of the first copy protection wars, let me give you one simple insight that should guide you:

    "Thieves don't buy"

    Software thieves will not pay for your software, no matter how much you lock it up. If they can't get a cracked copy or code, 99.44% of them won't use it. It doesn't matter if they still live with their parents, or are the CEO of a big company; thieves don't buy.

    Thus, you must tailor your strategy towards supporting your non-thief customers, while minimizing the parasitic cost of the
  • The problem with digital media; it's digital and can be reproduced and transferred easily. Non-standard CDROM formats are just as ill fated as the physically damaged floppy sectors of the early 90's. The spell books for entering RPG games were easily xeroxed or scanned, and anyone that can trace a program through softice, or ida, can circumvent dongles and just about anything else. Copy protection is a false sense of security that will cost you a lot of money. There are plenty of snake-oil salesmen out t
  • by 15Bit ( 940730 ) on Wednesday September 12, 2007 @06:51AM (#20569567)
    Any level of copy protection is an inconvenience to the end user:

    1. Install keys are a pain, but we're all used to them now and we accept them. Very few users send the software back or refuse to upgrade just because of install keys.

    2. Phone home activation is a bigger pain. It gives you some control but can cause headaches for the customer's IT dept. It can also make cracked versions more appealing, and makes non-internet connected computers impossible to activate. In general though, it is acceptable if it's a once only affair. However, regular phone-home checks are more than enough to sway the purchasing decision against your product.

    3. Locally installed license servers can be a pain, but they offer both you and the end user complete control over what's going on. They do represent an initial setup hurdle, but after that they offer considerable flexibility in that the end user can install your software on all the computers on their system and then there is a limit applied on how many clients can run at any one time. Your customer can then buy a small number of licenses and upgrade to more if necessary. Obviously this still needs the customer to have a decent internal network, but not necessarily internet connected, which is an issue in some places.

    4. Hardware dongles are just a menace and a guaranteed way to drive your customers away.

    At the end of the day I think you need to evaluate how important your software is to your customer. If it's critical, and they have no alternative, then you have the option of going the Microsoft route and pissing them off as much as you like cos they need you more than you need them. This may come back to bite you in the arse.

    If your software has little or no value to the home user (i.e. they have no use for it or wouldn't pay for it anyway) then you can probably get away with just a license key activation cos business customers tend to be a little more honest by nature. This also makes your product appealing to small companies cos they can buy one license (so they feel honest) and use it on 3 or 4 computers. This *is* technically "stealing", but you've still sold one more copy than you might have done.

    If you really want to have total control, and you think your customers will accept it, then the license server is a good choice. Your sales people should be able to dress it up as a convenient way for the IT staff to manage their licenses and if some sort of phone home is needed then only one hole needs to be drilled through the firewall. In future revisions you could also expand its role into an update server or something.

    It is possible to do some mix and match. For instance, Intel distribute the free versions of their C++ and Fortran compilers with both a phone home activation code AND a license key file. I find this to be quite convenient (though admittedly it doesn't stop the software being replicated across several machines). You could for instance sell single or double licenses to small companies (in the expectation that they will use it on more than one or two computers) and sell license servers to larger companies (who might be more strict about license accounting). This sort of flexibility (not adopting a one size fits all approach) would reduce the chances of alienating whole segments of potential customers.

    So in summary, you are selling a product and that product has to be acceptable to your potential customers. If it's not, they won't buy. Consider your target market and implement your controls accordingly. And if you can afford it, don't be afraid to offer flexibility in the licensing systems.

  • gentle reminders (Score:4, Informative)

    by devonbowen ( 231626 ) on Wednesday September 12, 2007 @06:51AM (#20569569) Homepage
    A while back I wrote an app that was key activated. The key had two components. The first was the name of the person that it was sold to (from the credit card) and the other was a hash of that name, the version number, etc. The user needed to enter both in order for it to work. (And the two needed to match, of course.) My thinking was that using the name in plain text would make it personal and encourage the user to not give it away while still allowing them to do what they thought was reasonable (running on both a laptop and desktop, for example). Basically, a gentle reminder to help honest people stay honest. The dishonest people are just going to hack your binaries anyway.
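A name-bound key of the kind described in the comment above, as an added example that is not the commenter's code. It swaps the plain hash for a keyed HMAC-SHA256; the secret, the key format and the function names are assumptions. Because the same secret has to ship inside the client to verify keys offline, this only keeps honest users honest, as the comment says; a public-key signature would keep the issuing key off the client.

```python
import base64
import hashlib
import hmac
import unicodedata

# Constructed secret for this example. In a shipped product this value is
# embedded in the binary, so treat it as recoverable by anyone who looks.
VENDOR_SECRET = b"constructed-example-secret"


def _canonical(name: str, major_version: int) -> bytes:
    """Normalise the licensee name so harmless retyping still validates.

    Unicode-normalises, collapses runs of whitespace and case-folds, then
    binds the name to the major version with an unambiguous separator.
    """
    folded = " ".join(unicodedata.normalize("NFKC", name).split()).casefold()
    return f"{folded}\x00{major_version}".encode("utf-8")


def issue_key(name: str, major_version: int) -> str:
    """Vendor side: derive the code printed on the receipt next to the name."""
    mac = hmac.new(VENDOR_SECRET, _canonical(name, major_version),
                   hashlib.sha256).digest()
    # 10 bytes = 80 bits = exactly 16 base32 characters, no padding.
    code = base64.b32encode(mac[:10]).decode("ascii")
    return "-".join(code[i:i + 4] for i in range(0, 16, 4))


def check_key(name: str, major_version: int, code: str) -> bool:
    """Client side: offline check that the typed name and code belong together."""
    typed = code.replace("-", "").replace(" ", "").upper()
    expected = issue_key(name, major_version).replace("-", "")
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(typed.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    key = issue_key("Ada Example", 2)          # constructed licensee
    print("Licensed to: Ada Example  Key:", key)
    print("valid for same name:", check_key("ada  example", 2, key))
    print("valid for other name:", check_key("Bob Example", 2, key))
```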

  • I've heard a Camorra Hit Team is quite effective. Have the software phone home the IP, track down its position with Google Maps and some IP-to-map service and fork off some of your revenue to pay the mob to take the licence offender out. Your local Camorra Joint might even offer a subscription which could come you cheaper if there's a lot of rippers distributing your software.
    Maybe you want to try it yourself. The Steyr AUG Sniper Rifles are good for this sort of job, but you can resort to a bomb under the c
  • I have no idea how, when I hit Ctrl-V, "Seattle City Light" came up as the subject of this post, but:

    Your corporate customers will, on the whole, pay for your software.

    You're wasting your time coding vs. the miscreants, why are people so perpetually clueless about this?
  • by WPIDalamar ( 122110 ) on Wednesday September 12, 2007 @07:39AM (#20569877) Homepage
    Thanks for all the comments everyone. I've been reading through them and have some ideas. Here's a scheme I had been considering that might address some of the concerns brought up.

    1) Upon purchase, user gets a license key.
    2) When installing, the software generates a random (somewhat) unique installation id
    3) The license key is checked locally, with no net connection required.
    4) Upon app startup, if there's an internet connection, the software phones home with the software version, the license key, and the installation ID
            The phone-home also gives a version-check to let the user know about any updates.
    5) We log the license key and installation ID

    Someday, we do some data analysis and find any license keys with a large number (maybe 5, maybe dozens, not sure) of installation IDs. The data analysis should look for interwoven log records of installation ID, because the user might have uninstalled it on one machine, and installed it on another. Then a person (not automated process) would get a report and be able to investigate and flag certain keys as compromised.

    What happens next?

    Do we cause the software to stop functioning? (I don't like that)
    Do we cause the web service-portion to stop functioning? (I don't like that either)
    Do we pop up a window saying, "Hey, this might be pirated. Go to http://xxxxx/ to purchase additional copies"
    Maybe the software does nothing, and we deal with it through customer support. A friendly email to the original purchase agent?

    I guess the goal is make honest people stay honest. As many have pointed out, it will be impossible to prevent someone who REALLY wants to pirate the software.
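The "interwoven log records" analysis from the comment above, as an added example that is not part of the original post. The log format, the sample lines, the function names and the threshold of 3 are all assumptions: each installation ID gets a first-seen/last-seen interval, and a key is reported for human review only when several intervals overlap, so an uninstall on one machine followed by an install on another does not count.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed phone-home log: timestamp, license key, installation ID.
SAMPLE_LOG = """\
2007-09-01T09:00,KEY-AAA,inst-1
2007-09-02T09:00,KEY-AAA,inst-1
2007-09-10T09:00,KEY-AAA,inst-2
2007-09-11T09:00,KEY-AAA,inst-2
2007-09-01T08:00,KEY-BBB,inst-7
2007-09-01T08:05,KEY-BBB,inst-8
2007-09-01T08:10,KEY-BBB,inst-9
2007-09-02T08:00,KEY-BBB,inst-7
2007-09-02T08:05,KEY-BBB,inst-8
2007-09-02T08:10,KEY-BBB,inst-9
2007-09-03T10:00,KEY-CCC,inst-4
"""


def parse_log(text):
    """Return {license_key: {installation_id: (first_seen, last_seen)}}."""
    spans = defaultdict(dict)
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3:
            continue  # skip malformed lines rather than guess at them
        ts = datetime.fromisoformat(row[0])
        key, inst = row[1], row[2]
        first, last = spans[key].get(inst, (ts, ts))
        spans[key][inst] = (min(first, ts), max(last, ts))
    return spans


def peak_concurrent(intervals):
    """Largest number of [first, last] intervals alive at the same moment."""
    events = []
    for first, last in intervals:
        events.append((first, 0))  # 0 = open; sorts before a close at same time
        events.append((last, 1))   # 1 = close
    active = peak = 0
    for _, kind in sorted(events):
        active += 1 if kind == 0 else -1
        peak = max(peak, active)
    return peak


def keys_for_review(text, threshold=3):
    """Keys whose installations overlap in time at least `threshold` deep.

    The result is a report for a person to look at, not a kill list.
    """
    report = []
    for key, installs in parse_log(text).items():
        peak = peak_concurrent(installs.values())
        if peak >= threshold:
            report.append({"license_key": key,
                           "installations": len(installs),
                           "peak_concurrent": peak})
    return sorted(report, key=lambda r: -r["peak_concurrent"])


if __name__ == "__main__":
    for entry in keys_for_review(SAMPLE_LOG):
        print(entry)
```

In the sample, KEY-AAA moves from one machine to another and is not reported, while KEY-BBB checks in from three installations on interleaved days and is.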

  • by weave ( 48069 ) on Wednesday September 12, 2007 @07:46AM (#20569941) Journal
    Some tidbits... my personal opinions, not necessarily those of my employer.
    1. When evaluating software, if all things are equal between software products being evaluated, the one with the least or no copy protection always wins out.
    2. If a product requires a dongle, either on a client or server, unless my back is up against the wall from users and there's no other product to meet the need, it always gets rejected.
    3. A product requiring a license server is tolerable in some cases, but see #1 and #2. There's also the issue of disconnected laptop users to address.
    4. A product requiring a unique product key is a royal PITA for multiple automated deployments. This means while we might buy n number of copies and install n number of copies, each copy is going to end up with the same product key via ghost image or scripted install. Would you shut us down even though we have purchased enough copies?
    5. Activation during install is OK if it can be automated during an install or first run (and if the latter, doesn't require admin or power user rights). However, be advised that machines are regularly reinstalled and software can move around as users move around. (If they move their office, their desktop probably won't go with them, they'll just get a new install at the new office and their old office will get re-installed for the new person there)
    6. I can be held legally liable if I know about copyright abuses where I work. Think I'm going to put myself at personal risk if my employer is too cheap to be legit? Think again.
    7. IT shops *want* to do the right thing. Don't fight us, help us. That means give us tools to help us remain compliant that are non-intrusive. Like something I can go to to see what copies are installed where and deal with non-compliance on my own. Yes, a lot of shops have tools like this already but many don't, so also make it optional. Just don't treat us as an enemy. Also remember rule #1.
