Independent Developers Fight Piracy & Lose
An anonymous reader writes "The author of the Echelon decided to take his fight against software piracy to the next level and then threw in the towel. After someone began posting new serial numbers on a well known hacking site, the author took matters into his own hands. With version 1.0, entering a hacked serial number causes the software to delete the user's Home directory. Yes, you read it right, the software completely erases it (aka rm -rf ~). A variety of people have voiced some strong opinions on this. While some argue that piracy is good for established companies, a few large companies are battling piracy and having limited success. Small, independent developers, however, are recognising this is a serious problem and are generally stumped by what to do about it."
Anyway, this guy's product and any future products will definitely not be getting any of my money (and I certainly won't be downloading his apps).
Ha, who am I kidding, I wouldn't download it anyway. Open source all the way baby!
and by accident nukes the home dir? is there any responsibility from the part of the software designer?
It seems that this would break some law or other. Mantraps are quite illegal, and while the stakes are not as high, this is conceptually the exact same thing.
Standalone software is inherently vulnerable. With an increasingly "always-on" net culture, it's highly beneficial to look at your software design and see if there is a way to move some of the functionality to server side (storing account data, etc). This way you maintain some control and create a dependency on you the software vendor.
Is clearing the Home directory much worse than inserting files into the network stack, creating Viral software that is almost impossible to remove, and that reinstalls itself when it detects part of it was removed?
Worst thing that comes out of this is that people learn to back up their data, and EULAs become trash.
What are we going to do tonight Brain?
UNIX/Linux Consulting
Can you imagine if Auto makers took this attitude towards chip reprogrammers? Alter our product and we'll make sure your brakes suddenly stop working.
But seriously he has no right to do this and if it happened to me I'd sue and he would lose. I'd have no problem paying whatever civil penalty there was and really nailing him for damages.
If he wants the program not to work because a stolen serial is being used, fine. If he wants to phone home and then report that user's IP to the authorities, fine. If he wants to put up a notice saying "hey you Fucker, don't steal my software!", fine. But the idea of actually destroying a user's property is wrong any way you slice it. I can't believe some idiots have posted "you get what you deserve".
Rather than spend a considerable amount of time and effort in a vain attempt to foil copyright violators, try simply putting out a decent product at a fair price. Those who are honest (who, I think, are most of us) will be willing to pay for something they believe is fairly priced, and those who are dishonest won't be willing to pay for something no matter what -- they'll do everything in their power to illicitly copy it instead.
Honestly, I suspect that the return on the money wasted on fighting copyright infringement by fringe elements is far less than the amount actually spent fighting it.
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
The bomb-code was only up for a few hours, and reputedly nobody got nailed, so why is this article in existence, anyway?
I mean, with MS you click "I Agree" to a box that says they can modify or delete anything on your PC anyway. I think the big licenses even include a "search anytime we want" language too.
Oh, wait -- This is a MAC program. They're not used to losing all their data instantly (viruses, hideous crashes... etc...)
Well, you Apple fans don't have any decent viruses yet, and you need something to share our pain...
********* sig: If you don't like the law, get filthy stinking rich, and buy a better one.
Perhaps grabbing files from the home directory and encrypting them. Contact the author for resolution.
Tools like these should also have a built-in sunset date. If, in fifteen years, someone is using this ancient copy of your software b/c they can't purchase it... just let it go.
That what was all this school was for... to teach us how to solve our own problems. -- janeowit
I can guess how the majority of this discussion will go, so I just have one question. Why do people always try to apply the ideas of OSS to commercial software? It's like people get so used to being able to download anything they want for free that they for some reason take that set of principles and apply it to software they weren't given permission to download without paying for. That's completely the opposite of the free spirit of OSS, which is that someone is purposely giving away their effort of their own volition, and you can contribute back to it for the good of the community. Pirating doesn't contribute anything except lost sales for the people who make a living and feed their families. It's not free advertising, it's not try-before-you-buy (that's what demos are for), it is nothing more than people not wanting to pay for something. Same thing with MP3 piracy, movie piracy, etc.
What is really funny is that Echelon is about encoding. More precisely batch encoding. You know the kind of things that are used to convert say, dvd to, say divx. Which generally ends up on p2p networks.
So, yeah, the guy is probably what MPAA would call a 'pirate'. When you look at the people that want to "stick it to the man", they are generally worse than big corps. I never understood why some random asshole that rips a dvd to divx wants to put his l33t na3e on at the beginning. Or people repackaging stolen code borderline legal code were often the ones putting extensive notices, saying 'this is our hard work, don't give to other', or why 0day warez prominently display the cracker name, like a copyright notice (on something they did not create).
So, well, I am not very surprised that a pirate making tools for pirates is upset by piracy when it comes to *him*. Thieves don't like being burgled...
Yeh, the most that would happen to me if they delete my PC's home directory is my settings, bookmarks, and a few other minor things. At most, I might need to perform a repair on SOME installs to get an app working correctly.
But I don't store anything in "My Documents," "My Pictures," or the like. Sure, some games default their saved games there, but boo hoo.
My Powerbook on the other hand, I'd have to kill someone. Seriously, I'd wring their little necks.
But I don't pirate software. I make enough money that if I need software X, I buy it, ESPECIALLY if it was designed / published by a small house.
Personally, I hate it when someone pirates software from a small software company. I mean, is it that friggin hard to pay $27 USD for "Gish" or some other delightful game guaranteed to keep you happy for days on end, or $30 USD for TextPad if you use it every day? MS Office I could understand (though I paid for mine), but little apps like Textpad are usually worth it.
These jerks had it coming.
I find it hard to believe that nobody has bought your software with millions of downloads. I find that a really good program gets about a 1% (ouch) download/purchase rate.
I'm working on designing my site so that the keys are available on a web-based DB. Do an MD5 on the key, and match hashes with the one on-line at program startup. No match, no save capability. Too many people going for one key? Disable that key.
Have the program run OK if it fails once or twice in a row, but the third time, the program dies until it can check its key.
People may still be able to crack your software (No real defense against people rewriting your program...), but keygens and re-used keys become a rarity.
~D
This sig has been enciphered with a one-time pad. It could say almost anything.
If you know a kid is going to steal a coke, is it okay to put poison in that coke?
I think a better analogy is: if you know a kid is going to steal a coke, is it okay to put laxatives in that coke, along with a sign on the coke saying "if you didn't pay for this it has laxatives in it"?
MORTAR COMBAT!
"Little college dorm room kiddies will just come along and download it and then run to boards like Slashdot and justify it as "free advertising." "
What's funny is you mention this in the terms of being a musician.
I have worked on a number of music software applications over the last few years from anything from being a beta tester to designing the GUI for guys that have a great product, but a shitty interface.
And this is this same exact argument used everywhere -- it's just free advertisement. Or if I use it to make money, I'll pay for it. Or I'm just a little guy, and the pros should have to pay since I haven't had my first hit yet.
In this area, I've *NEVER* seen a pro pay for professional music software...if you are making money off of it, you will more than likely get it given to you for free. Hell, I haven't paid for 90% of the software I've been given -- and most of it sits in its box on the shelf as the software I *USE* is almost the inverse of this (for some reason, I'm more likely to use the stuff I pay for -- it has real value to me).
But the thinking goes, being a paid musician is like winning a spot on a basketball team -- there are only so many spots opening a year, and most likely it's not going to be you. So the software is given to the professionals to advertise to the little guys...I don't know how many times folks will come to my studio and ask what I'm using, only to run out and buy it thinking that it means they can leave me outta the mix, so to speak...only to realize you can't buy talent out of a box -- it comes from years of hard work.
So honestly, the software is sold entirely to the guys that can't make a buck and most likely will never make a buck. Great guys -- and a lot with real talent, but really don't want to do anything but play on weekends with a bunch of friends.
Anywho, the companies advertise as they feel like advertising and need no help from anyone else. I wish there was a decent way to prevent piracy but the folks that want everyone else's hard work without doing anything for it want to be rebels. It's like the fuckwad kids that think stealing their instruments make them an authentic punk band even though they are from the suburbs.
I love free software and have contributed to some of it -- in my day job we give away several packages I've solely designed and developed, but all in all, folks need to respect the opinion of those that provided the software...even if there were no laws preventing the copying of software or music or whatever, you'd think folks would have the decency to understand that if someone creates something they should have the ultimate say on how it's used. If ya don't like that, you are free to develop your own...it's not like the ideas are that hard to come up with, and an army of OSS programmers should be able to replicate anything who can give their software away under the ideals they wish it to be released...
It's quite common for me to lose the original packaging (and the SN#) to a game, and then get a serial number from online. I still have the CD.
Now if my hard drive were trashed by such a program, I would sue (yeah, it's probably in the EULA that they can do that, but there's a good chance that such a clause will be deemed null and void).
In normal (non-internet) society, such an action would be the revenge a psycho would extract by killing the person sleeping with his girlfriend.
The game floppy had its write-protect notch covered, as with most commercial software. We played around with the disk, changed some things, and then tried to run the game.
It turns out that the very first thing the program did was to attempt to format the floppy disk!! Of course, for most users nothing happened, because of the write-protect tab. But we had to go back to the store to get another copy. (First thing we did after that was to take out the format command.)
We were annoyed but respectful.
yo.
There was a bug in the vBuild component of InstallShield last summer which could result in an accidental `rm -rf ~`. After being bitten by it once (fortunately I noticed the disk activity before it deleted anything for which I didn't have backups), I helped to track down the problem; apparently at one point there was a "mkdir /cachedir; cd /cachedir; rm -rf *" (or rather, the equivalent in C) and they never checked the return codes of the first two operations.
So, to everyone who is asking "what if he made a mistake?": Mistakes can result in data loss even if you don't intend to delete anyone's data.
Tarsnap: Online backups for the truly paranoid
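The failure mode described in the comment above (a `mkdir`, `cd`, wipe sequence whose first two results are never checked), as an added example that is not from the original thread or from InstallShield's code. The function names and the `/tmp` sandbox are constructed for illustration; the checked version deletes relative to an open directory descriptor rather than the current directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Delete everything below the directory open on dfd (takes ownership of dfd).
 * Works relative to the descriptor, never relative to the current directory. */
static int purge_fd(int dfd)
{
    DIR *d = fdopendir(dfd);
    struct dirent *e;
    int rc = 0;
    if (d == NULL) {
        if (dfd >= 0) close(dfd);
        return -1;
    }
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        if (unlinkat(dirfd(d), e->d_name, 0) == 0)
            continue;                      /* file or symlink removed */
        int sub = openat(dirfd(d), e->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
        if (sub < 0 || purge_fd(sub) != 0 ||
            unlinkat(dirfd(d), e->d_name, AT_REMOVEDIR) != 0)
            rc = -1;
    }
    closedir(d);
    return rc;
}

/* The pattern from the comment: both results ignored, so a failed mkdir/chdir
 * leaves the process where it was and the wipe hits that directory instead. */
void clear_cache_unchecked(const char *cachedir)
{
    mkdir(cachedir, 0700);
    if (chdir(cachedir) != 0) { /* BUG: failure ignored */ }
    purge_fd(open(".", O_RDONLY | O_DIRECTORY));
}

/* Checked version: any failure aborts before a single entry is removed. */
int clear_cache(const char *cachedir)
{
    if (mkdir(cachedir, 0700) != 0 && errno != EEXIST)
        return -1;
    int dfd = open(cachedir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    return dfd < 0 ? -1 : purge_fd(dfd);
}

/* Constructed scenario: inside a throwaway sandbox holding keep.txt, ask for a
 * cache dir that cannot be created. Returns 1 if keep.txt survives, 0 if it
 * was deleted, -1 if the sandbox could not be set up. */
int keep_file_survives(int use_checked)
{
    char sandbox[] = "/tmp/cachedemo-XXXXXX";
    int home = open(".", O_RDONLY | O_DIRECTORY), fd, survived;
    if (home < 0) return -1;
    if (mkdtemp(sandbox) == NULL || chdir(sandbox) != 0) {
        close(home);
        return -1;                         /* never wipe outside the sandbox */
    }
    fd = open("keep.txt", O_CREAT | O_WRONLY, 0600);
    if (fd >= 0) close(fd);
    if (use_checked) clear_cache("no-such-parent/cache");
    else clear_cache_unchecked("no-such-parent/cache");
    survived = (access("keep.txt", F_OK) == 0);
    unlink("keep.txt");
    if (fchdir(home) != 0) survived = -1;
    close(home);
    rmdir(sandbox);
    return survived;
}

int main(void)
{
    printf("unchecked: keep.txt survives = %d\n", keep_file_survives(0));
    printf("checked:   keep.txt survives = %d\n", keep_file_survives(1));
    return 0;
}
```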
The best anti-piracy serial number solution I've seen was one (I can't remember the program) that, when you entered a known pirated serial number, it said "You just entered a pirated serial number. I know I can't stop you, but I can sure make you feel guilty. You can use the program now without the nagging now, you cheap bastard" (Or similar, it's been a while.)
It worked. I decided to delete the program until I could convince work to buy it for me. (New job, so the copy stayed with them.) I've never looked at pirating serial numbers the same since. I try hard to get work to buy the smaller software companies stuff that I use, or I delete it, or look for freeware so at least I'm being cheap but without the guilt.
I am, and always will be, an idiot. Karma: Coma (mostly effected by
If reversing serials is too error prone then crackers will simply write a crack for the program.
Either a crack that hard-patches the program's binary or a loader that runs the program then patches it in memory.
I don't think this is going to accomplish much for the author, except perhaps to gain publicity (maybe bad publicity..)
Comment removed based on user account deletion
The system you describe is, from what I understand, trivial to defeat with a hex editor. Simply flip the if/then check on the key, so that the program only works when it can't check the key.
How illegal would it be to have systems with pirated serial numbers produce trashed output files? If the Echelon developer was really cruel, the Mpegs could be good for a few megabytes, so the preview would be okay (along with a quick check of the video).
I admit that deleting the root directory is too far and I would agree encrypting somebody's files but surely a program using a pirated serial number could not be expected to work properly?
Maybe they could even catch a few pirates that asked for support for the "defective" software!
myke
Mimetics Inc. Twitter
At first glance, you might think, "Yeah! Serves 'em right! Delete their home dir!" The thing is, it's akin to setting up a trap in your car or home for burglars that hurts or kills them (although deleting ~user shouldn't be physically harmful, at least directly). In short, going on the offensive in an equally or more sinister way doesn't always make it the right thing to do.
Uh, isn't that the American way? Shoot anyone who trespasses on your property?
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
Seriously. Deleting a user's data as direct revenge for him using a hacked serial is WRONG!
And in any case 2 wrongs don't make a right.
P.S. It wouldn't be the first time that I use a serial number from internet for a software I purchased, just because I forgot, lost or temporarily misplaced the original codes. Which by the way is a perfectly legal thing to do.
And I'm pretty sure I'm not the only one.
Besides, if you mess with my data, you better run god-damit!
We went the route of requiring license certificates. Since our business model is subscription-based, we issue software certificates that are good for about one month. (depending on the contract and payment terms)
Getting a certificate is an automated, push-button process - we made it as easy as humanly possible.
But, we didn't stop there. We decided to capitalize on this certificate process, and in fact perform a full backup of the user's database, along with publishing software updates.
Further, we allow them to use their software on any computer or any number of computers. We don't restrict when and where, or on what computers they can install the software, and everywhere the user goes, their data follows.
It's an ASP business model, with a sort of "rent-a-software" hosted application twist. Since we bill by the data size, we really don't care. And the benefits are enormous.
1) Since we keep redundant backups of the users' data, it's not a big deal if the user's computer crashes or is stolen.
2) We get paid for providing quality software.
3) Customers are happy to see software updates when hooking up to backup their data and get a new certificate.
4) Customers love the freedom to work on whatever computer and at whatever location they desire.
Just recently, we had a user in tears on the phone, thanking us for providing this service. Her computer had been thoroughly hosed by a worm, and she lost all her data. 100%, and no backups - months worth of work gone forever. Except for the extensive work she'd done with our software product. Because of the frequent backups obtained with the re-certifying of her software, we had a recent backup of all her stuff on our servers and she was able to recover it automatically!
Product registration is a pain in the 4ss, but you can either hate it, or find some way to make it really worthwhile to the consumer.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Your software *thinks* I pirated it, ergo it can do anything it wants and get away with it? Nuh uh. What happens when a pirate releases a keygenned key that happens to match mine? What happens when I hit a bug in the key verification code? What happens when a cosmic ray flips a bit in the relevant code and a FALSE turns into TRUE?
Says who? Based on what evidence? I pirated it, saw that it sucked, and then did exactly what I would have done anyway; I didn't buy it. Did they lose $60 on me anyway? Maybe they would have if I'd cancelled my preorder based on that, but then I'm just using my increased knowledge of the products available to spend my money more wisely. Is that still a bad thing? Maybe for Id, but not for me, and I don't think for the market either; mindless shooters with crappy atmosphere and insanely repetitive gameplay should not a blockbuster make.
Kindly provide statistics and sources that show more and more people are pirating software, and that as a result the amount of purchased software is going down. Or are you just assuming that's what's happening?
Here's a scenario that has happened to me a couple times:
I download something and either a) discover that the demo is too crippled to get a real feel for whether the software is worth the money, or b) I run it the first time and then don't have time to get back to it before the demo period expires. I have been known, on such occasions to grab an illicit serial number. If I like the software, though, I buy it. I mean, really, software from small developers is so cheap, why not buy it? A couple hundred bucks can buy a lot of nifty little tools, or one big bloated MS product. I'll gladly give the small guy my money. But...
If one of the above scenarios were to occur to me and the software decided to delete my home directory in response, well, I would be inclined to put a severe dent in the developer's head.
My three cents.
// This is not a sig.
The laws against software piracy are pretty strong. There certainly aren't a lot of convictions for "holding someone's data to ransom," and if the author of the software is smart he'll cover his butt by putting a warning in the license terms (which nobody reads, but still have some legal force). In a legal confrontation, the software's author will almost certainly win.
Although the idea of hordes of morally outraged software thieves getting together for a class-action lawsuit is strangely appealing. I guess anything can happen in America.
Now before I get modded down, I beg to remind whoever might read this that what I am saying is FACT. - bogaboga
Are you sure that simply typing in an unauthorized serial code is "piracy?" The program is freely downloadable. The fact that the user has possession of the software is not, in and of itself, a copyright violation, since the author has explicitly designed his business model this way.
I know of no instance where a person was convicted of copyright violation merely because they entered an incorrect code into a computer program. IMHO, it would be absurd.
As for software piracy being more "serious" than the malicious destruction of data, I must ask: are you kidding?
Not to mention that the copyright violation would certainly fall into the civil category, not the criminal. OTOH, what this author did is something like a criminal misuse of computer resources with nameable damages. Thus, the case against the author could be prosecuted without a plaintiff, but in order for the author to sue the pirates he would need a lawyer. That would be difficult, considering he'd be in a jail cell.
A bunch of people coming forward with sworn statements to the effect that the software they stole did bad things to their computer could change that, I suppose...
I'd still like you to explain how typing an unauthorized serial code into a dialog box is even remotely like theft. I'm not even sure that it's equivalent to copyright violation.
This actually isn't a new idea. I remember an early version of Lotus 1-2-3 (for DOS) that did something like this. If the program thought it had been pirated, it deleted its main .exe files. This forced you to have to re-install it (assuming you were the legal owner), but didn't damage any of your data or other programs.
At the time, they weren't using serial numbers as copy control. The floppy had some kind of copy protection on it (a "diskcopy" wouldn't work), and it wrote some files in the install directory that were marked system and read-only. You couldn't touch these files. If they got moved by a defrag program (for example), the program would zap itself. (I found that out the hard way. It was not mentioned anywhere in the manual.)
Doing this is probably the only legally defendable kind of destructive copy-protection. If the user pirates your software, he has done something illegal. That does not give you the right to do something illegal back to him. If he has no right to run your software in the first place, then there's nothing wrong with your software deleting itself, since he shouldn't have it in the first place.
As with my example above, when implementing destructive copy-protection, you must be very careful to make sure it won't backfire on legitimate users. I did own a legal copy of Lotus 1-2-3, which I had installed from the original disks. I didn't know that allowing the file to be moved by my defragger would cause the program to think it was pirated. Suppose Lotus had decided to delete my data files (no "home directory" on DOS) instead of just the 123 program? Then I would have lost my data even though I was a legitimate owner of the program and I was doing nothing wrong, according to the software manual. As it was, instead of losing my data, I only lost about half an hour of time performing a re-install.
I hate to break it to you but sharing is not pirating. Your Bell Labs to Berkeley analogy is broken because they agreed to share their code. If you pirate someone's software it is theft. Pure and simple. No amount of handwaving will change that. You can tell yourself all sorts of stories to make it sound nice, but at the end of the day it's theft. The F/OSS has ideals of sharing at its core. Closed source & Shareware means if you want it, you must pay for it. The guy who writes the code is the only one who has the right to decide that. Not you or anyone else.
Help! help!, the termites are eating my DRAM!!!
The timestamp is almost always retrieved from a secure server using a proprietary protocol for precisely this reason. The only people who trust the system clock for operations like this are amateur programmers who either don't know better or don't care.
Something else we do that I would strongly encourage other developers to adopt is to force entry of the userid/key pair to enable a limited number of downloads. This way, only persons who have completed the purchase process may download. Make the software tell you it is installed, once it is installed, then disallow downloading. That way, you don't end up providing free bandwidth for the community of thieves. If they hack a key/id pair in that the software doesn't know about yet, they'll have to use their own resources to distribute the software (which in our case is 70 megabytes.) They can't just point all their criminal friends to your download site and rip you off yet more.
One last point: In our particular case, we offer a very high end graphics package for about $50. It exceeds Photoshop's performance in many, many areas - layered image handling, UI interaction, animation features... We feel this is an excellent value by any rational standard - and so turn a deaf ear to the cries of "overpriced."
I've fallen off your lawn, and I can't get up.
if someone stole your car and i bought it from him would you have *me* responsible?
.. you are responsible for any stolen property you possess, whether or not you stole it. (in the us)
I am Wincent Colaiuta, the developer of Synergy (posting as anonymous coward because I don't have a slashdot account).
Synergy is nearly 40,000 lines of code. If you think I was able to write that in a Saturday afternoon then you're mistaken. If you could write the same in an afternoon then you're a very gifted programmer.
If you take a look at the changelog you'll see that it has undergone continuous development since I first released it in November 2002. It is the product of what I estimate to be thousands of hours of work.
If you want to get paid for your work on software, put up a donation box. Implement planned improvements once sufficient funds accumulate. Make the result available freely. Don't waste any resources fighting the ease of information sharing.
If nobody makes a donation, it means there isn't enough demand for your programming skills. Find something else to work on. If you still end up making the improvements without the funds, it means you already found compensation (the enjoyment of programming, perhaps).
You might also add a way to vote on features when making a donation, or perhaps even make those funds available only for that feature.
It's a waste to spend resources on countering the near zero cost of information duplication. Let it work for you.
I've run into a tactic like this before many years ago, except instead of a bad serial number being the trigger, it was a missing piece of hardware. I forget the name of the company/software package now (hopefully the head guy is standing in the unemployment line somewhere), but we had a specialized piece of manufacturing software that read CAD files and prepped data for input to our presses. It ran on IBM PS/2 Model 70's (yuck!) that had the system boards modified with a special BIOS chip by the software vendor. Lo and behold one of the system boards died and was replaced without the BIOS chip being transferred to the new board. The next time the software was run it nuked the entire C drive. We had a legitimate right to use the software, but because of a failed piece of hardware we suffered the wrath of some bastard programmer.