Slashdot Mirror


What's the Right Amount of Copy Protection?

WPIDalamar writes "I'm currently working on a piece of commercial software that will be available through a download and will use a license key to activate it. The software is aimed at helping people schedule projects and will be targeted mostly to corporate users. With the recent Windows Vista black screen of death, it got me thinking about what sort of measures I should go through to prevent unauthorized users from using the software. While I don't wish to burden legitimate users, I do want to prevent most piracy. How much copy protection is appropriate? Is it acceptable for the software to phone home? If so, what data is appropriate to report on? The license key? Software version? What about a unique installation ID? Should I disable license keys for small amounts of piracy, like when there's 3 active installations of the software? What about widespread piracy where we detect dozens or hundreds of uses of the same license key? Would a simple message stating the software may be pirated with instructions on how to purchase a valid license be sufficient?"

78 of 561 comments

  1. None at all by Ckwop · · Score: 5, Insightful

    While I don't wish to burden legitimate users, I do want to prevent most piracy. How much copy protection is appropriate?

    This may not be what you want to hear but any copy-protection will burden legitimate users. Pirates will remove the copy protection from your software and the unprotected version they create will be more usable than the version you offer.

    It doesn't just hurt your customers, it hurts you too. The time you waste trying to create some copy-protection and losing the arms race with the pirates (which you will lose) is time you could have spent making your product better.

    The way to beat the pirates is to provide a better service to your customers than they do. The commonly advocated business model is to provide support on the software to paying users - and since your target is business customers this makes a lot of sense.

    Businesses, by the way, tend not to pirate on the scale of the private user. Piracy is a big risk to business because businesses have very deep pockets.

    In short, the answer is to have no copy protection at all and trust your customers. Trusting the customer is hard but they'll appreciate it.

    Simon

    1. Re:None at all by JohnFluxx · · Score: 4, Insightful

      I disagree.

      In the work place, most people might enter a fake installation code for example, but won't go as far as to apply a crack. If the software requires you to apply a crack to use it, then I think most people at work will get their company to buy it. If it just installs anyway with just a small nag screen or something, then most people won't buy it.

    2. Re:None at all by lukas84 · · Score: 5, Interesting

      I disagree, even though just on a tiny bit.

      Businesses tend to purchase software they need, yes, but extending of software licenses is often overlooked.

      e.g. they buy 5 licenses of your software. A year later, a team member is added to the team using said software. Now there are 6 users. Over time, many more people than the original number of licenses will use the software.

      This doesn't happen in all Businesses, but the smaller the more often.

      A good idea would be to add "soft activation". This means customers have to activate your software, and the number of currently active machines is counted. Deactivating machines should be running a simple tool that removes the software and decrements the activation count on the server. Activation should never fail (even if the activation server is unreachable), but the customer should be reminded if he is running unlicensed software. This way, you can make sure that users don't mistakenly use too many licenses.

      Criminal elements will of course find ways around this, so I wouldn't bother with making the activation process very secure - it's essentially just a license counter for your honest customers.

    3. Re:None at all by Goldberg's+Pants · · Score: 2, Informative

      My recommendation would be Elicense or similar.

      With Elicense, you get an order ID. You enter that, it contacts their server and "unlocks" the software. You can choose how many installations are allowed as well. For example I have a few games that use it that come with two licenses, so you can run it on two computers. Another title only gives you one.

      The install is painless (it installs a license control service that in many years of using I've never had any sort of issue with), and it stops a LOT of piracy. It IS possible to "unwrap" the executable, but of all the Elicense protected software I've used, I've only ever seen one game cracked. (Ironically it is the most obscure of the ones I own.)

      I am vehemently opposed to DRM, copy protection, call it what you will, but I find Elicense extremely inoffensive due to its ease of use. DRM should not impact legitimate consumers, and this one is the only one I've come across that has never caused me any sort of negative experience.

    4. Re:None at all by struppi · · Score: 5, Insightful

      Good points, but I can not completely agree with you. I personally never found it much of a burden to enter a license key. Even a one-time online activation is OK IMHO as long as it's painless. And I can understand why software companies put these measures in, not to stop pirating at all, but to keep the honest people honest.

      I know that piracy is not so much of a problem when it comes to businesses, but consider the following: A company purchased 50 user licenses of a product, but the product has no copy protection whatsoever. Probably the people in charge won't even notice if more than 50 employees install the software - at least not in the companies I have worked so far. OTOH, if this software would have told the 51st user "Your company has no more licenses for you to install the software. You can use this program for another 30 days, but please contact your system administrators to buy a license for you", the company probably will buy another 20 licenses.

      So, IMHO, one-time activation is OK if it doesn't get too much in my way, but phoning home at every start or some annoying procedure like the Vista phone activation (I went through that once - took me more than 1.5 hours to activate a copy of Vista) is not OK.

    5. Re:None at all by jamesh · · Score: 2, Interesting

      In short, the answer is to have no copy protection at all and trust your customers.

      It depends on how the product is distributed. If it's downloadable then I think a one off registration key is probably a requirement - it doesn't have to be very complex, just a step so that people won't download the product and not get around to paying you.

      I'm all for trusting people not to be intentionally dishonest, but I think you'd go broke trusting people not to be slack.
    6. Re:None at all by xtracto · · Score: 4, Insightful

      If it just installs anyway with just a small nag screen or something, then most people won't buy it.

      I agree, you just have to see the hundreds of computers I have seen in several different government offices that use WinZip, they invariably show the startup nag screen telling you how many thousands of files have you compressed and asking you to buy it... of course, you just have to click the continue button and keep using it..

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
    7. Re:None at all by arth1 · · Score: 4, Insightful

      A good idea would be to add "soft activation". This means customers have to activate your software, and the number of currently active machines is counted. Deactivating machines should be running a simple tool that removes the software and decrements the activation count on the server. Activation should never fail (even if the activation server is unreachable), but the customer should be reminded if he is running unlicensed software. This way, you can make sure that users don't mistakenly use too many licenses.

      Any system that requires an active deactivation through a tool on the machines where it is installed is badly designed, because the host might not be available for deactivation. If a PC dies, and is replaced with a new one, you can't deactivate the old installation. Similarly if a PC is restored to a point before the installation occurred -- then it's impossible to deactivate. (This is part of what bit the Biosphere users -- some people installed the software, ran into problems, and rolled back to pre-install, and tried again.)

      Plus, then you have a potential loophole in that people can install on one machine, back it up, deactivate, install it on a second machine, et cetera, and then restore all the backups, and you have a park full of activated copies.

      The only sensible approach that I can see for large scale installations is to count concurrent usage through a network server or appliance, and bill according to peak usage. Anything else is going to create a headache for the admins who have to deal with broken machines and reinstalls on a daily basis, and can't reasonably be expected to hang over people's shoulders to count who is using software either.
    8. Re:None at all by FlyveHest · · Score: 5, Insightful

      So, in short you recommend using a piece of software, that installs another piece of software, that stays on the system after uninstalling the first piece of software (How else could it work, if you have multiple pieces of software that use it?), and, as you say service, I assume it runs while the original piece of software is not.

      Even though you say that you have never had any problems with it, I would absolutely HATE using anything of the kind, and would actively avoid using any piece of software that uses that kind of activation.

    9. Re:None at all by rucs_hack · · Score: 3, Funny

      I doubt they will love to phone or send snail mail.

      Oh I dunno, that used to work in the seventies and eighties. What'd'ya mean that was years ago, eh? Come 'ere you young hooligan, say that again! Get off my Property!

      ZZZzzzzzzzz whut?

    10. Re:None at all by tomstdenis · · Score: 2, Insightful

      Yeah but Oracle and IBM DB2 get away with that because their software is so hard to use that casual users won't do it themselves. Most of their business is based on support anyways.

      Having worked on DB2 internally, even *I* needed to get help debugging error messages, and sometimes even the IBM veterans didn't even know what they meant.

      This is what happens when you only have 16 error codes that read like "network failure" or "database failure". Ok I'm exaggerating, but in all honesty, most of their error codes map to at least a half-dozen DISTINCT and often MUTUALLY EXCLUSIVE problems.

      Tom

      --
      Someday, I'll have a real sig.
    11. Re:None at all by teh+moges · · Score: 2, Interesting

      I've always considered the best method is a combination of none and some. Have a license key that activates the program. Link the license key to the purchaser. If >x licenses are activated, notify the purchaser. If they didn't know about it, void their last serial number and give them a new one. If this happens too many times (like twice), stop issuing new serial numbers.

      This removes the problem of false negatives (since all activations count) and eventually copied serial numbers will be found as the pirated software spreads.

      You can then do as Citrix does, freely deploy the client software (helpful if you lose the CD) on your website, and sell only licenses instead.

    12. Re:None at all by Chelloveck · · Score: 4, Insightful

      You don't work in a corporate environment and/or I doubt you deal with many systems.

      Maybe he doesn't, but I do. And I completely agree with him. Installing a background task just to deal with license keys is bad juju. You recommend Elicense. How many other services are there? This isn't the only program I'm likely to install. How many different license key monitors do you think I want running on my machines? How are they all going to interact with each other?

      --
      Chelloveck
      I give up on debugging. From now on, SIGSEGV is a feature.
    13. Re:None at all by daeg · · Score: 2, Insightful

      If WinZip had forced purchases, I doubt it would have become so pervasive. Out of the many millions of installations of WinZip, few probably purchase the software.

      Also remember, I think people tend to pay more willingly for obscure or specialized software. I don't buy WinZip (or WinRar) because I find them to be basic utilities. If I didn't use WinZip, I could just as easily use some other compression utility and be just as happy. However, I'll drop $25 for a well-built, quality SQL browser/editor. Why? It's more obscure, and more likely written by someone just like me.

      If you write your program well, it performs well, and is targeted to corporate users, I don't think you'll run into much piracy that would've otherwise been sales. If you want it deployed in a corporate environment, market it as such -- make it easy for IT to deploy, update, and validate serial numbers or whatever other protections you enable. With any big sale (more than a few licenses) it'd do you well to communicate regularly with the IT department that deployed it to make sure they have no issues, no major user complaints, etc. While it may take time to make those calls, you can find great ideas from users that use it every day and don't think like a programmer.

    14. Re:None at all by DarkMantle · · Score: 2, Interesting

      I'm not familiar with ELicense but this sounds similar to what we used at a shop I worked at before.

      Basically the user entered a "product key" and then the system generated a "unique" install ID and contacted the web server for an activation number. What was cool with the one we used was if your product key was 1234-5678-0123-7890 then the first 5 (or 6, I don't recall) characters of the activation request were based on that product key and were the same. The last half of the activation request was all hardware ID based. The activation server stored this in the database. So if requests with the first 5 digits being the same constantly came in then we'd cancel that key. We sold shop licenses so that quite often they were installing on at least 5-10 computers so we had the cutoff high. Like 30 in x days (let's say 30) or 100 overall. This allowed for them to reinstall after system failures.

      Since it was done just like entering product code and the rest was done in the background, no one ever complained.

      --
      DarkMantle I been bored, so I started a blog.
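
The server-side tally described in the comment above, as an added example that is not the commenter's or any vendor's code. The request layout (5 key-derived characters followed by 11 hardware-derived characters), the SHA-256 derivation and the choice to count distinct machines rather than raw requests are assumptions; the 30-in-30-days and 100-overall cutoffs are the figures from the comment.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

PREFIX_LEN = 5                  # key-derived part of the request
WINDOW = timedelta(days=30)     # "30 in x days (let's say 30)"
MAX_IN_WINDOW = 30
MAX_OVERALL = 100               # "or 100 overall"


def activation_request(product_key: str, hardware_id: str) -> str:
    """Client side (hypothetical layout): key-derived prefix + hardware half."""
    key_part = hashlib.sha256(product_key.encode()).hexdigest()[:PREFIX_LEN]
    hw_part = hashlib.sha256(hardware_id.encode()).hexdigest()[:11]
    return (key_part + hw_part).upper()


class ActivationLedger:
    """Server side: one row per (key prefix, machine), with first-seen time."""

    def __init__(self):
        self._machines = defaultdict(dict)   # prefix -> {hw_part: first_seen}
        self._cancelled = set()

    def machine_count(self, request: str) -> int:
        return len(self._machines[request[:PREFIX_LEN]])

    def record(self, request: str, when: datetime) -> str:
        prefix, hw_part = request[:PREFIX_LEN], request[PREFIX_LEN:]
        if prefix in self._cancelled:
            return "cancelled"
        machines = self._machines[prefix]
        # Assumption: a reinstall on hardware already seen keeps its original
        # timestamp, so rebuilding a failed PC does not eat into the cutoffs.
        machines.setdefault(hw_part, when)
        recent = sum(1 for first in machines.values() if when - first <= WINDOW)
        if recent > MAX_IN_WINDOW or len(machines) > MAX_OVERALL:
            self._cancelled.add(prefix)
            return "cancelled"
        return "activated"


def simulate(product_key: str, machines: int, spacing: timedelta) -> list:
    """Constructed traffic: `machines` distinct PCs activating `spacing` apart."""
    ledger = ActivationLedger()
    start = datetime(2008, 10, 1)
    return [
        ledger.record(activation_request(product_key, f"pc-{i}"), start + i * spacing)
        for i in range(machines)
    ]


if __name__ == "__main__":
    shop = simulate("1234-5678-0123-7890", 10, timedelta(hours=1))
    leak = simulate("1234-5678-0123-7890", 31, timedelta(hours=1))
    print("shop licence:", set(shop))
    print("shared key, 31st machine:", leak[-1])
```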
    15. Re:None at all by mce · · Score: 3, Informative

      ... that stays on the system after uninstalling the first piece of software (How else could it work, if you have multiple pieces of software that use it?), and, as you say service, I assume it runs while the original piece of software is not.

      You obviously have no clue what you are blabbering about. There is no reason whatsoever why you can't have multiple independent products protected by the same third party mechanism without linking said products together. I know, because I've done it.

      In short: Nobody interested in anti-pirating wants the licensing to be in a dedicated dll, since those are easy to locate, break, and replace. Licensing code should always be fully merged into a key component of the product you're protecting and as such be "invisible". That automatically means that you can have multiple copies of it that are not aware of each other and that are automatically uninstalled together with the product they protect.

    16. Re:None at all by GPL+Apostate · · Score: 3, Insightful

      I have registered a lot of shareware over the past decade and more. In fact, I have ended up with a whole CD-R that I label 'registered shareware' that has folders with all the shareware installers and the cd keys, license files, etc. that are collected with them.

      One of the things I will not do, and it's something that causes me to no longer consider registering or paying for a piece of software, is if it has one of the complicated 'validation' schemes like you describe. I will NOT run a piece of software where I have to pass numbers back and forth from a live server somewhere to generate a 'key' and 'validate' the software. When I see that's how a piece of software works I drop it and move on to consider other packages. I've done so in several instances and it's always turned into money sunk down a hole that was a waste.

      Don't tie my use of your software to your ability to stay in business. I can and will send you money to register a piece of software. After doing so, I do not want to lose use of it because you happened to go out of business or changed your business plan.

      When Microsoft started using this scheme for 'validating' software is when I decided Microsoft had ceased being an entity I wanted to do business with.

      --
      Microsoft says legacy (serial/parallel) ports are bad. They don't obfuscate the hardware enough.
    17. Re:None at all by morgan_greywolf · · Score: 3, Informative

      I do. And I hate these things. At any place that I've worked that uses these background daemons to control licensing, due to the proliferation of various similar programs, we've had to run a special license server -- and usually more than one. FlexLM, LUM, proprietary license solutions, etc., with multiple daemons usually. A typical box might run 25 different license processes. And management is usually a big PITA, because these processes almost always break in some way sooner or later.

    18. Re:None at all by Ender77 · · Score: 4, Insightful

      Do you guarantee his business will be here in a couple of years? Do not put anything in where you have to contact somewhere to get a key/permission. If the company goes down and you have to reinstall the software, you are screwed.

    19. Re:None at all by LarsG · · Score: 2, Insightful

      Paradox Entertainment

      One thing to note about Paradox is that they make complex strategy games. Their entire 'copy protection' seems to revolve around providing an excellent printed manual.

      What kind of 'copy protection' to use depends in part on what kind of software it is. Ideally, you want to give the paying customer some sort of advantage over those using the cracked/pirated version. That can range from a cd-key that enables online multiplayer in games to a good printed manual to access to support/community forums on the manufacturer's website.

      --
      If J.K.R wrote Windows: Puteulanus fenestra mortalis!
    20. Re:None at all by morgan_greywolf · · Score: 3, Informative

      Don't know what version of FlexLM you used, but every version I've used does nodelocked licenses by tying to a machine's 'lmhostid', which typically matches the MAC address on the machine's first Ethernet card. Hardly unique, to be sure, but AFAIK, faking the MAC address with software doesn't work (but changing it using firmware that allows the MAC to be changed does.)

    21. Re:None at all by fishbowl · · Score: 3, Insightful

      >I have registered a lot of shareware over the past decade and more. In fact, I have ended up with a whole CD-R that I label 'registered shareware' that has folders with all the shareware installers and the cd keys, license files, etc. that are collected with them.

      1. I've outlived more than a couple of developers, both in the sense that individuals died and that companies vanished. I may or may not ever use their software again, but that's my decision not theirs.

      2. I've used software in emulation of 20+ year old hardware, and not just for games.

      I will buy software that gives me a license key which I am responsible for keeping.

      I will not buy software that's tied to some specific device (e.g., Synchrosoft or ILok dongle, don't even assume "USB" or current architecture), nor will I buy anything that has to "call home" (will you still be answering in 20 years? I'm not willing to take the chance that you'll answer *tomorrow*.)

      --
      -fb Everything not expressly forbidden is now mandatory.
    22. Re:None at all by walt-sjc · · Score: 4, Insightful

      Bing bing. Give that man a dollar.

      Working in a larger environment, the ONLY software we allow ANY kind of phone-home / activation shenanigans is from large vendors that have a proven business record - you know they will be around tomorrow / 3 years from now. Not thrilled about it in any case, but we will deal.

      Any smaller vendor is required to put source code in escrow for any such eventuality, and none of that activation crap. We need to be able to move software from one machine to another without someone's blessing in order to handle EOL replacement, swapping out failing hardware, etc.

    23. Re:None at all by orclevegam · · Score: 2, Insightful

      Ok, I'll bite.

      I'm a programmer, I make my living writing applications for various companies, and I get paid pretty well to do it because I possess specialized knowledge. I should point out also that at this time I don't work for a "software" company, but I'm writing applications for internal use. Assuming copyright was abolished, this would effectively kill off the entire software industry. Without copyright you would need to recoup the entire cost of an application on its first sale, which in the case of anything major could run into the millions. Effectively this means the only software that would ever be developed would be business applications. Take something like Halo 3, expected by all concerned to be a runaway success, and with a huge development budget backing it on the assumption it will easily recoup all the invested money. Without copyright no one would be willing to fund it, because no consumers would be able to afford it. What's that, you want a Halo 3, no problem, just find a way to pay Bungie 10 million dollars, and you'll be the first kid on your block with a copy. Of course, after that you could easily just hand it out to all your friends for free, or you could try to sell it to them for I don't know, maybe 2 million a copy, but odds are they would then either resell it or give it away cheaper than you. It would ultimately turn into a pyramid game, first person to pony up the cash takes the biggest hit, tries to recoup by reselling, but ultimately gets undercut and never recoups the loss. Pretty quickly the ability to sell any given piece of software for more than $0 becomes impossible. Oh yes, this sounds like an excellent system.

      Going to a system without copyright would quickly destroy any motivation to provide works not directly beneficial to major corporations (who could afford their huge development costs), or that aren't simple hobbyist pieces. The only thing of value would be physical goods, returning us to an industrial civilization. Way to bring back sweatshops. As an added bonus, medical research would be pretty useless as well. No point researching a drug to cure cancer, you couldn't sell it for more than 10 cents ultimately, so why bother. You seem to forget that people are greedy, and without motivation they don't work. There must be at least a reasonable hope of profit (either in the traditional sense, or as some sort of personal gratification) before someone is willing to undertake the effort.

      --
      Curiosity was framed, Ignorance killed the cat.
    24. Re:None at all by torkus · · Score: 2, Insightful

      See, you assume your version of the hypothetical future is the only outcome. Society has proven that if there's a way to make money, someone will. If you can't see any POSSIBLE way for someone to make money...someone you can't see WILL make money.

      How about this scenario. Abolish "copyright law" as it stands. Allow companies to develop a REAL, EFFECTIVE DRM system. To take your laughable Halo 3 ... do you honestly think that *copyright law* will prevent illegal duplication of the game? Erm...I don't think so. I think MS's DRM and ability to prevent updates, online play, etc. via their XBLive service will keep FAR FAR more people away from copied games than copyright law.

      Abolishing copyright laws would kill off many companies. Many others would take their place. How about a company (companies?) to provide real-time DRM, authentication, etc.? This way, if it's yours you're guaranteed to have access to install and use it where ever you go. Internet connectivity is not universally available yet but... I'm also not going to solve copyright/DRM for the world in a /. post.

      Basically copyright has managed to re-direct the task of protecting a company's work from the company itself to the court system. "Well your honor, yes we made a full version available to download but it specifically stated that you had to pay $50 up-front or $50,000 after 60 days. As such, we're requesting $50,000 in damages plus legal fees plus $billions in penalty."

      Or how about "our laughable drm depended on microsoft's autorun feature in windows so we're going to sue someone for posting in a forum that holding the shift key 'breaks' our DRM. It's breaking encryption/DRM and thus illegal to publish via the DMCA."

      The thought that an idea or information can be illegal is...just beyond stupid if you ask me.

      Copyright is useful to some...in some ways...sometimes. It also has many bad aspects and could be replaced.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
    25. Re:None at all by UnknownSoldier · · Score: 3, Insightful

      > I'm a programmer, I make my living writing applications for various companies, and I get paid pretty well to do it because I possess specialized knowledge.

      Same -- knowledge is traded for money.

      > Assuming copyright was abolished, this would effectively kill off the entire software industry.

      Nonsense. Copyright is only a RECENT invention, and other industries where it costs ZERO to copy something, are still around.

      People would still pay (gasp!) for software, because most are under the moral law of supporting the authors. (There are a few above it, and a few who think they are above it, but that has always been the case.)

      The whole concept of "ownership" is based on a system of greed, because people can't treat others how they want to be treated.

      > Going to a system without copyright would quickly destroy any motivation to provide works not directly beneficial to major corporations

      Did you forget the fact that BEFORE copyright, people CREATED because they ENJOYED it? Famous works such as The Bible were written not because of some corporation, but because people wanted to share a different outlook on how to live.

      I see tons of open source programs created because a developer found it interesting. Heck, myself I work on one, precisely because I find it fun.

      > As an added bonus, medical research would be pretty useless as well. No point researching a drug to cure cancer,

      So now you are going to put a price on SAVING a human life?! Yay for capitalism! Screw the long-term thinking of doing things for the greater good, and focus on the short term solution of making a quick buck.

      > You seem to forget that people are greedy, and without motivation they don't work.

      You seem to forget that money is not the only motivation.

      > There must be at least a reasonable hope of profit (either in the traditional sense, or as some sort of personal gratification) before someone is willing to undertake the effort.

      Tell me, do you have any hobbies? And you do them for profit??

      Someday, the human race will look back at copyright for what it was, a necessary step along the way from when people were focused on controlling their expressions and thinking they determined the "value". I have a dream where someday people will willingly share their creative expressions, and the value of that is not only thought in terms of financial gain, but also by the lasting value it creates in people's lives.

      Laws are created BY people, and by the number of people sharing music, videos, etc, more people are ready to acknowledge copyright is an archaic hold-over from when physical things (let alone information) were a form of power; it's time to stop being so greedy and short sighted, and look towards the long term where people enjoy sharing (positive) things with each other, and not just focused on what they can get from others.

      Peace

    26. Re:None at all by iminplaya · · Score: 2, Insightful

      In the HOPE that the market will reward them for their efforts.

      It's time to find another way besides the prohibition against distribution. And no, you don't have to wait for the work to be completed before you get paid, so the analogy you put forth is incorrect. However applying my analogy to copyright would mean that I should receive a royalty payment for 75 years after I change your oil. I could retire after five years of work. I can dig that.

      --
      What?
    27. Re:None at all by TClevenger · · Score: 3, Insightful
      Broderbund has done this both with Print Shop and American Greetings CreataCard. My wife has a Creatacard installation CD that is worthless, because they've shut down the activation server, and there's no other way to activate the software. In fact, Broderbund's tech support site says that reinstallation from the disc is not possible.

      Activation sucks--Broderbund ripped off a paying customer.

    28. Re:None at all by Em+Adespoton · · Score: 2, Interesting

      Maybe he doesn't, but I do. And I completely agree with him. Installing a background task just to deal with license keys is bad juju.

      I also agree -- Working for a hardware company that also sells support software, we've found a very elegant solution that has worked quite well while not being too cumbersome:
      1. Tie the version of the software you're using to the hardware they have -- basically, sell more than one part of the solution, and make them depend on each other.
      2. Provide a "serial number activation" field during install. Any number entered will work as long as it fits the right hash and is the right length. The number is encoded in such a way that it contains the product version, date of sale, and some piece of information about the customer (eg. last 4 digits of contact phone number). This information shows up in the about box of the installed software.
      3. Whenever anyone calls in for support, we ask for the serial number. If the phone number doesn't match, we ask for further verification that the person is a legitimate customer.

      So far, the "enter a serial number" step seems to be enough to keep piracy down, when combined with the hardware+service model. If we ever went out of business, the software would continue working. No serial number (old Apple style) tends to not stop the average person from pirating, but making licensing more than a simple step will cause at least one person to decide it is easier to crack the software than to jump through all the hoops -- at which point you lose control.

      Think of it as "newspaper box" level security. Sure... someone could put in their money and take ALL the papers, but they have little incentive to do so. Make it difficult to get that first paper (sign up and provide SSN, credit card, etc.) and someone will break into the box and take the whole stack. This seems to be the human condition.
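
The offline serial number from steps 2 and 3 of the comment above, as an added example that is not the commenter's or any vendor's code. The field widths, the base32 grouping, the truncated HMAC-SHA256 check and all names are assumptions; the encoded fields (product version, date of sale, last four phone digits) and the support-desk comparison come from the comment.

```python
import base64
import binascii
import hashlib
import hmac
import struct
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed demo secret. In this design the verifying copy ships inside the
# product, so the check only deters casual sharing ("newspaper box" level).
SECRET = b"constructed-demo-secret"
EPOCH = date(2000, 1, 1)    # assumed epoch for the 16-bit day counter
TAG_LEN = 4                 # bytes of HMAC kept as the check value


@dataclass(frozen=True)
class Serial:
    version: tuple          # (major, minor)
    sold_on: date
    phone_last4: str


def _tag(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).digest()[:TAG_LEN]


def issue(major: int, minor: int, sold_on: date, phone_last4: str) -> str:
    """Vendor side: pack the fields and append the check value."""
    if not (phone_last4.isascii() and phone_last4.isdigit() and len(phone_last4) == 4):
        raise ValueError("phone_last4 must be four digits")
    days = (sold_on - EPOCH).days
    payload = struct.pack(">BBHH", major, minor, days, int(phone_last4))
    raw = payload + _tag(payload)               # 6 + 4 bytes = 16 base32 chars
    text = base64.b32encode(raw).decode("ascii")
    return "-".join(text[i:i + 4] for i in range(0, 16, 4))


def verify(serial: str) -> Optional[Serial]:
    """Installer side: right length, right check value, no network needed."""
    text = serial.replace("-", "").replace(" ", "").upper()
    if len(text) != 16:
        return None
    try:
        raw = base64.b32decode(text)
    except (binascii.Error, ValueError):
        return None
    payload, tag = raw[:6], raw[6:]
    if not hmac.compare_digest(tag, _tag(payload)):
        return None
    major, minor, days, phone = struct.unpack(">BBHH", payload)
    return Serial((major, minor), EPOCH + timedelta(days=days), f"{phone:04d}")


def support_check(serial: str, caller_phone: str) -> str:
    """Support desk (step 3): compare the caller's number with the serial."""
    info = verify(serial)
    if info is None:
        return "invalid serial"
    digits = "".join(ch for ch in caller_phone if ch.isdigit())
    if digits[-4:] == info.phone_last4:
        return "ok"
    return "ask for further verification"


if __name__ == "__main__":
    key = issue(2, 1, date(2008, 10, 15), "4821")   # constructed customer data
    print(key, verify(key))                         # what the About box would show
    print(support_check(key, "+1 555 010 4821"))
    print(support_check(key, "+1 555 010 9999"))
```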
  2. Copy Protection is a Myth by gambolt · · Score: 2, Insightful

    Just like any kind of DRM. Dedicated individuals will find ways around it and likely have some fun in the process. Cracking copy protection is practically a game to a lot of people who will never even use the software. The only people who will be inconvenienced are the people willing to pay for the software.

  3. Don't phone home by Anonymous Coward · · Score: 5, Insightful

    Use a license key, make constant improvements to the product and each new version needs a valid key, disable disclosed keys in new versions.

    To use your product a pirate would either have to settle for an old version, or constantly get a new hacked version and new hacked keys. It's enough to eventually get them to be legal.

    Remember if you make your product hard to use with lots of negatives like phoning home, then you'll learn the lessons the Record companies are learning. Nobody is bigger than their customers.

  4. Phoning home is _not_ an option by gunne · · Score: 5, Insightful

    Prompting for a license key upon installation could be ok, since most users are used to that hassle anyway (though it's still a hassle).

    "Phoning home" should never be done. Keep in mind that internet connection isn't flawless, sometimes it doesn't work for one reason or another, and would you really want to get a bunch of angry customers mailing/calling you when the software won't work/install because their internet connections went down for a while?
    On top of that, if your main user base is business users, most of them will sit in a protected environment which probably won't let your program phone home even if it tries.

    This is just an aside from the real problem with programs "phoning home", though. Integrity and privacy should not be taken lightly.

  5. A license key is enough. by Draconix · · Score: 5, Interesting

    A license key is enough to discourage the casual pirate (custom encryption and multiple variables helps, such as name + password instead of just password) while, from my experience, not being enough to discourage regular users. Entering a key once and not worrying about it ever again is normal enough, and not bothersome. Going beyond that is asking for some glitch to cause legit customers to be calling you up to ask what the hell just caused their copy of your software to invalidate, or why they can't install it on their new computer, etc. Most importantly, it will also encourage people to crack your protection, thus making the pirate version more appealing to the end user.

    --
    By reading this you acknowledge that you have read it.
  6. Re:What's the Right Amount of Copy Protection? by pilaftank · · Score: 5, Insightful

    If the question is how much should I beat the customer over the head, the answer is none. However, the question is wrong. The real question is how can my licensing mechanism best help legitimate customers track their licenses and stay compliant within the licensing agreement. The customers you want have no desire to steal your software, but they'll get annoyed if you make it laborious to maintain license compliance. Forget about the people who want to pirate your software. You add no value to your product when you waste time on them.

    --
    dna.js
  7. Don't require a connection by dargaud · · Score: 4, Interesting
    I worked with equipment that was 3000+km and 10 months away from the closest internet connection, so anything that requires a net-activated key is an absolute no-no. We are still using Win2K for that purpose, and more Linux all the time (although you have to select a distro that won't try to download itself all over again once a week).

    You don't need to go this far: I spent the last 3 weeks on the road with my laptop: Matlab ceased to function as soon as the license key manager got out of touch of the license server. I hate that macromedia shit.

    --
    Non-Linux Penguins ?
  8. As little as it takes... by pla · · Score: 4, Informative

    Is it acceptable for the software to phone home?

    As a member of a small corporate IT department, I can tell you that (except for Microsoft itself), software phoning home for anything other than updates means instant banning of your product.



    If so, what data is appropriate to report on? The license key?

    If you insist on going down that path, what information would really help you reduce piracy? Keep in mind that, merely during the initial evaluation of your software, the same license may get used a dozen times without any intended piracy... "Yup, works on XP. Yup, works on 2k... Oops, blows a gasket on 98... Doesn't seem to like server versions...".



    Should I disable license keys for small amounts of piracy, like when there's 3 active installations of the software? What about widespread piracy where we detect dozens or hundreds of uses of the same license key?

    That gets tricky... IANAL, but only the big boys like Microsoft can get away with that BS. If you try it, you should probably prepare to get sued.

    Now, you do have one chance to block it - At installation. Even I'll allow (grudgingly) most products a one-time online activation. If at that time you deny activation and give an EASY way to contact you to resolve the problem (you can expect them to lie, and should probably just give them a new code, but it might serve as a reminder to the users that they shouldn't make too many more copies), okay, fair game. After-the-fact, though? You'll just piss legitimate users off.

    1. Re:As little as it takes... by pla · · Score: 2, Interesting

      So you guys don't use Adobe or Google products?

      Google, absolutely not (except directly, as a web page).

      Adobe, you can "break" its phone-home aspects simply by replacing the updater executable (the name of which seems to change with each version) with a stub exe that simply returns 0 (the standard Unix "true" program, if I can say that without causing an argument about true vs. Posixly-true).

      And believe me, if I could ban Adobe products, I most certainly would. For supposedly high-quality, nearly-ubiquitous software, that crap causes me more headaches than just about anything except a POS POS (both interpretations intended) program we use. Unfortunately, at least Acrobat falls into a category approaching my "Microsoft" exemption for importance to the company.

  9. Code Wheels by ameoba · · Score: 4, Funny

    I've been waiting for code-wheels to make a comeback.

    --
    my sig's at the bottom of the page.
  10. Personal Delivery by clickety6 · · Score: 4, Funny


    Have each copy personally delivered(*) to the client and you will find that they never pass on copies and will faithfully purchase every upgrade you make available.

    (*) Personal Delivery service to be carried out by Marco and Guido who have their own, very smart uniforms (Gucci suits, dark glasses) and will also provide their own baseball bats. A personal message from you to the client will also be delivered with every copy of the software with a reassuringly soft, menacing undertone. Contact Marco and Guido DRM(**) Services on 555-NO-REFUSAL.

    (**) DRM = Delivery with Real Menace

    --
    ----------------------------------- My Other Sig Is Hilarious -----------------------------------
  11. Do unto others by TheLink · · Score: 2, Interesting

    As you would have them do unto you.

    FWIW, I think license keys are fine. But phoning home is not a good idea.

    If you can link a license key to a mailing address or email address then that's good (could be yahoo mail doesn't matter - it's a matter of getting some stats).

    If you're planning to have future versions of your software then you might as well decide on how upgrades and patching are to be done - key upgrades, discounts etc :).

  12. Let some fall through the cracks by otter42 · · Score: 3, Interesting

    Who was it that said to always make sure to leave a spot in the fence where children could sneak through? P.T. Barnum, perhaps? The point is, people used to understand and accept that a certain amount of "losses" will occur, and that sometimes these "losses" are in fact good for profits, by driving more paying customers to the business. It's only recently that we've evolved the technology and capabilities to ensure that EVERY person gets charged for EXACTLY what they consume. As if we could even know that for sure...

    Don't apply macro-laws (movement of fluids) to micro situations (individual molecules in a fluid). Focus on the macro violations-- widespread corporate use without a license-- but let the little people slip through the cracks. Those of us who install and forget, and never really get much use out of the program anyway, are very unlikely to buy the program in the first place.

    Explaining to people how to pirate but appealing to their goodwill might go a little far, though. I would report only the serial numbers used in the registration, along with the IP address that contacts your server (not the IP address of the machine itself). The rest of the information is None Of Your Business (TM). Try to find a happy medium between accepting a couple copied serial numbers in the wild, and noticing that a large number of computers coming from similar IP addresses are using the same serial number.

    Definitely do NOT disable the program if it cannot phone home. I *hated* that about Bioshock, when my crappy firewalled network made it almost impossible for me to activate the software. Since you're aiming at corporate networks, you're certain to have lots of people with this problem.

    Good luck with it.

    PS: What are the current laws on downloading a program and using a serial number to unlock it? We all know that EULAs have yet to be proven in court, with many cases existing that both support and reject EULAs. So is there a clear case where it's illegal to use a serial number to unlock freely given content?

    --
    www.eissq.com/BandP.html Ball and Plate System. Amuse your friends. Crush your enemies.
  13. Use nothing, or hardware by Alkonaut · · Score: 2, Insightful
    If I was really worried, then I'd skip the hassling of customers, and instead try to gather data on whether there is any real piracy going on. For example, let the setup program phone home and log itself as a unique installation. You can even skip the license number then. Of course, if the phoning home fails, it fails quietly. No one should need an internet connection to install the software. And if the software is denied an internet connection (by means of a firewall for example) the installation should succeed anyway.

    Be open about the phoning home. No one likes a closed source software that phones home for no reason. Don't hassle customers, even the ones who install a copy that is known to be pirated. You can't really tell who's the legitimate customer and who is not.

    If you discover that there is widespread piracy of your product, and you want to do something about it, then make the leap to hardware protection. Bear in mind that dongles are quite a hassle for the customer. But at least the hassle is effective. Other means of protection mean a hassle for paying customers, and just a fun challenge for pirates.

  14. Protected Environments. by burnttoy · · Score: 4, Informative

    Spot on - I know plenty of people who use PCs (usually laptops) in their music and/or art studios who never connect those machines to the internet... EVER! The muso types will often strip back everything on a PC leaving a bare OS + drivers + sampler/sequencer + ASIO drivers. It's all they need and they believe they get better performance and more security without it.

    I also know, and have worked for, companies where information is so secret (mission critical biz stuff or military) that you have to use a provided laptop in a room with no windows that's shielded from radio waves... paranoid, yes, but "phone home" software is simply not an option in that case. Also, no phones were allowed in that room so manual "phone home" wouldn't have been possible.

    Also, some of us are so paranoid that we don't let anything in/out of our firewalls except our browser application. Mind you, I can still use the interweb and I've never been trojan/virused... except this damn cold I seem to have but I can't blame the internet for everything!

    --
    Time flies like an arrow. Fruit flies like a banana.
  15. A rapping black guy by Ash-Fox · · Score: 4, Funny

    The only copy protection you need is something to detect you're inserting a disc/disk into the system, then have a black guy which raps with artificial intelligence to interact with the user.

    --
    Change is certain; progress is not obligatory.
  16. Re:What's the Right Amount of Copy Protection? by cliffski · · Score: 4, Insightful

    Wow, what awesome insight. You sound like you are answering the question "what is the right price for my software?" to which the slashdot crowd will answer "Free!".
    You will not get a sensible answer here on slashdot, as this post above me clearly illustrates. There are far too many people in the "stick it to the man!, let's torrent everything!, all software should be free!, information wants to be free! MAFIAAAAA! is dinner ready yet mom?" crowd on here.

    Yes, copy protection will annoy a small fraction of legit customers.
    Tough.
    That's the price of doing business. Do security guards irritate people in shops? Does having to get a security tag taken off clothes at the till slow down the sale and irritate the end user? We get used to a small amount of hassle in return for businesses preventing casual theft in the real world, the software world should be no different. I'd like to see most of the anti-DRM people on here try to extend your theories to the meatspace world. Try leaving the right money on the counter and walking out of a store next time you go shopping, after all, that guy at the till is just an irritating bit of theft prevention in this case isn't he?

    As for this lunacy that you should make it free and charge for support, that gives you zero incentive to ship a bug-free product, and makes you a wage slave again rather than a creator of new products.

    --
    DRM-free indie games for the PC and Mac: Positech Games
  17. Re:Give it away for free by Anonymous Coward · · Score: 5, Interesting

    You can make tons of money on service contracts. Spoken like somebody who has never run a software development company.

    The fact is most companies will not make tons of money on support. If people are not willing to pay for the software up front, they are not willing to pay for support. I will take my former employer as an example. They purchased one copy of RHEL and had a support contract in place for that one copy. They installed it on over 200 machines.

    My current company charges $100 per agent and $20 per agent/year for support. We often get requests from people asking if we have a free or open source version. We have had people make comments that they would gladly pay for support if we had a free version. Based on experience, that is a lie and these people want something for nothing. We have business expenses to cover and cannot rely on support fees that may not show up.
  18. Unrealistic expectations by Peeteriz · · Score: 4, Insightful

    "While I don't wish to burden legitimate users, I do want to prevent most piracy."

    This will not happen. Cracks for very heavy-handed measures will be available to exactly the same people in exactly the same ways as cracks for a simple serial-number check on installation, ergo a simple serial-check will get you 99.9% effectiveness of any other software system.

    The only things I have seen that seem to work are the hardware usb-dongles; the earlier ones were cracked but the new versions seem to be quite safe. (but they cause a number of other issues and don't qualify as non-intrusive).

  19. Know thy customer by Minupla · · Score: 2, Insightful

    Consider your potential customer:

    You're writing project management software, so we're probably talking 150-200+ employees. Companies of this size are going to have some sort of security policy in this day and age, and potentially (depending on your market segments) may be on closed (meaning no or extremely limited external internet access) networks.

    There's a good chance at the low end of your customer base that they will have some variety of managed software push in place where IT pushes down software and licenses to the workstation users, and it's almost a certainty at the high end of project management using companies (my primary contract fits into this category, and uses centrally managed software).

    I'd therefore recommend a model that allows for central licensing, preferably with no need for IT management to install a license server (lower barrier to entry for your application) and does not need to phone home. I'd suggest a license key mechanism with an optional ability for volume licensees to share a single license database via a network connection.

    Will it be hacked? Yep, naturally (but you sound like you're clued enough to have worked that out without my help) but you're trying to keep honest people honest here. Let's face it, do you really care if you have one or two users install it for free at home to hone their skills if you just sold 500 licenses to the multinational who employs them?

    Large organizations have busy IT depts who appreciate it when software developers make their lives easier. Having an IT dept pushing your software over your competitors can only be perceived as a good thing, so take advantage of it! IT can put up very effective roadblocks if they perceive you as making their life more difficult and impeding things such as system imaging. The last thing you want to be is branded "incompatible with our environment" by your customer's IT dept.

    Cheers,
    Minupla

    --
    On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
  20. Re:What's the Right Amount of Copy Protection? by Rik+Sweeney · · Score: 3, Funny

    None.

    Wrong, everyone has the right to protect something that they've worked hard on. What if the product you made was your only source of income and no-one bought it but everyone had a copy of it? You'd do whatever you could to protect your livelihood.

    Get out of your fucking tree, cut your hair and get a job.

  21. FLEXlm by Colin+Smith · · Score: 2, Informative

    License management software. Very common.

    --
    Deleted
  22. What to remember by rjwoodhead · · Score: 2, Interesting

    As a veteran of the first copy protection wars, let me give you one simple insight that should guide you:

    "Thieves don't buy"

    Software thieves will not pay for your software, no matter how much you lock it up. If they can't get a cracked copy or code, 99.44% of them won't use it. It doesn't matter if they still live with their parents, or are the CEO of a big company; thieves don't buy.

    Thus, you must tailor your strategy towards supporting your non-thief customers, while minimizing the parasitic cost of the thieves.

    Consider doing this:

    * Require registration for support, not for running the program. If they run an unregistered copy (ie: no serial number), give them full functionality but remind them how to pay on startup, gently. Perhaps do it only when you do the weekly update check, or whatever. Support is your major marginal cost, so you want to try and avoid giving support to the thieves.

    * Phone home to check for updates, but continue to run no matter what. If the phone-home does detect a registration conflict, alert the user ("someone may have stolen your registration number") but continue to run.

    * Explicitly disclose what your phone home does, and allow the user to disable it, or the registration check, if they so desire.

    * Provide a way for your legit users to get logs of the phone-home information. Say their laptop gets stolen; the IP address logged on the phone-home could mean it gets recovered, you're a hero, and have a customer for life. But have strong data privacy rules about the information and how long it gets retained.

    * If you have a product with low/no marginal costs, consider letting your users decide how much to pay you (works best with small ticket items). See http://tipping.selfpromotion.com/ for an essay I wrote on this some years back.

    * Always remember to add the clause to your software license that makes Bill Gates promise to become your towel-boy.

    The easier you make it for your honest users to pay you, and the more helpful you are to them, the more you will be paid.

    --
    "World Domination - a fun, family activity"
  23. How important is your software? by 15Bit · · Score: 2, Interesting
    Any level of copy protection is an inconvenience to the end user:

    1. Install keys are a pain, but we're all used to them now and we accept them. Very few users send the software back or refuse to upgrade just because of install keys.

    2. Phone home activation is a bigger pain. It gives you some control but can cause headaches for the customer's IT dept. It can also make cracked versions more appealing, and makes non-internet connected computers impossible to activate. In general though, it is acceptable if it's a once only affair. However, regular phone-home checks are more than enough to sway the purchasing decision against your product.

    3. Locally installed license servers can be a pain, but they offer both you and the end user complete control over what's going on. They do represent an initial setup hurdle, but after that they offer considerable flexibility in that the end user can install your software on all the computers on their system and then there is a limit applied on how many clients can run at any one time. Your customer can then buy a small number of licenses and upgrade to more if necessary. Obviously this still needs the customer to have a decent internal network, but not necessarily internet connected, which is an issue in some places.

    4. Hardware dongles are just a menace and a guaranteed way to drive your customers away.

    At the end of the day I think you need to evaluate how important your software is to your customer. If it's critical, and they have no alternative, then you have the option of going the Microsoft route and pissing them off as much as you like cos they need you more than you need them. This may come back to bite you in the arse.

    If your software has little or no value to the home user (i.e. they have no use for it or wouldn't pay for it anyway) then you can probably get away with just a license key activation cos business customers tend to be a little more honest by nature. This also makes your product appealing to small companies cos they can buy one license (so they feel honest) and use it on 3 or 4 computers. This *is* technically "stealing", but you've still sold one more copy than you might have done.

    If you really want to have total control, and you think your customers will accept it, then the license server is a good choice. Your sales people should be able to dress it up as a convenient way for the IT staff to manage their licenses and if some sort of phone home is needed then only one hole needs to be drilled through the firewall. In future revisions you could also expand its role into an update server or something.

    It is possible to do some mix and match. For instance, Intel distribute the free versions of their C++ and Fortran compilers with both a phone home activation code AND a license key file. I find this to be quite convenient (though admittedly it doesn't stop the software being replicated across several machines). You could for instance sell single or double licenses to small companies (in the expectation that they will use it on more than one or two computers) and sell license servers to larger companies (who might be more strict about license accounting). This sort of flexibility (not adopting a one size fits all approach) would reduce the chances of alienating whole segments of potential customers.

    So in summary, you are selling a product and that product has to be acceptable to your potential customers. If it's not, they won't buy. Consider your target market and implement your controls accordingly. And if you can afford it, don't be afraid to offer flexibility in the licensing systems.

  24. gentle reminders by devonbowen · · Score: 3, Informative

    A while back I wrote an app that was key activated. The key had two components. The first was the name of the person that it was sold to (from the credit card) and the other was a hash of that name, the version number, etc. The user needed to enter both in order for it to work. (And the two needed to match, of course.) My thinking was that using the name in plain text would make it personal and encourage the user to not give it away while still allowing them to do what they thought was reasonable (running on both a laptop and desktop, for example). Basically, a gentle reminder to help honest people stay honest. The dishonest people are just going to hack your binaries anyway.

    Devon
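
The serial-number schemes described by Em Adespoton and devonbowen above, sketched as an added example (not code from either poster): a key that carries product version, sale date and the last four phone digits, bound to the purchaser's name and checked entirely offline. It uses a truncated HMAC-SHA256 where the posts say only "hash"; the field layout, secret and function names are assumptions.

```python
import base64
import hashlib
import hmac
import struct
from datetime import date, timedelta

# Constructed demo secret; a real product would have its own.
SECRET = b"constructed-demo-secret"
EPOCH = date(2000, 1, 1)   # sale dates are stored as days since this day
TAG_LEN = 9                # 6 payload bytes + 9 tag bytes = 24 base32 chars


def _normalize(name):
    """Make the name check tolerant of case and spacing differences."""
    return " ".join(name.split()).casefold()


def _tag(payload, name):
    """Keyed check value binding the encoded fields to the purchaser name."""
    msg = payload + b"\x00" + _normalize(name).encode("utf-8")
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:TAG_LEN]


def issue_key(name, major, minor, sold, phone_last4):
    """Vendor side: build a key of six dash-separated groups of four."""
    if not (len(phone_last4) == 4 and phone_last4.isascii()
            and phone_last4.isdigit()):
        raise ValueError("phone_last4 must be exactly four digits")
    days = (sold - EPOCH).days
    payload = struct.pack(">BBHH", major, minor, days, int(phone_last4))
    text = base64.b32encode(payload + _tag(payload, name)).decode("ascii")
    return "-".join(text[i:i + 4] for i in range(0, len(text), 4))


def verify_key(name, key):
    """Installer side: return the decoded fields, or None if the key is bad."""
    compact = "".join(ch for ch in key.upper() if ch not in "- \t")
    if len(compact) != 24:
        return None
    try:
        raw = base64.b32decode(compact)
    except ValueError:          # characters outside the base32 alphabet
        return None
    payload, tag = raw[:6], raw[6:]
    if not hmac.compare_digest(tag, _tag(payload, name)):
        return None
    major, minor, days, phone = struct.unpack(">BBHH", payload)
    # These fields are what the about box would display.
    return {
        "version": f"{major}.{minor}",
        "sold": EPOCH + timedelta(days=days),
        "phone_last4": f"{phone:04d}",
    }


def caller_matches(info, caller_phone):
    """Support desk: compare the caller's number with the digits in the key."""
    digits = [ch for ch in caller_phone if ch.isdigit()]
    return "".join(digits[-4:]) == info["phone_last4"]


if __name__ == "__main__":
    # Constructed sample customer.
    key = issue_key("Pat Example", 2, 1, date(2008, 9, 1), "0142")
    print(key)
    print(verify_key("pat example", key))
    print(verify_key("Someone Else", key))
```

Because the checking secret ships with the installer, this is the "newspaper box" level of protection both posts aim for: it keeps honest users honest and needs no network connection.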

  25. Speaking as a very successful vendor: None. by fyngyrz · · Score: 5, Insightful

    how can my licensing mechanism best help legitimate customers track their licenses and stay compliant within the licensing agreement

    A much better question is, how can we maximize the rewards to our paying customers for providing us with the income we need to pursue our chosen path of software development?

    The answers are:

    • Provide them with a software key that is uniquely theirs so they have the means to protect their investment in us, not so we can attack them.
    • Archive that software key so we can give it to them again if they lose it.
    • Never, ever disable, restrict, or otherwise cripple a customer's product.
    • Provide a means so they can legitimately share our software so as to spread the word.
    • Price software reasonably; if the market is large, price low. If small, price higher.
    • Be valuable: Provide strong functionality. Remain valuable: Fix it, improve it, be helpful.
    • If someone wants a key and can't pay for it or wants to look before they leap, just give them one. Really. Doesn't hurt a thing. People who won't or can't pay aren't going to anyway. Better they use our stuff than our competitor's; better to make them happy than annoy them; better to see to it there's no value to an underground trade, because hacked software presents a security risk to us all.
    • Last, but not least, don't burden our customers with "agreements" or "licenses." We wrote stuff, they paid for it. Done deal. Now it's up to us to add value to the product so they'll continue to boost our positions by using our support; spreading the word, the demo, the results.

    You know the people who will insist on paying you when you mow their lawn, carry groceries, etc.? Those are the socialized, economically stable majority. They'll pay for good stuff as long as you price it sensibly and shovel value at them like it is going out of style (it actually seems to be in some cases, so use that instead of being part of it.) There is simply no need to go to war with everyone else - be a leg up instead of an obstacle to overcome.

    I've done extremely well using this approach, as have my loyal employees. The only thing I would raise a flag about is you actually have to have something worthwhile; if you hand customers (and non-customers) bloated, cpu-hogging bugware, no amount of good will can counter the negative effects of the software itself.

    --
    I've fallen off your lawn, and I can't get up.
    1. Re:Speaking as a very successful vendor: None. by inflex · · Score: 2, Informative

      Well, that pretty much summed up everything I could have said. The first few times I encountered people who insisted they paid 100% price for each and every licence completely shocked me - of course, that was a long time ago and I'm more than happy to have them roll up for more sales :D

      Well done.

    2. Re:Speaking as a very successful vendor: None. by j00r0m4nc3r · · Score: 2, Insightful

      Price software reasonably; if the market is large, price low. If small, price higher.

      How about you price it based on its value, not the size of the market? Just because the market is small, that does not make your software more valuable. Just because the market is small, it doesn't mean you should try to gouge your customers. It only takes one good competitor to destroy you. I would say, "Price software reasonably and competitively regardless of market size". Get rich by making and selling a good product to lots of people, not by trying to gouge in a small market. If the market is too small to be profitable with your product, you need to rethink your business strategy and expand into other markets.

  26. That trick never works. by porkchop_d_clown · · Score: 5, Interesting

    So, by way of example, I wrote an un-copy-protected software package and released it as "guiltware" - I asked them to click on the paypal link and make a donation to MDA through me. 5 years on, I know people are still using it because I get help requests.

    But not one person ever, ever, ever clicked the link.

    1. Re:That trick never works. by Just+Some+Guy · · Score: 3, Funny

      I've done the same sort of thing with my GPL Palm software, Contraction Timer.

      Whoa, hey, back up. Contraction Timer?

      Husband: Honey, can you just hold it a second longer?
      Wife: STOP PLAYING WITH THAT $#!$(@)#$! PALM AND GET YOUR ASS IN THE CAR!
      Husband: But I almost have it uploaded!
      Wife: You have no chance to survive make your time.

      --
      Dewey, what part of this looks like authorities should be involved?
  27. Re:Not strictly true by cliffski · · Score: 4, Insightful

    *sigh*

    So if the customers want the product for free, you work for nothing?

    It isn't that simple. Customers want unreasonable things. I want every pizza I ordered to be free, delivered instantly by a dozen naked supermodels. But just because my local pizza company will not provide such a service does not mean a new company will materialize to do so.

    Throwing out glib comments you read on some web forum does not equate to actual business experience. You cannot pay employees or bills with glib expressions, only profits earned from PAYING customers.

    --
    DRM-free indie games for the PC and Mac: Positech Games
  28. Case Study. by bronney · · Score: 2, Interesting

    I am not as knowledgeable as most replies here but I can tell you which software I bought and which I didn't. Maybe it'll give some insights.

    ===

    1. Fraps. Bought.

    Copy protection: reg key

    Tried the trial version many years ago, cool to record your games, not much games needed recording, and youtube wasn't out. Forgot about it. Later when youtube hits the web, there're some stuff I wanna post up. Insta thought of fraps. Googled it, wow this guy's still at it! I can easily crack it, but bought it instead because it's "worth" it and the dude is still working hard on it. Lifetime upgrade, smooth running program. Would I've bought it if it was $3449 usd? Probably not. Even if fraps didn't require a reg key, I would donate to it. Why? It does what it says it does, and it does it in a quick, smooth, no BS way.

    2. Steam. Bought.

    Copy protection: online registration (MMO account style), clean, works instantly after format, no backups necessary

    When I felt like playing CS again, it installs steam by default. Thought nothing of it. Later when HL2 came out, pirated, played first map, blew me away. I emailed dev and asked if they will earn more money if I buy it off steam or the box. The answer is "same". But I skip the publisher anyway and bought off steam while I already had a copy in my hdd. The game was so good I didn't mind the $50 to show props. Again, smooth running, works as advertised. Doesn't cost $4k.

    3. Famous photo editing software. Pirated.

    Copy protection: activation key

    Can't afford, but need to use. New version every year (not sure, maybe 2 years). With newer version files non-importable back to older version without losing some data. Cannot afford every new version upgrade price. Would I pay for it if it were the same price of a PC game? Definitely. Would I pay for it if it were the same price range as some less reputable photo software? Yes. Would I pay for Winning Eleven 8, 9, 10, 10 Evolution every year just cuz the jerseys changed? No.

    4. Famous OS. Pirated.

    Copy protection: activation key

    Can afford, however doesn't always do as advertised. Requires tremendous attention and work to make it work smoothly. Makes me nervous when people need to use my computer as little voice says they will screw it up and it'll cost you another 3 hours of my finite life. Not sure if I will get MORE support by paying for it. Worst, not sure if MORE support will make this experience "better".

    ===

    I guess what I am trying to show is, and my general direction towards CP is that the best CP is no CP. Instead, make something that is truly fun, good, happy, addictive, smooth, sexy, that people want to pay for it. Your software might not be at the Ferrari level, but at least make it so that people feel like pirating a Mercedes is teh ghey. Pirating a Hyundai is less so, you agree? It doesn't have to be cheap, look at Smart car. Nice, cute. But if you see a pirated Volkswagen beetle, you'd immediately think it's ghey. Pirating ipod? Ew. Pirating a famous memory makers' mp3 player? Sure.

    I generally agree with the Fraps direction. Pay once, use it for life. Lifetime upgrade, lifetime URL to download the upgraded version, quick, fast, and malware free. Pirate it? You gotta search for the seeds every single time, read comments, and virus scan it every time buddy.

  29. Ideal copy protection by eknagy · · Score: 2, Interesting

    The answer is, as for any good questions: depends.

    A few rules on what not to do:
    A) "Phoning home required" and "online registration required" means "won't use this".
    B) Crippling unregistered versions is a bad idea for business software - they need to spend more on IT support.
    C) Time-limiting your software is a no-go - the limit will be exceeded in the middle of an important meeting/negotiation, and your software will be eradicated in two days.
    D) No matter what you add, pirates can remove it, but legitimate users will suffer.
    E) Never take your client's data as ransom - you will lose your customers if you do (in this particular case, a read-only access for unregistered clients could be acceptable).

    A few rules on what to do:
    A) Printing nice license certificates will get you more money from typical business users.
    B) "Phoning home for updates if accepted by user" and "online updates are available only for registered instances, offline updates are available only for registered customers" is OK - they feel they get support.
    C) Giving volume licenses will save some headache for Business and for you (if they need 7 licenses, they will likely buy a 10-pack for a price of 8 licenses).
    D) Offer site licenses based on the size of the company, if they ask you about the price/discount - that way, your software has a chance to become "the internal standard".
    E) Unique ID is a good idea, as long as it is visible to the user and the software is working even if not able to phone home (a red "unregistered" label is a good reminder for legitimate users).
    F) If you add time-locked registration codes, you should make it possible to load multiple codes and continue if at least one of them is valid.
    G) Consider building customised instances for them - like embedding a background image of "Licensed to company X, for 10 seats".
    H) Offer them absolutely copy-protection free versions for double-price.
    I) An automated version check in the background (no serial, just checks a txt file via http) will give you some info if you have access to the web server logs and will be considered as a feature.

  30. Wheee, my first slashdot article! by WPIDalamar · · Score: 3, Informative

    Thanks for all the comments everyone. I've been reading through them and have some ideas. Here's a scheme I had been considering that might address some of the concerns brought up.

    1) Upon purchase, user gets a license key.
    2) When installing, the software generates a random (somewhat) unique installation ID
    3) The license key is checked locally, with no net connection required.
    4) Upon app startup, if there's an internet connection, the software phones home with the software version, the license key, and the installation ID
            The phone-home also gives a version-check to let the user know about any updates.
    5) We log the license key and installation ID

    Someday, we do some data analysis and find any license keys with a large number (maybe 5, maybe dozens, not sure) of installation IDs. The data analysis should look for interwoven log records of installation ID, because the user might have uninstalled it on one machine, and installed it on another. Then a person (not an automated process) would get a report and be able to investigate and flag certain keys as compromised.

    What happens next?

    Do we cause the software to stop functioning? (I don't like that)
    Do we cause the web service-portion to stop functioning? (I don't like that either)
    Do we pop up a window saying, "SOFTWARE PIRACY DETECTED!! YOU ARE GOING TO JAIL IF YOU DON'T STOP!"
    Do we pop up a window saying, "Hey, this might be pirated. Go to http://xxxxx/ to purchase additional copies"
    Maybe the software does nothing, and we deal with it through customer support. A friendly email to the original purchase agent?

    I guess the goal is make honest people stay honest. As many have pointed out, it will be impossible to prevent someone who REALLY wants to pirate the software.
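
The analysis described in the post above (flagging keys whose installation IDs are interwoven in the log rather than used one after another), as an added example that is not part of the original post or the poster's software. The log format, key names and review threshold of 3 are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed phone-home records: timestamp, license key, installation ID, version.
SAMPLE_LOG = """\
2008-01-05T09:00:00 KEY-MOVE inst-a1 1.0
2008-02-10T09:00:00 KEY-MOVE inst-a1 1.0
2008-03-01T09:00:00 KEY-MOVE inst-a2 1.0
2008-04-15T09:00:00 KEY-MOVE inst-a2 1.1
2008-05-02T09:00:00 KEY-MOVE inst-a3 1.1
2008-06-20T09:00:00 KEY-MOVE inst-a4 1.1
2008-01-07T08:30:00 KEY-DUAL inst-b1 1.0
2008-01-08T19:00:00 KEY-DUAL inst-b2 1.0
2008-03-03T08:30:00 KEY-DUAL inst-b1 1.1
2008-03-04T19:00:00 KEY-DUAL inst-b2 1.1
2008-02-01T09:00:00 KEY-SHARED inst-c1 1.0
2008-02-01T09:05:00 KEY-SHARED inst-c2 1.0
2008-02-02T10:00:00 KEY-SHARED inst-c3 1.0
2008-02-03T11:00:00 KEY-SHARED inst-c4 1.0
2008-02-20T09:00:00 KEY-SHARED inst-c1 1.0
2008-02-20T09:10:00 KEY-SHARED inst-c3 1.0
2008-02-21T09:00:00 KEY-SHARED inst-c2 1.0
2008-02-22T09:00:00 KEY-SHARED inst-c4 1.0
"""

def parse(log_text):
    """Return (timestamp, license_key, installation_id) tuples; skip malformed lines."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, key, inst, _version = parts
        records.append((datetime.fromisoformat(ts), key, inst))
    return records

def active_windows(records):
    """Map license key -> {installation ID: (first_seen, last_seen)}."""
    windows = defaultdict(dict)
    for ts, key, inst in records:
        first, last = windows[key].get(inst, (ts, ts))
        windows[key][inst] = (min(first, ts), max(last, ts))
    return windows

def max_concurrent(intervals):
    """Sweep line: the largest number of installation windows open at once.
    A move from one machine to the next gives back-to-back windows (peak 1);
    interwoven records give overlapping windows."""
    events = []
    for first, last in intervals:
        events.append((first, 0))  # 0 = open, sorts before a close at the same time
        events.append((last, 1))   # 1 = close
    current = peak = 0
    for _, kind in sorted(events):
        if kind == 0:
            current += 1
            peak = max(peak, current)
        else:
            current -= 1
    return peak

def review_report(records, threshold=3):
    """Keys for a person to look at; nothing here disables or contacts anyone."""
    report = []
    for key, insts in active_windows(records).items():
        peak = max_concurrent(insts.values())
        if peak >= threshold:
            report.append({"license_key": key, "installations": len(insts),
                           "peak_concurrent": peak})
    return sorted(report, key=lambda row: -row["peak_concurrent"])

if __name__ == "__main__":
    for row in review_report(parse(SAMPLE_LOG)):
        print(row)
```

KEY-MOVE and KEY-SHARED both have four installation IDs, so a plain count of IDs per key would report both; only the overlap test separates the user who reinstalled on new machines from the key in use on four machines at once.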

    1. Re:Wheee, my first slashdot article! by bj+bignell · · Score: 2, Insightful

      What happens next? Nothing. Don't disable the software, don't handicap the software, and for chrissakes don't you dare email me to tell me I'm pirating your software. Even if it's true, I don't want to hear it and I sure as hell will not do anything about it.

      What might be appropriate is a simple email once every six months thanking each customer for their purchase of X number of licenses, and asking them to please get in touch if they have any questions at all. Make sure to prominently display the emails and phone numbers for sales and support. If you suspect someone might be pirating your software in a big way, include a special one-time offer to expand their licenses and/or support for a very good price. But don't suggest that they're pirating; it will be viewed as insulting and invasive even if it's true.

  31. Re:Not strictly true by PopeRatzo · · Score: 2, Insightful

    So if the customers want the product for free, you work for nothing?

    It isn't that simple. Customers want unreasonable things. I want every pizza I ordered to be free, delivered instantly by a dozen naked supermodels.
    See, that's because you are unreasonable. Most people will gladly pay a fair price for a good product. It's when we have to pay exorbitant prices for buggy products that we get upset and go to your competitor. And when you throw in "get treated like a thief", that just about guarantees that we'll rush to your competitor.

    I would also like a pizza delivered by a dozen naked supermodels (if only to make my neighbor green with envy), but I'd expect to pay quite a lot for that service.
    --
    You are welcome on my lawn.

  32. Speaking as an IT Director by weave · · Score: 4, Insightful

    Some tidbits... my personal opinions, not necessarily those of my employer.

    1. When evaluating software, if all things are equal between software products being evaluated, the one with the least or no copy protection always wins out.
    2. If a product requires a dongle, either on a client or server, unless my back is up against the wall from users and there's no other product to meet the need, it always gets rejected.
    3. A product requiring a license server is tolerable in some cases, but see #1 and #2. There's also the issue of disconnected laptop users to address.
    4. A product requiring a unique product key is a royal PITA for multiple automated deployments. This means while we might buy n number of copies and install n number of copies, each copy is going to end up with the same product key via ghost image or scripted install. Would you shut us down even though we have purchased enough copies?
    5. Activation during install is OK if it can be automated during an install or first run (and if the latter, doesn't require admin or power user rights). However, be advised that machines are regularly reinstalled and software can move around as users move around. (If they move their office, their desktop probably won't go with them, they'll just get a new install at the new office and their old office will get re-installed for the new person there)
    6. I can be held legally liable if I know about copyright abuses where I work. Think I'm going to put myself at personal risk if my employer is too cheap to be legit? Think again.
    7. IT shops *want* to do the right thing. Don't fight us, help us. That means give us tools to help us remain compliant that are non-intrusive. Like something I can go to to see what copies are installed where and deal with non-compliance on my own. Yes, a lot of shops have tools like this already but many don't, so also make it optional. Just don't treat us as an enemy. Also remember rule #1.

    1. Re:Speaking as an IT Director by weave · · Score: 2, Informative

      My users often steal dongles, sometimes just to be pricks. As for servers, I try to virtualize as much as possible. Dongles complicate that, or often don't work in that situation.

  33. From the 3D software side by imashination · · Score: 2, Insightful

    The best method I've really seen is at the company I used to work for, Maxon Computer, they make cinema 4d. The only stuff you can really protect against is casual opportunistic pirating. I.e. a company that buys a copy and puts it on several machines at once instead of buying several licences; which by the way is extremely common amongst smaller 10 man studios.

    C4D uses a serial number, this is very little burden for you or the customer. The serial is not tied to the hardware in any way; it's freely moveable and installable on any machines you like. The check is simple, it checks the network to see if someone else with the same serial is already running the software, if so then it just doesn't load, that's it. Yes, you can in theory start yanking out network cables before you load it and so forth but this isn't really an option for most, crawling under the desk, losing shared network drives of media etc several times a day.

    Just make a personally identifiable serial number to scare some away from giving it out and add a network check to stop people casually spreading it around the office. If someone wants to copy your software for free, they will do it, no protection will save you, just accept this and don't burden your paying customers with annoying crap.

    - Dongles cost money, you'll have driver/os issues, they'll break, they'll get fried and corrupted, they take up slots, they get stolen, they are truly crap IMHO.
    - Tying your serials to NICs is a hassle and you will be forever sending new serials every time someone upgrades their computer, you don't want to set yourself up for this eternal headache
    - Online checks, let's not even go there.

  34. elicense marketing sucks by Snibriloid · · Score: 5, Insightful

    Really, really bad marketing.

    So how do I get the creepy feeling that this guy isn't entirely honest, but actually an elicense marketing stooge?

    The install is painless (it installs a license control service that in many years of using I've never had any sort of issue with), and it stops a LOT of piracy.
    Err, yes. I have original software too, but somehow the companies failed to send me regular, detailed newsletters about the LOTS of piracy they stopped with their particular brand of DRM.

    It IS possible to "unwrap" the executable, but of all the Elicense protected software I've used, I've only ever seen one game cracked. (Ironically it is the most obscure of the ones I own.)
    Yeah, sure, I too make regular searches on the web for cracked versions of the originals I own, especially when the DRM is soooo good that I don't want a no-cd crack.
    And by the way, what are the multiple(!) games that haven't been cracked? I would really like to buy them, if only for rarity value. After all, in the whole history of mankind they are likely to be the only pieces of software ever that weren't cracked....

    I am vehemently opposed to DRM, copy protection, call it what you will, but I find Elicense extremely inoffensive due to its ease of use.
    Yeah, I'm opposed to DRM but happy to install extra software on my computer that monitors me. But I am vehemently against everything else DRM-related, trust me.

    DRM should not impact legitimate consumers, and this one is the only one I've come across that has never caused me any sort of negative experience.
    Software where you have to enter a code ONCE is really a pain in the ass, believe me. But elicense is soooo easy to use, I have to mention it five times. Please buy our product.

    DRM-Companies, I beg you, if you let your marketing division run loose on slashdot, at least stop them from taking drugs. Thanks!

    1. Re:elicense marketing sucks by cool_arrow · · Score: 4, Insightful

      This guy has a good BS detector.

  35. Re:And the is answer is none. by smittyoneeach · · Score: 2, Insightful

    +1 Spinal Tap reference.

    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear

  36. Product activation is not appropriate for business by Digital_Quartz · · Score: 3, Insightful

    If your target is business users, this sort of "phone-home product activation" scheme is going to cause you and your customers a lot of grief. The install might be "painless" on someone's home computer (assuming the someone isn't ethically opposed to product activation), but it won't be in a corporate environment, where your product may have to traverse a proxy server (or even an authenticating proxy server) to reach the internet.

  37. Requiring an internet connection. by IndustrialComplex · · Score: 2, Informative

    One of my first assignments was to configure a database for a product demonstration. I had to do it outside of my home country and the software/customer could not provide a connection to the internet to the server.

    One of the pieces of software required a connection to do its activation. No phone or snail mail supported. It was so backwards where we had a tech from the software company online and they didn't know how to activate the software w/o an internet connection. We had to wait for them to send us a patch disk that included the activation files.

    --
    Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj

  38. Fascinating. But Back on Earth, It's Like This: by RobotRunAmok · · Score: 2, Interesting

    Where do you work? A Deli? 1996?

    You run cracked software on a workplace PC here in 21st Century Corporate America, you'll be lucky to get away with a strictly worded warning. Get caught again and your employment will be terminated for sure.

    On the other hand, install some nice new DRM-free software in the corporate workplace and wave it around enough and it will get copied and brought home by hundreds of non-paying users.

    The answer to the man's question lay in just exactly how good and unique his software is. If he's created the new spreadsheet-like paradigm for which there is no competition, he can attach a big ball and chain to the floppy and Corporate America will still make him rich (God Bless the USA!). If it's "Yet Another [fill in the blank]" for which there are better marketed (e.g., MS) or free open-source versions of, then he'll need a friendlier DRM scheme, or folks will just go with what they know/what costs less.

  39. Re:What's the Right Amount of Copy Protection? by Floritard · · Score: 2, Funny

    Yea those darn security guards. Wouldn't be so bad if they just stayed in the shops, but they insist on moving in with us and making sure we use the product appropriately and let no one else use it who didn't pay for it. My kids really hate them. They like to "crack" jokes at the guards and have silly nicknames for them like "dongle." I know, my kids are weird. Those security tags are a pain too, I wish they'd just take them off at the store and not leave them on my clothing to get snagged on everything I walk by. They itch too. Price of doing business I guess. But hey there are real thieves out there!

  40. Do what your customers expect by Exp315 · · Score: 2, Interesting

    Lots of good comments here already, but what the heck - always room for a few more. I was a shareware vendor for many years, and now I run a small software company offering commercial products. I've dealt with this issue for a long time, so I can offer a few observations.

    The first thing I would say is "do what your customers expect". In some markets, people expect to have to enter a serial number, but nothing more. In other markets, people expect to use a hardware dongle with the software. If you find out what others are doing and do the same, you won't violate your customers' expectations. They will perceive you as a responsible, professional vendor, while accepting a modest amount of inconvenience.

    Most new software vendors tend to err on the side of too much copy protection, because they over-estimate the value of their work and they get really pissed-off at the thought of people stealing it. You should be so lucky! Cut whatever you had in mind in half, and do what you must to deal with piracy later if you are fortunate enough to have your software widely copied and used.

    Most business and professional software users are pretty responsible about paying for the software they use. A very modest speed bump that lets them notice if they are using a non-legitimate copy is generally sufficient. In every successful company I have ever worked at, there's a clear policy that all commercial software in use must be properly licensed and paid for. Not that there isn't some unofficial copying going on, but it has to stay below the level that comes to anyone's official attention.

    My company is very careful to protect the value of its commercial products, but never in a way that gets beyond customer expectations. In various markets we use registration codes, timeouts, permanent personal registration of software copies, and even hardware dongles. All have their value, but it's never worth losing customers over this issue. Any legitimate customer complaints, and we would back right off and offer an acceptable alternative. That's business.

    Personal software is another matter. As a shareware author I always made sure that my trial versions remained useful even if never registered, and I always encouraged users to ask their support questions even if they weren't registered. Based on the support questions and the number of downloads versus paid registrations, I would estimate about a 10:1 ratio between users and paying customers. Did that make me unhappy? Not at all! Most of those unpaid users would never pay for the software anyway, but by using it they are spreading the word and helping me test and improve the product. Plus I don't mind doing a little bit to improve the world for free as long as I'm getting an adequate return on my personal time investment.

  41. Re:None at all-Money by Homr+Zodyssey · · Score: 2, Informative

    Well if they were all that then people would be using them instead of Winzip in the first place?

    They are all that. People aren't using them in the first place because of the 'MindShare' aspect that you mentioned.

    Spending money on a free version? Perish the thought.

    The GP was right. I've now worked at two large corporations and one small one that all had site licenses to WinZip. They install them on all desktop systems automatically. Most large corporations have policies in place such that pre-installed software must be licensed. This is for audit reasons and so they can claim support if they need to.

    I, of course, promptly uninstall it from my machines and replace it with 7-Zip. Last time I checked, Winzip still didn't handle several major file-types (like RAR).

  42. What type of corporate software do you mean? by dfsteen · · Score: 2, Insightful

    Really there are two types of machines that corporations use - employee PCs and servers. These have different requirements. While a nag screen may work on employee PCs it definitely won't work on servers that need to be able to reboot by themselves (and if the nag screen does not halt booting of the program then you have not accomplished anything as in many cases no-one will see it). In the same way you *MAY* get away with phone home software on a PC, but it definitely would not work on a server - especially one that may not have any direct internet access.

    I would agree with previous posters that a one time installation code would be acceptable, and even perhaps one that expires over time (though that would certainly be annoying) as long as the process to upgrade is easily scriptable.

    For employee PCs you might be able to get away with a call-in-on-boot type scheme as long as it uses standard protocols like http or ftp. But I would certainly understand people balking at this sort of thing.

    It depends on where your software is intended to be installed.

  43. Re:The only game to ever not be cracked by Anonymous Coward · · Score: 2, Informative

    It's called a lie. (Laser Induced Error) If a specified track/sector on the disk returns an expected error, then do the next valid step; otherwise operate as if it's a pirated copy and quit working properly.

    Many software titles from the late 80's and early 90's used this method of copy protection. With CD installations and later downloaded installations, this method was no longer feasible.