Slashdot Mirror


Ask Slashdot: Copy Protection Advice For ~$10k Software?

An anonymous reader writes: "I'm part owner of a relatively small video editing software company. We're not yet profitable, and our stuff turned up on thePirateBay recently. Some of our potential paying customers are using it without paying, and some non-potential customers are using it without paying. Our copy protection isn't that tough to crack, and I'd rather see the developers working on the product than the DRM (I'm convinced any sufficiently desirable digital widget will get copied without authorization). Would it be insane to release a 'not for commercial use' copy that does some spying and reporting on you, along with a spy-free version for ~$10,000? I feel like that would reduce the incentive to crack the paid version, and legit businesses (In the US anyway but we're trying to sell everywhere) would generally pay and maybe we could identify some of the people using it to make money without paying us (and then sue the one with the biggest pockets). What would you do?"

113 of 635 comments

  1. "does some spying and reporting on you" by Gaygirlie · · Score: 4, Insightful

    Please do clarify as to:

    1) What would the program actually collect about users?
    2) What would you do with the data?
    3) Would you do that without informing the users of this or not?

    You see, whether or not that is even LEGAL in the first place depends on the answers of yours.

    1. Re:"does some spying and reporting on you" by hellkyng · · Score: 5, Interesting

      To the already great questions above, I would also add:

      How will you feel when your product is flagged by Anti-Virus companies as malicious, and what will the impact be to your reputation?

    2. Re:"does some spying and reporting on you" by iamhassi · · Score: 3, Interesting

      I'd like to add:
      4) Along with spying, enable ability to send pop-up to individual users if you notice non-paying business usage, and give them a way to contact you to negotiate. Maybe it's not worth $10,000 to them, but it's probably worth *something*. Maybe $1,000? Maybe $100 a month? Anything would be better than stealing and getting nothing from them.

      I have downloaded software in the past and many times I didn't think it was worth full asking price but really wished I could give them some money for it. Unfortunately there's no way to do that right now, it's full price or nothing, and it's even worse when the item is no longer sold because you can't even pay full price for it, you're forced to download

      I think every software company should have a "pay us something if you downloaded our software" option on their website somewhere.

      --
      my karma will be here long after I'm gone
    3. Re:"does some spying and reporting on you" by iamhassi · · Score: 3, Interesting

      How will you feel when your product is flagged by Anti-Virus companies as malicious, and what will the impact be to your reputation?

      Why would it be flagged as malicious? A lot of software reports back, that's how you're notified of new updates. Doesn't your firewall tell you when your software attempts to connect to the company's server?

      --
      my karma will be here long after I'm gone
    4. Re:"does some spying and reporting on you" by Anonymous Coward · · Score: 5, Interesting

      I have downloaded software in the past and many times I didn't think it was worth full asking price but really wished I could give them some money for it. Unfortunately there's no way to do that right now, it's full price or nothing, and it's even worse when the item is no longer sold because you can't even pay full price for it, you're forced to download

      Have you tried? I've purchased several applications from small-business vendors at a discount simply by sending an email saying "I like your product, but its value to me is $X instead of your price at $Y. Would you be willing to sell me a copy at $X?" You'd be surprised, it works. I think some companies recognize that a sale made at a discount is better than a sale lost entirely.

    5. Re:"does some spying and reporting on you" by Moryath · · Score: 4, Insightful

      I have another question to the anonymous developer: Have you considered NOT being an asshole about it?

      Yes, your software turned up on TPB. So has software from Microsoft, and from Adobe, and from Bethesda, and from... well pretty much every software company on the fucking planet. So your first job is to get over yourself and realize that all that has to happen is for someone to crack or strip out your copy protection once, and that's that, the DRM is meaningless and a wasted cost to you.

      Now, have you considered building up brand loyalty instead? Reward your paying customers with support, treat them well, maybe give them access to beta or updates if they want. Focus on making your software the best you can, and making your customers feel like their investment in your software is worth it.

      Now let's look at your NEXT proposal: Would it be insane to release a 'not for commercial use' copy that does some spying and reporting on you, along with a spy-free version for ~$10,000? I feel like that would reduce the incentive to crack the paid version - Yes, it would be insane. Anyone who doesn't want to be spied on is going to block the damn thing via firewall, or they'll crack the unpaid version and route all its traffic to 127.0.0.1 or /dev/null.

      Or this: Some of our potential paying customers are using it without paying - face it, if they're not paying now, you are either charging too much or they'll be just as happy with freely available alternatives that either cost less or are completely free-to-them.

      , and some non-potential customers are using it without paying. - If they're not a potential customer, why do you give a rat's ass? Again, they'll just go to some other source or use some other free (to them, whether actually free or not) program.

      Chances are, 90% of the software's functions that these people are using are duplicated already by Virtualdub (Free/Opensource) and Windows Live Movie Maker (Not open source but free to anyone with Windows). If you want to make sales, try not being an asshole, price your program appropriately, and treat your customers as customers with whom you want to build loyalty.

      Oh, and by the way: a legit copy of Adobe Premiere Elements 10, which probably does everything your software does and then some, is available for somewhere between $70 and $130 online right now. $10,000 for your suite? No fucking way it's even close to that cost.

    6. Re:"does some spying and reporting on you" by CSMoran · · Score: 2

      Wouldn't that make the other full-paying customers just say "I will only pay $X", cutting revenue significantly?

      In a perfect market where everyone knows everyone else's decisions, yes. In real life, probably no.

      --
      Every end has half a stick.
    7. Re:"does some spying and reporting on you" by Moryath · · Score: 3, Insightful

      If you can make $10,000 by selling one copy at $10,000, but you could make $20,000 by selling 100 copies at $200 each (and enough customers exist that WOULD pay that but will never fucking pay $10,000), and your current price is $10,000, most people would say you're overpriced...

    8. Re:"does some spying and reporting on you" by mhajicek · · Score: 5, Insightful

      I'd say you should have two versions of the software, like many high end developers do. One should be the "professional" full blown thing, and with the purchase price would come support, patches, and updates for a specified period, or indefinitely with maintenance. The other should be a stripped down "home" version which is either free or cheap. Don't put spyware in your software, it just sucks and makes people hate you.

    9. Re:"does some spying and reporting on you" by demonlapin · · Score: 4, Insightful

      Now you have 100 people to support, instead of one. Depending on his cost structure, that might be a losing proposition.

    10. Re:"does some spying and reporting on you" by Moryath · · Score: 3, Insightful

      Chances are, the "non-paying" customers who are "not potential customers" are people who are using the software to do something like clip videos of their 3 year old crawling around to send to the grandparents.

      A dozen free or cheap alternatives, but they were told by a "tech-savvy buddy" that "this software is really kewl."

      Note his example pricing - $10,000 a copy. Want to wonder why the potential pool of "non-paying customers" is so high, that's probably the reason. Same way that for the longest time, before their prices came down to something approximating reality, Adobe just kind of looked the other way when kids at home would get copies of Premiere or Photoshop; Adobe assumed that when/if the kids ever got into jobs where they would be doing that sort of work, they'd get the business to buy the software and convert into paying customers, and it was better (for Adobe) for the kids to be used to using pirated Adobe branded stuff rather than, say, GIMP or Paint.net and realizing that Adobe didn't need to be part of the equation.

    11. Re:"does some spying and reporting on you" by Anonymous Coward · · Score: 4, Insightful

      I'd add another one here: Don't DRM, join the BSA, and if you have evidence that one of your potential customers is pirating your software, send the BSA to audit them. (fake an employee leak if you have to.) Odds are if they're pirating your software they're pirating someone else's and as terrible as it sounds, they'd be getting what they deserve.

      While I have fewer problems with pirating at a personal level, pirating for-profit tools deserves no pity, especially if they're not hurting for cash.

    12. Re:"does some spying and reporting on you" by gestalt_n_pepper · · Score: 2, Insightful

      It must be nice on your planet. I mean, not having to make a profit and having fair minded customers.

      Here on Earth, people will steal whatever they can get their hands on if they think they need it and it's relatively easy to do without consequence. Granted, some vendors are unusually proud of their software and a charge of $10,000 for it may be far more in value than anyone gets out of the software. These folks need to re-evaluate their price point. This is tricky, however. If your market size is small, say 3000 users total, you may have to charge that much to pay development staff a decent wage and keep the lights on. That's just the economics of software. Niche market software is always more expensive and has to be. Ultimately, customers should be able to decide if your software is worth that much. If they can get it for free, of course, that process is totally short-circuited.

      What the original poster should do is move the application to the cloud where it can be run in a browser. For legacy applications, spoon.net or Application Jukebox will do this with a minimum of hassle and expense. Hosting your application in this way basically makes it unhackable and controls licensing. Then let the market decide on the price.

      --
      Please do not read this sig. Thank you.
    13. Re:"does some spying and reporting on you" by Grishnakh · · Score: 3, Insightful

      You can also embed watermarks into each sold copy of the program, different for each customer, and use that to figure out who's uploading their copy to TPB. For a small company and $10k per copy, it might be worth it to sue the customer who let the cat out of the bag.

    14. Re:"does some spying and reporting on you" by 0111+1110 · · Score: 5, Funny

      Have you ever done any video editing? You do realize that video editing is resource intensive? If you tried to run the software from a remote server it would be an absolute performance nightmare. You'd be famous for creating the slowest video editing software known to man.

      I agree, however, that remote execution is the only way to prevent your software from getting cracked. Essentially the program never leaves the company servers. Crackers can't crack what they don't have. Another "solution" is to release software that is so bad or that does something so useless that no one will bother to crack it. Or there is always security through obscurity. Don't tell anyone about the software. Keep it a secret. If people don't know about the existence of the software they can't crack it.

      --
      Quite an experience to live in fear, isn't it? That's what it is to be a slave.
    15. Re:"does some spying and reporting on you" by Lumpy · · Score: 2

      Don't even have to do that. Encode binary in the top scan line that states it's not licensed. Easy to detect automatically and would be invisible to 99% of the pirates.

      --
      Do not look at laser with remaining good eye.
    16. Re:"does some spying and reporting on you" by Runaway1956 · · Score: 2

      My hat is off to you, Moryath. Excellent reply.

      I am somewhat curious what this ten thousand dollar per seat software does that an open source software can't do. Probably nothing. Ten thousand dollars. Crap, I could use ten thousand dollars to put a computer into as many as fifty classrooms in a third world country. Ten thousand, for just one license. That is ridiculously over priced. Sounds to me like the submitter has wasted his life developing something that no one in his right mind would pay for.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    17. Re:"does some spying and reporting on you" by budgenator · · Score: 2

      For $10K you would think the answer would be to hard code the customer's Logo and info into each custom build; at least that way the company that leaked the program would be known.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
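
The per-customer marking that Grishnakh and budgenator suggest above, sketched as an added example that is not part of either comment or of any vendor's real build process. The `WMARK:` slot layout, the vendor key and the customer IDs are all hypothetical; the tag is an HMAC rather than the plain customer name so that one customer cannot stamp a copy with another customer's identity.

```python
import hashlib
import hmac

MAGIC = b"WMARK:"                        # hypothetical marker in front of the reserved slot
TAG_LEN = hashlib.sha256().digest_size   # 32-byte tag
PLACEHOLDER = MAGIC + b"\x00" * TAG_LEN  # what the unstamped release build contains


def customer_tag(vendor_key: bytes, customer_id: str) -> bytes:
    """Keyed tag: only the holder of vendor_key can compute or verify it."""
    return hmac.new(vendor_key, customer_id.encode("utf-8"), hashlib.sha256).digest()


def stamp_build(release: bytes, vendor_key: bytes, customer_id: str) -> bytes:
    """Return a copy of the release with the empty slot filled for one customer."""
    if release.count(PLACEHOLDER) != 1:
        raise ValueError("expected exactly one unstamped watermark slot")
    # Same length in and out, so offsets elsewhere in the binary are untouched.
    return release.replace(PLACEHOLDER, MAGIC + customer_tag(vendor_key, customer_id))


def extract_tag(sample: bytes):
    """Pull the tag out of a recovered copy; None if absent, truncated or blank."""
    pos = sample.find(MAGIC)
    if pos < 0:
        return None
    tag = sample[pos + len(MAGIC): pos + len(MAGIC) + TAG_LEN]
    if len(tag) != TAG_LEN or tag == b"\x00" * TAG_LEN:
        return None
    return tag


def attribute_leak(sample: bytes, vendor_key: bytes, customer_ids):
    """Map a recovered copy to the customer it was built for, or None."""
    tag = extract_tag(sample)
    if tag is None:
        return None
    for cid in customer_ids:
        # Constant-time comparison; a tag made without the key matches nobody.
        if hmac.compare_digest(tag, customer_tag(vendor_key, cid)):
            return cid
    return None


# Constructed sample data (not a real binary, key or customer list).
VENDOR_KEY = b"constructed-vendor-signing-key"
CUSTOMERS = ["acme-post", "blue-studio", "cinder-films"]
SAMPLE_RELEASE = b"\x7fELF....code...." + PLACEHOLDER + b"....more code...."

if __name__ == "__main__":
    shipped = stamp_build(SAMPLE_RELEASE, VENDOR_KEY, "blue-studio")
    print("copy found online was built for:",
          attribute_leak(shipped, VENDOR_KEY, CUSTOMERS))
```

A copy whose slot has been blanked or overwritten attributes to nobody, which is the limit of this approach that other commenters in the thread point at.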
    18. Re:"does some spying and reporting on you" by crath · · Score: 4, Insightful

      This will be the least popular (in /. terms) answer to your question; but, it's actually the best one for your business as it avoids adding DRM (or a dongle) to your software but gives you a lever to enforce compliance.

      Step 1: Join the BSA.
      Step 2: When you detect illegal use of your software, report those firms to the BSA so that the BSA can perform an audit.

      I would recommend that you ignore individual users who wouldn't normally be your customers; as, the BSA isn't going to audit them and for those users you are probably not financially out of pocket. That said, if you find that there are lots of individual rogue users, maybe that is indicating demand for a "lite" version of your application that costs 1/10th the full version and is accessible to non-commercial individuals.

    19. Re:"does some spying and reporting on you" by Moryath · · Score: 2

      If your market size is small, say 3000 users total, you may have to charge that much to pay development staff a decent wage and keep the lights on.

      If your market size is that small, finding out if they're using your software without paying is pretty damn easy without having to resort to spyware and nonsense.

      That's just the economics of software. Niche market software is always more expensive and has to be. Ultimately, customers should be able to decide if your software is worth that much. If they can get it for free, of course, that process is totally short-circuited.

      Except that we're talking about a "small video editing software company." So we're not talking about a "niche market" here; we're talking about someone who is competing with (probably) the following programs/companies to some extent or other:

      - Adobe (Premiere/Elements, Encore, After Effects)
      - Apple (Final Cut / Pro, iMovie)
      - AVS Video Editor
      - Avid
      - Corel
      - Cyberlink
      - FXhome Limited
      - Magix
      - Media 100
      - Newtek
      - Pinnacle
      - Quantel
      - Womble
      - Clesh

      On top of that, we also have Free/OSS options (leaving a few off like VLMC that I'm not certain how functional they are in alpha/beta):
      - Avisynth
      - Blender VSE
      - CineFX
      - Kdenlive
      - LiVES

      And if you really need "just the basics", Microsoft gives away Windows Live Movie Maker for free. :P

      Either we are talking about a "Niche Software" package that's targeted ONLY to professional grade movie makers who render things on server farms, or the submitter's idea of their "Market" is very different from reality.

    20. Re:"does some spying and reporting on you" by hellkyng · · Score: 2

      A lot of software does report back, but to quote op "that does some spying and reporting on you." That doesn't sound like it's going to be a legitimate implementation of some minor reporting back to the parent company. Especially given his goal of then filing a lawsuit against the violators with "big pockets". Of course firewalls should be able to identify outbound connections, but the point isn't that the implementation is weak. The point is that it's a bad idea from the start.

    21. Re:"does some spying and reporting on you" by Moryath · · Score: 2

      Yes, and these are much larger companies.

      Doesn't matter what size they are. Software from companies large and small alike shows up on TPB. Hell, software made by one guy in his garage in the 1980s that only runs on DOS 5.0 often shows up on TPB. Saying the world is doomed because "our software showed up on TPB" is silly.

    22. Re:"does some spying and reporting on you" by StikyPad · · Score: 4, Insightful

      Here on Earth, people will steal whatever they can get their hands on

      People, somewhat, businesses, generally no. The question of whether to spend $10k on a license or to defend a possible lawsuit in the future with lawyer fees, damages, and the license they should have bought in the first place isn't even a question for most businesses. All it takes is one (ex-)employee with a grudge. Sure, there are exceptions -- companies run by idiots who are penny wise and pound foolish -- but they tend not to last very long anyway.

      And $10k isn't an outrageous price for commercially used software at all. Our software is very uncomplicated and starts at about $3k, and we sell tens to hundreds of programs to individual companies. Why? Because it costs a lot more than that for someone to hire a competent developer with the technical knowledge necessary to write the software themselves. Even if they hire a developer on contract, they need someone to support it, and support can get expensive when you're not pooling your resources with other clients and getting "free" updates and bug fixes (built in to the cost of the software, really).

      What the original poster *should* do is accept that the people who aren't paying for the software are almost certainly people who never would or could, but that these people are still providing a service, because they'll eventually take their knowledge and (if it's worth pirating over, say, Sony Vegas or Adobe Whatever) love of your software to their job where they will extol its virtues, and where sales will potentially be made. The question would actually be much more difficult to answer if he were writing consumer oriented software, but he's not, so the answer is simple: ignore the piracy unless and until it's brought to his attention that a business is using it without a license, and then decide how to handle that separately. Running video editing software in a browser is particularly stupid given the bandwidth requirements, unless you're suggesting that the processing be done locally, which is also stupid because then you're creating unnecessary overhead versus a native app AND it can still be copied. There's nothing magical about running code locally just because it's running inside of a browser.

    23. Re:"does some spying and reporting on you" by bzipitidoo · · Score: 4, Interesting

      You're the ones who are lost in space. As has been repeated many, many times: copying is not stealing. Maybe it's illegal, but if so, it's a different crime, just like vandalism is a different crime. As long as so many of you have difficulty with this basic fact, we can't move on. You refuse to see copying in any other light.

      Copying is good! We all benefit from easy copying. But some of you have bought into the dream that you might create something of value yourself, and think you need copyright to protect your valuable work from exploitation. You're so afraid you might miss out on some profit you deserve, you'd strangle all creativity and ignore huge, huge savings just to prevent that possibility. Many also significantly overvalue their work, and feel that those who disagree with their valuation are just robbers, trying to lowball them. You think no one would pay if they didn't have to, that strong protections, harsh laws, and force is the only way to make it work, and that force can make it work. Yet no force can make it work. The current copyright system functions somewhat because there are lots of people who could pirate but choose not to. In other words, they didn't have to pay, but they did. They were not forced. There is another way, and it's called patronage. But you can't believe patronage could work. You believe in copyright, despite the many ways in which it is broken, but you won't give patronage a chance. You think if only we got serious and really clamped down on piracy with even harsher laws, more invasive surveillance, and harder locks, we could make copyright work. Except that can't be done. Even if all that could be put in place, it still would not stop piracy. The cloud is not a silver bullet that can fix all these problems either. There isn't anything that can. We'll all have to continue suffering with this costly, dysfunctional system.

      Here on Earth, we obey the laws of nature. You cannot reasonably regulate copying. Copy protection simply does not work. Only has to be cracked once, and protection is always cracked. Software producers have been trying copy protection schemes for more than 30 years, and not one has remained uncracked, not even for long enough to wring all the value out of initial sales.

      --
      Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
    24. Re:"does some spying and reporting on you" by Anonymus · · Score: 2

      Open source solutions don't exist for everything. In fact, even the solutions that do exist are often lacking in certain features that make them useless to many users.

      There are a lot of comments bashing the $10k price tag, but there are a lot of specialty applications that are only needed by a very small group of users. If your maximum entire market consists of maybe a thousand businesses around the world, lowering your price isn't going to do anything except put you out of business.

    25. Re:"does some spying and reporting on you" by aix+tom · · Score: 5, Insightful

      Of course, there would also be the option to sell the software with "Online User Community Support" for $100, and with "Work hour e-mail support" for $1000 and with "premium 24/365 phone support" for $10,000.

      If the act of copying the software one more time is cheap, but support expensive, then charge for what really is expensive.

    26. Re:"does some spying and reporting on you" by Rasperin · · Score: 3, Insightful

      In my defense, I'm not saying the world is doomed because his software is TPB. My point was more to the effect that these companies can take that kind of loss, a small company has a much harder time losing sales than megacorp.

      The real question is this: Are you really charging the right price if someone is going elsewhere for your software (like TPB). It's part of the reason why most companies do either a "per person" or "per CPU" or etc type pricing model to make it far more affordable for small companies (plus vendor lock in) and profitable on much larger companies.

      Keep in mind, pirating is always going to happen, even with fair prices, so back to my original post on helping slow that down even.

      --
      WTF Slashdot, why do I have to login 50 times to post?
    27. Re:"does some spying and reporting on you" by aix+tom · · Score: 5, Insightful

      EXACTLY this. I'll probably get stoned for this, but the one Software I *really* like license-wise is the Oracle Database.

      Download everything you like, use everything you like for prototyping and self education, no DRM at all, but God help you legal-wise if you are found to use it in production unlicensed somewhere. Either you will get sued into oblivion, or you will get hung out to dry if there is some problem someday and you can't get support when your business data is in jeopardy.

      The *legal* copy protection is the only model out there where the customer has less problems than the pirate. With any *technical* DRM the customer has more problems than the pirate.

    28. Re:"does some spying and reporting on you" by gestalt_n_pepper · · Score: 2

      ...Copying is not stealing.
      Doesn't have to be, but it usually is. Look kid. I've been in the software business since the 80s and seen what works and what doesn't. Allowing working copies of your software is profitable marketing if you happen to have the word "Microsoft" as your corporate name and sell mostly to businesses in the USA and/or Europe. Empirically, it just doesn't work most of the time. Sorry, I have no idealism left at all on this one. Just experience and reality. Allow your software to be freely copied and nobody will pay you for it. Feel free to query a few thousand ISVs who went broke that way. And feel free to send me examples of folks who put together small software packages that could be copied without limit and made any money. Red Hat does it by selling services and configuration and I know some individuals who make their living configuring open source, but these are few and far between and a lot of the ones I know are struggling.

      FYI, yes you can use the cloud quite effectively to reduce most piracy, though not all. You don't want to stop *all* of it. It's no more cost-effective to do that than to try and prevent two people from using the same computer or reading the same book. But you do have to minimize the ease of doing so, so that it's easier to buy than steal.

      --
      Please do not read this sig. Thank you.
    29. Re:"does some spying and reporting on you" by wierd_w · · Score: 2

      For 10k, they could splurge on a USB hardware key with a TPM inside. That's what MasterCAM does.

      Using a sufficiently aggressive UUID with a private key to decrypt part of the executable at runtime would put the kibosh on a lot of copying and cracking attempts.

  2. dongle by HBI · · Score: 2

    Why aren't you using one already?

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    1. Re:dongle by TemperedAlchemist · · Score: 3, Insightful

      I don't think he's interested in stopping the piracy by forcing hardline anti-piracy methods. For one, it is made clear that non-customers are using the product, and if they are, it's like free advertising. I could imagine a full-fledged professional version requiring a dongle, though.

      There are a number of business models that avoid piracy, like student edition software, low monthly subscription, or using stripped down "free" versions.

    2. Re:dongle by 0123456 · · Score: 2

      I don't think he's interested in stopping the piracy by forcing hardline anti-piracy methods.

      Dongles are not 'hardline anti-piracy methods'; Avid use dongles and their software is still available on pirate sites. Dongles are a way to keep honest customers honest, because they can't accidentally install the software on ten PCs when they only bought five copies.

      They're mildly annoying to legitimate buyers, but far less annoying than crappy 'activation' schemes that deactivate at random and lock you out of the software you've paid for.

    3. Re:dongle by HBI · · Score: 4, Interesting

      So just write the software so that it operates in "free user" mode until it finds a dongle. That would get him out of the business of maintaining two versions of the software and destroy most of the desire to crack the software. Besides which, if the dongle calls are interspersed across multiple libraries, it'll be too much of a pain in the butt to remove them all every time he updates the software.

      For extra points, build in the ability to remote disable the code based upon particular dongle numbers, have the software phone home with its particular dongle id, and when you see a remotely multiplying dongle spread across the world, just disable that dongle number and reissue a replacement to the legitimate owner.

      If you're going to run a software business you need to run it like a business. This isn't hardcore antipiracy. He's just making it easy for casual pirates to play with the software without broaching the reason why people will pay $10k for it.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
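
One way the vendor-side check HBI describes ("a remotely multiplying dongle") could work, as an added example that is not part of the comment or of any dongle vendor's product. The check-in line format, the dongle and host names, and the limit of two hosts per 24 hours are assumptions chosen for the illustration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed check-in format: "<ISO timestamp> dongle=<id> host=<machine id>"
LINE_RE = re.compile(r"^(\S+) dongle=(\S+) host=(\S+)$")


def parse_checkin(line: str):
    """Return (timestamp, dongle_id, host_id), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group(1))
    except ValueError:
        return None
    return ts, m.group(2), m.group(3)


def find_cloned_dongles(lines, max_hosts=2, window=timedelta(hours=24)):
    """Map dongle id -> hosts seen, for dongles active on more than
    max_hosts distinct machines inside any single time window."""
    by_dongle = defaultdict(list)
    for line in lines:
        rec = parse_checkin(line)
        if rec:
            ts, dongle, host = rec
            by_dongle[dongle].append((ts, host))

    flagged = {}
    for dongle, events in by_dongle.items():
        events.sort()
        recent = deque()   # check-ins still inside the sliding window
        hosts = Counter()  # distinct hosts among those check-ins
        for ts, host in events:
            recent.append((ts, host))
            hosts[host] += 1
            while ts - recent[0][0] > window:
                _, old = recent.popleft()
                hosts[old] -= 1
                if hosts[old] == 0:
                    del hosts[old]
            if len(hosts) > max_hosts:
                flagged[dongle] = sorted(hosts)
                break
    return flagged


# Constructed check-in log (not real data).
SAMPLE_LOG = [
    # One editor moving a dongle between workstation and laptop: allowed.
    "2014-01-10T09:00:00 dongle=D-1001 host=ws-edit-01",
    "2014-01-10T19:00:00 dongle=D-1001 host=laptop-01",
    "2014-01-11T09:00:00 dongle=D-1001 host=ws-edit-01",
    # Same dongle id on four machines within hours: emulated or cloned.
    "2014-01-10T08:00:00 dongle=D-2002 host=h-a",
    "2014-01-10T08:30:00 dongle=D-2002 host=h-b",
    "2014-01-10T11:00:00 dongle=D-2002 host=h-c",
    "2014-01-10T12:00:00 dongle=D-2002 host=h-d",
    # Three machines, but weeks apart (hardware replaced): not flagged.
    "2014-01-01T10:00:00 dongle=D-3003 host=m-1",
    "2014-01-08T10:00:00 dongle=D-3003 host=m-2",
    "2014-01-15T10:00:00 dongle=D-3003 host=m-3",
    "corrupted line with no fields",
]

if __name__ == "__main__":
    for dongle, hosts in find_cloned_dongles(SAMPLE_LOG).items():
        print(f"revoke {dongle}: seen on {hosts} within 24h")
```

The window and host limit decide how often a legitimate owner who swaps machines gets flagged, so they belong in the license terms as well as in the code.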
    4. Re:dongle by Short+Circuit · · Score: 4, Insightful

      No better than DRM. As far as I know, it all comes down to one of two types of setups:

      1. "Is this authorized? Then do stuff" However sophisticated the rest of the setup, all a cracker needs to do is identify this if conditional and patch it. In this type of system, the rest is just obfuscation of where that clause is, and how it works.
      2. "Decrypt necessary code or data, then execute." At some point, the encrypted material will be in the clear, at which point it can be snagged. Binary gets patched to use the snagged, unencrypted form rather than need to use the encrypted form.

      Now, I'm not an expert; I just develop software. I haven't tried to crack others' protection.

    5. Re:dongle by dintech · · Score: 3, Interesting

      Yeah, as far as I know, iLok 2 hasn't been cracked yet. I have only heard of it being used for music software but I can't think of a reason why it couldn't be used for other varieties. No idea how much it costs though.

      Can I suggest a counter argument though? It was piracy and ease of acquisition that made things like Windows and Photoshop popular.

    6. Re:dongle by Jerom · · Score: 4, Interesting

      I have seen setups where the dongle contains a processor and code (quite a library actually) - the software then calls this dongle to perform certain critical calculations. Quite hard to hack if the algorithm is unknown...

    7. Re:dongle by Anonymous Coward · · Score: 2, Interesting

      Do you have locks on your doors? Why? Anyone can break a window and get into your house or car. And yet, we all have locks on our houses and cars. And yet, when it comes to DRM, the computer geeks (of which I am one) love to decry any technique with the argument that the protection could, in theory, be circumvented.

      The point is, nothing is 100%. The game is to make it sufficiently difficult that the number of people who have the skill and time and interest to crack the protection is small (for a suitable definition of small). Then people will have the choice of either a) lots of effort to steal code which will become obsolete or b) pay for it.

      In terms of the actual technologies, there are lots of third party libraries out there to do this. And no, they are not, in general, trivial to defeat. No DRM library worth its salt has a single 'if' condition to check for a proper license. The logic gets woven into the executable in multiple places in multiple ways.

      In terms of encryption, most packages that do this only keep a small portion of the code decrypted at any given time, with complicated logic to dynamically find and decrypt other blocks of code as needed. There is an obvious performance penalty for doing so, but for many applications the penalty (at least on modern computers) is acceptable. Could you try to grab all the decrypted code segments from memory? Sure. Could you then try to piece them all back together in the right order? Sure. Could you then reverse engineer the executable image (with suitable reloc and library linkage info)? Sure. Could anyone do it? No way. Is it something that one does in an afternoon? Certainly not. The level of effort to crack this sort of scheme is actually quite high, and at the end of the day you end up with one version of the product which one will have no support options for, and which will rapidly become obsolete.

      Then you can go the dongle route. I've seen dongles that actually execute the encrypted code inside the dongle - meaning you never get a chance to see the decrypted code. Short of cracking open the dongle, these are very effective. There is the burden of shipping dongles and the tracking/management of the dongles, but for a high end package (which $10K would qualify as) the trade off seems acceptable.

    8. Re:dongle by Short+Circuit · · Score: 2

      And most of those 35k checks are going to use the same idiom, right? Or did you figure out how to make each one sufficiently unique that scanning the assembler code for a fingerprint wouldn't find it?

      Did you call a function which performs the check? Patch the function. Did the compiler inline it? Find a few copies of the check, find the common sequence of instructions (or, if you're really clever, the semantic behavior of the instructions, so you don't get twigged by compiler optimizations), and scan the code for that. You look into what a lot of those academic analyzer tools are capable of by this point. Or what ideas you might give to an undergrad looking to make his mark.

      As I said, I'm not an expert. These are just the obvious workarounds that come to mind.

    9. Re:dongle by cforciea · · Score: 4, Insightful

      My guess is that's security through obscurity at work. That key hasn't been cracked because there hasn't been enough reason for anybody to bother cracking it. It's possible that $10k/copy software locked behind it would get people interested enough.

      The problem is that you're running up against the software version of the analog hole. Before you feed it into the processor pipe, your application has to be in the standard machine code format that your processor is going to understand. You can dedicate some small portion of your codebase to refusing to work under certain circumstances, and you can make the binary inaccessible until right before it gets executed, but if the entire working application is on a cracker's computer, he's pretty well guaranteed a way to beat it. That leaves always-on style DRM schemes that constantly phone home to continue working, but if I buy $10,000 a seat software and I can't use it because one of your servers goes down, you can be pretty sure I'm not going to be very happy with you.

      You also have to remember that hard to break DRM isn't a deterrent to your average pirate unless it is so hard that nobody does it. So what if it takes Sven The Reverse Engineering Scandinavian 30 hours of Monster and amphetamine-fueled thrashing about to circumvent your USB key DRM scheme? That will just make him even more of a hero when he posts the cracked copy of your software to The Pirate Bay for everybody to install. And at that point, the pirated version of your software is now easier to use as a consumer than the commercially released version; you are trying to sell an inferior product.

    10. Re:dongle by Short+Circuit · · Score: 4, Insightful

      The point is, nothing is 100%. The game is to make it sufficiently difficult that the number of people who have the skill and time and interest to crack the protection is small (for a suitable definition of small). Then people will have the choice of either a) lots of effort to steal code which will become obsolete or b) pay for it.

      Did you see me arguing that anything was 100%?

      Could anyone do it? No way

      It only takes the one, who turns around and uploads it.

      Is it something that one does in an afternoon? Certainly not. The level of effort to crack this sort of scheme is actually quite high

      Sure. But most people I know who've ever done this kind of thing do it for personal entertainment and challenge.

      at the end of the day you end up with one version of the product which one will have no support options for, and which will rapidly become obsolete.

      Yup. I've taken support calls from people whose serial number matched that of a cracked version of one of our products which floats around being sold by a scam artist. You know what we do? We solve their problem, and then offer to sell them a legit copy at a discount. Having just gotten out of a time-sensitive jam, they're always quite happy to get things straightened out properly. I'd much rather distribute the software for free, and then go the support route. That'd clear off that scam artist, too.

    11. Re:dongle by Surt · · Score: 2

      The modern version of this technique is to remote the computation over tcp/http to a server you control. Then only allow licensed ip addresses to run.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    12. Re:dongle by 0111+1110 · · Score: 3, Interesting

      But crackers are able to figure out unknown algorithms when they create key generators. Why would this be any different? In one case a unique key of some kind is created by a CPU attached to your USB port. In another it is created by a secret software program that only the developer or publisher has. Either way the cracker is left guessing what the algorithm is. Anyway, all of this ignores the possibility that the cracker could just remove the dongle checks entirely from the binary.

      --
      Quite an experience to live in fear, isn't it? That's what it is to be a slave.
    13. Re:dongle by 0111+1110 · · Score: 2

      That's an interesting idea, but what if one of your customers copies that code from the dongle and uploads it to the intertubes where cracker groups can just insert it back where it belongs. It might also slow down the program. For a word processor that might not be noticeable, but for something like video editing it probably would slow it down noticeably. Then you'd have the usual situation of even paying customers feeling pressure to download the noticeably faster version from TPB.

      --
      Quite an experience to live in fear, isn't it? That's what it is to be a slave.
    14. Re:dongle by flimflammer · · Score: 2

      Well, you wouldn't need to store the video processing code on the dongle. You would want to tailor whatever dongle-housed code to be something not inconsequential but not computationally heavy. Something it could contribute while still being completely necessary.

      As for uploading the dongle contents to the internet -- that's always a possibility if the user has a means to even do it. I mean it's not like the dongle would be an ordinary USB thumb drive. But you could always watermark the binary in the dongle and use that to get an idea who leaked, and report them to the BSA or something.

      Nothing is perfect as we're all aware. It will always be a race, but that doesn't mean it shouldn't be done.

  3. Two words: by kheldan · · Score: 4, Insightful

    Hardware dongle.
    If your software is really worth that much, then I think it's justified.

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    1. Re:Two words: by vinehair · · Score: 4, Insightful

      And if you use it, USE IT PROPERLY, bake in the encryption into your software so it becomes fiendishly difficult to crack (it will never be impossible.)

      Guilt-ware doesn't work (WinZip, mIRC, anyone?) and I would ask a lawyer before attempting any kind of data collection.

    2. Re:Two words: by vlm · · Score: 2

      And if you use it, USE IT PROPERLY, bake in the encryption into your software so it becomes fiendishly difficult to crack (it will never be impossible.)

      You must be new to the internets. The crack will be up on pirate bay (etc etc) by the end of the week. Why waste the time and money on something guaranteed not to work?

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    3. Re:Two words: by MisterMidi · · Score: 4, Interesting

      How about moving the code to save your work to the dongle? Encrypted, of course. People will be able to toy around, but to actually do something useful they'd need the dongle. You could even give away the software for free and sell the dongle. It will work as long as the encryption doesn't get cracked.

    4. Re:Two words: by fermion · · Score: 5, Interesting

      I use Autodesk software. I note that it does not use a dongle. I see other software does use a dongle, and see that there are issues with OS updates. I am not sure how widespread the problem is but my preference as a consumer is not to be inconvenienced by the software I pay for.

      A model I can live with is one in which a big watermark is placed over all print, and a pop up is presented occasionally to make the user aware that the copy is not licensed and how to get a license.

      Years ago, before the internet was used for verification, I used software in which each copy appeared to be personalized. The company details could not be changed by the end user. Therefore the software could be loaded onto any machine, but it was not practical for another firm to use the software because all prints and interactions would list the original firm's information.

      Just some ideas that might not cause the user to hate the software while still providing some incentive to pay for a product that presumably generates profit for a firm.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    5. Re:Two words: by Anonymous Coward · · Score: 5, Funny

      And if you use it, USE IT PROPERLY, bake in the encryption into your software so it becomes fiendishly difficult to crack (it will never be impossible.)

      You must be new to the internets. The crack will be up on pirate bay (etc etc) by the end of the week. Why waste the time and money on something guaranteed not to work?

      Ah HA! What if they go with a hardware dongle and they ship said dongles using a method that takes longer than a week to get there?

      Ha! See that? You little internet punks think you're soooooo clever, don't you?

    6. Re:Two words: by rmstar · · Score: 3, Interesting

      And if you use it, USE IT PROPERLY, bake in the encryption into your software so it becomes fiendishly difficult to crack (it will never be impossible.)

      Better yet, bake some important core logic into the USB stick. This way, even if the encryption is discovered, the contents of the USB stick remain relevant.

      Sure, given enough resources, someone will hack around that too, but it will be harder.

    7. Re:Two words: by CompMD · · Score: 4, Informative

      I agree. At $OLD_DAYJOB, we sold software for about the same price per perpetual floating license. Early versions of our software used password protection which was easily circumvented, then a software key based system (quickly cracked) and you could find those versions of our software all over TPB. After a major overhaul to the software, we incorporated WIBU key dongles and peppered our code with various kinds of dongle interactions. There were literally thousands of license checks. There was also encrypted data stored in the key itself that instructed the program how to run. In three years of working there, I never ran across a single instance of our new software being successfully cracked. We were very happy with this, especially considering we sold the full version (at huge discount) to students, and had several commercial and academic customers in China.

      The only problems I ever had with piracy of our software included a guy who had the old version who came onto our forums asking for help, apparently not realizing we knew who every one of our customers were. We also had some students at a Canadian university install pirated software on lab computers. The installations phoned home to say "I've been installed!" (there was nothing nefarious, it was designed to do this as part of the registration process) and we noticed that the school wasn't licensed for that version. Their IT department was very helpful in tracking down those responsible.

      Good luck.

    8. Re:Two words: by tibit · · Score: 2

      The encryption won't get cracked, that'd be quite silly methinks. Whatever key is used on the application side will get replaced with a different one, and then you can encrypt whatever you want and send it to the application. Then you use a filter driver that pretends to be the USB device, and that's it. Of course the saving code would need to be captured, but all you need for that is one working system: capture it from the memory (say a VM snapshot), roll into the hack, end of story. The only thing is: how much work would it take, and if there's anyone out there who'd wish to implement it. Popularity is a losing proposition here: the more popular your software, the more likely it'd be to find an able and willing hacker. You can almost be sure that eventually one crucial order from somewhere in Asia will come, and the software/dongle combo will be used solely for reverse engineering.

      --
      A successful API design takes a mixture of software design and pedagogy.
    9. Re:Two words: by OneMadMuppet · · Score: 3, Interesting

      It doesn't have to encrypt the saved files, just the save/export function.

    10. Re:Two words: by MisterMidi · · Score: 2

      You don't lose your work or your backups, you just won't be able to save new work. And I'm sure that for 10k, the company will gladly send you a replacement if you lose or break it and you can prove you own the software.

    11. Re:Two words: by pixelpusher220 · · Score: 2

      Plus you'll annoy customers who'll inevitably lose/break dongles.

      Either you build in a workaround that users with broken dongles can use until they get a new one shipped or they are SOL.

      Option 1 - you've defeated the purpose of the dongle

      Option 2 - Customer gets so pissed off they find a different product that just works.

      --
      People in cars cause accidents....accidents in cars cause people :-D
    12. Re:Two words: by robthebloke · · Score: 2

      The crack will be up on pirate bay (etc etc) by the end of the week.

      I was crunching on an all-nighter once, just putting the finishing touches to a product prior to its version 2.0 release. Whilst building the installer, I thought I'd browse the web to see if the first version had been cracked yet. Rather interestingly, I came across a download link for version 2.0 of the software, as well as a number of torrents for it. Most of those were only available if you bought some premium rate download service membership or some crap like that. I think that a small fee for a download service is a damned good deal if you ask me. Announce a release date, download the installer from bit torrent, and then ship it! Everyone's happy! :)

    13. Re:Two words: by jandrese · · Score: 2

      You only need one customer cracking the software, dumping the decrypted form to disk, and uploading to the Pirate Bay. Now you have a massively complicated and expensive DRM system that only punishes people who actually paid for your product.

      --
      I read the internet for the articles.
    14. Re:Two words: by robthebloke · · Score: 2

      I use autodesk software. It does not use a dongle, but it does have a rather draconian license server. Once upon a time, they had learning editions with watermarks, and now they just have 30 day trials. Trust me, a dongle is far less hassle than autodesk's license server & license keys.... especially if you need to get a range of their software served from the same machine.

    15. Re:Two words: by cdrguru · · Score: 2

      There are simple dongles that do nothing more than identify themselves and the software checks for the presence. Those are easy to get around.

      There are others that decrypt for an incredibly short period of time blocks of code in the program itself. Immediately upon exiting from that block of code it is re-encrypted. All of the encryption and decryption is done by code running in a processor on the dongle itself. If you don't start with a copy of the program with a dongle it is pretty much hopeless. As most dongle cracking is done by people that never had a legit copy of the software to start with, this is very secure. Unless your customers want to destroy the publisher's business - that means you have other problems.

      Such dongles are somewhat pricey and can cost as much as $100 each in small quantities. Combined with the effort to integrate the code into the product this can be a substantial commitment but for a product that is worth over $1000 to a customer it may be worth it. Remember, in most cases the customer will choose the cheapest option available and when piracy is viable, it is certainly the cheaper option. Morals, ethics and law have very little to do with it. There are no "piracy inspectors" that stop by to see if your papers are in order which means pretty much anything goes.

      As far as customer relations are concerned, of course it is important to have customers that want to be your customer. However, if you do this with software that needs continual support and hand-holding you are failing. If customers can choose "no support" because they don't need it this is clearly a preferred model for both the customer and the publisher. If they are calling or emailing every week for some new issue it may be wonderful because they are paying for support but awful because they will come to hate the fact that level of support is needed.

      Software piracy is all about destroying the revenue model for software completely. It is supposed to bring us one step closer to the mythical Star Trek universe where money is obsolete. The thinking goes that if we can make money obsolete for software this week maybe we can make it obsolete for groceries next week. Talk to some committed people in the pirate community and you will see. Then try to explain to your employees they aren't getting paid this week because the last 10 customers decided not to pay.

    16. Re:Two words: by CompMD · · Score: 2

      We said very clearly in the installer that when installation was complete, the user would be taken to a registration page. Registration included name, organization, address, email, and software serial number. Upon successful registration, you were sent your unlock key (based on the serial number).

      The registration page was hosted on our own web servers, so we knew when software was installed (and the IP of the machine it was on) based on when a registration page was loaded. No other data was transmitted, ever.

      We only started tracking this information after the old EOL'd software that used unlock codes was no longer sold or supported. Therefore, every time the old registration page was loaded, it was a pirated copy that was being installed. All legitimate users got upgraded as part of their included maintenance.
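
The detection described in the comment above (any load of the retired registration page after end-of-life marks an unlicensed install), as an added Python example that is not CompMD's or the vendor's code. The page path, the end-of-life date and the log lines are constructed for illustration.

```python
"""Flag page loads of a retired registration URL in a web access log."""
import re
from collections import defaultdict
from datetime import datetime, timezone

LEGACY_PATH = "/register/v1"                              # hypothetical path
LEGACY_EOL = datetime(2012, 1, 1, tzinfo=timezone.utc)    # constructed date

# Common/combined log format: ip ident user [time] "METHOD target proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample input (documentation address ranges only).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Nov/2011:09:12:01 +0000] "GET /register/v1 HTTP/1.1" 200 5120
198.51.100.23 - - [03/Feb/2012:18:40:55 +0000] "GET /register/v1?lang=en HTTP/1.1" 200 5120
198.51.100.23 - - [03/Feb/2012:18:41:10 +0000] "POST /register/v1 HTTP/1.1" 200 312
192.0.2.44 - - [04/Feb/2012:02:05:31 +0000] "GET /register/v2 HTTP/1.1" 200 6200
203.0.113.99 - - [31/Dec/2011:20:30:00 -0500] "GET /register/v1 HTTP/1.1" 200 5120
192.0.2.90 - - [05/Feb/2012:11:00:00 +0000] "GET /register/v1 HTTP/1.1" 200 5120
garbage line that does not parse
"""


def legacy_page_loads(log_text):
    """Return ({ip: [timestamps]}, unparsed_line_count).

    Only successful GETs of the legacy page on or after the EOL date count:
    before EOL the page was still served to licensed installs, and a POST is
    a form submission rather than a fresh page load.
    """
    hits = defaultdict(list)
    unparsed = 0
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            unparsed += 1          # keep a count so silent parse gaps are visible
            continue
        # %z keeps the logged UTC offset, so the comparison below is in absolute
        # time even when the server logs in local time.
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["target"].split("?", 1)[0]   # ignore any query string
        if (m["method"] == "GET" and m["status"] == "200"
                and path == LEGACY_PATH and when >= LEGACY_EOL):
            hits[m["ip"]].append(when)
    return dict(hits), unparsed


if __name__ == "__main__":
    flagged, skipped = legacy_page_loads(SAMPLE_LOG)
    for ip, times in sorted(flagged.items()):
        print(ip, [t.isoformat() for t in times])
    print("unparsed lines:", skipped)
```

A source address identifies a network, not a person, which is why the follow-up in the story above went through the university's IT department.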

  4. Simple by Mashiki · · Score: 5, Insightful

    Well provide the paid version like you do now, and provide a stripped down version that has some really neat features that the pirates who would really want your software would use. There's no form of DRM that will stop anyone from taking it, none. Auth servers? Crackable. Dongles, about 8mins with a soldering iron. Token keys, same deal, just longer. Rings, yep. And every bit of DRM that you use, will more than likely piss off your paying customer when it breaks the software.

    Unique serials do work, especially if they're uniquely identified to who you're selling it to. Then you can at least go after them for copy infringement.

    --
    Om, nomnomnom...
  5. Don't waste money. by headkase · · Score: 4, Informative

    No matter how much DRM you put on it it will always be removed. The best thing to do is concentrate on adding value for paying customers. Do an on-launch check against the serial number over the Internet. If no Internet is available up to X number of times then launch without it. This is similar to what DOOM 3 by id Software does. If the same serial number is showing up too often then ban it. Basically: you're a niche - put a little DRM on it, enough so that a normal user wouldn't notice it at all ideally but at the same time that just enough that it would need to be cracked for every version for illegitimate users.

    --
    Shh.
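
The scheme in the comment above (check the serial at launch, tolerate a limited number of offline launches, ban serials that show up too often), as an added Python example that is neither headkase's nor id Software's code. The class names, both thresholds, and the reading of "too often" as "too many distinct machines" are assumptions.

```python
"""Launch-time serial check with an offline allowance and server-side bans."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

MAX_OFFLINE_LAUNCHES = 5      # the comment's "X"; value assumed
MAX_MACHINES_PER_SERIAL = 3   # assumed meaning of "showing up too often"


class LicenseServer:
    """Server side: remembers which machines presented each serial."""

    def __init__(self, issued_serials):
        self.issued: Set[str] = set(issued_serials)
        self.machines: Dict[str, Set[str]] = {}
        self.banned: Set[str] = set()

    def check(self, serial: str, machine_id: str) -> str:
        if serial not in self.issued:
            return "unknown"
        if serial in self.banned:
            return "banned"
        seen = self.machines.setdefault(serial, set())
        seen.add(machine_id)
        if len(seen) > MAX_MACHINES_PER_SERIAL:
            # One serial on too many machines: treat it as leaked.
            self.banned.add(serial)
            return "banned"
        return "ok"


@dataclass
class LaunchGate:
    """Client side: decides whether this launch may proceed.

    offline_launches would be persisted between runs in a real client. It
    lives on the user's machine, so it only limits casual copying.
    """
    serial: str
    machine_id: str
    offline_launches: int = 0

    def launch(self, ask_server: Optional[Callable[[str, str], str]]) -> bool:
        verdict = None
        if ask_server is not None:
            try:
                verdict = ask_server(self.serial, self.machine_id)
            except OSError:          # includes ConnectionError and timeouts
                verdict = None
        if verdict is None:
            # No answer: allow the launch, but only a bounded number of times
            # in a row, so paying users are not locked out by an outage.
            self.offline_launches += 1
            return self.offline_launches <= MAX_OFFLINE_LAUNCHES
        if verdict == "ok":
            self.offline_launches = 0
            return True
        return False                 # "banned" or "unknown"


if __name__ == "__main__":
    server = LicenseServer({"SN-CONSTRUCTED-0001"})
    gate = LaunchGate("SN-CONSTRUCTED-0001", "machine-A")
    print("online launch:", gate.launch(server.check))
    print("offline launches:", [gate.launch(None) for _ in range(6)])
```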
    1. Re:Don't waste money. by samjam · · Score: 4, Insightful

      NO! I've paid for software that does these stupid online serial number checks; and I wish I'd pirated the software instead.

      Big fail there, to make a paying customer WISH he had a pirated version.

  6. Too late by Zerth · · Score: 4, Interesting

    you should have posted the spyware one to thepiratebay yourselves before it got cracked. Then nobody would've bothered to crack your commercial version, assuming it is indistinguishable feature-wise.

    1. Re:Too late by vlm · · Score: 2

      Being video editing software the real solution is video edited by an unauthorized unlicensed copy automatically uploads the edited video file to pirate bay.
      That would scare the crap out of genuine commercial users, yet the future customers who are just experimenting or people who are experimenting and will never be customers simply won't care.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    2. Re:Too late by Jeremi · · Score: 2

      Even just posting a couple random stills converted to .jpg onto 4chan would freak out the commercial customers into paying up.

      Actually, I'm pretty sure it would freak out the paying customers into switching to the competition's product ASAP.

      Intellectual property is what pays the legitimate customers' paychecks. Keeping it off of pirate sites until it reaches the intended (revenue-producing) venues is job one. When they hear that their video editor has code in it to automatically upload their work product to a pirate site, they will drop that program so quick it will dent the floor. The fact that the shenanigans are only "supposed to" happen to "pirates" won't matter -- all it takes is one user (legitimate or not) complaining about this on a support forum, and nobody would ever trust the software (or the company) again.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
  7. non-commercial commercial by symes · · Score: 5, Insightful

    Not for commercial use option would allow people to upskill using your product. Some of these guys may end up in the industry you sell to and in taking their skills into that industry raise your product's profile. I would think that this is the easiest way to become the de facto supplier of niche software. However, spying on these people might turn them away from you.

    1. Re:non-commercial commercial by 0100010001010011 · · Score: 4, Interesting

      Some of our potential paying customers are using it without paying

      Exactly, how can you prove that potential paying customers are using it? I work at a rather large company and stuff is locked down. You're not going to be installing pirated versions of anything.

      One example is Matlab. I pirate Matlab, I don't feel bad about it. I use it for random home projects (Especially since Simulink works with Arduino). I'm not a potential paying customer. I'd never be able to afford a seat. But I can put that on my resume and sell myself to a company. My COMPANY then buys it. That is your customer. I've even talked the powers that be to buy some additional licenses to toolkits that I taught myself to use on the pirated version. I know they have a 30 day trial but you never know when you're going to need that toolbox to experiment with.

    2. Re:non-commercial commercial by AmeerCB · · Score: 3, Interesting

      I don't know why every company who sells serious development/production software doesn't give away "developer versions" of their software which can legally be used for home-use only. No one is going to pay a boatload for software that isn't going to make them money and any serious business whose employees use the software will be willing to pay for a legitimate license. *cough*adobe*cough*

    3. Re:non-commercial commercial by zootie · · Score: 2

      Complex applications require that people know how to use them, and it takes time and investment for people to get trained. A growing expert user base is the best advertising that you can get. Having your SW out there, in the hands of students and young people trying to figure out how to use it helps it remain relevant as they go to work for companies that end up purchasing the SW.

      IMO, more than open source and the Internet and hosting (paradigm shift), this is what is actually killing off Microsoft. It used to frown on piracy, and fight it mostly to scare up business that could afford to pay, but more or less allowed it for the general population, since it ensured that new users would have an easier time finding its SW, and that would encourage them to remain on the Windows platform. With XP and its activation scheme, MS didn't stop piracy (ie, determined users that aren't going to pay you anyway will either break it, or use alternatives), but made it harder for new users (students and home users) to get into its products, and with the rise of alternatives, and the Vista fiasco, it is relegating itself to oblivion ("the harder you hold on, the more you lose").

      There is also the logic that these companies see new users as a source of revenue, not only as licenses, but as requiring training. So instead of giving away their SW to people that would self-train, they expect them to pay to get trained. With companies not wanting to send employees for training, and with motivated individuals unable to pay for it themselves, this IMO is a losing strategy (it generates short term revenue if your product is an industry standard that must be learned, but you lose out on dedicated people, and your user base tends to erode and eventually your product becomes irrelevant).

  8. $10K video editing? by StuartHankins · · Score: 3, Interesting

    I thought all the $10K video editing programs had gone away except a couple of holdovers from yesteryear. Use a hardware dongle and piss people off like Autodesk did. Or use an online authentication scheme that will piss off other users. Hell, for $10K, fly a lackey there to install it personally.

    My point is, if someone wants to crack it, they will. The high price tag makes it more attractive.

  9. Some thoughts by Anonymous Coward · · Score: 2, Insightful

    Release the software as free, open-source software. Then, use the community goodwill and appreciation to feed your family and pay rent.

    Alternatively, identify the client who released the software into the wild and sue them for breach of contract.

    Lastly, make your software so awesome that one of the big players can buy you out before the well runs dry.

    Oh, and brace for the commenters calling shenanigans. People who pirate software don't like the thought that there may be actual, real-life negative consequences for small development houses.

    1. Re:Some thoughts by Anonymous Coward · · Score: 2, Insightful

      Well for 10K software there aren't many negative real-life consequences for small development houses. That kind of price tag (an insane one) is clearly aimed at large production companies, and most of those will pay for it because they do not want to get in trouble. The 50000 downloads you might see on TPB are most likely amateur and prosumer users that never ever could afford that price, which means you now have thousands of people using and talking about the product (free advertising) while your income loss due to piracy is close to 0%.

      The best thing to do in this case is to release a cheap ($100) consumer version with a license that permits non-commercial use. The market for $10K video editing software is abysmal at best. That kind of software will never be profitable unless it's through support contracts.

  10. Pirated goods by Gideon+Wells · · Score: 2

    If I knew the commercial free version did any sort of spying I would not trust the company whatsoever. There is a reason I am boycotting Sony.

    --
    by Anonymous Coward: I, for one, welcome the shift from car analogies to pizza analogies. um.. overlords?
  11. Nickel and Dime by L4t3r4lu5 · · Score: 2

    Is there potential for offering a basic product for a nominal amount, and selling modules which improve functionality to those willing to pay?

    I certainly wouldn't pay the many thousands of dollars for Photoshop, but I might pay the hundred or so for the functionality I actually needed. Bolt-ons seem to make sense when appealing to many different markets.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
    1. Re:Nickel and Dime by L4t3r4lu5 · · Score: 2

      As I said in a different post on a different subject, it depends on the price. I've used pirated software before I earned my own money, but now I have a modest expendable income I can afford to pay for convenience. If I want to use one feature of this product and my options are $10,000 or piracy, then I'm kind of limited to the latter. If my options are $10,000, piracy (and the risks that entails) or $150 for product + $50 bolt-on functionality, then it looks a lot more likely that I will buy it.

      It's not about DRM restriction, it's about convenience and value. I know I can pirate any new game within days of release, but I still buy them on Steam / D2D / GOG etc because it's convenient and good value for money. DRM doesn't come into it.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
  12. Do as you like by Stumbles · · Score: 2, Insightful

    Your flaw is to assume those "pirating" your software are "potential customers". They are not.

    --
    My karma is not a Chameleon.
    1. Re:Do as you like by L4t3r4lu5 · · Score: 5, Insightful

      Your flaw is to assume those "pirating" your software are "potential customers". They are not.

      That's an incomplete assumption. Some of those who "pirate" the software are potential customers who won't pay $10,000 for the full product in order to use the two or three tools they actually want. These would maybe pay $50 for a basic version (home user), $200 for extended (mom and pop video editing, semi pro) etc. They may also be interested in paying only for certain features as modules instead of certain package types.

      Making paying customers out of pirates is about offering a better service. If I can pay for what I want and have it conveniently offered to me, I more than likely will. I won't, however, pay $X,000 for a funky filter effect as (was?) is the way with Photoshop. Then again, Adobe have already said that those using unlicensed copies of Photoshop just lead to companies using PS as the standard because everyone was familiar with it. Guess that could work too.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
  13. Once a program becomes good enough by tepples · · Score: 3, Insightful

    How would this work for a product that's so reliable and so easy for most end users to figure out that it doesn't need a lot of support/services/consulting?

  14. Non-Commercial Free Version by nahdude812 · · Score: 4, Insightful

    My recommendation would be to provide a not-for-commercial-use free version which is almost totally identical to the premium version. Have this version embed a digital watermark so you can identify if videos pop up commercially which haven't paid for a commercial license. Make it non-obtrusive so home users don't mind (I recommend it not being a visible logo or anything of that sort, just the digital watermark).

    You're not going to be able to prevent a pirated version from cropping up except that you make the pirated version not attractive compared to the legitimate version. Those inclined to not pay for the software are not going to pay for the software. Provide it for free with the forensic ability to detect license violations. The paid version places no watermark, so you get the best quality and the legal right to use videos commercially after it's paid for.

    1. Re:Non-Commercial Free Version by nahdude812 · · Score: 3, Informative

      Digital watermarks survive re-encoding unless the re-encoding is very aggressive (at a substantial quality loss). You can use different strength watermarks which survive greater amounts of distortion. It's not impossible to remove them, but it can be challenging without really impacting image quality.

      Also, couldn't pirates remove the "digital watermark" functionality from the executable file? (Theoretically?)

      Yes, of course. That's why it's important to make the watermark not very intrusive (why I recommended not including a logo overlay). If the watermark just looks like film grain or ISO noise, most free uses of the software won't mind - maybe won't even notice - and so won't be compelled to find a pirated version. The commercial users who'd be inclined to find a pirated version because of the watermarking would have been inclined to pirate it either way; you'll never get a license fee out of them except through litigation. At least the watermark makes it likely they either don't notice they're leaving behind digital fingerprints, or don't care.
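
The robustness trade-off discussed in this sub-thread, as an added example that is not part of any comment and not any product's actual scheme: a minimal additive spread-spectrum watermark, in which a keyed ±1 pattern is added at low amplitude and later detected by correlation. The frame, key, strengths and the blur/noise/quantization stand-in for re-encoding are all constructed assumptions.

```python
import math
import random

WIDTH, HEIGHT = 256, 256      # constructed frame size
Z_THRESHOLD = 6.0             # detection threshold, in noise-floor standard deviations
VENDOR_KEY = 0xC0FFEE         # constructed watermark key, known only to the vendor


def constructed_frame(seed=1):
    """Synthetic luma plane: horizontal gradient plus light texture."""
    rng = random.Random(seed)
    return [64 + (x * 96) // WIDTH + rng.randint(0, 15)
            for _ in range(HEIGHT) for x in range(WIDTH)]


def pattern(key, n):
    """Keyed pseudo-random +1/-1 sequence, one value per pixel."""
    rng = random.Random(key)
    return [1 if rng.getrandbits(1) else -1 for _ in range(n)]


def embed(frame, key, strength):
    """Add the keyed pattern at the given amplitude (in luma levels)."""
    return [px + strength * s for px, s in zip(frame, pattern(key, len(frame)))]


def reencode(frame, blur_taps, noise_sigma, step, seed=7):
    """Stand-in for lossy re-encoding: box blur, additive noise, quantization.
    The frame is treated as one long scanline to keep the blur short."""
    n, half = len(frame), blur_taps // 2
    prefix = [0.0]
    for px in frame:
        prefix.append(prefix[-1] + px)
    rng = random.Random(seed)
    out = []
    for i in range(n):
        lo, hi = max(0, i - half), min(n, i + half + 1)
        value = (prefix[hi] - prefix[lo]) / (hi - lo) + rng.gauss(0, noise_sigma)
        out.append(min(255, max(0, round(value / step) * step)))
    return out


def z_score(frame, key):
    """Correlation with the keyed pattern, in units of the host-noise floor.
    Without the mark (or with the wrong key) this is roughly N(0, 1)."""
    n = len(frame)
    mean = sum(frame) / n
    var = sum((px - mean) ** 2 for px in frame) / n
    corr = sum((px - mean) * s for px, s in zip(frame, pattern(key, n)))
    return corr / math.sqrt(var * n)


def is_marked(frame, key):
    return z_score(frame, key) > Z_THRESHOLD


def run_demo():
    host = constructed_frame()
    weak = embed(host, VENDOR_KEY, 1.5)     # faint grain
    strong = embed(host, VENDOR_KEY, 20)    # clearly visible grain
    mild = dict(blur_taps=1, noise_sigma=2, step=4)
    harsh = dict(blur_taps=13, noise_sigma=2, step=4)
    return {
        "unmarked": is_marked(reencode(host, **mild), VENDOR_KEY),
        "weak_mild": is_marked(reencode(weak, **mild), VENDOR_KEY),
        "weak_harsh": is_marked(reencode(weak, **harsh), VENDOR_KEY),
        "strong_harsh": is_marked(reencode(strong, **harsh), VENDOR_KEY),
        "wrong_key": is_marked(reencode(strong, **mild), 0xBADC0DE),
    }


if __name__ == "__main__":
    for case, detected in run_demo().items():
        print(f"{case:13s} detected={detected}")
```

A white-noise pattern like this one is most sensitive to low-pass filtering, which is why the heavy blur, not the quantization, is what pushes the faint mark under the detection threshold.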

  15. Watermark the files... by Theaetetus · · Score: 5, Insightful
    ... and include in the license agreement that the user agrees to pay royalties of X% on gross revenues for work involving the files, but with the stipulation that you won't go after users earning less than $Y. Then offer an ability to purchase a royalty-free license for your $10k price. Big commercial users would want the royalty free license, small commercial users would want the percentage license, and non-commercial or educational users could use the program freely. Then, just watch for the watermark in videos of commercial entities that haven't paid.

    Can also add in a quick reporting function, and check if the source IP is from a major studio.

    Disclaimer: I am not your lawyer, this is not legal advice, but is simply for my own amusement and should not be relied upon.

    1. Re:Watermark the files... by Vegemeister · · Score: 3, Insightful

      The thing is, most people who crack DRM don't do it so some megacorp can avoid paying license fees to some other megacorp. If the copy protection scheme doesn't affect home users, nobody will give a fuck.

  16. Watermarking instead? by vlm · · Score: 3, Interesting

    Would it be insane to release a 'not for commercial use' copy that does some spying and reporting on you, along with a spy-free version for ~$10,000?

    Watermarked as non-commercial use only? Hilarious if you run your watermark detector on a TV show or movie and it shows up and you start blogging about the pirates.

    Another good laugh would be bait and switch: the free version has 75% of the features removed at compile time. You can left align or right align all you want but if you want to center it's $10K. Or you could use any font you want for $10K but for free it's only possible to use... comic sans.

    Another good laugh would be speed. Intentional slow down loops in the free version. While evaluating your software for possible purchase do I care if everything happens 20% slower? Heck no. But if I'm a bean counter at corporate, I'd be insane to reduce my employees' productivity by 20% just to save $10K. Unless said employee using the software for 2 years earned less than $25K/yr, which is probably the case outside the US...

    The problem you're going to have is "free or $10K" is an absolutely insane market. It better be unimaginably amazing to be worth $10K in a world of 99 cent apps and $100 video editors. Rather than the revenue from 100 sales at 10K each, wouldn't you prefer a million app store sales at $20 each?

    Would I download your software for free at home if it's legal? Maybe. Why not a license of pure profit where any CC released work is a $10 software license with no support. The cost to you is minimal and you get "free" revenue. Or a license where it's gotta be CC licensed work with a link to your company in the comments or credits screen or something, basically they pay you, to market for you. Or "please support us by purchasing an anonymous coward XXL tee shirt along with a software license for CC released works for only $50". Or the software is free for CC editing work, but the fine manual in printed and pdf form is only available for $50 along with a formal written license for CC-released work.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    1. Re:Watermarking instead? by wer32r · · Score: 2

      I basically agree with most of your post, except for the part where you write about slowing down the loops in the free version. This may scare off any prospecting customers who are using the free version to evaluate the paid product.

  17. solved years ago... by yodleboy · · Score: 4, Funny

    after 10 min just pop up a random passage from the user manual and make the user find the correct page. the longer the manual, the more effective this is. alternatively, devise a strange set of symbols and provide the user with a high tech spinning paper wheel so they can "decode". this isn't rocket science here ; )

    1. Re:solved years ago... by operagost · · Score: 2

      This also isn't a computer game from the 1980s!

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
  18. FlexLM... by Last_Available_Usern · · Score: 2

    Use FlexLM (license server tied to a hardware address - defeatable, but annoying) like the majority of other vendors. Also, try to remember that your company is in its infancy. The more publicity and use your product gets the better. Better to lock it down after more people use it than before.

  19. Re:Serial number that calls home by ArsonSmith · · Score: 4, Insightful

    And why would I allow a system housing my valuable, corporate pre-production video data, direct access to the internet?

    --
    Paying taxes to buy civilization is like paying a hooker to buy love.
  20. Re:To the cloud! by vlm · · Score: 4, Interesting

    Doing some of the processing server-side might work for some applications but not for video editing because of the immense amounts of data that would need to be uploaded.

    That's assuming you'd need to upload/download the whole works.

    It would be hilarious if the app had no concept of how to create a simple .avi header each time it saved to a new file (made up example). You can't just NOP around that, and it's not much bandwidth and it's probably too much of a PITA for the crackers to write their own.

    The only thing funnier is the support calls when your https avi header webserver is down, or when the paying $10K customer is having a momentary internet outage or firewall issue. ha ha funny.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  21. You've come to the right place by ZahrGnosis · · Score: 5, Insightful

    Well, you certainly won't find a shortage of opinions on Slashdot. :-)

    If you think the software is good enough, then a non-commercial version with limited registration information (e-mail, name), and some very privacy-thoughtful reporting (maybe to ensure that the registered serial numbers are only being used by one machine at a time), should only be a good thing. Getting your software into the hands of the people that might buy it will get them used to it, relying on it, and eventually make them customers. But (as others here have posted), don't abuse the "spying"... if you start to make money by pilfering the free registrations for ancillary information you're just going to annoy your users and they'll be more apt to pirate the software or use fake registration information. Giving them something in return, like forum access for very limited support, is helpful.

    Other possible models include giving the software for free and asking payment for support -- nearly all profitable Open Source companies do this, and even if you leave the source closed the business model isn't terribly different. You could publish a "crippleware" version, which I find rather annoying, unless the limits are such that the home and non-commercial users needs are really satisfied, and the only people that need to pay $10k for the software are those to whom it's worth it. I give a nice shout out to Andrea Mosaic for doing this correctly (at a lower price point).

    Lastly an option you may have missed may be to ignore it because it isn't a problem. A pirated version by a customer that wouldn't have paid anyway probably doesn't hurt you. A pirated version by a customer that would have paid may actually turn into a sale if they need assistance. When you upgrade, if the pirates liked it, they'll want the next version, so they may buy. It may be pirated by employees or students who years later may remember it and decide to buy it. You never can tell.

    In those cases, you're getting your software out there and used; you could take an "all exposure is good exposure" attitude. The fact that you didn't list the name of your software in the original post here means that you may not think that way, or you may outright disagree.

    Still, piracy is going to happen. At least you're asking the right questions. Don't let yourself get dragged into a fight with the anonymous masses on the internet, though -- you'll probably lose.

  22. $10,000 for video editing software? by alen · · Score: 3, Insightful

    WTF does it do?

    Apple has Final Cut for the prosumer and wannabe pro
    Avid is the pro software market
    people like me use imovie or adobe something which is like $100 and includes the adobe version of iphoto whatever the name is

    video editing software is a mature market. unless you are making some cool plug in or your software does something really cool that the big boys don't do you are screwed

  23. contractual approach? by kentborg · · Score: 2

    $10,000 is a lot. Maybe make real but effectively no-op customizations to each legit copy so each is unique, including a banner that says whose copy it is. If it later shows up stolen you know whom to sue. Add some phone-home statistics and you know how much to sue them for. Do a little runtime checking on the visible ID banner to make it hard to remove.

  24. Re:What is your software called by SJHillman · · Score: 4, Informative

    You obviously don't have much experience with software at the business level. The $10k usually includes support, upgrades, etc. It's not like they're charging $10,000 for a basic word processor.

  25. Don't Fret by savanik · · Score: 2

    The only DRM you need is: Make sure that your users have a valid serial number before you start providing support for the product.

    You're trying to compete with 'free'. The solution is to make the version you're selling for $10,000 worth that much. Add more features, innovate, and provide support to the users who have paid you.

    Also, most of the people yanking your software off of the Pirate Bay are not your customers now - they either can't afford it, or they're not even sure if your software will meet your needs. In the future, they might have that same need AND the money to pay you, and at that point they'll know your name.

  26. Partial Key Verification by Deffexor · · Score: 3, Interesting

    This is something that I have never dealt with directly, but I saw a similar post on StackOverflow a few months ago and bookmarked it because it seemed useful.

    The answer it seems is something called "Partial Key Verification": http://stackoverflow.com/questions/3550556/ive-found-my-software-as-cracked-download-on-internet-what-to-do

    In short, the software would still work, but re-direct people to a page letting them know that they've been "caught" pirating software and that they should really purchase it. This won't stop everyone, but some people (especially in a business environment) won't risk "being caught", so they will purchase the software knowing that you know that they know they are pirating your software.
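
Partial key verification, as the term is usually described, works on the key format itself: a key carries several independent check values, and each shipped build verifies only some of them, so a key generator derived from one build produces keys that a later build rejects. The sketch below is an added example, not code from the post or the linked answer; the key layout, slot secrets, the use of HMAC and the seed values are constructed assumptions.

```python
import hashlib
import hmac
import zlib

# Constructed demo secrets, one per key slot. Only the vendor's key generator
# holds all of them; each shipped build embeds just the slots it checks.
VENDOR_SLOT_SECRETS = [b"demo-slot-0", b"demo-slot-1", b"demo-slot-2", b"demo-slot-3"]


def subkey(seed, secret):
    """16-bit check value for one slot (HMAC is this example's choice)."""
    mac = hmac.new(secret, seed.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:2], "big")


def checksum(body):
    """Non-secret CRC that only catches typing errors."""
    return f"{zlib.crc32(body.encode()) & 0xFFFF:04X}"


def format_key(seed, subkeys):
    body = f"{seed:08X}" + "".join(f"{s:04X}" for s in subkeys)
    return body + checksum(body)          # 8 + 16 + 4 = 28 hex characters


def issue_key(seed):
    """Vendor side: every slot is filled in correctly."""
    return format_key(seed, [subkey(seed, s) for s in VENDOR_SLOT_SECRETS])


class Build:
    """One shipped release: checks a subset of slots plus a revocation list."""

    def __init__(self, checked_slots, revoked_seeds=()):
        self.secrets = {i: VENDOR_SLOT_SECRETS[i] for i in checked_slots}
        self.revoked = set(revoked_seeds)

    def verify(self, key):
        key = key.replace("-", "").upper()
        if len(key) != 28 or any(c not in "0123456789ABCDEF" for c in key):
            return "malformed"
        body, check = key[:24], key[24:]
        if checksum(body) != check:
            return "malformed"
        seed = int(body[:8], 16)
        if seed in self.revoked:          # seeds of keys known to have leaked
            return "revoked"
        for slot, secret in self.secrets.items():
            found = int(body[8 + 4 * slot:12 + 4 * slot], 16)
            if found != subkey(seed, secret):
                return "invalid"
        return "valid"


def key_from_build_secrets(build, seed):
    """Best key obtainable from one build's embedded secrets: the slots that
    build never checks cannot be computed and are left as zero here."""
    slots = [subkey(seed, build.secrets[i]) if i in build.secrets else 0
             for i in range(len(VENDOR_SLOT_SECRETS))]
    return format_key(seed, slots)


RELEASE_1 = Build(checked_slots=[0])
RELEASE_2 = Build(checked_slots=[1], revoked_seeds=[0x0BADF00D])

if __name__ == "__main__":
    genuine = issue_key(0x1234ABCD)
    derived = key_from_build_secrets(RELEASE_1, 0x00C0FFEE)
    print("genuine:", RELEASE_1.verify(genuine), RELEASE_2.verify(genuine))
    print("derived:", RELEASE_1.verify(derived), RELEASE_2.verify(derived))
```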

  27. worth $10K? by vlm · · Score: 2

    Is what the software does worth $10K? If it really is, then you'd be far better off hiring some in house editors and offering your services using your magic proprietary undistributed tools. After all, you'd be able to undercut all your competition by at least $10K/yr equivalent.
    It has to be worth more than that, like $25K/yr, otherwise your purchasing clients would not waste the time and money learning new software, they'd just throw more bodies/billable hours at the task and not have to deal with you. They're planning to save $25K using your software of which they're giving you $10K to keep it legal. Why not keep the whole $25K for yourself?
    It's one of those put your money where your mouth is moments... if it's really worth the dough, you'd make more money reselling video editing services than you'd make selling the tools to edit video.
    My guess is, you're about to discover the appropriate price would be maybe $100 not $10K.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  28. Re:overpriced by KingMotley · · Score: 2

    What makes it worth 10k? How about developing software that takes a team of 5 people 3-7 years to write, for a target market of 200-500?

    You and 4 of your buddies may be willing to work for the next 7 years for a possible income of (500*100 = 50,000), and you can split it between yourselves. Sounds fair. What number can I call you to schedule when you can start?

  29. Who's stealing it exactly? by DRMShill · · Score: 4, Insightful

    I have a Reprap 3d printer. The software that seems to work the nicest for designing parts is Solidworks. But they only sell it in two ways: for business for about $4000 and for verified university students for $150 a year. I'm neither. They don't make an option for hobbyists. Which leaves me with the Pirate Bay option. That kind of sucks because I wish there was a way a hobbyist could use this software without stealing it.

    So that's something to consider. Who's stealing it? If it's businesses then yeah you have a problem. If it's hobbyists then maybe it's because you don't have a deal for them.

  30. Re:What is your software called by na1led · · Score: 3, Informative

    Specialized software can be very expensive especially when there is no alternative around. I've seen this happen many times with businesses looking for some special inventory database, or software to run specialized equipment. The problem is that other software companies catch on to these specialized programs and start selling similar software for a much lower cost. It's like tapping into a new idea, charging a crazy amount for it until someone else jumps on, and the price falls down from $10,000 to $100.

    --
    -- By all means let's be open-minded, but not so open-minded that our brains drop out.
  31. Serialize by erroneus · · Score: 2

    When your software is THAT expensive, then you can afford to compile each instance for each customer. By recompiling for each customer, you can make each release version they have unique to them so you know where the leaked copy came from. Secondly, you can also arrange and require a "license server" on the network where it will be run. This enables a machine to run without internet access but will need access to a licensing server. You can figure out the details to make it usable but the idea is that it won't run without licensing information available at any or even all times.

    And since you are compiling each copy for each customer's site, "cracks" will be a bit harder to maintain, but in order to accomplish this feat, you would have to take some pages from virus writers' playbooks.

    In the end, everything I have spelled out is defeatable. EVERYTHING. In the end, software is a series of instructions that the computer runs. It's not a magic box.

    And this interpretation of "potential customers just getting it for free" is nonsense. If they use it professionally, they will pay. There will be incidents where some professionals will not want to pay. You will either have to live with it or spend a lot of money on investigators and lawyers. Is that really where you want your existing profits to go?

    And are you SURE you're not charging too much in the first place?

  32. Re:What is your software called by tibit · · Score: 2

    You are living on some cloud nine. We have seats of parametric 3D cad software: about $4500 per seat, with a discount, too. Yearly maintenance is $1500 or so per seat. It works out because there's no one else who provides it any cheaper than that, and the file formats are completely proprietary and their binary structure is intentionally obfuscated. We attempted to move to a different system, by writing scripts for the source software to export all the data to a human-readable text file, and then writing other scripts for the target software to read it in. It turned out that the underlying representation of data in both pieces of software differed enough that we'd need to license a not-cheap 3D geometry engine just to massage the data. Overall cost of migration looked like it'd pay itself back in the per-seat difference savings over ~15 years. IOW: they know exactly what they are doing with their pricing. You'd need a 100 seats to have payback in a reasonable amount of time (3 years), and then you're still betting on other things (lack of new killer features on the more expensive end, etc).

    --
    A successful API design takes a mixture of software design and pedagogy.
  33. Re:What is your software called by 91degrees · · Score: 2

    10k is pretty cheap for a lot of specialised software. The support you get tends to involve having an engineer actually solve your problem.

    Whether it's cheap for video editing software depends on what useful features it has, and whether that can save several days' work over the course of a year

  34. DRM is SnakeOil, but I have a thought.. by hAckz0r · · Score: 2
    DRM is nothing but SnakeOil, and any salesman that tells you it will cure your problem is already counting his money. The fact, as others have already noted, is that any DRM can and will be broken. In fact there are people out there that don't even want to run your software, they just break the DRM and post it on the Internet for fun. These are serious hackers, and you only need one to waste all your DRM SnakeOil money. There is no DRM that is worth the money.

    Ok, I hate being pessimistic, but we need to face the facts. Money spent on DRM is wasted money. However, there are some ways others have spoken about that have some merit, but also problems. One such is the always-online network model and also hardware dongles. Networks go down and standard dongles are easy to hack around. So, what to do?

    The always-online model has the strong point that a portion of the processing can be offloaded to the central server, and the user's software itself has code missing that can not be simply hacked around like in the dongle. The dongle can have some unique embedded features which can be tested for but is generally easy to hack around since it's easy to bypass code. What about a mix of the two? What about a custom dongle that actually adds processing power to the software and the software is then sold as a "system".

    If the dongle/board/unit has real functionality (e.g. FPGA accelerator board) the software without it is useless, and if the device is non-trivial it would be very hard to duplicate by the average hacker, and they couldn't just post the results of that hacked code online. You need both. It would be too costly to develop the replacement hardware for fun and impossible to sell it without being noticed. It would not be like a "standard" dongle that one can hack by putting in noop's and nonconditional jumps to deactivate it, as it actually does things the software side needs. A pirate would have to be *very* committed, and with much more money and resources than the cost of one simple licensed unit to even think about trying to replicate it. As long as the coprocessor dongle unit adds functionality in the form of function or performance it may be acceptable to users, but not unless it actually gives them something for their money. So, can your product be decomposed into two pieces where a portion is hardware accelerated?

  35. Re:You have to be sneaky... by Animats · · Score: 2

    The best way I've found to do this is to have a non-obvious component actually doing the licensing evaluation (periodically as part of some normal functional operation) and if that fails to subtly screw up the operation of the software. You still want to have standard 'relatively easy to tear out' protection so that legitimate users get notifications of a bad configuration or license, but what you're trying to do is make the software useless for people pushing it on a torrent/warez site.

    Yes. AutoCAD did that, back in the DOS era. There were several levels of protection. The first level checksummed the program during loading to detect a corrupted executable. That prevented any accidental error from triggering the deeper checks. Anyone attacking the software would first have to bypass the checksum code. Further down were many other checks for changes to the protection code. These checks were executed randomly, based on the state of the program, at varying levels of odds. Some were executed every few minutes; some as infrequently as once a year on average. Some of them just made the program exit without saving. Some made subtle changes in the drawing data.

    This destroyed the market for cracked versions of AutoCAD. No one trying to crack the software could ever be sure they'd found all the checks. There were dealers selling cracked versions as if they were real ones. Those guys had some very angry customers.

    This was effective enough that it stopped piracy in Hong Kong and the USSR. The USSR eventually cut a deal with Autodesk for a bulk buy on a Cyrillic version.

  36. Notes from someone in a similar position by sigmabody · · Score: 2

    (Note: Developer, small dev shop, higher-priced software, same situation.)

    If you distribute an "unlimited" version, this will be what is pirated; there's no value in having different versions. Also, if you have a key which allows "unlimited" access without secondary verification, this is what will be distributed on pirate sites.

    In our experience, it took about a week from changing the key format to a new crack key being distributed. Obviously, this is for software which is "in-demand", but don't expect that implementing a new scheme with the same underlying characteristics will buy you much time.

    For "good" protection, you basically need secondary verification which is "hard" to fake. Currently, that is hardware dongles or an online verification loop. Both of these can be pains for the users, costly for you, and/or prohibitive in some environments (online, in particular, doesn't play nice with classified government envs).

    Keep in mind also: most people who pirate are not potential customers, at least at anything close to full price, but their experience using the tool may turn into a sale at a company later.

    My suggestion: do what you can to track usage, but don't be overly obtrusive and/or try to prevent all piracy usage. Being able to watch and track, and act when appropriate, is much better than trying to prevent all piracy.

  37. Re:What is your software called by 19thNervousBreakdown · · Score: 2

    Some software just costs that much. Hell, a lot of software used by businesses cost much more.

    When a company needs a certain functionality that just plain doesn't exist anywhere else, it has to be paid for somehow. I'm not sure you have a good understanding of how much time is actually put into developing software--an engineer who gets paid $80k/year costs the company about $160k/year. If that engineer works on a problem for 3 lousy weeks, that software cost $10,000. Just to develop. That's $0.00 profit for the company.

    Some special functionality is very easy. Huge changes from a user perspective can be made in minutes with just a couple lines of code. On the other hand, stuff that seems like it should take no time at all can require an entire re-architecture of a project and take years. Now, your first instinct if you're not a software developer, or a new one, will be to say "if it was made right it wouldn't require re-architecture", but that's just not true in a lot of cases. The only absolutely flexible architecture is an unwritten program, every line of code is a constraint.

    Microsoft Office costs so little because it's used by millions of people, but if only 25 developers worked on it (a lot more did) for only 5 years (it's been around for twice that long, and Microsoft doesn't like to throw out code), and they had no managers (they had lots), no testers (there were lots), and no corporate scaffolding (more than you can probably imagine), there are more than a hundred years of human effort in that piece of software. When you look at it, does it look like the culmination of hundreds of years of effort? Not intuitively, not even to me, and I have a very good idea of how hard it was. Specialized software costs a lot. It might sound silly to you, but that's just because you are--don't take this the wrong way I'm not trying to be insulting, it's just the word that best fits--ignorant of the actual costs.

    --
    <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
  38. Three words: I hate dongles. by mdarksbane · · Score: 2

    My experience as both a user and a developer is that hardware dongles suck major donkey butt.

    They are excellent at preventing customers and pirates alike from using your software.

    The drivers for every brand we tried were buggy, and often had conflicts - *especially* when installed on the same machine as a different version of the same brand dongle from someone else's software.

    It was a support nightmare, because it can easily turn into a problem that *you* can't fix - only the manufacturer of the dongle and the other software you from who knows where can.

    You can also very quickly require a separate USB hub just for all of your dongles.

  39. Best DRM: the license agreement. by FellowConspirator · · Score: 2

    At $10,000 for a license, the software you sell is not a consumer product. That's not to say that a consumer may not want to use it, but that you've already discounted them as a customer. You should simply not trouble yourself with thwarting them because they would never be able to pay for it. They aren't your clients and by familiarizing themselves with your product, they may well turn their employer or future employers into clients. Some companies even embrace the idea by offering unsupported no-cost versions for non-commercial use.

    Once you've decided that your customer base will only be professional / commercial customers, then the license is the important part. A commercial customer stands to lose A LOT if they are caught using unlicensed software. For them, they should consider the software part of their cost of doing business. If your product is too pricey, they should select another, otherwise, they need to purchase it and expense it. If you catch a customer using unlicensed copies, contact them and give them an opportunity to true up (after all, sometimes companies simply lose track of how many licenses they purchased - crappy license management is rampant). If a company still continues to use unlicensed versions of the software, then have a lawyer draft a demand for payment (and consider terminating their licenses; mind you, you'll lose them as a customer). When all else fails, file an infringement claim against them.

    There's simply no DRM scheme that's 100% effective, and it only needs to be cracked once for it to become widely available. DRM schemes cost vendors like you lots of money to implement, and they are invariably a nuisance to the customers that legitimately license your software. Ultimately, DRM makes the pirated copies more valuable -- they are more portable between systems as they are upgraded, there are no dongles, issues with license key management, etc. It would be hard to make the case that DRM is likely to pay for itself.

  40. Octave by SgtChaireBourne · · Score: 2

    Instead of pirating Matlab you should take a look at Octave. It's fairly similar to Matlab and heavy duty enough for regular work, not just the home projects you mention pirating Matlab for.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
    1. Re:Octave by 0100010001010011 · · Score: 2

      Octave to Matlab is as a transvestite is to a real woman. Octave is a joke compared to Matlab. It'd be like me coming into a discussion about C and suggesting everyone just uses PHP, because it's practically the same syntax.

      There is absolutely no Simulink equivalent, there aren't anywhere near the number of toolboxes. Matlab is expensive because Mathworks pays some top level PhDs to develop them. As far as I can tell you can't compile Octave to anything. Simulink will compile to one of a dozen embedded processors, including the one my company uses for our ECMs and XPCs we use for prototyping work.