tags:

views:

492

answers:

7
+2  Q: 

How to implement copy protection of content in an open source application?

I have an idea for an open source app -- the app would be free, but I would charge a small fee for data that a customer would order. For instance, let's say I'm writing a map application. I'd give the app away, make it open-source, but I would like to sell various maps to individual users.

Is there a way to protect the data in such a way that makes it very difficult for someone to simply take the map they bought and distribute it to others? Is this feasible for an open source app?

+1  A: 

Have the application create a private and public key pair on the first launch. When the user wants to purchase a map, they must provide you with their public key. Encrypt the map files using this key. Users that do not know the private key cannot use the map.

However, if a user looses their private key, they will have to recreate the pair and you will have to provide them with new maps that correspond to the new key.

This doesn't stop a user from giving away the maps along with the private key or even decrypting the maps and distributing the plain-text maps. You can try hiding the key from the user in some way, but this won't actually help much, especially since the application is open-source.

Revocation lists, key expiration or any other client-side validation is futile, since users could just compile the application such that your validation methods just return true. So avoid implementing anything other than decryption on the client-side.

Ben S  2009-11-17 22:30:47
How does this really help? It just takes one user to decrypt the maps (which any user can because she has the private key) then the maps can be freely distributed without a key.
sleske  2009-11-17 22:47:23
You don't store the decrypted maps on disk, you keep them in memory. Of course a user could just add code to the application to decrypt the maps on disk. What the OP is asking is not possible, but I think this is the closest solution.
Ben S  2009-11-17 22:49:34
The problem is that all it takes is one person to pull the maps out of memory, and it's even easier to do that with an OS app than a binary-only one.
David Thornley  2009-11-17 22:57:58
+3  A: 

No, I do not see how it is feasible. Any user can just remove the copy protection check from the sources and recompile the application.

Encrypting the data won't help either; the app needs to decrypt it, you could just extract the decryption routine from the app and decrypt the data (then use a version of the app without encryption).

sleske  2009-11-17 22:45:16
I think you're confusing encryption with compression. Encryption requires a **key** in order to retrieve the plain-text data. Without the key, you can't just "extract the decryption routine" to decrypt data.
Ben S  2009-11-17 22:47:51
@Ben S: The application needs to be able to decrypt the data, which means it needs to have the key.
David Thornley  2009-11-17 22:56:57
@David: Yes, of course. That was assumed in my answer.
sleske  2009-11-19 11:51:31
+1  A: 

Usually the proper way to make money with open source is to use a service model.

The idea is you want your software out in as many hands as possible, and then to add services that make the application valuable. This could be providing for-pay custom integrations or a data feed that is higher quality than maybe a freely provided data feed.

Due to the ability to freely modify it and distribute it, the software propagates faster (providing it is useful, of course). The more people that have the software, the larger the pool of people willing to pay for a service.

License management is sort of painful anyhow, and most software protection goes down in flames anyway.

Nathan  2009-11-17 22:49:38
+1  A: 

Copy protection is basically a losing game, those who would pay for the information will do so regardless of the copy protection scheme. Those who will not pay won't do so.

The only successful copy protection implementation that I have seen is Steam, but the only reason that it's successful is because it gives the users a value-added service. Steam games are still pirated, but the people who are on the fence about paying might do so through Steam because of the extra value that they receive.

Perhaps you could serve the map information to users through a web service, this could automatically update the maps for the users, maybe even save their configuration data(if any) online. The pirates will still just steal the maps, but maybe you can get more users to purchase.

jessecurry  2009-11-17 22:50:35
"...those who would pay for the information will do so regardless of the copy protection scheme. Those who will not pay won't do so." This is absolutely not true, but I certainly hear that statement a lot. I have personally witnessed on several occasions software protection increase revenue 5-10x and a working crack/keygen/etc have a huge negative impact on revenue. While I understand any protection can be circumvented it will discourage casual piracy. Just like a casual thief checking for unlocked cars and skipping locked ones looking for an easy target.
Dana Holt  2010-03-15 18:52:03
+3  A: 

Perhaps watermarking the content would help? While it does not prevent copying, you can track down the origin of leaks and maybe even hold them accountable for damages caused by unauthorized copying.

meriton  2009-11-17 23:17:40
A: 

The solution is quite simple. Set up a open source plugin API in your code.

Then write a closed source plugin that can load your map. This plugin will perform the license check (with asymetric crypto) and feed the Open Source part of the code with on-the-fly decoded data. People could work out a way to save the map, but if the effort requires more time than the map price, it's very unlikely they'll do this. (Understand than if your map cost 5$, then I don't think anyone would ever try to write a "dumper").

X-Ryl669  2010-03-15 18:06:15
there is always some high-school or college student that is unemployed with unlimited time on their hands that will hack something just for the challenge, so it is VERY likely that someone will spend the time to crack whatever you come up with.
fuzzy lollipop  2010-03-15 18:23:56
I like this answer quite a bit. The more I think about it, the more I feel it's the right balance between keeping the app itself open source, and making the data somewhat difficult to copy.
Lococo  2010-05-13 20:20:33
X-Ryl669  2010-05-26 14:45:44
you are assuming a specific attack, people are more clever than brute force attacks. Take the iPhone and the iPod Touch, XBOX and other consoles MILLIONS of dollars are spent on designing those things to be secure and IN HARDWARE no less. It only takes a few dedicated creative individuals with lots of free time, and they figure out how to root those devices. To think you can do better than that is a stretch in confidence.
fuzzy lollipop  2010-05-26 16:40:53
Again, you're speaking theorically, and you're right. However, in practice, some cryptographic primitives haven't been broken yet by anyone. The idea is not to protect the software or data against limitless people, but to keep honest people honest. Honest people don't have limitless money, nor limitless processing power, so they can't decrypt all the data in a timeframe that worth it.
X-Ryl669  2010-05-31 08:25:08
+1  A: 

Any data that has to be decrypted to be used is not any more secure than just supplying the non-encrypted equivalent data, all the data has to be in memory decrypted and patchers, loaders and hooks can be written easily for non-open source apps to dump that data out un-encrypted, so an open source program would be that much easier to subvert. If someone with the resources of Apple or Microsoft can't create a secure DRM scheme that can't be circumvented by college students, then I doubt a single developer can do better. Making it difficult implies that you are going to burden the paying customer in some way while not really burdening the people that are willing to pirate in the first place.
Make your content compelling and reasonably priced and people will buy it, those that don't would never have bought it anyway.

fuzzy lollipop  2010-03-15 18:22:17
A corollary to the last sentence is: "make your content compelling and easy to pirate, and people will pirate it." If you make it more difficult to freely share the data, you ought to be able to at least reduce casual theft. Anyway, the point of my question was to explore the technical feasibility, not to discuss the relative merits or evils of DRM, which I agree tend to the latter.
Lococo  2010-05-13 21:42:02

related questions

How to implement password protection for individual files?
Encrypting appSettings in web.config
Usefulness of SQL Server "with encryption" statement
How can I use a key blob generated from Win32 CryptoAPI in my .NET application?
CodeReview: Tiny Encryption Algorithm for arbitrary sized data
Simple encryption implementation in C
Which hard disk encryption software to choose?
Passing untampered data from Flash app to server?
How do I prevent replay attacks?
Is there a best .NET algorithm for credit card encryption?
Encrypt data from users in web applications
How to encrypt one message for multiple recipients?
Two-way password encryption without ssl
What's the answer to this Microsoft PDC challenge?
GPG: How does key signing work and how is it done?
Secure Online Highscore Lists for Non-Web Games
Programmatically encrypting a config-file in .NET
How do I use 3des encryption/decryption in Java?
Encryption in C# Web-Services
Suitable alternative to CryptEncrypt
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
C# - CryptographicException: Padding is invalid and cannot be removed
How can I encode xml files to xfdl (base64-gzip)?
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Encrypting Passwords