views:

916

answers:

16

Anyone visiting a torrent tracker is sure to find droves of "cracked" programs ranging from simple shareware to software suites costing thousands of dollars. It seems that as long as the program does not rely on a remote service (e.g. an MMORPG) that any built-in copy protection or user authentication is useless.

Is it effectively not possible to prevent a cracker from circumventing the copy protection? Why?

+10  A: 

Copy-protection is like security -- it's impossible to achieve 100% perfection but you can add layers that make it successively more difficult to crack.

Most applications have some point where they ask (themselves), "Is the license valid?" The hacker just needs to find that point and alter the compiled code to return "yes." Alternatively, crackers can use brute-force to try different license keys until one works. There's also social factors -- once one person buys the tool they might post a valid license code on the Internet.

So, code obfuscation makes it more difficult (but not impossible) to find the code to alter. Digital signing of the binaries makes it more difficult to change the code, but still not impossible. Brute-force methods can be combated with long license codes with lots of error-correction bits. Social attacks can be mitigated by requiring a name, email, and phone number that is part of the license code itself. I've used that method to great effect.

Good luck!

Jason Cohen
I'd argue that copy-protection isn't "like" security, it IS security on alot of levels. Some more ideas for making things harder is to throw a few exceptions around early, check for attached debugger AFTER this, and other fun things like that. In the end though, everything can be reversed with time.
Matthew Scharley
We theorized back in the 90's that putting the customers credit card details in the software license would dissuade them for circulating it.What else does the seller know about the buyer that they really don't want anyone else to know? It's just escalating the conflict to taking hostages ( see my answer below)
Tim Williscroft
@Tim -- Nice point, depending on your customers. For example at Smart Bear 95% of our sales are through purchase orders, so that doesn't work. But I like it!
Jason Cohen
+4  A: 

I think given enough time a would-be cracker can circumvent any copy-protection, even ones using callbacks to remote servers. All it takes is redirecting all outgoing traffic through a box that will filter those requests, and respond with the appropriate messages.

On a long enough timeline, the survival rate of copy protection systems is 0. Everything is reverse-engineerable with enough time and knowledge.

Perhaps you should focus on ways of making your software be more attractive with real, registered, uncracked versions. Superior customer service, perks for registration, etc. reward legitimate users.

Bob King
I like your reference to Fight Club. :-)
Jason Cohen
I was wondering if anyone would notice it ;-)
Bob King
+11  A: 

Because it's a fixed defense against a thinking opponent.

The military theorists beat this one to death how many millennia ago ?

Tim Williscroft
Which is why products that update usually do a security revamp on each revision.
Yar
+5  A: 

Basically history has shown us the most you can buy with copy protection is a little time. Fundamentally since there is data you want someone to see one way, there is a way to get to that data. Since there is a way someone can exploit that way to get to the data.

The only thing that any copy protection or encryption for that matter can do is make it very hard to get at something. If someone is motivated enough there is always the brute force way of getting around things.

But more importantly, in the computer software space we have tons of tools that let us see how things are working, and once you get the method of how the copy protection works then its a very simple matter to get what you want.

The other issue is that copy protection for the most part just frustrates your users who are paying for your software. Take a look at the open source model they don't bother and some folks are making a ton of money encouraging people to copy their software.

William
Agreed. Since stand-alone games used to make the majority of their profit in the period just after the release date, it seemed that game companies were going to just keep upping the ante with the pirates. I thought online gaming would get rid of these types of measures but now the game companies are using similar technology to prevent online cheating. So, the cycle begins anew.
Kelly French
+12  A: 

No, it's not really possible to prevent it. You can make it extremely difficult - some Starforce versions apparently accomplished that, at the expense of seriously pissing off a number of "users" (victims might be more accurate).

Your code is running on their system and they can do whatever they want with it. Attach a debugger, modify memory, whatever. That's just how it is.

Spore appears to be an elegant example of where draconian efforts in this direction have not only totally failed to prevent it from being shared around P2P networks etc, but has significantly harmed the image of the product and almost certainly the sales.

Also worth noting that users may need to crack copy protection for their own use; I recall playing Diablo on my laptop some years back, which had no internal optical drive. So I dropped in a no-cd crack, and was then entertained for several hours on a long plane flight. Forcing that kind of check, and hence users to work around it is a misfeature of the stupidest kind.

Peter
+4  A: 

}} Why?

You can buy the most expensive safe in the world, and use it to to protect something. Once you give away the combination to open the safe, you have lost your security.

The same is true for software, if you want people to use your product you must given them the ability to open the proverbial safe and access the contents, obfuscating the method to open the lock doesn't help. You have granted them the ability to open it.

Zoredache
+4  A: 

You can either trust your customers/users, or you can waste inordinate amounts of time and resource trying to defeat them instead of providing the features they want to pay for.

It just doesn't pay to bother. Really. If you don't protect your software, and it's good, undoubtedly someone will pirate it. The barrier will be low, of course. But the time you save from not bothering will be time you can invest in your product, marketing, customer relationships, etc., building your customer base for the long term.

If you do spend the time on protecting your product instead of developing it, you'll definitely reduce piracy. But now your competitors may be able to develop features that you didn't have time for, and you may very well end up selling less, even in the short term.

Tanktalus
A: 

This is one occasion where quality software is a bad thing, because if no one whats your software then they will not spend time trying to crack it, on the other hand things like Adobe's Master Collection CS3, were available just days after release.

So the moral of this story is if you don't want someone to steal your software there is one option: don't write anything worth stealing.

Unkwntech
-1 for "This is one occasion where quality software is a bad thing".
Piotr Dobrogost
A: 

I think someone will come up with a dynamic AI way of defeating all the currently standard methods of copy protection; heck, I'd sure love to get paid to work on that problem. Once they get there then new methods will be developed, but it'll slow things down.

The second best way for society to stop theft of software, is to penalize it heavily, and enforce the penalties.

The best way is to reverse the moral decline, and thereby increase the level of integrity in society.

Lance Roberts
Please look up what influence the death penalty has on crimes: None. People don't break the law to piss you off, they are smart. Creating a law that 90% of the population will not follow will not get you anywhere.
Aaron Digulla
@Aaron You missed "and enforce the penalties." part. +1 to make up for -1 (I guess from you).And go for a trip to Switzerland, please.
Piotr Dobrogost
+4  A: 

As others point out, you can easily end up frustrating real and legitimate users more than you frustrate the crooks. Always keep your paying users in mind when you develop a circumvention technique.

If your software is wanted, you have no hope against the army of bored 17 year old's. :)

Robert Paulson
+4  A: 

The difference between security and copy-protection is that with security, you are protecting an asset from an attacker while allowing access by an authorized user. With copy protection, the attacker and the authorized user are the same person. That makes perfect copy protection impossible.

KeithB
+2  A: 

In the case of personal copying/non-commercial copyright infringement, the key factor would appear to be the relationship between the price of the item and the ease of copying it. You can increase the difficulty to copy it, but with diminishing returns as highlighted by some of the previous answers. The other tack to take would be to lower the price until even the effort to download it via bittorrent is more cumbersome than simply buying it.

There are actually many successful examples where an author has found a sweet spot of pricing that has certainly resulted in a large profit for themselves. Trying to chase a 100% unauthorized copy prevention is a lost cause, you only need to get a large group of customers willing to pay instead of downloading illegaly. The very thing that makes pirating softweare inexpensive is also what makes it inexpensive to publish software.

+4  A: 

"Trying to make bits uncopyable is like trying to make water not wet." -- Bruce Schneier

Copy protection and other forms of digital restrictions management are inherently breakable, because it is not possible to make a stream of bits visible to a computer while simultaneously preventing that computer from copying them. It just can't be done.

As others have pointed out, copy protection only serves to punish legitimate customers. I have no desire to play Spore, but if I did, I'd likely buy it but then install the cracked version because it's actually a better product for its lack of the system-damaging SecuROM or property-depriving activation scheme.

Just Some Guy
+9  A: 

It is impossible to stop it without breaking your product. The proof:

Given: The people you are trying to prevent from hacking/stealing will inevitably be much more technically sophisticated than a large portion of your market.
Given: Your product will be used by some members of the public.
Given: Using your product requires access to it's data on some level.

Therefore, You have to released you encrypt-key/copy protection method/program data to the public in enough of a fashion that the data has been seen in it's useable/unencrypted form.
Therefore, you have in some fashion made your data accessible to pirates.
Therefore, your data will be more easily accessible to the hackers than your legitimate audience.
Therefore, ANYTHING past the most simplistic protection method will end up treating your legitimate audience like pirates and alienating them

Or in short, the way the end user sees it:
Steal This Comic

David Frenkel
A: 

A lost cause if ever I heard one... of course that doesn't mean you shouldn't try.

Personally, I like Penny Arcade's take on it: "A Cyclical Argument With A Literal Strawman"alt text

Gabriel Hurley
A: 

There's an easy way, I'm amazed you haven't said so in the answers above. Move the copy protection to a secured area (understand your server in your secure lab). Your server will receive random number from clients (check that the number wasn't used before), encrypt some ever evolving binary code / computation results with clients' number and your private key and send it back. No hacker can circumvent this since they don't have access to your server code.

What I'm describing is basically webservice other SSL, that's where most company goes nowadays.

Cons: A competitor will develop an offline version of the same featured product during the time you finish your crypto code.

X-Ryl669