This question is more or less for Joel Spolsky, but if anyone else has an answer, they are welcome!

If you ship the source code, like in FogBugz [1], and you allow the customer to modify it, how do you prevent the customer from unblocking how many users can use it (and thus, destroying your business model)?

[1] I seem to recall when you buy FogBugz you can modify the source code and that they sell it by the user. If that's not correct I'm still interested in the situation I'm describing and not FogBugz in particular.

+4  A: 

Well, I would gather that the customers that Fog Creek cares about would be the ones that are just mildly inconvenienced by the activation step, just enough to purchase the number of user licenses they require.

The licenses aren't that expensive either.

And then I would gather that the people that would go to lengths in order to get a free copy of Fog Bugz would probably not be worth any time at all for Fog Creek to consider, much less work hard to counter.

Lasse V. Karlsen
A: 

Easy way could be to have a module linked via Fog Creek servers. If this downloadable piece of code is not available [this may well be used to check your license], the application refuses to work :)

In essence, even if you possess the source code, all you will know is the URL from which the code module is downloaded. If the software verifies a signature, even subverting the URL wouldn't work.

Vyas Bharghava
Unless you comment out the verification section...
amdfan
So what happens when the internet is broken?
mP
@mP: Allow access for some time (say a week) and then refuse to work
Vyas Bharghava
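The check this answer and its comments describe, as an added example that is not part of the original thread and not Fog Creek's code: the product verifies the vendor's signature over a license before trusting its user limit, and keeps working offline for a one-week grace window. The `License` fields, function names and the demo key pair are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// License is a hypothetical payload signed on the vendor's server.
type License struct {
	MaxUsers int       `json:"max_users"`
	IssuedAt time.Time `json:"issued_at"` // last successful fetch from the vendor
}

const offlineGrace = 7 * 24 * time.Hour // "say a week", per the comment above

// CheckLicense verifies the vendor signature over the raw bytes before
// trusting any field, then applies the grace window and the user limit.
func CheckLicense(pub ed25519.PublicKey, raw, sig []byte, users int, now time.Time) error {
	if !ed25519.Verify(pub, raw, sig) {
		return errors.New("license signature invalid")
	}
	var lic License
	if err := json.Unmarshal(raw, &lic); err != nil {
		return fmt.Errorf("license unreadable: %w", err)
	}
	if now.Sub(lic.IssuedAt) > offlineGrace {
		return errors.New("license stale: vendor unreachable beyond grace period")
	}
	if users > lic.MaxUsers {
		return fmt.Errorf("%d users exceed the licensed %d", users, lic.MaxUsers)
	}
	return nil
}

// Demo uses a constructed key pair and license; only pub would ship with the product.
func Demo() (ok, edited, stale, over error) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	now := time.Date(2024, 1, 10, 0, 0, 0, 0, time.UTC)
	raw, _ := json.Marshal(License{MaxUsers: 5, IssuedAt: now.Add(-48 * time.Hour)})
	sig := ed25519.Sign(priv, raw)
	forged, _ := json.Marshal(License{MaxUsers: 500, IssuedAt: now}) // customer-edited copy
	return CheckLicense(pub, raw, sig, 5, now), CheckLicense(pub, forged, sig, 5, now),
		CheckLicense(pub, raw, sig, 5, now.Add(8*24*time.Hour)), CheckLicense(pub, raw, sig, 6, now)
}

func main() { fmt.Println(Demo()) }
```

The signature stops a customer from editing the license or redirecting the download to a forged one; as the first comment points out, it does not stop someone who holds the source from removing the call to the check.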
+16  A: 

Include a license agreement with your code.

This is a legal issue, not a technological issue. Most people who end up knowingly stealing software never had any intention to pay for it, so it is misleading to view this theft as lost revenue.

Ask yourself this: If there were a techno-magical solution to prevent unlicensed use (along the lines of Trusted Computing), how much would sales increase? No matter how annoying you make your copy protection, the "thieving scumbag" demographic is never going to be a real moneymaker. However, you can definitely curtail sales in an otherwise lucrative market by incorporating burdensome copy protection.

Instead, focus on making it easy for the average person to acquire and account for the licenses they need. It doesn't need to be ultra-secure, just enough to thwart inadvertent violations. A simple "license key", issued with no questions asked for each new machine, actually simplifies bookkeeping for your business customers.

erickson
Well put. No need to abuse your best customers with draconian DRM that won't work anyway.
Kiv
+6  A: 

We encode a single "license" file that contains information about the customer's license (how many users they can create, for example). The rest of the source code is visible and editable, but the one license file isn't. The license file isn't just a bunch of information, but actually contains code used throughout the application.

It is of course possible to go around everywhere and modify places that use the routines defined within the license file, but from our experience, people would rather just pay to upgrade their plan. Considering how often code changes (new releases, new plugins etc) it'd be a really big chore to continuously reverse engineer it.

Christopher Nadeau
There was a recent question at the podcast where Joel explained what they do with FogBugz and it was essentially this.
J. Pablo Fernández
+1  A: 

(original answer removed)

Update: Joel Spolsky in one of his podcasts was talking about this. The trick is to price your software in such a way that it's easier for an employee (developer) to go through the company's ordering process than to fiddle around with the source code. If your software is expensive, you will need to make your source code more difficult to crack.

Of course there will still be some companies that make it so hard for employees to purchase any expensive software whatsoever that any kind of protection will fail no matter what if employees really need it.

So selling the software for a lower price is probably the key.

lubos hasko
Inadvertent piracy by businesses is fairly common. If you have no controls on usage an individual at a company will often copy software rather than go through the company's ordering process.
DJClayworth
You're right. Joel Spolsky was talking exactly about this and it makes sense.
lubos hasko
+7  A: 

In decreasing order of effectiveness:

  • Don't ship through the area around Somalia.
  • Acquire international maritime protection before entering dangerous waters.
  • Use a fast boat.
  • Constant vigilance!

In short:

  • Try to avoid using terms implying murder and violence when describing white-collar crimes.

[posted as wiki-answer to avoid skewing my rep with humour]

David Schmitt
Thank you. That was roughly my thought as well.
Dave Sherohman
awesome answer. I had a question like this - tagged boat-programming and it was a question about piracy. It got deleted unfortunately...
Tim
I'm not sure if you're just having fun here or you're seriously objecting to references to murder and violence. If the latter, you must find this a tough field to be in. We're constantly talking about "killing a task", "aborting a process", "destroying an object", etc etc. I think people routinely use violent language like this in many fields -- "that violinist murdered Beethoven last night", "the new pricing policy really cuts our sales reps off at the knees", etc.
Jay
@Jay: you are missing the point. When I kill a child (process) I'm not trying to protect my outdated business model from innovation by trying to criminalize breaches of civil law by pouring millions into lobbying instead of innovating. I'm pretty serious about not abusing terms in such a blatant orwellian newspeak way. See also http://en.wikipedia.org/wiki/Newspeak
David Schmitt
Hmm. Okay, let's be literal. I would think that acquiring a copy of somebody else's software without paying for it and without their permission is, literally, "stealing". Don't you agree? If I don't like a company's license agreement or the mechanism they use to protect their property, I have the right to not buy it. I don't have the right to steal it just because I object to their pricing or licensing requirements. ...
Jay
... Just like, if I think a department store charges too much or makes me go to too much trouble before they'll accept a check, I can shop elsewhere, but that doesn't give me the right to steal their products. Maybe I'm missing what you're trying to say. Yes, "piracy" is an exaggerated word for stealing, but it's still stealing.
Jay
@Jay: If someone **steals** from a shop they can be **sent to jail**, because they prevent the shop owner from selling the thing they have stolen. If people copy unlicensed software from the internet they may be sued for damages; they **cannot be sent to jail** because they do not hinder the original owner in the use of her property. This is the difference between criminal charges and breaches of civil law. I wouldn't call shoplifting "piracy"; why should I call copying of unlicensed content so?
David Schmitt
@David: 18 USC Section 2319 provides criminal penalties for copyright infringement, up to 10 years in jail for a second offense. Of course there are differences between the mechanics of shoplifting and of copyright violation, but the net effect is the same: Steal a $20 toaster and the store owner is $20 poorer; make an unlicensed copy of a $20 software product and the manufacturer is $20 poorer. Sure, make an unlicensed copy and the manufacturer can still make and sell more copies. Steal a toaster and the manufacturer can still make more toasters. ...
Jay
... Suppose someone broke into your house, damaged nothing and carried nothing away, just made use of your property without your permission. Should that be okay because he hasn't deprived you of the ability to use your property? I think most people would say no: You have the right to say who can use your property. It isn't up to someone else to decide whether your decisions about who can use your property and when are "fair" or "reasonable". It's yours: you can do what you want with it.
Jay
@Jay: I will accept that you follow the music industry's kool aid. I still prefer non-exaggerating terms.
David Schmitt
@David: No, I think the music industry is nuts. But surely I can say that something is morally wrong and rightfully illegal without necessarily agreeing that trivial or accidental infractions should result in destroying someone's life, or that people should be convicted of doing it without evidence. The original poster didn't say that he wanted to find a way to take someone's house away because they used a demo for 31 days when the license was for only 30. He was asking for general information about copy protection.
Jay
... I think shoplifting is wrong and rightfully illegal. I don't therefore conclude that if, say, someone accidentally leaves an item on the bottom of their shopping cart and walks out of the store without paying for it that they deserve life imprisonment. Nor do I think someone should be convicted of shoplifting because an item was missing from the store and the store-owner thinks he might have seen someone who resembled the "suspect" in the same city a few days after the incident and calls that "evidence".
Jay
+1  A: 

I'm not sure whether you're asking how to crack Fogbugz (or why people are not actively cracking Fogbugz), or how to protect your own software, so I'll answer both.


Fogbugz in particular has a couple mystical DLLs that do license control, and a few other vital things... (Most web based commercial software that you host on your own server works like this, with varying degrees of ASP/Compiled ratios)

Now, you can theoretically find all the calls from ASP into DLLs, and re-wire/re-write them, in the cases where the DLL just does license control.
There's also a Windows service... I'm not sure how vital it is to the workings of the system, but it's definitely compiled (although it seems to be .Net, so it's easier to decompile and crack).

And as usual, you can disassemble the DLLs and just crack them. But it's probably more work than the cost of the licenses.


Now, on the lines of protecting your own software...

The one thing that Fog Creek does, that in my opinion is INCREDIBLY smart, and it's also probably the main reason why Fogbugz isn't cracked, is to just not give you the source code for free in the first place.
This is resourcefully expensive to pull off the first time, but it seems to me like it's very effective.

You HAVE to buy at least ONE license to get your hands on the product and start checking it out. You can't just download a free version and try to crack it, as with a lot of software out there.

Now, the reason I say this is expensive to pull off is that to be able to actually sell your software, it's a very good idea to let people try it before buying. And the only way to do that without having them download it is to provide it in a hosted environment (like Fogbugz On Demand).

Which is not exactly rocket-science if your software is already browser-based, but if you have a product that people just download and install, then the extra effort to also host it yourself, and automatically add instances (create databases, users, etc, etc) as people request demos, etc, etc is non-trivial.

I'm really curious what they did from the "demo" point of view before OnDemand existed.

Just my 2 cents.

Daniel Magliola