Welcome to the MacNN Forums.

starman · Mar 12, 2005, 01:55 PM

Anyone deal with this before? I haven't, but I'm going to have to soon. What's a good one out there? Do you have to create the keys yourself or is there a site you can work through?

Mike

Oneota · Mar 12, 2005, 02:21 PM

I assume you mean some method of protecting shareware you're writing, as opposed to generating #s to unlock other people's work?

OwlBoy · Mar 12, 2005, 02:23 PM

Originally posted by Oneota:
I assume you mean some method of protecting shareware you're writing, as opposed to generating #s to unlock other people's work?

yeah I was about to come in here and yell at him, now I wonder.

-Owl

CD Hanks · Mar 12, 2005, 02:26 PM

www.kagi.com ?

TheBadgerHunter · Mar 12, 2005, 02:39 PM

There are a few good ones on macupdate.

starman · Mar 12, 2005, 02:48 PM

Jeez, you people see what you want to see. Did I use the word "crack" anywhere?

Mike

Krypton · Mar 12, 2005, 02:50 PM

Stone/Caffeinesoft License kit

effgee · Mar 12, 2005, 02:54 PM

Originally posted by starman:
Jeez, you people see what you want to see. Did I use the word "crack" anywhere?

Mike

Uhmm, crack = disabling protection/removing requirement for serial number, not generating serial numbers.

If you haven't done so yet, read this article on unsanity.org - it's not brand new but it covers the basics. Also, I'm quite certain that, if you have a specific question, the Unsanity folks will answer your email - Slava seems like a nice enough guy

starman · Mar 12, 2005, 02:58 PM

Originally posted by effgee:
Uhmm, crack = disabling protection/removing requirement for serial number, not generating serial numbers.

If you haven't done so yet, read this article on unsanity.org - it's not brand new but it covers the basics. Also, I'm quite certain that, if you have a specific question, the Unsanity folks will answer your email - Slava seems like a nice enough guy

Thanks for the article. The last time I released a piece of shareware I made it voluntary and still made a good amount of $ from it, but this time I'm going to make it a full-fledged shareware app and I want to make sure serials don't show up on the serials lists two days later.

Mike

Oneota · Mar 12, 2005, 03:18 PM

Originally posted by starman:
Jeez, you people see what you want to see. Did I use the word "crack" anywhere?

Mike

I never accused you of seeking cracks; in fact, my post was meant to clarify what you were asking, to deter others from jumping to the wrong conclusion.

CharlesS · Mar 12, 2005, 03:39 PM

Originally posted by starman:
Thanks for the article. The last time I released a piece of shareware I made it voluntary and still made a good amount of $ from it, but this time I'm going to make it a full-fledged shareware app and I want to make sure serials don't show up on the serials lists two days later.

Mike

No matter what you do, it'll show up on the serials lists. Unfortunately, the only real way I know of to make a registration code that would be sure to be difficult to crack would be to use public/private key encryption with a strong key. Unfortunately, that would result in a code so huge you'd have to distribute it as a registration file rather than a code the user could type in in any reasonable amount of time. If the latter is what you want, you're really limited in what you can do and how much you can encrypt the data.

Unless someone has figured out some technique which actually works, in which I'd really like to hear about it (via PM or e-mail).

With that said, one thing to keep in mind is not to use any pre-made commercial serial generator. Invent your own, else all the crackers have to do is crack the commercial serial scheme and they can now generate cracks or serials for every single program that uses that scheme. At least if you invent your own they will have to reverse engineer it, which may cause it to take a slightly longer time to appear on the serial lists.

dampeoples · Mar 12, 2005, 08:24 PM

I don't have an answer, but I wish you luck in finding a solution. I

starman · Mar 13, 2005, 01:30 AM

Originally posted by Krypton:
Stone/Caffeinesoft License kit

The Licenser Kit is normally $10,000. To kick off the Mac OS X Revolution, we are offering it to developers for only $1995, and this includes the ability to use The Licenser Kit on all your apps royalty-free, a fantastic savings.

macaddict0001 · Mar 13, 2005, 01:57 AM

anyone who has the programming skills to write a halfway decent shareware program has the programming skills to write under 20 lines into a random number generator.

starman · Mar 13, 2005, 02:00 AM

Originally posted by macaddict0001:
anyone who has the programming skills to write a halfway decent shareware program has the programming skills to write under 20 lines into a random number generator.

I do that in my sleep.

The problem is this:

1) Making sure that validated versions of the app don't get on P2P systems.
2) If they do, should I bother tracking the person down? Is it worth my time?
3) What about a limited public release and a full-featured paid-for release through kagi or amazon? Well, then see #1.
4) Serial number generators can be cracked.
5) A "phone home" system, but who runs the server?

All I'm trying to do it protect my software. There's much more to it than 20 lines of code. I'm trying to find the best solution and if I have to pay for it, the best price.

Amazon's isn't bad - $40/month + 5% of the sales, but then what happens if the volume in sales drops?

Mike

Athens · Mar 13, 2005, 02:06 AM

Originally posted by starman:
Anyone deal with this before? I haven't, but I'm going to have to soon. What's a good one out there? Do you have to create the keys yourself or is there a site you can work through?

Mike

Dont bother with serials, just make a secret method to make it full version like a special key combination which you send to those that pay and keep a database of those that paid incase they need support. If the product is good then a serial or crack will hit the net in weeks, if the product stinks then there is no point in putting in so much effort to protect it. Just price it right that people will pay. Anything 10.00 to 20.00 I usally buy. And offer payments in CDN, US and Euros because that will help if people have the option in paying in there own currency. Look at how much effor Microsoft and adobe put into protecting there products and it dosent work. 321Studios, the makers of DVDXCopy prob had the best protection and it was still cracked. Price right and save the effort, honest people will pay the ones that dont will find a way not to. Main reason Apple dosent have serials on most of there products.

Athens · Mar 13, 2005, 02:11 AM

Originally posted by starman:
I do that in my sleep.

The problem is this:

1) Making sure that validated versions of the app don't get on P2P systems.
2) If they do, should I bother tracking the person down? Is it worth my time?
3) What about a limited public release and a full-featured paid-for release through kagi or amazon? Well, then see #1.
4) Serial number generators can be cracked.
5) A "phone home" system, but who runs the server?

All I'm trying to do it protect my software. There's much more to it than 20 lines of code. I'm trying to find the best solution and if I have to pay for it, the best price.

Amazon's isn't bad - $40/month + 5% of the sales, but then what happens if the volume in sales drops?

Mike

1) Impossible
2) Its not worth your time or money
3) Again it full version will hit the P2P networks so again dont bother
4) Yes so not much point
5) useless in most places, you need to have millions of dollars for lawyers, the time to deal with it and most places the laws protect the privacy of the person which makes it impossible for you to get hte information you need to do anything about it. Not to mention most of the world will be out of your ability to deal with it.

If you are that worried about protecting your software then dont make anything. Just price it right that people will pay for it and make it easy for them to pay.

tooki · Mar 13, 2005, 02:42 AM

Just for the record, I think it's worth mentioning that elaborate activation keys and whatnot won't prevent lost sales. They may reduce the number of unpaid users, but they won't reduce the number of lost sales. By this I mean that a lot of the people who use pirated copies would never pay for one; many of them are kids who simply don't have the money, or casual users who want to use it once a year. If the activation system prevents them from using it illegally, they still won't buy it; they'll just not use it at all. They might do without, or they might use a competitor's product.

I hate to say it, but I sometimes fall into that group. I cannot justify buying $80 "shareware" (which, by the way, if it's not full-featured 100% of the time, unregistered, it's not shareware, it's demo- or trialware) to do a task that I will do once or twice a year for school. I'll either pirate a code, or I'll do without.

I have to emphasize again how much I hate how "shareware" authors have mangled the meaning of the word "shareware". It used to mean software that you shared with friends, and if you found it to be useful, you sent the author some money (or beer, or postcards, depending on what was requested!), and if you didn't, the software kept working just as well as before. Nowadays, shareware authors have perverted the word to mean any software that can be copied to others, but isn't free. If it's not full-featured, or if it is time-limited, it's not shareware, it's a demo version or a trial version. GraphicConverter is an example of true shareware; a lot of the so-called shareware is not.

Shareware also shouldn't be $50, 60, 90, 100+: that's squarely the range of commercial software.

tooki

Athens · Mar 13, 2005, 03:01 AM

Originally posted by tooki:
Just for the record, I think it's worth mentioning that elaborate activation keys and whatnot won't prevent lost sales. They may reduce the number of unpaid users, but they won't reduce the number of lost sales. By this I mean that a lot of the people who use pirated copies would never pay for one; many of them are kids who simply don't have the money, or casual users who want to use it once a year. If the activation system prevents them from using it illegally, they still won't buy it; they'll just not use it at all. They might do without, or they might use a competitor's product.

I hate to say it, but I sometimes fall into that group. I cannot justify buying $80 "shareware" (which, by the way, if it's not full-featured 100% of the time, unregistered, it's not shareware, it's demo- or trialware) to do a task that I will do once or twice a year for school. I'll either pirate a code, or I'll do without.

I have to emphasize again how much I hate how "shareware" authors have mangled the meaning of the word "shareware". It used to mean software that you shared with friends, and if you found it to be useful, you sent the author some money (or beer, or postcards, depending on what was requested!), and if you didn't, the software kept working just as well as before. Nowadays, shareware authors have perverted the word to mean any software that can be copied to others, but isn't free. If it's not full-featured, or if it is time-limited, it's not shareware, it's a demo version or a trial version. GraphicConverter is an example of true shareware; a lot of the so-called shareware is not.

Shareware also shouldn't be $50, 60, 90, 100+: that's squarely the range of commercial software.

tooki

Hehe Graphic Converter is one of those GREAT shareware programs which I acutally paid for too. Price is a big thing, think of it this way, Assume you have a shareware product and 10 000 people are using it. At 80.00 a copy no one buys it you made nothing. At 40.00 a copy 100 people bought and made 4000.00 from it. At 30.00 a copy 500 people bought it and you made 15000 from it. At 20.00 per copy 1000 people bought it and you made 20000 from it. At 10.00 per copy 4000 people bought it and you made 40000 from it. My point is you may make more pricing it right then putting in tons of effort into protecting it and making it difficult to register.

I personally download mostly freeware and shareware. Ive paid for maybe 5 or 6 shareware apps over the years that I thought where worth it. The others I dont use or rarly use. I also some times download commercial software if its something big and has heavy system requirements just to see if it functions good enough on my computer which only has 256MB of ram in it. Currently the only thing I have that I plan to buy but cant afford yet use right now is Photoshop. I imagine it will take me about another 8 months before I can buy it. Everything else is free, shareware or I own. Microsoft could use a lession on this, if Office was only 40.00 more people would own legal copies.

Superchicken · Mar 13, 2005, 04:53 AM

I'm one of those do without types... there are a few shareware apps I'd love to get and pay for... but they add up really quickly and most of them I don't really need. Or some are just horribly over priced... not to mention I don't have a credit card right now. That said I'm really glad Open Source is getting so popular. It means I can get great software like Adium and Cyberduck. actually nearly all of my software is either freeware, Apple, Graphcis apps or Open Source. One of these days though I'm gona pay for SubEthaEdit that's an apps that's worth it. I'd also love to get a license for iConquer.

effgee · Mar 13, 2005, 05:02 AM

Originally posted by starman:
I do that in my sleep. ...The problem is this:
1) Making sure that validated versions of the app don't get on P2P systems.
2) If they do, should I bother tracking the person down? Is it worth my time?
3) What about a limited public release and a full-featured paid-for release through kagi or amazon? Well, then see #1.
4) Serial number generators can be cracked.
5) A "phone home" system, but who runs the server?

All I'm trying to do it protect my software. There's much more to it than 20 lines of code. I'm trying to find the best solution and if I have to pay for it, the best price. ...

Forget it. As stated above, if your app is any good it will be pirated, no matter what you do. If Adobe, Macromedia, etc. have a hard time restricting illegal use of their apps, what makes you think that you'll succeed where they failed? Do you have that much time on your hands?
What I would do is pay attention to the issue and try to monitor if certain IP blocks (as in: corporate IP blocks, not ISPs) show up frequently and go after those "corporate pirates". I most likely wouldn't bother going after single folks - again, this depends on how much time you have on your hands. Assuming you're in the US - imagine the hoops you're going to have to jump through in order to get an ISP in Portugal to give up the information necessary for you to go after a single pirated copy of your app
Not my cup of tea and personally, I will not try/buy "crippleware" - not including the obvious exceptions such as Adobe, Macromedia, etc. products - since those aren't advertised as shareware anyway.
Not "can", they "will" be cracked. The only question is "when", not "if".
That's fine if you think that's what it takes to protect your product. Personally, I will not allow any software product on any of the machines in my office to "call home" without me pressing a button first - that's what Little Snitch is for. I find the development of software publishers telling me to "trust" them with my personal information deeply disturbing and any software that refuses to run under the conditions I set (no "calling home" without my prior interaction, Little Snitch, etc.) will go right in the trash.

Assume for a second that you own a Sony TV - how would you like it if your TV established an internet connection every time you turned it on. Yeah, Sony would tell you that they'd never create a personal profile that includes your TV watching habits but at the same time their privacy policy also tells you that it can be changed/amended whenever they see fit.

In the end, it is all about finding the perfect balance between protecting your intellectual property and not getting swept away by tracking down pirates to the point where it has a negative influence on your ability to run your business (add features to the app, fix bugs, provide tech support to paying customers, etc.)

IMHO, one of the best examples of a serial number protection done right is BBEdit - the app doesn't call home without your consent but still - every time the Barebones folks release a new version, the kids on "that site" scramble for weeks until they finally get a number that works. I doubt the guys at Barebones will fill you in on exactly how they protect their app but maybe it's worth a couple of hours of your time to look into that and see what you find out.

BBEdit works exactly the way I think an app should work in terms of protection - it's not spying on me, it doesn't inconvenience me as a paying customer and yet, it seems to be well-protected. At least from your casual, every-day "pirate" - and if you look at it realistically, that's about all you can hope for, anyway.

tooki · Mar 13, 2005, 11:04 AM

Originally posted by Athens:
Hehe Graphic Converter is one of those GREAT shareware programs which I acutally paid for too. Price is a big thing, think of it this way, Assume you have a shareware product and 10 000 people are using it. At 80.00 a copy no one buys it you made nothing. At 40.00 a copy 100 people bought and made 4000.00 from it. At 30.00 a copy 500 people bought it and you made 15000 from it. At 20.00 per copy 1000 people bought it and you made 20000 from it. At 10.00 per copy 4000 people bought it and you made 40000 from it. My point is you may make more pricing it right then putting in tons of effort into protecting it and making it difficult to register.

Well that's not quite right, either -- if you price it too low, people may not take it seriously, and won't pay because of that. It's also not correct to assume that cost is the only reason people won't register: there's a certain number of people who won't register no matter what. In business, the science of finding the right price is basically a discipline unto itself, not something that a simple linear equation will solve well.

tooki

P.S. Followup to my post above: lest anyone think that I also think it's OK to steal a car for when I just need to make a quick trip to the store, I should point out that with software, there's no way to rent it when you just need it for a short time. If I need a moving van -- something I use very, very seldom -- I can just rent one. If I need some specialized program for one single school project, I have no option to rent such a beast, I have to buy it.

Oneota · Mar 13, 2005, 11:18 AM

Originally posted by tooki:

P.S. Followup to my post above: lest anyone think that I also think it's OK to steal a car for when I just need to make a quick trip to the store, I should point out that with software, there's no way to rent it when you just need it for a short time. If I need a moving van -- something I use very, very seldom -- I can just rent one. If I need some specialized program for one single school project, I have no option to rent such a beast, I have to buy it.

Hmm..interesting idea. Short-term, low-price licenses. Potential buyers could have the option of paying full-price for a normal license, or a much lower price for a shorter-term, like a single-use or a 7-day license. Naturally, not all software would benefit from a license scheme like this, but the right piece of software could do very well by it, I think.

theolein · Mar 13, 2005, 11:28 AM

Originally posted by starman:
Anyone deal with this before? I haven't, but I'm going to have to soon. What's a good one out there? Do you have to create the keys yourself or is there a site you can work through?

Mike

It might be too much hassle to worth the effort but have you thought of online activation?

effgee · Mar 13, 2005, 11:28 AM

Originally posted by Oneota:
... , or a much lower price for a shorter-term, like a single-use or a 7-day license. Naturally, not all software would benefit from a license scheme like this, but the right piece of software could do very well by it, I think.

Longhorn?

DeathMan · Mar 13, 2005, 11:36 AM

Originally posted by Oneota:
Hmm..interesting idea. Short-term, low-price licenses. Potential buyers could have the option of paying full-price for a normal license, or a much lower price for a shorter-term, like a single-use or a 7-day license. Naturally, not all software would benefit from a license scheme like this, but the right piece of software could do very well by it, I think.

For some reason, I don't think that would fly. It makes sense to me, but I'm not sure people want to rent software.

This is what has gotten money out of me in the past:

Set up your software so that you don't need a key right away. Find something that is somewhat limiting, but no so much that you go look for alternatives. CSSEdit is a perfect example. They had a couple limitations. The first was to give it a line limit (or char limit, I don't remember) the second was copy/paste didn't work right (it would paste something like: "If you like this software, please register it, it will help keep development going" or something like that.

Doing this got me to the point where I was using it a lot. Then I saw the value in it. So I bought it.

If its something useful, let them use it without too much trouble, and give them a *gentle* reminder every once in a while that registration helps development, and contributes to independent software production.

CharlesS · Mar 13, 2005, 01:39 PM

Originally posted by effgee:
That's fine if you think that's what it takes to protect your product. Personally, I will not allow any software product on any of the machines in my office to "call home" without me pressing a button first - that's what Little Snitch is for. I find the development of software publishers telling me to "trust" them with my personal information deeply disturbing and any software that refuses to run under the conditions I set (no "calling home" without my prior interaction, Little Snitch, etc.) will go right in the trash.

That's something I've been thinking about. How would you feel if a program didn't upload any information but rather only downloaded it? Say for example, a program could download a blacklist of known pirated serial numbers and return the app to an unregistered state if you're using one of them. No personal information would be sent this way, and the developer could simply check "that app" from "that site" every month and add the latest serial to the blacklist. It wouldn't stop people from trading custom serials in the forums, or posting serial generator apps, but at least it would take care of the casual pirates who only know about "that app" from "that site".

It seems to me that this would be not so different from other types of automatic downloading that programs already do, such as downloading info on whether a new version is available or not.

How would you respond to something like this?

effgee · Mar 13, 2005, 02:10 PM

Originally posted by CharlesS:
... How would you respond to something like this?

In one sentence - "not on my machines it won't"

Seriously though, I fully understand your concern - and I do sympathize with you. Nothing ticks me off more than people stealing my work. But there's other ways of dealing with this problem than inconveniencing (or even "spying on") your "legal" customers.

That being said, not a single piece of software on any of my machines will make a connection to the outside world without my express consent ("clicking a button") - if it tries, Little Snitch will stop it. If I feel especially geeky, I'll add the software company's IP(s, block) to my hosts file ("69.90.122.197 127.0.0.0"). If the software refuses to run it goes in the trash - regardless of whether I already paid for it or not.

To be blunt, I don't care about the purpose of the connection - serial check, software update, whatever - it's not happening on my machine.

I've been around "playing" with the internet as well as with marketing folks in general for too long to give anyone the benefit of the doubt. And please don't get me wrong here - I don't believe that you personally are an evil guy or that you/your product would attempt to "lift" personal info off my machine - but all it takes is one bad apple, one occasion. Software developers and/or marketing depts. of software companies are no different than any other part of the population - 90+ percent good folks, x% bastards - thus, nobody gets to play.

If I subscribed to the notion of trusting someone because he tells me so I could just as well leave my house door unlocked at night since most of the people are decent folks who'd never break into my house. But most of us don't do that either, don't we?

I don't want my fridge to tell the supermarket that I'm out of milk, I don't want my car to tell the shop that an oil change is due, I don't want my cable box to tell the cable company what I watch on TV.

I do of course realize that I most likely am a member of a small minority here and that my POV is a bit on the extreme (feel free to call it "paranoid") side - but as stated above:

I don't leave my house unlocked because someone I've never met before tells me it's safe to do so - why should I change my behavior when my computer(s) is (are) concerned?

Mafia · Mar 13, 2005, 02:31 PM

there was a cocoa tutorial a while back that showed you how to write your own in cocoa. would be simple to modify a bit to your own liking.

Stradlater · Mar 13, 2005, 03:33 PM

Originally posted by Athens:
Microsoft could use a lession on this, if Office was only 40.00 more people would own legal copies.

And they wouldn't make nearly as much money. Most of the people that steal Office are individuals -- usually outside of educational institutions that offer competitive discounts (you can get Office 2004 for about $50 at a number of universities).

Microsoft gets most of its money from businesses that buy a ton of licences -- businesses that can't pirate the software.

Trust me, if you changed the pricing of Office to 40.00 a pop, people would still steal it, and you and Bill Gates would be significantly less wealthy.

dialo · Mar 13, 2005, 04:19 PM

I'm with you 100%, effgee.

CharlesS · Mar 13, 2005, 04:32 PM

Originally posted by effgee:
Seriously though, I fully understand your concern - and I do sympathize with you. Nothing ticks me off more than people stealing my work. But there's other ways of dealing with this problem than inconveniencing (or even "spying on") your "legal" customers.

...snip...

I don't want my fridge to tell the supermarket that I'm out of milk, I don't want my car to tell the shop that an oil change is due, I don't want my cable box to tell the cable company what I watch on TV.

But if a product only downloaded instead of uploaded, wouldn't that alleviate this concern? Since no information whatsoever would be sent to the developer, no "spying" or "telling" anything would take place.

PurpleGiant · Mar 13, 2005, 04:37 PM

Originally posted by CharlesS:
But if a product only downloaded instead of uploaded, wouldn't that alleviate this concern? Since no information whatsoever would be sent to the developer, no "spying" or "telling" anything would take place.

I would have no problem with that. But then again, I'm pretty relaxed with most things.

I imagine effgee's problem is still that you would have a record of his IP and every time that IP connects to download the file. I know, what are you going to do with a bunch of IPs, but I'm guessing that's what the deal there is.

effgee · 05:25 PM

Originally posted by CharlesS:
But if a product only downloaded instead of uploaded, wouldn't that alleviate this concern? Since no information whatsoever would be sent to the developer, no "spying" or "telling" anything would take place.

PG was almost there

Close, but not quite.

For the sake of the example below, let's assume for a second that you are a "malicious" software developer (think "Doubleclick") and I'm a regular customer. There's nothing you'd like more than to know as much as possible about me. Let's also assume - this being a worst case scenario, that your app, like some others (Synchronize Pro X, for example), not only runs its main application but also a hidden app that supposedly makes sure that no other copies with the same serial are running on my LAN.

Here's why I wouldn't trust you when you tell me that the internet connection is "only" established to check for new versions, pirated serials, etc.:

While I could open my Terminal app every time your app connects so I can make sure that only the information you listed will be sent, I have better things to do than to go through kilobytes and kilobytes of logged TCP packets. Why should I believe you?
How do I know that you really only collect the data listed in your EULA?
How do I know that your main and/or the invisible app do not write personal/sensitive information of mine to an encrypted/hidden file, the contents of which are being transmitted when your app checks for an "update"?
Your main and/or invisible app could easily keep an eye on what other related products I frequently use (e.g., Retrospect to correspond with the example above), so in return you can go and implement similar features in your own app to gain a competitive advantage.

And here comes my main point of complaint - to be brutally honest: "Why should I let you inconvenience me because you have a problem keeping your product secure. That's your problem as a developer and not mine as a paying customer."

Would you let your supermarket install a video camera in your kitchen because the theft of frozen chicken in their store has increased by 80% last year?

I don't think so.

How about if they promise you to only turn on the camera for 60 minutes after you went shopping there and only to check for their own products?

I don't think so either.

As far as your idea of a blacklist download is concerned - there's only two ways to do that. Either you initiate the contact from your licensing server, in which case I never get to see your request because your packets will be dropped at my hardware firewall. Or you write your app so that it periodically initiates a connection, promising me that it'll "only download" something, in which case I will add your IP to my host file or I'll let Little Snitch take care of the "issue".

In short - and I mean no offense by that - you (or any other software developer, for that matter) are a total stranger to me and the fact that I gave you $20, $200 or even $2000 does not imply that I trust you to rummage around in my computer and only take (or put there) the stuff you said you'd take (put there).

And since I don't feel like checking every imaginable log file on a regular basis just to make sure that nobody snooped around where they shouldn't - nobody gets to push/pull anything. Ever.

So no, it's not about the IP address per se (you can get that one when I visit your site anyway) - it's about the potential for abuse and software developers trying to unload their problems onto my back.

It's that my entire professional life resides on the machines in my office and there's no way in hell that I'll give you (or anyone else) a key to that. No matter how nicely you ask or much you promise not to look in certain cabinets.

CharlesS · Mar 13, 2005, 05:30 PM

Originally posted by effgee:
As far as your idea of a blacklist download is concerned - there's only two ways to do that. Either you initiate the contact from your licensing server, in which case I never get to see your request because your packets will be dropped at my hardware firewall. Or you write your app so that it periodically initiates a connection, promising me that it'll "only download" something, in which case I will add your IP to my host file or I'll let Little Snitch take care of the "issue".

Okay, how about this scenario:

The app downloads the information from the server by fork/execing the /usr/bin/curl tool. Curl downloads the information to a file, then the app reads in the file. Since your firewall probably tells you what app is trying to initiate a connection, it shows you that the app is /usr/bin/curl, and since you know what /usr/bin/curl does and that it basically downloads stuff and doesn't send any personal information, then there's no cause for concern.

Right?

effgee · Mar 13, 2005, 05:30 PM

starman - check out this guys' product - maybe it'll fit your needs.

not that I'd ever become a customer of yours if you actually decided to use it, mind you.

effgee · 06:21 PM

Originally posted by CharlesS:
Okay, how about this scenario:

The app downloads the information from the server by fork/execing the /usr/bin/curl tool. Curl downloads the information to a file, then the app reads in the file. Since your firewall probably tells you what app is trying to initiate a connection, it shows you that the app is /usr/bin/curl, and since you know what /usr/bin/curl does and that it basically downloads stuff and doesn't send any personal information, then there's no cause for concern.

Right?

In theory - yes. You would however face the problem that:

Most "regular" users have no clue what curl is/does and therefore will not know whether something is being up- or downloaded. (Even though I would guess that those folks aren't really your target audience anyway)
It still requires trust which, between the two of us, has never been establshed - your app starts curl, Little Snitch tells me "The application curl wants to connect to 69.90.122.197" in which case (after a quick IP whois) I immediately create a rule that will prevent your IP from ever being contacted from any of my machines - regardless of application used, direction of traffic and/or protocol/port.

I have no time to go after each and every app that wants to establish an internet connection to check exactly (and beforehand) what it is it wants to send/receive - in the last two years or so, this "feature" has become an epidemic. And my antidote is: "No internet for you! Come back in two years!"

You want to send me something? Why? I paid for the app, I'm using it - and I can see very well for myself whether or not it's been updated.

Keep in mind though, I'm only speaking for myself here - I'm not trying to tell you that what you're doing is wrong. It's wrong for me personally as one guy who buys software - I think developers could just as well use the time they spend on devising online licensing schemes to improve their serial number (checking) schemes. It seems to work alright for the guys at Barebones as well as for the guys at Unsanity - why not for the others as well?

It might still be good for your business - as long as your customers go along with it. Personally, I wish they wouldn't - but I know better. They're a lazy and complacent bunch - and until, one fine day, a whole lot of them got their hard drives plundered by some unscrupulous pr!ck, nobody will care.

But after that day, those will be the ones who scream the loudest. And I'll be sitting in my office chair, reading those news and have a good, evil giggle - nothing beats a healthy dose of "Schadenfreude". Or what did Will Smith say to the scientist chick in iRobot after he whacks the evil robot:"... Somehow "I told you so" doesn't quite do it justice ..."

macaddict0001 · Mar 13, 2005, 07:38 PM

what if you had someone enter a serial number online before they could do the download. at which point their os and filesystem were verified and it was installed directly from your server. then someone would have to create an installer before widespread piracy could take place.

dampeoples · Mar 13, 2005, 07:41 PM

Originally posted by Oneota:
Hmm..interesting idea. Short-term, low-price licenses. Potential buyers could have the option of paying full-price for a normal license, or a much lower price for a shorter-term, like a single-use or a 7-day license. Naturally, not all software would benefit from a license scheme like this, but the right piece of software could do very well by it, I think.

I think Omnioutliner gives away a week trial or something, that fits tookis category, and seems to work well for them, as I hear nothing but good things about it.

CharlesS · Mar 13, 2005, 08:00 PM

Originally posted by effgee:
It still requires trust which, between the two of us, has never been establshed - your app starts curl, Little Snitch tells me "The application curl wants to connect to 69.90.122.197" in which case (after a quick IP whois) I immediately create a rule that will prevent your IP from ever being contacted from any of my machines - regardless of application used, direction of traffic and/or protocol/port.

But why? In this scenario, the fact that it's using curl proves that it's only downloading data, and your whole reasoning behind "requiring trust" has been that you don't trust apps not to send your personal data or other information to the developer. What malice could be caused by the app downloading a file that couldn't have been done simply by including a malicious file in the app bundle?

Keep in mind though, I'm only speaking for myself here - I'm not trying to tell you that what you're doing is wrong.

Oh, I'm not "doing" anything at the present time. Right now I'm just brainstorming.

It's wrong for me personally as one guy who buys software - I think developers could just as well use the time they spend on devising online licensing schemes to improve their serial number (checking) schemes. It seems to work alright for the guys at Barebones as well as for the guys at Unsanity - why not for the others as well?

Improve their serial number checking scheme how? AFAIK it's impossible to create an uncrackable serial scheme since the crackers can just disassemble your app and poke through your code. Your best bet is public/private key encryption, but the only way to encrypt the data into something small enough is to use a tiny key, like 128 bits, which is easily crackable via factoring. If you use strong encryption, like a 2048 or 4096-bit key, you end up with something so huge that there's no way you can expect any end user to be able to type it in. You'd have to give them a registration file instead of a registration code, and they would have to drag the file onto the app or select it in an Open dialog box in order to register the program.

It might still be good for your business - as long as your customers go along with it. Personally, I wish they wouldn't - but I know better. They're a lazy and complacent bunch - and until, one fine day, a whole lot of them got their hard drives plundered by some unscrupulous pr!ck, nobody will care.

But how could that happen if the only app accessing the remote server was /usr/bin/curl? You haven't really established the risk to the end-user in the scenario I posted.

Xeo · Mar 13, 2005, 10:21 PM

Originally posted by CharlesS:
But why? In this scenario, the fact that it's using curl proves that it's only downloading data, and your whole reasoning behind "requiring trust" has been that you don't trust apps not to send your personal data or other information to the developer. What malice could be caused by the app downloading a file that couldn't have been done simply by including a malicious file in the app bundle?

With every connection, there is data being sent and received.

/usr/bin/curl "http://myserver.com/blacklist.php?fname=John&lname=Doe&CCN=402 3-2034-1010-4044"

goMac · Mar 13, 2005, 11:36 PM

Be careful with the standardly sold serial code systems. All our products used a standardized one. One of our programs was cracked, and it seems pirates are cracking the rest of our programs because they all use the same generator. Needless to say we're coding something better in house for new software.

starman · Mar 14, 2005, 12:37 AM

This is a great discussion.

I just now finished what I would release as a "Preview" version of the app. It's not finished, but gives a good idea of what it'll do once it IS done. However, I'm not sure if I'm going to release it tomorrow just yet. It doesn't have any bugs, just missing features.

And I need button icons.

Then I started shopping around. Kagi seems like a good deal. Amazon has a good deal too but they want $40/month for unlimited downloads. Maybe I'll make that, maybe I won't.

I think I'm going to avoid the whole serial # bull---- for now. Too much trouble, and I don't even know how well received the app will be.

I was considering making it "donationware", but that won't work out as well as I'd like. I did that with ResurrXtion because the app was so small to begin with. A "gentle reminder" or some limited features should help. I haven't decided if I'm going to make the app expire. That might frustrate people into seeking out a P2P version (but yes, as Tooki says, people that don't want to pay for it won't, but if they USE it, well, that fits into the catagory of "they SHOULD pay for it").

It's late. I'm going to bed. Thanks for the suggestions. Sorry I can't divulge more about it yet. If things go well (meaning...if I have time), I'll put some more features in and maybe release it tomorrow or the next day. There's a date I'm shooting for to get it completely finished so a "Preview" version will be a good teaser and get feedback.

What amazes me is that I wrote the damn thing in a week. Cocoa just kicks ass.

Mike

Jan Van Boghout · Mar 14, 2005, 12:39 AM

Effgee, it puzzles me that you throw away any app that contacts a web server because of a lack of trust, yet isn't it a considerable leap of faith (IMHO) to trust an application that sifts through all your network activity and potentially even modifies it?

CharlesS · 12:55 AM

Originally posted by Xeo:
With every connection, there is data being sent and received.
/usr/bin/curl "http://myserver.com/blacklist.php?fname=John&lname=Doe&CCN=402 3-2034-1010-4044"

Point. But, such a command line would show up in ps -ax.

Spliff · Mar 14, 2005, 12:57 AM

Didn't Ambrosia Software come up with a very effective way of protecting their software? We need Moki to post to this thread and give us an update about how effective their strategy has or hasn't been.

CharlesS · Mar 14, 2005, 01:03 AM

Originally posted by Spliff:
Didn't Ambrosia Software come up with a very effective way of protecting their software? We need Moki to post to this thread and give us an update about how effective their strategy has or hasn't been.

The Ambrosia apps have license codes that expire after a given amount of time, and if you reformat your drive, get a new computer, have more than one user on the same machine use the app, or whatever, you have to call them and ask for a new code. Not only is this something that actually is a pain in the rear end for paying users, but all the requests for new registration codes would be something that a one-man shareware company couldn't possibly hope to be able to handle.

Balneum · Mar 14, 2005, 01:37 AM

Have ever tried distributing it free and asking for some donations via PayPal. I don�t know about rest of you but I donate for regular basis for good couses like excellent programs...

Jan Van Boghout · Mar 14, 2005, 01:46 AM

Originally posted by CharlesS:
The Ambrosia apps have license codes that expire after a given amount of time, and if you reformat your drive, get a new computer, have more than one user on the same machine use the app, or whatever, you have to call them and ask for a new code. Not only is this something that actually is a pain in the rear end for paying users, but all the requests for new registration codes would be something that a one-man shareware company couldn't possibly hope to be able to handle.

Doesn't this happen automatically? I thought they just requested a new code to a license server and it would handle everything in the backgroundm no telephone calls involved

Athens · Mar 14, 2005, 02:27 AM

Originally posted by Oneota:
Hmm..interesting idea. Short-term, low-price licenses. Potential buyers could have the option of paying full-price for a normal license, or a much lower price for a shorter-term, like a single-use or a 7-day license. Naturally, not all software would benefit from a license scheme like this, but the right piece of software could do very well by it, I think.

I wouldnt mind a monthly rental if its cheap enough and it includes updates. Paying 10.00 a month for office is something I would do, 6 years of rental would be 760