Ayende @ Rahien


A complete and utter waste of my time

For NH Prof, I need to have some licensing solution so people would be reminded that after 30 days of using the trial, they should pay. Initially, I bought a licensing component. That didn’t work out, and I now find myself in the position of having to write the licensing infrastructure for NH Prof.

Any second that I put into the licensing infrastructure is a second that I can’t put into actually making the product itself useful. More than that, in order to produce a good licensing story, you need to invest a lot of time writing some tricky code so hackers would have a harder time breaking this.

I got some advice in the matter from friends, which I am very grateful for, if not for the fact that this is so depressing.

Now, just to make things more complicated. Licensing is actually a big topic. I got requests from users regarding the licensing. Those range from being able to use a license on several machines, support floating licenses and removing a license from a machine.

Argh, what a waste of time!

Comments

firefly
01/26/2009 05:31 AM by
firefly

Why don't you sell or open source it? :) then it wouldn't be a complete waste of your time. I would check out some obfuscation product too if you are paranoid. Otherwise I'm afraid it might be too easy to break.

Justin Rudd
01/26/2009 05:55 AM by
Justin Rudd

Good luck! You might consider just selling it and letting people be honest about it. I know if I needed 5 copies, I'd pay for 5 copies. I'm sure most others would as well.

But for those people that want to break in, they're going to break in. Witness all the time and money spent on DRM. A simple Google search will find you a number of different solutions to ripping DVDs, removing DRM from iTunes aac files, etc.

Ayende Rahien
01/26/2009 06:01 AM by
Ayende Rahien

Justin,

It is serving more as a way for people to be honest than anything else.

James Kovacs
01/26/2009 06:22 AM by
James Kovacs

Oren, I would recommend keeping it simple with the sole purpose of reminding honest people to be honest. The truly evil people will crack whatever you create. The software is running on their computers after all, which gives them broad ability to modify the running application. (i.e. Reverse the logic in the if(IsLicensed) switch in the running program. ILDASM, remove the licensing code, ILASM... etc.) A friend at a well-known software company saw a license key generator for their product appear on warez sites within 1/2 hour of releasing their latest version. The sad reality is that the more you hacker-proof your licensing code, the more hassle it becomes for your end users. Probably the best you'll do is turn a 20-minute hack into a 2-day hack at most. Please promise us that you won't create Rhino DRM. :)

Michael Morton
01/26/2009 07:00 AM by
Michael Morton

No matter what you do, no matter how hard you make it, any licensing solution you choose or make will be cracked.

What's worse? Only marginally delaying the time until someone is able to crack the software or having a paying customer not be able to install or use the software because of an issue with the licensing routines in their environment?

I've never seen a single licensing solution that was not able to be cracked but I have seen people have many problems installing and/or running software they have legally purchased because of issues with the licensing routines. Just ask anyone who had issues with StarForce or SecureROM.

Jonas Pihlström
01/26/2009 08:00 AM by
Jonas Pihlström

I have many fond memories of having to buy a cd reader and disconnect my burner drive any time I wanted to play a game with StarForce protection.. These days I stick to playing solitaire, much easier. :)

A protection system in .Net's going to be difficult to make without it being easy to hack out by anyone with any .Net experience.. And considering that's your target market, I think you're going to find your product making its way into the hands of less kind-hearted developers rather quickly, unfortunately..

Unless there's actual good reason for purchasing aside from obtaining the actual product.

I'd say it's worth having something, for sure, if nothing else just to be able to separate unlicensed users in support errands. I hope you find a solution that fits you, it's a difficult and ridiculously boring area of software development for sure.

Tommaso Caldarola
01/26/2009 08:30 AM by
Tommaso Caldarola

You could think of a limited version (some features only) of the tool...

Rafal
01/26/2009 10:05 AM by
Rafal

Hi, I think there's no way that your product makes it to the top 10 P2P downloads list, so maybe you should reconsider the protection level? It will be used by professional developers or software companies, they usually pay for tools they use. Simple 'your trial has expired' message should be enough.

Or, instead of investing too much at the beginning, go with basic protection in version 1.0 and if you see the software being pirated - apply stronger protection in 2.0.

Niklas
01/26/2009 10:09 AM by
Niklas

There are so many benefits to providing a very simple activation model. You'll avoid angry mobs of paying customers who can't use their software (see QuarkXPress and other dongle-protected pieces of software) and people will be able to learn and become addicted to your tool on their spare time, which will result in purchases by their employers. Adobe, Microsoft and Ableton are a few obvious examples of success as a direct result from "pirating", although they'd never admit it officially.

Rik Hemsley
01/26/2009 11:00 AM by
Rik Hemsley

My suggestion: Make it free for non-commercial use, sell a commercial version, trust your users to honour your licence. As has already been said here, if anyone wants to get past your 'protection', they will anyway.

glueball
01/26/2009 11:42 AM by
glueball

The last thing you can do is to write your own licensing server using DHT =) But it seems there is very little sense to hug the mind with strong licensing. Just include an annoying, really ANNOYING, alert in NHProf.

And an actual limitation can be more effective - let NH Prof kill user data through the NHSession it is inspecting, if the free usage time is over %)

It's a joke, of course.

Matt
01/26/2009 01:09 PM by
Matt

+1 for building it, using it, selling it

Jay
01/26/2009 01:26 PM by
Jay

I don't think you should spend much time on licensing at all.

If people want to steal your software, they'll find a way.

It's a losing battle. You can very easily dump huge amounts of time/brainpower into trying to come up with clever ways to protect it, and they'll crack it anyway, probably in less time than it took you to protect it in the first place. There's also only one of you, and many of them.

My best advice to you is to make it easy/desirable for people to buy it and treat the ones who do buy it with respect.

You talk about zero friction development all the time, apply that to purchasing.

1) Price it reasonably. Many companies have a purchase size above which they need a PO. Make it less than that for an individual developer.

2) Don't offer too many types of licenses. Make the terms very easy to understand. If customers need to consult with their lawyer to find out if they're in compliance or not you've done something wrong.

3) Offer a cheap(er) personal license. Not everyone who's going to want to use this is necessarily a professional developer flush with cash (yet). If you hook them now, at least some of them will push for your product to be adopted at their future companies.

4) Improve the product on a regular basis. Make it easy for registered owners to get the latest version.

5) Don't add anything to your protection system that will inconvenience a legitimate customer. It's better that 100 people steal it than you enrage one person who has already paid for it. You'll also be losing money every time you have to support one of these users.

The overall theme is to make it easier to be honest than to be a pirate. Most people want to do the right thing, but some companies make it so incredibly difficult to be their customer that being a pirate is an attractive option even if you're authorized to buy the software.

Mr_License
01/26/2009 02:05 PM by
Mr_License

Look at CrypKey. For $800 you're in and it supports single and network licences as well as moving a license from machine to machine.

Randall Sutton
01/26/2009 02:07 PM by
Randall Sutton

My favorite licensing scheme is done by grc.com the makers of SpinRite. Basically you get a serial number. This serial number is used to access a download area that includes the software, docs, etc. The software you download embeds your information, so when I run SpinRite it shows my name (This way if you find pirated copies you know where they came from). Also if you buy 3 copies that is equivalent to a site license.

Hopefully that helps.

efdee
01/26/2009 02:08 PM by
efdee

No matter how much effort you will invest in keeping crackers out, it will only make them want to get in harder, and make it harder on your users to work with the application.

Floating licenses? Remove license from machine? I bought a license and I pretty much expect to be able to use the program anywhere now, as long as it's me using it. And hopefully without too much hassle.

Mr_Obfuscation
01/26/2009 02:10 PM by
Mr_Obfuscation

For obfuscation, check out PreEmptive's Dotfuscator - that'll set you back $3000 or so.

I use Dotfuscator + CrypKey + HASP dongles on my code. I have $5000 or so invested in anti-piracy tools alone, but the time I spend writing code is worth WAY more than that.

Besides, I like to sleep at night knowing I've been paid for my work.

BTW - since I purchased a NH Prof license I'd hate to see it go open-source without some sort of refund...

Ayende Rahien
01/26/2009 02:12 PM by
Ayende Rahien

Mr_Obfuscation,

You can safely assume that I have no intention of making NH Prof open source.

Andrea
01/26/2009 03:40 PM by
Andrea

+1 on the free for personal use and pay for company use.

I think it is the way to go for software development tools

also it's a pita when you want to try to see if something is the tool you are actually looking for or it will do what you think it should

my 2 cents

David
01/26/2009 03:47 PM by
David

Nah keep up the good work, we're about to pay no problem :)

Hard Times Guy
01/26/2009 04:06 PM by
Hard Times Guy

~$180 is fine for a large software vendor, but for an independent contractor, we have to "think" about making the purchase, make the price low enough so we don't have to "think" about it.

LukeB
01/26/2009 05:38 PM by
LukeB

"My best advice to you is to make it easy/desirable for people to buy it and treat the ones who do buy it with respect"

Bingo.

Daniel Auger
01/26/2009 07:47 PM by
Daniel Auger

I really tend to agree with the others who say that no matter what you do, the program will be cracked. Video game companies have been trying to solve this problem for decades and to this day most games are cracked within a couple days of release. In the end, a strict copy protection / activation scheme only serves to make the use of the product difficult for the honest person.

It's easy for me to say this, but I'd say you should:

  • Keep the pricing as is for organizations

  • Lower pricing for individuals

  • Go the nagware route or shut off functionality if not registered

  • Make registration easy and not machine based. A registration key that can be used on many machines works well as a way to remind the honest folks to buy the product, but it doesn't cause friction if they want to install it on another computer.
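An added example, not written by the post's author or any commenter and not NH Prof's licensing code: a registration key that carries the buyer's name (as in Randall Sutton's comment) and is not tied to a machine (as suggested just above), signed so the application ships only a public key and a key generator cannot be built from the client. It does nothing against patching the check itself, the limit James Kovacs's comment describes; `LicenseDemo`, `Issue`, `Check` and `Status` are hypothetical names.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example; LicenseDemo, Issue, Check and Status are hypothetical names.
public static class LicenseDemo
{
    const int TrialDays = 30; // trial length mentioned in the post

    // Vendor side. The private key stays with the vendor, so nothing that
    // ships in the client is enough to mint new keys.
    public static string Issue(RSA vendorKey, string licensee)
    {
        byte[] sig = vendorKey.SignData(Encoding.UTF8.GetBytes(licensee),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return licensee + "|" + Convert.ToBase64String(sig);
    }

    // Client side: only the public key is embedded. Returns the licensee
    // name, or null when the key is missing, malformed or altered.
    public static string Check(RSAParameters publicKey, string license)
    {
        if (string.IsNullOrEmpty(license)) return null;
        int cut = license.LastIndexOf('|'); // Base64 never contains '|'
        if (cut <= 0) return null;
        string licensee = license.Substring(0, cut);
        byte[] sig;
        try { sig = Convert.FromBase64String(license.Substring(cut + 1)); }
        catch (FormatException) { return null; }
        if (sig.Length == 0) return null;
        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(publicKey);
            bool ok = rsa.VerifyData(Encoding.UTF8.GetBytes(licensee), sig,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return ok ? licensee : null;
        }
    }

    // No machine binding: the same key works on every machine the buyer uses.
    // A bad key never breaks the product; it only falls back to the reminder.
    public static string Status(RSAParameters publicKey, string license,
                                DateTime firstRunUtc, DateTime nowUtc)
    {
        string licensee = Check(publicKey, license);
        if (licensee != null) return "Licensed to " + licensee;
        int left = TrialDays - (int)Math.Floor((nowUtc - firstRunUtc).TotalDays);
        return left > 0
            ? "Trial: " + left + " day(s) left"
            : "Trial expired, please purchase a license";
    }

    public static void Main()
    {
        using (RSA vendor = RSA.Create()) // constructed demo key pair
        {
            RSAParameters pub = vendor.ExportParameters(false);
            string key = Issue(vendor, "Jane Doe (constructed sample)");
            string edited = "Someone Else" + key.Substring(key.LastIndexOf('|'));
            DateTime now = DateTime.UtcNow;
            Console.WriteLine(Status(pub, key, now.AddDays(-90), now));    // valid key
            Console.WriteLine(Status(pub, edited, now.AddDays(-90), now)); // name changed
            Console.WriteLine(Status(pub, null, now.AddDays(-3), now));    // still in trial
        }
    }
}
```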

Tobin Harris
01/26/2009 08:31 PM by
Tobin Harris

This may sound naive, but I think your audience are probably happy to pay for NHProf :) I'd be inclined to pick some really easy licensing solution that is low cost and low overhead. Just make sure your product expires after 30 days, and I need to contact you and pay $##.## for a license key that makes it work again.

JetBrains seem to do very well with their approach - I've not met any developer who's got a dodgy copy of ReSharper.

As for pricing, here's a thought: Offer a cheap or free version that works with Open Source databases, and a more pricey one that works with commercial ones.

About the actual price... As a freelancer/contractor I don't think twice about spending less than $100 on a tool. If the tool is good it's a no-brainer. Your tool may be worth more, but that's a sweet spot for me at least.

All these are awesome products that I wouldn't hesitate to pay for (in fact, I own most of them!).

$79.00 - Balsamiq Mockups

$48.75 - TextMate

$39.95 - Scrivener

$99.00 - Screenflow

I think that most managers can sign off this kind of purchase without 2nd thought too.

If your product sells like hot cakes, you can invest in tighter licensing then, and maybe offer more enterprisey features at a higher price.

Demis
01/26/2009 08:46 PM by
Demis

I agree with Tobin,

I've also paid for R# and Balsamiq without any consideration as they are both fantastic products at an attractive price point.

The friendly reminder is all that I needed to remember to buy the licence version if I wanted to continue to use the product.

Unfortunately NH Prof currently falls in the same category as Code-Smith for me, i.e. too expensive to justify the purchase cost for the tiny portion that I would use it for. I would seriously consider making a lite $79 version with most of the features and a 'professional version' for people wanting to use it with Oracle, etc. (like another poster suggested).

I think an Alert reminder every 5-10 mins reminding you to purchase the full version is the only protection you need as the power users will more than likely purchase the product.

Maksym Trushyn
01/26/2009 08:53 PM by
Maksym Trushyn

I agree with others in the fact that there is no protection from your application being hacked. Therefore there is no sense in adding strong protection to the program. But some basic protection should be added just as proof that the program was hacked and currently is used without a license.

If a developer actually uses it on an everyday basis, IMHO it is easier to buy the product with all the additional services available to registered customers than to try "saving" a hundred dollars by spending hours of valuable time in the future keeping the application up to date. Also, maybe it makes sense to implement some unique functionality as a web service available only to registered customers :).

Hopefully I said something new. :)

alwin
01/26/2009 10:55 PM by
alwin

I bought a licence of Eziriz .NET Reactor, and it serves me well enough.

It has multiple levels of protection, including obfuscation, embedding licencing, converting to native application etc. (I don't use all functions by far). And it's reasonably priced, 180 dollars. Cheaper than NHProf hint hint ;)

http://www.eziriz.com/dotnet_reactor.htm

Mr_Obfuscation
01/26/2009 11:38 PM by
Mr_Obfuscation

Cracking is a myth unless your software is a game.

From my response on 1-2-09 in my post to Frans Bouma:


@Frans Bouma

Mr_P>Also, use at least 2 reputable protection products and the crackers will move on to something else in no time because it's too much trouble to crack your product.

FB>It's still available because I gave up on adjusting the copy protection every week.

Thanks for validating my exact point to liviu.


You might also want to check out a licensing product from Desaware. Like CrypKey it's been around forever which is what you want in a protection product.

What makes the Desaware system nice is that you can integrate the back-end into your server. A lot of other products want you to integrate into their servers.


If you really want to shut up all these little cracker pests, simply use two licensing products. For any competent programmer who uses the API's not the envelope utilities, there are a zillion nasty things that can be done - a simple one - encrypt the config connect string and save it to the dongle's memory. The fun and schemes are endless and as entertaining as any programming you have ever done. You'll wake up at 3 AM for weeks on end laughing about the next nasty thing you are going to do.

For the rest of your audience who may be alarmed at my post, I'm not saying Ayende has to inconvenience his customers by activating two products etc., I'm just suggesting he use two products to protect his intellectual property.

For a decade I've managed to load massive copy protection into my programs without pissing off my customers. It's really quite easy.

Then dare the crack wannabes. They'll move onto another target before their supper gets cold I assure you.

Signed - been there, done that.

Michael Morton
01/27/2009 12:18 AM by
Michael Morton

@Mr_Obfuscation

"Cracking is a myth unless your software is a game."

... I think the makers of Photoshop, 3D Studio Max, Maya, and a bunch of other non-game applications, even small no-name ones, would disagree. You should take a look around the darker places on the net and see what software is available with cracks and/or keygens before making a statement like the above. Crackers don't always want to use what they crack ... sometimes they crack it just because it's there.

Tristan
01/27/2009 12:42 AM by
Tristan

This is game related, so it may not be applicable, but I like the way Stardock copy protects their games. Rather than trying to punish people who pirate their software they reward their paying customers by providing them with free upgrades and additional features through their serial number system.

http://forums.galciv2.com/106741

Mr_Obfuscation
01/27/2009 02:08 AM by
Mr_Obfuscation

@Michael Morton

Get back with me when you have both written commercial software and written copy protection for it. You need experience in both because if you haven't protected it, you haven't tracked it to see if it's cracked yet.

Also, please keep NH Prof in perspective and don't be so absurd as to put it in the same category as Photoshop.

Michael Morton
01/27/2009 03:26 AM by
Michael Morton

@Mr_Obfuscation

I was merely using Photoshop, and the others, as examples of well known "non-game" software for which cracks are readily available. Also, as I mentioned, there are plenty of no-name software packages that have been cracked and get cracked on a daily basis.

As for NHProf, I'd probably put it in the same arena as some of the individual tool offerings from Red Gate, for which numerous cracks are available.

And for what it's worth, Google already picked up one person searching for a crack for NHProf on 1/5/2009.

Francois Germain
01/27/2009 03:56 AM by
Francois Germain

Hi Oren,

Do you have a handle on who is your main target audience?

How much risk does adding this licensing scheme to your product represent in terms of meeting your general release plan?

How much future risk are you willing to swallow because you're now stuck supporting a component that was not planned for and you're trying to rush last minute?

How much risk does not having a "Strong" licensing scheme in your product represent over a 12 months period in $ terms?

What kind of risk are you facing in terms of being cracked the day you release this product out anyway?

I know you probably already did the math, just putting it out there in case. :)

pb
01/27/2009 06:02 AM by
pb

I'd go with a few hours of work to put something reasonable and non-annoying to users for v1 such as a serial number to enter, etc. Then observe if that was good enough. When you add more features in v2, upgrade the protection if you feel you need to.

Ray
01/27/2009 12:02 PM by
Ray

I'd say don't waste your time trying to make it harder to break because no matter what you do it will be hacked anyways. Make the simplest solution that will work and it actually will be as effective as the toughest you could imagine.

Obfuscate assemblies of course.

Roger
01/27/2009 02:35 PM by
Roger

What was the problem with XHEO licensing?

Nico Granelli
01/27/2009 02:49 PM by
Nico Granelli

Just an idea: I've been asking for recommended solutions in the area of obfuscation and license management.

Too many people told me the same as here, they will break it. But they told me a possible solution also: Make the software call home. I mean, put something in a server, and access by a WS.

I'm not sure if you can use this advice with NH Prof, because it should be usable without an internet connection, but I'm coding software that uses the internet a lot, so this solution is working for me

Mr_Obfuscation
01/28/2009 02:41 AM by
Mr_Obfuscation

@Nico

Yes I agree. Phone home is my favorite way of turning pirated copies of my software "off" if it's not properly licensed.

Since my stuff is black hat I destroy my software on the way out to strongly discourage the user from installing it again, and to also leave them wondering - ummm - what else is he doing to my box??

Pirates beware. License your software.

tbb
01/28/2009 06:13 AM by
tbb

@Mr_Obfuscation

And your server license mgmt is foolproof? Innocent, licensed users never get their legit software destroyed. Ever?

I would never knowingly install or purchase software like that. Just like you said, "what else is he doing to my box?".

And yes, you can come back with your favorite line "until you have written copyrighted/protected...." but that doesn't change the fact that you have no more right to barge into my computer (whether or not you are really doing it) than the RIAA has of kicking down my door into my house. I have no sympathy for pirates, but the collateral damage of innocent users with your heavy handed approach gives me pause.

Mr_Obfuscation
01/28/2009 01:50 PM by
Mr_Obfuscation

@tbb

Like I said, my stuff is black hat and my customers spout drivel like all the cracker wannabes on this thread. They can't decide if they want to crack "for the fun of it" or play Madden Football when they get home from school.

Properly protected software keeps 99.9% of the wannabes playing games instead of cracking them. Put a dongle on it and you are at 100%. Run stolen software and beware - who knows what counter-measures the author put in it, or for that matter what malware the cracker put in it (after all the cracker wannabes seem to think these guys are Gods or something - whatever their code SUCKS too).

Microsoft et al. nukes your computer as much as anything else you run. Do you REALLY know what the software you purchase is doing on installs / uninstalls? Of course not. It's all about trust.

How many times have you had to re-install Visual Studio because something got nuked?

My point is, we all knowingly run software each day that is heavy handed - because we have no choice. We run software based on trust.

Trust = Properly licensed = You paid $$$ to the author so he can feed his family, just like your employer pays you.

Crackers, well who cares about them. They're scum and deserve to have vital entries in their Registry erased. Gosh was that too harsh?!

firefly
01/28/2009 08:10 PM by
firefly

heh speaking of trust we now know who not to trust :)

I find most of the suggestions in this thread valid. In a lot of cases, pirates help to promote your software as well, like Niklas pointed out.

Mr_Obfuscation
01/28/2009 09:38 PM by
Mr_Obfuscation

@firefly

Hehe... Yeah or who to pay anyway... Hehe...

Ray
01/29/2009 11:06 PM by
Ray

Nice, that's a nice idea but I doubt it will work for NHProf's case.

The best is to encourage users to buy your software because it's good and useful and saves them time and money. I know it's hard but looking at NHProf I'd say it's one of those cases when it will work.

I myself will gladly buy it when it will be released because I already see how many hours of my work this application could have saved me if I had it before...

Luke Breuer
01/30/2009 10:24 PM by
Luke Breuer

Just use a nag screen. It's cheap & easy. Are you really worried that you will lose that many sales if you just set up a nag screen?

Mr_Obfuscation
02/01/2009 03:03 AM by
Mr_Obfuscation

@Luke

According to all the "crackers" on this thread they'll bypass his nag screen in no time thereby allowing more time for Madden Football.
