Copy protection software


#1
LMHmedchem

Hello to the CodeCall forums,

I am looking for a new copy protection package and I am strongly considering HASP SRM.

I am also considering Matrixlock, iLok, UniKey, and softwarekey.

It is very difficult to find independent reviews about these products (not a press release) and I am looking for opinions and users with experience with these or similar products.

If this is not the correct location for such a post, I would appreciate it if someone would push me in the right direction.

Thanks for your time,

LMHmedchem

#2
WingedPanther

One of the things the video game industry is slowly realizing is that copy protection schemes on popular software don't work, but do irritate their honest customers. Ultimately, every scheme can be circumvented, and the people doing the circumvention aren't telling how they do it. The real question is: why are you looking at them?
Programming is a branch of mathematics.
My CodeCall Blog | My Personal Blog

#3
LMHmedchem

There are a few issues to be considered.

I already have copy protection software, but it is old and I am afraid that it does not do very much. I am looking to streamline that part of my development pipeline as much as to improve security.

I have contractual obligations that require all of my vendors (including myself) to only sell or give out copy protected versions of the application. The truth is that if an average user (generally honest) gets an installer that they can just run and then use the software, they are much more likely to go ahead and use it. If the bar is raised such that they have to enter an unlocking code or go through an online registration, most users will be stopped at that point. Even though it may be possible to bypass the security, the user is fully aware that they are stealing something at that point and often that is enough.

We have also had some situations where users thought they were buying a legitimate copy of the software and were not. Having unlicensed installers floating around is a good way to find your product being sold by who knows who on a dozen different shareware sites.

I am moving to hardware key based license management. This appears to be the most difficult to compromise, and also lets me authorize a large number of seats in an efficient process (not having to node lock and authorize each individual installation).

My software is not in demand in the same way that a video game would be. Most of my users are corporate and actually will not install software that is not licensed and copy protected. The liability is more of an issue to the users than the cost. The only thing I need to prevent is a user leaving a company and taking a copy of software with them and that kind of thing. I understand that a good hacker could probably still get the program working without the hardware key, but I believe that would be difficult enough to discourage it happening on a broad basis.

These companies are also trying to keep up with security threats and by off-loading to a vendor, I think I have the best chance of keeping current without my spending too much time on it. My current system was custom, but I am tired of dealing with it and I am not going to go with another custom solution that will be out of date before it hits the shelf.

Is there any way to determine which of these possible vendors has the best product?

LMHmedchem

#4
WingedPanther

For a serious question:
It looks like most of these are dongle-based security, an inherent inconvenience to both you and your customers (you have to provide the dongles, they have to keep track of them). A major question will have to do with the desired licensing scheme. Concurrent licensing of a database app is very different from licensing a single seat of Word, for example. Inconvenience is another issue: should the protection be a one-time deal or not? What happens if you require a dongle and the customer loses it? That's not acceptable for a mission-critical app. etc. etc. etc.

I would start with two things: your licensing model and the user experience. The protection you use must accommodate both of those. My company could not use the dongle approach, for example. The product type is another issue. Is it pure software, or some mixture of hardware and software?

#5
LMHmedchem

The licensing is unusual in the specific case I am working on at the moment. The software will be installed on laptop computers that will be loaned out for short term use of the software. Installation and maintenance of the license and authorization will be my problem. What is necessary is to make it difficult for the software to be moved off of the laptop and onto another computer and used there. I may actually install the hardware key internally on the MOBO usb header so there is no chance of it getting lost.

Aside from this special case, I am looking for a solution that will be flexible so that I can use a hardware key where that makes sense (site license where many seats are authorized by a network key, Linux where you can't do much else but a hardware key, etc) or a software authorization in other cases. I also need a tool that will work in the same way on either Linux or Windows (to streamline my end). I will probably only use hardware keys for Linux site licensing where the key can go on a network server, or Windows licenses where I am not so sure about the client.

Several of the solutions I mentioned seem to provide about the right set of features, but I have no idea how well they really work and so am looking for information. Have you ever seen objective reviews of these products?

LMHmedchem


#6
WingedPanther

All I know about them is what I saw on their websites. I wouldn't recommend modifying the MOBO USB header... that's a great way to piss off IT departments.

Getting back to the point: I would get back to looking at the desired user experience. Consider what happens if a user is having to manage several dongles, one per application. What you may want to do is something like this:

Get a unique hardware ID (MAC address or CPU ID comes to mind). When the user registers, they have to enter a license key and contact your company's registration server. Then, when the registration is approved, an encrypted form of the ID is saved to the registry and checked whenever the program starts. Attempts to move it to a new computer would require re-registration, which would fail (already registered).
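The registration flow outlined in post #6, as an added sketch that is not code from any poster or product in this thread: it swaps the "encrypted ID" for an HMAC tag over the license key and machine ID, and `RegistrationServer`, `machine_id`, `startup_check`, the demo key and the sample hardware values are all hypothetical. The startup check shares the vendor key for brevity; a client that verifies a public-key signature instead would hold no secret.

```python
import hashlib
import hmac

# Constructed demo secret (assumption). It stands in for the vendor's signing key.
VENDOR_KEY = b"constructed-demo-key"


def machine_id(mac: str, cpu_id: str) -> str:
    """Derive one fingerprint from the hardware values the post names."""
    return hashlib.sha256(f"{mac.lower()}|{cpu_id}".encode()).hexdigest()


def _tag(key: bytes, license_key: str, mid: str) -> str:
    # Binds the license key to exactly one machine fingerprint.
    msg = f"{license_key}\n{mid}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class RegistrationServer:
    """Hypothetical vendor-side service: one machine per license key."""

    def __init__(self, key: bytes, issued_keys):
        self._key = key
        self._bound = {k: None for k in issued_keys}  # license key -> machine id

    def register(self, license_key: str, mid: str):
        if license_key not in self._bound:
            return None                       # key was never issued
        owner = self._bound[license_key]
        if owner is not None and owner != mid:
            return None                       # already registered elsewhere
        self._bound[license_key] = mid        # first use, or same machine again
        return _tag(self._key, license_key, mid)


def startup_check(key: bytes, license_key: str, stored_token: str, mid: str) -> bool:
    """Recompute the tag for the machine we are running on and compare."""
    return hmac.compare_digest(_tag(key, license_key, mid), stored_token)


def demo():
    server = RegistrationServer(VENDOR_KEY, {"AAAA-1111"})
    pc1 = machine_id("00:11:22:33:44:55", "cpu-0001")   # constructed values
    pc2 = machine_id("66:77:88:99:AA:BB", "cpu-0002")
    token = server.register("AAAA-1111", pc1)
    return {
        "first_registration": token is not None,
        "runs_on_pc1": startup_check(VENDOR_KEY, "AAAA-1111", token, pc1),
        "copied_to_pc2": startup_check(VENDOR_KEY, "AAAA-1111", token, pc2),
        "reregister_pc2": server.register("AAAA-1111", pc2) is not None,
    }
```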

#7
LMHmedchem

The system that you describe is basically what I already have in place. It uses the serial number of the hard drive, the MOBO and the MAC to create a unique registration. Problem 1 is that it really doesn't work at all. I have had hackers (working for me) break it in less than one minute with very simple tools, meaning that the bar is very, very low. I was hoping to move up a bit and make things like debugging, pulling the app out of memory at least a little more difficult. Possibly some code morphing/obfuscation would be nice. The users expect that there will be some kind of system and have not complained so far about having to register and unlock each installation.

The second problem is my current system really does not work on Linux at all because you only have logical access to the hardware. You can't get serial numbers for the MOBO or HDD or anything useful. You can use the MAC or IP, but those can be spoofed a bit too easily.

On the one hand, I am not all that worried about how well it works because everything can be defeated. On the other hand, I would like to make it as difficult as possible without making the user jump through more hoops than they are willing to. I also want to get this out of my hair so I can spend my time on other things. An out of the box package that is reasonable in cost will probably work better than anything I can come up with and it will be maintained by people who spend a lot of time thinking about how to stay ahead of the hackers and crackers.

I am contractually obligated to have something, so I would like it to work as well as possible and take up as little of my time as is reasonable.

LMHmedchem

#8
WingedPanther

I would ask your in-house people what they think. I question how much more effective these mechanisms might be. Another valid question is: will your customers have the same technical expertise to circumvent the protections?

#9
LMHmedchem

WingedPanther,

I thought I would update you on what I decided to do about the copy protection.

Right now I am evaluating two products from Microcosm.

CopyMinder is a software-based copy protection scheme and DinKey is hardware-based. So far, I have found CopyMinder to be easy to use. There is some performance decrease in the copy protected version, and it puts a lot of files in the installation directory. I think it will probably be quite a bit better than my current system and the product is not expensive. CopyMinder starts at £95.00 and the hardware keys are about £10 with free software.

I am sending out a protected dummy version of my software to see how easily it can be hacked. If it is as good or better than what I have now, I will go with it just to get it out of my hair. Most of the time I have spent was in turning off all of the features I don't want.

I will let you know how the real testing goes.

Thanks for your input,

LMHmedchem