Coding Clarity

In Software Licensing (Part 1), I wrote about the issue concerning PC game piracy. This is not only an issue for the gaming market, but also for commercial software. Consider, Microsoft Windows. They took a lot of flack over their Windows Genuine Advantage system when they first rolled it out. The system took a “guilty until proven innocent” approach where it suspected all users of being pirates until they “validated” that their copy of windows was genuine. Microsoft took this system one step further with Windows Vista. After your Windows CD Key has been used twice (once to install the first time and once to allow for a reinstall), the key is locked and will not allow further validation against Windows Genuine Advantage. If you are in the habit of regularly reinstalling your operating system, you still can do this but it requires an extra step to call Microsoft and request that they reactivate your key.

At first, this validation mechanism seems similar to what Valve Software has done with Steam (discussed in part 1). The key difference here is that the software validation only works one way. Microsoft can verify that each CD Key is used once and only once for authorizing a copy of Windows Vista. What it does not do is authentication. The user has no way of proving to the Microsoft Genuine Advantage Servers that they own the CD key entered. Instead, the first person to happen to come along with that key is taken in as the rightful owner with no questions asked. If for some reason, you need to reinstall Windows Vista (more than once), Microsoft has to allow your CD Key to be used on additional computers. Since this is a common task for many users, this type of procedure is a common request of Microsoft Technical Support.

This type of request has become so common that you can even get a CD key reset without even giving your name. A friend of mine was telling me that it is possible to get Windows Vista Ultimate that is Windows Genuine Advantage validated without even owning a copy of the software.

1. Download Windows Vista. This should be pretty easy to come by. I do not think Microsoft cares too much if you pirate the CD because you cannot use it without your copy being validated by Windows Genuine Advantage.
2. Download a CD Key generator for Vista OR borrow a CD Key from a friend
3. Call Microsoft support and indicate that you need to reinstall your computer but your CD key did not work. Microsoft will unlock this key to allow it to be used on more computers.

For all of the work Microsoft put into their new Anti-piracy system, a pirate can now easily get a “genuine” copy of their product simply by calling their tech support. I doubt this was what Microsoft had in mind when they implemented this new security scheme.

Licensing in Software Development

Make licensing easy. Do not treat your customers like criminals. Instead make the licensing process simple. For a long time PC games have required the physical CD to be in the drive in order to play the game even if the entire game contents are on the hard drive. This sort of a thing is more of an annoyance to paying customers rather than a deterrent against piracy. A pirate will crack the software so that no CD is required. Requiring the CD restricts the user more and actually makes the pirated way better. I knew a friend who usually purchased games legally and used cracks to allow him to play the games without the CD in the drive.

Long product keys are not the most friendly form of licensing. I work with business software and prefer using license files as opposed to a simple key. I also believe that these license files should be in plain text with a hash signature. The benefit to this is that you can store lots of information about the customer inside the file. The hash protects the file from tampering and the file can be read by a user.

For example, consider the following license file format:

<?xml version="1.0" encoding="UTF-8"?>
<license>
   <product>Product XYZ</product>
   <version>1.0</version>
   <customer-name>Jane Smith</customer-name>
   <key>647608973E40E3D2A31A886DC1AE3092</key>
</license>

A simple utility can be created to create this license XML file and generate the “key”. The key can be simply the content of the license file with a little salt thrown in. The salt can be secret predetermined random string that is added to the content before hashing. Unless the secret value of the salt is known, the hash can not be recreated with new values for the content. This protects the license from tampering.

To use this license file, the key can be checked to verify that the license has not been tampered with. After that the XML can be read with a standard XML parsing library to extract the license data. The software can store whatever information required here with no restrictions on length or type of content.

Piracy Protection

Licenses do not guarantee that the software will not be pirated. They provide a deterrent so that it is not as easy to pirate the software. So what should a software developer do to protect your software from piracy?

The simplest and probably best solution is to provide a service that accompanies your software. In part 1, Valve Software only allows users access to their online multi-player if they have an authorized account. If you are in a situation where you can provide services along with your software, it may provide an incentive for an otherwise pirate to purchase your software.

When it comes right down to it, if your users want to pirate your software, they will find a way. You can take whatever measures you want to make that harder for them, but they will inevitably find a way around them. Look at things like DVD encryption. Broken. HD-DVD and Blue-ray were said to be impossible to break within the lifespan of the media. Also broken. Providing security mechanisms is a good deterrent to casual pirates but even the best security can be eventually countered. The key is to not make the security too strict that it creates a hassle for paying customers.

I read an interesting article today at gamepro about PC game piracy. The article quoted from Call of Duty 4’s game blog:

“On another PC related note, we pulled some disturbing numbers this past week about the amount of PC players currently playing multi-player (which was fantastic). What wasn’t fantastic was the percentage of those numbers who were playing on stolen copies of the game on stolen / cracked CD keys of pirated copies (and that was only people playing online).” – Robert Bowling

It was not the fact that PC game piracy was rampant that surprised me but the fact that the pirates with stolen copies of the game are permitted to play online. To me, this seems utterly ridiculous. To understand why this is ridiculous, it is necessary to understand how online gaming works. A typical multi-player PC game allows users to do two basic things, host games for other people to join and join a game hosted by someone else. This service is sort of like a directory listing for games that are being played. Since the listing is controlled by the software publisher’s service and not the game itself, it can validate users and only allow users who purchased the game to use the service.

I believe that no matter how difficult we make the software protection process, pirates will always find a way to break the simple protections put in place over software. When you ship a piece of software, it contains the complete working product. Even if we had 1024 bit encryption keys with 256 character long CD keys for users to enter, when it comes right down to things, the software product knows how to validate that key. All a hacker needs to do is figure out how the program does that validation.

The only way to protect this is by having the key validation done by something other than the software product given to the user. This way they could not modify the product to get around the problem. Games like the Orange Box from Valve Software do this very well. When you purchase the game (either physically or electronically), the game is linked to an account on the Steam service that Valve provides. This service authenticates users and only allows them to play the game if logged into the service. Essentially it provides both the authentication of the user and the game listing services for users.

When you move the validation to a third party system, a pirate would be required to simulate the entire third party system. If a user had a pirated copy of Orange box and a service that “emulated” the steam service, they would still not have access to the game listings that valve provides through the legitimate steam service.

Essentially what this gives is an incentive to users to purchase the game instead of pirating it. Pirating games is simply too easy today. A 12 year old kid can more easily download a cracked copy of a game than to go through the process of acquiring 60$ from their parents and a round trip ticket to the mall. Now, if suddenly you told that 12 year old kid that they will not be able to play the game online with the pirated version, it may provide them with an incentive to go with the more difficult process.

In part 2, I look into the piracy issue with Microsoft Windows.

I have wanted to get into blogging for a long time but I was not sure if I would actually stick with it if I did. I started this blog as a bit of an experiment to see if I could get into regularly writing. I think it has been successful and I plan to continue in the future.

A friend of mine at Perfect Hosting offered to help me with the hosting. This would require me to move from blogger to another blogging system. I chose Wordpress for this because it seemed to be the easiest to use with the majority of the features I required. It also has a good plugin system. I liked the idea of having a site that I could control a bit more than blogger but I did not want to lose my posts and comments when I made the switch.

After I got Wordpress set up, I was able to migrate all of my old content to Wordpress. I was very surprised how easy this was to do. To do this, you click on “Manage->Import” in the Wordpress admin site. From there you click on “Blogger”. This will take you to a google page to authorize access to your blogger account. After you do this, you select the blogger blog that you want to import. This imports all of the posts and comments from the blogger blog.

After this was complete, I had to update a few things manually. All of the “labels” from blogger were imported as categories in Wordpress. Really, I think the labels are more of tags on a post or at least that is how I used them. So I updated all of the posts, changing the categories to tags and adding just 4 categories. I also had to update some of the formatting of code in the posts as it did not translate well to the new system.

It took only about an hour to get the new Wordpress system configured how I wanted and all of my data migrated over from my blogger account.

Testing is a hard problem because there is no way to guarantee that a certain product or piece of code is 100% bug free. Many organizations have testing or “quality assurance” departments who are responsible for doing the majority of product testing before software goes to the customer. Even with a dedicated testing department, developers still have a role to play in testing their code. This article describes the developer testing philosophies used on the project I work on. The project is a server application that mainly manipulates and creates documents.

After the developer testing is complete, the build should be in a good state to enter testing by the quality assurance group. The beauty of this is that it all can happen automatically overnight.

Nightly Builds
A full build of the project is automatically run each night after the developers go home. This is not a testing method by itself but it provides a process for further testing. Developers know that they cannot check in code into version control that will not build that evening. After a new feature has been committed, all members of the team can have access to this the next morning and ensure it works properly. If required, this build can be given to others outside the development team. This is a fully working version of the product that may even go to the customer.

A report of the build is emailed to the team indicating if the build passed or failed. Each build has a unique build number that is the same as the Subversion revision number. This way the build number is unique and the developers can get that exact build code from the source code repository if needed.

Nightly Unit Testing
After the nightly build is done all of the unit tests are run for the whole project. We try to restrict the unit tests to test true “units”. That is to say, test a single class or a very small number of classes. All of the unit tests are either Java JUnit tests or Groovy unit tests. A report of the unit tests is generated using the junitreport ant task. This indicates which tests passed and failed with information on any errors.

Nightly Integration Testing
After the unit tests are complete a set of integration tests are run. These integration tests test the entire product. The integration test suite installs the product, runs the product and then performs a series of tests to ensure that the basic end-to-end functionality of the product works. On this product a bunch of test input files are processed through this running server. The outputs of these are validated to ensure everything works properly. A lightweight test harness was created in Java and Groovy to do run the integration tests and perform this validation. This framework was created from scratch rather than basing it on JUnit as these tests are specific to the application domain. A report for these tests is generated.

Performance Testing
Performance is an important part of this application. The same test harness that runs the integration tests can be used to run the performance tests. Instead of validating if the software works, the speed in which the software performs its tasks is measured. This can be compared to previous versions of the software. This is not run with every nightly build because it takes more than 24 hours to run. It is instead run on occasion over the weekend.