Tag Archives: licensing

Software Licensing (Part 2)

In Software Licensing (Part 1), I wrote about the issue concerning PC game piracy. This is not only an issue for the gaming market, but also for commercial software. Consider Microsoft Windows. Microsoft took a lot of flak over its Windows Genuine Advantage system when it was first rolled out. The system took a “guilty until proven innocent” approach where it suspected all users of being pirates until they “validated” that their copy of Windows was genuine. Microsoft took this system one step further with Windows Vista. After your Windows CD Key has been used twice (once to install the first time and once to allow for a reinstall), the key is locked and will not allow further validation against Windows Genuine Advantage. If you are in the habit of regularly reinstalling your operating system, you can still do this, but it requires an extra step: calling Microsoft and requesting that they reactivate your key.

At first, this validation mechanism seems similar to what Valve Software has done with Steam (discussed in part 1). The key difference here is that the software validation only works one way. Microsoft can verify that each CD Key is used once and only once for authorizing a copy of Windows Vista. What it does not do is authentication. The user has no way of proving to the Microsoft Genuine Advantage Servers that they own the CD key entered. Instead, the first person who happens to come along with that key is taken as the rightful owner, with no questions asked. If, for some reason, you need to reinstall Windows Vista (more than once), Microsoft has to allow your CD Key to be used on additional computers. Since this is a common task for many users, this type of procedure is a common request of Microsoft Technical Support.

This type of request has become so common that you can even get a CD key reset without even giving your name. A friend of mine was telling me that it is possible to get Windows Vista Ultimate that is Windows Genuine Advantage validated without even owning a copy of the software.

  1. Download Windows Vista. This should be pretty easy to come by. I do not think Microsoft cares too much if you pirate the CD because you cannot use it without your copy being validated by Windows Genuine Advantage.
  2. Download a CD Key generator for Vista OR borrow a CD Key from a friend
  3. Call Microsoft support and indicate that you need to reinstall your computer but your CD key did not work. Microsoft will unlock this key to allow it to be used on more computers.

For all of the work Microsoft put into their new Anti-piracy system, a pirate can now easily get a “genuine” copy of their product simply by calling their tech support. I doubt this was what Microsoft had in mind when they implemented this new security scheme.

Licensing in Software Development

Make licensing easy. Do not treat your customers like criminals. Instead, make the licensing process simple. For a long time PC games have required the physical CD to be in the drive in order to play the game, even if the entire game contents are on the hard drive. This sort of thing is more of an annoyance to paying customers than a deterrent against piracy. A pirate will crack the software so that no CD is required. Requiring the CD restricts the paying user more and actually makes the pirated way better. I knew a friend who usually purchased games legally and used cracks to allow him to play the games without the CD in the drive.

Long product keys are not the most friendly form of licensing. I work with business software and prefer using license files as opposed to a simple key. I also believe that these license files should be in plain text with a hash signature. The benefit to this is that you can store lots of information about the customer inside the file. The hash protects the file from tampering and the file can be read by a user.

For example, consider the following license file format:

<?xml version="1.0" encoding="UTF-8"?>
<license>
   <product>Product XYZ</product>
   <version>1.0</version>
   <customer-name>Jane Smith</customer-name>
   <key>647608973E40E3D2A31A886DC1AE3092</key>
</license>

A simple utility can be created to create this license XML file and generate the “key”. The key can simply be a hash of the content of the license file with a little salt thrown in. The salt can be a secret, predetermined random string that is added to the content before hashing. Unless the secret value of the salt is known, the hash cannot be recreated with new values for the content. This protects the license from tampering.

To use this license file, the key can be checked to verify that the license has not been tampered with. After that the XML can be read with a standard XML parsing library to extract the license data. The software can store whatever information required here with no restrictions on length or type of content.
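A sketch of the create-and-verify utility described above, added here as an example and not the author's own code; it uses HMAC-SHA256 keyed with the secret in place of the plain salted hash, and computes the key over the parsed field values rather than the raw file so that whitespace changes do not invalidate a license. The secret, the function names and the sample customer are constructed for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Assumption: constructed placeholder for the secret the post calls the "salt".
SECRET = b"constructed-example-secret"
FIELDS = ("product", "version", "customer-name")  # elements covered by the key


def _canonical(fields):
    # Length-prefix every value so field boundaries cannot be shifted.
    parts = []
    for name in FIELDS:
        value = fields[name].encode("utf-8")
        parts.append(b"%s=%d:%s" % (name.encode(), len(value), value))
    return b"\n".join(parts)


def compute_key(fields, secret=SECRET):
    # HMAC-SHA256 stands in for the post's hash(content + salt).
    return hmac.new(secret, _canonical(fields), hashlib.sha256).hexdigest().upper()


def make_license(fields, secret=SECRET):
    root = ET.Element("license")
    for name in FIELDS:
        ET.SubElement(root, name).text = fields[name]
    ET.SubElement(root, "key").text = compute_key(fields, secret)
    return ET.tostring(root, encoding="unicode")


def verify_license(xml_text, secret=SECRET):
    """Return the license fields if the key matches, otherwise None."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    fields = {name: root.findtext(name) or "" for name in FIELDS}
    supplied = (root.findtext("key") or "").strip().upper()
    expected = compute_key(fields, secret)
    # Constant-time compare: do not leak how many characters matched.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return None
    return fields


if __name__ == "__main__":
    sample = {"product": "Product XYZ", "version": "1.0", "customer-name": "Jane Smith"}
    issued = make_license(sample)
    print(verify_license(issued))
    print(verify_license(issued.replace("Jane Smith", "J. Doe")))
```

The secret has to be present wherever verification runs, so a copy compiled into the shipped product can be recovered from it; as Part 1 puts it, the software product knows how to validate that key.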

Piracy Protection

Licenses do not guarantee that the software will not be pirated. They provide a deterrent so that it is not as easy to pirate the software. So what should a software developer do to protect their software from piracy?

The simplest and probably best solution is to provide a service that accompanies your software. As discussed in part 1, Valve Software only allows users access to its online multi-player if they have an authorized account. If you are in a situation where you can provide services along with your software, it may provide an incentive for a would-be pirate to purchase your software.

When it comes right down to it, if your users want to pirate your software, they will find a way. You can take whatever measures you want to make that harder for them, but they will inevitably find a way around them. Look at things like DVD encryption. Broken. HD-DVD and Blu-ray were said to be impossible to break within the lifespan of the media. Also broken. Providing security mechanisms is a good deterrent to casual pirates, but even the best security can eventually be countered. The key is to not make the security so strict that it creates a hassle for paying customers.

Software Licensing (Part 1)

I read an interesting article today at GamePro about PC game piracy. The article quoted from Call of Duty 4’s game blog:

“On another PC related note, we pulled some disturbing numbers this past week about the amount of PC players currently playing multi-player (which was fantastic). What wasn’t fantastic was the percentage of those numbers who were playing on stolen copies of the game on stolen / cracked CD keys of pirated copies (and that was only people playing online).” – Robert Bowling

It was not the fact that PC game piracy was rampant that surprised me but the fact that the pirates with stolen copies of the game are permitted to play online. To me, this seems utterly ridiculous. To understand why this is ridiculous, it is necessary to understand how online gaming works. A typical multi-player PC game allows users to do two basic things: host games for other people to join, and join a game hosted by someone else. The service behind this is sort of like a directory listing for games that are being played. Since the listing is controlled by the software publisher’s service and not the game itself, it can validate users and only allow users who purchased the game to use the service.

I believe that no matter how difficult we make the software protection process, pirates will always find a way to break the simple protections put in place over software. When you ship a piece of software, it contains the complete working product. Even if we had 1024-bit encryption keys with 256-character-long CD keys for users to enter, when it comes right down to things, the software product knows how to validate that key. All a hacker needs to do is figure out how the program does that validation.

The only way to protect this is by having the key validation done by something other than the software product given to the user. This way they could not modify the product to get around the problem. Games like the Orange Box from Valve Software do this very well. When you purchase the game (either physically or electronically), the game is linked to an account on the Steam service that Valve provides. This service authenticates users and only allows them to play the game if logged into the service. Essentially it provides both the authentication of the user and the game listing services for users.

When you move the validation to a third party system, a pirate would be required to simulate the entire third party system. If a user had a pirated copy of the Orange Box and a service that “emulated” the Steam service, they would still not have access to the game listings that Valve provides through the legitimate Steam service.

Essentially, what this gives is an incentive to users to purchase the game instead of pirating it. Pirating games is simply too easy today. A 12-year-old kid can more easily download a cracked copy of a game than go through the process of acquiring $60 from their parents and a round trip ticket to the mall. Now, if suddenly you told that 12-year-old kid that they will not be able to play the game online with the pirated version, it may provide them with an incentive to go with the more difficult process.

In part 2, I look into the piracy issue with Microsoft Windows.