Question 1: Are you making enough money from the legitimate users? If so, forget about piracy. Some people will always steal, just because they think it's fun. Don't waste your time on these people; spend your time adding value for the people that actually pay for your software. If your anti-pirate protection is buggy, you will piss off the people who are already paying for your software.
As an example, take the movie industry. Their "war on piracy" has ensured that I will never pay for (or watch) a major movie again. When you pirate a movie, it's HD, and it plays on any device. You don't need a special cable, you don't need an HDCP-capable surge protector (or whatever). You can fast-forward whenever you want, and you can't be forced to watch ads or the "don't pirate this" propaganda. If you have a fast connection, you can usually watch the movie as it downloads. All in all, a great user experience.
When you pay for a movie, though, all that is out the window. You have to watch ads. You can't have HD unless you have a special cable and a special monitor. You can't watch the movie on a portable device. You can't download the movie; you have to walk to the store, pick something up, talk to a clerk, and carry the movie home. You have to buy a lot of stuff you don't need, you get fewer features, and you have to pay $20 for the privilege.
The movie industry thinks these piracy countermeasures discourage piracy, but actually, they make not pirating the product extremely unappealing. You would have to be insane not to pirate the movie.
This cannot be stated enough. Punishing your money-paying customers for actions perpetrated by people that aren't your customers will do one thing: leave you with fewer customers.
I have not watched a movie in at least a couple years now where I have not stripped out the protections and re-burned it.
I really agree with you about the movie industry and also the music industry. That's because they didn't analyze that copying a movie or lending it to friends is actually a feature.
There's also much more to music and movies than just the product. It's Art, it's a way of communication. It conveys cultural and ideological values. People can have a deep and emotional link with a movie or music. Adding "don't pirate this" movies and making it hard to share what you love with your friends is really killing what your business is about.
Software is different. ISVs are actually hurt by piracy. Platforms have died because of piracy (Atari, Amiga), and most importantly it's possible to protect a little bit from piracy without annoying your users. I think asking for a serial number once or calling home from time to time is really reasonable. It doesn't affect the user experience and protects both you and your customers.
Where you are right is when you say you must evaluate how much piracy costs you before doing anything. Copying your software must not be "trivial". You want to avoid the situation where it's easier to find a pirate copy than an original one.
But spending months adding anti-reverse-engineering features is just plain stupid.
I don't think ISVs are hurt by piracy, they are hurt by people not buying their products. Sure, with piracy, it's easier to not buy your product. But I doubt anyone has ever gotten to the serial number screen and said, "oh, this needs a serial number? I guess I will pay $1000 for a real copy instead of looking for a crack." No. The people that pay for software already made the decision to pay you.
As a practical matter, we use a lot of "ISV" software at work. None of it requires registration or activation or phoning home. If it did, we wouldn't be allowed to purchase it. (This is at a company of 300,000 people, and I think most companies of this size have similar restrictions.)
The best part is that none of these restrictions bother the pirates at all. On-disk encryption is a huge novelty for many very smart minds until it is broken, at which point straight disk copying is trivial.
The "Analog hole" doesn't need plugging when there are fast ways to make a perfect copy of a disc.
Yup. The legitimate users are punished with inconvenience and expensive mandatory hardware purchases. (And, of course, the lack of a Free Software movie player.)
Those that pirate it have no inconveniences, no mandatory hardware purchases, and can use a completely Free Software stack. Is the movie industry really surprised that piracy is rampant!?
Any idea how much money is made on a DVD not being rippable for the first week of release? The movie industry thinks it does and that's why it spends on copy protection for some titles.
I think they are forgetting about people like me that don't want to buy a $300 player every time they invent some new format. My computer plays 1080p video files just fine. My TV displays 1080p video just fine. I have virtually unlimited download bandwidth. And yet, I can't watch HD movies.
To do that, I would have to spend several hundred dollars on a special player for special disks, and I have to replace my HDTV with one that has HDCP, and I have to get a special HDMI cable to connect the player to the TV. No thanks. I don't want your movie that badly.
If there was no copy protection and they were interested in making money, they could sell me access to that movie file. I would download it, and then my computer could play the movie on my TV, and everything would be fine. They get money, I get movie. No piracy happens.
But instead, since I can't pay for a movie even if I wanted to, piracy is the only option.
(The movie industry thinks there is some moral dilemma that would prevent me from pirating something. But in my generation, there's not. I saw a book I wrote available on a torrent site a while ago. I didn't even get upset, I thought, "wow, that's awesome, people are pirating my book". I still made plenty of money. Just like I think the movie industry would make plenty of money if they got rid of DRM.)
This seems like a fast track towards building a really bad reputation for your software. In many markets the pirates will be the most vocal users, and this could paint your software in a horrible light. How do users know if the crash is caused by your copy protection, or by just plain bad software?
And that's not even getting started on the people-try-before-they-buy-with-piracy argument, which is controversial enough that I don't want to go there.
I second that. You want to cripple the pirated version of your software in a specific, obvious, maybe even fun way.
The Sims had such protection. If the game was incompetently pirated, then the player could not kill cockroaches in the game. It was specific enough that when people googled for some info about cockroaches, they found out that the cause was a badly pirated version. Some of them might have bought a legal version. Others just looked around for a more thoroughly pirated version. But everyone knew the game was good and solid.
In the old Command & Conquer games you'd get about 5 minutes of gameplay, and then all of your buildings would spontaneously self-destruct. Googling for the problem would inform you of your guilt :)
The thing is that people quickly realize your "bugs" come from the pirated version. A famous example is CDRWin, which toasted CDs with invalid serials. Everybody knew the original version didn't have the problem.
You need to be clever about it. Another example is video games that are impossible to finish when they are pirated.
The Operation Flashpoint game displayed a message "Original versions don't fade" on pirated versions and ceased to work.
Counterexample: Skype. No one complains about its obfuscation and software tamper resistance. It has been effective in preventing workalike clone clients. I haven't heard any complaints that it crashes, blaming the copy protection.
"It must be so much easier to buy the software from you than getting the illegal copy that your customers will quickly dismiss the latter."
Yes THIS! Exactly.
Perfect example in my book is Steam. Steam has singlehandedly made me a consistent game purveyor in my off-work hours. Provide me with games from a trustworthy source where I don't have to get up off my ass to go buy it from a kid behind a counter - offer a service that's reliable, fast, keeps my games up to date and lets me do away with a gigantic binder of 200 CDs & CD keys and I'll happily dish out the money you deserve.
Okay, that's fair. But I thought billybob's presentation was pretty good! It struck me as ironic-slash-cheeky, which is a quality I see in a lot of the best technical people.
The last thing you want to do is get into a battle with crackers. They have far more time and expertise at cracking software than you do at stopping them.
For this to work, the intentional bug would have to be small enough not to warrant "fixing" by the cracker. In other words, it's unlikely to make a difference.
It's better to think about why people pirate software. A large proportion don't have the means or inclination to buy, so let's disregard them completely. The remaining group could buy, but for whatever reason, do not.
If piracy is easier than purchasing the software legitimately, you've got a problem. Ideally your store should be one page, and require as little information to be entered as possible. Multiple payment methods minimise the chance that a customer won't be able to complete the transaction. PayPal makes impulse purchases easier (assuming you're at that price point).
To sum up: You're probably not losing many real sales to piracy. In the cases where you are, you won't restore them by adding layers of "protection", but rather by looking at why someone might choose to pirate in the first place, and fixing it.
Instead of dismissing it out-of-hand, perhaps suggest that developers find metrics for measuring piracy and apply the appropriate amount of protection to their problem.
Disclaimer: one of Root Labs' areas of business is exactly that.
What legal implications does this have? You shouldn't be liable for someone illegally using your software. If you store their information they may have some claim against you for locking up their data.
(IANAL) In California, it's illegal to place (injuring) booby-traps, because it's effectively punishing somebody for a crime without a trial and that violates due process of law. However, refusing someone use of a stolen good isn't the same as punishing them for stealing it. I doubt this has come to trial yet, but a reasonable line to draw would be that bad side effects can castrate the stolen software as much as you want, but cannot extend any further than the intended use of the software itself. Having stolen software not work is totally fine; damaging the host computer in some way or leaking private information is probably a good way to get yourself sued.
> damaging the host computer in some way or leaking private information is probably a good way to get yourself sued.
The intent is to not damage anything, but rather to only crash the program itself. This might lead the user to visit a support forum where they will be kindly advised to purchase a legitimate copy of the software.
However, if I understand correctly, the program is crashed when it overwrites its own memory. That means that at some point it could end up executing random code. Although very unlikely, it is possible that it could execute the equivalent of "remove user's home directory" code. A more likely, but less 'punishing' outcome could be the execution of a tight infinite loop. That could be interpreted as a 'denial of service' and thus fall under the booby-trap law.
Don't do this to your software.