Is there a way to protect my software EXTENSION of an Adobe design product from piracy?


1

What we are doing at the moment is asking companies how many users they have on site and charging them per user, and then emailing them the extension.

The problem is that there is currently nothing that prevents them from just installing the extension on as many computers as they want.

Is there a good way to set up at least a nominal barrier to keep most people from doing this? I understand it's not possible to stop a determined hacker, but just something to discourage the practice.

Thanks for your help.

Piracy Software Licensing

asked Dec 28 '11 at 06:09
Blank
Mitya
8 points
  • How do you handle updates, bug-fixes, etc.? Is there any existing process for the extension calling home to your company's servers? – Jay Neely 6 years ago
  • At the moment there is not... but from the research I've done, it looks like I am going to have to implement one. – Mitya 6 years ago
Add Comment

1 Answer


2

The problem is that there is currently nothing that prevents them from just installing the extension on as many computers as they want.


Is there a good way to set up at least a nominal barrier to keep most people from doing this? I understand it's not possible to stop a determined hacker, but just something to discourage the practice.

This sums up the casual piracy problem eloquently. And the way you protect extensions to products is the same way you protect full application: hardware-locked licensing. But before I continue explaining what hardware-locked licensing let me first correct a common misunderstanding.

E.T., don't phone home

I see that Jay made a comment on your question about "calling home" to your servers. This is a common misunderstanding of what proper licensing is. There's a big difference between proper hardware-locked licensing (like online activation) and just "pinging" and server. Just pinging a server to get an "OK" or "Not OK" response is worse than useless. It's actually harmful. But let me first explain why it's useless then I'll continue with an example of why it's harmful.

Why phoning home is useless "Pinging" a server to see how many times a customer is using your software is useless because there's no accurate way of telling which computer they installed it on. That is, many computer can be behind the same IP address, so you can't use that as a "indicator of uniqueness". In fact generating a unique "fingerprint" based on all of the hardware components is the only way to correctly ID computers.

Why phoning home is harmful If you're just "pinging" a server (i.e. you're not using the computer fingerprint and you're not cryptographically signing your results) then there's absolutely no way to accurately limit your users. If you try to limit users based on a "false ID" then they will get enraged when your app suddenly fails to work.

For instance, let's say you used the IP address of the computer as the unique ID of the computer. They install your extension on their computer and everything works fine. Happy customer! At the end of the day they pack up their laptop and bring it home to make a few last minute changes to their work. They get home, open their laptop, start the Adobe product and start using your extension. But they can't because their IP address is different. Angry customer! There are other bad "false ids", of course:

  • The MAC address.
  • The computer name.
  • The "volume ID" (partition ID) of harddrives.
  • Etc, etc.

I can list exactly why these are bad if you want.

Hardware-locked licensing (online activation, dongles, etc.)

There are many varieties of hardware-locked licensing. There's online activation (à la Windows Activation, Office Activation, or Adobe Activation), there's hardware dongles, and there's floating license servers, etc. But the basic concept behind hardware-locked licensing is the same between all varieties: your app gets the "fingerprint" of the computer and it gets a cryptographically signed response verifying the user has permission to use your app.

But the whole point of getting the computer "fingerprint" and getting the cryptographically signed response from a server is that you can limit how many computers a customer can install your extension on.

That is, if a customer buys 5 licenses of your extension they can only use it on 5 computers. How is the "fingerprint" different from the "false IDs"? A proper "fingerprint" of a computer takes into account all the hardware components of a computer. A good fingerprinting algorithm must have very low false negatives (seeing computers as different when they're really the same) and false positives (seeing computers as the same when they're really different).

If you're going to build hardware-locked licensing yourself then you need to spend a considerable amount of time perfecting this algorithm. This includes buying multiple computers of the exact same model to ensure you reduce chance of false positives. And you need to handle cases where customers modify their computer (thus to reduce chance of false negatives). In other words the customer shouldn't need to contact you if they reformat their computer, or replace a harddrive, or increase their memory, etc.

If you're planning to build this licensing yourself then it can get complicated quickly.

I'm founder of the company that makes LimeLM (a licensing solution for Windows, Mac and Linux), so obviously I'm going to recommend you buy a 3rd party licensing solution (namely us). There are even a couple of our competitors that are worth trying out (and thousands of our competitors that you should avoid like the plague).

Also, see: What's the use of copy protection? (a.k.a. Everything can be cracked)

answered Dec 28 '11 at 21:30
Blank
Wyatt O'day
964 points
  • Adobe activation is what I was leading to re: phoning home. W/o physical components (impractical for most) verification must be done via some online check, whether one-time or regularly. Not sure hardware-locked licensing is a frustration-free solution. Machines die / get replaced. License-checkers, MAC or hardware based, need logic allowing reasonable uncertainty before auto-locking users. If 2 or 3 more computers seem to be using the software than the 50 licenses allow, alert me and let me decide to call, don't piss off customers using a MAC-switcher on a few machines for some other reason. – Jay Neely 6 years ago
Add Comment

Your Answer

  • Bold
  • Italic
  • • Bullets
  • 1. Numbers
  • Quote
Not the answer you're looking for? Ask your own question or browse other questions in these topics:

Piracy Software Licensing