HUNTING

Fire Protection

On Software Protection Dongles

Part 1. A War between Copy Protection and Piracy

Copy protection and piracy are conflicts that fighting forever. When a new technology is introduced into copy protection, and counterpart will research the corresponding sword to it. Without a very long time, this so called “new technology” can be cracked. It is a truth in the world. It is ridiculous that saying a product is “un-crack able”, because we know everything in the world can be reversed; the only problem is efficiency and time. If we had a powerful computer (it is only an assumption), and we were smart enough (if we were lucky), then we would crack any algorithm. Maybe you think our pre-condition is not realistic, but we should be serious for this topic.

Since this war is ever taking, no fighter will stop fighting, we should explain this topic for a scientific and realistic point of view.

First of all, we can say no software is completed “un-crack able”. We have explained this topic before.

Second, for software developers or vendors, the only task they can do is to improve the software copy protection, and make it more difficult. There is a balance between software protection and piracy. If the cost of cracking overrides (or too big) the cost of software, cracking such software becomes a meaningless job; no one would like to crack it any more.

Third, from software developers’ point of view, what they are really doing is not protecting the software; the real aim is to make maximum profit. To keep the maximum profit from the software is the only and most business reason that drive the developers to protection they software. If we looking at the topic from this side, we can say “copy protection” is only a side effect that brought by the commercial aim.

In the next installment, we will present the detailed of software protection.

Part 2. An Overview on Software Copy Protection

Here, we can discuss some techniques on software copy protection.

The general purpose of software copy protection is to prevent un-authorized usage of software. So we can say any method or action to prevent un-authorized usage of software is software copy protection.

We can classify software copy protection into 3 main types.

The first one is “software based”. This type of protection is pure software based, and no extra meta is needed. The members in this type are typical serial number, software packer (also called shell or enveloper).

Serial number

End-users can only use the software or the full function of the software if and only if the user have a correct (or reasonable) serial number. The advantage of such protection is that it is easy and cheap. While cracking such copy protection is not a difficult job for a professional hacker. If we found the authentication code in the file, then we can reverse it and make a general cracker against it.

Packers

Packing a software is a very common method to protect software. It is easy and without any additional programming job. Developers need only several simple clicking, then the

The advantage of pure software based protection is the cost. In general it is relative cheap. While, on the other hand, the disadvantage is easy to see, or we can say the disadvantage is obvious, that it is easy to be cracked. As we said before, nothing is un-crack able, if we leave all the protection at end-users side, we open everything to the hackers, who may find way to crack your protection finally.

---------------------------------------------------------------------------------------------------------------------

|               good                      |                   bad             |

----------------------------------------------------------------------------------------------------------------------

| 1. easy                                   |  1. easy to crack                     |

| 2. cheap                                        |  2. weak license control                |

|                                         |  3. easy for piracy                    |

----------------------------------------------------------------------------------------------------------------------

The second protection method is “On-Line License”. You can find this kind of protection from everywhere, such like “On-Line Activation” for Windows XP, and Pro Engineering… This kind of protection needs a license server, which holds the database for licenses/activation keys. It will bring a central control for the license. You need a start/initial fees budget for on-line license, since an extra server is needed, well you also can share this server with others.

Compared with “software-based” protection, “on-line license” is better. You can enjoy the convenience of license schemes and a better security. The cost is a little bit higher, and start/initial invest is a must. This protection is good for big software vendors, who sell more than 5000 thousands copies per year and need a rough license control.

---------------------------------------------------------------------------------------------------------------------

|               good                      |                   bad              |

----------------------------------------------------------------------------------------------------------------------

| 1. easy                                    |  1. easy to crack                     |

| 2. relative low cost                          |  2. rigid schemes                     |

| 3. centralize license control                   |  3. relative high initial cost             |

----------------------------------------------------------------------------------------------------------------------

The last kind of software protection is “Software Dongle”, or we call hardware-based protection, dongle-based protection, software copy protection dongle, etc. This kind of protection might be the best, and it can maximum the software vendors’ revenue.

Is a software dongle un-crack able? The answer must be NO, but why it is the best? It is just because it can maximum the software vendors’ revenue. Ok, now we have repeat the same sentence twice, just for emphasis this point. Let me explain it in detail.

First, why we need software protection? Just for anti-piracy? No, anti-piracy is not the real or the root reason, the real aim is profit. We want to make money from the software, while pirated software cannot bring any profit to us, so we need anti-piracy. Now, let come back to software protection, the real goal of software protection is to protect the profit.

Can a software dongle maximum the revenue? How? To explain this question, we have to explain how we sell software. Nowadays, we sell software via our distributors or direct sell on the Internet. We can call them sales channel. The direct software customer is the sales channel. In fact, we do not know how many software has been sold, what the price for each copy. We just collect money from this channel, and check if the number is correct with what they claim. If without a dongle, we do not the specific number, we just know they are selling this software, but we will fell at loss when face to the number of copies, we do not know how to control the license copy. In this sense, the first usage of a software dongle is to get the number.

One may say, if the software is pirated at end-users side, the software vendor will get nothing too. Good question, but thinking from a software vendor point of view, we should not and cannot let piracy disappear from the earth. The pirated software just give a good place for software vendors to cultivate the market. For a software vendor, especially a CAD/CAM/CAE vendor, who is your customer, a company/institute/university or just a poor student/developer? The answer is too simple. The real customer is the people who can buy or may buy the software, i.e the entity who afford this software. The people who cannot afford the software is only potential customer, who cannot buy the software right now. These kind of people might buy your software in the future if they feel good, but now is not the right time. If you want to cultivate the market, let them use the pirated copy is not a bad choice. Remember the words “make money from the people who can make money”. Finally, we should make the one point clear, if we can make money from the people who can make money, it is the point we maximum our profit.

Software dongles can help you implement various software protection schemes. We will discuss this topic in the next chapter.

Now, let me summarize software dongles.

---------------------------------------------------------------------------------------------------------------------

|               good                       |                   bad             |

----------------------------------------------------------------------------------------------------------------------

| 1. better protection                           |  1. relative high cost                |

| 2. better revenue                              |  2. longer deliver time               |

| 3. flexible protection schemes                  |  3. need programming experience      |

----------------------------------------------------------------------------------------------------------------------

The following table show the target customer vs different software protection method

---------------------------------------------------------------------------------------------------------------------

|  pure software based protection  |   1. low cost software, (price less then 10 USD)         |

|                            |  2. shareware                                     |

|                            |  3. free software (live on donations)                   |

---------------------------------------------------------------------------------------------------------------------

|  one-line license protection     |   1. low cost software at big volume (price less than 50 USD, volume more then 1000 copies.              |

|                            |  2. shareware                                     |

---------------------------------------------------------------------------------------------------------------------

|  dongle-based protection       |   1. cost software (price more than 50 USD)            |

|                            |   2. volume software which need license control         |

|                            |   3. customized software                            |

|                            |   4. shareware                                    |

---------------------------------------------------------------------------------------------------------------------

From the table we can see, dongle-based protection covers more area, and give you a better space for growth. If it is affordable, you’d better choose dongle-based protection.

Part 4. Software Protection Schemes

In this sector, we will discuss the software protection schemes, and also how to implement these schemes with software dongles.

Software protection schemes is based on the software sales model. In order to make a better schemes, you should know well the software function, sales model, and target customers.

Sell per function.

It is common that a software consists of several functions, for example OFFICE consists of WORD, PowerPoint, Excel… a customer can buy the all function or only some of them. You can use software dongle to control this license. In general, this function in dongles called “module” or “license module”

Software lease

Software lease is most based on time. So you need a timing dongle. There is not too many dongle with real time clock embedded. You can use some simple tricks to check the time, for example, check the internet time server. The real time dongle is a good choice. You may refer to HASP-Time. But the cost is high.

Software running limitation

To only let the software run a certain times, for example after execute 50 times, the software stops. Some dongle vendor offer decreasing function, you may take advantage of it. Otherwise, decrease this number and write it back to the dongle every time.

Software credentials

Save digital credentials to the dongles, it will bring your better protection. Do not only check if the dongle is there, leave some thing inside dongle. But be careful, the data should be encrypted, if the dongle has an encryption engine it would be perfect.

Involve the dongle into computation

The ordinary protection is just to check if the dongle is there. This protection is really week. If you can involve the dongle into a computation, it will give your really good effect. Some dongles have a computing engine, which can run a certain algorithm inside dongle, it would be better choice.

Some dongle vendors offer some cook books or other hint on software protection, you may refer to them, they are professional indeed.

Part 5. How to Choose Software Protection Dongles

There are about 20 software dongle vendors all over the world. The big figure in this area is Aladdin ( http://www.Aladdin.com ). Since rainbow was acquired by safe-net, they lost the first position. Well, how to choose a dongle is another topic. We cannot say the biggest vendor offer the best product. The best product is the product which meet your requirements.

In the following paragraph, we will discuss on how to choose a dongle from different aspects.

Price

Doubtless to say, price is always the first topic. We just use the most popular dongle vendors as an example. HASP is expensive, more than 20 USD level. Sentinel is similar, but 1 or 2 USD less. WIBU ( http://www.WIBU.com )  is almost the same with Sentinel (http://www.SafeNet-Inc.com) . Eutron (http://www.Eutron.com) is 10-20 USD level, and similar with UniKey (http://www.eSecuTech.com). You can get a special offer from dongle vendors if you are a really volume customer.

Interface

There are several types of dongle, LPT, PS/2, Serial, USB and even PCI cards. Based on my experience, USB would be best selection, since 95% computer go along with USB ports.

Support

Since software protection is a job need experience, you should know support is also a part of product. Before you buy it, you should check if the support is really good. Try to get more suggestion from their support engineers. If you think the support is not good, you’d better find an alternative to avoid further problems.

Product quality

It is shown that most dongles are produced in China. But it seems that if the production process is controlled under a better management, the product is better. If it is under to bad management, the product is bad quality. It is recommended to choose an international brand, and be careful with the pure Chinese brand even they are cheap.

Functions

The dongle function can help you to implement the software protection schemes. The most basic function is to read and write. All the dongles have this function. If you want to implement more function, you should consult the support engineer from software dongle vendor. If the dongle only has read/write function, it is not a real dongle, it is only a toy.

Trouble shooting

After you buy dongles and send dongles with your software, you will support the dongle for your customers. If you customer meet any problem, you have to help them to trouble shoot the problem. The most common problem is “Dongle Not Found” problem, i.e. after customer install the driver and insert the dongle, the software still say no dongle found. It is a headache for software dongle vendors. But it seems we find a better solution now,. Entron and UniKey provide so-called “Driverless” dongles, which need not install a driver. It is an HID (human interface device), working like mouse. This kind of dongles provide a better solution than traditional dongles.

Part 5.Conclusion

In this simple paper, we discuss the sensitive topic on software protection, and an overview on dongle protection. I just want to share my experience in this area with other developers. Hope you can enjoy it.

About the Author

How many acres of "controlled burns" does California Department of Forestry and Fire Protection do annually?

My wife and I were having a debate on California's current wildfires, and the question of how many acres are burned in a controlled manner came up. Anybody know the answer? I was curious about the ratio of wildfire acres (which I was able to get from Wikipedia) to controlled acres.

Here's a link to some CDF stats (1989-2002) and burn policy.

http://www.fire.ca.gov/ResourceManagement/pdf/VMP2004.pdf

For that time period, 27,000 acres average per year.

Here's another link with other CDF factoids and more recent stats on California fires.

http://www.cdf.ca.gov/communications/communications_factsheets.php

Stack an extra chair in front of the computer and have fun debating with the wife tonight!

Scott Grainger, FPE - Fire Protection Engineer