Adobe recently announced that its upcoming release of the popular (and industry standard) Creative Suite will have a new purchasing option. You will be able to subscribe on a monthly basis, and they will rent you a license to the software. This is, of course, good for designers without a lot of cash on-hand — they’ll be able to use (I can’t really say “they’ll be able to buy”) Adobe’s software without a large initial outlay of money. Of course, one wonders about the issue of taking a pound of flesh monthly from those who don’t have much flesh to give (think for a moment about the sketchy business practices of, e.g., furniture rental outfits that cater to the poor, routinely milking them by the month in extreme fashion), but that’s a topic for another post.
What all of this got me thinking about was how, for those who are renters of Creative Suite, Adobe will be checking your license against their servers on a monthly basis. If your subscription lapses, your software will fail to authenticate with Adobe and will be rendered useless (after a five-day grace period). This is, in a way, as it should be — if you stop paying your rent, you get evicted. said struggle generally hurts the legitimate customer more than it hurts theBut it reminded me of the endless struggle software companies have with pirates, and how pirates.
Anti-Piracy Measures of the Past
I recall the early days of anti-piracy measures with an almost fond nostalgia. In the nascency of PC software development, piracy wasn’t a huge issue — it practically cost more to buy a blank floppy disk than it did to buy a program on a floppy disk. But eventually software firms realized that they were missing out on some revenue due to illegal copying, and they started issuing arcane serial numbers to go along with their floppy disks. That way, you couldn’t just copy disks and give them to your friends; you had to also write down an arcane serial number. Once the software companies figured out that this wasn’t a very difficult barrier to piracy, they got more serious. They started burying code words in the product manuals, so that people would actually have to copy entire manuals in order to spread free copies of programs. But photocopy prices went down, and this soon became a non-issue for pirates as well.
So new and better anti-piracy measures were developed. My favorite system was the code wheel.
A game would prompt you during installation to get out your handy code wheel, and would ask you in some random fashion to rotate the dial (or dials) into such and such a configuration. Then a code would be displayed and you could type that code in to continue the installation. Again, however, pirates cracked this problem — either by disassembling the wheel, photocopying the parts, and basically building a duplicate code wheel, or by generating all of the wheel’s combinations and detailing them in a table that could be easily copied and distributed.
CD-ROM games came along and started embedding copy protection on the actual discs, obviating the need for code wheels and the like. (Though serial numbers continue to be a part of software companies’ anti-piracy regimens.) But pirates are never far behind the software companies, and have been cracking copy protection in short order, each time a new scheme is instituted. Adobe, interestingly, is one of the pioneers of the online activation method of protection, where your installation of their products has to communicate with Adobe’s servers in order to install correctly. Adobe’s latest rental offering is just taking this authentication to extremes. But, of course, pirates have cracked online authentication schemes, and whatever Adobe rolls out, the hackers will crack.
What’s the Point?
So what’s the point of all of these Byzantine copy protection schemes? If hackers will always win, what do companies like Adobe get out of applying them? And who gets hurt by all of this? Well, I imagine that, being a large, successful company, Adobe (and I don’t mean to pick on Adobe in particular in all of this, but they’re the ones who got me pondering it all) has done the math and decided that the expenditure on engineering copy protection outweighs the cost of piracy. But, make no mistake, the cost of these protection schemes has to be significant. (Team members devoted to the project; extra manufacturing costs; hardware and software infrastructure to handle online authentication; constant research on how to outsmart the pirates…)
Does any of it stop piracy? Nope. Every new development in copy protection delays piracy for a while, as the hackers turn their efforts to breaking that protection. And they always break the protection. This should be a given in the anti-piracy world. No protection is good enough. So the copy protection doesn’t hurt the pirates all that much, unless we’re talking about a pirate organization on the scale of a company like Adobe — then, perhaps, a delay of a few weeks in launching pirated software would cost these pirates something significant.
What about the upstanding legitimate purchasers of copy-protected software? We are indeed hurt by copy protection. The least obvious but most widespread harm comes in the form of pricing. There’s no way that the significant outlay of cash by companies like Adobe for copy protection schemes isn’t reflected in their retail pricing. You and I are paying the cost of their research, salary, and infrastructure for something that doesn’t help us in the least — it’s not an added feature that caters to the users; it’s a security device that is meant to thwart someone else entirely. (I imagine that Adobe might counter that retail costs would skyrocket if pirates were left unfettered in their evil plans. I would like to see credible data to support this common claim.)
Another harm is in the hurdles legitimate users have to go through to install and re-install software. Not only do we have to jump through the hoops to install these products (serial numbers, online authentication, and the like), but when we re-install the software after getting a new operating system or a new computer, we have to jump through those hoops again. And if we’ve misplaced the serial numbers, it’s a long phone call to Adobe to straighten things out. These time-wasting hassles bring no value to the clients of a small agency like ours. And what if Adobe goes out of business and we have to re-install our Adobe software? Online activation won’t work, unless Adobe kindly keeps their servers up and running.
Wise Words…
…from someone over at rampantgames.com:
I’m actually not completely against online activation / authorization. I just think the use of it as an absolute gatekeeper is stupid — and sucks. As Shamus notes, not only is it a pain in the patootey for legitimate consumers, too often it is no obstacle at all for the pirates. In other words, piracy provides a superior product than what can be provided by the publisher.
That’s bad business, folks. If I am buying new shoes, and my choice is between a brand name and a cheaper no-name knockoff, my concern is usually weighing the difference between quality and price. I’m too old and too geeky to let the brand affect my self-image. But if the cheaper no-name knockoff is actually a far superior product, sure to last longer and provide me with better support — there IS no choice.
That is why I feel that online activation is ultimately doomed. It’s not just a good / bad thing — it’s bad business which cannot be sustained over the long haul.
Amen.
The software binding schemes Adobe, MSFT, and similar companies use to authenticate their software licenses is frequently implemented in a less-than-ideal manner, but to tar all copy protection with that brush is uninformed and inaccurate. Many vertical market apps come with a hardware key (aka a dongle)–to run the software, just insert the key. Kind of like your car key… Of course, many publishers don’t want (or can’t support) the added expense of the physical keys, but they create potentially uncrackable protection (compared to the often-cracked activation scheme used by Adobe).
“Potentially uncrackable” doesn’t equate to uncrackable. I am definitely not a security expert, but a quick Google search for “dongle crack” generates more than enough hits to tell me that dongles are not uncrackable in practice. And my consumer-centric point remains the same: copy protection (of any sort) doesn’t help us. It’s an unwanted hoop we have to jump through because software manufacturers are doing battle with pirates. Consumers get caught in the crossfire.
Great, a debate!
Of course you can’t make something completely uncrackable. But we’ve held multiple open contests to see if anyone could crack our dongle, and no one has (one contest lasted 6 months and had a $40,000 prize). So it’s “effectively” or “potentially” uncrackable. Why split hairs? I guarantee you that companies who sell software for $10,000 or $30,000 are not going to protect it with something that’s easy to crack.
Look, I lock my car, my bank account, my house, and my desk. Those assets are valuable and I don’t want them stolen. Why should a software company not lock its software? The trick is to make protection easy for customers, and still be strong.
Not all dongles are created equal, and even good dongles can have poor implementations by the software developer using them. If someone only checks in code for the presence of the dongle, that’s an easy crack. Likewise if they pass the decryption key in plain text from the dongle to the OS, that’s wide open for a man-in-the-middle attack. Or, decrypting the entire executable in memory makes it easy to take a memory snapshot and create an exe from that. All those attacks (and these are the obvious ones, not the rocket-scientist ones) are stuff that good protection companies, like Wibu-Systems, protect against. The other, more advanced stuff, like differential power analysis, is much harder and requires more work to block. That’s why we have a full-time crypto expert on staff, and yes, we’re definitely security experts 🙂