PICList Thread
'[EE] shareware / software copy protection'
2007\03\22@223940 by Dwayne Reid

Good day to all.

Here at work, we may be interested in releasing some software as
shareware.  It probably has a fair amount of hobbyist appeal
(isolation path G-code generation for PCB milling).  It will be a
while before it's in a form suitable for outside use - it started life
strictly to fill a gap in the toolchain we use to generate the G-code
files for milling some of our simpler prototype circuit boards.

However, we are thinking of polishing it up and releasing it for
outside use.  What I do NOT want to see is us sell a few copies of
this, then not sell any more of them because someone decided to share
their copy with the whole world.

So: I am wondering about a punitive approach to uncontrolled release.

Let me bounce a really strange concept off all of you.

How about customizing each copy of the software that is sold to the
specific purchaser.  Embedded within each purchaser's copy of the
software is as much personal data as I can gather as part of the
sale.  That would include their full name, their mailing address and
phone number.

General question to all: Should that information also include the
credit card number used to make the purchase?

All of the information would be in somewhat encrypted form and only
the user name would show up on the screen.

IF someone decides that they want to share their copy with others **
AND ** if their copy somehow winds up in the wild, the person
responsible can be easily tracked.

More to the point: that person now gets seriously inconvenienced.

I would make it clear to each purchaser that their personal
information is embedded within the software and that it is to their
best interest NOT to allow copies out into the wild.

I'm not naive - I fully expect that friends share software between
themselves.  I do have a problem with someone deciding to post a copy
on a warez site.

Like I mentioned above: a punitive approach to uncontrolled release.

Ideas?  Comments?

dwayne

PS - Not yet decided whether to finish this software up and release
it.  It's a useful tool for us and I think that there is a genuine
need for it.  Just not sure it's worth the hassle.

dwayne

--
Dwayne Reid   <spam_OUTdwaynerTakeThisOuTspamplanet.eon.net>
Trinity Electronics Systems Ltd    Edmonton, AB, CANADA
(780) 489-3199 voice          (780) 487-6397 fax

Celebrating 22 years of Engineering Innovation (1984 - 2006)
 .-.   .-.   .-.   .-.   .-.   .-.   .-.   .-.   .-.   .-
    `-'   `-'   `-'   `-'   `-'   `-'   `-'   `-'   `-'
Do NOT send unsolicited commercial email to this email address.
This message neither grants consent to receive unsolicited
commercial email nor is intended to solicit commercial email.

2007\03\22@233402 by David VanHorn

>
>
> General question to all: Should that information also include the
> credit card number used to make the purchase?


Definitely not.  Exposing any personal information like that could get you
sued, unless the user specifically agrees, and even then it better not be a
shrink-wrap licence.
There are bad ways to get on CNN, this is one of them.

2007\03\23@042134 by Philip Pemberton

Dwayne Reid wrote:
> However, we are thinking of polishing it up and releasing it for
> outside use.  What I do NOT want to see is us sell a few copies of
> this, then not sell any more of them because someone decided to share
> their copy with the whole world.
>
> So: I am wondering about a punitive approach to uncontrolled release.
[snip]

What you're talking about is similar to the protection system used on Cadsoft
EAGLE. You have the application, which checks for a licence key file. That key
file contains (IIRC):
  Name
  Company name
  Full mailing address
  Licence serial number
  Licence levels (Windows/Linux, Lite/Standard/Pro)

.. So by sharing your copy, you have to give out your keyfile - changing any
of the data invalidates the licence, so the 'leaked' key points right back to
the releaser.

The problem you have is, what if someone copied the licence without the
owner's knowledge or permission - in that case, you have two separate
licences. One stays on the install disc and needs an install key (say, a
16-digit alphanumeric string) to activate it. When that licence is activated,
its data is copied onto the hard disc and 'signed' with a machine-specific
code (maybe read the C: drive volume label and volume serial number?). Copying
that won't do you any good - it won't run on any machine other than the one it
was installed on.

All I'm going to say is, you can generally do what you want, but many
customers will actively avoid your product if they feel the licensing method
is too obstructive. Don't use Product Activation or anything that modifies
hard disc sectors (read: anything like the Macrovision protection systems).

Also consider making your software downgrade into a demo version in the event
it is copied. That way people can see what it can do, and might actually buy
it as opposed to using their friends' licences.

Ultimately it's going to be pirated whatever you do - it's basically an arms
race. All you can really do is slow the pirates down. Even Windows XP Product
Activation got cracked in the end. Remember that you're only really going to
stop casual copying - the real pirates are going to copy your software
whatever you do, so don't spend an excessive amount of time and money trying
to defend against them, only to find a crack or key-generator on P2P two days
after release.

In case you can't tell, I've done this sort of thing before... :P

Thanks.
--
Phil.                         |  (\_/)  This is Bunny. Copy and paste Bunny
.....piclistKILLspamspam@spam@philpem.me.uk         | (='.'=) into your signature to help him gain
http://www.philpem.me.uk/     | (")_(") world domination.
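
The keyfile scheme described in the post above, sketched as an added example that is not part of the original thread and is not EAGLE's actual format: any edit to the licence data fails verification, an activated copy is bound to one machine, and a failed check drops the program to demo mode. The field names, `VENDOR_KEY`, the machine identifier string and the function names are assumptions, and HMAC stands in for a public-key signature so the block runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo secret. With HMAC the shipped program must contain this key,
# so anyone who extracts it can mint licences; a real product would verify a
# public-key signature and keep the signing key off customer machines.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"

# Fields listed in the post; the exact names are assumptions.
FIELDS = ("name", "company", "address", "serial", "levels")


def _mac(data: bytes) -> str:
    return hmac.new(VENDOR_KEY, data, hashlib.sha256).hexdigest()


def _canonical(licence: dict) -> bytes:
    """Serialise the licence fields in a fixed order so the tag is stable."""
    values = [licence.get(k) for k in FIELDS]
    return json.dumps(values, separators=(",", ":")).encode("utf-8")


def _same(expected: str, presented) -> bool:
    """Constant-time comparison that tolerates arbitrary presented values."""
    return hmac.compare_digest(expected.encode("utf-8"),
                               str(presented).encode("utf-8"))


def issue_keyfile(licence: dict) -> dict:
    """Vendor side: personalised keyfile plus an authentication tag."""
    keyfile = {k: licence[k] for k in FIELDS}
    keyfile["tag"] = _mac(_canonical(keyfile))
    return keyfile


def keyfile_is_intact(keyfile: dict) -> bool:
    """True only if no licence field has changed since issue."""
    return _same(_mac(_canonical(keyfile)), keyfile.get("tag", ""))


def _binding(tag: str, machine_id: str) -> str:
    return _mac((tag + "|" + machine_id).encode("utf-8"))


def activate(keyfile: dict, machine_id: str) -> dict:
    """Install time: copy a valid keyfile to disk form, bound to one machine."""
    if not keyfile_is_intact(keyfile):
        raise ValueError("keyfile failed verification")
    installed = dict(keyfile)
    installed["binding"] = _binding(keyfile["tag"], machine_id)
    return installed


def run_mode(installed: dict, machine_id: str) -> tuple:
    """Start-up check: returns (mode, reason); failures downgrade to demo."""
    if not keyfile_is_intact(installed):
        return ("demo", "licence data altered")
    expected = _binding(installed["tag"], machine_id)
    if not _same(expected, installed.get("binding", "")):
        return ("demo", "licence not activated on this machine")
    return ("full", "licensed to " + installed["name"])


# Constructed sample purchaser and machine identifiers (not real data).
SAMPLE = {
    "name": "A. Customer",
    "company": "Example Milling Ltd",
    "address": "1 Example Street, Sampletown",
    "serial": "DEMO-0001",
    "levels": ["Windows", "Standard"],
}

if __name__ == "__main__":
    keyfile = issue_keyfile(SAMPLE)
    installed = activate(keyfile, "VOL-1234-ABCD")
    print(run_mode(installed, "VOL-1234-ABCD"))   # machine it was activated on
    print(run_mode(installed, "VOL-9999-ZZZZ"))   # installed copy moved elsewhere
    print(run_mode(dict(installed, name="Someone Else"), "VOL-1234-ABCD"))
```

The machine binding only covers the installed copy; the original keyfile plus its install key can still be activated elsewhere, which is the trade-off the post describes.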

2007\03\23@064327 by Tamas Rudnai

> Even Windows XP Product Activation got cracked in the end.

In the end? They had the crack before most of us could have a chance to buy
it from the shelf. Also nowadays most of the illegal XP copies are from
Enterprise Editions that do not need Activation Keys...

Protecting software is useless, a waste of development time and computer
resources, and last but not least it just makes legal users' lives much harder.
You can't stop people using your product illegally, but you can reduce the
number of people who use it without your permission.

I think having the software just display the licence owner's name for a short
period of time when your application starts up would be enough to warn most
users not to share their copies with others. You also need a serious EULA
strictly saying that making illegal copies is against the law. You also have to
keep in mind that software not only can have been shared with the world but
also can be stolen...

Tamas





2007\03\23@071306 by Jake Vickers

Dwayne Reid wrote:
> Good day to all.
>
> Here at work, we may be interested in releasing some software as
> shareware.  It probably has a fair amount of hobbyist appeal
> (isolation path G-code generation for PCB milling).  It will be a
> while before its in a form suitable for outside use - it started life
> strictly to fill a gap in the toolchain we use to generate the G-code
> files for milling some of our simpler prototype circuit boards.
>
> However, we are thinking of polishing it up and releasing it for
> outside use.  What I do NOT want to see is us sell a few copies of
> this, then not sell any more of them because someone decided to share
> their copy with the whole world.
>
> So: I am wondering about a punitive approach to uncontrolled release.
>  
Whatever you put out will be cracked. Period. This is from a programmer.
What you have to look at is your target customer. You're not looking at
a large market base, even on this list. I run CNC stuff, and maybe 4 or
5 others. Your product is not going to be something that everyone wants,
so it's not going to be pirated (much) as there will not be a large
demand for it.
I'd say go with a serial code and leave it alone. If you put in code to
add people's personal info, that's all fine and dandy but all that needs
to be done is to replace that info or route around it (there was a good
discussion about this on a programming forum I'm in). Anything more than
the serial/key and you're inconveniencing the customer, which is a no-no
in my opinion. I personally won't even buy software where I have to call
and get the challenge code (like Peachtree for our accountant) again.
Too much of a hassle, and annoying to boot.
If you think your software is viable for the market you're looking at,
go ahead and release it. Being a CNC'er that makes PCBs myself I would
look at it. Would I steal it? Naw. I can afford end mills and
copper-clad so I can afford your registration fee if it's something I
need or makes my process easier. And I think you'll find most of your
market will be like this. Just my humble opinion.

2007\03\23@080935 by Rikard Bosnjakovic

On 3/23/07, Dwayne Reid <EraseMEdwaynerspam_OUTspamTakeThisOuTplanet.eon.net> wrote:

> General question to all: Should that information also include the
> credit card number used to make the purchase?

*NO*!

> IF someone decides that they want to share their copy with others **
> AND ** if their copy somehow winds up in the wild, the person
> responsible can be easily tracked.

Tracked to what use? You cannot prove that the customer actively
gave his friend a copy. The friend could have borrowed the
cdrom/floppy/whatever, made a copy of the software and put it back
without the customer knowing.

Like Jake said, whatever software you add some kind of protection to
it will be cracked.


--
- Rikard - http://bos.hack.org/cv/

2007\03\23@083234 by Jinx

> Ideas?  Comments?

Dongle ?

2007\03\23@084903 by wouter van ooijen

> General question to all: Should that information also include the
> credit card number used to make the purchase?

General remark: if your software is for a small audience, is it really
worth making it into a product that you will have to support? If that
audience coincides with your set of potential customers it might be a
much better idea to embed some advertising and release the result as free
software.

As others have said: software protection schemes can be cracked, even
hardware protection can be cracked. The only real protection is to put
some (essential) part of the functionality in hardware. (That can of
course be copied/cloned...)

Wouter van Ooijen

-- -------------------------------------------
Van Ooijen Technische Informatica: http://www.voti.nl
consultancy, development, PICmicro products
docent Hogeschool van Utrecht: http://www.voti.nl/hvu



2007\03\23@085133 by Jake Anderson

Rikard Bosnjakovic wrote:
{Quote hidden}

I feel it's best to make your licence such that there isn't much
motivation to steal it in the first place.

2007\03\23@090111 by Yigit Turgut

Hello Dwayne,

You haven't mentioned it, so I will assume your software will be running
on MS platforms and optimized for this. Since you are looking for a
strong licence methodology, you have to develop it yourself. And this
is something you cannot find here. This is a whole different area of
profession, and the information which is going to solve your problem is
some sort of commercial data.

> > IF someone decides that they want to share their copy with others **
> > AND ** if their copy somehow winds up in the wild, the person
> > responsible can be easily tracked.

This is completely wrong.

> Like Jake said, whatever software you add some kind of protection to
> it will be cracked.

This is wrong too. Although, not completely.

In my professional experience none of the software protection
techniques have been 100% secure. At this point, you have to be more
creative and come up with a new protection hardening method. Since I
don't know the details of your project and the code, it is not
appropriate to make more comment. But counting on my 8 years of
experience, I can say that I developed protection techniques which did
a really good job and are still in use. You have to develop a hardening
module so unique. If I didn't have the notes and the source code of my
techniques, with some of them I would probably get stuck somewhere in
the code and not be able to crack it even now. But, depending on your
software's functions, if someone or a company hires an experienced
security engineer or a professional software reverse engineer - in the
abstract, a person who makes a living from this job - to crack your code,
then - in theory - eventually he is going to crack it. This is how things
work. Theoretically no software is 100% protected. Most of the
underground cracking groups have limited skills and background theory
on software protection. And according to the statistics, the software
which has been cracked during the past 8 years uses public and known
protection techniques. Another reason for this is that usual programmers
do not have strong security perspectives; they only do what they are
focused on. This is why IT and IS are different communities.

I hope you got my point. If you think your software is worth investing
more in, you can contact me.

Cheers.

2007\03\23@091948 by Alan B. Pearce

>Most of the underground cracking groups have limited skills
>and background theory on software protection.

I doubt this. From what I have observed there are very skilled people in the
underground cracking community, who have extremely good math and programming
skills. In many aspects I suspect that there are as many very well skilled
people doing hacking as there are people providing security measures. I am
not sure that those doing the latter are necessarily as good as the hackers
though.

2007\03\23@102510 by David VanHorn

Dongles and other extreme methods, locking it to one computer, etc, all make
it a risk for me to use your software.  What happens when the computer I was
using has a problem, (blown nic or whatever) or the dongle takes an ESD
hit?  You'd be making your problem (piracy) into my problem (restrictions
and downtime).

2007\03\23@112750 by Yigit Turgut

> I doubt this. From what I have observed there are very skilled people in the
> underground cracking community, who have extremely good math and
> programming skills.

This is completely relative. A subject's complexity is limited to the
observer's understanding. In order to understand the level of people on
a specified subject, we must have at least the knowledge they have, to see
wrongs and rights. You can't make comments on a topic in which you are not
predominant unless the level of topic is higher than your knowledge.

> In many aspects I suspect that there are as many very well skilled
> people doing hacking as there are people providing security measures. I am
> not sure that those doing the latter are necessarily as good as the hackers
> though.

There are skilled people underground. Been there. But most people of
these communities are self-educated, which leads us to the theoretical
background deficiencies. In some cases, practically, these people can be
better and faster. But in complex problems and cases which require
in-depth knowledge and analytical thinking, comparison is out
of the question. People providing security measures is something
different. Today, most of the people who are providing penetration
testing or auditing have no in-depth knowledge of what they do. They
are like users who type the relevant strings into compiled and
ready-to-go programs. Their abilities are limited to the abilities of
the software they use. A penetration tester who has no or superficial
knowledge at least of operating systems, protocols and commonly used
server software is nothing more than a fraud cheating his client. And
on the other hand, security measurement is not on the computer -
software side only. For example, once there was a leak in the company
and we had to examine all the employees' BlackBerrys. Hackers are
divided into categories. Someone who can reverse an operating system
or a piece of software, find the hole in it and code the exploit for it
is what I call a hacker. Even when I was 17, I had granted access to various
systems and was some kind of a local legend. Even then, I had known
that that wasn't hacking. After I had my engineering education
everything became crystal clear.

As a result, underground people are limited because of their
theoretical deficiencies. But it is not a personal deficiency. You
cannot expect someone to slam dunk if he is 5'7" (of course there are
exceptions, i.e. Spud Webb).

2007\03\23@113354 by Robert Rolf

David VanHorn wrote:

> Dongles and other extreme methods, locking it to one computer, etc, all make
> it a risk for me to use your software.  What happens when the computer I was
> using has a problem, (blown nic or whatever) or the dongle takes an ESD
> hit?  You'd be making your problem (piracy) into my problem (restrictions
> and downtime).


True. But you can have the software give a 'grace period' of a certain number
of runs without valid authorization in order to give the customer time to
get a new key. But NOT run the first time without a key, to prevent the 'reinstall
forever' method of defeating copy protection.

And if the software is THAT important, provide the user with TWO dongles, so that
they always have a working dongle.

The one method I saw that seemed quite effective is that ALL output (screen and printed)
has "licensed to COMPANY NAME" on it. Makes it hard for a thief to use the
output for profit since to do so would be promoting the competitor and would discourage
the giver since the source of the leak would be prominently displayed everywhere the
pirated software was used.

The amount of piracy is also a function of price. If I've paid a LOT for a package
I am less likely to share it with someone (why 'gift' them) than if I pay a nominal
amount.

Quite frankly, if you are that concerned about your losses to piracy, I would suggest
that it's not worth your trouble to bring it to market. (why make it easier for your
competitors?)

Nearly every method of copy protection can be defeated, and will be, so either saturate
the market quickly, at low price, or don't bother. You're not a megalithic company with
deep pockets to fund the legal battles copywrongs bring you.

Robert

2007\03\23@115445 by William Chops Westfield


On Mar 23, 2007, at 6:19 AM, Alan B. Pearce wrote:

>> Most of the underground cracking groups have limited skills
>> and background theory on software protection.
>
> I doubt this. From what I have observed there are very skilled
> people in the underground cracking community, who have extremely
> good math and programming skills.

You have to watch that "Most of" phrase.  It's a feature of the
modern internet environment that a small number of talented people
can create a big impact.  Sure, there are some sharp people doing
math and programming attacks against license schemes, but if you
search the internet for "CommercialProgram crack", "most of" what
you find will be simply stolen registration codes, things that
were found randomly, or repetitions of the few 'clever cracks' by
the "relatively few" skilled crackers...

I wonder if Cadsoft considers their licensing and protection scheme
a "success"?  They've got the freeware and low cost licenses, yet
you still see a fair number of "can't load schematic because it was
made on a cracked version" issues on their forums.  They're probably
in the same class as your app; relatively valuable but generally
low-interest level software...

BillW

2007\03\23@121649 by wouter van ooijen

> I wonder if Cadsoft considers their licensing and protection
> scheme a "success"?  They've got the freeware and low cost
> licenses, yet you still see a fair number of "can't load
> schematic because it was made on a cracked version" issues on
> their forums.

It shows their software is cracked, but also that users of a cracked
version get into problems later on, and (most important) that fact is
widely known. So I think it can be considered a (relative) success.

Wouter van Ooijen

-- -------------------------------------------
Van Ooijen Technische Informatica: http://www.voti.nl
consultancy, development, PICmicro products
docent Hogeschool van Utrecht: http://www.voti.nl/hvu



2007\03\23@122731 by Tamas Rudnai

Bill,

Everybody goes for the easier way - so do the crackers. If a software can be
used by simply listing stolen keys, then they will do that and will not
bother with cracking. If they can write a keygen application that generates
valid keys they will do that instead of modifying the binary code. If they
can simply disable a dongle by modifying the code only they will do that
instead. And if the only way is to write a device driver that emulates a
dongle they will do that but that's the last resort for sure.

In 90% of the cases they just simply say here is the key, use that one -
and software providers change key methods from time to time or blacklist
many keys circulating all around the net.

Tamas




2007\03\23@123437 by Mark Hanchey

Dwayne Reid wrote:
{Quote hidden}

I found a book a few days ago that is an excellent read on software
protections and how they are broken and how to protect against it.
The book covers everything from serial numbers to cdrom protection, to
hardware dongles.

The book is called "Crackproof your software", available at
http://www.nostarch.com/crackproof.htm  .

Mark Hanchey

2007\03\23@124332 by M. Adam Davis

1) Do not put credit card info into anything that you distribute.  Not
only is this a bad idea from a number of perspectives, chances are
good that if you read your merchant agreement with your CC processor
you'll see this sort of thing is expressly forbidden.

2) Whatever you come up with will be cracked by someone who has just
as little cracking experience as you have software protection
experience.  Many software protection utilities, programs, shareware,
etc that you can add to your program have standard cracks.

3) Unless you have deep pockets for lawsuits, any protection you add
that helps you find the perpetrators is useless.  You must add
protection that prevents an unauthorized user from executing or using
your program.

4) You will be expected to provide support for your product.  Price it
accordingly.  This isn't like most shareware where the user knows what
it does and how to use it - you're going to get all sorts of questions
about how to get a particular junk CNC machine to run your code.  Put
a lot of thought into the price, and how much support you can provide.
Create rich documentation for users of all levels of experience.

5) For production, maintenance, and support reasons, I and many others
actively avoid software that requires activation (what if the company
stops supporting?), dongles (oops, new computers don't have parallel
ports, or vista doesn't support the USB dongle driver yet), or tie
themselves to the hardware.  Consider whether your market will stand
for any of these schemes.  Keep in mind that not only will you have to
support the software, but your own protection through time.

The best protection scheme I've seen is to put decent software license
protection on each release, and release a new version with major
features at least once a year, while releasing the older versions for
free to hook new users.  Ideally you'll have updates and fixes
released several times per year.  When you find a key that's been
distributed, make sure the new versions don't allow that key.  When
you see a cracked version of the software, change the internal scheme
a bit so they have to start all over again.  Since you have fully
functional free versions the need to crack is not as strong, yet
compelling features will bring paying customers.  Schools and
hobbyists will use the free version, and when they go into the
industry will buy the official version.

Of course, that requires work, and it sounds like you're more
interested in releasing it and just getting another source of income,
without a long term plan for the software.  Make sure that whatever
you do is in line with your business goals.

-Adam


2007\03\23@125440 by Alan B. Pearce

>The book is called "Crackproof your software", available at
> http://www.nostarch.com/crackproof.htm  .

I seem to remember that those methods of detecting Softice given in the
excerpt were fairly well known and got around when the book was published in
2002. I wonder how well any other methods given in it have fared in the
last 5 years.

2007\03\23@132645 by Bob Blick

(I'm cc'ing this to HiTech since it seems applicable)

Most discussion here seems to center around copies
floating around on the net. Protecting your software
against people who wouldn't pay for software seems
like a waste of time to me.

But how about multiple installations in-house? That
seems to be the use that CAD and dev tool makers are
focusing on today.

However you will certainly annoy your paying customers
more than anyone else. I've been a HiTech C customer
for 9 years, but I am absolutely not renewing my
HiTech C contract next year now that the product
requires internet activation. HiTech could disappear
overnight and my compiler become uninstallable when I
replace my hard drive. Even if they stay in business,
needing to justify to them the reason when I replace
my hard drive and need to reinstall? It makes me feel
like a cop has asked me if I know why he pulled me
over.

So I vote with my pocketbook. Paying for software is
one thing. Renting it is quite another, I'd rather use
an inferior product. Or you could say HiTech has
become inferior because of activation.

Cheerful regards,

Bob Blick

2007\03\23@132749 by Byron A Jeff

On Fri, Mar 23, 2007 at 12:43:30PM -0400, M. Adam Davis wrote:

What an excellent post! I'll throw a couple of nickels at it.

{Quote hidden}

Agreed on both points. It's simply not workable.

> 2) Whatever you come up with will be cracked by someone who has just
> as little cracking experience as you have software protection
> experience.  Many software protection utilities, programs, shareware,
> etc that you can add to your program have standard cracks.

Sometimes I think crackers simply take it on as a challenge to see what
it takes to circumvent.

> 4) You will be expected to provide support for your product.  Price it
> accordingly.  This isn't like most shareware where the user knows what
> it does and how to use it - you're going to get all sorts of questions
> about how to get a particular junk CNC machine to run your code.  Put
> a lot of thought into the price, and how much support you can provide.

Or you may want to consider pricing support as a separate item when the
target falls outside of certain parameters. Support can be a black hole
when the target is unknown.

>  Create rich documentation for users of all levels of experience.

Absolutely. Also try to foster an online community where users can help
support each other.

> 5) For production, maintenance, and support reasons, I and many others
> actively avoid software that requires activation (what if the company
> stops supporting?), dongles (oops, new computers don't have parallel
> ports, or vista doesn't support the USB dongle driver yet), or tie
> themselves to the hardware.  Consider whether your market will stand
> for any of these schemes.

This is a tough call. The problem with protection is that it drives the
honest folks away and offers little real protection to the dishonest ones.
You really need to examine protection schemes that are transparent until
violated.

>  Keep in mind that not only will you have to
> support the software, but your own protection through time.

Trying to stay ahead of the curve.

{Quote hidden}

That's lots of work. Also I'd bet that the user pool is too small in this
instance to allow for free versions to float.

> Of course, that requires work, and it sounds like you're more
> interested in releasing it and just getting another source of income,
> without a long term plan for the software.  Make sure that whatever
> you do is in line with your business goals.

Agreed.

How about another angle? Instead of selling software, why not consider selling
a service? Have folks send you their plot files, you convert them, and you
send them back results? Charge per use though subscriptions would be nice.

Now you're not selling software that you have to try to protect out in the
wild. It generates a revenue stream that you can get a better handle on.
You can even offer the free hook of a limited test service so that folks can
be sure that it works with their equipment before buying.

Just a thought.

BAJ

2007\03\23@135002 by Byron A Jeff

On Fri, Mar 23, 2007 at 10:26:39AM -0700, Bob Blick wrote:
> (I'm cc'ing this to HiTech since it seems applicable)
>
> Most discussion here seems to center around copies
> floating around on the net. Protecting your software
> against people who wouldn't pay for software seems
> like a waste of time to me.

Here's the problem Bob: Opportunity is often the only difference between a
large segment of the potential user base buying or obtaining for free. If a
company takes away the opportunity to freely download, part of this
population will buy. While I agree there is a segment who would not purchase,
it's the segment that would purchase if there were no easy free options
that's the real target.

You're probably not the problem, other than the fact that protection schemes
tick you off. You'd buy because it's what you're supposed to do.
Unfortunately when it comes to digital entities floating around the Internet,
folks who are generally honest often can't resist picking up the "free" SWAG
simply because it's there and it's convenient to download.

> But how about multiple installations in-house? That
> seems to be the use that CAD and dev tool makers are
> focusing on today.

It's an orthogonal issue to a point. The problem is that it's difficult
to separate a legitimate user with multiple installations and a group
of freeloaders. One way to do it is to issue the legit user multiple
valid keys.

> However you will certainly annoy your paying customers
> more than anyone else.

Unfortunately that segment is probably small enough that you can afford to
lose it if you can in fact corral the larger quasi-legit segment that would
buy if there were no other options.

{Quote hidden}

All because you are a legit customer. But if a company is losing 90% of its
potential customer base to free copying and it can recapture even half
of that group with activation, how can a company afford not to go that route
even if it pisses the 10% of truly legit users off? Even if they lose that
entire 10% population (and all of their referrals) would it come close to
matching the 45 percent of folks who actually walk away from a locked door
instead of trying to pick it or kick it in?

BTW all numbers in the above example pulled from where the sun don't shine! ;-)

> So I vote with my pocketbook. Paying for software is
> one thing. Renting it is quite another, I'd rather use
> an inferior product. Or you could say HiTech has
> become inferior because of activation.

I think it's just reality. We all know folks who wouldn't dare think to take
a piece of gum from the store without paying, yet download software, music
and movies with abandon. Culturally this segment of the population has
brainwashed themselves into thinking that it isn't stealing and that it isn't
wrong. But just a simple thumblock type reminder (such as activation) is
often enough to deter them from straying.

The problem is how to have real protection with as much transparency as
possible? But frankly no matter how transparent the protection process can
be made, it's going to intrude on legit users. It's easy to blame the
company, but it seems to me it's the users who are not honest and won't
follow the rules that are the real cause.

BAJ

2007\03\23@142835 by Bob Blick


--- Byron A Jeff <spamBeGonebyronspamBeGonespamcc.gatech.edu> wrote:

> The problem is how to have real protection with as
> much transparency as
> possible? But frankly no matter how transparent the
> protection process can
> be made, it's going to intrude on legit users. It's
> easy to blame the
> company, but it seems to me it's the users who are
> not honest and won't
> follow the rules that are the real cause.

All the points you make are quite true - it's
business, and anyone is free to choose their own path.
Their previous protection method utilized a key they
provided. Each time the software ran, my name was
printed. It doesn't bother me, and when I need to
reinstall I have the key so it doesn't matter if the
company has gone out of business or I'm not able to
access the net.

For a developer, incorporating protection into your
product can also be a distraction. Or even discussing
it, which reminds me, I have better things to do :)

Apologies to HiTech, I won't forward any more emails.

Cheerful regards,

Bob

2007\03\23@154454 by Gerhard Fiedler

Byron A Jeff wrote:

> How about another angle? Instead of selling software, why not consider selling
> a service? Have folks send you their plot files, you convert them, and you
> send them back results? Charge per use though subscriptions would be nice.

A variation of this is a web service. If you have a program that can run,
you usually can make it run through a web interface. No protection scheme
necessary, other than a web site login scheme (which is relatively
difficult to crack, and pretty much commonplace). You can charge per time
(day, month, year) or per use (with discounts for heavy users).

Gerhard

2007\03\23@181422 by Jake Anderson

Gerhard Fiedler wrote:
> Byron A Jeff wrote:
>
>  
>> How about another angle? Instead of selling software, why not consider selling
>> a service? Have folks send you their plot files, you convert them, and you
>> send them back results? Charge per use though subscriptions would be nice.
>>    
>
> A variation of this is a web service. If you have a program that can run,
> you usually can make it run through a web interface. No protection scheme
> necessary, other than a web site login scheme (which is relatively
> difficult to crack, and pretty much commonplace). You can charge per time
> (day, month, year) or per use (with discounts for heavy users).
>
> Gerhard
>
>  
I don't think this type of application would run well as a web service,
but if you wanted to "lock" it then using the web each time the program
was run would be an effective way of doing it. Until it's hacked.

Personally I'd give it away for free. If you want any support at all
then sign up with our $30 monthly support contract which gets you email
support, automatic updates and a warm fuzzy feeling. Telephone support
is charged at $100 per hour. On site support is $200 + traveling expenses.
That way you get a bigger user base and your competition can't compete on
price. If it's free people are more likely to try it. Heck if you make it
open source then there is a chance that your users might even help
improve your code.
This is the model I am looking at for my current "big programming job".
It's written in Python and will run on all platforms. I'm hoping that
being able to set a new user up for $800 in hardware Vs ~$3000 with the
current software + windows + office, will make a difference, as well as
the customer sleeping sound in the knowledge that if I disappear they
can still keep their software running.

2007\03\23@195333 by Dwayne Reid

At 02:21 AM 3/23/2007, Philip Pemberton wrote:

>All I'm going to say is, you can generally do what you want, but many
>customers will actively avoid your product if they feel the licensing method
>is too obstructive. Don't use Product Activation or anything that modifies
>hard disc sectors (read: anything like the Macrovision protection systems).

I'm actually quite against any form of copy protection, whether it be
software or dongle based.  I actively avoid software vendors who
resort to those measures and assume that many others think as I do.

Instead, I want to try and make the purchaser of the software be able
to be held accountable should they decide to share with the world.

There is a difference.  Copy protection assumes that all users are
thieves.  I don't believe that for a moment.

That said, there *are* thieves out there.  It is those people whom I
would like to expose.

More than anything, I am looking at this as a deterrent.  Don't post
the software on a warez site because bad things will happen if you do.

I see that I have lots of other comments to read through - please
bear with me as I do so.

dwayne

--
Dwayne Reid   <TakeThisOuTdwaynerEraseMEspamspam_OUTplanet.eon.net>
Trinity Electronics Systems Ltd    Edmonton, AB, CANADA
(780) 489-3199 voice          (780) 487-6397 fax

Celebrating 22 years of Engineering Innovation (1984 - 2006)
 .-.   .-.   .-.   .-.   .-.   .-.   .-.   .-.   .-.   .-
    `-'   `-'   `-'   `-'   `-'   `-'   `-'   `-'   `-'
Do NOT send unsolicited commercial email to this email address.
This message neither grants consent to receive unsolicited
commercial email nor is intended to solicit commercial email.

2007\03\23@200809 by Jinx

> The only real protection is to put some (essential) part of the
> functionality in hardware. (That can be of course be copied/
> cloned...)

Needing hardware like a dongle is still much better than simply
s/w protection that can be hacked and distributed. Although I'm
not forgetting the Playstation mods with a 12C508 that reached
epidemic proportions. Even though that was a solution to get
around s/w protection. No offense Dwayne, but your s/w won't
be in the same desperate "I wannit" category as a Playstation, so
maybe you won't have an army of busy hands and brains trying
to break it. The Playstation case is an interesting one. Actions
showing people how to do something illegal are legal and not
easily stopped. IMHO the best you can do is make it difficult

Someone mentioned dongles & co breaking down. I doubt a
dongle has any greater or lesser chance of failure than a HDD
or mobo that the s/w may be registered to. Including (or supplying
on request) a back-up dongle would be the answer

2007\03\23@221932 by Herbert Graf

On Sat, 2007-03-24 at 12:07 +1200, Jinx wrote:
> Someone mentioned dongles & co breaking down. I doubt a
> dongle has any greater or lesser chance of failure than a HDD
> or mobo that the s/w may be registered to.

Hehe, right, but a MB or HD can be bought about 5 minutes away from me
for minimal $. The dongle?

> Including (or supplying
> on request) a back-up dongle would be the answer

So, I just sit on my hands, watch my customers walk away, miss a bunch
of deadlines, waiting, hoping, the replacement dongle comes, of course
only after I wait for the next business day to REQUEST the replacement
dongle?

Sorry, but that is not acceptable to me. Aside from the fact that you
are FORCING me to pay for the development of a dongle, you are GREATLY
increasing my risk that the software won't do the job when I need it. No
thanks. I'll go with the vendor that doesn't treat me like a criminal
after I give THEM money.

TTYL


2007\03\23@231511 by Jinx

> > Including (or supplying on request) a back-up
>
> So, I just sit on my hands, watch my customers walk away, miss a
> bunch of deadlines, waiting, hoping, the replacement dongle comes,
> of course only after I wait for the next business day to REQUEST
> the replacement dongle?

I did say you could include a second. It would be equally unacceptable
if you lost your only set of car keys and were stuck somewhere freezing
your wotsits off in a blizzard waiting for replacements

> I'll go with the vendor that doesn't treat me like a criminal after I
> give THEM money

But really Herbert, piracy is rampant (criminally or just "Hey, I've
got a program that'll do that, I'll do you a copy" - people just don't
see it as theft, it's only a CD), and I'm sure no offence would be taken
by a customer who knows that the system can't be just conveniently,
easily and cheaply copied

2007\03\23@233107 by Jinx

> I'll go with the vendor that doesn't treat me like a criminal

I don't think this is a monumental stretch - look at all the
security measures in the world today. Tamper-proof lids,
searches at airports, police booze patrols, the list goes on

Do you get in high dudgeon (resent strongly) when you're
stopped by a routine traffic patrol, checking for licence,
registration etc ? Push airport security guards away, saying
there's no need to search me ? Don't alarm your house or
car ?

I'm afraid the pendulum has swung towards expecting the
worst from people and the checks are to make sure they
didn't, aren't doing or won't do something. Regrettable, but
I think that's true, and I believe the principle applies to
theft prevention

2007\03\24@004219 by Jake Anderson

Jinx wrote:
>> I'll go with the vendor that doesn't treat me like a criminal
>>    
>
> I don't think this is a monumental stretch - look at all the
> security measures in the world today. Tamper-proof lids,
> searches at airports, police booze patrols, the list goes on
>
> Do you get in high dudgeon (resent strongly) when you're
> stopped by a routine traffic patrol, checking for licence,
> registration etc ? Push airport security guards away, saying
> there's no need to search me ? Don't alarm your house or
> car ?
>
> I'm afraid the pendulum has swung towards expecting the
> worst from people and the checks are to make sure they
> didn't, aren't doing or won't do something. Regrettable, but
> I think that's true, and I believe the principle applies to
> theft prevention
>
>  
I'm not too sure how many deaths have been caused by software piracy.
Drunk drivers and nutters on aeroplanes are a different story. Security
till you buy the software in the store sure thing, that stops other
people. Security that makes me nervous about upgrading my girlfriend's PC
(IE XP product activation) that is not a good thing.

2007\03\24@005528 by Herbert Graf

On Sat, 2007-03-24 at 15:30 +1200, Jinx wrote:
> > I'll go with the vendor that doesn't treat me like a criminal
>
> I don't think this is a monumental stretch - look at all the
> security measures in the world today.

> Tamper-proof lids,

This is a safety issue, someone could die.

> searches at airports,

Again, safety issue, someone could die.

> police booze patrols,

Again, safety issue, someone could die.

> Do you get in high dudgeon (resent strongly) when you're
> stopped by a routine traffic patrol, checking for licence,
> registration etc ?

I don't personally like it, but that would get me arrested, and someone
could die if it wasn't done.

> Push airport security guards away, saying
> there's no need to search me ?

Again, I don't like it, but that would get me arrested, and someone
could die if it wasn't done.

> Don't alarm your house or
> car ?

Actually, neither are alarmed in my case.

> I'm afraid the pendulum has swung towards expecting the
> worst from people and the checks are to make sure they
> didn't, aren't doing or won't do something. Regrettable, but
> I think that's true, and I believe the principle applies to
> theft prevention

It doesn't. EVERY case you've given (except the car/house alarm) are
precautions taken to increase public safety. Our society tolerates a
certain level of "rights abuses" to increase public safety. Sometimes
these efforts go too far IMHO (i.e. not being able to take a nail file
on a plane), but they at least have public safety (or at least perceived
public safety) as a reason for existing.

Adding anti copying measures that remove my rights as a consumer (i.e.
fair use rights for music) are a COMPLETELY different situation, and
none of your examples are IMHO applicable.

Note I have NO problem with efforts that try to prevent copying that do
not remove any of my rights, and won't cause me problems in the future.
A serial number approach is perfectly fine IMHO.

Online activation, dongles and the like are NOT acceptable to me, and I
actively ensure zero of my money goes to ANY product that uses these
tactics.

At work we use several tools with a floating license system. Over the
past few years we have lost HUNDREDS of man hours due to license issues
(i.e. license server going down, new software needing new license
daemon, vendor forgetting to update our license, etc.).

The fact is, no matter WHAT protection you try to put on your product,
it WILL be broken, so why bother going insane with it? Put something
simple to curtail casual copying and leave it at that. Stop wasting my
money on technology that will never work.

The best example is the copy protection on HDDVD and BluRay. They spent
MILLIONS on this technology, money consumers will be paying, and the
system has been breached, quite easily. A HUGE amount of money for
absolutely nothing. Why bother?

Just my opinion. TTYL

2007\03\24@012650 by Jinx

> It doesn't. EVERY case you've given (except the car/house alarm)
> are precautions taken to increase public safety

Herbert and Jake -

Yes, but WHY are those precautions necessary ? Human Behaviour,
that's my point. I'm not comparing the physical acts of drink-driving
to software piracy

> Note I have NO problem with efforts that try to prevent copying that
> do not remove any of my rights, and won't cause me problems in the
> future. A serial number approach is perfectly fine IMHO

Well, that's what Dwayne has to decide. I agree with you about
fair use. ISTR court cases and debate in forums about the inability
to make genuine archive copies because of protection

2007\03\24@032719 by Jake Anderson

Jinx wrote:
>> It doesn't. EVERY case you've given (except the car/house alarm)
>> are precautions taken to increase public safety
>>    
>
> Herbert and Jake -
>
> Yes, but WHY are those precautions necessary ? Human Behaviour,
> that's my point. I'm not comparing the physical acts of drink-driving
> to software piracy
>
>  
But you are saying they should be treated the same.
cops doing random breath tests is needed to stop drink driving.
minor inconvenience to the non-law breaker, major effect towards
improving my life (ie i don't get dead)
needing rectal exam to reinstall XP because i am a geek and keep my GF's
computer on the cutting edge (the fact that i use it for games is beside
the point)?
inconvenience is *far* greater than a RBT, (last time i got tested it
took about 2 minutes, microsoft product activation has wasted several
hours of my life in total so far and i have been driving longer than XP
has been out)

Therefore, my drive to pirate XP is greater than my drive to
drink/drive. (metaphorically speaking)

If it's free I'm not going to steal it.
>> Note I have NO problem with efforts that try to prevent copying that
>> do not remove any of my rights, and won't cause me problems in the
>> future. A serial number approach is perfectly fine IMHO
>>    
>
> Well, that's what Dwayne has to decide. I agree with you about
> fair use. ISTR court cases and debate in forums about the inability
> to make genuine archive copies because of protection
I am going to depend on somebody hacking the crap out of blue-ray and
the like so I can watch HD-DVD's on my Linux HTPC. If I want to pirate a
movie then I'll just download it, same with DVD regioning. Putting copy
protection on the disk itself will *only* penalize legitimate users. If
somebody wants to steal it bad enough they will, and once they have,
everybody else who wants it free will have it within days. For the
record, I watch pretty much only that which i get from free to air TV.
If I do download something it's probably because I missed it on TV.

My suggestion for the OP is to open source it, or make it free as in
beer. The market is small, people are going to be wary of spending cash
on your product and you will get a support headache from customers who
have paid but are just generally crap at using computers. Give it to all
who want it, and then charge them for convenience and the support.
Customers who are hellish before suddenly become A1 best friends, billed
by the hour. Charge for automatic maintenance and feature updates as a
subscription service if you want a retainer.

2007\03\24@034919 by Jinx

> Putting copy protection on the disk itself will *only* penalize
> legitimate users. If somebody wants to steal it bad enough they
> will, and once they have, everybody else who wants it free will
> have it within days

That's why I think a dongle or some hardware dependency isn't
that much of a burden or inconvenience

Certainly consumers have rights, but what about Dwayne's right
not to be ripped off ? If you aren't there already, put yourself in
his place. Exactly how charitable do you think you'd be if sales
dwindled to a fraction of what they should be ? You could turn
from liberal to conservative pretty quickly when it's your money
on the line

A story the other day about a local band - they should be making
a living wage, but an estimated 90% of distribution of their material
is peer-to-peer, for which they get nothing

Forget my other examples. I think they have a common principle
but the point doesn't seem to be getting across

2007\03\24@074750 by Jake Anderson

Jinx wrote:
>> Putting copy protection on the disk itself will *only* penalize
>> legitimate users. If somebody wants to steal it bad enough they
>> will, and once they have, everybody else who wants it free will
>> have it within days
>>    
>
> That's why I think a dongle or some hardware dependency isn't
> that much of a burden or inconvenience
>  
You're right, I have used plenty of pirated software that was supposed to
use a dongle.
(for non profit purposes of course)
Those dongles sure did work well, (well i assume that all the legitimate
purchasers never had a problem with them because the dongle free pirated
version worked fine.)

> Certainly consumers have rights, but what about Dwayne's right
> not to be ripped off ? If you aren't there already, put yourself in
> his place. Exactly how charitable do you think you'd be if sales
> dwindled to a fraction of what they should be ? You could turn
> from liberal to conservative pretty quickly when it's your money
> on the line
>  
Sure thing, but deluding yourself into thinking that copy protection
will provide that is silly.
Use a serial number and perhaps it could just "email in" that it had
been installed. Nothing to stop the installation or anything and if you
are a "dedicated hax0r" you will bypass it. But do not make it hard to
use or you will piss your valid users off.
The people who pirate your software will use it without any of that
licensing stuff in it. So the harder the license scheme the harder it is
on people who have paid for it.
> A story the other day about a local band - they should be making
> a living wage, but an estimated 90% of distribution of their material
> is peer-to-peer, for which they get nothing
>  
Depends on who calculates the 90% I think ;-P.
P2P sharing of stuff that people don't want shared is a bad thing.
That is theft and should be treated as such. With the knowledge that it
is the digital age and the only damage caused is financial.
> Forget my other examples. I think they have a common principle
> but the point doesn't seem to be getting across
>
>  
It is but you don't seem to see why requiring your customers to jump
through some licencing scheme that if you go away means they are left
high and dry is a bad thing.

If Ford went bust you can keep driving your car after its next service.
If Microsoft goes bust nobody with legitimate XP can keep their machine
running through a hardware upgrade.
People who pirate XP won't have a problem though....

2007\03\24@080507 by Jinx

> Use a serial number and perhaps it could just "email in" that it
> had been installed. Nothing to stop the installation or anything
> and if you are a "dedicated hax0r" you will bypass it. But do
> not make it hard to use or you will piss your valid users off.

I think we fundamentally agree that you should make at least some
effort to protect yourself, so I'm debating, not arguing ;-)

You and Herbert are most likely right that a simple registration
scheme would work and that anyone determined to get around
dongles or other protection will do so. Then again, just to debate
a little more ;-), could Dwayne be certain that his product would
actually fall into the hands of a hardware hacker anyway ? Guess
it has to fall into the hands of just one .....

(walks away to get a cup of tea, scratching head, still wondering
why a dongle isn't a viable solution)

2007\03\24@085416 by Jinx

> i have used plenty of pirated software that was supposed to
> use a dongle. (for non profit purposes of course)
> Those dongles sure did work well, (well i assume that all the
> legitimate purchasers never had a problem with them because
> the dongle free pirated version worked fine.)

If you're saying that in your experience dongles are next to
useless, then that's fine. I just thought they may offer a greater
degree of protection. There's no smarts you can put in a dongle
that's unbreakable ?

2007\03\24@090839 by Gerhard Fiedler

Jake Anderson wrote:

>> A variation of this is a web service. If you have a program that can
>> run, you usually can make it run through a web interface. No protection
>> scheme necessary, other than a web site login scheme (which is
>> relatively difficult to crack, and pretty much commonplace). You can
>> charge per time (day, month, year) or per use (with discounts for heavy
>> users).
>>
> I don't think this type of application would run well as a web service,

Why not?

AFAIR, Dwayne said this about the type of product: "It probably has a fair
amount of hobbyist appeal (isolation path G-code generation for PCB
milling)."

I take the following points from this:

- "Hobbyist appeal": Not time-critical ("needs to be done yesterday"), so
the few seconds it takes longer with a web application than with a local
program shouldn't matter. If you really think it needs to be scriptable,
you can provide a simple web API (without much extra work; just document
the steps your page takes to get a file converted). Privacy concerns are
there, but not that big for the hobbyist market. And after all, it's only
the PCB Gerber the user needs to provide (I assume); not a lot of IP value
in this that's worth stealing (if the thief doesn't have the schematic).

- "Isolation path G-code generation for PCB milling": Used for PCB milling.
You (especially as a hobbyist) don't mill a different PCB several times an
hour. Creating a PCB involves a number of steps that take some time, and
the milling itself isn't done in a second either. So the time required to
run a file through a web service (as opposed to running it through a local
app) is IMO not really relevant.

Most potential users have web access, a browser is commonplace, the web
interface is by definition multi-(user)platform, the IP in the software is
as protected as can be... So why not?

Gerhard

2007\03\24@104402 by Byron A Jeff

On Sat, Mar 24, 2007 at 12:55:23AM -0400, Herbert Graf wrote:
> On Sat, 2007-03-24 at 15:30 +1200, Jinx wrote:
> > > I'll go with the vendor that doesn't treat me like a criminal
> >
> > I don't think this is a monumental stretch - look at all the
> > security measures in the world today.
>
> > Tamper-proof lids,
> > searches at airports,
> > police booze patrols,

Others snipped...

{Quote hidden}

The problem is that any such efforts are so trivially broken as to be
worthless.

> Online activation, dongles and the like are NOT acceptable to me, and I
> actively ensure zero of my money goes to ANY product that uses these
> tactics.

So what will you do when all commercial software products employ such
protections?

> At work we use several tools with a floating license system. Over the
> past few years we have lost HUNDREDS of man hours due to license issues
> (i.e. license server going down, new software needing new license
> daemon, vendor forgetting to update our license, etc.).

All the license and protection stuff are certainly a hassle and a nuisance.
You're not the target of such protections, simply the victim.

> The fact is, no matter WHAT protection you try to put on your product,
> it WILL be broken, so why bother going insane with it?

Because the longer the interval between the product being introduced and the
protection broken, the more likely that the company will make money. And as
is being argued in another thread, usually companies are in business to make
money.

> Put something
> simple to curtail casual copying and leave it at that.

Doesn't work. If you curtail casual copying, then high level crackers will
crack that "protection" like an egg. Zero day exploits and all that good stuff.
Closing the protection interval to zero is just like not having protection
at all.

In this area it has become a guilty until proven innocent world. And the reason
is that there are so many guilty parties, that frankly the innocent ones don't
matter anymore.

> Stop wasting my money on technology that will never work.

I firmly believe that if this trend continues, where companies cannot secure
the value of their work, they will simply stop producing the work.

Then what will you do with your money, if there's nothing to spend it on?

> The best example is the copy protection on HDDVD and BluRay. They spent
> MILLIONS on this technology, money consumers will be paying, and the
> system has been breached, quite easily. A HUGE amount of money for
> absolutely nothing. Why bother?

Just because it was done improperly doesn't mean that you stop trying.

> Just my opinion. TTYL

It makes sense. But the system is broken.

BAJ

2007\03\24@105314 by Byron A Jeff

On Fri, Mar 23, 2007 at 05:53:30PM -0600, Dwayne Reid wrote:
> At 02:21 AM 3/23/2007, Philip Pemberton wrote:
>
> >All I'm going to say is, you can generally do what you want, but many
> >customers will actively avoid your product if they feel the licensing method
> >is too obstructive. Don't use Product Activation or anything that modifies
> >hard disc sectors (read: anything like the Macrovision protection systems).
>
> I'm actually quite against any form of copy protection, whether it be
> software or dongle based.  I actively avoid software vendors who
> resort to those measures and assume that many others think as I do.
>
> Instead, I want to try and make the purchaser of the software be able
> to be held accountable should they decide to share with the world.

Understandable. The problem is that they are held accountable even if it's not
their fault. Your software is on their laptop and it gets stolen. What then?

> There is a difference.  Copy protection assumes that all users are
> thieves.  I don't believe that for a moment.

I don't think that's true. Copy protection targets the market segments that
are thieves, either directly (crackers), or indirectly (downloaders of cracked
software).

In neither case does it target legit users, only annoys them.

> That said, there *are* thieves out there.  It is those people whom I
> would like to expose.

But a thief would simply steal from a legit user, exposing the legit user,
not the thief. Little is accomplished.

> More than anything, I am looking at this as a deterrent.  Don't post
> the software on a warez site because bad things will happen if you do.

But you can see the downsides to that approach. In the end you'll be liable
for exposing a legit user that did nothing wrong.

The thief will mislead you because they have no interest in playing fair.

It isn't worth the risk. You'll need to work out another path.

> I see that I have lots of other comments to read through - please
> bear with me as I do so.

Have fun. You started a great discussion.

BAJ

2007\03\24@105633 by Vasile Surducan

On 3/23/07, Dwayne Reid <RemoveMEdwaynerspamTakeThisOuTplanet.eon.net> wrote:
> Good day to all.
>
> Here at work, we may be interested in releasing some software as
> shareware.
snip
> What I do NOT want to see is us sell a few copies of
> this, then not sell any more of them because someone decided to share
> their copy with the whole world.
snip
> How about customizing each copy of the software that is sold to the
> specific purchaser.  Embedded within each purchaser's copy of the
> software is as much personal data as I can gather as part of the
> sale.  That would include their full name, their mailing address and
> phone number.

It seems people understand the word "shareware" in different ways.
In my assumption shareware is free software which could
be paid for by the user if it's found satisfactory or could be not paid for
as well.
Forcing the user to activate his shareware software is often done by
different buttons which must be pushed pseudorandomly, countdown timers
randomly activated, promises of major upgrades for registered copies,
etc.

Once a copy of the software is customisable it's not shareware anymore.

Talking about a dongle with a shareware product becomes hilarious...

Vasile

2007\03\24@112453 by wouter van ooijen

> > Online activation, dongles and the like are NOT acceptable
> to me, and
> > I actively ensure zero of my money goes to ANY product that
> uses these
> > tactics.
>
> So what will you do when all commercial software products employ such
> protections?
> (snip)
> It makes sense. But the system is broken.

I think the reality has to be faced: protecting software the way it was
done yesterday works less and less. So the path for successful software
forks:

1: software that is well-protected (hardware dongle, preferably with
some work done inside the dongle),

2: software that is not really protected but tries to persuade people to
pay anyway (guilty-ware?),

3: really free software, still various forms: GPL (copyleft,
contaminating), really free (BSD and the likes), adware (various forms,
maybe just the name that draws people to your website, maybe
pay-per-click ads like google)

I think the most interesting category is 3.

Proton PICbasic, Eagle, etc seem to fall in category 1. On type 2: I
have used GreenPrint32 for years and years and I love it. I would like
to pay for it, but I can't locate the author..... My Jal compiler is a
type 3, when I started my shop it was one of the things people mentioned
when I asked "how did you find my shop". The Wisp628 is a 2/3
combination: it is free for those who would not buy it anyway, yet sells
well (of course this is much easier for a hardware product than for
software!).

Wouter van Ooijen

-- -------------------------------------------
Van Ooijen Technische Informatica: http://www.voti.nl
consultancy, development, PICmicro products
docent Hogeschool van Utrecht: http://www.voti.nl/hvu



2007\03\24@114613 by Herbert Graf

On Sat, 2007-03-24 at 17:26 +1200, Jinx wrote:
> > It doesn't. EVERY case you've given (except the car/house alarm)
> > are precautions taken to increase public safety
>
> Herbert and Jake -
>
> Yes, but WHY are those precautions necessary ? Human Behaviour,
> that's my point. I'm not comparing the physical acts of drink-driving
> to software piracy

But my point is human society "tolerates" some removal of rights A LOT
more when safety is involved.

Yes, the reason they are necessary is due to human behaviour, but just
like capital punishment isn't used for someone who runs a stop sign, nor
should my rights be violated "as much" when trying to stop someone
copying software as someone driving drunk.

TTYL

2007\03\24@115502 by Herbert Graf

On Sat, 2007-03-24 at 19:49 +1200, Jinx wrote:
> > Putting copy protection on the disk itself will *only* penalize
> > legitimate users. If somebody wants to steal it bad enough they
> > will, and once they have, everybody else who wants it free will
> > have it within days
>
> That's why I think a dongle or some hardware dependency isn't
> that much of a burden or inconvenience

Obviously you've NEVER had to deal with "hardware dependency" problems.
Walk in those shoes and maybe your opinion would shift a little.

> Certainly consumers have rights, but what about Dwayne's right
> not to be ripped off ? If you aren't there already, put yourself in
> his place.

He has every right to do whatever he wants with his software to protect
it. The point is we are in a free market, and if his restrictions are
any more than the competition, I will go to the competition.

How much profit does a developer lose due to wasting money and time on
"protections" that will or have been cracked, customers who never buy
the software because of the "protections", and customers who never go
back to that vendor because of problems they had with the "protections"?

Piracy is WAY overhyped. Every time I see piracy figures they ALWAYS use
the retail value of what was "stolen". It is completely false to state
the figures that way since it assumes EVERY SINGLE pirate WOULD have
purchased the item if they hadn't pirated, which is clearly incorrect.

Every time there is a study on piracy of IP (that isn't financed by the
media companies) the results show that piracy in the end has a VERY
negligible effect on sales, and drops in sales are often directly linked
to other effects (i.e. the movies suck).

Again, people can do whatever they want with their software, I'm just
stating my view on the subject to help them decide on whether they
should waste their time on these things.

TTYL



2007\03\24@115945 by Herbert Graf

On Sun, 2007-03-25 at 00:04 +1200, Jinx wrote:
> a little more ;-), could Dwayne be certain that his product would
> actually fall into the hands of a hardware hacker anyway ? Guess
> it has to fall into the hands of just one .....

Every time I've seen a dongle bypassed it had nothing to do with the
hardware, the hack was accomplished by bypassing or replacing the
"dongle check" in the software, no hardware hacker needed.

If instead you contain some of the "functionality" in the dongle, then
it's likely some hardware "hacking" will be required, but even then a
man in the middle attack in the software layer may be enough to crack
the scheme (depending on how you do things).

Finally, let me add, that very often people crack these things NOT to
pirate, they crack them for the challenge, and just release the result
for fun.

TTYL
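
Added example, not part of the post above: a Python simulation of the three dongle designs it distinguishes (presence check only, a fixed query, work that depends on the user's data), checking which still give correct output when the device is replaced by a check that always passes or by a software layer repeating recorded answers. All class and function names, the secret and the job strings are constructed for illustration; no real dongle API is modelled.

```python
"""Simulation only: each 'dongle' here is a Python object, not real hardware."""
import hashlib
import hmac

ZERO = bytes(32)  # what a stand-in returns when it has no real answer


class SimulatedDongle:
    """Hypothetical device: holds a secret and performs one keyed operation."""

    def __init__(self, secret: bytes):
        self._secret = secret  # in real hardware this never leaves the device

    def is_present(self) -> bool:
        return True

    def transform(self, block: bytes) -> bytes:
        return hmac.new(self._secret, block, hashlib.sha256).digest()


class PatchedCheck:
    """Models a program whose presence check always passes, with no device."""

    def is_present(self) -> bool:
        return True

    def transform(self, block: bytes) -> bytes:
        return ZERO


class RecordedAnswers:
    """Models a software layer that can only repeat answers seen earlier."""

    def __init__(self, device, observed_inputs):
        self._answers = {b: device.transform(b) for b in observed_inputs}

    def is_present(self) -> bool:
        return True

    def transform(self, block: bytes) -> bytes:
        return self._answers.get(block, ZERO)


def presence_only(dongle, job: bytes) -> bytes:
    """Design A: one yes/no branch; all real work lives in host code."""
    if not dongle.is_present():
        raise PermissionError("dongle not found")
    return hashlib.sha256(b"result:" + job).digest()


def fixed_query(dongle, job: bytes) -> bytes:
    """Design B: the device does work, but always on the same input."""
    key = dongle.transform(b"unlock")
    return hmac.new(key, job, hashlib.sha256).digest()


def per_job_query(dongle, job: bytes) -> bytes:
    """Design C: the device's input is derived from the user's own data."""
    return dongle.transform(hashlib.sha256(job).digest())


DESIGNS = {
    "presence_only": presence_only,
    "fixed_query": fixed_query,
    "per_job_query": per_job_query,
}


def evaluate() -> dict:
    """For each design, report whether a stand-in yields correct output
    on a job that was never run while the real device was attached."""
    real = SimulatedDongle(b"constructed-secret")
    old_job, new_job = b"old job", b"new job"
    # Inputs the device was asked about during earlier, legitimate runs.
    observed = [b"unlock", hashlib.sha256(old_job).digest()]
    stand_ins = {
        "patched_check": PatchedCheck(),
        "recorded_answers": RecordedAnswers(real, observed),
    }
    report = {}
    for name, design in DESIGNS.items():
        expected = design(real, new_job)
        report[name] = {
            label: design(stand_in, new_job) == expected
            for label, stand_in in stand_ins.items()
        }
    return report


if __name__ == "__main__":
    for design, outcome in evaluate().items():
        print(design, outcome)
```

A `True` in the report means the design still produced correct output without the device, which is the property a vendor reviewing a scheme would want to be `False`.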

2007\03\24@121017 by Herbert Graf

On Sat, 2007-03-24 at 10:44 -0400, Byron A Jeff wrote:
> > Note I have NO problem with efforts that try to prevent copying that do
> > not remove any of my rights, and won't cause me problems in the future.
> > A serial number approach is perfectly fine IMHO.
>
> The problem is that any such efforts are so trivially broken as to be
> worthless.

What about CSS or ACSS, MILLIONS have been spent on those protection
schemes, they've been broken by 1 or two hackers. Seems the more money
you spend on a scheme, the more people look at it as a target, making it
just as "trivial" as the "trivial" efforts.

> > Online activation, dongles and the like are NOT acceptable to me, and I
> > actively ensure zero of my money goes to ANY product that uses these
> > tactics.
>
> So what will you do when all commercial software products employ such
> protections?

Hehe, easy, I moved to open source. I still run win2k on one of my
machines at work (some software that still needs windows). The list
however has been shrinking and I'm down to two apps I still need windows
for at work. Haven't upgraded to WinXP (can upgrade for free since the
company has the licenses) since it gives me nothing that 2k doesn't.

Aside from that, I run linux on my main machine at work and my machines
at home are both linux. I keep a 2k machine at home for MCU devel tools
like MPLAB.

> > The fact is, no matter WHAT protection you try to put on your product,
> > it WILL be broken, so why bother going insane with it?
>
> Because the longer the interval between the product being introduced and the
> protection broken, the more likely that the company will make money. And as
> is being argued in another thread, usually companies are in business to make
> money.

But how do you make the interval bigger? Spending MUCH more money didn't
work for HDDVD and BluRay (they were cracked MUCH faster than DVD was).

> > Stop wasting my money on technology that will never work.
>
> I firmly believe that if this trend continues, where companies cannot secure
> the value of their work, they will simply stop producing the work.

It will never happen, since despite the number of dishonest people,
there are FAR more honest people out there. If you create an app that is
worth the money you are charging, and curtail simple copying with
something non intrusive, people will pay for your work. It's when the
market disagrees with what you are charging (i.e. VISTA) honest people
will become pirates.

I use mostly open source. I do pay for some apps as long as they work
well and don't go crazy with protections. The industry will survive.

TTYL


2007\03\24@142934 by olin piclist

Herbert Graf wrote:
> Again, people can do whatever they want with their software, I'm just
> stating my view on the subject to help them decide on whether they
> should waste their time on these things.

OK, but what you want has a cost, and in a perfect capitalistic system that
gets passed on in the price of a product.  Let's say there's a piece of
software out there that you would like 3 people at your organization to use
unpredictably for up to a few hours at a time about 3 times/week.  The
software vendor has spent considerable effort to produce some features you
really want that are either not available or considerably more clumsy in
competitive products.  What if there were different prices for different
levels of protection:

$50 - Hardware USB dongle that looks like a small thumb drive.  You download
the software for free or buy the CD for minimal duplication charge, but the
dongle is what you're buying.  The dongle must be plugged into the USB the
whole time the software is running.

$70 - One time web registration so the copy on your computer is node-locked.
The vendor states up front that the license becomes invalid if you change
motherboards or possibly reformat the boot drive.  The registration can be
done online if you have internet access, or via email or via phone.  Once
registered, the software runs forever on that machine without any
interaction with the vendor.

$150 first, $50 additional - Simple unique key you have to type in.  The key
is on a sticker on the CD case.  The vendor ships every CD with a different
key, or you download the software and get a unique key when you pay on the
web page with a credit card.

So what would you do?

#1 - $150.  Buy 3 dongles, totally legal.

#2 - $50.  Buy 1 dongle and share it, totally legal but inconvenient.

#3 - $210.  Three node-locked licenses, more convenient than dongles but
licenses can't be moved to newer machines.  Totally legal.

#4 - $250.  Three CD-key licenses.  No hassle, can be easily moved, totally
legal.

#5 - $150.  One CD-key license and use it on all three machines.

#6 - $0.  Use a CD-key you found on the web.  You weren't really looking to
do this, but you ran across it accidentally and there it is.  Who's ever
going to know?

#7 - something else?

Let's further say the vendor has reasonably accurately adjusted the prices
to cover the loss from theft of each of the license types.  This is
hypothetical, so let's not argue the vendor got it wrong.  I'm asking about
your reaction to such a pricing/licensing scheme.


********************************************************************
Embed Inc, Littleton Massachusetts, http://www.embedinc.com/products
(978) 742-9014.  Gold level PIC consultants since 2000.

2007\03\24@145632 by wouter van ooijen

> So what would you do?
> #1 - $150.  Buy 3 dongles, totally legal.
> #2 - $50.  Buy 1 dongle and share it, totally legal but inconvenient.
> #3 - $210.  Three node-locked licenses, more convenient than
> dongles but licenses can't be moved to newer machines.  Totally legal.
> #4 - $250.  Three CD-key licenses.  No hassle, can be easily
> moved, totally legal.
> #5 - $150.  One CD-key license and use it on all three machines.
> #6 - $0.  Use a CD-key you found on the web.  You weren't
> really looking to do this, but you ran across it
> accidentally and there it is.  Who's ever going to know?
> #7 - something else?

*I* would beg management to buy 3 dongles plus one spare. They would
probably buy 1 and let the techies share it. PC support would probably
argue for three node-locked license, easier for them to manage. The
decision process would carry on forever, so I would either buy one
dongle myself, or use the CD-key I found on the web.

Wouter van Ooijen

-- -------------------------------------------
Van Ooijen Technische Informatica: http://www.voti.nl
consultancy, development, PICmicro products
docent Hogeschool van Utrecht: http://www.voti.nl/hvu



2007\03\24@165510 by Herbert Graf

On Sat, 2007-03-24 at 13:30 -0500, Olin Lathrop wrote:
{Quote hidden}

Personally? #7 - I would seek another vendor. The vendor is treating me
like a criminal, asking me to "pay them off" to get them to stop
treating me like a criminal, so I'd go elsewhere.

On top of this they've already wasted the money developing the dongle,
so that effort is in the price of the software, whether I go for a
"dongle" license or not.

I have a feeling that a person CAN'T understand this issue until they've
been impacted by it. Dongles/activation seem SO simple on paper, and
99.5% of the time there are zero problems. However, it's when something
DOES go wrong that things go down the crapper.

I HATE wasting my time figuring out compiler bugs. Wasting time because
of licensing issues like this is 10 times worse than trying to figure
out compiler bugs in my book. Why? Because bugs in software are not (I
would assume) put into the product purposely. These sorts of protections
ARE put in purposely to punish people trying to do something wrong,
instead more often than not they punish the people PAYING you for your
software, and the vendors KNOW (or SHOULD know) that it will hurt their
customers.

Don't get me wrong, software vendors have a hard choice to make, what's
the better solution:
- kill sales, piss off customers but pretty much ensure you're not at
all pirated
- lose sales that probably would have never BEEN a sale, don't piss off
your customers

It seems simple, but it's not. I'm just trying to ensure that any
software vendor here understands what these issues look like to the
paying customer treated like a criminal and wasting hundreds of hours
solving issues that should, in my opinion, not be there at all.

TTYL

2007\03\24@170553 by Vasile Surducan

On 3/23/07, Jinx <joecolquittEraseMEspam.....clear.net.nz> wrote:
> > Ideas?  Comments?

Don't write software. You have better to do with your life.

2007\03\24@180959 by Jinx

> > > Ideas?  Comments?
>
> Don't write software. You have better to do with your life.

Haha, after going cross-eyed with some convoluted code last
night, very late last night, you might be on to something. Maybe
it's time to resurrect that dream of being An International Man
Of Mystery

Luckily for most of us we don't have to worry (too much) about
s/w being stolen from PICs. I don't envy Dwayne and his decision

2007\03\24@183331 by olin piclist

Herbert Graf wrote:
> Personally? #7 - I would seek another vendor.

OK, but you don't get something for nothing.  You don't just get to wave a
magic wand and say you're going with another vendor without it costing.
After I sent that message I realized I should have added two more options:

#8 $50/week - Don't get any software.  This costs in lost productivity and
employees nagging you to get the ACME software they've all heard about.
It's easy for them to say since it's not their money.

#9 $25/week - Find some open source software that's sort of good enough.  The
cost is in decreased productivity and the employees spending time grumbling
about how the #$!#$*! boss is too cheap to get the ACME software instead of
this crap.  Again, it's not their money so they only see their own
frustration.

So I guess you're going with #9.  This costs less initially but you'll have
spent the $250 for three totally hassle free licenses in 2 1/2 months.  2
1/2 months is a rather short ROI plus it keeps the employees happy.  Care to
revise your business decision now that more facts are available?

> The vendor is treating me
> like a criminal, asking me to "pay them off" to get them to stop
> treating me like a criminal

No, they're just passing on their costs.  You could have chosen option #4,
the three CD key licenses for $250.  This meets your concerns as you've
stated them, so obviously it's just about money despite all the bravado to
the contrary.  The vendor gave you that option, but you decided the cost
wasn't worth it.

Think of it this way:  The price for everything you wanted was $250.  The
vendor offered you discounts in return for certain restrictions.  That was
merely a business proposal, not treating you like a criminal.  You turned
down the offer.  Fair enough, but don't go complaining that they didn't have
what you wanted.  They did, but you didn't want to pay for it.  It's purely
a matter of money.

> On top of this they've already wasted the money developing the dongle,
> so that effort is in the price of the software, whether I go for a
> "dongle" license or not.

You don't know that.  The cost could be completely accounted for in the
dongle only license price.  However it doesn't matter how the vendor arrived
at their price.  From your point of view it is what it is, and you can only
accept or reject it.


********************************************************************
Embed Inc, Littleton Massachusetts, http://www.embedinc.com/products
(978) 742-9014.  Gold level PIC consultants since 2000.

2007\03\24@194710 by Herbert Graf

On Sat, 2007-03-24 at 18:33 -0400, Olin Lathrop wrote:
> Herbert Graf wrote:
> > Personally? #7 - I would seek another vendor.
>
> OK, but you don't get something for nothing.  You don't just get to wave a
> magic wand and say you're going with another vendor without it costing.

Ok, what the heck are you talking about? When did I say anything about
getting something for nothing? I would GLADLY go with another vendor
that cost the same, or even more, as long as their "protections" don't
cause risk to what I'm doing.

{Quote hidden}

Olin, WHY are you putting words in my mouth? For something I'm doing
professionally I would have zero hesitation paying for software (and
have paid for software in the past), where did I say I was against
paying for software?

If there is an open source option I will investigate it, but I won't go
for something simply because it's free, it has to be of a similar
quality as a commercial application (and there are a lot of open source
options out there that are easily as good as commercial apps, often
better. A perfect example is apache).

The fact that you are automatically equating: open source=crap software
tells me that you are not very familiar with open source, and therefore
I think it's a little irresponsible of you to comment on that portion of
the software world.

For my personal life I actually seek out open source, mostly to know
what's out there, and for the educational aspects of getting some of
these apps working. It can be frustrating at times, but in the long run
can be VERY rewarding. My usefulness in my current job has been greatly
increased due to my familiarity with the open source world (my company
has been switching almost completely from solaris to linux).


> > The vendor is treating me
> > like a criminal, asking me to "pay them off" to get them to stop
> > treating me like a criminal
>
> No, they're just passing on their costs.  You could have chosen option #4,
> the three CD key licenses for $250.  This meets your concerns as you've
> stated them, so obviously it's just about money despite all the bravado to
> the contrary.  The vendor gave you that option, but you decided the cost
> wasn't worth it.

No, it's the principle of the thing, I don't know where you get the idea
I'm against paying for software. The fact is, this $250 is STILL paying
for the development of that dongle protection, so I'm not interested in
paying at all for software that makes me pay for protections that don't
work and hurt the people giving THEM money.

> > On top of this they've already wasted the money developing the dongle,
> > so that effort is in the price of the software, whether I go for a
> > "dongle" license or not.
>
> You don't know that.  The cost could be completely accounted for in the
> dongle only license price.  However it doesn't matter how the vendor arrived
> at their price.  From your point of view it is what it is, and you can only
> accept or reject it.

And I rejected it because the company will use my money to develop their
dongle crap.

Again, I've wasted HUNDREDS of hours due to issues like this, as a
result I will avoid any company (as much as possible) that uses crap
like that. People always say "vote with your dollars", why are you
attacking me because that's exactly what I do?

TTYL

2007\03\24@201307 by Jinx

> And I rejected it because the company will use my money to
> develop their dongle crap
>
> Again, I've wasted HUNDREDS of hours due to issues like this,
> as a result I will avoid any company (as much as possible) that
> uses crap like that.

Herbert, you seem to be really down on dongles. What was the
nature of your bad experience ? Is it a problem you see with
dongles per se or was it you unfortunately got burned by poor
design(s) ? Obviously everyone wants to steer clear of crap, but
can you tar every dongle with the same brush ?

When you say "as much as possible", that would be some reluctant
acceptance of the fact that sometimes it's unavoidable to use things
you don't like. So what qualities do you look for and what assurances
would you insist on ? I ask out of personal interest, not to put you
on the spot or make you justify any decisions

2007\03\24@204323 by Herbert Graf

On Sun, 2007-03-25 at 12:12 +1200, Jinx wrote:
> > And I rejected it because the company will use my money to
> > develop their dongle crap
> >
> > Again, I've wasted HUNDREDS of hours due to issues like this,
> > as a result I will avoid any company (as much as possible) that
> > uses crap like that.
>
> Herbert, you seem to be really down on dongles. What was the
> nature of your bad experience ? Is it a problem you see with
> dongles per se or was it you unfortunately got burned by poor
> design(s) ?

No clue, have seen quite a few dongles just "stop". On top of that is
new OS's not working with the dongles (and the company not releasing new
drivers since the software I'm using is "no longer supported"),
companies only offering lpt dongles (despite that port being gone from
most PCs), poor drivers (problems like what people here have described
with regards to ICD2 drivers). The BIGGEST issue is you have to hope and
pray that the company continues to exist. Have encountered problems with
dongles and then discovered the company went belly up, so zero support.
All of a sudden the thousands of dollars we've spent on a piece of
software, and the hundreds or thousands of man hours spent learning the
software, is down the drain.

> Obviously everyone wants to steer clear of crap, but
> can you tar every dongle with the same brush ?

Yup. Since they are easily bypassed or cracked (try a google search on
pretty much any "dongle software", you'll find many have easy cracks to
get around) what is their point? They don't really stop piracy, they
have a REAL chance of pissing off your customers, why bother?

> When you say "as much as possible", that would be some reluctant
> acceptance of the fact that sometimes it's unavoidable to use things
> you don't like. So what qualities do you look for and what assurances
> would you insist on ?

The only way I'd go with a piece of software that had insane
restrictions on it is if there was no other equally functioning option.
Unfortunately there are a few cases where we've had to do this.

> I ask out of personal interest, not to put you
> on the spot or make you justify any decisions

No problem, but trust me, if you had as many issues with "protections"
on software as I've had, your opinion would at least be closer to mine.

TTYL

2007\03\24@213750 by Byron A Jeff

On Sat, Mar 24, 2007 at 12:10:15PM -0400, Herbert Graf wrote:
> On Sat, 2007-03-24 at 10:44 -0400, Byron A Jeff wrote:
> > > Note I have NO problem with efforts that try to prevent copying that do
> > > not remove any of my rights, and won't cause me problems in the future.
> > > A serial number approach is perfectly fine IMHO.
> >
> > The problem is that any such efforts are so trivially broken as to be
> > worthless.
>
> What about CSS or ACSS, MILLIONS have been spent on those protection
> schemes, they've been broken by 1 or two hackers. Seems the more money
> you spend on a scheme, the more people look at it as a target, making it
> just as "trivial" as the "trivial" efforts.

Herbert,

I still think that most of those protection schemes are generated by novices
who think they know the process. That's why they are so easily broken.

{Quote hidden}

I'm an Open Source guy too. But many believe that it doesn't have value if
it's actually free.

> Aside from that, I run linux on my main machine at work and my machines
> at home are both linux. I keep a 2k machine at home for MCU devel tools
> like MPLAB.

I'm completely Linux based for my PIC toolchain. Tools including gputils,
JAL, NPCI (my own HLL), picprg, linwload (used with Wouter's WLoader),
various Python pieces, and pkp from pikdev are all in my toolkit to various
degrees of use. The last time I used MPLAB was when it was running on DOS
well over 10 years ago.

{Quote hidden}

I'm reading the HDDVD thread now. Again it was cracked due to stupidity.
Specifically leaving a decrypted key in memory for anyone to see.

It really doesn't matter how tightly one locks up one's house if they leave
all the keys on the stoop, does it?

> > > Stop wasting my money on technology that will never work.
> >
> > I firmly believe that if this trend continues, where companies cannot secure
> > the value of their work, they will simply stop producing the work.
>
> It will never happen, since despite the number of dishonest people,
> there are FAR more honest people out there.

Here's where I disagree. As I stated in another post, people's honesty is
directly coupled to their opportunity. While there are clearly honest folks,
and clearly dishonest folks, most fall into the situational ethics category,
where they'll do something dishonest if there's little risk and an easy
opportunity. In short if the options are pay for something legally or get
it free illegally, many in this group will choose the latter. They'll only
consider paying if that's the only easy option.

Funny enough though this same group of folks would even consider taking even
a stick of gum from a store without paying for it.

> If you create an app that is
> worth the money you are charging, and curtail simple copying with
> something non intrusive, people will pay for your work.

No. One of the dishonest folks will crack it and release a cracked version,
giving the gray area group a choice. At that point most won't pay.

> It's when the
> market disagrees with what you are charging (i.e. VISTA) honest people
> will become pirates.

The price point is somewhat of a factor. If you make it convenient and cheap,
some of those folks will pay for convenience. However if copying is simple,
you'll quickly be competing against free cracked copies of your own code. The
race becomes how easy is it to locate the cracked copy.

> I use mostly open source. I do pay for some apps as long as they work
> well and don't go crazy with protections. The industry will survive.

Open Source foregoes the software selling profit model. There's limited money
in it.

A different protection scheme is needed. And no matter what it is, there's
going to be some inconvenience to legit users.

BAJ

2007\03\24@222151 by Herbert Graf

On Sat, 2007-03-24 at 21:37 -0400, Byron A Jeff wrote:
> I still think that most of those protection schemes are generated by novices
> who think they know the process. That's why they are so easily broken.

I'd have to partially disagree. I can't believe that technologies like
ACSS and HDCP were "generated by novices". I'm certain, given the money
spent, that MANY experts were involved.

However, being used for what they are used for, they are HUGE targets,
and attract MANY people trying to defeat them.

I think of it kinda like the "superbugs" we have these days. Out of
millions or billions of bacteria, if only ONE survives an antibiotic
"attack", it will reproduce and multiply, creating a "superbug". It's
similar with protection schemes that have such a large scope, all it
takes is ONE person to get lucky and break it, then it's all over.

> > Aside from that, I run linux on my main machine at work and my machines
> > at home are both linux. I keep a 2k machine at home for MCU devel tools
> > like MPLAB.
>
> I'm completely Linux based for my PIC toolchain. Tools including gputils,
> JAL, NPCI (my own HLL), picprg, linwload (used with Wouter's WLoader),
> various Python pieces, and pkp from pikdev are all in my toolkit to various
> degrees of use. The last time I used MPLAB was when it was running on DOS
> well over 10 years ago.

My problem is my addiction: I'm addicted to using the ICD2 for my PIC
work. ICD2 support under Linux is quite poor. While there are some
software packages that support programming some (perhaps most) devices,
I don't believe there is much (if any) debug support. At home I run a
win2k virtual machine just for this reason.

Other MCU vendors are even worse however, I don't believe Freescale,
Luminary or Cypress parts have any Linux support, either from the
manufacturer or third parties. It's for that reason that I have to keep
that virtual win2k machine available.

> > But how do you make the interval bigger? Spending MUCH more money didn't
> > work for HDDVD and BluRay (they were cracked MUCH faster than DVD was).
>
> I'm reading the HDDVD thread now. Again it was cracked due to stupidity.
> Specifically leaving a decrypted key in memory for anyone to see.
>
> It really doesn't matter how tightly one locks up one's house if they leave
> all the keys on the stoop, does it?

Your analogy is incomplete. It would be more appropriate to say: the
house is locked, the problem is they had to give out keys to a bunch of
people. ONE of those people left the keys in their unlocked car.

The fact is there will ALWAYS be a way to break something created by
humans. The fact that I as a consumer am paying for these efforts ticks
me off.

> > I use mostly open source. I do pay for some apps as long as they work
> > well and don't go crazy with protections. The industry will survive.
>
> Open Source foregoes the software selling profit model. There's limited money
> in it.

I don't think so. Redhat is making TONS of money selling and supporting
open source software.

Linksys/Cisco has made CRAPLOADs of money selling the WRT54 series of
routers due to their open source nature (LOTs of geeks have bought these
routers specifically due to the fact it's open source).

Despite the FUD that commercial software vendors claim, money CAN be
made with the open source model, sometimes VERY good money. That said, I
don't believe ALL software should be open source, I have no problem
compensating a vendor for software that is worth the money.
Unfortunately there is A LOT of software out there that isn't worth the
money charged for it.

TTYL

2007\03\24@225840 by Jake Anderson


>
> Despite the FUD that commercial software vendors claim, money CAN be
> made with the open source model, sometimes VERY good money. That said, I
> don't believe ALL software should be open source, I have no problem
> compensating a vendor for software that is worth the money.
> Unfortunately there is A LOT of software out there that isn't worth the
> money charged for it.
>
> TTYL
>
>  
And the problem there is you don't know that until after you have paid
for it :-<

2007\03\25@004548 by William Chops Westfield


On Mar 24, 2007, at 4:47 PM, Herbert Graf wrote:

> I would GLADLY go with another vendor that cost the same, or even more,
> as long as their "protections" don't cause risk to what I'm doing.
>
Sure, if you don't have a couple gigabytes of code that would need
"slight modifications" to work with a different compiler.  One of
the unfortunate aspects of open source compilers (ie gcc) is that
the developers don't seem to have so much motivation to maintain
enough backward compatibility to keep "customers" very happy.  Every
time we upgrade to a new release of gcc, we wind up with an expensive
firedrill where our tools maintenance group gets to patch all the
things we really think we need into the compiler, and the rest of
development engineering gets to patch the product code to fix the
things the new compiler doesn't like that we end up agreeing are
actually wrong.  And of course we can't talk to a "real" compiler
vendor without taking along a list of "special" features that their
compiler has to support before we can even consider looking at it.

Y'all who are careful about version control and archiving ARE doing
the version control on your entire toolset chain, right?

Going to a new compiler usually doesn't mean replacing your old one;
it means you get TWO compilers that you have to support, and pretty
soon you have:

unix<2079> pwd
/router/bin
unix<2080> ls gcc*
gcc.c2.95.3-p10@           gcc.c2.95.3-p12.mips64@
gcc.c2.95.3-p10.68k@       gcc.c2.95.3-p12.ppc@
gcc.c2.95.3-p10a@          gcc.c2.95.3-p12.sh@
gcc.c2.95.3-p10a.68k@      gcc.c2.95.3-p12.solaris@
gcc.c2.95.3-p10a.armelf@   gcc.c2.95.3-p5@
gcc.c2.95.3-p10a.linux@    gcc.c2.95.3-p5.68k@
gcc.c2.95.3-p10a.mips64@   gcc.c2.95.3-p5a@
gcc.c2.95.3-p10a.ppc@      gcc.c2.95.3-p5a.68k@
gcc.c2.95.3-p10.armelf@    gcc.c2.95.3-p5a.armelf@
gcc.c2.95.3-p10a.sh@       gcc.c2.95.3-p5a.linux@
gcc.c2.95.3-p10a.solaris@  gcc.c2.95.3-p5a.mips64@
gcc.c2.95.3-p10.linux@     gcc.c2.95.3-p5a.ppc@
gcc.c2.95.3-p10.mips64@    gcc.c2.95.3-p5.armelf@
gcc.c2.95.3-p10.ppc@       gcc.c2.95.3-p5.mips64@
gcc.c2.95.3-p10.sh@        gcc.c2.95.3-p5.ppc@
gcc.c2.95.3-p10.solaris@   gcc.c2.95.3-p8@
gcc.c2.95.3-p11@           gcc.c2.95.3-p8.68k@
gcc.c2.95.3-p11.68k@       gcc.c2.95.3-p8.armelf@
gcc.c2.95.3-p11a@          gcc.c2.95.3-p8.linux@
gcc.c2.95.3-p11a.68k@      gcc.c2.95.3-p8.mips64@
gcc.c2.95.3-p11a.armelf@   gcc.c2.95.3-p8.ppc@
gcc.c2.95.3-p11a.linux@    gcc.c2.95.3-p9b@
gcc.c2.95.3-p11a.mips64@   gcc.c2.95.3-p9b.68k@
gcc.c2.95.3-p11a.ppc@      gcc.c2.95.3-p9b.armelf@
gcc.c2.95.3-p11.armelf@    gcc.c2.95.3-p9b.linux@
gcc.c2.95.3-p11a.sh@       gcc.c2.95.3-p9b.mips64@
gcc.c2.95.3-p11a.solaris@  gcc.c2.95.3-p9b.ppc@
gcc.c2.95.3-p11b@          gcc.c2.95.3-p9b.solaris@
gcc.c2.95.3-p11b.68k@      gcc.c3.4.3-p1@
gcc.c2.95.3-p11b.armelf@   gcc.c3.4.3-p1.68k@
gcc.c2.95.3-p11b.linux@    gcc.c3.4.3-p1.armelf@
gcc.c2.95.3-p11b.mips64@   gcc.c3.4.3-p1.linux@
gcc.c2.95.3-p11b.ppc@      gcc.c3.4.3-p1.mips64@
gcc.c2.95.3-p11b.sh@       gcc.c3.4.3-p1.ppc@
gcc.c2.95.3-p11b.solaris@  gcc.c3.4.3-p1.sh@
gcc.c2.95.3-p11c@          gcc.c3.4.3-p1.solaris@
gcc.c2.95.3-p11c.68k@      gcc.c3.4.3-p2@
gcc.c2.95.3-p11c.armelf@   gcc.c3.4.3-p2.68k@
gcc.c2.95.3-p11c.linux@    gcc.c3.4.3-p2.armelf@
gcc.c2.95.3-p11c.mips64@   gcc.c3.4.3-p2.linux@
gcc.c2.95.3-p11c.ppc@      gcc.c3.4.3-p2.mips64@
gcc.c2.95.3-p11c.sh@       gcc.c3.4.3-p2.ppc@
gcc.c2.95.3-p11c.solaris@  gcc.c3.4.3-p2.sh@
gcc.c2.95.3-p11.linux@     gcc.c3.4.3-p2.solaris@
gcc.c2.95.3-p11.mips64@    gcc.c3.4.3-p3@
gcc.c2.95.3-p11.ppc@       gcc.c3.4.3-p3.68k@
gcc.c2.95.3-p11.sh@        gcc.c3.4.3-p3.armelf@
gcc.c2.95.3-p11.solaris@   gcc.c3.4.3-p3.linux@
gcc.c2.95.3-p12@           gcc.c3.4.3-p3.mips64@
gcc.c2.95.3-p12.68k@       gcc.c3.4.3-p3.ppc@
gcc.c2.95.3-p12.armelf@    gcc.c3.4.3-p3.sh@
gcc.c2.95.3-p12.linux@     gcc.c3.4.3-p3.solaris

2007\03\25@081611 by olin piclist
Herbert Graf wrote:
> Ok, what the heck are you talking about? When did I say anything about
> getting something for nothing? I would GLADLY go with another vendor
> that cost the same, or even more, as long as their "protections" don't
> cause risk to what I'm doing.

But that's not one of the choices, at least not for the same feature level
of software.  As I said, the best alternate software, which also happens to
be free, costs $25/week in lost productivity and unhappy employees.  I'm
trying to get you to make hard choices just like in real life.  You don't
get to define a new choice where everything is the way you want.

> If there is an open source option I will investigate it, but I won't go
> for something simply because it's free, it has to be of a similar
> quality as a commercial application

As I already said, the next best alternative costs you $25/week.  So what's
your choice?

> (and there are a lot of open source
> options out there that are easily as good as commercial apps, often
> better. A perfect example is apache).

Not in this case.

> The fact that you are automatically equating: open source=crap software
> tells me that you are not very familiar with open source, and therefore
> I think it's a little irresponsible of you to comment on that portion of
> the software world.

I wasn't and I didn't.  This is a single hypothetical case.  In this
instance the open source software is "sort of good enough" as I said, and
costs you $25/week as I also already said.

> No, it's the principle of the thing, I don't know where you get the idea
> I'm against paying for software. The fact is, this $250 is STILL paying
> for the development of that dongle protection, so I'm not interested
> in paying at all for software that makes me pay for protections that
> don't work and hurt the people giving THEM money.

Again you don't know how the dongle development is being paid for, but it
could very well be paid for by the dongle only licenses, which would
actually be a smart way for the vendor to set his prices.  You certainly
have no evidence to the contrary.  Would it change your choice if I
stipulated that the vendor is indeed funding the dongle development only
from the dongle license sales, or would you still not buy the unencumbered
license strictly due to the mere existence of the dongle license?

> Olin, WHY are you putting words in my mouth?

You're being vague and not directly answering the question, so I'm trying to
paraphrase what you are saying in a way relevant to the question posed.
This is hard to do since you haven't directly answered the question.  You're
doing a lot of chest beating but haven't made any hard choices yet.  Stand
up and be counted, then there'll be nothing for me to misinterpret.

> And I rejected it because the company will use my money to develop
> their dongle crap.

OK, so I guess you're saying you're willing to take a $25/week hit and annoy
your employees on the principle that the alternative might fund development
of dongle protection.  I think this is what you're saying, but if I've put
words in your mouth it's only because you haven't clearly answered the
question.  Now would it change your answer if you knew for a fact that the
dongle development was completely paid for by the dongle license sales?

> Again, I've wasted HUNDREDS of hours due to issues like this, as a
> result I will avoid any company (as much as possible) that uses crap
> like that. People always say "vote with your dollars", why are you
> attacking me because that's exactly what I do?

I'm not attacking you, just trying to nail down exactly how you are voting
with your dollars.


********************************************************************
Embed Inc, Littleton Massachusetts, http://www.embedinc.com/products
(978) 742-9014.  Gold level PIC consultants since 2000.

2007\03\25@091529 by Byron A Jeff

On Sat, Mar 24, 2007 at 10:21:49PM -0400, Herbert Graf wrote:
> On Sat, 2007-03-24 at 21:37 -0400, Byron A Jeff wrote:
> > I still think that most of those protection schemes are generated by novices
> > who think they know the process. That's why they are so easily broken.
>
> I'd have to partially disagree. I can't believe that technologies like
> ACSS and HDCP were "generated by novices". I'm certain, given the money
> spent, that MANY experts were involved.

No disagreement there. In fact from the articles that I've read, the
encryption has not in fact been broken.

> However, being used for what they are used for, they are HUGE targets,
> and attract MANY people trying to defeat them.

Where they failed is key management.

> I think of it kinda like the "superbugs" we have these days. Out of
> millions or billions of bacteria, if only ONE survives an anti-biotic
> "attack", it will reproduce and multiply, creating a "superbug". It's
> similar with protection schemes that have such a large scope, all it
> takes is ONE person to get lucky and break it, then it's all over.

But it wasn't luck here. That's where I come back to the novice point. You
can have a tank and it's easily breached if you leave out the keys to open
it. Rule #1 of encryption is key management. Anyone who doesn't take that
into account is in fact operating at the novice level.

I agree about the fact that there will be a concerted effort to break. But
the true failure is the insistence of having software players. It's a heck of
a lot more difficult to circumvent firmware just because of sheer accessibility.


I can't be addicted to something that I haven't taken. I've been working with
microcontrollers and microprocessors as a hobbyist for 20 years. Everything
from Motorola 6802->6809->68K to 8051s to PICs. Most didn't have the hardware
debugging support that the ICD2 offers. So you learn to simulate, to hex dump,
and the like. Hardware debugging is absolutely essential when you have issues
like race conditions and whatnot. But their value for logic errors isn't as
great.

Of course having one debugging tool that can do it all is a great thing. But
tying back to the original theme, it's tough to be forced to do things the
original content provider wants it done. That's why folks like muselix64 who
cracked the keys for HDDVD and Blu-Ray did what he did.

I can't figure out why Microchip has been so secretive about the ICD2 protocol.
They're so open about everything else. And AFAICT they haven't run into any
severe support issues with anything else.

> Other MCU vendors are even worse however, I don't believe Freescale,
> Luminary or Cypress parts have any Linux support, either from the
> manufacturer or third parties. It's for that reason that I have to keep
> that virtual win2k machine available.

Companies have no good reason to support anything other than Windows. I
would not expect them to. What they need to figure out though is that they
can get an additional customer base simply by providing enough documentation
so that someone can generate their own tools. Someone will take up the
task.


In this case it's the software guy that did it. If all HDDVD and Blu-ray
players were firmware embedded, they wouldn't be cracked. But as usual
Microsoft has to get in the middle of it, and they want to insist on how
you can play those disks.

It's the same reason that original DVD was cracked. Folks couldn't abide that
they couldn't play their legally bought DVDs in their legally bought DVD drives
without being forced to use some certain software.

It's a tough problem because the freedom to use your own tools and the
responsibility not to abuse go hand in hand. Companies continue to try to
restrict freedom, and that's why the cracking occurs. But the crackers (or
others that end up with the cracked content) are irresponsible.

And so the battle rages on.

> The fact is there will ALWAYS be a way to break something created by
> humans. The fact that I as a consumer am paying for these efforts ticks
> me off.

I got that. The question remains: Does a company simply give up because
some segment of the population refuses to play fair?

A while back you responded to a post about giving up some freedoms in the
name of public safety. I believe you dismissed this as an apples and gorillas
argument because the public welfare is important enough that giving up some
freedoms is acceptable, while protecting company content isn't nearly so
important.

But what you miss is that attempting to protect that content is absolutely
vital to that company, regardless of how you, the legit paying consumer,
feel about it. You can't get investors if your business plan doesn't show how
you'll try to protect the content.

Also I think ALWAYS may be a bit of a reach. You have to limit the scope of
the question to "Can it be done in a time frame that makes it usable for
the cracker." If I come up with a scheme that takes 18 months to crack,
then I'm in business.

Getting back to the novices who keep attempting to protect content, they're
taking the wrong approach. They keep trying to protect content by obscuring
it: security by obscurity. They need exactly the opposite: shine a spotlight
on it. If I needed to really protect content, then I'd start an X-prize style
contest opening up a cracking competition for whatever scheme I've come up
with. Offer $50k to the first one who can crack the content with the given
player. Require that the cracker explain the process before paying. Give a
limited time frame (say 30 days) to get it done.

I bet after a few iterations with the real motivated experts out in the
field, you'd come up with something that would be difficult enough to pass
muster. I really don't care if you need 10,000 years and a quantum computer
to get the job done because no one has those types of resources. Just get it
to a point where you're not doing something stupid.


> > > I use mostly open source. I do pay for some apps as long as they work
> > > well and don't go crazy with protections. The industry will survive.
> >
> > Open Source foregoes the software selling profit model. There's limited money
> > in it.
>
> I don't think so. Redhat is making TONS of money selling and supporting
> open source software.

Less selling, more supporting, mostly marketing. It's in fact a great example
of the segmentation of the market. Redhat makes very little off students,
hobbyists, and well versed Unix/Linux folks. They download Fedora, support
themselves, and wave nicely at RedHat. The sales and support comes from
companies and middle level managers who feel naked unless they have a finger
to point when things go wrong.

This works in a huge market, where the second segment is large enough to
support your company. But if the pie is small, like in the OP's case, the model
fails. You have to be able to capture part of that first segment simply to
survive. But the first segment is the group motivated to relieve you from
your software without having to pay (either directly by cracking or indirectly
by receiving cracked software). Note that only a handful of companies meet
your requirements. For the average OpenSource project, the profit model tends
towards zero.

> Linksys/Cisco has made CRAPLOADs of money selling the WRT54 series of
> routers due to their open source nature (LOTs of geeks have bought these
> routers specifically due to the fact it's open source).

But that's not a software model. It's an excellent model, but not a software
one. Linksys/Cisco is selling hardware. And each and every hardware company
should embrace OpenSource, because it'll sell more hardware for them, and
give many more innovative uses for that hardware.

Motorola gets it too with their Linux phones. But they are not selling
software. They are selling phones.

> Despite the FUD that commercial software vendors claim, money CAN be
> made with the open source model, sometimes VERY good money. That said, I
> don't believe ALL software should be open source, I have no problem
> compensating a vendor for software that is worth the money.

Unfortunately most of the customer base doesn't feel like you do.

A question: do you financially support OpenSource projects? By this I mean
have you sent a financial donation to an author who wrote something that you
use?

> Unfortunately there is A LOT of software out there that isn't worth the
> money charged for it.

Of course. And that's both in the OpenSource and ClosedSource arenas.

I'm enjoying the discussion. I'm learning a lot.

BAJ

2007\03\25@093403 by peter green


> But it wasn't luck here. That's where I come back to the novice point. You
> can have a tank and it's easily breached if you leave out the keys to open
> it. Rule #1 of encryption is key management. Anyone who doesn't take that
> into account is in fact operating at the novice level.
and rule one of drm is you have to give your customer the decryption key in some form.

software only drm is the weakest, hardware with self destruct systems and encrypted channels (with decryption only happening inside chips with self destruct systems) right to the video output device is the strongest but the keys must be there in some form and with something as widely licensed as hd-dvd or blu-ray it only takes one licensee to fuck up and provide a solution where the keys aren't stored in a secure location (see above comment about self-destruct systems). Furthermore the media must actually be decoded and sent to a playback device, here again one mistake by one licensee and again the cracker has an unencrypted video stream they can copy.


2007\03\25@102345 by Gerhard Fiedler

William ChopsWestfield wrote:

> One of the unfortunate aspects of open source compilers (ie gcc) is that
> the developers don't seem to have so much motivation to maintain enough
> backward compatibility to keep "customers" very happy.  Every time we
> upgrade to a new release of gcc, we wind up with an expensive firedrill
> where our tools maintenance group gets to patch all the things we really
> think we need into the compiler, and the rest of development engineering
> gets to patch the product code to fix the things the new compiler
> doesn't like that we end up agreeing are actually wrong.  

If you don't go with an open source compiler, you can't patch it -- in this
sense this is correct. But then, you could resist the temptation to patch
an open source compiler even if you do use one -- if the patching is not
worth it :)

> And of course we can't talk to a "real" compiler vendor without taking
> along a list of "special" features that their compiler has to support
> before we can even consider looking at it.

See... the "real" vendors don't seem to be a "real" alternative. The
problem doesn't seem to be open source, but the very specific features you
guys need.

Gerhard

2007\03\25@103854 by Peter P.

Some software comes with dongles and that's that. The problem is not the dongle
but the usual compatibility nightmares caused by the vendor requiring a
particular version of OS and other setups. That causes trouble 100% of the time.
That, and old style dongles (parallel) which clash with just about any
nonstandard parallel hardware out there, and often with operating system
drivers. Because of this typically a dongled machine can be used only as a
single-task single-application machine. That puts the cost of a dongled software
equal to the cost of a dedicated computer.

While all license systems are some sort of a hassle, the dongled systems have
all the hassles of non-dongled license systems plus the one described above, and
that's often the last straw. Otoh, dongled software with specific uses (often
bookkeeping and such) does get used a lot, but then the machine is really
dedicated and the data on it is very valuable (besides the software etc).

So dongles are not really bad, and I think that there is hope for a new
'revival' of dongles with USB, which removes some of the idiotic limitations
hardware (parallel) dongles had.

I can vouch for the kind of frustration caused by a faulty dongle. Two weeks of
ordering a replacement, shipping, testing, not working, calling support, being
accused of fraud, clearing that, followed by success after reinstalling twice
(the second time without a fax driver or something like that). During this time
almost $100 changed hands in re-ordering costs, phone, new cable (not necessary)
(the original license did not cost much more than that). Downtime is not counted
here.

With a pure software license system it would have taken less than a business day.

Peter P.


2007\03\25@111214 by Herbert Graf

On Sun, 2007-03-25 at 07:11 -0500, Olin Lathrop wrote:
> Herbert Graf wrote:
> > Ok, what the heck are you talking about? When did I say anything about
> > getting something for nothing? I would GLADLY go with another vendor
> > that cost the same, or even more, as long as their "protections" don't
> > cause risk to what I'm doing.
>
> But that's not one of the choices, at least not for the same feature level
> of software.  As I said, the best alternate software, which also happens to
> be free, costs $25/week in lost productivity and unhappy employees.  I'm
> trying to get you to make hard choices just like in real life.  You don't
> get to define a new choice where everything is the way you want.

Olin, you are CRAFTING a situation to force me to give you an answer you
want. I'm not going to do that. You're talking about "real life", yet
you modified your first post when I gave an answer you "didn't
consider". Is that real life? Some uber creature comes in and changes
the situation at their whim?

I've already said there HAVE been cases where we've had to go with
software that forces certain protections that we don't like, why do you
need more?

> > (and there are a lot of open source
> > options out there that are easily as good as commercial apps, often
> > better. A perfect example is apache).
>
> Not in this case.

A case which ISN'T real life, but instead is something you've created to
get me to say something you want me to.


Specifically you said: "Find some open source software that's sortof
good enough." The way you said it CLEARLY seems to indicate you don't
think there is ever open source software that's as good as closed
source.

It doesn't matter what you MEANT to say, it only matters WHAT you said.

> Again you don't know how the dongle development is being paid for, but it
> could very well be paid for by the dongle only licenses, which would
> actually be a smart way for the vendor to set his prices.  You certainly
> have no evidence to the contrary.  Would it change your choice if I
> stipulated that the vendor is indeed funding the dongle development only
> from the dongle license sales, or would you still not buy the unencumbered
> license strictly due to the mere existence of the dongle license?

Mere existence. There is ZERO chance that none of my money would be used
to fund the "dongle program", no matter what "assurances" are made.
Sales people lie, ALL the time. They will say WHATEVER they can to get a
sale, promising me that my money isn't going to go towards dongle
development is easy to say, impossible for me to prove otherwise, and
worth less than the piece of paper it's written on.

> > Olin, WHY are you putting words in my mouth?
>
> You're being vague and not directly answering the question, so I'm trying to
> paraphrase what you are saying in a way relevant to the question posed.
> This is hard to do since you haven't directly answered the question.  You're
> doing a lot of chest beating but haven't made any hard choices yet.  Stand
> up and be counted, then there'll be nothing for me to misinterpret.

Hehe, you sound like there's a war and I'm a dissenter. I've ALREADY
stated that there have been cases where we've had to go with a vendor
using stupidly restrictive "protections", and that we've been ROYALLY
burned by them. Why do you need me to say I would possibly be put in a
situation where I'd have to make that mistake again?

> > And I rejected it because the company will use my money to develop
> > their dongle crap.
>
> OK, so I guess you're saying you're willing to take a $25/week hit and annoy
> your employees on the principle that the alternative might fund development
> of dongle protection.  

Depends, $25/week is pretty much nothing, so I might be willing to risk
it. Employees will ALWAYS be annoyed, no matter what choice you make, so
that's a non issue. Reason being in the end we'd at least have a tool
that worked well enough (since we'd be able to fix the problems with it
that we encounter) and would never "disappear" because the vendor didn't
like the way we brushed our teeth. OTOH if the cost were higher, or
deadlines tighter, we'd have to consider the other vendor.

> > Again, I've wasted HUNDREDS of hours due to issues like this, as a
> > result I will avoid any company (as much as possible) that uses crap
> > like that. People always say "vote with your dollars", why are you
> > attacking me because that's exactly what I do?
>
> I'm not attacking you, just trying to nail down exactly how you are voting
> with your dollars.

No Olin. I've CLEARLY stated how I'm voting with my dollars.

You're doing what you always do. You've encountered someone who
disagrees with something you seem to be very passionate about. You craft
a theoretical situation, that the person gets around. Then you "recraft"
the theoretical situation to "entrap" the "dissenter", using words like
"real world" and "hard choices" to try and convince that person that
your theoretical situation is happening right now.

You have ZERO interest in seeing my point of view, all you want is to
"win" by getting me to say what you want me to say. That's NOT how
debates are run in my part of the world, and I won't play your game.

You certainly have every right to have your opinion, but to try and
force your opinion on someone in this way is not acceptable to me.

2007\03\25@112942 by Ling SM

>>Here at work, we may be interested in releasing some software as
>>shareware.
>
> snip

Back to the OP question.  I assume that they are for business use.  I
think the situations should be better in US than here on software piracy
in the business setting.  It does not make business sense here to use
pirated software because the price to pay when a disgruntled
(ex)employee makes a report outweighs the benefits many times over.

Under this situation, a simple notice on who the software belongs to,
and a footnote on who to report (with or without) to for the employee if
he/she found that the company does not pay for it shall be good enough.

In this case, distribution in the warez world shall be beneficial for
the product.  But if it is a consumer grade software, the equation shall
be different.

Or just make it a web2.0 product.  Online-based applications.

Cheers, Ling SM

2007\03\25@134648 by Dr Skip

I have dozens of apps and development tools, paid for and legal over the
last 15 yrs +-, that either the company went away, or the product is no
longer supported, or it was bought by a bigger company and its
'technology' became part of a bigger $1000 'suite'. In all cases,
problems occurred because of new OSes, conflicts with other, newer
software, or problems with new hardware and some help or update was
needed. I don't care what the customer is being told, when the board or
the founder decides to sell or close the doors, you will probably get
screwed. End of story.

The bigger vendors and customers enter into code escrow deals. Critical
processes should not be built around small-time PC programs. If you can
manage your margins with a $100 per yr support or renewal fee, and the
vendor raises it to $10,000 per yr, then if it's critical, you're stuck
for some time paying it and YOUR business is in jeopardy. Same thing if
the vendor disappears... Plus all of the retraining expenses.

We look first at open source these days and have been quite happy.
Buying that great tool from some small vendor is our last resort. We
also partition processes out so that one bad vendor could be worked
around and doesn't control everything. It has kept costs down over time,
and our risk exposure is much less.

From a vendor point of view, consider what business you are in. If I
remember, you said you developed something in-house, and now were going
to offer it to others. Do you build widgets, or build software? Two
different businesses, although widget makers seem to think the road to
being a software company is lined with gold! The truth is the road to
Hell is lined with software companies! ;)  If your customers number in
the hundreds or few thousands, you may not get a return on your
investment in support costs, packaging, development, etc, even if it's a
high ticket item.

I also wouldn't believe that piracy is as big as Microsoft would have
you believe. It isn't reasonable to count how many PCs exist, subtract
how many licenses of the latest OS have sold, and conclude the result is
pirated copies and lost revenue. In many cases of actual piracy, the
person couldn't afford it and would not have been a customer anyway. Yes
they're getting the benefit, but it isn't a 'lost sale'. There's also
folks who LIKE the older versions, etc. If it's specialized software,
and the customers are corporations, very few would be looking for hacks
or cracks to steal it. However, it does come down to departments doing
the actual buying and having the need, so if the terms and costs are
onerous, they will find ways to play in any 'gray area' as you may see
it, like sharing copies internally within the department. In many cases
it's a value perception as well - if 3 people use the software on 3
machines for 1 hour per week on different machines, and the 3 machines
are not one machine because it's more convenient to the people involved
to have their own stations, then there is motivation to circumvent
having to buy 2 more $1000 licenses for the others. They still aren't
using it beyond 1 license worth of utility. There is more motivation to
cheat as the arbitrary license terms depart from the benefit it brings
to the customer. In reality, the OS is probably the only piece that
could be rationally protected to ensure each PC had a unique copy. Even
a word processor could be set up on one machine and a process made to
use it only there. It used to be that the logic behind licenses bought
by the company were based on concurrent users. If I set it up on 2
stations - Jim's so he could work on it on Mondays in his office, and
Jane's, so she could work on it in her office and not in Jim's on
Fridays, I'm within one license. It's the company that bought it, and
actually, only getting 2/5 of the potential use of the product. Where
they put it is the customer's business. It COULD be set up on one
station in the hallway, but that's not how we conduct our business.

Somewhere along the line, abject greed set in, and I'm waiting for
license terms that say I can only use it while standing on my head
(perfectly legal to add) or I have to pay more.

IF you're not a software company, and if your 'market' could have
something to add, you might consider releasing it as open source. Your
costs for support and sales and all would not exist, and the payback
would be contributions from customers and others to improve it, which
you then would benefit from in your own core business. There are lots of
variations, including open source and selling support contracts,
variations on maintaining control, controlling derivative works, etc. If
it's a technical audience, it works best too. You will get fixes for
things that haven't even affected you yet in your own house, before they
impact your own business.

You also reinforce the fact that you're a widget company first, and good
enough at it that you can show off some of your internal tools, rather
than a wannabe software company making widgets until you can sell
enough software to get out of that business....

-Skip


2007\03\25@135626 by olin piclist

Herbert Graf wrote:
> Olin, you are CRAFTING a situation to force me to give you an answer
> you want.

No, only one where there aren't easy choices.

> you modified your first post when I gave an answer you "didn't
> consider".

As I said, I did consider it too late.  That was an oversight on my part,
since it provided an easy answer that didn't require you to choose between a
bunch of non-optimal options.

> I've already said there HAVE been cases where we've had to go with
> software that forces certain protections that we don't like, why do
> you need more?

Because that's vague and I wanted an answer to *this* case.  It was
specifically designed to see how far (or not) you and others would go and
what costs you would put up with to avoid various software protection
schemes you are so opposed to.

> Specifically you said: "Find some open source software that's sortof
> good enough." The way you said it CLEARLY seems to indicate you don't
> think there is ever open source software that's as good as closed
> source.

To infer my opinion of open source software from a single hypothetical
example I posed is completely illogical.

> There is ZERO chance that none of my money would be used
> to fund the "dongle program"

Sigh.  I guess I'm just not getting the concept of a hypothetical example
across.


Finally a clear answer.  (clouds part, angels sing, ...)

Frankly this is not what I originally expected you'd say.  I figured you'd
go for the more expensive unencumbered CD-key licenses.  Your aversion to
even the *possibility* of funding the development of stronger protection
schemes despite a clear business advantage on your part amazes me.

For the record, I would have gotten the three CD-key licenses.  The first
one costs more, but then the incremental cost is the same as the dongle
version.  So I'm paying a one time fee to not have to use dongles, which I
personally dislike.  I would also be nervous about the node-locked licenses
because I don't know whether a motherboard or hard disk might die tomorrow.
Of course I might think differently and play the odds with a larger price
spread.  The $50 cost for additional CD-key seats is low enough that it's
not even a temptation to use it on a few more machines later without paying
should the need arise.  I also think the satisfaction of the employees is
important.  Saving $25/week AND reducing their frustration level sounds like
a no-brainer to me.

I still don't get why you are willing to hurt your business to avoid a
software vendor that offers a discounted license with additional
restrictions for those willing to put up with them, when this vendor offers
exactly the kind of license you do want.  It appears to be some sort of
emotional reaction to "teach the software vendor a lesson".  I don't see why
you should care what other products the vendor offers, as long as they have
what you want at a price that works for you.


********************************************************************
Embed Inc, Littleton Massachusetts, http://www.embedinc.com/products
(978) 742-9014.  Gold level PIC consultants since 2000.

2007\03\25@143101 by Derward

Dr Skip,

I agree with you completely.  I want software developers to make money, but
I also want to be protected.
I bought a $12,000 microwave & RF software package from Eagleware in Stone
Mountain Georgia in about 1999, in about 2004 they stopped support.  This
has a parallel port dongle and can't be used with most new machines without
a parallel port or with new software.  Now they have been bought by
Agilent EEsof EDA and that adds to the problem.

I think if you buy a $12,000 package you should get to use it much longer.
This is the type of thing that is leaving a bad taste in the mouth of so
many.



Derward Myrick

2007\03\25@151520 by Philip Pemberton

Jake Anderson wrote:
> Those dongles sure did work well, (well i assume that all the legitimate
> purchasers never had a problem with them because the dongle free pirated
> version worked fine.)

You have to be careful how you implement them - if you do something like:

  if (isDonglePresent()) {
    // run application
  } else {
    // no dongle, error out
    errorMessage("Plug the dongle in!");
    exit(-1);
  }

Then you're not going to defend against anything beyond a kid with a hex
editor and a copy of Ollydbg. If you do something vaguely clever, you have a
better chance.

For instance, say you're protecting a service tool for a mobile phone. Have
the phone do a crypto handshake to negotiate an encryption key with the
service tool. Then you have a public key on the phone, and a private key in
the dongle. To actually do anything, the dongle signs the command block and
the phone checks the signature. If your RSA (or DSA, or ElGamal, or LUC..
etc.) key is big enough, breaking it will become less a function of 'how many
machines do I need?' and more a problem of 'how many years do I have left
before the Sun burns out?'.

In this case, breaking the public key (on the phone) with factoring is
infeasible, and breaking into the dongle to get the key could involve a lot of
mess (resin-encapsulated anti-tamper-coated PCB with battery-backed RAM and
thin wire tamper sensors, anyone?).

Your aim isn't to make it impossible - it's to make it hard enough that the
attacker will crack your competitor's product (or something else entirely)
instead of yours. It's basically the same idea as with car crime and home
security - if you were a burglar, would you break into the house with no
visible security, or the one with the burglar alarm, steel-barred windows and
the dog in the back garden?

--
Phil.                         |  (\_/)  This is Bunny. Copy and paste Bunny
EraseMEpiclistspamphilpem.me.uk         | (='.'=) into your signature to help him gain
http://www.philpem.me.uk/     | (")_(") world domination.
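
The signed-command scheme described in the post above, as an added example that is not part of the original post: the phone issues a fresh nonce, the dongle signs nonce plus command block, and the phone itself verifies before acting. Ed25519 from Go's standard library stands in for the RSA/DSA/ElGamal options named in the post; the `Dongle`, `Phone`, `frame` and `NewPair` names and the sample command are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var (
	ErrNoChallenge  = errors.New("no outstanding challenge")
	ErrBadSignature = errors.New("signature check failed")
)

const nonceLen = 16

// frame builds the exact bytes that get signed: a fixed label, the phone's
// fixed-length nonce, then the command block.
func frame(nonce, cmd []byte) []byte {
	msg := []byte("service-cmd-v1")
	msg = append(msg, nonce...)
	return append(msg, cmd...)
}

// Dongle is the only holder of the private key. In hardware the key stays
// inside the tamper-resistant part; only signatures come out.
type Dongle struct{ priv ed25519.PrivateKey }

func (d *Dongle) Sign(nonce, cmd []byte) []byte {
	return ed25519.Sign(d.priv, frame(nonce, cmd))
}

// Phone holds only the public key. The check runs here, on the device being
// serviced, so it does not depend on the integrity of the PC-side tool.
type Phone struct {
	pub     ed25519.PublicKey
	pending []byte // nonce of the outstanding challenge, nil if none
}

// Challenge issues a fresh random nonce and remembers it.
func (p *Phone) Challenge() ([]byte, error) {
	n := make([]byte, nonceLen)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	p.pending = n
	return append([]byte(nil), n...), nil
}

// Execute accepts cmd only if sig covers the outstanding nonce and cmd.
// The nonce is consumed on every attempt, so a captured signature cannot
// be replayed against a later challenge.
func (p *Phone) Execute(cmd, sig []byte) error {
	if p.pending == nil {
		return ErrNoChallenge
	}
	nonce := p.pending
	p.pending = nil
	if !ed25519.Verify(p.pub, frame(nonce, cmd), sig) {
		return ErrBadSignature
	}
	return nil // a real phone would now carry out cmd
}

// NewPair generates a key pair and hands each half to its holder.
func NewPair() (*Dongle, *Phone, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Dongle{priv: priv}, &Phone{pub: pub}, nil
}

func main() {
	dongle, phone, err := NewPair()
	if err != nil {
		panic(err)
	}
	cmd := []byte("READ_CAL 0x10") // constructed sample command
	nonce, err := phone.Challenge()
	if err != nil {
		panic(err)
	}
	sig := dongle.Sign(nonce, cmd)
	fmt.Println("signed command:", phone.Execute(cmd, sig))
	fmt.Println("replayed signature:", phone.Execute(cmd, sig))
}
```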

2007\03\25@152521 by Herbert Graf

On Sun, 2007-03-25 at 12:57 -0500, Olin Lathrop wrote:
> > There is ZERO chance that none of my money would be used
> > to fund the "dongle program"
>
> Sigh.  I guess I'm just not getting the concept of a hypothetical example
> across.

I will not consider a hypothetical example that has no chance of
existing in real life. It's like asking me if I'd consider a vendor

> I still don't get why you are willing to hurt your business to avoid a
> software vendor that offers a discounted license with additional
> restrictions for those willing to put up with them, when this vendor offers
> exactly the kind of license you do want.  It appears to be some sort of
> emotional reaction to "teach the software vendor a lesson".  I don't see why
> you should care what other products the vendor offers, as long as they have
> what you want at a price that works for you.

I already explained that, it's called "voting with my dollars". If I
support a vendor that has these sorts of things, whether I'm directly
paying for them or not, I'm in essence telling the vendor it's OK to
have these things.

Yes, by buying the "CD license" version I would be telling the vendor I
PREFER not to have a dongle, but that is FAR away from stating "I won't
accept a dongle version". By voting with my dollars (and telling the
vendor the reason, which I would) I'm making it VERY clear I won't
tolerate protections which add significant risk to my work.



2007\03\25@153227 by Herbert Graf

On Sun, 2007-03-25 at 20:15 +0100, Philip Pemberton wrote:
> Your aim isn't to make it impossible - it's to make it hard enough that the
> attacker will crack your competitor's product (or something else entirely)
> instead of yours. It's basically the same idea as with car crime and home
> security - if you were a burglar, would you break into the house with no
> visible security, or the one with the burglar alarm, steel-barred windows and
> the dog in the back garden?

Actually it isn't the same, because you are assuming the only people
wanting to crack your scheme are interested in stealing your IP.

This is false. A good number of people have NO interest in stealing the
IP, they simply like the "challenge" of breaking your scheme. They see
it as a game. In the case of your house example such things don't happen
since the chance of getting caught is so high. In the software world the
chance of getting caught is pretty much zero, so many more will be
willing to try cracking your scheme.

CSS was cracked simply because there was no Linux support for playing
DVDs. The person who did it had no real interest in stealing IP, he just
wanted to be able to play back the IP he had rights to on the machine he
chose.

Look at the guy who cracked FairPlay. He wasn't at all interested in
copying songs, if he had been he would have attacked an easier to crack
"competitor". No, he cracked FairPlay since he didn't like it, and liked
the challenge.

These examples however are for VERY big targets, what you describe may
be such a small target that no one will be interested in cracking it, but
don't rely on that, all it takes is ONE person to crack your scheme, if
only just for fun, and the game is up.

2007\03\25@161800 by olin piclist

Herbert Graf wrote:
> I will not consider a hypothetical example that has no chance of
> existing in real life.

I don't think this example is all that far fetched.  Besides the point was
to get people to make some tradeoffs.

> Yes, by buying the "CD license" version I would be telling the vendor I
> PREFER not to have a dongle, but that is FAR away from stating "I won't
> accept a dongle version". By voting with my dollars (and telling the
> vendor the reason, which I would) I'm making it VERY clear I won't
> tolerate protections which add significant risk to my work.

But they don't since you'd be buying the CD-key version.

Oh well, I give up.  This is sounding more and more like a religious
conviction so strong that you're willing to cut off your nose to spite your
face.  It is pointless to discuss religious or fanatical convictions, so
I've got nothing more to say.


********************************************************************
Embed Inc, Littleton Massachusetts, http://www.embedinc.com/products
(978) 742-9014.  Gold level PIC consultants since 2000.

2007\03\25@174059 by William Chops Westfield


On Mar 25, 2007, at 7:12 AM, Gerhard Fiedler wrote:

>
>> And of course we can't talk to a "real" compiler vendor without taking
>> along a list of "special" features that their compiler has to support
>> before we can even consider looking at it.
>
> See... the "real" vendors don't seem to be a "real" alternative.

Sure they are.  "real vendors" are more interested in meeting customer
needs in return for the customers spending their dollars there.  If
you're big enough to dangle a potential couple of thousand seats of
compiler usage in front of a vendor, there's a good chance that they'll
do quite a bit for you...  Smaller companies have similar influence over
smaller compiler vendors.

> The problem doesn't seem to be open source, but the very
> specific features you guys need.
>
In general, they're not "very specific", but rather behaviors that
match older versions of the compiler(s).  As an example, sometime
around 1986, cisco engineers decided that it would be a nice
idea if our version of printf() supported formats like "%i" and "%e"
for Internet and Ethernet addresses, respectively.  That was swell;
C was a language syntax that explicitly didn't include much in the
way of specifications for how libraries behaved...  Somewhat later,
standards organizations decided (probably correctly) that a language
spec with no library spec was ... less than ideal.  People started
to grumble about our printf() not being "standard."  More years went
by and "buffer overflows" became a hot topic, and compiler vendors
implemented CHECKING of the printf() arguments against the format
strings.  That was a nice feature and we wanted to benefit from it,
but of course our arguments didn't match the standard.  So we need
vendors to either support our specific argument sets (yuck) or
support a configurable method of specifying which argument types
go with which format specifiers for which printf-like functions (which
they ought to have done anyway, IMO, since the format string/arg list
concept is so generally useful...)  And more recently we have problems
with the way the preprocessor orders string concatenation WRT other
preprocessor operations like #include.  It was never called out in
the language specifications, but it used to work and now it doesn't.
(you USED to be able to have parts of the path for a #include come
from one string and parts from another string, and now you can't,
as far as I can tell...)

BillW

2007\03\25@180413 by Herbert Graf

On Sun, 2007-03-25 at 16:17 -0400, Olin Lathrop wrote:
> Herbert Graf wrote:
> > I will not consider a hypothetical example that has no chance of
> > existing in real life.
>
> I don't think this example is all that far fetched.  Besides the point was
> to get people to make some tradeoffs.

I don't see why you need me to say I'm willing to make tradeoffs, that's
so obvious it's like proclaiming the sky is blue. Engineering IS about
tradeoffs, it always has been, always will be.

> > Yes, by buying the "CD license" version I would be telling the vendor I
> > PREFER not to have a dongle, but that is FAR away from stating "I won't
> > accept a dongle version". By voting with my dollars (and telling the
> > vendor the reason, which I would) I'm making it VERY clear I won't
> > tolerate protections which add significant risk to my work.
>
> But they don't since you'd be buying the CD-key version.

But they can pose a risk in the future. Who knows what their next
version will be? Maybe they'll drop the "CD key" version since so few
wanted it (or some bean counter was convinced it was causing too much
piracy), and then force all their current customers into the dongle
scheme. Not that far fetched.

> Oh well, I give up.  This is sounding more and more like a religious
> conviction so strong that you're willing to cut off your nose to spite your
> face.  It is pointless to discuss religious or fanatical convictions, so
> I've got nothing more to say.

Hehe, it's funny, you seem to read only the parts of my posts that seem
to prove your point, and nothing else.

I have stated that I would go with the "dongle option" if there was no
other choice. What more do you want?

Yes, I WOULD pay more money for software from another vendor that didn't
use dongles (or other schemes). The reason has NOTHING to do with
religion, it is pure business.

Dongled software can end up costing you A LOT of money, either through
lost time (dongle broken), lack of support for older versions of
software (forcing an upgrade to a later version, costing more money) or
the company disappearing, turning your software into a useless piece of
plastic. Some of these costs can reach infinity if you end up going out
of business because the software you've invested so much time and money
in is now useless to you.

TTYL

2007\03\25@183823 by Jake Anderson


>> Yes, by buying the "CD license" version I would be telling the vendor I
>> PREFER not to have a dongle, but that is FAR away from stating "I won't
>> accept a dongle version". By voting with my dollars (and telling the
>> vendor the reason, which I would) I'm making it VERY clear I won't
>> tolerate protections which add significant risk to my work.
>>    
>
> But they don't since you'd be buying the CD-key version.
>
> Oh well, I give up.  This is sounding more and more like a religious
> conviction so strong that you're willing to cut off your nose to spite your
> face.  It is pointless to discuss religious or fanatical convictions, so
> I've got nothing more to say.
>  
I don't think it is a "religious" viewpoint. He is unhappy with the
environment (IE Dongles) and won't support vendors who use them. His
"belief" is that there is an immediate business case for buying the
locked software, but he would rather support vendors that don't do that
in order to change the long term case. It's like global warming, the
absolute cost of an item may not be reflected in the price you pay today.

2007\03\25@193138 by Gerhard Fiedler

Byron A Jeff wrote:

> For the average OpenSource project, the profit model tends towards zero.

That depends on the model you're using :)

In general, software is not used for its own purpose but to achieve
something (outside the software). So writing the software is mostly not a
goal in itself (like raising carrots would be), but the goal is to
facilitate some other activity. In general, as long as this other activity
achieves its increase in productivity, there is no need to have a profit
model for software.

Gerhard

2007\03\25@195358 by Jinx

> unhappy with the environment (IE Dongles) and won't support
> vendors who use them

I know serial and parallel ports have pretty much disappeared, but
do you think PC hardware may have settled down now ? "For the
foreseeable future" is not forever of course, and OS's change too
["they are improved" ;-))) ]. Will USB be around longer than serial ?
Who can say

2007\03\25@231513 by John Chung

Most open source projects don't earn tonnes of money. If
there was it would be channeled to a selected few
which the rest of the contributors don't get rewarded.
If you are interested, you can get on the transcript
of Theo of OpenBSD and the contribution he gets.
Depressing thought for a developer.

John


--- Gerhard Fiedler <RemoveMElistsEraseMEspamEraseMEconnectionbrazil.com>
wrote:

{Quote hidden}


2007\03\26@045036 by Alan B. Pearce

>> Someone mentioned dongles & co breaking down. I doubt a
>> dongle has any greater or lesser chance of failure than a HDD
>> or mobo that the s/w may be registered to.
>
>Hehe, right, but a MB or HD can be bought about 5 minutes away from me
>for minimal $. The dongle?
>
>> Including (or supplying
>> on request) a back-up dongle would be the answer
>
>So, I just sit on my hands, watch my customers walk away, miss a bunch
>of deadlines, waiting, hoping, the replacement dongle comes, of course
>only after I wait for the next business day to REQUEST the replacement
>dongle?

But if the software is locked to a NIC, HDD or motherboard, you are still
going to have to wait till the next business day to get a new unlock code.

>Sorry, but that is not acceptable to me. Aside from that fact that
>you are FORCING me to pay for the development of a dongle, you are
>GREATLY increasing my risk that the software won't do the job when
>I need it. No thanks. I'll go with the vendor that doesn't treat me
>like a criminal after I give THEM money.

Is it you they are treating like a criminal, or the burglar or employee of
yours that does the actual theft?

Perhaps one way out of this is to have software which will allow a copy to
have a short term trial period where it is fully functional, and then
degrades to limited functionality. I bought a software package recently
where the program works in full mode for 10 days, then reverts to demo mode
(doesn't save, and other limitations) until an unlock code is entered. The
code can take two forms, an online registration, or an off line registration
where you send a code that identifies the machine hardware combination, and
you get sent an unlock code back. Both modes have a means of de-registering
that machine and transferring the licence to another machine. Not ideal if
the hardware goes belly up, but a phone call to the vendor is normally
enough to sort it out. Meanwhile installing the software on the replacement
machine gives 10 days to get the registration reset.
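
The offline registration flow described in the post above, as an added example (not the code of the package mentioned there): a machine code derived from hardware identifiers goes to the vendor, a signed unlock code comes back, and the program runs in full mode for 10 days before falling back to demo mode. The Ed25519 signature, the `MachineCode`, `IssueUnlock`, `LicenseMode` and `Day` names, and the hardware IDs are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base32"
	"fmt"
	"time"
)

type Mode string

const (
	Full  Mode = "full"  // valid unlock code for this machine
	Trial Mode = "trial" // inside the 10-day fully functional period
	Demo  Mode = "demo"  // limited functionality, e.g. no saving
)

const trialPeriod = 10 * 24 * time.Hour

var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// MachineCode is what the user sends to the vendor: a short hash over the
// hardware identifiers, length-prefixed so ("ab","c") differs from ("a","bc").
func MachineCode(hwIDs ...string) string {
	h := sha256.New()
	for _, id := range hwIDs {
		fmt.Fprintf(h, "%d:%s;", len(id), id)
	}
	return b32.EncodeToString(h.Sum(nil)[:10])
}

// NewVendorKey creates the vendor's key pair; only the public half ships
// inside the program.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// IssueUnlock runs at the vendor: it signs the machine code it was sent.
func IssueUnlock(priv ed25519.PrivateKey, machineCode string) string {
	return b32.EncodeToString(ed25519.Sign(priv, []byte("unlock-v1|"+machineCode)))
}

// LicenseMode runs in the program. An unlock code is honoured only if it was
// signed for this machine's code; otherwise the trial clock decides. A clock
// set earlier than the install time gets demo mode, not a longer trial.
func LicenseMode(pub ed25519.PublicKey, machineCode, unlock string, installed, now time.Time) Mode {
	if sig, err := b32.DecodeString(unlock); err == nil &&
		ed25519.Verify(pub, []byte("unlock-v1|"+machineCode), sig) {
		return Full
	}
	if !now.Before(installed) && now.Sub(installed) < trialPeriod {
		return Trial
	}
	return Demo
}

// Day returns a constructed timestamp n days after a fixed sample date.
func Day(n int) time.Time {
	return time.Date(2007, time.March, 26, 9, 0, 0, 0, time.UTC).AddDate(0, 0, n)
}

func main() {
	pub, priv, err := NewVendorKey()
	if err != nil {
		panic(err)
	}
	oldPC := MachineCode("MB-SN-0001", "00:11:22:33:44:55") // constructed IDs
	newPC := MachineCode("MB-SN-0002", "00:11:22:33:44:66")
	code := IssueUnlock(priv, oldPC)

	fmt.Println("day 3, no code:        ", LicenseMode(pub, oldPC, "", Day(0), Day(3)))
	fmt.Println("day 12, no code:       ", LicenseMode(pub, oldPC, "", Day(0), Day(12)))
	fmt.Println("day 12, registered:    ", LicenseMode(pub, oldPC, code, Day(0), Day(12)))
	// Hardware died on day 20: the old code does not fit the replacement,
	// which starts its own 10 days while the vendor resets the registration.
	fmt.Println("replacement, day 25:   ", LicenseMode(pub, newPC, code, Day(20), Day(25)))
	fmt.Println("replacement, re-issued:", LicenseMode(pub, newPC, IssueUnlock(priv, newPC), Day(20), Day(40)))
}
```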

2007\03\26@050501 by Alan B. Pearce

>At work we use several tools with a floating license system.
>Over the past few years we have lost HUNDREDS of man hours due
>to license issues (i.e. license server going down, new software
>needing new license daemon, vendor forgetting to update our
>license, etc.).

Unfortunately this area is one that has forced many software vendors to use
dongles and the like. It is all too easy for a corporation to use more
copies than the licenses they have paid for.

We have floating licenses for Orcad and several other packages. There has
never been any outages due to licence servers going down that I am aware of.
Maybe the machines get replaced on a regular basis, and if so these are done
out of business hours anyway. There have been a couple of instances where
software updates required a new dongle, and some scripts weren't set up
quite right in a change over, but it hasn't been anything like the scenario
you describe.

2007\03\26@052739 by Alan B. Pearce

>> i have used plenty of pirated software that was supposed to
>> use a dongle. (for non profit purposes of course)
>> Those dongles sure did work well, (well i assume that all the
>> legitimate purchasers never had a problem with them because
>> the dongle free pirated version worked fine.)
>
>If you're saying that in your experience dongles are next to
>useless, then that's fine. I just thought they may offer a greater
>degree of protection. There's no smarts you can put in a dongle
>that's unbreakable ?

Grief, go home for the weekend, and you guys have these big discussions I
come back and catch up on ....

My observation of many dongle protected packages is that the dongle has only
a product ID and serial number validation method in them. Then in many cases
the driving software for the dongle is only minimally linked into the host
program so that often all that is needed is to find the link module and
bypass it by substituting any replies that go back to any call points in the
main program.

But for what started this thread, I do wonder if a dongle containing an 18F
or 30F PIC doing a calculation on the data may well be a viable way of doing
things. An 18F would be an obvious candidate as there is a USB version, and
they can be got with reasonably large amounts of RAM, but hits could be
supplemented by I2C or SPI memory for buffers if needed. Then the PC program
becomes a front end to this "computation engine" in the dongle. The dongle
cost could well be low enough that supplying a 2 seat package as the minimum
would not be a hardship - probably a $15 increase on a single seat for the
cost of an additional dongle. This gets around Jake's device failure
objections, and a busy house would have 2 seats available. It may even be
practical to sell additional dongles at $50 apiece if they wanted more than
2 seats.

2007\03\26@061544 by Alan B. Pearce

>> I still think that most of those protection schemes are generated
>> by novices who think they know the process. That's why they are so
>> easily broken.
>
>I'd have to partially disagree. I can't believe that technologies like
>ACSS and HDCP were "generated by novices". I'm certain, given the money
>spent, that MANY experts were involved.

One of the problems with a scheme such as the media protection systems is
that they need to be able to be decrypted on the fly. This implies that some
form of block encryption is needed, with a decryption system easily
implemented in a single chip somewhere late in the media chain. This in turn
restricts the available encryption schemes. Would you be prepared to wait 30
seconds from pressing play to having the DVD start to show the copyright
scheme on screen? People would soon vote with their $ by going for something
else.

Such restrictions on the schemes available must in turn play into the
hackers' hands when it comes to attempting to crack such a scheme.

2007\03\26@063931 by Jinx


> But for what started this thread, I do wonder if a dongle containing an
> 18F or 30F PIC doing a calculation on the data may well be a viable
> way of doing things

That's what I was thinking. DES3 may be overkill, perhaps TEA ?

http://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm

Or whatever. Any form of dynamic and ongoing encryption would
surely deter many hackers, and the PIC itself is reasonably physically
secure

That doesn't address Herbert's concerns of course


2007\03\26@070901 by Victor Fraenckel

Having officially lost sight of the OP's concerns perhaps it might be
beneficial to lurk on some of the forums at:

http://www.cnczone.com/forums/index.php

and see if there is not S/W available that basically does what the OP's
does. In the overall scheme of things, he/she is preaching to a very
tiny audience. I expect that there are plenty of other programs
available to do the CNC stuff the OP's does.

The shareware/software copy protection horse has pretty much been
flogged to death here!

Vic
--

Victor Fraenckel
KC2GUI
victorf ATSIGN windreader DOT com


2007\03\26@071426 by wouter van ooijen

> and the PIC itself is reasonably physically secure

you did read http://www.bunniestudios.com/wordpress/?page_id=40 ?

Wouter van Ooijen

-- -------------------------------------------
Van Ooijen Technische Informatica: http://www.voti.nl
consultancy, development, PICmicro products
docent Hogeschool van Utrecht: http://www.voti.nl/hvu



2007\03\26@071624 by Gerhard Fiedler

Herbert Graf wrote:

> This is false. A good number of people have NO interest in stealing the
> IP, they simply like the "challenge" of breaking your scheme. They see
> it as a game. In the case of your house example such things don't happen
> since the chance of getting caught is so high. In the software world the
> chance of getting caught is pretty much zero, so many more will be
> willing to try cracking your scheme.

Add to this that (AFAIK) in most jurisdictions cracking such a scheme is
not illegal -- illegal would usually be using the cracked product. So the
cracker is mostly free to go after it.

Gerhard

2007\03\26@071955 by Alan B. Pearce

>You also reinforce the fact that you're a widget company first, and
>good enough at it that you can show off some of your internal tools,
>rather than a wannabee software company making widgets until you can
>sell enough software to get out of that business....

Perhaps a good example of this is Linear Technology's SwitcherCAD software -
a full featured SPICE program that they make available for free.

2007\03\26@072617 by Alan B. Pearce

>I still don't get why you are willing to hurt your business to
>avoid a software vendor that offers a discounted license with
>additional restrictions for those willing to put up with them,
>when this vendor offers exactly the kind of license you do want.

That was the bit I couldn't fathom either. If they later go for only dongle
protection you still have the CD key licenses. I guess what you are worried
about is that you then cannot get another seat if they go for only dongle
licenses, but that is still a problem if they go belly up ...

2007\03\26@074132 by Alan B. Pearce

>Yes, I WOULD pay more money for software from another vendor
>that didn't use dongles (or other schemes). The reason has
>NOTHING to do with religion, it is pure business.

They may not use dongles with this version, but how do you know that the
money you just paid them isn't going into development of dongle protection
for the next version?

Seems to me that there is a cleft stick here. You are better off stating
your preference when the vendor offers both types of protection by
purchasing the style you want, thereby voting for more of that protection
style, rather than going with a vendor who has only the one style, and may
change at the next version.

2007\03\26@075048 by Jinx

> you did read http://www.bunniestudios.com/wordpress/?page_id=40 ?

Er, I did now........

Who'da thunk it eh ?

So Microchip need to do a little work on the metal shields then. The
hacked one isn't very old

2007\03\26@075826 by Alan B. Pearce

>> But for what started this thread, I do wonder if a dongle containing an
>> 18F or 30F PIC doing a calculation on the data may well be a viable
>> way of doing things
>
>That's what I was thinking. DES3 may be overkill, perhaps TEA ?

I wasn't thinking that, I was working on the basis that the input data
stream is fed to the PIC in the dongle, the data gets manipulated by the PIC
into the G-code form, and then fed back to the host program to stick in a
suitable file somewhere.

Now none of the relevant calculations that are the basis of the whole
program are done in the easily got at software. They are all hidden in the
dongle, and the data path has to go through the dongle, so there is no way
past it.

2007\03\26@080028 by Alan B. Pearce

>> and the PIC itself is reasonably physically secure
>
>you did read http://www.bunniestudios.com/wordpress/?page_id=40 ?

Yes, but see the message I just posted. I wonder if those in Dwayne's end
user market (or any of the steps between) would have the knowledge to do
that.

2007\03\26@080915 by wouter van ooijen

> So Microchip need to do a little work on the metal shields
> then. The hacked one isn't very old

The problem with both copy protection and war plans is that it is not so
difficult to make perfect preparations for fighting yesterday's battle,
but what you have to face is the hacker / enemy who has tomorrow's
techniques and probably full knowledge of your (today) plans. So after
uChip has done a little work on the metal shields the hacker has to do a
little work on his technique (who knows, maybe home-brew scanning
tunneling microscope?) and we are back at square one.

Wouter van Ooijen

-- -------------------------------------------
Van Ooijen Technische Informatica: http://www.voti.nl
consultancy, development, PICmicro products
docent Hogeschool van Utrecht: http://www.voti.nl/hvu



2007\03\26@082031 by Tamas Rudnai

Most of these solutions are based on public key encryption. You send data
to the dongle, and the dongle encrypts it or signs it with the private key
and sends back the results so your software can check it using the
public key. But then the cracker eliminates this checking mechanism in your
software so it's not even sending the data to the dongle, or is just bypassing
the conditional jumps. Some other dongles decrypt pieces of your code.
That's the situation where crackers usually write a device driver to emulate
the dongle and maybe make some modification to the code as well.

You can make it very hard to crack but can never make it uncrackable. It's
your decision how much money you would like to spend on developing such
stuff, or buying an existing one and then seeing that somebody put the crack
onto the net in the next month or so.

Tamas



On 3/26/07, Alan B. Pearce <RemoveMEA.B.Pearcespam_OUTspamKILLspamrl.ac.uk> wrote:
{Quote hidden}


2007\03\26@084350 by Jinx

> The problem with both copy protection and war plans is that it is not
> so difficult to make perfect preparations for fighting yesterday's battle,
> but what you have to face is the hacker / enemy who has tomorrow's
> techniques and probably full knowledge of your (today) plans

The solution seems to be then that anyone who buys Dwayne's s/w
has to use it in Dwayne's house under Dwayne's supervision ;-)) !!!

2007\03\26@084947 by Alan B. Pearce

>Most of these solutions are based on public key encryptions. You
>send a data to the dongle, and the dongle encrypts it or sign it
>with the private key and sends back the results so the software
>of yours can check it using the public key.

But you missed my point that I was making in the bit you quoted.

My understanding of Dwayne's situation is this.

He has data that he wishes to manipulate to send to a milling machine to
make a 1 off PCB.

He manipulates this data using a program on a PC, to generate the necessary
data stream to drive the mill.

By sending the manipulated data from the PC to the mill, the 1 off PCB is
made, with milled outlines to the tracks.

Now having developed the program, Dwayne wants to distribute it.

My suggestion is to put the calculation engine that converts from the
original data to the milling machine code into the dongle. There is no
encryption/decryption involved. The dongle is part of the data path between
the original clear data, and the clear data fed to the mill machine. The
dongle does all the data manipulation, not the PC program.

By having the dongle do the data manipulation the PC program becomes little
more than a file server/transfer mechanism. The dongle HAS to be present for
the data manipulation to take place, and cannot be bypassed. The PC program
can be copied as many times as anyone likes, but when they disassemble it,
all they will find is a data path that goes from the input file to the
dongle. Then from the dongle to the output file. The output file could be a
disk file or it could be straight to the mill.

2007\03\26@091038 by Tamas Rudnai

Yes, as long as the calculation speed is ok, the arithmetic is precise
enough and there is no need to update the 'calculation engine' it is
possibly the best solution, I agree.

Tamas


On 3/26/07, Alan B. Pearce <RemoveMEA.B.PearceTakeThisOuTspamspamrl.ac.uk> wrote:
{Quote hidden}


2007\03\26@092356 by olin piclist

Alan B. Pearce wrote:
> My suggestion is to put the calculation engine that converts from the
> original data to the milling machine code into the dongle. There is no
> encryption/decryption involved. The dongle is part of the data path
> between the original clear data, and the clear data fed to the mill
> machine. The dongle does all the data manipulation, not the PC program.
>
> By having the dongle do the data manipulation the PC program becomes
> little more than a file server/transfer mechanism. The dongle HAS to be
> present for the data manipulation to take place, and cannot be
> bypassed. The PC program can be copied as many times as anyone likes,
> but when they disassemble it, all they will find is a data path that
> goes from the input file to the dongle. Then from the dongle to the
> output file. The output file could be a disk file or it could be
> straight to the mill.

So PCs are now just GUI engines, clickety-click servers, connections to the
world, and power supplies.  Applications are shipped with their own
processors since they are small and much cheaper than the IP in the
application.


********************************************************************
Embed Inc, Littleton Massachusetts, http://www.embedinc.com/products
(978) 742-9014.  Gold level PIC consultants since 2000.

2007\03\26@102030 by Tomas Larsson

I just hate those "dongles", and here's the reason:
The following scenario is unfortunately very common.

You have specialized controllers installed in x number of locations.
In order to service these controllers, changing parameters etc, you need a
lap-top with some specialized SW.
This software, although it's not very expensive, say $1500 for each license,
is protected by a parallel port dongle (Aladdin HASP). Now, considering that
each service engineer needs to have one license, it starts to multiply.

The software itself has not been developed for the past 10 years or so,
it's basically still a WIN 3.11 SW with some tweaks to run in an NT/XP
environment.

You would probably say "go for something else", but that is basically
impossible, since there is nothing that can replace the current system.

Now, you need to replace the lap-tops since they are getting old, and you'll
find out that the new lap-tops do not have an lpt-port anymore.
You then call the SW vendor and ask him what to do.
Then you get the answer: You need to buy new licenses for each "seat" and
then you'll get a USB dongle instead, because we don't have any exchange
policy on the dongle.

You end up buying the same software twice, just because the vendor is
big enough to do whatever he wants, and he knows that nothing can replace
his controllers/SW.



With best regards

Tomas Larsson
Sweden
http://www.tlec.se
http://www.ebaman.com
http://www.ktl.mine.nu
http://www.naks.mine.nu
Excellent and cheap hosting, use http://www.servage.net/?coupon=cust23962
Verus Amicus Est Tamquam Alter Idem

2007\03\26@102739 by Alan B. Pearce

>So PCs are now just GUI engines, clickety-click servers, connections
>to the world, and power supplies.  Applications are shipped with
>their own processors since they are small and much cheaper than
>the IP in the application.

Well, if a web application is used, then all the PC is doing is being a GUI
interface ;)

And for a lot of things these days, on many people's desks the PC isn't doing
much more than I am suggesting. Think in terms of a front end to an SQL
database somewhere else, a means of getting at email on a corporate server,
a means of displaying something got from somewhere out on the web, if Google
and others have their way it will be a front end for all office applications
...

The way we (as in us engineers) use PCs as an instrument in their own right
is a very small percentage of the way the world works.

2007\03\26@121723 by Aaron



Jake Anderson wrote:

{Quote hidden}

Jake,

So saying it is non-profit makes it acceptable to pirate software?  I'm
sure the original poster, targeting the hobby market, is trying to
prevent just that!

Aaron

2007\03\26@134524 by Robert Rolf

Olin Lathrop wrote:
{Quote hidden}

And with the capacity of some of the newer processors,  why not?
Then he'd have yet another product to sell. USB dongles with lots of horsepower
to implement copy protection <G>.

And ironically, the very people who would WANT to use Dwayne's software
are the ones most likely to have the tools to crack it/reproduce it
(circuit designers).

R

2007\03\26@151310 by Dwayne Reid

At 05:05 AM 3/26/2007, Victor Fraenckel wrote:

>http://www.cnczone.com/forums/index.php
>
>and see if there is not S/W available that basically does what the OP's
>does.

I haven't spent much time there but one of my co-workers has - both
there and elsewhere.

It's why we wound up developing this in the first place - it seems
that the only good isolation path G-code tools were part of the
expensive machines (T-Tech, LKPF) and not available elsewhere.

However, we are not averse to finding something else.  I'll continue looking.

Our situation is this: we have a toolchain that allows us to process
the output from our CAD system into a form that allows us to use a
small CNC mill to make simple prototype circuit boards.  Part of that
toolchain is software that we wrote because we couldn't find anything
to do that job.

I'd be content to just keep this in-house.  It serves our needs.

However, I spend a fair amount of time on mailing lists where it
seems that many people are having difficulty in coming up with a
similar toolchain.

So: my thought was to have our software guy spend a significant
amount of time in putting the software into a form that others can
easily use.  We don't need to do this if we just keep this as an
in-house process.  It's clunky and darn-right user-unfriendly but it
gets the job done.

So: if I want to let this out for others to use, it has to be
polished up and whatever little niggles that currently exist need to
be weeded out.  That costs money - that person could be / should be
working on other paying projects.  We would want to recover at least
a portion of those costs.

Here's where what I call "copy protection" comes in.

If we do release this to the public, I would want to do so in such a
way that each copy of the software is tied to the person who purchased it.

I'm thinking of something like how Steve Gibson (GRC) has dealt with
Spinrite: each copy of the software is custom-compiled with
personally identifying information for its purchaser.

Someone mentioned the model I'm thinking of: "Guiltyware".  Sort of:
"Shame on you if you stole this".

This has been an interesting discussion.  I've certainly been exposed
to ideas that I had not considered and I am grateful for all of the
comments.  Keep them coming <grin>.

dwayne

--
Dwayne Reid   <EraseMEdwaynerspamspamspamBeGoneplanet.eon.net>
Trinity Electronics Systems Ltd    Edmonton, AB, CANADA
(780) 489-3199 voice          (780) 487-6397 fax

Celebrating 22 years of Engineering Innovation (1984 - 2006)
 .-.   .-.   .-.   .-.   .-.   .-.   .-.   .-.   .-.   .-
    `-'   `-'   `-'   `-'   `-'   `-'   `-'   `-'   `-'
Do NOT send unsolicited commercial email to this email address.
This message neither grants consent to receive unsolicited
commercial email nor is intended to solicit commercial email.
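
The per-purchaser stamping described in the post above, as an added example that is not part of the original message and not Spinrite's or any vendor's actual scheme. It assumes the vendor appends a purchaser record to each sold build and tags it with HMAC-SHA256 under a key that never ships; the marker, field names and sample values are hypothetical and constructed.

```python
import base64
import hashlib
import hmac
import json

MARKER = b"--PURCHASER-STAMP--"  # hypothetical delimiter around the record

def make_stamp(vendor_key: bytes, purchaser: dict) -> bytes:
    """Vendor side: serialize the purchaser record and tag it."""
    record = json.dumps(purchaser, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(vendor_key, record, hashlib.sha256).digest()
    return MARKER + base64.b64encode(record) + b"." + base64.b64encode(tag) + MARKER

def stamp_binary(binary: bytes, vendor_key: bytes, purchaser: dict) -> bytes:
    """Produce the per-sale artifact: the build plus that buyer's stamp."""
    return binary + make_stamp(vendor_key, purchaser)

def identify_copy(binary: bytes, vendor_key: bytes):
    """Vendor side: attribute a copy found in the wild to its purchaser.

    Returns the record, or None when no stamp is present or the tag does
    not verify. The tag matters for fairness: without the vendor key,
    nobody can re-stamp a copy to point at a different customer.
    """
    parts = binary.split(MARKER)
    if len(parts) < 3:
        return None
    try:
        rec_b64, tag_b64 = parts[-2].split(b".")
        record = base64.b64decode(rec_b64, validate=True)
        tag = base64.b64decode(tag_b64, validate=True)
    except ValueError:  # wrong field count or invalid base64
        return None
    expected = hmac.new(vendor_key, record, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(record)

# Constructed sample values, for illustration only.
SAMPLE_KEY = b"vendor-secret-kept-off-the-shipped-binary"
SAMPLE_PURCHASER = {"name": "Example Buyer", "order": "ORDER-0001"}
SAMPLE_BUILD = b"\x00constructed-program-image\x00"

if __name__ == "__main__":
    sold = stamp_binary(SAMPLE_BUILD, SAMPLE_KEY, SAMPLE_PURCHASER)
    print(identify_copy(sold, SAMPLE_KEY))
```

Verification happens only on the vendor's side, so the shipped program carries the record and tag but never the key.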

2007\03\26@171532 by Dr Skip

I hate to repeat, but this is a perfect scenario for an open source
variant. By allowing others (with your control) to do things like build
a real user interface, etc, YOU get a really nice piece of software to
use, YOU get the benefit of having it tested and fixed to work in other
environments (possibly ones you may migrate to in the future), YOU don't
have the cost of making it usable, YOU don't have to field support
issues if you don't want to (the community can share in that too), YOU
learn from other programmers with code you already know, and YOU get
feedback and collaboration on how to make it better, rather than having
demanding customers who want fixes NOW...

You can write the terms of the license so that you retain control (see
the various license types such as GPL and others) and even prohibit any
derivative work from being sold or included in anything sold. In some
ways, that's much better than tracking individual copies. For such a
small, close market, if someone were to take your code and include it in
another product, the value of the litigation is much more in your favor
than going after pennies from individual users that may have an illegal
copy. If company X wants it in their product, you SELL them the rights.
Then they handle all of their customers, they sell it, you collect
royalties.

It's a bit like the patent vs trade secret argument. Trade secrets =
closed source and tracked copies, patent = open source. If someone
violates your patent, you go after them, but it's all in the open. If
someone takes your closed code and reverse engineers it or otherwise
makes other use of it (besides using their one copy), it's equivalent to
having lost a trade secret - it's lost. It's much harder to enforce in
law (or prove in most cases), which is why there is so much effort
wasted on 'copy protection' and the like.

If there isn't a profit imperative, you could reduce your internal
support costs and still get a better 'product' by including others with
your same needs to contribute. By formalizing the open license, you
still have recourse to cover whatever reasons you seem to have for
tracking each user (unless it's just curiosity).

-Skip



2007\03\26@173059 by John Dammeyer

Hi Dwayne,

Take a look at how Richard from Imagecraft has done it with a keycode.

John Dammeyer


Automation Artisans Inc.
http://www.autoartisans.com
Ph. 1 250 544 4950



2007\03\26@202217 by Jake Anderson

Aaron wrote:
{Quote hidden}

I'm saying I would never have used the software at all if I had to pay
for it. The seller lost nothing and when I do have money and wish to do
something similar again I will purchase their product because I know how
to use it and I know it does what I want. Asking for $10000 for software
that I will only use for a hobby means that I won't buy it. If it was
$100 then yes but I just don't have the cash to waste. So I either use
their software and tell others how good it is. Or I use a pen and paper.
Either way the seller has lost nothing and has gained reputation.

Anything I do for business is legal. All the copies of XP/Office etc are
above board. (although I now install open office for everyone I can,
"here use this, it's legal and free and will save you about $200" "wow
cool!"). It's a moral code I can live with, don't take anybody's lunch.

2007\03\26@203235 by Gerhard Fiedler

Jinx wrote:

>>> > Ideas?  Comments?
>>
>> Don't write software. You have better to do with your life.
>
> Haha, after going cross-eyed with some convoluted code last
> night, very late last night, you might be on to something.

I think he /is/ on to something :)  Providing solutions (where software may
be a part) is usually a better deal.

Gerhard

2007\03\26@203507 by Gerhard Fiedler

Dr Skip wrote:

> I hate to repeat, but this is a perfect scenario for an open source
> variant.

I hate to repeat, but this is a perfect scenario for a web application :)

Gerhard
