To hardware protect or not? [Archive]

View Full Version : To hardware protect or not?

kornalius

09-23-2006, 10:44 PM

Hi,

We are trying to streamline our ordering system and found out the Hardware Fingerprint protection is a little too hard to find in the PIDE*or either too complicated for some users. We realize we are loosing sales because of it too.

Our question is, will it be easier and be more accessible to remove the hardware fingerprint system and just use a regular serial number based on the name of the customer?

We are fully aware that serial #'s will appear on the internet but we plan on releasing updates quite often and scan for possible serial #'s on the internet and deactivate them in every version.

What are you thoughts?

llamatrails

09-23-2006, 11:14 PM

While hardware serials are more secure from your point of view, they are a lot of trouble for folks that upgrade their systems.

With Vista looming on the horizon, and the Apple folks now able to run Windows, I see a lot of people getting more powerful boxes.

Another program that I use, Qimage, forces customers to request a new unlock code every 6 months or so. A link is on their web site to request one when needed.

Maybe a way to handle it would be to have the current version expire in 7 months while forcing new unlocks in 6. This would keep the older versions from being used with older unlocks on the web. It would also make it easier than trying to find all of them on the warez sites.

bmanske

09-24-2006, 02:24 AM

I hope everyone will reply to this and say what you feel. I'm being a bit of a rebel on this one. We try to present a unified front to the users but this is one of my hot buttons. 

I hate (but tolerate) software keys, hardware dongles, DRM systems! At the top of my list is being threatened by Interpole and the FBI before every movie that I watch. I find it insulting when I am forced to sit through these warnings because I have purchased the disk while pirates on the other hand have removed the copy protection and the offending video. In short, only the "good" customers get punished by this system. 

Now that I'm on the other side of the fence as helping provide content, I'd like to see it locked down, but a system of expiring the software every six months only effects the honest people and the people with cracked software aren't touched. We could always spend more time and money making it harder to crack, then that takes resources from efforts to help the people who have paid and again, in effect, punishing them. 

You'll notice that I haven't offered any suggestions. That is because I want to hear from all of you. Please give your thoughts and suggestions to help us achieve a customer friendly balance.

mmtbb

09-24-2006, 03:17 AM

I hardware specific S#, though stronger, has its own problems and frustrations for the honest.

There are online activations which can be considered to a specific email address requiring a return email from user. That can slow down and monitor piracy. But takes know-how (many big companies do this).

S# are the weakest, but less hassle, and if I ever find PPL on a crack site, they're in trouble.

plinydogg

09-24-2006, 04:45 AM

I've gotta say that I tend to feel like bmanske does. Not to plug my own stuff or anything, but I have written several times about overly-stringent copy protection measures. If you're interested, you can see my two cents at:

http://www.pocketpcmag.com/blogs/index.php?blog=27&p
=1168&more=1&c=1&tb=1&pb=1#more1168

Also, see my old blog's post:

http://ppcgems.blogspot.com
/2006/01/android-and-lament-about-its.html

Paul Fielder

09-24-2006, 10:39 AM

I have to say that I'm seriouslly considuring NS basic or even Visual Studio, I started som work with the beta version only to find that now under version 1 it't dosent now work, once patched how much further will I go before I find the next stumbling block. To pay out for software only to find that i'tt dosent work would drive me crazy, I like the idear of the light and standard and pro versions but feel that the light should be able to use the Game API as well so you can harness the full power of PPL if you then want to distribute your application as A standalone app you would then need to buy the standard / pro version to compile in to the Exe.

zehlein

09-24-2006, 12:04 PM

@Paul Fiedler:
this is my opinion too, but I will stick to PPL (at least for quite some time to come) for the following reasons:
*PPL seems to be (given all features work as they should) very powerful
* the developers are really trying hard to catch up on all the bugs
* you get response in this forum instantly (hey you PPL guys, thats a big plus!)
* you can write your programs without the use of an emulator for testing (my machine has its 7 years by now and is not the fastest...)

See thread: http://www.arianesoft.ca/e107_plugins/forum/forum_viewtopic.php?194

@ kornalius:
I know without copy protection you can't set up a software businness, it's a pity. As a user I have to vote for the least annoying procedure. That means I do not want to
* register my product again after every six months or so
* register again after upgrading my computer/ installing on a newly bought one (imagine arianesoft going out of business - my product would be worthless).

After all we all know that there is no protection strong enough to withstand a serious and skillful attack. The more effort you put in your side of the "game", the more you give your customers a hard time by using your product. Conclusion: do what you have to to prevent your software from beeing distributed freely over the net by everyone. But do not a single bit more, as I said, I would consider it useless.
Btw, people who do program theirselves might be a bit more sensitive to that question, i.e. buy the soft even if they could get it for free simply by knowing what a hard work coding is.

So, a bit lengthy the reply uh? But here we are...

MagNet

09-24-2006, 01:49 PM

Whatever you do you can't beat the crackers, they'll always find their way if they want to imo. But I would really remove the hardware fingerprint because it's really annoying to change your computer or something and find out that you have to buy again or contact the support.

I would go with the disabling way or maybe even better, internet checking if the key is valid but still as bmanske said the cracked versions will not be checked and only the legal users will be affected.

I really don't know.

kornalius

09-24-2006, 03:40 PM

Paul:

I understand your concerns, PPL is only at version 1. NSBasic is at 6.5, it's been around for years. PPL need some more time to mature but I can tell you it is pretty mature for a version 1.

You have a 15 days trial for the Pro. This gives you plenty of time to test PPL IMHO. The GameAPI is included (not fully) in the Standard version for a very cheap price. We have to give more in the Pro than just .exe building, that's marketing.

Our support is certainly hard to beat. We are doing our best to make PPL the best.

Version 1.02 is a big improvement in terms of features fixes. In terms of compiler / interpreter bug fixes I basically just fixed your Private() statement issue. The compiler and interpreter are pretty solid right now. In version 1.03 we might just fix a little thing here and there and will certainly not take a week to be released. For version 1.02 we wanted to fix as much as possible in one release.

A programming language as full of features as PPL is a big task and there are so many areas to cover. A language takes time to mature, just check VB, Delphi, C...

When you buy PPL, you are backed by a team that are ever present in the forums, by email too, to make sure you are satisfied and happy.

kornalius

09-24-2006, 03:42 PM

As for the protection question, it looks more and more like we will remove the hardware fingerprint in 1.02 and just deal with a Customer Name and Serial # and monitor the crack sites, P2P and mIrc on a regular basis.

The bottom line is user satisfaction.

zehlein

09-24-2006, 05:54 PM

ack!

MagNet

09-24-2006, 08:58 PM

I'll be checking it for you aswell kornalius!

And I always wondered who's the "team", I know there's you and the guy that develops the PPC stuff and maybe the 2 guys that betatest PPL for a long time... any more?

kornalius

09-25-2006, 01:21 AM

Magnet:

I am the main developer then there is Brad Manske (Main, Editor, VFB and testing), Eric Pankoke (help file and testing), John (GameAPI testing).

Vever

09-25-2006, 07:43 AM

Monitoring of warez sites and P2P is time consuming and you could use your time for code improvements ;) .
On the other hand, I thing good crack can break hardware fingerprint too. It can slow cracking down but you cann't avoid it. And you should monitor them too.
IMHO, I think Name + SN should be enough. It is not so robust but anyway, better protection can be broken too... :( .

frank

09-25-2006, 09:55 AM

If you're using a regular serial number based on customer name, I would buy the pro version today.

Why don't you protect the support forum or the upgrade area? Only registered user can get access to the forum.

* free version - no exe and no support
* standard version - no exe but support in the forum and on an upgrade page
* pro version - exe, support and upgrades

Vever

09-25-2006, 11:55 AM

To frank:
Support for paid PPL only !dodge ? I think it would be problem for some users (e.g. for me). I'm absolute newbie to programming and I've chosen PPL because of its perfect support for free. I don't want to buy Standard od Pro NOW, because I want to learn how to use. But I think I'll buy it, when I get used to it (e.g. because of compiler to .exe). I'd have chosen another language, if PPL support (or PPL itself) had been paid...

kornalius

09-25-2006, 03:30 PM

MagNet

09-25-2006, 04:02 PM

Magnet:

I am the main developer then there is Brad Manske (Main, Editor, VFB and testing), Eric Pankoke (help file and testing), John (GameAPI testing).

Thanks, always wanted to know that.
It's just because of that constant usage of "we".

Monitoring of warez sites and P2P is time consuming and you could use your time for code improvements ;) .

I'm here to help, all the time.

mmtbb

09-25-2006, 04:13 PM

good idea. Of course with every major release, change the serial algo. I'll email you with some other suggestions that won't be too hard to impliment

Vever

09-25-2006, 09:26 PM

To MagNet:
I can help too. And I want to... I can search some basic warez sites but I'm not sure about MS FireWall ... I don't want to have my computer infected with any virus or trojan ...

MagNet

09-26-2006, 09:57 PM

Go search those sites for some better firewall.
Really don't trust the XP firewall, it shouldn't be there, it just makes the illusion that you're safer when you're not :P

DirectDance

09-26-2006, 10:45 PM

What about the existing customers like me? Will you email a new reg-code using my real name to me?

Cheers,
Directdance

kornalius

09-26-2006, 11:34 PM

Customers who have the Pro or Standard version will be contacted with a new Serial # when 1.02 comes out.

phendric

09-27-2006, 05:38 AM

One thing I would never do is lock the forums. However I will probably try to ask for the serial number in the member registration if possible. This way I can offer 1st priority support for paying customer. Just a thought.

Just wondering, since I don't know much about how crackers do their work, but could you implement some type of system so that you have a DB of user names/emails/registration #'s, and as people submit support / upgrade requests, they have to fill out that information?

The plus side of that (and note, this is just me jotting down my thoughts on e-paper :D ) is that people may crack the reg code with some given user name, and post that name/code combination on some warez web site somewhere. However, though people may get that copy of the software, they will not be able to upgrade because they'll submit an email address different than what you have in the DB (or the user name they submit will be one you don't even have in the DB), and so you'll know they're not an authentic user.

Is this idea any good at all?

Phillip

kornalius

09-27-2006, 12:55 PM

The problem with that is that people often use different email addresses. I will try to check the registration # to match the member email address at registration time in the forums. I hope I can add a registration # field in the members database here in the forums.

For email support I will have to try to match the name with a list of paying customers first.

tigme

02-02-2007, 05:42 AM

I employ a keyfile solution. I just distribute the key file to my buyers. This works very well rather than typing in the codes. I would use the users registration details and then generate a key file containing for example:

+------------------------- IPCOMServer ------------------------+
Company: (YOUR COMPANY NAME)
Name : (YOUR NAME)
Email : (YOUR EMAIL ADDRESS)
Country: (YOUR COUNTRY)
License: (YOUR LICENSE TYPE)
Serial : (0004IPCSXXXXXXXX)
<08><19><FC><BF><75><12><8D><70><AA><25><B9><44><8 F><E6><92><8B>
<72><95><CC><8D><1F><4A><99><D5><87><FF><F5><FE><8 B><91><1D><93>
<88><E1><F6><D5><19><E6><56><CA><CC><35><CE><DD><6 2><89><10><05>
<2D><0D><73><75><D0><55><BB><E0><AC><AF><DE><FB><5 C><34><2A><A9>
<CA><F7><FB><46><31><29><DF><55><5B><48><04><5D><8 E><C8><93><55>
<A1><8B><6B><79><5A><11><9F><77><9D><45><21><78><2 2><B5><14><1F>
<C9><71><F7><07><D2><C6><28><EF><77><11><42><B8><5 9><64><EA><AA>
<7F><04><E2><AE><A0><D5><78><1A><1A><A7><58><26><1 9><85><7D><78>
<85><F8><1B><51><28><F5><E1><BC><65><AE><09><1A><E E><56><2B><E0>
<43><3F><52><FB><67><96><BF><82><43><04><3F><DA><0 D><39><C7><92>
+-- TIGME.COM ------------------------------- info@tigme.com --+

The HEX number below is tied with written text at the if user changes anything the key file is corrupt. The hex code is generated by a Blowfish encryption algorithm. It works well, never had any complaints from my few customers. This key file can be embedded into compiled PPL applications making it easier for the developer to trace software to the source. I suppose this can also be cracked but so far it has worked for me.

Anycase it's just an idea. :D

kornalius

02-02-2007, 01:38 PM

Thanks for the idea, however we needed something easy and automatic. Esellerate could provide us with a secure serial # system on each order, eliminating the manual process for each order we get.

Heinz

02-02-2007, 04:22 PM

What about using a dynamic RPN code based on the user name as protection? Most vendors support that system, it is not to hard to implement and for the customer it has the advantage that she/he has no problem when using a new device as long as the user name is the same.

kornalius

02-03-2007, 03:58 AM

That is pretty much what is used now but a lot stronger that just RPN.

Anyway this is an old topic we have been using this serial # system almost since release and people didn't complain so far.