Copy protection schemes in a professional environment

The subject of copy protection, be it for media or software, for customer usage is pretty much a dead horse everybody still loves to beat. Extreme examples of copy protection gone wrong are plenty, both at the technical level (e.g. sony installing rootkits) to law enforcement, just look at the stifling effect the DMCA has had on security research in general.

Of course, from a software or media owner point of view it is understandable to introduce these schemes. People copying your stuff costs at least some money, which is never nice.

Now another angle is the professional software market, especially for smaller companies and niche products. The same problems can theoretically appear, say a small startup builds some great tool, licenses it for a small amount of money as an evaluation to a large company who then never buys a full license and just copies the cheaper product ad infinitum. The main difference between this case and the consumer case is the agreements made between parties. Where a consumer doesn’t sign any legal documents when buying a new cd or some software, companies spend much effort drafting and signing legal agreements that prevent just the above from happening, in the sample above, the smaller company can just start a legal procedure for breach of contract and all will be well (in theory).

Now for some reason this doesn’t lead to any technical alleviation of the urge to add complex copying measures into new software products. Being involved with integration of many, many 3rd party pieces of software into our software platform I have pretty much seen it all. Some of them working ok, some of them utter failures. Roughly speaking there are two groups of copy protection, those that work and you forget about them, and a group that sometimes work and constantly remind you of their existence. In practice, the second group is unfortunately larger than you’d hope for.

Starting with some ‘nice’ schemes, my favorite one is still the time-limited scheme, and then one that doesn’t bother checking if you mess with your clock. You install the software, put a reminder in your calendar a few days before expiry and you’re done, it just works. Why I mention the clock? Sometimes our ntp server has issues and I want to manually fix the clock, even changing the time with a few minutes will typically permanently break the license for my machine, so I have to open a support ticket, spend a few hours to days without the license, all because I didn’t want to be late for lunch again.

A step up in complexity, but still manageable is the mac address based scheme. You send your mac address to the vendor, and you get some license back that works with that mac. Nothing spectacular, and luckily this usually keeps working if you are changing your network settings because you have to run some VMs or connect to a VPN using weird software. The reason I like this less than the time-limited scheme is because my machine can (and will) break every 2-3 years, and it will usually take close to a week to re-license all the bits and pieces of software. Also, the little thing called cloud software is becoming popular, and typically this will break copy-protection software as well.

Another step up and we start running into the realm of broken-by-design software. Let’s start with the online schemes where you license your machine with some online service. You install some software which calculates a hardware id, it negotiates with the remote server and if you’re lucky you can now use the software. That is, if the license service is online, your sysadmin isn’t performing maintenance on the external connection (which of course never should take more than a few seconds downtime but somehow always does), and you’re actually allowed to connect to the outside world using some proprietary protocol on a non-standard port. The only benefit is that this is pretty much the only scheme that could apply for cloud deployments if the vendor supports this, other than that, it sucks.

Then we have to 3rd party 3rd party schemes, where the vendor has bought a ‘solution’ to enforce some copy protection scheme, the most well known is probably HASP. The vendor ticks a few boxes (usually all of them) and the HASP software will disallow usage of their product in many if not most cases. Because the ticks include features like ‘disallow remote desktop’ you usually end up with software which you can’t work on from home and troubleshooting on a server is pretty much impossible (if your problems are more than the HASP software itself). Because many products are SDKs, the likelihood of somebody attaching a debugger to the software are pretty high (I’m one of those developers that prefers a debugger over printf debugging) but of course the ‘don’t allow debuggers attached’ is a common scenario; joy.

Last we have the category of home-brew protection software, here all bets are off. The funniest behavior, for some definitions of funny, I have seen are schemes where the copy-protection code is so buggy that it corrupts its own license file after some use. Another fun example is where the software would do an internal check every 90 seconds, and on some (AMD) processors would randomly fail half the time, so your software would work for 90 seconds, then break for 90, work for 90 etc etc.

Any why all this fuzz? We do have to sign that we won’t leak/share/use documentation, source, binaries outside of the contract agreements, and we’re trusted not to do that, but somehow the software itself is almost always wrapped in another layer of poop to actually prevent us using it. At least in my company we won’t even think of using software that is unlicensed, it can be costly and personally it can mean loss of job, so why would I bother risking that. It just adds to frustration and lots of unnecessary work.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s