macOS Combatting software piracy (e.g. Little Snitch, etc)

Ambrosia had something where the registration key would expire after a certain length of time and required you to go to their website in order to reobtain it using the credentials you provided at the time of purchase. It seemed to work pretty well.

Alternatively, you could concentrate on making your software worth paying for. If someone wants to pirate, they're going to pirate it. Changing how you obtain a registration key isn't going to stop them.

That sounds like a terrible way to go about copy protection. Whether your program runs or not shouldn't depend on other apps the user is running. Little Snitch is useful for legitimate reasons, it's kind of like using an arc welder where some Krazy Glue would do.

You stand a bigger chance of really pissing off your paying customers by trying to get too cute with schemes like the one you propose. Unless you're making software that is selling for several thousand dollars per unit, it doesn't make a lot of sense to waste your time with anti-piracy measures. Spend that time improving your app and you'll probably see an increase in sales that significantly outweighs the bump you get by fighting pirates.

You should make the effort to keep honest-people, honest. Trying to convince dishonest people to pay for your product is an inefficient use of your limited time/resources. I would certainly demand a full refund if I discovered an app was secretly scanning to see what other software I was running.

Anyone using some tools to avoid paying for software isn't going to pay for your software anyway. If they can't use it without paying, they won't use it. On the other hand, there will be people who were perfectly willing to pay for your software, but if you put any obstacles into their way, they are not going to use the software. You _will_ be losing money by doing this. And you wasted development effort that you could have used to release earlier, do more testing, fix bugs or improve usability.

I don't know what software you are developing, but hopefully, your paying customers outweigh the pirating ones. Whatever the situation is, I think it's better to please your honest customers and not to ruin the user experience (oh dear, I hate this impression!) just to make the pirate's job slightly more difficult.

The most important thing is to remember that most pirates would never get your application if they had to pay for it. You are not necessarily losing as much revenue just because some people choose to use an illegitimate version of your software.

Personally, I can't stand registering multiple times and for me, that just ruins the whole thing.

i know barley anything about programming (even though i kind of had to do it for a year) but couldn't people use apple script to block access to the activation servers if it uses online activation?

please excuse me if that post made absolutely no sense

A, If you're making a game I suggest using steam. They have anti-piracy stuff built into steamworks. If you're making a normal program, there are plenty of existing DRM schemes you could implement.

B, You need to find a balance between protection and and transparency. A CD key will stop most wares but not determined crackers.

It would be trivial for a pirate to circumvent the type of spyware based antipiracy software you propose anyways. I can think of several methods off the top of my head and I'm not even the type of person who avoids paying for software and digital media. Really a waste of time and a good way to lose money by pissing off honest customers.

libraryrat said:

It seems that a lot of Mac users use Little Snitch and similar products to prevent software from phoning home and use stolen serial registration numbers, etc.

For an application, I am thinking about having a separate email/telephone registration process when it's discovered that Little Snitch is present on the user's Mac. I detect that Little Snitch is installed by checking whether the NSURLs returned by

[[NSWorkspace sharedWorkspace] URLForApplicationWithBundleIdentifier"at.obdev.LittleSnitchConfiguration"]
[[NSWorkspace sharedWorkspace] URLForApplicationWithBundleIdentifier"at.obdev.LittleSnitchNetworkMonitor"]
[[NSWorkspace sharedWorkspace] URLForApplicationWithBundleIdentifier"at.obdev.LittleSnitchUIAgent"]

are non-NULL or not. Could somebody who has Intego installed on their machine give me the bundle identifier for their outbound firewall product? (I can't remember what they call it exactly)

What other popular programs are used by Mac users to prevent applications from phoning home?

Thanks!

Click to expand...

I think you're looking at the problem from a wrong perspective. You cannot prevent piracy, full stop.

All copy protection and activation mechanisms achieve only one thing: They punish the customers who have actually paid for your software. Pirates usually don't even see those activation dialogs because they download and install patched versions of your software.

Somebody who does not want to pay for software won't ever give you his or her credit card number just because your software requires activation.

So... Why again do you want to punish those who paid for your product?

I think the right way to approach this problem is to give your customers an incentive to pay for your product. Make them feel good about supporting you instead of giving them the feeling that you don't trust them. Add value to a legal copy. (See e.g. what Infocom did back in the day with their "feelies". Or just give outstanding support. Just think of something.)

GorillaPaws said:

You stand a bigger chance of really pissing off your paying customers by trying to get too cute with schemes like the one you propose. Unless you're making software that is selling for several thousand dollars per unit, it doesn't make a lot of sense to waste your time with anti-piracy measures. Spend that time improving your app and you'll probably see an increase in sales that significantly outweighs the bump you get by fighting pirates.

Click to expand...

This is some of the best advice I've seen on this board in months.

libraryrat, you don't make money by hunting pirates. You make money by making people want to support your products and give you money to this end. (The latter is also much more fun, trust me.)

GorillaPaws said:

I would certainly demand a full refund if I discovered an app was secretly scanning to see what other software I was running.

Click to expand...

Same here.

I'm with the others on this. You can only fight piracy so much and pissing off your paying customers isn't good for your company's image.

C4 had a panel where they discussed piracy for 6 minutes in this 50 minute video. It starts at the 15:40 mark. The talk is C4[2] Shipley: Panel where Wil is the host.

In C4[1] Shipley: Monster Marketing, Wil mentions interesting things to this discussion. See "Be a Software Slut" starting at 25:40-32:00 and the mention of piracy at 44:00-44:56. The whole talk is very interesting.

gee, why don't you try using a hardware dongle?

as that worked so well for Quark, and a few of the other PAID apps that I have had. Frankly, clandestine snooping, and constantly calling "home" is a real annoyance/deterrence for me installing any software that does that. The advice here is good, heed it... although I have my doubts on that.

Spend a LOT less time worrying about piracy, and subsequently degrading the overall experience for your PAYING customers, and MORE time trying to come up with a worthwhile, fairly priced product. Otherwise you make the PAYING customers feel like you don't trust them (and they did trust you enough to spend money on your product). We bought your software product to use. Thats it. If you want to "see" what other products we use, or how often/long we use your product, you are pushing it. We did not pay money and then give you that right as well. If you want to run an information gathering service, fine... GIVE away your software, and just let us know the deal ahead of time. We can opt in, or not...

Overpriced applications, constantly shifting packages (like Adobe does), in my opinion would logically increase the odds of piracy (I would guess). Not sure what apps are the most pirated, or what demographic pirates the most, but I would make an agist guess the ages skews towards the younger. At one point some gaming software companies required the CD to be in, while the app was running from the computer. Better solutions would be requiring an activation key that you would generate and send back, and the enduser would PASTE the key into the activation dialog, as this is not an invasive/intrusive method.

The skallywags & miscreants will always be there, and those folks will not care about your efforts to subvert them, as they will easily dodge most of them. Your legitimate customers however will be suffering from your misguided attempts. Misguided, in that is is a poor use of time/effort/money.
Lookup the RIAA's efforts to stop music piracy online...
-the amount of money spent is huge
-the amount they are ACTUALLY recouping small
-meanwhile they are throwing grannies and kids in jail or hitting them with huge financial judgements

Apple has it right, however many companies do not...
Lower the prices, and the incentive for piracy goes down. iLife sells for $45. Music sold for 99 cents (or did). And, most importantly their apps are worthwhile.

So, what is the name of the application and your company? I want to stay as far away from it as possible.

Sorry to be blunt, but I think you will find most of us here will find your efforts repugnant.

cheers,
michael

libraryrat, my company is in a similar predicament, although we plan to approach the problem differently. You can see some of my posts to this forum to get an idea of the lines I'm thinking along.

We're also seriously concerned about software piracy. We display a EULA to the user and if the user agrees, they give us permission to pretty much do whatever the hell we want and that includes unloading the Little Snitch kernel extension.

We'd rather not disable Little Snitch on the machine, so we're reverse engineering Little Snitch's .xpl format and our plan is to simply just add an always allow rule for our app without bothering the user and inconveniencing them by asking for permission. We may also just add a kernel extension whose soul purpose is to bypass Little Snitch by hooking ahead of it.

I don't like the kernel extension approach because it's very much rootkit-style technology, but it might be necessary since the .xpl format might change in future version of Little Snitch.

It's very risky to bring a Mac OS X product to market given its low market share compared to Windows and piracy only compounds this risk.

Frank

a partial apology...

libraryrat said:

Michael,

This is a programming forum and I somehow doubt that "most" full-time developers will find basic countermeasures to be "repugnant."

In my local iPhone developers group, a lot of people are seriously pissed off about app piracy.

Click to expand...

Listening to your replies, your point sounds a bit more measured...

However obviously you have touched a nerve regarding how much information is gathered, and what is done with it. You only have to read about the stories about the self-regenerating flash cookies (after deletion) to make some of a wee bit leery of "noble intentions". Remember when Google's motto was "don't be evil". lol. Also, lot of people run little snitch or turn to the activity monitor to figure out what the strange slow-downs or bottle necks are, and nothing more. I would think the average bear who routinely pirates software en masse, would rely only something more than little snitch to subvert detection.

I am not claiming this is not an issue, but as an end user I get irked when as a paying customer I get a feeling I am not being trusted. A good example would be in the old days of Quark, when upgrading legitimate serial numbers was always treated with an air of suspicion, and oddly Adobe products were then seemingly unconcerned with copying and had little "safeguards" or schemes to prevent such. The mutual trust and good will between a company and a paying customer should rightfully exist, as those are the ones who ARE paying (so don't punish us for the acts of malfeasance of others). As a paying customer I want to be trusted to "do the right thing" (and am not a fan of "trust but verify" on the sly).

Also, I am a believer in the power of the 99 cent app, or even the $4.99 one.
Angry Birds sold an unbelievable 6.5 million copies with zero advertising. I am sure some additional copies were pirated beyond that, but there legitimate sales are impressive. I also don't mind paying for good software applications that provide value, as I make my living using them (and pay quite a bit for some of them).

Also, pardon my ignorance, but wouldn't you need a jailbroken device to install a pirated app? (I don't know answer to that). Perhaps if the iPhone/iPad apps had demos, maybe the piracy numbers would less. Are we talking... tried it a few times.... or use it every day for years?

Now my apology. I didn't realize that this thread was under programming, which is not a usual haunt for me. The topic was short-cutted to on the main page, and I had thought I was under a different thread topic. Until you pointed it out I didn't realize this was under programming. But even here I sense an initial gut lukewarm reception... and I am guessing that some of these folks are developers as well (unlike me an end user).
peace.
michael

yikes... this is disturbing (a case in point)

frankpuccino said:

...We display a EULA to the user and if the user agrees, they give us permission to pretty much do whatever the hell we want and that includes unloading the Little Snitch kernel extension.
Frank

Click to expand...

And this is exactly why some of us are distrustful. Is a thief going to be bothered by your 8 page, 4pt type EULA? No. However your legitimate customers might indeed be bothered by your cavalier attitude that you can "pretty much do whatever the hell we want". If you are so comfortable with that position as a company perhaps you should include it on your FAQ...

Not saying this is not an issue... but you might want to think about your response and what it says about you as a company.
cheers,
michael

libraryrat said:

In my local iPhone developers group, a lot of people are seriously pissed off about app piracy.

Click to expand...

The problem is that you're assuming that any pirates would have really bought the application. I'm guessing many would have just skipped it. Be careful that you don't kill your user base who does pay trying to make people pay who will never pay.

BTW, I don't let any application phone home from my machine and let Little Snitch block everything. If you're app requires that I'll simply throw it away and look for something else.

frankpuccino said:

libraryrat, my company is in a similar predicament, although we plan to approach the problem differently. You can see some of my posts to this forum to get an idea of the lines I'm thinking along.

We're also seriously concerned about software piracy. We display a EULA to the user and if the user agrees, they give us permission to pretty much do whatever the hell we want and that includes unloading the Little Snitch kernel extension.

We'd rather not disable Little Snitch on the machine, so we're reverse engineering Little Snitch's .xpl format and our plan is to simply just add an always allow rule for our app without bothering the user and inconveniencing them by asking for permission. We may also just add a kernel extension whose soul purpose is to bypass Little Snitch by hooking ahead of it.

I don't like the kernel extension approach because it's very much rootkit-style technology, but it might be necessary since the .xpl format might change in future version of Little Snitch.

It's very risky to bring a Mac OS X product to market given its low market share compared to Windows and piracy only compounds this risk.

Frank

Click to expand...

Any software that I find that does what you're suggesting will never be installed on my machine, any machine of a person I know or any other machine that I have some sort of control over. What you're describing is basically malware at this point and is something that anyone who knows what you're doing will not tolerate. Also keep in mind that if you start silently turning off security measures on someones machine and it leads to them getting hacked and losing valuable information that you could end up being liable.

mdatwood said:

The problem is that you're assuming that any pirates would have really bought the application. I'm guessing many would have just skipped it. Be careful that you don't kill your user base who does pay trying to make people pay who will never pay.

BTW, I don't let any application phone home from my machine and let Little Snitch block everything. If you're app requires that I'll simply throw it away and look for something else.



Any software that I find that does what you're suggesting will never be installed on my machine, any machine of a person I know or any other machine that I have some sort of control over. What you're describing is basically malware at this point and is something that anyone who knows what you're doing will not tolerate. Also keep in mind that if you start silently turning off security measures on someones machine and it leads to them getting hacked and losing valuable information that you could end up being liable.

Click to expand...

mdatwood,

Malware? To some extent, antivirus and security software can be viewed as rootkits, but I wouldn't describe them as malware.

Antivirus companies do stuff like this ALL the time and in the United States at least, this is perfectly legal and fine as long as the user authorizes it.

We ask for authorization before we do anything on the user's machine.

Frank

I agree 200% with mdatwood:

• That way of "protecting" software against piracy is basically making your applications behave as a spyware/malware, such applications have no business being on my computers no matter how functional and useful they may be; not mentioning that your software triggering an online connection is a potential security vulnerability that ill-intentioned hackers could use for an exploit.

• The notion that pirated copies of your work are lost sales is bogus. IMO, at most 1% of pirates would have paid for the app if there were no way to pirate it. On the other hand your approach itself makes you lose sales to people who are concerned about online security.

I fully understand that the 5:1 figure of pirated v. legit copies is upsetting, but there is a way to look at that positively: those 5 pirates actually dig your product, so instead of looking at it as a loss, there might be a way to turn it into an opportunity by providing them an incentive to pay for the product or some other product that you can offer. Your time and energy will be better used in identifying the opportunity instead of going for convoluted and questionable counter-measures.

mdatwood said:

The problem is that you're assuming that any pirates would have really bought the application. I'm guessing many would have just skipped it. Be careful that you don't kill your user base who does pay trying to make people pay who will never pay.

Click to expand...

I agree with this, I bet 80% of those people pirating your app would never have gotten your app if they couldnt pirate it.

Don't spend any time on copy protection. Even if you invent something really fancy it will piss off your existing user base and make it attractive for crackers to see if they can dismantle it. Instead, invest the time in making a good product.

frankpuccino said:

We ask for authorization before we do anything on the user's machine.

Click to expand...

Well that isn't what you said above

frankpuccino said:

...our plan is to simply just add an always allow rule for our app without bothering the user and inconveniencing them by asking for permission. We may also just add a kernel extension whose soul purpose is to bypass Little Snitch by hooking ahead of it.

Click to expand...

What you indicated is that you would just take an action without notifying your customer. Violating a customers security setting is a very serious issue. It should NEVER be done without notification and should have an opt out option. It is the customers machine, not yours.

Frankly, if developers are going to start this kind of draconian action, I think they should hi-light this under their features propaganda. The customer should be made aware of these styles of coding before a purchase, along with negative consequences.

One thing I'd like to here about is your fail over plan. What if your customer does not have an internet connection for a long period (days/weeks/months) of time, or not at all? Does your software fail to work when it can't phone home?

This could be a benefit to competitors who could advertise that a feature of their similar product does not phone home to keep their honest customers continuously honest.

I actually hope you fail with any product that engages in such disgusting and pointless behaviour.

I use Little Snitch for an extra layer of perfectly legitimate security and I can honestly say I haven't pirated ONE SINGLE APP on my mac in about 20 years of using the platform.

Personally I agree with those who would consider any app that did what you are suggesting as malware.

Can you please tell me what apps you make so I can avoid them altogether?

libraryrat said:

It looks like nobody wants to do me a favor and give me the bundle identifiers for Intego and other similar products?

Click to expand...

You are asking posters for assistance in compromising the security of someone's machine, so no.

Coincidentally, I am concerned about my machine getting hacked and am worried about potential buffer overflows in system libraries and services. Could someone please show me how to identify such vulnerabilities in these files (so I can protect myself)?