macOS Combatting software piracy (e.g. Little Snitch, etc)

[mlblacy]

Amen...

I actually hope you fail with any product that engages in such disgusting and pointless behaviour.

Can you please tell me what apps you make so I can avoid them altogether?

Sounds like a chorus here. I guess repugnant was on the mark, lol.

Here's a question... If what you are doing is so on the up-and-up, why don't you simply contact the folks at Little Snitch and ask them? Instead you are trolling about in a forum as a dewey-eyed newb, who has posted exactly once... And to this thread. So end-users are expected to give away the farm with a piece of cr@p Eula.... But developers can skulk around on the sly and ask for tips on how to compromise your end users machines. Sorry, I agree... This is more malware than copy protection. Maybe you would have better luck on the hacker forums.

So, what software apps do you make? It seems we all want to know, and for the same reasons...

Don't alienate your real customers in a misguided attempt to reduce piracy, and clearly both of you are doing that. I am not an expert on the subject, nor as a developer... However I am a seasoned gray beard professional end user, who sees folly in your actions. I sense a bit of bitterness in one of the comments about piracy in regards to developing for the Mac platform. As if Mac folks are more likely to pirate, or their piracy is more impactful. Bull. Frankly, none of us really want to buy software from resentful, arrogant producers. Look up hubris and then look up karma... My two cents.
Cheers, michael

 

[mdatwood]

mdatwood,

Malware? To some extent, antivirus and security software can be viewed as rootkits, but I wouldn't describe them as malware.

Antivirus companies do stuff like this ALL the time and in the United States at least, this is perfectly legal and fine as long as the user authorizes it.

We ask for authorization before we do anything on the user's machine.

Frank

xStep beat me to it, but asking for authorization is not what you originally said. If I click 'Yes' to some 10 page EULA and you start disabling Little Snitch and my OSX firewall (yes I have this prevent all out going connections too) then IMHO, that's malware using social engineering (who reads EULAs?) to get installed.

AV software is very up front about what it's doing, why you're installing it, and would be classed as security software. If I'm installing some text editor and it's silently turning off some of my security that is not okay. Ever.

 

[joeconvert]

It looks like nobody wants to do me a favor and give me the bundle
identifiers for Intego and other similar products?

Why don't you buy a copy and find out?

On our iPhone app, we use UDIDs to get an idea of how bad the piracy
problem is, and for every legit purchase, there are about five pirated
copies. We have talked with other iPhone developers at developer
meetings and piracy in the Mac world is rampant and out of control.

Out of all the people using our iPhone app, less than 20% actually paid
for it. Our app only costs $0.99. We can't sell it for less.
Amazingly, our app is supposedly on the low end of the piracy scale.
I've had one developer tell me that for every person who paid $0.99
for their app, they have more than 100 illegal copies. It's that bad.

UDIDs, eh? You do realize that the iTunes Ts and Cs allow users to install on multiple devices. I am quite sure that the actual "piracy" rate is lower than you think. As far as the 1 to 100 you are quoting form the other developer, I am throwing the flag.

I think you should at least take the feedback you are hearing on this forum. You are getting free market research and it is telling you that you are making a mistake.

 

[thejadedmonkey]

Why not just ping your registration server, and if it doesn't respond, assume that little snitch or another program is running, and start the alternative method of registration?

 

[mdatwood]

UDIDs, eh? You do realize that the iTunes Ts and Cs allow users to install on multiple devices. I am quite sure that the actual "piracy" rate is lower than you think. As far as the 1 to 100 you are quoting form the other developer, I am throwing the flag.

That's a great point that I always forget. I believe the rules are the same as music, up to 5 devices per account. This means a family of 4 will potentially only need to buy 1 copy to install on their iPhones and iTouches, assuming they share their iTunes account.

 

[darkplanets]

I hate to rain on your parade... but you're not going to stop piracy. Ever.

Sony tried, and failed miserably. Remember the Sony DRM rootkits for CDs? SECURom for games? Blueray DRM? Yeah, that worked... not. Blueray was cracked a week before it was even officially released, SECURom was cracked about a month before Spore's release, and Sony got a slap on the wrist for the DRM rootkits.

The point is, no matter what you try, if your app is worthwhile and/or valuable, it WILL be cracked, hacked, or have a keygen. That's just life. As others have said, work more on making your App worthwhile, and forget the complicated anti-piracy measures. Increased app value and worth will generate you more revenue than trying to clamp down on pirates, and won't frustrate and alienate legitimate, paying customers who happen to have the targeted software.

If you implement your anti-piracy measures, you're going to do three things; 1) Waste your time, 2) Alienate legitimate paying customers who have either VirusBarrier X6 (Or Netbarrier X5), or Little Snitch, and 3) give yourself a bad rep (and possibly lose sales) by having obtrusive, spyware-esque software. Not a good plan.

You do, however, seem intent on doing this, so some words of warning. For one, you're going to get into a war of escalation, one that you won't win. Example; here. Some of his licensed products have been undergoing a constant piracy barrage, that is, they find a loophole, he fixes, they find another, he makes it more complicated, they find a workaround, etc. He's always on the offensive, and always losing. It usually takes about a week for his new releases to be cracked. Meanwhile, while you're wasting your time, you aren't improving the app much, and the codebase gets bloated by all the anti-piracy measures you're trying to implement. Not a wise choice. Furthermore, there's some things you should be aware of, [k]'s (cracks), Special K specifically, SerialBoxes, CORE keygens, Bad APE, regular keygens, home-brew cracks, and even easy, conventional fixes.

For example, for CS5, there is an easy workaround to allow non-legitimate serials to be authenticated, and this is from Adobe, a company with far more anti-piracy experience than you. If you're going to rely on Internet authentication, you have to realize that 1) Not everyone will have constant Internet access, and 2) Changing the HOSTS list is easy either via terminal or AppleScript. You want to stop people from blocking your dial-outs, but they can just do this anyways by reverting that call back to 127.0.0.1 via a loopback connection, thus making it appear as if there is no Internet connection to start with.

My advice; stop trying, and focus on your Apps content in order to generate revenue. Furthermore, you have to realize something, which most developers don't get. THOSE WHO PIRATE SOFTWARE ARE NOT LIKELY TO PAY FOR SAID SOFTWARE IF THEY CAN'T PIRATE IT, ESPECIALLY IF THERE ARE ALTERNATIVES. In this day and age there are plenty of alternatives for just about everything, many of which are free and/or readily cracked. Another thing to realize is this; should you make good software, those pirates are more likely to pay for a legitimate copy, that is to say they'll support you if they like it. It's a common mantra among many pirates. There's some market research out there, which I can't find right now, that shows that those who pirate the most (this is for movies and music, mind you) also spend the most per year on legitimate content. As long as you don't encroach on ridiculous pricing (ala CS5), I would say that it's in your best interests to forgo the anti-piracy measures.

EDIT: You also make it seem like piracy on OSX is far worse than Windows... the opposite is quite true. Have a look around on the Internet sometime, and see how many keygen.exe or crack.exe there are in comparison to OSX keygens or cracks; I think you'll be quite surprised.

 

[GorillaPaws]

We don't plan on enumerating all the applications that the user has installed on their machines. We'll only check for the existence of Little Snitch and similar products...

How do you plan on checking for the existence of Little Snitch and other similar apps without enumerating through the array of bundle identifiers, or using an API that does this behind-the-scenes on your behalf?

 

[balamw]

That's a great point that I always forget.

This is true, and in our household we have an iPhone 4, a 3GS and a 3G. Probably an iPad one of these days. Most apps are installed on all three devices. No jailbreaking or piracy, just using the apps per the license. One purchase three devices and thus three UDIDs.

However, the point I wanted to add is: Isn't TomTom and maybe some other apps licensed to a single device via downloadable content, subscription or some other means, yet it is still sold in the App store.

As others have said, focus on making the app easy to buy and worth buying in the first place and focus less on technological means of preventing piracy. You won't win.

B

 

[Peter Maurer]

We'd rather not disable Little Snitch on the machine, so we're reverse engineering Little Snitch's .xpl format and our plan is to simply just add an always allow rule for our app without bothering the user and inconveniencing them by asking for permission.

Depending on how you present this to the user, it might be okay with him.

But reverse-engineering Little Snitch instead of trying to find a solution in cooperation with Ob-Dev... wow. You're setting yourself up for a race against Little Snitch updates, as any successful uncaught change to their data is obviously a security risk from their point of view.

Even if you stayed ahead in this race for a while, and even if you didn't sink a lot of time into this, you'd definitely not come across as taking the high road in the public's eye. And a suffering reputation could cost you way more than a few copies you didn't sell because of piracy would--especially on the Mac software market, which has always been refreshingly sensitive with regard to moral issues.

 

[mlblacy]

or maybe...

Why don't you buy a copy and find out?

or maybe you could pirate a copy somewhere, lol.
Sorry... couldn't resist.

 

[Eraserhead]

To be perfectly honest people who can afford an iPhone (or an iPod touch) which cost at least several hundred dollars can clearly afford to pay $0.99 for apps for it.

Its not like these pirates are people who earn $100/month and have a $100 PC and can't realistically afford to pay $100 for Windows and $150 for Office.

And its also not as if you are ripping off a multi-billion dollar a quarter company like Microsoft like most of the pirates in the developing world are doing.

 

[mlblacy]

who owns your computer?

A good read...

http://lauren.vortex.com/archive/000681.html

I would wager it phones home a heck of a lot more than once every 90 days, lol...

Another good read here:
http://wilshipley.com/blog/2007/02/piracy-reduction-can-be-source-of.html

And lastly here, in which folks on the wrong side get a better deal to go legit:
http://www.labnol.org/software/tutorials/windows-xp-pirated-converted-to-genuine/1879/

---
Are you thinking you can do it better (better at being "evil"?) than Microsoft does? Or are you hoping to figure out something they are missing? Lots of luck with that...
michael

 

[blunderboy]

I think it's a perfectly awful idea. As others said, if you want to combat piracy, make a great product that people will want to buy. Companies that implement draconian DRM/activation schemes like Microsoft and Adobe end up making people angry, because they feel as though they're being treated like thieves. Instead of lowering prices or improving their products, they jack things up and add more DRM into the mix to deter pirates. Pirates are always a step ahead when it comes to overpriced applications, so my advice to you is to just keep working on your app and making sure that it's good quality and attractive to customers, and is reasonably priced.

 

[UTC2]

It looks like our impressions of Mr. Frank Puccino were indeed correct. He is not a legitimate business person but is in fact a thief that wishes to steal your info and use it for nefarious deeds. Which is exactly why Little Snitch was invented, to stop thieves like Mr. Puccino.

Here's the proof. These are excerpts taken from a discussion on how to steal user credentials by spoofing a legitimate website. And yes, there is only one person named Frank Puccino in the whole world:

Social Engineering Toolkit - Credential harvesting via https
I have SET up and running and functional for harvesting credentials for a cloned https site. However, the site is hosted in SET on standard http port 80. I am looking to be able to host the cloned site using https as it adds an additional layer of reality to the cloned site. I think that it is also prudent to encrypt this traffic since you are capturing users credentials. In the set_config file, you can change the web port and I am able to change it to port 443, however it still uses only standard http without encryption. Has anyone tried something like this?

Keep in mind that your modern web browser will start screaming at the user that he is trying to connect to a site with an unrecognized certificate ...

Agarax, it depends on whether SET does something like spoofing arp or if it rewrites an HTML landing page to strip out SSL like Moxie's sslstrip. The former will result in screaming and the latter requires the user to not notice the missing padlock.

Frank

So, our little buddy Frankie likes to steal user credentials and moves in the circles of people who do such things. That's why he wouldn't tell anyone who he works for. He works for himself writing malware that steals your credit card info and kills babies. He's probably a terrorist...

 

[amorya]

That's a great point that I always forget. I believe the rules are the same as music, up to 5 devices per account. This means a family of 4 will potentially only need to buy 1 copy to install on their iPhones and iTouches, assuming they share their iTunes account.

Actually it's unlimited devices. One purchase, install on as many as you want.

 

[iindigo]

If you want to know why piracy has exploded on the Mac platform, I'd say it's because at the same time (the past 5-7+ years) there has been an explosion of "shareware" apps that have little functionality but charge a full-scale price. I'm sorry, but most people are not going to want to pay $20 for a prefpane that does nothing but change the color of the Apple in the menubar or something else equally as frivolous. It's pretty similar to charging $20 for something that could be found at the local $1.00 store....

I'll mirror what has echoed in this thread once more: make software worth buying and people will buy it.

 

[xStep]

If you want to know why piracy has exploded on the Mac platform,...

What explosion?

 

[iindigo]

What explosion?

Well, ok, to be honest I don't know how much piracy is going on. I was responding to the developer claiming piracy was high. It was also logical to me that piracy would increase along with the number of overpriced, functionally limited applications.

 

[andreas32]

BTW, we won't be pissing off paying customers. After all, they only need
to enter a registration code like other software. We'll just check that they
don't use Little Snitch, etc. to block our application from phoning home and
use a stolen registration code.

I have Little Snitch and I use legitimate paid-for software. I still block my legitimate software from calling home. Frankly, I paid for the right to use the software and I don't think it's anyone's business, even the developer's, to know how often I use the software. There are too many developers programming backdoors to software for me to feel comfortable not taking some sort of security measures. That's also why I try to use as much opensource software as possible.

 

[pianojoe]

The EULA that deliberately allows you to disable security measures on my computer is illegal in my country, even if I should accept it. Thus, you're losing the fourth largest ecomony in the world.

Not a smart move.

 

[mrfoof82]

As an independent software developer (games)... You cannot prevent pirates from obtaining your software through unofficial channels. Period. People crack hardware and hardware protocols, for crying out loud... Most of these guys are smarter than you'll ever be. Rather than trying to outsmart them, and failing in ways that will piss off your legitimate customers, there's a much easier solution.

What you can do is create incentive to not pirate your product. For example, providing additional value for registered customers. Don't cripple the product. Design your product around providing extra value to legit customers.

A good example is Minecraft. Minecraft is written by a member of Sweden's Pirate Party. His solution? If you're not using a pirated version, you can (or will be able to) move your inventory easily from server to server, or from server to private local playground. Your skin and identity is managed on a central server.

If you pirate it? Well, you don't get that. And you can't play online. The offline client is still barrels of fun, but not being able to participate in multi-player is a huge incentive to give the guy 10 euros.

That's been my stance with iPhone games. If you pirate, well, there'll be no decent multi-player since it runs through Apple's Game Center. You can do single-player all you want, but you'll never be able to play with your friends except if you're in range of each other via Bluetooth. I'm aware the piracy rate of one of my games is 1 in 6 copies. Yes! One in six for a $2 game! Well, the Game Center version comes out in a few weeks for real online multi-player. Either they'll pay for the game, or they'll live without that functionality that all my patient customers will get for paying me in the first place.

 

[Cromulent]

The EULA that deliberately allows you to disable security measures on my computer is illegal in my country, even if I should accept it. Thus, you're losing the fourth largest ecomony in the world.

Not a smart move.

Most EULAs contain things which are illegal. That is why they all have a clause stating that if a part of the EULA is found to unenforceable in a court of law then it will not affect the other parts of the EULA and they will continue to apply.

 

[someguy]

You stand a bigger chance of really pissing off your paying customers by trying to get too cute with schemes like the one you propose.

<~snip~>

Spend that time improving your app and you'll probably see an increase in sales that significantly outweighs the bump you get by fighting pirates.

<~snip~>

Trying to convince dishonest people to pay for your product is an inefficient use of your limited time/resources./QUOTE]
This.

There is little you can do to stop piracy. Just do the best you can at making a stellar product and those that pay for software will gladly pay for yours.

 

[filfortugno]

you'll lose buyers

i guarantee that if you implement such things not only will you decrease pirating, but you'll dramatically decrease paying customers.

 

[Cromulent]

i guarantee that if you implement such things not only will you decrease pirating, but you'll dramatically decrease paying customers.

That is correct except for the decreasing piracy part.