Software Registration Keys

December 17, 2007

Software is digital through and through, and yet there's one unavoidable aspect of software installation that remains thoroughly analog: entering the registration key.

[Images: four software registration key examples, #1 through #4]

The aggravation is intentional. Unique registration keys exist only to prevent piracy. Like all piracy solutions-- short of completely server hosted applications and games, where piracy means you'd have to host your own rogue server-- it's an incomplete client-side solution. How effective is it? One vendor implemented code to detect false registration keys and phone home with some basic information such as the IP address when these false keys are entered. Here's what they found:

Software connectivity                       Ratio of pirated to legitimate keys
------------------------------------------  -----------------------------------
no internet connection required             45 : 1
occasional internet connection necessary    60 : 1
internet must be "always on"                110 : 1

I have no idea how reliable this data is. The vendor is never named, and given that the title of the URL is sharewarejustice.com/software-piracy.htm, I'd expect it to be biased. But it is data, and without the registration key concept (and pervasive internet connectivity), we'd have no data whatsoever to quantify how much piracy actually exists. The BSA estimated 35% of all software was pirated in 2006, but it is just that-- an estimate. I'll choose biased data over no data whatsoever, every time.

I don't have a problem with registration keys. You could, in fact, argue that registration key validation actually works. Microsoft recently stated that the piracy rate of Vista is half that of XP, largely due to improvements in their Windows Genuine Advantage program-- Microsoft's global registration key validation service.

As a software developer, I can empathize with Microsoft to a degree. Unless you oppose the very concept of commercial software, there has to be some kind of enforcement in place. The digital nature of software makes it both easy and impersonal for people to avoid paying (note that I did not say "steal"), which is an irresistible combination for many. Unless you provide some disincentives, that's exactly what people will do-- they'll pay nothing for your software.

Microsoft's history with piracy goes way, way back-- all the way back to the original microcomputers. Witness Bill Gates' Open Letter To Hobbyists, written in 1976.

Almost a year ago, Paul Allen and myself, expecting the hobby market to expand, hired Monte Davidoff and developed Altair BASIC. Though the initial work took only two months, the three of us have spent most of the last year documenting, improving and adding features to BASIC. Now we have 4K, 8K, EXTENDED, ROM and DISK BASIC. The value of the computer time we have used exceeds $40,000.

The feedback we have gotten from the hundreds of people who say they are using BASIC has all been positive. Two surprising things are apparent, however, 1) Most of these "users" never bought BASIC (less than 10% of all Altair owners have bought BASIC), and 2) The amount of royalties we have received from sales to hobbyists makes the time spent on Altair BASIC worth less than $2 an hour.

Why is this? As the majority of hobbyists must be aware, most of you steal your software. Hardware must be paid for, but software is something to share. Who cares if the people who worked on it get paid?

Is this fair? One thing you don't do by stealing software is get back at MITS for some problem you may have had. MITS doesn't make money selling software. The royalty paid to us, the manual, the tape and the overhead make it a break-even operation. One thing you do do is prevent good software from being written. Who can afford to do professional work for nothing? What hobbyist can put 3-man years into programming, finding all bugs, documenting his product and distribute for free? The fact is, no one besides us has invested a lot of money in hobby software. We have written 6800 BASIC, and are writing 8080 APL and 6800 APL, but there is very little incentive to make this software available to hobbyists. Most directly, the thing you do is theft.

Although computers have changed radically in the last thirty years, human behavior hasn't. (Alternately, you could argue that the economics of computing and the emergence of an ad-supported software ecosystem have fundamentally changed the rules of the game since 1976. But that's a topic for another blog post.)

I accept that software registration keys are a necessary evil for commercial software, and I resign myself to manually keeping track of them, and keying them in. But why do they have to be so painful? You do realize a human being has to type this stuff in, right? Here are some things that I've seen vendors get wrong with their registration key process:

  1. Using commonly mistaken characters in the key

    Quick! Is that an 'O' or an '0'? A '6' or a 'G'? An 'I' or an 'l'? A 'B' or an '8'? At least have the courtesy to scour your registration key character set of those characters that are commonly mistaken for other characters. And please print the key in a font that minimizes the chances of confusion.

  2. Excessively long keys

    The most rudimentary grasp of mathematics tells us that a conservative 10 character alphanumeric registration key is good for 197 trillion unique users. Even factoring in the pigeonhole principle, we can estimate about 14 million random registration key combinations before we have a 50 percent risk of a collision. So why, then, do software developers insist on 20+ character registration keys? It's ridiculous. Are they planning to sell licenses to every grain of sand on every beach?

  3. Not separating the key into blocks

    Rather than smashing your key into one long string, make it a group of small 4 to 5 characters, separated by a delimiter. It's the same reason phone numbers are listed as 404-555-1212 and not 4045551212: People have an easier time handling and remembering small chunks of information.

  4. Making it difficult to enter the key

    Short of providing every customer a handy USB barcode scanner, at least make the registration key entry form as user friendly as possible:

    • Let the user enter the key in any format. With dashes, without dashes, using spaces, whatever. Be flexible. Accept a variety of formats.
    • Do not provide five input boxes that require us to tab through each one to enter the key. It's death by a thousand tiny textboxes.
    • Tell me as soon as I've entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I've screwed up? You're the computer, remember? This is what you're good at.
    • Accept pasting from the clipboard. Once we've installed the software, we'll probably install it again, and nobody likes keying these annoying registration keys in more than once. I've seen some clever software that proactively checks the clipboard and enters the key automatically if it finds it there. (Kudos to you, Beyond Compare.)
    • Don't passively-aggressively inform me that "the key you entered appears to be valid." Is it? Or isn't it? What's the point of unique registration keys if you can't be sure? I guess paying customers can't be trusted.

  5. Where's the %*@# key?

    The key is important. Without it we can't install or use the software. So why is it buried in the back of the manual, or on an easy-to-overlook interior edge of the package? Make it easy to find-- and difficult to lose. Provide multiple copies of the key in different locations, maybe even as a peelable sticker we can place somewhere useful. And if the software was delivered digitally, please keep track of our key for us. We're forgetful.
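As an added illustration (not code from the post or from any vendor it mentions), here is a Python sketch of the entry path the five items above describe: a reduced alphabet with the confusable characters gone, any-format input with separators stripped, dash-separated blocks, and immediate feedback that only reports a character outside the allowed set, since, as several commenters point out below, telling the user whether a partial key is valid turns the key into a one-character-at-a-time guessing game. The alphabet, key layout, HMAC tag and vendor secret are assumptions for the example.

```python
import hmac
import hashlib
import secrets

# Assumed key alphabet with the commonly confused characters dropped:
# no 0/O, 1/I/L, 6/G or 8/B, and upper case only (the normalizer upcases input).
ALPHABET = "ACDEFHJKMNPQRSTUVWXYZ234579"
PAYLOAD_LEN = 10     # random part of the key
TAG_LEN = 5          # truncated HMAC tag appended to the payload
BLOCK = 5            # characters per dash-separated block when the key is shown
SEPARATORS = " -._"  # anything the user might type or paste between blocks


def normalize(raw: str) -> str:
    """Accept the key in any format: upper-case it and drop separators."""
    return "".join(ch for ch in raw.upper() if ch not in SEPARATORS)


def first_bad_char(raw: str):
    """Per-keystroke feedback that leaks nothing about validity: report the
    first character (position in the normalized key, and the character) that
    is outside ALPHABET, e.g. an 'O' typed for a '0'. Returns None while every
    character entered so far is allowed."""
    for pos, ch in enumerate(normalize(raw)):
        if ch not in ALPHABET:
            return pos, ch
    return None


def format_blocks(key: str) -> str:
    """Show a normalized key as dash-separated blocks of BLOCK characters."""
    return "-".join(key[i:i + BLOCK] for i in range(0, len(key), BLOCK))


def _tag(secret: bytes, payload: str) -> str:
    """Map the first TAG_LEN bytes of HMAC-SHA256(secret, payload) into ALPHABET.
    The byte-to-character mapping is slightly non-uniform, which is harmless
    for a check value: without the vendor secret nobody can compute it, and
    the check only resists guessing while that secret stays with the vendor."""
    digest = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:TAG_LEN])


def issue_key(secret: bytes) -> str:
    """Vendor side (assumed scheme): random payload plus tag, formatted for print."""
    payload = "".join(secrets.choice(ALPHABET) for _ in range(PAYLOAD_LEN))
    return format_blocks(payload + _tag(secret, payload))


def validate(secret: bytes, raw: str) -> bool:
    """Judge only the whole key, never a prefix, and compare in constant time."""
    key = normalize(raw)
    if len(key) != PAYLOAD_LEN + TAG_LEN or any(ch not in ALPHABET for ch in key):
        return False
    payload, tag = key[:PAYLOAD_LEN], key[PAYLOAD_LEN:]
    return hmac.compare_digest(tag, _tag(secret, payload))


if __name__ == "__main__":
    vendor_secret = b"constructed-example-secret"  # placeholder, not a real secret
    printed = issue_key(vendor_secret)
    print("issued:", printed)
    print("typed with spaces, lower case:", validate(vendor_secret, printed.lower().replace("-", " ")))
    print("first bad char in 'ACD0E':", first_bad_char("ACD0E"))
```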

Software registration keys are a disconcerting analog hoop we force users to jump through when using commercial software. Furthermore, registration keys are often the user's first experience with our software-- and first impressions matter. If you're delivering software that relies on registration keys, give that part of the experience some consideration. Any negative feelings generated by an unnecessarily onerous registration key entry process will tend to color users' perception of your software.

Posted by Jeff Atwood
180 Comments

Also, make it easy for us to move it to a different computer. Please. I'm going to get a new computer, if I have to re-buy your software, I'm going to go looking for something else.

Alex on December 17, 2007 4:25 AM

If you do 5 textboxes, then make the focus automatically switch to the next box once the box is full.

Also, is that Vista Key real? :P

gregory on December 17, 2007 4:26 AM

Quick! Is that an 'O' or an '0'? A '6' or a 'G'? An 'I' or an 'l'? A
'B' or an '8'? At least have the courtesy to scour your registration
key character set of those characters that are commonly mistaken for
other characters.

Slow down! What's the rush? You paid hundreds of pounds for that software, and you only have to enter it once.

Keys are long so the ratio of correct to invalid keys is high, so you can't just guess valid ones. That also explains "Tell me as soon as I've entered a bad value in the key". That's the last thing you want to do. Remember, the user is entering it once only. Entering 20 characters is no more taxing than entering 2 or 3 passwords.

Dave on December 17, 2007 4:28 AM

We struggled for a long time with this when deciding how to license blendables. We ultimately went with a product key and activation model. While many people don't like this idea of "activating" we knew that the ease of "sharing" would ultimately lead to abuse. We're a new player in the space and we're always looking to adjust the model but I do feel without ANY type of enforcement people would just "share" across an org.

Kurt

Kurt Brockett on December 17, 2007 4:37 AM

"Tell me as soon as I've entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I've screwed up? You're the computer, remember? This is what you're good at."

Doesn't that make it easy to "guess" or figure out a key by trial and error? All you'd have to do is start with a character then keep typing characters until it says you messed up. Go back and change the last character until you get it right and then continue.

Tom Tutko on December 17, 2007 4:52 AM

Hi, can I ask for clarification of your statement:

"I'll choose biased data over no data whatsoever, every time."

At first glance, that seems to me like a bad idea - at least with no data, you KNOW you don't know anything, whilst with biased data, you can very possibly draw some very bad conclusions?

Other than that, I agree with your article (well, except for what Dave pointed out :-D).

Phillip on December 17, 2007 4:55 AM

Not only must the font be readable, it's got to be BIG ENOUGH to read. I've had keys that I literally could not read without a magnifying glass.

David A. Lessnau on December 17, 2007 4:57 AM

"Tell me as soon as I've entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I've screwed up? You're the computer, remember? This is what you're good at."

Let's do the same with passwords! It'll make it much less annoying.

Wait, I feel like there might be a problem with changing the difficulty of guessing from "Guess the whole key" to "Guess the next digit".

Mr Brain not on yet today?

Stephen on December 17, 2007 5:04 AM

"Tell me as soon as I've entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I've screwed up? You're the computer, remember? This is what you're good at."

This confuses me. Wouldn't it be trivial for a human (even me) to continue to type in digits and/or letters until receiving an "All Clear"? Tedious, sure, but how long would it take you to make enough money to pay for 3ds max (which actually is a terrible example because it makes use of Autodesk's ridiculously bad activation system AND a code, which can be any 10-digit number)

Also, how many of the 14 million possible representations of the 10-digit key are supposed to be valid? I'm sure it's not just a big ol' table of good ones that the installer is checking against, and rather is an algorithm of some kind, so even if the company sold, say, MinerVGA, the algorithm might accept 10 million or more.

Also also, I love the idea that on the older microsoft one, they have a barcode, presumably to ease entering the code, but the barcodes on the newer sticker are not relevant, and are just IDs. Points for not even bothering to obscure those. I think the Yellow MS one is probably Microsoft Bob and therefore no good to anyone anyway, am I right?

Adam on December 17, 2007 5:04 AM

Er, obvious duplication while I penned my post, and also need to correct where it says "sold, say, 5 million copies of MinerVGA"

Adam on December 17, 2007 5:06 AM

Ok, I think that's the 'don't tell users when they enter a bad character' angle covered now guys!

Kohl on December 17, 2007 5:11 AM

You seriously want it to tell you when you've messed up as soon as you hit a wrong key? Uhh yeah, that'll make it hard to figure out a valid key. :) Second of all, valid keys are based on THE WHOLE KEY (if the system is any good). You can't tell if a key is valid until the whole thing is entered. So I assume anyway. I haven't implemented such a system before.

Tim on December 17, 2007 5:16 AM

Ditto what Tutko said. Telling you as soon as you've entered an invalid string makes it possible to heuristically figure out a key. Actually, it can get even worse- Write a program to enter the key into the textbox, detect dialog boxes indicating your invalid key, and use those to go back and try again. Then you can write a keygen without even understanding the algorithm that generates a correct key.
It also lets you cut down the keyspace exponentially- For example, alpha-numeric keys, which have 62 possible characters (26 + 26 + 10), with a key of length 10, go from 62 ^ 10 to 62*10, since you only have to go through each character in each position in the sequence once.

I wish I could remember the name of the computer, but a few years ago in an OS class, our professor was discussing the fine art of Paging virtual memory, and told us about a bug on an old computer that would use Paging exceptions to guess the password- Basically it entered the password one character from the end of a "page"- If the password didn't start with that character you got an "invalid password" message- if it did, you got a "Paging Exception" first. Move the password 1 byte back in memory, and try again... and BAM- Password.

As far as "This key appears to be valid"- This happens a lot with shareware- They use a complicated algorithm to generate valid keys, put a giant number of generated keys in an online database, and then puts the algorithm IN THE SOFTWARE to check for those keys. "This Key appears to be valid" really means "This key meets the algorithm, but we might not have issued it to you." It's a second level of protection against keygens. I feel like this is valid, it falls under the same "necessary evil" clause that validation keys themselves do.

On the other hand, there's such a thing as going too far. I read once about a disk scrubber that securely deleted files, but if you entered a key that 'met the algorithm' but didn't match a key in the database, would only PRETEND to work. Another case was a popular CD burning program that would do the same thing, but churn out coaster after coaster and pretend the burn was successful. I don't really approve of these tactics- A software developer that likes to play headgames with their customers is either too self-righteous or morally flexible for me to be comfortable running their code on my box.

"Where's the #$%ing key?" - That's the one that really resonated with me. I wish they'd put a second copy of the serial ON the disc- That way as long as we had the disc we could have a copy of the serial (for writing down elsewhere later on, obviously)- it doesn't seem like there's any way pirates could take advantage of this, nor could it make it more convenient for anyone to pirate- the backup serial solution is still completely analog.

Alex on December 17, 2007 5:17 AM

Perhaps the best serial key I am yet to see was a really long one (512 characters). But instead of having to type it in, you simply double-clicked the key file and it worked. No chance of a typo.

Jivlain on December 17, 2007 5:17 AM

Everyone knows the real reason Vista is pirated less is because people want it less. Duh.

Ian Sinke on December 17, 2007 5:26 AM

"Unless you oppose the very concept of commercial software, there has to be some kind of enforcement in place."

I'd be inclined to disagree, and willing to bet that just about everyone who'd be willing to pirate something in the first place isn't going to be stopped by simple serial number validation, the only viable alternatives to which are ridiculously flawed/intrusive/whatever schemes like WGA that inconvenience everyone and drive the price of software even higher. The customer isn't the enemy.

I wish more companies would take Apple's stance -- not only has the OS never required a serial, but the few apps of theirs that ever have are slowly but surely having the requirement removed (the latest version of Logic being the latest to come to mind). And it's not because they're a "hardware company."

Eric on December 17, 2007 5:29 AM

For BitBacker (www.bitbacker.com - my startup company, which is building super secure, Mac-only backup software), we were faced with a similar problem. We use 128-bit AES encryption, which means our keys are really long and annoying - 32 characters long when printed in hex. And not only do the users sometimes have to type them in, but they have to write them down on paper. (We can't store the key on our servers because then we'd be able to read the user's files; and we obviously can't trust it to their hard drive because that's what we're backing up.)

So we generate these random 128-bit keys, but I found a pretty good way to present them to the user. We use RFC 1751, which defines a "Convention for Human-Readable 128-bit Keys" - basically just a mapping of bit blocks to strings of words. Here's an example in Python (apologies if this gets mangled by Jeff's blog software):

import os
from Crypto.Util import RFC1751  # shipped with pycrypto (and today's pycryptodome)

key = os.urandom(16)  # Generate 16 random bytes (128 bits)
# e.g. b'a\xaa`\xe4:^\x7f\xdbK\x86\xa4\x89{R\xa0\xdc'
print(key.hex())  # Print the key in hex (32 characters)
# 61aa60e43a5e7fdb4b86a4897b52a0dc
y = RFC1751.key_to_english(key)
print(y)  # The key in words - it's longer than the hex, but easier to read and write
# 'BUSY BARN RUB DOLE TAUT TOOK ALTO PRY KIT WALL MUG CURT'
assert RFC1751.english_to_key(y) == key  # The transformation is always reversible

The keys are still *very* long, of course, and this is unavoidable for our application. But when translated to words, it's easier to write them down or type them in without making a mistake. In BitBacker's case, we actually make the user re-enter the generated pass phrase he wrote down, and pasting is disabled for that text box. This is quite annoying, but it's a heck of a lot better than losing your pass phrase, which would make your backups inaccessible!

Despite its "128-bit" title, RFC 1751 works on arbitrary string lengths. Or at least, the implementation in the "pycrypto" library does.

Gary Bernhardt on December 17, 2007 5:32 AM

The least annoying key I have seen so far looks like a block of ASCII-armored text, almost as if it were a security certificate. The key holds the name of the owner, the type of license and how many concurrent copies can run in the local subnet. To enter the license you simply copy the encrypted block of text and paste it into a box in the "about" menu.

Pedro Vera on December 17, 2007 5:34 AM

I'm not going to comment on the obvious brain fart you had with that "tell me as soon as I make a mistake", I'm sure with all the other comments you can figure out the difference between 3,656,158,440,062,976 different possibilities and 360 different possibilities.

What I do however not get is how you could put that Microsoft quote about stealing software there without at least a mention of the fact that the vast majority of the early Microsoft business has been due to stolen code, stolen features and stolen interfaces. DOS and Unix, anyone ?

J. Stoever on December 17, 2007 5:35 AM

"Tell me as soon as I've entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I've screwed up? You're the computer, remember? This is what you're good at."

Err... if you did that then people would be able to guess the key using trial and error one character at a time.

Stewart on December 17, 2007 5:42 AM

Dare I ask if you modified the serials you provided at the top of the post? I mean, not to imply that such a thing would be, basically, distributing serials, but... uh...

Shmork on December 17, 2007 5:54 AM

If you're going to implement multiple text entry boxes that automatically focus on the next field when the current field is filled, don't make it insanely stupid to go back and EDIT a previous field. I've had to enter registration keys that automatically moved focus to the next field when then current field had 5 characters in it. A mistyped 5th character means you can NEVER go back and edit that field (not without some fancy, stupid fast keyboard tricks to hit delete or something before the focus changes).

My favorite is shift-tab to back up to the last field, and it moves back to the current field because the last field is full. Who tested this crap?

Axel on December 17, 2007 6:09 AM

Did you just give us a bunch of valid install keys? ;)

Kzinti on December 17, 2007 6:09 AM

When serious organizations lock down software, they do it with hardware. In the old days it was a parallel port extender filled with epoxy, and today it's USB keys. No CD key code to hassle with, and it can't be posted to a forum and shared.

If you want to force the digital world into an 18th century view of property law (you know, can't be copied and shared, it's "property" that is nonetheless licensed, etc...) just make a physical key.

Or you could get Linux, and get on with life.

Jim on December 17, 2007 6:14 AM

@J. Stoever-

"DOS and Unix, anyone?"

Microsoft actually purchased exclusive rights to 86-DOS in 1981.

As far as stealing from UNIX- After reading Jeff's posts on virus protection being pretty much unnecessary if we'd all stop running as Admin... I can't help but feel that Windows would be much better if they HAD. :D

Alex on December 17, 2007 6:14 AM

I like to keep my possessions to a minimum and so dispose of packaging and put CDs and DVDs into a carry case.

You can imagine my annoyance when my Vista and Office 2007 retail boxes wouldn't let me peel off the serial number to stick into my carry case. It's like a piece of plastic with a sticker on it is somehow my proof of purchase...

Don't get me started on how Vista wants to reactivate every time I boot it natively on my Mac as opposed to being virtualed... (each switch effectively deactivates it and makes Microsoft think it's been pirated onto yet another machine)

[)amien

Damien Guard on December 17, 2007 6:22 AM

The first thing I do is take a sharpie and write the key onto the cd.

For shareware my preferred key is the giant block of text that gets pasted in. And let the username and key be in the same block. After all, I am just going to paste it in from a registration email, and don't really want to spend time filling in multiple textboxes.

Steve on December 17, 2007 6:31 AM

"Tell me as soon as I've entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I've screwed up? You're the computer, remember? This is what you're good at."

I remember the good old days where the reg key was just a checksum digit so you could type in N-1 numbers and then just change the final digit from 0-9 until it 'passed'

Zman on December 17, 2007 6:38 AM

I regularly spend time at work maintaining the license file + dongle-protection scheme for our commercial software, and giving support when problems arise. I also know that our protection scheme can be trivially broken with a good debugger. From this experience I feel that copy-protection is a colossal waste of effort. Not that I have any say in it.

Wouldn't it make more sense to pay for the development of software instead of for the copied bits, and not restrict copying? But it turns out that's not what happens. Apparently it is even an accepted business practice not to get the source code (except in escrow) when you let contractors develop custom software for internal use! Boggles my mind.

wcoenen on December 17, 2007 6:50 AM

I'm pretty sure every commenter here has missed the point.

"Tell me as soon as I've entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I've screwed up? You're the computer, remember? This is what you're good at."

Note the phrase "bad value". I doubt Jeff is advocating validating one character at a time...I can't imagine he would make that elementary of a mistake (apologies if you did :P). I would tend to assume that he instead means alert the user if a character outside the set of valid characters is entered. So if it accepts all alphanumeric characters except 1, l, 8, and B, throw up a warning as soon as a user enters one of those.

Eric Burnett on December 17, 2007 7:17 AM

2wcoenen

"Wouldn't it make more sense to pay for the development of software instead of for the copied bits, and not restrict copying?"

Actually 75% of software industry works just that way. Customer pays for development of software, not for license.

Konstantin on December 17, 2007 7:20 AM

Personally, I think that if anything dooms commercial software, it's the attitude that it is ok to make it harder for honest users to use your product than free, open-source alternatives.

Forcing people to manually enter registration keys is barbaric. Plenty of commercial applications do just fine with server based systems where you are emailed the key. Hell, some commercial applications do just fine without any copy protection at all.

One of the reasons I bought a console and no longer game on the PC is that I can no longer play some of the games I purchased because I lost the key. No. Wait. That isn't true. I could play any one of them merely by going and downloading one of the cracked copies. If it is true that people will pay nothing for software if they can get away with it, then commercial software is doomed, because anyone with a web browser and google can get cracked versions of any popular commercial software application.

Copy protection, especially intrusive protection like manually entered keys, stops no pirates, is a waste of coding resources and drives your customers into open-source alternatives. If you do it, prepare not to sell any copies to people like me, who are sick and tired of being treated like criminals. We'll be happy to go spend our money at vendors who actually trust their customers.

sburnap on December 17, 2007 7:25 AM

I've never paid for PC software (except pre-installed Windows). I actually tried to pay for software a few times, but it was always too difficult. Piracy was just easier. (Since moving to Linux, I don't even pirate anymore. FOSS gives me everything I need.)

To actually have any effect on piracy (among individuals), you're going to have to make buying and registering your software easier than pirating it. If pirating your software is extremely easy, you're really going to have your work cut out for you.

I don't understand why I can't just go to a website, enter in my credit card information, and download an installer that knows the registration key and can activate through the web on its own. Why does the registration key have to come separate from the installer? Why do I have to manually combine them? I see no reason for having them separate.

If you don't do this for your users, they're just going to end up pirating your software.

James Justin Harrell on December 17, 2007 7:36 AM

I think I'd complain more about having to re-install software for most upgrades of Windows OSes.

Steve on December 17, 2007 7:54 AM

Any chance that Vista CD Key has a few activations left on it? :)

nat1192 on December 17, 2007 7:55 AM

there has to be some kind of enforcement in place.

Really? You assert no users would buy the software, but in the cited 110:1 example, less than 1% bought it, even when there was a serial number scheme in place. It seems pretty darn pointless. Dongles are just annoyances to those few users who don't get a cracked copy instead. In fact I've seen users who used a cracked version even though they had a legit copy, because the dongle caused problems that the cracked version did not.

Microsoft is in the very unusual position of having its product almost always be preinstalled by a third party for the user, who is not in a position to know or care whether that third party actually paid Microsoft for a license. For the average app developer, you're dealing directly with your customer, who has to deliberately pay you, or to seek alternatives such as piracy. Also, Microsoft's Genuine Advantage is expensive (call centers required to sort out false negatives, etc.) and widely hated, but people put up with it because they have little choice. For an ordinary developer, running a support call center would be costly and the customer irritation of a draconian registration/activation scheme would be hard to justify. As a result it's probably not useful to most developers to look at how Microsoft handles piracy for guidance.

I'd be interested to see any hard data that anyone knows about that compares unprotected commercial apps vs. "nagware" shareware vs. serial number protected software vs. dongle software.

I did find a comparison of "honor system" shareware vs. "nagware" shareware which was interesting. Summary: nagging works.
http://hackvan.com/pub/stig/articles/why-do-people-register-shareware.html

My suspicion is that due to digital distribution of cracked software, copy prevention schemes are a complete waste of money, except in odd cases like Windows, and developers should instead rely on nagware that trusts the user when the user claims to have paid (instead of requiring a registration code). But I have no data to back up this hunch.

Jamie Flournoy on December 17, 2007 8:37 AM

I will admit I've pirated software. However, I agree with using activation keys, and all software I use on a daily basis has been acquired legally. The way I see it, if you go into a store, say Futureshop, and want to purchase some Memory, you have to get the person to open the showcase for you. You can't grab it yourself and head off to the cash register. Why? Because they don't want you to steal the damn thing. So what if I have to spend 30 seconds typing in a key that lets me use the software.

I agree its a good idea to make inputting the code easy, like using legible fonts, and sizes.

I have to disagree with some of the comments here: "Copy protection, especially intrusive protection like manually entered keys, stops no pirates, is a waste of coding resources and drives your customers into open-source alternatives." Absolutely, it doesn't stop pirating, no doubt there, but to go back to my Memory analogy, the waste of coding resources is like building the showcase. I *could* smash the case, and then book it out of the store. But to most customers, would you rather smash the thing and run, or tell the employee you're going to buy something? If a customer saw some guy on a street corner selling memory, would you buy it/take it, or would you rather trust the memory in the store, in the shiny showcase, that you know hasn't been messed with?

That point hits on multiple levels. Is pirated code safe? It could be, but there is no absolute answer. Would you rather use code that was built specifically as a job task - i.e. the coder was paid to do it, or would you rather use the code that was built on the off hours of the coder who was being paid to build another application? Some open source projects are actually built quite well - ok a lot are. I'll even say linux is built fairly well. But, I don't think I could trust code that was built as a hobby.

Enough of that rant, the original purpose was simply to agree that better key management is definitely a UX bonus. :)

Steve Syfuhs on December 17, 2007 8:41 AM

Why not suggest that the registration key is entered on some normalized document - for instance a credit-card like piece of plastic, or a business card.

This way, you can store all your registration keys inside a dedicated wallet, making registration key management a lot easier.

Bart on December 17, 2007 9:02 AM

I recently implemented a registration key scheme for a tiny digital image management utility I developed, called CardSharkV. Entering the key is done by dragging and dropping a keyfile onto a field in the application. You can drag the file either from Windows Explorer or an email client (the key is delivered via email). I thought this was a good way of avoiding most of the problems Jeff mentions in this article.

I'm actually looking for some feedback both on the utility itself and on the usability of the registration key mechanism. If anyone is interested in taking a look, please check out my blog.

GeekTieGuy on December 17, 2007 9:15 AM

I find it somewhat humorous how few of Bill's statements in that letter hold true today ...

More on topic: why oh why do so many companies insist on disabling copy/paste into the serial number/key text box? I mean, you're not stopping a single pirate except perhaps someone brute-forcing the registration process (but if you're after that type of attack, timeouts and lockouts after, say, 100 incorrect guesses would be much more effective ... a true hacker would just write their own keyboard driver to emulate keys being pressed at the HID layer).

I'm with one of the previous posters: at the very least, for digital downloads offer a license file which I can double-click (or select in an Open File dialog) instead of entering text. And, yes, if you're selling boxed software, provide a way for me to photograph or scan the number on the box and a widget to OCR that into your license key. Hell, every Mac sold today includes a camera; if you make Mac software allowing a bar-code scan a la Delicious Library is a no-brainer!

Yes, reg keys are a "one time" annoyance. But, they're a "one time" annoyance every time I move computers, which is once every couple of years, for every single application.

I have many applications which I've paid for once and since abandoned (which means, not paid for any upgrades) because it was too much trouble to re-enter the serial number in my next computer. You are losing sales from this!

Tom Dibble on December 17, 2007 9:28 AM

I agree with all your points except these two:

2. Excessively long keys:

Maybe I am wrong, but the long key may be necessary, because not every possible combination of characters can be a valid key; there would be a lot more space for invalid keys, making it more difficult for key generators to find legit keys.

Tell me as soon as I've entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I've screwed up? You're the computer, remember? This is what you're good at.

Wouldn't it defeat the security purpose of the key, as it would make it easier to just brute force the keys? It would depend on implementation though; maybe, if you entered only one or two characters wrong AFTER typing the full key, then there would be an indicator for the wrong character; any more than that and it would display nothing helpful at all.

There might be another issue with this though: what if the software has no access to the cleartext registration key in memory? For example, if they simply hash the user's input key and compare the hashed value to that of a legit key, like they do with password validation?

Hua on December 17, 2007 9:30 AM

I think the statement of wouldn't you enter the key character by character waiting to see if it's wrong is completely incorrect. How the hell would the product even know that, since as I understand it, there is an algorithm in place to create an incredibly small number of keys that work. It's not like you're going to enter 3 characters, and the algorithm knows that these same 3 characters also happen to match a key that's in place.

However, if you type in the entire key, then it does its validity check and is wrong, it would be very easy to go to each character, try each alphanumeric combination, and see if any of those generate a valid key. If they do, just accept the key and move on (no need to even ask for it to be reentered). Worried about a collision? Add 1 extra character to the key for this convenience.

The incredible part about this is that as soon as you start getting more than 2 or 3 characters wrong, the computation power required to do this check would begin to take exponentially more CPU power, so it would be impractical if more than 2 or 3 characters were screwed up, so the software wouldn't even try.

This would be nice if you're going to use a key anyway; however, key protection is ultimately useless if you're just asking to enter a key. Anyone who's bought the product once can give you a valid key, so all you've done is spent extra development time ensuring that at least 1 copy of your software is purchased. Wouldn't it make more sense to take the time to, you know, develop a product that customers want to buy? And yeah, there will be pirates, but let your marketing department incur the expense to their budget, for all of the people promoting your software through its usage.

Of course if you're really nasty, the number 1 way to protect your software would be to run the expensive system, where you have to log on to a key server on the internet every time you use the product. This key server would then provide the code decryption keys required to even run the software. And even that has to be transport / memory protected. But to me, unless you really really know what you're doing, the imposed risks of running this system would tend to stop all your product users from using your software if it doesn't work exactly as expected.

Kevin Nisbet on December 17, 2007 9:42 AM

@ "...there has to be some kind of enforcement in place."

It may be strange for a guy who earns a living making software to disagree, but consider: For most of Microsoft's history, it sold software that was in the main entirely free of any meaningful copy protection, and it did it in the 1980s and 1990s, an environment of even more rampant piracy than we see today. And yet it managed to become one of the most profitable organizations on Earth. Without enforcement.

Hey, it may be biased data, but it is data.

Also, consider this spectrum of possible relationships that a person/company/government might have with (say) Microsoft software:

1 - Purchases, uses MS software
2 - Pirates, uses MS software
3 - Uses competing software
4 - Doesn't own a computer, doesn't use any software

Wouldn't this be the order of desirability, from Microsoft's point of view? Piracy cements and reinforces a successful product's market share.

Western Infidels on December 17, 2007 10:10 AM

Some Mac OS X apps have found a nifty solution to this.

For example, I recently purchased Voodoo Pad (http://flyingmeat.com/voodoopad/). The last step of the purchase process was a confirmation web page containing the following link:

x-voodoopad-registration:regname=Your+Name&regkey=crazylonghexstring

Clicking that link opens the VoodooPad app (the trial version was unlockable, natch) and auto-registers it with the registration key. No typing, not even cut/paste.

(This trick works because of a little Mac OS magic: the app bundle contains a plist file that registers that URL scheme with the app.)

Michael B on December 17, 2007 10:47 AM

Dave

Actually, mistaken characters in key is a big problem.
I was almost unable to install my NWN game.
The font chosen to print the key was the worst possible, they've even put up a FAQ issue on it.
See here: http://nwn.bioware.com/support/known.html#42

eNTy on December 17, 2007 11:15 AM

Microsoft recently stated that the piracy rate of Vista is half that of XP, largely due to improvements in their Windows Genuine Advantage program

I would say it's largely due to the fact that it's Vista. Who would want to pirate that?

Dave on December 17, 2007 11:31 AM

Serial numbers (or keys) are the least intrusive for the honest user, while internet activation and dongles are more intrusive. Which is why I generally don't mind serial numbers.

However, none of these schemes work very well.

Copy protection doesn't prevent piracy. As everyone who bothers to look knows, any software protected by a serial key or activation is widely available as a cracked version or with a key generator program. This is true even for quite intrusive protection schemes such as CD copy protection.

On the other hand, copy protection schemes DO scare away honest users. Personally, I am really tired of games that nag me to find the CD, windows that nags me to install WGA or to activate, and software that nags me to find the license key. Had I been using pirated software, all I had to do is install, copy crack, done.

Microsoft may consider WGA a success from their point of view, but I think it's (a) short sighted, and (b) a failure from a customer's (me) point of view.

I am sure many of us had the experience of having to reactivate Windows after installing a sound card, a new DVD drive, or whatever.
WGA has been known to report valid installations as pirates (i.e false detection). Also a while ago Microsoft had trouble with the WGA servers, causing trouble for the many users who suddenly had their installation detected as invalid.
Updated WGA cracks come out about two days after every update to WGA. I doubt this inconveniences an honest pirate. I am sure it inconveniences an honest user.
So basically all WGA does is to scare away honest users.

As for Microsoft's "hard data" (assuming you take it at face value, which you shouldn't), I don't agree with their interpretation. Pirated versions of Vista ARE easily obtainable. Probably easier than actually going to the store and buying one. If indeed the "piracy rate" for Vista (whatever that means) is half of XP, it may be because many people aren't bothering to switch to Vista anyway. Or perhaps pirates got better at hiding, due to the aggressiveness of Vista's WGA.

M on December 17, 2007 11:44 AM

What a coincidence! Just yesterday I was skimming through all my old mails, and read a forward about Bill Gates' hobbyist mail.
Today I open my Reader, to find your post having the exact same content!

S. Neemb on December 18, 2007 1:02 AM

If you have a 16-character code arranged in four blocks of four characters, add a fifth character to each block as a checksum so that you can easily highlight typos without indicating whether or not the key is actually valid. You can publish your checksum algorithm and still not give away the actual key generation algorithm.

Bob on December 18, 2007 1:06 AM

In addition to checking that the characters typed by the user are in the valid set of characters, the key could contain a checksum that's checked right away once the full length has been typed, for immediate feedback before a more involved check.

Personally I think that registration keys are used a bit too much. If I buy software on a CD/DVD, why can't a unique key be printed on the CD/DVD? Why do I have to manually type it? Surely there has to be a way of printing a short unique code on each CD/DVD, readable by the disc drive (maybe by burning/punching holes in the surface, damaging a pattern of sectors), without prohibitive costs. With online purchases there isn't even that excuse.

Also, I cannot understand the point of registration keys, unless they are checked online against a list of valid keys. Otherwise, crackers can and will figure out how the keys are checked and generate their own, or just buy a copy and pass that one key around.

Flaky on December 18, 2007 1:11 AM

If I buy software on a CD/DVD, why can't a unique key be printed on the CD/DVD?

Because of the cost.

Dave on December 18, 2007 1:14 AM

As well as your five rules, here's another:

6. Use consistent terminology in your code and packaging. Some products have several numbers of various kinds within their packaging, and it's not always obvious which number is the software key as the labels sometimes don't match. If necessary you should show a dummy sample key during installation to make the printed key easier to identify (eg XXX-XXX-123-XXX).

David on December 18, 2007 1:23 AM

"avoid paying (note that I did not say "steal")"
Yeah, what's the difference again? Next time I take some stuff through HMV's door, neatly bypassing the till, I'd like a convincing explanation. BTW, "Stealing from rich people is still theft."

"I'd be inclined to disagree, and willing to bet that just about everyone who'd be willing to pirate something in the first place isn't going to be stopped by simple serial number validation"
Well you'd *lose*. Products with serial numbers get pirated at a lower level than products without, even if it's easy to fake the serial number. Apparently it's a social compliance thing. Basically, the average consumer (read, non-programmer) will assume that, if there's no serial security, it's okay, much as if you leave a door ajar, they'll assume it's okay to open it. There's also the fear that the serial code makes the product trackable and you'll be caught.

"18th century view of property law"
What, that if someone spends 5 years making something that you use, you should pay? That's pretty early to mid 20th Century too.
There is an alternative no-one's considered. Everyone should release software so buggy, so ineffably crap, that your only alternative is to pay to have it fixed. Fortunately, if we stick with only garage-hacker companies that work for free, that'll probably be the situation we find ourselves in. I could start my own business, "fixing garage software; For moneys!"

"I've run into several issues playing games because of a cd-rom driver, or a video driver."
Yes, but I've run into several issues playing games on a Mac because... it's a Mac!

Tom on December 18, 2007 1:29 AM

Alex Said: "I wish they'd put a second copy of the serial ON the disc"

Well, unless they're doing CDR print-on-demand that's just not going to work well for them, logistically (sticker on CD = bad; individually printing them directly on the CD is also nightmarish).

On the other hand, you can do what I've done for years (especially with our MSDN volume-license downloads) and *write the number on the disk* with a Sharpie. (Also, on the disk sleeve. And inside the manual.)

Sigivald on December 18, 2007 1:29 AM

"As far as stealing from UNIX- After reading Jeff's posts on virus protection being pretty much unnecessary if we'd all stop running as Admin... I can't help but feel that Windows would be much better if they HAD. :D"
Agreed. And I'm endlessly interested in what appears to be a massive over-hype. What exactly did Microsoft "steal" from UNIX, was it copyrighted/patented, and if not, did the creators of UNIX observe basic commercial security, as far as possible for the time?(Rule 1: if you talk about it in a public lab, it's not commercially confidential/Rule 2: You only release the blueprints for your product via the patent office).

Tom on December 18, 2007 1:37 AM

"nagware that trusts the user when the user claims to have paid"
You'd require some form of proof, or even I'd click the button marked "I've paid" at some point. Just to see what would happen. And then it's no longer nagware.
I like Spiderweb Software's approach for Shareware games.
www.spidweb.com

Tom on December 18, 2007 1:40 AM

Technically, Windows (insert flavor here) is designed to also work only on one platform: the PC. In essence: a dongle.

This is surely only a valid comparison if the "PC" was a product produced by a company. Microsoft are not a hardware company in this respect, so actually, it's arguably designed to "work" on anything that will support it.

D.W. on December 18, 2007 1:42 AM

"The most rudimentary grasp of mathematics tells us that a conservative 10 character alphanumeric registration key is good for 197 trillion unique users"

alphanumeric: 26 letters + 10 digits = 36 possible values for each character

36 choices per character ^ 10 characters = 3,656,158,440,062,976 combinations

I'm on cold medicine right now...am I missing something? How did we get 197 trillion instead of ~3.6 quadrillion?

Michael on December 18, 2007 1:42 AM

Mike seemed to be on the same track that I was. I think that you should add an additional factor that would alleviate most of the other concerns...

Make the Key Machine Readable

Many registration keys include a bar code, which might help but presupposes that you have a bar code reader. What if the key were encoded in a way that could automatically be recognized by the computer?

My thought would be a pattern that could be scanned via a web-cam. The use case is on the registration screen there would be a button that offers "Scan Key Using Webcam". Upon pressing the button the installation software would fire up the webcam, display a small image from the webcam and start parsing the result. When the user puts the coded image up to the camera the parsing algorithm would detect and evaluate the code in the image. When the key from the code is recognized, the installation software beeps and congratulates the user. On with the installation.

Only drawback is that a scan converted to a gif of the installation code is as good as the original, but how is this different than copying the characters by hand into a text file, web page or email?

Jim on December 18, 2007 1:49 AM

If they can print unique CD keys inside the box, or in the manual, I don't see why it's so difficult to have the keys printed directly on the disk instead (or printed on a sticker stuck on the disk).

Of course, I think evil companies try to ensure keys are easy to lose - they make more $$$ by forcing you to buy a second copy.

KG on December 18, 2007 1:55 AM

In the good old days the key used to be printed on the back of the box, and the bog standard installers said "Type the CD key found on the back of the box". Then they realised how stupid it was to put the CD key in plain sight and moved it to the back of the manual or, in some cases, inside the box. But the installers didn't change. That threw quite a lot of people.
In the good good old days we had code wheels. Might have been annoying, but damn they were a darn sight more fun than a series of digits.

I've not had to type a key in for ages. All of the software I've bought in the last 6 months has been online and thus comes with the niceties of registration that provides (so long as you are connected). Oh, other than Visual Studio, which I copy and paste instead.

[ICR] on December 18, 2007 1:57 AM

"This brought back nerve-wracking memories of trying to install Neverwinter Nights. Not only did it apparently have both 0 and O in the key but it was printed in a deeply ambiguous squared-off font which made 0, O and D almost entirely indistinguishable. Also V and U were almost indistinguishable. It took about 45 minutes to type in the key from the box and actually get the software installed."
You fool, don't you understand? That makes it more secure!

Tom on December 18, 2007 2:00 AM

I was developing a key entry form for an application. I initially proposed and was approved to create an automatic feedback so that the user didn't have to press OK after entering the key to find out that it worked. This was especially important since we had a 1 second delay so that automated scripts couldn't break it with a birthday attack. It worked, everyone saw it worked and the feature was pulled and the Check Key button was added in. I never got a good reason for the change.

mccoyn on December 18, 2007 2:04 AM

Aston-

Don't remember the hardball- However, I DO remember a copy of "Where in the world is Carmen Sandiego" which would ask you to type in the nth word from the top of page x in the Almanac that came with the game.

Wacky, huh?

Alex on December 18, 2007 2:09 AM

I have a pirate copy of every game I bought, as it's much simpler to just install it, crack and use some VCDROM solution than to search for the CD and play with the disturbing CD noise, not to mention I cannot play on my CD-less tablet PC.

Luckily, the same is not always true for other software, but the biggest pain when reinstalling system / moving from one computer to another is the activation, typing serial numbers, finding them in emails, finding old installation files (since you simply cannot download the old version from vendor's website)...

Jakub Kocureq Anderwald on December 18, 2007 2:11 AM

"The difference is that when something is really stolen, the original possessor no longer has it. It was pretty much a Bill Gates "innovation" to mis-apply the term to copying software."

Fair enough. How about if I read a comic in a comic book store and then don't buy it. Technically I'm not stealing, nor am I breaching copyright. Am I committing a crime?

Tom on December 18, 2007 2:13 AM

I was then prompted to enter something like 6 to 8 different CD keys!
That's about 20 minutes of my life that I'll never get back.

8 keys in 20 minutes = 2.5 minutes per key. Assuming the key was 20 digits long = 7.5 seconds to enter each character. (6 keys each of 10 characters = 20 seconds per character). And you were installing Command and Conquer, right? Tell me, do you play for money?

Dave on December 18, 2007 2:14 AM

Fair enough. How about if I read a comic in a comic book store and then don't buy it. Technically I'm not stealing, nor am I breaching copyright. Am I committing a crime?

I give up. What crime are you committing?

Dave on December 18, 2007 2:16 AM

I think I have a rock solid solution for this whole serial key dilemma:

Please enter the word orange into the textbox below ;)

Kevin Nisbet on December 18, 2007 2:29 AM

one unavoidable aspect of software installation[...]: entering the registration key.

Registration keys? How quaint and 20th-century. An artifact of software companies deluded enough to think that it somehow hurts the bad people without hurting their sales significantly.

The aggravation is intentional.

Indeed it is, and it's one of many reasons to choose software that doesn't have such intentional aggravation designed in.

Unique registration keys exist only to prevent piracy.

No, they're to prevent copyright infringement. Piracy is an entirely separate, violent crime that has nothing to do with copyright.

bignose on December 18, 2007 2:29 AM

I accept that software registration keys are a necessary evil for commercial software

Then you accept a falsehood. There are plenty of companies making plenty of money selling commercial software that has no such aggravation, like PostgreSQL and Apache.

It may be that *proprietary* software is less viable without user-hostile measures like registration keys. However, that merely supports the idea that proprietary software is an unnecessary evil.

bignose on December 18, 2007 2:35 AM

Sorry, but I prefer no data over biased data. Biased data is presented with an obvious interest, and when the linked page starts its conclusions with one of the oldest lies of the industry ("Piracy is a worldwide problem that costs software developers billions of dollars every year"), its credibility quickly becomes zero for me.

As for Vista piracy rate being half of XP, sincerely... Who wants Vista? Not me. The only reason for the rate is that most of the people using Vista have it because it came with their computer and they don't know how to get rid of it. And fewer people are pirating it because, frankly... XP is better. Why? You only have to read this great article to know it:

http://dotnet.org.za/codingsanity/archive/2007/12/14/review-windows-xp.aspx

I don't feel any pity for Microsoft, especially when the subject is piracy. Piracy put them where they are now, and many times have they "mistakenly" released unprotected versions of their products, just to make people try them and hook them. It's drugs all the way. Except Vista. No one's going to get hooked on that.

In the end, I feel Registration Keys are useless. You lose them, you have to keep them, you have to input them, and in the end... you know what? Your software is still pirated, and the pirates just use a .reg or a keygen and are free of the hassles you as a customer have to go through.

Drop the keys and just use the mail of the customers! Use it to push updates, to get support (you use a form in the website and receive a short UUID to call TS), etc, etc. If anyone thinks the keys do anything more than irk potential customers, they're fooling themselves.

paketep on December 18, 2007 3:12 AM

"one of the oldest lies of the industry ("Piracy is a worldwide problem that costs software developers billions of dollars every year")"
'That this is a lie is one of the oldest lies of piracy.' (equally valid PoV) Billions is an exaggeration, but to simply go "it's a lie" without any kind of link to evidence is ridiculous.

Tom on December 18, 2007 3:24 AM

The last registration I did was done by dragging and dropping the email I got with the registration details in it onto the registration dialog. That was worth the $20 right there ;)

(You also had the option of manually typing it in, if you were missing the pain...)

Matt Gibson on December 18, 2007 3:27 AM

"PostgreSQL and Apache"
Ah yes, two mass market companies there. It's not like they're for a niche audience; I can't tell you the number of times I've chatted to my cabbie or doctor about Apache.

Also, these are products with an attached community. The users tend to frequent forums and deal with the creators/developers/users on a daily basis. That's simply not true for OS's/Games/Office Suites/Media Players, etc.

Tom on December 18, 2007 3:35 AM

"I give up. What crime are you committing?"
Trust me, as far as the owner's concerned, there's a crime. Dunno what it is, though.

Tom on December 18, 2007 3:37 AM

"one of the oldest lies of the industry ("Piracy is a worldwide problem that costs software developers billions of dollars every year")" 'That this is a lie is one of the oldest lies of piracy.' (equally valid PoV) Billions is an exaggeration, but to simply go "it's a lie" without any kind of link to evidence is ridiculous.

One could just as well argue that your suggestion that "Billions is an exaggeration" is ridiculous, as it's not backed up.

How can one prove that piracy doesn't cost developers billions of dollars? People who make claims need to back those claims up. Saying "it's a lie" is just a challenge to produce some proof, and doesn't need any evidence.


Dave on December 18, 2007 3:39 AM

How come Microsoft wants you to register the key online and then they forget you exist for just about every other transaction with the company and the software? Why do I have to prove who I am and that I bought it for rebates processing or trouble shooting. Isn't all this info in a database that the company and their partners can access? It's all much more complicated and bureaucratic than it has to be.

fxp on December 18, 2007 3:44 AM

I'd also add to the rules that the key should either be asked for at the very beginning of installation, at the very end or on first execution. Asking for a key in the middle of a long installation process is just asinine and unfriendly. (I'm looking at you, Microsoft.)

kbiel on December 18, 2007 3:53 AM

It may be that *proprietary* software is less viable

How do you define proprietary? Unless it's open source, is not all software proprietary?

Rocketboy on December 18, 2007 4:04 AM

wow there is a lot of stupid in these comments. my sympathy

I find the replies to "Every Mac is the world's largest hardware dongle." very funny, thanks. The reason Jeff mentioned that is OS X won't run unless it's on Apple hardware... so like the "key" is in the hardware... just like a dongle...

Funny thing about the Windows validation services. My coworker needed to validate his copy of windows for a developer download. At the time the genuine advantage servers were down, windows validation considered his copy of windows invalid due to the lack of response. Immediately his system crippled itself and he was unable to work from home the rest of the weekend.

http://www.downloadsquad.com/2007/08/25/windows-genuine-advantage-validation-servers-down/

It was a fun weekend. Not.

There is less piracy of Vista because many of those that would pirate an OS can't afford decent graphics cards. :P jk

brian on December 18, 2007 4:08 AM

NOTE: This comment was copied from the sources cited below...

Dan

It is a mistake to credit Bill Gates with dropping out of Harvard. He did not. He was expelled from Harvard for improperly using the school's computer systems for personal business. He was warned multiple times and eventually expelled. The only evidence ...for this is Prof. Fischer. Fischer taught an Intro to Communications class ...at Boston College. He was at Harvard during the tenure of Gates and claimed to be personally familiar with the situation involving the library computers.

http://www.pennylicious.com/#comment-183#comment-183
http://neil.franklin.ch/Usenet/alt.folklore.computers/19990222_Open_Letter_to_Hobbyists

dan on December 18, 2007 4:13 AM

I agree with the "if the software is delivered digitally" allow us to retrieve our key somehow. I'm going through something similar with an Office 2007 Pro key I can't find.

Tom on December 18, 2007 4:29 AM

well... I can't believe people are still struggling with licence keys...

free software baby, free software...

Gabriel Patio on December 18, 2007 4:46 AM

To all you folks talking about "it only runs on Macs so that's already copy protection" and especially you Jeff with your "Are you kidding me? Every Mac is the world's largest hardware dongle"

How is running software A on any specific hardware+software B copy protection to software A?

I can install my Leopard on as many Macs as I like without it ever failing, same as I could with Tiger and all the other big cats, and even classic Mac OSs before it as long as the hardware is supported. (Windows also only installs on supported hardware, it just supports more hardware.) Fact of the matter is my copy of Leopard would install just as fine on my neighbour's Mac as on my own, so in effect there is _no_ copy protection.

There's a lot of folks I would've expected a statement like that from, but not you Jeff. That's very disappointing and it definitely bites into the perceived trustworthiness of your blog. Don't turn into some OS flamewar inducing blog for stupid people like so many have before you, I expect more from you!

kris on December 18, 2007 4:56 AM

I've built an activation system for work. Each cd key had 3 levels of checking:

1) Checksums. Every group of digits had its own checksum to detect typing errors.
2) HMAC: A larger "validation code" was stored in the key, so if a person just fiddled with the check digits to get all the things to say ok, then we could still check if the key was invalid on the client side. (though since an HMAC is symmetrical, you can reverse engineer it and create valid keys)
3) Each key encoded a unique, non-guessable number. So on activation, we check to make sure this number is valid. This is the only measure that actually provides any real promises for security, the other parts trust the client.

I hated doing it though, it really isn't the sort of thing I want to be spending my time on when I'm at work. I'd much rather be making things that will actually make people happy, rather than making hoops for them to jump through. And now we have to maintain an activation server, and handle the added tech support costs, and all that sort of thing. All this, and I'm still not convinced that it is going to do anything to increase our sales (and no, decreasing the rate of piracy is not the same thing as increasing sales).

a little bit anonymous on December 18, 2007 5:09 AM
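The three-level scheme kris describes above, as an added example in Python (this is not kris's code; the key layout of an 8-digit serial plus an 8-digit validation code split into four Luhn-checked groups, the HMAC truncation, the `CLIENT_SECRET` constant and the `ActivationServer` class are all assumptions of this example). Levels 1 and 2 run entirely on the client, and level 2 can be forged by anyone who pulls the secret out of the binary; only the level 3 lookup against the vendor's list of issued serials is authoritative.

```python
import hmac
import hashlib
import secrets

# Assumed key layout (not the format of any real product):
# 16 payload digits = 8-digit serial + 8-digit validation code, split into
# four 4-digit groups, each followed by a Luhn check digit, printed as
# XXXXX-XXXXX-XXXXX-XXXXX.
SERIAL_DIGITS = 8
VCODE_DIGITS = 8
GROUP_DIGITS = 4

# Level 2 secret. It ships inside the client, so anyone who reverse-engineers
# the client can mint keys that pass levels 1 and 2 (kris's caveat).
CLIENT_SECRET = b"demo-client-secret-not-for-production"  # assumed value


def luhn_check_digit(digits: str) -> str:
    """Return the Luhn check digit for a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):  # rightmost payload digit is doubled
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(group: str) -> bool:
    """Level 1: the group's last digit must be the Luhn check digit of the rest."""
    return (group.isdigit() and len(group) == GROUP_DIGITS + 1
            and luhn_check_digit(group[:-1]) == group[-1])


def validation_code(serial: str) -> str:
    """Level 2: truncated HMAC-SHA256 of the serial, rendered as decimal digits."""
    mac = hmac.new(CLIENT_SECRET, serial.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** VCODE_DIGITS).zfill(VCODE_DIGITS)


def format_key(serial: str, vcode: str) -> str:
    """Lay out serial + validation code as Luhn-checked groups."""
    payload = serial + vcode
    groups = [payload[i:i + GROUP_DIGITS] for i in range(0, len(payload), GROUP_DIGITS)]
    return "-".join(g + luhn_check_digit(g) for g in groups)


def client_check(key: str):
    """Levels 1 and 2, run on the client. Returns (ok, reason, serial)."""
    groups = key.replace(" ", "").split("-")
    if len(groups) != (SERIAL_DIGITS + VCODE_DIGITS) // GROUP_DIGITS:
        return False, "wrong number of groups", None
    for n, g in enumerate(groups, 1):
        if not luhn_valid(g):
            return False, f"typo in group {n}", None
    payload = "".join(g[:-1] for g in groups)
    serial, vcode = payload[:SERIAL_DIGITS], payload[SERIAL_DIGITS:]
    if not hmac.compare_digest(vcode, validation_code(serial)):
        return False, "validation code mismatch", None
    return True, "passes client-side checks", serial


class ActivationServer:
    """Level 3: the only check the client cannot satisfy on its own."""

    def __init__(self):
        self.issued = {}  # serial -> activations recorded so far

    def issue(self, serial=None) -> str:
        """Mint a key for a fresh (or caller-supplied) serial and record it."""
        if serial is None:
            serial = str(secrets.randbelow(10 ** SERIAL_DIGITS)).zfill(SERIAL_DIGITS)
        self.issued[serial] = 0
        return format_key(serial, validation_code(serial))

    def activate(self, key: str, max_activations: int = 1) -> str:
        """Re-run levels 1 and 2 server-side, then check the serial was really issued."""
        ok, reason, serial = client_check(key)
        if not ok:
            return reason
        if serial not in self.issued:
            return "serial never issued"
        if self.issued[serial] >= max_activations:
            return "activation limit reached"
        self.issued[serial] += 1
        return "activated"


if __name__ == "__main__":
    server = ActivationServer()
    key = server.issue()
    print("issued :", key)
    print("client :", client_check(key))
    print("server :", server.activate(key))
    print("again  :", server.activate(key))
    # An attacker who extracted CLIENT_SECRET can pass levels 1 and 2 with a
    # serial the vendor never issued; only the server notices.
    forged = format_key("00000001", validation_code("00000001"))
    print("forged :", client_check(forged)[0], "/", server.activate(forged))
```

The split between `client_check` and `ActivationServer.activate` is the point of kris's third level: a keygen that knows the secret produces keys the installer happily accepts, and the activation server still rejects them because the serial was never sold. f0dder's suggestion below of signing keys with an asymmetric (elliptic curve) scheme closes the level 2 forgery hole, since the verifying key in the client cannot produce signatures; that variant is not shown here.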

Linux
:-)

David Ginger on December 18, 2007 5:26 AM

So why, then, do software developers insist on 20+ character registration keys? It's ridiculous. Are they planning to sell licenses to every grain of sand on every beach?

Elliptic curve keys with feature bits inside... 25-digit isn't too bad anyway if it's broken into 5x5 groups and you can paste.

Don't passively-aggressively inform me that "the key you entered appears to be valid." Is it? Or isn't it? What's the point of unique registration keys if you can't be sure? I guess paying customers can't be trusted.

There are two reasons for this: either the real check is done server side (yeah, installer could contact the server I guess), or a quick check is done now and a more thorough check later, as an anti-cracking measure. Not that big of a deal either, imho.

But you do have a very important point wrt. the characters in the serial and the font used for printing, as well as *NOT* having 5 bloody tab-requiring input fields and no clipboard paste support, grr.

f0dder on December 18, 2007 5:33 AM

I'm not sure why the big fuss over entering the key every time you MOVE your software to a new computer. By far the bigger hassle is going through the reinstall (now which features did I install last time?) and configuration of the reinstall (how did I set up that feature?). Granted, it does take time to find and enter the key and that time does add up. I have started writing notes about what I have installed and how I have configured it so I have some chance of redoing it later.

Les on December 18, 2007 5:47 AM

"Granted, it does take time to find and enter the key and that time does add up."
It's when you lose the manual/somebody's pulled the sticker off that you begin to swear, swear like a trooper.

"I can install my Leopard on as many *Macs* as i like without it ever failing"
Yes, but each time, you've paid Apple for the *Mac*. Basically, all Mac products you buy now come free with any new Mac you buy.
But woe betide you if you stray from the path of the one true OS. That Leopard won't roam the jungle of Linux, or the swamp of Windows.

Tom on December 18, 2007 6:00 AM

"I'll choose biased data over no data whatsoever, every time."

No data means nothing. Biased data is wrong. Often, it's crucially wrong. Sometimes, it's perniciously wrong.

Patrick Stephens on December 18, 2007 6:01 AM

Most interesting that MS believes the lack of Vista piracy has more to do with "Genuine Advantage" and not Vista sucking, so no one wants it. If I were them, I would be concerned if people aren't pirating my software . . .

Jim on December 18, 2007 6:02 AM

Hey Now Jeff,
In these days of p2p file sharing key generators, it seems that many apps are so easy to use for free. I wonder about the future of this; what is the best way to enforce this? As previously stated the honor system isn't the best option here. @ Michael B the URL registration seemed interesting. How many people reading this have clicked a generate key button, copied it and pasted it? A metric off the top of my head: 95.07%. FYI - I prefer inaccurate data over no data.
Coding Horror Fan,
Catto

Catto on December 18, 2007 6:10 AM

Great synopsis, but I've got a point to make regarding software piracy in relation to the free market economy: The mere fact that piracy exists means there is a DEMAND for the product! Piracy doesn't mean people want to pay NOTHING, it means the price is not right.

Software developers should be paid for their work, but I think most of them simply charge too much. How can Microsoft justify charging X dollars for a Windows license (which they can print an infinite number of) when someone in Iran or Venezuela has to pull two FINITE barrels of oil out of the ground to pay for it?

I don't have all the answers, but I think there needs to be a lot of work done in the Intellectual Property area. It makes everyone crazy including me.

I'll admit that I'm a strong open source supporter, but I wouldn't pay for a copy of Microsoft Windows even if it was $1!

Alan on December 18, 2007 6:14 AM

Serial numbers don't work to prevent piracy. Pretty much every single serial-number "protected" application has a keygen, or a list of serial numbers somewhere on the internet (Search for "[app name] serial", skip past all the viruses and chances are, you'll find a serial number)

They are also extremely annoying - not so much that I have to type it in when installing, but that I have to keep track of this little bit of paper.
Many times I've taken a disc out of its case (or put a couple of games in one case) and tried to install it somewhere else (i.e. not at home), only to realize I don't have the otherwise pointless manual which contains the serial number...!?

The ironic(?) thing is, if I pirated the game, it wouldn't be an issue, as there would be a keygen in the disc-image I burned to a DVD - And I can then copy/paste the serial number.

When I moved to Australia for a year, I forgot to bring my Final Cut Studio discs to install on my laptop. Luckily my sister was flying over not long after, so I got her to bring the discs, and what I described as the serial number leaflet. When she arrived, I was handed the discs, and the wrong leaflet - it had a serial number on it, but not the one I needed to install Final Cut - thankfully I was able to phone my parents to read the serial number over the phone, but it's extremely annoying. Had I downloaded Final Cut, the serial number would have been on the disc, and it wouldn't have been an issue...


"Microsoft recently stated that the piracy rate of Vista is half that of XP, largely due to improvements in their Windows Genuine Advantage program"
Vista really isn't hard to pirate, it's on pretty much every torrent site that will accept it. In fact I have it burned to a disc somewhere - but I don't actually use it (I installed it, played around for a while, and restored XP).
I imagine a lot of people using it because it was pre-installed on the machine. I don't know many people who have gone out and bought it, or even downloaded and regularly use it.

If you effectively force people to buy a generally unwanted product with a new computer, a lot more people are going to be using it legally (with the new computer) than are downloading it illegally, thus the improvement in pirated to legal users... It's nothing to do with "better anti-piracy".

Anti piracy methods are only effective (and should only be used to) prevent pirated copies being available within the first day or two of sales. After that, pretty much any game is going to get cracked.

After those few days, you may as well make it as easy for users to buy your software, otherwise you're going to force them to go down the far more convenient piracy route...
- Ben

dbr on December 18, 2007 6:15 AM

They're better than a dongle...

Mac (aka John McPherson) on December 18, 2007 6:15 AM

"Software developers should be paid for their work, but I think most of them simply charge too much. How can Microsoft justify charging X dollars for a Windows license (which they can print an infinite number of) when someone in Iran or Venezuela has to pull two FINITE barrels of oil out of the ground to pay for it?"

Ah, the old "it's cheap to copy = it's cheap to create" fallacy. I can print 1000 copies of Terry Pratchett and Neil Gaiman's "Good Omens" an hour with a cheap printer and MS Word '98. I'm relatively certain I couldn't have written the book.
Remember, when they talk about Gates' wealth, they don't mention how much of it is actually tied up in Microsoft.
When you crack Vista, you're not ripping off Bill Gates. You're ripping off the hundreds of Software developers who go to work every day at Redmond. Bill will be fine. They will be fired.
And then, as they are better coders than you, with better resumes, they'll take *your* job.

Tom on December 18, 2007 6:40 AM

"Microsoft recently stated that the piracy rate of Vista is half that of XP, largely due to improvements in their Windows Genuine Advantage program"

Not to mention the spike in people punished due to false positives. Like me, just recently. Made an overnight Linux user out of me. I don't mind software licensing, or product keys, or even M$ checking to see if the key I'm using has already been used. They need money to keep cranking out mediocre beta-test products to the market.

I mind the fact that they arbitrarily deactivated an OS that I paid money for. And I mind the fact that M$ couldn't/wouldn't give me reasonable assurance that they wouldn't do it again.

Installed Ubuntu that same day, haven't looked back. There are- and should be- consequences for treating legitimate customers like criminals.

Matt on December 18, 2007 6:44 AM

Considering Microsoft's business model: make sure every PC manufactured has a license for Windows whether or not Windows is actually installed on that PC. I find it hard to believe that Microsoft really has a problem with piracy of Windows in the Western world.

Microsoft may have a problem in the developing world. However, one of the documents in the Netscape case was a series of memos concerning Microsoft's market share in China. Reading through these memos, you realize that Microsoft wasn't concerned with the sales of Microsoft Windows and Office in China, but that not enough people were pirating Microsoft Windows and Office.

At that time at least, it was more important to Microsoft that people in China steal their software, use it, and like it, than not steal it, and get used to something else. As the memos pointed out, sooner or later, the Chinese market would become more legitimate, and all those stolen licenses would be paid for.

I predict that the licensing cost of Windows Vista Home Basic will drop to less than a dollar by the end of next year. As the price of PCs continue to drop, and improvements are made in alternate operating systems, PC makers will find it harder and harder to pay Microsoft for a Windows license. In order to keep Windows as the prime operating system on all PCs, Microsoft will drop the price of Vista Home Basic to almost free to compete with open source alternate operating systems.

Instead, Microsoft will give users the option to upgrade to Windows Vista Premium online, and offer other online offers as a way to keep the money rolling in. A few users may figure out a way to game the system to be able to pirate Vista Premium, but without DVDs and CDs of the OS running around, it makes it much harder to "share". Most users who do upgrade to Vista Premium will be licensees.

David on December 18, 2007 6:47 AM

First off when I get a CD with a card with the reg key written on it, I grab a sharpie and copy the key to the printed side of the disc so it stays with the software.

Also some of those numbers may be in error; if you work for a large installation and have 80 computers to install you are probably going to make a master image from a completely installed system and then duplicate it to the others' hard drives. While the co. may have the 80 license keys it is not practical to individually install each program on the computers.

Licensing of expensive software has lately turned me towards open source alternatives. Case in point was Adobe had a great little web page program, PageMill, about $50 to $100 and capable of painlessly maintaining a basic web site. Now all they have to sell is this over-powered Dreamweaver or even more so - the creative web suite. KompoZer/NVU is a good alternative (if only they would behave with PHP files.)

I think a lot of the companies have the mentality that they can never reduce prices significantly and then alienate the introductory user by positioning their products out of their price range. How much would you pay for software you never tried before - better yet, how much would you pay for software you don't know how to use?

Larry on December 18, 2007 6:48 AM
