December 17, 2007
Software is digital through and through, and yet there's one unavoidable aspect of software installation that remains thoroughly analog: entering the registration key.
The aggravation is intentional. Unique registration keys exist only to prevent piracy. Like all piracy solutions-- short of completely server hosted applications and games, where piracy means you'd have to host your own rogue server-- it's an incomplete client-side solution. How effective is it? One vendor implemented code to detect false registration keys and phone home with some basic information such as the IP address when these false keys are entered. Here's what they found:
| Software Connectivity | Ratio of pirated to legitimate keys |
|---|---|
| no internet connection required | 45 : 1 |
| occasional internet connection necessary | 60 : 1 |
| internet must be "always on" | 110 : 1 |
I have no idea how reliable this data is. The vendor is never named, and given that the title of the URL is sharewarejustice.com/software-piracy.htm, I'd expect it to be biased. But it is data, and without the registration key concept (and pervasive internet connectivity), we'd have no data whatsoever to quantify how much piracy actually exists. The BSA estimated 35% of all software was pirated in 2006, but it is just that-- an estimate. I'll choose biased data over no data whatsoever, every time.
I don't have a problem with registration keys. You could, in fact, argue that registration key validation actually works. Microsoft recently stated that the piracy rate of Vista is half that of XP, largely due to improvements in their Windows Genuine Advantage program-- Microsoft's global registration key validation service.
As a software developer, I can empathize with Microsoft to a degree. Unless you oppose the very concept of commercial software, there has to be some kind of enforcement in place. The digital nature of software makes it both easy and impersonal for people to avoid paying (note that I did not say "steal"), which is an irresistible combination for many. Unless you provide some disincentives, that's exactly what people will do-- they'll pay nothing for your software.
Microsoft's history with piracy goes way, way back-- all the way back to the original microcomputers. Witness Bill Gates' Open Letter To Hobbyists, written in 1976.
Almost a year ago, Paul Allen and myself, expecting the hobby market to expand, hired Monte Davidoff and developed Altair BASIC. Though the initial work took only two months, the three of us have spent most of the last year documenting, improving and adding features to BASIC. Now we have 4K, 8K, EXTENDED, ROM and DISK BASIC. The value of the computer time we have used exceeds $40,000.
The feedback we have gotten from the hundreds of people who say they are using BASIC has all been positive. Two surprising things are apparent, however, 1) Most of these "users" never bought BASIC (less than 10% of all Altair owners have bought BASIC), and 2) The amount of royalties we have received from sales to hobbyists makes the time spent on Altair BASIC worth less than $2 an hour.
Why is this? As the majority of hobbyists must be aware, most of you steal your software. Hardware must be paid for, but software is something to share. Who cares if the people who worked on it get paid?
Is this fair? One thing you don't do by stealing software is get back at MITS for some problem you may have had. MITS doesn't make money selling software. The royalty paid to us, the manual, the tape and the overhead make it a break-even operation. One thing you do do is prevent good software from being written. Who can afford to do professional work for nothing? What hobbyist can put 3-man years into programming, finding all bugs, documenting his product and distribute for free? The fact is, no one besides us has invested a lot of money in hobby software. We have written 6800 BASIC, and are writing 8080 APL and 6800 APL, but there is very little incentive to make this software available to hobbyists. Most directly, the thing you do is theft.
Although computers have changed radically in the last thirty years, human behavior hasn't. (Alternately, you could argue that the economics of computing and the emergence of an ad-supported software ecosystem have fundamentally changed the rules of the game since 1976. But that's a topic for another blog post.)
I accept that software registration keys are a necessary evil for commercial software, and I resign myself to manually keeping track of them, and keying them in. But why do they have to be so painful? You do realize a human being has to type this stuff in, right? Here are some things that I've seen vendors get wrong with their registration key process:
- Using commonly mistaken characters in the key
Quick! Is that an 'O' or an '0'? A '6' or a 'G'? An 'I' or an 'l'? A 'B' or an '8'? At least have the courtesy to scour your registration key character set of those characters that are commonly mistaken for other characters. And please print the key in a font that minimizes the chances of confusion.
- Excessively long keys
The most rudimentary grasp of mathematics tells us that a conservative 10 character alphanumeric registration key is good for 197 trillion unique users. Even factoring in the pigeonhole principle, we can estimate about 14 million random registration key combinations before we have a 50 percent risk of a collision. So why, then, do software developers insist on 20+ character registration keys? It's ridiculous. Are they planning to sell licenses to every grain of sand on every beach?
- Not separating the key into blocks
Rather than smashing your key into one long string, make it a group of small 4 to 5 characters, separated by a delimiter. It's the same reason phone numbers are listed as 404-555-1212 and not 4045551212: People have an easier time handling and remembering small chunks of information.
- Making it difficult to enter the key
Short of providing every customer a handy USB barcode scanner, at least make the registration key entry form as user friendly as possible:
- Let the user enter the key in any format. With dashes, without dashes, using spaces, whatever. Be flexible. Accept a variety of formats.
- Do not provide five input boxes that require us to tab through each one to enter the key. It's death by a thousand tiny textboxes.
- Tell me as soon as I've entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I've screwed up? You're the computer, remember? This is what you're good at.
- Accept pasting from the clipboard. Once we've installed the software, we'll probably install it again, and nobody likes keying these annoying registration keys in more than once. I've seen some clever software that proactively checks the clipboard and enters the key automatically if it finds it there. (Kudos to you, Beyond Compare.)
- Don't passively-aggressively inform me that "the key you entered appears to be valid." Is it? Or isn't it? What's the point of unique registration keys if you can't be sure? I guess paying customers can't be trusted.
- Where's the %*@# key?
The key is important. Without it we can't install or use the software. So why is it buried in the back of the manual, or on an easy-to-overlook interior edge of the package? Make it easy to find-- and difficult to lose. Provide multiple copies of the key in different locations, maybe even as a peelable sticker we can place somewhere useful. And if the software was delivered digitally, please keep track of our key for us. We're forgetful.
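The entry-form advice in this list, sketched as an added example that is not code from the original post or from any vendor: a key alphabet with the look-alike characters removed, free-form input, and feedback that names the bad character or block as soon as it is typed. The 31-symbol alphabet, the three-block layout and the per-block check symbol are assumptions of this example.

```python
import secrets
from typing import NamedTuple

# Constructed 31-symbol alphabet: digits plus letters, minus the look-alikes
# the post names (O/0, G/6, I/l, B/8). The letter of each pair is dropped.
ALPHABET = "0123456789ACDEFHJKMNPQRSTUVWXYZ"
VALUE = {c: i for i, c in enumerate(ALPHABET)}
# A dropped letter can only be a misreading of its digit, so fold it back.
FOLD = str.maketrans("OILGB", "01168")
DATA_PER_BLOCK = 4            # plus one check symbol = 5 characters per block
BLOCKS = 3                    # assumed layout: XXXXC-XXXXC-XXXXC
BLOCK_LEN = DATA_PER_BLOCK + 1


def check_symbol(data: str) -> str:
    """Position-weighted sum mod 31; catches any single wrong symbol in a block.

    This is a typo detector only. Anyone can compute it, so passing it says
    nothing about whether the vendor ever issued the key.
    """
    total = sum((i + 1) * VALUE[c] for i, c in enumerate(data))
    return ALPHABET[total % len(ALPHABET)]


def format_key(data: str) -> str:
    """Split data symbols into blocks, append each block's check symbol."""
    blocks = [data[i:i + DATA_PER_BLOCK] for i in range(0, len(data), DATA_PER_BLOCK)]
    return "-".join(b + check_symbol(b) for b in blocks)


def generate_key() -> str:
    """Random key from a CSPRNG, already formatted for printing."""
    data = "".join(secrets.choice(ALPHABET) for _ in range(DATA_PER_BLOCK * BLOCKS))
    return format_key(data)


class Entry(NamedTuple):
    status: str      # ok | incomplete | bad_char | bad_block | too_long
    detail: str      # message suitable for showing next to the input box
    canonical: str   # what the user typed, normalized and re-grouped


def validate_entry(raw: str) -> Entry:
    """Safe to call on every keystroke or paste; accepts any separators/case."""
    symbols = []
    for pos, ch in enumerate(raw):
        if ch.isspace() or ch in "-_.":
            continue                                  # user's own grouping
        folded = ch.upper().translate(FOLD)
        if folded not in VALUE:
            msg = f"character {ch!r} at position {pos + 1} cannot appear in a key"
            return Entry("bad_char", msg, "")
        symbols.append(folded)

    text = "".join(symbols)
    blocks = [text[i:i + BLOCK_LEN] for i in range(0, len(text), BLOCK_LEN)]
    canonical = "-".join(blocks)
    if len(text) > BLOCK_LEN * BLOCKS:
        return Entry("too_long", f"a key has {BLOCK_LEN * BLOCKS} characters", canonical)

    # Report a mistyped block as soon as that block is complete.
    for n, block in enumerate(blocks, start=1):
        if len(block) == BLOCK_LEN and check_symbol(block[:-1]) != block[-1]:
            return Entry("bad_block", f"block {n} ({block}) contains a typo", canonical)

    missing = BLOCK_LEN * BLOCKS - len(text)
    if missing:
        return Entry("incomplete", f"{missing} more characters needed", canonical)
    # Well-formed is not the same as issued: that check is a separate step.
    return Entry("ok", "well-formed; still to be checked against issued keys", canonical)
```

Because the alphabet has a prime number of symbols, every weight from 1 to 4 is invertible mod 31, which is what guarantees that a single mistyped symbol changes the check symbol.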
Software registration keys are a disconcerting analog hoop we force users to jump through when using commercial software. Furthermore, registration keys are often the user's first experience with our software-- and first impressions matter. If you're delivering software that relies on registration keys, give that part of the experience some consideration. Any negative feelings generated by an unnecessarily onerous registration key entry process will tend to color users' perception of your software.
Posted by Jeff Atwood
OK, I just have to point out that the best C++ compiler I've used requires no registration or access key -- it's gcc. Same for the best dynamic language, Python. Why pay Microsoft and put up with the aggravation?
Licence Keys - are just another legitimate customer annoyance feature
There are two models for selling software
Here is some software you pay for it by buying a licence
Here is some software pay for updates/support
If your software licence does not cost enough to warrant the hassle people will pirate it because it's easier (people will also pirate expensive software but that's because it's expensive)
But you need something to protect your investment that does not annoy your customers (just the pirates)
Dongles annoy customers
Typing in long licence keys annoys customers
Retyping long licence keys when moving PC's annoys customers
The cut and paste and click here to activate system work just fine and I suspect are no more secure if you are careful?
I know it's not the primary focus of the article, but I've always had a problem with the BSA's piracy statistics. Have you ever looked at their methodology? They take hardware sales, figure out what they expect software sales to be, based on a model of software use within a given country; then take the retail value of the expected software sale minus actual sales. Voila: piracy!
I'd be interested to hear why more software shops that sell online don't go with the license file approach instead of serial numbers? I have used XHeo licensing (www.xheo.com) and it works pretty well.
After purchase the publisher supplies a download link to a customer specific license file. The customer just saves it to the application install folder. The publisher usually saves the customer license information so it can be downloaded again if the customer needs it.
"I'll choose biased data over no data whatsoever, every time."
is a foolish credo. Good data is better than no data, which is infinitely better than bad data. Bad data leads one to make erroneous conclusions. No data makes one seek good data to draw scientifically accurate conclusions.
Please, Jeff, never use bad data for anything other than motivation to find good data!
I bet even in the days of Altair BASIC Gates was grossly overpricing his software. It's funny reading about Bill Gates wondering who would provide professional quality software for free while I'm using Firefox in lieu of his wonderful "professional quality" IE. It's also funny that, despite this rampant, evil piracy, Gates is one of the richest men on the planet.
I'm so tired of hearing how piracy is bad, you're stealing, blah blah blah blah, but the people doing the complaining are making MILLIONS. What's wrong with this picture? Maybe, instead of pointing your finger at all of us peons, you should take a look at your friggin pricing scheme and wonder if you might be charging a little too much. $15 for a CD that took less than $1 to create? Are you telling me that the other $14 is for "creative property" and studio time? Hardly. $110 for the most BASIC OEM version of your poorly designed OS? Why? For the hundreds of features you put in that the average user will never touch? And, of course, these prices have to go up with newer versions, because they are increasing in quality.
Great article Jeff. Enjoyed the read.
"On the other hand, copy protection schemes DO scare away honest users."
I paid for a copy of Pro Tools LE (audio recording software) and have been using it as a hobbyist - until I changed a hard drive in my computer. Now one of my plugins ("Amplitube") insists that it's been stolen, and proceeds to launch a registration dialog that doesn't work, freezing the entire program. Moreover, the Amplitube website won't give me another key.
The prospect of re-installing my whole Pro Tools system and having to re-register all of my plugins, falling into God knows what other traps along the way, sounds so terrible that I haven't touched Pro Tools in months.
"Personally, I am really tired of games that nag me to find the CD, windows that nags me to install WGA or to activate, and software that nags me to find the license key."
Lately I just don't install anything that requires WGA. I'm tired of playing that game. It's insulting, and I'm not entirely comfortable with Microsoft calling home with my information.
"avoid paying (note that I did not say "steal")"
Yeah, what's the difference again?
The difference is that when something is really stolen, the original possessor no longer has it. It was pretty much a Bill Gates "innovation" to mis-apply the term to copying software.
The legal wedge used to deter copying software (in the US anyway) is US copyright law. Copyright is really nothing other than a government-granted monopoly on copying a work. In the eyes of the law, no one owns the work itself. So all software "piracy" really amounts to is a violation of some company's government-backed copying monopoly.
Copyright was intended to be an industrial regulation. Until very recently violations of it were considered civil matters (whereas theft would be a criminal matter). It's the big copyright holders who want you to think of it as a nasty criminal activity by using loaded (and inaccurate) words like "piracy" and "theft".
Probably the best term I have heard for it is "unauthorised copying", but I'll admit it doesn't have a lot of pizzazz.
I do think the service model offers a lot more rosy picture than the current way. And with web services becoming more and more prominent/feasible, maybe the time is right. I'm not an economist but it seems to make sense to let people pirate the software if they want; charge for services.
Point the first:
I have to disagree with Jeff regarding the use of biased data. Biased data cannot be trusted. A scientist wouldn't use biased data because it presents a skewed view of the results. We want to be objective, not biased. In this case, *unbiased* data is preferable to *biased* data, and that renders *no* data the better choice.
Point the second:
To all the posters claiming that the lower piracy rate on Vista is due to its lower sales rate: get real. When these figures are calculated, they are calculated as a *percentage* of the sales rate. Thus, if the number of copies of Vista that are out there that are pirated is half of what the number of XP copies are that are pirated, that's a *ratio* and not the total number of copies. It's not a 1:1 correlation.
Point the third:
Linux is not a silver bullet. Mac is not a silver bullet. Windows is not a silver bullet. No one operating system is going to solve the software registration problem because the operating system is not the problem. Software registration is the problem. It's not an OS problem. It's something we, as developers, have historically handled badly. There are a plethora of solutions out there, some good, some bad, none perfect. If there was a perfect solution out there, it would likely have been universally adopted by now.
I was so disappointed that "Where in the world is Carmen Sandiego" wasn't designed around using the Almanac to play the game rather than it just being a lame copy-protection scheme.
If software piracy is a crime, I believe it would either be copyright violation or breach of contract. Except that—if I recall correctly—breach of contract is technically not a “crime” but a “civil offense”.
"Unless you provide some disincentives, that's exactly what people will do-- they'll pay nothing for your software."
This statement is a bit odd in an article that otherwise seems to recognize that this isn't an issue of absolutes. Registration keys won't stop all pirates from pirating; the lack of registration keys won't stop all honest customers from paying.
Also, don't forget that even without some anti-piracy scheme, copyright law itself still serves as a disincentive.
"Products with serial numbers get pirated at a lower level than products without, even if it's easy to fake the serial number."
But the important questions are:
Do products with serial numbers sell more than products without? Does the extra revenue cover the costs of the anti-piracy scheme?
There's little point in trying to prevent piracy if it doesn't result in higher profits.
On the bit of checking for valid data as you enter it:
It would be quite possible to add a simple checksum to each block. This wouldn't be of any help to the guy trying to brute-force it because just because it passed the checksum wouldn't mean it's valid. It would be a big help in reducing the hunt for the error when the system doesn't take the key, though.
The worst experience I ever had with registration keys was the opposite of the normal ones, though: The game took an invalid key! It was a case of a bad font and both I and 1 were legal. I got it wrong, the game was happy--but the updater wouldn't work because the website did know the key was no good. Uninstall/Reinstall.
Activation keys don't work. I've installed tons of pirated software with keys: only cracks or keygens were necessary. The only stuff that can crack piracy are those online games with CD keys. Now, who will crack these???
The only stuff that can crack piracy are those online games with CD
keys. Now, who will crack these???
Which game hasn't been cracked?
Thank you for posting the security keys. Now I can install the software I just pirated.
I think it would be cool if some software company parsed their key into some form of picture that we could reproduce. Something as simple as 3 rows of 7 blocks 12 to 15 of which should be filled with 7 distinct colors (these could be in the form of block placed under the key which the user can drag). This method would give us 4 quadrillion (pigeonhole: 75 million) with 12 unique blocks and 25 quadrillion (pigeonhole: 600 million) with 15 unique blocks. Granted, with this method you could not copy-n-paste, but it's fast enough that I don't think users would mind putting it in every time, and it should be really easy for someone to see a mistake (and hard to make a mistake in the first place).
All in all you only hassle the legitimate user, while pirates can crack and use your software anyway.
I would also recommend developers to make keys case insensitive.
"And if the software was delivered digitally, please keep track of our key for us. We're forgetful."
Thank you, Steam.
What? No biometrics? CROCK! lol
They could just put the key into the installer like they do with Visual Studio, but I guess that is just too much work.
There's really no excuse to steal software. There's so much free software out there. If you say you can't afford it... Well I can't afford a Porsche so should I just go over to the car dealer and take one?
WGA is a half-cocked piece of software.
- it is proven fact that false positives do happen, and happen often.
- it is easily bypassed with relative ease
I believe that even by Microsoft standards, WGA fails in every possible way. Or does it? Was this intended from a design standpoint? It's easy to say that you are losing 'billions' per year due to Piracy, because it is not easy to prove either way. Eliminating (read: 'vastly-reducing') piracy would provide a surefire means to an end... the revenue increase that year would indeed indicate exactly what you were losing for that specific timeframe. On top of that, public opinion would be that you should lower your product prices, after all you've been claiming that piracy drove the price up there in the first place. As far as large software corporations, to beat piracy is to beat oneself.
Point-blank. Microsoft do NOT want to beat pirates. Their trials and tribulations regarding WGA are a farce at best, how could a company with so much experience and expertise possibly create WGA with so many fundamental problems that it ends up costing legit users so much?
Beating pirates is useless, those who do not pay do so for a reason. Those who are paying... get them to pay twice. This is reflected even in their EULA when it was first released (now more relaxed).
I may be paranoid... but still, I call it how I see it.
on paying for anything at all:
if it's easier to steal than to buy, you have a problem. this applies to everything (digital, as many people wouldn't just go into a store and steal stuff). it seems that no one actually notices that. buying music on the internet still isn't as easy as buying, and you can't hear it once to see if you like it, you can just download it illegally, decide you do like it and then think about going thru the hassle of buying.
i don't want to go into semi unrelated topics here tho....
microsoft (namely gates) says: "The royalty paid to us, the manual, the tape and the overhead make it a break-even operation. One thing you do do is prevent good software from being written."
now they have a yearly profit in the 10s of billions of dollars. yet they try to fight piracy with new genuine advantage tools and the ever more restricting eula. instead of letting someone who bought an operating system use that same operating system on all computers he owns himself, maybe make it easier to buy (online, download), and cheaper.
Tell me as soon as I've entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I've screwed up? You're the computer, remember? This is what you're good at.
Sorry, I should have been more clear here. I mean prevent me from entering keys that can't possibly be correct based on the key characterset, eg, "%" or whatever. Also, dynamically validate the entire key with a visual thumbs up/down when it's completely entered-- don't make me click OK to find out the key is invalid.
I wish more companies would take Apple's stance -- not only has the OS never required a serial, but the few apps of theirs that ever have are slowly but surely having the requirement removed (the latest version of Logic being the latest to come to mind). And it's not because they're a "hardware company."
Are you kidding me? Every Mac is the world's largest hardware dongle. Ask yourself this: why can't you virtualize OS X? Hmm.
I did find a comparison of "honor system" shareware vs. "nagware" shareware which was interesting. Summary: nagging works. http://hackvan.com/pub/stig/articles/why-do-people-register-shareware.html
Fascinating result-- this '93-'94 experiment shows a similar 80% reduction in payment when you put people on the honor system.
Apple has provided the peelable sticker for its iWork package. I immediately made the ubiquitous backup of the DVD then applied the sticker to the case for the backup and one in the master.
Kudos to Apple for taking that step at least. As for other Apple software and registration processes? Non-existent for Leopard which REQUIRES its own hardware anyway.
However, given that an Apple user COULD have more than one qualifying Mac and then install that new copy of Leopard onto those others, it seems kind of pointless not to have some kind of restriction imposed. Apple must not have really cared about that one for some reason. With iWork, you have to enter the key then it makes its trip out to a validation server in la-la-land, thereby preventing the installation of it on other Macs. With the Family Pack edition, the server keeps track of how many times it's been installed and whatever unique identifier for the hardware it's been installed on. In that case, you can install it any number of times you like on the same machine, as you would expect.
What I find curious, is the Leopard "no register" policy. Leopard was over $100. iWork: under $100. I don't quite get it. Apple is basically giving away Leopard (arguably the best OS in recent years...)
Parallels (VM software for Mac - ROCKS!) for Mac has its own registration policy, but it doesn't take into account multiple installations on multiple Macs. But again, it only runs on Mac. Halfway there on the registration/anti-piracy front.
And I have to agree that Vista's piracy rate could be more attributed to the lower upgrade rate. Hardware manufacturers (HP, Dell, etc.) are pressured into selling Vista at a low rate with new PCs, and pressured into selling XP at a higher rate with the same PCs. With the problems involved with software/hardware compatibility in Vista, a lot of XP users aren't upgrading, and the only way to ensure your PC itself is Vista compliant is to buy that new PC. With a downturn in the economy and the rising gas prices, etc., new PC sales are also not climbing like they did in past years. With all that, you would possibly have a lower piracy rating in Vista.
Personally, I think XP is a decent OS, and Vista still has some issues to work out. But that's not the topic of discussion...
From my previous comment....
- it is easily bypassed with relative ease
Ignore my bad English there... it is Tuesday and I'm still warming up :)
I can't help but feel that Microsoft did pretty OK with making money despite everyone pirating their software. Heck, they're still doing better than just about anyone despite the fact that people still pirate their software. Bill has been the richest man on the planet for years, even if he isn't right now. Yet somehow, they are still complaining over people pirating their software and "stealing" from them.
I guess the lesson is simply that the rich always want to be richer, no matter what.
Intrusive? That's dongles that screw up your system. Really, a serial is painless compared to challenge/response or the plastic crap taking up USB ports, not to mention the inconvenience those are with laptops. There are people who have to use USB hubs full of dongles just so they can run all their software. Oh well, at least that's better than the tail of LPT-dongles I saw in most CAD shops.
One thing the Flash 5 installer did was show when you completed the serial if it was correct. That's probably a better solution than showing whether it's correct while typing.
The purpose of selling license keys is to try to make digital copies of software behave a bit like physical items, so it's fundamentally on pretty weak ground. The only reason we still do it is that no-one has worked out a better business model that works reliably (and profitably) for pure software development companies, now that selling actual software media is not a valuable service.
It would be really cool to see MS or someone else invest resources in looking at solutions for smaller software development firms, rather than relying on the current fraction of paying customers to accept a worse experience than the dishonest ones.
Every Mac is the world's largest hardware dongle.
I got a chuckle out of this, especially following right behind your comment with my Mac talk.
Technically, Windows (insert flavor here) is designed to also work only on one platform: the PC. In essence: a dongle.
With Apple's recent Intel and Boot Camp push, yes, you can install and run XP or Vista on a Mac, or even run a VM with one of those or a lower version (I have a DOS 6.22 VM so I can finish a few games I never finished way back when...).
The only reason I can think of there being no Mac VM is Apple still hasn't let go of its low level hardware code. I remember way back when they considered it, but after market and technology analysis, they found that they could better profit from a closed and higher quality machine. As opposed to what happened in the PC world and cheaper hardware, lowered quality controls, numerous compatibility issues, blah, blah blah. Look at how hard it is to set up your Windows PC today? Sure you can configure it anyway you like, but will all of your software/hardware work with that new video card? I've run into several issues playing games because of a cd-rom driver, or a video driver.
Again, that's all another topic...
...I should have said "solutions that scale down to smaller development firms". Software as a service might work for Google-sized, or at least Red Hat-sized, companies, but the smaller ISVs are stuck with license keys unless/until somebody figures out a better revenue model, and it puts them in an awkward place.
Are those real keys you are reproducing? I can't tell you how unimpressed I was when some thickos at a PR agency had a valid licence key for my software printed in a wedding magazine (meaning anyone could download and use the software for free - until I invalidated the key 24 hours later).
Are you kidding me? Every Mac is the world's largest hardware dongle. Ask yourself this: why can't you virtualize OS X? Hmm.
It does take hacks, though. :)
Another problem with keys that developers should avoid: don't encode an expiry date within the key! There is one particular software product I purchased many years ago (PMMail) where the key contains some kind of date stamp. So the software can only be installed within X number of days after the key is sent. This becomes especially annoying whenever I would re-install my computer systems every few years. Every time I had to contact the vendor since my previous key would no longer work. If we pay the money to purchase the software, at the very least we should be allowed to install it when we want.
I recently bought a compilation of several games in the "Command and Conquer" series. I was then prompted to enter something like 6 to 8 different CD keys! That's about 20 minutes of my life that I'll never get back. Why the company didn't just put one freakin' CD key on it and be done with it is beyond me. This is a fine example of why pirating is so popular. I'm sure that with a little searching, I could have gotten the same software -- for free -- without typing a small novel of random alphanumerics.
OS X might not have any copy protection (because, face it, you purchased the OS with the hardware) but Apple's other products sure as hell do. In fact, they're every bit as obnoxious as MS's.
Even the demo versions of Apple software (like final cut and motion) require getting emailed time-sensitive activation keys.
There is less piracy on Vista because people who can pirate things would rather eat their own feet than use such thing as Vista.
What is the ratio of people reading previous comments before posting their own? Must be like 1:10e30.
There is less piracy on Vista because people who can pirate things
would rather eat their own feet than use such thing as Vista.
To be fair to Microsoft, they seem to have realised there are a few problems with Vista and have now released an upgrade to it, called XP, which has fixed most of them. There's a review here:
Tiger Technologies are another company that provide excellent support, with sensible keys that can be copied and pasted and are not unnecessarily long, the ability to install the software on another computer without re-purchase and access to the registration number online if it has been lost.
Alas they seem to have stopped developing 'Holiday Lights' - a desktop decoration package that I used to love on Mac OS9 and also worked great on old Windows, but not on new systems I am told.
I think there's probably about around 10000000000000000000000000000000 people posting here without reading previous comments for every person who does. I wonder what others think?
"Tell me as soon as I've entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I've screwed up? You're the computer, remember? This is what you're good at."
If that's the case, anyone can crack the secret key, simply by trying each character on the keyboard, no matter how long the key is. Am I missing the point?
If that's the case, anyone can crack the secret key, simply by trying
each character on the keyboard, no matter how long the key is. Am I
missing the point?
You're certainly missing the many, many other people who posted the exact same observation way back at the beginning of this blog.
Dave (on Mac hardware issues): True enough...
D.W. (on comparing Windows install on PC to a dongle): If you read the EULA, which most people have not, Windows is only supported on IBM PC type hardware. Since this limits what architecture Windows can be installed on, this makes the PC a dongle. This dongle is one that EVERYONE (except Apple, until recently) makes.
But doesn't all software require a dongle of sorts though? The machine to run it on?
Dave (on upgrading to XP): Good one... I'm considering the move too. ;)
As far as keys and copyright infringement go, if I release a software project, I tack on a copyright statement, a "no warranty" statement, and release it open source. Why? Most of what I do is in C#. You can take Reflector and view my code. Do I want to spend money on an obfuscator? No. Do I pirate one? No. It's easier and more legal to use my method. Can a copyright be removed unknowingly in this case? Sure. Do I care? No. Have I made a useful change in someone's life? I hope so.
A friend of mine made a statement many years ago, long before this topic was of such an issue: locks are meant to keep honest people out. This still holds true today.
"Personally I think that registration keys are used a bit too much. If I buy software on a CD/DVD, why can't a unique key be printed on the CD/DVD?"
Yeah right. With SecuROM and similar copy protection schemes there is. The CD itself is the key. (Yes, that means every once in a while you want to play a game, they want you to find out the _original_ CD (which has been put out of reach of children for a reason) and put in this "key" for them.)
So if "serial numbers are annoying", what is this then?
I try to read as many comments at the beginning and the end as possible. Once the numbers start getting high, you can't really expect people to read /all/ of them.
Speaking as someone who's gotten so sick of proprietary software I've basically sworn not to use it again, I think I may have some useful information for you:
If you don't want people pirating your stuff, let them know there are alternatives. They may not need 100% of the functionality your app provides. The person either believes information should be free, in which case they should go use Free Software instead, believes that it shouldn't be free, in which case they should pay for it, or knows what they're doing by pirating is wrong and does it anyway.
I try to turn every pirate I meet into a Free Software user. The harder you make piracy for them, the easier you make what I do. Good luck making life easy for legitimate users in the meantime. You're going to need it or you may just turn a bunch of them into people like me, who may in turn code a Free alternative to your software out of anger with you, and frustration over license management schemes.
You might try requiring them to call in with a code, which will be replaced with another code read to them over the phone before the software works. Pirates aren't likely to be as comfortable doing that.
The problem with telling you that your key is invalid is not only a problem because it would provide people with a trial and error approach to finding a valid key, but also because it depends on the algorithm.
Chances are, it won't know if the key is valid until you enter in the full length (though many know on a block by block basis) of the key because the algorithm asserts an equation based on the values.
It's sad but true that they can't help you without hurting themselves here. Unfortunately, every key eventually gets reverse engineered anyway.
Where's the %*@# key? Well very often, printed on the %*@# CD which is at the moment in the %*@# drive... So to install the software you have first to copy it somewhere... and then figure out if the mistake is in the copy or in the key entry...
License keys / activation codes are one form of security on the application. Anyone who deals with security issues knows security is not digital - it's analog: Nothing is completely secure, you can only make something "more secure". So you balance functionality, ease of use, customer relationships, and supportability, with "security". It's not easy.
Example: Certain types of DRM can make things more secure (and certain types of DRM are useless for security), but it can also make the file less functional, harder to use, piss off the customers, and be hard to support across platforms and OS versions.
"Microsoft recently stated that the piracy rate of Vista is half that of XP, largely due to improvements in their Windows Genuine Advantage program-- Microsoft's global registration key"
I think it's because people would rather use XP.
As for the keys themselves, I don't care about the length, as long as I get it by e-mail. Just let me copy paste the thing. Also, I would prefer if I did not need Internet access to enter the key. Believe it or not, sometimes I am in a position where I have to enter a key without Internet access. Also, I'd like to use your application to read my documents a decade from now, even if your company is dead by then.
"Fascinating result-- this '93-'94 experiment shows a similar 80% reduction in payment when you put people on the honor system."
My company moved to adding registration because we ran into a lot of situations where people were not paying for our very niche and very expensive software. Oddly enough, we have a near 100% payment now after 60 days when the registration is finally, truly required.
Have you seen the 'Graphical license card' implemented for 1Password (Mac software)?
Basically it's a digital solution to registering software - and very nice it is too.
"I'll choose biased data over no data whatsoever, every time."
This is the stupidest thing I've read all week. If you can't verify the data, then the whole discussion is bogus.
I hate entering codes, it is so annoying, Digital would be great
Can you explain in which way entering codes is `analog` and how some other system would be `digital`? I can't think of anything more digital than digits.
Linux. My "piracy" rate dropped dead. I actually spend more money now on software, I donate however much I wish/can afford.
"Tell me as soon as I've entered a bad value in the key."
You didn't think this through... this makes bruteforcing trivial.
Does that Vista Home key work? Time for me to give it a try.
What I hate is when important info is put on a tiny errata sheet that is easily lost.
I recently bricked a Nintendo DS game (Age of Kings DS) because the WARNING!!! sheet that said don't use a three character profile name was missing.
It was missing because I bought it from one of those stores that opens the original packaging and keeps the game cartridge in a lockbox to cut down on shoplifting.
Using commonly mistaken characters in the key
Excessively long keys
Not separating the key into blocks
It's on purpose: to avoid sight picking the key and discourage lazy people.
Tell me as soon as I've entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I've screwed up? You're the computer, remember? This is what you're good at.
Suppose you have a 20 alphanumeric characters key and that the error is signaled in real time (by shifting the color of a widget ...).
If I write a program that automatically types a character and tests if the key is correct and takes 1 second to do it, it will take 20*36=720 seconds aka 12 minutes to crack the key in the worst case.
Brute-Force can be easily thwarted by a simple throttle on how often you can attempt to enter a key. Only check fully-formed serials (so partials don't count against you), apply a throttle, and voilà. Good for your end user, good for your security.
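The arithmetic in the comments above (20 × 36 = 720 guesses once each character is flagged as it is typed) next to the suggested fix (validate only complete serials, throttled), as an added example that is not part of the original thread. The demo key, the class and all function names are constructed for illustration; a real product would run its own key algorithm or a server-side check instead of comparing against a stored key.

```python
import hmac
import string
import time

ALPHABET = string.digits + string.ascii_uppercase  # 36 symbols, as in the comment
KEY_LEN = 20
DEMO_KEY = "A1B2C3D4E5F6G7H8J9K0"  # constructed sample key, not a real serial


def oracle_worst_case(key_len=KEY_LEN, alphabet=ALPHABET):
    """Guesses needed when the UI confirms or rejects each character as typed."""
    return key_len * len(alphabet)


def oracle_guesses_for(secret, alphabet=ALPHABET):
    """Guesses a per-character oracle leaks for one concrete key.

    Every position is confirmed independently, so the cost is a sum over
    positions instead of a product.
    """
    return sum(alphabet.index(ch) + 1 for ch in secret)


def full_key_search_space(key_len=KEY_LEN, alphabet=ALPHABET):
    """Candidates when only a complete key gets a valid/invalid verdict."""
    return len(alphabet) ** key_len


class ThrottledValidator:
    """Gives a verdict only on fully formed serials, at a limited rate."""

    def __init__(self, valid_key, min_interval=1.0, clock=time.monotonic):
        self._key = valid_key
        self._min_interval = min_interval
        self._clock = clock  # injectable so the throttle can be tested
        self._last_attempt = None

    def check(self, candidate):
        candidate = candidate.replace("-", "").upper()
        well_formed = (len(candidate) == len(self._key)
                       and all(c in ALPHABET for c in candidate))
        if not well_formed:
            # Partial or malformed entry: no verdict on any character and
            # no attempt charged, so typing mistakes cost the user nothing.
            return "incomplete"
        now = self._clock()
        if (self._last_attempt is not None
                and now - self._last_attempt < self._min_interval):
            return "throttled"
        self._last_attempt = now
        # Constant-time comparison: timing must not become a new oracle.
        ok = hmac.compare_digest(candidate.encode(), self._key.encode())
        return "valid" if ok else "invalid"


if __name__ == "__main__":
    print("per-character oracle, worst case:", oracle_worst_case())
    print("per-character oracle, demo key:  ", oracle_guesses_for(DEMO_KEY))
    print("full-key verdict only:           ", full_key_search_space())
```

At one throttled attempt per second, the 36^20 full-key space is out of reach, while the per-character oracle falls in 12 minutes at the same rate.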
"The difference is that when something is really stolen, the
original possessor no longer has it. It was pretty much a Bill
Gates "innovation" to mis-apply the term to copying software."
Fair enough. How about if I read a comic in a comic book store and
then don't buy it. Technically I'm not stealing, nor am I breaching
copyright. Am I committing a crime?
My opinion on software piracy (the actual use of software to which you do not own a legal/legitimate license) is that you are appropriating a copy of something which has value, without paying for the privilege to do so. This is a dictionary definition of theft.
You could also arguably define theft as a deliberate loss of value.
I think a more appropriate correlation, Tom, would be to ask if you went into a book store, photocopied yourself the comic, and took the photocopies home. Yes, that's theft and much more akin to what piracy entails.
Regarding Bill Gates' letter -- it was a different climate back then. People freely shared their programs and most (but not all) were available for free. The attitude was that of sharing innovations until some people (Gates, Allen, Ballmer and Jobs) saw that there was gold in them thar hills. They saw this and went for it, charging for their software.
One thing never changes, piracy will always be around.
I want key for internet download manager
I want bullguard antivirus key
send it immediately
I want key for driver updater pro please
About the software, I'm pretty sure that everyone who posted on this forum has Windows on their PCs. What I want to say is: how can a simple person with a small budget afford to buy Windows and a good PC + extra software, when Windows Home Basic (a version of Windows which has nothing but the Media Player and some other software) is about $200, AND the Ultimate is about $320, which has software but not so useful for people who don't do too much on their PC (not useful). I have Ultimate, OEM, with genuine license :) but I recommend, and I think I'll do the same thing soon. BUY APPLE! GOOD USEFUL AND NOT SO EXPENSIVE COMPARED WITH A PC WITH WINDOWS VISTA BOUGHT FOR IT! RIGHT? A GOOD PC IS ABOUT $1000+200 Home basic, I recommend Apple because I saw what a MAC can do. MONEY SPENT WISELY. Cheers
FOR WHO DID not understand, my opinion about piracy is that SOFTWARE PIRACY IS BECAUSE THE Price Is too exaggerated. I support Original software but what I don't support (and not only me) is the way they increase their soft prices. REDUCE FOR MORE USE :)) I made a slogan, ha ha. Bye
I quite enjoyed reading your article/rant, I agreed with most of it too. Personally I have no problem with keys...but I think there should be no protective softwares preventing the copying of your disc more than three times. Not that you ever need to back it up at all, but it's nice to be able to without counting one, two, three. I agree that the keys should be divided with - because it helps you keep track of what section you're typing in. :)
What's my registration key?
"Tell me as soon as I've entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I've screwed up? You're the computer, remember? This is what you're good at."
Surely that would defeat the purpose? If it tells me which is wrong then I can keep changing it until it's correct and work out a valid key.
(unless you only allow 1 or 2 wrong in the whole lot)
This brought back nerve-wracking memories of trying to install Neverwinter Nights. Not only did it apparently have both 0 and O in the key but it was printed in a deeply ambiguous squared-off font which made 0, O and D almost entirely indistinguishable. Also V and U were almost indistinguishable. It took about 45 minutes to type in the key from the box and actually get the software installed.
James Justin Harrell: you might not pay for software, but don't forget to tip the developers or donate to the bandwidth bills.
I was just thinking about the comparison with music. Very many people use LimeWire to get their music, some even boasting that they've never bought a CD. Sales of mobile phone ringtones are massive, billions of your chosen currency every year. So there must be a significant portion of LimeWire users who also pay extortionate amounts to get ringtones for their phones; even though most phones that can play mp3s can use any mp3 you transfer to them as a ringtone. I guess some people's value systems are a little out of whack. The CD would probably be cheaper than the ringtone! iTunes certainly would be, although that's a bad example because they charge twice for ringtones. Anyway, ringtones are evil. Vibrate only!
When I get my 2nd HDD to use as a Time Machine drive to backup my music better I will probably start buying music via iTunesPlus as well as CDs. I haven't used P2P since Napster, but it goes to show, if paying for something is easy then people will pay.
I think the reasoning behind why the serial space is so large is that it prevents finding a valid serial by brute-force.
You could, in theory, write a program that hooks in to the code that the entry panel uses to check the serial is valid and just enter a million serials a second at random and hope you chance on a valid one.
You could say: "If you're going to do that, why not just crack the program?" Well you could do that but then you've changed the binary and that might break updates etc.
I've heard anecdotal evidence that while people will gladly use a rogue serial, they would rather pay than crack the product.
In that case, having a large serial space makes absolute sense.
You cannot stop the people who want to pirate the software. The serials or keygens or cracks will be out there. The serial numbers are just an inconvenience to legitimate users.
The real problem is that because it is so cheap to make copies of software (torrent, CD burners) that what you are selling, a COPY of the software, is valued at near zero.
The economic model is broken. I don't know how to fix it yet, but I trust the market to figure it out. Perhaps the answer is that there will be no more software billionaires, or perhaps even millionaires, but instead a lot more people making a nice living doing it than there are now by selling open source services and customizations. I don't know if the market there is big enough to make a real living. Geek Squad makes me think it may be possible, but there would have to be a crash first, and that will hurt the industry.
I write software for internal use. If, perhaps, I wrote PHP web applications, adding functionality or removing bugs from PHP would be in the best interest of my employer, but who would be served by managing the project as a whole, or hosting the whole mess.
I don't think there is an answer yet, but remember that before Microsoft, software wasn't generally sold, but shared. This was easier then because everyone who had a computer was a programmer. Now, with it being an appliance for the masses, I don't know how to make that work. Maybe the OEM's would be better served to do a collaborative OS and applications. They already pay for it with software licenses. Perhaps paying a few developers would be cheaper than paying for the licenses, but how to keep the moochers from wrecking it for the rest of them?
I think that the software industry, like the music industry, is ready for an extreme shift in business models. I just don't know the workable model yet. The only thing I know for sure is that the money will be spread across more people, with a lot fewer really rich ones.
Anyone remember the "Activation Wheel" that they shipped with Hardball 3?
It was three cardboard circles of various sizes connected at the center in a way such that all three could spin individually of each other. Each circle contained a set of images and codes as well as a cut-out portion to allow you to see a small piece of the circle below that one.
Each time you installed the game, the installation would randomly generate 3 images (one for each circle) and then you'd use the wheel to highlight each of the images, revealing a unique code combination you'd need to enter. Very effective, and a pain in the ass to copy.
That was probably 15 years ago, and to think that software activation still depends on some piece of the physical world that comes with it is just baffling.
How hard is it to store all the used registration keys in a database? If the key has already been entered, then you need to prove that you're the same person who entered the other key... say, with some kind of private identification. An SSN would work well, because most pirates wouldn't say "REG. NUMBER=a8495jcskjc8, SSI=********"... but I suppose I wouldn't trust any company with MY SSN... sigh.
There are plenty of companies making plenty of money selling commercial software that has no such aggravation, like PostgreSQL and Apache.
Really? How much money do they earn in comparison to Microsoft or Oracle? Do they earn money at all, or do they live from money spent by companies like IBM or Sun? Or do they kill jobs, which otherwise would nutrify people?
I'm not so optimistic as some naive.
Well, one comment about your scheme where at every wrong character, the system automatically alerts you to the error, that doesn't work very well. A pirate can easily just type in random values until it works for every value, it's very easy. It's the same reason why websites tell you when password and username don't match until after you've entered everything in.
I remember when software used to come on special floppies with holes burned in them so that it was physically impossible to copy them. My, the times they are a changing.