Software is digital through and through, and yet there's one unavoidable aspect of software installation that remains thoroughly analog: entering the registration key.
The aggravation is intentional. Unique registration keys exist only to prevent piracy. Like all piracy solutions-- short of completely server hosted applications and games, where piracy means you'd have to host your own rogue server-- it's an incomplete client-side solution. How effective is it? One vendor implemented code to detect false registration keys and phone home with some basic information such as the IP address when these false keys are entered. Here's what they found:
| Software Connectivity | Ratio of pirated to legitimate keys |
|---|---|
| no internet connection required | 45 : 1 |
| occasional internet connection necessary | 60 : 1 |
| internet must be "always on" | 110 : 1 |
I have no idea how reliable this data is. The vendor is never named, and given that the title of the URL is sharewarejustice.com/software-piracy.htm, I'd expect it to be biased. But it is data, and without the registration key concept (and pervasive internet connectivity), we'd have no data whatsoever to quantify how much piracy actually exists. The BSA estimated 35% of all software was pirated in 2006, but it is just that-- an estimate. I'll choose biased data over no data whatsoever, every time.
I don't have a problem with registration keys. You could, in fact, argue that registration key validation actually works. Microsoft recently stated that the piracy rate of Vista is half that of XP, largely due to improvements in their Windows Genuine Advantage program-- Microsoft's global registration key validation service.
As a software developer, I can empathize with Microsoft to a degree. Unless you oppose the very concept of commercial software, there has to be some kind of enforcement in place. The digital nature of software makes it both easy and impersonal for people to avoid paying (note that I did not say "steal"), which is an irresistible combination for many. Unless you provide some disincentives, that's exactly what people will do-- they'll pay nothing for your software.
Microsoft's history with piracy goes way, way back-- all the way back to the original microcomputers. Witness Bill Gates' Open Letter To Hobbyists, written in 1976.
Almost a year ago, Paul Allen and myself, expecting the hobby market to expand, hired Monte Davidoff and developed Altair BASIC. Though the initial work took only two months, the three of us have spent most of the last year documenting, improving and adding features to BASIC. Now we have 4K, 8K, EXTENDED, ROM and DISK BASIC. The value of the computer time we have used exceeds $40,000.
The feedback we have gotten from the hundreds of people who say they are using BASIC has all been positive. Two surprising things are apparent, however, 1) Most of these "users" never bought BASIC (less than 10% of all Altair owners have bought BASIC), and 2) The amount of royalties we have received from sales to hobbyists makes the time spent on Altair BASIC worth less than $2 an hour.
Why is this? As the majority of hobbyists must be aware, most of you steal your software. Hardware must be paid for, but software is something to share. Who cares if the people who worked on it get paid?
Is this fair? One thing you don't do by stealing software is get back at MITS for some problem you may have had. MITS doesn't make money selling software. The royalty paid to us, the manual, the tape and the overhead make it a break-even operation. One thing you do do is prevent good software from being written. Who can afford to do professional work for nothing? What hobbyist can put 3-man years into programming, finding all bugs, documenting his product and distribute for free? The fact is, no one besides us has invested a lot of money in hobby software. We have written 6800 BASIC, and are writing 8080 APL and 6800 APL, but there is very little incentive to make this software available to hobbyists. Most directly, the thing you do is theft.
Although computers have changed radically in the last thirty years, human behavior hasn't. (Alternately, you could argue that the economics of computing and the emergence of an ad-supported software ecosystem have fundamentally changed the rules of the game since 1976. But that's a topic for another blog post.)
I accept that software registration keys are a necessary evil for commercial software, and I resign myself to manually keeping track of them, and keying them in. But why do they have to be so painful? You do realize a human being has to type this stuff in, right? Here are some things that I've seen vendors get wrong with their registration key process:
Quick! Is that an 'O' or an '0'? A '6' or a 'G'? An 'I' or an 'l'? A 'B' or an '8'? At least have the courtesy to scour your registration key character set of those characters that are commonly mistaken for other characters. And please print the key in a font that minimizes the chances of confusion.
The most rudimentary grasp of mathematics tells us that a conservative 10 character alphanumeric registration key is good for 197 trillion unique users. Even factoring in the pigeonhole principle, we can estimate about 14 million random registration key combinations before we have a 50 percent risk of a collision. So why, then, do software developers insist on 20+ character registration keys? It's ridiculous. Are they planning to sell licenses to every grain of sand on every beach?
Rather than smashing your key into one long string, break it into small groups of 4 to 5 characters, separated by a delimiter. It's the same reason phone numbers are listed as 404-555-1212 and not 4045551212: People have an easier time handling and remembering small chunks of information.
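The three points above (no look-alike characters, a short key, small groups) fit together in one key format. The following Python is an added example, not code from the original post or from any vendor: it assumes a hypothetical 15-symbol key (5 serial symbols plus a 10-symbol truncated HMAC-SHA256 tag), a signing secret that stays on the vendor's activation server, and function names chosen for illustration.

```python
import hashlib
import hmac

# Key alphabet with the letter of each look-alike pair named in the post
# (O/0, I/l, G/6, B/8) removed, so a printed key never contains them.
ALPHABET = "0123456789ACDEFHJKMNPQRSTUVWXYZ"
# If a user types a removed letter anyway, fold it onto the digit it resembles.
FOLD = str.maketrans({"O": "0", "I": "1", "L": "1", "G": "6", "B": "8"})
BASE = len(ALPHABET)   # 31 symbols
SERIAL_LEN = 5         # 31**5 is about 28.6 million serial numbers
TAG_LEN = 10           # 31**10 is about 8.2e14 possible tags per serial
GROUP = 5              # printed as XXXXX-XXXXX-XXXXX


def _symbols(value, width):
    """Encode a non-negative integer as a fixed-width string over ALPHABET."""
    out = []
    for _ in range(width):
        value, digit = divmod(value, BASE)
        out.append(ALPHABET[digit])
    return "".join(reversed(out))


def _tag(secret, serial_text):
    """Truncated HMAC-SHA256 over the serial, rendered in the key alphabet."""
    digest = hmac.new(secret, serial_text.encode("ascii"), hashlib.sha256).digest()
    return _symbols(int.from_bytes(digest, "big") % BASE ** TAG_LEN, TAG_LEN)


def issue_key(secret, serial):
    """Return the printable, grouped key for one serial number."""
    if not 0 <= serial < BASE ** SERIAL_LEN:
        raise ValueError("serial out of range")
    body = _symbols(serial, SERIAL_LEN)
    raw = body + _tag(secret, body)
    return "-".join(raw[i:i + GROUP] for i in range(0, len(raw), GROUP))


def normalize(text):
    """Upper-case, drop separators and whitespace, fold look-alike letters."""
    return "".join(c for c in text.upper() if c not in "- \t").translate(FOLD)


def bad_characters(text):
    """Positions (in the normalized input) of characters no key can contain.

    This depends only on the public alphabet, never on the secret, so it can
    be reported while the user is still typing.
    """
    return [(i, c) for i, c in enumerate(normalize(text)) if c not in ALPHABET]


def verify_key(secret, text):
    """Return the serial number if the complete key is valid, else None.

    Validity is decided over the whole key with a constant-time comparison;
    there is no per-character verdict.
    """
    raw = normalize(text)
    if len(raw) != SERIAL_LEN + TAG_LEN or bad_characters(raw):
        return None
    body, tag = raw[:SERIAL_LEN], raw[SERIAL_LEN:]
    if not hmac.compare_digest(tag, _tag(secret, body)):
        return None
    serial = 0
    for c in body:
        serial = serial * BASE + ALPHABET.index(c)
    return serial


if __name__ == "__main__":
    demo_secret = b"constructed-demo-secret"   # constructed sample value
    key = issue_key(demo_secret, 123456)
    typed = key.lower().replace("0", "o")      # what a user might type
    print(key, verify_key(demo_secret, typed), bad_characters("ac#de"))
```

With 31^5 valid keys out of 31^15 possible strings, a random guess is accepted with probability 31^-10, which is what keeps a 15-symbol key from being guessable while still being short enough to type.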
Short of providing every customer a handy USB barcode scanner, at least make the registration key entry form as user friendly as possible:
The key is important. Without it we can't install or use the software. So why is it buried in the back of the manual, or on an easy-to-overlook interior edge of the package? Make it easy to find-- and difficult to lose. Provide multiple copies of the key in different locations, maybe even as a peelable sticker we can place somewhere useful. And if the software was delivered digitally, please keep track of our key for us. We're forgetful.
Software registration keys are a disconcerting analog hoop we force users to jump through when using commercial software. Furthermore, registration keys are often the user's first experience with our software-- and first impressions matter. If you're delivering software that relies on registration keys, give that part of the experience some consideration. Any negative feelings generated by an unnecessarily onerous registration key entry process will tend to color users' perception of your software.
Posted by Jeff Atwood
Also, make it easy for us to move it to a different computer. Please. I'm going to get a new computer, if I have to re-buy your software, I'm going to go looking for something else.
Alex on December 17, 2007 04:25 PM
If you do 5 textboxes, then make the focus automatically switch to the next box, once the box is full.
Also, is that Vista Key real? :P
gregory on December 17, 2007 04:26 PM
> Quick! Is that an 'O' or an '0'? A '6' or a 'G'? An 'I' or an 'l'? A
> 'B' or an '8'? At least have the courtesy to scour your registration
> key character set of those characters that are commonly mistaken for
> other characters.
Slow down! What's the rush? You paid hundreds of pounds for that software, and you only have to enter it once.
Keys are long so the ratio of correct to invalid keys is high, so you can't just guess valid ones. That also explains "Tell me as soon as I've entered a bad value in the key". That's the last thing you want to do. Remember, the user is entering it once only. Entering 20 characters is no more taxing than entering 2 or 3 passwords.
Dave on December 17, 2007 04:28 PM
We struggled for a long time with this when deciding how to license blendables. We ultimately went with a product key and activation model. While many people don't like this idea of "activating" we knew that the ease of "sharing" would ultimately lead to abuse. We're a new player in the space and we're always looking to adjust the model but I do feel without ANY type of enforcement people would just "share" across an org.
Kurt
Kurt Brockett on December 17, 2007 04:37 PM
"Tell me as soon as I've entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I've screwed up? You're the computer, remember? This is what you're good at."
Doesn't that make it easy to "guess" or figure out a key by trial and error? All you'd have to do is start with a character then keep typing characters until it says you messed up. Go back and change the last character until you get it right and then continue.
Tom Tutko on December 17, 2007 04:52 PM
Hi, can I ask for clarification of your statement:
"I'll choose biased data over no data whatsoever, every time."
At first glance, that seems to me like a bad idea - at least with no data, you KNOW you don't know anything, whilst with biased data, you can very possibly draw some very bad conclusions?
Other than that, I agree with your article (well, except for what Dave pointed out :-D).
Phillip on December 17, 2007 04:55 PM
Not only must the font be readable, it's got to be BIG ENOUGH to read. I've had keys that I literally could not read without a magnifying glass.
David A. Lessnau on December 17, 2007 04:57 PM
"Tell me as soon as I've entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I've screwed up? You're the computer, remember? This is what you're good at."
Let's do the same with passwords! It'll make it much less annoying.
Wait, I feel like there might be a problem with changing the difficulty of guessing from "Guess the whole key" to "Guess the next digit".
Mr Brain not on yet today?
Stephen on December 17, 2007 05:04 PM
"Tell me as soon as I've entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I've screwed up? You're the computer, remember? This is what you're good at."
This confuses me. Wouldn't it be trivial for a human (even me) to continue to type in digits and/or letters until receiving an "All Clear"? Tedious, sure, but how long would it take you to make enough money to pay for 3ds max (which actually is a terrible example because it makes use of Autodesk's ridiculously bad activation system AND a code, which can be any 10-digit number)
Also, how many of the 14 million possible representations of the 10-digit key are supposed to be valid? I'm sure it's not just a big ol' table of good ones that the installer is checking against, and rather is an algorithm of some kind, so even if the company sold, say, MinerVGA, the algorithm might accept 10 million or more.
Also also, I love the idea that on the older microsoft one, they have a barcode, presumably to ease entering the code, but the barcodes on the newer sticker are not relevant, and are just IDs. Points for not even bothering to obscure those. I think the Yellow MS one is probably Microsoft Bob and therefore no good to anyone anyway, am I right?
Adam on December 17, 2007 05:04 PM
Er, obvious duplication while I penned my post, and also need to correct where it says "sold, say, 5 million copies of MinerVGA"
Adam on December 17, 2007 05:06 PM
Ok, I think that's the 'don't tell users when they enter a bad character' angle covered now guys!
You seriously want it to tell you when you've messed up as soon as you hit a wrong key? Uhh yeah, that'll make it hard to figure out a valid key. :) Second of all, valid keys are based on THE WHOLE KEY (if the system is any good). You can't tell if a key is valid until the whole thing is entered. So I assume anyway. I haven't implemented such a system before.
Tim on December 17, 2007 05:16 PM
Ditto what Tutko said. Telling you as soon as you've entered an invalid string makes it possible to heuristically figure out a key. Actually, it can get even worse- Write a program to enter the key into the textbox, detect dialog boxes indicating your invalid key, and use those to go back and try again. Then you can write a keygen without even understanding the algorithm that generates a correct key.
It also lets you cut down the keyspace exponentially- For example, alpha-numeric keys, which have 62 possible characters (26 + 26 + 10) , with a key of length 10, go from 62 ^ 10 to 62*10, since you only have to go through each character in each position in the sequence once.
I wish I could remember the name of the computer, but a few years ago in an OS class, our professor was discussing the fine art of Paging virtual memory, and told us about a bug on an old computer that would use Paging exceptions to guess the password- Basically it entered the password one character from the end of a "page"- If the password didn't start with that character you got an "invalid password" message- if it did, you got a "Paging Exception" first. Move the password 1 byte back in memory, and try again... and BAM- Password.
As far as "This key appears to be valid"- This happens a lot with shareware- They use a complicated algorithm to generate valid keys, put a giant number of generated keys in an online database, and then puts the algorithm IN THE SOFTWARE to check for those keys. "This Key appears to be valid" really means "This key meets the algorithm, but we might not have issued it to you." It's a second level of protection against keygens. I feel like this is valid, it falls under the same "necessary evil" clause that validation keys themselves do.
On the other hand, there's such a thing as going too far. I read once about a disk scrubber that securely deleted files, but if you entered a key that 'met the algorithm' but didn't match a key in the database, would only PRETEND to work. Another case was a popular CD burning program that would do the same thing, but churn out coaster after coaster and pretend the burn was successful. I don't really approve of these tactics- A software developer that likes to play headgames with their customers is either too self-righteous or morally flexible for me to be comfortable running their code on my box.
"Where's the #$&%ing key?" - That's the one that really resonated with me. I wish they'd put a second copy of the serial ON the disc- That way as long as we had the disc we could have a copy of the serial (for writing down elsewhere later on, obviously)- it doesn't seem like there's any way pirates could take advantage of this, nor could it make it more convenient for anyone to pirate- the backup serial solution is still completely analog.
Alex on December 17, 2007 05:17 PM
Perhaps the best serial key I am yet to see was a really long one (512 characters). But instead of having to type it in, you simply double-clicked the key file and it worked. No chance of a typo.
Jivlain on December 17, 2007 05:17 PM
Everyone knows the real reason Vista is pirated less is because people want it less. Duh.
Ian Sinke on December 17, 2007 05:26 PM
> "Unless you oppose the very concept of commercial software, there has to be some kind of enforcement in place."
I'd be inclined to disagree, and willing to bet that just about everyone who'd be willing to pirate something in the first place isn't going to be stopped by simple serial number validation, the only viable alternatives to which are ridiculously flawed/intrusive/whatever schemes like WGA that inconvenience everyone and drive the price of software even higher. The customer isn't the enemy.
I wish more companies would take Apple's stance -- not only has the OS never required a serial, but the few apps of theirs that ever have are slowly but surely having the requirement removed (the latest version of Logic being the latest to come to mind). And it's not because they're a "hardware company."
Eric on December 17, 2007 05:29 PM
For BitBacker (www.bitbacker.com - my startup company, which is building super secure, Mac-only backup software), we were faced with a similar problem. We use 128-bit AES encryption, which means our keys are really long and annoying - 32 characters long when printed in hex. And not only do the users sometimes have to type them in, but they have to write them down on paper. (We can't store the key on our servers because then we'd be able to read the user's files; and we obviously can't trust it to their hard drive because that's what we're backing up.)
So we generate these random 128-bit keys, but I found a pretty good way to present them to the user. We use RFC 1751, which defines a "Convention for Human-Readable 128-bit Keys" - basically just a mapping of bit blocks to strings of words. Here's an example in Python (apologies if this gets mangled by Jeff's blog software):
```python
>>> import binascii, os
>>> from Crypto.Util import RFC1751 # RFC 1751 helper from the pycrypto library
>>> key = os.urandom(16) # Generate 16 random bytes (128 bits)
>>> key
'a\xaa`\xe4:^\x7f\xdbK\x86\xa4\x89{R\xa0\xdc'
>>> print binascii.hexlify(key) # Print the key in hex (32 characters)
61aa60e43a5e7fdb4b86a4897b52a0dc
>>> y = RFC1751.key_to_english(key)
>>> y # The key in words - it's longer than the hex, but easier to read and write
'BUSY BARN RUB DOLE TAUT TOOK ALTO PRY KIT WALL MUG CURT'
>>> RFC1751.english_to_key(y) # The transformation is always reversible
'a\xaa`\xe4:^\x7f\xdbK\x86\xa4\x89{R\xa0\xdc'
```
The keys are still *very* long, of course, and this is unavoidable for our application. But when translated to words, it's easier to write them down or type them in without making a mistake. In BitBacker's case, we actually make the user re-enter the generated pass phrase he wrote down, and pasting is disabled for that text box. This is quite annoying, but it's a heck of a lot better than losing your pass phrase, which would make your backups inaccessible!
Despite its "128-bit" title, RFC 1751 works on arbitrary string lengths. Or at least, the implementation in the "pycrypto" library does.
Gary Bernhardt on December 17, 2007 05:32 PM
The less annoying key I have seen so far looks like a block of ascii armored text, almost like if it is a security certificate. The key holds the name of the owner, the type of license and how many concurrent copies can run in the local subnet. To enter the license you simply copy the encrypted block of text and paste it into a box in the "about" menu.
Pedro Vera on December 17, 2007 05:34 PM
I'm not going to comment on the obvious brain fart you had with that "tell me as soon as I make a mistake", I'm sure with all the other comments you can figure out the difference between 3,656,158,440,062,976 different possibilities and 360 different possibilities.
What I do however not get is how you could put that Microsoft quote about stealing software there without at least a mention of the fact that the vast majority of the early Microsoft business has been due to stolen code, stolen features and stolen interfaces. DOS and Unix, anyone?
J. Stoever on December 17, 2007 05:35 PM
"Tell me as soon as I've entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I've screwed up? You're the computer, remember? This is what you're good at."
Err... if you did that then people would be able to guess the key using trial and error one character at a time.
Stewart on December 17, 2007 05:42 PM
Dare I ask if you modified the serials you provided at the top of the post? I mean, not to imply that such a thing would be, basically, distributing serials, but... uh...
Shmork on December 17, 2007 05:54 PM
"Tell me as soon as I've entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I've screwed up? You're the computer, remember? This is what you're good at."
Surely that would defeat the purpose? If it tells me which is wrong then I can keep changing it until it's correct and work out a valid key.
(unless you only allow 1 or 2 wrong in the whole lot)
If you're going to implement multiple text entry boxes that automatically focus on the next field when the current field is filled, don't make it insanely stupid to go back and EDIT a previous field. I've had to enter registration keys that automatically moved focus to the next field when the current field had 5 characters in it. A mistyped 5th character means you can NEVER go back and edit that field (not without some fancy, stupid fast keyboard tricks to hit delete or something before the focus changes).
My favorite is shift-tab to backup to the last field, and it moves back to the current field because the last field is full. Who tested this crap?
Axel on December 17, 2007 06:09 PM
Did you just give us a bunch of valid install keys? ;)
Kzinti on December 17, 2007 06:09 PM
When serious organizations lock down software, they do it with hardware. In the old days it was a parallel port extender filled with epoxy, and today it's USB keys. No CD key code to hassle with, and it can't be posted to a forum and shared.
If you want to force the digital world into an 18th century view of property law (you know, can't be copied and shared, it's "property" that is nonetheless licensed, etc...) just make a physical key.
Or you could get Linux, and get on with life.
Jim on December 17, 2007 06:14 PM
@J. Stoever-
"DOS and Unix, anyone?"
Microsoft actually purchased exclusive rights to 86-DOS in 1981.
As far as stealing from UNIX- After reading Jeff's posts on virus protection being pretty much unnecessary if we'd all stop running as Admin... I can't help but feel that Windows would be much better if they HAD. :D
Alex on December 17, 2007 06:14 PM
I like to keep my possessions to a minimum and so dispose of packaging and put CDs and DVDs into a carry case.
You can imagine my annoyance when my Vista and Office 2007 retail boxes wouldn't let me peel off the serial number to stick into my carry case. It's like a piece of plastic with a sticker on it is somehow my proof of purchase...
Don't get me started on how Vista wants to reactivate every time I boot it natively on my Mac as opposed to being virtualed... (each switch effectively deactivates it and makes Microsoft think it's been pirated onto yet another machine)
[)amien
Damien Guard on December 17, 2007 06:22 PM
The first thing I do is take a sharpie and write the key onto the cd.
For shareware my preferred key is the giant block of text that gets pasted in. And let the username and key be in the same block. After all, I am just going to paste it in from a registration email, and don't really want to spend time filling in multiple textboxes.
Steve on December 17, 2007 06:31 PM
"Tell me as soon as I've entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I've screwed up? You're the computer, remember? This is what you're good at."
I remember the good old days where the reg key was just a checksum digit so you could type in N-1 numbers and then just change the final digit from 0-9 until it 'passed'
Zman on December 17, 2007 06:38 PM
I regularly spend time at work maintaining the license file + dongle-protection scheme for our commercial software, and giving support when problems arise. I also know that our protection scheme can be trivially broken with a good debugger. From this experience I feel that copy-protection is a colossal waste of effort. Not that I have any say in it.
Wouldn't it make more sense to pay for the development of software instead of for the copied bits, and not restrict copying? But it turns out that's not what happens. Apparently it is even an accepted business practice not to get the source code (except in escrow) when you let contractors develop custom software for internal use! Boggles my mind.
I'm pretty sure every commenter here has missed the point.
"Tell me as soon as I've entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I've screwed up? You're the computer, remember? This is what you're good at."
Note the phrase "bad value". I doubt Jeff is advocating validating one character at a time...I can't imagine he would make that elementary of a mistake (apologies if you did :P). I would tend to assume that he instead means alert the user if a character outside the set of valid characters is entered. So if it accepts all alphanumeric characters except 1, l, 8, and B, throw up a warning as soon as a user enters one of those.
Eric Burnett on December 17, 2007 07:17 PM
2wcoenen
"Wouldn't it make more sense to pay for the development of software instead of for the copied bits, and not restrict copying?"
Actually 75% of software industry works just that way. Customer pays for development of software, not for license.
Konstantin on December 17, 2007 07:20 PM
Personally, I think that if anything dooms commercial software, it's the attitude that it is ok to make it harder for honest users to use your product than free, open-source alternatives.
Forcing people to manually enter registration keys is barbaric. Plenty of commercial applications do just fine with server based systems where you are emailed the key. Hell, some commercial applications do just fine without any copy protection at all.
One of the reasons I bought a console and no longer game on the PC is that I can no longer play some of the games I purchased because I lost the key. No. Wait. That isn't true. I could play any one of them merely by going and downloading one of the cracked copies. If it is true that people will pay nothing for software if they can get away with it, then commercial software is doomed, because anyone with a web browser and google can get cracked versions of any popular commercial software application.
Copy protection, especially intrusive protection like manually entered keys, stops no pirates, is a waste of coding resources and drives your customers into open-source alternatives. If you do it, prepare not to sell any copies to people like me, who are sick and tired of being treated like criminals. We'll be happy to go spend our money at vendors who actually trust their customers.
I've never paid for PC software (except pre-installed Windows). I actually tried to pay for software a few times, but it was always too difficult. Piracy was just easier. (Since moving to Linux, I don't even pirate anymore. FOSS gives me everything I need.)
To actually have any effect on piracy (among individuals), you're going to have to make buying and registering your software easier than pirating it. If pirating your software is extremely easy, you're really going to have your work cut out for you.
I don't understand why I can't just go to a website, enter in my credit card information, and download an installer that knows the registration key and can activate through the web on its own. Why does the registration key have to come separate from the installer? Why do I have to manually combine them? I see no reason for having them separate.
If you don't do this for your users, they're just going to end up pirating your software.
James Justin Harrell on December 17, 2007 07:36 PM
I think I'd complain more about having to re-install software for most upgrades of Windows OSes.
Steve on December 17, 2007 07:54 PM
Any chance that Vista CD Key has a few activations left on it? :)
nat1192 on December 17, 2007 07:55 PM
> there has to be some kind of enforcement in place.
Really? You assert no users would buy the software, but in the cited 110:1 example, less than 1% bought it, even when there was a serial number scheme in place. It seems pretty darn pointless. Dongles are just annoyances to those few users who don't get a cracked copy instead. In fact I've seen users who used a cracked version even though they had a legit copy, because the dongle caused problems that the cracked version did not.
Microsoft is in the very unusual position of having its product almost always be preinstalled by a third party for the user, who is not in a position to know or care whether that third party actually paid Microsoft for a license. For the average app developer, you're dealing directly with your customer, who has to deliberately pay you, or to seek alternatives such as piracy. Also, Microsoft's Genuine Advantage is expensive (call centers required to sort out false negatives, etc.) and widely hated, but people put up with it because they have little choice. For an ordinary developer, running a support call center would be costly and the customer irritation of a draconian registration/activation scheme would be hard to justify. As a result it's probably not useful to most developers to look at how Microsoft handles piracy for guidance.
I'd be interested to see any hard data that anyone knows about that compares unprotected commercial apps vs. "nagware" shareware vs. serial number protected software vs. dongle software.
I did find a comparison of "honor system" shareware vs. "nagware" shareware which was interesting. Summary: nagging works.
http://hackvan.com/pub/stig/articles/why-do-people-register-shareware.html
My suspicion is that due to digital distribution of cracked software, copy prevention schemes are a complete waste of money, except in odd cases like Windows, and developers should instead rely on nagware that trusts the user when the user claims to have paid (instead of requiring a registration code). But I have no data to back up this hunch.
Jamie Flournoy on December 17, 2007 08:37 PM
I will admit I've pirated software. However, I agree with using activation keys, and all software I use on a daily basis has been acquired legally. The way I see it, if you go into a store, say Futureshop, and want to purchase some Memory, you have to get the person to open the showcase for you. You can't grab it yourself and head off to the cash register. Why? Because they don't want you to steal the damn thing. So what if I have to spend 30 seconds typing in a key that lets me use the software.
I agree it's a good idea to make inputting the code easy, like using legible fonts, and sizes.
I have to disagree with some of the comments here: "Copy protection, especially intrusive protection like manually entered keys, stops no pirates, is a waste of coding resources and drives your customers into open-source alternatives." Absolutely, it doesn't stop pirating, no doubt there, but to go back to my Memory analogy, the waste of coding resources is like building the showcase. I *could* smash the case, and then book it out of the store. But to most customers, would you rather smash the thing and run, or tell the employee you're going to buy something? If a customer saw some guy on a street corner selling memory, would you buy it/take it, or would you rather trust the memory in the store, in the shiny showcase, that you know hasn't been messed with?
That point hits on multiple levels. Is pirated code safe? It could be, but there is no absolute answer. Would you rather use code that was built specifically as a job task - i.e. the coder was paid to do it, or would you rather use the code that was built on the off hours of the coder who was being paid to build another application? Some open source projects are actually built quite well - ok a lot are. I'll even say linux is built fairly well. But, I don't think I could trust code that was built as a hobby.
Enough of that rant, the original purpose was simply to agree that better key management is definitely a UX bonus. :)
Steve Syfuhs on December 17, 2007 08:41 PM
Why not suggest that the registration key is entered on some normalized document - for instance a credit-card like piece of plastic, or a business card.
This way, you can store all your registration keys inside a dedicated wallet, making registration key management a lot easier.
Bart on December 17, 2007 09:02 PM
I recently implemented a registration key scheme for a tiny digital image management utility I developed, called CardSharkV. Entering the key is done by dragging and dropping a keyfile onto a field in the application. You can drag the file either from Windows Explorer or an email client (the key is delivered via email). I thought this was a good way of avoiding most of the problems Jeff mentions in this article.
I'm actually looking for some feedback both on the utility itself and on the usability of the registration key mechanism. If anyone is interested in taking a look, please check out my blog.
GeekTieGuy on December 17, 2007 09:15 PM
I find it somewhat humorous how few of Bill's statements in that letter hold true today ...
More on topic: why oh why do so many companies insist on disabling copy/paste into the serial number/key text box? I mean, you're not stopping a single pirate except perhaps someone brute-forcing the registration process (but if you're after that type of attack, timeouts and lockouts after, say, 100 incorrect guesses would be much more effective ... a true hacker would just write their own keyboard driver to emulate keys being pressed at the HID layer).
I'm with one of the previous posters: at the very least, for digital downloads offer a license file which I can double-click (or select in an Open File dialog) instead of entering text. And, yes, if you're selling boxed software, provide a way for me to photograph or scan the number on the box and a widget to OCR that into your license key. Hell, every Mac sold today includes a camera; if you make Mac software allowing a bar-code scan a la Delicious Library is a no-brainer!
Yes, reg keys are a "one time" annoyance. But, they're a "one time" annoyance every time I move computers, which is once every couple of years, for every single application.
I have many applications which I've paid for once and since abandoned (which means, not paid for any upgrades) because it was too much trouble to re-enter the serial number in my next computer. You are losing sales from this!
Tom Dibble on December 17, 2007 09:28 PM
I agree with all your points except those two:
>2.Excessively long keys:
Maybe I am wrong, but the long key may be necessary, because not every possible combination of characters can be a valid key, there would be a lot more spaces for invalid keys, so making it more difficult for key generators to find a legit key.
>Tell me as soon as I've entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I've screwed up? You're the computer, remember? This is what you're good at.
Wouldn't it defeat the security purpose of the key? As it would make it easier to just brute force the keys? It would depend on implementation though, maybe like, if you entered only one or 2 characters wrong AFTER typing the full key, then there would be an indicator for the wrong character, any more than that it will display nothing helpful at all.
There might be another issue with this problem though: what if the software has no access to the cleartext registration key in memory? For example, if they simply hash the user input key and compare the hashed value to that of a legit key, like they do with password validation?
I think the statement of wouldn't you enter the key character by character waiting to see if it's wrong is completely incorrect. How the hell would the product even know that, since as I understand it, there is an algorithm in place to create an incredibly small number of keys that work. It's not like you're going to enter 3 characters, and the algorithm knows that these same 3 characters also happen to match a key that's in place.
However, if you type in the entire key, then it does its validity check and is wrong, it would be very easy to go to each character, try each alphanumeric combination, and see if any of those generate a valid key. If they do, just accept the key and move on (no need to even ask for it to be reentered). Worried about a collision, add 1 extra character to the key for this convenience.
The incredible part about this is that as soon as you start getting more than 2 or 3 characters wrong, the computation power required to do this check would begin to take exponentially more cpu power, so it would be impractical if more than 2 or 3 characters were screwed up, so the software wouldn't even try.
This would be nice if you're going to use a key anyways, however, key protection is ultimately useless if you're just asking to enter a key. Anyone can give you a valid key who's bought the product once, so all you've done is spent extra development time ensuring that at least 1 copy of your software is purchased. Wouldn't it make more sense to take the time to you know, develop a product that customers want to buy. And yea there will be pirates, but let your marketing department incur the expense to their budget, for all of the people promoting your software through its usage.
Of course if you're really nasty, the number 1 way to protect your software would be to run the expensive system, where you have to log on to a key server on the internet every time you use the product. This key server would then provide the code decryption keys required to even run the software. And even that has to be transport / memory protected. But to me, unless you really really know what you're doing, the imposed risks of running this system would tend to stop all your product users from using your software if it doesn't work exactly as expected.
Kevin Nisbet on December 17, 2007 09:42 PM
@ "...there has to be some kind of enforcement in place."
It may be strange for a guy who earns a living making software to disagree, but consider: For most of Microsoft's history, it sold software that was in the main entirely free of any meaningful copy protection, and it did it in the 1980s and 1990s, an environment of even more rampant piracy than we see today. And yet it managed to become one of the most profitable organizations on Earth. Without enforcement.
Hey, it may be biased data, but it is data.
Also, consider this spectrum of possible relationships that a person/company/government might have with (say) Microsoft software:
1 - Purchases, uses MS software
2 - Pirates, uses MS software
3 - Uses competing software
4 - Doesn't own a computer, doesn't use any software
Wouldn't this be the order of desirability, from Microsoft's point of view? Piracy cements and re-enforces a successful product's market share.
Western Infidels on December 17, 2007 10:10 PM
Some Mac OS X apps have found a nifty solution to this.
For example, I recently purchased Voodoo Pad (http://flyingmeat.com/voodoopad/). The last step of the purchase process was a confirmation web page containing the following link:
x-voodoopad-registration:regname=Your+Name&regkey=crazylonghexstring
Clicking that link opens the VoodooPad app (the trial version was unlockable, natch) and auto-registers it with the registration key. No typing, not even cut/paste.
(This trick works because of a little Mac OS magic: the app bundle contains a plist file that registers that URL scheme with the app.)
Michael B on December 17, 2007 10:47 PM
> Dave
Actually, mistaken characters in key is a big problem.
I was almost unable to install my NWN game.
The font chosen to print the key was the worst possible, they've even put up a FAQ issue on it.
See here: http://nwn.bioware.com/support/known.html#42
>Microsoft recently stated that the piracy rate of Vista is half that
>of XP, largely due to improvements in their Windows Genuine Advantage
>program
I would say it's largely due to the fact that it's Vista. Who would want to pirate that?
Dave on December 17, 2007 11:31 PM
Serial numbers (or keys) are the least intrusive for the honest user, while internet activation and dongles are more intrusive. Which is why I generally don't mind serial numbers.
However, none of these schemes work very well.
Copy protection doesn't prevent piracy. As everyone who bothers to look knows, any software protected by a serial key or activation is widely available as a cracked version or with a key generator program. This is true even for quite intrusive protection schemes such as CD copy protection.
On the other hand, copy protection schemes DO scare away honest users. Personally, I am really tired of games that nag me to find the CD, Windows that nags me to install WGA or to activate, and software that nags me to find the license key. Had I been using pirated software, all I had to do is install, copy crack, done.
Microsoft may consider WGA a success from their point of view, but I think it's (a) short sighted, and (b) a failure from a customer's (me) point of view.
I am sure many of us had the experience of having to reactivate Windows after installing a sound card, a new DVD drive, or whatever.
WGA has been known to report valid installations as pirates (i.e. false detection). Also a while ago Microsoft had trouble with the WGA servers, causing trouble for the many users who suddenly had their installation detected as invalid.
Updated WGA cracks come out about two days after every update to WGA. I doubt this inconveniences an honest pirate. I am sure it inconveniences an honest user.
So basically all WGA does is to scare away honest users.
As for Microsoft's "hard data" (assuming you take it at face value, which you shouldn't), I don't agree with their interpretation. Pirated versions of Vista ARE easily obtainable. Probably easier than actually going to the store and buy one. If indeed the "piracy rate" for Vista (whatever that means) is half of XP, it may be because many people aren't bothering to switch to Vista anyway. Or perhaps pirates got better at hiding, due to the aggressiveness of Vista's WGA.
M on December 17, 2007 11:44 PM
on paying for anything at all:
if it's easier to steal than to buy, you have a problem. this applies to everything (digital, as many people wouldn't just go into a store and steal stuff). it seems that no one actually notices that. buying music on the internet still isn't as easy as buying, and you can't hear it once to see if you like it, you can just download it illegally, decide you do like it and then think about going thru the hassle of buying.
i don't want to go into semi unrelated topics here tho....
microsoft (namely gates) says: "The royalty paid to us, the manual, the tape and the overhead make it a break-even operation. One thing you do do is prevent good software from being written."
now they have a yearly profit in the 10s of billions of dollars. yet they try to fight piracy with new genuine advantage tools and the ever more restricting eula. instead of letting someone who bought an operating system use that same operating system on all computers he owns himself, maybe make it easier to buy (online, download), and cheaper.
> Tell me as soon as I've entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I've screwed up? You're the computer, remember? This is what you're good at.
Sorry, I should have been more clear here. I mean prevent me from entering keys that can't possibly be correct based on the key characterset, eg, "%" or whatever. Also, dynamically validate the entire key with a visual thumbs up/down when it's completely entered-- don't make me click OK to find out the key is invalid.
> I wish more companies would take Apple's stance -- not only has the OS never required a serial, but the few apps of theirs that ever have are slowly but surely having the requirement removed (the latest version of Logic being the latest to come to mind). And it's not because they're a "hardware company."
Are you kidding me? Every Mac is the world's largest hardware dongle. Ask yourself this: why can't you virtualize OS X? Hmm.
> I did find a comparison of "honor system" shareware vs. "nagware" shareware which was interesting. Summary: nagging works. http://hackvan.com/pub/stig/articles/why-do-people-register-shareware.html
Fascinating result-- this '93-'94 experiment shows a similar 80% reduction in payment when you put people on the honor system.
Jeff Atwood on December 18, 2007 12:13 AM
Apple has provided the peelable sticker for its iWork package. I immediately made the ubiquitous backup of the DVD then applied the sticker to the case for the backup and one in the master.
Kudos to Apple for taking that step at least. As for other Apple software and registration processes? Non-existent for Leopard which REQUIRES its own hardware anyway.
However, given that an Apple user COULD have more than one qualifying Mac and then install that new copy of Leopard onto those others, it seems kind of pointless not to have some kind of restriction imposed. Apple must not have really cared about that one for some reason. With iWork, you have to enter the key then it makes its trip out to a validation server in la-la-land, thereby preventing the installation of it on other Macs. With the Family Pack edition, the server keeps track of how many times it's been installed and whatever unique identifier for the hardware it's been installed on. In that case, you can install it any number of times you like on the same machine, as you would expect.
What I find curious is the Leopard "no register" policy. Leopard was over $100. iWork: under $100. I don't quite get it. Apple is basically giving away Leopard (arguably the best OS in recent years...)
Parallels (VM software for Mac - ROCKS!) for Mac has its own registration policy, but it doesn't take into account multiple installations on multiple Macs. But again, it only runs on Mac. Halfway there on the registration/anti-piracy front.
And I have to agree that Vista's piracy rate could be more attributed to the lower upgrade rate. Hardware manufacturers (HP, Dell, etc.) are pressured into selling Vista at a low rate with new PCs, and pressured into selling XP at a higher rate with the same PCs. With the problems involved with software/hardware compatibility in Vista, a lot of XP users aren't upgrading, and the only way to insure your PC itself is Vista compliant is to buy that new PC. With a downturn in the economy and the rising gas prices, etc., new PC sales are also not climbing like they did in past years. With all that, you would possibly have a lower piracy rating in Vista.
Personally, I think XP is a decent OS, and Vista still has some issues to work out. But that's not the topic of discussion...
John Baughman on December 18, 2007 12:13 AM
I can't help but feel that Microsoft did pretty OK with making money despite everyone pirating their software. Heck, they're still doing better than just about anyone despite the fact that people still pirate their software. Bill has been the richest man on the planet for years, even if he isn't right now. Yet somehow, they are still complaining over people pirating their software and "stealing" from them.
I guess the lesson is simply that the rich always want to be richer, no matter what.
Johan on December 18, 2007 12:15 AM
Intrusive? That's dongles that screw up your system. Really, a serial is painless compared to challenge/response or the plastic crap taking up USB ports, not to mention the inconvenience those are with laptops. There are people who have to use USB hubs full of dongles just so they can run all their software. Oh well, at least that's better than the tail of LPT-dongles I saw in most CAD shops.
One thing the Flash 5 installer did was show when you completed the serial if it was correct. That's probably a better solution than showing whether it's correct while typing.
Rob Janssen on December 18, 2007 12:22 AM
> Every Mac is the world's largest hardware dongle.
I got a chuckle out of this, especially following right behind your comment with my Mac talk.
Technically, Windows (insert flavor here) is designed to also work only on one platform: the PC. In essence: a dongle.
With Apple's recent Intel and Boot Camp push, yes, you can install and run XP or Vista on a Mac, or even run a VM with one of those or a lower version (I have a DOS 6.22 VM so I can finish a few games I never finished way back when...).
The only reason I can think of there being no Mac VM is Apple still hasn't let go of its low level hardware code. I remember way back when they considered it, but after market and technology analysis, they found that they could better profit from a closed and higher quality machine. As opposed to what happened in the PC world and cheaper hardware, lowered quality controls, numerous compatibility issues, blah, blah blah. Look at how hard it is to set up your Windows PC today? Sure you can configure it anyway you like, but will all of your software/hardware work with that new video card? I've run into several issues playing games because of a cd-rom driver, or a video driver.
Again, that's all another topic...
John Baughman on December 18, 2007 12:32 AM
Another problem with keys that developers should avoid: don't encode an expiry date within the key! There is one particular software product I purchased many years ago (PMMail) where the key contains some kind of date stamp. So the software can only be installed within X number of days after the key is sent. This becomes especially annoying whenever I would re-install my computer systems every few years. Every time I had to contact the vendor since my previous key would no longer work. If we pay the money to purchase the software, at the very least we should be allowed to install it when we want.
Stephane Charette on December 18, 2007 12:54 AM
What a coincidence! Just yesterday I was skimming through all my old mails, and read a forward about Bill Gates' hobbyist mail.
Today I open my Reader, to find your post having the exact same content!
In addition to checking that the characters typed by the user are in the valid set of characters, the key could contain a checksum that's checked right away once the full length has been typed, for immediate feedback before a more involved check.
Personally I think that registration keys are used a bit too much. If I buy software on a CD/DVD, why can't a unique key be printed on the CD/DVD? Why do I have to manually type it? Surely there has to be a way of printing a short unique code on each CD/DVD, readable by the disc drive (maybe by burning/punching holes in the surface, damaging a pattern of sectors), without prohibitive costs. With online purchases there isn't even that excuse.
Also, I cannot understand the point of registration keys, unless they are checked online against a list of valid keys. Otherwise, crackers can and will figure out how the keys are checked and generate their own, or just buy a copy and pass that one key around.
> If I buy software on a CD/DVD, why can't a unique key be printed on
> the CD/DVD?
Because of the cost.
As well as your five rules, here's another:
6. Use consistent terminology in your code and packaging. Some products have several numbers of various kinds within their packaging, and it's not always obvious which number is the software key as the labels sometimes don't match. If necessary you should show a dummy sample key during installation to make the printed key easier to identify (eg XXX-XXX-123-XXX).
David on December 18, 2007 01:23 AM
"avoid paying (note that I did not say "steal")"
Yeah, what's the difference again? Next time I take some stuff through HMV's door, neatly bypassing the till, I'd like a convincing explanation. BTW, "Stealing from rich people is still theft."
"I'd be inclined to disagree, and willing to bet that just about everyone who'd be willing to pirate something in the first place isn't going to be stopped by simple serial number validation"
Well you'd *lose*. Products with serial numbers get pirated at a lower level than products without, even if it's easy to fake the serial number. Apparently it's a social compliance thing. Basically, the average consumer (read, non-programmer) will assume that, if there's no serial security, it's okay, much as if you leave a door ajar, they'll assume it's okay to open it. There's also the fear that the serial code makes the product trackable and you'll be caught.
"18th century view of property law"
What, that if someone spends 5 years making something that you use, you should pay? That's pretty early to mid 20th Century too.
There is an alternative no-one's considered. Everyone should release software so buggy, so ineffably crap, that your only alternative is to pay to have it fixed. Fortunately, if we stick with only garage-hacker companies that work for free, that'll probably be the situation we find ourselves in. I could start my own business, "fixing garage software; For moneys!"
"I've run into several issues playing games because of a cd-rom driver, or a video driver."
Yes, but I've run into several issues playing games on a Mac because... it's a Mac!
"As far as stealing from UNIX- After reading Jeff's posts on virus protection being pretty much unnecessary if we'd all stop running as Admin... I can't help but feel that Windows would be much better if they HAD. :D"
Agreed. And I'm endlessly interested in what appears to be a massive over-hype. What exactly did Microsoft "steal" from UNIX, was it copyrighted/patented, and if not, did the creators of UNIX observe basic commercial security, as far as possible for the time? (Rule 1: if you talk about it in a public lab, it's not commercially confidential/Rule 2: You only release the blueprints for your product via the patent office).
"nagware that trusts the user when the user claims to have paid"
You'd require some form of proof, or even I'd click the button marked "I've paid" at some point. Just to see what would happen. And then it's no longer nagware.
I like Spiderweb Software's approach for Shareware games.
www.spidweb.com
> Technically, Windows (insert flavor here) is designed to also work only on one platform: the PC. In essence: a dongle.
This is surely only a valid comparison if the "PC" was a product produced by a company. Microsoft are not a hardware company in this respect, so actually, it's arguably designed to "work" on anything that will support it.
D.W. on December 18, 2007 01:42 AM
This brought back nerve-wracking memories of trying to install Neverwinter Nights. Not only did it apparently have both 0 and O in the key but it was printed in a deeply ambiguous squared-off font which made 0, O and D almost entirely indistinguishable. Also V and U were almost indistinguishable. It took about 45 minutes to type in the key from the box and actually get the software installed.
Deeply unhelpful.
Ben Moxon on December 18, 2007 01:56 AM
In the good old days the key used to be printed on the back of the box, and the bog standard installers said "Type the CD key found on the back of the box". Then they realised how stupid it was to put the CD key in plain sight and moved it to the back of the manual or, in some cases, inside the box. But the installers didn't change. That threw quite a lot of people.
In the good good old days we had code wheels. Might have been annoying, but damn they were a darn sight more fun than a series of digits.
I've not had to type a key in for ages. All of the software I've bought in the last 6 months has been online and thus comes with the niceties of registration that provides (so long as you are connected). Oh, other than Visual Studio, which I copy and paste instead.
[ICR] on December 18, 2007 01:57 AM
"This brought back nerve-wracking memories of trying to install Neverwinter Nights. Not only did it apparently have both 0 and O in the key but it was printed in a deeply ambiguous squared-off font which made 0, O and D almost entirely indistinguishable. Also V and U were almost indistinguishable. It took about 45 minutes to type in the key from the box and actually get the software installed."
You fool, don't you understand? That makes it more secure!
James Justin Harrell: you might not pay for software, but don't forget to tip the developers or donate to the bandwidth bills.
I was just thinking about the comparison with music. Very many people use LimeWire to get their music, some even boasting that they've never bought a CD. Sales of mobile phone ringtones are massive, billions of your chosen currency every year. So there must be a significant portion of LimeWire users who also pay extortionate amounts to get ringtones for their phones; even though most phones that can play mp3s can use any mp3 you transfer to them as a ringtone. I guess some people's value systems are a little out of whack. The CD would probably be cheaper than the ringtone! iTunes certainly would be, although that's a bad example because they charge twice for ringtones. Anyway, ringtones are evil. Vibrate only!
When I get my 2nd HDD to use as a Time Machine drive to backup my music better I will probably start buying music via iTunesPlus as well as CDs. I haven't used P2P since Napster, but it goes to show, if paying for something is easy then people will pay.
John Ferguson on December 18, 2007 02:10 AM
I have a pirate copy of every game I bought, as it's much simpler to just install it, crack and use some VCDROM solution than to search for the CD and play with the disturbing CD noise, not to mention I cannot play on my CD-less tablet PC.
Luckily, the same is not always true for other software, but the biggest pain when reinstalling system / moving from one computer to another is the activation, typing serial numbers, finding them in emails, finding old installation files (since you simply cannot download the old version from vendor's website)...
Jakub "Kocureq" Anderwald on December 18, 2007 02:11 AM
Sorry, but I prefer no data over biased data. Biased data is presented with an obvious interest, and when the linked page starts its conclusions with one of the oldest lies of the industry ("Piracy is a worldwide problem that costs software developers billions of dollars every year"), its credibility quickly becomes zero for me.
As for Vista piracy rate being half of XP, sincerely... Who wants Vista? Not me. The only reason for the rate is that most of the people using Vista have it because it came with their computer and they don't know how to get rid of it. And less people are pirating it because, frankly... XP is better. Why? You only have to read this great article to know it:
http://dotnet.org.za/codingsanity/archive/2007/12/14/review-windows-xp.aspx
I don't feel any pity for Microsoft, specially when the subject is piracy. Piracy put them where they are now, and many times have they "mistakenly" released unprotected versions of their products, just to make people try them and hook them. It's drugs all the way. Except Vista. No one's going to get hooked on that.
In the end, I feel Registration Keys are useless. You lose them, you have to keep them, you have to input them, and in the end... you know what? Your software is still pirated, and the pirates just use a .reg or a keygen and are free of the hassles you as a customer have to go through.
Drop the keys and just use the mail of the customers! Use it to push updates, to get support (you use a form in the website and receive a short UUID to call TS), etc, etc. If anyone thinks the keys do anything more than irk potential customers, they're fooling themselves.
paketep on December 18, 2007 03:12 AM
"one of the oldest lies of the industry ("Piracy is a worldwide problem that costs software developers billions of dollars every year")"
'That this is a lie is one of the oldest lies of piracy.' (equally valid PoV) Billions is an exaggeration, but to simply go "it's a lie" without any kind of link to evidence is ridiculous.
The last registration I did was done by dragging and dropping the email I got with the registration details in it onto the registration dialog. That was worth the $20 right there ;)
(You also had the option of manually typing it in, if you were missing the pain...)
Matt Gibson on December 18, 2007 03:27 AM
> "one of the oldest lies of the industry ("Piracy is a worldwide
> problem that costs software developers billions of dollars every
> year")" 'That this is a lie is one of the oldest lies of piracy.'
> (equally valid PoV) Billions is an exaggeration, but to simply go
> "it's a lie" without any kind of link to evidence is ridiculous.
One could just as well argue that your suggestion that "Billions is an exaggeration" is ridiculous, as it's not backed up.
How can one prove that piracy doesn't cost developers billions of dollars? People who make claims need to back those claims up. Saying "it's a lie" is just a challenge to produce some proof, and doesn't need any evidence.
NOTE: This comment was copied from the sources cited below...
Dan
It is a mistake to credit Bill Gates with dropping out of Harvard. He did not. He was expelled from Harvard for improperly using the school's computer systems for personal business. He was warned multiple times and eventually expelled. The only evidence ...for this is Prof. Fischer. Fischer taught an Intro to Communications class ...at Boston College. He was at Harvard during the tenure of Gates and claimed to be personally familiar with the situation involving the library computers.
http://www.pennylicious.com/#comment-183#comment-183
http://neil.franklin.ch/Usenet/alt.folklore.computers/19990222_Open_Letter_to_Hobbyists
I agree with the "if the software is delivered digitally" allow us to retrieve our key somehow. I'm going through something similar with an Office 2007 Pro key I can't find.
Tom on December 18, 2007 04:29 AM
well... I can't believe people are still struggling with licence keys...
free software baby, free software...
Gabriel Patiño on December 18, 2007 04:46 AM
To all you folks talking about "it only runs on Macs so that's already copy protection" and especially you Jeff with your "Are you kidding me? Every Mac is the world's largest hardware dongle"
How is running software A on any specific hardware+software B copyprotection to software A?
I can install my Leopard on as many Macs as I like without it ever failing, same as I could with Tiger and all the other big cats, and even classic Mac OSes before it as long as the hardware is supported. (Windows also only installs on supported hardware, it just supports more hardware) Fact of the matter is my copy of Leopard would install just as fine on my neighbour's Mac as on my own, so in effect there is _no_ copy protection.
There's a lot of folks I would've expected a statement like that from, but not you Jeff. That's very disappointing and it definitely bites into the perceived trustworthiness of your blog. Don't turn into some OS flamewar inducing blog for stupid people like so many have before you, I expect more from you!
kris on December 18, 2007 04:56 AM
I've built an activation system for work. Each cd key had 3 levels of checking:
1) Checksums. Every group of digits had its own checksum to detect typing errors.
2) HMAC: A larger "validation code" was stored in the key, so if a person just fiddled with the check digits to get all the things to say ok, then we could still check if the key was invalid on the client side. (though since a HMAC is symmetrical, you can reverse engineer it and create valid keys)
3) Each key encoded a unique, non-guessable number. So on activation, we check to make sure this number is valid. This is the only measure that actually provides any real promises for security, the other parts trust the client.
I hated doing it though, it really isn't the sort of thing I want to be spending my time on when I'm at work. I'd much rather be making things that will actually make people happy, rather than making hoops for them to jump through. And now we have to maintain an activation server, and handle the added tech support costs, and all that sort of thing. All this, and I'm still not convinced that it is going to do anything to increase our sales (and no, decreasing the rate of piracy is not the same thing as increasing sales).
a little bit anonymous on December 18, 2007 05:09 AM
I think the reasoning behind why the serial space is so large is that it prevents finding a valid serial by brute-force.
You could in theory, write a program that hooks in to the code that the entry panel uses to check the serial is valid and just enter a million serials a second at random and hope you chance on a valid one.
You could say: "If you're going to do that, why not just crack the program?" Well you could do that but then you've changed the binary and that might break updates etc.
I've heard anecdotal evidence that while people will gladly use a rogue serial, they would rather pay than crack the product.
In that case, having a large serial space makes absolute sense.
Simon.
Simon Johnson on December 18, 2007 05:23 AM
Linux
:-)
> So why, then, do software developers insist on 20+ character
> registration keys? It's ridiculous. Are they planning to sell
> licenses to every grain of sand on every beach?
Elliptic curve keys with feature bits inside... 25-digit isn't too bad anyway if it's broken into 5x5 groups and you can paste.
> Don't passively-aggressively inform me that "the key you entered
> appears to be valid." Is it? Or isn't it? What's the point of unique
> registration keys if you can't be sure? I guess paying customers
> can't be trusted.
There's two reasons for this: either the real check is done server side (yeah, installer could contact the server I guess), or a quick check is done now and a more thorough check later, as an anti-cracking measure. Not that big of a deal either, imho.
But you do have a very important point wrt. the characters in the serial and the font used for printing, as well as *NOT* having 5 bloody tab-requiring input fields and no clipboard paste support, grr.
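The layered check described in the comments above (a checksum per group of characters, a client-side HMAC validation code, and a unique random number that only the activation server can confirm), with the quick local check kept separate from the real server-side one, as an added example that is not code from any commenter or vendor. The key layout, the alphabet, the secret and every function name are assumptions.

```python
import hashlib
import hmac
import secrets

# Crockford-style base32 alphabet: no I, L, O or U, so look-alike characters
# can never both be valid in a key.
ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"
LOOKALIKES = str.maketrans("OIL", "011")   # forgive O/0 and I/L/1 on input
WEIGHTS = (1, 3, 5, 7)                     # odd weights are invertible mod 32
# Assumption: this secret ships inside the client, so it can be extracted.
CLIENT_SECRET = b"constructed-demo-secret"


def _check_char(values):
    """Check character for one group of four 5-bit values."""
    return ALPHABET[sum(w * v for w, v in zip(WEIGHTS, values)) % 32]


def encode_key(payload: bytes) -> str:
    """Encode 10 payload bytes as 4 groups of 4 data chars + 1 check char."""
    if len(payload) != 10:
        raise ValueError("payload must be 10 bytes")
    n = int.from_bytes(payload, "big")
    values = [(n >> (5 * i)) & 31 for i in range(15, -1, -1)]
    groups = []
    for g in range(4):
        vals = values[4 * g:4 * g + 4]
        groups.append("".join(ALPHABET[v] for v in vals) + _check_char(vals))
    return "-".join(groups)


def normalize(key: str):
    """Case-insensitive input, look-alikes mapped, split into groups."""
    return key.strip().upper().translate(LOOKALIKES).split("-")


def bad_groups(key: str):
    """Level 1: indexes of groups whose check character does not match.

    Lets the entry form highlight the mistyped group without saying
    anything about whether the key as a whole is genuine.
    """
    bad = []
    for i, group in enumerate(normalize(key)):
        if len(group) != 5 or any(c not in ALPHABET for c in group):
            bad.append(i)
            continue
        vals = [ALPHABET.index(c) for c in group[:4]]
        if _check_char(vals) != group[4]:
            bad.append(i)
    return bad


def decode_key(key: str):
    """Return (serial, tag) as bytes, or None if level 1 fails."""
    groups = normalize(key)
    if len(groups) != 4 or bad_groups(key):
        return None
    n = 0
    for group in groups:
        for c in group[:4]:
            n = (n << 5) | ALPHABET.index(c)
    payload = n.to_bytes(10, "big")
    return payload[:5], payload[5:]


def _tag(serial: bytes) -> bytes:
    """40-bit truncated HMAC-SHA256 over the serial."""
    return hmac.new(CLIENT_SECRET, serial, hashlib.sha256).digest()[:5]


def make_key(serial: bytes) -> str:
    return encode_key(serial + _tag(serial))


def client_check(key: str) -> bool:
    """Level 2: offline check of the HMAC tag (trusts the client)."""
    decoded = decode_key(key)
    if decoded is None:
        return False
    serial, tag = decoded
    return hmac.compare_digest(tag, _tag(serial))


def issue_key(issued: set) -> str:
    """Vendor side: draw an unguessable 40-bit serial and record it."""
    serial = secrets.token_bytes(5)
    while serial in issued:
        serial = secrets.token_bytes(5)
    issued.add(serial)
    return make_key(serial)


def server_activate(key: str, issued: set) -> bool:
    """Level 3: was this serial actually issued? Only the server knows."""
    decoded = decode_key(key)
    return decoded is not None and client_check(key) and decoded[0] in issued
```

A key assembled with the extracted `CLIENT_SECRET` passes `client_check` but still fails `server_activate`, because its serial was never recorded as issued.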
I'm not sure why the big fuss over entering the key every time you MOVE your software to a new computer. By far the bigger hassle is going through the reinstall (now which features did I install last time?) and configuration of the reinstall (how did I set up that feature?). Granted, it does take time to find and enter the key and that time does add up. I have started writing notes about what I have installed and how I have configured it so I have some chance of redoing it later.
Les on December 18, 2007 05:47 AM
"Granted, it does take time to find and enter the key and that time does add up."
It's when you lose the manual/somebody's pulled the sticker off that you begin to swear, swear like a trooper.
"I can install my Leopard on as many *Macs* as i like without it ever failing"
Yes, but each time, you've paid Apple for the *Mac*. Basically, all Mac products you buy now come free with any new Mac you buy.
But woe betide you if you stray from the path of the one true OS. That Leopard won't roam the jungle of Linux, or the swamp of Windows.
"I'll choose biased data over no data whatsoever, every time."
No data means nothing. Biased data is wrong. Often, it's crucially wrong. Sometimes, it's perniciously wrong.
Patrick Stephens on December 18, 2007 06:01 AM
Most interesting that MS believes the lack of Vista piracy has more to do with "Genuine Advantage" and not Vista sucking, so no one wants it. If I were them, I would be concerned if people aren't pirating my software . . .
Jim on December 18, 2007 06:02 AM
Hey Now Jeff,
In these days of p2p file sharing & key generators, it seems that many apps are so easy to use for free. I wonder the future for this what is the best way to enforce this. As previously stated the honor system isn't the best option here. @ Michael B the URL registration seemed interesting. How many people reading this have clicked a generate key button, copied it and pasted it? A metric off the top of my head 95.07%. FYI - I prefer inaccurate data over no data.
Coding Horror Fan,
Catto
Great synopsis, but I've got a point to make regarding software piracy in relation to the free market economy: The mere fact that piracy exists means there is a DEMAND for the product! Piracy doesn't mean people want to pay NOTHING, it means the price is not right.
Software developers should be paid for their work, but I think most of them simply charge too much. How can Microsoft justify charging X dollars for a Windows license (which they can print an infinite number of) when someone in Iran or Venezuela has to pull two FINITE barrels of oil out of the ground to pay for it?
I don't have all the answers, but I think there needs to be a lot of work done in the Intellectual Property area. It makes everyone crazy including me.
I'll admit that I'm a strong open source supporter, but I wouldn't pay for a copy of Microsoft Windows even if it was $1!
Alan on December 18, 2007 06:14 AM
Serial numbers don't work to prevent piracy. Pretty much every single serial-number "protected" application has a keygen, or a list of serial numbers somewhere on the internet (Search for "[app name] serial", skip past all the viruses and chances are, you'll find a serial number)
They are also extremely annoying - not so much that I have to type it in when installing, but that I have to keep track of this little bit of paper.
Many times I've taken a disc out of its case (or put a couple of games in one case) and tried to install it somewhere else (i.e. not at home), only to realize I don't have the otherwise pointless manual which contains the serial number...!?
The ironic(?) thing is, if I pirated the game, it wouldn't be an issue, as there would be a keygen in the disc-image I burned to a DVD - And I can then copy/paste the serial number.
When I moved to Australia for a year, I forgot to bring my Final Cut Studio discs to install on my laptop. Luckily my sister was flying over not long after, so I got her to bring the discs, and what I described as the serial number leaflet. When she arrived, I was handed the discs, and the wrong leaflet - it had a serial number on it, but not the one I needed to install Final Cut - thankfully I was able to phone my parents to read the serial number over the phone, but it's extremely annoying. Had I downloaded Final Cut, the serial number would have been on the disc, and it wouldn't have been an issue...
> "Microsoft recently stated that the piracy rate of Vista is half that of XP, largely due to improvements in their Windows Genuine Advantage program"
Vista really isn't hard to pirate, it's on pretty much every torrent site that will accept it. In fact I have it burned to a disc somewhere - but I don't actually use it (I installed it, played around for a while, and restored XP).
I imagine a lot of people are using it because it was pre-installed on the machine. I don't know many people who have gone out and bought it, or even downloaded and regularly use it.
If you effectively force people to buy a generally-unwanted product with a new computer, a lot more people are going to be using it legally (from with the new computer) than are downloading it illegally, thus the improvement in pirated to legal users. It's nothing to do with "better anti-piracy"
Anti piracy methods are only effective (and should only be used to) prevent pirated copies being available within the first day or two of sales. After that, pretty much any game is going to get cracked.
After those few days, you may as well make it as easy for users to buy your software, otherwise you're going to force them to go down the far more convenient piracy route...
- Ben
They're better than a dongle...
Mac (aka John McPherson) on December 18, 2007 06:15 AM
"Software developers should be paid for their work, but I think most of them simply charge too much. How can Microsoft justify charging X dollars for a Windows license (which they can print an infinite number of) when someone in Iran or Venezuela has to pull two FINITE barrels of oil out of the ground to pay for it?"
Ah, the old "it's cheap to copy => it's cheap to create" fallacy. I can print 1000 copies of Terry Pratchett and Neil Gaiman's "Good Omens" an hour with a cheap printer and MS Word '98. I'm relatively certain I couldn't have written the book.
Remember, when they talk about Gates' wealth, they don't mention how much of it is actually tied up in Microsoft.
When you crack Vista, you're not ripping off Bill Gates. You're ripping off the hundreds of Software developers who go to work every day at Redmond. Bill will be fine. They will be fired.
And then, as they are better coders than you, with better resumes, they'll take *your* job.
"Microsoft recently stated that the piracy rate of Vista is half that of XP, largely due to improvements in their Windows Genuine Advantage program"
Not to mention the spike in people punished due to false positives. Like me, just recently. Made an overnight Linux user out of me. I don't mind software licensing, or product keys, or even M$ checking to see if the key I'm using has already been used. They need money to keep cranking out mediocre beta-test products to the market.
I mind the fact that they arbitrarily deactivated an OS that I paid money for. And I mind the fact that M$ couldn't/wouldn't give me reasonable assurance that they wouldn't do it again.
Installed Ubuntu that same day, haven't looked back. There are- and should be- consequences for treating legitimate customers like criminals.
Matt on December 18, 2007 06:44 AM
Considering Microsoft's business model: Make every PC manufactured has a licensee for Windows whether or not Windows is actually installed on that PC. I find it hard to believe that Microsoft really has a problem with piracy with Windows in the Western world.
Microsoft may have a problem in the developing world. However, one of the documents in the Netscape case was a series of memos concerning Microsoft's market share in China. Reading through these memos, you realize that Microsoft wasn't concerned with the sales of Microsoft Windows and Office in China, but that not enough people were pirating Microsoft Windows and Office.
At that time at least, it was more important to Microsoft that people in China steal their software, use it, and like it, than not steal it, and get used to something else. As the memos pointed out, sooner or later, the Chinese market would become more legitimate, and all those stolen licenses would be paid for.
I predict that the licensing cost of Windows Vista Home Basic will drop to less than a dollar by the end of next year. As the price of PCs continue to drop, and improvements are made in alternate operating systems, PC makers will find it harder and harder to pay Microsoft for a Windows license. In order to keep Windows as the prime operating system on all PCs, Microsoft will drop the price of Vista Home Basic to almost free to compete with open source alternate operating systems.
Instead, Microsoft will give users the option to upgrade to Windows Vista Premium on line, and offer other on line offers as a way to keep the money rolling in. A few users may figure out a way to game the system to be able to pirate Vista Premium, but without DVDs and CDs of the OS running around, it makes it much harder to "share". Most users who do upgrade to Vista Premium will be licensees.
David on December 18, 2007 06:47 AM
First off when I get a CD with a card with the reg key written on it, I grab a sharpie and copy the key to the printed side of the disc so it stays with the software.
Also some of those numbers may be in error, if you work for a large installation and have 80 computers to install you are probably going to make a master image from a completely installed system and then duplicate it to the others hard drives. While the co. may have the 80 license keys it is not practical to individually install each program on the computers.
Licensing of expensive software has lately turned me towards open source alternatives. Case in point was Adobe had a great little web page program, PageMill, about $50 to $100 and capable of painlessly maintaining a basic web site. Now all they have to sell is this over-powered Dreamweaver or even more so - the creative web suite. KompoZer/NVU is a good alternative (if only they would behave with PHP files.)
I think a lot of the companies have the mentality that they can never reduce prices significantly and then alienate the introductory user by positioning their products out of their price range. How much would you pay for software you never tried before - better yet, how much would you pay for software you don't know how to use?
Larry on December 18, 2007 06:48 AM
OK, I just have to point out that the best C++ compiler I've used requires no registration or access key -- it's gcc. Same for the best dynamic language, Python. Why pay Microsoft and put up with the aggravation?
A. Lloyd Flanagan on December 18, 2007 06:52 AM
Licence Keys - are just another legitimate customer annoyance feature
There are two models for selling software
Here is some software you pay for it by buying a licence
Here is some software pay for updates/support
If your software licence does not cost enough to warrant the hassle people will pirate it because it's easier (people will also pirate expensive software but that's because it's expensive)
But you need something to protect your investment that does not annoy your customers (just the pirates)
Dongles annoy customers
Typing in long licence keys annoy customers
Retyping long licence keys when moving PC's annoy customers
The cut and paste and click here to activate system work just fine and I suspect are no more secure if you are careful?
Jaster on December 18, 2007 06:56 AM
I'd be interested to hear why more software shops that sell online don't go with the license file approach instead of serial numbers? I have used XHeo licensing (www.xheo.com) and it works pretty well.
After purchase the publisher supplies a download link to a customer specific license file. The customer just saves it to the application install folder. The publisher usually saves the customer license information so it can be downloaded again if the customer needs it.
Michael on December 18, 2007 07:02 AM
I bet even in the days of Altair BASIC Gates was grossly overpricing his software. It's funny reading about Bill Gates wondering who would provide professional quality software for free while I'm using Firefox in lieu of his wonderful "professional quality" IE. It's also funny that, despite this rampant, evil piracy, Gates is one of the richest men on the planet.
I'm so tired of hearing how piracy is bad, you're stealing, blah blah blah blah, but the people doing the complaining are making MILLIONS. What's wrong with this picture? Maybe, instead of pointing your finger at all of us peons, you should take a look at your friggin pricing scheme and wonder if you might be charging a little too much. $15 for a CD that took less than $1 to create? Are you telling me that the other $14 is for "creative property" and studio time? Hardly. $110 for the most BASIC OEM version of your poorly designed OS? Why? For the hundreds of features you put in that the average user will never touch? And, of course, these prices have to go up with newer versions, because they are increasing in quality.
Mattkins on December 18, 2007 07:22 AM
"On the other hand, copy protection schemes DO scare away honest users."
I paid for a copy of Pro Tools LE (audio recording software) and have been using it as a hobbyist - until I changed a hard drive in my computer. Now one of my plugins ("Amplitube") insists that it's been stolen, and proceeds to launch a registration dialog that doesn't work, freezing the entire program. Moreover, the Amplitube website won't give me another key.
The prospect of re-installing my whole Pro Tools system and having to re-register all of my plugins, falling into God knows what other traps along the way, sounds so terrible that I haven't touched Pro Tools in months.
"Personally, I am really tired of games that nag me to find the CD, windows that nags me to install WGA or to activate, and software that nags me to find the license key."
Lately I just don't install anything that requires WGA. I'm tired of playing that game. It's insulting, and I'm not entirely comfortable with Microsoft calling home with my information.
Evan on December 18, 2007 07:27 AM
You cannot stop the people who want to pirate the software. The serials or keygens or cracks will be out there. The serial numbers are just an inconvenience to legitimate users.
The real problem is that because it is so cheap to make copies of software (torrent, CD burners) that what you are selling, a COPY of the software, is valued at near zero.
The economic model is broken. I don't know how to fix it yet, but I trust the market to figure it out. Perhaps the answer is that there will be no more software billionaires, or perhaps even millionaires, but instead a lot more people making a nice living doing it than there are now by selling open source services and customizations. I don't know if the market there is big enough to make a real living. Geek Squad makes me think it may be possible, but there would have to be a crash first, and that will hurt the industry.
I write software for internal use. If, perhaps, I wrote PHP web applications, adding functionality or removing bugs from PHP would be in the best interest of my employer, but who would be served by managing the project as a whole, or hosting the whole mess.
I don't think there is an answer yet, but remember that before Microsoft, software wasn't generally sold, but shared. This was easier then because everyone who had a computer was a programmer. Now, with it being an appliance for the masses, I don't know how to make that work. Maybe the OEM's would be better served to do a collaborative OS and applications. They already pay for it with software licenses. Perhaps paying a few developers would be cheaper than paying for the licenses, but how to keep the moochers from wrecking it for the rest of them?
I think that the software industry, like the music industry, is ready for an extreme shift in business models. I just don't know the workable model yet. The only thing I know for sure is that the money will be spread across more people, with a lot fewer really rich ones.
Grant Johnson on December 18, 2007 07:31 AM
> "avoid paying (note that I did not say "steal")"
> Yeah, what's the difference again?
The difference is that when something is really stolen, the original possessor no longer has it. It was pretty much a Bill Gates "innovation" to mis-apply the term to copying software.
The legal wedge used to deter copying software (in the US anyway) is US copyright law. Copyright is really nothing other than a government-granted monopoly on copying a work. In the eyes of the law, no one owns the work itself. So all software "piracy" really amounts to is a violation of some company's government-backed copying monopoly.
Copyright was intended to be an industrial regulation. Until very recently violations of it were considered civil matters (whereas theft would be a criminal matter). It's the big copyright holders who want you to think of it as a nasty criminal activity by using loaded (and inaccurate) words like "piracy" and "theft".
Probably the best term I have heard for it is "unauthorised copying", but I'll admit it doesn't have a lot of pizzazz.
T.E.D. on December 18, 2007 07:32 AM
@ Grant:
I do think the service model offers a lot more rosy picture than the current way. And with web services becoming more and more prominent/feasible, maybe the time is right. I'm not an economist but it seems to make sense to let people pirate the software if they want; charge for services.
Evan on December 18, 2007 07:34 AM
"Unless you provide some disincentives, that's exactly what people will do-- they'll pay nothing for your software."
This statement is a bit odd in an article that otherwise seems to recognize that this isn't an issue of absolutes. Registration keys won't stop all pirates from pirating; the lack of registration keys won't stop all honest customers from paying.
Also, don't forget that even without some anti-piracy scheme, copyright law itself still serves as a disincentive.
"Products with serial numbers get pirated at a lower level than products without, even if it's easy to fake the serial number."
But the important questions are:
Do products with serial numbers sell more than products without? Does the extra revenue cover the costs of the anti-piracy scheme?
There's little point in trying to prevent piracy if it doesn't result in higher profits.
Robert Fisher on December 18, 2007 08:37 AM
On the bit of checking for valid data as you enter it:
It would be quite possible to add a simple checksum to each block. This wouldn't be of any help to the guy trying to brute-force it because just because it passed the checksum wouldn't mean it's valid. It would be a big help in reducing the hunt for the error when the system doesn't take the key, though.
The worst experience I ever had with registration keys was the opposite of the normal ones, though: The game took an invalid key! It was a case of a bad font and both I and 1 were legal. I got it wrong, the game was happy--but the updater wouldn't work because the website did know the key was no good. Uninstall/Reinstall.
Loren Pechtel on December 18, 2007 08:57 AM
Activation keys don't work. I've installed tons of pirated software with keys: only cracks or keygens were necessary. The only stuff that can crack piracy are those online games with CD keys. Now, who will crack these???
Alex on December 18, 2007 09:39 AM
> The only stuff that can crack piracy are those online games with CD
> keys. Now, who will crack these???
Which game hasn't been cracked?
Thank you for posting the security keys. Now I can install the software I just pirated.
fred on December 18, 2007 10:23 AM
I think it would be cool if some software company parsed their key into some form of picture that we could reproduce. Something as simple as 3 rows of 7 blocks 12 to 15 of which should be filled with 7 distinct colors (these could be in the form of block placed under the key which the user can drag). This method would give us 4 quadrillion (pigeonhole: 75 million) with 12 unique blocks and 25 quadrillion (pigeonhole: 600 million) with 15 unique blocks. Granted, with this method you could not copy-n-paste, but it's fast enough that I don't think users would mind putting it in every time, and it should be really easy for someone to see a mistake (and hard to make a mistake in the first place).
Mike on December 18, 2007 10:25 AM
All in all you only hassle the legitimate user, while pirates can crack and use your software anyway.
I would also recommend developers to make keys case insensitive.
Jorge Diaz Tambley on December 18, 2007 10:28 AM
> "And if the software was delivered digitally, please keep track of our key for us. We're forgetful."
Thank you, Steam.
http://www.steampowered.com/
Anyone remember the "Activation Wheel" that they shipped with Hardball 3?
It was three cardboard circles of various sizes connected at the center in a way such that all three could spin individually of each other. Each circle contained a set of images and codes as well as a cut-out portion to allow you to see a small piece of the circle below that one.
Each time you installed the game, the installation would randomly generate 3 images (one for each circle) and then you'd use the wheel to highlight each of the images, revealing a unique code combination you'd need to enter. Very effective, and a pain in the ass to copy.
That was probably 15 years ago, and to think that software activation still depends on some piece of the physical world that comes with it is just baffling.
Aston on December 18, 2007 10:45 AM
What? No biometrics? CROCK! lol
Greg Magarshak on December 18, 2007 11:35 AM
They could just put the key into the installer like they do with Visual Studio, but I guess that is just too much work.
There's really no excuse to steal software. There's so much free software out there. If you say you can't afford it... Well I can't afford a Porsche so should I just go over to the car dealer and take one?
Akira on December 18, 2007 11:37 AM
WGA is a half-cocked piece of software.
- it is proven fact that false positives do happen, and happen often.
- it is easily bypassed with relative ease
I believe that even by Microsoft standards, WGA fails in every possible way. Or does it? Was this intended from a design standpoint? It's easy to say that you are losing 'billions' per year due to Piracy, because it is not easy to prove either way. Eliminating (read: 'vastly-reducing') piracy would provide a surefire means to an end... the revenue increase that year would indeed indicate exactly what you were losing for that specific timeframe. On top of that, public opinion would be that you should lower your product prices, after all you've been claiming that piracy drove the price up there in the first place. As far as large software corporations, to beat piracy is to beat oneself.
Point-blank. Microsoft do NOT want to beat pirates. Their trials and tribulations regarding WGA are a farce at best, how could a company with so much experience and expertise possibly create WGA with so many fundamental problems that it ends up costing legit users so much?
Beating pirates is useless, those who do not pay do so for a reason. Those who are paying... get them to pay twice. This is reflected even in their EULA when it was first released (now more relaxed).
I may be paranoid... but still, I call it how I see it.
Kevin Creechan on December 18, 2007 11:48 AM
From my previous comment....
>>- it is easily bypassed with relative ease
Ignore my bad English there... it is Tuesday and I'm still warming up :)
Kevin Creechan on December 18, 2007 12:13 PM
The purpose of selling license keys is to try make digital copies of software behave a bit like physical items, so it's fundamentally on pretty weak ground. The only reason still we do it is that no-one has worked out a better business model that reliably (and profitably) for pure software development companies, now that selling actual software media is not a valuable service.
It would be really cool to see MS or someone else invest resources in looking at solutions for smaller software development firms, rather than relying on the current fraction of paying customers to accept a worse experience than the dishonest ones.
Stuart Ellis on December 18, 2007 12:29 PM
...I should have said "solutions that scale down to smaller development firms". Software as a service might work for Google-sized, or at least Red Hat-sized, companies, but the smaller ISVs are stuck with license keys unless/until somebody figures out a better revenue model, and it puts them in an awkward place.
Stuart Ellis on December 18, 2007 12:38 PM
Are those real keys you are reproducing? I can't tell you how unimpressed I was when some thickos at a PR agency had a valid licence key for my software printed in a wedding magazine (meaning anyone could download and use the software for free - until I invalidated the key 24 hours later).
Andy Brice on December 18, 2007 12:45 PM
> Are you kidding me? Every Mac is the world's largest hardware dongle. Ask yourself this: why can't you virtualize OS OX? Hmm.
You can.
It does take hacks, though. :)
Jess Sightler on December 18, 2007 12:52 PM
I recently bought a compilation of several games in the "Command and Conquer" series. I was then prompted to enter something like 6 to 8 different CD keys! That's about 20 minutes of my life that I'll never get back. Why the company didn't just put one freakin' CD key on it and be done with it is beyond me. This is a fine example of why pirating is so popular. I'm sure that with a little searching, I could have gotten the same software -- for free -- without typing a small novel of random alphanumerics.
Jesse on December 18, 2007 12:54 PM
If you have a 16-character code arranged in four blocks of four characters, add a fifth character to each block as a checksum so that you can easily highlight typos without indicating whether or not the key is actually valid. You can publish your checksum algorithm and still not give away the actual key generation algorithm.
Alex Said: "I wish they'd put a second copy of the serial ON the disc"
Well, unless they're doing CDR print-on-demand that's just not going to work well for them, logistically (sticker on CD = bad; individually printing them directly on the CD is also nightmarish).
On the other hand, you can do what I've done for years (especially with our MSDN volume-license downloads) and *write the number on the disk* with a Sharpie. (Also, on the disk sleeve. And inside the manual.)
Sigivald on December 18, 2007 01:29 PM
"The most rudimentary grasp of mathematics tells us that a conservative 10 character alphanumeric registration key is good for 197 trillion unique users"
alphanumeric: 26 letters + 10 digits = 36 possible values for each character
36 choices per character ^ 10 characters = 3,656,158,440,062,976 combinations
I'm on cold medicine right now...am I missing something? How did we get 197 trillion instead of ~3.6 quadrillion?
Michael on December 18, 2007 01:42 PM
Mike seemed to be on the same track that I was. I think that you should add an additional factor that would alleviate most of the other concerns...
Make the Key Machine Readable
Many registration keys include a bar code, which might help but presupposes that you have a bar code reader. What if the key were encoded in a way that could automatically be recognized by the computer?
My thought would be a pattern that could be scanned via a web-cam. The use case is on the registration screen there would be a button that offers "Scan Key Using Webcam". Upon pressing the button the installation software would fire up the webcam, display a small image from the webcam and start parsing the result. When the user puts the coded image up to the camera the parsing algorithm would detect and evaluate the code in the image. When the key from the code is recognized, the installation software beeps and congratulates the user. On with the installation.
Only drawback is that a scan converted to a gif of the installation code is as good as the original, but how is this different than copying the characters by hand into a text file, web page or email?
Jim on December 18, 2007 01:49 PM
If they can print unique CD keys inside the box, or in the manual, I don't see why it's so difficult to have the keys printed directly on the disk instead (or printed on a sticker stuck on the disk).
Of course, I think evil companies try to ensure keys are easy to lose - they make more $$$ by forcing you to buy a second copy.
KG on December 18, 2007 01:55 PM
I was developing a key entry form for an application. I initially proposed and was approved to create an automatic feedback so that the user didn't have to press OK after entering the key to find out that it worked. This was especially important since we had a 1 second delay so that automated scripts couldn't break it with a birthday attack. It worked, everyone saw it worked and the feature was pulled and the Check Key button was added in. I never got a good reason for the change.
mccoyn on December 18, 2007 02:04 PM
Aston-
Don't remember the hardball- However, I DO remember a copy of "Where in the world is Carmen Sandiego" which would ask you to type in the nth word from the top of page x in the Almanac that came with the game.
Wacky, huh?
Alex on December 18, 2007 02:09 PM
"The difference is that when something is really stolen, the original possessor no longer has it. It was pretty much a Bill Gates "innovation" to mis-apply the term to copying software."
Fair enough. How about if I read a comic in a comic book store and then don't buy it. Technically I'm not stealing, nor am I breaching copyright. Am I committing a crime?
Tom on December 18, 2007 02:13 PM
> I was then prompted to enter something like 6 to 8 different CD keys!
> That's about 20 minutes of my life that I'll never get back.
8 keys in 20 minutes = 2.5 minutes per key. Assuming the key was 20 digits long = 7.5 seconds to enter each character. (6 keys each of 10 characters = 20 seconds per character). And you were installing Command and Conquer, right? Tell me, do you play for money?
Dave on December 18, 2007 02:14 PM
> Fair enough. How about if I read a comic in a comic book store and
> then don't buy it. Technically I'm not stealing, nor am I breaching
> copyright. Am I committing a crime?
I give up. What crime are you committing?
Dave on December 18, 2007 02:16 PM
I think I have a rock solid solution for this whole serial key dilemma:
Please enter the word orange into the textbox below ;)
Kevin Nisbet on December 18, 2007 02:29 PM
> one unavoidable aspect of software installation[...]: entering the registration key.
Registration keys? How quaint and 20th-century. An artifact of software companies deluded enough to think that it somehow hurts the bad people without hurting their sales significantly.
> The aggravation is intentional.
Indeed it is, and it's one of many reasons to choose software that doesn't have such intentional aggravation designed in.
> Unique registration keys exist only to prevent piracy.
No, they're to prevent copyright infringement. Piracy is an entirely separate, violent crime that has nothing to do with copyright.
How hard is it to store all the used registration keys in a database? If the key has already been entered, then you need to prove that you're the same person who entered the other key... say, with some kind of private identification. An SSN would work well, because most pirates wouldn't say "REG. NUMBER=a8495jcskjc8, SSI=********"... but I suppose I wouldn't trust any company with MY SSN... sigh.
Jason on December 18, 2007 02:33 PM
> I accept that software registration keys are a necessary evil for commercial software
Then you accept a falsehood. There are plenty of companies making plenty of money selling commercial software that has no such aggravation, like PostgreSQL and Apache.
It may be that *proprietary* software is less viable without user-hostile measures like registration keys. However, that merely supports the idea that proprietary software is an unnecessary evil.
> There are plenty of companies making plenty of money selling commercial software that has no such aggravation, like PostgreSQL and Apache.
Really? How much money do they earn in comparison to Microsoft or Oracle? Do they earn money at all, or do they live off money spent by companies like IBM or Sun? Or do they kill jobs, which would otherwise feed people?
I'm not as optimistic as some naive people.
"PostgreSQL and Apache"
Ah yes, two mass market companies there. It's not like they're for a niche audience; I can't tell you the number of times I've chat