82

Why does it seem so easy to pirate today?

It just seems a little hard to believe that with all of our technological advances and the billions of dollars spent on engineering the most unbelievable and mind-blowing software, we still have no other means of protecting against piracy than a "serial number/activation key". I'm sure a ton of money, maybe even billions, went into creating Windows 7 or Office and even Snow Leopard, yet I can get it for free in less than 20 minutes. Same for all of Adobe's products, which are probably the easiest.

Can there exist a fool-proof and hack-proof method of protecting your software against piracy? If not realistically, how about theoretically possible? Or no matter what mechanisms these companies deploy, can hackers always find a way around it?

gnat
Snowman

17 Answers

80

Code is data. When the code is runnable, a copy of that data is un-protected code. Unprotected code can be copied.

Peppering the code with anti-piracy checks makes it slightly harder, but hackers will just use a debugger and remove them. Inserting no-ops instead of calls to "check_license" is pretty easy.

  • Hard-to-hack programs do progressively more annoying things.
  • But vendors have to sell customers software they are prepared to use.
  • Not everyone allows computers to phone home.
  • Some people working on sensitive stuff refuse to connect machines to the internet.

Programs I sell at my current employer (aerospace tools) don't phone home ever. The customers wouldn't tolerate phoning home for "activation" every time the program starts.

Worst case, the program runs in a VM with no networking, where it's always a fixed date.

So it might have been legitimately installed once, but no efforts on the part of the developers can have it tell that it's not how it was.

  • Attempts to add hardware "copy prevention" to general purpose computers are doomed to failure.
  • Whatever company sells hardware without copy prevention ends up selling all the hardware.
  • Vendors like Dell and Intel progressively try to introduce spy-hardware like Palladium, but they are strongly resisted.
  • When the computer is doing something scientific, real-time, any interruptions to "check for pirated content" will cause failures. If all computers had hardware DRM, the special scientific/realtime ones would have to not have it. Accidentally everyone would buy special scientific/realtime ones.
  • Hardware DRM checks will have false positives on some kinds of content.

    • Simplest case: resolution. I record Quad HD video from my camera array (sitting on my desk right now). Windows DRM gets between me and the data because it's QuadHD.

    • Signature analysis: The Hardware DRM is small and has a relatively fixed data set. It also has to use the same data bus as the CPU so it slows things down intermittently. This ruins anything realtime.

    • So then to make the Hardware DRM smarter during a false positive your computer will eventually get interrupted to go and check using a web service. Now my science data processor either fails because it isn't networked, or stops streaming data.

65

Ultimately the big problem is that most software involves handing both the lock and the key to the potential attacker and hoping they don't figure out how to put them together.

The only secure method of protecting software is not giving it to the user (e.g. SaaS). You'll notice you can't "pirate" Google Docs, for example. Ultimately, if you're trying to secure something, you have to assume they have full knowledge of anything you give them. You can't trust the client. This applies to preventing piracy just as much as it does to protecting a system against being compromised.

Since the existing software distribution models are based around giving the client the whole package and then attempting to protect it on hardware the potential attacker controls, the distribution model is incompatible with any concept of "unpirateable" software.

Ansd
Anon.
33

Why is it that software is still easily pirated today?

It's more profitable to sell software that's easy to pirate.

When deciding about anti-piracy measures, companies do a cost-benefit analysis. For any given set of measures, if the benefits don't outweigh the costs, the company doesn't do it.

Costs include time and effort to implement, document, support and maintain the measures, and perhaps sales losses if they're really annoying. Generally speaking, there are two kinds of benefits:

  • Larger profits because people who would have pirated the program bought it instead.
  • The people who make decisions are happy the program isn't getting pirated.

Here's a simple example: Microsoft Office.

Now, MS is all about the money, and not so much about making execs happy about piracy. For some time, MS has been selling a "Home and Student" edition of Office for way cheaper than the "normal" edition for business. I bought this a few years ago, and it had no copy protection at all! And the "anti-piracy" technology consisted of entering a product key which was then stored in the application folder. But you could run it on as many computers as you wanted simultaneously, and they'd all run fine! In fact, on the Mac, you could drag the application folder across the network to another computer where you'd never done an installation, and because the product key was stored with the application, it ran great.

Why such pathetic anti-piracy technology? Two reasons.

The first is because the added cost of tech support for home users screwing up their installations was just not worth it.

The second is the non-technical anti-piracy measures. MS has a whistleblower program where if you know a company has pirated MS software - like installing 200 copies of the same "Home and Student" Office - you can give them a call. Then MS comes in and audits the company, and if it finds pirated software, sues the crap out of them - and you get a big cut of the winnings.

So MS doesn't have to use technology to prevent piracy. They find it more profitable to just use cold, hard cash.

Bob Murphy
30

IMHO a fundamental problem is that most or all of the "foolproof and hack proof" methods* of protecting software against piracy also annoy or even drive away the innocent and legal users.

E.g. checking that the app is installed only on a single machine may make it difficult for a user to change hardware in their machine. Hardware dongles may mean you can't use the same app on your work and home machines. Not to mention DVD area codes, CSS, the Sony rootkit et al., which are not strictly for software protection, but closely related.

*which, as @FrustratedWithFormsDesigner noted, are never perfect in practice; there is no 100% safety, you can only try to make it costly enough for an intruder to break the defense so that there won't be "too many" of them. And I believe it is due to the fundamental nature of software and digital information, that once someone manages to break a particular defense, the break can almost always be trivially replicated by millions.

25

As Bruce Schneier said, trying to make digital files uncopyable is like trying to make water not wet. He talks primarily about "DRM", which is applied more to content (e.g., movies) than code, but from the viewpoint of preventing copying what's in the file makes little real difference -- copying a file is copying a file is copying a file.

Jerry Coffin
17

There is only one "fool proof and hack proof method of protecting your software against piracy":

Free Software (As in you can do whatever you want with it, even sell it.)

You cannot steal what is freely given. Granted, that'll muck up some dinosaur companies' software models, but piracy is going nowhere. Sell something you can't copy, preferably something that accompanies what you gave away free; your help for instance.

Orbling
13

This is caused by the combination of four main factors:

At a fundamental level, a lot of what a computer does works by copying data around. For example, in order to execute a program, the computer has to copy it from the hard drive into memory. But once something has been copied into memory, it can be written from memory onto another location. Bearing in mind that the fundamental premise of "piracy protection" is to make software that cannot be successfully copied, you can begin to see the magnitude of the problem.

Second, the solution to this difficult problem acts directly against the interests of both legitimate users and those who wish to use the software without acquiring it legally. Some of those users will have the technical knowledge needed to analyze compiled code. Now you have a competent adversary actively working against you.

Because this is a difficult problem, and because producing correct software is also inherently difficult, it's very likely that your solution will contain at least one exploitable bug somewhere. For most software, that doesn't matter, but most software isn't under active attack by a determined adversary. The nature of software being what it is, once one exploitable bug is found, it can be used to take control of the entire system and disable it. So in order to produce reliable protection, your solution to the very difficult problem must be perfect or it will be cracked.

The fourth factor is the worldwide Internet. It makes the problem of transmitting information to anyone who's interested trivial. This means that once your imperfect system is cracked once, it's cracked everywhere.

The combination of these four factors means that no imperfect copy-protection system can possibly be safe. (And when's the last time you saw a perfect piece of software?) In light of this, the question shouldn't be "why is software still easily pirated?", but "why are people still trying to prevent it?"

Mason Wheeler
9

One often overlooked, major motivation behind Cloud based SaaS solutions is securing revenue streams.

I think this is where the future of IP monetization and protection really is.

By shifting focus from selling on-premise solutions that are to be run in an environment that is outside the control of Vendors, eventually every strategy against software piracy is doomed to fail. There is just no way to protect your assets when you give them out to someone else, since the protection needs to be enforced on his machine.

By having your Software hosted in the Cloud and provided as a service, you are effectively raising the bar for piracy to a level where it's monkey business.

8

I think the answer you are searching for is that many companies don't really care about piracy that way anymore. Nobody wants their stuff getting out for free, but when you look at the trade off between annoying and having to support all the folks where the advanced copy protection broke or broke their computers. A few companies have gone far out of their way to care, but at the end of the day the stuff is still cracked and their users tend to leave with a bad taste in their mouths.

It isn't worth the pain (or the potential loss of customers) to try and implement it for the few people you would prevent from hacking in anyway.

Some companies have even viewed the pirate users as a resource. Valve made a splash in the news with a comment like that a while back, and you cannot tell me that Microsoft didn't come out on the winning side of all the pirated Windows installs in Asia over the years.

For the Microsofts out there, they look to sell large blocks of licenses; for the little guys, they need every sale but cannot afford to lose customers, or in some cases even afford the rootkits and other vile crap people use to try and build that sort of lock-in.

You can't make a perfect anti-piracy, but there are not a lot of people who are highly motivated to try anymore.

Bill
7

Whatever you build into your software, it has to be understandable by the machine that will run it. As software has got more sophisticated, the software to understand other software has also got more sophisticated. So if that software is understandable by the machine, it is understandable (and modifiable) by the pirate.

For example, in principle, you could build strong encryption into your executable, so that most of the software is unreadable. The problem then is that end-users' machines can no more read that code than the pirates. To solve that, your software must include both the decryption algorithm and the key - both either in the clear, or at least hiding behind weaker encryption (with the decryption for that being in the clear).

IIRC, the best disassemblers can warn you about encrypted code and help you capture and analyse what's hiding behind the encryption. If that seems like the disassembler writers are evil, consider that security developers need this every day, to investigate viruses and other malware that also hides in encrypted code.

There are probably only two solutions to this. One is the closed platform that locks its own users out. As the Playstation 3 shows, that's not necessarily a guarantee. In any case, there's a large class of non-evil users who won't like it.

The other is for your software to run on servers that are under your control.

5

Technically speaking, software can still be pirated because most of the IT still operates on software and hardware environments conceptually engineered millennia ago, when even the notion of software piracy didn't exist.

Those foundations have to be maintained for backwards compatibility further increasing our dependency on them.

If we were to redesign hardware/software environments from scratch with the anti-piracy in mind, we could add significant improvements.

See for yourself:

  • The same open operating system with all its components entirely exposed and literally offering itself for manipulation

  • The same open computer architecture which will take any software you throw at it

  • Software distribution model is still based on unencrypted files which are handed over to the user

The exact same problem exists with the Internet and its low security, many vulnerabilities, openness for manipulation, spam and distributed attacks. We would do it much better the second time, if we could redo the Internet. Unfortunately we have to stick with what we have to maintain compatibility with the mass of applications and services in existence.

For now it seems that the best way to protect software from piracy is to introduce changes at the hardware level:

  • Close down the hardware and turn it into a black box. Make it impossible for a user to mess with the hardware and its software. The approach here is to probably encrypt everything at the chip level so that their external interfaces are fully encrypted. A good example of that is the HDCP encryption for the media interface HDMI - a media stream is encrypted before it leaves the player box and decrypted inside of a display unit so that there is no open data stream to intercept.

  • Close down distribution channels. Make all external media and online channels fully encrypted so that only certified hardware is able to decrypt the datastream.

It is possible to pull off both but it will turn the entire ecosystem into a prison. Most probably a parallel/underground movement of a free hardware/software will arise creating a parallel ecosystem.

5

One reason I guess is, the very same people that know how to write decent security, are probably hackers themselves.

Also, trying to protect yourself against piracy is really, really difficult. Since your computer has to execute this protection itself, it can be intercepted at any given point (memory/execution/network traffic/...). That's where obfuscation comes in, trying to make it impossible to understand what's going on.

I believe the power in serial numbers and activation keys lies in the fact that you can at least see who is pirating, and try to track it/block it this way. I believe that's part of the reason why so many services are online services nowadays. (Steam, Windows update etc...) It suddenly becomes a lot more difficult to crack, ... but again still possible.

Where you have a successful product, you have more people trying to crack it, so chances it will get pirated are bigger.

5

Automated Anti-Piracy is a logical contradiction.

Legitimate users are trusted by the vendors.

Any "automated" anti-piracy seeks to automate the trust relationship.

How can this work? How can any technical means ever come to "trust" a person?

Trust is an inherently human relationship. Any technical mechanism can always be subverted by people who appear trustworthy but aren't.

For that matter, people misplace their trust all the time, too.

S.Lott
4

Given the effort, almost-perfect copy-protection could probably be achieved… but it wouldn’t be worth the cost. Several notable blogs have discussed it excellently: specifically, the concept of an optimal piracy rate.

Anti-piracy measures have several costs: the direct cost of implementing them, but also indirect costs: e.g. the measures often cause inconvenience, driving away users.

Piracy has costs, but they’re often not terribly high. It may also even have some benefits, e.g. in expanding user base. As one commenter wrote on the Coding Horror post: “Now that I'm a developer and I actually have money to spend on software, I tend to buy the programs that I pirated in my college days because I'm already familiar with them.”

So, some anti-piracy protection is important to make sure legitimate sales aren’t undercut too badly; but beyond a certain point, there’s just no economic incentive to make the anti-piracy measures better.

4

All the answers seem to be technical, but it is not a technical problem, it is social.

Software is easy to copy and hard to write. If it were not easy to copy we would not bother. Most programs are just too expensive to write as one-offs, and the smaller ones rely on bigger programs to be able to run. If we also make programs difficult to copy, then we are putting ourselves at a competitive disadvantage. Yes, you can maximise short-term profit by discouraging copying. But in the end you will lose market share to whoever can minimise cost-to-copy, cost-to-write and cost-to-use.

Free Software minimises 1 of these costs, cost-to-copy, and has a massive reduction on the other 2, cost-to-write and cost-to-use.

cost-to-copy

I can install Ubuntu Linux in about the same time and effort as Windows 7 [Windows 7 needs me to additionally add a licence key, making it slightly more difficult].

Windows 7 will cost £100, but for Ubuntu I can download it, buy it for £6 at the magazine store (with a free magazine thrown in), £2 mail order or borrow a CD from a friend.

cost-to-write

Free Software can be modified; this reduces the cost. I don't have to start from the beginning.

cost-to-use

With Windows 7 I get no applications, except a web browser; with Ubuntu I get every application I can imagine, lots install with the OS.

I don't need a virus scanner on Linux.

I can run Linux on older hardware.

With Free Software, no one is forcing me to upgrade by making incompatible versions of their office tools.

3

In a world where computers are similar enough to be able to download software from the net and immediately run it, it is very hard to identify something that allows determination of whether this computer is ok to run on, but that computer isn't.

It eventually boils down to you having something nobody else has. This can be a serial number you've paid for, a hardware dongle or a DVD with physical errors in a certain location on it. The software then looks for that specific thing, and refuses to run if it isn't there. For serial numbers you also need to have a location on the internet where the software can validate that the serial number is acceptable to the mother ship.

Unfortunately hackers are very good at surgically removing such checks, so the code needs to be very convoluted and hard to modify to make it difficult, but with sufficient dedication a human still can do it.

Hence, most inexpensive software products go for the serial number with a mothership on the internet validating it, plus a license policy that the corporate cashcows are obliged to follow. The expensive products usually use dongle protection.
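
The server side of the serial-number scheme this answer describes, which is also what gives a vendor the "see who is pirating, and try to track it/block it" visibility an earlier answer mentions. This is an added example, not part of the original answers; the `ActivationServer` class, the two-machine limit and the serials are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAX_MACHINES = 2  # assumed policy: one serial may be bound to two machines


class ActivationServer:
    """Vendor-side validation service. The signing key never leaves it."""

    def __init__(self, issued_serials):
        self._key = secrets.token_bytes(32)
        self._machines = {s: set() for s in issued_serials}
        self._revoked = set()
        self.audit_log = []  # (serial, machine_id, outcome) for every request

    def _sign(self, serial, machine_id):
        msg = f"{serial}|{machine_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def _decide(self, serial, machine_id):
        if serial not in self._machines:
            return "unknown-serial"
        if serial in self._revoked:
            return "revoked"
        seen = self._machines[serial]
        # machine_id is reported by the client, so it is only a counter of
        # distinct installs, not proof of which hardware is asking.
        if machine_id not in seen and len(seen) >= MAX_MACHINES:
            return "limit-exceeded"
        return "ok"

    def activate(self, serial, machine_id):
        """Return a token bound to (serial, machine_id), or None if refused."""
        outcome = self._decide(serial, machine_id)
        self.audit_log.append((serial, machine_id, outcome))
        if outcome != "ok":
            return None
        self._machines[serial].add(machine_id)
        return self._sign(serial, machine_id)

    def verify(self, serial, machine_id, token):
        """Online re-check, e.g. before serving an update or hosted feature."""
        if serial in self._revoked:
            return False
        if machine_id not in self._machines.get(serial, ()):
            return False
        return hmac.compare_digest(token, self._sign(serial, machine_id))

    def revoke(self, serial):
        self._revoked.add(serial)

    def leaked_serial_candidates(self):
        """Serials that hit the machine limit: likely shared or published."""
        return sorted({s for s, _, o in self.audit_log if o == "limit-exceeded"})


if __name__ == "__main__":
    server = ActivationServer({"AAAA-1111", "BBBB-2222"})  # constructed serials
    for machine in ("pc-home", "pc-work", "pc-unknown-1", "pc-unknown-2"):
        print(machine, "->", "ok" if server.activate("AAAA-1111", machine) else "refused")
    print("review:", server.leaked_serial_candidates())
```

The check the installed program runs on the returned token still executes on the user's machine and can be removed like any other check, as the answers above say. What this design protects is whatever the server itself hands out, plus the audit trail of which serials are being shared.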

2

There are different types of software which have protections.

When you take the example of Windows 7, it's obvious that the answer is no, simply because the PC architecture and PC programming is very well known.

But if you consider other hardware, like the PS3, the PSP and the iPhone, it's utterly different, mainly because the manufacturer has the control over everything, not just the software anymore: they can make the hardware run only genuine software, and this requires good hacking skills to break those.

You should take a look at the Microsoft Longhorn project back in the day: at the time they wanted to implement chips to check whether your software was genuine or not. Theoretically it would have been very difficult to hack, but they didn't do it because it would have been very intrusive.

jokoon