Duplicate key checking over the Internet as an anti-piracy tactic
September 15, 2004 3:18 PM   Subscribe

Why don't the software companies use the internet to see if two people are on the internet and using the same software license on two separate machines (as defined by IP address, or serial number, or whatever)? This seems like such a basic anti-piracy strategy, and even if it's easily flauted by the technorati, that still means that 95% of users, and maybe 80% of pirates, will be foiled by it. But no one seems to do this. Why? (I've often wondered the same thing about speeding tickets; there have to be more cost-effective ways of catching speeders than paying highway patrolmen to sit there -- is lax enforcement synonymous with tacit endorsement, while still allowing the enforcers to profit by penalizing the occasional transgressor?)
posted by blueshammer to Computers & Internet (17 answers total)
Some programs have done this, or at the very least, something like it. I remember I, um, circumvented the registration on some program once and it popped up a message regarding whether it was wise to do such things in the age of ubiquitous internet connection, particularly when this program was made to do it's thing via the internet.

This would not prevent people who use serial key generators, nor would it prevent people who crack the program -- they'd just remove the code that called the company's server to identify itself. This would *only* prevent people who used identical serial numbers to other people. I'd argue this is a pretty small group.
posted by RustyBrooks at 3:22 PM on September 15, 2004

Well, for one thing it assumes that people will be connected to the internet while the software is in use, and that if they are connected to the internet, they will permit the software to initiate or receive connections. Given the array of problems awaiting even the casual 'net user on their home dialup, to say nothing of people fiddling about with home LANs, it's a fair bet that lots of trouble would arise. For example, if your company loses its net connection, does it mean I can't use your software while your link is down? How many clients do you think would like that, and how fast do you think a competitor would take advantage of the situation?

The net result would be a large increase in the number of calls to tech support, which would in turn require troubleshooting innumerable LAN/ISP configs, and software companies generally like to minimize tech support. They would be unable to minimize THIS tech support, since it would directly affect their sales. Giant pain in the ass for them, and expensive too.

Second, corporate users will typically not allow this sort of authentication. Period. Crackers then simply attack the "corporate versions" of the software, defeating the mechanism and rendering the whole consumer-level security expenditure meaningless.

...so the software firm in question would find themselves spending out the ass on tech support, for little to no additional security. The most common solution, in recent history, is "product activation" which, as we've seen, isn't perfect.
posted by aramaic at 3:53 PM on September 15, 2004

Historically, or so the story goes, large software companies have turned a blind eye to piracy. As long as they're rich enough, it makes sense that everyone uses their software. (Larry Ellison famously said that it's not enough that you succeed, your enimies have to fail) Smaller companies can't think like that, so in the small business sector there have been serious efforts to combat piracy.

A couple of reasons (extra to other peoples comments) why software doesn't "phone home" before every use.

1. It's a lot harder to do than you'd think. smaller companies couldn't cope with 10,000 people logging on at 9.00am to see if the software is allowed to work. This is because of bandwidth, server shortages, technical ability. (All three are less of a hurdle now)

2. privacy issues. for some reason, people don't take too kindly to software that passes information back to the supplier.

Product activation is being used more and more though. With the increased usage of the internet, easier access to TCP/IP libraries and a more resiient network, I see it as a matter of time before your ideas are implemented.

As a matter of interest, Microsoft may already be implementing it in a limited sense with the activation of Terminal Services Client Access Licences. I was told last week by an MS support guy that Licences held on a licence server are checked regularly against the Microsoft server. Don't know if this is true, but that's what I was told.
posted by seanyboy at 4:19 PM on September 15, 2004

It's also interesting to note, that by accident, many new software products (thinking specifically of MMORPG's) have this functionality built in.
posted by seanyboy at 4:22 PM on September 15, 2004

It's also interesting to note, that by accident, many new software products (thinking specifically of MMORPG's) have this functionality built in.

Well, I have lots of apps that don't do anything if you don't have an Internet connection, but that's not the same thing as phoning home to validate a serial number.
posted by jjg at 4:41 PM on September 15, 2004

A lot of software runs behind corporate firewalls. All the servers checking ip addresses would see is one single address for however many employees are using the software. Lock those people out and you've guaranteed that you'll fail as a business. In addition many home users do the same thing, even though they don't know it. Have wireless? Run more than one computer? Then you're sharing an external ip address.
posted by substrate at 4:55 PM on September 15, 2004

Office X on the macintosh behaves this way, and there was, er, a fix for it.

Every once in awhile, while doing the internet thing at a coffee shop, I would be informed that someone was using the same copy that I was, and I'd look around to see who else was wearing the eyepatch.

Office X, of course, only behaves this way when it's connected to a network, so it's *additional* copy protection, and would probably remind businesses of the need to buy additional licenses that they might otherwise have "forgotten" to do.
posted by fishfucker at 5:08 PM on September 15, 2004

Online games do this all the time.
posted by falconred at 5:26 PM on September 15, 2004

Adobe does the same thing with its software, or at least Photoshop as far as I know. If your copy of Photoshop suddenly decides to quit right after launching, that's why. It's happened twice on me because I did not go through the routine right after installation to prevent Photoshop from phoning home. It takes about a year from installation to deactivation in my experience.
posted by emelenjr at 5:33 PM on September 15, 2004

Have you ever cracked commercial software? This is just another type of copy protection, and just as likely to be broken as any other. Hell, there are cracks for hardware dongles, so don't expect any method to foil those who actually want to pirate software. Not that I would know anything about that.
posted by uncleozzy at 6:00 PM on September 15, 2004

In the world of Graphic Design this is in fact what later versions of QuarkXpress do. If you have a site license for Quark you must "check in" your copy of Quark to a central server which verifies that you are not using more versions of the software than you have paid for.

The problem of course is what happens when you cannot check in the software because your connection is down or are on a laptop or what have you.

To take care of these issues, Quark issues "Emergency" serial numbers good for 24 hours, which if you use them, you must then apply for a new one.

So how do you get these "Emergency" numbers? By e-mail, of course, which doesn't work if your ... connection is down.

This complex system takes more time to make work than you might think. And what happens if it doesn't work? Take a look.
posted by jeremias at 7:11 PM on September 15, 2004

I know of one product that does this, or something similar anyway. Periodically, it will connect to the internet (it's not at all an internet-related application) and then contact the company and "revalidate" your serial number. This gives the company the means to yank a serial number if it becomes widely spread, as sometimes happens when people trade installers with a serial # over P2P, etc.

The fallout for them was that everyone hates the feature, finds it annoying as hell, and the new version of their product, which has this security feature, isn't getting the high praise that all their former products did. This is probably because you *must* be connected to the internet in order to use the product, even though it's just a video processing app. I guess this leaves some people up shit creek.
posted by scarabic at 8:03 PM on September 15, 2004

"Why don't the software companies use the internet to see if two people are on the internet and using the same software license"

Because, simply put, people like me won't pay money for their fucking trojan horse. Or because anyone with a grain of sense in their head will use one of those little "personal firewall" applications to deny network access to the application.

Either trust me as a customer and keep me, or distrust me and lose.
posted by majick at 8:30 PM on September 15, 2004

I believe that one of the Office X updates actually killed that, um, feature.
posted by anathema at 8:40 PM on September 15, 2004

That sort of checking would rule out anyone trying to get their small office a redundant internet connection.

IOW, it would needlessly piss off the VERY FEW users buying the software as is.
posted by shepd at 11:24 PM on September 15, 2004

Plus I'm not buying any software that relies on the company staying in business. And just because your a big company doesn't let you off the hook. 10 years ago who would have thought you couldn't contact DEC.
posted by Mitheral at 10:41 AM on September 16, 2004

just to reiterate what other people have said here: it's been done. and it's been defeated. Most of the time it goes like this: company writes a program that periodically checks to see if the registration is valid. Then a Hacker/Cracker writes a program that either: takes out this registration check altogether, or uses a Man in the middle attack to intercept these checks, and automatically return a "this serial number is ok" response.

The only way have registration work is when the application requires use of a secured central server for it's basic functionality. For example, in online gaming, the game (Ex: counter-strike) requires information from the server, and the server requires authentication, so there's pretty much no getting around that. (Yes, you can find servers that do not require authentication, but that is rare. I think most server owners think registration is a good thing).

So the basic rule is: if a program does not require the use of a secured central server for it's basic functionality, then it can be cracked. and probably will be.
posted by escher at 11:00 AM on September 16, 2004

« Older Looking for a reliable power c...   |  AutoFilter (1995 Nissan Sentra... Newer »
This thread is closed to new comments.