Security through deception

Posted by user on 03 Jan 2010

In battle, use direct forces to match the enemy and use indirect forces to win the enemy. - Sun Tzu

A trick to protect yourself from burglars is to have in an obvious - but not too obvious - place a reasonable amount of cash.

An opportunity burglar - not the one after your Matisse - is looking for easy money. When the front door is locked, most of them give up. The most resilient may break a window and perhaps pick a simple lock, but don't expect anything fancy.

Once in, there are only two objectives:

  1. Steal something small and valuable (I'm not sure that carrying around your 46" television is of any interest to the average thief);
  2. Get the hell out.

Which means that leaving an envelope in a drawer near the entrance containing a plausible amount of money (let's say 200 €) is a form of insurance. The thief will think he found your stash, decide that 200 € for one night is pretty decent and consider objective #2. Your other valuables are protected.

This is how you want to design your copy protection.

Buy a cheap over-the-counter copy protection. Let the cracker beat it. Let him think he won. The real protection isn't there.

Add your own custom integrity checks within the software (don't use the copy protection you bought for this, and make sure the compiler does not factor your separate checks into a single shared routine). Make the software unusable after a reasonable amount of time. Example: randomly overwrite a memory region after 200 clicks.

How to write code integrity checks? Read a code segment, hash it and make sure it's what you expect. In C/C++ it's just a matter of using the function's address. Feel free to review our related consulting services.
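The check described above, as an added example that is not the author's code. It assumes GCC or Clang on a platform where code pages are readable (typical x86-64 Linux); `license_gate`, `CODE_WINDOW` and the helper names are hypothetical, and the expected hash is taken at startup as a stand-in for a value recorded after the build.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CODE_WINDOW 16 /* assumption: bytes hashed from the function's entry */

/* Hypothetical routine to protect; noinline (GCC/Clang) keeps a real body. */
__attribute__((noinline)) int license_gate(int x) { return x * 31 + 7; }

/* FNV-1a 64-bit: small and non-cryptographic, enough for a demo. The volatile
   reads stop the compiler from folding or merging repeated checks. */
uint64_t fnv1a(const volatile unsigned char *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* The function's address gives us a pointer to its machine code. */
const volatile unsigned char *code_start(void) {
    return (const volatile unsigned char *)(uintptr_t)license_gate;
}

/* Hash the live code bytes. */
uint64_t hash_code_window(void) { return fnv1a(code_start(), CODE_WINDOW); }

/* 1 if the code still matches the expected hash, 0 otherwise. */
int code_is_intact(uint64_t expected) { return hash_code_window() == expected; }

/* Constructed tamper: hash a copy of the code with one byte changed, as a
   patched instruction would change it. The real code is never written. */
uint64_t hash_patched_copy(size_t offset, unsigned char mask) {
    unsigned char copy[CODE_WINDOW];
    const volatile unsigned char *code = code_start();
    for (size_t i = 0; i < CODE_WINDOW; i++) copy[i] = code[i];
    copy[offset % CODE_WINDOW] ^= mask;
    return fnv1a(copy, CODE_WINDOW);
}

int main(void) {
    /* Stand-in for a hash recorded after the build and embedded in the binary. */
    uint64_t expected = hash_code_window();
    printf("intact code matches:  %d\n", code_is_intact(expected));
    printf("patched copy matches: %d\n", hash_patched_copy(0, 0x01) == expected);
    return license_gate(1) == 38 ? 0 : 1;
}
```

In a shipped build the expected value has to be computed from the final binary, since any recompilation or change of optimization level changes the bytes being hashed.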

Users will come to your forums, mail support and complain about the crashes. You got yourself a pretty decent opportunity to sell a legitimate license to pirates. Don't worry, if people like your software and the price is right, they'll buy it. People who don't aren't potential customers in the first place.

It is paramount to evaluate with accuracy and fairness how much piracy costs you. One pirated license does not equal one lost sale; it's an order of magnitude less.

When you spend time implementing and testing copy protection, you're not implementing new features or fixing bugs. Keep in mind you could be driving your motorbike along those wonderful curvy roads. Wait. That's not what you're doing. You're implementing some sort of copy protection mechanism because a student with too much free time is going to reverse engineer your software and write a key generator for it.

Remember that your goal is to sell software and be profitable. For each piece of software there is an optimal amount of copy protection. Sometimes this amount is zero. The obvious case is free software; the less obvious case is software that needs to gain notoriety.

Adding more copy protection than needed is a huge waste of time and money, not to mention the annoyance you may cause to your legitimate users. If you have played games with overzealous copy protection, you know what I mean.

See piracy as competition. See it as the lowest segment of your price grid. You want to make sure it's hard to find a working illegitimate copy, hard enough to make buying a license attractive. It must be so much easier to buy the software from you than to get the illegal copy that your customers will quickly dismiss the latter.

You cannot prevent piracy, but you can prevent it from harming your business.
