Seminar on Software Piracy Risks and Strategies

We were in San Francisco at The Palace Hotel last week for a private luncheon and seminar on software piracy risks and strategies.

The hour long session focused on:

• V.i. Labs’ software piracy research for high value applications
• Aggregate results and data from our deployed customers using piracy detection and reporting
• New features and benefits in CodeArmor Intelligence 2.0 which give ISVs the ability to identify and report on unlicensed use of software

Our guests included representatives from various software vendors who are responsible for licensing, compliance or piracy efforts, and their feedback was overwhelmingly positive - especially the aggregate data and revenue recovery results from our deployed customers.

While it does seem odd to blog about an event and not include any photos of the audience, we do, of course, respect their privacy given the nature of the topics discussed.

Given their response to the information presented, we are happy to schedule private briefings with qualified software vendors to review this new material - just email me at mgoff [at] vilabs.com.

- Michael

Software Piracy Research - Who Knew?

As frequent readers know, we do a lot of original research on software piracy to better understand and quantify the risks to software vendors. In July, we issued a report focused on a review of crack releases and piracy enablement approaches. We followed up in September with a report on software piracy distribution channels and networks.

Our September research was the focus of recent articles on Computerworld by Eric Lai and The Register by John Leyden. Not surprisingly, many of the comments to the articles (and on Slashdot) were variations on the theme of "This is not news" (other comments weighed the relative merits of different channels for obtaining unlicensed software, and some defended/rationalized the practice of obtaining software without paying for it).

Our response? Of course this is not news to the people who have been downloading unlicensed software from these channels! It is, however, important for the software vendor community to understand the wide range of distribution channels where their unlicensed software can be downloaded.

More than one commenter echoed our opinion that trying to take down file sharing sites is like playing "whack-a-mole" - even in the face of the BSA doubling the number of takedown notices it had issued in the first half of 2009.

Given this, a piracy business intelligence approach makes more sense and is more effective. By leveraging these decentralized and well organized piracy distribution channels, vendors are recovering license revenue from the businesses that are actually using their software without paying for it.

-Michael

New Version of CodeArmor Intelligence, Real Data, and New Piracy Research

Today we announced CodeArmor Intelligence 2.0 - here's a short three minute video that Vic did covering some of the aggregate data our deployed customers have shared with us along with highlights on some of the new features (including dynamic notification capabilities and enhanced data collection and reporting):

We also announced the latest report in our Piracy Risk Assessment research series. Part 2 focuses on "Software Piracy Distribution Channels and Networks" and is available today (Part 1 focused on Crack Releases and Piracy Enablement Approaches). Part 3 of the series will assess the trends and overall piracy activity levels for specific software markets using metrics based on piracy group activity.

- Michael

Holy Piracy Twist Batman!

OK, so forgive the title of this post, but how often do I get to talk about anti-piracy approaches from the gaming world that have interesting implications for the larger ISV community?

I came across "Eidos Sets Sneaky Trap for Arkham Asylum Pirates" and was really impressed by one approach Eidos took to address piracy.

According to the article: "On the Eidos forums, a user by the name of Cheshirec_the_cat announced a problem he was having with the game, which he apparently downloaded for free. Let’s just say Eidos’s response is absolutely hilarious."

Cheshirec_the_cat (The Pirater):

“Hi!
I’ve got a problem when it’s time to use Batman’s glide in the game. When I hold , like it’s said to jump from one platform to another, Batman tries to open his wings again and again instead of gliding. So he fels down in a poisoning gas. If somebody could tel me, what should I do there.”

Keir (Eidos Admin):

“The problem you have encountered is a hook in the copy protection, to catch out people who try and download cracked versions of the game for free.

It’s not a bug in the game’s code, it’s a bug in your moral code.”

Now, we all know that the gaming world is very different from business software and high value applications, but the approach taken here is very interesting and could be applied by a wider range of ISVs.

When your application detects that it has been tampered with to enable piracy, have it escalate through an appropriate series of responses to alert the user or company to the fact that the application is being used illegally. This could start with a simple notification and eventually lead to altering the behavior of the application.This approach gives ISVs more control and lends itself to a dialogue with the infringing organization.

What do you think of this approach?

As a side note, I enjoyed "MartinDude's" comment on the article and his (grudging?) respect for this approach:

"Although I can’t say I never pirated anything, I can really appreciate a thing like this against “us pirates” :D Keep it up! :)"

Relying on Anonymous Tipsters to Confront Software Piracy?

Ars Technica has an interesting article about a company accused of software piracy that has sued the anonymous tipster claiming defamation. The DC Court of Appeals has allowed the case to proceed with instructions to the trial judge on the guidelines to apply when determining whether to reveal the identity of the anonymous tipster. The case highlights the importance of vetting sources and having solid evidence before pursuing businesses using pirated software.

"The case started with an anonymous complaint submitted to the Software & Information Industry Association, which (much like the Business Software Alliance), allows anyone to finger institutions for using pirated software. In this case, the person who submitted the complaint suggested that a company that makes software for the Defense Department, Solers, Inc., was engaged in piracy. The SIIA sent Solers a threatening letter, suggesting it undertake an audit of its compliance and return the results.

Solers argued that it was in compliance, and requested the identity of the John Doe who had turned it in. When the SIIA declined to identify him, the company filed a complaint, alleging that the anonymous tip amounted to defamation, and that it interfered with the company's ability to do business. As part of the suit, Solers subpoenaed the SIIA, demanding it turn over all the information it had on John Doe. The SIIA went to court in an attempt to quash the subpoena. The presiding judge agreed, but Solers appealed, leading to the current decision.

...

In short, the plaintiff [Solers] has to provide evidence that its claims are reasonable and the identity of the defendant [the anonymous tipster] is needed before the suit could continue. The defendant should also be given the opportunity to attempt to block his or her unmasking in court."

This is a great example of one of the big challenges that ISVs have when trying to recover revenue from businesses using their software without paying for it. In many cases, ISVs rely on someone to "drop a dime" and report the infringement. After that, there is a request/demand/court order for a software license audit that the accused infringing business often challenges (as happened in the Solers case).

Beyond the additional time and steps required to address these challenges, the accused business will likely challenge the motives of the tipster (especially if it is a "disgruntled ex-employee"), distracting attention from the underlying claims and issues at hand. Interestingly, Ars Technica used a picture of the mask from "V for Vendetta" to illustrate its article.

It seems like a better solution for ISVs (and the SIIA and BSA) is to have evidence of infringement before confronting or accusing a business of using its software illegally. Faced with detailed data showing actual and continued use of unlicensed applications, the accused business loses its ability to delay and distract by shifting the focus to the anonymous tipster.

That is the benefit of piracy business intelligence - it's automatic software auditing that lets the ISVs know when their applications are being used unlicensed and who is using them.

- Michael

Software Piracy Initiatives Forum

How big is the software piracy problem globally? How big is the impact on your company's bottom line? How does your company measure it? What are you doing to address it?

The piracy scene is well organized and successful in its efforts to obtain and distribute software. Shouldn't the software industry be even more organized and successful in its efforts to address and confront it?

V.i. Labs is sponsoring a new group on LinkedIn - the Software Piracy Initiatives Forum to give software vendors a venue for discussing these issues and share their experiences to minimize piracy's impact on the industry.

If you are responsible for analyzing and addressing the impact of overt piracy and license overuse or interested in getting a better understanding of the software piracy scene in general, please join the group and contribute to advancing the industry's efforts to combat piracy.

- Michael

Free Automated Software Piracy Alerts from V.i. Labs

Leveraging the infrastructure we have built to conduct our original research, we are now offering a free automated software piracy alert service for ISVs. Verified employees of software vendors can now receive an email alert when new piracy activity on their applications is detected.

Each piracy alert will let you know:

• Which software title and version has been cracked
• When the cracked version was released
• The name of the crack group responsible for the release
• The piracy crack approach used

Sign up now: www.vilabs.com/piracyalerts

V.i. Labs Software Piracy Risk Assessment Report - July 2009

We have been continuing to gather and analyze data on software piracy since we issued our first reports last summer and are ready to issue the first part of our Software Piracy Risk Assessment Report.

The first installment is a detailed review of crack releases and piracy enablement approaches. Tampering or bypassing the embedded license enforcement is a key enabler of piracy. Most high value applications have adopted third party licensing systems to enforce software entitlements for their customer base.

We reviewed 83 separate piracy group distributions of cracked software that were released between 2007 and 2009 from 39 Independent Software Vendors (ISVs). These high value applications have an average list price exceeding $4,000 (USD) per user seat and are used for Architecture Engineering and Construction (AEC), Computer Aided Design (CAD), Computer Aided Machine (CAM), Computer Aided Engineering (CAE), Electronic Design Automation (EDA), Product Lifecycle Management (PLM), and other specialized engineering and scientific modeling and analysis.

Interestingly, the top five piracy groups (out of 212) contributed 59% of the cracked releases in the study.

All of the pirated software releases used a crack mechanism or other approach to tamper with license enforcement and enable illegal use. However, there was a great range in terms of how well documented the cracks were and the level of expertise required to configure the crack. Three general approaches were used (click image to enlarge):

• Binary patches (52% / 43 releases)
• Key maker (36% / 30 releases)
• Vulnerability (12 % / 10 releases)

The analysis also revealed that the piracy groups and the reverse engineering talent they recruit can tamper with a variety of hardware and software based licensing systems to enable overt piracy. Strengthening licensing using hardware dongles or tamper resistant licensing may be useful prevention for overuse within a licensed customer environment, but it should not be viewed as a defense against overt piracy.

To learn more about the results of the research, the complete report is available for download here.

- Vic

Goldman Sachs Code Theft - Mitigating the Risks

Software Protection is not the panacea for code theft issues like the one that occurred with Goldman Sachs. In fact, this case is very similar to the 2004 insider code theft of Cisco’s IOS code. However, outside of just stronger access control and perimeter security measures, these threats do suggest a closer look at how to securely share valuable IP contained within code in a distributed and rapid software development process.

Although there are few details in terms of the development platform of the application and the exact access the alleged thief had, organizations should consider a few options to mitigate the risk of theft of sensitive IP within code:

• If managed code is involved, protect it - If the development language is managed (Microsoft .NET or Java), code obfuscation and encryption most be used. Even once the applications are compiled, it is only partially compiled into an intermediate language which is easily decompiled into source code representation. Another alternative is to place the sensitive IP into an unmanaged component to minimize exposure.
• Create protected APIs - If the software development process requires the use of outsourced development partners or contractors, create an application programming interface that contains the sensitive IP within compiled application components versus sharing the source. Although this would obviously require additional work by the organization, an API option that uses compiled binaries allow more options to use software protection and harden the API against reverse engineering.
• Embed threat detection and reporting – Add threat detection and reporting mechanisms (sometimes referred to as phone home systems) to the application itself. This approach can be used to continuously test for tampering or installation in unauthorized networks, and if a threat exists, notifies the owning organization in real-time. This presumes that the enterprise application (or in the context of this discussion a protected API) is designed to be deployed within specific networks, data centers or hosting partner networks.

Gartner's Neil MacDonald blogged about this news ("Security No-Brainer #7: If You Have Intellectual Property Embedded in Software, Protect it") and Gartner's "Hype Cycle for Cyberthreats (2006) coined a term for the emergence of software IP threats as enterprise code reverse engineering (“Definition: Enterprise code reverse engineering is reverse engineering of enterprise application
code for the purposes of targeting vulnerabilities or stealing intellectual property.”).

We believe as general perimeter, application, and physical security improves, hackers, foreign governments and competitors will increasingly turn to reverse engineering tactics to access valuable software IP or alter it for malicious purposes. In these threat scenarios software protection and threat detection reporting can play an important role in mitigating these risks.

- Vic

Latest Spam uses Yahoo! Profiles and Cheap Software prices to Capture Credit Card Data

For the last month (at least from my inbox perspective) spammers have been using the Yahoo! personal profile interface to send spam with cheap software offers (see image 1).

Image 1: Email with Yahoo profile reference (click to enlarge)

The ploy attempts redirect users to an authentic looking web site offer software at prices too good to be true (image 2). The IP address of the site can tracked to an IP address assigned in China and hosted on a server that includes over 400 other gambling and software commerce sites.

Image 2: Homepage of Web site offering to sell pirated software (click to enlarge)

Further navigation of the site reveals a checkout form with all the right images to lure the unsuspecting user to enter their credit card information and buy low priced software.  However, it should be obvious to most users who purchase anything on the Web that this site is a scheme to grab credit card data.  Although a secure connection symbol is shown, the form itself asks for credit card information over a non-SSL session. Also, the BBBOnline program (which no longer is operational) VISA, and TRUSTe seals do not provide a link for verification (image 3).

Image 3: Checkout form on false commerce site (click to enlarge)

I would hope that it is completely obvious to users with some internet experience that they should not trust this site or the method used to arrive at the site. However, given that it is relatively cheap to host hundreds of these sites using virtual servers and leverage Yahoo! to promote them, it probably only takes one uninformed user to justify this criminal approach.

- Vic