Stack Exchange
This Q&A is part of a weekly series of posts highlighting common questions encountered by technophiles and answered by users at Stack Exchange, a free, community-powered network of 100+ Q&A sites.
maq asks:
Why does it seem so easy to pirate today?
It just seems a little hard to believe that with all of our technological advances and the billions of dollars spent on engineering the most unbelievable and mind-blowing software, we still have no other means of protecting against piracy than a "serial number/activation key." I'm sure a ton of money, maybe even billions, went into creating Windows 7 or Office and even Snow Leopard, yet I can get it for free in less than 20 minutes. Same for all of Adobe's products, which are probably the easiest.
Can there exist a fool-proof and hack-proof method of protecting your software against piracy? If not realistically, could it be theoretically possible? Or no matter what mechanisms these companies deploy, can hackers always find a way around it?
See the full, original question here.
Running code
Tim Williscroft answers (45 votes):
Code is data. When the code is runnable, a copy of that data is un-protected code. Unprotected code can be copied.
Peppering the code with anti-piracy checks makes it slightly harder, but hackers will just use a debugger and remove them. Inserting no-ops instead of calls to "check_license" is pretty easy.
- Hard-to-hack programs do progressively more annoying things.
- But vendors have to sell customers software they are prepared to use.
- Not everyone allows computers to phone home.
- Some people working on sensitive stuff refuse to connect machines to the Internet.
Programs I sell at my current employer (aerospace tools) don't phone home ever. The customers wouldn't tolerate phoning home for "activation" every time the program starts.
Worst case, the program runs in a VM with no networking, where it's always a fixed date.
So it might have been legitimately installed once, but no efforts on the part of the developers can have it tell that it's not how it was.
- Attempts to add hardware "copy prevention" to general purpose computers are doomed to failure.
- Whatever company sells hardware without copy prevention ends up selling all the hardware.
- Vendors like Dell and Intel progressively try to introduce spy-hardware like Palladium, but they are strongly resisted.
- When the computer is doing something scientific, real-time, any interruptions to "check for pirated content" will cause failures. If all computers had hardware DRM, the special scientific/realtime ones would have to not have it. Accidentally everyone would buy special scientific/realtime ones.
- Hardware DRM checks will have false positives on some kinds of content.
- Simplest case: resolution. I record Quad HD video from my camera array (sitting on my desk right now). Windows DRM gets between me and the data because it's QuadHD.
- Signature analysis: The Hardware DRM is small and has a relatively fixed data set. It also has to use the same data bus as the CPU so it slows things down intermittently. This ruins anything realtime.
- So then to make the Hardware DRM smarter during a false positive your computer will eventually get interrupted to go and check using a Web service. Now my science data processor either fails because it isn't networked, or stops streaming data.
Trade-offs
Péter Török answers (20 votes):
IMHO a fundamental problem is that most or all of the "foolproof and hack proof" methods* of protecting software against piracy also annoy or even drive away the innocent and legal users.
Checking that the app is installed only on a single machine may make it difficult for a user to change hardware in their machine. Hardware dongles may mean you can't use the same app on your work and home machines. Not to mention DVD area codes, CSS, the Sony rootkit et al., which are not strictly for software protection, but closely related.
*As @FrustratedWithFormsDesigner noted, "foolproof and hack proof" methods are never perfect in practice; there is no 100 percent safety, you can only try to make it costly enough for an intruder to break the defense so that there won't be "too many" of them. And I believe it is due to the fundamental nature of software and digital information, that once someone manages to break a particular defense, the break can almost always be trivially replicated by millions.
Pirates own the hardware
Anon. answers (19 votes):
Ultimately the big problem is that most software involves handing both the lock and the key to the potential attacker and hoping they don't figure out how to put them together.
The only secure method of protecting software is not giving it to the user. You'll notice you can't "pirate" Google Docs, for example. Ultimately, if you're trying to secure something, you have to assume they have full knowledge of anything you give them. You can't trust the client. This applies to preventing piracy just as much as it does to protecting a system against being compromised.
Since the existing software distribution models are based around giving the client the whole package and then attempting to protect it on hardware the potential attacker controls, the distribution model is incompatible with any concept of "unpirateable" software.
Freedom is foolproof
Orbling answers (11 votes):
There is only one "fool proof and hack proof method of protecting your software against piracy": free software. (As in you can do what ever you want with it, even sell it.)
You can not steal what is freely given. Granted, that'll muck up some dinosaur companies software models, but piracy is going nowhere. Sell something you can't copy, preferably something that accompanies what you gave away free; your help for instance.
Sell your wares
Bob Murphy answers (10 votes):
You ask, "Why is it that software is still easily pirated today?"
The answer is: It's more profitable to sell software that's easy to pirate.
When deciding about anti-piracy measures, companies do a cost-benefit analysis. For any given set of measures, if the benefits don't outweigh the costs, the company doesn't do it.
Costs include time and effort to implement, document, support, and maintain the measures, and perhaps sales losses if they're really annoying. Generally speaking, there are two kinds of benefits:
- Larger profits because people who would have pirated the program bought it instead.
- The people who make decisions are happy the program isn't getting pirated.
Here's a simple example: Microsoft Office.
Now, MS is all about the money, and not so much about making execs happy about piracy. For some time, MS has been selling a "Home and Student" edition of Office for way cheaper than the "normal" edition for business. I bought this a few years ago, and it had no copy protection at all! And the "anti-piracy" technology consisted of entering a product key which was then stored in the application folder. But you could run it on as many computers as you wanted simultaneously, and they'd all run fine! In fact, on the Mac, you could drag the application folder across the network to another computer where you'd never done an installation, and because the product key was stored with the application, it ran great.
Why such pathetic anti-piracy technology? Two reasons.
The first is because the added cost of tech support for home users screwing up their installations was just not worth it.
The second is the non-technical anti-piracy measures. MS has a whistleblower program where if you know a company has pirated MS software—like installing 200 copies of the same "Home and Student" Office—you can give them a call. Then MS comes in and audits the company, and if it finds pirated software, sues the crap out of them—and you get a big cut of the winnings.
So MS doesn't have to use technology to prevent piracy. They find it more profitable to just use cold, hard cash.
Find more answers or leave your own answer at the original post. See more Q&A like this at Programmers, a question and answer site for professional programmers interested in conceptual questions about software development. If you've got your own programming problem that requires a solution, log in to Programmers and ask a question (it's free).
