On May 29, 2009, at 8:48 AM, Peter Gutmann wrote:

Jerry Leichter <leich...@lrw.com> writes:

For the most part, software like this aims to keep reasonably honest
people honest. Yes, they can probably hire someone to hack around the
licensing software.  (There's generally not much motivation for J
Random User to break this stuff, since it protects business software
with a specialized audience.) But is it (a) worth the cost; (b) worth
the risk - if you get caught, there's clear evidence that you broke
things deliberately.

I think a far more important consideration for license-management software isn't "how secure is it" but "how obnoxious is it for legitimate users"? I know a number of people who have either themselves broken or downloaded tools to break FlexLM and similar schemes, and in every single case they were legitimate users who were prevented from using their legally purchased product by the license-mismanagement tools, or who after spending hours or even days fighting with the license-mismanagement software found it easier to break the protection than to try and figure out what contortions were required to keep the license-checking code happy....

I agree 100%.

The most important thing to keep in mind when doing license management software is that it has *NO* value to the *customer*. The guys who sell this stuff will always claim that it "helps the customer keep track of licenses" or some such rot - but it's complete nonsense. In fact, license management code has *negative* customer value. That doesn't mean it doesn't have a legitimate role - the cash registers in the supermarket add a negative value to all the sold, but the supermarket wouldn't be there without them. But unless you understand, deep down, that this is something that you're imposing on your customer and that therefore it needs to be as close to invisible and fail-safe as possible; and you act *effectively* on that basis - you're just going to encourage circumvention or a search for alternatives to your software.

                                                        -- Jerry

The Cryptography Mailing List