Re: consulting question.... (DRM)
John Gilmore wrote:
> ...
> PPS: On a consulting job one time, I helped my customer patch out the license check for some expensive Unix circuit simulation software they were running. They had bought a faster, newer machine and wanted to run it there instead of on the machine they'd bought the "node-locked" license for. The faster their simulation ran, the easier my job was. Actually, I think we patched the Unix kernel or C library that the program depended upon, rather than patch the program; it was easier.

Kernel. Instead of calling the subroutine that would retrieve the 32-bit hostid from the PROM, you just did a load immediate with the right number. The instructions were the same length, so everything worked fine :)

Not that I know of any places that actually did this, of course :)

/ji

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: consulting question.... (DRM)
On May 29, 2009, at 8:48 AM, Peter Gutmann wrote:
> Jerry Leichter writes:
>> For the most part, software like this aims to keep reasonably honest people honest. Yes, they can probably hire someone to hack around the licensing software. (There's generally not much motivation for J Random User to break this stuff, since it protects business software with a specialized audience.) But is it (a) worth the cost; (b) worth the risk - if you get caught, there's clear evidence that you broke things deliberately.
>
> I think a far more important consideration for license-management software isn't "how secure is it" but "how obnoxious is it for legitimate users"? I know a number of people who have either themselves broken or downloaded tools to break FlexLM and similar schemes, and in every single case they were legitimate users who were prevented from using their legally purchased product by the license-mismanagement tools, or who after spending hours or even days fighting with the license-mismanagement software found it easier to break the protection than to try and figure out what contortions were required to keep the license-checking code happy.

I agree 100%. The most important thing to keep in mind when doing license management software is that it has *NO* value to the *customer*. The guys who sell this stuff will always claim that it "helps the customer keep track of licenses" or some such rot - but it's complete nonsense. In fact, license management code has *negative* customer value.

That doesn't mean it doesn't have a legitimate role - the cash registers in the supermarket add a negative value to all the sold, but the supermarket wouldn't be there without them. But unless you understand, deep down, that this is something that you're imposing on your customer and that therefore it needs to be as close to invisible and fail-safe as possible; and you act *effectively* on that basis - you're just going to encourage circumvention or a search for alternatives to your software.

-- Jerry
Re: consulting question.... (DRM)
Jerry Leichter writes:

> For the most part, software like this aims to keep reasonably honest people honest. Yes, they can probably hire someone to hack around the licensing software. (There's generally not much motivation for J Random User to break this stuff, since it protects business software with a specialized audience.) But is it (a) worth the cost; (b) worth the risk - if you get caught, there's clear evidence that you broke things deliberately.

I think a far more important consideration for license-management software isn't "how secure is it" but "how obnoxious is it for legitimate users"? I know a number of people who have either themselves broken or downloaded tools to break FlexLM and similar schemes, and in every single case they were legitimate users who were prevented from using their legally purchased product by the license-mismanagement tools, or who after spending hours or even days fighting with the license-mismanagement software found it easier to break the protection than to try and figure out what contortions were required to keep the license-checking code happy.

I've experienced this myself with a software tool I use. There are some (as I found out after several hours of searching support forums) well-known problems with it that the vendor doesn't seem interested in fixing, and that you can eventually resolve either with some registry hacks and other low-level changes or by downloading haxor tools that'll achieve the same result with a few minutes' work (just for the record, I took the multi-hour route).

So if your license-management software is sufficiently obnoxious that it turns legitimate users into DMCA-violators, you have a problem.

Peter.
Re: consulting question.... (DRM)
> Their product inserts program code into existing applications to make those applications monitor and report their own usage and enforce the terms of their own licenses, for example disabling themselves if the central database indicates that their licensee's subscription has expired or if they've been used for more hours/keystrokes/clicks/users/machines/whatever in the current month than licensed for.
>
> The idea is that software developers could use their product instead of spending time and programming effort developing their own license-enforcement mechanisms...

Many people have had the same idea before. The "software license manager" field is pretty full of little companies (and divisions of big ones). Your prospect might be able to find a niche in there somewhere, if they study their competition to see what's missing and how they can build up an edge.

But customers tend to hate software that comes managed with license managers, so it takes an exceptional company to fight the uphill sales battle to impose them. (And having a company switch from License Manager A to License Manager B requires reissuing licenses to every customer, an extraordinary customer-support hassle.) Only in markets where the customer has no effective choice (of a competing DRM-free product) does it tend to work.

My last startup, Cygnus, sold un-license-managed compilers, competing with some entrenched companies that sold license-managed compilers. We kept seeing how our own automated overnight software builds would fail using our competitors' compilers because the license manager would screw up -- or merely because the local net or Internet was down. Or it would hang overnight awaiting an available license, and doing no work in the meantime. Our compiler always ran when you asked it to. We got tens of thousands of people to switch to our (free) GNU C and C++ compilers, and enough of them paid us for support and development that our company kept growing.

Our best selling point against Sun's compilers, for example, was that ours didn't use any license manager. Once you bought or downloaded it, it was yours. It would run forever, on as many machines as you liked, and you were encouraged to share it with as many friends as you could. It was simple for us to invade their niche when they had deliberately forsworn a feature set like that.

John Gilmore

PS: Our trade-show giveaway button one year was "License Managers Suck"; it was very popular.

PPS: On a consulting job one time, I helped my customer patch out the license check for some expensive Unix circuit simulation software they were running. They had bought a faster, newer machine and wanted to run it there instead of on the machine they'd bought the "node-locked" license for. The faster their simulation ran, the easier my job was. Actually, I think we patched the Unix kernel or C library that the program depended upon, rather than patch the program; it was easier.
Re: consulting question.... (DRM)
This is getting a bit far afield from cryptography, but proper threat analysis is still relevant.

On May 27, 2009, at 4:07 AM, Ray Dillinger wrote:
> On Tue, 2009-05-26 at 18:49 -0700, John Gilmore wrote:
>> It's a little hard to help without knowing more about the situation. I.e. is this a software company? Hardware? Music? Movies? Documents? E-Books?
>
> It's a software company.
>
>> Is it trying to prevent access to something, or the copying of something? What's the something? What's the threat model? Why is the company trying to do that? Trying to restrain customers?
>
> Its customers would be other software companies that want to produce "monitored" applications. Their product inserts program code into existing applications to make those applications monitor and report their own usage and enforce the terms of their own licenses, for example disabling themselves if the central database indicates that their licensee's subscription has expired or if they've been used for more hours/keystrokes/clicks/users/machines/whatever in the current month than licensed for.
>
> The idea is that software developers could use their product instead of spending time and programming effort developing their own license-enforcement mechanisms, using it to directly transform on the executables as the last stage of the build process.
>
> The threat model is that the users and sysadmins of the machines where the "monitored" applications are running have a financial motive to prevent those applications from reporting their usage.

If this is really their threat model, it's ill-considered.

First, no reputable company in their right mind would play games with software licensing in an attempt to save a few dollars. In fact, most companies bend over backwards with internal audits and other mechanisms to ensure they are in compliance. The risk is far too great to do otherwise -- both to reputation and to the bottom line.

They may counter that they are attempting to nudge into compliance reputable companies that are simply not large enough or savvy enough to ensure their own compliance. In this case, something far less complex than what is traditionally implied by "DRM" can be used.

Thus, the users you are now considering are members of _disreputable_ companies. Since DRM is easily circumvented, and the company is disreputable, you have a reasonable expectation that your DRM will be ineffective.

Second, sysadmins have no financial motive, unless they are also the owners. It is irrelevant to the sysadmin whether the business pays an appropriate amount for licenses. His salary is still his salary.

Finally, large institutions (let's take financial firms as this is my area of expertise) will not install software that has hard expirations or other restrictive licensing mechanisms. The reason is simple. These mechanisms cause outages -- sometimes because of snafus in the renewal of licenses, sometimes because of poor code quality in the enforcement mechanism. At my firm, any such scheme is an immediate non-starter.

-wps
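Jerry's point earlier in the thread that license enforcement must be "as close to invisible and fail-safe as possible", and wps's observation that such mechanisms cause outages through renewal snafus, network failures and poor enforcement code, reduce to one design rule: an unreachable or broken license server is an infrastructure fault, not a licensing decision, and must never be handled as a denial. The sketch below is an added illustration of that rule, not code from anyone in this thread or from any vendor's product; the `query_server` callback, the 14-day grace window and the scenario data are assumptions made for the example.

```python
"""Fail-safe license check: an explicit denial stops the program, but an
unreachable server degrades to a logged warning backed by the last confirmed
state, for a bounded grace period. Illustrative code, not any real product."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
import logging

log = logging.getLogger("license")

class Decision(Enum):
    RUN = "run"                    # server confirmed the license
    RUN_DEGRADED = "run-degraded"  # server unreachable, inside the grace window
    STOP = "stop"                  # explicit denial, or no trustworthy state

@dataclass
class CachedLicense:
    valid_until: datetime     # subscription end as last confirmed by the server
    last_confirmed: datetime  # when the server last answered successfully

class ServerUnreachable(Exception):
    """Network down, timeout, malformed reply: an infrastructure failure,
    not a licensing decision."""

def check(cache, now, query_server, grace=timedelta(days=14)):
    """Return (decision, cache). query_server() (a hypothetical callback)
    returns the new valid_until datetime, None for an explicit denial, or
    raises ServerUnreachable."""
    try:
        valid_until = query_server()
    except ServerUnreachable as exc:
        # Fall back to the cache; only stop if there is nothing trustworthy to fall back on.
        log.warning("license server unreachable (%s); using cached state", exc)
        if (cache is not None and now <= cache.valid_until
                and now - cache.last_confirmed <= grace):
            return Decision.RUN_DEGRADED, cache
        return Decision.STOP, cache
    if valid_until is None or now > valid_until:
        log.error("license denied or expired by server")
        return Decision.STOP, cache
    return Decision.RUN, CachedLicense(valid_until, now)

def scenarios():
    """Constructed scenarios (not real data); returns the decision for each."""
    now = datetime(2009, 5, 27, 12, 0)
    fresh = CachedLicense(now + timedelta(days=30), now - timedelta(days=3))
    stale = CachedLicense(now + timedelta(days=30), now - timedelta(days=20))

    def down():
        raise ServerUnreachable("timeout")

    return {
        "net down, recent cache": check(fresh, now, down)[0],
        "net down, stale cache": check(stale, now, down)[0],
        "net down, never confirmed": check(None, now, down)[0],
        "server says denied": check(fresh, now, lambda: None)[0],
        "server confirms": check(None, now, lambda: now + timedelta(days=365))[0],
    }

if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name}: {decision.value}")
```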
Re: consulting question.... (DRM)
On Wed, May 27, 2009 at 2:01 AM, Darren J Moffat wrote:
> John Gilmore wrote:
>>
>> It's only the DRM fanatics whose installed bases of customers are mentally locked-in despite the crappy user experience (like the brainwashed hordes of Apple users, or the Microsoft victims) who are troublesome. In such cases, the community should
>
> I assume the Apple reference here is aimed at iTunes. You do know that iTunes Music Store no longer uses any DRM, right?

For the music, that's true, but not for the other items sold there (movies, TV shows, and especially not iPhone apps, as any iPhone developer who's jumped through those DRM hoops will tell you).

n
Re: consulting question.... (DRM)
The introduction of the acronym "DRM" has drawn all the hysteria it always does. The description you've posted much more closely matches license (or sometimes entitlement) management software than DRM. There are many companies active in this field. Many are small, but Microsoft sells some solution and there are moderately large companies around. Some of these have been around for many years. Traditionally, license management software looked at local files or databases rather than out on the Internet. However, I'm sure Internet options exist.

The better software of this sort is challenging to crack. Certainly, none of it is *impossible* to crack - though the best dongle-based systems are probably extremely difficult (but also unacceptable for most kinds of software).

For the most part, software like this aims to keep reasonably honest people honest. Yes, they can probably hire someone to hack around the licensing software. (There's generally not much motivation for J Random User to break this stuff, since it protects business software with a specialized audience.) But is it (a) worth the cost; (b) worth the risk - if you get caught, there's clear evidence that you broke things deliberately.

Probably the greatest use for such software is not in preventing unlicensed users from running it at all but in enforcing contractual limits - e.g., you can only use this to manage up to X machines. Every company that has sold software with that kind of contract will likely find that, unless the software enforces the limitation, its customers will exceed it - often unknowingly, often by large factors.

I'd suggest that you, and the company you're consulting to, spend some time understanding the market. What kind of software vendors are you selling to? B2B is a very different marketplace from consumer. Within B2B, "high touch" sales are very different from mass market. If you go international, a great deal depends on where you think you're going to sell. If you are ultimately depending on contractual enforcement, with the licensing software just an encouragement to good behavior, you're fine in the US and Western Europe, but you're not going to have a happy time in, say, Russia and China.

A Google search on "license management software" turns up many hits, including an overview article that may be useful: http://software.forbes.com/license-management-software

(One thing to be aware of is that this phrase is a bit ambiguous, covering both software a vendor puts into its code to manage licenses, and software sold to large end users to help them keep track of what licenses they are using. The listing in the article covers both, but is still incomplete - it misses one of the long-established companies, Acresso Software - a new name - that sells the FLEXnet license enforcement software, a business it's been in for at least 10 years or so.)

-- Jerry
Re: consulting question.... (DRM)
John Gilmore wrote:
> It's only the DRM fanatics whose installed bases of customers are mentally locked-in despite the crappy user experience (like the brainwashed hordes of Apple users, or the Microsoft victims) who are troublesome. In such cases, the community should

I assume the Apple reference here is aimed at iTunes. You do know that iTunes Music Store no longer uses any DRM, right?

-- Darren J Moffat
Re: consulting question.... (DRM)
On Tue, 2009-05-26 at 18:49 -0700, John Gilmore wrote:
> It's a little hard to help without knowing more about the situation. I.e. is this a software company? Hardware? Music? Movies? Documents? E-Books?

It's a software company.

> Is it trying to prevent access to something, or the copying of something? What's the something? What's the threat model? Why is the company trying to do that? Trying to restrain customers?

Its customers would be other software companies that want to produce "monitored" applications. Their product inserts program code into existing applications to make those applications monitor and report their own usage and enforce the terms of their own licenses, for example disabling themselves if the central database indicates that their licensee's subscription has expired or if they've been used for more hours/keystrokes/clicks/users/machines/whatever in the current month than licensed for.

The idea is that software developers could use their product instead of spending time and programming effort developing their own license-enforcement mechanisms, using it to directly transform on the executables as the last stage of the build process.

The threat model is that the users and sysadmins of the machines where the "monitored" applications are running have a financial motive to prevent those applications from reporting their usage.

> What country or countries does the company operate in? What jurisdictions hold its main customer bases?

They are in the US. Their potential customers are international. And their customers' potential clients (the end users of the "monitored" applications) are of course everywhere.

> Why should we bother? Isn't it a great idea for DRM fanatics to throw away their money? More, more, please! Bankrupt yourselves and drive your customers away. Please!

You're taking a very polarized view. These aren't "DRM fanatics"; they're business people doing due diligence on a new project, and likely never to produce any DRM stuff at all if I can successfully convince them that they are unlikely to profit from it.

Bear
Re: consulting question.... (DRM)
It's a little hard to help without knowing more about the situation. I.e. is this a software company? Hardware? Music? Movies? Documents? E-Books? Is it trying to prevent access to something, or the copying of something? What's the something? What's the threat model? Why is the company trying to do that? Trying to restrain customers? Competitors? Trying to build a cartel? Being forced to do it by a cartel? Is their product embedded? Online? Hardware? Software? Battery powered? Is it on a phone network? On the Internet? On no network? What country or countries does the company operate in? What jurisdictions hold its main customer bases? How much hassle will its customers take before they switch suppliers? What kind of industry standards must the company adhere to? What other equipment or data formats do they have/want to interoperate with?

Most DRM is probably never cracked, because the product it's in never gets popular enough that anyone talented wants to crack it. If they only sell a thousand units, will they be happy? Or do they hope/plan/need to sell millions of units?

Most DRM exists to build a cartel -- to make an artificial monopoly -- not to prevent *customers* from copying things, but to prevent *competitors* from being able to build compatible or interoperable equipment. This is largely because US reverse-engineering law makes such a cartel unenforceable in court, unless you use DRM to make it.

> Can anyone point me at good information uses I can use to help prove the case to a bunch of skeptics who are considering throwing away their hard-earned money on a scheme that, in light of security experience, seems foolish?

Why should we bother? Isn't it a great idea for DRM fanatics to throw away their money? More, more, please! Bankrupt yourselves and drive your customers away. Please!

It's only the DRM fanatics whose installed bases of customers are mentally locked-in despite the crappy user experience (like the brainwashed hordes of Apple users, or the Microsoft victims) who are troublesome. In such cases, the community should intervene on behalf of the users -- not to prevent the company from wasting its time and money.

John