PhilWebb
Posts: 16
Joined: Sat Jun 24, 2017 9:29 pm

Protecting Proprietary software from being copied.

Sun Jun 25, 2017 8:20 pm

I realize that it's probably impossible to protect software at this point as if someone really desires to hack it then it will happen. All I want to do is to make it where it's not worth their effort to make this happen.
With that out of the way,.. any good ideas on how to "make it difficult" for someone to want to hack a program residing on the RPI?
We will be using Raspbian Jessie LITE and the Application does require an internet connection so possibly I could have the RPI connect to a server for authentication in addition to encrypting the SD Card. I've also seen some methods that use a USB dongle or a PCB that attaches to the RPI to protect the use of the Software. I've even seen some comments that suggested gluing down the SD card to the RPI to prevent someone from making copies,...

I've looked online and read the forums to see what the best idea is but can't come to a conclusion on the best method to protect the pirating of the software.
Ideas or links to products that you may be aware of would be appreciated.
Thanks,
Phil

Heater
Posts: 12601
Joined: Tue Jul 17, 2012 3:02 pm

Re: Protecting Proprietary software from being copied.

Sun Jun 25, 2017 8:38 pm

Don't bother.

It can't be done 100% securely.

It's a pain to do.

Copy protection tends to annoy any legitimate customers.

Probably anyone who copies it would not be buying it if they had to anyway.

Are you really sure that whatever you have created is so desirable that anyone would pirate it?

B.Goode
Posts: 7855
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

Re: Protecting Proprietary software from being copied.

Sun Jun 25, 2017 8:50 pm

Welcome to the forums.

Your question has been asked, and discussed in depth, in these forums many times over the past 5 years. Those discussions remain on the record.

The summary is that there is nothing watertight.

PhilWebb
Posts: 16
Joined: Sat Jun 24, 2017 9:29 pm

Re: Protecting Proprietary software from being copied.

Sun Jun 25, 2017 8:56 pm

Thanks for your input,.. I've put some replies in the quote below. My replies are in BLUE.
Heater wrote:Don't bother.

It can't be done 100% securely.
I realize it can't be done 100% but would think that if I made it difficult to copy, then maybe someone would decide not to attempt it.

It's a pain to do.
I would imagine,.. but I have to weigh the cost vs benefit of that pain. That's why I'm doing research to figure out if it's worth it.

Copy protection tends to annoy any legitimate customers.
I would think that legitimate customers would understand. I would want to have a process that does not interfere with the customer's experience, if at all possible. It's like when someone wants to see my ID when I use my Credit Card,.. I don't mind.


Probably anyone who copies it would not be buying it if they had to anyway.
I failed to share this point in the original post, this RPI with included software would be provided to dealers who would in turn resell to their clients and I would think that some dealers, motivated by profit, would want to buy one, copy the contents, and sell them to their clients while not compensating me for the software.


Are you really sure that whatever you have created is so desirable that anyone would pirate it?
I'm not positive that it would be pirated, but finding out that it is desirable after shipping out the program unprotected would be a mistake.

CarlRJ
Posts: 599
Joined: Thu Feb 20, 2014 4:00 am
Location: San Diego, California

Re: Protecting Proprietary software from being copied.

Sun Jun 25, 2017 9:01 pm

Aside from echoing the "maybe don't bother" suggestion...

If you have a long-running application and an always on network connection, have your application download some vital-to-proper-execution bit of data from your server when it starts up, and keep it only in memory. Request that data over an https connection where you first send up the application user's serial number, and conduct some sort of challenge/response modulo the serial number (so it's unique to that account). Perhaps the special data you send back to authenticated machines is today's encryption key (for their client account) for whatever other data your application is exchanging over the always-on network connection.

If your server sees the same serial number in use in multiple parts of the country simultaneously, that's a sign of something bad happening, and you can invalidate that serial number and issue a replacement to the legitimate user (since you'll have the associated email address and such on file).
If the same user's serial number goes rogue multiple times, possibly that customer needs some extra scrutiny (perhaps they have a seriously compromised machine or email account).

Note that if your server ever goes down, you'll likely have some very unhappy customers.

I wouldn't bother with trying to encrypt the microSD card, or gluing it in or any such thing. And dongles, whether USB or plug-on cards, mean either a lot of time and expense and learning and manufacturing for you, or buying some third party solution (more money going to that rather than to you), and in either of those cases, it's another physical item that has to be made/stocked/shipped, and possibly replaced if it breaks.
Last edited by CarlRJ on Sun Jun 25, 2017 9:06 pm, edited 1 time in total.
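
The check-in described in the post above, as an added example that is not part of the original post or any poster's code: a single-use challenge/response keyed per serial number, a per-day key handed back and held only in memory, and revocation when one serial checks in from two regions inside a short window. The HMAC-based per-unit secret, the `WINDOW` value, the region labels (assumed to be derived by the server from the client's address) and all class and function names are assumptions made for the illustration; transport over https is assumed and not shown.

```python
import hashlib
import hmac
import secrets
import time

MASTER_KEY = secrets.token_bytes(32)  # server-side secret, generated for this example
WINDOW = 600  # assumed: seconds within which two regions count as "simultaneous"


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def device_secret(serial: str) -> bytes:
    """Per-unit secret written to the device at provisioning (assumed scheme)."""
    return mac(MASTER_KEY, serial.encode())


class LicenseServer:
    def __init__(self):
        self.pending = {}   # serial -> outstanding nonce
        self.seen = {}      # serial -> {region: time of last successful check-in}
        self.revoked = set()

    def challenge(self, serial):
        if serial in self.revoked:
            return None
        self.pending[serial] = secrets.token_bytes(16)
        return self.pending[serial]

    def verify(self, serial, response, region, now):
        """Return today's per-serial key, or None if the check fails."""
        nonce = self.pending.pop(serial, None)  # single use, so a replayed response fails
        if nonce is None or serial in self.revoked:
            return None
        if not hmac.compare_digest(mac(device_secret(serial), nonce), response):
            return None
        regions = self.seen.setdefault(serial, {})
        regions[region] = now
        if sum(1 for t in regions.values() if now - t <= WINDOW) > 1:
            self.revoked.add(serial)  # same serial live in two places at once
            return None
        day = time.strftime("%Y-%m-%d", time.gmtime(now)).encode()
        return mac(device_secret(serial), b"session|" + day)


class Device:
    def __init__(self, serial, secret):
        self.serial, self._secret = serial, secret
        self.session_key = None  # kept in memory only, never written to the SD card

    def start(self, server, region, now):
        self.session_key = None
        nonce = server.challenge(self.serial)
        if nonce is None:
            return False
        self.session_key = server.verify(self.serial, mac(self._secret, nonce), region, now)
        return self.session_key is not None


def demo():
    # Constructed serial number and timestamps.
    server, serial, t0 = LicenseServer(), "00000000deadbeef", 1498420800
    genuine = Device(serial, device_secret(serial))
    clone = Device(serial, device_secret(serial))  # copied SD card carries the same secret
    guesser = Device(serial, bytes(32))            # knows the serial number only
    return [genuine.start(server, "CA", t0), guesser.start(server, "CA", t0 + 60),
            clone.start(server, "NY", t0 + 120), genuine.start(server, "CA", t0 + 180)]


if __name__ == "__main__":
    print(demo())
```

The cloned card passes the challenge/response because the per-unit secret is copied along with everything else on the card; only the server-side overlap check stops it, and the revocation also locks out the genuine unit until a replacement serial is issued.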

PhilWebb
Posts: 16
Joined: Sat Jun 24, 2017 9:29 pm

Re: Protecting Proprietary software from being copied.

Sun Jun 25, 2017 9:03 pm

B.Goode wrote:Welcome to the forums.

Your question has been asked, and discussed in depth, in these forums many times over the past 5 years. Those discussions remain on the record.

The summary is that there is nothing watertight.
Thanks for that info. I did do a search using dongle protection etc but got back numerous posts about "wifi dongle" etc. I tried to filter out the -wifi but it did not seem to work for me.
I appreciate that it's not watertight but from what I have read elsewhere if you can make it more costly for a person to crack it vs buying it again, then it makes sense that a person would purchase another RPI/Software.
I'll do another search to see if I can find those posts, thanks,..

PhilWebb
Posts: 16
Joined: Sat Jun 24, 2017 9:29 pm

Re: Protecting Proprietary software from being copied.

Sun Jun 25, 2017 9:11 pm

CarlRJ wrote:Aside from echoing the "maybe don't bother" suggestion...

If you have a long-running application and an always on network connection, have your application download some vital-to-proper-execution bit of data from your server when it starts up, and keep it only in memory. Request that data over an https connection where you first send up the application user's serial number, and conduct some sort of challenge/response modulo the serial number (so it's unique to that account). Perhaps the special data you send back to authenticated machines is today's encryption key (for their client account) for whatever other data your application is exchanging over the always-on network connection.

If your server sees the same serial number in use in multiple parts of the country simultaneously, that's a sign of something bad happening, and you can invalidate that serial number and issue a replacement to the legitimate user (since you'll have the associated email address and such on file).
If the same user's serial number goes rogue multiple times, possibly that customer needs some extra scrutiny (perhaps they have a seriously compromised machine or email account).

Note that if your server ever goes down, you'll likely have some very unhappy customers.

I wouldn't bother with trying to encrypt the microSD card, or gluing it in or any such thing. And dongles, whether USB or plug-on cards, mean either a lot of time and expense and learning and manufacturing for you, or buying some third party solution (more money going to that rather than to you), and in either of those cases, it's another physical item that has to be made/stocked/shipped, and possibly replaced if it breaks.
Thanks for all of these suggestions. I appreciate the information.

Heater
Posts: 12601
Joined: Tue Jul 17, 2012 3:02 pm

Re: Protecting Proprietary software from being copied.

Sun Jun 25, 2017 9:51 pm

Having to have network connections up all the time and disabling software remotely when the legitimate user has done nothing wrong, is of course one of the many ways such schemes annoy your customers. As far as they are concerned if the thing does not run when authentication fails your program is broken.

Perhaps you could hint as to what this product actually is, software and hardware, then some suitable compromise might arise.

B.Goode
Posts: 7855
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

Re: Protecting Proprietary software from being copied.

Sun Jun 25, 2017 10:18 pm

I'll do another search to see if I can find those posts
An early example:
viewtopic.php?f=41&t=27259

and another:
viewtopic.php?f=29&t=77894


W. H. Heydt
Posts: 10282
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: Protecting Proprietary software from being copied.

Sun Jun 25, 2017 11:29 pm

PhilWebb wrote: I realize it can't be done 100% but would think that if I made it difficult to copy, then maybe someone would decide not to attempt it.

Probably anyone who copies it would not be buying it if they had to anyway.
I failed to share this point in the original post, this RPI with included software would be provided to dealers who would in turn resell to their clients and I would think that some dealers, motivated by profit, would want to buy one, copy the contents, and sell them to their clients while not compensating me for the software.
This is the point at which, not only can you not stop people, but it is extremely difficult to even slow them down. Your software is sitting on removable media (which you need to be able to replace if it goes bad...so you really don't want to glue it in place). Therefore, *anyone* can simply remove the SD card and copy it. If they can log in to the Pi and gain root privileges (often very easy to do), then they can copy the file(s) directly from a given Pi to anywhere they choose.

The best you can do is tie each copy to the serial number of the Pi it is running on. That's where your internet connection will probably come in.

A bigger question is...what license are you running the software under? The license will spell out the legal permissions and restrictions for use of the software and any discovered violations of the license give you a pretty strong cause of action, subject to the laws of the countries you're operating in.

Gavinmc42
Posts: 3138
Joined: Wed Aug 28, 2013 3:31 am

Re: Protecting Proprietary software from being copied.

Mon Jun 26, 2017 12:23 am

You could use the VC4 to run some of the code and tie it to the serial number.
I mostly code baremetal with Ultibo these days, it can be copied but much harder to change without the source code.

If your application is worth protecting then it is worth pirating, that's the way the market works.
A lot of companies are going the other way.
Going open source and allowing for rapid development to stay ahead
I'm dancing on Rainbows.
Raspberries are not Apples or Oranges

Imperf3kt
Posts: 2388
Joined: Tue Jun 20, 2017 12:16 am
Location: Australia

Re: Protecting Proprietary software from being copied.

Mon Jun 26, 2017 12:23 am

Regarding USB dongles, you could try http://www.dongleservice.com/

This was suggested at another programming forum I read frequently
Google is ubiquitous - Try it today, it's free!
https://opensource.com/life/16/10/how-ask-technical-questions

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 22660
Joined: Sat Jul 30, 2011 7:41 pm

Re: Protecting Proprietary software from being copied.

Mon Jun 26, 2017 8:51 am

I'd go for some sort of crypto dongle. Either USB or sit on the GPIO pins.

I fail to see why people are so negative about this. You need to be paid for your work, hoping people might contribute something doesn't pay the mortgage. It's only big companies who can afford to do OSS, because they get income from elsewhere. If this SW is your only source of income, you need to protect it.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed. Here's an example...
"My grief counsellor just died, luckily, he was so good, I didn't care."

6by9
Raspberry Pi Engineer & Forum Moderator
Posts: 6864
Joined: Wed Dec 04, 2013 11:27 am
Location: ZZ9 Plural Z Alpha, aka just outside Cambridge.

Re: Protecting Proprietary software from being copied.

Mon Jun 26, 2017 9:56 am

Ultimately anything can be compromised.
The executable is on the Pi, so could be reverse engineered to find the call to check online/crypto chip/random obscure thing and make it always return success. Don't leave any logging or other nice strings around in that code - they make nice pointers to use when analysing the code. Also don't just call it at one point within your code - that also makes it harder to find and nobble.

Ideally you'd pass some resultant data through an asymmetric crypto chip which you have programmed with a private key, and your app has the public key. That way there is a forced break in the data flow if the crypto is missing, but it all depends on what data is flowing around your app. Hardware obviously has an inherent cost implication.

Using the VC4 serial number (as has been suggested by others) could be faked if the hacker fancied modifying the kernel to pick up the relevant IPC calls and returning a preferred answer. OK they'd have to fix the 3 (IIRC) different methods you could use to check it, but none would be terribly complicated to do.

It all comes down to whether your software is viewed as being appropriately priced compared to the effort required to hack it. Get that bit right and it makes hacking it uneconomic.
Software Engineer at Raspberry Pi Trading. Views expressed are still personal views.
I'm not interested in doing contracts for bespoke functionality - please don't ask.

PhilWebb
Posts: 16
Joined: Sat Jun 24, 2017 9:29 pm

Re: Protecting Proprietary software from being copied.

Mon Jun 26, 2017 2:49 pm

6by9 wrote:Ultimately anything can be compromised.
The executable is on the Pi, so could be reverse engineered to find the call to check online/crypto chip/random obscure thing and make it always return success. Don't leave any logging or other nice strings around in that code - they make nice pointers to use when analysing the code. Also don't just call it at one point within your code - that also makes it harder to find and nobble.

Ideally you'd pass some resultant data through an asymmetric crypto chip which you have programmed with a private key, and your app has the public key. That way there is a forced break in the data flow if the crypto is missing, but it all depends on what data is flowing around your app. Hardware obviously has an inherent cost implication.

Using the VC4 serial number (as has been suggested by others) could be faked if the hacker fancied modifying the kernel to pick up the relevant IPC calls and returning a preferred answer. OK they'd have to fix the 3 (IIRC) different methods you could use to check it, but none would be terribly complicated to do.

It all comes down to whether your software is viewed as being appropriately priced compared to the effort required to hack it. Get that bit right and it makes hacking it uneconomic.
Thanks for the heads up,..

PhilWebb
Posts: 16
Joined: Sat Jun 24, 2017 9:29 pm

Re: Protecting Proprietary software from being copied.

Mon Jun 26, 2017 2:49 pm

jamesh wrote:I'd go for some sort of crypto dongle. Either USB or sit on the GPIO pins.

I fail to see why people are so negative about this. You need to be paid for your work, hoping people might contribute something doesn't pay the mortgage. It's only big companies who can afford to do OSS, because they get income from elsewhere. If this SW is your only source of income, you need to protect it.
Thanks for the input,..

PhilWebb
Posts: 16
Joined: Sat Jun 24, 2017 9:29 pm

Re: Protecting Proprietary software from being copied.

Mon Jun 26, 2017 2:50 pm

Imperf3kt wrote:Regarding USB dongles, you could try http://www.dongleservice.com/

This was suggested at another programming forum I read frequently
Thanks for the link and info,..

PhilWebb
Posts: 16
Joined: Sat Jun 24, 2017 9:29 pm

Re: Protecting Proprietary software from being copied.

Mon Jun 26, 2017 2:50 pm

Gavinmc42 wrote:You could use the VC4 to run some of the code and tie it to the serial number.
I mostly code baremetal with Ultibo these days, it can be copied but much harder to change without the source code.

If your application is worth protecting then it is worth pirating, that's the way the market works.
A lot of companies are going the other way.
Going open source and allowing for rapid development to stay ahead
Appreciate the advice,..

PhilWebb
Posts: 16
Joined: Sat Jun 24, 2017 9:29 pm

Re: Protecting Proprietary software from being copied.

Mon Jun 26, 2017 2:52 pm

B.Goode wrote:
I'll do another search to see if I can find those posts
An early example:
viewtopic.php?f=41&t=27259

and another:
viewtopic.php?f=29&t=77894
Thanks for finding those links,..

PhilWebb
Posts: 16
Joined: Sat Jun 24, 2017 9:29 pm

Re: Protecting Proprietary software from being copied.

Mon Jun 26, 2017 2:52 pm

Heater wrote:Having to have network connections up all the time and disabling software remotely when the legitimate user has done nothing wrong, is of course one of the many ways such schemes annoy your customers. As far as they are concerned if the thing does not run when authentication fails your program is broken.

Perhaps you could hint as to what this product actually is, software and hardware, then some suitable compromise might arise.
Good points,.. thanks,..

Heater
Posts: 12601
Joined: Tue Jul 17, 2012 3:02 pm

Re: Protecting Proprietary software from being copied.

Mon Jun 26, 2017 3:33 pm

Depending on what your application is, how big it is, what performance it needs, etc., you could offload a big chunk of its "secret sauce/source" to another device that does have code protection.

For example the ESP32. With its dual 32 bit cores running at 160MHz. A very cheap place to hide functionality.

I'm sure there are other such solutions, perhaps ARM based.

W. H. Heydt
Posts: 10282
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: Protecting Proprietary software from being copied.

Mon Jun 26, 2017 4:22 pm

What the whole issue comes down to is economics. Can you make cracking your program less cost effective than buying/licensing a copy? Bear in mind that there will always be people who take copy protection as a challenge and who will do everything they can to crack it regardless of cost (and, if truth be told, regardless of any utility they see in the program as well...it's just the challenge they're after).

On the other hand, adding cost, inconvenience, and potential "false positive" failures to the legitimate users also has a cost. Run these factors too high and end users will seek a less expensive/frustrating solution, whether that is illicit copies of your program or someone else's program with enough of the same functionality to serve their needs...or even writing their own code to do the job. Pissing off your users is not a good idea.

Only you can decide where you want to place the balance of forces and decide if--and how--to implement a copy protection scheme and how restrictive to make it. Another topic that hasn't been much discussed is: What license are you using? Obviously you need to avoid any form of the GNU license, as that would *require* you to release source code to your customers and permit them to make all the copies they want and modify the code if they wish. If you go with a custom license, you'll need a lawyer to write it and a custom license may scare off some potential customers.

You could, of course, avoid the whole copy protection mess by giving the software away and selling support for it.

PhilWebb
Posts: 16
Joined: Sat Jun 24, 2017 9:29 pm

Re: Protecting Proprietary software from being copied.

Mon Jun 26, 2017 10:37 pm

W. H. Heydt wrote:What the whole issue comes down to is economics. Can you make cracking your program less cost effective than buying/licensing a copy? Bear in mind that there will always be people who take copy protection as a challenge and who will do everything they can to crack it regardless of cost (and, if truth be told, regardless of any utility they see in the program as well...it's just the challenge they're after).

On the other hand, adding cost, inconvenience, and potential "false positive" failures to the legitimate users also has a cost. Run these factors too high and end users will seek a less expensive/frustrating solution, whether that is illicit copies of your program or someone else's program with enough of the same functionality to serve their needs...or even writing their own code to do the job. Pissing off your users is not a good idea.

Only you can decide where you want to place the balance of forces and decide if--and how--to implement a copy protection scheme and how restrictive to make it. Another topic that hasn't been much discussed is: What license are you using? Obviously you need to avoid any form of the GNU license, as that would *require* you to release source code to your customers and permit them to make all the copies they want and modify the code if they wish. If you go with a custom license, you'll need a lawyer to write it and a custom license may scare off some potential customers.

You could, of course, avoid the whole copy protection mess by giving the software away and selling support for it.
Lots of good information here,.. thanks for the input especially on the license,....

CarlRJ
Posts: 599
Joined: Thu Feb 20, 2014 4:00 am
Location: San Diego, California

Re: Protecting Proprietary software from being copied.

Mon Jun 26, 2017 11:28 pm

Please don't take this the wrong way, but it's not necessary to reply to every single post, quoting the entire post, just to say thank you. It doubles the amount of words in the thread without doubling the amount of unique content. We get that you're appreciative, and it's nice to hear that (most of us have, at one point or another, taken the time to write a multi-paragraph response to a first-time poster, only to have them seemingly never return to read it). Use selective quotes if there's a particular bit you want to reply to or ask a question about. Thanks!
