I was a guest on episode 21 of Bootstrapped.fm, the podcast of Andrey Butov and Ian Landsman. The discussion was very wide-ranging, touching on SAAS vs web, the Qt development environment, the royal wedding, A/B testing, capoeira, Adwords, the history of shareware, my new training course and lots more besides. I really enjoyed it. Bootstrapped.fm also has a thriving discussion forum at discuss.bootstrapped.fm.
Stephane Grenier is publishing an interview a week from his 2008 book Blog Blazers on followsteph.com. This week he published my interview from the book. It was interesting to re-read it 5 years on. I never did quite reproduce the success of my early software award scam post, but I am still posting – albeit not very frequently.
Through an unforeseen series of events, I have ended up corresponding with a cracker known only to me by a Hotmail address and the pseudonym “CrackZ”. It quickly became clear that he knew what he was talking about, but was motivated by curiosity rather than criminality. Obviously crackers are a more diverse group than the criminal masterminds and script kiddies of popular imagination. To my surprise he agreed to be interviewed for this blog and I jumped at the chance to find out a bit more about the shadowy world of cracking.
*** I realize this is an emotive subject, but please read the whole interview before posting anything in the comments. ***
What is your background? How did you get into cracking software?
I graduated in software engineering about 10 years ago and started out seriously cracking software in my first year at University. It was the first time I’d had access to a fast, unmetered Internet connection and my interest became collecting software and then breaking it; most of my associates never proceeded much beyond the downloading lots of free software stage. Prior to this I’d really only ever had a casual knowledge of the piracy scene from owning a Spectrum, Commodore 64 and then an Amiga. Think tapes and copy disks being swapped in the playground and you wouldn’t be far wrong ;-). The first PC experiences I can recall were studying some very early Phrozen Crew cracks and the Quox virus that someone gave to me on a disk.
Do you also write software? Is your day job in the IT industry?
Yes and yes.
What is the motivation for cracking software?
Motivation for cracking really seems to vary. For me I think it’s always been mainly about the intellectual challenge, studying code, or ‘breaking the minds of protection authors’ as one correspondent so eloquently put it. For many there is also the ‘social aspect’ of being amongst a like-minded group of individuals (see some of the interviews with former members of famous groups e.g. PWA, DOD if you want to understand how powerful a *pull* the social element can be). Then there are also those who simply enjoy getting software for free or those who do it simply for ‘kicks’. Contrary to the various anti-piracy associations’ propaganda, very few of those I’ve ever been associated with have been motivated financially. That’s not a justification of course, but it might help if most authors realised that the person who cracked their software is more likely a bored 16 year old Chinese male than a future terrorist.
Is cracking an individual activity or is it organized?
The answer is both, but that is an oversimplification. Most of my cracking has been pretty much a lone-wolf occupation, although there have been times I have worked with others on group projects, expensive CAD/CAM applications for example. One only has to look at the scene to see that there are plenty of organized groups out there and some of the group infrastructures I’ve seen would rival small corporations in their sophistication. A lot of authors are often quite surprised to find their software on the cracking scene radar.
What is your attitude to intellectual property? Do you release cracks and keygens ‘into the wild’? What do you think of those that do?
I’ve actually gone full circle here; in my early years IP literally meant absolutely nothing to me, the value of the software didn’t matter and authors were inconsequential. I would happily release cracks and key generators under a variety of nicknames and scene groups and I didn’t lie awake at night thinking about the damage I might be causing to someone’s livelihood. Currently, I’m 100% in the ethical category (you can debate that). I haven’t been able to curb my interest in protection code, but have managed to channel my interest towards simply contacting the authors when I have broken their code. Sometimes I’ll even offer a little helpful advice; though I’m afraid that’s probably the ‘moral best’ I’m ever going to be. I don’t support those who release cracks and key generators. I’ve heard enough from authors to know how damaging it can be, but anyone who has ever experienced the scene can probably understand why it still happens and will continue.
I can understand the attraction of cracking as an intellectual challenge. But why do some crackers then release the cracks? What do they gain?
Respect amongst their peers and the ‘scene’ at large and dubious notoriety. I’ve known some who did so in order to get a job.
When people release cracks do they think about the effect they are having on the livelihoods of the people who write the software? Do they care?
My guess would be ‘probably not’ on both counts. I think this changes with age though and many get more considerate as they get older.
What is your opinion of people that add trojan horses and other malware to cracks?
I suppose I might be accused of some degree of hypocrisy ;-), but these really are the bottom-feeders and low-lifes of the world.
What types of software do you target?
Myself it has been pretty much exclusively Windows, with the occasional bit of *nix, but there is plenty of interest in virtually every platform out there, even groups dedicated solely to them. Nothing escapes attention these days.
What tools and techniques do you use for cracking?
My tools of choice are IDAPro (the best disassembler which also includes a debugger) and also a mixture of other debuggers depending on the target (e.g. OllyDbg, SoftICE, Syser and even WinDbg). And then there are other associated tools like a decent Hex Editor (Hiew, UltraEdit) and more specific utilities covering the various cracking fields. There are quite a few books out there on the subject of reverse engineering that list virtually all of the tools in most crackers’ toolsets.
How long does it take you to crack the protection on an average piece of software?
On average shareware protections I’d usually be able to break them in a matter of hours, although understanding their intricacies might take a good deal longer. I’ve had some fall in minutes and others take full days of analysis. Perhaps as a small comfort, I’d say that each year the average protection seems to be getting a little more difficult to crack.
How long are you prepared to spend to try to crack a piece of software? Do you ever come across software you can’t crack?
In the past I’d be prepared to invest most of the hours in a day in one piece of software. I’d make literally pages of notes on paper and in the disassembler, naming functions, variables, structures, commenting fields etc. For many crackers time is a commodity they have in spades. I’ve met several targets that I couldn’t crack and several I simply didn’t bother completing because others had beaten me to it. Of the few I couldn’t break I did understand the reasons why (some need specific server-side responses). In some cases, several years later, users sent me the necessary hardware / information to enable me to break those targets.
Are applications protected by commercial anti-piracy software harder to crack than applications with home grown protection?
This is a tricky one; commercial anti-piracy software is pretty much exclusively written by ex-members of the cracking community and by default is protected better than many authors’ own creations. However, once a protector gains what I’d best term as a ‘critical usage mass’, its attractiveness as a target becomes that much greater. Experienced crackers are drawn to it almost like moths to a flame, since breaking an entire ‘protector’ can yield a lot of targets. Some of the very best and worst of the protections I’ve seen have been of the home grown variety. A lot of authors (IMHO rightly) conclude that improving the attractiveness of their software to potential customers is a much more productive use of their time than writing the ultimate copy protection.
Is software that phones home harder to crack?
Software that simply ‘phones home’ presents more of a nuisance than any real barrier to cracking. I’ve seen some that implement server license checking (mIRC is a widely available example) and it hasn’t stopped the cracks appearing. Several other targets have required decryption keys to be fetched from the server and these also haven’t presented any real problem. It’s worth remembering that a cracker will often have access to a legitimate license with which to perform his study. At some stage a true client/server protection model over the internet will be a real possibility (MS has some stuff already like this), where all of the code is actually executing on a server. This will most likely simply move the goalposts, but seeing as a lot of the software I have been asked to look into was leaked to me by company employees the server model might not be as secure as it suggests.
Do hardware solutions (e.g. dongles) make software significantly harder to crack?
Hardware keys and, more recently, smart cards do make software harder to crack, largely due to the fact there is usually an element of hardware encryption these devices perform that can’t be easily replicated without access to the original device. However, over the years, I’ve met literally hundreds of disgruntled end-users of these devices, many of whom have sent me their keys and risked their jobs just to be free of them. A few eastern European contacts of mine sell ‘dongle emulating’ solutions and have archives of probably more than 10,000 individual dongles.
Is any method of securing software 100% secure?
Absolutely not, and anyone who tells you otherwise is lying.
What are the commonest mistakes software developers make related to security?
In no particular order:
- Depending on commercial protection schemes for security.
- Directly comparing the license string entered with the correct one.
- Not using some sort of encryption/obfuscation (XOR isn’t *good* encryption).
- Using a single simplistic registration function that is easy to isolate.
- Displaying message boxes with helpful strings sending the cracker straight to the protection code.
- Not integrity checking against patching.
- Not updating the software once a crack is discovered in the wild.
Do you think software vendors should spend more time making their software harder to crack?
I’m pragmatic; I’d advise all software authors to invest time in a *reasonable* copy protection and keep abreast of whether cracks are out there, educating your potential customers can be worthwhile. Make your protection something custom and use some imagination by all means, but make it proportional to what you are protecting. There isn’t much point having a £million lock on a £100 product, you simply can’t defeat every single cracker out there.
Can you expand on “educating your customers can be worthwhile”?
‘Educating’ might be the wrong word, but appealing to people’s conscience can be quite effective. A few software authors have ‘crack catcher pages’ for the search engines that say things like “I work 60hrs per day on my software, please support me if you want me to continue adding features” etc. It’s also worth pointing out that there are plenty of con-merchants and dodgy sites out there selling cracks that often do contain trojans/viruses. One could also appeal to the fact that ‘time is money’ for a lot of potential software buyers, so why invest several hours of their life looking for a crack if it’s more cost effective to buy?
Can you recommend any online resources for authors wanting to know how they can protect their software better?
There are several books and web resources on anti-debugging & protection advice, Google will find them ;-). There are also several mainstream books, Pavol Cerven’s springs to mind.
Software developers are usually so busy writing software for other techies, that they often forget there is a bigger world out there. Terrell Miller has a successful herd management software product for cattle ranchers. He generously agreed to share his experiences on what it has been like building a software business in a non-techie niche market.
Can you tell us a bit about CattleMax?
CattleMax is herd management software designed specifically for beef (meat) cattle, and helps ranchers keep track of their cattle records including births, purchases, sales, breeding history, measurements, lineage, and more. Having the records in one location enables producers to stay organized and helps them make better decisions – which in turn helps them be more efficient and profitable in their operation.
What was your background before CattleMax?
My wife Penny and I met at Texas A&M University while we were both in Undergraduate programs. My degree in Information Systems in the College of Business and family member’s involvement in cattle, along with Penny’s degree in Agricultural Leadership and years of showing cattle, proved to be a great complement for us to start a business where we could work together.
How long have you been working on CattleMax?
I started working on the first version of CattleMax, which started out as a custom application for a local ranch, in July 1999 right after I graduated and have worked for Cattlesoft ever since. Penny worked at the local university on a full and then part time basis for 18 months before joining the business on a full-time basis.
What technologies and languages do you use to develop CattleMax?
CattleMax is developed in Microsoft Access 2007. Access has been a key ingredient to our desktop software’s success. A lot of developers don’t give Access the credit it deserves as a powerful and rapid development tool. We have done extensive customizations to our interface to differentiate from the Access default templates and many customers don’t realize we are even using Access.
If you were starting CattleMax from scratch today would you go for a web based solution? Or would you stick with a desktop solution?
You could say the market chose us. Initially, we wanted to create a side project that involved both of our interests. Being students at Texas A&M helped open doors to talk with professors and experts about our product and ideas. Through these talks, we were introduced to a nearby ranch who needed an easy-to-use cattle record keeping system. They became our first customer and continue to use our software today.
How long did it take you to get CattleMax to v1.0?
It took about 9 months to get CattleMax marketable and stable. Our first public release date was at a local trade show where we received great response. Being a student, we didn’t really have any income to replace – it was the ideal time for us to have started Cattlesoft and the software. We had little to lose and the rest of our life to recover from any business or financial mistakes made.
How technically proficient are your customers? Can you reach them with online marketing?
Our average customer is in the 45 – 65 age range. Over the years, cattle ranchers have become much more knowledgeable with technology. Our marketing is primarily online (PPC, SEO, direct website advertising) along with some print advertising.
The CattleMax user interface looks very slick and intuitive. Do you do any usability testing? Did you find the switch to a ribbon bar difficult for you or your customers?
In the beginning, I would go to a customer’s ranch and watch them use the software. By listening and watching how they interacted with the software, I was able to identify areas of confusion and see ways that we could make processes and areas easier to work with.
The ribbon was mandatory when we switched to Access 2007. While I was initially apprehensive about the change, I now see that the ribbon has made CattleMax easier to use, since it allows priority of certain menu items/common areas by giving them larger icons and visibility.
I see you have a Facebook widget on your home page. Have you found Facebook to be a useful marketing tool?
We use Facebook to post upcoming events, interesting articles and ask our customers for their feedback, plus it’s another way for customers to ask us questions. While advertising on Facebook allows for laser targeting based on interests, our in-house email list is larger than the number of ranchers on Facebook according to their PPC platform. Therefore most of our communications efforts are through our email newsletter and Cattle Management blog.
How did you choose the price of the product?
In the beginning, we chose prices that were comparable to other cattle software programs. We have two editions of our software, one for the commercial/beef producer and another for the purebred/seedstock producer. Each of these editions is available in a Small Herd (50 cow limit) and Standard (no record limit). We chose two editions so that it would be easy for a rancher to confidently choose the edition right for their herd. The two herd size options are so we can offer a solution to small herd producers while providing additional value for larger herds that may require additional support. See Camels and Rubber Duckies.
You have a generous 60-day money back guarantee. Do you have to give many refunds?
We may have one customer, at most, per year return the software because of dissatisfaction. We may have 5 returns a year from people who bought without downloading our trial and wanted a refund – a few of those reasons are receiving it as a gift and not wanting it, software not working on their computer (Windows 95 anyone?), or lacking a key feature. I highly recommend a satisfaction guarantee as it does help customers buy with confidence, knowing that you will stand by your product. No software company wants a dissatisfied customer who feels you “took their money.”
Do you charge for upgrades? Is this a significant source of income?
Our upgrades have been on about a 2-3 year schedule, and current customers can purchase them at half the price of the full version. While upgrade purchases are a double-digit percent of our business, we focus more on new sales. One of the challenges of making a good product is it takes an even better product for customers to understand the value in upgrading.
Do you outsource much work?
We work frequently with independent contractors and freelancers. While we’ve had 6 or more full and part-time employees over the years, I find employee management and “keeping people busy” to be too distracting from working on the big picture. Having people working from their own locations gives us more flexibility, plus we are not limited to just our physical location/city for finding experienced workers.
Do you have any products besides CattleMax?
We adapted CattleMax into LonghornMax, a software for Texas Longhorn cattle that enables breeders to record horn measurements in addition. LonghornMax primarily arose from our connections with the Texas Longhorn Breeders Association where we were previously their official software program. We also raise Texas Longhorn cattle on our ranch near College Station, which is about 90 miles west of Houston. Another spinoff is EquineMax, a software program for horse owners to keep track of their horse records.
Stepping beyond software in 2010, we launched CattleTags.com which is a website for purchasing cattle ear tags. In 2011 we launched LivestockSupplies.com which includes additional equipment and supplies for the ranch. Selling livestock supplies has proven to be a nice complement to our software as it helps us offer additional services and value to customers by offering them convenience and variety of selections, without them even needing to leave the ranch!
Would you recommend others to start a business straight out of college? Or should they work for other people first to gain experience?
This blog is hosted on WordPress.com. This has its advantages, but it means that I can’t use the huge range of add-ins that are available to those that host their own WordPress server. In my attempts to find a simple way to add social bookmarking to WordPress posts I stumbled across GetSocial, a Windows desktop program that generates the social bookmarking icons you see at the bottom of my recent posts. GetSocial is donationware – the author requests a small donation if you find the software useful. But the software is not crippled or time limited in any way and the donation is optional. I found the software useful so I made a small donation.
I use a number of donationware products. Human nature being what it is, I rarely get round to making donations – despite the best of intentions. It just never quite makes it to the top of my ever expanding TODO list. I have also heard various tales about how dismal the donation rates are. So I was curious about how well the donationware model works in this particular case. I emailed the author of GetSocial, Hillel Stoler, and he was kind enough to do this interview.
What was the motivation behind GetSocial?
GetSocial is not a business – it’s my contribution to the WordPress.com community. I needed a way to generate social bookmarking buttons for my own blog, and when I saw none was available I made GetSocial. I decided to request donations because I too was curious about the feasibility of donationware, and wanted to investigate the subject. I hate spammy “business models” such as installing Toolbars, embedding ads and so forth and wanted to make software that I would like to use.
Does anyone actually make a donation?
Surprisingly, yes. Many people donate, and I think all of them are glad to do so.
What is the average donation?
At the beginning I was only asking for a fixed amount (5 USD). The reason for this was that a fixed donation simplifies the donation process (because the potential benefactor needs to make one less decision). I’ve selected 5 USD because it was the lowest sum of money for which the PayPal commissions amounted to less than 10% of the donation.
Recently I’ve enabled donations in different currencies and variable amounts (but only on my websites, donations made from inside the application are still fixed). I’ve seen some decline in the ratio of donations per download (although it could be explained by many factors, and cannot be directly attributed to the added complexity of the process without applying proper A/B testing methods). However, the average donation has increased to 9.19 USD, and I’ve also received donations of over 20 USD. This is interesting because 19.99 USD is enough to purchase many commercial software products. To date, no one has donated less than 5 USD.
What is the donation/download ratio?
First of all, please consider that GetSocial is upgraded frequently, and I cannot differentiate between a new download and an upgrade download. Also, I can only count downloads which originated from my own websites. That said, dividing the number of the donations by the total number of documented downloads yields a donate/download ratio of about 0.55 percent (e.g. a single donation is received on average about every 182 downloads).
Can you make any money out of donationware?
I do make some money out of GetSocial, but I’m far from making a living out of it. With the current donation/download ratio, GetSocial will only begin to become economically interesting when it hits the 500k download mark. It’s not impossible market-size wise (there are about 10 million bloggers in WordPress.com) but it’s not easy.
The amount of money one can make with donationware is directly proportional to the number of people involved. For example, in the case of GetSocial, take a million downloads, divide by 182 and multiply by 5 dollars and you have 27k USD (before PayPal commissions). This amount of money can cover the development costs for many small software products.
That said, a million is a big number, even for free software. If you’re thinking about making real money out of a donation based product, I would recommend that you research the size of your market carefully. Getting those million downloads is not an easy task.
I personally don’t think that money is the sole motivation for doing things though. When discussing profits, we should also take into account the indirect benefits I receive from GetSocial such as incoming links, a user base, visits to my website, comments, world fame (or at least some publicity), and even fan mail!
And hey, the donationware model works for Wikipedia, doesn’t it?
Why did you choose a donation model instead of selling licences?
The reason I made GetSocial was that when I started hillelstoler.com (on a WordPress.com platform), I wanted to add social bookmarking buttons for my visitors. When I realized no one was doing that (there was an old text file floating around for manual use) I decided to make GetSocial. I wanted to attract visitors to my new blog, and I knew that distributing a hyped piece of free software would help me build credibility and acquire an international audience. It did.
Why did you choose donationware over freeware?
Out of curiosity, I guess. I wanted to know if one could make any money this way, and if people actually pay when they don’t have to (especially in cases where no one is looking). Today I can clearly say that I was pleasantly surprised. I think that Donationware is a beautiful (and very user-friendly) concept, and I’m glad it’s not just another web myth. Besides, I knew that people needed GetSocial, but to be honest I didn’t really think that anyone would actually pay for such a service at the time. In the end, I think that my potential buyers are also the ones who made the effort and donated, even though they didn’t have to. I’ve actually received some donations larger than what I could possibly charge if GetSocial was a commercial product!
Another important factor in my decision was the fact that I could do it rather easily. Recall the old days, when Donationware DOS programs asked you to kindly snail-mail some cash to a P.O box? That’s the kind of thing I would never bother with, especially when we’re talking about an international market.
Do you think you have made more money through donations than you would have through selling licences?
Absolutely! When I’ve received my first donation I was surprised (so people do donate after all), and as donations kept pouring in I realized that there is a donation culture. Selling licenses also meant becoming a part-time police officer, and that’s not what I was after.
What really amazed me, is that even in this very specific niche of social bookmarking for WordPress.com blogs (where I offer an industry grade solution for free) competition still sprung!
How did you promote GetSocial?
I didn’t. I’ve posted about it on the WordPress.com forums several times, and wrote about it on my website, hillelstoler.com. Other people wrote about it too. No paid ads or anything like that. You’ll notice that I didn’t even include a link on the toolbar itself (the viral ‘Get one!’ link you see everywhere else) because it was important to me not to impose.
You now have a web version of GetSocial. How long did that take to create compared to the desktop version? How do the desktop and web version compare in terms of the amount of use and the amount of donations?
GetSocial Live (the on-line version) started as a weekend project actually. GetSocial is a Windows application, and many people wanted a Mac version. Since I don’t even own a Mac, I decided to make a cross-platform web service (currently, about 40% of GetSocial Live visitors are indeed Mac users). It was easy to make, because I copied some of the code directly from GetSocial. The images are all photos I took of the plants in my house. In the end it did mean additional costs (hosting, domain, etc), but originally it was hosted for free on (the late) Google Pages service.
Later on, I discovered that the on-line version made GetSocial much more flexible and dynamic. I can now post updates much more quickly and effectively. The web version is also much easier to upgrade and maintain because it lacks some of the internal complexity of the GetSocial application (things like self encryption).
Do you get any useful revenue from the Google ads on getsociallive.com ?
As in the case of the donations, I was curious about AdSense. I know for a fact that I never click sponsored links myself, but I guess some other people do because Google makes a living out of it. I didn’t bother with A/B testing and other cash boosters, I just added a single ribbon of ads.
So far revenue has been disappointing (this is also the place to mention that the process of getting my AdSense account approved was very annoying and arbitrary, with zero support). There were some cases where I got more than 1 dollar per click, but I currently get more money through donations than through AdSense. Interestingly, the ratio of ad clicks per page view is similar to (though a bit lower than) the ratio of donations per download.
Mike Dulin has just uploaded an MP3 of an interview we did at SIC 2009 for Sharewareradio.com. In the 15 minutes we discuss marketing, how I got started with PerfectTablePlan, ads, the wedding industry, newsletters, the ASP, this blog and more. There are some problems with the recording levels, but hopefully that doesn’t detract too much.
I was recently interviewed by Bob Walsh and Patrick Foley for The Startup Success Podcast, episode 25. We cover a wide range of topics including: microISVs, conversion ratios, being specific, PerfectTablePlan, usability, the global recession, software award scams, ‘works with vista’ certification, stackoverflow.com and twitter. I wonder how much I have to pay them to edit out the ‘ums’?