Software piracy is a real issue for every software company, large and small, and it isn’t going away any time soon. So when I heard that fellow microISV owner Nikos Bozinis had created a tool to help software vendors fight piracy, I asked him to write a guest post. He kindly agreed to write this post about software piracy, the Digital Millennium Copyright Act and his CrackTracker product.
Why buy something when you can download it ‘for free’? Billions of dollars are lost every year from illegal downloads of music, movies and software. People around the world seem to have very lax morals when it comes to abusing digital content. Downloading the latest movie or Windows software from rapidshare.com somehow doesn’t strike them as theft — it’s not like stealing a loaf of bread! The traditional music industry is already down on its knees as a result, and software may be the next to follow.
Software authors and music enterprises are fighting back by tightening the DRM (Digital Rights Management) of their products in a futile effort to stop online piracy. But usually crackers have no problem circumventing any protection system that we can dream up. To add insult to injury, legitimate customers are usually hurt by such reinforced software protection and activation systems. A little bit like the war on terror, isn’t it?
A different line of defense for ailing copyright owners is the Digital Millennium Copyright Act (DMCA), a US law with global reach for copyright protection (the European EUCD equivalent is not as broadly known). This law is very broad, and not without controversy, but it works – closing down websites that distribute illegal content and removing copyright infringing downloads from file-hosting websites with summary procedures, among other things. So if you discover your software illegally distributed on some warez website, you can send a so-called “DMCA section 512 takedown notice” to the website host and they are expected to remove that particular file from circulation — or risk the wrath of the law.
I have been a microISV for over 10 years so let’s forget about the entertainment industry and concentrate on my field, software. There are over 200,000 programs listed on download.com and that’s just for Windows. Many are created by very small to medium sized companies — many even run by a single programmer/webmaster/marketer/entrepreneur. I bet that all these programs are cracked in one way or another — at least those popular enough for crackers to care about them. If you search for warez or torrents you will find the software you want for free, either the latest or an older working version.
Piracy statistics from Business Software Alliance report 2009.
I sell a file manager called xplorer². I track how many people install the program every day and also I have a good guesstimate for the number of people using cracked versions of xplorer². I estimate over 70% of the regular users use one of the known keygens. Imagine if this 70% didn’t exist or it was converted to regular paying customers!
How is it done?
Downloadable software falls into 2 categories: those that run in trial mode until you buy a key to unlock the full functionality; and those that are special downloads for customers that pay the registration fee. In all cases some sort of unlocking takes place using a plain key, or a license file, or online activation, or some combination thereof. Many ISVs write their own licensing code, while others rely on off-the-shelf protection and licensing products (Armadillo, WinLicense etc).
Imagine you shipped your source code along with your program: it would then be trivial for even amateur crackers to bypass your protection and run the program without paying. Very few vendors supply source code, but people in the know can read off your licensing logic like an open book using specialized reverse engineering tools (softICE, IDA and other debuggers and disassemblers). Then they can create a ‘patch’ or modification to your executable that bypasses the protection.
An even worse type of compromise is a keygen. When the cracker uncovers the logic of your unlock keys, he can create a program to generate such keys which look and behave exactly like the legitimate ones you sell to your customers. Then he doesn’t need to patch your program, he just supplies this keygen to the warez community and everyone can help themselves to your program. You can guard yourself against such attacks by using asymmetric (public-key) algorithms for your keys, so that the program contains only what is needed to check a key and not what is needed to create one.
Is there a perfect protection system?
In short, no. If you consider that your program is presenting its logic to anyone with moderate experience in machine language, then sooner or later any protection can be circumvented. Professional protection schemes utilize encryption to protect sensitive parts of your code, but even they won’t withstand the cracker test. And remember the harder your DRM the more likely your program will be mistaken for malware (!) as many viruses and trojans use encryption tricks.
Even if there was a perfect system, your sales would still be at risk. All that’s required is for some of your customers to post their unlock key on a warez site, and the game is lost. You would then blacklist that serial, until another one was leaked and so on.
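The two defences just described, asymmetric keys against keygens and blacklisting a leaked serial, as an added Python example; it is not code from the post, xplorer² or any licensing product. The licence format (`serial|licensee` plus an RSA signature), all function names and the sample values are assumptions of this example, and it uses only the standard library so that it runs as-is.

```python
import base64
import hashlib
import math
import secrets

# Weak scheme: the check recomputes the key, so the shipped program contains
# the whole generator, secret included. Whoever reads the check has a keygen.
EMBEDDED_SECRET = b"constructed-demo-secret"

def weak_expected_key(name):
    return hashlib.sha256(EMBEDDED_SECRET + name.encode()).hexdigest()[:20]

def weak_check(name, key):
    return key == weak_expected_key(name)

# Signed scheme: RSASSA-PKCS1-v1_5 with SHA-256, written against the standard
# library so it is self-contained; a product would call a vetted crypto library.
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def is_probable_prime(n, rounds=40):
    """Miller-Rabin test, used only for vendor-side key generation."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (3 << (bits - 2)) | 1  # top two bits set, odd
        if is_probable_prime(candidate):
            return candidate

def generate_keypair(bits=2048):
    """Vendor side. Returns ((n, e), d); d never leaves the vendor's machine."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), pow(e, -1, phi)

def encode_digest(message, n):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), as an integer below n."""
    k = (n.bit_length() + 7) // 8
    t = DIGESTINFO_SHA256 + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def issue_license(public, d, serial, licensee):
    """Vendor side: sign 'serial|licensee' with the private exponent d."""
    n = public[0]
    payload = f"{serial}|{licensee}".encode()
    sig = pow(encode_digest(payload, n), d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return base64.b64encode(payload).decode() + "." + base64.b64encode(sig).decode()

def check_license(public, license_text, revoked_serials=frozenset()):
    """Shipped code: holds only the public key and the list of leaked serials."""
    n, e = public
    try:
        payload_b64, sig_b64 = license_text.split(".")
        payload = base64.b64decode(payload_b64, validate=True)
        sig = int.from_bytes(base64.b64decode(sig_b64, validate=True), "big")
        serial, licensee = payload.decode().split("|", 1)
    except ValueError:
        return None  # malformed input
    if sig >= n or pow(sig, e, n) != encode_digest(payload, n):
        return None  # not signed with the vendor's private key
    if serial in revoked_serials:
        return None  # genuine licence whose serial was leaked and blacklisted
    return serial, licensee

if __name__ == "__main__":
    public, private = generate_keypair()
    text = issue_license(public, private, "S-0001", "Example Customer")  # constructed values
    print(check_license(public, text), check_license(public, text, {"S-0001"}))
```

Signing prevents new keys from being minted; it does nothing against the patched executable described earlier, where the check itself is removed.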
The warez scene
There are people who don’t spend any time in Facebook or YouTube. They surf the internet for free stuff. Cracked versions of commercial software (aka warez) circulate in some shady forums that bring together the crackers with the downloaders e.g. http://www.warez-bb.org. Browse a warez site and you will find any software, movie or music you fancy, with an assortment of popups and dodgy advertisements of the usual internet 3P products (Pills, Poker and Girls [sic]). For your convenience there are even specialized search engines that search a number of such forums simultaneously, e.g. http://www.warez.com.
These forums do not host the actual files. They refer the traffic to specialized file hosting services like rapidshare.com. To make the most of warez you need to buy a subscription to access such file hosting sites (e.g. unlimited downloads from $9/month). Incurable cheapskates could get away without paying anything though, as you can download for free after a forced (nag) waiting of a minute or two.
A bit more up-market are download sites where to gain access you need to purchase a subscription, e.g. http://www.nowdownloadall.com. I have never paid to enter such a site, but they promise access to any download you can imagine. So you pay a monthly fee to download as much as you like. Note that this is different from paid-for hosting mentioned above. I suppose that you need a file hosting subscription on top to get the actual files downloaded. With so much stuff available for free I don’t know if this approach makes economic sense.
Finally there are traditional peer-to-peer file sharing networks, where people share their software, music and video through torrents. After the demise of Napster, torrents are still strong, with completely decentralized databases immune to legal intervention. The downside of torrents is their inherent unreliability, so people in a hurry will prefer the immediate gratification of a full download from rapidshare.com and the like.
Why do they do it?
It is easy to understand why someone will prefer ‘free’ software instead of paying up. But what about the crackers, the people who circumvent the DRM and distribute these warez? Why do they do it? Here are a few plausible motives:
- For kicks. The traditional hacker stereotype is a geeky person whose pastime is breaking into computer networks. Cracking into a software’s protection and stripping it clean must be a pleasure in itself, a ritual destruction of the evil Death Star.
- For glory. Marxist theory claims that private property is theft. This concept has struggled with real tangible property, but digital property is the ideal trophy. Many groups feel that software and music should be free (!) so taking down the big media and software corporations is a noble cause for them. But many small ISVs fall victims too, and the real motives are far less revolutionary…
- For profit. Marx is dead; long live Das Kapital. Warez downloads are big business in a number of ways:
  - Direct subscription charges to access the downloads
  - Selling password unlockers (e.g. you download something in a ZIP archive which is locked and you need to buy some software to unlock it)
  - Distributing malware. Many downloads are packed with malware (sample report for a keygen), from straightforward scams and ransomware to trojans that turn your computer into a zombie, waiting for instructions to launch a DDoS attack or send spam.
You *can* remove illegal downloads
If your software is available to download from warez sites, either compromised (patched or keygened) or simply accompanied by a simple serial number to unlock it, you will definitely lose sales. The good news is that, using DMCA provisions, you can have these unauthorized downloads removed. Without these downloads prospective users will have no choice but to buy your software — or move on to your competitor’s cracked software.
Here is how to remove illegal downloads:
- Find your download links. All illegal downloads end up in a host like rapidshare.com or megaupload.com (I know of more than 100, but there are 10-20 big player websites). A standard Google search for your software name plus ‘crack’, ‘keygen’ or ‘rapidshare’ will find some hits, especially if you search in groups or blogs. Even better use specialized warez search engines like http://www.filestube.com with just your software name as a keyword — the results will be just downloads.
- Validate download URLs. Some of the download links you discover may be dead (e.g. very old). Click on each one to see if they are valid or 404.
- Send DMCA notices. Group the download links by provider (rapidshare, hotfile, etc), and send a DMCA notice to the abuse email address of each website. Usually this is firstname.lastname@example.org (e.g. email@example.com). Each website lists the steps for filing DMCA notices for file removal.
This sounds like a lot of hard work, and it can be, but it works. File sharing websites like rapidshare.com run a legitimate business — they are not responsible for cracks — so if you send them a polite DMCA takedown notice they will remove the copyright infringing downloads.
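Steps 2 and 3 of the list above as an added Python example (not CrackTracker's code): it drops dead and duplicate links, groups the rest by provider and drafts one notice per provider. The `.example` hosts, the contact table and the notice wording are constructed or supplied by the caller; each provider's real address and required statements come from its own DMCA page.

```python
from collections import defaultdict
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

def provider_of(url):
    """Group key for a download URL: the host reduced to its last two labels,
    so www.x.com and dl3.x.com land together (mishandles suffixes like .co.uk)."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    labels = host.split(".")
    return host if labels[-1].isdigit() else ".".join(labels[-2:])

def http_is_alive(url, timeout=10):
    """Step 2 over the network: HEAD request; 404/410 or no answer means dead."""
    try:
        with urlopen(Request(url, method="HEAD"), timeout=timeout):
            return True
    except HTTPError as err:
        return err.code not in (404, 410)  # other errors: keep for manual review
    except (OSError, ValueError):
        return False  # host unreachable or URL unusable

def draft_notices(urls, product, owner_details, statement, contacts, is_alive=http_is_alive):
    """Steps 2 and 3. Returns {provider: (abuse_address_or_None, notice_text)}."""
    grouped = defaultdict(list)
    for url in dict.fromkeys(u.strip() for u in urls):  # de-duplicate, keep order
        provider = provider_of(url)
        if provider and is_alive(url):
            grouped[provider].append(url)
    notices = {}
    for provider, links in sorted(grouped.items()):
        text = "\n".join([
            f"I am the copyright owner of {product}.",
            "The following download locations are unauthorized and infringe my copyright:",
            *links,
            statement,
            owner_details,
        ])
        notices[provider] = (contacts.get(provider), text)
    return notices

# Constructed sample input: hosts under .example, made-up paths.
SAMPLE_URLS = [
    "http://www.filehost-a.example/files/1001",
    "http://dl3.filehost-a.example/files/1002",
    "http://www.filehost-a.example/files/1001 ",  # duplicate with trailing space
    "https://filehost-b.example/d/abc",
    "https://filehost-b.example/d/old",           # dead link
    "ftp://filehost-c.example/x",                 # not a web download
]
DEAD = {"https://filehost-b.example/d/old"}
CONTACTS = {"filehost-a.example": "abuse@filehost-a.example"}  # placeholder address

def sample_notices():
    return draft_notices(SAMPLE_URLS, "ExampleApp", "Example Owner, 1 Example Street",
                         "<statements required by the provider>", CONTACTS,
                         is_alive=lambda url: url not in DEAD)

if __name__ == "__main__":
    for provider, (to, text) in sample_notices().items():
        print(f"--- {provider} -> {to or 'look up on provider site'}\n{text}\n")
```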
The DMCA takedown notice
Strictly speaking when you send a DMCA notice you are making allegations of copyright infringement, which is a serious crime. You would imagine that a formal complaint should be launched under the guidance of a solicitor/lawyer. Given the amount of copyright infringement that goes on, the red tape would bring everything to a standstill. The beauty of the DMCA law is that it simplifies the procedure. Sometimes a plain English email explaining the situation to the download site, along with a list of your download locations is all that’s required to have the links removed.
A few websites require a more formal DMCA email including details such as your company address, contact telephone numbers, and some boilerplate statements like “I swear, under penalty of perjury, that the information in the notification is accurate…”. You can find many sample DMCA notices online so I won’t repeat them here. The general idea is that you present yourself as the copyright owner and declare the download URLs as unauthorized, and therefore infringing your copyright.
Torrents slip by
DMCA is very good for removing illegal downloads hosted in popular file sharing websites, but it is powerless against torrents. There is no single source for the download, as the files are kept in many computers. You would have to contact each and every person who shares illegal copies of your software in the peer-to-peer network. This would be hopeless and a waste of effort. Thankfully for the ISV, torrent use is on the decline. People prefer direct downloads of the full package instead of slower peer-to-peer downloads.
The sales pitch
Anyone can search and remove illegal downloads manually. I was doing it the hard way for quite some time, each time I released a new version of my software tool (there’s a lot of cracker activity for each release as they need to update their patches and keygens). However this is very tedious, as you must:
- enter shady warez forums to search for your keyword, facing annoying popups and adverts you wouldn’t want your wife to see
- search many locations to ensure you get as many download URLs as possible
- validate each download URL to see if it is still alive or dead
- organize download URLs and write DMCA takedown emails for each file hosting website
Even if one wipes all the illegal downloads, new ones will appear over time. So the locate-report-remove cycle must be repeated regularly. This was the motivation for writing Crack Tracker, a tool that simplifies the removal of illegal downloads.
Crack Tracker is a desktop tool, with a meta search engine that securely scans warez databases for your downloads. You supply the search keyword (e.g. your software title or company name) then Crack Tracker will do an exhaustive search, collect a list of suspect download locations and verify the links with robotic efficiency. After you examine the results you just hit a button and the relevant DMCA emails are sent automatically. It doesn’t get any easier than that.
Crack Tracker doesn’t have a fancy user interface but it is very easy to use. It knows of more than 120 file hosting websites and works with 6 major warez search engines (the list is expanding). It is free to try as a search engine; to send the actual DMCA emails you need a registration, but I believe the price is very reasonable, especially if you consider the money you lose in pirated versions of your software.
Why don’t you try it for free and see how many cracks of your software it finds?
Download CrackTracker for Windows (318KB)
Nikos Bozinis ditched his Process Systems Engineering PhD to run his own microISV ZABKAT since 1999. He also writes a weekly blog focusing on file management and occasionally on programming, debugging and running a software business.
Good post – thanks. Good to know we’re all in the same boat, at any rate.
Interesting article and cool link!
Do you have a crack for it ;)
Thank you for this useful information. I also noticed that 1 or 2 weeks after I posted my software on “clean” download sites, some cracks and serial numbers appeared on “dirty” sites. I didn’t try to download any cracked version of my own software (especially for fear of viruses or trojans) but I’m not sure all these cracks and serials are actually effective. I think sometimes, dirty sites just list your software (whose name has been retrieved from other clean sites) plus words like “crack”, “patch”, “keygen” next to it just for advertising purposes (and Google ranking): indeed, a dirty site that claims to have every last software’s crack is likely to be famous and visited.
Anyway, I also want to say there are several kinds of protection devices. I use a third-party tool that uses a hardware identification code. Normally, this ensures that a single code cannot work on different computers. This is not always convenient (for me as well as the customer) but it seems to be quite efficient. Does anyone have any opinion about this technique or any other one?
You can’t stop us. Concede that bits are bits, digits digits, and numbers numbers. You can’t own a number any more than you can own gravity or electromagnetism.
Hackers of the world, unite!
You are so lame…
Long Live the Scene.
We, at Software Candy, take a different approach: We don’t copy-protect our software.
Yes, you heard this right. We do not employ annoying activation or copy-protection schemes.
Why annoy the very best people that support us?
We respect our customers — and our customers respect us in return. That’s how it should work and that’s how we achieve 100% customer satisfaction (among other things). We had customers coming back to purchase the same exact download for additional computers, despite knowing that they could *technically* re-use the setup file.
As long as the market tells us that our customers are not interested in copy-protection schemes that only complicate install, backup & restore, transfer to a replacement computer, etc. we will continue this approach.
“Why buy something when you can download it ‘for free’?”
Because it’s software worth supporting and you have the spare money to support the developer.
“The traditional music industry is already down on its knees as a result”
I haven’t seen a millionaire musician in years. Oh, wait. No. We see them daily. No, they aren’t hurting at all. They just want you to believe they are and you’re eating it up. We continually hear about record breaking sales of music and movies and how it made X billion dollars more than the last record or movie did.
“I estimate over 70% of the regular users use one of the known keygens. Imagine if this 70% didn’t exist or it was converted to regular paying customers!”
If they couldn’t use it for free, most probably wouldn’t use it at all. There will always be some free (Freeware/OSS) software that does roughly the same thing. They’d just switch. They might be using your software for free right now, but they might also be telling people that your software is good and generating sales for you.
TL;DR The people who do not want to pay for software will not pay for software. They are not a lost sale. They would never have given you money to begin with. That doesn’t make it right, but it makes things like “We’re losing billions!” complete rubbish.
Very timely post for me as I’m about to unleash my software on the world!
This is interesting, we’ve had a similar product under development for about half a year that does something similar: Pirate Poacher. Instead of making the users manually search for their cracked product and manually making them send DMCA notices we handle it all. Plus we keep track of when the links are removed.
Also Pirate Poacher does deep scans of the web — we don’t wait for “pirate aggregators” to scrape the links. We actively index pirate sites. Additionally we also send DMCA notices to public torrent trackers.
Some of the commenters have misunderstood the point of this article. I am NOT advocating using more annoying protection to avoid software piracy.
What I am saying is that piracy exists, it is costing sales and now there is a NEW idea how to go about fighting it: removing the warez from file sharing websites like rapidshare.com, where a large chunk of people get their ‘free’ software from.
I am sure some extra cash will come in as fewer people have easy access to your cracked software. How much more is debatable, but as this is a new approach, I believe it at least deserves some experimenting with before we reach any dismissive conclusions!
1. You are right. Piracy is a problem.
2. You are right. Users hate annoying DRM.
3. You are wrong “music industry is already down on its knees as a result”. The music industry has seen increased sales year over year. It is the recording industry that is down and that is not from piracy that is from acts finding their own path through the Internet.
4. You are wrong. Those reports that you link to about losing billions of dollars are fabricated with no real evidence of actual dollars lost.
Read Tech Dirt for the real story of what is going on.
The best way to fight piracy is to make a good product. Of course it will still be pirated but there will be people willing to pay for it if it is worth it. And wasting your time sending DMCA take downs is a short term solution. The crackers (not hackers) will just post another version as soon as they see it taken down.
Hackers do not pirate software, they figure out how things work. Crackers pirate software and put it out there for all to get for free.
I don’t claim to have Pope’s infallibility but accusing someone of being wrong just because you read something somewhere is far fetched! If you want _real_ evidence, here is some from a case study I did with _real_ pirate data:
> The crackers will just post another version
> as soon as they see it taken down.
This is also not true. I have been removing downloads to xplorer2 for some time and there is a clear pattern. Only when I release a new version will the crackers get their act going again. So you have to do your periodic DMCA notices but you don’t have to do it every day!
Tech Dirt http://www.techdirt.com/
Nick your case study is all very well, but based on the obviously flawed assumption that everyone who would download a cracked version of the software could be persuaded to pay for it. Drastically reducing the price would persuade quite a few, but even then some people don’t pay on principle.
It’s very hard to come up with evidence-based figures on how much money you lose. I wonder what scientific studies have been done to establish some estimates? Even if you had some proven ratios, it would still vary with price, product, presentation, crack availability…
So yes making cracks less available is likely to help sales slightly – but I doubt it would be even 15%, given the highly competitive product space (including freeware). Your post definitely doesn’t give “hard facts to take away”.
Did you see this other ‘case study’ mentioned above?
It is hard to get solid dollar facts, but at least you could say that in the absence of cracks people could have the same chances of buying like every other legitimate download of your trial software (whatever your conversion ratio is).
Tools like Crack Tracker run automatically and remove cracks without hassle. Even if you get a small sales increase then it would be worth the price and effort!
Yeah that’s the case study I was talking about.
Does your software monitor whether/when the cracks are removed?
Thanks for this link http://zabkat.com/blog/23-jan-11-software-piracy-map.htm
Sorry that first sentence should say “that *most* who would download a cracked version”…
I’ll concede to the DMCA concern. Most pirates are pretty insistent on keeping things pirated so I just assumed that they would do whatever it takes to get around the DMCA take downs.
On the point of money lost to piracy in software, music etc. I didn’t just read it somewhere. All the studies showing billions in lost profits have been debunked. Your personal experiment may have shown a certain correlation but the numbers touted by the industry giants are one download equals one lost sale. Which is entirely bogus.
Referring now to the excellent question opening this blog post: “Why buy something when you can download it ‘for free’?”
Quoting from the excellent “Better than Free” article from The Technium: People will pay for Immediacy, Personalization, Authenticity, Embodiment, Patronage and Findability.
Copy protection does affect immediacy but short term only.
The best way to avoid piracy is to make people love your software. Only then they would be willing to pay for it. I am gradually making the protection in my software easier and easier to circumvent. Crackers are less and less likely to bother with a “patch”, because there is no challenge. It is working.
Thinking that someone will buy just because they cannot find a crack is nonsense. Majority of the people, who even try to search for a crack, are not buying no matter what. They will either find a crack or switch to a competing (possibly free) software.
If you want to prove that your software is useful, do a real study that shows how sales go up (or not) after the software was used to remove the cracks.
Even if your software were successful in removing the cracks, they will re-appear soon. Remember that that process too can be automated and more easily than the removing, because it does not require human interaction.
From my point of view, your software will accomplish one thing: More automated email.
Yes, some people DO download cracked software, “full releases” and/or use serial numbers/keys they find on the Internet rather than pay. I’ve been guilty of this in the past. I don’t do it anymore but I’m ashamed to say that I have indeed used software for free (software I _would_ have paid for if it wasn’t available for free) by searching for illegal downloads online. So, anyone who says “people who download illegal software free wouldn’t pay for it even if free access wasn’t available” simply doesn’t know what they are talking about.
“Downloading the latest movie or windows software from rapidshare.com somehow doesn’t strike them as theft — it’s not like stealing a loaf of bread!”
I do agree that piracy is a problem, but I am sick and tired of reading that this is theft. It is NOT.
Do we really need this kind of rhetoric?
“Do we really need this kind of rhetoric?”
Do we really need this kind of semantics?
Call it whatever one will. The real point is it’s a crime. Engaging in it is a crime making the person doing it a criminal. Who cares if they want to nit pick – and are oblivious to jurisdictions defining and prosecuting it as theft when some do – when at the end of the day they are merely talentless crooks or as the “scene” commenting above would say – “lamers”.
At the end of the day semantics on naming it go nowhere, are no defence in court and let’s face it – can still get the perp a hefty fine and/or serious jail time.
It’s not just semantics. In some countries, you can go to jail for believing the wrong religion. In others, you can go to jail for “stealing” a number.
People who pirate believe it is not stealing, because information is copied, it is not taken. The internet has changed the nature of the information marketplace, making distribution costs essentially zero, and anti-piracy measures are like trying to hold back the tide.
Actually, Chris, in the jurisdiction I live in it IS tried as theft. I know this because I’ve had people prosecuted that way for companies I’ve worked for and represented.
But that, again, is semantics. For you to then jump to “The internet has changed the nature of the information marketplace…” is really the point you are trying to make. So, regarding that point, the Internet changed nothing in respect of the law. What changed was opportunity. Highways make it easier to commit crimes in far off places. By the logic you use we should then make those crimes not crimes because the highway makes the effort of getting to that location so much easier, cheaper and less effort?
My point was, just because it’s illegal doesn’t mean it should be illegal. There is a lot of discussion still to be done about what information should be controlled and how.
Before digital distribution, there wasn’t so much debate over copyrights because copying was so laborious it wasn’t worth doing except to resell. Now copying is free, people copy without reselling someone else’s work, without impersonating the original author, and without needing to even borrow the original information medium.
Copying something is clearly different to taking a physical item from someone. How can it be stealing, when the original owner doesn’t lose anything? Granted, they *might* lose profits, but it’s not at all automatic. Sometimes profits even increase due to piracy! The argument that because people sometimes copy, that they always copy, or that every copy made denies the original author of profit, is ridiculous.
Free distribution in an industry should result in a big change in prices. If it doesn’t, there must be some kind of monopoly going on, which is the kind of thing that’s supposed to be legislated against.
There is a place for copyrights, but they should not prevent competition or creativity. The scientific revolution and the internet revolution have changed the world for the better through the free transfer of information, and could not have happened if everything had been tied up in copyrights, as some industry associations would like. The anti-piracy movement has gone so far as to try to stop parodies and remixes of art, which seems especially boneheaded since both usually increase demand for the original…
Information publishers need to come to terms with their new role as service providers instead of distributors.
We are going to have to agree to disagree on your insistence upon semantics and your view a workable system should change to accommodate the morally bankrupt. I’m 100% behind Intellectual Property law as it stands. I would like to see and do indeed lobby for it to be strengthened. Personally I’d like to see more people collared when caught and for the full convictions to be enforced more frequently than they are.
Crack users will never buy the software; people who purchase software will always pay for programs they need.
I don’t agree and I have evidence to the contrary. As Ariely shows in ‘predictably irrational’ most people can be a bit dishonest, depending on the circumstances.
The very best people will always pay for programs they need.