PerfectTablePlan Royal Wedding Special

It is the Royal Wedding tomorrow and everything has gone Royal Wedding crazy here in the UK. I did send the happy couple a complimentary copy of my Perfect Table Plan software a while ago. I haven’t heard anything back, but I will be checking my support emails tomorrow morning, just in case. ;0)

I am doing my bit to ~~cash in~~ honour the occasion by putting the Home Edition of Perfect Table Plan on one-day discount site BitsDuJour on the big day. 51% off for 29th April only.

After the discount, BitsDuJour’s commission and support costs, I won’t be making much per sale. But I figure it might be worth it for the exposure to a different audience. Also some of the purchasers might upgrade later. My product is rather different to most of the other products featured on BitsDuJour, so it will be interesting to see how it does.

Will you, or anyone you know, be planning a seated event (wedding, charity gala, award ceremony etc) in the future? If so, you can get the 51% discount here.

Interview with a cracker

Through an unforeseen series of events, I have ended up corresponding with a cracker known only to me by a Hotmail address and the pseudonym “CrackZ”. It quickly became clear that he knew what he was talking about, but was motivated by curiosity rather than criminality. Obviously crackers are a more diverse group than the criminal masterminds and script kiddies of popular imagination. To my surprise he agreed to be interviewed for this blog and I jumped at the chance to find out a bit more about the shadowy world of cracking.

*** I realize this is an emotive subject, but please read the whole interview before posting anything in the comments. ***

What is your background? How did you get into cracking software?

I graduated in software engineering about 10 years ago and started out seriously cracking software in my first year at University. It was the first time I’d had access to a fast, unmetered Internet connection and my interest became collecting software and then breaking it; most of my associates never proceeded much beyond the downloading lots of free software stage. Prior to this I’d really only ever had a casual knowledge of the piracy scene from owning a Spectrum, Commodore 64 and then an Amiga. Think tapes and copy disks being swapped in the playground and you wouldn’t be far wrong ;-). The first PC experiences I can recall were studying some very early Phrozen Crew cracks and the Quox virus that someone gave to me on a disk.

Do you also write software? Is your day job in the IT industry?

Yes and yes.

What is the motivation for cracking software?

Motivation for cracking really seems to vary. For me I think it’s always been mainly about the intellectual challenge, studying code, or ‘breaking the minds of protection authors’ as one correspondent so eloquently put it. For many there is also the ‘social aspect’ of being amongst a like-minded group of individuals (see some of the interviews with former members of famous groups e.g. PWA, DOD if you want to understand how powerful a *pull* the social element can be). Then there are also those who simply enjoy getting software for free or those who do it simply for ‘kicks’. Contrary to the various anti-piracy associations’ propaganda, very few of those I’ve ever been associated with have been motivated financially. That’s not a justification of course, but it might help if most authors realised that the person who cracked their software is more likely a bored 16 year old Chinese male than a future terrorist.

Is cracking an individual activity or is it organized?

The answer is both, but that is an oversimplification. Most of my cracking has been pretty much a lone-wolf occupation, although there have been times I have worked with others on group projects, expensive CAD/CAM applications for example. One only has to look at the scene to see that there are plenty of organized groups out there and some of the group infrastructures I’ve seen would rival small corporations in their sophistication. A lot of authors are often quite surprised to find their software on the cracking scene radar.

What is your attitude to intellectual property? Do you release cracks and keygens ‘into the wild’? What do you think of those that do?

I’ve actually gone full circle here; in my early years IP literally meant absolutely nothing to me, the value of the software didn’t matter and authors were inconsequential. I would happily release cracks and key generators under a variety of nicknames and scene groups and I didn’t lie awake at night thinking about the damage I might be causing to someone’s livelihood. Currently, I’m 100% in the ethical category (you can debate that). I haven’t been able to curb my interest in protection code, but have managed to channel my interest towards simply contacting the authors when I have broken their code. Sometimes I’ll even offer a little helpful advice; though I’m afraid that’s probably the ‘moral best’ I’m ever going to be. I don’t support those who release cracks and key generators. I’ve heard enough from authors to know how damaging it can be, but anyone who has ever experienced the scene can probably understand why it still happens and will continue.

I can understand the attraction of cracking as an intellectual challenge. But why do some crackers then release the cracks? What do they gain?

Respect amongst their peers and the ‘scene’ at large and dubious notoriety. I’ve known some who did so in order to get a job.

When people release cracks do they think about the effect they are having on the livelihoods of the people who write the software? Do they care?

My guess would be ‘probably not’ on both counts. I think this changes with age though and many get more considerate as they get older.

What is your opinion of people that add trojan horses and other malware to cracks?

I suppose I might be accused of some degree of hypocrisy ;-), but these really are the bottom-feeders and low-lifes of the world.

What types of software do you target?

Myself it has been pretty much exclusively Windows, with the occasional bit of *nix, but there is plenty of interest in virtually every platform out there, even groups dedicated solely to them. Nothing escapes attention these days.

What tools and techniques do you use for cracking?

My tools of choice are IDAPro (the best disassembler which also includes a debugger) and also a mixture of other debuggers depending on the target (e.g. OllyDbg, SoftICE, Syser and even WinDbg). And then there are other associated tools like a decent Hex Editor (Hiew, UltraEdit) and more specific utilities covering the various cracking fields. There are quite a few books out there on the subject of reverse engineering that list virtually all of the tools in most crackers’ toolsets.

How long does it take you to crack the protection on an average piece of software?

On average shareware protections I’d usually be able to break them in a matter of hours, although understanding their intricacies might take a good deal longer. I’ve had some fall in minutes and others take full days of analysis. Perhaps as a small comfort, I’d say that each year the average protection seems to be getting a little more difficult to crack.

How long are you prepared to spend to try to crack a piece of software? Do you ever come across software you can’t crack?

In the past I’d be prepared to invest most of the hours in a day in one piece of software. I’d make literally pages of notes on paper and in the disassembler, naming functions, variables, structures, commenting fields etc. For many crackers time is a commodity they have in spades. I’ve met several targets that I couldn’t crack and several I simply didn’t bother completing because others had beaten me to it. Of the few I couldn’t break I did understand the reasons why (some need specific server-side responses). In some cases, several years later, users sent me the necessary hardware / information to enable me to break those targets.

Are applications protected by commercial anti-piracy software harder to crack than applications with home grown protection?

This is a tricky one; commercial anti-piracy software is pretty much exclusively written by ex-members of the cracking community and by default is protected better than many authors’ own creations. However, once a protector gains what I’d best term as a ‘critical usage mass’, its attractiveness as a target becomes that much greater. Experienced crackers are drawn to it almost like moths to a flame, since breaking an entire ‘protector’ can yield a lot of targets. Some of the very best and worst of the protections I’ve seen have been of the home grown variety. A lot of authors (IMHO rightly) conclude that improving the attractiveness of their software to potential customers is a much more productive use of their time than writing the ultimate copy protection.

Is software that phones home harder to crack?

Software that simply ‘phones home’ presents more of a nuisance than any real barrier to cracking. I’ve seen some that implement server license checking (mIRC is a widely available example) and it hasn’t stopped the cracks appearing. Several other targets have required decryption keys to be fetched from the server and these also haven’t presented any real problem. It’s worth remembering that a cracker will often have access to a legitimate license with which to perform his study. At some stage a true client/server protection model over the internet will be a real possibility (MS has some stuff already like this), where all of the code is actually executing on a server. This will most likely simply move the goalposts, but seeing as a lot of the software I have been asked to look into was leaked to me by company employees the server model might not be as secure as it suggests.

Do hardware solutions (e.g. dongles) make software significantly harder to crack?

Hardware keys and, more recently, smart cards do make software harder to crack, largely due to the fact there is usually an element of hardware encryption these devices perform that can’t be easily replicated without access to the original device. However, over the years, I’ve met literally hundreds of disgruntled end-users of these devices, many of whom have sent me their keys and risked their jobs just to be free of them. A few eastern European contacts of mine sell ‘dongle emulating’ solutions and have archives of probably more than 10,000 individual dongles.

Is any method of securing software 100% secure?

Absolutely not, and anyone who tells you otherwise is lying.

What are the commonest mistakes software developers make related to security?

In no particular order:

  1. Depending on commercial protection schemes for security.
  2. Directly comparing the license string entered with the correct one.
  3. Not using some sort of encryption/obfuscation (XOR isn’t *good* encryption).
  4. Using a single simplistic registration function that is easy to isolate.
  5. Displaying message boxes with helpful strings sending the cracker straight to the protection code.
  6. Not integrity checking against patching.
  7. Not updating the software once a crack is discovered in the wild.

Do you think software vendors should spend more time making their software harder to crack?

I’m pragmatic; I’d advise all software authors to invest time in a *reasonable* copy protection and keep abreast of whether cracks are out there, educating your potential customers can be worthwhile. Make your protection something custom and use some imagination by all means, but make it proportional to what you are protecting. There isn’t much point having a £million lock on a £100 product, you simply can’t defeat every single cracker out there.

Can you expand on “educating your customers can be worthwhile”?

‘Educating’ might be the wrong word, but appealing to people’s conscience can be quite effective. A few software authors have ‘crack catcher pages’ for the search engines that say things like “I work 60hrs per day on my software, please support me if you want me to continue adding features” etc. It’s also worth pointing out that there are plenty of con-merchants and dodgy sites out there selling cracks that often do contain trojans/viruses. One could also appeal to the fact that ‘time is money’ for a lot of potential software buyers, so why invest several hours of their life looking for a crack if it’s more cost effective to buy?

Can you recommend any online resources for authors wanting to know how they can protect their software better?

There are several books and web resources on anti-debugging & protection advice, Google will find them ;-). There are also several mainstream books, Pavol Cerven’s springs to mind.

Success is always one feature away

In my consulting and various other dealings with aspiring microISVs, I notice certain recurring patterns. One of the most common is the belief that it is just one missing feature that is holding back a product from the commercial success it deserves. As soon as that feature is coded the sales are going to come pouring in! When they don’t, then maybe it was that other missing feature that our competitor has. It is a horizon that keeps receding until you run out of money or enthusiasm. But, in my experience, poor sales are almost always due to insufficient marketing. A fact that is borne out by these 13 case studies. It doesn’t matter how great your software is if no-one knows about it, or if you can’t persuade them to try it when they do find out about it.

It isn’t surprising that microISVs fixate on features. MicroISVs tend to come from a programming background and learn marketing on the job (I have yet to meet a microISV who started off in marketing and taught themself programming). Features and coding are what we like to do best and it feels like ‘real work’. But all too often the warm embrace of an IDE is just an excuse to stay in our comfort zone. Of course, features are important. No features = no product. But, if you have got low traffic to your website and/or you are doing a lousy job of communicating with people that arrive at your site, then adding more features really isn’t going to help much. If you are in a hole, stop digging. Successful marketing is about being different from your competitors. You can even make a virtue of your lack of features. If you are competing against more feature-rich competitors, then emphasize the simplicity and ease-of-use of your product instead. It certainly seems to work for 37Signals.

Marketing can seem like a very alien discipline for someone from a programming background. But you can learn it like any other skill. There is loads of great information out there, for example Eric Sink’s marketing for geeks. Also, some elements of online marketing are actually quite technical with plenty of opportunities for number crunching. Analytics, A/B testing and Adwords will give you more data than you know what to do with. This can give programmers a considerable advantage over people from a more traditional marketing background, many of whom don’t seem to be able to handle anything more complicated than a 2×2 matrix. You don’t have to be a marketing genius, you just need to be better than your competitors (in the same way that you don’t need to be able to run faster than a lion to survive a lion attack, you just need to be able to run faster than the next guy). Given that your competitors are likely to be other programmers (who are probably also not doing enough marketing) or people from a marketing background (who don’t really understand software and are probably more interested in long lunches) that may not be as hard as you think.

ESWC 2011 registration is now open

Registration is now open for the European Software Conference 2011. It is on 19th-20th November in London, with informal drinks the evening before. This is the top European event for microISVs and other small software businesses. It is always good to meet up with other microISVs and London is a great city to visit, even if only to remind yourself how glad you are you don’t live in a big city. The early bird rates are just 55 Euros (with no meals) and 155 Euros (including 2 networking dinners). The schedule is still being fleshed out. I will be doing a talk, provisionally titled “Promoting your software”. Watch this space for more details. There are still some spare speaking slots. It would be nice to see some new faces doing talks, so why not volunteer?

Sadly there might not be a Software Industry Conference this year. But if you are based in the USA you might want to consider MicroConf 2011 in Vegas 6th-7th June. There is also Business of Software 2011 in Boston 24th-26th October, but I think this is aimed more at larger software companies (or those that want to be larger software companies).

Is it possible to run a successful software business with a 4 hour work week?

Tim Ferriss’ ‘Four Hour Work Week’ is a thought provoking, but controversial, book. One of the central ideas he promotes is that you should be able to use outsourcing to create a money making business (‘muse’) that you can run in only a few hours per week. Leaving you with enough free time and income to travel the world, learn to tango or otherwise amuse yourself. But I am highly sceptical that anyone can sustain, let alone grow, a software business long term, working only 4 hours per week. I have run my own business working less than 10 hours a week for a month or two at a time while travelling or doing house renovations. But it only gave me enough time to keep things ticking over. I wasn’t able to improve my product or marketing. I am sure my business would decline in the face of technological changes and hungrier competitors if I kept this up for too long. I have spoken to other owners of small software businesses and they were of a similar opinion.

So I was interested to see a case study on the Four Hour Work Week blog from someone running a software business. Brandon Pearce owns musicsteachershelper.com, a slick-looking web based app for music teachers.

He says that after 5 years he is making $25k in sales per month with $10-12k in expenses per month[1] and no employees[2]. So that is a net profit of around $168k per year. That’s not too shabby, especially when you consider that he lives in Costa Rica and says he works just 5 hours per week. That’s nearly $650 per hour!

But he doesn’t say how many hours per week he worked to build the business. He also says in the case study:

With a complex web application, you can’t write it once and be done; you need to continue making enhancements and listen to user feedback in order to have a successful product.

I couldn’t see how this squared with working only 5 hours per week. Even if you are outsourcing everything you still need to manage the outsourcing, which can be time consuming in itself. I emailed him for some clarification and he was kind enough to give some more details:

It’s hard to give an average time worked over the past five years, since it’s changed so much. The first two years I was also working full-time as a programmer, but spent most of my free time working on the site – probably 10-20 hours per week. Once I quit my job (years 3-4) I worked probably 40 hours per week on the site. The past year or two, it varies from week to week. Some weeks I’ll only work 2 hours on it, some I’ll work more like 15, if I’m preparing for a new feature, special offer, or doing a big launch of some kind. But these days I’m averaging about 5 hours per week, and it’s been that way for well over a year.

Yes, I can definitely sustain and improve profit levels at this number of hours. The business is a well-oiled machine, and I have teams that are working to help continue to improve and grow the business in various ways, largely without my constant supervision. The business continues to grow every month, regardless of how much I work.

What do I spend these 5 hours doing? Mainly reviewing the new features or bug fixes the programmers have been working on, the requests from customers that the support team has submitted, and determining which items I want the programmers working on next. I also spend a little time handling some of the more difficult support or billing issues, paying my workers, managing a few PPC campaigns, answering e-mails, and checking stats. Recently, I’ve also been writing the scripts for some new video tutorials, and finding people to help produce the videos, too.

So, pretty much everything I do at this point could also be outsourced, allowing me to work even less, but at this point, I still enjoy this work, and it allows me to keep some important aspect of control on the business. Some day I may decide to work even less, but I’m pretty happy with 5 hours at the moment. :)

So, unsurprisingly, it took a lot more than 5 hours per week to reach this point. And only time will tell whether he can continue to maintain (let alone grow) this business with such minimal input. It will be an impressive achievement if he can. But I think Brandon is the exception rather than the rule. Perhaps he is particularly talented or lucky. Very few of the successful software business owners I know work short hours for extended periods. Also I have no way to verify Brandon’s numbers. So I would recommend viewing Brandon’s case study as something to aspire to, rather than a likely outcome.

Brandon has a blog and is writing a book about his experiences creating MusicTeachersHelper.com “in the hopes that it will help others who want to do something similar”. It should be an interesting read. Given all the spare time he has it shouldn’t take him long to finish it!

Further reading:

http://brandonpearce.com/2009/02/i-lived-a-4-hour-work-week/

http://brandonpearce.com/2009/04/how-i-spend-my-time/

[1] He mentions the expenses in the comments.

[2] He does use several contractors, some of whom work full time.

TestRail

The guys at Gurock Software were kind enough to send me this testimonial after I did some consulting on TestRail, their web based test management software.

After launching our new test management software TestRail early last year, we recently contacted Andy to help us increase the visibility of our product. Based on customer feedback and reviews, we knew that many software development teams prefer TestRail over legacy solutions that are difficult to use. But we also knew that most teams weren’t aware of our new product, so we wanted to improve this situation.

The first thing Andy did was to try and test the application as a normal user would use it. While he walked through the application and briefly tested its major features, he recorded a video of this experience and narrated the video with comments and suggestions. Seeing how a first-time user uses your application can be very useful and it definitely showed us a few things that we could improve.

Learning more about the application was also important for the next step: Andy interviewed us to learn more about our goals, marketing methods and many other things. He then prepared a detailed and thorough report with many suggestions, comments and recommendations. Implementing all those suggestions will take time but we are already seeing first positive results of the short-term improvements that we’ve implemented. If you want to bring your product (or product marketing) to the next level, Andy’s consulting service is highly recommended.

Dennis Gurock, http://www.gurock.com

Although only launched last year, TestRail is already a polished product with an impressive customer list. If you have a suite of test cases you need to manage, I suggest you take a look.

A small experiment with LinkedIn ads

LinkedIn.com (the B2B equivalent of Facebook) supports Google style pay per click ads. So I decided to run some ads for my seating planner software as an experiment. Here is a brief summary of my (very brief) experiences.

The good news

LinkedIn ads can be laser targeted. You can specify who you want to see your ad based on their job function, company, gender, age group, country and (best of all) the LinkedIn groups they belong to. I targeted 10,102 LinkedIn members who live in wealthy English speaking countries, belong to various LinkedIn groups related to event planning and have appropriate job titles. The campaign was quite painless to set up. It probably took me less than 10 minutes in total and I started getting impressions within an hour or so.

The bad news

The minimum allowed CPC (cost per click) was $2. Ouch. I know from extensive experience with Google Adwords that there is no way I can get a return on that.

The minimum allowed CPM (cost per thousand impressions) was $3. If the CTR (click through rate) is around 1% (about what you might expect from Google search ads) this is $0.30 per click. Possibly profitable. If the CTR is around 0.1% (about what you might expect from Facebook ads) this is $3 per click. No better than the CPC bidding. Given that LinkedIn is more similar to Facebook than Google search, I expected the latter. I decided to spend a few dollars to find out. The results are below:

So, with an average 0.17% CTR, I ended up spending $1.76 per click. Given my average transaction value and a realistic conversion rate I know that I can’t make any return on this. Also the CTR is likely to drop the more often people see the ad. So I stopped the experiment after less than 24 hours, before I wasted any more time or money. As far as I can tell (based on my own cookie tracking – LinkedIn ads don’t have their own conversion tracking) I didn’t make any sales. But that is hardly surprising given the small number of clicks.

Summary

Obviously $19.38 is a tiny amount to spend, but I think it told me what I needed to know about LinkedIn ads. Unless they reduce their CPC or CPM bid prices by an order of magnitude there is no way I can make a return. Of course, if you are selling a product where the average lifetime value of a customer is hundreds or thousands of dollars, the numbers might work out quite differently for you.

Related posts:

Advertising your software on Facebook (=Fail)

Does the world *really* need yet another Twitter client, RSS reader, ToDo list or backup application?

My heart sinks every time I hear a would-be-entrepreneur announcing they have written yet another Twitter client, RSS reader, ToDo list or backup application. Haven’t we got enough of those already? There are more than 1,900 Twitter apps already (possibly a lot more). Somebody probably released another one while I was writing this post. We have passed the Twitter app event horizon, where it is probably quicker to write your own custom app than it is to try and work out if any of the existing apps fulfils your requirements.

Even if you have done something radically new, interesting and different in one of these markets, how are you ever going to get noticed amongst thousands of more established competitors? Wouldn’t it be better to find a market that is currently under-served by software? It may be less fashionable than writing software for other techies, but it will probably contribute more to the sum of human happiness and be a lot more profitable.

There must be thousands of niches where there is a real need for software, but limited competition. You just need to open your eyes to the bigger world around you. It may mean having to learn about an unfamiliar domain. But it is generally much easier for a software developer to learn some domain knowledge about, say, butterfly collecting, than it is for the average butterfly collector to learn to create a software product. Next time you are talking to a non-techie about their job or hobbies, just ask them “Do you use software for that?” and “Is it any good?”. The ideal answers you are looking for are “Yes” (if there are existing software packages, there is probably a market) and “No” (maybe you can do better).

How to remove software cracks and keygens from file hosting sites

Software piracy is a real issue for every software company, large and small, and it isn’t going away any time soon. So when I heard that fellow microISV owner Nikos Bozinis had created a tool to help software vendors fight piracy, I asked him to write a guest post. He kindly agreed to write this post about software piracy, the Digital Millennium Copyright Act and his CrackTracker product.

Why buy something when you can download it ‘for free’? Billions of dollars are lost every year from illegal downloads of music, movies and software. People around the world seem to have very lax morals when it comes to abusing digital content. Downloading the latest movie or Windows software from rapidshare.com somehow doesn’t strike them as theft — it’s not like stealing a loaf of bread! The traditional music industry is already down on its knees as a result, and software may be the next to follow.

Software authors and music enterprises are fighting back by tightening the DRM (Digital Rights Management) of their products in a futile effort to stop online piracy. But usually crackers have no problem circumventing any protection system that we can dream up. To add insult to injury legitimate customers are usually hurt by such reinforced software protection and activation systems. A little bit like the war on terror, isn’t it?

A different line of defense for ailing copyright owners is the Digital Millennium Copyright Act (DMCA), a US law with global reach for copyright protection (the European EUCD equivalent is not as broadly known). This law is very broad, and not without controversy, but it works – closing down websites that distribute illegal content and removing copyright infringing downloads from file-hosting websites with summary procedures, among other things. So if you discover your software illegally distributed in some warez website, you can send a so-called “DMCA section 512 takedown notice” to the website host and they are expected to remove that particular file from circulation — or risk the wrath of the law.

Software Piracy

I have been a microISV for over 10 years so let’s forget about the entertainment industry and concentrate on my field, software. There are over 200,000 programs listed on download.com and that’s just for Windows. Many are created by very small to medium sized companies — many even run by a single programmer/webmaster/marketer/entrepreneur. I bet that all these programs are cracked in one way or another — at least those popular enough for crackers to care about them. If you search for warez or torrents you will find the software you want for free, either the latest or an older working version.

Piracy statistics from Business Software Alliance report 2009.

I sell a file manager called xplorer². I track how many people install the program every day and also I have a good guesstimate for the number of people using cracked versions of xplorer². I estimate over 70% of the regular users use one of the known keygens. Imagine if this 70% didn’t exist or it was converted to regular paying customers!

How is it done?

Downloadable software falls into 2 categories: those that run in trial mode until you buy a key to unlock the full functionality; and those that are special downloads for customers that pay the registration fee. In all cases some sort of unlocking takes place using a plain key, or a license file, or online activation, or some combination thereof. Many ISVs write their own licensing code, while others rely on off-the-shelf protection and licensing products (Armadillo, WinLicense etc).

If you shipped your source code along with your program, it would be trivial for even amateur crackers to bypass your protection and run the program without paying. Very few vendors supply source code, but people in the know can read off your licensing logic like an open book using specialized reverse engineering tools (SoftICE, IDA and other debuggers and disassemblers). Then they can create a ‘patch’ or modification to your executable that bypasses the protection.

An even worse type of compromise is a keygen. When the cracker uncovers the logic of your unlock keys, he can create a program to generate such keys which look and behave exactly like the legitimate ones you sell to your customers. Then he doesn’t need to patch your program, he just supplies this keygen to the warez community and everyone can help themselves to your program. You can guard yourself against such attacks using asymmetric encryption algorithms for your keys.

Is there a perfect protection system?

In short, no. If you consider that your program is presenting its logic to anyone with moderate experience in machine language, then sooner or later any protection can be circumvented. Professional protection schemes utilize encryption to protect sensitive parts of your code, but even they won’t withstand the cracker test. And remember the harder your DRM the more likely your program will be mistaken for malware (!) as many viruses and trojans use encryption tricks.

Even if there were a perfect system, your sales would still be at risk. All that’s required is for some of your customers to post their unlock key on a warez site, and the game is lost. You would then blacklist that serial, until another one was leaked and so on.
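The two defences mentioned above, asymmetric keys against keygens and blacklisting of leaked serials, sketched as an added example (not code from this article or from xplorer²). It uses Ed25519 signatures from Node's built-in crypto module; the key format, field names and serials are assumptions made up for the illustration.

```javascript
// Added example: Ed25519-signed license keys with a revocation list.
const crypto = require('crypto');
const b64 = (buf) => Buffer.from(buf).toString('base64');

// Vendor side: runs only where the private key lives (never shipped).
function issueLicense(privateKey, fields) {
  const payload = Buffer.from(JSON.stringify(fields), 'utf8');
  const signature = crypto.sign(null, payload, privateKey);
  return `${b64(payload)}.${b64(signature)}`;
}

// Application side: ships with the public key only, so disassembling this
// check shows how keys are verified but not how to mint new ones.
function verifyLicense(publicKey, key, revokedSerials = new Set()) {
  const parts = String(key).trim().split('.');
  if (parts.length !== 2) return null;
  const payload = Buffer.from(parts[0], 'base64');
  const signature = Buffer.from(parts[1], 'base64');
  if (signature.length !== 64) return null; // Ed25519 signatures are 64 bytes
  if (!crypto.verify(null, payload, publicKey, signature)) return null;
  const fields = JSON.parse(payload.toString('utf8')); // signed, so trusted
  if (revokedSerials.has(fields.serial)) return null; // leaked and blacklisted
  return fields;
}

// Constructed demo data: names, serials and editions are made up.
function demo() {
  const vendor = crypto.generateKeyPairSync('ed25519');
  const outsider = crypto.generateKeyPairSync('ed25519'); // no vendor key
  const alice = { serial: 'S-1001', name: 'Alice Example', edition: 'home' };
  const good = issueLicense(vendor.privateKey, alice);
  const leaked = issueLicense(vendor.privateKey, { ...alice, serial: 'S-1002' });
  const forged = issueLicense(outsider.privateKey, { ...alice, serial: 'S-9999' });
  // Same signature, edited payload: the edition was changed after signing.
  const edited = b64(JSON.stringify({ ...alice, edition: 'pro' }));
  const tampered = `${edited}.${good.split('.')[1]}`;
  const check = (k) => verifyLicense(vendor.publicKey, k, new Set(['S-1002']));
  return {
    good: check(good), leaked: check(leaked),
    forged: check(forged), tampered: check(tampered), junk: check('not-a-key'),
  };
}

console.log(demo());
```

Signature checking only defeats keygens; a patch that removes the call to the verifier still works, which is why the article says no protection is perfect.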

The warez scene

There are people who don’t spend any time on Facebook or YouTube. They surf the internet for free stuff. Cracked versions of commercial software (aka warez) circulate in some shady forums that bring together the crackers with the downloaders e.g. http://www.warez-bb.org. Browse a warez site and you will find any software, movie or music you fancy, with an assortment of popups and dodgy advertisements of the usual internet 3P products (Pills, Poker and Girls [sic]). For your convenience there are even specialized search engines that search a number of such forums simultaneously, e.g. http://www.warez.com.

These forums do not host the actual files. They refer the traffic to specialized file hosting services like rapidshare.com. To make the most of warez you need to buy a subscription to access such file hosting sites (e.g. unlimited downloads from $9/month). Incurable cheapskates could get away without paying anything though, as you can download for free after a forced (nag) wait of a minute or two.

A bit more up-market are download sites where to gain access you need to purchase a subscription, e.g. http://www.nowdownloadall.com. I have never paid to enter such a site, but they promise access to any download you can imagine. So you pay a monthly fee to download as much as you like. Note that this is different from paid-for hosting mentioned above. I suppose that you need a file hosting subscription on top to get the actual files downloaded. With so much stuff available for free I don’t know if this approach makes economic sense.

Finally there are traditional peer-to-peer file sharing networks, where people share their software, music and video through torrents. After the demise of Napster, torrents are still strong, with completely decentralized databases immune to legal intervention. The downside of torrents is their inherent unreliability, so people in a hurry will prefer the immediate gratification of a full download from rapidshare.com and the like.

Why do they do it?

It is easy to understand why someone will prefer ‘free’ software instead of paying up. But what about the crackers, the people who circumvent the DRM and distribute these warez? Why do they do it? Here are a few plausible motives:

  • For kicks. The traditional hacker stereotype is a geeky person whose pastime is breaking into computer networks. Cracking into a software’s protection and stripping it clean must be a pleasure in itself, a ritual destruction of the evil Death Star.
  • For glory. Marxist theory claims that private property is theft. This concept has struggled with real tangible property, but digital property is the ideal trophy. Many groups feel that software and music should be free (!) so taking down the big media and software corporations is a noble cause for them. But many small ISVs fall victims too, and the real motives are far less revolutionary…
  • For profit. Marx is dead; long live Das Kapital. Warez downloads are big business in a number of ways:
    • Direct subscription charges to access the downloads
    • Selling password unlockers (e.g. you download something in a ZIP archive which is locked and you need to buy some software to unlock it)
    • Distributing malware. Many downloads are packed with malware (sample report for a keygen), from straightforward scams and ransomware to trojans that turn your computer into a zombie, waiting for instructions to launch a DDoS attack or send spam.

You *can* remove illegal downloads

If your software is available to download from warez sites, either compromised (patched or keygened) or simply accompanied by a simple serial number to unlock it, you will definitely lose sales. The good news is that, using DMCA provisions, you can have these unauthorized downloads removed. Without these downloads prospective users will have no choice but to buy your software — or move on to your competitor’s cracked software.

Here is how to remove illegal downloads:

  1. Find your download links. All illegal downloads end up in a host like rapidshare.com or megaupload.com (I know of more than 100, but there are 10-20 big player websites). A standard Google search for your software name plus ‘crack’, ‘keygen’ or ‘rapidshare’ will find some hits, especially if you search in groups or blogs. Even better use specialized warez search engines like http://www.filestube.com with just your software name as a keyword — the results will be just downloads.
  2. Validate download URLs. Some of the download links you discover may be dead (e.g. very old). Click on each one to see if they are valid or 404.
  3. Send DMCA notices. Group the download links by provider (rapidshare, hotfile, etc), and send a DMCA notice to the abuse email address of each website. Usually this is abuse@website.com (e.g. abuse@rapidshare.com). Each website lists the steps for filing DMCA notices for file removal.

This sounds like a lot of hard work, and it can be, but it works. File sharing websites like rapidshare.com run a legitimate business — they are not responsible for cracks — so if you send them a polite DMCA takedown notice they will remove the copyright infringing downloads.

The DMCA takedown notice

Strictly speaking, when you send a DMCA notice you are making allegations of copyright infringement, which is a serious crime. You would imagine that a formal complaint should be launched under the guidance of a solicitor/lawyer. Given the amount of copyright infringement that goes on, the red tape would bring everything to a standstill. The beauty of the DMCA law is that it simplifies the procedure. Sometimes a plain English email explaining the situation to the download site, along with a list of your download locations, is all that’s required to have the links removed.

A few websites require a more formal DMCA email including details such as your company address, contact telephone numbers, and some boilerplate statements like “I swear, under penalty of perjury, that the information in the notification is accurate…”. You can find many sample DMCA notices online so I won’t repeat them here. The general idea is that you present yourself as the copyright owner and declare the download URLs as unauthorized, and therefore infringing your copyright.

Torrents slip by

DMCA is very good for removing illegal downloads hosted on popular file sharing websites, but it is powerless against torrents. There is no single source for the download, as the files are kept on many computers. You would have to contact each and every person who shares illegal copies of your software in the peer-to-peer network. This would be hopeless and a waste of effort. Thankfully for the ISV, torrent use is on the decline. People prefer direct downloads of the full package instead of slower peer-to-peer downloads.

The sales pitch

Anyone can search and remove illegal downloads manually. I was doing it the hard way for quite some time, each time I released a new version of my software tool (there’s a lot of cracker activity for each release as they need to update their patches and keygens). However this is very tedious, as you must:

  • enter shady warez forums to search for your keyword, facing annoying popups and adverts you wouldn’t want your wife to see
  • search many locations to ensure you get as many download URLs as possible
  • validate each download URL to see if it is still alive or dead
  • organize download URLs and write DMCA takedown emails for each file hosting website

Even if one wipes all the illegal downloads, new ones will appear over time. So the locate-report-remove cycle must be repeated regularly. This was the motivation for writing Crack Tracker, a tool that simplifies the removal of illegal downloads.

Crack Tracker is a desktop tool, with a meta search engine that securely scans warez databases for your downloads. You supply the search keyword (e.g. your software title or company name) then Crack Tracker will do an exhaustive search, collect a list of suspect download locations and verify the links with robotic efficiency. After you examine the results you just hit a button and the relevant DMCA emails are sent automatically. It doesn’t get any easier than that.

Crack Tracker doesn’t have a fancy user interface but it is very easy to use. It knows of more than 120 file hosting websites and works with 6 major warez search engines (the list is expanding). It is free to try as a search engine; to send the actual DMCA emails you need a registration, but I believe the price is very reasonable, especially if you consider the money you lose in pirated versions of your software.

Why don’t you try it for free and see how many cracks of your software it finds?

Download CrackTracker for Windows (318KB)

Nikos Bozinis ditched his Process Systems Engineering PhD to run his own microISV ZABKAT since 1999. He also writes a weekly blog focusing on file management and occasionally on programming, debugging and running a software business.

Reminder – microISV pub meetup in Wiltshire

In case you missed the previous post, I am organizing a get together for microISVs in Swindon on Thursday 27th January. More details here.