Tag Archives: software

A simple change that doubled sales

A while back I did a day of consulting for James Wang on his SQL Pretty Printer software. One of my many recommendations was that he displayed the name of the licensed user prominently in the software, to discourage casual license key sharing. He recently reported back to me that he had made this change and it had significantly increased the number of orders for multiple licenses. The average number of licenses per sale increased from 1.34 to 2.65 since he made the change in February 2011. That is a 98% increase in sales! And it only took a week to change the licensing system.

James commented:

Each time I have had an increase in sales, I found that it was mostly due to marketing related issues like changing the licensing system or paying for a link from a site which has a highly targeted audience for my software, not due to a new version release.

Of course it helps that James had a good product in the first place.

3 Low-Competition Niches In Retail Software

This is a guest post by Joannes Vermorel, founder of the Lokad Forecasting Service.

Software developers seem to be herd animals. They like to stay very close to each other. As a result, the marketplace ends up riddled with hundreds of ToDo lists while other segments are deserted, despite high financial stakes. During my routine browsing of software business forums, I have noticed that the most common answer to Why the heck are you producing yet another ToDo list? is the desperately annoying Because I can’t find a better idea.

This is desperately annoying because the world is full (saturated even) with problems so painful that people or companies would be very willing to pay to relieve the pain, even if only a little. A tiny fraction of these problems are addressed by the software industry (such as the need for ToDo lists), but most are just lacking any decent solution.

Hence, I detail below 3 low-competition software niches in retail. Indeed, after half a decade of running sales forecasting software company Lokad, I believe, despite the potential survivor bias, that I have acquired insights on a few B2B markets close to my own. Firstly I will address a few inevitable questions:

Q: If you have uncovered such profitable niches, why don’t you take over them yourself?
A: Mostly because running a growing business already takes about 100% of my management bandwidth.

Q: If these niches have little competition, entry barriers must be high?
A: Herding problems aside, I believe not.

Q: Now these niches have been disclosed, they will be swarmed over by competitors, right?
A: Odds are extremely low on that one. The herd instinct is just too strong.

Q. Do I have to pay you if I use one of your ideas?
A. No, I am releasing this into the public domain. I expect no payment if you get rich (unless you want to!) and accept no liability if you fail miserably. Execution is everything.  And don’t trust a random stranger on the Internet – do your own market research.

Before digging into the specifics of those niches, here are a couple of signs that I have noticed to be indicators of desperate lack of competition:

  • No one bothers about doing even basic SEO.
  • No prices on display.
  • No one offers self-signup – you have to go through a sales rep.
  • Little in the way of online documentation or screenshots are available.

However, lack of competition does not mean lack of competitors. It’s just not the sort of competition that keeps you up at night. Through private one-to-one discussions with clients of those solutions, here is the typical feedback I get:

  • Licenses are hideously expensive.
  • Setup takes months.
  • Upgrade takes months (and is hideously expensive).
  • Every single feature feels half-baked.

By way of anecdotal evidence – during a manufacturer integration with our forecasting technology a few months ago at Lokad, we discovered that the client had been charged $2,000 by its primary software provider in order to activate Remote Desktop on the Windows Server where the software was installed. Apparently, this was well within the norm of their usual fees for the inventory management system in place.

Granted, just being cheaper is usually not a good place to be in the market. Yet, when a competitor’s software is designed in such a way that it takes a small army of consultants to get it up and running, they can’t just lower their license fees to match yours – assuming that your design is not half-baked too. The competition would have to redesign their solution from scratch, and give up on their consultingware revenues. So you are in a great position to drive competition crazy.

With a market managing over two-thirds of the US gross domestic product, one would expected retail be saturated by fantastic software products. It turns out this is not the case. Not by a long shot – except eCommerce (e.g. online shopping carts) which attracts a zillion developers for no good reason.

Some salient aspects of the retail software market:

  1. Most retailers are already equipped in basic stuff such as point-of-sale, inventory management and order management systems. So you don’t have to deliver that yourself. On the contrary, you should rely on the assumption that such software is already in place.
  2. As far the Lokad experience goes with its online sales forecasting service, retailers are not unwilling to disclose their data to a 3rd party over the Internet. It takes trust and trust takes time. Interestingly enough, at Lokad we do sign NDAs, but rather infrequently. We are not unwilling, but most retailers (even top 100 worldwide ones) simply don’t even bother.
  3. Retailers have a LOT of data, and yet unlike banks, they have little talented manpower to deal with it. Many retail businesses are highly profitable though and could afford to pay for this kind of manpower, but as far I can tell, it’s just not part of the usual Western retail culture. Talents go to management, not to the trenches.

Niche 1: EOQ (Economic Order Quantity) calculator

Retailers know they need to keep their stocks as low as possible, while preserving their service levels (aka rate of non stock-outs), see this safety stock tutorial for more details. If the marginal ordering cost for replenishment was zero, then retailers would produce myriads of incremental replenishment orders, precisely matching their own sales. This is not the case. One century ago, F. W. Harris introduced the economic order quantity (EOQ) which represents the optimal quantity to be ordered at once by the retailer, when friction factors such as the shipping cost are taken into account. Obviously, the Wilson Formula (see Wikipedia for details) is an extremely early attempt at addressing the question. It’s not too hard to see that many factors are not accounted for, such as non-flat shipping costs, volume discounts, obsolescence risks …etc.

Picking the right quantity to order is obviously a fundamental question for each retailer performing an inventory replenishment operation. Yet, AFAIK, there is no satisfying solution available on the market. ERP systems just graciously let the retailer manually enter the EOQ along with other product settings. Naturally, this process is extremely tedious, firstly because of the sheer number of products, secondly because whenever a supply parameter is changing, the retailer has to go through all the relevant products all over again.

The EOQ calculator would typically come as multi-tenant web app. Main features being:

  • Product and supplier data import from any remotely reachable SQL database[1].
  • Web UI for entering / editing EOQ settings.
  • EOQ calculation engine.
  • Optional EOQ export back to the ERP.

Pricing guestimate: Charge by the number of products rather than by the number of users. I would suggest to start around $50/month for small shops and go up to $10k/month for large retail networks.

Gut feeling: EOQ seemingly involves a lot of expert knowledge (my take: acquiring this knowledge is a matter of months, not years). So there is an opportunity to position yourself as an expert here, which is a good place to be as it facilitates inbound marketing and PR with specialized press. Also, EOQ can be narrowed down to sub-verticals in retail (e.g. textiles) in case competition grows stronger.

Niche 2: Supplier scorecard manager

For a retailer, there are about 3 qualities that define a good supplier: lowest prices, shortest shipment delays, best availability levels (aka no items out-of-stock delaying the shipments). Better, sometime exclusive, suppliers give a strong competitive edge to a retailer. Setting aside payment terms and complicated discounts, comparing supplier prices is simple, yet, this is only the tip of the iceberg. If the cheapest supplier doesn’t deliver half of the time, “savings” will turn into very expensive lost sales. As far I can observe, beyond pricing, assessing quality of the suppliers is hard, and most retailers suffer an ongoing struggle with this issue.

An idea that frequently comes to the mind of retailers is to establish contracts with suppliers that involve financial penalties if delays or availability levels are not enforced. In practice, the idea is often impractical. Firstly, you need to be Walmart-strong to inflict any punitive damage on your suppliers without simply losing them. Secondly, shipping delays and availabilities needs to be accurately monitored, which is typically not the case.

A much better alternative, yet infrequently implemented outside the large retail networks, consists of establishing a supplier scorecard based on the precise measuring of both lead times (i.e. the duration between the initial order and the final delivery) and of the item availability. The scorecard is a synthetic, typically 1-page, document refreshed every week or every month that provides the overall performance of each supplier. The scorecard includes a synthetic score like A (10% best performing suppliers), B and C (10% worst performing suppliers). Scorecards are shared with the suppliers themselves.

Instead of punishing bad suppliers, the scorecard helps them in realizing there is a problem in the first place. Then, if the situation doesn’t improve after a couple of months, it helps the retailer itself to realize the need for switching to another supplier…

The scorecard manager web app would feature:

  • Import of both purchase orders and delivery receipts (this might be 2 distinct systems). [2]
  • Consolidation of per-supplier lead time and availability statistics.
  • One-page scorecard reports with 3rd party access offered to the suppliers.

Pricing guestimate: Charge based on the number of suppliers and the numbers of orders to be processed. Again, the number of users having access to the system might not be a reliable indicator. Starting at $50/month for small shops up to $10k/month for large retail networks.

Gut feeling: By positioning your company as intermediate between retailers and their suppliers, you benefit from a built-in viral marketing effect, which is rather unusual in B2B. On the other hand, there isn’t that much expert knowledge (real or assumed) in the software itself.

Niche 3: Dead simple sales analytics

Retail is a fast-paced business, and a retailer needs to keep a really close eye on its sales figures in order to stay clear of bankruptcy. Globally, the software market is swarming with hundreds of sales analytics tools, most of them being distant competitors of Business Objects acquired by SAP years ago. However, the business model of most retailers is extremely simple and straightforward, making all those Business Intelligence tools vast overkill for small and medium retail networks.

Concepts that matter in retail are: sales per product, product categories and points of sale. That’s about it. Hence, all it should take to have a powerful sales visualization tool setup for a retailer should be access to the 2 or 3 SQL tables of the ERP defining products and transactions; and the rest being hard-coded defaults.

Google Analytics would be an inspiring model. Indeed, Google does not offer to webmasters any flexibility whatsoever in the way the web traffic is reported; but in exchange, setting-up Google Analytics requires no more than merely cutting-and-pasting a block of JavaScript into your web page footer.

Naturally it would be a web app, with the main features being:

  • Product and sales data import from any remotely reachable SQL database.[2]
  • Aggregate sales per day/week/month.
  • Aggregate per product/product category/point-of-sales.
  • A Web UI ala Google Analytics, with a single time-series graph per page.

Pricing guestimate: Regular per-usage fee, a la Salesforce.com. Starting at $5/user/month basic features to $100/user/month for more fancy stuff.

Gut feeling: probably the weakest of the 3 niches, precisely because it has too much potential and is therefore doomed to attract significant attention later on. Also, achieving a wow effect on first contact with the product will probably be critical to turn prospects into clients.

Market entry points

Worldwide, there are plenty of competitors already for these niches. Yet, again, this does not mean much. Firstly because retail is so huge, secondly because it’s a heavily fragmented market anyway. First, there are big guys like SAP, JDA or RedPrairie, typically way too expensive for anything but large retail networks. Second, there are hundreds of mid-market ERPs, typically with a strong national (or even regional) focus. However, those ERPs don’t delve into fine-grained specifics of retail, as they are too busy already dealing with a myriad of feature requests for their +20 modules (accounting, billing, HR, payments, shipping … etc). Hence, there is a lot of space for razor-sharp web apps that focus on one, and only one, aspect of the retail business. Basically single-minded, uncompromising obsession with one thing, leaving aside all other stuff to either ERPs or other web apps.

In order to enter the market, the good news is that mid-size retailers are pretty much everywhere. So you can just use a tiny bit of networking to get in touch with a couple of neighbouring businesses, even if you don’t have that much of a network in the first place. Then, being razor-sharp in a market where very little online content is available, offers you a cheap opportunity at doing some basic SEO based on the very specific questions your software is addressing.

Q: I am interested, I have questions, can I ask you those questions?
A: Naturally, my rate is 200€/h (no just kidding). Yes, email me.

[1] Don’t even bother about providing a super-complicated setup wizard. Just offer a $2k to $5k setup package that includes the ad-hoc handful of SQL lines to match the existing data of the retailer. We are already using this approach at Lokad with Salescast. Alternatively, we also offer an intermediate SQL schema, if the retailer is willing to deal with the data formatting on its own.

[2] Again, I suggest an approach similar to the one of Salescast by Lokad: don’t even try to robotize data import, just design the software in such a way that adding a custom adapter is cheap.

Joannes Vermorel is the founder of Lokad, company motto “You send data, we return forecasts”. Lokad won the first Windows Azure award from Microsoft in 2010, out of 3000 companies applying worldwide. He has a personal blog that mostly deals with cloud computing matters.

15 criteria for evaluating software product ideas

Choosing the right product to develop is crucial. Great execution is also very important. But if you develop a product that no-one wants or no-one is prepared to pay for, then you are going to fail, no matter how well you execute it. You can often tweak a product or its marketing to make it more successful based on market feedback (‘pivot’) .  But the less pivoting you have to do, the better. Below I list some of the criteria I think are important for evaluating the potential of new commercial software products.

1. Are you solving a real problem?

Has your customer got a ‘bleeding neck’? Is your software solving a problem compelling enough that someone is going to download it, install it, evaluate it, buy it and then learn to use it, with the accompanying risks of credit card fraud and malware? It is hard to change people’s habits. They are going to keep doing what they are doing now (e.g. pen and paper or Excel) unless you can convince them your software offers them very significant advantages.

2. How much will people pay for this product?

This is a complex question and depends on many factors. You should be able to get a rough idea by looking at your closest potential competitors. But there are some types of software that people don’t expect to pay for, no matter how difficult or expensive it is to develop – for example web browsers and media players. There are some users who can’t pay – for example children and people in some developing countries. And there are some people who won’t pay – for example many Linux users. So good luck selling a media player aimed at teenage Linux users in China.

3. Is the market big enough?

Is the market big enough for you to make a living? How many people are looking for solutions to this sort of problem? This is less of a problem than most people think. Given the huge number of people with Internet access and credit cards it is possible for a small company to make a decent living from a market that appears very narrow. Narrowing your market also allows you to be much more focussed in your marketing.

4. Can you promote it cost effectively?

How are you going to reach customers: Adwords, SEO, partners, magazine ads, direct mail, social media, affiliates, resellers or other methods? Can you do it cost effectively? How much is each sale from Adwords going to cost you assuming a 1% conversion rate? If it costs you $31 in advertising for each sale of a $30 product, you aren’t going to be in business long. But if you can cross-sell it to customers you already have a relationship with, that is a huge plus.

5. How much competition is there?

If there are lots of established competitors, you may have a hard time getting noticed. Personally I wouldn’t want to go into any market where I didn’t have a reasonable shot of getting to the first page on Google for at least some of the important search terms. For example, I think it would be incredibly tough to succeed with yet another Twitter, RSS, todo list or backup application. Conversely, if there are no competitors, that means that there may be no market. Creating a new market is tough, especially for a small company. Ideally you want a market where there are competitors making a decent living, but you think you can do a better job than them, or at least be different to them in some important way.

6. How is your product different?

Many vendors try very hard to reach feature parity with their competitors. But successful marketing means being different to your competitors. How is your product going to be different? What is your positioning? Note that just being cheaper than your competitors is not enough.

7. How high is the barrier to entry?

How long will it take you to create a minimum sellable product? If the barrier to entry is too high, you may never have the time, cashflow and energy to reach v1.0. As a self-funded microISV I wouldn’t want to work on any product where I couldn’t deliver something sellable (a minimum viable product) within 6 months. Conversely if the barrier to entry is too low, then it will be easy for others to copy your idea if it is successful.

8. Can you reach critical mass?

Some types of applications need a certain number of users before they can take off (network effect). For example, a massively multi-player game, dating site or auction site isn’t going to be very interesting until the number of users reaches a certain threshold. Do you have the contacts and financial resources to reach this threshold?

9. Do you have the technical skills and domain knowledge to create this product?

If not, how long will it take to learn them? Different technologies suit different types of problems. Using an inappropriate technology, just because it is one you have experience in, is unlikely to end well.

10. Are you scratching your own itch?

If you can be your own customer, then this can be very helpful in coming up with a good solution. But be wary about assuming that your needs are the same as everyone elses.

11. What is the lifetime of the product?

Is the technology going to be obsolete, or will the market disappear within a couple of years?  Are customers likely to buy upgrades to new versions? The longer you can sell a product for, the more profitable it is likely to be.

12. Is a good domain available?

Can you get a good domain for your product? Domains that contain keywords that people are likely to search on will help with SEO.

13. What are the risk factors?

Every dependency is a risk factor. If the platform your products runs on dies, then your product dies.  If you are writing an add-on for another product, then you can be put out of business pretty much overnight if the core product dies or if the functionality of your add-on is incorporated into the core product. Can you get source code for third party libraries?

14. Is the passion there?

Good software takes a lot of time and effort. Don’t believe the hype about 4 hour work weeks. Is it going to be interesting and fun? Do you have the passion and commitment to still be working on this product in 10 years time?

15. Will it make the world a better place?

Software products can be an enormous force for good in the world, increasing productivity and allowing people to do things they couldn’t do otherwise. You don’t have to be the next Google to be doing something worthwhile. But creating a “me too” clone of an existing software package or a product that encourages anti-social behaviour (e.g. spamming) isn’t going to make the world a better place.

Making a decision

You need to look at all these criteria before you make a decision. For example, a short lifespan or a small market might be compensated for by a high ticket price. If you are evaluating several products, create a simple table with a row for each criteria and a column for each product and compare them side by side.

Al Harberg’s Software Marketing Glossary

Al Harberg (best known for his press release service for software vendors) has created a useful glossary of software marketing terms. Al knows a lot about marketing software. His glossary is 107 pages/53k words long and includes quotes, book review and feature articles. I particularly enjoyed some of the more tongue in cheek definitions e.g. “System requirements: A poorly cobbled statement of techie talk that software developers use to lose sales” and “Idiot customers: Clients who don’t understand every aspect of your software immediately”. If you don’t know what active voiceAIDA, astroturfing, cloaking, CPM, fast follower or purchase order mean, now is your chance to find out.

Interview with a cracker

Through an unforeseen series of events, I have ended up corresponding with a cracker known only to me by a Hotmail address and the  pseudonym “CrackZ”. It quickly became clear that he knew what he was talking about, but was motivated by curiosity rather than criminality. Obviously crackers are a more diverse group than the criminal masterminds and script kiddies of popular imagination. To my surprise he agreed to be interviewed for this blog and I jumped at the chance to find out a bit more about the shadowy world of cracking.

*** I realize this is an emotive subject, but please read the whole interview before posting anything in the comments. ***

What is your background? How did you get into cracking software?

I graduated in software engineering about 10 years ago and started out seriously cracking software in my first year at University. It was the first time I’d had access to a fast, unmetered Internet connection and my interest became collecting software and then breaking it; most of my associates never proceeded much beyond the downloading lots of free software stage. Prior to this I’d really only ever had a casual knowledge of the piracy scene from owning a Spectrum, Commodore 64 and then an Amiga. Think tapes and copy disks being swapped in the playground and you wouldn’t be far wrong ;-). The first PC experiences I can recall were studying some very early Phrozen Crew cracks and the Quox virus that someone gave to me on a disk.

Do you also write software? Is your day job in the IT industry?

Yes and yes.

What is the motivation for cracking software?

Motivation for cracking really seems to vary. For me I think its always been mainly about the intellectual challenge, studying code, or ‘breaking the minds of protection authors’ as one correspondent so eloquently put it. For many there is also the ‘social aspect’ of being amongst a like-minded group of individuals (see some of the interviews with former members of famous groups e.g. PWA, DOD if you want to understand how powerful a *pull* the social element can be). Then there are also those who simply enjoy getting software for free or those who do it simply for ‘kicks’. Contrary to the various anti-piracy associations propaganda, very few of those I’ve ever been associated with have been motivated financially. That’s not a justification of course, but it might help if most authors realised that the person who cracked their software is more likely a bored 16 year old Chinese male than a future terrorist.

Is cracking an individual activity or is it organized?

The answer is both, but that is an oversimplification. Most of my cracking has been pretty much a lone-wolf occupation, although there have been times I have worked with others on group projects, expensive CAD/CAM applications for example. One only has to look at the scene to see that there are plenty of organized groups out there and some of the group infrastructures I’ve seen would rival small corporations in their sophistication. A lot of authors are often quite surprised to find their software on the cracking scene radar.

What is your attitude to intellectual property? Do you release cracks and keygens ‘into the wild’? What do you think of those that do?

I’ve actually gone full circle here; in my early years IP literally meant absolutely nothing to me, the value of the software didn’t matter and authors were inconsequential. I would happily release cracks and key generators under a variety of nicknames and scene groups and I didn’t lie awake at night thinking about the damage I might be causing to someone’s livelihood. Currently, I’m 100% in the ethical category (you can debate that). I haven’t been able to curb my interest in protection code, but have managed to channel my interest towards simply contacting the authors when I have broken their code. Sometimes I’ll even offer a little helpful advice; though I’m afraid that’s probably the ‘moral best’ I’m ever going to be. I don’t support those who release cracks and key generators. I’ve heard enough from authors to know how damaging it can be, but anyone who has ever experienced the scene can probably understand why it still happens and will continue.

I can understand the attraction of cracking as an intellectual challenge. But why do some crackers then release the cracks? What do they gain?

Respect amongst their peers and the ‘scene’ at large and dubious notoriety. I’ve known some who did so in order to get a job.

When people release cracks do they think about the effect they are having on the livelihoods of the people who write the software? Do they care?

My guess would be ‘probably not’ on both counts. I think this changes with age though and many get more considerate as they get older.

What is your opinion of people that add trojan horses and other malware to cracks?

I suppose I might be accused of some degree of hypocrisy ;-), but these really are the bottom-feeders and low-lifes of the world.

What types of software do you target?

Myself it has been pretty much exclusively Windows, with the occasional bit of *nix, but there is plenty of interest in virtually every platform out there, even groups dedicated solely to them. Nothing escapes attention these days.

What tools and techniques do you use for cracking?

My tools of choice are IDAPro (the best disassembler which also includes a debugger) and also a mixture of other debuggers depending on the target (e.g. OllyDbg, SoftICE, Syser and even WinDbg). And then there are other associated tools like a decent Hex Editor (Hiew, UltraEdit) and more specific utilities covering the various cracking fields. There are quite a few books out there on the subject of reverse engineering that list virtually all of the tools in most crackers toolsets.

How long does it take you to crack the protection on an average piece of software?

On average shareware protections I’d usually be able to break them in a matter of hours, although understanding their intricacies might take a good deal longer. I’ve had some fall in minutes and others take full days of analysis. Perhaps as a small comfort, I’d say that each year the average protection seems to be getting a little more difficult to crack.

How long are you prepared to spend to try to crack a piece of software? Do you ever come across software you can’t crack?

In the past I’d be prepared to invest most of the hours in a day in one piece of software. I’d make literally pages of notes on paper and in the disassembler, naming functions, variables, structures, commenting fields etc. For many crackers time is a commodity they have in spades. I’ve met several targets that I couldn’t crack and several I simply didn’t bother completing because others had beaten me to it. Of the few I couldn’t break I did understand the reasons why (some need specific server-side responses). In some cases, several years later, users sent me the necessary hardware / information to enable me to break those targets.

Are applications protected by commercial anti-piracy software harder to crack than applications with home grown protection?

This is a tricky one; commercial anti-piracy software is pretty much exclusively written by ex-members of the cracking community and by default is protected better than many authors own creations. However, once a protector gains what I’d best term as a ‘critical usage mass’, its attractiveness as a target becomes that much greater. Experienced crackers are drawn to it almost like moths to a flame, since breaking an entire ‘protector’ can yield a lot of targets. Some of the very best and worst of the protections I’ve seen have been of the home grown variety. A lot of authors (IMHO rightly) conclude that improving the attractiveness of their software to potential customers is a much more productive use of their time than writing the ultimate copy protection.

Is software that phones home harder to crack?

Software that simply ‘phones home’ presents more of a nuisance than any real barrier to cracking. I’ve seen some that implement server license checking (mIRC is a widely available example) and it hasn’t stopped the cracks appearing. Several other targets have required decryption keys to be fetched from the server and these also haven’t presented any real problem. Its worth remembering that a cracker will often have access to a legitimate license with which to perform his study. At some stage a true client/server protection model over the internet will be a real possibility (MS has some stuff already like this), where all of the code is actually executing on a server. This will most likely simply move the goalposts, but seeing as a lot of the software I have been asked to look into was leaked to me by company employees the server model might not be as secure as it suggests.

Do hardware solutions (e.g. dongles) make software significantly harder to crack?

Hardware keys and, more recently, smart cards do make software harder to crack, largely due to the fact there is usually an element of hardware encryption these devices perform that can’t be easily replicated without access to the original device. However, over the years, I’ve met literally hundreds of disgruntled end-users of these devices, many of whom have sent me their keys and risked their jobs just to be free of them. A few eastern European contacts of mine sell ‘dongle emulating’ solutions and have archives of probably more than 10,000 individual dongles.

Is any method of securing software 100% secure?

Absolutely not, and anyone who tells you otherwise is lying.

What are the commonest mistakes software developers make related to security?

In no particular order:

  1. Depending on commercial protection schemes for security.
  2. Directly comparing the license string entered with the correct one.
  3. Not using some sort of encryption/obfuscation (XOR isn’t *good* encryption).
  4. Using a single simplistic registration function that is easy to isolate.
  5. Displaying message boxes with helpful strings sending the cracker straight to the protection code.
  6. Not integrity checking against patching.
  7. Not updating the software once a crack is discovered in the wild.

Do you think software vendors should spend more time making their software harder to crack?

I’m pragmatic; I’d advise all software authors to invest time in a *reasonable* copy protection and keep abreast of whether cracks are out there, educating your potential customers can be worthwhile. Make your protection something custom and use some imagination by all means, but make it proportional to what you are protecting. There isn’t much point having a £million lock on a £100 product, you simply can’t defeat every single cracker out there.

Can you expand on “educating your customers can be worthwhile”?

‘Educating’ might be the wrong word, but appealing to peoples conscience can be quite effective. A few software authors have ‘crack catcher pages’ for the search engines that say things like “I work 60hrs per day on my software, please support me if you want me to continue adding features” etc. Its also worth pointing out that there are plenty of con-merchants and dodgy sites out there selling cracks that often do contain trojans/viruses. One could also appeal to the fact that ‘time is money’ for a lot of potential software buyers, so why invest several hours of their life looking for a crack if it’s more cost effective to buy?

Can you recommend any online resources for authors wanting to know how they can protect their software better?

There are several books and web resources on anti-debugging & protection advice, Google will find them ;-). There are also several mainstream books, Pavol Cerven’s springs to mind.

Success is always one feature away

In my consulting and various other dealings with aspiring microISVs, I notice certain recurring patterns. One of the most common is the belief that it is just one missing feature that is holding back a product from the commercial success it deserves. As soon as that feature is coded the sales are going to come pouring in! When they don’t, then maybe it was that other missing feature that our competitor has. It is a horizon that keeps receding until you run out of money or enthusiasm. But, in my experience, poor sales are almost always due to insufficient marketing. A fact that is borne out by these 13 case studies. It doesn’t matter how great your software is if no-one know about it, or if you can’t persuade them to try it when they do find out about it.

It isn’t surprising that microISVs fixate on features. MicroISVs tend to come from a programming background and learn marketing  on the job (I have yet to meet a microISV who started off in marketing and taught themself programming). Features and coding are what we like to do best and it feels like ‘real work’. But all too often the warm embrace of an IDE is just an excuse to stay in our comfort zone. Of course, features are important. No features = no product. But, if you have got low traffic to your website and/or you are doing a lousy job of communicating with people that arrive at your site, then adding more features really isn’t going to help much. If you are in a hole, stop digging. Successful marketing is about being different from your competitors. You can even make a virtue of your lack of features. If you are competing against more feature-rich competitors, then emphasize the simplicity and ease-of-use of your product instead. It certainly seems to work for 37Signals.

Marketing can seem like a very alien discipline for someone from a programming background. But you can learn it like any other skill. There is loads of great information out there, for example Eric Sink’s marketing for geeks. Also, some elements of online marketing are actually quite technical with plenty of opportunites for number crunching. Analytics, A/B testing and Adwords will give you more data than you know what to do with. This can give programmers a considerable advantage over people from a more traditional marketing background, many of whom don’t seem to be able to handle anything more complicated than a 2×2 matrix. You don’t have to be a marketing genius, you just need to be better than your competitors (in the same way that you don’t need to be able to run faster than a lion to survive a lion attack, you just need to be able to run faster than the next guy). Given that your competitors are likely to be other programmers (who are probably also not doing enough marketing) or people from a marketing background (who don’t really understand software and are probably more interested in long lunches) that may not be as hard as you think.

Is it possible to run a successful software business with a 4 hour work week?

Tim Ferriss’ ‘Four Hour Work Week’ is a thought provoking, but controversial, book. One of the central ideas he promotes is that you should be able to use outsourcing to create a money making business (‘muse’) that you can run in only a few hours per week. Leaving you with enough free time and income to travel the world, learn to tango or otherwise amuse yourself. But I am highly sceptical that anyone can sustain, let alone grow, a software business long term, working only 4 hours per week. I have run my own business working less than 10 hours week for a month or two at a time while travelling or doing house renovations. But it only gave me enough time to keep things ticking over. I wasn’t able to improve my product or marketing. I am sure my business would decline in the face of technological changes and hungrier competitors if I kept this up for too long. I have spoken to other owners of small software businesses and they were of a similar opinion.

So I was interested to see a case study on the Four Hour Work Week blog from someone running a software business. Brandon Pearce owns musicsteachershelper.com, a slick-looking web based app for music teachers.

He says that after 5 years he is making $25k in sales per month with $10-12k in expenses per month[1] and no employees[2]. So that is a net profit of around $168k per year. That’s not too shabby, especially when you consider that he lives in Costa Rica and says he works just 5 hours per week. That’s nearly $650 per hour!

But he doesn’t say how many hours per week he worked to build the business. He also says in the case study:

With a complex web application, you can’t write it once and be done; you need to continue making enhancements and listen to user feedback in order to have a successful product.

I couldn’t see how this squared with working only 5 hours per week. Even if you are outsourcing everything you still need to manage the outsourcing, which can be time consuming in itself. I emailed him for some clarification and he was kind enough to give some more details:

It’s hard to give an average time worked over the past five years, since it’s changed so much. The first two years I was also working full-time as a programmer, but spent most of my free time working on the site – probably 10-20 hours per week. Once I quit my job (years 3-4) I worked probably 40 hours per week on the site. The past year or two, it varies from week to week. Some weeks I’ll only work 2 hours on it, some I’ll work more like 15, if I’m preparing for a new feature, special offer, or doing a big launch of some kind. But these days I’m averaging about 5 hours per week, and it’s been that way for well over a year.

Yes, I can definitely sustain and improve profit levels at this number of hours. The business is a well-oiled machine, and I have teams that are working to help continue to improve and grow the business in various ways, largely without my constant supervision. The business continues to grow every month, regardless of how much I work.

What do I spend these 5 hours doing? Mainly reviewing the new features or bug fixes the programmers have been working on, the requests from customers that the support team has submitted, and determining which items I want the programmers working on next. I also spend a little time handling some of the more difficult support or billing issues, paying my workers, managing a few PPC campaigns, answering e-mails, and checking stats. Recently, I’ve also been writing the scripts for some new video tutorials, and finding people to help produce the videos, too.

So, pretty much everything I do at this point could also be outsourced, allowing me to work even less, but at this point, I still enjoy this work, and it allows me to keep some important aspect of control on the business. Some day I may decide to work even less, but I’m pretty happy with 5 hours at the moment. :)

So, unsurprisingly, it took a lot more than 5 hours per week to reach this point. And only time will tell whether he can continue to maintain (let alone grow) this business with such minimal input. It will be an impressive achievement if he can. But I think Brandon is the exception rather than the rule. Perhaps he is particularly talented or lucky. Very few of the successful software business owners I know work short hours for extended periods. Also I have no way to verify Brandon’s numbers. So I would recommend viewing Brandon’s case study as something to aspire to, rather than a likely outcome.

Brandon has a blog and is writing a book about his experiences creating MusicTeachersHelper.com “in the hopes that it will help others who want to do something similar”. It should be an interesting read. Given all the spare time he has it shouldn’t take him long to finish it!

Further reading:

http://brandonpearce.com/2009/02/i-lived-a-4-hour-work-week/

http://brandonpearce.com/2009/04/how-i-spend-my-time/

[1] He mentions the expenses in the comments.

[2] He does use several contractors, some of whom work full time.

TestRail

The guys at Gurock Software were kind enough to send me this testimonial after I did some consulting on TestRail, their web based test management software.

After launching our new test management software TestRail early last year, we recently contacted Andy to help us increase the visibility of our product. Based on customer feedback and reviews, we knew that many software development teams prefer TestRail over legacy solutions that are difficult to use. But we also knew that most teams weren’t aware of our new product, so we wanted to improve this situation.

The first thing Andy did was to try and test the application as a normal user would use it. While he walked through the application and briefly tested its major features, he recorded a video of this experience and narrated the video with comments and suggestions. Seeing how a first-time user uses your application can be very useful and it definitely showed us a few things that we could improve.

Learning more about the application was also important for the next step: Andy interviewed us to learn more about our goals, marketing methods and many other things. He then prepared a detailed and thorough report with many suggestions, comments and recommendations. Implementing all those suggestions will take time but we are already seeing first positive results of the short-term improvements that we’ve implemented. If you want to bring your product (or product marketing) to the next level, Andy’s consulting service is highly recommended.

Dennis Gurock, http://www.gurock.com

Although only launched last year, TestRail is already a polished product with an impressive customer list. If you have a suite of test cases you need to manage, I suggest you take a look.

After launching our new test management software TestRail early last
year, we recently contacted Andy to help us increase the visibility of
our product. Based on customer feedback and reviews, we knew that many
software development teams prefer TestRail over legacy solutions that
are difficult to use. But we also knew that most teams weren’t aware of
our new product, so we wanted to improve this situation.

The first thing Andy did was to try and test the application as a normal
user would use it. While he walked through the application and briefly
tested its major features, he recorded a video of this experience and
narrated the video with comments and suggestions. Seeing how a
first-time user uses your application can be very useful and it
definitely showed us a few things that we could improve.

Learning more about the application was also important for the next
step: Andy interviewed us to learn more about our goals, marketing
methods and many other things. He then prepared a detailed and thorough
report with many suggestions, comments and recommendations. Implementing
all those suggestions will take time but we are already seeing first
positive results of the short-term improvements that we’ve implemented.

If you want to bring your product (or product marketing) to the next
level, Andy’s consulting service is highly recommended.

Does the world *really* need yet another Twitter client, RSS reader, ToDo list or backup application?

My heart sinks every time I hear a would-be-entrepreneur announcing they have written yet another Twitter client, RSS reader, ToDo list or backup application. Haven’t we got enough of those already? There are more than 1,900 Twitter apps already (possibly a lot more). Somebody probably released another one while I was writing this post. We have passed the Twitter app event horizon, where it is probably quicker to write your own custom app than it is to try and work out if any of the existing apps fulfils your requirements.

Even if you have done something radically new, interesting and different in one of these markets, how are you ever going to get noticed amongst thousands of more established competitors? Wouldn’t it be better to find a market that is currently under-served by software? It may be less fashionable than writing software for other techies, but it will probably contribute more to the sum of human happiness and be a lot more profitable.

There must be thousands of niches where there is a real need for software, but limited competition. You just need to open your eyes to the bigger world around you. It may mean having to learn about an unfamiliar domain. But it is generally much easier for a software developer to learn some domain knowledge about, say, butterfly collecting, than it is for the average butterfly collector to learn to create a software product. Next time you are talking to a non-techie about their job or hobbies, just ask them “Do you use software for that?” and “Is it any good?”. The ideal answers you are looking for are “Yes” (if there are existing software packages, there is probably a market) and “No” (maybe you can do better).

How to remove software cracks and keygens from file hosting sites

Software piracy is a real issue for every software company, large and small, and it isn’t going away any time soon. So when I heard that fellow microISV owner Nikos Bozinis had created a tool to help software vendors fight  piracy, I asked him to write a guest post. He kindly agreed to write this post about software piracy, the Digital Millennium Copyright Act and his CrackTracker product.

Why buy something when you can download it ‘for free’? Billions of dollars are lost every year from illegal downloads of music, movies and software. People around the world seem to have very lax morals when it comes to abusing digital content. Downloading the latest movie or windows software from rapidshare.com somehow doesn’t strike them as theft — it’s not like stealing a loaf of bread! The traditional music industry is already down on its knees as a result, and software may be the next to follow.

Software authors and music enterprises are fighting back by tightening the DRM (Digital Rights Management) of their products in a futile effort to stop online piracy. But usually crackers have no problem circumventing any protection system that we can dream up. To add insult to injury legitimate customers are usually hurt by such reinforced software protection and activation systems. A little bit like the war on terror, isn’t it?

A different line of defense for ailing copyright owners is the Digital Millennium Copyright Act (DMCA), a US law with global reach for copyright protection (the european EUCD equivalent is not as broadly known). This law is very broad, and not without controversy, but it works – closing down websites that distribute illegal content and removing copyright infringing downloads from file-hosting websites with summary procedures, among other things. So if you discover your software illegally distributed in some warez website, you can send a so called “DMCA section 512 takedown notice” to the website host and they are expected to remove that particular file from circulation — or risk the wrath of the law.

Software Piracy

I have been a microISV for over 10 years so lets forget about the entertainment industry and concentrate on my field, software. There are over 200,000 programs listed on download.com and that’s just for Windows. Many are created by very small to medium sized companies — many even run by a single programmer/webmaster/marketer/entrepreneur. I bet that all these programs are cracked in one way or another — at least those popular enough for crackers to care about them. If you search for warez or torrents you will find the software you want for free, either the latest or an older working version.

Piracy statistics from Business Software Alliance report 2009 (click image to enlarge).

I sell a file manager called xplorer². I track how many people install the program every day and also I have a good guesstimate for the number of people using cracked versions of xplorer². I estimate over 70% of the regular users use one of the known keygens. Imagine if this 70% didn’t exist or it was converted to regular paying customers!

How is it done?

Downloadable software falls into 2 categories: those that run in trial mode until you buy a key to unlock the full functionality; and those that are special downloads for customers that pay the registration fee. In all cases some sort of unlocking takes place using a plain key, or a license file, or online activation, or some combination thereof. Many ISVs write their own licensing code, while others rely on off-the-shelf protection and licensing products (Armadillo, WinLicense etc).

Imagine you shipped your source code along with your program, then it would be trivial for even amateur crackers to bypass your protection and run the program without paying. Very few vendors supply source code, but people in the know can read off your licensing logic like an open book using specialized reverse engineering tools (softICE, IDA and other debuggers and disassemblers). Then they can create a ‘patch’ or modification to your executable that bypasses the protection.

An even worse type of compromise is a keygen. When the cracker uncovers the logic of your unlock keys, he can create a program to generate such keys which look and behave exactly like the legitimate ones you sell to your customers. Then he doesn’t need to patch your program, he just supplies this keygen to the warez community and everyone can help themselves to your program. You can guard yourself against such attacks using asymmetric encryption algorithms for your keys.

Is there a perfect protection system?

In short, no. If you consider that your program is presenting its logic to anyone with moderate experience in machine language, then sooner or later any protection can be circumvented. Professional protection schemes utilize encryption to protect sensitive parts of your code, but even they won’t withstand the cracker test. And remember the harder your DRM the more likely your program will be mistaken for malware (!) as many viruses and trojans use encryption tricks.

Even if there was a perfect system, your sales would still be at risk. All that’s required is some of your customers to post their unlock key in a warez site, and the game is lost. You would then blacklist that serial, until another one was leaked and so on.

The warez scene

There are people who don’t spend any time in Facebook or YouTube. They surf the internet for free stuff. Cracked versions of commercial software (aka warez) circulate in some shady forums that bring together the crackers with the downloaders e.g. http://www.warez-bb.org.  Browse a warez site and you will find any software, movie or music you fancy, with an assortment of popups and dodgy advertisements of the usual internet 3P products (Pills, Poker and Girls [sic]). For your convenience there are even specialized search engines that search a number of such forums simultaneously, e.g. http://www.warez.com.

These forums do not host the actual files. They refer the traffic to specialized file hosting services like rapidshare.com. To make the most of warez you need to buy a subscription to access such file hosting sites (e.g. unlimited downloads from $9/month). Incurable cheapskates could get away without paying anything though, as you can download for free after a forced (nag) waiting of a minute or two.

A bit more up-market are download sites where to gain access you need to purchase a subscription, e.g. http://www.nowdownloadall.com. I have never paid to enter such a site, but they promise access to any download you can imagine. So you pay a monthly fee to download as much as you like. Note that this is different from paid-for hosting mentioned above. I suppose that you need a file hosting subscription on top to get the actual files downloaded. With so much stuff available for free I don’t know if this approach makes economic sense.

Finally there are traditional peer-to-peer file sharing networks, where people share their software music and video through torrents. After the demise of Napster torrents are still strong, with completely decentralized databases immune to legal intervention. The downside of torrents is their inherent unreliability, so people in a hurry will prefer the immediate gratification of a full download from rapidshare.com and the like.

Why do they do it?

It is easy to understand why someone will prefer ‘free’ software instead of paying up. But what about the crackers, the people who circumvent the DRM and distribute these warez. Why do they do it? Here are a few plausible motives:

  • For kicks. The traditional hacker stereotype is a geeky person whose pastime is breaking into computer networks. Cracking into a software’s protection and stripping it clean must be a pleasure in itself, a ritual destruction of the evil Death Star.
  • For glory. Marxist theory claims that private property is theft. This concept has struggled with real tangible property, but digital property is the ideal trophy. Many groups feel that software and music should be free (!) so taking down the big media and software corporations is a noble cause for them. But many small ISVs fall victims too, and the real motives are far less revolutionary…
  • For profit. Marx is dead; long live Das Kapital. Warez downloads are big business in a number of ways:
    • Direct subscriptions charges to access the downloads
    • Selling password unlockers (e.g. you download something in a ZIP archive which is locked and you need to buy some software to unlock it)
    • Distributing malware. Many downloads are packed with malware (sample report for a keygen), from straightforward scams and ransomware to trojans that turn your computer to a zombie, waiting for instructions to launch a DDoS attack or send spam.

You *can* remove illegal downloads

If your software is available to download from warez sites, either compromised (patched or keygened) or simply accompanied by a simple serial number to unlock it, you will definitely lose sales. The good news is that, using DMCA provisions, you can have these unauthorized downloads removed. Without these downloads prospective users will have no choice but to buy your software — or move on to your competitor’s cracked software.

Here is how to remove illegal downloads:

  1. Find your download links. All illegal downloads end up in a host like rapidshare.com or megaupload.com (I know of more than 100, but there are 10-20 big player websites). A standard Google search for your software name plus ‘crack’, ‘keygen’ or ‘rapidshare’ will find some hits, especially if you search in groups or blogs. Even better use specialized warez search engines like http://www.filestube.com with just your software name as a keyword — the results will be just downloads.
  2. Validate download URLs. Some of the download links you discover may be dead (e.g. very old). Click on each one to see if they are valid or 404.
  3. Send DCMA notices. Group the download links by provider (rapidshare, hotfile, etc), and send a DMCA notice to the abuse email address of each website. Usually this is abuse@website.com (e.g. abuse@rapidshare.com). Each website lists the steps for filing DMCA notices for file removal.

This sounds like a lot of hard work, and it can be, but it works. File sharing websites like rapidshare.com run a legitimate business — they are not responsible for cracks — so if you send them a polite DMCA takedown notice they will remove the copyright infringing downloads.

The DCMA takedown notice

Strictly speaking when you send a DMCA notice you are making allegations of copyright infringement, which is a serious crime. You would imagine that a formal complaint should be launched under the guidance of a solicitor/lawyer. Given the amount of copyright infringement that goes on, the red tape would bring everything to a standstill. The beauty of the DMCA law is that it simplifies the procedure. Sometimes a plain English email explaining the situation to the download site, along with a list of your download locations is all that’s required to have the links removed.

A few websites require a more formal DMCA email including details such as your company address, contact telephone numbers, and some boilerplate statements like “I swear, under penalty of perjury, that the information in the notification is accurate…”. You can find many sample DMCA notices online so I won’t repeat them here. The general idea is that you present yourself as the copyright owner and declare the download URLs as unauthorized, and therefore infringing your copyright.

Torrents slip by

DMCA is very good for removing illegal downloads hosted in popular file sharing websites, but it is powerless against torrents. There is no single source for the download, as the files are kept in many computers. You would have to contact each and every person who shares illegal copies of your software in the peer-to-peer network. This would be hopeless and a waste of effort. Thankfully for the ISV, torrent use is on the decline. People prefer direct downloads of the full package instead of slower peer-to-peer downloads.

The sales pitch

Anyone can search and remove illegal downloads manually. I was doing it the hard way for quite some time, each time I released a new version of my software tool (there’s a lot of cracker activity for each release as they need to update their patches and keygens). However this is very tedious, as you must:

  • enter shady warez forums to search for your keyword, facing annoying popups and adverts you wouldn’t want your wife to see
  • search many locations to ensure you get as many download URLs as possible
  • validate each download URL to see if it is still alive or dead
  • organize download URLs and write DMCA takedown emails for each file hosting website

Even if one wipes all the illegal downloads, new ones will appear over time. So the locate-report-remove cycle must be repeated regularly. This was the motivation for writing Crack Tracker, a tool that simplifies the removal of illegal downloads.

Crack Tracker is a desktop tool, with a meta search engine that securely scans warez databases for your downloads. You supply the search keyword (e.g. your software title or company name) then crack tracker will do an exhaustive search, collect a list of suspect download locations and verify the links with robotic efficiency. After you examine the results you just hit a button and the relevant DMCA emails are sent automatically. It doesn’t get any easier than that.

Crack Tracker doesn’t have a fancy user interface but it is very easy to use. It knows of more than 120 file hosting websites and works with 6 major warez search engines (the list is expanding). It is free to try as a search engine; to send the actual DMCA emails you need a registration, but I believe the price is very reasonable, especially if you consider the money you lose in pirated versions of your software.

Why don’t you try it for free and see how many cracks of your software it finds?

Download CrackTracker for Windows (318KB)

Nikos Bozinis ditched his Process Systems Engineering PhD to run his own microISV ZABKAT since 1999. He also writes a weekly blog focusing on file management and occasionally on programming, debugging and running a software business.