Ask HN: Copy protection?

5 points by randrews ↗ HN
My employer is worried that our clients will steal our application, and so want me to research copy protection methods.

The application is all client-side, must run without access to the network, and is written in Ironruby.

I'm having a lot of trouble thinking of a solution that I wouldn't be able to break. I know that it's impossible for it to be totally unbreakable, but could someone give me an idea of a pretty good solution?

Apparently cost is no object either.

Edit: Dongles are apparently cheaper than I thought, in the $200 range for a starter kit with five of them. Has anyone worked with them before? What do they do, just give you a small storage area that's somehow hard to access?

13 comments

[ 2.6 ms ] story [ 35.1 ms ] thread
If you're serious and "cost is no object", you probably want something dongle based: http://en.wikipedia.org/wiki/Dongle#Copy_protection

Note that the objective probably isn't something you can't break, but something that raises the bar high enough it's not worth it for any/many of your customers to pay someone to break.

Some kind of dongle is definitely required, but wouldn't someone be able to read the code to our app, remove the dongle-checking part, and then copy it all they want?

We do have a way to keep the code encrypted until we run it, but we have to ship the key with the code...

so you're shipping the code with the product or is the code the product (website/app)?
Yeah, the code is the product, it's a program to do physical simulations of a certain industrial process (actually more interesting than it sounds!)
and why dont you just ship compiled versions and add some sort of licencing into your program? or does the contract state that you have to give the sourcecode along with the programm (that would make it "some software you built on contract for a company" and not "your product"!)?
The main problem is that we want to do time-based licensing, so they can only use the product for a month or whatever before buying a new license. Anything we do in the program to check that license, they'll be able to edit the program to remove.
Just include an audit clause in the contract which allows you to audit them for licence compliance. Add a comment in the code around the check which says "If you report your employer for illegally using our software we will give you a $10,000 reward anonymously".
That's actually a pretty good idea. :-)
This issue has been addressed for compiled code (don't know anything about IronRuby, though). There are a bunch of tricks, like frequently checking the dongle, decrypting code before using it, etc.

And for a time-based license you'll need a dongle with a clock in it to prevent the simple workaround of setting the clock (and general system state, etc.) back in time.

Depending on how much 'cost is no object', hardware dongle's (http://en.wikipedia.org/wiki/Dongle) are very much still used for copy protection on larger, professional software packages. http://www.safenet-inc.com/ and http://www.marx.com/ are two that I know of.

Another method I've seen is to lock the software down to a particular hardware instance. In this method, the customer has to run a program on the computer that the program will be installed to, which grabs all sorts of unique things, like MAC address of any network devices, hard drive serial numbers, etc. The customer then sends the resulting info file back and a unique unlock key is generated.

But at the root of it, the protection is still done in software, which is very much still crackable to a skilled enough attacker. But for software you cannot download from the internet without a company provided password, skilled attackers are harder to come by. Compare that to something like winzip which was used as a teaching tool for how to write cracks.

That's the problem I've been running into. At some point, in a piece of code we ship them, we will have to have a thing that checks a license and then decrypts the code and runs it. They can just edit that code.
You're thinking too hard. Use a dongle, and if people crack it then it's not your problem (blame the dongle vendor).
I've been looking at a dongle that allows you to run code on it, so you'd be able to pass it an encrypted program and it would encrypt it for you (without putting the key on the host machine). That should be as secure as the dongle is.

My problem is that I've been thinking of a dongle as a secure-ish way to store a key, which still leaves the responsibility for using the key on my code.