I find it somewhat humorous how few of Bill’s statements in that letter hold true today …
More on topic: why oh why do so many companies insist on disabling copy/paste into the serial number/key text box? I mean, you’re not stopping a single pirate except perhaps someone brute-forcing the registration process (but if you’re after that type of attack, timeouts and lockouts after, say, 100 incorrect guesses would be much more effective … a true hacker would just write their own keyboard driver to emulate keys being pressed at the HID layer).
I’m with one of the previous posters: at the very least, for digital downloads offer a license file which I can double-click (or select in an Open File dialog) instead of entering text. And, yes, if you’re selling boxed software, provide a way for me to photograph or scan the number on the box and a widget to OCR that into your license key. Hell, every Mac sold today includes a camera; if you make Mac software allowing a bar-code scan a la Delicious Library is a no-brainer!
Yes, reg keys are a “one time” annoyance. But, they’re a “one time” annoyance every time I move computers, which is once every couple of years, for every single application.
I have many applications which I’ve paid for once and since abandoned (which means, not paid for any upgrades) because it was too much trouble to re-enter the serial number in my next computer. You are losing sales from this!
maybe i am wrong, but the long key may be necessary, because not every possible combination of character can be a valid key, there would be a lot more spaces for invalid keys, so making it more difficult for key generators to find legit key.
Tell me as soon as I’ve entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I’ve screwed up? You’re the computer, remember? This is what you’re good at.
wouldn’t it defeat the security purpose of the key? as it would make it easier to just brute force the keys? it would depends on implementation though, maybe like, if you entered only one or 2 character wrong AFTER typing the full key, then there would be a indicator for wrong character, any more than that it will display nothing helpful at all.
There might be other issue with this problem though, what if software has no access to cleartext registration key in memory? for example if they simply hash the user input key and compare the hashed value to that of a legit key, like they do with password validation?
I think the statement of wouldn’t you enter the key character by character waiting to see if it’s wrong is completely incorrect. How the hell would the product even know that, since as I understand it, there is an algorithm in place to create an incredibly small number of keys that work. It’s not like your going to enter 3 characters, and the algorithm knows that these same 3 characters also happen to match a key that’s in place.
However, if you type in the entire key, then it does it’s validity check and is wrong, it would be very easy to go to each character, try each alphanumeric combination, and see if any of those generate a valid key. If they do, just accept the key and move on (no need to even ask for it to be reentered). Worried about a collision, add 1 extra character to the key for this convenience.
The incredible part about this is that as soon as you start getting more then 2 or 3 characters wrong, the computation power required to do this check would begin to take exponentially more cpu power, so it would be impractical if more then 2 or 3 characters were screwed up, so the software wouldn’t even try.
This would be nice if your going to use a key anyways, however, key protection is ultimatly useless if your just asking to enter a key. Anyone can give you a valid key who’s bought the product once, so all you’ve done is spent extra developement time ensuring that atleast 1 copy of your software is purchased. Wouldn’t it make more sense to take the time to you know, develop a product that customers want to buy. And yea there will be pirates, but let your marketting department incur the expense to their budget, for all of the people promoting your software through it’s usage.
Of course if your really nasty, the number 1 way to protect your software would be to run the expensive system, where you have to log on to a key server on the internet every time you use the product. This key server would then provide the code decryption keys required to even run the software. And even that has to be transport / memory protected. But to me, unless you really really know what your doing, the imposed risks of running this system would tend to stop all your product users from using your software if it doesn’t work exactly as expected.
@ “…there has to be some kind of enforcement in place.”
It may be strange for a guy who earns a living making software to disagree, but consider: For most of Microsoft’s history, it sold software that was in the main entirely free of any meaningful copy protection, and it did it in the 1980s and 1990s, an environment of even more rampant piracy than we see today. And yet it managed to become one of the most profitable organizations on Earth. Without enforcement.
Hey, it may be biased data, but it is data.
Also, consider this spectrum of possible relationships that a person/company/government might have with (say) Microsoft software:
1 - Purchases, uses MS software
2 - Pirates, uses MS software
3 - Uses competing software
4 - Doesn’t own a computer, doesn’t use any software
Wouldn’t this be the order of desirability, from Microsoft’s point of view? Piracy cements and re-enforces a successful product’s market share.
Some Mac OS X apps have found a nifty solution to this.
For example, I recently purchased Voodoo Pad (http://flyingmeat.com/voodoopad/). The last step of the purchase process was a confirmation web page containing the following link:
Clicking that link opens the VoodooPad app (the trial version was unlockable, natch) and auto-registers it with the registration key. No typing, not even cut/paste.
(This trick works because of a little Mac OS magic: the app bundle contains a plist file that registers that URL scheme with the app.)
Actually, mistaken characters in key is a big problem.
I was almost unable to install my NWN game.
The font chosen to print the key was the worst possible, they’ve even put up a FAQ issue on it.
See here: http://nwn.bioware.com/support/known.html#42
Serial numbers (or keys) are the least intrusive for the honest user, while internet activation and dongles are more intrusive. Which is why I generally don’t mind serial numbers.
However, none of these schemes don’t work very well.
Copy protection doesn’t prevent piracy. As everyone who bothers to look knows, any software protected by a serial key or activation is widely available as a cracked version or with a key generator program. This is true even for quite intrusive protection schemes such as CD copy protection.
On the other hand, copy protection schemes DO scare away honest users. Personally, I am really tired of games that nag me to find the CD, windows that nags me to install WGA or to activate, and software that nags me to find the license key. Had I been using pirated software, all I had to do is install, copy crack, done.
Microsoft may consider WGA a success from their point of view, but I think it’s (a) short sighted, and (b) a failure from a customer’s (me) point of view.
I am sure many of us had the experience of having to reactivate Windows after installing a sound card, a new DVD drive, or whatever.
WGA has been known to report valid installations as pirates (i.e false detection). Also a while ago Microsoft had trouble with the WGA servers, causing trouble for the many users who suddenly had their installation detected as invalid.
Updated WGA cracks come out about two days after every update to WGA. I doubt this inconveniences an honest pirate. I am sure it inconveniences an honest user.
So basically all WGA does is to scare away honest users.
As for Microsoft’s “hard data” (assuming you take it at face value, which you shouldn’t), I don’t agree with their interpretation. Pirated versions of Vista ARE easily obtainable. Probably easier than actually going to the store and buy one. If indeed the “piracy rate” for Vista (whatever that means) is half of XP, it may be because many people aren’t bothering to switch to Vista anyway. Or perhaps pirates got better at hiding, due to the aggressiveness of Vista’s WGA.
What a coincidence! Just yesterday I was skimming through all my old mails, and read a forward about Bill Gates` hobbyist mail.
Today i open my Reader, to find your post having the exact same content!
If you have a 16-character code aranged in four blocks of four characters, add a fifth character to each block as a checksum so that you can easily highlight typos without indicating whether or not the key is actually valid. You can publish your checksum algorithm and still not give away the actual key generation algorithm.
In addition to checking that the characters typed by the user are in the valid set of characters, the key could contain a checksum that’s checked right away once the full length has been typed, for immediate feedback before a more involved check.
Personally I think that registration keys are used a bit too much. If I buy software on a CD/DVD, why can’t a unique key be printed on the CD/DVD? Why do I have to manually type it? Surely there has to be a way of printing a short unique code on each CD/DVD, readable by the disc drive (maybe by burning/punching holes in the surface, damaging a pattern of sectors), without prohibitive costs. With online purchases there isn’t even that excuse.
Also, I cannot understand the point of registration keys, unless they are checked online against a list of valid keys. Otherwise, crackers can and will figure out how the keys are checked and generate their own, or just buy a copy and pass that one key around.
Use consistent terminology in your code and packaging. Some products have several numbers of various kinds within their packaging, and it’s not always obvious which number is the software key as the labels sometimes don’t match. If necessary you should show a dummy sample key during installation to make the printed key easier to identify (eg XXX-XXX-123-XXX).
"avoid paying (note that I did not say “steal”)"
Yeah, what’s the difference again? Next time I take some stuff through HMV’s door, neatly bypassing the till, I’d like a convincing explanation. BTW, “Stealing from rich people is still theft.”
"I’d be inclined to disagree, and willing to bet that just about everyone who’d be willing to pirate something in the first place isn’t going to be stopped by simple serial number validation"
Well you’d lose. Products with serial numbers get pirated at a lower level than products without, even if it’s easy to fake the serial number. Apparently it’s a social compliance thing. Basically, the average consumer (read, non-programmer) will assume that, if there’s no serial security, it’s okay, much as if you leave a door ajar, they’ll assume it’s okay to open it. There’s also the fear that the serial code makes the product trackable and you’ll be caught.
"18th century view of property law"
What, that if someone spends 5 years making something that you use, you should pay? That’s pretty early to mid 20th Century too.
There is an alternative no-one’s considered. Everyone should release software so buggy, so ineffably crap, that your only alternative to pay to have it fixed. Fortunately, if we stick with only garage-hacker companies that work for free, that’ll probably be the situation we find ourselves in. I could start my own business, “fixing garage software; For moneys!”
"I’ve run into several issues playing games because of a cd-rom driver, or a video driver."
Yes, but I’ve run into several issues playing games on a Mac because… it’s a Mac!
Alex Said: “I wish they’d put a second copy of the serial ON the disc”
Well, unless they’re doing CDR print-on-demand that’s just not going to work well for them, logistically (sticker on CD = bad; individually printing them directly on the CD is also nightmarish).
On the other hand, you can do what I’ve done for years (especially with our MSDN volume-license downloads) and write the number on the disk with a Sharpie. (Also, on the disk sleeve. And inside the manual.)
"As far as stealing from UNIX- After reading Jeff’s posts on virus protection being pretty much unnecessary if we’d all stop running as Admin… I can’t help but feel that Windows would be much better if they HAD. :D"
Agreed. And I’m endlessly interested in what appears to be a massive over-hype. What exactly did Microsoft “steal” from UNIX, was it copyrighted/patented, and if not, did the creators of UNIX observe basic commercial security, as far as possible for the time?(Rule 1: if you talk about it in a public lab, it’s not commercially confidential/Rule 2: You only release the blueprints for your product via the patent office).
"nagware that trusts the user when the user claims to have paid"
You’d require some form of proof, or even I’d click the button marked “I’ve paid” at some point. Just to see what would happen. And then it’s no longer nagware.
I like Spiderweb Software’s approach for Shareware games. www.spidweb.com
Technically, Windows (insert flavor here) is designed to also work only on one platform: the PC. In essence: a dongle.
This is surely only a valid comparison if the “PC” was a product produced by a company. Microsoft are not a hardware company in this respect, so actually, it’s arguably designed to “work” on anything that will support it.
“The most rudimentary grasp of mathematics tells us that a conservative 10 character alphanumeric registration key is good for 197 trillion unique users”
alphanumeric: 26 letters + 10 digits = 36 possible values for each character
36 choices per character ^ 10 characters = 3,656,158,440,062,976 combinations
I’m on cold medicine right now…am I missing something? How did we get 197 trillion instead of ~3.6 quadrillion?
Mike seemed to be on the same track that I was. I think that you should add an additional factor that would alleviate most of the other concerns…
Make the Key Machine Readable
Many registration keys include a bar code, which might help but presupposes that you have a bar code reader. What if the key were encoded in a way that could automatically be recognized by the computer.
My thought would be a pattern that could be scanned via a web-cam. The use case is on the registration screen there would be a button that offers “Scan Key Using Webcam”. Upon pressing the button the installation software would fire up the webcam, display a small image from the webcam and start parsing the result. When the user puts the coded image up to the camera the parsing algorithm would detect and evaluate the code in the image. When the key from the code is recognized, the installation software beeps and congratulates the user. On with the installation.
Only drawback is that a scan converted to a gif of the installation code is as good as the original, but how is this different than copying the characters by hand into a text file, web page or email?