Shareware Author Tips - Don't let the pirates get you.
(this article is part of a series)
Ahoy! There be Pirates About!
Pirates are not evil. Pirates are normal people looking to save $30.
Don't get angry, don't try to get even. Heck, before authoring your own application, you probably tried to "Google" up a shareware serial number or two.
Your job is to do everything within reason to make sure people can't get your software for free.
Think for a moment, what would happen if you could just type into a search engine:
"yourappname serial number"
...and the user actually got a serial number that worked.
What if you searched for "yourappname" on a file sharing service, and you were able to download a copy that worked?
What percentage of sales would you lose? 25%? 60%? I don't know.
There are two primary ways you can have your application pirated:
1. A valid serial number somehow gets distributed via websites or the Usenet. It could be a paying customer who decided to "share" (this is pretty rare), or alternately a hacker guessed or otherwise deduced a valid one.
2. A "hacker" modifies or offers a patch for your application to bypass the registration system. In the worst case they distribute your hacked application online via a website or file sharing service.
I had both of these problems with my spam blocker application to various extents early on. Here's what I've learned:
1. Design your registration process so that it validates against your web server. This way you can check your web log files to see if a single serial number is getting registered 90 times in 10 days. If this happens - you can modify the server-side code to reject the compromised serial number.
Try to be reasonable if you suspect a paying customer is installing on a handful of systems. Also - keep in mind some people will need to re-install periodically. If you see a single serial number used four times in a month - that's probably not cause for alarm. You'll know when you have a problem.
I've only had a few cases where I shut down a serial number because it looked like it was getting deployed on dozens of systems, when they'd only bought a license for one.
2. Add CRC or checksum code to your application so it can't be readily modified.
OK, that said, the hackers are going to locate the CRC or checksum code and remove it. So you need to add a second and third CRC checking routine someplace else in the code.
Adopt multiple strategies to try to figure out if someone's trying to mess with your application.
For this part of the application, write really bad code (yes, even worse than you usually do) - it's harder to hack. If needed, have a beer or three first. The registration code in the SpamButcher antispam tool is, well, extra-special. I'm leaving out a few of my own "gems" for the sake of security.
Assume the hackers are smarter than you (or at least have a lot more time). Once you think you've done enough, do a bit more to be sure.
3. If you find yourself having issues with hackers from a country you've never sold a single copy of your product to, consider blocking the entire country from accessing your web server (this is easier using Linux than Windows).
4. Regularly (maybe once a month) do the kinds of web searches people would if they were looking to pirate your application. If you find hacks or serial numbers - verify if they work or not.
5. Check those web logs! If you are getting 623 hits a day referred from WWW.WEGOTWAREZ2GO.CO.CN - you got a problem. Don't panic - get on top of the issue - and solve it. As mentioned above - you should also be able to check if a single serial number is getting hundreds or thousands of attempted registrations.
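The log check described in tips 1 and 5, as an added example (not code from SpamButcher or from this article's author): it counts registrations per serial number inside a sliding window and reports the ones that exceed a threshold. The /register?serial=... URL, the "combined" access-log format, the default threshold of 10 and the sample log lines are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: "combined" access-log format and a hypothetical
# GET /register?serial=... endpoint; adjust the pattern to your own URL.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /register\?(?:[^" ]*&)?serial=(?P<serial>[A-Za-z0-9-]+)')

def parse(lines):
    """Yield (timestamp, serial, client_ip) for registration requests only."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["serial"], m["ip"]

def flag_serials(lines, max_regs=10, window_days=10):
    """Return {serial: (peak, distinct_ips)} where peak is the largest number
    of registrations inside any window_days span and exceeds max_regs."""
    events = defaultdict(list)
    for ts, serial, ip in parse(lines):
        events[serial].append((ts, ip))
    window, flagged = timedelta(days=window_days), {}
    for serial, evs in events.items():
        evs.sort()
        peak = start = 0
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_regs:
            flagged[serial] = (peak, len({ip for _, ip in evs}))
    return flagged

def sample_log():
    """Constructed data: AAAA-1111 is re-installed 4 times in a month from one
    address; BBBB-2222 is registered 90 times in 10 days from 90 addresses."""
    fmt = '{ip} - - [{d:02d}/Mar/2024:{h:02d}:00:00 +0000] "GET {url} HTTP/1.1" 200 12'
    lines = [fmt.format(ip="198.51.100.7", d=d, h=9, url="/register?serial=AAAA-1111")
             for d in (1, 8, 15, 29)]
    lines += [fmt.format(ip=f"203.0.113.{i + 1}", d=1 + i // 9, h=i % 9,
                         url="/register?v=2&serial=BBBB-2222") for i in range(90)]
    lines.append(fmt.format(ip="192.0.2.1", d=3, h=4, url="/index.html"))
    return lines

if __name__ == "__main__":
    for serial, (peak, ips) in flag_serials(sample_log()).items():
        print(f"{serial}: {peak} registrations in 10 days from {ips} addresses")
```

The distinct-address count helps separate a customer re-installing on one machine from a serial number that has been passed around.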