The Truth About Dongles

Transcription

The Truth About Dongles
Protecting intellectual property and the end-user experience

Contents

Executive summary
A history of dongles
The problem with dongles
The alternative: software-based protection
Software-based protection problems
PRO-Tector Flash: the best of both worlds
Combining hardware and software to solve the dongle problem
The customer proposition
Conclusion

Executive summary

The world of computing is very cyclical. Often, you will find concepts from yesteryear recycled and repackaged. The idea of centralized computing, for example, which emerged with the mainframe, lost favour when client/server developed, only to find fortune again in the era of thin client computing and shared applications. Facilities houses and computer bureaus were a thing of the past until someone coined the term ‘hosted services’ and the whole cycle began again.

And so it should be. The world of computing is built on solid ideas that we should not forget, but the real innovation comes with taking those old ideas and adapting them to add value and to adapt to modern conditions. The dongle is a prime example of this. A technology from the early 1980s, it was clunky, expensive, and beset by many problems, limiting it to niche applications for very expensive software. But there is an element of usefulness in physical copy protection that we should not lose.

This, the latest in a series of white papers from Nalpeiron offering new insights into copy protection concepts, explains how the concept of physical protection is being modernized, fused with digital licensing technologies to create a whole new product category. This new product provides a dramatic reduction in operating overheads for software vendors thanks to the use of inexpensive, industry standard components, and gives new meaning to the term 'copy protection'.

About The Author

Henry Roberts, CTO, Nalpeiron.

Henry Roberts helped develop one of the first general purpose computers at Monroe Calculator in the 1970s. The thesis for his MSc at the University of South Carolina's graduate school in Computer Science helped Apple Computer to adapt its own copy protection system. Henry’s thesis was responsible for defeating Locksmith, a technology that was known for being able to circumvent any copy protection technology on the Apple platform.

After obtaining his MSc in 1981, Henry worked on further Apple copy protection technology at Sensible Software. In 1983 he started his own company, AST, to create custom copy protection solutions.

In 2002 Henry devised a new copy protection technology that led to the development of PRO-Tector and its Protect-n-Forget (PnF) technology. AST and Nalpeiron worked together to produce the new products until 2004, when Nalpeiron acquired AST.

A history of dongles

Generally, copy protection technologies for computer software have fallen into two categories: the digital, and the physical. No matter how diligently you attempt to protect your computer software from piracy, protecting it using software algorithms will always introduce an element of vulnerability. Because software can be manipulated, hackers with enough skill can neutralise the detection algorithms or circumvent encryption mechanisms designed to keep your intellectual property under lock and key. Physical protection is by no means foolproof, and can be hacked by determined software crackers, but it represents another level of protection for software. This is why protecting software physically has always appealed to software developers.

Getting physical

Physical copy protection emerged in the early 1980s, and came in the form of a dongle. A dongle is a hardware device designed to plug into a computer's I/O port. The dongle provides verification that the software is valid, because it ships with the product and is very difficult to duplicate.

A dongle solution normally consists of three separate components:

- A custom processor containing the intelligence in the system along with the license credentials necessary to activate the software.
- A physical interface to the main board (either a serial port, parallel port or USB port).
- A device driver designed for installation on the PC that will talk to the dongle hardware.

The critical thing here is the specialist processor on the physical device. This is what makes a USB dongle different from a standard USB flash drive. Ideally, the software program using the dongle to authenticate itself would perform multiple checks by querying the dongle through the I/O port. Badly implemented dongles may only reference the dongle when they start up, setting a single reference variable that will allow the program to run. Such devices leave themselves open to code tampering, and properly implemented dongle/software solutions will involve multiple reference checks to the dongle from different parts of the program, making it much more difficult for hackers to fake the dongle’s existence by tampering with the program code.
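An added illustration of the difference described above (not code from the original paper or from Nalpeiron): a simulated dongle answers HMAC challenge-response queries, and the same application is written once with a single startup check and once with a check inside every protected feature. The class names, the demo key and the challenge-response scheme are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed demo secret. In a real product it lives inside the dongle's
# processor; sharing it with the host here is a simplification.
DEMO_KEY = b"constructed-demo-key"

class SimulatedDongle:
    """Stand-in for the dongle processor: answers challenges with HMAC-SHA256."""

    def __init__(self, key, present=True):
        self._key = key
        self.present = present

    def respond(self, challenge):
        if not self.present:
            raise OSError("dongle not found on I/O port")
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

def dongle_ok(dongle, key=DEMO_KEY):
    """Run one fresh challenge-response round; False if absent or wrong."""
    challenge = os.urandom(16)
    try:
        answer = dongle.respond(challenge)
    except OSError:
        return False
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(answer, expected)

class StartupOnlyApp:
    """Weak pattern: one query at launch sets a single reference variable."""

    def __init__(self, dongle):
        self.licensed = dongle_ok(dongle)

    def export_report(self):
        return "report" if self.licensed else None

class RecheckingApp:
    """Stronger pattern: each protected feature queries the dongle again."""

    def __init__(self, dongle):
        self._dongle = dongle

    def export_report(self):
        return "report" if dongle_ok(self._dongle) else None

    def save_project(self):
        return "saved" if dongle_ok(self._dongle) else None

def unplug_after_launch():
    """Start both apps with the dongle attached, then remove it."""
    dongle = SimulatedDongle(DEMO_KEY)
    weak, strong = StartupOnlyApp(dongle), RecheckingApp(dongle)
    dongle.present = False
    return weak.export_report(), strong.export_report(), strong.save_project()
```

In the startup-only version the whole license decision rests on one stored variable, so nothing notices when the dongle goes away; in the rechecking version every protected call depends on a fresh answer from the device.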

The problem with dongles

The dongle sounds like an ideal solution, but it suffers from some underlying problems that affect the end user and the software developer alike. These can be collected together into a few categories:

Using physical media causes physical problems

Physical devices can be lost more easily, especially small form factor devices such as a dongle. A customer who loses the dongle will not be able to use the software until it is replaced.

Supplying and replacing dongles is a problem for the vendor. One of the advantages of working in the software business is that inventory is less relevant because your product can be replicated and doesn’t take up any space. Conversely, dongles must be managed as physical stock, placing additional demands on your business. Replacing your customers’ lost dongles is yet another problem. Because dongles have not traditionally offered any value add for the customer, replacing a lost dongle is simply an inconvenience for the customer, especially if they have to pay for it.

Dongles are also expensive to manufacture, meaning that suppliers must increase the price of their software to accommodate the extra up-front cost. Buying 1,000 traditional dongles at 30 each will result in a 30,000 inventory, which has to be held in stock until it is used, tying up badly needed capital that could be used elsewhere.

Higher development costs

Dongles are traditionally hard to upgrade, requiring you to send out a new device or new drivers. Users have to wait until these upgrades are issued before their software will work properly.

Software protection that uses dongles is not as easy to develop for as non-physical technology. Apart from the universally accepted physical interfaces (serial port/parallel port/USB) there are no standards for dongles, meaning that each dongle solution works differently, using different ASICs and software drivers.

They create support headaches

Dongles can cause incompatibilities with hardware and software. A dongle that works perfectly well may suddenly experience problems following a major operating system upgrade or driver patch. Should a dongle suddenly begin locking up because of changes to its operating environment, the supplier will have to resolve the problem, often with considerable time delays waiting for new drivers. The costs could be significant.

The alternative: software-based protection

While dongles evolved as a form of physical protection, a parallel development has taken place. Digital protection technology has evolved in various forms. Because of its reliance on software innovation rather than physical protection, the approaches to digital copy protection have evolved at a faster pace than dongle-based systems.

Wrappers

Evolving from the loader-based mechanisms found in some software protection systems, software wrappers are envelopes of code that encrypt your own application binary. Because the software wrapper has to decrypt the code before it can be run, it can be programmed to check for the existence of a software license before allowing access.

SDKs

An SDK is a piece of copy protection code that has been developed for a specific application environment. Unlike wrappers, which are designed to fit around your existing code like a shell, SDKs integrate more tightly with your application. You can make calls to the application programming interface (API) presented by the software development kit from within your own software.

For example, whenever a particular function is called, it checks the details of your license using the SDK. In this way, it becomes more difficult for hackers to disassociate the copy protection from the application code.

SDKs are stronger and harder to hack than wrappers and much cheaper and more flexible than dongles. They have more features and integrate with applications much more tightly, allowing for features such as custom screens, for example.

Software-based protection problems

Generally, software-based copy protection technology has been seen as more vulnerable than dongle-based systems, because software is easier for third parties to manipulate than hardware-based systems.

Wrappers

Software wrappers are considered by many developers to be among the easiest products to use, because they are often designed to be easily integrated into any product. However, that ease of use comes at a price. Once cracked, a software wrapper can be countered with an unwrapper that is easy to distribute and run. Search the Internet to find cracks for some of the better-known software protection mechanisms, and you will be surprised at how quickly software crackers can neutralise code. It becomes profitable for them to do this, because once you have created a software patch neutralizing the protection provided by a single wrapper, you theoretically provide access to tens or hundreds of software applications protected using that product.

Developers should also be wary of future operating system developments when using wrappers. Unless you are sure that your wrapper solution will survive Windows XP Service Pack 2 and future operating system upgrades, for example, you could find yourself with increasing support costs in the future.

SDKs

SDKs are harder to implement than wrapper technology because you must be a developer with the tools that built the original application. The development time needed to copy protect your application with an SDK correlates directly with the level of integration you require.

Digital licensing models

The flexibility of digital licensing allows companies to use several different licensing models with their software. These include:

- Modular licensing: Licensing software based on the use of individual components or features.
- Per-use licensing: Software can be paid for each time it is used, with usage measured by some agreed criteria.
- Trial period licensing: Using a trial version of the software that locks up after a predefined period and can only be unlocked with a license purchase.
- Concurrent network usage: Software which is designed for use on a network can be restricted to a set number of simultaneous users.
- Subscription: Providing software that is rented rather than owned.
- Limited-run evaluation: Software locks up after a set number of uses until full license is purchased.

PRO-Tector Flash: the best of both worlds

PRO-Tector Flash is a software development kit enabling developers to buy a USB flash drive from any supplier and turn it into a dongle-like device by creating and storing the digital license for a particular software application on it. This approach combines the strong protection of a physical device with the flexibility of a software license.

Roll your own protection

Although Nalpeiron will happily provide blank USB flash drives, developers no longer need to rely on a single company as they do when purchasing dongle hardware. Instead, they can roll their own protection, purchasing a USB drive with the capacity that they need (up to a maximum of 2GB). PRO-Tector Flash puts developers back in control of their own copy protection, making it possible to customise it to suit their customers’ needs.

Users who travel frequently and need to move their license from one computer to another on a regular basis will find the copy protection offered by PRO-Tector Flash to be more convenient than dongle solutions. PRO-Tector Flash does not restrict the use of the USB flash drive as a storage device and also provides users with the option to transfer the license from the USB drive to their PC, minimizing inconvenience in the event of a lost flash drive.

PRO-Tector Flash in action

1. Developer acquires USB flash drive from one of many third party suppliers (or from Nalpeiron).
2. Developer uses PRO-Tector Flash SDK to generate digital license, stored on USB flash drive.
3. Drive given to user.
4. User uses USB drive with software license to access application on office PC.
5. User leaves office and goes home. Uses USB drive to access same application at home (if license allows multiple installs).
6. User is leaving for trip and worries about losing USB drive. Transfers license temporarily to her PC for protection.

Combining hardware and software to solve the dongle problem

The PRO-Tector Flash solution solves the problems associated with traditional dongles while leaving the benefits intact.

Lowering the cost of entry

Now, with the introduction of low-cost USB drives and the ability to quickly create your own physical protection without help from a third party dongle provider, developers can minimise the cost of software protection while maximizing control over their intellectual property. With dongle-based copy protection costing around 30 per unit, Nalpeiron can cut the up-front cost of volume production units by a third. Back-end costs associated with issues like support, inventory management and distribution will also be dramatically reduced.

Lowering the cost of support

Because they use standard memory chips instead of the specialist ASICs used by dongles, USB-based flash drives are much less likely to cause problems with operating system software or system patches because they do not use specialist drivers. And because it is so easy to copy the license to a PC, it will reduce the replacement costs associated with many dongle-based copy protection systems. Similarly, standard solid state RAM has a better mean time between failure (MTBF), offering up to a million hours and reducing support costs still further.

Lowering the cost of distribution

Because dongles can be created on the fly using off-the-shelf USB flash drives, developers can buy USB flash drives from a variety of different sources, increasing the flexibility of supply. This enables them to fulfil their software shipments, according to their own schedule rather than waiting for a specialist dongle vendor to provide them with product.

Solving the wrapper problem

Unlike wrappers, which if cracked can compromise an entire installed base of software, PRO-Tector Flash's hardware/software combination gives developers the protection of a physical dongle without sacrificing the flexibility of software-based licensing. Custom screens, different software licensing models, and even Internet-based activation are all possible using this product, while the hardware element provides another level of protection.

Unlike traditional dongles, which preclude the user from using software that has been downloaded from the Internet, PRO-Tector Flash enables customers to use a trial version of the software, ordering a separate USB flash drive which can be plugged into their machine upon arrival, creating a license and converting the product into a full-use version.

And whereas other dongles can hold 115 software licenses, the high capacity of many USB flash drives enables a flash drive enabled with our software to hold 250 licenses, with up to twice the application memory (10Kb).

The customer proposition

Dongles created using PRO-Tector Flash represent not just convenient copy protection for developers, but added value for end users. Not only does the product allow multiple digital licenses for digital applications to be stored on the same drive, but it also allows customers to store their data files on the key ring-like device, along with the product manual and even the software application itself, which can dramatically cut distribution and printing costs for the software vendor.

Thus, hardware becomes not just something that they need to make the application work, but a pocket storage device that enables them to take their files with them. Developers can present this to customers as a benefit, and all at a low cost for the end user, thanks to the relatively cheap nature of the USB device when purchased in volume. The ability to add product branding in the form of logos printed on the side of the USB drive reinforces your company brand, which then travels with users wherever they go. For the first time, copy protection is not simply something for users to tolerate, but something for them to buy into.

About Nalpeiron

Formed in 1991, Nalpeiron (NAL) is a US- and UK-based company. Nalpeiron started as a software developer and management consultancy, but had poor experiences using copy protection technologies leading to support headaches through lost software licenses. The company decided to develop a range of new copy protection technologies to help its customers solve these problems.

Conclusion

Copy protection is often taken far too lightly by software vendors who leave it as an afterthought, hoping that the crackers won't target them. Unfortunately, these are the vendors whose profits suffer from lost revenue. Companies have pulled out of entire geographical markets before, because of endemic piracy.

Solutions now exist which take note of the lessons learned from previous generations of software protection, and combine the best parts of various tools into a single product. Thinking about your protection early on, and combining the flexibility of software licensing with the resilience of hardware-based data protection will help to protect your most valuable asset: your intellectual property.

What to consider when sourcing physical copy protection

Any software developer thinking about ways to protect their software will doubtless consider physical protection solutions when making their final decision. If you decide that your product would benefit from physical protection, you should approach suppliers forearmed and forewarned. Consider these issues when making your choice:

- Inventory: How easy is it to get supplies of the dongle hardware on demand?
- Dongle loss or theft: What is the outcome if the dongle is removed from the system? Can the user transfer the license to the PC and back to the dongle when appropriate?
- Standardization: Will the hardware and associated driver need updating or upgrading with operating system updates? How will this delay and/or change affect your customer base when it occurs? What are the costs and rollout issues?
- Extra value: Is the dongle that you are considering simply a way to stop software being copied, or does it add extra value, such as file storage?
- Reliability: What is the mean time between failure of the dongle? How long before it will need replacing? This will significantly affect your costs throughout the lifecycle of the customer’s license.
- Flexibility: Can your physical protection software be used to enforce different licensing models, such as trial period evaluations, rental models and pay per-use models?
- Unit cost: How much will your dongle cost to produce in volume? Do you have to buy it directly from one vendor, and how will that impact ongoing pricing?

Contact us now for a free 20 minute obligation-free consultation (normally 100) to discuss your project and to get impartial advice on the best solution for you. Email us now at consult@nalpeiron.com with your contact details and we will schedule a call with a consultant.

Nalpeiron US Office: 11707 S. Beechwood Rd., Leavenworth, IN 47137, USA
Nalpeiron UK Office: 44 Market Square, Witney, OXFORD OX28 6AJ, United Kingdom
www.nalpeiron.com

Copyright 2005 Nalpeiron. PRO-Tector and Protect-n-Forget (PnF) are trademarks of Nalpeiron. All other trademarks belong to their respective owners.

Royalty free solutions for flexible and reliable licensing, activation and copy protection.

E&OE.
