
Piracy protection using USB based hardware solution

I want to protect my Java product by using a USB-based authentication and password management solution like the one you can buy here: Aladdin. This means that you have to connect a USB stick with special software on it before you can start your application.

I would like to hear about the experience of users who have used hardware like this.

  • Is this as safe as it sounds?
  • In general: how much money would you spend to protect software that would sell 100 times?

I will obfuscate my Java code and save some user-specific OS settings in an encrypted file stored somewhere on the hard disk. I don't want to force the user to do an online registration, because the internet is not necessary for the application.

Thanks

Comment: The company I am working for has been using Wibu for more than 5 years now.

Markus Lausberg asked Jan 15 '09 07:01


4 Answers

Please just don't. Sell your software at a price point that represents its worth, with a basic key-scheme if you must to keep honest people honest, and leave it at that. The pirates will always steal it, and a hardware dongle will just cause grief for your honest customers.

Besides, any scheme you build in will just be defeated by reverse engineering; if you make it a pain to use your software, you will motivate otherwise honest people to defeat it, or to search the internet for a crack. Simply make the protection less painful than searching for a crack.

Lawrence Dol answered Nov 14 '22 00:11


Even though my view on the subject is to not use such piracy protection schemes, I can give you a few pointers since we have used such a solution in the past. In particular we used Aladdin tokens as well.

In terms of security this solution is quite robust, since it is something that you either have on the system or you don't. It's not something that you can easily override, provided that your code is secure as well.

On the downside, we came across a problem that made us drop the hardware token solution. Our application is an intranet web application (i.e. a web app running in the local intranet of the customer, not a hosted solution), and quite often the customers wanted to deploy our app on blade servers or even virtual servers, where they did not have USB ports!

So before you choose such a solution, take such factors into consideration.

Nikos Steiakakis answered Nov 14 '22 02:11


Whilst I agree with most of the other answers, there is a case where hardware dongles work and that is for low volume, high value software. Popular high volume software will always be cracked so there is little point in annoying your customers with a costly hardware system.

However it is unlikely that anyone will bother going to the effort of cracking specialised, low-volume software. Yet if it is easy to just install on another machine many customers may 'forget' to buy another license, and you lose out on valuable income. Here dongle protection works as they need to come back to you for another dongle if they want to run two copies simultaneously.

I've used Aladdin dongles but be aware there are software emulators available for these and so you must also program the memory on the dongle with something an emulator cannot know.

SoftDeveloper answered Nov 14 '22 01:11
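The emulator point in the answer above, as an added example that is not part of the original answer or any vendor's SDK: a static value read from dongle memory can be returned by anything that has seen it once, while a fresh challenge signed with a key that never leaves the token cannot. This goes beyond the memory-programming approach the answer describes; the `Dongle` interface, the sample key and the license string are hypothetical and constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class DongleChallengeDemo {
    /** Hypothetical abstraction of the token; a real vendor SDK will differ. */
    interface Dongle {
        byte[] readMemory();                                           // static value programmed by the vendor
        byte[] sign(byte[] challenge) throws GeneralSecurityException; // computed inside the token
    }

    /** Static check: passes for any device that returns the expected bytes. */
    static boolean staticCheck(Dongle d, byte[] expected) {
        return MessageDigest.isEqual(d.readMemory(), expected);
    }

    /** Challenge-response: a fresh nonce per run, verified with the public key shipped in the app. */
    static boolean challengeCheck(Dongle d, PublicKey vendorPub) throws GeneralSecurityException {
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);
        Signature v = Signature.getInstance("SHA256withECDSA");
        v.initVerify(vendorPub);
        v.update(nonce);
        try { return v.verify(d.sign(nonce)); }
        catch (SignatureException e) { return false; }   // malformed signature bytes
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(256);
        KeyPair kp = g.generateKeyPair();                // constructed key; private half stays "in" the token
        byte[] memory = "LICENSE-0001".getBytes(StandardCharsets.UTF_8); // constructed value

        Dongle genuine = new Dongle() {
            public byte[] readMemory() { return memory.clone(); }
            public byte[] sign(byte[] c) throws GeneralSecurityException {
                Signature s = Signature.getInstance("SHA256withECDSA");
                s.initSign(kp.getPrivate()); s.update(c); return s.sign();
            }
        };
        byte[] recorded = genuine.sign(new byte[32]);    // one response observed in an earlier session
        Dongle replayer = new Dongle() {                 // stand-in for a device that only repeats what it has seen
            public byte[] readMemory() { return memory.clone(); }
            public byte[] sign(byte[] c) { return recorded; }
        };
        System.out.println("static    genuine=" + staticCheck(genuine, memory)
                + " replayer=" + staticCheck(replayer, memory));
        System.out.println("challenge genuine=" + challengeCheck(genuine, kp.getPublic())
                + " replayer=" + challengeCheck(replayer, kp.getPublic()));
    }
}
```

Whether a given token can hold a private key and sign on-device is an assumption here and has to be confirmed against the vendor's documentation. The check still runs in the application, so it raises the cost of emulating the token without preventing someone from patching the check out of the code.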


Just to add evidence to what SoftDeveloper says. In the area of low value software, protection is counterproductive. Likewise for high volume.

However, our money-earner is a product that sells for £10-25K per user license. The vast majority of our consumer base is very careful to be compliant - large corporations - and for some of these we have sold unlimited unprotected products.

However, we have had evidence in the past that when used by smaller companies for short-term use, attempts have been made to break the protection. When you stand to lose £100K+ per incident, you must at least discourage that.

In the past we have used SuperPro but that product is weak and obsolete now.

For our latest product we are still evaluating, but Sentinel/Aladdin (http://www.safenet-inc.com/sentinelhasp/), SecuTech Unikey (http://www.esecutech.com/Software-Protection/UniKey-Family/UniKey-Drive/UniKey-Drive-Overview.html) and KeyLok Fortress (http://www.keylok.com) are among the subset selected.

One thing we are doing is allowing extreme flexibility in the model. That way when marketing comes up with the next bright idea, we will be ready. Also, ensuring extremely robust and informative license control is vital too. Protection shouldn't mean a bad customer experience (although it often can!).

Krayol answered Nov 14 '22 01:11