rcd@ico.isc.com (Dick Dunn) (07/14/90)
jim@sco.COM (Jim Sullivan) writes: > ...People steal software and serialization > codes are an attempt to prevent people from stealing software... We all understand that already. The questions are (a) Do the keys actually prevent people from stealing? and (b) Are they worth the trouble they (can) cause? > Software piracy exists and until the ethics and morals of the software user > community improve, companies will have to go to serialization codes and such > to try and prevent software piracy... I find this attitude very unsettling. I don't believe the "ethics and morals" of the software community are any better or worse than the world at large. Moreover, and my main complaint: *Even if they are worse* this is no way to talk to users! This is not the proper attitude for going into a business relationship. It's one thing to say, "I'm providing a product to you and I expect you to pay me for it." Caution in business dealings is wise. But the attitude above is more like "I think you're going to try to cheat me, so I'm taking pre-emptive action." >...If anyone has a better idea of how to > prevent multiple copies of the software to be installed, then please, present > their solution. That's an interesting question, but perhaps we should back up a bit and get some background information: - What is the level of "software pirating"? Sure, it happens... but how much? - What are the most common forms of pirating? E.g., is it single system, installed once then given to a friend? Single license used on multiple machines in a company? Resellers copying systems and selling black-market copies as if they were originals? Answers to these two questions would let us evaluate piracy-prevention mechanisms. The first tells us how much revenue might be lost; it gives an order-of-magnitude idea of how hard to try. The second tells us criteria against which any new scheme must be judged. (Additional criteria include, of course, how much and what kind of a burden it puts on users.) -- Dick Dunn rcd@ico.isc.com -or- ico!rcd (303)449-2870 ...Reality is neat! It works even if you don't believe in it!
rick@pcrat.uucp (Rick Richardson) (07/16/90)
In article <1990Jul13.231942.14009@ico.isc.com> rcd@ico.isc.com (Dick Dunn) writes: >I find this attitude very unsettling. I don't believe the "ethics and >morals" of the software community are any better or worse than the world at >large. They may even be a shade better. The problem is, its too damn easy to make copies. It is almost like an attractive nuisance, or entrapment. Activation codes that come with the software don't make it any harder. >That's an interesting question, but perhaps we should back up a bit and get >some background information: > - What is the level of "software pirating"? Sure, it happens... > but how much? Its almost impossible to tell. The only way we know it is when somebody calls up for support and we haven't got a record of the purchase (either direct or thru a reseller). Believe it or not, this happens to us fairly regularly. And, I'm not including those that claim they are 'test driving'. sales * illegal_copy_ratio * stupidity_ratio = unreg_support_calls We know sales and unreg_support_calls, but I don't know what the stupidity_ratio is (the chance that a person with an illegal copy is going to call for support), so I can't figure illegal_copy_ratio. In *our experience*, the formula boils down to: illegal_copy_ratio = .013 / stupidity_ratio E.G. if 1 out of 10 are stupid enough to call for support, then the illegal_copy_ratio is 13 illegal copies in use for every 100 sold. If 1 out of 100 are stupid enough to call for support, then the illegal_copy_ratio is 130 illegal copies in use for every 100 sold. > - What are the most common forms of pirating? E.g., is it single > system, installed once then given to a friend? Single license > used on multiple machines in a company? Resellers copying > systems and selling black-market copies as if they were > originals? Yes. We've gotten all of those. No stats, though. I'll try to record them over the next year. It may take that long to get a good enough sample population. A company with larger monthly sales than ours and who keeps better records may be able to give you these sooner numbers. You can cut the friend-friend illegal copies with uncopiable media, such as CD-ROM (for all practical purposes uncopiable), and copy protected disks. I think friend-friend copying is the primary mode in games, which explains why disk copy protection is still popular with games manufacturers. For the other modes, you need to give people compelling reasons to buy. Such as good and hefty docs, and good support. For UNIX vendors, the widely available P-H docs have just about killed any chance to do it with documentation. That leaves support. Support issues, of course, are currently being discussed in this group in a different thread. Alternatively, and I think something that could work, could be a common authorization center used and funded by all software vendors. Open 24 hours, with an 800 number that is rarely busy. When the User installs the software, he gets an authorization request number based on the serial number, but permuted randomly. A quick (< 5 minute) call to the center gets you the authorization reply. You give them the request number, name, address, and phone. They give you the reply number (possibly by a return call to the phone number given). The center *never* refuses an authorization request. Cost to the vendor, maybe $1 per authorization. You may still get illegal authorizations, but at least now there's an audit trail. The vendor gets a periodic report for his authorizations. Seing that serial number 143265 has been authorized an abnormal number of times to a number of different people, he may want to initiate an investigation. The vendor is in complete control of how to use authorization replies. For example, he might allow the reply to work only with a specific request number, or for any request number generated in a one-day period. This second alternative is useful in case the user is having trouble getting the package installed. The user cost is the time to make the telephone call. Presumably, if the software costs less because of the authorization, the user will be happy, too. Assume the manufacturer has good reason to believe that 1 illegal copy is in use for every 1 copy sold of a $500 package. He adds this authorization scheme and charges (say) $350 for the new package. User saves $150, and vendor makes an additional $200. There is an assumption here that the illegal user won't 'do without', but the lower price is an additional inducement to purchase, for both the illegal user and additional legal users. [ Long-Posting-Obligatory-Humor follows for those that read this far ] There's another scenario possible. By law, all software is free and all you sell is support. So you make damn sure your product is at least as buggy as the other guys, so people will want to buy *your* support. Revision numbers start at 99.99 and go backwards, as each vendor tries to outdo the other in number of bugs. Manuals become vanishingly thin, thus prompting those money-making support questions, and saving trees (an environmentally aware marketing ploy). Apple goes out of business, because the Mac is too damned easy to use and they have no expertise at all in making cryptic command line interfaces. On the plus side, sales of UNIX support (sans GUI) is tremendous. And, we're all running V6 again. Double-meta-wacky-cokebottle-smiley goes here. -Rick -- Rick Richardson | Looking for FAX software for UNIX/386 ??? Ask About: |Mention PC Research,Inc.| FaxiX - UNIX Facsimile System (tm) |FAX# for uunet!pcrat!rick| FaxJet - HP LJ PCL to FAX (Send WP,Word,Pagemaker...)|Sample (201) 389-8963 | JetRoff - troff postprocessor for HP LaserJet and FAX|Output
martin@mwtech.UUCP (Martin Weitzel) (07/17/90)
In article <1990Jul16.161613.11171@pcrat.uucp> rick@pcrat.UUCP (Rick Richardson) writes: [estimations concerning number of illegal copies deleted] >Alternatively, and I think something that could work, could be >a common authorization center used and funded by all software >vendors. Open 24 hours, with an 800 number that is rarely busy. SMALL FLAME ON Again and again: Do all you US folks think civilized countries and people which might like to use your products can not be found overseas? Can you imagine the cost for such an "authorization call" from europe. From all experiences I've made there would of course be *no* toll free number for anyone outside the USA! SMALL FLAME OFF Nevertheless, your idea looks interresting ... let's see. >When the User installs the software, he gets an authorization >request number based on the serial number, but permuted randomly. >A quick (< 5 minute) call to the center gets you the authorization >reply. You give them the request number, name, address, and phone. >They give you the reply number (possibly by a return call to >the phone number given). The center *never* refuses an >authorization request. >Cost to the vendor, maybe $1 per authorization. You may still >get illegal authorizations, but at least now there's an audit >trail. The vendor gets a periodic report for his authorizations. >Seing that serial number 143265 has been authorized an abnormal >number of times to a number of different people, he may want to >initiate an investigation. Really? It's not uncommon for a small company like mine to run several systems. Furthermore it's not uncommon to have several (say five to ten) installations for a single system, especially if it turns out that you have some defective piece of hardware (as one of my harddisks about six months ago) or until you have found a satisfactory disk partitioning. On the other hand: with a second, third etc. system I am experienced enough to get the installation right at the first try. But most important: How do you "tie in" the hardware on which the system is installed? Eg. can I copy and move around an allready installed version of the programs? I hate software which notes its inode number or directory slot on installation time and refurses to work if I decide to move (eg. onto some other disk) or restore it (from the backup copies). Which parts of my hardware can I no longer simply exchange without doing a new installation? But if there is no reference to the hardware noted somewhere in the installed software, I can simpy copy it after installation. >The vendor is in complete control of how to use authorization >replies. For example, he might allow the reply to work only >with a specific request number, or for any request number >generated in a one-day period. This second alternative is >useful in case the user is having trouble getting the package >installed. How does the software read the date? I simply can set the hardware clock of some other system to this value, before I do an illegal second install? After installation the time *must* be changable. [estimations about costs deleted] I would surely appreciate everything that saves some Dollars (or DM in my case), but nothing that gives me an additional uncertainity when the system installation doesn't work: - Is my hardware defective? - Did the authorization center give me a wrong number? - Was it because I advanced the hardware clock too far? - Is there some "state"-info on the masterdisk which just got "out of sync", because I had to abort an installation? Surely no company which uses such a scheme would uncover the details about it, so every wierd hack might have been used and bring me into difficulties. But some lost working hours are much more expensive to me as the savings you calculated above. So I would strongly consider to choose some other product, if one without such an authorization scheme were available. >[ Long-Posting-Obligatory-Humor follows for those that read this far ] [humor deleted, some psychology inserted - you may hit "n" now if you are not interrested] Normally, I'm in the role of a customer, but if I put me into the role of a vendor, I see things as follows: Software piracy is some kind of betrayal. If I want my customers to be honest to me I should be honest to them *and* give them the feeling that piracy is a bad thing, especially concerning the product I give to them. One factor is the ratio of the price for my product with respect to the value of the product for my customers. If the cost is low compared to the value (eg. Turbo-C) there may still be piracy but there would certainly be much more if the customer thinks that my product is priced too high or not what I promised. A second psychological factor is how easy I make it to steel my product. If I try to make it complicated, the customer hast to work more or less hard to find out how it could be used illegaly. Anyway, if he manages to get arround the barriers I've built to protect my product, he has "done some work", and from a psychological point of view he has "paid something" for the illegal use. So the illegal copy is not so much "stolen" as it would have been if it could simply be copied when I have used no authorization scheme. Lastly, if my customer receives a buggy product (which software has no bugs?) for which he had to pay much and again would have to pay much only to get a version with the bugs fixed, he may feel more tempted to try software piracy as if there were a friendly policy for upgrades: Bugs are often fixed together with upgrades and in most cases one can not get the bug fixed without upgrading (... which often introduces new bugs and keeps the wheel turning 1/2:-)). Given the case someone has honestly bought several licences for product which turns out to have bugs, I could imagine that this someone would buy only *one* update but replace the buggy software of *all* licensed systems from this one upgrade, because he or she feels to have the right to do so, if there's no other way to get the bugs fixed. -- Martin Weitzel, email: martin@mwtech.UUCP, voice: 49-(0)6151-6 56 83
jim@sco.COM (Jim Sullivan) (07/17/90)
In article <1990Jul13.231942.14009@ico.isc.com> rcd@ico.isc.com (Dick Dunn) writes: >jim@sco.COM (Jim Sullivan) writes: >> Software piracy exists and until the ethics and morals of the software user >> community improve, companies will have to go to serialization codes and such >> to try and prevent software piracy... > >I find this attitude very unsettling. I don't believe the "ethics and >morals" of the software community are any better or worse than the world at >large. Moreover, and my main complaint: *Even if they are worse* this is >no way to talk to users! This is not the proper attitude for going into a >business relationship. It's one thing to say, "I'm providing a product to >you and I expect you to pay me for it." Caution in business dealings is >wise. But the attitude above is more like "I think you're going to try to >cheat me, so I'm taking pre-emptive action." But software has been sold like this for years, with cottage industries to break the copy protection schemes. While I don't like it, it is reality. I believe that you mis-understand me (and I wasn't clear anyways). I don't like serialization, but I understand why companies go for it. (It's interesting that we both work for companies that use serialization schemes :-) >>...If anyone has a better idea of how to >> prevent multiple copies of the software to be installed, then please, present >> their solution. > >That's an interesting question, but perhaps we should back up a bit and get >some background information: > - What is the level of "software pirating"? Sure, it happens... > but how much? > - What are the most common forms of pirating? E.g., is it single > system, installed once then given to a friend? Single license > used on multiple machines in a company? Resellers copying > systems and selling black-market copies as if they were > originals? We have caught people installing our software on multiple machines, in multiple sites because they called for support and gave the same serialization code for the different sites/machines. I don't think I can give more details than that. It does happen, and for the reseller who only sells 2 or 3 a month, an extra system or two a month is significant. ISC claims that the pressure for this came for the resellers. I can understand why this pressure was applied (while I might not agree with the solution, I understand the problem) >-- >Dick Dunn rcd@ico.isc.com -or- ico!rcd (303)449-2870 > ...Reality is neat! It works even if you don't believe in it! -- Jim Sullivan Youth Culture Killed My Puppy! SCO Canada Inc. (Formerly HCR Corporation) ...!uunet!hcr!jim jim@hcr.com Opinions are mine. 416 922 1937
tr@samadams.princeton.edu (Tom Reingold) (07/18/90)
I am amazed that a basic point has not yet been made yet!
Copy protection, serialization and other methods may prevent illegal
copies. But they do not necessarily make someone buy a product! If
someone can't copy something illegally, he may just do without it. He
may not be a potential sale at all. So you haven't lost anything from
him if he has an illegal copy of your software. You may gain good
word-of-mouth from him if he evaluates the software well and tells
potential customers about it. But you haven't lost anything.
This is why schemes such as these are such a big mistake.
--
Tom Reingold
tr@samadams.princeton.edu
rutgers!princeton!samadams!tr
201-577-5814
"Brew strength depends upon the
amount of coffee used." -Black&Deckerjohnl@esegue.segue.boston.ma.us (John R. Levine) (07/20/90)
In article <1990Jul17.121815.11752@sco.COM> jim@iggy.UUCP (Jim Sullivan) writes: >But software has been sold like this for years, with cottage industries to >break the copy protection schemes. While I don't like it, it is reality. Not any more, it's not. You'd be hard-pressed to find a PC application that is copy-protected any more, other than games. I hope SCO and ISC don't consider Unix to be a game, but you never know. >We have caught people installing our software on multiple machines, in >multiple sites because they called for support and gave the same >serialization code for the different sites/machines. I see no reason why all of the anti-piracy goals that people have been talking about wouldn't be served equally well by providing each customer a card with the serial number that they could read over the phone if they make a support call, without forcing them to type in the number when they load the software. A site with 100 machines would have 100 cards, but need only one copy of the disks. -- John R. Levine, Segue Software, POB 349, Cambridge MA 02238, +1 617 864 9650 johnl@esegue.segue.boston.ma.us, {ima|lotus|spdcc}!esegue!johnl Marlon Brando and Doris Day were born on the same day.
campbell@redsox.bsw.com (Larry Campbell) (07/21/90)
Just my two cents' worth: we sell a package (a very fancy email gateway for various proprietary mini-based email systems) that sells, on average, for about $25,000. When we first shipped it (three years ago) I never dreamed that anyone would actually try to steal a copy: installation and administration were quite complex, and it wasn't exactly a pee-cee product. Well, I was wrong. We were selling it through a Major Computer Vendor (who shall remain nameless), and in several cases, one of their sales reps just "included" a copy of our software in a hardware sale. At $25,000 a pop, that really hurts. Oddly, most of the problem was in Europe. It was only after a trip to Europe to meet with some sales reps and customers there that I became convinced that we HAD to implement some form of authorization key, or we'd be robbed blind. We only had one (that I know of) case of outright piracy in the U.S., but several in Europe, and the attitudes about software property rights I encountered there were MUCH worse than in the U.S. So we now require an authorization key, which is tied to various elements of your hardware config (CPU serial number, ethernet address, etc.) Yes, it's a bit inconvenient, but most customers don't mind a five minute phone call to activate a $25,000 piece of software. Yes, once in a while a customer has to replace a board in their CPU and the key turns into a pumpkin. For these cases we have a 24-hour beeper service so they can get a good key again very quickly. One nice side benefit is that our authorization keys can have an expiration date encoded in them; this allows us to permit a limited time "try-and-buy" evaluation. Also, if someone calls for a key and their is some confusion about whether they've actually purchased the product (which often happens in OEM situations), we can give them a temporary key while we sort out the administrative stuff. I was somewhat saddened to have to implement the authorization key, since I detest copy protection schemes as much as anyone. However, knowing what I know now, I wouldn't even consider removing the keys. Not only does it prevent piracy, it helps us keep in closer contact with our customers (while we've got them on the phone for a key we can also find out what their configuration is like, what versions of the operating system they've got, etc. which is nice for the support staff to know). -- Larry Campbell The Boston Software Works, Inc. campbell@redsox.bsw.com 120 Fulton Street wjh12!redsox!campbell Boston, MA 02109
jimmy@icjapan.info.com (Jim Gottlieb) (07/23/90)
In article <1580@redsox.bsw.com> campbell@redsox.bsw.com (Larry Campbell) writes: >Just my two cents' worth: we sell a package (a very fancy email gateway for >various proprietary mini-based email systems) that sells, on average, for >about $25,000...I never dreamed that anyone would actually try to steal >a copy. > >Well, I was wrong...Oddly, most of the problem was in Europe...and the >attitudes about software property rights I encountered there were >MUCH worse than in the U.S. I have encountered similar attitudes here in Japan. We were negotiating with a major Japanese trading company, and in the course of our talks we mentioned that we expected to receive a payment for each CPU that the software is used on (it's not a mass market product). They replied that that was absolutely ridiculous and added, "We Japanese do not believe in paying for software." Needless to say, our negotiations didn't get very far. -- Jim Gottlieb Info Connections, Tokyo, Japan <jimmy@pic.ucla.edu> or <jimmy@denwa.info.com> or <attmail!denwa!jimmy> Fax: +81 3 237 5867 Voice Mail: +81 3 222 8429
raymond@ele.tue.nl (Raymond Nijssen) (07/23/90)
In article <371@icjapan.uucp> jimmy@denwa.info.com (Jim Gottlieb) writes: >In art. <1580@redsox.bsw.com> campbell@redsox.bsw.com (Larry Campbell) writes: >>[...] we sell a package [...] that sells, on average, for about >>$25,000...I never dreamed that anyone would actually try to steal a copy. >>Well, I was wrong...Oddly, most of the problem was in Europe...and the >>attitudes about software property rights I encountered there were >>MUCH worse than in the U.S. > >I have encountered similar attitudes here in Japan. I believe that's true. No doubt stealing such packages is quite unforgivable. But consider the context, which is no excuse though. Let's just say it's a cause contributing to the attitude mentioned above: - In Europe, you have to pay av. 2 times as much for one and the same package as in the US, sometimes even much more. - If you live outside the US or Canada, you can just forget about support, yes, even if you bought the package. Toll free numbers (which you normally implicitly payed for) are not reachable, collect-calls are hardly accepted, and do you realize how much intercontinental calls cost? - Local vendors can't help you either because they usually have very inderect contact with the producer of the package, and their level of expertise is often way below what's acceptable. - It's quite common that vendors abroad sell packages which are one or even more versions behind the latest version already sold in the US. - Buying packages directly from the US is quite a risc. What if it doesn't work, what about warranty, will the updates ever arrive?....Bad luck! As everybody knows, selling a package implies much more than dispatching a box containing a number of floppies in return for a certain amount of money. This holds for the world outside the US as well, but many producers are inclined to forget this, thus indirectly stimulating software piracy. >"We Japanese do not believe in paying for software." Nobody feels like paying more than others for getting less than others. -Raymond --- raymond@ele.tue.nl
bin@primate.wisc.edu (Brain in Neutral) (07/24/90)
From article <371@icjapan.uucp>, by jimmy@icjapan.info.com (Jim Gottlieb):
> and added, "We Japanese do not believe in paying for software."
Do they believe in getting paid for software they market?
Paul DuBois
Internet: dubois@primate.wisc.edu
UUCP: rhesus!dubois
CompuServe: >INTERNET:dubois@primate.wisc.edu
FAX: 608/263-4031rick@pcrat.uucp (Rick Richardson) (07/24/90)
In article <371@icjapan.uucp> jimmy@denwa.info.com (Jim Gottlieb) writes: >In article <1580@redsox.bsw.com> campbell@redsox.bsw.com (Larry Campbell) writes: >>Well, I was wrong...Oddly, most of the problem was in Europe...and the >I have encountered similar attitudes here in Japan. I wasn't going to say anything in my last post where I gave our piracy stats, but since the subject has been broached I'll comment. First, I'd like to say that *we love our European customers*. They seem to be more UNIX aware than a lot of our domestic customers. Europe seems to be in the good position of having lagged behind us in some technology and now is able to leap-frog ahead (e.g. not as blinded by MS-DOS, and going straight from pulse dial to ISDN). However, our stats show an alarming difference in repeat business with Europe vs. repeat business in the USA. Because these are sensitive numbers, I won't give absolutes, other than to say the repeat business rate in Europe is less than 20% of what it is in the US. I hate to draw the obvious conclusion. Another poster gave some reasons why piracy might be higher in Europe. Although many of these are valid points, I think in the case of this particular product, we have attempted to minimize the impact of distance and culture differences. Note that these figures are strictly for a pure software product, JetRoff. The price is the same no matter where in the world you are. US Airmail (OK, its slow) shipping has been *free* all along, no matter where in the world you are (e.g. we don't make as much on foreign sales). We have support for A4 paper and EUUG troff specials specifically for those folks, so its not like we ignore European needs. About the only thing left is the cost of support calls. Most of the support requests come by EMAIL (even for US customers), anyway. And if you don't buy it, you get promised zero support, no matter where you are (and even that promise isn't kept -- we support people with the unregistered Shareware version on a time available basis). Its easy for an entire industry to generate bad attitudes among potential customers. But we've tried to halt some of that. And if there's more we can do, I'd like to hear about it. I can't fix telephone rates, and I can't read or write any foreign languages (my fault), though. -Rick -- Rick Richardson | JetRoff "di"-troff to LaserJet Postprocessor| Ask about PC Research,Inc.| Mail: uunet!pcrat!jetroff; For anon uucp do:| FaxiX uunet!pcrat!rick| uucp jetroff!~jetuucp/file_list ~nuucp/. | for UNIX/386 jetroff Wk2200-0300,Sa,Su ACU {2400,PEP} 12013898963 "" \d\r\d ogin: jetuucp
jackv@turnkey.tcc.com (Jack F. Vogel) (07/24/90)
In article <531@al.ele.tue.nl> raymond@ele.tue.nl (Raymond Nijssen) writes: >- If you live outside the US or Canada, you can just forget about support, yes, > even if you bought the package. Toll free numbers (which you normally > implicitly payed for) are not reachable, collect-calls are hardly accepted, > and do you realize how much intercontinental calls cost? This may be true in most cases but not true if you run AIX considering that we have been on site in Europe a number of times already (yes, join support and see the world :-}!). Furthermore, I have been up at midnight a couple of different times to handle European conference calls on critical problems. IBM has a dedicated organization to handle service and support for their International customers, but then as has been observed in other postings in this group, support is one of the things IBM does best. Disclaimer: I only support the software, I don't speak for LCC or IBM. -- Jack F. Vogel jackv@locus.com AIX370 Technical Support - or - Locus Computing Corp. jackv@turnkey.TCC.COM