28
First off, if you arrived at this page looking for any of the above you are now officially disappointed and probably deservingly labeled the last noun of the above title. To bad, how sad, to make you feel better however you can visit this link in order to get some value added information in your search for the above.
Originally I intended to make this blog something that the ISV and mISV could use to reference in relation to some of the issues faced with piracy of 2008 and potentially beyond. I’ve simply not had the time I hoped for to compile several years of research on this into articles on a consistent basis – or any basis. My own decision to launch a mISV and grow it applying some of the things I’ve learnt from a few folks on the BOS forums and in the past from my previous “life” in software development and marketing that took a different and I believe now to be frequently outmoded method of delivery, intent, design and more importantly *mindset*. I would never have believed, even six month ago, how fundamentally life changing this shift in mindset actually is nor how limiting following the older tenets actually were.
But I digress.
This is to be the first article and I hope not the last, no guarantees there though as I am genuinely flat out coding and would much prefer to look at the more positive business issues in this blog rather than this rather distasteful subject. However some folks might get some value out of the articles and if they do that’s great, if they don’t know harm done. 
I do need to make it clear that there will be *nothing* mind shatteringly new here in regards to the topic of piracy. Rather it’s a summation, not a complete treatise, on some of the issues for ISV”s to consider and this first article is just an introduction to terms purely as a “know thy enemy”.
OK. Preliminaries out of the way.
Some definitions are in order of the kind of people and things/services we will discuss as I throw these articles together. For the purposes of these articles I will be defining the following as:
1. Hacker: Technically the name for a programmer, misapplied by the clueless media and the clueless masses who believe anything a journalist tells them as given. I will not use the word “Hacker” to describe a person engaged in piracy in any form or somebody who uses their skills to cause willful damage. Such people are:
2. Crackers: Otherwise very intelligent people, sometimes programmers who are motivated by a variety of reasons to crack security of systems, software and data or a combination of these. It’s a grave pity that their intellect could not be applied to software development, systems design etc, though in some cases it actually is. Lots of grey areas in all these definitions BTW.
Most genuine Crackers do not publish their methods widely for general consumption. They tend to be elite and remain that way. However there are those who do publish their results for general consumption or make it possible to follow their techniques by publishing their methods. This is done for altruistic though I believe misguided reasons frequently, but there it is.
Some of them despise open piracy and you will find forums (public and private) where they vent their feelings. Some on the other hand actually support piracy, often with the “stick it to the man” mentality that is akin to the kind of otherwise intelligent people who fall for Leninism, Fascism, Maoism and other dysfunctional agendas. Most of the serious cracking of software is initially done by these folks and it is in the context of software cracking that we are concerned with here. It’s from these guys we get the hard to beat cracks and of course the ubiquitous Keygen.
3. Script Kiddies: Technically folks who crack software aren’t referred to as Script Kiddies however those who do most of the scene cracking where kudos are given to the highest cracked software turnover (day, week, month etc) are probably best described as such as they use scripts/Tutorials or “Tut’s” as they prefer to call them (literacy is not a priority of these losers) to achieve their goal. Personally I prefer the term Wanker for these guys, but if I use Wanker for them nobody is really going to know what I’m referring to. Scumbags, Scrubbers, Petty Thieves, Bogans are also terms that apply. To say they are clueless and lame (incredible insults in their community) is probably an understatement. Most of them couldn’t program a simple batch file let alone a simple text editor in assembly, never mind a fully functional GUI that anybody wanted. These are the folks who will use a Tut to learn how to unpack an executable protector (insert name of your favorite protector) and think they are real “cool dudes” and “mean hackers”. Total wankers of course but none the less dangerous to an ISV’s business.
4. Organized Crime: There are many net orientated organized crime gangs. One of the best known and most widely publicized is the infamous RBN (Russian Business Network). Allegedly the head or heads have a family tie to a Russian politician who it is alleged makes them tough nuts to crack – no pun intended. According to what is known they disappeared off the radar last November 2007, popped up in China, did a bit of damage for late December and early January and then disappeared again. A lot of security pundits have declared this a huge victory over the RBN. I would argue the security pundits claiming this as a victory have a few kangaroos loose in the top paddock or somehow believe that by claiming it they will achieve a clandestine advantage of their own. Be that as it may. Organized crime is involved in the software hacking and cracking scene and not, as many tend to suggest, so they can sell it illegally. Sure this happens but the real value seems to really be in getting bots and Trojans into Joe and Jill Six-pack’s machine. The number of cracks and Keygens containing Trojans and Bots is phenomenal. After downloading thousands of these (in a dedicated old clunker machine, no way I’d even visit these websites on a good machine) for examination I found only 100 that contained no payload. I did not test them against the software they were supposed to work against so I have no idea if the payload is transferred or not. Scanning them with various anti-virus programs was also an eye opener as most of the big boy AV packages simply didn’t pick them or if they did failed to render them harmless. These Bots and Trojans delivered, in many instances, correspond or are similar to those delivered by alledged organized crime gangs. Whether this is a direct result of their influence or not is not clear - which is pretty much the case for most of these kind of things.
5. Torrent Sites: The technology of the torrent is a wonderful thing that has many great *legal* uses. Sadly scum and petty thieves have adopted the technology all most as if it was there own. Enter sites, for which I refuse to help increase their Alexa ranking or Google ranking any further for by using their real name here, such as the PatheticCriminalBay in Sweden and other places make popular destinations and relative safe havens for Joe and Jill Six-pack to download software like byte addicted kleptomaniacs. These places are next to impossible to shut down because they have weak governing systems (hello Sweden!) in relation to enforcement of copyright law and convention (even when signed up to Berne as the likes of Sweden are). Sending cease and desist and DMCA violation notices is laughed at and publicly used to taunt inept lawyers who really don’t get it. Only political and economic muscle can fix this, or massive DOS attacks on the offenders. I do not support the latter option as it’s not effective. Political and economic muscle will fix it in countries such as Sweden but the risk is incredible. The Euro, for example, has a lot to loose from any action taken by the USA, UK, Canada, Australia etc if such action is taken in unison and it is sad, to me, that so many innocent people could get financially hurt because of such action. Are our politicians thinking about this option? I am. I have no idea how many software developers become directly and actively politically involved, but this one is and it is on my own agenda and it’s something I’ve discussed with politicians with more influence than I have and who were interested in the concept (and the losses the industry faces now and into the future).
6. Download Sites: No. I’m not suggesting for a moment the download sites are necessarily assisting directly in piracy. There may be a few who do it inadvertently through Google adds and such on their sites but I’m yet to confirm a single one who is actually doing it on purpose. That is not to say there are none or none with connections. But I have no proof of that, if you do contact me, I’d be happy to investigate in the strictest confidence.
HOWEVER. I did use the word inadvertently and I will expand on that. When they claim they have scanned for viruses and Trojans they are invariably telling pork pies. I have *never* found anything wrong malware wise from a file on say Download.Com/C-Net or Tucows who I know do scan. But I have on an incredible number of others. BOTS, Trojans etc. Some of it linking supposedly to legitimate software but through various techniques bypassing the real developer of the software and their real package and delivering their own nasty one. Contact one of these download sites and don’t hold your breath for a reply. They don’t care. They run them for the Google add income and/or Black Hat SEO potential such sites currently bring. Look towards Google addressing this sometime in the next few years. Still think the SEO advantages of a download site outway the concerns you should have in relation to our responsibility to consumers and of course our own businesses?
7. Crack: Usually a piece of software (program) that patches an executable by changing original values to something else. For example bit flipping or returning a desired result from a Boolean (like the classic IsItRegistered routines so many programmers unwittingly use). Telling a real crack from malware is virtually impossible for most people. Complicated further when it can be both at once and/or uses “secrets” known only to insiders in the cracking “scene”. This hidden payload method is a favorite on peer to peer networks like Limewire and similar.
8. Keygens: A program written to generate a working serial number for a piece of software. More deadly than a crack a Keygen can really eat into profits when released and depending on the technology you employ (see here for information on PKV) very hard to counter-attack.
9. Serialz: Corruption of the word “Serial” as in “Serial Number”. A working serial number for a program. Very popular Google search term. Sometimes gained via a Keygen, commonly gained by purchasing a valid license by using a stolen credit card number and “released” via crack sites and torrent sites. Probably the lamest and most identifiably illegal method used to most people, employed by many who fall into the script kiddy and scene cracking area. Lamest of the lame in essence. This hurts more than the software company from who the serial is illegally purchased from. It doesn’t hurt the credit card companies – they charge the software company via a charge-back that includes a fee. It hurts the consumer who owned the credit card as well and adds to the cost of online security. Often users of this technique (in keeping with lame excuses used by criminals since time began) will blame the software company for making their software so darned hard to crack. Keep this lame justification in mind when you are trying to use or employ commercial “uncrackable” software protection (if there even was such a thing) or just in making it really hard.
10. Casual Piracy: Believe it or not this remains, since the early days of software, one of the biggest piracy issues where-by the consumer hands their license key to Mary, who gives it to Joe or hands it to John or has ten friends who… This is a tough one to beat. I’ll talk more about this in another article, not that I have any solutions to it mind as I don’t believe there is a one size fits all solution to any of these.
In conclusion for this article.
What does all this mean to the consumer? Basically use cracks or Keygens and you are pretty much guaranteeing yourself grief or handing your computers processing power over to an organized crime gang for use in other activities when you don’t even know they are doing it, even if you have anti-virus and a firewall! It’s been estimated that the RBN could, if they chose, shut down a massive chunk of network or even a country in terms of computing infrastructure if they chose. Reports that they’ve been selling access to their bots make one wonder just how clued most of our politicians are when it comes to security, domestic and international, crime and of course terrorism.
In the next article on this particular topic I’ll be looking at protection of executables more superficially and in a sense what it is we do wrong and how there is basically no bloody way, with current methods available, for us to fix it. Sounds cheery huh? 
Leave a Reply