Steal This Article Part I: Battening Down the Digital Hatches

By Mikhail Atallah
Risk Management Magazine
May 1, 2008

As long as software has been shipped, people have found ways to copy it illegally. The latest Business Software Alliance's global piracy study, conducted in conjunction with the International Data Corporation, estimated that in 2006, global losses from packaged software piracy increased 15% from 2005 to nearly $40 billion, and that more than $200 billion will be lost to piracy over the next four years. Worldwide, for every $2 worth of software purchased legitimately, $1 worth was obtained illegally.

New incidents of cracked software are documented every day and pirated copies of new software titles are increasingly going on sale within 24 hours of release. High-tech companies in certain countries have departments dedicated to reverse engineering. Professional pirates are turning counterfeit software into an organized, lucrative business with internet-based stores that seem entirely legal. With today's rampant piracy, it is imperative to adequately protect intellectual property in software before releasing it to market.

The History of Software Piracy
Copy protection made its debut in the 1970s as software began to be distributed on floppy disks. In his infamous open letter to hobbyists, Bill Gates wrote, "most of you steal your software... Most directly, the thing you do is theft." The earliest copy protection schemes relied on special markings in disk sectors to prevent them from being copied correctly. The first copy protection circumvention device was reportedly introduced in 1980 (an Apple "nibble-copy" program called Locksmith), and protection and piracy have been in an arms race ever since. Copy protection first entered the mainstream to safeguard PC games, but rapidly spread to protecting software utilities and applications as well.

The growth of the internet has given rise to new software distribution models, which in turn require new forms of copy protection. Today, electronic license management and online activation is widespread, and new trends will undoubtedly leave further innovation in their wake.

As software management methods have evolved, however, piracy technology has evolved along with them. Tools to crack software are available freely and used widely. Professionally designed e-tailors sell counterfeit software at dramatic discounts. Fueling this explosion are four key factors:

1. Increasingly sophisticated disassemblers
   
2. Flourishing hacker communities that are increasingly organized, professionally backed and amazingly profitable
3. Cheap computing power, rising software demand and increasing hacker productivity
4. Low-cost, high-speed internet connectivity and efficient peer-to-peer (P2P) networks to rapidly disseminate hacking tools and cracked software

Piracy has many facets in today's world, where software is ubiquitous. In addition to historical license management circumvention exploits, today reverse engineering is rapidly emerging as the next unexplored frontier in software intellectual property management. Reverse engineering refers to the process of examining software to determine the internal algorithms and proprietary know-how used, and then leveraging this internal knowledge to either hack the software or produce a counterfeit equivalent. Embedded software-powered devices, in particular, suffer greatly from these tampering exploits. For example, Cisco lost more than $1 billion in revenue due to an episode of counterfeit products release, and cell phone companies lose billions of dollars every year to cell phone unlocking hacks. Reverse engineering can erode revenue streams based on closed protocols as well. eBay's $2.6 billion purchase of Skype, for example, has been devalued by widespread dissemination of counterfeit VoIP clients that can tap into the Skype network.

What does this mean for software developers? Today, more than ever, intellectual property in software must be comprehensively, durably and reliably safeguarded against all forms of piracy. Developers would never think of shipping software without quality assurance, license management or patent protection. So they need to take the next step and implement an intellectual property protection solution before releasing the software into the wild. Intellectual property protection measures harden an existing license management solution, bind it strongly to an overall application, and protect the composite against compromise to fully secure the product against every form of piracy and theft.

License Management Is Not Enough
License management is critical for enforcing business agreements with software customers. But the parallel economy of professional pirates, however, is able to dissociate license management from an application to unlock the software. Unlocked software is then sold on professional-looking websites, where many customers do not even realize they are buying illegal, copyrighted products.

Hackers use a number of exploits to attack software vulnerabilities. The easiest avenue of attack is to discover a valid serial number or software key and disseminate this over the internet. The next level of such attacks is to build a key generator, which creates serial numbers on demand. These spuriously generated serial numbers meet all the security checks performed by the software, and can therefore unlock software.

Instructions to build key generators are freely available on the internet and are widely traded on P2P networks.

When simple key generation methods fail or cannot be easily applied, the second avenue of attack is to hack the software binary directly, particularly license verification functions, to always grant permission for the software to be used (i.e., to always indicate that a valid license is present). Professional pirates rapidly gain expertise in attacking popular license management systems, leading to attacks where unlocked copies are created and disseminated within hours of a new software release.

The latest software hacks do not only unlock the software but also discover and steal its underlying intellectual property. They they use this to build a counterfeit product. Valuable intellectual property or proprietary algorithms within software can be reverse engineered or simply extracted, and packaged into a new counterfeit offering. These packages are generally independently branded and sold at a significantly lower price point than the original, eroding the value of legitimate product lines.

License management does keep most users honest, but it cannot protect against the entire gamut of reverse engineering, tampering and hacking attacks. A successful anti-piracy solution must not only be durable and resilient, but must also fit smoothly into the software development life cycle. In addition, since companies work hard to build trust and reputation among their customers, it is critical that anti-piracy measures not adversely affect the user's experience or the user's computer in any way.

Intellectual property protection solutions that fulfill these requirements ensure maximum defense against piracy, tampering or any type of theft. Such solutions can be implemented and maintained with a minimum incurred security tax in terms of impact on development, performance and user experience. These solutions significantly delay-and often entirely prevent-the hacking of software, resulting in maximum realization of revenue. Consequently, such solutions offer the highest return-on-investment.

As a result, risk managers need to get involved with their company's anti-piracy efforts. By doing so they can protect the very foundation of what their organization has been built upon.