V.i. Labs Software Piracy Risk Assessment Report - July 2009
We have been continuing to gather and analyze data on software piracy since we issued our first reports last summer, and we are now issuing the first part of our Software Piracy Risk Assessment Report.
The first installment is a detailed review of crack releases and piracy enablement approaches. Tampering with or bypassing the embedded license enforcement is a key enabler of piracy. Most high-value applications have adopted third-party licensing systems to enforce software entitlements for their customer base.
We reviewed 83 separate piracy group distributions of cracked software that were released between 2007 and 2009 from 39 Independent Software Vendors (ISVs). These high-value applications have an average list price exceeding $4,000 (USD) per user seat and are used for Architecture, Engineering and Construction (AEC), Computer Aided Design (CAD), Computer Aided Manufacturing (CAM), Computer Aided Engineering (CAE), Electronic Design Automation (EDA), Product Lifecycle Management (PLM), and other specialized engineering and scientific modeling and analysis.
Interestingly, the top five piracy groups (out of 212) contributed 59% of the cracked releases in the study.
All of the pirated software releases used a crack mechanism or other approach to tamper with license enforcement and enable illegal use. However, the releases varied widely in how well documented the cracks were and in the level of expertise required to apply them. Three general approaches were used:
- Binary patches (52% / 43 releases)
- Key maker (36% / 30 releases)
- Vulnerability (12% / 10 releases)
The analysis also revealed that the piracy groups, and the reverse engineering talent they recruit, can tamper with a variety of hardware- and software-based licensing systems to enable overt piracy. Strengthening licensing with hardware dongles or tamper-resistant licensing may be useful for preventing overuse within a licensed customer environment, but it should not be viewed as a defense against overt piracy.
To learn more about the results of the research, the complete report is available for download here.
Sign Up Now for Automated Software Piracy Alerts
Leveraging the infrastructure we have built to conduct our original research, V.i. Labs now offers a free automated software piracy alert service for ISVs. Verified employees of software vendors can now receive an email alert when new piracy activity on their applications is detected.
Each piracy alert will let you know:
- Which software title and version has been cracked
- When the cracked version was released
- The name of the crack group responsible for the release
- The piracy crack approach used
Sign up now: www.vilabs.com/piracyalerts
Posts from Code Confidential
Goldman Sachs Code Theft - Mitigating the Risks
Software protection is not a panacea for code theft incidents like the one that occurred at Goldman Sachs. In fact, this case is very similar to the 2004 insider theft of Cisco's IOS source code. However, beyond stronger access control and perimeter security measures, these incidents do suggest a closer look at how to securely share the valuable IP contained within code in a distributed, rapid software development process.
Although there are few details in terms of the development platform of the application and the exact access the alleged thief had, organizations should consider a few options to mitigate the risk of theft of sensitive IP within code:
- If managed code is involved, protect it - If the development language is managed (Microsoft .NET or Java), code obfuscation and encryption must be used. Even after the application is compiled, it is only compiled to an intermediate language (MSIL or Java bytecode) that is easily decompiled back into a source code representation. Another alternative is to place the sensitive IP into an unmanaged (native) component to minimize exposure.
- Create protected APIs - If the software development process requires the use of outsourced development partners or contractors, create an application programming interface that contains the sensitive IP within compiled application components rather than sharing the source. Although this obviously requires additional work by the organization, an API delivered as compiled binaries allows more options for applying software protection and hardening the API against reverse engineering.
- Embed threat detection and reporting - Add threat detection and reporting mechanisms (sometimes referred to as phone home systems) to the application itself. This approach can be used to continuously test for tampering or installation in unauthorized networks, and if a threat exists, notifies the owning organization in real-time. This presumes that the enterprise application (or in the context of this discussion a protected API) is designed to be deployed within specific networks, data centers or hosting partner networks.
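The third option above describes an in-application tamper and deployment-fence check that reports back to the owning organization. The following is an added example written for this page, not code from V.i. Labs or from the post, showing the shape of such a check: each shipped component carries a keyed integrity tag computed at build time, the running copy recomputes the tags and compares them, checks whether the host address falls inside the networks the application is licensed for, and assembles an alert only when something is wrong. The component names, the integrity key, the sample component bytes and the allow-listed networks are all hypothetical, constructed for the example.

```python
"""Added example (not V.i. Labs' or the post's code): a minimal in-application
tamper and deployment-fence check of the kind the post calls a "phone home"
system. Component names, the key, the component bytes and the allow-listed
networks are hypothetical, constructed for this example."""
import hashlib
import hmac
import ipaddress
import json
from datetime import datetime, timezone

# Hypothetical: in a real build this key is embedded by the build pipeline.
# Caveat: a reverse engineer who recovers it can recompute tags after patching,
# so treat the check as a detection signal, not a guarantee.
INTEGRITY_KEY = b"build-pipeline-secret-example"

# Constructed sample: bytes standing in for compiled components as shipped
# (e.g. a licensing DLL and a pricing engine holding sensitive IP).
SHIPPED_COMPONENTS = {
    "LicenseCheck.dll": b"\x4d\x5a\x90\x00license-check-v1.4",
    "PricingEngine.dll": b"\x4d\x5a\x90\x00pricing-engine-v2.0",
}

# Networks the application is licensed to run in (hypothetical allow-list).
AUTHORIZED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
                       ipaddress.ip_network("192.168.50.0/24")]


def component_tag(data: bytes, key: bytes = INTEGRITY_KEY) -> str:
    """Keyed integrity tag (HMAC-SHA256) over a component's bytes."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


# Tags computed at build time and embedded in the release (hypothetical).
EXPECTED_TAGS = {name: component_tag(data) for name, data in SHIPPED_COMPONENTS.items()}


def find_tampered(loaded: dict, expected: dict = EXPECTED_TAGS) -> list:
    """Return the names of components whose bytes no longer match their build tag.
    A missing component counts as tampered: a crack that deletes a check must not pass."""
    tampered = []
    for name, tag in expected.items():
        data = loaded.get(name)
        if data is None or not hmac.compare_digest(component_tag(data), tag):
            tampered.append(name)
    return sorted(tampered)


def network_authorized(host_ip: str, allowed=AUTHORIZED_NETWORKS) -> bool:
    """True if the host address falls inside one of the allow-listed networks."""
    addr = ipaddress.ip_address(host_ip)
    return any(addr in net for net in allowed)


def build_alert(loaded: dict, host_ip: str, product: str = "ExampleCAD 9.1"):
    """Assemble the report a phone-home client would send to the vendor.
    Returns None when nothing is wrong, so the caller sends no traffic at all."""
    tampered = find_tampered(loaded)
    off_network = not network_authorized(host_ip)
    if not tampered and not off_network:
        return None
    return {
        "product": product,
        "observed_at": datetime.now(timezone.utc).isoformat(),
        "host_ip": host_ip,
        "tampered_components": tampered,
        "unauthorized_network": off_network,
    }


if __name__ == "__main__":
    # Constructed scenario: a binary patch alters the license check component,
    # and the copy runs from an address outside the licensed networks.
    patched = dict(SHIPPED_COMPONENTS)
    patched["LicenseCheck.dll"] = patched["LicenseCheck.dll"].replace(b"v1.4", b"v1.X")
    print(json.dumps(build_alert(patched, "203.0.113.7"), indent=2))
```

Two design points matter in practice. The comparison uses a constant-time digest check and treats an absent component as tampered, because the simplest crack is to remove the check rather than patch it. The alert is built only when a tamper or network violation is found, which keeps the mechanism quiet for legitimate installations; the transport to the vendor, and the key protection it depends on, are outside this example.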
Read the whole post
See Us at the Design Automation Conference (DAC)
On July 28, 2009 we will be participating in a panel discussion at DAC titled "Fighting Piracy on the High Seas: Offense vs. Defense." Not all pirates are off the coast of Somalia. Not all anti-piracy techniques are appropriate in all situations. Sometimes hardening IP works best. Other times "business intelligence" can be used to convert pirates' clients into your paying customers. Anti-piracy techniques can be applied to design software, to embedded software, or even to physical chips. Learn what's best to protect your treasure.
The panel will be moderated by Scott Baeder, chair of the EDA Consortium Anti-Piracy Committee and will also feature Bill Lattin from Certicom. EDAC has put together a fun video with more details: