Question about "Snake Oil" (door-lock metaphor)SolvedLocked

I am just curious: do you have door locks in your home? I hope not, since they are obviously "Snake Oil". Any lock can be easily picked. There are more expensive ones that claim to be more sophisticated, there are vault locks used in banks, but ultimately, they are just pieces of metal. Surely you wouldn't fall for this SCAM and install one in your home. They just make YOUR life harder. You have to have your keys at you at all time. What an inconvenience!

Now getting to a more serious note, that is exactly the case with licensing. Simply adding an "if statement" inside a program, checking whether the software is activated or not, that is not secure at all. You claim that your asymmetric encryption is the reason why your solution is secure, and that any additional means to prevent piracy are "Snake Oil". This is a captivating story, but it is not true at all.

I wouldn't trust a door nob manufacturer if they told me they only produce nobs, because door locks are a scam. I would laugh in their face and walk away. I would however respect a door nob manufacturer telling me that, although locks are essential, they don't produce them, because they focus on high-quality nobs, and could recommend some 3rd party locks to pair with their product.

This is your situation. You tell people that obfuscation, memory encryption, debugger detectors, and other anti-piracy techniques are a scam, snake oil. You then claim that you can present papers and proof that any of these techniques can be defeated. This is misleading. Yes, software can be cracked. Does that mean you shouldn't protect it? No. Just as door locks can be picked, but you still install one on your door. Now I am not claiming that you market your product this way because you are not capable of making a proper protector. That is what I originally thought. However, I realized it's not fair to view it this way. You don't HAVE to provide anything more than you do. Your product IS already great for it's purpose. However, I have to point out that you present it as a solution for a problem it can't solve. Just as a door nob is essential, but you also want a lock at your front door, your product is GREAT, but it needs to be accompanied by strong anti-piracy protection, which other 3rd party providers can offer. You shouldn't deny that. You should instead embrace it. And you should definitely not harm your customers by claiming that your product (a door nob) can replace a good obfuscator (a door lock).

I would like you to address this, and also update your presentation pages accordingly. I do somewhat expect you to just remove this post, but I highly hope you won't. I am not writing here to criticize your product or to claim that it's flawed. I am simply pointing out the reality about your "snake oil" marketing strategy. Your product's dignity and your customers' money deserve this grade of honesty.

We only remove death threats and spam (which we've received both, unfortunately -- some people are awful). You can search this forum for tons of criticism of us, our products, how we release them, how we manage them, etc. And we respond (up to a point -- if a person just repeats themselves over and over again, we typically lock the topic after a while).

To address your argument more directly: "real world" metaphors are almost always a bad way to address disagreements about software. They fall apart very quickly.

This isn't the first time I've heard the "lock" argument over the decades. I get its appeal. It's also a dead-wrong metaphor.

I might have time to dig into why it's wrong later today or maybe next week, but I'll leave it as an exercise for you to figure out. Here are a few hints:

1. Are the communities (actual communities, not metaphorical ones) surrounding a house / apartment the same around a lock on a door and a "lock" on software? (hint: they're not).

2. Are the time constraints the same? (Duration, time of day, day of year) (hint: again, no)

3. Are the weather constraints the same? (hint: again, no).

4. Is the monitoring the same? (Can someone look out a window and see a cracker breaking into software. What about cheap video doorbells?) (hint: again, no).

5. Is the physical response the same? (hint: again, no)

6. Are the physical scale of the things being stolen the same? (size, weight, etc.) (hint: again, no).

7. Etc.

Real world metaphors don't work.

Putting broken metaphors aside and addressing crackability: everything can be cracked in minutes. Yes, even the "most advanced" "anti-crack" "technology".

Want a head-start on "new" "anti-crack" technology released this year? Look for research papers describing how to reverse engineering viruses from a few years back. I'm not even kidding.

Long story short: our snake-oil section of that article is 100% accurate. Yes, it pisses off people that make anti-crack garbage. Who cares?

The only problem is that it also pisses off people who *want* to believe in anti-crack garbage and have just enough information to be misled into believing it. I don't know what to do about that problem.

We've considered doing a series of 2 to 3 minute videos on a youtube channel showing how to crack every commercial "anti-crack" "product". However, there are legal implications to that. But it would definitely solve this problem; actually showing how easy it is to crack all software would take away the "secret sauce" nonsense that anti-crack peddlers like to lie about.

We haven't ruled it out, though. Just tricky to do legally.

Well, this is a radical view. I can't say I agree with it. You say that your product is all one needs to prevent "casual piracy". I am a reverse engineering enthusiast myself. However, I am not too experienced, nor do I have the best tools out there. I can remove LimeLM from a program in minutes, but I can't (and I wouldn't even bother to try to) tackle the actual top-notch obfuscators out there (or ANY obfuscator, for that matter. I usually look at it for half an hour, and if I can't figure it out in that time, I give up). So from my personal experience, those tools do stop casual piracy, while a simple, unobfuscated license check only encourages beginners to try out their skills. (Of course, I am not doing this without permission nor am I sharing any cracked software, just to get it out of the way.)

I also think it's a bit of an overkill to use and advertise your undefeatable encryption algorithms. In reality, even if you used the crappiest, most insecure encryption method, it would still be easier to just replace the few calls to your DLL, or the couple of if statements in order to gain full access to the program. In my opinion that is a problem, and should be addressed.

Lastly, you tell people that if someone says that a product can prevent or discourage piracy or reverse engineering, they should "run away", because it's a "lie". No, it's not a "lie", and instead of running away, they should really consider if they want to sell an unobfuscated program. (There are some cases where this could be ok, but usually it's not). Of course all protectors will say that they act against piracy. That is the only thing they are supposed to do. And I've seen them in action. They are effective to some extent. Most of your competitors don't really claim to stop any hacker or to make a program uncrackable. Also most serious competitors use secure cryptography as you do, although not all of them advertise it that much, because it's really somewhat expected. Your main selling point is that you use secure techniques that are industry standards. That is indeed great and deserves some credit. However, these are "industry standards" because basically the whole industry uses them too. 🙂

I want to finish with a specific example. WinRar is a product that is well known for offering a "trial" of 40 days, but allowing you to use it after the trial without any restriction. They keep asking you to purchase, but it will still work if you don't. They won't even bother to set in place any means of preventing you from using it (or "cracking it), besides telling you that you are not allowed to. Purchasing a license for WinRar is usually considered a joke. People don't buy it, because it's so easy not to. Compare that to any advanced DRM solution in a popular video game. Sometimes MONTHS pass without a crack being released, although games are very popular and expensive, and one could assume that the crackers actually do get some monetary compensation for their work. The truth is that, although people hate DRMs, they are quite effective. The cracked versions are usually late and buggy, and by the time a crack is released, the developer launches a new update that makes the outdated crack unappealing. The result is that many people actually buy the games, although they are expensive and there are free cracks available. Of course, these are two extreme examples. The truth is actually somewhere in the middle. You definitely need some obfuscation, but implementing the same DRM solutions as in the games that sell millions of copies would probably be an overkill, and would be too costly.

It seems like you missed the point of our article (its long, for sure) but worth a re-read: https://wyday.com/limelm/features/why/

Honestly dont know where to begin. You have a lot of misunderstandings about the article (honestly, we dont care much about anti-crack companies they lie, we address it early on in no-uncertain terms, then move on to other problems in the licensing industry).

You seem to think that entire article is about addressing anti-crack fraud companies. Its not. I also think some of the misunderstandings comes from a lack of experience.

I have read the article, I understand the point. If you've spotted any misunderstandings in my previous posts, you are free to address them.

I was referring more to the "Snake Oil" part of your article, as it's clear from the title. Yes, you explain multiple aspects of your product in that article. I don't see how that's relevant in this topic. I did touch on this briefly, however, when I said that you basically use industry standards, as described in your article (Using hardware locked keys with a hardware ID or "fingerprint" - industry standard. Using secure cryptography, including asymmetric encryption and signing - industry standard. Choosing very carefully which computer part to use in the computing of the hardware ID, along with explainations on the drawbacks of each component - again, best practice, encouraged and used by multiple competitors. Addressing multiple potential issues, such as the user changing a computer part and changing the computer "fingerprint"- again a very important feature, expected from any high-quality licensing system). In these aspects you do a good job, and your product seems solid. Those points were not the subjet of my original post.

Getting back to my main idea, which seems I need to repeat: Anyone who wants to sell software should consider obfuscating it. I think it is misleading and harmful for your customers to encourage them not to obfuscate their software, and my arguments were simple:

- Simply applying some license checks (as secure and well-thought as they may be) without obfuscation does NOT prevent casual piracy. Instead, it ENCOURAGES beginner reverse engineers to try out their skills, as I've noticed from personal experience. (Although I am not reversing anything with malicious intents. If I find some piece of software that has really bad protection, I usually write to the owner, informing them of how insecure their software is, and how they could address this)

- Currently, it is so easy to remove LimeLM from an unobfuscated program, that it doesn't even make sense to put any time and energy into implementing secure techniques, like asymmetric encryption and unique hardware IDs. Removing the licensing part is so easy that even if you had the most insecure system, it would still be easier to patch the program instead of exploiting the validation process. Of course, you list secure asymmetric encryption as a selling point. However, I don't see how it is a good thing that your encryption can't be broken, when even if it could, nobody would even try, because it's easier to remove it altogether because the program is unobfuscated...

- You say that obfuscation, in all its forms, is snake oil. That is misleading. Obfuscation works, it protects intellectual property and prevents to some extent piracy. The issue here is that you list the fact that you DON'T have obfuscation as a feature. That's like saying that your door is better because it doesn't have a lock. Sorry for getting back to this analogy. You seem not to like it, but, although not perfect, it is true. No matter how you slice it, obfuscation is an additional layer of security. One that can be thinner or thicker, one that comes with some inconveniences, but ultimately it is a layer of security, and there is no reason to turn it into a drawback (or call it "garbage", as you have).

- There are examples out there (WinRar was just the first it came to mind, and I'm sure most people are familiar with it) of software that because it doesn't have any means to prevent piracy, nobody pays for it, and nobody even thinks they should. Now it is true that WinRAR, although having a licensing system, also doesn't stop working by itself when the trial is over. However, from that to adding a simple "if" that terminates the app, is just a very small step. This small step would not prevent piracy, or protect intellectual property. I've also mentioned game DRMs, which would be the equivalent of licensing + obfuscation. Now although people don't like DRMs because of their overkill methods, there's no denying that good DRMs work. Even people who use cracked games admit that it's not the same, and it's obvious that the cracks are almost always outdated and don't work properly, despite the efforts of the best crackers out there. DRMs are the highest level of licensing systems we have. And guess what, they use obfuscation.

What I think would be truly honest would be to either implement some obfuscation yourself or to encourage people who use your product to also look for a good obfuscator. I don't even know really why you describe obfuscators as your competition. The truth is that there are many good software protectors that don't include any kind of licensing, and even the ones that do include some licensing, they don't focus that much on it, so it's really basic. I could make a long list here, and I am sure you wouldn't really be able to provide instructions on how to unpack/deobfuscate/defeat most of them, as you claim. However, I don't want to do so without your permission first, as I think it would be unprofessional. The thing is that you should encourage people to use these tools, instead of telling them that they are a scam and should be avoided.

If you think that would hurt your business, you could just not mention it, and focus on your great features. That would still be a bit harmful to the customers, as they would not realize they need extra obfuscation. However, addressing it and calling it a scam, snake oil and garbage is simply wrong and unprofessional.

I don't have a whole lot of time to debunk things we've already debunked. By I'll quickly go down the list:

1. Obfuscation can be undone often with pre-made tools in the matter of less than 1 second. Is it a brand new obfuscation technique? It might take a much as 2 minutes to modify the tool.

So, again, obfuscation is a waste of money.

2. Calling out fraud in our industry has changed the behavior of at least 2 of our competitors. Yes, anti-crack advertising is fraud. Nothing can stop cracking. (And, no, just because you can't crack something doesn't mean it's uncrackable -- it just shows a lack of experience).

We don't keep our mouths shut about fraud. Never have, never will. Call it unprofessional if you'd like.

3. We definitely need to make videos showing every company advertising fraudulent techniques and how much "protection" they really add. This will help educate customers who lack the necessary experience and who want to believe the lies. It might also tank a few of those fraudulent companies. Win-win for end-users. No ETA on that. But it's something that will have a positive effect on the industry.

4. You've made your same point multiple times (without ever providing an example of uncrackable software). Instead you've just re-iterated the talking points of these fraudulent companies. Locking the topic because nothing new has been added to the conversation.