Licensing and Piracy

Licensing

No licensing or anti-piracy method is ever going to be 100% effective. In designing or choosing a licensing system, its important to keep your paying customers at the forefront of every decision you make.

It may be heresy to say so- but it really doesn't matter if someone manages to break the anti-piracy measures on your software. So- they got a free copy of the software? But they were never going to buy it anyway, there's no hit to your bottom line. And on the scale most of us micro-ISVers work on, no-one's going to take the effort to distribute cracked versions all over the internet, you're not going to lose any paying customers as a result.

My requirements for the licensing in Cancellation Checker were pretty clear:

1. Must support a trial mode with limited functionality.
2. Strong preference for client-side checking of license - unreachable activation servers can cause a lot of heartache and annoyance.
3. Activation code linked to driving license number (a unique value for a specific user). This means that having bought the software, they can't use it to find their friends or siblings tests using the same activation code.
4. Activation code should not be limited to one machine, one install or in any other way.
5. It should be free- when I went live, I had no idea if I'd even sell one copy of the software, so paying for a licensing system was not an option I wanted to consider.

I settled on using a reversal of the normal public/private key encryption scenario:

Normally when Tom wants to send Dick a private message, he can encrypt it using Dick's public (shared) key. This message can then only be decrypted with the use of Dick's private key, which only Dick has access to.

Our scenario is a little different though:

I wanted to sign someone's driving license number using a private key. This would then be verified using my public key inside Cancellation Checker, and checked against the driving license number they enter into the application

This is a bit similar to signing your dll's with a snk file - its a way of ensuring that the activation code came from us and not from anyone else.

How to do it:

.NET has some pretty powerful classes built in to deal with these scenarios- unfortunately they are not suitable for use in server side shared hosting environments as they would compromise the server's private keys- try to use them and you'll just see permissions errors.

I found the solution here:

http://www.codeproject.com/KB/security/EZRSA.aspx?fid=473703&df=90&mpp=25&noise=3&sort=Position&view=Quick&select=2292015

public static string Sign(string plaintext)

{

ASCIIEncoding ByteConverter = new ASCIIEncoding();

byte[] sign_this = ByteConverter.GetBytes(plaintext);

AlpineSoft.EZRSA csp = new AlpineSoft.EZRSA(512);

csp.GenerateKeyPair(17);

csp.FromXmlString(GetPrivateKeyFileString());

byte[] sign = csp.SignData(sign_this, new SHA1CryptoServiceProvider());

return Convert.ToBase64String(sign);

}

Using the AlpineSoft dll, the code is really very simple as you can see above. Then on the client side we just:

public static bool Validate(string plaintext, byte[] sign)

{

ASCIIEncoding ByteConverter = new ASCIIEncoding();

byte[] validate_this = ByteConverter.GetBytes(plaintext);

AlpineSoft.EZRSA csp = new AlpineSoft.EZRSA(512);

csp.FromXmlString(GetPublicKeyFileString());

bool valid = csp.VerifyData(validate_this, new SHA1CryptoServiceProvider(), sign);

return valid;

}

The beauty of this approach is that a user is uniquely identified by their driving license number, and this number is an integral part of the workings of the software. So, everyone in the UK has an activation code that is unique to them.

So far- I've had no complaints, but I'd be interested to hear what approach other micro-ISVers take to protecting their software

Payment Processors- FastSpring and PayPal

Choosing a payment processor for your company is one of the most important decisions you will make. You rely on them keeping the trust of your potential customer who has decided to buy your product. You rely on them to always be available, to deal with any billing problems, to manage chargebacks, refunds and notifications.

And most of all- you rely on them to collect your customers' money.

I can say- without reservation, that I made the right choice in going with FastSpring (http://www.fastspring.com):

• Great customer Service- respond to emails very quickly
• Good presence in ISV community- e.g. on Joel on Software Business of Software forum
• No upfront/ongoing charges
• Higher transaction charges than other payment processors
• Easy to customise payment process- e.g. I send a HTTP notification to my webserver to generate a license key

A couple of weeks in however I noticed I was getting hit with VAT on all my transactions. There's nothing FastSpring can do about this- they resell your software, and as a large company are obliged to charge VAT at 15% to their European customers. This is especially painful as all my customers are in the UK- so it applies to every single transaction.

In the hope of increasing my profits by 15% I decided to investigate PayPal:

• More difficult to set up- documentation spread all over the place, and forum answers sometimes misleading
• Low transaction charges
• No support for discount codes/vouchers (this really surprised me)
• No experience with customer service yet- but I've heard bad things

I now run both side by side- though I try to steer users onto the PayPal payment option rather than FastSpring (Buy Page) as I make over 15% more per PayPal order.

Despite this- I still find that roughly half of my users prefer to use the FastSpring payment option- and I'm not really sure why- I'd be interested if people have any ideas about this.

How it all got started

Like many of the best things in life- my micro ISV adventure started almost completely by accident.

I failed my driving test. I managed to drive into a bus lane- whoops.

Now, as anyone who has tried to book a driving test in London will know- the waiting list is about three months (as I write, the closest test in Barking is three months and a week away).

My driving instructor told me that it was possible to get closer tests- all you had to do was check the test booking website non-stop for a few days, and when someone cancelled their test, you could leap in and take their slot.

Unfortunately- I have a day job, and understanding as my boss is, I couldn't see him, or the rest of my team putting up with checking the DSA website all day trying to get a driving test.

So, I did what any self respecting computer programmer would do- I automated it. Just put together a quick bit of .NET code which would check the website every few minutes for me, and then email me when a new driving test came up. Simple- and it worked, within a couple of days I had a new driving test.

A couple of weeks later, my girlfriend was off work with swine flu, and I was quarantined at home too- with nothing to do. I decided to polish up my solution, knock up a website and see if anyone else was interested...

And so, Driving Test Cancellation Checker (http://www.drivingtestcancellations.co.uk) was unleashed onto the world.

Welcome

Hi- and welcome to the blog of Stratford Software- a Micro ISV based in London.

My name's Tom Gallard, and I'm the founder of the company (company might be pushing it a bit- its really just me!).

At the moment we've got one product- Driving Test Cancellation Checker (http://www.drivingtestcancellations.co.uk) which launched just over a month ago, and is doing pretty nicely. In the next few months' blog posts, I'll be talking about some of the following areas.

1.) How it all got started

2.) Payment processors- Fastspring and PayPal

3.) License generation

4.) Bug tracking with Fogbugz

5.) Website design, analytics and tracking (Google Analytics, Crazy Egg)

And doubtless, lots more.

I'll also name a few of the blogs, books and other resources I've found most useful in getting this company up and running.