The Truth About Dongles
Protecting intellectual property and the end-user experience

Contents

Executive summary
A history of dongles
The problem with dongles
The alternative: software-based protection
Software-based protection problems
PRO-Tector Flash™: the best of both worlds
Combining hardware and software to solve the dongle problem
The customer proposition
Conclusion

Executive summary

The world of computing is very cyclical. Often, you will find concepts from yesteryear recycled and repackaged. The idea of centralized computing, for example, which emerged with the mainframe, lost favour when client/server developed, only to find fortune again in the era of thin client computing and shared applications. Facilities houses and computer bureaus were a thing of the past until someone coined the term ‘hosted services’ and the whole cycle began again.

And so it should be. The world of computing is built on solid ideas that we should not forget, but the real innovation comes with taking those old ideas and adapting them to add value and to adapt to modern conditions. The dongle is a prime example of this. A technology from the early 1980s, it was clunky, expensive, and beset by many problems, limiting it to niche applications for very expensive software. But there is an element of usefulness in physical copy protection that we should not lose.

This, the latest in a series of white papers from Nalpeiron offering new insights into copy protection concepts, explains how the concept of physical protection is being modernized, fused with digital licensing technologies to create a whole new product category. This new product provides a dramatic reduction in operating overheads for software vendors thanks to the use of inexpensive, industry components, and gives new meaning to the term 'copy protection'.

About The Author

Henry Roberts, CTO, Nalpeiron.

Henry Roberts helped develop one of the first general purpose computers at Monroe Calculator in the 1970s. The thesis for his MSc at the University of South Carolina's graduate school in Computer Science helped Apple Computer to adapt its own copy protection system. Henry’s thesis was responsible for defeating Locksmith, a technology that was known for being able to circumvent any technology on the Apple platform.

After obtaining his MSc in 1981, Henry worked on further Apple copy protection technology at Sensible Software. In 1983 he started his own company, AST, to create custom copy protection solutions.

In 2002 Henry devised a new copy protection technology that led to the development of PRO-Tector and its Protect-n-Forget (PnF) technology. AST and Nalpeiron worked together to produce the new products until 2004, when Nalpeiron acquired AST.

A history of dongles

Generally, copy protection technologies for computer software have fallen into two categories: the digital, and the physical. No matter how diligently you attempt to protect your computer software from piracy, protecting it using software algorithms will always introduce an element of vulnerability. Because software can be manipulated, hackers with enough skill can neutralise the detection algorithms or circumvent encryption mechanisms designed to keep your intellectual property under lock and key. Physical protection is by no means foolproof, and can be hacked by determined software crackers, but it represents another level of protection for software. This is why protecting software physically has always appealed to software developers.

Getting physical

Physical copy protection emerged in the early 1980s, and came in the form of a dongle. A dongle is a hardware device designed to plug into a computer's I/O port. The dongle provides verification that the software is valid, because it ships with the product and is very difficult to duplicate.

A dongle solution normally consists of three separate components:

• A custom processor containing the intelligence in the system along with the license credentials necessary to activate the software.
• A physical interface to the main board (either a serial port, parallel port, or USB port).
• A device driver designed for installation on the PC that will talk to the dongle hardware.

The critical thing here is the specialist processor on the physical device. This is what makes a USB dongle different from a standard USB flash drive. Ideally, the software program using the dongle to authenticate itself would perform multiple checks by querying the dongle through the I/O port. Badly implemented dongles may only reference the dongle when they start up, setting a single reference variable that will allow the program to run. Such devices leave themselves open to code tampering, and properly implemented dongle/software solutions will involve multiple reference checks to the dongle from different parts of the program, making it much more difficult for hackers to fake the dongle’s existence by tampering with the program code.
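
The difference between a single start-up check and checks made from several parts of the program, as an added example (not code from this white paper or from any Nalpeiron product). The dongle is simulated in software, and the class names, call-site names, HMAC challenge-response scheme and secret are all assumptions made for illustration.

```python
import hashlib
import hmac

SITES = ("startup", "export_report", "save_project")  # hypothetical call sites


class SimulatedDongle:
    """Stand-in for the dongle's processor: keeps a secret, answers challenges."""
    def __init__(self, secret):
        self._secret = secret
        self.plugged_in = True

    def respond(self, challenge):
        if not self.plugged_in:
            raise IOError("dongle not present")
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


def build_time_answers(secret):
    """Vendor side: precompute one expected answer per call site, so the
    secret itself never ships inside the application."""
    return {s: hmac.new(secret, s.encode(), hashlib.sha256).digest() for s in SITES}


def dongle_ok(dongle, expected, site):
    """Challenge the dongle for one call site and compare in constant time."""
    try:
        return hmac.compare_digest(dongle.respond(site.encode()), expected[site])
    except IOError:
        return False


class StartupOnlyApp:
    """Weak pattern: one check at start-up sets a single flag."""
    def __init__(self, dongle, expected):
        self.licensed = dongle_ok(dongle, expected, "startup")

    def export_report(self):
        return "report" if self.licensed else None


class DistributedCheckApp:
    """Each protected function queries the dongle with its own challenge."""
    def __init__(self, dongle, expected):
        self._dongle, self._expected = dongle, expected

    def export_report(self):
        ok = dongle_ok(self._dongle, self._expected, "export_report")
        return "report" if ok else None


def remove_dongle_after_startup():
    """Start both designs with the dongle present, then unplug it."""
    secret = b"constructed-demo-secret"  # constructed sample value
    expected, dongle = build_time_answers(secret), SimulatedDongle(secret)
    weak, strong = StartupOnlyApp(dongle, expected), DistributedCheckApp(dongle, expected)
    dongle.plugged_in = False
    return weak.export_report(), strong.export_report()
```

The start-up-only design keeps working after the dongle is gone because everything depends on its one `licensed` flag, while the distributed design refuses at the next protected call.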

The problem with dongles

The dongle sounds like an ideal solution, but it suffers from some underlying problems that affect the end user and the software developer alike. These can be collected together into a few categories:

Using physical media causes physical problems

Physical devices can be lost more easily, especially small form factor devices such as a dongle. A customer who loses the dongle will not be able to use the software until it is replaced.

Supplying and replacing dongles is a problem for the vendor. One of the advantages of working in the software business is that inventory is less relevant because your product can be replicated and doesn’t take up any space. Conversely, dongles must be managed as physical stock, placing additional demands on your business. Replacing your customers’ lost dongles is yet another problem. Because dongles have not traditionally offered any value add for the customer, replacing a lost dongle is simply an inconvenience for the customer, especially if they have to pay for it.

Dongles are also expensive to manufacture, meaning that suppliers must increase the price of their software to accommodate the extra up-front cost. Buying 1,000 traditional dongles at $30 each will result in a $30,000 inventory, which has to be held in stock until it is used, tying up badly needed capital that could be used elsewhere.

Higher development costs

Dongles are traditionally hard to upgrade, requiring you to send out a new device or new drivers. Users have to wait until these upgrades are issued before their software will work properly.

Software protection that uses dongles is not as easy to develop for as non-physical technology. Apart from the universally accepted physical interfaces (serial port/parallel port/USB) there are no standards for dongles, meaning that each dongle solution works differently, using different ASICs and software drivers.

They create support headaches

Dongles can cause incompatibilities with hardware and software. A dongle that works perfectly well may suddenly experience problems following a major operating system upgrade or driver patch. Should a dongle suddenly begin locking up because of changes to its operating environment, the supplier will have to resolve the problem, often with considerable time delays waiting for new drivers. The costs could be significant.

The alternative: software-based protection

While dongles evolved as a form of physical protection, a parallel development has taken place. Digital protection technology has evolved in various forms. Because of its reliance on software innovation rather than physical protection, the approaches to digital copy protection have evolved at a faster pace than dongle-based systems.

Wrappers

Evolving from the loader-based mechanisms found in some software protection systems, software wrappers are envelopes of code that encrypt your own application binary. Because the software wrapper has to decrypt the code before it can be run, it can be programmed to check for the existence of a software license before allowing access.

SDKs

An SDK is a piece of copy protection code that has been developed for a specific application environment. Unlike wrappers, which are designed to fit around your existing code like a shell, SDKs integrate more tightly with your application. You can make calls to the application programming interface (API) presented by the software development kit from within your own software.

For example, whenever a particular function is called, it checks the details of your license using the SDK. In this way, it becomes more difficult for hackers to disassociate the copy protection from the application code.

SDKs are stronger and harder to hack than wrappers and much cheaper and more flexible than dongles. They have more features and integrate with applications much more tightly, allowing for features such as custom screens, for example.

Software-based protection problems

Generally, software-based copy protection technology has been seen as more vulnerable than dongle-based systems, because software is easier for third parties to manipulate than hardware-based systems.

Wrappers

Software wrappers are considered by many developers to be among the easiest products to use, because they are often designed to be easily integrated into any product. However, that ease of use comes at a price. Once cracked, a software wrapper can be countered with an unwrapper that is easy to distribute and run.

Search the Internet to find cracks for some of the better-known software protection mechanisms, and you will be surprised at how quickly software crackers can neutralise code. It becomes profitable for them to do this, because once you have created a software patch neutralizing the protection provided by a single wrapper, you theoretically provide access to tens or hundreds of software applications protected using that product.

Developers should also be wary of future operating system developments when using wrappers. Unless you are sure that your wrapper solution will survive Windows XP Service Pack 2 and future operating system upgrades, for example, you could find yourself with increasing support costs in the future.

SDKs

SDKs are harder to implement than wrapper technology because you must be a developer with the tools that built the original application. The development time needed to copy protect your application with an SDK correlates directly with the level of integration you require.

Digital licensing models

The flexibility of digital licensing allows companies to use several different licensing models with their software. These include:

• Modular licensing: Licensing software based on the use of individual components or features.
• Per-use licensing: Software can be paid for each time it is used, with usage measured by some agreed criteria.
• Trial period licensing: Using a trial version of the software that locks up after a predefined period and can only be unlocked with a license purchase.
• Concurrent network usage: Software which is designed for use on a network can be restricted to a set number of simultaneous users.
• Limited-run evaluation: Software locks up after a set number of uses until full license is purchased.
• Subscription: Providing software that is rented rather than owned.

PRO-Tector Flash™: the best of both worlds

PRO-Tector Flash™ is a software development kit enabling developers to buy a USB flash drive from any supplier and turn it into a dongle-like device by creating and storing the digital license for a particular software application on it. This approach combines the strong protection of a physical device with the flexibility of a software license.

Roll your own protection

Although Nalpeiron will happily provide blank USB flash drives, developers no longer need to rely on a single company as they do when purchasing dongle hardware. Instead, they can roll their own protection, purchasing a USB drive with the capacity that they need (up to a maximum of 2GB). PRO-Tector Flash™ puts developers back in control of their own copy protection, making it possible to customise it to suit their customers’ needs.

Users who travel frequently and need to move their license from one computer to another on a regular basis will find the copy protection offered by PRO-Tector Flash™ to be more convenient than dongle solutions. PRO-Tector Flash does not restrict the use of the USB flash drive as a storage device and also provides users with the option to transfer the license from the USB drive to their PC, minimizing inconvenience in the event of a lost flash drive.

PRO-Tector Flash™ in action

1. Developer acquires USB flash drive from one of many third party suppliers (or from Nalpeiron).
2. Developer uses PRO-Tector Flash™ SDK to generate digital license, stored on USB flash drive.
3. Drive given to user.
4. User uses USB drive with software license to access application on office PC.
5. User leaves office and goes home. Uses USB drive to access same application at home (if license allows multiple installs).
6. User is leaving for trip and worries about losing USB drive. Transfers license temporarily to her PC for protection.

Combining hardware and software to solve the dongle problem

The PRO-Tector Flash™ solution solves the problems associated with traditional dongles while leaving the benefits intact.

Lowering the cost of entry

With the introduction of low-cost USB drives and the ability to quickly create your own physical protection without help from a third party dongle provider, developers can minimise the cost of software protection while maximizing control over their intellectual property. With dongle-based copy protection costing around $30 per unit, Nalpeiron can cut the up-front cost of volume production units by a third. Back-end costs associated with issues like support, inventory management and distribution will also be dramatically reduced.

Lowering the cost of support

Because they use standard memory chips instead of the specialist ASICs used by dongles, USB-based flash drives are much less likely to cause problems with operating system software or system patches because they do not use specialist drivers. And because it is so easy to copy the license to a PC, it will reduce the replacement costs associated with many dongle-based copy protection systems. Similarly, standard solid state RAM has a better mean time between failure (MTBF), offering up to a million hours and reducing support costs still further.

Lowering the cost of distribution

Because dongles can be created on the fly using off-the-shelf USB flash drives, developers can buy USB flash drives from a variety of different sources, increasing the flexibility of supply. This enables them to fulfil their software shipments according to their own schedule rather than waiting for a specialist dongle vendor to provide them with product.

Solving the wrapper problem

Unlike wrappers, which if cracked can compromise an entire installed base of software, PRO-Tector Flash™'s hardware/software combination gives developers the protection of a physical dongle without sacrificing the flexibility of software-based licensing. Custom screens, different software licensing models, and even Internet-based activation are all possible using this product, while the hardware element provides another level of protection.

Unlike traditional dongles, which preclude the user from using software that has been downloaded from the Internet, PRO-Tector Flash™ enables customers to use a trial version of the software, ordering a separate USB flash drive which can be plugged into their machine upon arrival, creating a license and converting the product into a full-use version. And whereas other dongles can hold 115 software licenses, the high capacity of many USB flash drives enables a flash drive enabled with our software to hold 250 licenses, with up to twice the application memory (10Kb).

The customer proposition

Dongles created using PRO-Tector Flash™ represent not just convenient copy protection for developers, but added value for end users. Not only does the product allow multiple digital licenses for digital applications to be stored on the same drive, but it also allows customers to store their data files on the key ring-like device, along with the product manual and even the software application itself, which can dramatically cut distribution and printing costs for the software vendor.

Thus, hardware becomes not just something that they need to make the application work, but a pocket storage device that enables them to take their files with them. Developers can present this to customers as a benefit, and all at a low cost for the end user, thanks to the relatively cheap nature of the USB device when purchased in volume. The ability to add product branding in the form of logos printed on the side of the USB drive reinforces your company brand, which then travels with users wherever they go. For the first time, copy protection is not simply something for users to tolerate, but something for them to buy into.

About Nalpeiron

Formed in 1991, Nalpeiron (NAL) is a US- and UK-based company. Nalpeiron started as a software developer and management consultancy, but had poor experiences using copy protection technologies leading to support headaches through lost software licenses. The company decided to develop a range of new copy protection technologies to help its customers solve these problems.

Conclusion

Copy protection is often taken far too lightly by software vendors who leave it as an afterthought, hoping that the crackers won't target them. Unfortunately, these are the vendors whose profits suffer from lost revenue. Companies have pulled out of entire geographical markets before, because of endemic piracy.

Solutions now exist which take note of the lessons learned from previous generations of software protection, and combine the best parts of various tools into a single product. Thinking about your protection early on, and combining the flexibility of software licensing with the resilience of hardware-based data protection will help to protect your most valuable asset: your intellectual property.

What to consider when sourcing physical copy protection

Any software developer thinking about ways to protect their software will doubtless consider physical protection solutions when making their final decision. If you decide that your product would benefit from physical protection, you should approach suppliers forearmed and forewarned. Consider these issues when making your choice:

Inventory

How easy is it to get supplies of the dongle hardware on demand?

Dongle loss or theft

What is the outcome if the dongle is removed from the system? Can the user transfer the license to the PC and back to the dongle when appropriate?

Standardization

Will the hardware and associated driver need updating or upgrading with operating system updates? How will this delay and/or change affect your customer base when it occurs? What are the costs and rollout issues?

Extra value

Is the dongle that you are considering simply a way to stop software being copied, or does it add extra value, such as file storage?

Reliability

What is the mean time between failure of the dongle? How long before it will need replacing? This will significantly affect your costs throughout the lifecycle of the customer’s license.

Flexibility

Can your physical protection software be used to enforce different licensing models, such as trial period evaluations, rental models and pay per-use models?

Unit cost

How much will your dongle cost to produce in volume? Do you have to buy it directly from one vendor, and how will that impact ongoing pricing?

Contact us now for a free 20 minute obligation-free consultation (normally $100) to discuss your project and to get impartial advice on the best solution for you. Email us now at [email protected] with your contact details and we will schedule a call with a consultant.

Nalpeiron US Office: 11707 S. Beechwood Rd. Leavenworth IN 47137 USA

Nalpeiron UK Office: 44 Market Square Witney OXFORD OX28 6AJ United Kingdom

www.nalpeiron.com

Copyright 2005 Nalpeiron. PRO-Tector and Protect-n-Forget (PnF) are trademarks of Nalpeiron. All other trademarks belong to their respective owners. Royalty free solutions for flexible and reliable licensing, activation and copy protection. E&OE.