No electronic system can ever be 100% secure, and if you do find one, Microsoft would like some advice. Hundreds of billions of dollars and decades of work by the world’s greatest minds have only been able to come up with mostly great solutions.
Online license keys are generally accepted as the best and most popular solution. That’s where BatchKeys comes in.
Securing software is so difficult because the end user has so much control over their system (which is a good thing). Even if you locked everything down to the final detail, an end user could still access the hardware and manipulate the code to circumvent your systems. But that would be really annoying, so 99.99% of users won’t try it.
And that’s what security is all about. Fortify the security systems so that manipulating them is so difficult and so annoying that no reasonable person, even a malicious hacker, would ever want to bother with it.
True security is a balance between customer usability and malice prevention. Using online license keys to secure your software is the most widely accepted and easy-to-use system that still provides protection against malicious attacks.
The best security makes doing the right thing really easy and doing the wrong thing really annoying!
Why People Crack Software
One of the greatest modern examples of why average people crack software is the Nintendo games store. For a long time you could easily purchase many great old NES and SNES games and play them on modern consoles. They were reasonably priced and worked great! People loved these old games that they grew up playing, and they were willing to pay for them since it was so easy.
But once Nintendo removed a game from the store, it would be cracked and emulated for PC, usually within hours. Funnily enough, sometimes the crack may have already existed for decades, but hardly anyone cared until they couldn’t play their games through legitimate means.
Since players could no longer easily do what they wanted in a legitimate way, they decided to take matters into their own hands. Now, despite Nintendo’s longstanding war against emulators and its best efforts to shut them down, it will never stop their growing popularity.
Emulators are now part of mainstream society, in part due to Nintendo’s decision to make doing the right thing impossible.
This is why people crack software. Sure, there will always be dedicated crackers who do it for the thrill or monetary gain, but they do not represent an average user.
Cracking is a customer service issue.
Make your app as easy to purchase as possible, as easy to activate as possible, and as annoying as possible to crack.
End User Security
End users may not always act as expected, but they can be grouped into three classes for the purposes of this discussion: good faith, malicious, and accidentally malicious.
Good faith end users are just normal users and should be treated as such. Malicious end users are actively trying to circumvent your protections so that they can steal your app. Accidentally malicious end users are normal users doing abnormal things, like trying to check a bunch of keys you gave away.
Efforts to secure your app and keys should be focused primarily on malicious end users. Malicious users typically use special software or custom scripts such as brute-force key checkers. They may also use IP obfuscation such as proxies, spoofing, VPNs, etc. They find leaked key lists for your product online and test every key in quick succession.
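One way to tell the three classes apart in a validation log, as an added example that is not BatchKeys code: count how many different keys each source tries inside a short window, and separately how many sources present the same key, since per-IP counting alone is sidestepped by proxies and VPNs. The event layout, key strings, IP addresses and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed validation events: (unix_time, source_ip, license_key).
# Field layout, key strings and thresholds are assumptions for illustration.
EVENTS = (
    [(1000 + 30 * i, "198.51.100.7", "KEY-A") for i in range(3)]             # one user retrying one key
    + [(2000 + 20 * i, "198.51.100.9", f"GIVEAWAY-{i}") for i in range(4)]   # checking a few giveaway keys
    + [(3000 + i, "203.0.113.5", f"LEAK-{i}") for i in range(40)]            # scripted run through a key list
    + [(4000 + 5 * i, f"192.0.2.{i + 1}", "LEAK-7") for i in range(6)]       # one leaked key, many sources
)

def peak_distinct(events, group, member, window):
    """Per `group` value, the most distinct `member` values seen in any trailing window."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for ev in sorted(events):                      # process in time order
        q = recent[ev[group]]
        q.append(ev)
        while ev[0] - q[0][0] > window:            # drop events older than the window
            q.popleft()
        peak[ev[group]] = max(peak[ev[group]], len({e[member] for e in q}))
    return peak

def classify_sources(events, window=60, soft=2, hard=10):
    """Label each source IP by how many different keys it tried within `window` seconds."""
    labels = {}
    for ip, n in peak_distinct(events, 1, 2, window).items():
        if n <= soft:
            labels[ip] = "good_faith"      # one key, perhaps retried
        elif n <= hard:
            labels[ip] = "accidental"      # a handful of keys: throttle, don't ban
        else:
            labels[ip] = "malicious"       # list-checking speed: block and review
    return labels

def shared_keys(events, window=300, max_sources=3):
    """Keys presented by more than `max_sources` IPs within `window`: likely leaked."""
    return {k for k, n in peak_distinct(events, 2, 1, window).items() if n > max_sources}

if __name__ == "__main__":
    for ip, label in sorted(classify_sources(EVENTS).items()):
        print(f"{ip:15} {label}")
    print("keys to revoke or watch:", sorted(shared_keys(EVENTS)))
```

Each proxy address in the last group looks like a good faith user on its own; only the per-key view shows that the key itself is circulating.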
Keep Your Keys Secret
Our keys are sophisticated and even with a billion attempts per second, it would take billions of billions of years to brute-force a single valid key. Smart malicious end users know this and instead focus their resources on publicly leaked key lists for your specific app. They find these lists online, sometimes on websites dedicated to this purpose.
Keeping your keys secret is 90% of the battle. This might sound obvious, but don’t release keys in bulk publicly, especially if you intend to leave these keys up indefinitely. Once these keys are in the wild, they are there forever. Even if you delete the post later, those keys could have been saved by a user or scraped by a website.
Instead of doing this, we highly recommend private messaging or emailing keys directly, preferably with a message indicating that the key is unique and should not be shared. This keeps the “ammo” malicious end users have to a minimum.
Secure Your Account
Keep your login credentials private and change your password often. If you share your account with team members, be cautious about who they share the information with.
NOTE: If you suspect your account has been compromised or a team member has leaked your keys, please immediately change your password, delete any inactive keys, and generate new keys as needed.
If you have been the victim of a leak, please notify us immediately. If the leak is extreme enough, you might consider the “scorched earth” option of sending new keys to all end users, giving them 30 days to activate their new keys, and then deleting any pre-existing keys.
Removing Key Lists From The Internet
First, realize that removing anything from the internet is practically impossible, but you can make any leaked keys harder to find.
Keep an eye out for websites that post such key lists. Try search terms like “your app name free keys” or “your app name key list” or “your app name cracked”. If you find your product keys on a website, whether fake keys or real ones, send DMCA requests to their contact info, their hosting provider, and their domain provider. You can find this information by using https://lookup.icann.org.
Custom DMCA requests asking to remove any content related to your app work best. Since practically no domain registrar allows stolen product key lists on a website it manages, this is typically an easy way to get the website removed from search results. But your mileage may vary, and the website might pop up again a few weeks later on different hosting and a different registrar.
It is far easier to keep a leak from ever happening than to clean up the mess afterwards.