The long term risk of software authorization keys
October 31, 2007
©2007 Rich Stillman, Waystation Partners
Do you like this article? You can read more. Better yet,
subscribe to my mailing list and you'll receive reviews of new devices and technology that can make your electronic life better today!
Since today is Halloween, I'm going to relate a scary
story that happened to me a couple of weeks ago. I'll tell you in
advance that it has a happy ending, I also want to stress from the
start that the companies involved in this story were more than happy to
help solve the problem - in fact, it took less than two hours to
resolve the situation, which required email exchanges with two
companies, one after the other. The problem here is more serious than
bad customer service - it's about an assumption at the core of one of
the most common forms of software copy protection out there.
referring to software activation keys, those cryptic strings companies
send you when you buy one of their products. Install their software
without the key, and it's trialware with limited function or an
expiration date, or it doesn't work at all. Plug in the key, and, well,
you get what you paid for. Your software would function, and usually
would also be branded with your name - this step to discourage passing
personal keys around to other people.
Activation keys, as
originally designed, worked pretty well. I have several computers, and
a library of software that I move from one to another depending on my
needs. My music studio software travels from my desktop, where it's
attached to recording equipment, to my laptop when I need to do mobile
recording and sound processing. To move the software, I install it on
the other system, plug in the key, and all is well.
A few years
ago, led by heavy hitters like Microsoft and Symantec, companies
started adding a new twist to the activation key: Internet
verification. Companies felt, with some justification, that just having
a code wasn't enough. People wouldn't care about passing around
software with their name attached, or they'd register a key with a
fictional name, and the software would hit the piracy circuit and
become, effectively, freeware. People might also take the somewhat less
illegal step of installing the same software on more than one of their
own computers. Clearly, in spite of the protection of a software
authorization key, people were getting more than they paid for.
the big guys said, "It's not enough that you paid for a key. We want to
know every time you use that key to install the software." Now, when
you enter your authorization key, the software phones home, the big
guy's servers verify your right to use the software, and authorizes the
installation by return message.
On the face of it, not a bad
solution. Every serious piece of commercial software has a EULA that
limits multiple use and transfer to other people. But there are other
situations where a person might want to reinstall software, within the
rights granted in the EULA. I found myself in one of those situations a
couple of weeks ago.
After six and a half years of faithful
service, my Dell laptop finally bit it. Nothing serious, but the lamp
that illuminates the screen backlight started quitting after a few
hours, then an hour, then ten minutes. I could have attached an
external monitor, but I was starting to look for a faster system, and
happened across a nice 2G Pentium 4 that ran rings around the laptop.
It was only five years old - compared to my laptop, almost new. I was
using it as a Linux test bed, but the temptation of speed was too great
and I decided to pick up and move to the newer system.
everything went perfectly. The system came with a license for XP, so
there was no need to move the old Windows 2000 OS. Office 2000 has a
software key but no Internet authorization, so no problem there,
either. Then I installed MailWasher, the program that makes email
possible for me.
When you own a domain like I do, and you don't
use automatic mail filtering, you get lots of spam. Much of that spam
contains malware, and the last thing I want is to have that stuff
loaded onto my hard drive, even if it's just to have an AV program trap
it and throw it away. MailWasher offers the perfect solution - it lets
me look at my mail while it's still on the server, selectively delete
what I don't want, and then download and read the rest with my regular
mail client. On average I kill about two hundred messages a day on my
server. MailWasher makes it quick and easy by warning me about emails
that are probably bad for my health, but it lets me make the decision
about which ones to dump. In doing so, it provides just the right
amount of automated intelligence and lets me make the final decisions.
I strongly recommend MailWasher for just about everyone.
last time I installed MailWasher was in 2003, when I bought it along
with ZoneAlarm as part of a package from ZoneLabs. They sent me an
authorization key, which I dutifully filed away in 2003 and pulled out
two weeks ago. I installed the software, which gave me a thirty day
free trial period, and then entered the key. "Invalid key", said the
program. I copied and pasted it again. Same answer. Typed it in by
hand, in case there was some invisible character imbedded in the email.
No luck, but at least I had thirty days to solve the problem.
where I started to get lucky. I wrote a return email to ZoneLabs. I got
a return email within an hour, saying that they couldn't fix the
problem since they had sold MailWasher as an agent of the manufacturer,
Firetrust. They suggested I contact Firetrust, which I did by email,
and less than an hour later, I got a very
long registration key in the mail. This one, apparently, was
self-contained and did not need to talk to the Firetrust authorization
servers that apparently no longer exist. I pasted in that key, and all
As I said at the beginning of this article, the
issue wasn't the software, the manufacturer or the shop that sold it.
It's the way software keys rely on verification with an external
server. In the case of software from Microsoft or other companies of
its size, the likelihood is that those servers will be around for a
long, long time. But for smaller companies which are bought out, move
on or just go out of business, maintaining authentication servers for
older products is not a priority. In fact, failing to authorize old
versions of software may drive sales of updated versions or replacement
products. I was fortunate on several levels - the seller still exists,
and pointed me to the manufacturer, who is also still in business. Both
companies provided great customer service.
In the long run,
though, most small companies in the tech business don't stay the same.
They evolve or disappear. And thanks to a dependency on software
authorization keys, many of us who own their software are only a
tenuous Internet connection away from extinction.
recommendation? It's time to do an inventory. Make a list of all the
software you own, and try to anticipate how you would reinstall each
item if you needed to. If some of that software requires a key, make
sure you have the key in a safe place. Find out if those keys require
Internet authorization and if the servers still exist, and revisit
those servers once or twice a year. If the servers are gone, consider
replacing those programs now,
while you still have the old software to use. Even if you can still
validate the keys, it's not a bad idea to shop around for alternatives
- anything can happen in the future, and probably will.