The long term risk of software authorization keys

October 31, 2007
2007 Rich Stillman, Waystation Partners


Since today is Halloween, I'm going to relate a scary story that happened to me a couple of weeks ago. I'll tell you in advance that it has a happy ending. I also want to stress from the start that the companies involved in this story were more than happy to help solve the problem - in fact, it took less than two hours to resolve the situation, which required email exchanges with two companies, one after the other. The problem here is more serious than bad customer service - it's about an assumption at the core of one of the most common forms of software copy protection out there.

I'm referring to software activation keys, those cryptic strings companies send you when you buy one of their products. Install their software without the key, and it's trialware with limited function or an expiration date, or it doesn't work at all. Plug in the key, and, well, you get what you paid for. Your software functions, and usually it is also branded with your name, a step meant to discourage passing personal keys around to other people.

Activation keys, as originally designed, worked pretty well. I have several computers, and a library of software that I move from one to another depending on my needs. My music studio software travels from my desktop, where it's attached to recording equipment, to my laptop when I need to do mobile recording and sound processing. To move the software, I install it on the other system, plug in the key, and all is well.

A few years ago, led by heavy hitters like Microsoft and Symantec, companies started adding a new twist to the activation key: Internet verification. Companies felt, with some justification, that just having a code wasn't enough. People wouldn't care about passing around software with their name attached, or they'd register a key with a fictional name, and the software would hit the piracy circuit and become, effectively, freeware. People might also take the somewhat less illegal step of installing the same software on more than one of their own computers. Clearly, in spite of the protection of a software authorization key, people were getting more than they paid for.

So the big guys said, "It's not enough that you paid for a key. We want to know every time you use that key to install the software." Now, when you enter your authorization key, the software phones home, the big guy's servers verify your right to use the software, and they authorize the installation by return message.

On the face of it, not a bad solution. Every serious piece of commercial software has a EULA that limits multiple use and transfer to other people. But there are other situations where a person might want to reinstall software, within the rights granted in the EULA. I found myself in one of those situations a couple of weeks ago.

After six and a half years of faithful service, my Dell laptop finally bit it. Nothing serious, but the lamp that illuminates the screen backlight started quitting after a few hours, then an hour, then ten minutes. I could have attached an external monitor, but I was starting to look for a faster system, and happened across a nice 2G Pentium 4 that ran rings around the laptop. It was only five years old - compared to my laptop, almost new. I was using it as a Linux test bed, but the temptation of speed was too great and I decided to pick up and move to the newer system.

Almost everything went perfectly. The system came with a license for XP, so there was no need to move the old Windows 2000 OS. Office 2000 has a software key but no Internet authorization, so no problem there, either. Then I installed MailWasher, the program that makes email possible for me.

When you own a domain like I do, and you don't use automatic mail filtering, you get lots of spam. Much of that spam contains malware, and the last thing I want is to have that stuff loaded onto my hard drive, even if it's just to have an AV program trap it and throw it away. MailWasher offers the perfect solution - it lets me look at my mail while it's still on the server, selectively delete what I don't want, and then download and read the rest with my regular mail client. On average I kill about two hundred messages a day on my server. MailWasher makes it quick and easy by warning me about emails that are probably bad for my health, but it lets me make the decision about which ones to dump. In doing so, it provides just the right amount of automated intelligence and lets me make the final decisions. I strongly recommend MailWasher for just about everyone.

The last time I installed MailWasher was in 2003, when I bought it along with ZoneAlarm as part of a package from ZoneLabs. They sent me an authorization key, which I dutifully filed away in 2003 and pulled out two weeks ago. I installed the software, which gave me a thirty day free trial period, and then entered the key. "Invalid key", said the program. I copied and pasted it again. Same answer. Typed it in by hand, in case there was some invisible character embedded in the email. No luck, but at least I had thirty days to solve the problem.

Here's where I started to get lucky. I wrote a return email to ZoneLabs. I got a reply within an hour, saying that they couldn't fix the problem since they had sold MailWasher as an agent of the manufacturer, Firetrust. They suggested I contact Firetrust, which I did by email, and less than an hour later, I got a very long registration key in the mail. This one, it seems, was self-contained and did not need to talk to the Firetrust authorization servers, which apparently no longer exist. I pasted in that key, and all was well.
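To make the difference between the two kinds of key concrete, here is an added illustration that is not from the article and not Firetrust's or ZoneLabs' code: the vendor signs the licence details with a private key it keeps, and the program checks the signature with a public key compiled into it, so verification needs no server and a key with an edited name fails. The "name|product|expiry" format, the function names and the choice of Ed25519 are my assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

// License is the data the vendor binds to a key; it is what gets signed.
type License struct{ Name, Product, Expiry string }

func (l License) payload() []byte { return []byte(l.Name + "|" + l.Product + "|" + l.Expiry) }

// NewVendorKeys creates the vendor's signing pair. The private half never leaves
// the vendor; only the public half is compiled into the shipped program.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	return pub, priv
}

// IssueKey is the vendor-side step: sign the payload and send the customer
// "<base64 payload>.<base64 signature>" as their registration key (assumed format).
func IssueKey(priv ed25519.PrivateKey, l License) string {
	enc := base64.RawURLEncoding
	return enc.EncodeToString(l.payload()) + "." + enc.EncodeToString(ed25519.Sign(priv, l.payload()))
}

// VerifyKey is the client-side step. It needs no network and no vendor server:
// the embedded public key can check a signature but cannot forge one.
func VerifyKey(pub ed25519.PublicKey, key string) (License, error) {
	parts := strings.SplitN(key, ".", 2)
	if len(parts) != 2 {
		return License{}, errors.New("malformed key")
	}
	payload, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil {
		return License{}, errors.New("malformed key")
	}
	// A key with an edited name, or one issued by anyone but the vendor, fails here.
	if !ed25519.Verify(pub, payload, sig) {
		return License{}, errors.New("invalid key")
	}
	f := strings.Split(string(payload), "|")
	if len(f) != 3 {
		return License{}, errors.New("malformed payload")
	}
	return License{f[0], f[1], f[2]}, nil
}
```

The server-verified scheme the article describes differs only in where the check runs: the program sends the key to the vendor and trusts the reply, which is exactly the dependency that breaks once the server is gone.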

As I said at the beginning of this article, the issue wasn't the software, the manufacturer or the shop that sold it. It's the way software keys rely on verification with an external server. In the case of software from Microsoft or other companies of its size, the likelihood is that those servers will be around for a long, long time. But for smaller companies that are bought out, move on or just go out of business, maintaining authentication servers for older products is not a priority. In fact, failing to authorize old versions of software may drive sales of updated versions or replacement products. I was fortunate on several levels - the seller still exists, and pointed me to the manufacturer, who is also still in business. Both companies provided great customer service.

In the long run, though, most small companies in the tech business don't stay the same. They evolve or disappear. And thanks to a dependency on software authorization keys, many of us who own their software are only a tenuous Internet connection away from extinction.

My recommendation? It's time to do an inventory. Make a list of all the software you own, and try to anticipate how you would reinstall each item if you needed to. If some of that software requires a key, make sure you have the key in a safe place. Find out if those keys require Internet authorization and if the servers still exist, and revisit those servers once or twice a year. If the servers are gone, consider replacing those programs now, while you still have the old software to use. Even if you can still validate the keys, it's not a bad idea to shop around for alternatives - anything can happen in the future, and probably will.