This is a bit delayed, but Youseful Software is currently running live on Plimloc with softANCHOR DRM. Youseful software develops and markets a series of plugins for FileMaker. Youseful has been around since 1996 first offering Delphi components for setup authoring. They are currently using softANCHOR for their suite of FileMaker Plugins.

Joe Mele, Partner at Youseful has been a strong supporter of the Plimloc system since our first beta and said, “We looked at numerous solutions. None had the robustness of SoftAnchor via Plimloc. The inherent flexibility made it uniquely suitable for various deployment needs.”

At Uniloc we love Youseful’s implementation. Youseful is one of the first customers on the system to leverage SoftAnchor’s Service Oriented Architecture via Plimloc. Youseful integrated with the SoftANCHOR web service API to deliver trial keys directly from their own web portal with only a few lines of code. This highlights one of the most powerful features behind the SoftAnchor License Management server which customers may access via Plimloc in that the entire system can be leveraged programmatically in your server-side applications.

Joe also took some time to tell us more about the Youseful products using Plimloc. It allows FileMaker developers to call SQL queries against FileMaker databases and to utilize standard queries Select, Create etc. FileMaker Calculations can now work with the data in FileMaker tables. The potential uses are only limited by your imagination:

• Easily update data in unrelated tables

• Keep a change log of your records add rollback functionality, audit trails, etc

• Write to FileMaker fields directly, using a calculation via SQL statements

In addition there is a Postal Codes plug-in and database.  Using this you can get the list out the zip codes in a given radius from another zip code. It will also give you the latitude and longitude for a zip code and calculate the distance between 2 zip codes.

You can see Youseful’s plugins in action at:

http://www.youseful.net/fwlink/FMPluginTrials

Years ago, those of us in the software licensing space used to argue about whether best-of-breed 3rd party solutions for software licensing were better than home baked solutions for managing license activation. While that debate may continue, Uniloc is delivering the next generation licensing technology that creates a powerful competitive advantage for leading software publishers. To us, it’s perseverance paying off! Our customers can now grow their bottom line through actionable intelligence.

A recently deployed use case is Maximum Software, the makers of Bug Doctor, a popular PC repair tool with more than 15 million downloads worldwide. Maximum Software is now receiving actual license activation data including legitimate activations, number of hacked serial number attempts, number of different locations that hacked keys originated from, which software features are used and at what levels, and more. As this intelligence pool builds, the company seeks to leverage it for accurate, executable information that will support licensing strategy tied directly to accurate product usage data.

Joe Mordetsky, CTO of Uniloc, discussing upcoming road show with Intraware:

Next week Uniloc is participating in a road show with Intraware to highlight Uniloc’s new SoftAnchor Insight product suite. I’m pretty excited for the show, as SA Insight has come a long way since its original inception to become what proves to be an innovative look at how the software industry understands what happens to their intellectual property post-sale and how their applications behave once they are installed on a customer’s machine.

The SA Insight products aim to help software developers stop making educated guesses regarding their user behaviors and installation practices and to empower them to gather cold hard facts on compliance, over installation, piracy, hardware platforms and application usage patterns. That was a lot to say all in one go, but the Insight suite is a comprehensive set of APIs that puts answers to common questions that plague software companies:

• Are my enterprise customers currently in, under or out of compliance with my license policies?
• How much license revenue could I really recoup if I decided to implement more stringent license policies?
• How much real (hacked application) piracy do I have? What markets does this piracy take place in? Is there a high possibility I would recoup some of this revenue if I implemented more powerful anti-piracy tools?
• How much license revenue am I losing through disk sharing, key sharing or over installation?
• What sort of hardware is my user base using? What is lowest set up I should support?
• What features of my application do the majority of my user base take advantage of? How can I better segment my products to take advantage of these usage patterns?
• How do I establish a closer dialog my customers in an age when emails are either caught by spam filters or disregarded as noise?
• How do I use advertising to support new or alternative revenue streams in my thick client software applications?

Anyhow, that’s a brief introduction to what we’ll be discussing. I hope to see you there.

Last week a federal district judge in the 9th circuit (Seattle) handed down an important decision on shrink-wrap license agreements and whether software is sold or licensed.  The case involved eBay merchant Timothy Vernor who repeatedly re-sold used versions of Autodesk software.  Autodesk argued that it only licenses copies of its software to end-users, rather than actually selling them.  This specific detail is very important in identifying how the First Sale Doctrine applies to software publishers and their products.  Since the court ruled that Autodesk actually sold it software during the initial transaction, Vernor has the right to re-sell the product as opposed to Autodesk’s claims of copyright infringement under the DMCA.

Judge Richard A. Jones rejected Autodesk’s argument stating that Vernor has the right to sell used copies of Autodesk’s software.  First Sale Doctrine, which ensures the right to re-sell used copies of copyrighted works as well as allowing libraries to exist, was held to apply to Autodesk software thus allowing Vernor to continue selling Autodesk’s products via eBay.

Jones’ ruling, which will certainly continue to be appealed, has significant implications for how software publishers sell and protect their product.  Previous rulings regarding licensing vs. sale have been leveraged by software publishers to prevent reverse engineering of their product and prevent large scale resale via channels such as eBay.  This ruling also has a direct impact on organizations such as GameFly as it seems to reinforce their ability to resell games, a multi-billion dollar operation.

This ruling further reinforces the necessity for software copy management, code security and supports the device locked model as being the only fair balance between software publisher rights and consumer rights.  Device locking enables the software publisher to limit the number of times software can be installed, but does so by also allowing the customer to uninstall, and return seat.  The threat created by allowing software to be legally resold is that publishers have no recourse to ensure the original owners removed the software.

If a specific piece of software is bought and resold 5 times, what is the likely hood that those 5 users completely removed the software?  Since software is truly digital and although resale does not conclusively prove that copies have been created, it creates a huge hole by which illegal copies can rapidly be created with original product.  Software publishers have relied on devices such as dongles and protection mechanisms such as media present to prevent this threat for years.  Relying on the presence of a physical object is rapidly being phased out as it prevents online distribution and overly burdens the end customer.

The Uniloc method of physical device recognition coupled with self-service options allows users to securely uninstall a product and return its state back to that of the original sale.  In the case of a subsequent product resale, the software would be limited to the number of devices it can be installed on, but previous installations could be securely removed.  This mechanism allows the publisher to maintain the value for the software by limiting the number of digital copies, but also allows the customer to resell the product.

by Casey S. Potenzone

The core of everything that is Uniloc is our capacity for Physical Device Recognition.  Throughout our collateral and documentation we make claim to the level of integrity and the accuracy of our process being greater than that of the Human DNA comparison process.  There is a paper available on our site that explains the foundations for these claims, but I’m often asked to “explain” just what we mean.  I just wrote a short note to an editor explaining how we justify these claims and decided to post it here as well. 

There are two numbers referenced in our collateral, 3.4 * 10^38 and 5.35 * 10^83.  The first number, 3.4 * 10^38, refers to our ability to uniquely identify a computer based purely upon its physical characteristics.  This number was calculated by taking a sample set of 1,000 “identical” computers.  In order to establish this baseline we assumed the computers in the sample were manufacturer original, IE the exact same make and model, components, memory, etc.  Within this pool of 1,000 identical machines there is a 1 in 3.4 * 10^38 chance that two computers will have the same Uniloc Physical Device Fingerprints. 

There are two main reasons why validating a Uniloc Device Fingerprint is more accurate than human DNA comparisons.  The first reason is the easiest, it’s the human factor.  Validating a Uniloc Physical Device Fingerprint is purely electronic and neither relies on, nor allows for, human input.  The DNA polymerase process, for example, has been cited in court as having 0.7% chance of lab error.  There have been many arguments made relating to human DNA accuracy, one notably in-front of the Maryland Supreme Court where the petitioner cited a false positive rate of 1 in 800,000.  Kindly note that 800,000 is just slightly less than 10^38. 

The second factor by which the Uniloc Physical Device Fingerprint has superior accuracy to human DNA sampling is based upon the integrity of the number space itself.  Human DNA, with its 23 pairs of chromosomes, consists of roughly 3 billion base pairs.  These base pairs represent the sampling and comparison points for conducting DNA comparisons.  Within the human genome approximately .10% of the base pairs are unique per person, equating to roughly 3 million base pairs by which we can each be uniquely identified.  With the exception of these 3 million pairs, human DNA is pretty much identical.  

On the other hand, the Uniloc Physical Device Fingerprinting process allows for 5.35 * 10^83 accurate representations of one, physical computer.  Based upon the combination of number of sample able components and electronic automation, the Uniloc Physical Device Fingerprint has a very high level of integrity, and as this paper further elaborates, is more accurate than human DNA.

By Casey S. Potenzone

Prior to first meetings, first calls or in many cases even first dates, we type our conterpart’s name into Google to see what we can find.  In many cases we’ll come upon press releases, company “about” sections and other canned content.  For example, type my name into Google and you’ll find just about everything our marketing efforts and PR firm have meant for you to find.

 If you really want to know what someone’s Internet “biography” has to say search for their handle or email address.  Many of us who have been using the net for over 10 years have handles.  These vary from the very cool to the very lame.  Mine happens to be lame, its cpotenzone.

Instead of reading my PR why don’t you take a look at what I have to say on blog postings, message boards and more, Google my handle.

In the software publishing space many people consider licensing to be DRM, and for the most part they are right.  However, if you ask the majority of the world, DRM only applies to music and movies, and its a nasty, nasty word.  Just about every computer user is familiar with software activation, the process of communicating with a server to determine the validity of a license and the users right to use the software.  Regardless of whether you consider activation or software licensing to be DRM, many publishers and consumers look at it as a road block to product adoption as well as a necessary evil.

Over the past several years I have had the opportunity to speak with a large variety of software publishers on topics such as piracy, IP protection, usability and physical device recognition.  Regardless of the software company, be it a top tier fortune 500 or a small developer writing shareware, they all have the same fears of software licensing. 

I’m here to tell you that a properly implemented licensing system, with focus on user habits, polite copy control and forward looking licensing methods you can not only create a happy user base, but you can also fight the 800 lb gorillas, and potentially beat them at their own game. 

If you want additional ideas or tips on how to use software licensing to increase your revenue, take a look at this Squid Lens (after the jump).

Earlier this week I had the opportunity to discuss the risks of social networking with Jennifer Neville, a producer for KTLA’s “Kurt the Cyber Guy.” Last year the National Center for Missing and Exploited Children released a study stating that 1 out of every 7 online youth (ages 10 - 17) received a sexual solicitation over the Internet. Leveraging our expertise in device recognition, Uniloc released a new beta product called PCandMe. The product allows social networks to identify computers and assign them trust ratings.

The KTLA studio, buried deep in the heart of Hollywood, is pretty much what you would expect from an LA based TV station. TV personality Kurt Knutsson, aka Kurt the Cyberguy, reaches a national audience of 48 million plus viewers. Kurt’s production team is working on a program for mid to late May focusing on the threats to online youths from social networking, and what the tech community is doing about it.

Uniloc’s PCandMe product allows parents to create trusted networks of devices that their kids can communicate too. By establishing a device identity predators can more easily be tracked and blocked by sites such as FaceBook and MySpace. Once you identify threatening individual accounts, the sites simply assign a negative rating to their device and the other devices the account is associated with. Prior to PCandMe a user being banned from a site simply went out and got another free email address and created another online identity. 

By Casey S. Potenzone

I’ve recently decided to experience what it would be like to cancel my satellite service and live purely off web based services.  I have high speed in every room, and a Tivo on each TV.  Amazon Unbox, if you aren’t already familiar with it, is an on-demand download service available on your computer and your Tivo.  Everyone from HBO to the major networks are giving away content on Amazon. Even greater than Amazon Unbox and any channel on television, is Hulu, and here’s why: 

Hulu was formed in 2007 as a joint venture between NBC Universal and News Corp.  These two power houses coupled with $100 million from Providence Equity Partners have lead to free, web based television from FOX, NBC, MGM, Sony Pictures Television, Warner Bros., Lionsgate, and many more. Hulu.com is the aggregation point for video’s that are designed to appear all over the Internet, on sites ranging from Yahoo!, AOL, MSN, MySpace and the one you’re reading right now. 

Following the YouTube model, Hulu.com videos will all be available via embedded players on web pages all over the world.  With their existing deals with the major players listed above, It’s my guess that the Hulu model will be able to offer advertising to nearly 98% of US Internet population, or greater.  YouTube (and Google) are going to have a run for their advertising dollars. By Casey S. Potenzone

I’m a bit of a nube when it comes to MAC OSX. For the last few weeks I’ve been trying to figure out the root password, and have failed. On multiple occasions I’ve searched Google to figure out how to do it. Apple, the Apple forums, the neurotic MAC user boards, etc. all said the same thing: “Use the OSX install Disk.”

Great, who actually knows where those disks are??

If you don’t have the password than you are either the type of person who could forget it (and most likely lose the OS Disk), or you acquired the device second hand. In either case, Apple clearly wants you to buy a new OSX disk because they won’t tell you these 3 simple steps… Thanks Jobs.

How to reset an OSX password WITHOUT THE OS DISK:

Power on your device while simultaneously holding down the Apple + S keys. This will boot the device into Single User Mode, which you can observe by watching the kernel and services all kick in command line style.

Once you make it to the prompt, enter the following:

# sh /etc/rc

# passwd yourusername

# reboot

If you are not sure what username to use, try root ;). If the password reset was successful you will simply be returned to the prompt after running the passwd command. If it didn’t work, you’ll get a one line response that says “sorry.” All done, no need for the disk.

Over the past 10 days I’ve been through 6 different airports, LAX, SJC, MIA, LHR…. you get the picture.  Each one of these airports had a different screening process with a different level of what was acceptable.  In LAX I was allowed to keep on my shoes, but had to take out my laptop.  Miami allowed me to keep my lighter, but took my mouth wash (I swear it was under 3 ounces).  Of all the them the most efficient by far was Heathrow.  You have to take off your jacket, but you get to keep your laptop in your bag, your shoes on and they let me keep my lighter.  

With all the sensitivities to security I’ve become quite accustomed to being searched and nearly stripping at the airport.  What I will never get used to is the fact that we can not establish a standard of what is secure and what is not.  The lines at Heathrow were long, quite long actually, but moved so quickly because everyone did not have to unpack, take off their shoes, do a little dance holding their pants up while taking off the belt and constantly presenting your ticket.

Will someone please decide what is a threat and what is not!!!

This weeks edition of Ad Age focuses purely on the digital realm.  With articles covering everything from “…Marketers’ Biggest Challenge When It Comes to Social Networks,” to “Buying in-game advertising,” this edition is a must read for anyone focusing on digital.

By Casey S. Potenzone

Our StrongPoint presentation includes a slide on what I like to describe as “use cases.” These little gems are great at getting and keeping an audiences attention, and I like to sprinkle them liberally when I present. Fortunately I’ve got a great pool of press and stories to pick from because my topic is network security for critical infrastructure. Finding and relaying the most interesting, real news has become one of my most successful methods for conducting an exciting presentation. For the StrongPoint topic I have the following:

• CIA launches hunt for international computer hackers threatening to hold cities ransom by shutting off power
• How to significantly disrupt traffic in Los Angeles

• Hacker hits Pennsylvania Water System

Regardless of your topic, keep yourself up to date on the news and always have a few, interesting stories in your pocket. If you ever notice someone drifting or you want to just pick-up the tempo, work the stories in as use cases.

By Casey S. Potenzone

We just announced  the release of a new product called StrongPoint and I’ve been doing a variety of analyst briefings over the past two weeks.  As I always do I prepare myself for these calls by reviewing the magazines or blogs the various analysts write for along with getting on top of as much industry and vertical press as possible.  By doing this research I’m able to direct my conversations down a path that I feel will interest the press enough to get the editorials we are shooting for. 

I’ve probably done 50 or so briefings in the last 6 months and I’ve been getting progressively more comfortable which has resulted in better conversations.  Much of my improvement has come from reading various blogs and opinions online from the likes of Seth Godin,  Steve Rubel and dozens others.  Here are a few quick links that have helped me, and may just be able to help you:

• Strategic Messaging.com
• Technobabble
• BoingBoing

By Casey S. Potenzone

Since first gaining significant market traction in 2003, device locked software activation (DLSA) has emerged as the copy control method of choice for leading software publishers. Currently six of the top ten software publishers use DLSA on the majority of their products. In 2006 well over $40 billion of software will be activated with device locking. Today, a majority of computer users have already had exposure to DLSA and understand its value to the license management process. The primary benefit of DLSA is its ability to provide a simple, highly hack-resistant end user authentication foundation on which to build fair, flexible and enforceable end user license models. DLSA can be integrated with virtually any standard license management back end. When implemented properly, DLSA has been shown to dramatically curtail unauthorized software use, delivering significant revenue increase with minimal additional operational or product cost.

The popularity and apparent simplicity of DLSA encourages many software publishers to pursue development of a “Homebuilt” solution in order to minimize costs. Any publisher considering such a development should first understand the requirements and costs to successfully implement and maintain DLSA. Potential benefits are only realized if hack-resistance is cost effectively achieved and sustained long term. The financial profile of an outcome in which security is sub-par will be disastrous because of low return and high cost. To meet business objectives and to minimize the risk of failure, the software publisher has to achieve sustainable security while managing the levels of investment.

Requirements

A copy control solution is a necessity for software publishers, a necessity that almost always distracts publishers away from their core competency. An ideal solution provides user-convenient, hack-resistant user authentication with a minimum of publisher effort and cost, and is easily adapted to address emerging business models. The growing dominance of embedded DLSA provides a multitude of real world examples demonstrating its ability to yield these benefits, putting authority firmly in the hands of publishers to politely enforce end user licenses. To realize value of DLSA solution, publishers must get several critical elements “right” or risk frustrating users, creating customer service issues and failing to curb piracy.

Successful copy control throughout a product’s lifecycle maximizes product ROI and politely conditions users to a reliable and fair product and brand experience. Such success depends significantly on the quality of the end-user experience. The willingness of end-users to accept security rather than try to find a way around it is directly related to the solution’s ability to provide a convenient and problem-free end-user experience. A well conceived DLSA system supports the fair use users want, and does so simply, reliably and politely. Whenever possible, a DLSA solution should empower users to easily self-manage their rights within the publisher’s fair use parameters.

A DLSA solution that optimizes the end-user experience virtually guarantees similar benefits to the publisher. A highly reliable and flexible system that gives users what they want and enables them to self-manage their needs will minimize the publisher’s customer support activities.

The most advanced DLSA solutions feature new powerful features such as “polite auditing”, “fair use throttling” and “smart tolerance” allow publishers to audit user behaviors and optimize license terms to maximize the value of their DLSA investment.

The Key to Sustainable Anti-hacking: Advanced Device Fingerprinting

Device recognition, the process of uniquely identifying a user device, is the secure foundation of DLSA. The hack resistance of a DLSA system depends primarily upon its ability to uniquely and consistently identify a device using its “device fingerprint”. A device fingerprint is created by sampling a range of non-personal information about a user’s device and then hashing that information into an encrypted code string. Early software activation systems used readily accessible device information such as Volume Serial Number, Network Name or Hard Drive Serial Number to generate the device fingerprint. The problem with using such readily accessible information is that they are easily spoofed and susceptible to license key generators. Advanced DLSA systems do not rely on component information that is easily changed, and instead sample a wide range of “non-user-configurable” device sampling points such as hard drive damage map, chip benchmarking, bios and firmware versions, manufacturer serial numbers and many others. The most advanced DLSA systems sample over 10,000 unique points of data in a typical PC and reliably distinguish one PC from another with more accuracy than DNA can distinguish human beings. The larger the pool of device information, the higher the integrity and more hack resistant the device fingerprint. Also, the wider the range of component targets, the more tolerance for change in a user’s device before requiring re-authentication, enabling higher system reliability and overall efficiency. Lastly, a large selection of device anchors enables publishers to tailor hardware anchor importance to those components most applicable to their applications.

To accomplish the business objectives of the software publisher and realize the value of a DLSA implementation, a high quality device fingerprinting technology must be the foundation. The integrity of the device fingerprint depends on the number and range of the sampling targets and the ability to include non-user-configurable targets. In addition, the ability to sample components using a combination of interfaces, such as high level OS calls and low level driver interfaces, further increases the integrity of the system.

Managing Risk

Managing the risks associated with the failure of a copy control system is a prudent strategy. As anyone in the security field knows: given enough computing power and time, any security schema can be broken. While embedded DLSA challenges this notion to extraordinary levels (and will significantly limit the damage from any single crack), anything is possible. In addition to cracking, it should also be considered a copy control system failure if the number of users driven away due to inconvenience is greater than the number unauthorized users “converted”. No matter how carefully planned the project, no matter how passionately supported by top management, no matter how obvious the benefits, success is not a sure thing. The benefits and the payoff depend on the quality of the design and implementation of the solution. There are the usual challenges to any organization: rushing to meet market deadlines, conflicting internal priorities, corporate reorganizations. All of these realities can interfere with achieving the targeted result. Aside from creating potential security holes, a sub-par implementation can easily result in an unacceptable user experience.

The Security Provider approach is inherently more financially conservative. It requires relatively small startup costs and time investment from in-house development staff. Costs are only incurred as protected product revenue is realized, so a “high cost / low benefit” result is virtually impossible. Total cost for the Security Provider solution is considerably less than the Homebuilt approach.

The risk of failure is lower with the Security Provider because expertise and focus enhances the likelihood of sustainable hack-resistance and total end user acceptance. The publisher experiences no disruption to the ongoing product development process. Internal staff is not burdened with acquiring off-competency, specialized expertise, or the ongoing efforts to sustain it. Instead, development staff can stay focused on making better applications for the publisher’s target customers.

All in all, device locked software activation is a prudent strategy. It can maximize ROI and improve the overall brand experience.

By Casey S. Potenzone

Why is it that “Activation” has received all the negative heat when it is clear that it is the way technology is used rather than the technology itself is the problem? This situation reminds me, as an Aussie, of the way speed cameras are abused in Australia.

There is something severely unfair about a policeman placing a camera on the side of the road to grab unsuspecting drivers and coming back later that day to retrieve a photographic list of offenders.

It is not uncommon to hear of a local driver who goes to the shops a few times in a day to learn ten days later that they have done all their points and lost their license. The camera itself is not the problem. The usage policy however is very much to blame.

The same goes for Activation. The fact that Microsoft amongst others hides its one license/ one machine policy embedded in hundreds of words of legal-speak during one screen of an installation of their software is not enough to expect the user to be informed about this significant limitation on the use of the software. It should be in large print on the outside of the box.

The real problem goes beyond this. It’s about being fair. Software has been in use by most people in the western world for 15-20 years and not until the advent of Microsoft’s use of Activation have consumers been expected to pay for a separate copy of software for every machine they use.

How many CD’s would be sold if the record industry required music lovers to buy a copy for every player they owned or used!

So it goes. This incredible tool I designed in 1992 to facilitate electronic distribution has become the whipping stick for every software publisher willing to risk the ire of their users in return for some quick sales.

I for one at Uniloc encourage all our partners and customers to be fair in the use of Activation. Track copies… sure ok. But policing need not be abused. Even a ten copy per license limit would easily stop the real culprits like the peer to peer die-hards and the dorm room pirates.

At least the average Joe can get to use their software freely without waiting for permission from a publisher every time they want to use a piece of software they own.

By Ric Richardson

Over the last few weeks we have started to reshape the Uniloc branding, starting with the website.  You’ll most likely have noticed a new look and feel to the Software Publishing section and over the next few weeks we will be relaunching the remaining microsites as well as our new tech. wiki. 

 Keep your eye’s open and watch for “The Rise of the Machine”