Sunday, May 13, 2012

Software Pirates protect their booty too (pun intended)

In the past 90 days, there have been 22,604 reported cases of hacked Dotfuscator use in 46 countries. For those who don’t know, Dotfuscator is a highly sophisticated piece of software that protects Intellectual Property inside apps, prevents software piracy and monitors application usage. What the above statistic is measuring are software pirates using pirated versions of Dotfuscator to protect their ill-gotten code. Does everyone see the irony? (I guess bank robbers need to protect their stolen money too)

Some of you may be snickering on the other side of your screens, “how good could this software be when 22,604 developers cracked their code?” – Well, as it happens, Dotfuscator was only cracked twice. These two instances were then distributed to thousands of these “application chop shops.” (thank to Morgan Reed, executive director of the Association for Competitive Technology for the new term - I think it's spot on). 

Also – these bad actors were NOT able to disarm our tamper alerts. Thanks to Dotfuscator’s tamper detection mechanism, I can share this unprecedented glimpse into what appears to be a massive, highly organized and well-equipped software piracy network.

Percentage of 22,604 tamper alerts from two hacked instances of Dotfuscator

The “46 country” count is also somewhat misleading. In point of fact, roughly 9 out of 10 of all incidents emanated from only two countries; China (75%) and Vietnam (12%). Interestingly, all of Vietnam (many many locations within Vietnam) used only one of the two keys whereas Chinese crooks used both – does this suggest two rather than one criminal network; one based out of China and another out of Vietnam?

Distribution of incidents by country of origin

So why should anyone but PreEmptive care?

Some of you may say – that’s just the cost of doing business in the software world – and, in this particular case, while relatively large, who does this hurt but PreEmptive?

To be honest, I don’t think I’m really the best person to try to communicate the enormity of the threat this data reveals. …And I have to thank my recent experiences as part of the Act Online Fly-in that have helped to open my eyes to the threats that this kind of organized attack on our IP and our apps represent. Anyhow, here goes... (NOTE - the greatest threats are last on this list)

First, the obvious one – when a software company is denied revenue, they cannot hire as many employees, pay as much taxes or contribute to our economy in a multitude of ways.

Second, when a hacked app also relies on external services (hosting, bandwidth, human support), these expenses are typically still borne by the true app developers.

Third, hacked apps cannot be trusted to be updated or to be as functionally reliable as the original. To the extent that poorly performing apps can cause damage to their users – this can become a public and personal safety hazard. (GPS, financial, etc. apps are often “mission critical).

Fourth, all of the privacy and security practices and ethical guidelines that legitimate software companies follow can be expected to be thrown out the door. Tracking, identity theft, hijacking of devices may all begin with a hacked/counterfeited app.

Pirated/look-alike/counterfeit apps may well be the single most unrecognized risk to consumers, children, and our economy – not just because of the lost revenue, but because of our dependence on this software (think about counterfeit cancer drugs and car parts as an analogy) and the intimate place these apps occupy on all of our devices.

Anarchy or organized attack?

Again, I am not the expert here – but lets revisit the Dotfuscator example one more time. Dotfuscator is a specialized software manufacturing platform that obfuscates and instruments MSIL (I realize that many of you will have no idea what I just wrote – that’s my point). Dotfuscator is embedded into serious, commercial software publishing platforms – each of the 22,604 sessions run over just the past 90 days represent ANOTHER app being built and readied for distribution into our infrastructure and economy. This is a tiny fraction of the massive production effort underway churning out applications that, in all likelihood, pose a material threat to each of us – even those of you that have nothing to do with software development.

Chinese and Vietnamese developers are clearly organized (they are communicating and sharing resources), sophisticated (as evidenced by their use of Dotfuscator), and prolific... Coincidence? 

Sunday, May 6, 2012

Ryan is Lying – (well, actually stealing, cheating and lying - again)

Back in January I posted Hoisted by my own petard: or why my app is number two (for now) where I profiled the pirating of my app content (from A Pose for That) and the steps I took to have Microsoft remove the offending app from the marketplace. Well, Ryan Lan AG is still going strong on the Microsoft marketplace (with 37 apps – what’s up with that Microsoft?) even though my particular app had been removed – OR SO I THOUGHT! Thanks to an eagle-eyed phone user (thank you – you know who you are), I discovered a new publisher on the marketplace – Ryan AG. Coincidence? I think not. 

Ryan AG has an app called A Yoga Course – which is the identical app with my identical (pirated) content. I have filed the requisite infringement complaint document with Microsoft – but, obviously, this is like stepping on a single cockroach – it’s not going to make my food any safer.

I think, while Microsoft is analyzing app submissions, they should be building an index of resources and flagging cases of reuse. I think publishers should be able to register “ownership” of their content resources and be notified when those resources are showing up in submitted apps. Publishers can do nothing or register a complaint – of course this 
a) costs time, money and resources and 
b) can be easily circumvented with some effort on the part of the bad guys – so, it may not be practical (but I would also welcome a better suggestion).

A two foot fence that “deters the opportunistic” and clearly delineates acceptable from criminal behavior would have, in my view, a net positive effect.

Who actually are the people behind Ryan (Lan) AG? I can’t say for sure, but I have a strong suspicion that whoever owns the email knows the answer to that – why not email him and ask what he is thinking about as he steals my content (and a host of others from what I can see).

You might think I may be jumping the gun here – perhaps this is an innocent naively unaware that they are crossing some invisible theoretical line. Perhaps they have a strong moral stand against content ownership or some other flavor of that malarkey – so… check out Ryan’s profile picture that can be seen here. This is not an ethical, cultural, or language issue – this is an unrepentant thief.

Wednesday, May 2, 2012

Mr. Smith (ok – Mr. Holst) goes to Washington

I’ll be heading to DC on Monday to meet with my elected officials (I’ll be joining up with another 40+ technologists). We’re all participating in the Association for Competitive Technology (ACT) Fly-In with a simple objective – to educate and inform our representatives and their staff on the tremendous opportunities (and potential risks) stemming from the emerging $20B app economy.

Our message is simple too.  The pace of innovation and growth taking place right now in the app economy is spectacular.   …and we need to do whatever we can to ensure that the app economy continues to grow – especially inside the US. What can the federal government do? We need to increase capacity for mobile connectivity (spectrum) – we need to ensure that developers can protect their intellectual property and efficiently license their work across a variety of marketplaces.  And of course – we need to strike that delicate balance of ensuring consumer privacy without stifling the internet economy (or handicapping US-based companies unfairly). 

The role of government is important – both in terms of what is should be doing – and in terms of where it should be holding back. The greater development community also has a critical role to play and has been working to find solutions on all of these fronts (including the folks at PreEmptive and my own work inside Qi-fense and The Mobile Yogi). …and we’re all looking forward to sharing our progress with our lawmakers next week.

My view is that an informed Congress will help all application stakeholders (both producers and consumers) to continue to flourish. Some of you may find this post a bit idealistic – but this will be my second jaunt to DC in this capacity; I “flew in” last year too – and, amazingly, I think it mattered. 

…and this year, well, I AM from a swing state after all. Go Buckeyes!