Sunday, May 13, 2012

Software Pirates protect their booty too (pun intended)

In the past 90 days, there have been 22,604 reported cases of hacked Dotfuscator use in 46 countries. For those who don’t know, Dotfuscator is a highly sophisticated piece of software that protects Intellectual Property inside apps, prevents software piracy and monitors application usage. What the above statistic measures is software pirates using pirated versions of Dotfuscator to protect their ill-gotten code. Does everyone see the irony? (I guess bank robbers need to protect their stolen money too.)

Some of you may be snickering on the other side of your screens, “how good could this software be when 22,604 developers cracked their code?” – Well, as it happens, Dotfuscator was only cracked twice. These two instances were then distributed to thousands of these “application chop shops” (thanks to Morgan Reed, executive director of the Association for Competitive Technology, for the new term - I think it's spot on).

Also – these bad actors were NOT able to disarm our tamper alerts. Thanks to Dotfuscator’s tamper detection mechanism, I can share this unprecedented glimpse into what appears to be a massive, highly organized and well-equipped software piracy network.

Percentage of 22,604 tamper alerts from two hacked instances of Dotfuscator

The “46 country” count is also somewhat misleading. In point of fact, roughly 9 out of 10 of all incidents emanated from only two countries: China (75%) and Vietnam (12%). Interestingly, all of Vietnam (many, many locations within Vietnam) used only one of the two keys whereas Chinese crooks used both – does this suggest two rather than one criminal network, one based out of China and another out of Vietnam?

Distribution of incidents by country of origin

So why should anyone but PreEmptive care?

Some of you may say – that’s just the cost of doing business in the software world – and, in this particular case, while relatively large, who does this hurt but PreEmptive?

To be honest, I don’t think I’m really the best person to try to communicate the enormity of the threat this data reveals. …And I have to thank my recent experiences as part of the Act Online Fly-in that have helped to open my eyes to the threats that this kind of organized attack on our IP and our apps represents. Anyhow, here goes... (NOTE - the greatest threats are last on this list)

First, the obvious one – when a software company is denied revenue, it cannot hire as many employees, pay as much in taxes or contribute to our economy in a multitude of ways.

Second, when a hacked app also relies on external services (hosting, bandwidth, human support), these expenses are typically still borne by the true app developers.

Third, hacked apps cannot be trusted to be updated or to be as functionally reliable as the original. To the extent that poorly performing apps can cause damage to their users – this can become a public and personal safety hazard. (GPS, financial, etc. apps are often “mission critical”.)

Fourth, all of the privacy and security practices and ethical guidelines that legitimate software companies follow can be expected to be thrown out the door. Tracking, identity theft, and hijacking of devices may all begin with a hacked/counterfeited app.

Pirated/look-alike/counterfeit apps may well be the single most unrecognized risk to consumers, children, and our economy – not just because of the lost revenue, but because of our dependence on this software (think about counterfeit cancer drugs and car parts as an analogy) and the intimate place these apps occupy on all of our devices.

Anarchy or organized attack?

Again, I am not the expert here – but let's revisit the Dotfuscator example one more time. Dotfuscator is a specialized software manufacturing platform that obfuscates and instruments MSIL (I realize that many of you will have no idea what I just wrote – that’s my point). Dotfuscator is embedded into serious, commercial software publishing platforms – each of the 22,604 sessions run over just the past 90 days represents ANOTHER app being built and readied for distribution into our infrastructure and economy. This is a tiny fraction of the massive production effort underway churning out applications that, in all likelihood, pose a material threat to each of us – even those of you who have nothing to do with software development.

Chinese and Vietnamese developers are clearly organized (they are communicating and sharing resources), sophisticated (as evidenced by their use of Dotfuscator), and prolific... Coincidence?
